When it comes to simulating networking scenarios using Cisco Routers, Firewalls , Switches we have a great tool called VIRL. Since its introduction, VIRL has gone viral people started using to extensively for CCNA, CCNP and even CCIE preparations. People tend to rely more on VIRL these days to master the networking concepts, testing their customer topologies, trying new features, planning the migrations etc.
As of today VIRL offers maximum 15 nodes which at times can be a limiting factors to simulate some complex labs, the community of VIRL users were not satisfied fully and the community raised this to Cisco, as a good listener Cisco listened them and announced that , starting November 2015 the node limit will be increased to 20 for free, that’s a great move and I would congratulate the VIRL team for making this possible.
One more enhancement Cisco is offering 30 nodes VIRL package, one can easily upgrade their existing node limit form15 to 30 by paying the upgrade fee which is unknown. I suggest to lookout for VIRL updates and take advantage of these new announcements.
Cisco is doing some major revamps when it comes to Cisco Design certifications , Cisco announced new version for their CCDA Certification from DESGN version 2.1 to 3.0. It’s a welcome move from Cisco especially when technology is evolving so fast.
In the newly designed 300-320 ARCH exam Cisco has removed following topics
- Design for infrastructure services
- Identify network management capabilities in Cisco IOS Software
- Create summary-able and structured addressing designs
- Describe IPv6 for campus design considerations
- Describe the components and technologies of a SAN network
- Create an effective e-commerce design
- Create remote access VPN designs for the teleworker
Following topics are added to ARCH exam
- Create stable, secure, and scalable routing designs for IS-IS
- Determine IPv6 migration strategies
- Design data center interconnectivity
- Design data center and network integration
- Select appropriate QoS strategies to meet customer requirements
- Design end to end QoS policies
- Design a network to support Network Programmability (SDN)
- Describe network virtualization technologies for the data center
The interesting addition is the SDN part, this is a great move from Cisco. I hope soon Cisco will release Cisco Press Study guides.
When it comes to the foundation of Network design its well known that Cisco Certified Design Associate is the great certification to start with. Recently Cisco announced the some major revamps in their current CCDA Design version 2.1. According to Cisco December 14 ,2015 will be last day take “Designing for Cisco Internetwork Solutions (DESGN) v2.1.
Currently Cisco is offering following versions of CCDA exams
|640-864 DESGNLast day to test: December 14, 2015||Designing for Cisco Internetwork Solutions (DESGN) v2.1|
|200-310 DESGN||Designing for Cisco Internetwork Solutions (DESGN) v3.0|
Cisco removed following topics from the new CCDA 200-310 DESGN exam, these topics are still part of the current exam 640-864 DESGN exam.
Topics Removed from the DESGN Exam:
- Describe developing business trends
- Describe network management protocols and features
- Describe network architecture for the enterprise
- Identify Cisco technologies to mitigate security vulnerabilities
However Cisco added following topics to the new CCDA 200-310 DESGN exam:
- Describe the Cisco Design lifecycle – PBM (Plan, Build, Manage)
- Describe the importance and application of Scalability in a network
- Describe the importance and application of Resiliency in a network
- Describe the importance and application of concept of Fault Domains in a network
- Design a basic branch network
- Describe the concepts of virtualization within a network design
- Identify network elements that can be virtualized
- Describe Data Center components
- Describe the concepts of Network Programmability within a network design
A good move from Cisco to include Data Center topics in the new CCDA 200-310 DESGN exam. I am pretty sure Cisco Press will come out with a new Cisco Press title to address this exam.
In Palo Alto Networks Firewalls zones plays a very vital role. Unlike other firewalls Palo Alto Networks Firewall security policies are configured based on zones. One of the first step one must consider while configuring the Palo Alto Networks firewall is to create appropriate zones and name them, specify the types of zone and assign an interface to that zone.
One must give up most attention while naming the zones as they are case sensitive, for example “trust” and “TRUST” are not the same zone. They are different zones and the security policy creates for “TRUST” zone doesn’t work with “trust” zone.
Palo Alto Networks Firewall comes out with four main zone types namely
- Virtual Wire
- Layer 2
- Layer 3
One cannot have an interface part of two zones at same time, it can be part of only one zone. The zone based firewall are quite handy in managing security policies and it makes life easier of firewall administrator.
Palo Alto Networks Firewalls can be administrated by multiple Administrators using WebUI access, it becomes quite challenging to see who is controlling the firewall and making either config changes or committing the changes done in Palo Alto Networks Firewalls.
To provide more flexibility and accounting Palo Alto Networks offers two types of locks
- Config Lock
- Commit Lock
Using these two features a Palo Alto Network Firewall administrator can prevent configuration changes or commit operations by another administrator. Until the lock is removed another administrator cannot do any changes.
Config Lock – Basically blocks other administrators from making changes to the configuration of the Palo Alto Firewall. One should set Config Lock at the global level. Only the administrator who set this lock or a superadmin can remove Config Lock.
Commit Lock – Basically block other administrators from committing any changes until all the locks have been released. By using this lock one can prevent any collisions occur when two administrators try to make changes to the Palo Alto Firewall at the same time. This lock releases automatically the moment the commit operation is completed by the administrator who started the commit activity first, or this can be release manually as well.
Any one can see, who is hold Commit Lock from the WebUI and can ask the concerned administrator to release the commit lock. Only the administrator who set this lock or a superadmin can remove the Commit Lock
From the below example its quite evident that the commit lock is held by the user admin and yasir is the user who has logged into the Palo Alto Firewall. Yasir cannot do any changes until admin completes his task. The only way to overcome this is either release the commit lock by admin or by the superadmin.
This little feature is quite handy and ensures who have control over the Palo Alto Firewall and I recommend one should enable this feature to ensure no changes are done accidently by the other administrator.
Thanks to Jamie Shoup of Cisco Press for providing me a copy of the title ” CCDE Study Guide” , I too was waiting for this title with lot of eagerness and quite happy to have a copy.
As you all know my journey of CCDE has begun and God willing I am planning for my success. Thought of sharing my initial reviews especially for those who are preparing for the CCDE exam.
I could see Marwan Al-Shawi used comparative and analytical approach which certainly helps CCDE aspirers to practice the “Why Question” with regard to designs. Its been said those who asks questions they cannot avoid answers. CCDE is also about asking right questions .
I could able to read first two chapters, they are quite engaging and penned down in a very simple manner, Marwan Al-Shawi ensured that the content is brief and addresses all the aspects of CCDE practical exam.The first chapter deals with Network design requirements , he talks about the common approach used to analyse and design the network, thought this not a new topic but its been presented in a very simple way, I liked this part.
This title is quite different from other Cisco Press books as “Do I Know this Already? Quiz” section is missing and however the section “further reading” at the end of each chapter is quite good and helpful for some one to have quick recap of the concepts.
There are few typos I have seen in the first two chapters, which needs to be corrected by the publisher and also I have a recommendation for Cisco Press to have a proper hyper link to “Further Reading” topics, so that one can directly click the hyperlink and start reading. At present one need to search the suggested further reading topics.
To conclude I would give 5 stars to this wonderful title by Marwan Al-Shawi and he stands right for the following statement in the book.
“Therefore, you can use this book as an all-in-one study guide covering the various networking technologies, protocols, and design options in a business-driven approach. You can expand your study scope and depth of knowledge selectively on certain topics as needed.”
Once I am done with reading this title I will come out with a detailed review.
Palo Alto Networks Firewall Admin role has three parts namely:
- XML API
- Command Line
WebUI supports Enable, Read Only and Disable levels
XML API offers only Enable and Disable levels.
When it comes CLI only pre defined built-in roles are allowed, customization is not allowed in CLI mode.
Palo Alto Networks firewall offers following built-in roles
Lets see what kind of privilege each user have in Palo Alto Networks Firewall
- none: will have no access cli mode of Palo Alto Networks Firewall,
- superuser: is the root user of the Palo Alto Networks firewall, superuser will have full configuration access of the firewall which also includes the access to create user accounts and virtual systems. This privilege also can create another user with superuser rights.
- superreader: will have full read access to the firewall except superreader cannot do any configuration to the Palo Alto Networks Firewall.
- vsysadmin: wil have full configuration access to the selected virtual system on the Palo Alto Networks firewall.
- vsysreader: will have full read access to the selected virtual system on the firewall, and vsysreader cannot do any configuration to the selected virtual system on the Palo Alto Networks Firewall
- deviceadmin: will have full configuration access to the selected device except for creating user accounts and virtual system on the Palo Alto Networks firewall.
- devicereader: will have full read access to the selected device, and no configuration rights like deviceadmin on the Palo Alto Networks Firewall.
This is also one great feature from Palo Alto Networks, which ensures that one can assign the user privileges, based on user roles and responsibilities. This also eases the task of Firewall Administrator he/she doesn’t need to build a user profile from scratch.
When it comes to CCDE preparations one should master many concepts, one should refer to plenty of resources available in form of books, articles, Cisco validated designs, Videos,RFCs etc. For every journey there is a starting point, for CCDE I believe “Optimal Routing Design” is the path towards success.
Many thanks to Alvaro Retana, Don Slice & Russ White to come out with such a great resource, which any designer can dream of. Though “Optimal Routing Design” has been penned down in 2005, yet it is quite relevant to today’s network design concepts. The concepts are well organized and the case studies add more value in each chapter. This title covers the following
- Network Design Goals and Techniques
- Applying the Fundamentals
- EIGRP Network design
- OSPF Network Design
- IS-IS Network Design
- BGP Cores and Network Scalability
- High Availability and Fast Convergence
- Routing Protocol Security
- Virtual Private Networks
I thoroughly enjoyed reading this title and quite benefitted from its contents and I am quite hopeful this title will empower me to conquer CCDE. As mentioned by Terry Slattery in Cisco Learning Network CCDE group discussions the publishers should seriously consider correcting those errors.
Since there are many resources and recommended books are there for CCDE I don’t see a reason for new revision of this book. To conclude a very well written book which any CCDE aspirer cannot miss to read from cover to cover.
I would like to thank my old time professional friend from Cisco Press Jamie Shoup for providing me a copy of newly released Cisco Press title ” CCNA Security 210-260 Official Cert Guide” penned by Omar Santos & John Stuppi.
This title comes with 19 chapters, which shows that the contents covered are in quite dept. CCNA is always a great starting point for fresh network engineers, Cisco ensures that by completing CCNA, one does possess good understanding of basic concepts and terminologies, so is this title. This ensures that one understands the concepts like fundamentals of Network Security, Security Threats, AAA, VPN, IPS, Email Security, Web Security , Securing virtual environments, ISE, Layer 2 security, NGIPS etc.
The authors have done a great job, the content is really written in very engaging way , I simply couldn’t able resist reading for at least couple hours with out any break.
I really liked the way how chapter 2 is penned down which deals with concepts like Social Engineering, different types of attacks, Malware detection tools etc.
This title begins with a typical Cisco Press title ” Do I Know this Already? Quiz” which really good which gives you an idea on how good you are and what are things you may need to focus more.Also the chapter ends with “Review all the Key Topics” is very handy and revises what you read.
One thing certainly needs some more clarity, is the chapter that deals with AAA and TACACS+ configurations, its not easy to find good resources on AAA or ACS , so if the examples were explained with a sample topology and configurations would have added more value.
The Premium edition of this title comes with Pearson IT Certification Practice Test, which is really great and one can certainly monitor his/her progress by taking those tests. I have one more recommendations to the publishers is to provide the test engine for MAC operating Systems as well.
To conclude really well written title which not only helps CCNA Security aspirers to archive their goal but also a great reference guide for any Network Security Engineer.
Palo Alto Network Firewalls by default comes with a predefined admin account; further additional admin accounts can be added. Before jumping into types of roles Palo Alto Networks firewalls offers its better to get aware what different method Palo Alto Networks Firewall offers for Administrators authentication?
One can authenticate an Administrator account using:
- Local Data Base
- Active Directory
- User Certificates
- TACACS+ *
* TACACS+ authentication option is available only after the 7.0 PAN-OS releases, prior to 7.0 PAN-OS one has to rely on RADIUS.
Adding TACACS+ option to new release of PAN-OS 7.0 is a great move from Palo Alto this shows how all other vendors are accepting TACACS+.