Author Archives: Simon

ASA License Upgrade

There may be a time when you need to upgrade your license on a Cisco Adaptive Security Appliance (ASA).  The license determines which feature set you have on the firewall, and a comparison of licenses can be found here (v9.1).

The first step is to register your PAK key on the Cisco website.  The PAK key can be activated here and will require the device’s serial number to complete.  Follow the activation wizard and you will receive an email from Cisco with the activation key.

The process itself is quite straightforward. Before getting started, though, it’s highly recommended to take a copy of the activation key the ASA is currently running with, a backup of the running configuration, and a copy of the version properties.

To view the current activation key and version properties, use the following commands:

giantsandrunts#show activation-key
giantsandrunts#show version

Great, we’ve now got everything backed up. Next, go into configuration mode and issue the command below:

giantsandrunts(config)#activation-key xxxxxxxx yyyyyyyy zzzzzzzz xxxxxxxx yyyyyyyy

At this point, there is no verification that we can do as this will not show in the version properties or the activation key properties until the firewall has been reloaded.  Proceed to reload the firewall, which should take anywhere between 5 and 20 minutes. It’s good practice to provide a reason for the reload.

giantsandrunts#reload reason license upgrade

The final steps are to verify the activation key and the features which are available in the version properties.  
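As an added example (not part of the original article), the verification step can be scripted by comparing the `show version` output saved before the change with the output taken after the reload. The sample text is constructed, and the line layout it parses is an assumption based on ASA 9.x output; `parse_show_version` and `compare` are hypothetical helper names.

```python
import re
# Constructed "show version" excerpts (invented values; layout assumed from ASA 9.x).
BEFORE = """\
Licensed features for this platform:
Maximum VLANs                     : 50             perpetual
Failover                          : Disabled       perpetual
Encryption-3DES-AES               : Disabled       perpetual

Serial Number: EXAMPLE0001
Running Permanent Activation Key: 0x11111111 0x22222222 0x33333333 0x44444444 0x55555555
"""
AFTER = """\
Licensed features for this platform:
Maximum VLANs                     : 150            perpetual
Failover                          : Active/Active  perpetual
Encryption-3DES-AES               : Enabled        perpetual

Serial Number: EXAMPLE0001
Running Permanent Activation Key: 0xaaaaaaaa 0xbbbbbbbb 0xcccccccc 0xdddddddd 0xeeeeeeee
"""
FEATURE = re.compile(r"^(\S.*?)\s+:\s+(\S+)\s+(\S.*)$")
KEY = re.compile(r"^Running (?:Permanent )?Activation Key:\s*(.+)$")

def parse_show_version(text):
    """Return licensed features, serial number and running activation key."""
    info = {"features": {}, "serial": None, "key": None}
    in_table = False
    for line in (l.rstrip() for l in text.splitlines()):
        if line.startswith("Licensed features for this platform"):
            in_table = True
        elif in_table and not line:
            in_table = False  # a blank line ends the feature table
        elif in_table and (m := FEATURE.match(line)):
            info["features"][m.group(1)] = (m.group(2), m.group(3))
        elif line.startswith("Serial Number:"):
            info["serial"] = line.split(":", 1)[1].strip()
        elif m := KEY.match(line):
            info["key"] = m.group(1).split()
    return info

def compare(before_text, after_text):
    """Report what differs between the pre-change backup and the post-reload output."""
    b, a = parse_show_version(before_text), parse_show_version(after_text)
    bf, af = b["features"], a["features"]
    return {
        "same_device": b["serial"] is not None and b["serial"] == a["serial"],
        "key_changed": b["key"] != a["key"],
        "changed": {n: (bf.get(n), v) for n, v in af.items() if bf.get(n) != v},
        "missing_after": sorted(set(bf) - set(af))}
```

An empty `changed` result or `key_changed` being false after the reload means the new key did not take effect, and anything listed under `missing_after` is a feature that was licensed before the change and is no longer reported.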

To conclude, this article has walked you through a license upgrade on an Adaptive Security Appliance and has given you ways of verifying the result after the upgrade process.


ASA – Dynamic FQDN Filtering

In today’s IT world, we are relying more and more on public cloud services such as Amazon Web Services (AWS), Azure and Google Cloud which typically have large IP address allocations. These cloud providers have the right to change the IP address of your hosted environment at any point in time and it is important that as network engineers, we can configure our equipment to dynamically adapt to applications changing IP addresses.  

Although some environments use proxy servers for web traffic, there are some applications and websites which simply don’t work via a proxy, meaning traffic must bypass a firewall, typically at your internet edge.

Cisco Adaptive Security Appliance (ASA)

CCIE R&S – Lab Attempt #1

On the 23rd of November 2018 I took my first attempt at the CCIE Routing and Switching lab exam.  This article outlines my view on the lab experience, from both the traveling and the lab itself.

Travel & accommodation

I flew out from London Heathrow the day before the lab with Matt, someone I have been studying with for the last few years, whom I originally met via RouterGods.

The overall flight experience was pretty good and the travel between the airport in Brussels and the hotel I stayed at was around 5-10 minutes uber drive, which cost about 15 euros.

I stayed at NH Hotel, Airport Brussels which is Cisco’s recommended accommodation. I can see why too, it’s exceptionally close and you can, in fact, see Cisco from the hotel!

The hotel was good for both location and also quality.  It wasn’t anything incredible but for a one night stay, it definitely served a purpose and I recommend it for anyone taking the lab in Brussels. 

Most importantly, I got a good night’s sleep prior!

I flew back the same day after my attempt. My flight was quite late, so I had plenty of time.  This helped minimize the costs of the experience and also allowed me to get home right away, which is what was important to me!

Lab day

The day had arrived. I got some breakfast at around 06:30 at the hotel and then headed over to the Cisco testing center for a 08:00 start.  Once we had arrived and checked in, we were taken to the exam room, where we had two 24″ monitors and the trusty American format keyboard.

At first, I was a little disappointed that the keyboards weren’t the K120’s I had been practicing on and in fact were some form of Dell. No sweat, I cracked on, starting the 2-hour troubleshooting section.

First thoughts; it was a huge topology! Without going into too much detail, it was a fair section, it was certainly tricky – but so it should be, it’s an expert level exam at the end of the day.  Once this section had concluded, you have the option of extending it by 30 minutes.

I didn’t take the extra time, after following the advice of peers in RouterGods and forums across the internet and I’m glad I took this approach.

Secondly, diagnostics, a 30-minute section based off of non-CLI based functions – the only section I’d not been able to lab due to its format. 

This was a fair part of the exam and was actually quite fun, it allowed me to think outside the box and was something a bit new which was welcomed after 3 months of speed preparation prior to the lab!

Lastly, configuration, 4 hours of pure joy but let’s not talk about this. All joking aside, this was really tricky and I really struggled to grasp what they wanted me to achieve. Task-wise though, again, it was fair.

Complaints? One: I found the diagrams to be poor resolution and I struggled to interpret them at times – other than that, it was a fair exam and I think it’s a true good knowledge test.


Saturday at around 19:00 my results arrived, it was a fail – which is fine!

I passed diagnostics which was reassuring, however, troubleshooting and configuration I wasn’t so lucky. 

I’m not too grieved by it though, I now know where to focus my attention, it’s identified my weak areas and it’s now time to reschedule and re-align. 

Takeaways

A few bullet points of some exam technique which I will be applying for next attempt:-

  • I need to get faster – particularly at configuration.
  • Control the stress and anxiety to have a clear mind.
  • Identify a clear troubleshooting process for each technology.
    • Nick Russo – “Create a hypothesis and be willing to ditch it quickly, once disproven”
  • Identify what they’re asking for and drive towards that end result 

EIGRP – Faster Convergence vs Optimal Traffic Flows

Enhanced Interior Gateway Routing Protocol (EIGRP) is a distance vector dynamic routing protocol, originally created and made proprietary by Cisco.  By default, EIGRP supports equal cost load balancing and, when configured, EIGRP supports unequal cost load balancing.

Design Thoughts

Often when we design and engineer our networks, we are presented with a lot of challenges and hurdles to overcome of which should

Love it or hate it – RIP

Routing Information Protocol (RIP), love it or hate it – it’s still used and sometimes still even deployed but why?

First of all; let’s look at what RIP is, summarized in a few bullet points:-

–  Distance vector
–  Metric-based protocol
–  Slow convergence

The list of RIP attributes is not limited to the above, but it’s what I think of when I think of the protocol.