Tuesday, December 30, 2014

New Job, new direction, yet again...

Realized that I never made a post per my successes in finding work.

It took a bit longer than I had expected.

I had a fairly involved interview process with Google, including a face-to-face, which ultimately didn't pan out but allowed me to make some great contacts, and led to another phone interview for a position I told them I didn't believe I was qualified for, but they decided they wanted to phone interview anyway. That didn't evolve into anything, either. I worked for a short time as a project manager for a local inside-plant special systems company, which ended up being a REALLY bad idea. Although I was listed as Director of Operations, I wasn't anything more than a glorified cabling lead most of the time.

After that, I became a bit more picky and decided project management isn't what I want to do right now, especially with a new CCNP cert sitting on my desk, and started applying solely for network engineering positions. During that time, Google called back on an application I had submitted for a position located in Mountain View. I got all the way to scheduling the Mountain View interview and talking about the relocation process. I think I probably would have received an offer for that position, but it was in their NOC, and I wasn't sure I wanted back into the always-putting-out-fires type of work after 8 years of it previously, especially in a NOC that was probably in the midst of developing its processes. Frankly, I was a bit tired.

That leads me to why I didn't take the Google interview. I already had an offer for a network engineer position with a public entity, and the start date conflicted with when I could interview with Google, and after a lot of soul searching I turned down the flight to MV. I'm sure it would have been cool, but for the type of work it would be and the amount of hassle involved in relocating (I have a house here, kids in school, etc.), it just didn't seem like the best path forward. So I started the public entity job, after also interviewing with another public entity for a network architect position. About a week into the new position, I was informed that I was the runner-up for the other job, but that they would keep me in mind.

The job I initially accepted had great benefits and good retirement, though, strangely, somewhat expensive insurance. Pay-wise, it wasn't much of a step forward either. All I was going to get to do there, for the most part, was some slight break-fix, VPN adds, managing ISE and SolarWinds, and some interfacing to cloud services with AWS. The second place I interviewed with, for the architect position, called back about a month into the job I had accepted and made an offer that I simply couldn't refuse, for exactly the type of work that I wanted to do, and that pretty much any network engineer should want to do. After three months there, I have to say, I'm pretty much ecstatically happy.

The funny thing is that the place I'm working at was employing the guy (whom I used to work with at another company) who got the initial job I interviewed with Google for. And now I'm doing some of his work.

My first project, a month in, was configuration of dual core 6807-XLs in VSS, 10-gig uplinks to each telecom room, VRF-separated networks, and Meraki guest wireless. One of the two largest campus upgrades they had done in ten years. Talk about trial by fire. It worked out: 36 devices replaced with new ones, 15 hours on a Saturday, and zero trouble tickets put in by users on Monday. I did a pretty decent job, and am fairly proud of my work. I might almost call myself a network engineer now.

Anyway, I hope this may be inspirational to someone as I've spent quite a while working on becoming a network engineer, fairly late in my career, and hopefully it shows what can happen when you keep plugging away.

Good luck to all of you, and this blog will now focus on my new path, which will be CCDA-CCDP-CCIE R&S.

Stay tuned. I don't know that there will be much configuration posting while working on CCDA-CCDP, which I'm giving myself until the summer to complete. The way it's designed, it's just two tests to get there, since CCDP uses two of the CCNP tests as part of the cert path.




Sunday, November 16, 2014

GNS3 with IOU switching tested

Was dreading putting this together, but it ended up being pretty straightforward in 1.1

Have a simple switching topology setup and it's working so far for basic commands.




L2 port-channels work, it appears.

Word is that ISL trunking does not work. A list of what did not work in early versions is here:

http://www.routereflector.com/cisco/cisco-iou-web-interface/features-not-supported/

And here is the how-to in the new GNS3 forums:

https://community.gns3.com/groups/cisco-ccna/blog/2014/11/03/how-to-setup-and-configure-cisco-iou-ios-on-unix-to-gns3-11

And here is the how-to for adding ASA images to QEMU:

https://community.gns3.com/community/support/forum/blog/2014/10/26/how-to-add-cisco-asa-842-to-gns3-11-and-get-it-working

etherchannel debug works:


Friday, July 11, 2014

Active/Active Failover with two ASAs




And Active/Active failover...

Working off of this walkthrough:

https://www.youtube.com/watch?v=C4mTwnLIZnY

Tuesday, July 1, 2014

ASA to ASA VPN tunneling

What I'm working on now:



I'll do a post on advanced GNS3 setup to include ASA simulation, which had its issues, as did adding a second ASA once the single-ASA setup was accomplished.

ASA1

ASA Version 8.4(2)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.255.255.252
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network LocalNetwork
 subnet 192.168.100.0 255.255.255.0
object network RemoteNetwork
 subnet 192.168.200.0 255.255.255.0
access-list Site1-to-Site2 extended permit ip object LocalNetwork object RemoteNetwork
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ASA1Tranform-set esp-aes-256 esp-sha-hmac
crypto map ASA1VPN 1 match address Site1-to-Site2
crypto map ASA1VPN 1 set pfs
crypto map ASA1VPN 1 set peer 10.10.10.2
crypto map ASA1VPN 1 set ikev1 transform-set ASA1Tranform-set
crypto map ASA1VPN 1 set security-association lifetime seconds 28800
crypto map ASA1VPN interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 10.10.10.2 type ipsec-l2l
tunnel-group 10.10.10.2 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:7db04233c3969554643f82fc508ffc02
: end

ASA2

ASA Version 8.4(2)
!
hostname ASA2
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 10.10.10.2 255.255.255.252
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network LocalNetwork
 subnet 192.168.200.0 255.255.255.0
object network RemoteNetwork
 subnet 192.168.100.0 255.255.255.0
access-list Site2-to-Site1 extended permit ip object LocalNetwork object RemoteNetwork
access-list NAT extended permit ip object LocalNetwork object RemoteNetwork
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ASA2Tranform-set esp-aes-256 esp-sha-hmac
crypto map ASA2VPN 1 match address Site2-to-Site1
crypto map ASA2VPN 1 set pfs
crypto map ASA2VPN 1 set peer 10.10.10.1
crypto map ASA2VPN 1 set ikev1 transform-set ASA2Tranform-set
crypto map ASA2VPN 1 set security-association lifetime seconds 28800
crypto map ASA2VPN interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:f6e37b3d077f5f321ff8917aae9142bf
: end
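The two configs above mirror each other, which is exactly what an IKEv1 site-to-site tunnel needs: each side's `set peer` must be the other side's outside address, the crypto ACLs must be mirror images (LocalNetwork/RemoteNetwork swap meaning between the boxes), the transform sets and phase-1 policies must agree, and a `tunnel-group <peer> type ipsec-l2l` must exist for the peer or phase 1 never completes. Two things a practitioner would want flagged before a config like this left the lab: `enable password 8Ry2YjIyt7RRXU24` and `passwd 2KFQnbNIdI.2KYOU` are the ASA's factory hashes for an empty enable password and the login password `cisco`, and `group 2` (1024-bit Diffie-Hellman, which is also what a bare `set pfs` falls back to on this release) is below the 2048-bit minimum current guidance asks for. The Python below is an added example, not code from the post: it reproduces the crypto-relevant lines of ASA1 and ASA2 from a constructed template (the `site_config` helper and every function name are mine), parses them, and reports weak settings and peer mismatches. It is a static check of the text, not a substitute for `show crypto isakmp sa` and `show crypto ipsec sa` on the boxes.

```python
# Constructed template reproducing the crypto-relevant lines of the ASA1/ASA2 configs in the post.
TEMPLATE = """\
hostname {name}
enable password {enable} encrypted
passwd {passwd} encrypted
interface GigabitEthernet0
 nameif outside
 ip address {outside} 255.255.255.252
object network LocalNetwork
 subnet {local} 255.255.255.0
object network RemoteNetwork
 subnet {remote} 255.255.255.0
access-list {acl} extended permit ip object LocalNetwork object RemoteNetwork
crypto ipsec ikev1 transform-set {name}Tranform-set {transform}
crypto map {name}VPN 1 match address {acl}
crypto map {name}VPN 1 set pfs
crypto map {name}VPN 1 set peer {peer}
crypto map {name}VPN 1 set ikev1 transform-set {name}Tranform-set
crypto ikev1 policy 1
 encryption {enc}
 hash sha
 group {group}
tunnel-group {peer} type ipsec-l2l
"""
DEFAULT_ENABLE = "8Ry2YjIyt7RRXU24"  # ASA hash of an empty enable password (factory default)
DEFAULT_PASSWD = "2KFQnbNIdI.2KYOU"  # ASA hash of the factory login password "cisco"

def site_config(name, outside, peer, local, remote, acl, transform="esp-aes-256 esp-sha-hmac",
                enc="aes-256", group="2", enable=DEFAULT_ENABLE, passwd=DEFAULT_PASSWD):
    return TEMPLATE.format(**locals())

def parse_asa(text):
    """Pull out the pieces of an ASA config that decide whether a site-to-site tunnel forms."""
    cfg = {"ifaces": {}, "objects": {}, "acls": {}, "tsets": {}, "maps": {}, "policies": {}, "tgroups": set()}
    block = [""]
    for raw in filter(str.strip, text.splitlines()):
        w = raw.split()
        if raw[0] != " ":                    # top-level command; may open an indented block
            block = w
            if w[0] in ("hostname", "enable", "passwd"):
                cfg[w[0]] = w[1] if w[0] == "hostname" else w[-2]   # '... <hash> encrypted'
            elif w[0] == "interface":
                cfg["ifaces"][w[1]] = {}
            elif w[0] == "access-list" and w[2:5] == ["extended", "permit", "ip"]:
                cfg["acls"].setdefault(w[1], []).append((w[6], w[8]))  # (source object, dest object)
            elif w[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
                cfg["tsets"][w[4]] = frozenset(w[5:])
            elif w[:2] == ["crypto", "map"] and w[3].isdigit():  # crypto map NAME SEQ <verb> <noun> args
                cfg["maps"].setdefault((w[2], w[3]), {})[" ".join(w[4:6])] = w[6:]
            elif w[:3] == ["crypto", "ikev1", "policy"]:
                cfg["policies"][w[3]] = {}
            elif w[0] == "tunnel-group" and w[2] == "type":
                cfg["tgroups"].add(w[1])
        elif block[0] == "interface" and w[0] in ("nameif", "ip"):
            cfg["ifaces"][block[1]][w[0]] = w[-2] if w[0] == "ip" else w[1]
        elif block[0] == "object" and w[0] == "subnet":
            cfg["objects"][block[2]] = w[1]              # network address only; both sites are /24
        elif block[:3] == ["crypto", "ikev1", "policy"]:
            cfg["policies"][block[3]][w[0]] = w[1]
    return cfg

def outside_ip(cfg):
    return next(i["ip"] for i in cfg["ifaces"].values() if i.get("nameif") == "outside")

def acl_subnets(cfg, acl):
    return {(cfg["objects"][s], cfg["objects"][d]) for s, d in cfg["acls"][acl]}

def weak_settings(cfg):
    # One box on its own: factory credentials, sub-2048-bit DH, DES/3DES/MD5/null inside ESP.
    f = []
    if cfg.get("enable") == DEFAULT_ENABLE:
        f.append("enable password is the factory default (empty)")
    if cfg.get("passwd") == DEFAULT_PASSWD:
        f.append("login password is the factory default 'cisco'")
    for seq, p in cfg["policies"].items():
        if p.get("group") in {"1", "2", "5"}:
            f.append(f"ikev1 policy {seq}: DH group {p['group']} is below 2048 bits")
    for name, ts in cfg["tsets"].items():
        if ts & {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac"}:
            f.append(f"transform-set {name}: weak ESP algorithm in {sorted(ts)}")
    return f

def peer_mismatches(a, b):
    # Both boxes together: does each side's crypto map line up with what the other side offers?
    f = []
    for me, them in ((a, b), (b, a)):
        for (m, seq), e in me["maps"].items():
            peer = e.get("set peer", [None])[0]
            if peer != outside_ip(them):
                f.append(f"{me['hostname']}: peer {peer} is not {them['hostname']}'s outside address")
            if peer not in me["tgroups"]:
                f.append(f"{me['hostname']}: no ipsec-l2l tunnel-group for peer {peer}")
            if me["tsets"][e["set ikev1"][1]] not in them["tsets"].values():
                f.append(f"{me['hostname']}: transform-set has no equal on {them['hostname']}")
            mirrored = {(d, s) for s, d in acl_subnets(me, e["match address"][0])}
            if not any(acl_subnets(them, x) == mirrored for x in them["acls"]):
                f.append(f"{me['hostname']}: crypto ACL {e['match address'][0]} is not mirrored on {them['hostname']}")
    return f
ASA1_TEXT = site_config("ASA1", "10.10.10.1", "10.10.10.2", "192.168.100.0", "192.168.200.0", "Site1-to-Site2")
ASA2_TEXT = site_config("ASA2", "10.10.10.2", "10.10.10.1", "192.168.200.0", "192.168.100.0", "Site2-to-Site1")
```

For the pair above, `peer_mismatches(parse_asa(ASA1_TEXT), parse_asa(ASA2_TEXT))` comes back empty and `weak_settings` reports the two factory credentials and DH group 2 on each box. To run it against real units, feed `show running-config` output to `parse_asa` instead of the template; it only looks at the interface, object, access-list, crypto and tunnel-group stanzas and ignores the rest.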



Monday, June 30, 2014

Moving in a new direction... new name for the Blog.

I've really enjoyed putting all of this down in one place, and since I'm moving in new directions, have a new book released, and am working on a possible run at some security certifications, I think I'll fire this back up.

I'm currently working within GNS3 and have a couple of ASA instances successfully up and running.

I'll probably add a CCNA Security tab to the top here shortly and add the process I've gone through to get them up and running.

I'm in the process of running through a few labs on site-to-site VPNs through ASAs, both in and out of ASDM.

Monday, June 23, 2014

Well, it's done. I'm an author now. "CCNA Home Lab Purchase and Build Guide" is now available for Kindle on Amazon.

I've pulled a lot of what is in this blog together to make a small guide for building CCNA home labs.

It will be interesting to see if there is demand.

You can get a copy here:

http://www.amazon.com/dp/B00L7CT8NK



Thursday, March 6, 2014

Looks like I may have to remove the "or Bust" from the Blog title...

A long road complete.

The T-SHOOT test was as much fun as I thought it would be. The break-fix work I did at my last job probably helped. With limited actual configuration rights on the carrier core network, the test was like work was: just ping your way to the answer and find the incomplete or incorrect configuration.

So... Now, I'm an unemployed CCNP.

We'll see how the rest of this next week plays out and that may change.

I'm pretty sure that either position that is high on my list will require me to shutter this blog for a good while, if not indefinitely, as I'll possibly be moving back into the management track, and the way I work, there won't be a lot of time for extracurricular activities like this, or likely much more need for Cisco certification.

It's been fun, I'll keep people posted, and look for me to promote a book that I've been working on, related to what I've learned in maintaining this blog. It's about half complete and I expect it will be available on Amazon, and possibly iTunes/iBooks.

Wednesday, March 5, 2014

And one day until T-Shoot...

Just been running through the CBT Nuggets vids and simulating some of the issues that CBT Nuggets has to rectify on the setup I built simulating the Cisco topology.

My CCNP rack is already listed on eBay. If I don't pass, I'll have to decide if I want to leave it up or not...

http://www.ebay.com/itm/251467713528?ssPageName=STRK:MESELX:IT&_trksid=p3984.m1558.l2649

Tuesday, March 4, 2014

T-Shoot simulation setup IPV4 layer 3 topology

Just wanted to drop a pic of the physical setup. I guess you could say it's not a simulation, since it's on live equipment.



It is set up to switch to the Layer 2/3 topology by moving the connections to the 2811 in the middle of the rack, which is set up as a Frame Relay switch.

hostname FRSW1
enable secret cisco
no ip domain lookup
!
interface Serial1/0
no ip address
encapsulation frame-relay
serial restart-delay 0
! this side is the DCE: the switch supplies clocking and LMI to the attached router
clock rate 56000
frame-relay intf-type dce
! DLCI 403 arriving on this interface is switched out Serial1/1 as DLCI 304;
! the reverse leg (304 on Serial1/1 back to 403 here) is configured under Serial1/1
frame-relay route 403 interface Serial1/1 304
no shut
exit
!
interface Serial1/1
no ip address
encapsulation frame-relay
serial restart-delay 0
clock rate 56000
frame-relay intf-type dce
frame-relay route 302 interface Serial1/2 203
frame-relay route 304 interface Serial1/0 403
no shut
exit
!
interface Serial1/2
no ip address
encapsulation frame-relay
serial restart-delay 0
clock rate 56000
frame-relay intf-type dce
frame-relay route 201 interface Serial1/3 102
frame-relay route 203 interface Serial1/1 302
no shut
exit
!
interface Serial1/3
no ip address
encapsulation frame-relay
serial restart-delay 0
clock rate 56000
frame-relay intf-type dce
frame-relay route 102 interface Serial1/2 201
no shut
!
line con 0
no exec-timeout
!
line vty 0 4
no exec-timeout
password cisco
login
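A Frame Relay switch only works when every PVC is routed in both directions: the `frame-relay route 403 interface Serial1/1 304` under Serial1/0 needs its mirror `frame-relay route 304 interface Serial1/0 403` under Serial1/1, and a missing reverse leg is a classic lab fault that shows up as a DLCI one router sees and the other does not. The Python below is an added check, not part of the post: it embeds the interface and route lines of the FRSW1 config above (a constructed excerpt; the function names are mine), maps each ingress leg to its egress, and reports any leg whose mirror is missing, plus the list of fully routed PVCs.

```python
# Constructed from the FRSW1 config above: only the interface and frame-relay route lines matter here.
FRSW1 = """\
interface Serial1/0
 frame-relay route 403 interface Serial1/1 304
interface Serial1/1
 frame-relay route 302 interface Serial1/2 203
 frame-relay route 304 interface Serial1/0 403
interface Serial1/2
 frame-relay route 201 interface Serial1/3 102
 frame-relay route 203 interface Serial1/1 302
interface Serial1/3
 frame-relay route 102 interface Serial1/2 201
"""

def parse_fr_routes(text):
    """Map (ingress interface, ingress DLCI) -> (egress interface, egress DLCI) for every route line."""
    routes, current = {}, None
    for line in text.splitlines():
        w = line.split()
        if w[:1] == ["interface"]:
            current = w[1]
        elif w[:2] == ["frame-relay", "route"] and current:   # frame-relay route IN interface IF OUT
            routes[(current, w[2])] = (w[4], w[5])
    return routes

def unpaired_routes(routes):
    """Legs whose mirror is missing: the far interface must switch the egress DLCI straight back."""
    return sorted(leg for leg, far in routes.items() if routes.get(far) != leg)

def pvcs(routes):
    """Each fully routed PVC once, as a sorted pair of (interface, DLCI) endpoints."""
    return sorted({tuple(sorted((leg, far))) for leg, far in routes.items() if routes.get(far) == leg})
```

For the config above `unpaired_routes` returns an empty list and `pvcs` returns three circuits; deleting one `frame-relay route` line from the text (or from the parsed dict) makes the surviving one-way leg show up immediately, which is faster than reading LMI status on four routers.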


Sunday, March 2, 2014

T-SHOOT scheduled

Taking T-SHOOT about a week after SWITCH.

One more week of craziness, then hopefully a bit of a break... at least for a weekend maybe ;-)

Link to the T-SHOOT demo. It's pretty cool actually. I think I'm actually looking forward to this one:

T-SHOOT demo



Friday, February 28, 2014

CCNP Switch cleared...

The test ended up being more difficult than I thought it would be, and I stumbled a bit in the sims but ended up passing, although I wasn't sure it would be a pass until they printed out the results.

So... one step closer to CCNP, one step away from Bust.

I took the test exactly one year, to the day, from taking ROUTE.



I hadn't really intended for it to take that long, but life intervened. So now, I'm scheduling T-SHOOT for a week from now.

Amazing what you can do when you put your mind to it.


Thursday, February 27, 2014

Wednesday, February 26, 2014

Pouring it on...Test in two days.

In case anyone wanted to know, the method to my madness.

$99.00/month subscription to CBTNuggets.com
Cisco Press Route/Switch/T-Shoot books
YouTube labs from others for the test
Self-created practice test from the Cisco Press book

So how I go about it is:

Watch Jeremy Cioara's video for a section, and do any configuration he runs through on my home lab.

Re-read the section in the Cisco book.

Run through a few YouTube labs on the section on my home lab.

Take practice tests, created from questions in the Cisco Press book. Keep going until I hit 95%.

I'm about three-quarters through the book/videos, with really just WLANs to go, and two days until the test.

Then six days until the next test. I've lost some of my Route skills over the last year. (I'll be taking SWITCH exactly a year from the day I took ROUTE...)


Monday, February 24, 2014

Long time no post

Well, I've been a busy camper lately. Between the business, and now looking for new opportunities, it's been tough to think of helpful things to post for others.

That said, the CCNP journey continues, with a little more urgency. I'm in the midst of interviews right now with several great companies, but won't know more for a few weeks. Sitting at home without a plan is not really part of my M.O., so I've scheduled my CCNP SWITCH test. No going back. The plan is to schedule CCNP T-SHOOT the week after completing SWITCH, should I pass.

I should be able to remove the "Bust" from the title of the blog within two weeks, barring any unforeseen loss of grey matter.

Thought I'd drop a pic of the lab setup for HSRP/VRRP/GLBP labs:


Friday, February 7, 2014

Lots o' goodies. CCNA Security, Voice, and Wireless racks coming soon...

Picked up all of this from one lot for an insane price... (plus a 2970, three 2950Gs, and a couple of Cisco business-class routers and switches.)

And yes, that is a 3560 PoE switch.



I am only missing a power supply for the ASA. If it doesn't work when the power supply gets here, I'll probably cry a bit.



Saturday, January 25, 2014

ESXi - install complete

The ESXi install was a bit of an anticlimactic event.

It's pretty easy. Kudos to VMware. Figuring out how everything is situated and how VM installs go was a bit harder. I was having a hard time wrapping my head around client vs. host. Once I figured out the ISO could be installed from the vSphere client machine's DVD drive, everything went smoothly.

Have a VM running Ubuntu 12.04 now, and am getting ready to install another with Kali for some light Certified Ethical Hacker study.

This is kind of a lame post, so when I get done with my taxes, I'll do a screenshot walkthrough of the download, install, licensing, and then the install of Kali, for the ESXi noobs like myself.


Monday, January 20, 2014

Starting an ESXi 5.5 install.

So begins a foray into the VM world.

Installing ESXi onto the Dell Optiplex initially.

Good for only 60 days?

Seems like others were not paying for this.

Saturday, January 18, 2014

Adding more Storage... The hard way.

More noise, more power, moar FUN!!!

Adding a couple of terabytes of storage by Fibre Channel. It was cheap, and I still had a few Fibre Channel cards from the Dell 2950 I had a while back. We'll see if I can get it up and running as a home storage solution on 2 Gbps links.


Tuesday, January 14, 2014

Carrier E-line topology updated


One SRX on its way to a new home, the two NIB SRXs in beginning configuration to behave as much like MXes as one can make them. Still deciding on the second switch, but am running directly from the SRX to the ADVA 825. I don't really need to add a switch on that side. On the west side I am simulating a carrier hotel situation where we provide services to multiple customers in the same building on a switch, which would IRL be an EX4200, too costly for simulation.



Sunday, January 12, 2014

Topology for the almost finished Carrier E-Line network

After some good deal-making this last week, I'm one Juniper EX2200 short of my point-to-point Metro Ethernet simulated network. The final EX2200 might morph to an EX3300 or EX4200 with some luck, or more likely will be an EX2200-C-12T, although I wouldn't rule out a Cisco ME3400.

Here will be the topology:


Friday, January 10, 2014

CCNA Voice lab beginning

To facilitate a few other possible projects in the future, I'm beginning the build of a CCNA Voice lab.

I'll be looking for a few more phones and modules, and will eventually set up a SIP-based phone service here, possibly, just to say that I did it, maybe more, we'll see.

Oh, and the T3600 is up and running, if a bit hampered by some RAID controller card issues, on a single 64GB SSD for now.

These are the same workstations we use at work, but believe it or not, at 8GB of system RAM in my home system, I have twice as much as my workstation at work.

Our video cards at work, on the other hand, are no slouches. We have two W7000 4GB cards in each station. If you're asking why $1300 worth of video cards and only 4GB of system RAM in a workstation that does no CAD/CAM but runs 4-5 Java-heavy element management systems, you'd be asking the same question I do every day. I think I've finally goaded them into getting us 8-12GB loaded soon.

Such is the life of being a technical employee under decidedly non-technical managers. I had my shot to become one of them, but chose to stay on the engineering track. I'll revisit management again someday, but I've still got a ton of training and study to do before I'd feel qualified to manage another engineer.

Thursday, January 9, 2014

One step closer to a viable JNCIA-ENT/SEC lab

Just need to unload one SRX at a decent profit and pick up a second EX switch with the proceeds. Might spring for a 3200 or 4200 if one comes along cheap enough.

Monday, January 6, 2014

CCP aka Cisco Configuration Professional

I've had a real dearth of posts lately, due to both inherent craziness at work and a couple of other projects that I'm working on.

The home lab business was dry for a few months, then picked up with a vengeance right at Christmas. I sold 7 configured labs over a two-week period, ending the very last day of the year. Now that everything is shipped, I can get back to the projects I've been working on.

One of the projects will be... sometimes I forget the title of the blog, "CCNP or Bust". It probably seems to the outsider that it's more Bust than CCNP, but because of the limited use of Cisco gear at my day/night job, having the CCNP is less of a driving force. Becoming a well-rounded network engineer is more of a concern, with the MEF-CECP a much more desired certification where I work.

That said, I'll be back focusing on the CCNP between February and the end of March, with a desired completion date of March 27th. There is a good reason for this, so the posts will probably be coming in a flurry between the beginning of February and that date.

I likely will be trying to take SWITCH around the end of Feb. So as the kids say... "It's on like Donkey Kong"

I have a few toys coming as well. I have a Dell Precision workstation, a T3600, identical to the workstations we have at work, arriving today. The only thing it's missing is the dual W7000 video cards that they (for whatever reason) spec'd our systems with. It's a bit of an example of what it's like to work at a company in which most of the people, apparently even our IT department, don't really have a good grasp on what we do. $1300 for dual 4GB video cards, but only 4GB of system RAM. One can only chuckle. I picked up the entire workstation, with 8GB of system RAM, for likely less than my company paid for ONE of the video cards in my workstation at work. I estimate we probably overspent around $30,000 on our workstations.
I picked this up to run ESXi VMs for various reasons, including the evaluation version of Cisco Unified Communications Manager, eventually.

I also have two more Juniper SRX210s on the way to facilitate a focus on the JNCIA-ENT after the CCNP is finished. At some point, I'd like to get out of NOC work and into a 9-5, Monday through Friday position. I don't mind dealing with the occasional emergency network situation, but after nearly 8 years of constant fiber cut/network outage management, it's beginning to wear on me.


That all said, I do have a subject here, and it aligns with one of my other projects, to be named later...

Cisco Configuration Professional. Something one will have to have some experience with for some of the new CCNA tests, and likely the CCNP when the likely revamp of those comes.



I've set it up seriously for the first time. I have an 1841 discovered and now a 3560.

There are a few simple configurations you will need on the device to get it discovered:

  • an interface with an IP address on (or reachable from) the network the PC running CCP is on
  • a local username with privilege 15 and a secret, which is the account CCP logs in with
  • VTY lines with privilege level 15, login local, and transport input set (ssh and/or telnet)
  • the HTTP or HTTPS server enabled with local authentication (ip http server or ip http secure-server, plus ip http authentication local), since CCP talks to the device over HTTP(S)



and that's pretty much it