vex
Joined: 17 Feb 2007 Posts: 61 Location: Boston, MA
Posted: Mon Aug 27, 2007 7:02 pm Post subject: CCIE #18683 (Security)
Thanks to Dynamips I passed the security lab on Friday.
I can't thank Greg and the team enough, as I ran my entire topology on dynamips/dynagen apart from the security devices. I accessed the real devices via a dot1q trunk breakout.
I've waited more than 9 months to post this. Thank you guys.
_________________
CCIE (Security)
hacki Site Admin
Joined: 16 Jul 2006 Posts: 499 Location: Austria
Posted: Mon Aug 27, 2007 7:41 pm
Congratulations.
One question: you wrote that you accessed the real devices via a trunk. How exactly did you do that?
h.
vex
Joined: 17 Feb 2007 Posts: 61 Location: Boston, MA
Posted: Mon Aug 27, 2007 7:55 pm
I enabled dot1q on the Linux server; I had to use Intel NICs, as the Broadcom NICs did not forward the VLAN tags.
Code:
#3550 switch port setup
#f0/1 = dynamips breakout trunk
#f0/2 = pix inside vlan 11
#f0/3 = pix outside vlan 12
#f0/4 = ASA1 inside vlan 50
#f0/5 = ASA1 outside vlan 49
#f0/6 = VPN Conc priv vlan 11
#f0/7 = VPN Conc public vlan 12
#f0/8 = IPS 4215 CC vlan 10
#f0/9 = IPS 4215 sniffing vlan 12
#f0/10 = ASA2 inside vlan 55
#f0/11 = ASA2 outside vlan 5
#f0/12 = Cat 3550 vlan 6
Then I configured a trunk port on a 3550 switch and connected the dynamips box to it. This is my dynamips breakout.
Code:
interface FastEthernet0/1
description dynamips breakout
switchport trunk encapsulation dot1q
switchport mode trunk
duplex full
speed 100
I used the Dynagen internal switch and assigned my routers dot1q VLANs. These VLANs also have to exist on the 3550.
Code:
[[ETHSW S1]]
1 = dot1q 1 NIO_linux_eth:eth2 #trunk to 3550
2 = access 11 #R1 f0/0
3 = access 10 #R1 f0/1
4 = access 12 #R2 f0/0 on diag f1/0
5 = access 49 #R4 f0/0
6 = access 5 #R5 f0/0
7 = access 6 #R6 f0/0
8 = access 5 #BB2 f0/0 on diag e0/0 NO ASA2 so the vlan changed from 55 to 5
9 = access 49 #R9 f0/0 NO ASA1 so the vlan changed from 50 to 49
_________________
CCIE (Security)
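The breakout above only works if every VLAN the Dynagen ETHSW puts on the trunk also exists on the 3550 and is allowed on the trunk port; a missing VLAN is simply dropped by the switch with no error on either side. The following script is an added example (my code, not vex's or the Dynagen project's): it parses the `[[ETHSW S1]]` section of a Dynagen `.net` file, lists the VLANs the 3550 must carry, reports any that are absent from a given switch VLAN list, and emits the trunk-port config with the allowed list pruned to those VLANs and DTP disabled (`switchport nonegotiate`), so a stray tag from the emulator host cannot reach VLANs the lab does not use. The sample `.net` text and the switch VLAN lists are constructed from the post; the function and variable names are my own.

```python
"""Cross-check a Dynagen ETHSW breakout against the physical 3550's VLANs.

Added example, not from the original post. Parses the [[ETHSW ...]] section of
a Dynagen .net file, computes which VLANs the 3550 must have, flags ports whose
VLAN the switch does not know, and generates the breakout trunk configuration
with a pruned 'switchport trunk allowed vlan' list.
"""
import re

# Constructed sample: the ETHSW section as posted (comments kept as in the post).
SAMPLE_NET = """\
[[ETHSW S1]]
1 = dot1q 1 NIO_linux_eth:eth2 #trunk to 3550
2 = access 11 #R1 f0/0
3 = access 10 #R1 f0/1
4 = access 12 #R2 f0/0 on diag f1/0
5 = access 49 #R4 f0/0
6 = access 5 #R5 f0/0
7 = access 6 #R6 f0/0
8 = access 5 #BB2 f0/0
9 = access 49 #R9 f0/0
"""

# "<port> = access <vlan>" or "<port> = dot1q <native-vlan> <NIO>"
PORT_RE = re.compile(r"^\s*(\d+)\s*=\s*(access|dot1q)\s+(\d+)(?:\s+(\S+))?", re.I)


def parse_ethsw(text):
    """Return {port: (mode, vlan, nio_or_None)} for the first [[ETHSW ...]] section."""
    ports = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop Dynagen '#' comments
        if not line:
            continue
        if line.startswith("["):             # any section header ends/starts a section
            in_section = line.upper().startswith("[[ETHSW")
            continue
        if not in_section:
            continue
        m = PORT_RE.match(line)
        if m:
            ports[int(m.group(1))] = (m.group(2).lower(), int(m.group(3)), m.group(4))
    return ports


def required_vlans(ports):
    """VLANs the 3550 must carry: every access VLAN plus the trunk's native VLAN
    (untagged frames land in the native VLAN on both ends)."""
    return sorted({vlan for _mode, vlan, _nio in ports.values()})


def missing_vlans(ports, switch_vlans):
    """VLANs referenced by the ETHSW but absent from the switch's VLAN database."""
    return sorted(set(required_vlans(ports)) - set(switch_vlans))


def trunk_config(ports, ifname="FastEthernet0/1"):
    """3550 config for the breakout trunk. The allowed list is pruned to the VLANs
    the emulated routers use and DTP is disabled, so the host side cannot
    negotiate or reach anything else (hardening not present in the post)."""
    access = {v for m, v, _ in ports.values() if m == "access"}
    native = [v for m, v, _ in ports.values() if m == "dot1q"]
    native_vlan = native[0] if native else 1
    carried = sorted(access | {native_vlan})
    lines = [f"vlan {v}" for v in carried if v != 1]   # VLAN 1 always exists
    lines += [
        f"interface {ifname}",
        " description dynamips breakout",
        " switchport trunk encapsulation dot1q",
        f" switchport trunk native vlan {native_vlan}",
        " switchport trunk allowed vlan " + ",".join(str(v) for v in carried),
        " switchport mode trunk",
        " switchport nonegotiate",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    ports = parse_ethsw(SAMPLE_NET)
    # Constructed: a 3550 where VLAN 49 was never created.
    print("missing on switch:", missing_vlans(ports, [1, 5, 6, 10, 11, 12]))
    print(trunk_config(ports))
```

One caveat from experience rather than from the post: on a Linux host, if the emulated routers' tagged frames never show up on the switch, check the NIC's VLAN hardware offload (`ethtool -k eth2`), since rx/tx VLAN offload can strip tags before the raw socket Dynamips uses ever sees them; `tcpdump -e -i eth2` will show whether 802.1Q headers are present on the wire.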
hacki Site Admin
Joined: 16 Jul 2006 Posts: 499 Location: Austria
Posted: Mon Aug 27, 2007 8:53 pm
Quote:
I enabled dot1q on the Linux server; I had to use Intel NICs, as the Broadcom NICs did not forward the VLAN tags.
That is exactly the answer I was looking for. Thanks a lot. Which specific NIC did you use?
h.
vex
Joined: 17 Feb 2007 Posts: 61 Location: Boston, MA
Posted: Mon Aug 27, 2007 9:29 pm
My bad, I must be using the Intel quad card in the VMware host.
On this host I installed a Linksys for the trunk port and the Broadcom for the host port.
Code:
[root@dynamips ~]# lspci | grep Ether
02:02.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5704 Gigabit Ethernet (rev 10)
0a:01.0 Ethernet controller: Linksys NC100 Network Everywhere Fast Ethernet 10/100 (rev 11)
[root@dynamips ~]#
_________________
CCIE (Security)
conspathas
Joined: 28 Mar 2007 Posts: 1218 Location: CCIE
Posted: Tue Aug 28, 2007 10:55 am
Congrats on the digits, vex!
qamar00
Joined: 23 Aug 2007 Posts: 2
Posted: Wed Aug 29, 2007 7:01 am
Can we run a complete lab for CCIE Security using VMware for IDS, Dynagen for both switches and routers, and pemu for PIX? Is there any missing device?
conspathas
Joined: 28 Mar 2007 Posts: 1218 Location: CCIE
Posted: Wed Aug 29, 2007 10:42 am
qamar00 wrote:
Can we run a complete lab for CCIE Security using VMware for IDS, Dynagen for both switches and routers, and pemu for PIX? Is there any missing device?
Just my 2 cents' worth, but how about giving vex a pat on the back, seeing as you posted in this thread, and then perhaps asking your question?
 |
vex
Joined: 17 Feb 2007 Posts: 61 Location: Boston, MA
Posted: Wed Aug 29, 2007 11:11 am
LOL @ Conspathas
The lab requires:
2 x ASAs
1 x VPN Concentrator
2 x 3550 switches
These are devices that cannot be emulated, as far as I know. You can always just use PIXes instead of ASAs, but make sure you practice WebVPN on an ASA, since it is not supported on the PIX.
The 3550s you'll need for SPAN and RSPAN and to get a feel for the IOS on the switch, setting up trunks etc.
The VPNC is end of life, but it is still in the exam.
Apart from the VPNC and the 3550s, you should be all set doing this virtually.
_________________
CCIE (Security)
jumaroyu
Joined: 16 Apr 2007 Posts: 3
Posted: Fri Aug 31, 2007 11:30 pm
Congrats on passing. I think the next update to the lab will include ASA/PIX v8 and remove the VPNC; you can do all the VPN stuff with the ASA VPN-enhanced boxes.
Great info, thanks a lot.
cyphur
Joined: 25 Jul 2007 Posts: 64 Location: DFW, Tx
Posted: Sun Sep 02, 2007 1:25 am
Congrats! I hear it's no walk in the park.
greg Site Admin
Joined: 17 Jul 2006 Posts: 704 Location: USA
Posted: Sun Sep 02, 2007 11:36 am
Congratulations vex!