
Entries in INE (7)

Friday
19Feb2010

INE SECURITY WORKBOOK - 1.6 IP Access-Lists

This section was pretty straightforward.  Everything worked as advertised.  I did make an initial mistake in my ACL for allowing NTP traffic.  I made the mistake of setting up the ACL using TCP instead of UDP, which confused me when it would not accept "eq ntp" on the end. This was easily corrected.

 

Monday
15Feb2010

INE SECURITY WORKBOOK - 1.5 Advanced Routing

This section introduced a command I have never used, "track".  It is basically a way to set up a "smart" static route.  This is a very handy command.

"a static route tracking feature is used to track the availability of a static route and, if that route fails, remove it from the routing table and replace it with a backup route."

ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Monday
15Feb2010

INE SECURITY WORKBOOK - 1.4 EIGRP

The only question I had regarding this lab was disabling OSPF on the connection to R4.  The command in the solution guide appears to be incomplete. This may be due to my lab running PIX instead of ASA.  To disable OSPF on my PIX the command is:

 Rack1ASA1(config)# router ospf 1
 Rack1ASA1(config-router)# no network 136.1.124.0 255.255.255.0 area 1

 

The solution guide does not include the "area 1".  I will test this on an ASA to see if it behaves the same.

 ****Update 02.19.2010****

The "area 1" is also required on the ASA.

Monday
15Feb2010

INE SECURITY WORKBOOK - 1.2 RIP v2, 1.3 OSPF

Nothing to report here.  These labs went as expected.

Wednesday
13Jan2010

INE Security Workbook - 1.1 VLANS and IP addressing

Comments and observations from CCIE Security Lab Workbook Volume I Version 5.0

ASA Firewall 1.1 VLANS and IP addressing

This section was pretty straightforward; however, I did get some inconsistencies from my lab equipment compared to the solution guide.  These verification inconsistencies did not take away from the overall objectives of this section.

My verification result (from Switch1):

Rack1SW1#show interface trunk
Port        Vlans in spanning tree forwarding state and not pruned
Fa0/21      1,100,120-121,124
Fa0/22      none
Fa0/23      none

 ****The solution guide says ports Fa0/22 - 23 should display the same results as Fa0/21. Why would Fa0/22 and Fa0/23 show "none"? I haven't figured this out. 

 

My verification result (from Switch2):

Rack1SW2#show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      1
Fa0/21      on           802.1q         trunking      1
Fa0/22      on           802.1q         trunking      1
Fa0/23      on           802.1q         trunking      1

***The solution guide says ports Fa0/21 - 23 should be "auto". I can make my results look like the solution guide by changing the provided initial config for SW2 ports Fa0/21, Fa0/22, Fa0/23:

from: switchport mode trunk

to: switchport mode dynamic auto

Monday
23Nov2009

Building A Security Lab - Part 2

I have scrapped the previous security lab I was working on.  I have been able to acquire the following physical equipment:

2 - 3550-24 12.2 IP Services 

4 - 2610XM 12.4(15)T11 ADV. Security

2 - PIX 525 8.0(4) 

1 - Dell 1750 Running Windows 2003 with VMware Server

1 - Dell Latitude D600

All of this equipment is cabled according to the INE Lab Physical Interface Connections document. 

This should get me through the majority of the VOL1 Workbook.  I thought I had access to an ASA 5510, but I will have to get by using a 5505 for ASA only features.

 

Wednesday
11Nov2009

Building A Security Lab

I spent my day building a security lab based on Internetwork Expert's rack design.  My lab will include both physical and virtual hardware. I will also base my lab on Paul Alexander's "Security Home Lab".

http://cciejournal.wordpress.com/2009/03/26/security-home-lab/

The physical hardware I have acquired so far includes:

2 - 3550-24
1 - 3750E
1 - ASA 5510
2 - PIX 525
1 - IDS 4210
1 - Dell 1850

Today I racked the 3 switches and will attempt to configure them as detailed on Paul's website:

"The key to getting the whole topology working is in the Intel Server NIC and the 3548XL switch. I created a VLAN (which shows as a logical interface in windows) for every device that needs to ‘physically’ connects to the 3550 switches. In total there are 21 VLAN interfaces."

I am going to use my 3750E in place of Paul's 3548XL. After racking the switches I did my initial cabling of all three switches and then configuration of the two 3550s. I will configure the 3750E tomorrow and patch in the Dell 1850.

I will post all my switch configs when I am finished.  Hopefully I can follow Paul's design, but I may have to shoot him an email if I get stumped.