
CCIE Security #22317

I'd like to share a little of my lab-practice experience with everyone; I hope it will be useful to those of you preparing for the Security track.

I started practicing for CCIE Sec with IPExpert 4.0. Here is my assessment of some of the vendors' workbooks. If you are just starting lab practice, you should begin with Internetwork Expert or IPExpert. If your level is higher, you can start with NetMetric, by the author of Trinet Security, which was well known a while ago. The old CCBootcamp version is also quite good, but I don't have the new version, so I can't assess that set. Each person will choose one main set of books for lab practice, but you should also consult the other vendors' material, including workbooks and COD.

I chose the Internetwork Expert set as my main lab material. Most of the mini labs can be done with Dynagen and pemu. However, the labs involving WebVPN have to be done on a real ASA; for these labs you can use Cisco Elearning to work through and learn these features. Likewise, the IPS labs involving SPAN ports have to be done on a real switch.

IPExpert: each mini lab section takes 3-4 h and requires you to follow the config from beginning to end in order to understand the lab and the features. I rate the AAA part of IPExpert highly. I would rate the superlabs at about 6-7 compared with Internetwork Expert; the writing does not dig deeply into the issues, and many aspects that would bring you close to a real lab cannot be seen.

Internetwork Expert: a mini lab is relatively short and easy to understand, and the labs inherit config from the preceding ones. This lets you master each feature quickly. The features are gradually explored in more depth, and that depth is only seen in the superlabs. Do the labs and verify against the Internetwork Expert online forum; there really are many wrong answers in the workbook (no trust any solution except Cisco Document). According to Brian Dennis, you should do and thoroughly understand the labs rated about 7-8; there is no need to focus too much on the very hard labs rated 9-10, because that will cost you a lot of time.

Watching the COD by Brian Dennis, you can pick up lab experience from the mouse and keyboard handling and the copy-paste operations. In my opinion this is an extremely important factor that decides whether a lab is right or wrong: typing one thing wrong, or one extra space, will cost you a lot of time in troubleshooting. Routers and switches have no mechanism to check this. For example, if you declare an access-list above and then apply it to the interface under the wrong access-list name, the router and switch do not notice, but on the ASA and PIX firewalls it is OK.
One thing to keep in mind during the exam is to limit troubleshooting: if you can't find the error after 15-20 minutes, skip it and do the other parts. So you should get into the habit of doing labs by copy-paste, often even for IP addresses; it may take more time than typing, but it guarantees accuracy. That is hard-won experience from doing labs. I clearly remember one time troubleshooting EIGRP authentication for a friend. On one side the key was cisco; on the other it was cisco with an extra trailing space. Naturally, in show run the keys look identical to the naked eye. Only by highlighting the text or using show key can you see that the key inside the quotes has an extra space.

NetMetric

The workbook and DVD solutions: the videos are not complete and do not go into detail on each mini lab question, so the learner needs to have a firm grasp of the material before starting this set. I also felt overwhelmed before starting this set. In his COD, Khawar Butt is very pro, typing commands without using tab and knowing the commands by heart, but the risk is high.

Lab practice time

Practice the mini labs to understand the features for about 2-3 months. Once you are solid on Vol1, your ability to control the config will be very high and you will do the super labs very quickly. Practice Vol2 for about 2-3 months, and try to do each lab at least 2-3 times to get used to the way of thinking as well as the operations involved in doing a full lab. Spend 1 month getting used to looking things up in the documentation; look through the list of feature guides for each section beforehand so you can easily look things up by purpose, and at the same time review and consult Group Study and SecurityIE for the experience of those who went before.

Steps during the exam

Export all the initial Router and Switch configurations to the desktop. Prepare the common aliases in advance; I usually use a few aliases to configure and verify:

    Alias exec c conf t
    Alias exec sr show run
    Alias exec sir show ip route
    Alias exec sib show ip int brief

Read through the exam at least once. Start with the init configuration parts, and take care to do this part very thoroughly, because it decides whether you can do the later questions. Verify each part as you finish it. I note the main points right in Notepad. Try to finish the lab in 5-6 h and use the remaining time to verify.

When initializing the ASA or PIX, pay attention to VLAN tagging: depending on whether it is a physical or logical interface, configure the attached switch port as trunk or access VLAN accordingly. You should understand these VLAN tagging rules thoroughly. For multicontext, you need to understand thoroughly how traffic is classified to a context on a shared interface: NAT or MAC classify, depending on the requirement.
Order for verifying and troubleshooting: Layer 2, IP, Routing, NAT, ACL, ... Common commands for verifying config:

    show run | include abc|123|xyz
    show history

With show history you can copy a group of commands and drop them from one side to the other quickly. Make sure all traffic flows through. When applying ACLs and using CBAC or reflexive ACLs, remember to note down the inbound and outbound ACLs on the corresponding interfaces so that you can control the traffic passing through as required by the other questions. Master the rules for debugging traffic, e.g. deny ip a a log combined with logging console or buffered, or use debug ip policy (remember no ip route-cache on the interface, otherwise you won't see the log), policy routing

Site to Site VPN

Make sure the 2 entry points can see each other and have a route to the LAN on the other side. Path-clearing rule: check that VPN traffic such as udp 500, 4500 and esp is allowed. A few differences between Firewall and Router:

    Default Phase 1: ASA group 2, Router group 1
    VPN Client: group 2

Steps to verify Site to Site VPN on the ASA:

    Crypto isa enable outside
    Crypto map <name> interface outside
    NONAT for VPN traffic if there is NAT traffic or nat-control
    sysopt permit-vpn (bypass VPN ACL)

DMVPN

Permit GRE traffic between the 2 entry points; this step is needed before applying ipsec to the tunnel. Permitting udp 500 and esp is mandatory. Tunnel key: required for the interface to come up. NHRP network-id: required for NHRP to run; the other commands depend on client and server.

IPS

Understand clearly the rules for SPAN port, VLAN pair and Inline pair in order to configure the switch port accordingly. Traffic only really passes through once it is applied to a virtual sensor. Enable test signatures such as Echo (2004) or echo-reply (2000) to check that everything is working.

VPN Concentrator

Master the VPN 3k init operations such as IP, DefaultGW, ... Remember to add a rule to the Public Filter when using services such as RADIUS, ... from the Public interface. When configuring the VPN client, take care to choose the corresponding IP Address Assignment; if you forget, the client cannot get an IP. In addition there are the revert route factors combined with redistributing routes.

ACS Server

Get familiar with enabling the attributes needed to assign to users and groups, the differences between Radius and Tacacs+ in the corresponding attributes, and the AAA rules, to avoid getting logged out of the console when applying AAA.

There are many other issues; I will post them later when I get the chance. For a world of Vietnamese CCIEs.

On 4.9: RS was easier going; after all, I had practiced the IEWB 4.1 labs for 2 months (whereas for SP I had no chance to do labs, only studied theory). The exam was quite good, not very hard. By 11:55 I had done 60%; after 2 more hours I had completed 97%. One redistribute question was rather hard (I only got 2/3 of it done). I sat checking for 1 hour, then left. Result: pass #21953

Hi all,

While practicing for CCIE, I wrote down the things I had noted, and I want to share them with everyone, hoping they will give you one way of approaching CCIE.

I hope to receive additions and feedback from everyone who loves Cisco technology, so that together we can build the shortest path to CCIE :).
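
The two slips described in the first set of notes above, an access-list applied to an interface under a name that was never defined and a key-string with an extra trailing space, can be caught offline before troubleshooting starts. The following is an added example, not part of the original notes; the function name, regexes and sample config are constructed for illustration and cover only the plain IOS syntax shown.

```python
import re

# Constructed sample config (not from the page): an ACL name mismatch and a
# key-string with a trailing space, the two slips the notes describe.
SAMPLE = (
    "key chain EIGRP\n"
    " key 1\n"
    "  key-string cisco \n"
    "ip access-list extended OUTSIDE_IN\n"
    " permit udp any any eq 500\n"
    "access-list 101 permit esp any any\n"
    "interface FastEthernet0/0\n"
    " ip access-group OUTSIDE-IN in\n"
    "interface FastEthernet0/1\n"
    " ip access-group 101 in\n"
)

def lint_ios_config(text):
    """Return sorted (line_no, message) findings for an IOS-style config."""
    defined, refs, findings = set(), [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Named and numbered ACL definitions
        m = re.match(r"ip access-list (?:standard|extended) (\S+)", line)
        if m:
            defined.add(m.group(1))
        m = re.match(r"access-list (\S+) ", line)
        if m:
            defined.add(m.group(1))
        # ACLs applied to interfaces; checked after the whole file is read
        m = re.match(r"ip access-group (\S+) (?:in|out)\b", line)
        if m:
            refs.append((no, m.group(1)))
        # Test the raw line: a trailing space is part of the key
        m = re.match(r"\s*key-string (.*)$", raw)
        if m and m.group(1) != m.group(1).rstrip():
            findings.append((no, "key-string ends with whitespace: %r" % m.group(1)))
    for no, name in refs:
        if name not in defined:
            findings.append((no, "access-group references undefined ACL %r" % name))
    return sorted(findings)

if __name__ == "__main__":
    for line_no, message in lint_ios_config(SAMPLE):
        print(line_no, message)
```

Run it against the exported configs of both neighbours: a key-string finding on only one side points to the kind of mismatch described in the EIGRP story.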
