Completing CCNP Security – Study notes for SISAS (300-208) – Part 1

I was half way towards completing CCNP Security when they announced the retirement of the current exams and I did not have the enough time to complete study for SECURE prior to the last day to test. Given that old exam passes expire after 3 years and my ASA Security specialist certification expires after only 2 years, I have to pass the remaining 2 new exams before Nov 2015 and no later than Jan 2016 to keep a Cisco security certification without having to to sit further 2 exams.

As has often has been the case with Certification changes, the self study texts have not been published and no public information on availability is on the Cisco Press website (link). In fact the page it’s still referring to the February 2012 refresh and not updated yet. I have been informed that new texts should be out in the sometime in the Fall (aka late Q3 or early Q4?) as they have meet significant delays.

There is of course the official course, but I much prefer the self study route with practice exams. Given that the information is spread around, I’m attempting to pull together some notes and a list of books that I can read to keep study moving forward until official (or other) texts have been released.

The first starting point of course is the Exam Description for SISAS (300-208), so given strong focus on ISE and BYOD I’ve chosen to read Cisco ISE for BYOD and Secure Unified Access: BYOD Network Security with ISE as a starting point and following up with a Lab or evaluation environment for ISE.


What’s in your Networking Tool bag?

For most of the last 6 years, I’ve either not been allowed physical access to our hardware in the DC (a long story from my previous job) or I’ve been working in the same Data Centre as my desk, with no remote locations. So the need to have the tools of my trade with me while doing work based travelling has been very limited (or non-existent).

However last year the company I work for was acquired, and now I’m finding myself in the position that I’m travelling more and need to work in other DC’s while out & about.

So I need to travel with tools, and I’m wondering what’s in your networking tool bag? My laptop bag is small (and mostly light), so I’m hoping to not go too OTT.

My starting list is as follows:

  • Assorted RJ45 Cat5e cables (mainly short (0.3m to 2m – Grey & Blue) + joiner & cross-over adaptor.
  • Cage Nuts and bolts (enough to rack 3 to 5 devices).
  • Small Torch (LED).
  • USB Serial Adaptor (need a new one as current seems to not work with Windows 8) + DB9 adaptor & RJ45 Roll over adaptor (Thanks to WTI).
  • Multi-bit screw driver (with ~10 bits).
  • Some USB cables.
  • Cage Nut insertion tool.
  • USB 10/100 Ethernet.

This is in-addition to the normal stuff (laptop, Lync headset, headphones, USB charger, phone cables, ect).

However I do know I need to find good ear protection. I’ve been spoilt by my home DC having the main cooling plant out of the data rooms. Where I was working on Thursday was loud. Thank goodness there were disposable ear plugs available.

CCNA Security

For the about the last 2 years my Cisco certifications have been mostly on hold, for a number of reasons (namely a study break, doing a ITIL certification, work and then DIY). However last week I passed the Cisco IINS (640-553) exam, this means that I can add CCNA Security to my list of Cisco certifications.

This is quite a new certification, as it was only released last year. The subject matter of the course is very similar to that of ISCW and SND. This should be a great help for me as my next Cisco exam should be ISCW, as I really would like to finally add CCNP to my growing list of certifications.

Adding support for Services to Rails-CMDB

I’ve just checked my work in progress of adding support for modeling services in Rails-CMDB into SVN, it’s not really ready for production use yet (i.e. I may change the model in incomputable ways) and it’s lacking much code and tests.

The following is a my current thoughts on the process flow for modeling transitions of services:


I’m thinking buying a license for OmniGraffle, as I can’t edit the above diagram any more, it seems a lot nicer than Visio which I use quite a lot at work. The only thing is the Professional version worth the extra money ?

Combining Dynamic DNS, DHCP and PXE boot

Following on from looking at PXE based installs earlier on in the week, I then moved on to looking at integrating dynamic DNS updates into DHCP (see this article for more details), which is something else I’ve been meaning to look at for some time.

It does greatly simplify the setting of the hostname and domain name on a server when it’s been automatically installed with Debian pre-seeding or Red Hat’s kickstart over the network. This is because both build systems use the reverse DNS entry of the server’s IP address during installations as its hostname.

Thus the host entry in the DHCPd configuration becomes the single location for the details, as in the following example:

host test-001 {

  hardware ethernet 00:0c:29:56:f3:7b;

  option host-name "test-001";

  ddns-hostname "test-001";

  ddns-domainname "local";


A first look at PXE based installations

I’ve never really managed to spend the time needed to have a good look at setting up an environment for installing Linux via PXE. However I finally managed to find the time earlier on this week, and so far I’m impressed. I’ve now got the start of a boot menu from which I can install Debian Etch, two different versions of Centos and most importantly the DHCP server co-exists on the same network as my cable router.

The following magic in the dhcpd.conf allows this server to co-exist with another DHCP server, due to PXE clients ignoring DHCP replies which do not contain the filename or next-server options:

deny unknown-clients;

class "pxe" {
  match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";

And finally within a pool definition, the real magic:

allow members of "pxe";

This allows hosts that boot with the same file name to be grouped together, which should also allow installation of *BSD systems and may be even Windows servers off the same Linux server running ISC DHCPD and TFTP.

I think the next step is to look at automatic installation of Debian and integrating dynamic DNS updates into DHCP, that way it should be possible to get the correct hostname into a Centos VM. However I’m not sure if how it will work with Debian.