Friday, December 31, 2010

And its a wrap! Thank God for 2010

Its been a great year for me - I hope you had a great year too
To everyone that contributed in making my year awesome - Thanks!
To everyone that I had the privilege of meeting - Thanks!
To everyone that I might have offended - I apologize
And to everyone - Hope you all have a great 2011

The next post would be in the new year!



Friday, October 15, 2010

What Next?

Hi Everyone! (Wonder if anyone still reads this blog)

This is my first post after a long hiatus from blogging.

Its been four months since my Last major exam. I decided to take a very long break since the exam was very demanding and I had to make up for 'other parts of my life' that suffered while trying to obtain my second CCIE.

Now, Its time to answer the million dollar question: WHAT NEXT?

At 21, with 2 CCIEs, I have just completed my year of 'compulsory' service to my country (finally), and its time to make a major career decision.

1. Pursue an academic (technical) degree: A Masters in Engineering or some related course looks appealing (the perfect icing on the cake for the Bachelors) but just doesn't seem to fit in the grand career plan at the moment. I do not see the relative advantage that a masters degree would offer me at the moment, so I'll pass.

2. Pursue an MBA: A masters in Business Administration might expose me to the right business knowledge that would complement my technical skills but I dont think this is the right time for an MBA, I'm a techie at heart and I still love what I do. Maybe in the next 2 years but definitely not now.

3. More CCIEs: I have been toying with the idea of taking another CCIE in SP or Voice. The challenge and the knowledge that comes with the CCIE study process is just too much fun to ignore. But if I have to do any more CCIEs, I need to have the experience to back it up, so I would wait for a few months before I launch out.

4. CCDE: The CCDE exam intrigues me because of it acclaimed difficulty, some part of me wants to study for the exam while the other part is certain that the exam is not meant for mere mortals like me. After looking at Petr Lapukhov's recommended list of materials, I have decided that I would pass. That would take a few years to study :)

5. Nothing :)

Conclusion: I do not think I would be taking any milestone exams in the next few months. I would rather focus on getting enough experience and building my project profile. This might involve changing job-roles, changing organizations or even location as long as the goal is accomplished.

Please feel free to drop your comments, I actually need them :)

Hope to post some more (non-techie) stuff soon.

Thursday, June 17, 2010

It is done...Security Lab Passed!

Hi All,
I passed the security lab yesterday in Lagos (mobile lab) on my first attempt.
Thanks to everyone that was a part of this journey.
1. God: For grace, strength, courage, provision and favour.
2. Family: For all the support. Thanks a million.
3. Friends: You guys are the best. It's not easy to have so many friends when all you do is sit and stare at a screen all day.
4. Study Partners: (Tacack, Deolu, Peter) It was fun studying with you guys. Wishing Peter all the best as he takes the lab today!
5. Study groups: OSL totally rocks. Groupstudy, CLND and IEOC are also very helpful.
6. Everyone that wished me Luck :)

Study Materials
I used INE study materials (because I fell in love with them since my R&S) and they are very good. IPExpert also has some quality materials too. Yusuf's labs are also incredible and they show you what to look out for in the lab.

Once again, thanks for everything.
Amplebrain, CCIE R&S and Sec

Wednesday, June 2, 2010


In Real world,
1. We live in the 21st century

2. The legal adult age in most countries - Alcohol, rent-a-car etc.

In mathematics
3. A Fibonacci Number
4. A Triangular Number
5. A star number

6. An octagonal number

7. composite Number

8. A Harshad Number

9. A Motzkin number


10. Number of the perfection by excellence, 3 x 7, according to the Bible.

11. 21 chapters in the Gospel of St John

In Science/Networking :)

12. FTP port number

13. Atomic Number of Scandium

In entertainment & Sports:

14. Used to be a TV show

15. 21 points are required to win a game of badminton and tennis

16. A card game, also known as blackjack

17. Name of favorite movie :)

18. Number of spots on a cubical dice


19. Number of shots fired in a salute of Royalty

20. Number of demands sent to the Chinese by the Japanese in 1915

and finally.

21. That's how old I become today :)

Yep, Happy birthday to me!
Thanks to everyone who has made the day special so far.


Wednesday, May 26, 2010

7 wishes for 21

Its exactly 7 days to my 21st, and I am very excited. I am trying to make a wish list and I am finding it so hard (I'm just not used to making wishes :)
Anyway, here's my list - Just 7 items.

7. A smartphone: I'ld like a device that would keep me away from my laptop. I spend approximately 16hrs with *her* per day.

6. A PhotoAlbum: Yes, I intend to keep one :-)

5. A book - I can never omit this. Learning is what keeps me alive :) I'ld let you choose the kind of book :)

4. A transition ceremony: I personally consider 21 as the full transition to adulthood. I'ld like to celebrate this transition in a special way :)

3. A sincere opportunity to give back: All my life, I have experienced divine and human help in all my endeavors. I believe in paying-it-forward so I am looking for a *sincere* opportunity to give back in the little way I can.

2. A special gift in exactly 21days from now :)

1. A gift from the maker: Something special from the one who started me on this journey and has kept me for the past 2 decades.

That's it :-)

Saturday, May 8, 2010

GETVPN With Multicast Rekeying

Hi All,
A post by fellow CCIE-Sec Candidate TacAck made me do some research/revision on GETVPN Rekey. I would highlight my findings in this post.
1. There are 2 modes: Unicast and Multicast.
2. The Rekey address command references an access-list that is downloaded to the group members which makes them automatically join the group (for multicast Rekeying)
3. With Rekey Authentication, The crypto keys must be generated
4. Rekey is triggered by changing the SA access-list. Rekeys are retransmitted for a number of times n after a period p. This can be adjusted with the "rekey retransmit p n" command

Here is a sample config for the KS:

crypto isakmp policy 10
encr 3des

hash md5

authentication pre-share

crypto isakmp key CISCO address

crypto isakmp key CISCO address

crypto ipsec transform-set TRANS esp-3des esp-md5-hmac

crypto ipsec profile GET

set transform-set TRANS

crypto gdoi group GET

identity number 123

server local

rekey address ipv4 REKEY

rekey retransmit 10 number 2

rekey authentication mypubkey rsa GET

sa ipsec 1

profile GET

match address ipv4 GET

replay counter window-size 64

address ipv4

ip access-list ext REKEY
permit udp host ho

5. If an ASA is placed in between the KS and the GMs; two things must be considered.
1. Allowing GETVPN traffic especially if GMs are outside since the GM initiate the registration process. A hole should be punched to allow udp destination 848
2. Multicast traffic should be forwarded by the ASA. If the GMs are directly connected as in a STUB, then the "igmp forward" should be enough to forward the traffic.

Nuff said, time to take a break :)
Cheers, Amplebrain

Wednesday, April 28, 2010

My Favorite RFC

I have had to review several RFCs in the course of preparing for the security CCIE. Common ones include RFC 1918, 2827, 3704 and 3330 which are on the test. Other Fun RFCs include 2385, 3715, 3945 and 3947.
Today, I stumbled on what I would call my favorite RFC 1882 - 12 Days of technology before Christmas. This is a classic geeky joke. :D


Cheers, Amplebrain

Saturday, April 24, 2010

Ups and Downs

Hi All,
I have been extremely busy with work and studies. I hardly find time to prepare a technical post.
I salute everyone who had their CCIE while working on a full-time job (well, almost everyone did :-)
Sometimes, I feel ready, sometimes, like today, I just don't know. I definitely still have some work to do. In any case, I strongly feel that I'ld be ready for the beast if I can maximize the remaining 7weeks.

Nuff said, Time to get back to studying? Where are my routes :-)

Monday, April 5, 2010

Hardcore Studying

Hi All,
Happy Easter Celebrations to everyone.
I have been extremely busy these past few weeks and I hardly have anytime to create a detailed post. Merging work with studies hasn't been as easy as I thought :(

I am trying to see if i can put in approx 40hrs a week till my security lab in June...That should average to about 320 - 350 hrs of study before the security lab day. Currently using INE materials with gradedlabs rackrental. The Equipments are a little old though. Ild like to try out the proctorlabs if I can fit it into the budget.

I noticed that when connecting to the Workstations remotely either using VNC or Remote desktop;

1. Do not change the Adapter settings for the external interface.
2. Do not set another default gateway for the Lab interface as multiple default gateways confuse the Windows operating system.
3. Watch out for split tunnels when using EZVPN... You can lose your connection if you don't specify the split tunnel as the TestPC would attempt to route all INTERNET traffic through the EZVPN Tunnel.

Have fun studying...


Thursday, March 11, 2010

Cisco's New ASA 8.3(x)

The newly released ASA 8.3(x) software released by Cisco. Many new features have been added. Notable features include:
1. The Support of browser based VPN on Win7 and 64 but Windows
2. Overhaul of NAT config - static, global, NAT-config and alias commands have been retired.
3. Use of real (not NAT) addresses in the access-list configuration.

The new features can be found here.

I haven't tested the features yet so I dont have any personal opinion. I think I would have preferred that they left NAT the same way though :-).

The good news is that these 'features' would not appear on the Security lab for at least another six (6) months.

Have fun studying and working!

Cheers Amplebrain

Tuesday, March 9, 2010

A Year After...

Today makes it exactly one year since I became a Routing and Switching CCIE. I can't believe Its 365 days already. I can remeber my LAB day like it was yesterday.

Bruno was the Proctor. I walked into the lab feeling confident with my level of preparation but when I logged into my routers, they were all fully configured. I checked with Bruno (nice proctor) and he confirmed that it was their error - they failed to re-initialize the rack so the previous candidates configs were still on the rack. I had to wait for some minutes again. I lost all the composure I had.
By the time I was called in, I was a bag of nerves. I just stared at the screen and try to see if I could continue with my strategy. I just had to hope that there wasn't going to be any more mistakes that would cost me my lab. I wasn't ready to throw away 1750 dollars (I took the mobile lab).

The lab went well, OEQ were okay, The config section was good too. Finished on time, verified and identified some careless mistakes. Fixed them and verified again. I went home and waited till 1:30am and there was no mail from cisco. Fell asleep and woke at 4:30 am with an IM from my friend. He had passed. I logged in and there was it. PASS. I was so excited. Now i could focus on finishing school - I was in my final year in the University.

In the past year, a lot has changed. I have realized that a CCIE isn't by any means the pinnacle. It just gives you the opportunity to see farther. In the last year;

I graduated from the University,
I got a full time Job
I started this blog
I have learnt so much about so much.
I have been asked more questions than the previous 19years of my life before I became a CCIE

Looking back at the last year? Has it been worth it? YES...I wish I had a little more experience though but I am making up for that. :-)

Do I intend to take another CCIE? Yes: But the conditions are certainly different now - I am working (less time to study).

I hope that by the next 'anniversary', I'ld be a dual CCIE.

Right now, Its time to get back to studying.
Thanks for reading!

P.S: Cisco officially announced CRS-3 on my 'Anniversary'


Friday, February 26, 2010

Advertise maps in BGP

A recent discussion on groupstudy pushed me into labbing BGP again.
In BGP, Advertise maps are used for two functions;
1. Conditional Advertisement
2. Route aggregation.

In conditional advertisement, Advertise maps are with an EXIST-MAP (or NON-EXIST map) to perform conditonal advertisement. Here the advertise-map specifies a route-map that matches the prefixes that would be advertised ONLY if the prefixes in the EXIST-MAP exist in the routing table.

The syntax is "neighbor ip-address advertise-map map-name {exist-map|non-exist} map-name"

The other use of advertise-maps is in specifying what attribute would be carried along in the as-set attributes of an aggregate during summarization.

Assume we have R1, R2,R3 and R4 in AS 1, 2,3 and 4 respectively
R1 -- R4 --- R3

R1, R2, and R3 advertise 150.1.x.0/24 into bgp where x is the router number.

R4 aggregates the routes to 150.1..0.0/16 with as-set attribute.
By default, none of the routers get the update anymore since their
individual routes are a part of the summary.

Using advertise map, we want to make R1 and R3 get the summary; so we only advertise the attributes of the prefix form R2 with the summary.

Using as path access-lists and route-maps on R4 we have,

ip as-path access-list 1 permit ^2$
route-map adv permit 10
match as-path 1

router bgp 4
aggregate-address as-set summary-only advertise-map adv

Now, R1 and R3 get the summary, R2 doesn't because its AS number is carried along with the summary

R1(config-router)#do sh ip bg | i
*> 0 0 4 2 i

R2(config-router)#do sh ip bg | i

Ok. That's it for now. Back to security :-) I was trying to look into NAC with the CTA and CSA. Fun stuff :D


Friday, February 5, 2010

Death of Dynamips...or NOT?

Hi All,

Cisco has introduces software licensing with the IOS 15.0
My first reaction was to mourn the exiit of my faithful friend...DYNAMIPS.

But on a closer look, the IOS licensing DOES NOT directly affect dynamips.

"Cisco Software Activation is a simplified approach to software deployment and management, and is implemented on Cisco Catalyst 3750-E and 3560-E Switches and Cisco Integrated Services Routers Generation 2"

Dynamips CANNOT emulate the devices with licenses yet.

The Licensing hasn't been implemented on the 7200s yet so we can still run the 15.0 on the 7200 routers.

Thanks to Ivan of "Cisco IOS Hints and Tricks" for pointing this out.

I guess we can still have fun studying afterall :-)

Tuesday, February 2, 2010

Creating a Loopback Adapter on Windows 7

The Microsoft Loopback Adapter is a very useful tool for setting up networks with dynamips/gns3 when you need to connect the emulated network to the life system.
Instances include; setting up a terminal Server, connecting to a AAA server, using a VPN Client etc.

With Windows XP/Vista, creating a Loopback Adapter is Pretty Easy;

1. Go to control Panel
2. Click Add Hardware
3. Select Install Hardware from list,
4. Select Network Adapters
5. Select Microsoft as the Manufacturer
6. Select Microsoft loopback Adapter
7. Click Next and Install...
With Windows 7, there is a slight problem; "Add Hardware" is no longer in the Control Panel.
It is now a hidden feature that has to be run by an adminstrator from command prompt.

To get to the Add Hardware program;

1. Run command prompt as Administrator.
2. From command prompt, Run "hdwwiz.exe"

To install the Loopback Adapter, Follow steps 3 through 7 above.

Have fun studying.

Saturday, January 30, 2010

Cisco Mobile Lab in Nigeria

The CCIE Mobile Lab would be in Nigeria between June 14 and 18. There are 6 R&S slots and a security slot per day.
I hope I would be ready for my security lab by then :-)
More info can be found here.

It's time to quit playing around and get into hardcore studying. This is barely 4 months away.

Wish you all the best with your studies. CCIE Security - here I come!


Monday, January 25, 2010

Cisco Updates CCNP and introduces new Service Operations Track

Hi All,

Today, Cisco announced a big change in the Certifications path.
The CCNP has been entirely revised. There are now 3 exams;
Route - Replaces the BSCI
Switch - Replaces BCMSN
TShoot - Brings back troubleshooting into the game.

All exams would be 120mins long and cost $200
While the BSCI and BCMSN exams are stil a valid for 3 years, the ISCW and ONT are only valid (count towards the completion of your CCNP) till end of July.

The Tshoot exam would a hands-on exam - barely 10% theory.
The exam focuses more on Routing and Switching and is a lot deeper. IPV6 also has its fair share on the exam.

Finally, My favorite Authors get to write the Cisco Press Cert guide: Wendell Odom, David Hucaby and Kevin Wallace

The SP Operations track focuses on IP Carrier Ethernet NGN Networks. The SP Operations is a full track with Associate, Professional and Expert level Exams. Yes, anothe CCIE. Oh Damn Cisco! More info on the Cisco Learning Network.

Right now, It's tiime to focus on getting the CCIE Security before I am old enough to rent a car.

Study hard, Learn stuff and most importantly, have fun!



Monday, January 11, 2010

ASA Transparent mode NAT

The ASA transparent mode acts as a bump in the wire (Placed in the layer 2 path of the traffic). There is no interface IP addressing with transparent mode. The ASA can be assigned an IP address for remote management and testing. In the transparent mode, there are still access rules and inspection rules. There are a few exceptions though. For instance, ARP and BPDU is allowed from lower security level interfaces by default.

With the ASA 7.x code and lower, the ASA did not support address translation in transparent mode. In fact, the 'nat' and 'global' commands were disabled. The static command was available but the real and translated addresses must be the same. IMO, the command was enabled so that the static options can be used. An example would be the 'norandomseq' keyword that is used in BGP authentication.

With the ASA code 8.x code, there is now support for NAT in transparent mode.
The NAT implementation has a few caveats:
1. The alias command is NOT supported.
2. Since there is no interface address, interface PAT is not allowed.
3. Arp Inspection is not allowed
4. Since the inside and outside interfaces are on the same 'subnet', if any of the addresses (real or translated) is NOT on the subnet, then static routes have to be used to point to the address so that routing can take place. This is from the configuration guide:

"When the mapped addresses are not on the same network as the transparent firewall, then on the upstream router, you need to add a static route for the mapped addresses that points to the downstream router (through the security appliance)

If the real destination address is not directly-connected to the security appliance, then you also need to add a static route on the security appliance for the real destination address that points to the downstream router. Without NAT, traffic from the upstream router to the downstream router does not need any routes on the security appliance because it uses the MAC address table. NAT, however, causes the security appliance to use a route lookup instead of a MAC address lookup, so it needs a static route to the downstream router."

With the Routing fixed, NAT with the ASA transparent mode should not be too different from the regular routed mode NAT.

Further Reading:
ASA Configuration Guide: NAT in Transparent mode