So it has been some time since my last post; since then I have started a new job, moved 1200 miles, and all around have just been trying to get settled back into a steady pattern where I can consistently learn.

There are two areas that I have been focusing on and want to keep focusing on.

  1. Palo Alto Firewalls – This is related to the new job, and boy is there a lot of information to ingest; it is extra challenging doing it remotely with everyone else being so busy.  There are days that I feel like I am making great progress and then other days it is almost overwhelming.
    1. Side Projects
      1. Aligning the Life-of-a-Packet and Life-of-a-Session process with device hardware.
      2. GlobalProtect analysis script
  2. Python Development – I have not decided where I want to take this at this point, so right now I have two learning projects that I am looking to focus on.
    1. Migrate the site that I built with my son-in-law for my wife (GMMIndex.com) from the Laravel framework to the Django framework.
      1. The database calls are taking too long.
        1. When the site was first built I did not understand how Laravel created its own database structure.
        2. I found it a bit confusing to get customer database info pulled from the database that I had already built.
    2. Finish the Python hardware course that I had started previously with my Raspberry Pi, on which I have several posts.

It will be fun to get back to focused learning and continue growth.

So Christmas has come and gone and a whole new set of toys to play with!!

So I picked up my first Raspberry Pi 4 to start learning with, nothing like getting your hands on something to really learn it.

Raspberry Pi 4 Setup

To start learning, and not just have another piece of equipment lying around, I also picked up the Freenove Ultimate Starter Kit: 57 projects with step-by-step directions, using either Python or C/C++, to manipulate the hardware that comes with it.

Freenove Ultimate Starter Kit for Raspberry Pi 4 B 3 B+ 400, 434-Page Detailed Tutorials, Python C Java Code, 223 Items, 57 Projects, Solderless Breadboard

I figure this will help me understand Linux as well as the Python that I learned in the summer of 2019.

In addition to the hardware and projects, I also picked up “RHCSA Red Hat Enterprise Linux 8 – Training and Exam Preparation Guide” by Asghar Ghori.

The real challenge will be finding time to learn Linux, as I just accepted a new position with Palo Alto Networks and will also be working toward my PCNSE, which I have been told I should attempt to have within the first year.

First project down… only 56 to go with whatever projects that I come up with along the way.

As I continue to work toward improving myself the next foundation item that I will be focusing on is the Red Hat RHCSA Certification EX200. 

Reviewing the certification details on the official site, I knew that alone would not be enough, so I combined the official skills list with the outline of the LinkedIn Learning course Cert Prep: Red Hat Certified System Administrator (EX200). My Red Hat Certified System Administrator study guide will follow the outline below.

The research and study documentation I am going to use:

Available devices that I will be using for hosting the OS:

  • Oracle VM Virtualbox – On Microsoft Surface Book 2
  • HP Laptop running Kali Linux
  • HP Workstation running Ubuntu 20.04
  • Raspberry Pi 4 – Nothing loaded on it at this time.

I am targeting the End of April/Beginning of May to take the exam.

RHCSA – Red Hat Certified System Administrator study guide

  • Understand and use essential tools
    • handling files
      • Create
      • Edit
      • Archive and compress files
    • directories
    • command-line environments
      • Redirection
      • File Management
    • documentation
    • Schedule recurring tasks
  • Create simple shell scripts
    • BASH
    • Python
    • Lua
    • Tcl
    • Ruby
    • Grep and regular expressions
  • Operate running systems, including
    • booting into different targets (run levels) manually
    • identifying/Manage processes
    • starting and stopping virtual machines
    • controlling services
    • Interrupt the boot process to gain access
    • Read log files and journals
  • Configure
    • local storage
      • partitions
        • Create
        • Delete
    • Logical volumes management
    • Networking
    • Bootup/modify the bootloader
  • Create and configure
    • file systems and file system attributes, such as
      • permissions
      • encryption
      • access control lists
      • network file systems
        • Mount and unmount
      • Securely transfer files
      • Create and configure
        • Format
        • Mount
        • Unmount
      • Manage SUID, SGID, and sticky bits
  • Deploy, configure, and maintain systems
    • software installation
    • updates
    • core services/kernel packages
    • Linux system Virtual guests
      • Access virtual machine’s console
      • Start/stop virtual machines
  • Manage users and groups
    • Create
    • Delete
    • Modify
    • Password/password aging
    • Use Authentication Systems
  • Manage
    • Security
      • Firewall
      • Key-based authentication for SSH
    • SELinux configuration
      • Modes
      • Security Context
        • Restore Default
      • Modify Booleans
      • Diagnose policy violations
  • Perform basic container management

 

LET THE FUN Begin!!!

It has been a long while since my last post, but the information below covers items that I learned, studied and used in labs before my test.

I took my test on December 1st, and it was more challenging than I thought it would be, but at the end of the test I can say that I passed. After a short break hanging out with the family and a few video games with my son, I am doing a recap and starting my next learning adventure, which is the Red Hat RHCSA.

There was a good period of time where I was not posting, but I was for sure studying.  I used the following three items to finish up before the big day.

With the items above and past knowledge I was able to pass my test, but there are two things that I would add to this if I were prepping for it again.

  • Review the Cisco blueprint in more detail (there was a question about password managers, which is listed on the blueprint in 5.4).
  • Use a physical CCNA study book.
    • The videos were great and I do feel they covered all the topics, and even more than what was needed, but there were some questions that had me thinking more than I thought I should need to, and another source that focused on the test as opposed to teaching would have been great after the Udemy and Keith Barker info.

So, final opinion: the CCNA should not be taken lightly, especially if you have not been working on Cisco devices before or, in my case, in a few years.  The Boson test was great, but don’t expect to see any word-for-word questions or even closely worded questions.

Here is what it all led to: my official piece of paper that says I actually know what I am talking about, to back up my experience:

https://www.youracclaim.com/badges/aa3a51e0-6ecb-4a87-ab3b-b25920fd943f

CCNA Studying

I do feel that I am getting very close to taking the test, but $300 is nothing to throw around, so here are a few things that I have been learning that I either missed or that the study course did not cover in the way the test questions needed, so they required additional studying.

  • APIs used for communication from the controller up (northbound) to applications or down (southbound) to the network infrastructure.
    • Northbound APIs – Used to talk from the controller to applications
      • REST – Representational State Transfer
      • OSGi – Open Services Gateway initiative (Java-based)
    • South-bound APIs
      • OnePK
      • OpenFlow
      • OpFlex
      • NETCONF
  • LLDP (Link Layer Discovery Protocol)
    • Advertises every 30 seconds (default)
      • Configurable to 5-65534 Seconds
      • (config)#lldp timer [time]
    • Default – 120-second hold time
      • Configurable to 0-65535
      • (config)#lldp holdtime [time]
  • CDP (Cisco Discovery Protocol)
    • Advertises every 60 seconds (default), with a 180-second hold time (default)
  • auto-cost reference-bandwidth (OSPF)
    • Cost = reference bandwidth (default 100 Mbps) / interface bandwidth, so every link of 100 Mbps or faster gets cost 1 unless the reference bandwidth is raised
  • Virtual MAC addresses used by FHRPs (First Hop Redundancy Protocols)
    • VRRP (Virtual Router Redundancy Protocol) – open-standard FHRP (IETF), not Cisco proprietary
      • 0000.5E00.01XX (XX = VRID)
    • GLBP (Gateway Load Balancing Protocol)
      • 0007.b400.XXYY (XX = group, YY = forwarder)
    • HSRP (Hot Standby Router Protocol)
      • Version 1
        • IPv4 
          • Group Address – 224.0.0.2
          • UDP Port: 1985 
          • Virtual MAC: 0000.0c07.acXX
            • The last two hexadecimal digits are the group number (0–255).
      • Version 2
        • IPv4
          • Group address – 224.0.0.102
          • UDP Port: 1985
          • Virtual MAC: 0000.0c9f.fXXX (last three hex digits = group, 0–4095)
        • IPv6
          • Group address: ff02::66
          • UDP Port: 2029
          • Virtual MAC: 0005.73a0.0XXX (last three hex digits = group)
  • Ethernet frame
    • 7-byte preamble field
    • 1-byte start-of-frame delimiter (SFD) field
    • 6-byte destination address field
    • 6-byte source address field
    • 2-byte type field (values below 0x0600 are an 802.3 length instead)
    • data field in the range from 46 through 1500 bytes (padded up to 46 if shorter)
    • 4-byte Frame Check Sequence (FCS) field (CRC-32)
    • Preamble and SFD are never seen in a packet capture; the minimum frame from destination MAC through FCS is 64 bytes
  • IPv6 addresses to remember
    • Unicast
      • Link-local address
        • fe80::/10 (configured as fe80::/64 on an interface)
        • 1111|1110|10xx|xxxx
      • Unique local address (ULA) – replaces the deprecated site-local range
        • fc00::/7 (fc00::/8 and fd00::/8; fd00::/8 is what gets used in practice)
        • 1111|110x|xxxx|xxxx
      • Global unicast
        • 2000::/3 (2001::/16 is the most common block; 2001:db8::/32 is reserved for documentation)
        • 001x|xxxx|xxxx|xxxx
      • Site-local (deprecated, do not use)
        • fec0::/10
        • 1111|1110|11xx|xxxx
      • Loopback
        • ::1/128
    • Multicast address
      • ff00::/8
      • 1111|1111
      • Routing protocol groups – link-local scope (ff02::/16), never routed off the link
        • FF02::5 – All OSPF routers
        • FF02::6 – OSPF DR/BDR routers
        • FF02::9 – RIP routers
        • FF02::A – EIGRP routers
    • IPv4-compatible (deprecated)
      • ::/96
      • The last 32 bits hold the IPv4 address (the IPv4-mapped form ::ffff:0:0/96 is what is still used)
  • Hex to binary
    • 0000 – 0
    • 0001 – 1
    • 0010 – 2
    • 0011 – 3
    • 0100 – 4
    • 0101 – 5
    • 0110 – 6
    • 0111 – 7
    • 1000 – 8
    • 1001 – 9
    • 1010 – a
    • 1011 – b
    • 1100 – c
    • 1101 – d
    • 1110 – e
    • 1111 – f
  • Route determination (metrics)
    • EIGRP
      • Sum of the segment delays along the path
      • The lowest segment bandwidth along the path
    • RIP
      • Hop count
    • OSPF
      • Reference bandwidth / interface bandwidth, summed for every link along the path
  • ASBR (Autonomous System Boundary Router)
    • A router becomes an ASBR when it injects external routes into OSPF, e.g. with default-information originate or redistribute
  • Leaf – Spine
    • Leaf – Switch that connects the end devices and provides their north/south communication
    • Spine – Interconnects the leaf switches (east/west communication between leaves); every leaf connects to every spine, and traffic leaving the fabric goes out through a leaf
  • EPG – Endpoint Groups
    • Used to map applications to the network
    • Act as a container for application components and tiers to which forwarding and policy logic can be applied
    • Allow the separation of network policy, security and forwarding from addressing
  • APIC – Application Policy Infrastructure Controller
    • Object-oriented model based on Promise Theory
      • Promise theory is based on declarative, scalable control of intelligent objects
      • Relies on the underlying object to handle configuration state changes initiated by the control system
      • Objects are responsible for passing exceptions or faults back to the control system
    • Object model focused on the deployment of applications.
  • Configuration management software
    • Chef
      • Communicates over HTTPS on TCP port 443
      • Runs on Linux, UNIX and Windows
      • Client/server architecture
      • Configuration is written in cookbooks (Ruby DSL) stored on the Chef server
      • Chef clients pull cookbooks from the server
      • Standalone clients run cookbooks from a local directory or from a tar.gz archive on the internet.
    • Puppet
      • Server accepts inbound requests from agents
      • HTTPS on TCP port 8140
      • Considered the most widely used
      • Runs on Linux, UNIX and Windows
      • Client/server architecture
      • Manifests are written in the Ruby-like, declarative Puppet DSL
    • Salt
      • Communicates on TCP ports 4505 and 4506
      • Client/server
        • Salt Master
        • Salt Minion
      • Uses ZeroMQ to communicate
      • Can use Salt SSH without an agent, but it is slower.
      • States written in YAML, Python or the Python Domain Specific Language (PyDSL)
    • Ansible
      • Uses SSH over TCP port 22
      • Runs on Linux/UNIX and Windows
      • No agents
      • Playbooks written in YAML
  • RED (Random Early Detection) vs WRED (Weighted random early detection)
    • RED
      • Drops packets randomly
      • High priority packets and low priority packets drop at the same rate.
    • WRED
      • Uses per-class minimum/maximum thresholds to decide which packets to drop
      • Starts dropping packets of a class once the minimum threshold for that service level is exceeded
      • Low-priority packets are dropped first; high-priority packets are dropped only when the queue is closer to full
  • Cisco logging severity levels mnemonic
    • Every Awesome Cisco Engineer Will Need Ice Cream Daily
      • 0 – Emergency
      • 1 – Alert
      • 2 – Critical
      • 3 – Error
      • 4 – Warning
      • 5 – Notification
      • 6 – Informational
      • 7 – Debugging
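As an added example (not code from the original post) tying together the Ethernet frame layout and the FHRP virtual MAC notes above: a small frame parser that checks the FCS and flags destination or source MACs that belong to an HSRP, VRRP or GLBP group. The frames and MAC addresses are constructed for the demo; the preamble and SFD are left out because a capture never contains them.

```python
"""Parse an Ethernet II frame and recognise FHRP virtual MAC addresses.

Added example for the frame-layout and FHRP study notes; not code from the
original post. Frames below are constructed. A capture never contains the
7-byte preamble or 1-byte SFD, so parsing starts at the destination MAC and
ends with the 4-byte FCS.
"""
import struct
import zlib

MIN_PAYLOAD = 46    # payload is padded to this so a frame is never under 64 bytes
MAX_PAYLOAD = 1500


def mac_to_bytes(mac: str) -> bytes:
    """Accept 00:00:0c:07:ac:0a, 0000.0c07.ac0a or 00-00-0c-07-ac-0a."""
    return bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def identify_fhrp(mac: str):
    """Return (protocol, group) if mac is an FHRP virtual MAC, else None.

    Patterns as in the study notes: HSRPv1 0000.0c07.acXX, HSRPv2 0000.0c9f.fXXX,
    HSRP for IPv6 0005.73a0.0XXX, VRRP 0000.5e00.01XX, GLBP 0007.b400.XXYY
    (XX = group, YY = forwarder).
    """
    b = mac_to_bytes(mac)
    if b[:5] == bytes.fromhex("00000c07ac"):
        return ("HSRPv1", b[5])
    if b[:4] == bytes.fromhex("00000c9f") and b[4] >> 4 == 0xF:
        return ("HSRPv2", ((b[4] & 0x0F) << 8) | b[5])
    if b[:4] == bytes.fromhex("000573a0") and b[4] >> 4 == 0x0:
        return ("HSRPv2-IPv6", ((b[4] & 0x0F) << 8) | b[5])
    if b[:5] == bytes.fromhex("00005e0001"):
        return ("VRRP", b[5])
    if b[:4] == bytes.fromhex("0007b400"):
        return ("GLBP", b[4])
    return None


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Assemble dst | src | type | padded payload | FCS (CRC-32, sent little-endian)."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 1500 bytes")
    body = (mac_to_bytes(dst) + mac_to_bytes(src)
            + struct.pack("!H", ethertype) + payload.ljust(MIN_PAYLOAD, b"\x00"))
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_frame(frame: bytes) -> dict:
    """Split a frame into its fields, verify the FCS and flag FHRP virtual MACs."""
    if len(frame) < 14 + MIN_PAYLOAD + 4:
        raise ValueError("runt frame")
    body, fcs = frame[:-4], frame[-4:]
    dst, src = mac_to_str(body[0:6]), mac_to_str(body[6:12])
    (ethertype,) = struct.unpack("!H", body[12:14])   # below 0x0600 it is an 802.3 length
    return {
        "dst": dst, "src": src, "ethertype": ethertype, "payload": body[14:],
        "fcs_ok": struct.unpack("<I", fcs)[0] == (zlib.crc32(body) & 0xFFFFFFFF),
        "dst_fhrp": identify_fhrp(dst), "src_fhrp": identify_fhrp(src),
    }


if __name__ == "__main__":
    # Constructed: an IPv4 frame addressed to the HSRPv1 group 10 virtual MAC
    frame = build_frame("00:00:0c:07:ac:0a", "00:1a:2b:3c:4d:5e", 0x0800, b"\x45" + b"\x00" * 19)
    print(parse_frame(frame))
```

The parser does not handle 802.1Q-tagged frames (ethertype 0x8100 inserts four bytes before the real type field). Recognising a virtual MAC on the wire is how you spot which gateway protocol and group a segment is running before you look at the UDP 1985/2029 payload.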

Wi-Fi, WLAN, WLC

If you are not subscribed to Keith Barker and you are working on getting your CCNA, why are you doing it wrong 😉 .  Take a moment and show Keith your support and subscribe: https://www.youtube.com/user/Keith6783

Reviewing the WLC concepts before completing that last lab of Neil Anderson’s Udemy Cisco CCNA 200-301 course: https://www.udemy.com/course/ccna-complete/

  • 4:28 – From the ground up design plan
  • 6:02 – Talk about WLC (Wireless LAN Controller) & APs (Access Point)
  • 12:56 – Packet Tracer config
    • 13:36 – Add Switch, server, laptop, WLC, LAP-PT and smart client
    • 16:15 – Configure server
      • DHCP server was not turned on but fixed later.
    • 18:35 – Configure WLC management IP
    • 20:00 – Wire-up WLC, Server & Laptop
    • 21:25 – Configure laptop and turn on DHCP
    • 24:00 – Configure WLC through web interface
    • 33:00 – Connect APs to network
  • 37:45 – WLC Review
  • 45:17 – Packet Tracer Physical View
  • 46:50 – theKeithbarker.com
  • 51:45 – Q&A

Cisco Device Management Configuration

Goal: Configure Syslog and SNMP (Simple Network Management Protocol) logging.

SNMP and Syslog

  • Configure SNMP communities, read-only and read-write
    • #conf t
    • (config)#snmp-server community [community-string] ro
      • Read-only
    • (config)#snmp-server community [community-string] rw
      • Read-write
    • NOTE: SNMPv1/v2c community strings travel in clear text, so treat them as passwords: avoid well-known values like public/private, restrict them with an ACL (an ACL number can follow ro/rw), and only configure rw if something actually needs it.
  • Configure a syslog server and send it all severities
    • (config)#logging 10.0.0.100
    • (config)#logging trap debugging
  • Verify the logging level
    • #show logging

Cisco Device Security Configuration Lab

Secure administrative access to Cisco routers in a small network.

Secure Privileged Exec Mode

  • Set the enable password
    • #conf t
    • (config)#enable password [password]
  • Set the enable secret password
    • #conf t
    • (config)#enable secret [password]
    • NOTE: While both passwords can be set, the “secret” overrides/supersedes the standard enable password.
  • Show passwords
    • #show running-config
    • NOTE: The secret is stored as a hash and cannot be read back, while the standard enable password is shown in plain text.
  • Ensure all plain-text passwords are obscured
    • #conf t
    • (config)#service password-encryption
    • NOTE: This produces type 7 strings, which are reversible and trivially decoded; it only hides passwords from someone glancing at the config. Use enable secret and username … secret for real protection.

Secure Remote Telnet and SSH Access

  • Ensure users are logged out after 15 idle minutes on the console and virtual terminals
    • Console
      • #conf t
      • (config)#line console 0
      • (config-line)#exec-timeout 15 0
    • Virtual (vty)
      • #conf t
      • (config)#line vty 0 15
      • (config-line)#exec-timeout 15 0
  • Allow only the workstation at 10.0.0.10 to telnet to the router, with a different password
    • Create an access list
      • (config)#access-list 1 permit host 10.0.0.10
    • Apply the list to the vty lines
      • (config)#line vty 0 15
      • (config-line)#access-class 1 in
      • (config-line)#password [password]
      • (config-line)#login
  • Telnet users to the router should see an “Authorized users only” message
    • (config)#banner login [delimiter character]
    • message
    • [delimiter character]
  • Configure login to require a username and password
    • #conf t
    • (config)#username [username] secret [password]
      • (username … password is also accepted, but stores the password as type 0/7 instead of a hash)
    • (config)#line vty 0 15
    • (config-line)#login local
    • NOTE: login local makes the line use the local username database and supersedes the line password.
  • Allow SSH to the router
    • #conf t
    • (config)#ip domain-name [name]
    • (config)#crypto key generate rsa
    • How many bits in the modulus [512]: 2048
      • SSH version 2 requires at least 768 bits; 2048 or more is what you should actually use, and SSH version 2 should be enforced.
    • (config)#line vty 0 15
    • (config-line)#transport input ssh
      • NOTE: Need to know the ssh client command for the CCNA test
        • ssh -l [username] [ip address]
  • Set the console to use a password and no username
    • #config t
    • (config)#line console 0
    • (config-line)#login
    • Router output: % Login disabled on line 0, until ‘password’ is set
    • (config-line)#password [password]
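As an added example (not code from the original post) for the SNMP/Syslog and device security labs above: a small audit script that reads a running-config and flags the weak settings those labs are meant to remove, and a type 7 decoder that shows why `service password-encryption` is not a substitute for `enable secret`. Both sample configs are constructed for the demo (on a real device the `secret` lines would show as hashes, and the domain name `lab.example` is an arbitrary choice).

```python
"""Audit a Cisco IOS running-config for weak management settings.

Added example for the device security labs; not code from the original post.
Both configs are constructed. The type 7 decoder implements the well-known
reversible scheme used by `service password-encryption`.
"""
import re
from typing import Dict, List

# Fixed key of the type 7 scheme: the first two digits of a stored value are the
# starting offset into it; each following hex byte is XORed with the next key byte.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    seed = int(encoded[:2])
    out = bytearray()
    for i in range(2, len(encoded), 2):
        out.append(int(encoded[i:i + 2], 16) ^ _XLAT[seed % len(_XLAT)])
        seed += 1
    return out.decode()


def _line_blocks(config: str) -> Dict[str, List[str]]:
    """Group the indented lines under each `line con/vty ...` stanza."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def audit_config(config: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    findings = []
    for raw in config.splitlines():
        s = raw.strip()
        m = re.match(r"enable password(?: (\d))? (\S+)$", s)
        if m:
            if m.group(1) == "7":
                findings.append(f"enable password is type 7, decodes to {decode_type7(m.group(2))!r}; use enable secret")
            else:
                findings.append("enable password stored in clear text; use enable secret")
        m = re.match(r"username (\S+) password(?: (\d))? \S+$", s)
        if m:
            findings.append(f"username {m.group(1)!r} uses 'password' (type 0/7); use 'secret'")
        m = re.match(r"snmp-server community (\S+) (ro|rw)\b", s, re.I)
        if m:
            if m.group(2).lower() == "rw":
                findings.append(f"SNMP read-write community {m.group(1)!r}; remove or restrict with an ACL")
            if m.group(1).lower() in ("public", "private"):
                findings.append(f"SNMP community {m.group(1)!r} is a well-known default")
    for name, body in _line_blocks(config).items():
        if any(re.fullmatch(r"no exec-timeout|exec-timeout 0(?: 0)?", b) for b in body):
            findings.append(f"{name}: exec-timeout disabled, idle sessions never close")
        if name.startswith("line vty"):
            transport = next((b for b in body if b.startswith("transport input")), None)
            if transport != "transport input ssh":
                findings.append(f"{name}: transport input not restricted to ssh ({transport or 'default'})")
            if "login local" not in body and not any(b.startswith("login authentication") for b in body):
                findings.append(f"{name}: no per-user login (login local / AAA)")
            if not any(b.startswith("access-class") for b in body):
                findings.append(f"{name}: no access-class limiting management sources")
    return findings


# Constructed sample: what the lab starts from (the type 7 value is the well-known encoding of "cisco").
WEAK_CONFIG = """\
hostname R1
enable password 7 0822455D0A16
username admin password 0 admin123
snmp-server community public RO
snmp-server community private RW
line con 0
 exec-timeout 0 0
line vty 0 4
 password cisco
 login
 transport input telnet
"""

# Constructed sample: what the lab ends with (secrets shown here as typed, hashed on a real box).
HARDENED_CONFIG = """\
hostname R1
service password-encryption
enable secret StrongEnablePassphrase
username admin secret StrongAdminPassphrase
ip domain-name lab.example
ip ssh version 2
access-list 1 permit host 10.0.0.10
snmp-server community N0tPubl1c RO 1
line con 0
 exec-timeout 15 0
 login local
line vty 0 15
 exec-timeout 15 0
 access-class 1 in
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for finding in audit_config(WEAK_CONFIG):
        print("WEAK:", finding)
    print("hardened findings:", audit_config(HARDENED_CONFIG))
```

Run it against the output of `show running-config` saved to a file. The checks are deliberately simple string matches on the stanzas the labs touch; a real audit would also parse AAA, SNMPv3 and HTTP server settings.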

NTP Network Time Protocol

  • Configure NTP to synchronize its time with 10.0.1.100 and set the timezone to Pacific Standard Time
    • (config)#ntp server 10.0.1.100
    • (config)#clock timezone Pacific -8
  • Show the time and verify NTP sync (exec mode)
    • #show clock
    • #show ntp status

Switch Management

  • Configure switch with an ip address on vlan 1
    • #conf t
    • (config)#int vlan 1
    • (config-if)#ip address 10.0.1.50 255.255.255.0
    • (config-if)#no shut
    • (config-if)#exit
    • (config)#ip default-gateway 10.0.1.1

Cisco IPv6 Configuration Lab

Goal: Configure the network to be dual-stack by adding support for IPv6 addresses.

Verify IPv4 Connectivity

  • Verify routers have been configured with IPv4 addresses
    • #show ip int brief
  • View routes between routers
    • #show ip route

IPv6 Addressing

  • Configure a global unicast IPv6 address
    • (config)#int [interface]
    • (config-if)#ipv6 address [ipv6 address]/[prefix length]
  • Configure devices with EUI-64 (the interface ID is derived from the MAC: U/L bit flipped, ff:fe inserted in the middle)
    • (config-if)#ipv6 address [ipv6 network address]/[prefix length] eui-64
  • When an IPv6 address is configured, the interface also automatically gets a link-local address that starts with FE80::
  • Show IPv6 neighbors
    • #show ipv6 neighbors

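As an added example (not code from the original post) for the IPv6 address notes in the CCNA study list and the EUI-64 lab step above: a classifier that puts an address into the right range (link-local, ULA, global, deprecated site-local, multicast with scope, IPv4-mapped) and a function that computes exactly what `ipv6 address … eui-64` will assign for a given MAC. The addresses and the MAC are constructed for the demo.

```python
"""Classify IPv6 addresses by prefix and derive EUI-64 addresses from a MAC.

Added example for the IPv6 address notes and the EUI-64 lab step; not code
from the original post. Sample addresses and the MAC are constructed.
"""
import ipaddress

# Well-known link-local-scope multicast groups from the study notes.
_KNOWN_MCAST = {
    "ff02::1": "all nodes", "ff02::2": "all routers", "ff02::5": "OSPF all routers",
    "ff02::6": "OSPF DR/BDR", "ff02::9": "RIP routers", "ff02::a": "EIGRP routers",
}
_MCAST_SCOPE = {1: "interface-local", 2: "link-local", 5: "site-local",
                8: "organization-local", 14: "global"}


def leading_bits(text: str, n: int) -> str:
    """The first n bits of an address, to check the binary patterns in the notes."""
    a = ipaddress.IPv6Address(text.split("/")[0])
    return format(int(a) >> (128 - n), f"0{n}b")


def classify_ipv6(text: str) -> str:
    """Name the range an address falls in; order matters because ranges nest."""
    a = ipaddress.IPv6Address(text.split("/")[0])
    if a == ipaddress.IPv6Address("::1"):
        return "loopback"
    if a == ipaddress.IPv6Address("::"):
        return "unspecified"
    if a in ipaddress.IPv6Network("::ffff:0:0/96"):
        return "IPv4-mapped"
    if a in ipaddress.IPv6Network("::/96"):
        return "IPv4-compatible (deprecated)"
    if a in ipaddress.IPv6Network("fe80::/10"):
        return "link-local unicast"
    if a in ipaddress.IPv6Network("fec0::/10"):
        return "site-local (deprecated, replaced by ULA)"
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "unique local unicast"
    if a in ipaddress.IPv6Network("ff00::/8"):
        scope = _MCAST_SCOPE.get((int(a) >> 112) & 0xF, "other")   # 4th nibble is the scope
        name = _KNOWN_MCAST.get(str(a))
        return f"multicast, {scope} scope" + (f" ({name})" if name else "")
    if a in ipaddress.IPv6Network("2001:db8::/32"):
        return "documentation (2001:db8::/32, inside global range)"
    if a in ipaddress.IPv6Network("2000::/3"):
        return "global unicast"
    return "reserved/other"


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: flip the U/L bit of the first octet, insert ff:fe in the middle."""
    b = bytearray(bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", "")))
    if len(b) != 6:
        raise ValueError("need a 48-bit MAC")
    b[0] ^= 0x02
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """What `ipv6 address <prefix>/64 eui-64` produces for an interface with this MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 needs a /64")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


if __name__ == "__main__":
    for addr in ("fe80::1", "fd12:3456::1", "2001:db8::1", "ff02::5", "::ffff:10.0.0.1"):
        print(f"{addr:20} {leading_bits(addr, 16)}  {classify_ipv6(addr)}")
    print(eui64_address("2001:db8:1::/64", "00:1a:2b:3c:4d:5e"))   # constructed MAC
```

Because the EUI-64 transform is reversible, an EUI-64 address leaks the interface's hardware MAC to anyone who sees it (and the same interface ID follows the device across prefixes); that is the reason hosts use privacy extensions, while routers usually accept it for the sake of predictable addresses.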
Static Routing

  • Verify which IPv6 dynamic routing protocols are running
    • #show ipv6 protocols
  • Configure a default route
    • (config)#ipv6 route ::/0 [gateway address]
  • Turn on IPv6 routing (required before the router forwards any IPv6 packets)
    • (config)#ipv6 unicast-routing
  • Configure static routes
    • (config)#ipv6 route [IPv6 subnet]/[prefix length] [next-hop IPv6 address]
  • Verify IPv6 routes
    • #show ipv6 route

First off if you are not subscribed to Keith’s YouTube Channel and you are working on your CCNA… STOP EVERYTHING!!! and go subscribe: https://www.youtube.com/user/Keith6783

Video Summary: https://www.youtube.com/watch?v=xLstDGmzgFI

Keith goes through creating and routing a small network using Cisco Packet Tracer

Time Stamps:

  • 6:20 – Network Design
  • 10:40 – Network Addressing – IPv6 Planning and explanation
    • 11:20 – Explanation of the 2001:DB8:: IPv6 address
      • This prefix (2001:db8::/32) is set aside for documentation.
      • It is still routable inside a lab, but it is not meant to be announced on the Internet.
    • 14:20 – Discuss IPv6 addresses
      • 2XXX:: – 3XXX:: (2000::/3) – Globally routable IPv6 addresses
      • FE80:: – Link-local address
      • FFXX:: – Multicast address
  • 22:38 – Setup Network and Packet Tracer explanation
  • 34:55 – Configuration of Routers
    • 35:48 – Standard router default settings for the lab (no exec-timeout and no domain lookup are lab conveniences, not production settings).
      • enable
        conf t
        line con 0
        logging synchronous
        no exec-timeout
        exit
        no ip domain-lookup
        end
        wr
    • 34:42 – Hostname
    • 37:55 – Configure interfaces
      • (config-if)#ipv6 address [ipv6 address] link-local (sets a static link-local address instead of the EUI-64-derived one)
    • 53:44 – Review what routes are needed
      • Talk about
        • “Optimal” route
        • Administrative Distance
    • 1:04:48 – Write out routes
      • (config)#ipv6 unicast-routing
      • (config)#ipv6 route [network]/[prefix length] [next-hop] [administrative distance]
    • 1:12:50 – Apply network configuration

So the one thing that I found during this session: if you put in the address incorrectly and the routes are incorrect, those routes do not show up when you do a show ipv6 route.

Cisco NAT Configuration

Static NAT

  • Set inside and outside interfaces
    • #conf t
    • (config)#int f0/1
    • (config-if)#ip nat outside
    • (config-if)#int f0/0
    • (config-if)#ip nat inside
  • Set the translation between inside and outside
    • (config-if)#exit
    • (config)#ip nat inside source static [insideLocalIP] [insideGlobalIP]
      • Inside local address – the address actually configured on the inside host
      • Inside global address – the NAT’d address of the inside host as it is reached/seen from the outside network
  • Verify the translation
    • (config)#end
    • #show ip nat translations

Dynamic NAT

  • Set interface with clients that will use the pool as an inside interface
    • #conf t
    • (config)#int f1/0
    • (config-if)#ip nat inside
  • Set the dynamic pool
    • (config-if)#exit
    • (config)#ip nat pool [pool name] [starting IP address] [ending IP address] netmask [subnet mask]
  • Create a standard access list selecting which inside addresses may use the pool
    • (config)#access-list [access-list#] permit [source network] [wildcard mask]
      • Hosts matching a permit entry are translated; traffic that is denied or does not match is forwarded untranslated (it is not dropped)
  • Associate the access list with the NAT pool
    • (config)#ip nat inside source list [access-list#] pool [pool name]
  • Verify the translations
    • #show ip nat translations
  • Without overload each inside host holds one pool address for the life of its translation; once every pool address is in use, new hosts cannot be translated until an entry times out. Adding overload turns the pool into PAT: many inside hosts share each pool address and are told apart by source port, so the pool is not exhausted.
    • Add the “overload” keyword at the end of the association command
    • (config)#ip nat inside source list [access-list#] pool [pool name] overload

Port Address Translation (PAT)

  • Remove the static address from the outside router interface and configure it to use DHCP
    • #conf t
    • (config)#int f0/0
    • (config-if)#no ip address
    • (config-if)#ip address dhcp
  • Configure NAT
    • Repeat assigning the inside and outside interfaces
    • Create the access list
    • (config)#ip nat inside source list [access-list#] interface f0/0 overload
      • Translates to whatever address the outside interface currently holds, so it keeps working when the DHCP lease changes
  • Verify the NAT translations
    • #show ip nat translations
  • Show NAT statistics
    • #show ip nat statistics
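As an added example (not code from the original post) for the dynamic NAT and PAT labs above: a small model of the translation table that shows the difference between a pool with and without `overload`, and how the standard ACL with a wildcard mask selects which hosts get translated. The pool, ACL and hosts are constructed; the model covers address and port allocation only (no entry timeouts, contiguous wildcard masks only).

```python
"""Model how `ip nat inside source list ... pool ...` behaves with and without `overload`.

Added example for the dynamic NAT and PAT labs; not code from the original post.
Pool, ACL and hosts are constructed. Allocation only: no timeouts, and only
contiguous wildcard masks.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple


class PoolExhausted(Exception):
    """Dynamic NAT without overload: every pool address is already mapped to a host."""


def wildcard_to_network(ip: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert `access-list N permit 10.0.0.0 0.0.0.255` operands to 10.0.0.0/24."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported by this model")
    return ipaddress.IPv4Network(f"{ip}/{prefixlen}", strict=False)


class NatTable:
    def __init__(self, pool_start: str, pool_end: str,
                 acl_permit: List[Tuple[str, str]], overload: bool = False):
        first, last = int(ipaddress.IPv4Address(pool_start)), int(ipaddress.IPv4Address(pool_end))
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        self.acl = [wildcard_to_network(ip, wc) for ip, wc in acl_permit]
        self.overload = overload
        self.addr_map: Dict[str, str] = {}                        # inside local -> inside global
        self.flows: Dict[Tuple[str, int], Tuple[str, int]] = {}   # (local ip, port) -> (global ip, port)

    def _permitted(self, ip: str) -> bool:
        return any(ipaddress.IPv4Address(ip) in net for net in self.acl)

    @staticmethod
    def _free_port(used: Set[int]) -> int:
        port = 1024
        while port in used:
            port += 1
        return port

    def translate(self, local_ip: str, local_port: int) -> Optional[Tuple[str, int]]:
        """Inside global (ip, port) for a flow, or None if the ACL does not permit it."""
        if not self._permitted(local_ip):
            return None                                   # forwarded untranslated
        if not self.overload:
            # one inside local address gets one inside global address; ports are untouched
            if local_ip not in self.addr_map:
                free = [a for a in self.pool if a not in self.addr_map.values()]
                if not free:
                    raise PoolExhausted(f"no pool address left for {local_ip}")
                self.addr_map[local_ip] = free[0]
            return (self.addr_map[local_ip], local_port)
        # overload (PAT): flows share one pool address and are told apart by port;
        # the original source port is kept unless another flow already uses it
        key = (local_ip, local_port)
        if key not in self.flows:
            used = {port for _, port in self.flows.values()}
            port = local_port if local_port not in used else self._free_port(used)
            self.flows[key] = (self.pool[0], port)
        return self.flows[key]


if __name__ == "__main__":
    # Constructed: two-address pool, inside network 10.0.0.0/24 permitted by the ACL
    nat = NatTable("203.0.113.10", "203.0.113.11", [("10.0.0.0", "0.0.0.255")])
    for host in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        try:
            print(host, "->", nat.translate(host, 40000))
        except PoolExhausted as exc:
            print(host, "->", exc)
    pat = NatTable("203.0.113.10", "203.0.113.10", [("10.0.0.0", "0.0.0.255")], overload=True)
    for host in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        print(host, "->", pat.translate(host, 40000))
```

The third host in the non-overload run gets no translation at all, which is the failure mode the `overload` keyword exists to remove; with PAT the same three hosts all leave through 203.0.113.10 and only their source ports differ. Real IOS also ages entries out and spreads PAT flows across further pool addresses once ports run low, which this model leaves out.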