Cisco ASA High Availability Implementation

security Dec 18, 2018

As a redundancy measure, it’s possible to deploy multiple Cisco ASAs together in a failover configuration, also known as a High Availability Implementation. This requires that the ASAs have identical software, licensing, memory, and interfaces. There are three possible high availability options to protect against downtime, which we'll explore here.

Active/Standby Failover Implementation: In this model, only one of the firewalls is responsible for processing traffic, while the other is designated as a hot standby. The standby device has the ability to take over traffic processing duties in the event that the active device fails.

Active/Active Failover Implementation: In this model, both firewalls actively process traffic as a cluster. The network is able to tolerate the failure of one of the devices, since they are performing identical duties.

This implementation is a bit more complex and requires multiple context mode. With multiple context mode, it’s possible to...

Continue Reading...

Route Redistribution- Part 4

ccie r/s ccnp r/s Nov 29, 2018

This post is the fourth in a series of posts on route redistribution. If you haven't yet read the first three, here are the links:

Up until now in this series, we’ve seen the need for route redistribution, looked at a basic configuration, saw how we could filter specific routes from being redistributed, and learned how to prevent a routing loop by tagging redistributed routes. In this final route redistribution post, we want to check out route redistribution with IPv6, and how that configuration varies a bit from what we’ve done previously with IPv4 networks.

Consideration #1 - The Redistribution of Connected Networks

First, consider a router running a routing protocol; let’s say it’s OSPF in this instance. Also, let’s say that router has several interfaces that are participating in the OSPF routing protocol. On that same router, imagine we’re running...

Continue Reading...

ZPF Concepts and Implementation

security Nov 27, 2018

Cisco Zone-Based Policy Firewalls are a more modern implementation of the interface-based stateful inspection. This allows you to group interfaces into zones, which have similar functions or features. This allows for stateful packet inspection and application control, and a much more granular firewall policy.

In this video, I'll discuss common ZPF concepts and walks through a basic CLI implementation.

All the best,

Charles Judd - Instructor
CCNA Security & R/S, BS Network Security

Continue Reading...

"Getting Your Hands Dirty" with Cisco Packet Tracer

Uncategorized Nov 19, 2018

In this video, you'll learn how to download (for FREE) Cisco Packet Tracer.

Then, you'll load a .PKT file (click HERE to download your .PKT topology file) into your copy of Cisco Packet Tracer and complete the described tasks.

The video then walks you through a complete solution.

Kevin Wallace, CCIEx2 (R/S and Collaboration) #7945

Continue Reading...

VLAN Security Concepts

security Nov 13, 2018

A Virtual Local Area Network (VLAN) is a logical grouping of devices on one or more LANS, configured to communicate as if they were on the same segment. In order to communicate with devices in another VLAN, a Layer 3 device must be present for routing.

Private VLAN (PVLAN)

One way to simplify a multi-VLAN deployment is by use of the Private VLAN (PVLAN) feature. PVLANs achieve isolation at Layer 2 between ports in the same VLAN. This is done by designating the ports as one of three types: promiscuous, isolated, orcommunity. Each designation has its own unique set of rules which regulate the ability to communicate with other devices in the same VLAN.

Promiscuous Ports: These ports have the ability to communicate with all other ports within the PVLAN. The default gateway for the network segment would likely be a promiscuous port, since all devices need to be able to communicate with the gateway.

Isolated Ports: These ports have Layer 2 separation from all other ports...

Continue Reading...

Route Redistribution- Part 3

ccie r/s ccnp r/s Nov 06, 2018


This post is the third in a series of posts on Route Redistribution. If you didn’t yet read the first two, here are the links:

So far in this series, the route redistribution examples we’ve worked through used a single router to do all of the redistribution between our autonomous systems. However, from a design perspective, we might look at that one router and realize that it's potential single point of failure.

For redundancy, let’s think about adding a second router to redistribute between a couple of autonomous systems. What we probably don’t want is for a route to be advertised from, let’s say, AS1 into AS2, and then have AS2 advertise that same route back into AS1, as shown in the figure. 

The good news is, with default settings, that probably won’t be an issue. For example, in the above graphic, router BB2 would learn two ways to get to Network A. One way would...

Continue Reading...

Route Redistribution- Part 2

ccie r/s ccnp r/s Oct 30, 2018

In a previous post, we considered the need for route redistribution, and we also took a look at some configuration examples. This posts builds on that previous configuration and discusses how we can filter routes using route maps.

Specifically, the previous example performed mutual route redistribution between EIGRP and OSPF, where all routes were redistributed between the two autonomous systems. However, some design scenarios might want us to prevent the redistribution of every single route. One way to do that filtering is to use a route map.

For your reference, here’s the topology we’re working with:

Screen Shot 2018-09-14 at 1.14.46 PM.png

Also, with our current route redistribution configuration, the IP routing table on router R1 looks like this:

Let’s say, for some reason, we don’t want the /24 network redistributed from EIGRP into OSPF. One way to do that filtering is to use a route map that references an access control list (ACL).

First, let’s go to router R2 and...

Continue Reading...

Clientless SSL VPN with ASDM

cybersecurity Oct 16, 2018

If the security track is on your radar, particularly CCNA Security, you need to have a working understanding of configuration and troubleshooting with Cisco's Adaptive Security Device Manager (ASDM).

In this video, I'll walk through the setup of a basic clientless SSL VPN using Cisco's GUI-based ASDM software.

All the best,

Charles Judd - Instructor
CCNA R/S, BS Network Security

Continue Reading...

Network Security Zones

security Oct 09, 2018

Our organizational IT environments are constantly changing, driven by factors such as telecommuting, cloud technologies, and BYOD (Bring Your Own Device) policies. This requires modular and dynamic architectures in place, allowing flexibility while still maintaining a rigid security posture. One of the most foundational ways to accomplish this is through the use of network security zones, which we'll take a look at in this blog post. We'll cover common security zone types, and also zone filtering policy considerations for each.

Network Security Zones

A security zone is a portion of a network that has specific security requirements set. Each zone consists of a single interface or a group of interfaces, to which a security policy is applied. These zones are typically separated using a layer 3 device such as a firewall.

In a very broad sense, a firewall is used to monitor traffic destined to and originating from a network. Traffic is either allowed or denied based on a...

Continue Reading...

Route Redistribution - Part 1

ccie r/s ccnp r/s Sep 25, 2018

Introduction to Route Redistribution 

Until there is one routing protocol to rule them all, there is a need to have multiple routing protocols peacefully coexist on the same network. Perhaps Company A runs OSPF, and Company B runs EIGRP, and the two companies merge. Until the newly combined IT staff agrees on a standard routing protocol to use (if they ever do), routes known to OSPF need to be advertised into the portion of the network running EIGRP, and vice versa.

Such a scenario is possible thanks to route redistribution, and that’s the focus of this blog post. Other reasons you might need to perform route redistribution include: different parts of your own company’s network are under different administrative control; you want to advertise routes to your service provider via BGP; or perhaps you want to connect with the network of a business partner. Consider the following basic topology.


In the simple topology show above, we’re wanting OSPF and...

Continue Reading...
1 2 3 4 5 6 7 8 9 10 11 12 13

50% Complete

Two Step

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.