
Entries in WORKBOOK (6)

Friday
19Feb2010

INE SECURITY WORKBOOK - 1.6 IP Access-Lists

This section was pretty straightforward.  Everything worked as advertised.  I did make an initial mistake in my ACL for allowing NTP traffic.  I made the mistake and set up the ACL using TCP instead of UDP, which confused me when it would not accept "eq ntp" on the end. This was easily corrected.

 

Monday
15Feb2010

INE SECURITY WORKBOOK - 1.5 Advanced Routing

This section introduced a command I have never used, "track".  It is basically a way to set up a "smart" static route.  This is a very handy command.

"a static route tracking feature is used to track the availability of a static route and, if that route fails, remove it from the routing table and replace it with a backup route."

ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Monday
15Feb2010

INE SECURITY WORKBOOK - 1.4 EIGRP

The only question I had regarding this lab was disabling OSPF on the connection to R4.  The command in the solution guide appears to be incomplete. This may be due to my lab running PIX instead of ASA.  To disable OSPF on my PIX the command is:

 Rack1ASA1(config)#router ospf 1

 Rack1ASA1(config-router)# no network 136.1.124.0 255.255.255.0 area 1

 

The solution guide does not include the "area 1".  I will test this on an ASA to see if it behaves the same.

 ****Update 02.19.2010****

The "area 1" is also required on the ASA.

Monday
15Feb2010

INE SECURITY WORKBOOK - 1.2 RIP v2, 1.3 OSPF

Nothing to report here.  These labs went as expected.

Wednesday
13Jan2010

INE Security Workbook - 1.1 VLANS and IP addressing

Comments and observations from CCIE Security Lab Workbook Volume I Version 5.0

ASA Firewall 1.1 VLANS and IP addressing

This section was pretty straightforward; however, I did get some inconsistencies from my lab equipment compared to the solution guide.  These verification inconsistencies did not take away from the overall objectives of this section.

My verification result (from Switch1):

Rack1SW1#show interface trunk

Port        Vlans in spanning tree forwarding state and not pruned

Fa0/21      1,100,120-121,124

Fa0/22      none

Fa0/23      none

 ****The solution guide says ports Fa0/22 - 23 should display the same results as Fa0/21. Why would Fa0/22 and Fa0/23 show "none"? I haven't figured this out. 

 

My verification result (from Switch2):

Rack1SW2#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan

Fa0/13      on           802.1q         trunking      1

Fa0/21      on           802.1q         trunking      1

Fa0/22      on           802.1q         trunking      1

Fa0/23      on           802.1q         trunking      1

***The solution guide says ports Fa0/21 - 23 should be "auto". I can make my results look like the solution guide by changing the provided initial config for SW2 ports Fa0/21, Fa0/22, Fa0/23

from: switchport mode trunk

to: switchport mode dynamic auto

Thursday
05Nov2009

Time to Study

I decided to use the Internetwork Expert End-to-End CCIE Security Program for my study material; however, I could not swing the cost of this training.  I was able to purchase INE's Security Value Package 1 electronic edition. This package includes:

CCIE Security Advanced Technologies Class-on-Demand
CCIE Security Lab Workbook Volume I (Electronic)
CCIE Security Lab Workbook Volume II (Electronic)

My initial study strategy includes finishing the Class-on-Demand and Volume I by the end of the year.  I am going to attempt 2 hours a day of Workbook study and 1 hour of reading.  Starting January 1, I will re-evaluate my study plan and build a schedule for Volume II and rack time. I hope to schedule my lab in July.