Tuesday, 28 March 2023

Cisco Modeling Labs 2.5: Now with Resource Limiting


Whether you’re using a large virtual machine or beefy hardware server, running labs with a lot of nodes or labs with resource-hungry nodes in Cisco Modeling Labs (CML) can require a lot of memory/RAM and CPUs. But this can become especially problematic in a multi-user system—until now.

Cisco Modeling Labs offers a new feature called resource limiting, available now in CML 2.5 for Enterprise and Higher Education. Read on to learn more about resource limiting, how to set up resource limits in CML 2.5, and what you need to know as you configure the new feature on your CML server or cluster.

What is resource limiting in CML 2.5?


Resource limiting is one of the new features of the CML 2.5 release. The basic idea here is to limit the resources an individual user or group of users can consume with an administrative policy configured on the CML server or cluster. Since this feature only makes sense within a multi-user system, resource limiting is only available in CML Enterprise and CML for Higher Education. Obviously, there is no reason to have a single user restrict themselves.  

Resources on a CML deployment, defined

Prior to the introduction of resource limiting, a user could grab all resources on a CML deployment. And, as a result, other users were unable to launch their labs and nodes.

For context, resources in a CML deployment refer to: 

◉ Memory 
◉ CPU cores 
◉ Node licenses 
◉ External connectors 

The first three entries are genuinely finite resources. External connectors are nearly free in memory and CPU terms, so restricting them is a policy control rather than a capacity one: in a shared deployment it can make sense to limit which users or groups may reach which outside networks.

How to configure CML resource limits


By default, no resource limits are present. An administrator can put resource limits in place by creating resource pools, which then are assigned to a user or group of users. 

Create and assign resource pools


You can manage resource pools by navigating to Tools → System Administration → Resource Pools.

[Screenshot: Tools → System Administration → Resource Pools]

From there, you can create and assign pools. The system differentiates between a template and an actual pool, which is always based on a template and has a user or multiple users connected to it. 

When assigning a template to a group of users, all users of this group will be in one of these two categories: 

◉ They’ll be assigned an individual pool cloned from the chosen template.  
◉ They’ll share the same pool cloned from the chosen template. 

The shared pool switch controls this assignment, as the following screenshot shows: 

[Screenshot: the shared pool switch in the Add resource pool workflow]

When adding CML users to the resource pool (via the Next step button in the Add workflow), the administrator can choose which users (or groups of users) are assigned to the pool, as shown in the following screenshot: 

[Screenshot: selecting users or groups in the Add resource pool workflow]

Create and define your template(s)


Resource pools are always based on a template. This also means that, at the very minimum, you must configure one underlying template (a base template) first. Templates allow us to automatically associate a new resource pool with a new user, whether they are manually created by an administrator or when they are created based on a new lightweight directory access protocol (LDAP) user login. 

Templates also allow you to quickly change a setting for all the pools inherited from a template. In addition, you can override values for individual pools.  That is, the values in the individual pool take precedence over the values defined in the individual pool’s template. 

When a pool has multiple users assigned, then all users share the resources configured in this pool. 

Limit access to external connectors 


External connectors provide outside connectivity. In shared environments with additional network interface cards (NICs), which connect to different outside networks, you might want to control which user or group has access to which outside networks. You can also achieve this by leveraging resource limiting.

A resource pool can define which external network configuration is allowed or denied. As shown in the following screen shot, the administrator can give users of this resource pool one of two options:  

◉ They can use no external connector at all (see: Block all). 
◉ They can use only the specific external connector configurations the administrator selects for the pool.

[Screenshot: external connector allow/deny settings of a resource pool]

In the absence of a specific external connector limit, users with this policy can select all existing external connectors. 

How to check resource usage 


The administrator, as well as individual users, can check the resource limit status. For administrators, the overall system state is shown. (For example, all existing resource pools, including their current usage.) The resource limit use is available via the Tools → Resource limits menu entry, as the following graphic shows: 

[Screenshot: administrator view of Tools → Resource limits]

Here, the administrator sees that there are two pools and that node licenses are in use in the pool named Max50. In addition, the CPU and Memory usage of that pool also appears. However, since the usage is not limited, the bar appears in gray. The external connector and user column show the external connectors the pool is using and the users assigned to the pool, respectively. 

As for the users, their view appears in the following graphic (also via Tools → Resource limits): 

[Screenshot: user view of Tools → Resource limits]

Node licenses are limited, 6 out of 50 or 12% are in use, and 13 CPU cores and 6.5GB of memory are in use. Both CPUs and RAM are not limited, indicated by the infinity symbol in the gauge.

NOTE: Resource limiting does not check for over-subscription. If the CML system has, for example, 32 CPUs and the administrator puts a 64 CPU limit into a pool, the system will not prevent this. It is up to the administrator to put reasonable limits in place, and to make sure the sum of all pool limits fits the host or cluster.

Likewise, a pool with no limit (the infinity symbol in the gauge) is unlimited only from the policy's point of view. The physical CPUs and memory are still finite, and whichever pool claims them first gets them.
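To make the pool semantics concrete (template inheritance with per-pool override, shared versus individual pools, the external-connector allow list where an empty list means Block all, and an admission check against current usage), here is a small Python model written for this article. It is not CML's own code or its API, and the class and field names are my own. It also adds the over-subscription check against host capacity that the note above says CML itself does not perform.

```python
"""Model of CML 2.5 resource pools: templates, per-pool overrides, shared vs
individual pools, external-connector policy and an admission check.  This is
an added illustration written for this page, not CML's own code or its API."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Limits:
    # None means "not limited" (the infinity symbol in the CML gauge).
    cpus: Optional[int] = None
    memory_mb: Optional[int] = None
    licenses: Optional[int] = None
    # None = every external connector allowed; empty set = "Block all".
    external_connectors: Optional[Set[str]] = None


@dataclass
class Template:
    name: str
    limits: Limits


@dataclass
class Pool:
    name: str
    template: Template
    users: Set[str]
    overrides: Limits = field(default_factory=Limits)
    used: Dict[str, int] = field(default_factory=lambda: {"cpus": 0, "memory_mb": 0, "licenses": 0})

    def effective(self, attr: str):
        """A value set on the pool wins; otherwise the template value is inherited."""
        value = getattr(self.overrides, attr)
        return value if value is not None else getattr(self.template.limits, attr)

    def can_start(self, cpus: int, memory_mb: int, licenses: int, connector: Optional[str] = None):
        """Admission check for a node (or lab) against the pool's current usage. Returns (ok, reason)."""
        for attr, req in (("cpus", cpus), ("memory_mb", memory_mb), ("licenses", licenses)):
            limit = self.effective(attr)
            if limit is not None and self.used[attr] + req > limit:
                return False, f"{attr}: {self.used[attr]}+{req} exceeds limit {limit}"
        allowed = self.effective("external_connectors")
        if connector is not None and allowed is not None and connector not in allowed:
            return False, f"external connector {connector!r} not permitted by pool policy"
        return True, "ok"

    def start(self, cpus: int, memory_mb: int, licenses: int, connector: Optional[str] = None):
        """Admit and account for the resources; usage is only charged when admission succeeds."""
        ok, reason = self.can_start(cpus, memory_mb, licenses, connector)
        if ok:
            self.used["cpus"] += cpus
            self.used["memory_mb"] += memory_mb
            self.used["licenses"] += licenses
        return ok, reason


def assign(template: Template, users: List[str], shared: bool) -> List[Pool]:
    """Shared pool: one pool for the whole group. Otherwise one pool per user, each cloned from the template."""
    if shared:
        return [Pool(f"{template.name}-shared", template, set(users))]
    return [Pool(f"{template.name}-{u}", template, {u}) for u in users]


def oversubscription(pools: List[Pool], host_cpus: int, host_memory_mb: int) -> dict:
    """Admin-side sanity check that CML does not perform: do the pool limits add up to more
    than the host?  Pools with an unlimited CPU or memory value cannot be summed and are listed."""
    cpu_sum = mem_sum = 0
    unlimited = []
    for p in pools:
        c, m = p.effective("cpus"), p.effective("memory_mb")
        if c is None or m is None:
            unlimited.append(p.name)
            continue
        cpu_sum += c
        mem_sum += m
    return {"cpu_over": cpu_sum > host_cpus, "memory_over": mem_sum > host_memory_mb,
            "cpu_committed": cpu_sum, "memory_committed": mem_sum, "unlimited_pools": unlimited}


if __name__ == "__main__":
    # Hypothetical template resembling the "Max50" pool in the screenshots: 50 licenses, CPU/RAM unlimited.
    base = Template("Max50", Limits(licenses=50))
    students = assign(base, ["alice", "bob"], shared=True)[0]
    students.overrides = Limits(cpus=32, external_connectors={"NAT"})   # per-pool override
    print(students.start(cpus=13, memory_mb=6500, licenses=6, connector="NAT"))
    print(students.start(cpus=20, memory_mb=1000, licenses=1))           # 13+20 > 32 CPUs
    print(oversubscription([students, Pool("lab", base, {"carol"}, Limits(cpus=64, memory_mb=65536))],
                           host_cpus=32, host_memory_mb=131072))
```

The admission check mirrors what the status page shows: limited resources are compared against the pool's running total, unlimited ones are skipped, and a connector outside the allow list is refused before any usage is charged. Run oversubscription() after every pool change; the real CML will happily accept a 64 CPU pool on a 32 CPU host.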

Highlights and benefits of CML 2.5 resource limits


The new resource limiting feature of Cisco Modeling Labs 2.5 provides a granular way to ensure fair consumption of resources on a shared system. In addition, it allows better policy control and is also a useful way to quickly determine resource usage by users or groups of users via the Resource Limits status page.

Source: cisco.com

Monday, 27 March 2023

Everything You Need to Know About Cisco 300-215: The Exam and Certification Guide

Are you planning to take the Cisco 300-215 exam to enhance your career prospects as a security engineer? If yes, then this article is for you. This article will cover all the essential information you need to know about the Cisco 300-215 exam, including the exam syllabus, preparation tips, and the certification process.


Know About Cisco 300-215 CBRFIR Exam

Cisco 300-215 CBRFIR exam, also known as Conducting Forensic Analysis and Incident Response Using Cisco Technologies for CyberOps, is designed to test the knowledge and skills of security engineers in conducting forensic analysis and incident response using Cisco technologies. The exam duration is 90 minutes and consists of 55-65 questions.


300-215 CBRFIR Exam Syllabus

The Cisco 300-215 CBRFIR exam syllabus is divided into five domains, each covering different topics related to forensic analysis and incident response. The domains and their weights are:

  1. Fundamentals: 20%

  2. Forensics Techniques: 20%

  3. Incident Response Techniques: 30%

  4. Forensics Processes: 15%

  5. Incident Response Processes: 15%

Target Audience

The target audience for the Cisco 300-215 certification exam is security engineers who want to specialize in conducting forensic analysis and incident response using Cisco technologies. This certification is ideal for professionals protecting and securing organizational assets, including networks, endpoints, and data.


The certification is also suitable for professionals who want to enhance their knowledge and skills in forensic analysis and incident response, regardless of their current job title or industry. It can benefit professionals in various fields, including:

  • Cybersecurity: Cybersecurity professionals who want to specialize in conducting forensic analysis and incident response using Cisco technologies can benefit from earning the Cisco 300-215 certification. It demonstrates their expertise and enhances their credibility in the field.
  • IT Operations: IT operations professionals responsible for managing and securing IT infrastructure can benefit from earning the Cisco 300-215 certification. It gives them the necessary knowledge and skills to effectively detect and respond to security incidents.
  • Law Enforcement: Law enforcement professionals who are involved in investigating cybercrime can benefit from earning the Cisco 300-215 certification. It gives them the necessary knowledge and skills to conduct forensic analysis and incident response using Cisco technologies.
  • Compliance: Compliance professionals responsible for ensuring that their organization meets regulatory requirements can benefit from earning the Cisco 300-215 certification. It gives them the knowledge and skills to conduct forensic analysis and incident response in a way that satisfies those requirements.

300-215 Certification Process

Passing the Cisco 300-215 exam earns you the Cisco Certified Specialist – CyberOps Forensic Analysis and Incident Response certification. Together with a pass on the core exam, 350-201 CBRCOR, it completes the Cisco Certified CyberOps Professional certification. Both validate your knowledge and skills in conducting forensic analysis and incident response using Cisco technologies, and you can use them to enhance your career prospects in cybersecurity and related fields.

Top 5 Cisco 300-215 CBRFIR Preparation Tips

Preparing for the Cisco 300-215 CBRFIR exam requires a comprehensive study plan and a structured approach. Here are some tips to help you prepare for the exam:


1. Study the Exam Syllabus:

The exam syllabus is your roadmap to success. Make sure to study each domain thoroughly and understand the topics covered.


2. Use Study Materials:

Cisco provides official study materials, including books, videos, and practice tests, to help you prepare for the exam. You can also use third-party study materials from reputable sources.


3. Practice, Practice, Practice:

Practice is essential to passing the exam. Use practice tests to assess your knowledge and identify areas of improvement.


4. Join Study Groups:

Study groups can help you learn from other candidates and share your knowledge and experiences.


5. Stay Current Instead of Hunting for Exam Questions:

300-215 exam questions are confidential and not publicly available. Rather than looking for leaked questions, study the exam objectives and topics thoroughly and keep up with the latest trends and technologies in forensic analysis and incident response; that is what prepares you effectively for the exam.

Cisco 300-215 CBRFIR Benefits

Cisco 300-215 certification is a valuable asset for security engineers who want to specialize in conducting forensic analysis and incident response using Cisco technologies. Here are some of the benefits of earning this certification:

  • Career Advancement: Cisco 300-215 certification is recognized by industry leaders and can help you advance your career in cybersecurity and related fields. It demonstrates your knowledge and skills in conducting forensic analysis and incident response using Cisco technologies, making you a valuable asset to any organization.
  • Competitive Edge: The cybersecurity industry is highly competitive, and earning Cisco 300-215 certification can give you a competitive edge over other candidates. It shows you have the necessary knowledge and skills to perform the job at a high level.
  • Enhanced Skills and Knowledge: Preparing for the Cisco 300-215 exam requires a comprehensive study plan and a structured approach. Studying for the exam will enhance your skills and knowledge in conducting forensic analysis and incident response using Cisco technologies.
  • Increased Earning Potential: According to PayScale, the average salary for a security engineer with Cisco Certified CyberOps Professional certification is around $106k annually. Earning this certification can increase your earning potential and lead to higher-paying job opportunities.
  • Professional Development: Cisco 300-215 certification is valuable to your professional portfolio and can help you stand out in the job market. It demonstrates your commitment to professional development and lifelong learning.

Cisco 300-215 Scope


The Cisco 300-215 CBRFIR exam covers various topics related to conducting forensic analysis and incident response using Cisco technologies. The five weighted domains listed in the syllabus above span the following areas of expertise:

  • Fundamentals of Forensic Analysis and Incident Response: This area covers the basic concepts and principles of forensic analysis and incident response. It includes forensic investigation, evidence collection, and legal considerations.
  • Network Forensics and Traffic Analysis: This area covers network-based forensic analysis and incident response. It includes network traffic analysis, protocol analysis, and intrusion detection and prevention.
  • Endpoint Forensics and Analysis: This area covers endpoint-based forensic analysis and incident response. It includes malware analysis, memory forensics, and disk forensics.
  • Incident Response: This area covers incident response procedures and methodologies. It includes incident detection and analysis, classification and prioritization, and incident response planning.
  • Incident Handling: This area covers the practical aspects of incident handling. It includes containment, eradication, recovery, and communication and coordination with stakeholders.
  • Incident Response Teams: This area covers the organization and management of incident response teams. It includes team roles and responsibilities, incident response plan development and maintenance, and incident response team training and exercises.

The Cisco 300-215 exam covers various topics related to forensic analysis and incident response using Cisco technologies. The domains cover the field's theoretical and practical aspects, making it a comprehensive certification for security engineers.


Conclusion

The Cisco 300-215 CBRFIR exam is an essential certification for security engineers who want to specialize in conducting forensic analysis and incident response using Cisco technologies. Following the tips and guidelines in this article, you can prepare for the exam and pass it with flying colors.

Good luck!

Saturday, 25 March 2023

Designing and Deploying Cisco AI Spoofing Detection – Part 2

AI Spoofing Detection Architecture and Deployment

Our previous blog post, Designing and Deploying Cisco AI Spoofing Detection, Part 1: From Device to Behavioral Model, introduced a hybrid cloud/on-premises service that detects spoofing attacks using behavioral traffic models of endpoints. In that post, we discussed the motivation and the need for this service and the scope of its operation. We then provided an overview of our Machine Learning development and maintenance process. This post will detail the global architecture of Cisco AISD, the mode of operation, and how IT incorporates the results into its security workflow.

Since Cisco AISD is a security product, minimizing detection delay is of significant importance. With that in mind, several infrastructure choices were designed into the service. Most Cisco AI Analytics services use Spark as a processing engine. However, in Cisco AISD, we use an AWS Lambda function instead of Spark because the warmup time of a Lambda function is typically shorter, enabling a quicker generation of results and, therefore a shorter detection delay. While this design choice reduces the computational capacity of the process, that has not been a problem thanks to a custom-made caching strategy that reduces processing to only new data on each Lambda execution.

Global AI Spoofing Detection Architecture Overview

Cisco AISD is deployed on a Cisco DNA Center network controller using a hybrid architecture of an on-premises controller tethered to a cloud service. The service consists of on-premises processes as well as cloud-based components.

The on-premises components on the Cisco DNA Center controller perform several vital functions. On the outbound data path, the service continually receives and processes raw data captured from network devices, anonymizes customer PII, and exports it to cloud processes over a secure channel. On the inbound data path, it receives any new endpoint spoofing alerts generated by the Machine Learning algorithms in the cloud, deanonymizes any relevant customer PII, and triggers any Changes of Authorization (CoA) via Cisco Identity Services Engine (ISE) on affected endpoints.

The cloud components perform several key functions focused primarily on processing the high volume data flowing from all on-premises deployments and running Machine Learning inference.  In particular, the evaluation and detection mechanism has three steps:

1. Apache Airflow is the underlying orchestrator and scheduler to initiate compute functions. An Airflow DAG frequently enqueues computation requests for each active customer to a queuing service.

2. As each computation request is dequeued, a corresponding serverless compute function is invoked. Using serverless functions enables us to control compute costs at scale. This is a highly efficient multi-step, compute-intensive, short-running function that performs an ETL step: it reads raw anonymized customer data from data buckets and transforms it into a set of input feature vectors for inference by our Machine Learning models for spoof detection. The compute function runs on the cloud provider's Function-as-a-Service platform (AWS Lambda, as noted above).

3. This function then also performs the model inference step on the feature vectors produced in the previous step, ultimately leading to the detection of spoofing attempts if they are present. If a spoof attempt is detected, the details of the finding are pushed to a database that is queried by the on-premises components of Cisco DNA Center and finally presented to administrators for action.
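As an added illustration of the data path described in these steps (not Cisco's implementation), the following Python sketch models both halves: an on-premises controller that replaces endpoint MAC addresses with keyed tokens before export and reverses them when an alert comes back, and a per-customer compute function that reads only the records newer than its stored watermark and merges them into cached features, so a run with nothing new does no ETL work. The HMAC pseudonymisation, the watermark cache, the destination-port features and the "too many distinct ports" rule standing in for the ML model are assumptions chosen for the example; the sample flows are constructed.

```python
"""Added illustration of the hybrid on-prem/cloud path: pseudonymise at the
source, process only new data in the cloud, de-pseudonymise on the way back.
Not Cisco's code; scheme and features are assumptions for this example."""
import hashlib
import hmac
import secrets
from collections import Counter, defaultdict


class OnPremController:
    """Holds the key and the token -> MAC map; neither ever leaves the site."""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)
        self.reverse = {}

    def anonymize_mac(self, mac):
        # Deterministic keyed token: the same MAC always maps to the same token,
        # so the cloud can aggregate per endpoint without learning the MAC.
        token = hmac.new(self.key, mac.lower().encode(), hashlib.sha256).hexdigest()[:16]
        self.reverse[token] = mac
        return token

    def export(self, flows):
        """Outbound path: strip the MAC before the record leaves the controller."""
        return [{"ts": f["ts"], "endpoint": self.anonymize_mac(f["mac"]), "dst_port": f["dst_port"]}
                for f in flows]

    def handle_alert(self, alert):
        """Inbound path: map the token back to the MAC and build the CoA request
        (the real service hands this to ISE; here it is just a dict)."""
        mac = self.reverse.get(alert["endpoint"])
        if mac is None:
            return None
        return {"mac": mac, "action": "reauthenticate", "reason": alert["reason"]}


class CloudInference:
    """One compute-function invocation per customer run.  Only records newer
    than the stored watermark are read; feature counts are kept in a cache."""

    def __init__(self, max_distinct_ports=5):
        self.watermark = defaultdict(int)                             # customer -> last ts seen
        self.features = defaultdict(lambda: defaultdict(Counter))    # customer -> token -> port counts
        self.max_distinct_ports = max_distinct_ports

    def run(self, customer, bucket):
        """ETL on the new records, then 'inference' over the cached features.
        Returns (records_processed, alerts)."""
        new = [r for r in bucket if r["ts"] > self.watermark[customer]]
        for r in new:
            self.features[customer][r["endpoint"]][r["dst_port"]] += 1
        if new:
            self.watermark[customer] = max(r["ts"] for r in new)
        alerts = []
        for token, ports in self.features[customer].items():
            # Stand-in for the ML model: one endpoint talking to many distinct ports.
            if len(ports) > self.max_distinct_ports:
                alerts.append({"endpoint": token, "reason": f"{len(ports)} distinct dst ports"})
        return len(new), alerts


# Constructed sample flows (not real customer data): a "printer" that starts
# with print protocols and then reaches SMB, SSH, RDP and RPC.
FLOWS = [{"ts": t, "mac": "00:11:22:33:44:55", "dst_port": p}
         for t, p in enumerate([515, 9100, 631, 445, 22, 3389, 135], start=1)]


def demo():
    site = OnPremController()
    cloud = CloudInference()
    first = cloud.run("acme", site.export(FLOWS[:3]))     # 3 records, no alert yet
    second = cloud.run("acme", site.export(FLOWS))        # only the 4 newer records are read
    third = cloud.run("acme", site.export(FLOWS))         # nothing new; alert still stands
    actions = [site.handle_alert(a) for a in second[1]]
    return first, second, third, actions


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Two properties worth checking in a real deployment follow directly from this shape: the cloud side never holds the key or the reverse map, so a compromised cloud record set yields tokens rather than identities, and the second and third runs show that the watermark, not the bucket size, determines how much work an invocation does.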

Figure 1: Schematic view of Cisco AISD cloud and on-premises components.

Figure 1 captures a high-level view of the Cisco AISD components. Two components, in particular, are central to the cloud inferencing functionality: the Scheduler and the serverless functions.

The Scheduler is an Airflow Directed Acyclic Graph (DAG) responsible for triggering the serverless function executions on active Cisco AISD customer data. The DAG runs at high-frequency intervals pushing events into a queue and triggering the inference function executions. The DAG executions prepare all the metadata for the compute function. This includes determining customers with active flows, grouping compute batches based on telemetry volume, optimizing the compute process, etc. The inferencing function performs ETL operations, model inference, detection, and storage of spoofing alerts if any. This compute-intensive process implements much of the intelligence for spoof detection. As our ML models get retrained regularly, this architecture enables the quick rollout—or rollback if needed—of updated models without any change or impact on the service.

The inference function executions have a stable average runtime of approximately 9 seconds, as shown in Figure 2, which, as stipulated in the design, does not introduce any significant delay in detecting spoofing attempts.

Figure 2: Average lambda execution time in milliseconds for all Cisco AISD active customers between Jan 23rd and Jan 30th

Cisco AI Spoofing Detection in Action


In this blog post series, we described the internal design principles and processes of the Cisco AI Spoofing Detection service. However, from a network operator’s point of view, all these internals are entirely transparent. To start using the hybrid on-premises/cloud-based spoofing detection system, Cisco DNA Center Admins need to enable the corresponding service and cloud data export in Cisco DNA Center System Settings for AI Analytics, as shown in Figure 3.

Figure 3: Enabling Cisco AI Spoofing Detection is very simple in Cisco DNA Center.

Once enabled, the on-prem component in the Cisco DNA Center starts to export relevant data to the cloud that hosts the spoof detection service. The cloud components automatically start the process for scheduling the model inference function runs, evaluating the ML spoofing detection models against incoming traffic, and raising alerts when spoofing attempts on a customer endpoint are detected. When the system detects spoofing, the Cisco DNA Center in the customer's network receives an alert with the details. An example of such a detection is shown in Figure 4. In the Cisco DNA Center console, the network operator can set options to execute pre-defined containment actions for the endpoints marked as spoofed: shut down the port, flap the port, or re-authenticate the endpoint on the port.

Figure 4: Example of alert from an endpoint that was initially classified as a printer.

Protecting the Network from Spoofing Attacks with Cisco DNA Center


Cisco AI Spoofing Detection is one of the newest security benefits provided to Cisco DNA Center operators with a Cisco DNA Advantage license. To simplify managing complex networks, AI and ML capabilities are being woven throughout the Cisco network management ecosystem of controllers and network fabrics. Along with the new Cisco AISD, Cisco AI Network Analytics, Machine Reasoning Engine Workflows, Networking Chatbots, Group-Based Policy Analytics, and Trust Analytics are additional features that work together to simplify management and protect network endpoints.

Source: cisco.com

Tuesday, 21 March 2023

Designing and Deploying Cisco AI Spoofing Detection – Part 1

The network faces new security threats every day. Adversaries are constantly evolving and using increasingly novel mechanisms to breach corporate networks and hold intellectual property hostage. Breaches and security incidents that make the headlines are usually preceded by considerable reconnaissance by the perpetrators. During this phase, one or several compromised endpoints in the network are typically used to observe traffic patterns, discover services, determine connectivity, and gather information for further exploitation.

Compromised endpoints are legitimately part of the network but are typically devices that do not have a healthy cycle of security patches, such as IoT controllers, printers, or custom-built hardware running custom firmware or an off-the-shelf operating system that has been stripped down to run on minimal hardware resources. From a security perspective, the challenge is to detect when a compromise of these devices has taken place, even if no malicious activity is in progress.

In the first part of this two-part blog series, we discuss some of the methods by which compromised endpoints can get access to restricted segments of the network and how Cisco AI Spoofing Detection is designed to detect such endpoints by modeling and monitoring their behavior.

Part 1: From Device to Behavioral Model

One of the ways modern network access control systems allow endpoints into the network is by analyzing identity signatures generated by the endpoints. Unfortunately, a well-crafted identity signature generated from a compromised endpoint can effectively spoof the endpoint to elevate its privileges, allowing it access to previously unauthorized segments of the network and sensitive resources. This behavior can easily slip detection as it’s within the normal operating parameters of Network Access Control (NAC) systems and endpoint behavior. Generally, these identity signatures are captured through declarative probes that contain endpoint-specific parameters (e.g., OUI, CDP, HTTP, User-Agent). A combination of these probes is then used to associate an identity with endpoints.

Any probe that can be controlled (i.e., declared) by an endpoint can be spoofed. Since, in some environments, the endpoint type is used to assign access rights and privileges, this type of spoofing can lead to critical security risks. For example, if a compromised endpoint crafts its probes to look like a printer, it can gain access to the printer network/VLAN and the print servers there, which in turn may expose the rest of the network to lateral movement.

There are three common ways in which an endpoint on the network can get privileged access to restricted segments of the network:

1. MAC spoofing: an attacker impersonates a specific endpoint to obtain the same privileges.

2. Probe spoofing: an attacker forges specific packets to impersonate a given endpoint type.

3. Malware: a legitimate endpoint is infected with a virus, trojan, or other types of malware that allows an attacker to leverage the permissions of the endpoint to access restricted systems.

Cisco AI Spoofing Detection (AISD) focuses primarily on the detection of endpoints employing probe spoofing, most instances of MAC spoofing, and some cases of Malware infection. Contrary to the traditional rule-based systems for spoofing detection, Cisco AISD relies on behavioral models to detect endpoints that do not behave as the type of device they claim to be. These behavioral models are built and trained on anonymized data from hundreds of thousands of endpoints deployed in multiple customer networks. This Machine Learning-based, data-driven approach enables Cisco AISD to build models that capture the full gamut of behavior of many device types in various environments.

Figure 1: Types of spoofing. AISD focuses primarily on probe spoofing and some instances of MAC spoofing.

Creating Benchmark Datasets


As with any AI-based approach, Cisco AISD relies on large volumes of data for a benchmark dataset to train behavioral models. Of course, as networks add endpoints, the benchmark dataset changes over time. New models are built iteratively using the latest datasets. Cisco AISD datasets for models come from two sources.

◉ Cisco AI Endpoint Analytics (AIEA) data lake. This data is sourced from Cisco DNA Center with Cisco AI Endpoint Analytics and Cisco Identity Services Engine (ISE) and stored in a cloud database. The AIEA data lake consists of a multitude of endpoint information from each customer network. Any personally identifiable information (PII) or other identifiers, such as IP and MAC addresses, is encrypted at the source before it is sent to the cloud. This is a novel mechanism used by Cisco in a hybrid cloud tethered controller architecture, where the encryption keys are stored at each customer's controller.
◉ Cisco AISD Attack data lake contains Cisco-generated data consisting of probe and MAC spoofing attack scenarios.

To create a benchmark dataset that captures endpoint behaviors under both normal and attack scenarios, data from both data lakes are mixed, combining NetFlow records and endpoint classifications (EPCL). We use the EPCL data lake to categorize the NetFlow records into flows per logical class. A logical class encompasses device types in terms of functionality, e.g., IP Phones, Printers, IP Cameras, etc. Data for each logical class are split into train, validation, and test sets. We use the train split for model training and the validation split for parameter tuning and model selection. We use test splits to evaluate the trained models and estimate their generalization capabilities to previously unseen data.
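The following Python example, added here and not Cisco's model, shows the shape of a per-logical-class behavioral model on NetFlow-style input: a smoothed destination-port distribution is learned per class from labelled flows (the train split), a threshold is calibrated on genuine devices from the validation split, and an endpoint whose traffic is improbable under the class its probes claim is flagged as a probe-spoofing candidate. Class names, ports, sample flows and the threshold rule are constructed for the example; the real service uses richer features and trained models.

```python
"""Added illustration (not Cisco's model): a behavioural model per logical
class built from labelled NetFlow-style records, and a check of whether an
endpoint's traffic fits the class its probes claim.  Data is constructed."""
import math
from collections import Counter, defaultdict


def train_class_models(records, alpha=0.5):
    """records: iterable of (logical_class, dst_port) from the train split.
    Returns class -> {port: probability}, additively smoothed so that a port
    never seen for a class still gets a small, non-zero probability."""
    counts = defaultdict(Counter)
    for cls, port in records:
        counts[cls][port] += 1
    vocab = {port for _, port in records} | {"OTHER"}   # OTHER catches unseen ports
    models = {}
    for cls, c in counts.items():
        total = sum(c.values()) + alpha * len(vocab)
        models[cls] = {p: (c.get(p, 0) + alpha) / total for p in vocab}
    return models


def surprise(model, ports):
    """Mean negative log-likelihood (nats per flow) of an endpoint's destination
    ports under one class model.  Low = behaves like that class."""
    return -sum(math.log(model.get(p, model["OTHER"])) for p in ports) / len(ports)


def calibrate_threshold(models, validation, margin=1.0):
    """validation: (true_class, ports) for genuine devices.  The threshold is the
    worst surprise a genuine device produced under its own class, plus a margin."""
    worst = max(surprise(models[cls], ports) for cls, ports in validation)
    return worst + margin


def classify(models, threshold, claimed_class, ports):
    """Returns (is_spoof_candidate, surprise_under_claimed_class, best_matching_class)."""
    s = surprise(models[claimed_class], ports)
    best = min(models, key=lambda c: surprise(models[c], ports))
    return s > threshold, s, best


# Constructed training data: printers speak LPD/IPP/JetDirect, IP phones SIP/RTP/TFTP,
# workstations a broad mix of web, SMB, SSH, RDP and DNS.
TRAIN = ([("Printer", p) for p in [515] * 40 + [631] * 30 + [9100] * 30]
         + [("IP Phone", p) for p in [5060] * 50 + [16384] * 40 + [69] * 10]
         + [("Workstation", p) for p in [443] * 40 + [80] * 20 + [445] * 15
            + [22] * 10 + [3389] * 10 + [53] * 5])
VALIDATION = [("Printer", [515, 631, 9100, 515]),
              ("IP Phone", [5060, 16384, 16384]),
              ("Workstation", [443, 80, 445, 22])]


def demo():
    models = train_class_models(TRAIN)
    threshold = calibrate_threshold(models, VALIDATION)
    genuine = classify(models, threshold, "Printer", [515, 9100, 515, 631])
    # Endpoint whose probes say "printer" but which talks SMB, SSH and RDP before the print server.
    spoof = classify(models, threshold, "Printer", [445, 22, 3389, 445, 22, 9100])
    return threshold, genuine, spoof


if __name__ == "__main__":
    threshold, genuine, spoof = demo()
    print(f"threshold={threshold:.2f}")
    print("genuine printer:", genuine)
    print("spoofed printer:", spoof)
```

The best-matching class is reported alongside the verdict because, operationally, "claims to be a printer, behaves like a workstation" is far more actionable than a bare anomaly score. A production version would calibrate a threshold per class and keep the test split untouched for the final estimate of false-alert rate, which is the metric the monitoring section below uses to trigger retraining.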

Benchmark datasets are versioned, tagged, and logged using Comet, a Machine Learning Operations (MLOps) and experiment tracking platform that Cisco development leverages for several AI/ML solutions. Benchmark Datasets are refreshed regularly to ensure that new models are trained and evaluated on the most recent variability in customers’ networks.

Figure 2: Benchmark Dataset and Data Split Creation

Model Development and Monitoring


In the model development phase, we use the latest benchmark dataset to build behavioral models for logical classes. Customer sites use the trained models. All training and evaluation experiments are logged in Comet along with the hyper-parameters and produced models. This ensures experiment reproducibility and model traceability and enables audit and eventual governance of model creation. During the development phase, multiple Machine Learning scientists work on different model architectures, producing a set of results that are collectively compared in order to choose the best model. Then, for each logical class, the best models are versioned and added to a Model Registry. With all the experiments and models gathered in one location, we can easily compare the performance of the different models and monitor the evolution of the performance of released models per development phase.

The Model Registry is an integral part of our model deployment process. Inside the Model Registry, models are organized per logical class of devices and versioned, enabling us to keep track of the complete development cycle—from benchmark dataset used, hyper-parameters chosen, trained parameters, obtained results, and code used for training. The models are deployed in AWS (Amazon Web Services) where the inferencing takes place. We will discuss this process in our next blog post, so stay tuned.

Production models are closely monitored. If the performance of the models starts degrading—for example, they start generating too many false alerts—a new development phase is triggered. That means that we construct a new benchmark dataset with the latest customer data and re-train and test the models. In parallel, we also revisit the investigation of different model architectures.

Figure 3: Cisco AI Spoofing Detection Model Lifecycle

Next Up: Taking Behavioral Models to Production in Cisco AI Spoofing Detection


In this post, we’ve covered the initial design process for using AI to build device behavioral models using endpoint flow and classification data from customer networks. In part 2 “Taking Behavioral Models to Production in Cisco AI Spoofing Detection” we will describe the overall architecture and deployment of our models in the cloud for monitoring and detecting spoofing attempts.

Source: cisco.com

Monday, 20 March 2023

Top 10 Tips to Pass CCNP Service Provider 350-501 SPCOR Exam

One of the most sought-after certifications in the field is the CCNP Service Provider. It demonstrates basic knowledge while allowing you to tailor the certification to your preferred technical field. This post will discuss the CCNP Service Provider 350-501 SPCOR exam. Your proficiency and expertise with service provider solutions are put to the test during this certification exam.

Overview of Cisco 300-501 SPCOR Exam

To achieve CCNP Service Provider certification, you should pass two exams: a core exam and a concentration exam of your choice.

• The core exam, Implementing and Operating Cisco Service Provider Networks Core Technologies v1.0 (300-501 SPCOR), highlights your knowledge of the core architecture, service provider infrastructure, networking, automation, services, quality of service, security, and network assurance. This core exam is also a prerequisite for the CCIE Service Provider certification, and passing this Cisco exam helps you earn both certificates.

• The concentration exam focuses on the development and industry-specific topics, like VPN services, advanced routing, and automation.

The Implementing and Operating Cisco Service Provider Network Core Technologies v1.0 (SPCOR 350-501) exam is a 120-minute exam consisting of 90-110 questions. This exam is associated with the CCNP Service Provider, CCIE Service Provider, and Cisco Certified Specialist – Service Provider Core certifications.

The exam covers the following topics:

  • Core architecture
  • Services
  • Networking
  • Automation
  • Quality of services
  • Security
  • Network assurance

Proven Tips to Pass the CCNP Service Provider 350-501 SPCOR Exam

1. Understand the Exam Objectives

Understanding its objectives is the first and most crucial step toward passing any certification exam. The CCNP Service Provider 350-501 SPCOR Exam tests your knowledge of implementing, troubleshooting, and optimizing service provider VPN services. Therefore, it is essential to have a comprehensive understanding of the exam objectives, which can be found on the official Cisco website.

2. Get Familiar with the Exam Format

The CCNP Service Provider 350-501 SPCOR Exam consists of 90-110 questions you must answer within 120 minutes. The exam format includes multiple-choice, drag-and-drop, simulation, and testlet questions. Familiarizing yourself with the exam format will help you manage your time efficiently during the exam.

3. Study the Exam Topics Thoroughly

Once you clearly understand the exam objectives and format, it’s time to start studying. The official Cisco website provides a comprehensive list of exam topics you must study to pass. Cover all the topics thoroughly and practice hands-on exercises to reinforce your knowledge.

4. Use Official Cisco Study Materials

The best way to prepare for the CCNP Service Provider 350-501 SPCOR Exam is to use official Cisco study materials. These materials are designed specifically for the exam and provide you with in-depth knowledge of the exam topics. You can also use third-party study materials, but ensure they cover all the exam topics.

5. Join a Study Group

Joining a study group is an excellent way to prepare for the CCNP Service Provider 350-501 SPCOR Exam. You can discuss exam topics with your peers, exchange ideas and insights, and get feedback on your progress. You can find study groups online or in your local community.

6. Practice with Exam Simulators

Exam simulators are an excellent way to prepare for the CCNP Service Provider 350-501 SPCOR Exam. These simulators reproduce the exam environment, including the format and difficulty level of the questions. They also provide instant feedback on your performance, allowing you to identify your strengths and weaknesses.

7. Take Practice Tests

Taking practice tests is an essential part of exam preparation. Practice tests not only help you assess your knowledge of the exam topics but also help you get familiar with the exam format. You can find a wide range of practice tests online or in official Cisco study materials.

8. Manage Your Time Effectively

Managing your time effectively during the exam is crucial. Read each question carefully, understand what it asks, and allocate your time accordingly. Don’t spend too much time on difficult questions; move on to easier ones and return to the difficult ones later.

9. Relax and Stay Focused

It’s normal to feel nervous before and during the exam. However, it’s essential to stay calm and focused. Take deep breaths, clear your mind, and stay focused on the task at hand. Remember, you’ve prepared well, and you have the knowledge and skills required to pass the exam.

10. Review Your Answers Carefully

After you have answered all the 350-501 SPCOR exam questions, review all of them. Candidates often get so enthusiastic about being done with an exam that they forget to go back and check their answers. It may seem redundant, but it’s important to double-check your answers. This helps to ensure that each question has been answered completely and thoroughly and that you haven’t made any simple mistakes.

Conclusion

If you study thoroughly for your CCNP Service Provider 350-501 SPCOR exam and follow the tips in this article, you will succeed in this exam. Earning the CCNP Service Provider 350-501 is one of the best ways to advance your career as a network engineer, support engineer, or network technician. Therefore, prepare for the exam with the best resources and master the exam concepts, which will help you pass your exam on the first attempt.

Thursday, 16 March 2023

Cisco SD-WAN: The Right Tool for Keeping Fleets Moving

When people think of fleets, they often think of a collection of ships cruising across the sea. Modern-day fleets, however, include public transportation, first responders, and service trucks for utilities, ISPs, and equipment or appliance repair. Gone are the days when fleet activities were solely managed by two-way radio voice communication from a dispatcher. In the last 20 years, fleets have been reinvented to digitally connect over wide area networks (WANs) while on the move, sending and receiving important information in real time so that they can operate efficiently and reliably. Modern fleets share the need for reliable and available communications, security, and visibility.

Communication, Reliability, and Visibility

Whether we are talking about public transportation moving thousands of citizens across the city, first responders racing to the scene of an accident, or service fleets responding to power outages – fleet deployments have a definitive need for secure, reliable network connectivity with high availability that relays business information in real time over the best transport possible, in order to maintain operational availability and contain costs.

Consider the impact of a city bus losing connectivity to computer-aided dispatch and missing route updates, or a first responder being unable to access the location of an accident scene. These kinds of scenarios emphasize how critical it is that the connectivity be both reliable and available. Just like office applications, these fleet solutions require always-on, reliable WAN connectivity to perform their functions while in motion and wirelessly connected.

Security as the Backbone of Fleet Management

Segmentation is critical. Take a city bus for example – several applications run simultaneously across payment services, predictive maintenance, passenger services, and video analytics. Each requires controlled access so that only the intended persona can reach the data associated with that service. Using these examples, you’d want only the payment processing company seeing payment information, the maintenance department seeing predictive maintenance data, and security forces seeing video footage. This segmentation, enabled by virtual routing and forwarding (VRF) capabilities, provides peace of mind for those on the security side while simplifying day-to-day life for those on the operations side.

Credentialed access to enterprise networks is also important for service fleets that run applications accessing inventory databases, work order management systems, and even payment systems that are hosted in the enterprise core network. Identity-based security policies on Cisco SD-WAN help ensure that access to sensitive information is automated and scalable to keep the right eyes on the right data.

Data encryption is critical for first responders, particularly ambulances, due to the additional consideration of patient information. Privacy is necessary to comply with HIPAA guidelines, so stricter measures may need to be taken to ensure the data is secure. Cisco SD-WAN provides peace of mind when it comes to the handling of sensitive information, as 2048-bit encryption keys and underlying traffic encrypted using the AES-256 cipher come standard for devices connected through your routers.

Operational Efficiency – The Brass Ring

While all fleet categories require reliable and available connectivity as well as security, transit systems and service fleets are also greatly concerned about operational efficiency. The fact is that most public transit systems operate at a loss and are publicly funded, bringing immense pressure to reduce costs. Service fleets, while typically funded by private industry, are ever vigilant about controlling costs and reducing service call count and duration. Both need automation, consolidation, visibility, and control of airtime costs.

Cisco SD-WAN is the Answer

Cisco SD-WAN provides fleet operators with the ability to connect and monitor their fleet vehicles and automate processes while also providing needed visibility, security, and consolidation with the enterprise network.

The ruggedized industrial routers in the Cisco Catalyst IR Series come SD-WAN ready to meet vehicle environmental conditions. These routers provide reliable and available connectivity through multiple means of transport ranging from 5G and LTE to broadband, Wi-Fi, and even satellite. Cisco SD-WAN also offers configurable failovers between transports to ensure continuous communication. The brain of Cisco SD-WAN, vSmart, can automatically route business-critical traffic over high-bandwidth links and send lower-priority traffic over lower-cost links, while the vManage dashboard lets you see it all in real time.

Cisco SD-WAN comes standard with a host of security functions that ensure your fleet vehicles and their applications are protected at the same level as the enterprise. By creating template-based policies, onboarding new devices comes with ease and helps bridge your IT and OT teams as well. The main security benefits of using Cisco SD-WAN for fleet management come from:

◉ End-to-end segmentation that isolates and protects critical information.
◉ Encrypted IPsec tunnels for data privacy.
◉ Identity-based policy management for both enterprise and industrial networks.
◉ Utilizing Cisco Umbrella for protection against internet-based threats.
◉ Security features running directly on the router, including embedded enterprise firewall, IPS, and URL filtering capabilities.

Cisco SD-WAN provides end-to-end visibility for every application and device across the entire SD-WAN fabric. Between the IoT devices powering your fleet, cloud-native applications used in the office, and every device your employees touch – Cisco SD-WAN provides a consolidated console that is guaranteed to simplify your IT operations. Reliability, availability, security, and visibility are all provided to ensure that your enterprise and fleet vehicles are optimized and protected in any scenario.

Source: cisco.com

Tuesday, 14 March 2023

Perform Web GUI Administration and Configuration with the AXL API

The AXL Philosophy and Purpose

We, as programmers, often look at an API with wild dreams about building dazzling user-facing applications that inspire jaw-dropping amazement. That’s just how we’re built. And the AXL API has the power to let you do that.

One word… DON’T.

AXL is not an API for user-facing applications. It’s an administration and configuration API. You don’t want to push an end-user application built on AXL to 1,000 users. And if you do, you’re going to have a bad time.

Think of AXL as a programmatic way to perform web GUI administration and configuration tasks. For example, in the web GUI, you add an end user this way.

1. Select the User Management menu
2. Select End User
3. Click on +Add New
4. Fill out the form
5. Save.

Now, programming that might seem silly and more work than using the web GUI. But think of it this way. You have a text file with a list of names, email addresses, phone numbers, assigned company phone extensions and other personal data of new employees. Now you can write an application that reads the file, creates and configures an end-user account for each person, and creates and configures line and phone entries for them. That’s automating an administration and configuration task in a way that makes your life as an administrator easier.

The Basics

AXL is a SOAP-based API. There’s no REST for the wicked here.

The most often used AXL APIs fall into the following groups:

1. addSomething (e.g., add a phone)
2. getSomething (e.g., get a phone’s info and settings)
3. updateSomething (e.g., change a phone’s info and settings)
4. applySomething (e.g., apply the changes you made for the phone)
5. removeSomething (e.g., remove a phone)
6. listSomething (e.g., list all phones)

There are a few other AXL APIs not in those groups that you’ll need at times, but those are the most frequently used operations.

Getting Started: Preparation

The best way to get familiar with AXL is to use a free, open-source tool called SoapUI. SoapUI makes it easy to experiment with the AXL API. But first, you need to download the files you’ll use with SoapUI.

Log into Call Manager as an administrator. Under the Application menu, select Plugins.

Click the Find button (not shown in this screen shot). The first item is the Cisco AXL Toolkit. Click on Download and save it somewhere.

The saved file should look like this:

Open the zip file to see its contents.

Open the schema directory.

Pick the version of Call Manager you are using. In this sample, we’ll pick current.

Copy the three files above to a working directory. I chose C:\SOAP.

Download and install the open-source SoapUI from this page. You’re done with preparation. Now, it’s time to create an AXL project to play with the API.

Set Up a SoapUI AXL Project

Click on the File menu and choose New SOAP Project.

Pick a name for your project. Set the Initial WSDL to point to the AXLAPI.wsdl file you saved to a working directory earlier. Click OK.

In the left column, you should see this (assuming you used the name New AXL Test; otherwise look for the name you chose).

Right click on AXLAPIBinding and select Show Interface Viewer. You should see this dialog box.

Click on the Service Endpoints tab, and you’ll see where you can enter information for the AXLAPI binding.

Type what you see in the Endpoint field, except point to your server where it says YOURSERVER. Assuming it’s safe for your work environment to do, enter your Administrator username and password in the appropriate fields. You can create an Administrator account in Call Manager specifically for use with the AXL API, or you can use your primary Administrator account.

You can close this dialog box now.

Now let’s play with one of the requests. In the left column, find listPhone and click on its plus sign. Then double-click on Request 1. You should see all the XML for this request pop up in a new dialog.

The listPhone request has a few potential hang-ups that are good to learn how to avoid. Any listSomething request is going to return, well, a list of things. Scroll down to the bottom of the request XML and you’ll see these options. They let you skip a number of results or define the starting point. We don’t want to mess with those options right now, so select them and delete them.

At the top, look for what I have selected here, select it and delete it. This attribute can be useful, and you don’t always have to delete it, but in this case you’ll need to remove the sequence="?" attribute for the request to work properly.

There’s one more thing. Get rid of what you see selected in this screen shot. Select it and delete it.

There are way too many values to specify, so let’s chop the request down to look like this. Make sure to put a percent sign in the <name></name> tag. This is a wildcard, which means it will list ALL the phones. You want to start simple, so this is a simplified listPhone operation.

Now’s the time to try it out. Click on the green “run” icon in the upper left. You should see the right side of the request change to this:

This is an unfortunate bug in the current version of SoapUI. It should show you the XML response by default, but it instead shows you raw information. Until the app is fixed, you’ll have to click on the upper left XML tab to view the response.

The response might look something like this:

With that, you now have enough basic knowledge to experiment with any of the AXL APIs. Hey now, you’re an all-star, get your game on, go play.

Programming Tip

And if you really want to run with the big boys, here’s a tip for running multiple AXL requests sequentially. Every time you make an AXL request, Call Manager launches a Tomcat session. When you make many requests in a row, Call Manager will launch multiple Tomcat sessions, which use up CPU and RAM.

Here’s a way around that. At the bottom of the response, open up the headers and you’ll see a cookie named JSESSIONID and its value.

If you set the JSESSIONID cookie and use the same value for your next AXL request, Call Manager will re-use the Tomcat session instead of launching a new one.
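
As an added example (not Cisco’s code and not part of the AXL toolkit), here is a small stdlib-only Python helper that does in code what the SoapUI walkthrough above does by hand: it builds the trimmed listPhone request (one <name> search tag with the % wildcard, no paging tags, no sequence attribute), parses a listPhone reply, builds an addUser request for the new-employee file scenario from the introduction, and replays the JSESSIONID cookie so consecutive requests share one Tomcat session. The AXL schema version 14.0 in the namespace and SOAPAction header, the addUser tag names, the /axl/ endpoint path and the fake transport are assumptions; the sample response is constructed, not captured from a real Call Manager.

```python
"""Offline AXL helper: builds the SOAP envelopes for listPhone and addUser,
parses a listPhone reply and carries the JSESSIONID cookie across requests.
Added illustration only; this is not Cisco's AXL toolkit or sample code.
Assumptions: AXL schema version 14.0 in the namespace and SOAPAction, and a
transport callable supplied by the caller (a constructed fake is used below)."""
import base64
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AXL_VER = "14.0"  # assumption: match the schema directory you copied
AXL_NS = f"http://www.cisco.com/AXL/API/{AXL_VER}"


def build_envelope(operation, body_xml):
    """Wrap an AXL operation body in the SOAP envelope SoapUI generates."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:ns="{AXL_NS}">'
            f"<soapenv:Header/><soapenv:Body><ns:{operation}>{body_xml}"
            f"</ns:{operation}></soapenv:Body></soapenv:Envelope>")


def list_phone_request(name_pattern="%", tags=("name", "description", "model")):
    """listPhone trimmed as in the walkthrough: one <name> search tag (% is the
    wildcard), no skip/first paging tags and no sequence attribute."""
    returned = "".join(f"<{t}/>" for t in tags)
    body = (f"<searchCriteria><name>{escape(name_pattern)}</name></searchCriteria>"
            f"<returnedTags>{returned}</returnedTags>")
    return build_envelope("listPhone", body)


def add_user_request(userid, last_name, first_name, extension, mail):
    """addUser body for onboarding from a file of new employees; the tag names
    are the XUser fields for these values (assumption: check your schema)."""
    fields = {"userid": userid, "lastName": last_name, "firstName": first_name,
              "telephoneNumber": extension, "mailid": mail}
    body = "".join(f"<{k}>{escape(v)}</{k}>" for k, v in fields.items())
    return build_envelope("addUser", f"<user>{body}</user>")


def parse_list_phone(response_xml):
    """One dict per <phone> in a listPhoneResponse (its children are unqualified)."""
    root = ET.fromstring(response_xml)
    return [{c.tag: (c.text or "") for c in phone} for phone in root.iter("phone")]


def session_cookie(set_cookie_header):
    """Pull 'JSESSIONID=value' out of a Set-Cookie header, or None if absent."""
    if not set_cookie_header:
        return None
    name, _, value = set_cookie_header.split(";", 1)[0].strip().partition("=")
    return f"{name}={value}" if name == "JSESSIONID" and value else None


class AxlSession:
    """Sends envelopes through transport(headers, body) -> (resp_headers, resp_body)
    and replays the Tomcat session cookie so Call Manager reuses one session."""

    def __init__(self, transport):
        self.transport = transport
        self.cookie = None

    def call(self, operation, envelope):
        headers = {"Content-Type": "text/xml; charset=utf-8",
                   "SOAPAction": f'"CUCM:DB ver={AXL_VER} {operation}"'}
        if self.cookie:
            headers["Cookie"] = self.cookie  # same JSESSIONID as the last reply
        resp_headers, body = self.transport(headers, envelope)
        self.cookie = session_cookie(resp_headers.get("Set-Cookie")) or self.cookie
        return body


def http_transport(url, username, password):
    """Real transport over HTTPS with Basic auth, e.g. url='https://YOURSERVER:8443/axl/'."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()

    def transport(headers, body):
        req = urllib.request.Request(url, data=body.encode(), method="POST",
                                     headers={**headers, "Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req) as resp:
            return dict(resp.headers), resp.read().decode()
    return transport


# Constructed sample reply (not captured from a real Call Manager).
SAMPLE_RESPONSE = (
    f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
    f'<ns:listPhoneResponse xmlns:ns="{AXL_NS}"><return>'
    '<phone uuid="{11111111-2222-3333-4444-555555555555}"><name>SEP001122334455</name>'
    "<description>Lobby</description><model>Cisco 8845</model></phone>"
    '<phone uuid="{66666666-7777-8888-9999-000000000000}"><name>SEP00AABBCCDDEE</name>'
    "<description>Front desk</description><model>Cisco 8851</model></phone>"
    "</return></ns:listPhoneResponse></soapenv:Body></soapenv:Envelope>")


def make_fake_transport(cookie_log):
    """Stand-in for Call Manager: issues JSESSIONID on the first request only and
    records the Cookie header it sees on every request."""
    def transport(headers, body):
        cookie_log.append(headers.get("Cookie"))
        issued = {"Set-Cookie": "JSESSIONID=ABC123DEF456; Path=/axl; Secure; HttpOnly"}
        return (issued if len(cookie_log) == 1 else {}), SAMPLE_RESPONSE
    return transport


def demo():
    """Two listPhone calls in a row; the second one must carry the session cookie."""
    cookie_log = []
    session = AxlSession(make_fake_transport(cookie_log))
    phones = parse_list_phone(session.call("listPhone", list_phone_request()))
    session.call("listPhone", list_phone_request("SEP00%"))
    return phones, cookie_log


if __name__ == "__main__":
    print(demo())
```

To run this against a real server, replace the fake transport with http_transport("https://YOURSERVER:8443/axl/", user, password) (endpoint path assumed) and keep the rest as is; the cookie replay in AxlSession.call is what stops Call Manager from spinning up a fresh Tomcat session per request.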

What to Avoid and Common Mistakes

Many requests have a list of optional search parameter tags, commonly <name> and <uuid>. You will usually have to choose one and delete the others.

As logical as it may seem, you can’t perform a getPhone, change some values, and then copy and paste the modified XML into an updatePhone request. getPhone and updatePhone XML tags are not mirror images.

Be careful when using APIs that give you direct access to the Call Manager database, like executeSqlQuery. Complicated joins may be clever, but they can also suck up CPU and memory the size of a spy balloon, and that eats into the performance of every other operation.

Source: cisco.com