I’m currently working on a design and needed to verify some failover behavior of the Cisco ASA firewall. The ASA can run in active/active or active/standby mode where most deployments I see run in active/standby mode. When in a failover
CCDE – Firewall And IPS Design Considerations
Introduction This post will discuss different design options for deploying firewalls and Intrusion Prevention Systems (IPS) and how firewalls can be used in the data center. Firewall Designs Firewalls have traditionally been used to protect inside resources from being accessed
ASA version 9.0 released
Version 9.0 of the Cisco ASA software has now been released. Here are some of the major features in the new release. Filter ICMP by ICMP code Clustering of multiple ASAs OSPFv3 and EIGRP support IPv6 support on outside interface
Quick notes on Zone Based Policy Firewall (ZBFW)
Continuing to check things off from the blueprint. Did some ZBFW labbing today. Here are some important things to be aware of. ZBFW is basically a wrapper for CBAC. We create policies between zones and assign interfaces to zones instead
AAA new-model – What does it do?
To enable AAA we need the AAA new-model command, but what does it really do? Many of us make assumptions about this command. By default, if we have an empty config then we will be able to use the console
Quick post on IP applications
I’m going through the blueprint and now I checked off IP accounting. The feature is very simple: it lets us see which source/destination pairs are sending traffic to each other. We can also configure it to look at what precedence
Quiz – AAA authorization
I’m doing the security section of Vol1 right now and this is something I think people might confuse. Look at the following configuration: ! Scenario 1 aaa authentication login default group tacacs+ none aaa authorization exec default none !
Generate traffic with traceroute
I found a very useful tool when practicing the INE labs: how to generate traffic with traceroute. I’ve used telnet lots of times to generate TCP traffic on different ports, but what if we want to generate UDP traffic instead?
Lock and key ACL
The lock and key ACL is one of those features you’re not sure how to use in production, but it is viable for the CCIE lab. The lock and key ACL is a form of dynamic ACL which requires a
Filtering traffic with a route-map
This post describes how to filter packets with a route-map. I have never used a route-map for the sole purpose of filtering packets before. I ran into this while doing a vol2 lab and the task was to filter ICMP