Network Engineering

LEVEL 1-2 (Associate-Intermediate):
A+|MTA Networks|MTA Security|MTA Servers
Network+|Security+|Cloud+|Storage+|Linux Essentials
CCNA RnS|JNCIA-JUNOS|CCNA Security|CCNA Collaboration|CCNA Wireless|CCNA SP|CCNA DC|CCDA|ITIL|MCSA(Server 2012)|VCA-DCV|VIRL|GNS3

LEVEL 2-3 (Intermediate-Expert):
LPIC1|LPIC2|F5|Checkpoint|Palo Alto|Wireshark|VCP-DCV|CEH(Penetration Testing)|Solarwinds|Nagios|PRTG|Cacti|Kiwi Syslog|Netflow
CCPD|CCNP RnS|JNCIS-ENT|JNCIP-ENT|JNCIS-SP|JNCIP-SP|JNCIS-Security|JNCIP-Security|CCNP SP|CCNP Security|CCNP DC|CCNP Collaboration|CCNP Wireless|HP|Meraki|Aruba|Aerohive|Meru|Ruckus|CISSP

LEVEL 3-4 (Expert-Advanced):
CCDE|CCIE RnS|CCIE SP|CCIE Security|CCIE DC|CCIE Collaboration|CCIE Wireless|JNCIE-ENT|JNCIE-SP|JNCIE-Security

CCNA/CCNP/CCIE (wr and LAB) RnS Prep

CCIE LAB RnS Blueprint: 
http://www.cisco.com/web/learning/exams/docs/ccieRS_Lab5.pdf

CCIE RnS Final Revision/Prep Notes/Commands extracted from all the studied material below*: 
https://networkengineer.me/category/ccna-ccnp-rns/

CBT Nuggets (CCNA/CCNP/CCIE): 
http://www.cbtnuggets.com

INE Videos and Workbooks (CCNA/CCNP/CCIE) (Recommended): 
http://www.ine.com

Books:
How to Master CCNA by Molenaar, René
How to Master CCNP SWITCH by Molenaar, René
How to Master CCNP ROUTE by Molenaar, René
How to Master CCNP TSHOOT by Molenaar, René
CCIE Routing and Switching V5.1 Foundations: Bridging the Gap Between CCNP and CCIE (Practical Studies) by Narbik Kocharians

Reference Guides for Revision:
CCNA portable command guide
CCNP portable command guide
Quick Reference Guides for CCNA, CCNP SWITCH, CCNP ROUTE, CCNP TSHOOT and CCIE

Forums:
http://certcollection.org/forum/

CCIE Hall Of Fame:  http://cciehof.com

Cisco VIRL (INE ATC LABs):
http://virl.cisco.com/

 

Defining the Need for NAT Exemption

http://www.packetu.com/2012/05/29/defining-the-need-for-nat-exemption/

CCIE Study Notes

CCIE RnS Notes

Palo Alto PCNSE7 Study Guide and CLI commands

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/PCNSE7Guide.pdf

https://paloaltonetworks.csod.com/clientimg/paloaltonetworks/LOResource/16570_2016060605472497_428328097_PDF.pdf

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/framemaker/70/pan-os/cli-gsg/section_3.pdf

https://blog.webernetz.net/2013/11/21/cli-commands-for-troubleshooting-palo-alto-firewalls/

Palo Alto troubleshooting commands

NPS, Wireless LAN Controllers, and Wireless Networks Configuration Example

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/115988-nps-wlc-config-000.html

Configuring Cisco IOS CA Server and Enrolling Cisco ASA to a CA Server

http://www.cioby.ro/2016/07/22/configuring-and-deploying-cisco-ios-certificate-server/

Configuring Cisco IOS CA Server and Enrolling Cisco ASA to a CA Server (CCIE Notes)

How Does NAT-T (NAT Traversal) work with IPSec?

ESP encrypts everything that matters, encapsulating the entire inner TCP/UDP datagram behind an ESP header. ESP is carried directly inside IP (IP protocol number 50) in the same way that TCP (protocol 6) and UDP (protocol 17) are, but unlike TCP and UDP it carries no port numbers. This differs from ISAKMP, which runs on top of UDP and uses port 500.

Why can't an ESP packet pass through a PAT device?
It is precisely because ESP has no ports that it cannot pass through a PAT device. With no port to rewrite in the ESP packet, the binding table cannot assign a unique port when it translates the RFC 1918 source address to the publicly routable address. Without a unique port the binding does not complete, there is no way to tell which inside host sourced the packet, and so return traffic cannot be untranslated. Rewriting the outer address itself is not the obstacle: unlike AH, ESP's integrity check does not cover the outer IP header, so a single ESP flow passes a one-to-one NAT fine, and some PAT devices offer an "IPsec passthrough" that keys bindings on the SPI values instead of ports. That workaround fails as soon as a second inside host builds a tunnel to the same peer, which is the case NAT-T solves.

How does NAT-T work with ISAKMP/IPsec?
NAT Traversal performs two tasks:
Detects if both ends support NAT-T
Detects NAT devices along the transmission path (NAT-Discovery)

Step one occurs in ISAKMP Main Mode messages one and two, where each side includes a NAT-T vendor ID payload. If both devices support NAT-T, NAT-Discovery is performed in ISAKMP Main Mode messages three and four. Each NAT-D payload carries a hash, computed with the hash algorithm negotiated in messages one and two, of the initiator and responder cookies together with an IP address and port: HASH(CKY-I | CKY-R | IP | Port). Each side sends two NAT-D payloads: the first over the destination IP and port (the peer as this side sees it), the second over its own source IP and port. The receiving device recalculates both hashes from the addresses it actually sees on the packet and compares them with what it received; a mismatch means a NAT device sits in the path. A mismatch on the source hash means the peer is behind a NAT; a mismatch on the destination hash means the receiver itself is behind one.

If a NAT device is detected, NAT-T changes the ISAKMP transport starting with Main Mode messages five and six: from that point all ISAKMP packets move from UDP port 500 to UDP port 4500. The Quick Mode (IPsec Phase 2) exchange is carried inside UDP 4500 as well, and once Quick Mode completes, the data encrypted on the resulting IPsec Security Association is also encapsulated in UDP port 4500, which gives the PAT device a port to translate. Because a PAT device drops an idle UDP binding after its timeout, the host behind the NAT also sends periodic one-byte NAT keepalives (0xFF) on UDP 4500 so that inbound traffic keeps reaching it.
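The NAT-Discovery exchange above, worked through in Python as an added example (this is not code from the original page or from any vendor's IKE implementation): it computes the RFC 3947 hash HASH(CKY-I | CKY-R | IP | Port), lets the responder recompute both hashes from the addresses it actually observes on the wire, reports which side is behind a NAT, and decides whether to float to UDP/4500. The cookies, addresses and ports are constructed sample values, and SHA-1 is assumed as the negotiated hash.

```python
"""NAT-D computation and NAT detection for IKEv1 NAT-T (RFC 3947).

Added example, not taken from the original page. Cookies, addresses and
ports below are constructed sample values; SHA-1 is assumed as the hash
negotiated in Main Mode messages 1 and 2.
"""
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    """HASH(CKY-I | CKY-R | IP | Port), RFC 3947 section 4.

    IP is the raw 4- or 16-byte address and Port is 2 bytes in network order.
    """
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()


def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, remote_ip, remote_port):
    """Sender side: first NAT-D covers the destination (peer as we see it),
    then one NAT-D per local (source) address."""
    return [
        nat_d_hash(cky_i, cky_r, remote_ip, remote_port),
        nat_d_hash(cky_i, cky_r, local_ip, local_port),
    ]


def detect_nat(cky_i, cky_r, received, observed_src_ip, observed_src_port, own_ip, own_port):
    """Receiver side: recompute from what is actually on the wire.

    Returns (peer_behind_nat, self_behind_nat).
    - The first payload was computed by the peer over *our* address as the peer
      sees it; if it differs from our real address, we are behind a NAT.
    - The remaining payloads were computed over the peer's real source
      address(es); if none matches the observed source, the peer is behind a NAT.
    """
    dst_hash, *src_hashes = received
    self_behind_nat = dst_hash != nat_d_hash(cky_i, cky_r, own_ip, own_port)
    observed = nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port)
    peer_behind_nat = observed not in src_hashes
    return peer_behind_nat, self_behind_nat


def negotiate_port(peer_behind_nat: bool, self_behind_nat: bool) -> int:
    """Port IKE continues on from Main Mode message 5 onwards."""
    return 4500 if (peer_behind_nat or self_behind_nat) else 500


# Constructed scenario: initiator 10.0.0.5 behind a PAT that rewrites its
# source to 198.51.100.7:61234; responder 203.0.113.10 is directly reachable.
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("1112131415161718")


def run_scenario(translated: bool = True):
    """Returns (peer_behind_nat, self_behind_nat, port) as seen by the responder."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, "10.0.0.5", 500, "203.0.113.10", 500)
    src_ip, src_port = ("198.51.100.7", 61234) if translated else ("10.0.0.5", 500)
    peer, me = detect_nat(CKY_I, CKY_R, payloads, src_ip, src_port, "203.0.113.10", 500)
    return peer, me, negotiate_port(peer, me)


if __name__ == "__main__":
    print("through PAT :", run_scenario(True))    # initiator behind NAT -> float to 4500
    print("direct      :", run_scenario(False))   # no NAT -> stay on 500
```

The `translated=False` run shows the no-NAT case: both hashes match and IKE stays on UDP/500, which is exactly why NAT-T only encapsulates when it has to.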

To visualize how this works and how the IP packet is encapsulated:
Clear text packet will be encrypted/encapsulated inside an ESP packet
ESP packet will be encapsulated inside a UDP/4500 packet.

NAT-T encapsulates ESP packets inside UDP with both the source and destination port set to 4500. After this encapsulation there is enough information for the PAT binding to be built, so ESP can be translated through a PAT device. Because ISAKMP also moves to UDP 4500, the receiver must be able to tell the two apart: an IKE message on port 4500 is prefixed with a four-byte zero "non-ESP marker", whereas a UDP-encapsulated ESP packet begins directly with its SPI, which is never zero (SPI 0 is reserved).

When a packet with source and destination port 4500 is sent through a PAT device (from inside to outside), the PAT device changes the source port from 4500 to a random high port while keeping the destination port 4500. When a different NAT-T session passes through the PAT device, it changes that session's source port from 4500 to a different high port, and so on. This way each local host has a unique entry in the PAT device's binding table, mapping its RFC 1918 address and port 4500 to the public address and a high port. The IPsec peer on the outside must therefore accept IKE and ESP from any source port and send its replies to the port it saw, not to 4500.
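The encapsulation and PAT behaviour described above, as an added example that is not part of the original page: it builds the three kinds of payload a peer sees on UDP/4500 (IKE behind the non-ESP marker, UDP-encapsulated ESP, and the keepalive), demultiplexes them, and runs a minimal PAT binding table that shows why two inside hosts sending bare ESP to the same peer collide while the same two hosts sending UDP/4500 get distinct bindings. Addresses, SPIs and the starting high port are constructed; the `PatDevice` class is a deliberately simplified model, not any vendor's NAT implementation.

```python
"""UDP encapsulation of ESP (RFC 3948) and a toy PAT binding table.

Added example, not from the original page. Addresses, SPIs, the public IP
and the 40000 starting port are constructed values.
"""
import struct
from itertools import count

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefix on IKE messages carried on UDP/4500
NAT_KEEPALIVE = b"\xff"               # one-byte keepalive that refreshes the PAT binding


def udp_encap_esp(spi: int, seq: int, esp_body: bytes) -> bytes:
    """UDP/4500 payload for ESP: the ESP header (SPI, sequence) starts right
    after the UDP header. SPI 0 is reserved, so the first 4 bytes are never zero."""
    if not 1 <= spi <= 0xFFFFFFFF:
        raise ValueError("ESP SPI must be non-zero")
    return struct.pack("!II", spi, seq) + esp_body  # esp_body = ciphertext + ICV


def udp_encap_ike(ike_msg: bytes) -> bytes:
    """UDP/4500 payload for IKE: four zero bytes, then the ISAKMP header."""
    return NON_ESP_MARKER + ike_msg


def classify_4500(payload: bytes) -> str:
    """What a NAT-T peer does with a datagram received on UDP/4500."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
        return "ike"
    if len(payload) >= 8:   # at least SPI + sequence number
        return "esp"
    return "invalid"


class PatDevice:
    """Minimal PAT model: (inside_ip, proto, inside_port) -> public high port.
    Port-less protocols such as ESP (IP proto 50) can only be keyed on the
    protocol, so the public address supports one inside host per protocol."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = count(first_port)
        self.out = {}   # (inside_ip, proto, inside_port) -> public_port
        self.back = {}  # (proto, public_port) -> (inside_ip, inside_port)

    def translate_out(self, src_ip: str, proto: str, src_port=None):
        """Translate an outbound flow; returns (public_ip, public_port)."""
        if src_port is None:                       # e.g. bare ESP: nothing to rewrite
            owner = self.back.get((proto, None))
            if owner is not None and owner[0] != src_ip:
                raise LookupError(f"{proto} from {src_ip}: no port to rewrite, "
                                  f"binding already owned by {owner[0]}")
            self.back[(proto, None)] = (src_ip, None)
            return self.public_ip, None
        key = (src_ip, proto, src_port)
        if key not in self.out:                    # new session: pick a fresh high port
            pub = next(self._ports)
            self.out[key] = pub
            self.back[(proto, pub)] = (src_ip, src_port)
        return self.public_ip, self.out[key]

    def translate_in(self, proto: str, dst_port):
        """Untranslate a return packet to (inside_ip, inside_port)."""
        return self.back[(proto, dst_port)]


def esp_collision(pat: PatDevice) -> bool:
    """True if a second inside host sending bare ESP cannot be bound."""
    pat.translate_out("10.0.0.5", "esp")
    try:
        pat.translate_out("10.0.0.6", "esp")
    except LookupError:
        return True
    return False


if __name__ == "__main__":
    pat = PatDevice("198.51.100.7")
    print(pat.translate_out("10.0.0.5", "udp", 4500))   # ('198.51.100.7', 40000)
    print(pat.translate_out("10.0.0.6", "udp", 4500))   # ('198.51.100.7', 40001)
    print(pat.translate_in("udp", 40001))               # ('10.0.0.6', 4500)
    print("bare ESP collides:", esp_collision(PatDevice("198.51.100.7")))
    print(classify_4500(udp_encap_esp(0x1A2B3C4D, 1, b"\x00" * 32)))
```

The two NAT-T sessions get distinct high ports and the return packet to 40001 is untranslated back to 10.0.0.6, while the second bare-ESP host is refused because the table has nothing but the protocol number to key on.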

What is the difference between NAT-T and IPsec over UDP?
Although both mechanisms work similarly, there are two main differences.

When NAT-T is enabled, it encapsulates ESP in UDP only when a NAT device was detected during the ISAKMP exchange; otherwise no UDP encapsulation is done. IPsec over UDP, a Cisco-proprietary mechanism that predates the NAT-T standard, always encapsulates ESP in UDP.

NAT-T always uses the standard port, UDP 4500; it is not configurable. IPsec over UDP normally uses UDP 10000, but this can be any port set in the VPN server's configuration (on the ASA it is a group-policy setting), and it encapsulates only the ESP traffic while ISAKMP still negotiates on UDP 500.

Cisco ASAV 9.2 VMware and ASDM 722 integrated with GNS3

 

Cisco VIRL (Virtual Internet Routing Lab)

List of supported features for IOSv:
802.1Q, AAA, ACL, BGP, DHCP, DNS, EEM, EIGRP, EoMPLS, Flex Netflow + TNF, GRE, ICMP, IGMP, IP SLA, IPSec, IPv6, ISIS, L2TPv3, MPLS, MPLS L2VPN, MPLS L3VPN, MPLS TE, Multicast, NAT, NTP, OSPF, PfR, PIM, PPPoE, RADIUS, RIP, SNMP, SSH, SYSLOG, TACACS, TFTP, VRF-LITE
Features likely to work for IOSv:
HSRP, VRRP, GLBP, EZVPN, QoS, LISP, ZBFW, Performance Monitor

• Read more for IOSv: https://learningnetwork.cisco.com/docs/DOC-30469

List of supported features for IOSvL2:
Layer-2 forwarding (auto-config’d), Switchport (auto-config’d), 802.1q trunk, 802.1q VLANs (auto-config’d), Spanning Tree (auto-config’d), Port-Channel (Pagp and Lacp), 802.1x passthrough, Port-ACLs, Dynamic Arp Inspection, DHCP Snooping, IP device tracking, Switched Virtual Interfaces, Layer-3 forwarding over SVIs, Routing protocol support, VTP v1-3, PVST, QoS, Inter-VLAN routing, VLAN Access Maps (VACLs / access control lists for VLANs), ACL functionality for both layer2 and layer3 protocol packets, Dynamic Trunking Protocol support, Switchport protected mode

• Read more for IOSvL2: https://learningnetwork.cisco.com/docs/DOC-30404

List of supported features for IOS-XRv:
IPv4, IPv6, BGP, MP-BGP, EIGRP, ICMP, OSPF, NTP, TFTP, MPLS, MPLS L3VPN, MPLS TE, ISIS, mVPN GRE / mLDP / P2MP TE, AAA, RADIUS, TACACS, SNMP, FLEX CLI, Multicast (PIM, MSDP, IPv6), Syslog, VLANs / QinQ (.1Q, .1AD), RPL, ACLs, SSH, VRF-LITE

• Read more for IOS-XRv: https://learningnetwork.cisco.com/docs/DOC-30449

List of supported features for NX-OSv:
802.1x, AAA, AMT, BGP, CDP/LLDP, EIGRP, FHRP-HSRP, GLBP, VRRP, ICMP, IGMP, IPv4, IPv4/6, IPv6, ISIS, L3 Routing Protocols, LDAP, LISP, MLD, MSDP, NTP, OSPF, PIM/PIM6, Radius, RIP, SNMP, Syslog, TACACS+, VRF, XML/Netconf, NX-API

• Read more for NX-OSv: https://learningnetwork.cisco.com/docs/DOC-30470

UPDATE 4/10/2016: NX-OSv (Titanium) – end of development
The NX-OSv virtual machine image that has been provided with VIRL is based on the Titanium development platform, using the NXOS operating system with a hardware model based on the NEXUS 7000-series platform.
The virtual machine provides Layer-3 and management-plane features taken from the 7.x.x version of the NXOS operating system. As many of you will be aware, Layer-2 switching functionality is not present in the image.
Development efforts in the NXOS operating system, are now strongly focused on moving to the next generation NXOS as implemented today on the NEXUS 9000-series platform. To that end, Layer-2 and Layer-3 feature development is aligned toward the next generation NXOS virtual machine platform. As a result, there are no plans to deliver Layer-2 switching features on the NX-OSv (Titanium) virtual machine platform.
The first virtual machine platform using the next generation NXOS operating system will be NXOSv9000, which is expected to be available on VIRL in late 2016.

List of supported features for CSR1000v:
802.1Q, AAA, ACL, BGP, DHCP, DNS, EEM, EIGRP, EoMPLS, Flex Netflow + TNF, GRE, ICMP, IGMP, IP SLA, IPSec, IPv6, ISIS, L2TPv3, MPLS, MPLS L2VPN, MPLS L3VPN, MPLS TE, Multicast, NAT, NTP, OSPF, PfR, PIM, PPPoE, RADIUS, RIP, SNMP, SSH, SYSLOG, TACACS, TFTP, VRF-LITE
Features likely to work for CSR1000v:
HSRP, VRRP, GLBP, EZVPN, QoS, LISP, ZBFW, Performance Monitor

• Read more for CSR1000v: http://www.cisco.com/c/en/us/products/routers/cloud-services-router-1000v-series/datasheet-listing.html

List of supported features for ASAv:

• Read more for ASAv: http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/asav/quick-start/asav-quick/intro-asav.html

ASA Quick Review

CCNA RnS Subnetting_Commands_Notes