I primarily work deploying network infrastructure systems using vendors such as Aruba (Wireless, Remote Access and Access Management), Cisco (Routing/Switching and Security), Check Point (Firewall, VPN, Identity Awareness etc) as well as core Microsoft infrastructure systems (AD, DHCP, DNS, Certificate Authority etc). I use my home lab for certification studying, with my current focus being the CCNP R&S, as well as for testing new solutions and ideas. Outside of studying for certifications I plan on testing ideas for DMVPN Dual Hub configuration, FlexVPN, Cisco AnyConnect, Cisco ISE and Aruba ClearPass (Guest, OnBoard etc).
Until recently my virtualised home lab was running on my PC, running multiple OSes within VMware Workstation; when running multiple systems at once this caused the VMs to grind to a halt. I also have physical hardware that consists of:
3 x Cisco 1811 routers (c181x-advipservicesk9-mz.124-24.T1)
3 x Cisco 3560-8 POE switch (c3560-ipservicesk9-mz.122-53.SE)
1 x Cisco 3750-24 switch (c3750-ipservicesk9-mz.122-55.SE4.bin)
Most of the systems can be run from software, with the exception of LAN switching and the WLAN controller. With the Cisco CSR 1000v virtual router I should be able to complete most if not all studying for the CCNP ROUTE 2.0 exam (I have already passed SWITCH 1.0). I plan on decommissioning all but the Cisco 3750 switch and using all virtual systems.
Link aggregation, also referred to as interface bonding, joins multiple physical interfaces into a virtual bond interface. This interface can then be configured for Load Sharing (Active/Active) or High Availability (Active/Backup). HA enables redundancy in the event of physical interface or even upstream switch failure. Load Sharing maximizes throughput by load balancing amongst the interfaces. Load Sharing does not support switch redundancy, but when a switch stack is used (Cisco Catalyst 3750/3850 etc) I see no reason why this would not work.
Below are instructions on how to set up either HA or Load Sharing, using Check Point R77.10 Gaia. Please test in a lab environment before implementation in production.
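As an added example (my own, not the original post's instructions), the Gaia clish commands for building an Active/Backup bond from two interfaces, with the lines that change for an 802.3ad Load Sharing bond kept as comments. The interface names, bond ID and IP addressing are assumed values.

```clish
# Added example: Gaia clish (R77.x) bond configuration. eth1/eth2, bond ID 1
# and 192.0.2.2/24 are assumed values, not taken from the original post.
# Member interfaces must have no IP address assigned before they join a bond.

# --- High Availability (Active/Backup): survives NIC or upstream switch loss
add bonding group 1
add bonding group 1 interface eth1
add bonding group 1 interface eth2
set bonding group 1 mode active-backup
set bonding group 1 primary eth1
# Link monitoring: poll every 100 ms, wait 200 ms before declaring a link up/down
set bonding group 1 mii-interval 100
set bonding group 1 down-delay 200
set bonding group 1 up-delay 200

# --- Load Sharing (Active/Active, LACP): both links forward traffic; the peer
#     must be one switch (or a stack) with a matching LACP port-channel
# set bonding group 1 mode 8023AD
# set bonding group 1 lacp-rate slow
# set bonding group 1 xmit-hash-policy layer3+4

# Address the bond itself, never the member interfaces, then verify and save
set interface bond1 ipv4-address 192.0.2.2 mask-length 24
set interface bond1 state on
show bonding group 1
save config

# Failover check from expert mode (standard Linux bonding status file):
#   cat /proc/net/bonding/bond1
# then pull the cable on eth1 and confirm "Currently Active Slave" moves to eth2.
```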
To install a new Check Point appliance from fresh you normally must run the first-time installation wizard; this can easily be bypassed by running the command “touch /etc/.wizard_accepted” from expert mode. Once the first-time wizard has been disabled you can run the “cpconfig” command to configure the appliance from the CLI.
You need to disable the wizard from expert mode; you must set the expert password before you can log in to expert mode.
The Check Point Application Control software blade allows firewall administrators to identify traffic and allow/block it based on type of application, time, bandwidth etc. When used with the Identity Awareness software blade, users' and groups' access to sites can be controlled by the security policy. In this post I am using Check Point R75.46 running Gaia on an open server and will run through the basics of setting up Application Control to block Social Network sites and allow all other traffic.
Configuring Application Control
Login to the SmartDashboard
Click on the firewall object and enable “Application Control” by ticking the box. Click OK.
A lot of my day to day work consists of managing and implementing firewalls, primarily Check Point, and configuring Cisco/ProCurve switches. When it comes to testing new Check Point features/blades (Identity Awareness, Mobile Access etc) in the lab I use Oracle VirtualBox and build a virtual machine using the 15 trial license. Where I cannot run a virtual machine I have purchased hardware; over the years I have gathered a vast collection of hardware from multiple vendors including a Juniper Netscreen 5GT firewall, Cisco PIX 501 / ASA 5505 firewalls, HP ProCurve 2610-48 switches as well as a number of Cisco switches (2960, 3550, 3560) and routers (871W and 2600). Having now decided I should start studying for the Cisco CCNP Routing and Switching certification I went through my home lab and ripped out the kit that isn’t up to scratch.
For the Cisco 642-813 SWITCH (Implementing Cisco IP Switched Networks) exam I have 2 x 3560-8 switches running IP Services 12-55.56 IOS and 2 x 2960-24 switches running LAN Base 122-53 IOS.
For the Cisco 642-902 ROUTE (Implementing Cisco IP Routing) exam I will use GNS3 running inside a virtual machine. I have a Shuttle XPC SH55J2 computer with an Intel Core i5 processor and 12Gb RAM with 2 x Intel Dual NIC cards with which I can directly connect into the physical Cisco switches in my lab. The great thing about running VirtualBox virtual machines in my lab is I can also run Windows Servers when it comes to configuring authenticating users/computers with 802.1x etc.
I envisage more posts relating to my CCNP studies soon!
This post describes how to configure Check Point Gaia (R75.46) and Windows 2008 R2 NPS server to authenticate management access to the Check Point CLI or Web GUI. Please refer to the previous post to configure the Active Directory Groups and NPS Policies.
Two roles will be created in the Check Point Web GUI, one with Read Only permissions and another with Read Write. The NPS RADIUS Policy will match the Check Point roles to an Active Directory group, and the members of these groups will be assigned the appropriate role when they log in.