Archive for NetSec

CCDP/ Cisco ARCH (v.3): Further Readings

Perhaps because of the nature of this course, which focuses on theory and design instead of digging into commands and “computer architecture” kinds of topics, it may be good for the 300-320 ARCH exam, but the explanation given was not clear for a techie. Below are some of the contents I found useful to enhance my domain knowledge, complementing Cisco CLN E-Learning: Designing Cisco Network Service Architectures (ARCH) v3.0 (other learning resources here).

More links will be added here, so come back from time to time 🙂

Last Update: 2016/07/13 – Including readings for Ch23 Designing Firewall and IPS Solutions


Cisco ARCH (v.3) Learning Resource

Last Update: 2016/07/13 – Including link to my new blog post “CCDP/ Cisco ARCH (v.3): Further Readings”

Almost three years since the last re-certification… Originally I would have liked to take the CCIE R&S written exam, but as I don’t have enough time now, I decided to go for ARCH v.3 (300-320) instead. Resources are pretty limited… 🙁


Official Self-Study Material


Materials from 3rd party

Material for previous generation of exams


Note: CLN = Cisco Learning Network


Cisco WLC Upgrade Outline

Studying the Release Notes completely is the most important thing, especially the Open Caveats and downgrade limitations.

  1. Check upgrade requirements
    1. Any need to upgrade FUS?
    2. Any need to upgrade to an interim SW version before further upgrading to the target SW version?
    3. Open Caveats that hit the setup of our environment, and their impact
    4. Are all APs supported in the latest firmware? Any bug for any AP model?
    5. Fallback – issues we would hit if we downgrade from this version to the earlier version
  2. Prepare Image(s) – FUS & OS SW
  3. Pre-check & Implementation
    1. AP inventory – “show ap inventory all” <- check the number of APs and which ones they are
    2. Check the number of wireless interfaces that are down
    3. Download WLC SWs to the WLC
    4. Check boot sequence – “show boot” (the new image should be the primary image)
    5. Pre-download – “config ap image predownload”
    6. Check the pre-download status – “show ap inventory all” / GUI: Wireless > Access Point > All AP
    7. Reboot the controller – GUI: Commands > Reboot
  4. Post-check
    1. Check the number of APs and which ones they are
    2. Check the number of wireless interfaces that are down
    3. Spot-check the FlexConnect group & VLAN mapping of a few APs, if any


Reference, WLC: Predownload The Image To The Access Points From The Controller CLI –

(Used to upgrade from to


Spot Rogue DHCP Server on Linux

Extract from –

To expand on l0c0b0x’s comment about using bootp.type == 2 as a filter. The bootp.type filter is only available in Wireshark/tshark. It is not available in tcpdump which the contextual location of his comment inclined me to believe.

Tshark works perfectly for this.

We have our network divided up into numerous broadcast domains, each with their own Linux-based probe with a point of presence on the “local” broadcast domain and on an administrative subnet in one fashion or another. Tshark combined with ClusterSSH allows me to easily look for DHCP traffic (or anything else for that matter) on the further flung corners of the network.

This will find DHCP replies using Linux:

# ifconfig ethX promisc
# tshark -i ethX -n port 68 -R 'bootp.type == 2'


Detect, Spot & Prevent Rogue DHCP server in your network

Detect Rogue DHCP server using MS Rogue DHCP Server detection tool

Tools below are provided by the DHCP team of Microsoft –

Spot Rogue DHCP server using Wireshark

DHCP process (DORA)
1. Discover
2. Offer
3. Request
4. Acknowledge

  1. Install wireshark & restart machine
  2. Start wireshark with no capture filter
  3. Go to the command prompt and type ipconfig /release and ipconfig /renew
  4. Save the trace file as roguedhcp.pcap
  5. Open the capture file – Add filter: bootp
  6. Target DHCP Offer Packet – this will be the template for the display filter
    Select the line with “DHCP Offer – Transaction ID xxx”
    View -> Packet Details
    Expand “Bootstrap Protocol”
    Move down, find and expand “Option: (53) DHCP Message Type”
    Right click on “DHCP: Offer (2)” -> Apply as Filter -> Selected
  7. On the menu bar, Statistics -> Endpoints
    The filter will now become – bootp.option.dhcp == 2
    Select tab “IPv4” and tick “Limit to display filter”; the IPv4 addresses displayed will then be limited to the filter we selected earlier
  8. There may be multiple unicast IPs and a single broadcast IP (i.e., the unicast IPs should be the IPs of DHCP servers trying to allocate IPs to end hosts in the subnet)
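
The same check the Wireshark steps above do by hand, as an added Python example (not part of the original post): it reads option 53 from raw DHCP payloads, keeps only the Offers, and lists the source IPs that are not on a list of known DHCP servers. The function names, the authorized list and the 192.0.2.x sample packets are assumptions constructed for illustration.

```python
import socket
import struct
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie after the 236-byte BOOTP header
OFFER, ACK = 2, 5            # values of option 53 (DHCP Message Type)

def parse_options(payload):
    """Return {option_code: value} for a DHCP payload, or None if not valid DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = End
        if payload[i] == 0:                         # 0 = Pad, has no length byte
            i += 1
            continue
        head = payload[i:i + 2]                     # option code, option length
        if len(head) < 2 or len(payload) < i + 2 + head[1]:
            return None                             # truncated option: reject packet
        opts[head[0]] = payload[i + 2:i + 2 + head[1]]
        i += 2 + head[1]
    return opts

def offer_sources(packets):
    """Map source IP -> server identifier (option 54) for every DHCP Offer seen."""
    seen = {}
    for src_ip, payload in packets:
        opts = parse_options(payload)
        if opts is None or payload[0] != 2 or opts.get(53) != bytes([OFFER]):
            continue                                # keep BOOTREPLY + Offer only
        sid = opts.get(54, b"")
        seen[src_ip] = socket.inet_ntoa(sid) if len(sid) == 4 else None
    return seen

def unexpected_servers(packets, authorized):
    """Offer senders that are not on the list of known DHCP servers."""
    return sorted(ip for ip in offer_sources(packets) if ip not in authorized)

def build_reply(xid, server_ip, msg_type):
    """Constructed sample packet: minimal BOOTREPLY carrying options 53 and 54."""
    header = struct.pack("!BBBBI", 2, 1, 6, 0, xid) + bytes(228) + MAGIC
    return header + bytes([53, 1, msg_type, 54, 4]) + socket.inet_aton(server_ip) + b"\xff"

# Constructed sample data (documentation addresses), not a real capture.
SAMPLE = [
    ("192.0.2.1", build_reply(0x1A2B3C4D, "192.0.2.1", OFFER)),
    ("192.0.2.66", build_reply(0x1A2B3C4D, "192.0.2.66", OFFER)),
    ("192.0.2.1", build_reply(0x1A2B3C4D, "192.0.2.1", ACK)),
    ("192.0.2.9", b"\x02" + bytes(250)),            # not DHCP: no magic cookie
]
print(unexpected_servers(SAMPLE, authorized={"192.0.2.1"}))
```

Each `(source IP, UDP payload)` pair would come from whatever capture tooling is in use; the parser itself needs only the standard library.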

Prevent Rogue DHCP server by DHCP snooping

