My 1st SP Lab Attempt

ccie-sp March 8th, 2010

I’m finally back from RTP and have a stable enough Internet connection to finally write a post.  After my SP lab last week, I decided to visit some relatives in Charleston, SC to relax over the weekend before coming home.  I tried to post something on Friday, but my hotel wireless connection was terrible.  Anyways, read on for a recap.

Since the Thanksgiving weekend, I’ve been scrambling to get enough practice time in for the configuration portion of the lab.  A few days after committing payment to Cisco for the lab, the announcement for the OEQ or Core Knowledge came out, which changed my studying strategy quite a bit.  At the time, I had just begun going through INE VOL2 labs before the Christmas holidays and so now I needed to come up with another game plan.  I gave myself a deadline to finish up the VOL2 labs 1 through 5 by New Years.  For the remaining 5 VOL2 labs, I was just going to read the solutions.  Once the new year began, I only labbed up mini scenarios and didn’t bother doing any full scale labs.  All I ended up doing was reading anything I could get my hands on regarding the SP lab blueprint (i.e. books, FAQs, blogs, Cisco white papers, articles, etc.).

Did all the reading help?  Yes, it did.  The set of OEQs that I received were pretty straightforward.  If you have some clue as to what you are doing in general with topics covered in the blueprint, you should be prepared.  Now I know that statement is vague and probably doesn’t really help you much, but the OEQs are really nothing to be concerned with at all.  I can’t speak for individuals who took the lab in the first 2 months, but I think the Cisco folks have finally figured it out where the OEQs are really ‘Core Knowledge’ type questions.  If I could make one suggestion to the Cisco developers, you should have the OEQs at the end of the lab.  The biggest complaint for many individuals that get a set of off-the-wall questions is they feel cheated having just forked over $1400 for only 30 minutes of completing the test.  What’s the point in continuing onward if you already knew you blew your chance at the start of your day?  Nothing you do in the configuration portion matters if you can’t get by 3 out of 4 questions.  IMHO, I think if the questions were at the end of the lab then test takers couldn’t complain since they would actually have to work through the entire day.

Unfortunately, because I spent so much time on reading, my speed was off with the configurations.  There was a lot of typing involved with my version of the lab. On top of that, I wasn’t fully rested going into the test as I would’ve liked.  I was a bit foggy having been up all night due to nerves.  Believe me, I exhausted myself before my flight out to Raleigh so I could just sleep when I arrived, but I was pretty wired and couldn’t stop thinking about 4 questions.  In the end, I fell short on the configuration end of the spectrum.

Here’s an outline on what I did for this attempt:

1) Read: Just try to understand the material you are reading.  I don’t think you need to memorize every little detail, but know the important subject matter.  Here’s a list of everything I read:
MPLS Fundamentals
MPLS VPN Architectures
MPLS VPN Architectures Volume II
Routing TCP/IP Volume I
Routing TCP/IP Volume II
Cisco FAQs
Cisco White Papers
RFCs

2) Choose a vendor workbook:  For my attempt, I used INE’s VOL1 and VOL2.  Keep in mind the material is very outdated but still relevant for this lab.  Everything you need to know is in VOL2, you just need to reference the Cisco documentation yourself to get a thorough understanding of the technology.  If I could make a suggestion to the INE folks, I think the only updates you should make for your products are:

-VOL1: Create some IS-IS labs with explanations.  I ended up having to use my R&S OSPF, EIGRP, and RIP VOL1 lab scenarios to test out IS-IS.  IS-IS is extensive enough on the exam that it should be covered in your product.

-VOL2: I really liked what INE has done with the R&S and Security workbooks; they give you a brief explanation alongside the expected output.  We could really use that additional information as reference material for the OEQ.

3) Core Knowledge Simulator:  I ended up purchasing this product 1.5 weeks before the lab and only looked at it 2-3 days beforehand.  IMHO, the product just destroys your confidence all together because you feel like you’ve forgotten your CCNP studies.  You also get a false sense that you are required to know the granular details of the technologies.  Based on the OEQs I received, your questions are really off the mark and probably need to be scaled down just a bit.

4) Practice: I didn’t utilize the rack rentals as I had anticipated.  I ended up just using dynamips when I was labbing, which should be enough.  If you have the money to spend, go ahead and rent or buy equipment.  If you are on a shoestring budget and have a powerful enough workstation, then invest some time in dynamips or GNS3; the IOS code you should be running is 12.2S.  There’s definitely a difference in the feature sets when you are running 12.3T and 12.2S, so you should be familiar with both versions.

Am I going to take a 2nd attempt?  That depends; having just checked availability, the next possible opening at San Jose is in September.  I don’t think I’ll be flying out to other locations anymore to test.  In fact, most of the tests will be running out of SJ anyways (similar to the R&S format) and conducted at nearby Pearson Vue locations in the future, so it doesn’t make sense to fly out (unless of course work pays for it and everything isn’t out of my own pocket).  There are other rumors that this lab will be retired and replaced by SP Operations.  I was told that for the month of July all lab testing sites will be blocked off completely to allow major changes to the lab testing facilities, which is also when the announcements will be revealed.  If I can get another test in before June, I think I’ll donate more money to Cisco.  Until I can get a close enough date, I’ll just be enjoying my time away from all the stress:

-Catching up on all my shows on the DVR

-Toying around with JNCIE-ER or JNCIE-M/T

-Creating some mini-scenarios to help cover the lacking areas of technologies

-Playing basketball on the weekends again

-Networking at Interop, CiscoLive, etc.

Websense with RSPAN

ccie-sec November 27th, 2009

Recently, I was tasked with implementing Websense to help monitor the activities of our user base in LA and NY.  After a few discussions with the Websense sales engineers, I came up with a design to utilize the ASA firewalls in both my locations.

The Websense components were installed as follows:

For the filters:

User Service - This service identifies the users, groups, and domains within Windows Active Directory.

Filtering Service - This is the service that will monitor or block content.

Network Agent - This component is how the server will communicate with the Policy Server.

DC Agent - This service integrates AD authentication for end users who don’t want to be filtered.

Usage Monitor - This service collects usage information based on categories, protocols, etc.

For the manager:

Policy Database - Microsoft SQL is required to store your database.

Policy Broker - This service updates the filter servers whenever a change is made to the policy.

Policy Server - This service provides policy management.

Websense Manager - This service allows you to manage your filters.

Log Server - This service collects the logs off the filters for reporting.

The Websense engineers recommended that I install the Policy Broker, Server, and Database on one of the filter servers.  I felt it didn’t make sense to add the bulk of the processing load to a dedicated filter box.  Plus, I’d rather have all the management components reside on a central server.

During my initial install of each of the filters, I only had one network card enabled.  Also, for some odd reason I was unable to set up ‘integrated’ mode and was forced to install each filter as a ‘stand-alone’ device.  Integrated mode allows you to tie in with your ASA firewall, but can only filter http, https, or ftp.  Here are the commands I used:

url-server (inside) vendor websense host 11.27.194.44 timeout 30 protocol TCP version 4 connections 5
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
url-block url-mempool 1500 --> Recommended configuration from Websense.
url-block url-size 4 --> Recommended configuration from Websense.

Even though I was running in stand-alone mode, I was still able to run the ASA firewall commands and the filter started working.  This particular setup ran for about a week until we had to move a new group who seemed to have stringent requirements for their web surfing activities.  What it boiled down to was they weren’t very pleased with the fact that our Internet connection was monitored and filtered.

Our LA filter was performing just fine, but our NY filter, where the new group resided, was extremely slow.  There were complaints that simple websites would take anywhere between 10-60+ seconds to load.  To troubleshoot the performance problem, I verified performance to/from the intermediate switches, core routers, and firewalls, which all checked out fine.  The design I had built took into account that there were 150 end-users combined from both locations, and the Websense engineers validated that the integration with our firewalls was sufficient.  After verifying the network, I contacted the sales engineer to engage their support.

Websense support noticed I wasn’t running integrated mode properly and walked me through updating each filter.  Once we were fully integrated, the performance for NY suffered even more, to the point that web pages were taking minutes to load.  So now I started questioning whether or not the integrated mode could support even a handful of users.  Websense’s documentation clearly states that the integrated mode with an ASA firewall can easily support up to 250+ users, which was obviously not the case.

I had to engage support yet again and was told to run each filter in stand-alone mode, activate the second network card on the filters, and SPAN the data to the second NIC.  Websense support clearly stated that RSPAN doesn’t work with their product and that it was unsupported.  To set the record straight, RSPAN does work with Websense.  You just have to figure out the IOS configuration, because most of Cisco’s documentation still refers to the ‘reflector-port’ option, which doesn’t run on 3560s or 3750s.

My ASA inside interface in LA was configured as a trunk on port Gi1/0/3 on SW11; nothing special needed to be configured on the trunk port where the firewall was connected.  Here’s my configuration on SW11:

vlan 888 --> This vlan number should be lower than 1000.  I tried 1888, but that didn’t seem to work.
name RSPAN-ASA-INSIDE
remote-span

interface vlan 888 --> A ‘show interface’ will reveal that the line protocol is down, which is fine.
no shutdown

monitor session 1 source vlan 8 --> Using ‘source interface gi 1/0/3’ didn’t work for me.
monitor session 1 destination remote vlan 888

interface GigabitEthernet1/0/25
description CONNECTED-TO-SW13-G0/24
switchport trunk allowed vlan add 888 --> I do this because I specifically allow certain VLANs across the trunk.

Here’s my configuration on SW13:

vlan 888
name RSPAN-ASA-INSIDE
remote-span

interface vlan 888
no shutdown

interface GigabitEthernet0/24
description CONNECTED-TO-SW11-G1/0/25
switchport trunk allowed vlan add 888

monitor session 1 source remote vlan 888
monitor session 1 destination interface Gi0/22 encapsulation dot1q ingress untagged vlan 8

Once I entered the destination interface, my stand-alone LA filter started seeing all the protocols.  The performance appeared to be much better and can supposedly handle up to 1200+ users.  I’ve excluded the new group from being filtered for the time being and have activated it for the rest of my group to validate the performance.  I’ll probably monitor the behavior over the long weekend before implementing entirely, but hopefully my performance problems are now behind me.
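Added here as an illustration (not part of the original post, and not Websense’s or Cisco’s tooling): a small Python checker that parses the SW11/SW13 style configuration shown above and flags the mistakes that silently leave the filter blind, such as the RSPAN VLAN missing ‘remote-span’ on one switch, the VLAN not being allowed across the trunk, a session that never lands on a destination interface, or an RSPAN VLAN at or above 1000, which this post reports did not work.  The sample configs are constructed from the post and trimmed to the lines the checker reads.

```python
import re
# Constructed sample configs mirroring the SW11 (source) / SW13 (destination) layout in the post.
SW11 = """vlan 888
 remote-span
interface GigabitEthernet1/0/25
 switchport trunk allowed vlan add 888
monitor session 1 source vlan 8
monitor session 1 destination remote vlan 888
"""
SW13 = """vlan 888
 remote-span
interface GigabitEthernet0/24
 switchport trunk allowed vlan add 888
monitor session 1 source remote vlan 888
monitor session 1 destination interface Gi0/22 encapsulation dot1q ingress untagged vlan 8
"""

def parse(cfg):
    """Collect remote-span VLANs, trunk-allowed VLANs and monitor sessions from an IOS config."""
    rspan, trunk, sessions, cur = set(), set(), {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            cur = int(m.group(1))                      # entering a 'vlan N' block
        elif line == "remote-span" and cur is not None:
            rspan.add(cur)
        elif m := re.match(r"switchport trunk allowed vlan (?:add )?([\d,]+)$", line):
            trunk.update(int(v) for v in m.group(1).split(","))
        elif m := re.match(r"monitor session (\d+) (source|destination) (.+)", line):
            sessions.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return rspan, trunk, sessions

def check_rspan(src_cfg, dst_cfg, session=1):
    """Return a list of problems; an empty list means the RSPAN path is consistent."""
    (s_rspan, s_trunk, s_sess), (d_rspan, d_trunk, d_sess) = parse(src_cfg), parse(dst_cfg)
    m = re.fullmatch(r"remote vlan (\d+)", s_sess.get(session, {}).get("destination", ""))
    if not m:
        return [f"session {session}: source switch has no 'destination remote vlan'"]
    vid, problems = int(m.group(1)), []
    if vid >= 1000:  # the post found an RSPAN VLAN above 1000 did not work on the 3560/3750
        problems.append(f"RSPAN vlan {vid} is not below 1000")
    for name, rs, tr in (("source", s_rspan, s_trunk), ("destination", d_rspan, d_trunk)):
        if vid not in rs:
            problems.append(f"{name} switch: vlan {vid} is missing 'remote-span'")
        if vid not in tr:
            problems.append(f"{name} switch: vlan {vid} is not allowed on the trunk")
    if d_sess.get(session, {}).get("source") != f"remote vlan {vid}":
        problems.append(f"destination switch: session {session} does not source remote vlan {vid}")
    if not d_sess.get(session, {}).get("destination", "").startswith("interface"):
        problems.append(f"destination switch: session {session} has no destination interface")
    return problems
```

Run `check_rspan(SW11, SW13)` against the two running configs after any change to the trunk or monitor sessions; an empty list means the mirrored traffic still has a complete path to the filter’s second NIC.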

I wonder if it would’ve been easier to implement Cisco’s Ironport web filter?

My Progress Report: SP (11/19/09)

ccie-sp November 19th, 2009

Since my last posting I’ve been quite busy with various projects at work and took on a few weekend contracts to familiarize myself with some of the SP technologies.  My time for studying was split between working and enjoying whatever free time I had to spare.  Aside from keeping up with all my TV shows (i.e. Stargate Universe, Sanctuary, V, Dexter, Californication, Heroes, Trauma, Vampire Diaries, How I Met Your Mother, The Big Bang Theory, Fringe, Cake Boss, Crash, etc.), I did manage to squeeze in some reading on a few technologies (i.e. MPLS, QoS, and IS-IS).  I know what you are thinking, does he really watch all those shows?  The answer is ‘yes’ and then some.  Aside from playing basketball once a week and going to the gym 3-4 times a week, it was the only way of keeping my brain from melting with a 7-day work schedule.

Another outlet for me has been Twitter; I don’t really tweet as much and mainly use it as a means of aggregating information on potential IE candidates, IEs, and sports.  Most of the bloggers who were diligently updating their sites before have now turned to tweeting.  In fact, many of their sites have gone unattended, so I finally decided to clean up my blogroll.  Can’t you tell the list is shorter?  :)

My game plan from this point forward is to finish off my projects and contracts before the Christmas holidays.  I’ve already reserved some ‘me’ time with the family, so they know I’ll be concentrating on studying the last week of the year.  I have a little over 100 days from now until my scheduled lab, 03/04/2010, so hopefully the exam doesn’t change by then.

Congrats to Ahmed Batt

ccie-rs October 12th, 2009

Ahmed passed his R&S lab last week.  My apologies for announcing this so late, but I’ve been preoccupied with my own studies.  He only passed his written in April and managed to stick to his studies to pass the lab in 6 months.  Send him your congrats.
