Protect The LAN: IPv6 RA Guard

So while nerding on YouTube, one of my favorite YouTubers, Quidsup, did a demonstration of using Kali Linux to perform a pretty nifty denial of service attack against Windows 10. The attack has some minor caveats, but nonetheless is dangerous and relatively easy to pull off. It works by flooding the connected network segment with IPv6 router advertisements (RAs). IPv6 RAs assist in stateless autoconfiguration, so that IPv6 hosts on the network can assign themselves an IP, and can also carry default router information. However, since hosts can have multiple IPv6 addresses, Windows ends up trying to autoconfigure an IPv6 address for every RA it receives. This results in pretty hefty CPU spikes, as well as the NIC being completely unresponsive. However, Cisco has a pretty neat little trick we can implement on our access layer switches to mitigate these types of attacks. Based on the title of this blog, I'm sure you guessed what that feature is: RA Guard.

I like to think of RA Guard as being somewhat akin to DHCP snooping. We build a policy, assign said policy to switch ports, and RA Guard will drop unauthorized RAs. The configuration is fairly straightforward, but seeing the difference it can make when implemented is impressive. See video below :-).
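A minimal RA Guard configuration along the lines described above, as an added example rather than the configuration shown in the video. The policy names and interface numbers are assumptions, and the exact syntax and feature availability vary by switch platform and IOS release.

```cisco
! Policy for ordinary access ports: anything plugged in here is a host,
! so any RA arriving on the port is unauthorized and gets dropped.
ipv6 nd raguard policy HOST-PORTS
 device-role host
!
! Policy for the port facing the legitimate IPv6 router: RAs are expected here.
ipv6 nd raguard policy ROUTER-UPLINK
 device-role router
 trusted-port
!
! Attach the host policy to every user-facing access port (assumed range).
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 ipv6 nd raguard attach-policy HOST-PORTS
!
! Attach the router policy only to the uplink toward the real router (assumed port).
interface GigabitEthernet1/0/48
 ipv6 nd raguard attach-policy ROUTER-UPLINK
!
end
!
! Verify which ports each policy is applied to.
show ipv6 nd raguard policy HOST-PORTS
show ipv6 nd raguard policy ROUTER-UPLINK
```

As with DHCP snooping, the protection only holds if every untrusted access port carries the host policy; a single port left without one can still deliver RAs to the rest of the VLAN.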

CCIE status suspended (but then got it back)

So that happened. Now, I know what some of you are thinking based on the title of this post alone.

That's fair. The truth of the matter is, 2yrs sneaks up on you (or at least snuck up on me) really fast. After I passed the lab in 2015, all I wanted in the world was a break. At that point, not many days had gone by that I hadn't thought of, talked about, or studied for my route switch lab. While I love R/S, and find the technologies incredibly interesting, it just isn't my only interest. Not even within the technology field. There were so many other things I wanted to learn, and to be honest... a lot of video games, TV shows, and general lounging about I felt I had missed out on.

Immediately after passing the lab, I sought to do (2) things. First and foremost, catch up on some seriously overdue slacking off time. I bought video games. So many games. I wanted to watch every TV show I had casually overheard co-workers or friends talking about. Secondly, I wanted to start learning something new. Not necessarily to the degree of a CCIE, but just something different. After a few months went by, I started feeling the itch to start working on something new. At that time I was really struggling to find something to scratch that itch. I felt like I didn't want to recertify in R/S, but if not R/S then what?

Data Center

Data Center... DataCenter... Data Centre? I didn't care, I had deployed a handful of Nexus switches. I thought (and still think) VPC and FabricPath were pretty cool. However, after a few months, I started realizing that I wasn't interested quite enough to justify going much further with it. That's not to say I'm ruling out CCNP DC, just I didn't see going after the DC written as a path forward.

Service Provider

Oh SP, how much I still wish I could have made this make sense for me. It gets all my nerd juices going. For me studying SP was like all my favorite parts of R/S, but on steroids. MPLS is hands down one of my favorite topics, so from an interest level, this made perfect sense. However, after 6 months or so (yeah... 6 months lol), I started realizing that it didn't make much practical sense. I love the technology, but when would I ever get to use this knowledge? I don't work with ISPs often, and I have zero interest in working full time for one. I do work with large enterprise networks that run MPLS internally on occasion, but the R/S material is more than sufficient to support that. So that left me wondering if I could find something I both found interesting and had practical career applications.


The upsides: I was already pretty versed on the ASA and IOS security measures. The downsides: at this time Security v5 had been announced and I knew that I couldn't wait for v5 to be released (January 31st 2017) because there's no way material for that exam would be out in enough time for me to prepare for the written before my number expired April 1st 2017. That left me with a narrow window to learn v4 of the lab (which had a fair bit of older technology). But I decided to go for it, I'd spend 3-4 months prepping for the v4 security written, and make my first attempt in December of 2016. My thinking there: that would give me enough time to reasonably be ready for the test, but also enough time that if I failed I could retake before Cisco retired the exam.

Bad News Bears.

I wasn't ready for the v4 written in December, and I only had enough time for (1) retake before the exam retired. Which I also failed lol. Meaning there was no choice to keep my number in active status aside from taking the written for R/S. However, in February I decided I wouldn't do that. I figured "Who cares, I'll let my number go into suspended status until I can pass the v5 security written." Well, turns out I care. The day I got the email from ccie@cisco.com saying CCIE status was now suspended I instantly freaked out. Really really hard.

Routing & Switching

So after a couple weeks of getting back up to speed on R/S written material (c'mon, like you expect me to work with IS-IS and Multicast routing every day), I sat for my R/S written last Friday and passed. It was a bittersweet moment: on the one hand I got my number back in active status, and all the perks that come with that. On the other hand, I felt like I spent my first two years as an IE spinning my tires. So what now? Security, I'm coming for you. As for this blog, I'm back here as well. Focused on R/S, SP, and Security technologies just like before.

I'm Alive!!

CCIE Security studies have been consuming most of my time. However, I'm just about at the point where I can publish some stuff. I've had drafts for my FlexVPN with dynamic spoke-to-spoke tunnels sitting in draft for months now. So that'll likely come first, after that I may get into some FirePOWER posts.