Thursday, April 19, 2007

Rejoice! Pixemu lives.

A smart guy using the handle mmm123 posted in the Dynamips forum how he created a PIX emulator on his PC using QEMU. I tested it and it works like a charm! Here's what you need to do.

1. Download QEMU. As a dependency, you may need to download SDL as well.

2. Download the pixemu binary. You need to register on the forum first.

3. Get a copy of the PIX OS. I used PIX version 7.2.2(10).

4. I've read in the thread that in theory it is possible to run QEMU on Windows, but it will be a pain to make it work. To run it on Windows without the headache, I downloaded the Fedora Core 4 minimal-install VMware image and ran it with the free VMware Player.

5. Copy QEMU, pixemu and the PIX OS image (via TFTP, FTP or SCP) to your FC4 virtual machine. Of course, you have to set up the virtual machine's network settings first.

6. Install SDL and QEMU in the virtual machine (rpm -ivh).

7. Untar the pixemu binary (tar -jxvf).

8. Create a 16 MB flash disk image by running this command:
dd if=/dev/zero of=FLASH bs=1k count=16k

9. Unzip the PIX OS, then copy the extracted image into the same folder as pixemu:
unzip pix721.bin
mv target/f1/pix ./pixemu

10. You should be all set. Read the README and edit pixemu.ini if you need to change the serial number, the PIX filename, etc. To run the PIX emulator:
pixemu -net nic,vlan=1,macaddr=00:aa:00:00:02:01 -net tap,vlan=1,script=if1up -net nic,vlan=2,macaddr=00:aa:00:00:02:02 -net tap,vlan=2,script=if2up -serial stdio -m 128 FLASH -no-kqemu
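Steps 5 through 10 above, as an added shell example (this is not code from the original post or from the Dynamips forum thread). It wraps the flash-image creation, the PIX image staging and the launch line in functions, and adds the checks a practitioner would want: the flash image is verified to be exactly 16 MiB, the PIX image is copied rather than moved (so a pixemu binary is never silently overwritten if the tarball did not unpack into a directory), and the MAC addresses for the NICs are generated from the 00:aa:00:00:02:NN scheme so that no two interfaces collide. It assumes pixemu and pixemu.ini sit in the current directory, that the zip contains target/f1/pix as shown in step 9, and that the tap scripts are named if1up, if2up, ...; the tap script body is a minimal assumption, not something from the post.

```shell
#!/bin/sh
# Added example (not from the original post or the Dynamips forum thread):
# steps 5-10 as shell functions, so the flash image, the PIX image staging
# and the launch command line are reproducible instead of retyped.
# Assumptions not stated in the post: pixemu and pixemu.ini live in the
# current directory, the PIX zip contains target/f1/pix as in step 9, and
# the tap "up" scripts are named if1up, if2up, ... next to pixemu.

set -u

FLASH_SIZE_KB=16384        # 16 MiB: the same size as "dd bs=1k count=16k"

# make_flash FILE: create a zero-filled flash image (step 8) and verify its
# size, so a partial write (full disk, interrupted dd) is caught before PIX
# boots from it. Prints the size in bytes on success.
make_flash() {
    flash="$1"
    dd if=/dev/zero of="$flash" bs=1k count="$FLASH_SIZE_KB" 2>/dev/null || return 1
    actual=$(wc -c < "$flash" | tr -d ' ')
    expected=$((FLASH_SIZE_KB * 1024))
    if [ "$actual" -ne "$expected" ]; then
        echo "make_flash: $flash is $actual bytes, expected $expected" >&2
        return 1
    fi
    echo "$actual"
}

# stage_pixos ZIP DIR: unzip the PIX image (step 9) into a scratch directory,
# then copy target/f1/pix into DIR as "pix". Copying instead of the post's
# "mv target/f1/pix ./pixemu" cannot clobber a pixemu *binary* if the tarball
# did not unpack into a directory of that name.
stage_pixos() {
    zip="$1"; dest="$2"
    scratch=$(mktemp -d) || return 1
    if ! unzip -q "$zip" -d "$scratch"; then
        rm -rf "$scratch"; return 1
    fi
    if [ ! -f "$scratch/target/f1/pix" ]; then
        echo "stage_pixos: target/f1/pix not found in $zip" >&2
        rm -rf "$scratch"; return 1
    fi
    cp "$scratch/target/f1/pix" "$dest/pix" && rm -rf "$scratch"
}

# write_tap_script N: QEMU runs the script named in "script=" with the tap
# interface name as $1. This minimal body (an assumption, not from the post)
# only brings the interface up; bridging it to a NIC or to Dynamips is
# site-specific and not shown.
write_tap_script() {
    n="$1"
    printf '#!/bin/sh\n/sbin/ifconfig "$1" 0.0.0.0 up\n' > "if${n}up"
    chmod 755 "if${n}up"
}

# pixemu_netargs N: print the "-net nic ... -net tap ..." arguments for N
# interfaces using the MAC scheme from step 10 (00:aa:00:00:02:NN), so every
# NIC gets a distinct MAC, as it would on real hardware.
pixemu_netargs() {
    n="$1"; i=1; out=""
    while [ "$i" -le "$n" ]; do
        mac=$(printf '00:aa:00:00:02:%02x' "$i")
        out="$out -net nic,vlan=$i,macaddr=$mac -net tap,vlan=$i,script=if${i}up"
        i=$((i + 1))
    done
    printf '%s' "${out# }"
}

# pixemu_cmd N FLASH: the full launch line from step 10 for N interfaces.
pixemu_cmd() {
    printf 'pixemu %s -serial stdio -m 128 %s -no-kqemu' "$(pixemu_netargs "$1")" "$2"
}

# pixemu_setup ZIP [NICS]: the whole procedure, run from the directory that
# holds pixemu and pixemu.ini. Creating tap devices needs root (CAP_NET_ADMIN),
# so only the final command has to run as root.
pixemu_setup() {
    zip="$1"; nics="${2:-2}"
    make_flash FLASH > /dev/null || return 1
    stage_pixos "$zip" . || return 1
    i=1
    while [ "$i" -le "$nics" ]; do write_tap_script "$i"; i=$((i + 1)); done
    echo "run as root: $(pixemu_cmd "$nics" FLASH)"
}
```

Source the file and call `pixemu_setup pix721.bin 2` from the pixemu directory; it prints the launch line to run as root. If you later add a third interface, `pixemu_netargs 3` extends the MAC and tap numbering for you instead of hand-editing the command.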

You can find a sample setup here where pixemu is integrated with Dynamips. Awesome!

Tuesday, April 10, 2007

NetPro Ask The Expert Yusuf Bhaiji on CCIE Security

Here's a very insightful thread from Cisco's NetPro Connections Forum. Yusuf Bhaiji, Program Manager for the Cisco CCIE Security certification and lab proctor, takes time to answer questions about the lab exam. The answers to most questions are already available in the Lab Blueprint, but the Q&A helps clarify questions a CCIE candidate might have. Here are some of Yusuf's responses which I believe are useful in knowing what to expect from the CCIE lab exam.

"As mentioned in the new blueprints, the new exam is heavily focused on Security technologies only, and routing functions are tested on Security appliances only. Advanced routing features such as filtering, summarization etc. are no longer core objectives, and are tested mostly on the written exam."

"Yes, since the VPN3000 concentrator is announced EOS, it is very likely to be removed from the CCIE lab exam. We are presently working on this and will make an announcement when a decision has been made. Meanwhile, it will continue to appear in the exam."

"Yes, all routing & switching is pre-configured on all devices except the security appliances (i.e. PIX/ASA, VPN3k, IDS). Candidates are required to configure everything on security appliances."

"1) (Q: Can you tell us what exact release is currently running on the exam for ASA? Is it 7.2(1), or at least is it 7.2(X)?) PIX/ASA will be running version 7.2.x
2) (Q: For IPS, is the lab running 5.1?) IPS version 5.1.x
3) (Q: Regarding NAC, on IOS it is not supported on 12.2(T), the current IOS. How will the lab test NAC then?) NAC Framework can be tested on other devices such as the Switch or VPN3k etc.
4) (Q: Do we still have to prepare for promiscuous mode IPS (or IDS) deployment, or inline and inline-vlan pair only?) Both, promiscuous and inline."

"1) (Q: Are we penalized for over-configuration on the CCIE Security Lab?) It depends on the requirements & restrictions, but in most cases, there is no penalty for over-configuration.
2) (Q: Can we configure more 'generic' ACLs? I mean, in the security lab are ACLs supposed to be as specific as possible?) Again, it depends on the question's requirements & restrictions. There is no golden rule that you can apply.
Pls read the questions carefully, and if unclear, pls ask the proctor for clarification."

"The grading is entirely dependent on the proctor. Having said that, we also use 'automated tools' to expedite some of the repetitive tasks in grading and checking the same stuff on all devices, but ultimately, it is the proctor who decides to judge if the answer is correct and/or reward the points."

"Troubleshooting is most likely within the pre-configuration, as security appliances (PIX/ASA, VPN3k, IDS) do not have any configuration except the basics (hostname, enable pwd, etc)."

"...all aspects of routing on security appliances can appear on the exam. But pls note, the emphasis is NOT routing, but these will appear merely to complete an exercise."

"Troubleshooting is mainly focused on FUNCTIONALITY. For e.g. there will be a broken scenario (security context), e.g. IPsec LAN-to-LAN is pre-configured but NOT working. You will be required to identify and fix the end-to-end thing and ensure it is working. The issue can be related to IPsec config or even non-IPsec config within..."

My Favorite:
"No hints (from the proctor) :) The lab proctor is available to clarify the requirements only. He cannot offer you any hints."

Read the rest of the conversation at this link.