Cisco Certification Program Refresh

The Empty Blog

One of the primary reasons I originally started this blog, was to use it for personal accountability with my Cisco certification progress. As I studied and understood a particular topic, I could write a blog article on that topic to cement it in my mind and share that knowledge with others.

The complete lack of blog posts reflects how well that plan went… I actually did complete my CCNP Security, and was in pursuit of my CCIE Security when my career trajectory shifted. No longer was I solely a Network or Security Architect; an increasing portion of my role was focused on Network Automation and solving problems at massive scale. I stopped chasing traditional networking certifications and spent many thousands of hours learning Python and Golang in order to best solve the problems I was faced with at my job.

While that work has been fulfilling and challenging, it doesn’t present itself well to the traditional Networking world mindset of “certification chasing”. Since I stopped actively pursuing Cisco certifications I have had more than one conversation where people have asked things like: “So where’s your CCIE at?” or “Are you going into management now?” As I looked at the Cisco certifications available, there wasn’t one that presented value to me and the work I was doing every day, beyond the basic knowledge acquired in getting my CCNA and CCNP Voice, Security, and Route/Switch in the past. I couldn’t justify the expense (in both money and time away from my family) to chase a CCIE if it wasn’t applicable to my career.

Well as of today, Cisco is announcing something that changes all of that, and I’m super excited. They are doing a complete, top to bottom, refresh and realignment of the certifications that are offered, and the process to get/keep them.

The New and Improved Cisco Certifications

All the changes discussed below go into effect on February 24th, 2020. So you’ve got time to finish your existing studies or gear up for a new certification/track.

First and foremost, and the most personally exciting to me, is that there is a complete new certification track:

New Certification Tracks from Cisco

Network Automation/NetDevOps is now recognized via DevNet certifications in their own track, all the way up to a forthcoming DevNet Expert certification targeted at the same level of expertise expected of CCIE-level folks!

According to DevNet the DevNet Professional level exam/certification is targeted at:

… developers who have at least three to five years of experience designing and implementing applications built on Cisco platforms. Two exams cover designing and developing resilient, robust and secure applications using Cisco APIs and platforms, and managing and deploying applications on Cisco infrastructure.

https://developer.cisco.com/certification/

This is exactly where I find myself sitting today, and I’m super excited to see that Cisco and the folks at DevNet are listening to the community and responding to this need! I will be one of the first people in line next February when these exams go live. And I can 100% see the value in pursuing the DevNet Expert examination in my career path.

Additional Changes

There are some significant changes to the certification paths, even inside the existing network focused paths.

  • No more prerequisites for any Cisco certification, if you’re at the Professional or Expert level in your field, go sit that exam.
  • All certifications are good for 3 years from the last pass date (including Expert level).
  • There are now additional options, including Continuing Education, for renewing your certifications at all levels.
  • Associate level (CCNA or DevNet Associate) is one exam.
  • Professional level (CCNP or DevNet Professional) is two exams:
    • A Core skills exam in your track.
    • A Concentration exam in a more specific area of focus to your specialization.
  • Taking additional specialization exams will grant you Cisco Specialist badges/awards.
  • The tracks available to the Networking path are being narrowed down to Enterprise, Security, Service Provider, Collaboration and Data Center.

As discussed above, these changes will go into effect on February 24th, 2020. However, exam topics and other information are now live via the links below. And expect MANY blog posts and other information from Cisco in the coming days, weeks, and months.

Happy Certing!

Links!

300-208 SISAS – What Is Cisco ISE?

In my earlier post about the Cisco 300-208 SISAS (Implementing Cisco Secure Access Solutions) exam, I gave a brief overview of the exam and listed the exam topics as laid out by the Cisco Learning Community.  However, I felt that these largely boil down to a few key concepts related to Cisco ISE (Identity Services Engine):

  1. Understand what ISE is.
  2. Understand why you might use ISE in a wired or wireless network.
  3. Understand what ISE does at a protocol level.
  4. Understand how ISE interacts with Network Access Devices and other systems.
  5. Understand how to configure ISE and the Network Access Devices.

This post will deal with Concept 1, Understand what Cisco ISE is.


A Little History

Before you can really understand what ISE is, I feel that you need to know where it came from.  Cisco’s NAC (Network Access Control) offerings have been fairly scattershot over the years.  They even tried unsuccessfully to market their own meaning of NAC for several years, attempting to sell their services as Network Admission Control.  Thankfully, they’ve given in and joined the rest of us in Network Access Control land.

Cisco ACS (Access Control Server) was the direct predecessor to ISE, and still exists today. It provides RADIUS and TACACS services, and is able to integrate with central Identity Stores such as Active Directory or other LDAP-speaking software. This means that you would often find ACS in an enterprise network serving to authenticate VPN and wireless users, or to control administrative access to network devices. Over time ACS evolved, as most Cisco applications have, from something you installed on top of Windows to a full-blown Linux-based appliance (as of ACS 5.0 in 2009). The common “appliance” model in use today means that without a little (non-Cisco-approved) tinkering you don’t have access to the Linux guts of Cisco ACS, or ISE for that matter; you’re simply presented an application.

At the same time that ACS was growing and advancing in capabilities, there was also the burst of BYOD onto the market and a growing market in servers/services to manage and administer user Identity on the network. Cisco saw an opportunity to forklift the capabilities of ACS into a new product that was targeted directly at the “new” Identity Management market, not just traditional “access control”. They took the underlying operating system from ACS, a RHEL/CentOS-based distribution that they call ADE-OS (Application Deployment Engine), and added a few new capabilities and features to the application. This creation is what we know today as Cisco ISE. Essentially, you can think of ISE as ACS version 6.0.

The only thing left out of ISE (until the recent release of Cisco ISE v2.0) was TACACS, as it was intended that you still purchase ACS to control network device administrative access.  For the purposes of the 300-208 SISAS exam today, you can consider TACACS to be out of scope for ISE, and to be the sole purview of ACS, although you still have to understand TACACS for the exam.

What Is Identity Management?

A full discussion of what Identity and Identity Management is, could take up many pages and posts (see wikipedia), however for the purposes of the 300-208 SISAS exam it can be summed up as this from the Official Cert Guide:

An identity is a representation of who a user or device is. Cisco ISE uses an endpoint’s MAC address to uniquely identify that endpoint. A username is one method of uniquely identifying an end user. Although SSIDs and IP addresses can be used as conditions or attributes in ISE policies, they are not identities.

Woland, Aaron; Redmon, Kevin (2015-04-27). CCNP Security SISAS 300-208 Official Cert Guide (Certification Guide) (Kindle Locations 13023-13026). Cisco Press. Kindle Edition.

An Identity Management system can then be defined as a way to keep track of Identity information for many users or devices, as well as the associated Authentication and Authorization information for those entities. This is precisely what Cisco ISE is and does. It provides all manner of services related to managing who users and devices are, and what network resources they may access. Cisco ISE does not directly stop an entity from accessing a portion of the network (there are sometimes Inline Policy Nodes, but they are not common). The Network Access Devices (NADs) themselves handle the heavy lifting of granting/denying access by utilizing IEEE 802.1X, which I will discuss in a subsequent post. ISE simply provides a centralized location to set policy, gather reporting, and then interact with the NAD via RADIUS.
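To make the division of labour in the paragraph above concrete, here is a small added example (my own constructed model, not ISE or Cisco code): a policy server that identifies the subject of a RADIUS Access-Request by username or MAC address, treats the SSID only as a condition, and answers with an Access-Accept/Reject plus a VLAN, while a separate function models what the NAD does with that answer. The identity store, the rules, the MAC addresses and the assumption that a wireless NAD encodes the SSID as `<AP MAC>:<SSID>` in Called-Station-Id are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-..' and 'aa:bb:..' name the same endpoint."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Identity store (constructed sample data): endpoints are identified by MAC,
# users by username. Nothing else in the request is an identity.
ENDPOINT_GROUPS = {normalize_mac("00-1A-2B-3C-4D-5E"): "printers"}
USER_GROUPS = {"alice": "employees", "bob": "contractors"}


@dataclass
class Rule:
    group: str                  # identity group the rule applies to
    ssid: Optional[str]         # condition: required SSID, or None for any
    decision: str               # "Access-Accept" or "Access-Reject"
    vlan: Optional[str] = None  # returned to the NAD as Tunnel-Private-Group-Id


# Authorization policy (constructed). Rules are evaluated top to bottom; no match = deny.
RULES = [
    Rule("employees", "corp", "Access-Accept", "10"),
    Rule("contractors", "guest", "Access-Accept", "30"),
    Rule("printers", None, "Access-Accept", "20"),
]


def identify(attrs: dict) -> Optional[tuple]:
    """Return (identity, group) or None. A username identifies a user, a MAC an endpoint."""
    user = attrs.get("User-Name")
    if user in USER_GROUPS:
        return user, USER_GROUPS[user]
    mac = attrs.get("Calling-Station-Id")
    if mac:
        try:
            mac = normalize_mac(mac)
        except ValueError:
            return None
        if mac in ENDPOINT_GROUPS:
            return mac, ENDPOINT_GROUPS[mac]
    return None


def ssid_from(attrs: dict) -> Optional[str]:
    """Assumption: a wireless NAD sends '<AP MAC>:<SSID>'; a wired NAD sends a bare port MAC."""
    called = attrs.get("Called-Station-Id", "")
    try:
        normalize_mac(called)
        return None  # bare MAC: wired port, so no SSID condition applies
    except ValueError:
        pass
    return called.rsplit(":", 1)[-1] if ":" in called else None


def authorize(attrs: dict) -> tuple:
    """Policy decision for one Access-Request: (decision, reply attributes). Default deny."""
    ident = identify(attrs)
    if ident is None:
        return "Access-Reject", {}
    _, group = ident
    ssid = ssid_from(attrs)  # a condition on the policy, never an identity
    for rule in RULES:
        if rule.group == group and (rule.ssid is None or rule.ssid == ssid):
            reply = {"Tunnel-Private-Group-Id": rule.vlan} if rule.vlan else {}
            return rule.decision, reply
    return "Access-Reject", {}


def nad_enforce(decision: str, reply: dict) -> str:
    """What the switch/WLC does with the answer: the policy server decides, the NAD enforces."""
    if decision != "Access-Accept":
        return "port unauthorized"
    vlan = reply.get("Tunnel-Private-Group-Id")
    return f"port authorized, VLAN {vlan}" if vlan else "port authorized"


if __name__ == "__main__":
    # Same user, two SSIDs: identity is unchanged, the condition changes the outcome.
    for ssid in ("corp", "guest"):
        req = {"User-Name": "alice", "Calling-Station-Id": "AA-BB-CC-DD-EE-01",
               "Called-Station-Id": f"00:00:00:00:00:01:{ssid}"}
        print(ssid, nad_enforce(*authorize(req)))
```

Run it and note that alice is accepted on the corp SSID but rejected on guest even though her identity is identical in both requests; that is the distinction the Official Cert Guide draws between an identity and an attribute used as a policy condition.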

In the next post I will delve into Concept 2, the Whys surrounding Cisco ISE, as well as give a few example use cases.

300-208 SISAS – How to Tackle the Beast

The best way to finish something, is to begin it.  So I decided I would begin my prep for the 300-208 SISAS (Implementing Cisco Secure Access Solutions) exam, by laying out my personal study plan against the exam topics, found here on the Cisco Learning Community.

The exam topics are broken into five broad categories, and Cisco also gives a general indication of what percentage of the exam is on each topic:

1.0 Identity Management/Secure Access – 33%
2.0 Threat Defense – 10%
3.0 Troubleshooting, Monitoring and Reporting Tools – 7%
4.0 Threat Defense Architectures – 17%
5.0 Identity Management Architectures – 33%

Each of those broad topics has several sub-categories; 1.0 Identity Management/Secure Access, for example, is broken down into over 60 sub-sections. This depth of expected knowledge can seem quite daunting at first, especially given the vague nature of some of the topics. However, I’ve found that the exam really breaks down into 5 key areas, all of which are focused primarily on Cisco ISE (Identity Services Engine):

  1. Understand what ISE is.
  2. Understand why you might use ISE in a wired or wireless network.
  3. Understand what ISE does at a protocol level.
  4. Understand how ISE interacts with Network Access Devices and other systems.
  5. Understand how to configure ISE and the Network Access Devices.

This is why my primary focus in these exam preparations is getting hands on with Cisco ISE.  I have been spending at least 10 minutes per night, getting familiar with both the GUI itself and the operations that ISE can do.  10 minutes may not seem like much, but getting any hands on time with a complex system matters.  You have to keep yourself sharp and fresh when preparing for an exam.  Especially if, like in my current job, you do not interact with ISE at all on a day-to-day basis.

In the next few posts I’ll dig further into each of these 5 key areas, as well as discuss how to setup an ISE test lab for yourself and talk through some of the scenarios I’m using for my lab.


CCNP Security – Halfway There

I am halfway towards my CCNP Security, and am finally gearing up to finish it.  When I completed the 642-618 FIREWALL and 642-648 VPN exams in the beginning of 2014, I was promptly sidetracked with the little things in life.  (Such as moving across the country, starting a new job, and finishing my BSIT at WGU.)  Knowing that the old CCNP Security exams had cycled out in April of 2014, I used Cisco’s CCNP Security Migration Path tool to validate that I was left with these two exams:

  • 300-207 SITCS (Implementing Cisco Threat Control Solutions)
  • 300-208 SISAS (Implementing Cisco Secure Access Solutions)

I am starting first with the 300-208 SISAS exam as it covers a range of topics, such as 802.1X, Cisco ISE, and RADIUS, that I am very familiar with. However, from everything I’ve read, it goes into great depth on the minutiae of the ISE interface. As I haven’t touched ISE in a production environment in over a year now, I’ve been spending time most evenings in my lab spinning up and down many different scenarios.

My lab for this study is entirely virtual, and is really a dry run for building my CCIE Security lab.  It currently consists of the following, largely coordinated and controlled via GNS3:

  • ISE 1.2 – VMware Fusion on my MacBook
  • ACS 5.6 – VMware Fusion on my MacBook
  • CentOS test boxes (x2) – VMware Fusion on my MacBook
  • IOU L2 Image (x2) – Rackspace Cloud Server
  • IOU L3 Image (x6) – Rackspace Cloud Server
  • ASA 8.4 (x2) – QEMU on a Rackspace Cloud Server

In the weeks to come I’ll be posting more about my exam preparations, including lab scenarios and links.  This is mostly for myself, but if anyone else gets some use out of it too, even better.