<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>Homelab on 0x2142 | Networking Nonsense</title>
    <link>https://0x2142.com/tags/homelab/</link>
    <description>Recent content in Homelab on 0x2142 | Networking Nonsense</description>
    <image>
      <title>0x2142 | Networking Nonsense</title>
      <url>https://0x2142.com/logo.jpg</url>
      <link>https://0x2142.com/logo.jpg</link>
    </image>
    <generator>Hugo -- 0.143.1</generator>
    <language>en-us</language>
    <lastBuildDate>Fri, 09 Dec 2022 16:40:49 +0000</lastBuildDate>
    <atom:link href="https://0x2142.com/tags/homelab/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>[How To] Set up AdGuard Home on OPNsense</title>
      <link>https://0x2142.com/how-to-set-up-adguard-on-opnsense/</link>
      <pubDate>Fri, 09 Dec 2022 16:40:49 +0000</pubDate>
      <guid>https://0x2142.com/how-to-set-up-adguard-on-opnsense/</guid>
      <description>In this post, we&amp;rsquo;ll walk through how to install, setup, and configure AdGuard Home on OPNsense for DNS-level ad blocking.</description>
      <content:encoded><![CDATA[<div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;">
      <iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="allowfullscreen" loading="eager" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube.com/embed/7RC7q5WOYC0?autoplay=0&amp;controls=1&amp;end=0&amp;loop=0&amp;mute=0&amp;start=0" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" title="YouTube video"></iframe>
    </div>

<p>In this post - we&rsquo;ll take a look at how to set up &amp; configure AdGuard Home on OPNsense.</p>
<p>Please note that the AdGuard Home plugin for OPNsense is a <a href="https://github.com/mimugmail/opn-repo">community built plugin</a>, and not officially supported by OPNsense.</p>
<hr>
<h2 id="whats-adguard-home-why-use-it">What&rsquo;s AdGuard Home? Why use it?</h2>
<p>Almost every website we visit these days is loaded with additional components for advertisements, analytics, and engagement tracking. On one side, these tools can be very helpful for the company or website owner to monetize their platform and/or track &amp; understand their audience&rsquo;s interests.</p>
<p>However, it&rsquo;s also becoming more popular to want to <em>avoid</em> being tracked on every website, or reduce the amount of advertisements you see. Unfortunately, a lot of these scripts &amp; code snippets are automatically embedded in websites and most don&rsquo;t allow you to opt-out.</p>
<p>A while back, there were a few browser extensions that became popular by automatically blocking the advertisement &amp; tracking elements from loading. These were great (and still are!), but a lot of website owners have been fighting it &amp; making it harder to block their content. In addition, these types of extensions operate at your web browser level - meaning that your computer has already made a few calls out to the internet before the extension even has a chance to block something.</p>
<p>Here&rsquo;s where we&rsquo;ve started to see more ad blockers come out that operate at the network level. AdGuard Home is one of them, but you also may have seen similar packages like Pi-hole or NextDNS. These are typically packages that you install on your home network &amp; run as a local Domain Name System (DNS) server.</p>
<p>Each time your browser needs to load something from the web, the first step is figuring out what IP address to connect to. For this, the computer reaches out to its configured DNS server and provides the website name (like 0x2142.com). The DNS server looks up where that lives &amp; provides the computer with the IP address (like 203.0.113.52). Then your computer can load the website by connecting to that address.</p>
<p>With a DNS-level blocker, like AdGuard Home, we can block your computer from ever trying to establish that connection. If you tried to go to a website (like 0x2142.com), and there was an embedded advertisement or tracking, AdGuard would tell your computer that the domain hosting the advertisement doesn&rsquo;t exist (usually via returning a 0.0.0.0 or NXDOMAIN response). So your browser would still be able to load the main site (0x2142.com), but it would never even try to establish a connection to the advertisement or tracking components.</p>
<p>So we gain a few benefits here - the big ones being some level of privacy &amp; reduced advertisement noise when browsing the web. But also since we block so much of that noise early in the process, your computer never has the opportunity to load that content - meaning that we also save on bandwidth usage &amp; data costs. There may also be small performance improvements since each site has less content that needs to be loaded.</p>
<p>The other bonus worth considering is security. There are quite a handful of DNS blocklists that are constantly updated with the latest malicious or suspicious domains. The quicker we can block &amp; stop clients from potentially connecting to those domains, the better off we are!</p>
<p>Is there a down side? Yeah, of course there is! A lot of these DNS-level blockers pull from varying website blocklists - which are not always 100% accurate. So sometimes you may still see advertisements or get tracked. It&rsquo;s not a perfect system. In addition, you may also (and sometimes often) see the reverse - parts of websites being blocked that are legitimate. And there are quite a handful of websites these days that won&rsquo;t work correctly unless they can load 3rd party components. Most of the time everything will be fine, but just be aware that there may be some time spent troubleshooting &amp; manually unblocking website components.</p>
<h3 id="do-i-have-to-install-this-on-opnsense">Do I have to install this on OPNsense?</h3>
<p>Nope. AdGuard Home has a number of packages &amp; ways to get running. Check out their <a href="https://github.com/AdguardTeam/AdguardHome">GitHub</a> repo.</p>
<p>If you&rsquo;re already running OPNsense, it&rsquo;s easy to install this as an add-on package &amp; not have another system to manage. However, if you prefer to set up AdGuard (or Pi-hole, or others) elsewhere, that&rsquo;s fine too. You&rsquo;ll just need to update your client network&rsquo;s DHCP options to use the new DNS servers. See the last section below on how to do that.</p>
<p>Okay - Let&rsquo;s get started with setting this up!</p>
<h2 id="topology">Topology</h2>
<p>For the purposes of this walkthrough, we&rsquo;ll be using a fairly simple &amp; straightforward topology. A single OPNsense appliance connected to the internet via its WAN port, as well as a single client PC connected via the LAN port.</p>
<p>In this setup, the OPNsense appliance is configured to provide IP address &amp; DNS information to our client PCs via DHCP.</p>
<p><img alt="topology" loading="lazy" src="/content/images/2022/12/topology.png#center"></p>
<h2 id="adding-the-community-repository-to-opnsense">Adding the Community Repository to OPNsense</h2>
<p>So by default, AdGuard Home is not included in the available plugins to download/install in OPNsense. However, someone built a community plugin repository that includes a small handful of additional packages.</p>
<p>Before we can install the AdGuard Home plugin, we will need to set up &amp; install that <a href="https://github.com/mimugmail/opn-repo">community repository</a>.</p>
<p>To do this, we&rsquo;ll need direct SSH or console access to our OPNsense appliance.</p>
<p>SSH is disabled by default, but we can enable it quickly by navigating to <strong>System &gt; Settings &gt; Administration</strong> and then scrolling down to the <strong>Secure Shell</strong> section.</p>
<p><img alt="enable-ssh-1" loading="lazy" src="/content/images/2022/12/enable-ssh-1.png#center"></p>
<p>We&rsquo;ll need to check the box for <strong>Enable Secure Shell</strong> and <strong>Permit Password Login</strong>. If you&rsquo;re logging into OPNsense with the <strong>root</strong> account, you&rsquo;ll also need to select <strong>Permit root user login</strong>.</p>
<p>Then scroll down to the bottom of the page &amp; click <strong>Save</strong>.</p>
<blockquote>
<p>Note: By default OPNsense will also have the SSH <strong>Listen Interface</strong> set to <strong>All</strong>. I would highly recommend setting this to only enable on your <strong>LAN</strong> interface.
Also: If you don&rsquo;t need SSH access all the time, please remember to disable this service once you&rsquo;re finished setting this up!</p></blockquote>
<p>Okay, now that&rsquo;s enabled - we can connect to our OPNsense appliance using your preferred SSH client (like <a href="https://www.putty.org/">PuTTY</a>).</p>
<p>If you&rsquo;re using the <strong>root</strong> account, you&rsquo;ll likely be dropped into the OPNsense shell - but you can select option 8 here to access the underlying FreeBSD shell.</p>
<p>In order to install the community repository, we&rsquo;ll pull down the repository config file using the following command:</p>
<pre tabindex="0"><code>fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf
</code></pre><p>Then, we&rsquo;ll need to ask OPNsense to update its local cache with the new repo - so it knows what packages are hosted there:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">pkg update
</span></span></code></pre></div><p>If everything is successful, you&rsquo;ll see output similar to below - which lists the <code>mimugmail</code> repository now:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">root@0xOPNsense:/home/matt <span class="c1"># pkg update</span>
</span></span><span class="line"><span class="cl">Updating OPNsense repository catalogue...
</span></span><span class="line"><span class="cl">Fetching meta.conf: 100%    <span class="m">163</span> B   0.2kB/s    00:01
</span></span><span class="line"><span class="cl">Fetching packagesite.pkg: 100%  <span class="m">229</span> KiB 234.3kB/s    00:01
</span></span><span class="line"><span class="cl">Processing entries: 100%
</span></span><span class="line"><span class="cl">OPNsense repository update completed. <span class="m">822</span> packages processed.
</span></span><span class="line"><span class="cl">Updating mimugmail repository catalogue...
</span></span><span class="line"><span class="cl">Fetching meta.conf: 100%    <span class="m">163</span> B   0.2kB/s    00:01
</span></span><span class="line"><span class="cl">Fetching packagesite.pkg: 100%   <span class="m">54</span> KiB  54.8kB/s    00:01
</span></span><span class="line"><span class="cl">Processing entries: 100%
</span></span><span class="line"><span class="cl">mimugmail repository update completed. <span class="m">177</span> packages processed.
</span></span><span class="line"><span class="cl">All repositories are up to date.
</span></span></code></pre></div><h2 id="installing-the-adguard-home-package">Installing the AdGuard Home Package</h2>
<p>Now that the additional package repository is set up, we can download &amp; install the AdGuard Home plugin via the OPNsense web interface.</p>
<p>So back in our browser, we can navigate to: <strong>System &gt; Firmware &gt; Plugins</strong>. On this page we can search for <strong>adguard</strong> or scroll through the list to find it.</p>
<p><img alt="plugin-install" loading="lazy" src="/content/images/2022/12/plugin-install.png#center"></p>
<p>Then we just click the plus icon on the right side to install (not shown in the screenshot above).</p>
<p>This should install pretty quickly:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">***GOT REQUEST TO INSTALL***
</span></span><span class="line"><span class="cl">Currently running OPNsense 22.7.9 <span class="o">(</span>amd64/OpenSSL<span class="o">)</span> at Sun Dec  <span class="m">4</span> 12:48:38 EST <span class="m">2022</span>
</span></span><span class="line"><span class="cl">Updating OPNsense repository catalogue...
</span></span><span class="line"><span class="cl">OPNsense repository is up to date.
</span></span><span class="line"><span class="cl">Updating mimugmail repository catalogue...
</span></span><span class="line"><span class="cl">mimugmail repository is up to date.
</span></span><span class="line"><span class="cl">All repositories are up to date.
</span></span><span class="line"><span class="cl">The following <span class="m">1</span> package<span class="o">(</span>s<span class="o">)</span> will be affected <span class="o">(</span>of <span class="m">0</span> checked<span class="o">)</span>:
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">New packages to be INSTALLED:
</span></span><span class="line"><span class="cl"> os-adguardhome-maxit: 1.8 <span class="o">[</span>mimugmail<span class="o">]</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">Number of packages to be installed: <span class="m">1</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">The process will require <span class="m">35</span> MiB more space.
</span></span><span class="line"><span class="cl"><span class="m">7</span> MiB to be downloaded.
</span></span><span class="line"><span class="cl"><span class="o">[</span>1/1<span class="o">]</span> Fetching os-adguardhome-maxit-1.8.pkg: .......... <span class="k">done</span>
</span></span><span class="line"><span class="cl">Checking integrity... <span class="k">done</span> <span class="o">(</span><span class="m">0</span> conflicting<span class="o">)</span>
</span></span><span class="line"><span class="cl"><span class="o">[</span>1/1<span class="o">]</span> Installing os-adguardhome-maxit-1.8...
</span></span><span class="line"><span class="cl"><span class="o">[</span>1/1<span class="o">]</span> Extracting os-adguardhome-maxit-1.8: .......... <span class="k">done</span>
</span></span><span class="line"><span class="cl">Stopping configd...done
</span></span><span class="line"><span class="cl">Starting configd.
</span></span><span class="line"><span class="cl">Migrated OPNsense<span class="se">\A</span>dguardhome<span class="se">\G</span>eneral from 0.0.0 to 0.0.1
</span></span><span class="line"><span class="cl">Reloading plugin configuration
</span></span><span class="line"><span class="cl">Configuring system logging...done.
</span></span><span class="line"><span class="cl">Reloading template OPNsense/Adguardhome: OK
</span></span><span class="line"><span class="cl">Checking integrity... <span class="k">done</span> <span class="o">(</span><span class="m">0</span> conflicting<span class="o">)</span>
</span></span><span class="line"><span class="cl">Nothing to <span class="k">do</span>.
</span></span><span class="line"><span class="cl">***DONE***
</span></span></code></pre></div><p>Now all we have to do is enable the plugin.</p>
<p>So we&rsquo;ll navigate down to <strong>Services &gt; Adguardhome &gt; General</strong>. Our only option here will be an <strong>Enable</strong> checkbox, so we&rsquo;ll select that &amp; <strong>Save</strong>.</p>
<p><img alt="enable-adguard" loading="lazy" src="/content/images/2022/12/enable-adguard.png#center"></p>
<p>The rest of the setup &amp; initial configuration will be done directly from the AdGuard-specific web interface.</p>
<h2 id="initial-setup">Initial Setup</h2>
<p>By default, the AdGuard Home web interface will run on port 3000 &amp; is not HTTPS-enabled. So if your OPNsense firewall is at <code>https://192.168.1.1</code>, you&rsquo;ll need to connect to <code>http://192.168.1.1:3000</code>.</p>
<p>As long as that works - we&rsquo;ll see the initial setup prompt below:</p>
<p><img alt="adguard-setup-01" loading="lazy" src="/content/images/2022/12/adguard-setup-01.png#center"></p>
<p>We&rsquo;ll click on <strong>Get Started</strong>.</p>
<p>Now we&rsquo;ll be asked to configure the Admin Web interface (the interface we&rsquo;re connected to now) and the DNS server interface (which clients will use to resolve domain names).</p>
<p>By default, AdGuard Home will try to set both of these to listen on <strong>All interfaces</strong> - and set the web on port 80 &amp; DNS on port 53.</p>
<p>I would recommend setting the <strong>Listen Interface</strong> on both of these to only your LAN-side networks. There is no reason to enable them on your WAN, and it can be a security risk to do so.</p>
<p>You may also get warnings that port 80 &amp; 53 may already be in use. For the web interface, we could change 80 to 3000 &amp; just keep what we&rsquo;re using now.</p>
<p>However, if we change the default DNS port, that will cause some additional problems since client machines will query port 53. Likely if port 53 is already in use, it&rsquo;s because another service on OPNsense (like Unbound DNS) is already enabled. In my case, I disabled this in favor of using AdGuard. However, if you want to use both - you can change the default DNS port in AdGuard to something like 65353, then have Unbound forward requests to AdGuard (More on this down below).</p>
<p>So here&rsquo;s what my set up looks like so far, with <code>192.168.1.1</code> being my LAN side interface:</p>
<p><img alt="adguard-setup-02" loading="lazy" src="/content/images/2022/12/adguard-setup-02.png#center"></p>
<p>On the next page, we&rsquo;ll be prompted to set up an administrative user &amp; password for logging into AdGuard.</p>
<p><img alt="adguard-setup-03" loading="lazy" src="/content/images/2022/12/adguard-setup-03.png#center"></p>
<p>Next we&rsquo;ll be given instructions on how to set up client devices. In my lab network, the OPNsense firewall is providing DNS server configuration via DHCP - so we&rsquo;ll get to that configuration shortly.</p>
<p>For now, we&rsquo;ll just click <strong>Next</strong>.</p>
<p><img alt="adguard-setup-04" loading="lazy" src="/content/images/2022/12/adguard-setup-04.png#center"></p>
<p>On the last screen, we&rsquo;ll just get a message saying that setup is complete &amp; a link to open the dashboard:</p>
<p><img alt="adguard-setup-05" loading="lazy" src="/content/images/2022/12/adguard-setup-05.png#center"></p>
<p>And now we can log in:</p>
<p><img alt="adguard-setup-06" loading="lazy" src="/content/images/2022/12/adguard-setup-06.png#center"></p>
<h2 id="adguard-home-configuration">AdGuard Home Configuration</h2>
<p>After logging in, the first thing we&rsquo;ll see is a pretty empty dashboard. We don&rsquo;t have any clients configured to use this yet, so there isn&rsquo;t anything to report on.</p>
<p><img alt="adguard-dashboard-initial" loading="lazy" src="/content/images/2022/12/adguard-dashboard-initial.png#center"></p>
<h3 id="blocking-domains">Blocking Domains</h3>
<p>First thing we&rsquo;ll look at is our DNS blocklists. We&rsquo;ll navigate to <strong>Filters &gt; DNS blocklists</strong>.</p>
<p>Here is where we can ask AdGuard to query lists of what domains to block. By default, AdGuard does include two - but we can add more if we want:</p>
<p><img alt="adguard-dns-blocklists" loading="lazy" src="/content/images/2022/12/adguard-dns-blocklists.png#center"></p>
<p>If we want to add to the configured blocklists, we can do so by clicking the <strong>Add Blocklist</strong> button. This will prompt us whether we want to choose from a pre-populated list, or supply our own custom list:</p>
<p><img alt="add-blocklist" loading="lazy" src="/content/images/2022/12/add-blocklist.png#center"></p>
<p>The easy option will be selecting from the provided lists:</p>
<p><img alt="choose-blocklist" loading="lazy" src="/content/images/2022/12/choose-blocklist.png#center"></p>
<p>There are a ton of different curated block lists available depending on what you&rsquo;re trying to block. If we wanted to use a custom list, a lot can be found on GitHub just by searching for <a href="https://github.com/topics/pihole-blocklists">PiHole</a> or <a href="https://github.com/topics/adguard-blocklist">Adguard</a> blocklists.</p>
<p>How to pick a blocklist will be up to you. There are blocklists that focus on advertisements, tracking &amp; analytics, parental controls, etc. So it just depends on what areas you want to focus on.</p>
<h3 id="allowing-domains--custom-filtering">Allowing Domains &amp; Custom Filtering</h3>
<p>If we have a list of known services that we want to ensure are never blocked, we can pull those lists via <strong>Filters &gt; DNS allowlists</strong>. However, it&rsquo;s more likely you&rsquo;ll find a handful of domains you want to unblock, rather than a whole list.</p>
<p>For that - we can go to <strong>Filters &gt; Custom filtering rules</strong>. At the bottom of this page there is a tool to check filtering, where we can enter a domain name &amp; instantly see what the result is.</p>
<p>For example, with the default ruleset I&rsquo;ll check to see if 0x2142.com is filtered:</p>
<p><img alt="filter-test-default" loading="lazy" src="/content/images/2022/12/filter-test-default.png#center"></p>
<p>So by default that domain isn&rsquo;t found anywhere, so it will be permitted. The tool also gives us a convenient button to quickly block a domain.</p>
<p>We can click that button, or add the syntax <code>||0x2142.com^</code> to the custom filtering rules at the top of the page (and saving via the <strong>Apply</strong> button). Now if we check the results again - the filter check will show the domain is blocked:</p>
<p><img alt="filter-test-block" loading="lazy" src="/content/images/2022/12/filter-test-block.png#center"></p>
<p>And of course, we don&rsquo;t want to block 0x2142.com!! So let&rsquo;s add this to our allowlist instead, so that it can never be blocked 🙃. We can do that by adding <code>@@||0x2142.com^</code> to the custom filtering.</p>
<p>And now we&rsquo;ll see a green box that shows that the domain is permitted via an allowlist:</p>
<p><img alt="filter-test-allow" loading="lazy" src="/content/images/2022/12/filter-test-allow.png#center"></p>
<h3 id="blocking-known-services">Blocking Known Services</h3>
<p>The other option worth mentioning is the ability to block certain known services, like WhatsApp, Twitter, Reddit, etc. This can be great if there are certain services you want to block, or for use as parental controls.</p>
<p>This can be found on the <strong>Filters &gt; Blocked Services</strong> page.</p>
<p><img alt="blocked-services" loading="lazy" src="/content/images/2022/12/blocked-services.png#center"></p>
<p>This way we can select a service to block, rather than having to know all of the individual domains that service uses. For example, I&rsquo;ll go ahead and select <strong>YouTube</strong> to block - and we&rsquo;ll check that later on after we configure our clients.</p>
<h2 id="configure-opnsense-dhcp-to-use-adguard">Configure OPNsense DHCP to use AdGuard</h2>
<p>Now that we&rsquo;ve taken a quick look at the AdGuard Home settings &amp; have a few things configured - let&rsquo;s look at setting up our clients to use our new DNS server.</p>
<p>In the lab environment I&rsquo;m using, the OPNsense appliance is providing client IP address configuration via Dynamic Host Configuration Protocol (DHCP).</p>
<p>By default, if a specific DNS server is not configured for your client DHCP settings, then OPNsense will provide the clients with the same DNS server it uses. This could have been a DNS server that was configured when you set up OPNsense, or it also can use DNS servers that are provided by your internet service provider.</p>
<p>So to update our LAN DHCP configuration, we&rsquo;ll head back to our OPNsense web interface. From there, we&rsquo;ll navigate to <strong>Services &gt; DHCPv4 &gt; [LAN]</strong>.</p>
<p>In the configuration, there is an open option for <strong>DNS Servers</strong>. We&rsquo;ll set this to our OPNsense LAN IP address. In my case, that is <code>192.168.1.1</code>. Then scroll to the bottom of the page &amp; click <strong>Save</strong>.</p>
<p><img alt="opn-dhcp" loading="lazy" src="/content/images/2022/12/opn-dhcp.png#center"></p>
<h2 id="client-testing">Client Testing</h2>
<p>Now we should be all set up! However, it&rsquo;s important to note that because of the way DHCP works, clients may not pick up the new configuration immediately. When DHCP assigns an IP address, it also tells the client how long it can use that address for. So if a client stays powered-on &amp; connected, it won&rsquo;t ask for new configuration until that timer expires.</p>
<p>We can speed that up by resetting the network interface on our clients. This can be done in a number of ways including rebooting the client or simply disconnecting from wifi/ethernet &amp; reconnecting.</p>
<p>I&rsquo;m using a Linux computer as my test system, so first I&rsquo;ll check via the <code>nslookup</code> command - which will query our configured DNS server &amp; return the resolved IP addresses.</p>
<p>If you remember, I blocked all of YouTube&rsquo;s services earlier:</p>
<p><img alt="client-test-before" loading="lazy" src="/content/images/2022/12/client-test-before.png#center"></p>
<p>As we can see, we did get the correct IP addresses - which means our filtering isn&rsquo;t working yet.</p>
<p>I&rsquo;ll reset the network adapter on the test PC, which will refresh the DHCP configuration - then try again:</p>
<p><img alt="client-test-after" loading="lazy" src="/content/images/2022/12/client-test-after.png#center"></p>
<p>Now that&rsquo;s the result we want! By returning the <code>0.0.0.0</code> result, our client can no longer resolve that domain. So if this was an advertisement or tracking domain, it&rsquo;s now blocked from loading.</p>
<p>And sure enough, if we now try to browse to that site via a web browser - we won&rsquo;t be able to access it:</p>
<p><img alt="client-test-browser" loading="lazy" src="/content/images/2022/12/client-test-browser.png#center"></p>
<h2 id="troubleshooting-blocked-domains">Troubleshooting Blocked Domains</h2>
<p>Okay, so now we know our blocking works&hellip;. But now someone in our home is trying to access YouTube &amp; it&rsquo;s not working. How can we tell if that&rsquo;s our AdGuard service?</p>
<p>Our first stop might be the AdGuard query log. Opening this log, we can filter by domain name or client - or show only blocked queries if we like.</p>
<p>Pretty quickly we can see the issue - we blocked YouTube&rsquo;s services:</p>
<p><img alt="adguard-query-log" loading="lazy" src="/content/images/2022/12/adguard-query-log.png#center"></p>
<p>Now we know how to fix the issue, which would be to unblock that service. However, if it was just a specific domain that was blocked, we would likely want to add it to our custom filtering as we showed earlier.</p>
<h2 id="reporting">Reporting</h2>
<p>Last but not least, we can also check our AdGuard Home dashboard again, which should be much more interesting than before:</p>
<p><img alt="adguard-dashboard-after" loading="lazy" src="/content/images/2022/12/adguard-dashboard-after.png#center"></p>
<p>Here we can quickly see how many queries have been made &amp; how many were blocked for various reasons. We&rsquo;ll also see what clients are using our DNS server, and which are making the most queries.</p>
<p>Most interesting (at least to me), is being able to see the top domains that were queried or blocked. Here&rsquo;s where you might find some interesting information. For example, on my test machine - it&rsquo;s a fresh installation of Ubuntu &amp; we used Firefox to test. But we can see that even during the brief time it&rsquo;s been set up, almost all of the highest queried domains belong to Mozilla&rsquo;s analytics services. So it may be tempting to add those to our custom blocklists.</p>
<h2 id="additional-info">Additional Info</h2>
<h3 id="what-if-i-have-adguard-running-on-a-different-server-or-want-to-keep-using-unbound-dns">What if I have AdGuard running on a different server? Or want to keep using Unbound DNS?</h3>
<p>Sure - we can make both of those work.</p>
<p>For the first scenario, maybe we have AdGuard Home installed &amp; set up on a Raspberry Pi on our network. For that, all we need to do is set that Raspberry Pi as the DNS server in our DHCP configuration on OPNsense. See above where we did that for our on-box AdGuard setup.</p>
<p>For the other situation, perhaps you want to use Unbound on OPNsense, but also AdGuard. There might be reasons for this - like even though Unbound does support DNS blocklists, AdGuard has better reporting tools. But on the other hand, Unbound has more features &amp; configuration options for DNS than AdGuard.</p>
<p>In this case, we would want to run AdGuard on a different DNS port (like 65353), then have Unbound forward those to AdGuard. See below if you need to change the port AdGuard uses for DNS.</p>
<p>Within OPNsense, we could go to <strong>Services &gt; Unbound DNS &gt; Query Forwarding</strong>. Then add a new custom forwarding entry. Here we can forward requests for specific domains if we want - or if we want to forward <strong>all</strong> DNS requests, we can leave the domain field empty. Then fill in the AdGuard information - so in my example this would be 192.168.1.1 and port 65353.</p>
<p><img alt="unbound-custom-1" loading="lazy" src="/content/images/2022/12/unbound-custom-1.png#center"></p>
<p>Then click <strong>Save</strong> and <strong>Apply!</strong></p>
<h3 id="how-do-i-change-the-interface--port-for-the-web-ui-or-dns">How do I change the interface / port for the Web UI or DNS?</h3>
<p>So perhaps we mis-typed something when configuring AdGuard. Or just wanted to change the interface IP address AdGuard listens on. No problem!</p>
<p>Unfortunately, since this is a community plugin - there is no configuration for the plugin within the OPNsense interface.</p>
<p>We&rsquo;ll need to reconnect to the OPNsense command line to make some additional configuration changes. This can be done via SSH or the device console.</p>
<p>Once there, we can use the command <code>edit /usr/local/AdGuardHome/AdGuardHome.yaml</code>.</p>
<p>That config file looks like this:</p>
<p><img alt="adguard-config-file" loading="lazy" src="/content/images/2022/12/adguard-config-file.png#center"></p>
<p>At the top, <code>bind_host</code> &amp; <code>bind_port</code> pertain to the admin web interface. A little below there, under the <code>dns</code> section - you&rsquo;ll see another <code>bind_hosts</code> and <code>port</code> config. Those are specific to the DNS server side of things.</p>
<p>Once done, save the config file by pressing <code>Esc</code> then selecting to quit the editor &amp; save the file.</p>
<p>Lastly - Go back into the OPNsense web UI &amp; restart the AdGuard Home service for the changes to take effect.</p>
]]></content:encoded>
    </item>
    <item>
      <title>CCIE: Strategy &amp; What&#39;s Next</title>
      <link>https://0x2142.com/ccie-strategy-whats-next/</link>
      <pubDate>Sat, 25 Jan 2020 15:07:32 +0000</pubDate>
      <guid>https://0x2142.com/ccie-strategy-whats-next/</guid>
      <description>The key to the CCIE is having a good strategy. Let&amp;rsquo;s take a look at what helped me</description>
      <content:encoded><![CDATA[<h2 id="things-that-helped">Things That Helped</h2>
<p>One of the big things that helped me was just the experience I had prior to starting on the CCIE. My experience going into the studying likely gave me a huge step up compared to if I tried the exam earlier in my career. If I tried the CCIE eight years ago like I originally wanted to, it would have been a lot more difficult and much more time consuming. I would have had much more to learn from scratch, and much less practical experience to help.</p>
<p>Additionally - the other huge benefit was going into the lab with a solid strategy around time and task management. There were several places through the exam that I felt like I could have easily lost 30-45 minutes on one item. It was very important for me to be able to step back and admit I couldn’t solve something. Instead, it let me focus my time on completing the tasks that I could do - and working on the unknown stuff if I had time later.</p>
<p>On the task management side - I spent time early in the study process on finding a good strategy that worked for me. Once I had this figured out - I used it on <strong>every single</strong> practice lab. I ended up using a combination of a few things other people have written about previously. My base task management was using a great blog post by Chris Miles (<a href="https://thecontrolplane.com/2019/06/21/ccie-strategy-config-section/">Read it here</a>). In Chris’ blog, he suggests breaking up the tasks per location - then completing all the tasks for a location, one location at a time. That part didn’t work for me. Instead, I only used his method of organizing all of the tasks under individual locations - that way I could easily see what tasks were left and where I still needed to work. For example, if I needed to configure EIGRP - I could easily look at the sheet and see every location that needed some form of EIGRP config.</p>
<p>For the actual order in which I implemented tasks, I followed the guidance of a LinkedIn post by Kim Bartlett (<a href="https://www.linkedin.com/pulse/how-i-passed-ccie-routeswitch-lab-first-attempt-kim-bartlett">Link here</a>). In that article, Kim suggests a logical order of operations - like L2, IGP for MPLS, then MPLS, etc. Doing things in this way made sense to me. So I worked out what order worked for me, and decided to follow it. The big difference in my strategy was that I found it easier to complete all tasks for a certain protocol/technology at once. For example, if I was configuring OSPF - then I would configure it at <strong>every</strong> location at the same time before moving onto the next piece. My overall order of operations was something like this: L2 -&gt; all IGP -&gt; VPN/MPLS -&gt; MP-BGP -&gt; iBGP -&gt; eBGP -&gt; BGP -&gt; IPv6 -&gt; Anything else. I found this to be a good flow for me. It allowed me to configure things like BGP only after I had already configured all of the underlying dependencies - which meant I could test immediately to see if everything was working as intended.</p>
<p>All of the above combined with constant labbing for months prior to the exam was absolutely critical to helping me pass on the first try. I had found a good strategy that worked for me and applied it to every practice lab, which meant that I walked into the actual exam feeling like I had a good way to guide myself through the onslaught of work. Had I walked in with just labbing experience and no good strategy, I don’t think I could have gotten close at all.</p>
<h2 id="okay-now-what">Okay, Now What?</h2>
<p>I’m now getting around to posting this over three months after I passed the CCIE. I’ve spent a lot of time catching up on things around the house, reading books, running through a few video games, and overall just trying to enjoy the free time.</p>
<p>That being said - it wasn’t long for me to start feeling guilty and itching to start working on something else. My first thought was to begin working on the DevNet certifications. I&rsquo;ve been doing a bit of Python &amp; network scripting over the past few years, and I&rsquo;m excited that Cisco is launching a certification program around it. I&rsquo;ve been working on this a bit recently, which has also helped me get back into a few Python projects I hadn&rsquo;t touched in a while. My current plan is to try taking some of these exams shortly after they launch.</p>
<p>I’ve also kept thinking back to one of the other certifications I considered going after: the CCDE. In my current job as a Systems Engineer at Cisco, the content behind this certification applies a lot more to my job than the CCIE. That’s not saying the CCIE doesn’t help me - it absolutely does. However, my job today is more understanding the technologies and how they fit into a customer’s network, rather than performing in-depth configuration work.</p>
<p>I don’t know yet whether I will fully pursue the CCDE and take the exams. But I have started reading a few of the recommended books, and I’m already finding bits of information that are valuable to me. I’m also really enjoying the content and getting much more interested in some of the topics. For now - I am planning on continuing to read through the information just to learn it and see where I can apply it. Once I get a good feel for everything, I’ll decide whether to chase the actual certification or not. For now, I think I&rsquo;ll just enjoy not looking at a PuTTY window for a while 🙂</p>
<p>Thanks for reading - and thanks to all the people who have supported me over the past few years. It was a long journey, and not always an easy one - but I think it was well worth it.</p>
<hr>
<p>Started here? Read the rest of my story:</p>
<p><a href="/story-time-how-i-started-working-toward-the-ccie/">Part 1: Getting Started</a></p>
<p><a href="/ccie-written-exam-lab-prep/">Part 2: Written Exam &amp; Lab Prep</a></p>
<p><a href="/ccie-lab-day/">Part 3: Lab Day</a></p>
<p><a href="/ccie-strategy-whats-next/">Part 4: Lab Strategy &amp; What&rsquo;s Next</a></p>
]]></content:encoded>
    </item>
    <item>
      <title>CCIE: Lab Day</title>
      <link>https://0x2142.com/ccie-lab-day/</link>
      <pubDate>Sat, 25 Jan 2020 15:07:07 +0000</pubDate>
      <guid>https://0x2142.com/ccie-lab-day/</guid>
      <description>Let&amp;rsquo;s talk about my experiences with taking the CCIE Routing &amp;amp; Switching lab!</description>
      <content:encoded><![CDATA[<p>In the weeks leading up to the lab exam - I felt very unsure of where I was at. On one side, I felt like I was doing pretty well at most of the practice labs I was working on. But on the other side, I felt like I didn’t have any true idea of what challenges the real exam would hold - so I could be missing something big and have no idea yet. I know some people will throw the exam blueprint into excel and give themselves ratings on how well they know a particular blueprint item - but I never got into using this after trying it a few times. Realistically, I should have forced myself to do this anyways. Then I would have had a more deterministic way to judge how prepared I was. Instead - I had just reached a point where I knew I just needed to take the actual exam and figure out what I didn’t know yet.</p>
<p>Lab day finally came - and I arrived at Cisco building 5 in Richardson, TX around 7:45am. There were already a handful of other CCIE candidates waiting outside for the building to open. Once it hit 8am, we all went in to get signed in and fill out our lunch order forms. Then it was time to wait.</p>
<p>The exam proctor showed up around 8:17 and guided us to the exam room. I figured there would be more time allotted to the proctor talking through rules, guidelines, etc… but instead he just said a few quick things and we were told to begin.</p>
<h2 id="troubleshooting">Troubleshooting</h2>
<p>The troubleshooting section had me a bit concerned. It’s always difficult to jump into a completely unknown network and try to fix a problem - and this was no different. My first question immediately made me start panicking a little. I read the ticket, looked at the expected output - and began wondering where to start while being very aware of my short time limit. Every question felt like “I’m never going to figure this out in time” - yet after a few minutes of troubleshooting I was able to find the answers to the first few questions.</p>
<p>Halfway through the section I received a few tickets that required a lot more work. Some of these I didn’t make much progress on, and some I was able to get half-way resolved. For each of these I tried very hard to keep to a reasonable time limit per question, then mark it down as something to come back to later if I had time.</p>
<p>A lot of people talk about counting your points during the exam to know where you stand. I had originally assumed that this would just be a waste of time. Yet when I finished going through the remaining tickets, I knew I had to make sure I had enough points. Turned out I was barely on the edge of a passing score - assuming I had resolved all of the tickets correctly. My first two hours ran out, and I got the 30 minute warning. I was hoping to avoid using the extra 30 minutes, but I knew I needed to go back to the 3-4 questions I hadn’t completed.</p>
<p>About 15 minutes later - I had managed to figure out one or two more of the tickets and decided to give up on the remaining items. Based on my estimated point count - I should have been in a good spot on the troubleshooting section….. But I still wasn’t confident in all of my answers. I knew I had a ticket or two that might not be resolved in the correct way. I decided to save the remaining 15 minutes and just move onto the next part of the exam.</p>
<h2 id="diagnostics">Diagnostics</h2>
<p>Next was the diagnostics section. My biggest complaint here (and it&rsquo;s somewhat minor) is that the on-screen timer is located in a completely different place than troubleshooting &amp; config. At first (probably because I was in a rush), I couldn’t find the timer - and I also had not kept track of when I began the section. That was a big mistake on my part. So I forced myself to rush through the section, knowing it could end unexpectedly at any second.</p>
<p>Once I wrapped up my diag questions - I finally found the timer… and to my surprise had just under five minutes left. Not a ton of time, but enough for me to go back and double check a few answers that I had rushed myself through. I also used the last minute or two to run for a restroom break before starting the config section.</p>
<p>I honestly had no idea how well I was doing on this section. One of the questions seemed straightforward, but the answer I picked felt too simple. But maybe I was just overthinking it? The other questions made me waffle back and forth between a few answers. In the end, I just went with what my instincts told me was the most likely answer and just stuck with that.</p>
<h2 id="config">Config</h2>
<p>The config section is extremely overwhelming at first. Well, I suppose it doesn’t get any less overwhelming during the exam - but you quickly get busy enough to stop caring about that 🙂</p>
<p>I had about 30-45 minutes in the config section before we took lunch. That was enough time for me to get through all of the Layer 2 tasks quickly and then build out my task list on the scratch paper. During this time, I thought I was doing okay until I got to the end of one of my first tasks. I had just completed all of the items within that task when I read the last item - which made me realize I had done the entire task incorrectly. That was not a pleasant feeling. Luckily, I caught my mistake before moving on - but the time had already been wasted and now I had to go back and re-configure that entire section.</p>
<p>Lunch was quick. We went out, ate our food, then got back to the exam in less than 15-20 minutes. There was a bit of minor discussion - but not a whole lot.</p>
<p>The remainder of the day went by very quickly. As I had practiced during the prior weeks of practice labs, I placed my trust in strategy &amp; order of operations - then just went heads down and got to work. I tried not to look at the clock and instead just focused on getting the tasks done as quickly and efficiently as possible. I’ll share a little more on my strategy in the next post.</p>
<p>I ran into a few problems here and there throughout the exam, but nothing too crazy. The strategy I used allows for quick connectivity/functionality testing after completing a task, which allowed me to find and fix my errors quickly. Similar to the troubleshooting section, I hit a few tasks that I could only figure out parts of - so I marked them down to follow up later and just moved on. Since you don’t get partial credit for tasks, I knew I would need to circle back to these if I wanted a shot at passing - but there is no sense in wasting too much time on one task if I couldn&rsquo;t figure it out quickly.</p>
<p>By the time I had finished every task, I finally let myself check the clock. I was shocked to see I still had almost a full hour remaining. I quickly took advantage of the time to go back to the several sections I needed more work on. A few of these I stumbled through until I was able to find my problems - and some of it I had to crack open the documentation site to figure out what I needed to do.</p>
<p>Running through a lot of the verification steps - there were still a few things not working as they should. I spent time troubleshooting, changing configs, and finally figuring out a few things. I made quite a few configuration changes here to force a few things to work, but I wasn’t sure if they were valid solutions - or if I would end up losing points for doing things I shouldn’t have.</p>
<p>In the last 10 or so minutes, I tried to very quickly add up my points while performing a quick skim through the tasks again. Being that close to the end of the exam - it made me feel a bit sick to start finding additional items I had missed. I rushed to throw in a few last-minute changes, then retest to make sure nothing broke in the process. I didn’t make it through re-reading all of the tasks, so I was left wondering what else I might have missed.</p>
<p>Assuming I had not missed anything else - my count of points placed me in a fairly decent spot on config. However, since there is an overall cut score for the entire exam - I had no idea if I would have enough total points between all three sections to pass. I already felt like I might have just barely scraped enough points together for troubleshooting, and diag felt like a complete wildcard.</p>
<p>When I left the exam center, I found myself feeling much better than when I had entered. If I passed, then that would be awesome. And if I had failed, then at least I was confident in what I needed to go back and study. Rather than having to keep worrying about what tricks the exam might hold, I now had the experience of knowing what to expect. I was happy to have attempted the exam once - and knew I would be far better prepared the next time.</p>
<p>That evening I went to dinner with a few CCIE candidates who would be attempting the exam the following day. Just tried to have a good time, and not check my email too much :). When I got back to the hotel that night, I still had no results yet - so I just went to bed and tried to get some sleep.</p>
<h2 id="the-next-day">The Next Day</h2>
<p>I woke up probably a dozen or more times throughout the night. Every time my first instinct was to grab my phone and see if I had gotten my results yet. Every time I forced myself to <strong>not</strong> check, and just go back to sleep. Around 5am, I finally let myself check once - but still had nothing.</p>
<p>I finally got up around 6:30 - and the CCIE exam site was down. I had a bunch of text messages from people back home asking if I had anything to report - but now I couldn’t even check the site. Later I would find out that the site was broken due to an internal issue at Cisco, but for the time I couldn’t do anything. I tried a few more times throughout the morning, but mostly just gave up and decided to wait it out.</p>
<p>My flight left around 10:30 am. While waiting in the airport, I still kept checking every so often but could not get to the site.</p>
<p>Once I got onto the plane, the site finally loaded! But my results were the same: No score yet. At this point I figured I would just give up, enjoy the flight - and check when I got back home.</p>
<p>Boarding took a little longer than usual for the remaining passengers. Right as it was announced that they were shutting the doors and we would be taking off shortly, I decided to try checking one more time.</p>
<p>As the site loaded - this time I was greeted with a new status: <strong>Pass</strong>.</p>
<p>My initial reaction was just absolute relief to finally be done - knowing that I didn’t have to keep worrying about trying to pass before the upcoming certification changes. I sat back for a minute before refreshing the site again to make sure the result didn’t change. Nope - the result still said pass.</p>
<p>With that - on October 9th, 2019 - I was done. I had my number. CCIE #63461.</p>
<hr>
<p>Keep going for the rest of my story:</p>
<p><a href="/story-time-how-i-started-working-toward-the-ccie/">Part 1: Getting Started</a></p>
<p><a href="/ccie-written-exam-lab-prep/">Part 2: Written Exam &amp; Lab Prep</a></p>
<p><a href="/ccie-lab-day/">Part 3: Lab Day</a></p>
<p><a href="/ccie-strategy-whats-next/">Part 4: Lab Strategy &amp; What&rsquo;s Next</a></p>
]]></content:encoded>
    </item>
    <item>
      <title>CCIE: Written Exam &amp; Lab Prep</title>
      <link>https://0x2142.com/ccie-written-exam-lab-prep/</link>
      <pubDate>Sat, 25 Jan 2020 15:06:47 +0000</pubDate>
      <guid>https://0x2142.com/ccie-written-exam-lab-prep/</guid>
      <description>A short look at my experiences studying &amp;amp; taking the Cisco CCIE written exam</description>
      <content:encoded><![CDATA[<h2 id="written-exam">Written Exam</h2>
<p>Finally in early 2019 I gave up on trying to gauge where I was at - and figured it was time to just give the exam a shot. I had already been studying for almost a year and a half, and I was craving some definitive way of figuring out where I was at. I went ahead and scheduled an exam for Tuesday, March 12th.</p>
<p>When I walked into the written exam, my first question immediately made me feel unprepared. It was something specific to provider WAN switching - not a topic I had spent enough time on yet. I did my best to take an educated guess, but that first question gave me a lot of doubt about how well prepared I was.</p>
<p>The written exam overall felt very&hellip; all over the place. It didn’t feel like a single cohesive exam - instead it felt like 20 different banks of questions shuffled into one. Some people call the exam just random networking trivia - and in some ways that might be accurate. For example, I might have a question on very basic L2, followed immediately by a very in-depth question on MPLS. Then probably over to something completely different. I didn’t want to admit it at the time, but I probably felt far less confident in answering many of the questions I got - and gave my best effort on guessing at quite a few.</p>
<p>Already not feeling great about how well I was doing, the test finally made its way into the evolving technologies section. This section did nothing to ease my nerves :). I completely understand why this section exists, but it felt like there was almost no effort put into some of the questions. Many of the questions I got made no sense, had grammatical errors, or gave a set of possible answers that didn’t line up with what the question was asking. Even for technologies that I did have a lot of experience with, it felt like the question was just written by someone who had no understanding of it.</p>
<p>As I finished my last question, there was no doubt in my mind that I had failed. To me, it was just a matter of how badly did I miss and how can I better prepare for next time. I was already making several mental notes on what topics I desperately needed to go back and review for the next attempt.</p>
<p>However - when I clicked through the remaining screens on the exam, I was extremely surprised to see that I had passed. It was only by a few points - but a pass is a pass!</p>
<p>Walking out of the exam, I sent a message to a few people at work to let them know I had passed. Even with the score sheet in my hand, I didn’t feel comfortable saying that I had passed. At no point during the exam did I feel like I was doing well. Maybe that’s just part of the difficulty? I don’t know&hellip; I&rsquo;m honestly glad to see the written exam requirement is being dropped from the new exam blueprints.</p>
<h2 id="studying-for-the-lab-exam">Studying for the Lab Exam</h2>
<p>Once I had gotten past the written exam, my full attention went into working toward the lab. I spent too much time initially trying to get my lab environment all sorted out. Went back and forth trying to choose between EVE-NG and GNS3, before finally settling on GNS3. Then I wasted a bunch of time trying to find the right images to use and testing them to make sure everything worked.</p>
<p>Finally - I picked up a copy of “CCIE Routing and Switching v5.1 Foundations: Bridging the Gap Between CCNP and CCIE” and got started. Going through this first book was far less enjoyable than I had hoped. Each lab was a completely different topology with a lot of pre-work to get going - and in many cases completing the actual practice lab would take a fraction of the time it took to get set up. I got frustrated with this a lot - but tried to keep pushing through to at least finish the book as a starting point. This ultimately amounted to a rocky start to labbing for me. Not working on it as much as I should, and not necessarily looking forward to it.</p>
<p>My next set of materials would be the INE workbooks - which honestly are structured far better. These labs were all on a shared topology that I could easily clone in GNS3 every time I started a new section. All of the pre-config is done for you - so that you can just focus on the pieces relevant to the topic. For example, if you’re working on a BGP lab - you don’t have to start from scratch with IP addressing or L2 configs. This made the content much easier to consume, and did a lot to help me spend more time working on practice labs. I got through these labs pretty quickly and repeated quite a few for additional practice.</p>
<p>At Cisco Live US 2019 - there was a huge announcement regarding certification changes. The CCIE exam &amp; content was changing (along with pretty much everything else). I wasn’t entirely surprised to hear the announcement since the existing track was several years old, and I had come across a few rumors on the internet of possible changes. Even still, I was finding myself now up against a very finite amount of time to pass the lab exam. The old test would be phased out in just eight months (in February 2020).</p>
<p>After the announcement, I talked to my manager about what to do. We decided it would probably be in my best interests to schedule a lab date, and do whatever I can to try and pass ahead of the exam changes. So - only a few days after the new content was announced, I had scheduled a lab date for October 9th, 2019. This was less than four months away, and I still had a ton of content / practice labs to get through.</p>
<p>Having the looming deadline did great things for my motivation :). On the good side of things - It helped me to spend more and more time studying for the lab exam. I was able to focus more than before, and I was finding it much easier to push myself to practice even when I wasn&rsquo;t necessarily excited to. Over the summer I nearly doubled the amount of time I had spent labbing compared to before the announcement. On the not-so-good side - I had also put together a week-by-week plan of what I still needed to accomplish between now and October. It was a tighter timeline than I was originally looking at, and now it felt like I didn’t have enough time to accomplish everything. I pushed through it anyways, knowing that October was just my first attempt. If I couldn’t finish everything in time, then I would still have time before the second try.</p>
<p>Remember back when I mentioned that six year gap between getting the CCNP and starting on the CCIE? This is the big part where that helped me a ton. Going through a lot of the workbooks - I didn’t necessarily feel like anything was too crazy. Over the past 10+ years I’ve worked at a number of different companies and had the opportunity to play with a lot of networking gear. I had a great base of experience with most L2/L3 technologies, including quite a bit of practice with all the fun that BGP has to offer.</p>
<p>One of the other big things that I think helped was that not all of my prior experience was on Cisco equipment. Having to learn how to configure BGP, VRFs, or switching on multiple vendors forces you to think beyond the syntax. Every vendor implements things in their own unique way - and this helps you to get beyond just memorizing what commands to enter. Instead, you begin having to learn much more about the underlying technologies and how they operate - and understanding what you’re actually trying to accomplish. Then it’s just a matter of researching whatever syntax that specific vendor uses to implement that function.</p>
<p>Having that good base of knowledge and experience helped me burn through the practice labs fairly quickly. A lot of content felt very familiar, with maybe a few new variations of commands - or maybe a new option that I hadn’t previously used. Even some of the pieces that I hadn’t used much of before, like DMVPN or multicast, still seemed easy enough to grasp how it worked and learn the necessary syntax.</p>
<p>That being said - In a lot of ways it also gave me a false sense of security. Feeling like maybe I knew more than I realized and therefore maybe I was better prepared. Yet at the same time, knowing how difficult the lab is supposed to be - and constantly wondering what I could be missing.</p>
<hr>
<p>Keep going for the rest of my story:</p>
<p><a href="/story-time-how-i-started-working-toward-the-ccie/">Part 1: Getting Started</a></p>
<p><a href="/ccie-written-exam-lab-prep/">Part 2: Written Exam &amp; Lab Prep</a></p>
<p><a href="/ccie-lab-day/">Part 3: Lab Day</a></p>
<p><a href="/ccie-strategy-whats-next/">Part 4: Lab Strategy &amp; What&rsquo;s Next</a></p>
]]></content:encoded>
    </item>
    <item>
      <title>Story Time! How I Started Working Toward the CCIE</title>
      <link>https://0x2142.com/story-time-how-i-started-working-toward-the-ccie/</link>
      <pubDate>Sat, 25 Jan 2020 15:06:07 +0000</pubDate>
      <guid>https://0x2142.com/story-time-how-i-started-working-toward-the-ccie/</guid>
      <description>Why &amp;amp; how I started studying for the CCIE a few years ago</description>
      <content:encoded><![CDATA[<p>Now that we&rsquo;re firmly into 2020 - I finally decided it was about time to get this posted. I actually wrote most of this shortly after passing the exam, but it just sat unedited and collecting dust since then.</p>
<p>In about a month, most of the exams will be changing over to the new blueprints so I&rsquo;m not sure how relevant any of this will be - but it&rsquo;s still worth throwing out there, right?</p>
<h2 id="why-ccie-why-now">Why CCIE? Why now?</h2>
<p>The two years I spent working on the CCIE dragged on for what seems like forever. Back in late 2017, I had hit a point where I felt like I wasn’t being challenged enough technically - and I missed the old days of excitement when I was studying/labbing for certification exams. I had always wanted to go after the CCIE for a number of reasons, but it never made sense before. I had decided that maybe it was finally time to give it a shot.</p>
<p>To step back for just a moment - I originally began my career in networking by taking advantage of the Cisco Networking Academy program, which had been offered at my high school. It’s hard to believe I started that over 14 years ago - but it was likely the single most influential thing in getting me where I’m at in my career today. After two years of classes, I walked out in late 2007 with my CCNA and eager to begin working in networking.</p>
<p>Over the next few years - I worked on a number of additional certifications. I always had fun going after certifications because they gave me a path to follow and a goal to achieve. They helped to make the process of learning a bit more fun. On the Cisco side of things, I worked on the CCDA, CCNA Voice (now retired), and my CCNA Security. Finally in 2011 I finished up my CCNP and had to figure out what was next. I was super interested in the CCIE - but there was no way my company would pay for it. For the time I shelved the idea - but I didn’t give up on it as a goal. Instead, I just continued to maintain &amp; recertify my existing certs, and picked up the CCDP along the way.</p>
<p>Fast forward to late 2017. I had officially passed my 10 year anniversary on my CCNA. I was also feeling like I was hitting a wall in my technical abilities. I wanted to do something different and fun - and my first thought went back to pursuing a new certification because of how much I used to enjoy the process. I debated between a handful of certs, including CISSP, CCNP Security, CCDE, and CCIE R&amp;S. After giving it some thought and talking to a few people, I decided it was finally time to tackle the CCIE and work toward one of my long-standing goals. That six year gap between CCNP and starting on the CCIE would come back to cause me a lot of problems, but also help me in a few ways I hadn’t expected - both of which I’ll talk about later.</p>
<h2 id="time-to-study">Time to Study</h2>
<p>On October 4th, 2017 - I ordered my first set of books and began studying for the CCIE Routing &amp; Switching written exam.</p>
<p>To be absolutely honest, I had no plan going into this. Historically when I took certification exams my process was usually watching a set of training videos (usually CBT Nuggets), reading through the official cert guides a few times, picking up maybe another book or two, taking a bunch of notes, then a lot of labbing. It was never enough for me to just watch/read about the stuff - I needed to get hands on and break it to really learn. Usually by the time I had finished all of that, I would be feeling confident enough to go give the test a shot. I went into the CCIE written assuming this strategy would still probably work - and I was absolutely wrong.</p>
<p>When I began working through the books and videos I had - I found that I wasn’t getting as excited about it as I had hoped. In fact, it just felt like so much of the content was just review of things I had learned years ago during CCNP studies. That long gap since my CCNP also left me reluctant to want to memorize all of the little details again. How many things had I studied for the CCNP that I never used in my actual job? I certainly didn’t want to waste the time trying to re-learn/re-memorize those things now&hellip; But I knew I would need to if I wanted to pass the exam. This kinda killed my motivation in some ways - because I would end up having to force myself to try and retain information that I didn’t want to.</p>
<p>Studying for the written was hard for me - and probably more than it should have been. Between the mixed motivation, I was also working through a lot of stress and nonsense in both my personal and work life. I would eventually work through these issues - but sometimes it would mean having to take a few weeks off from studying. Every time I took a break, I knew I needed to - yet it was still very demoralizing.</p>
<p>I got some help toward my goal in June 2018: I had the opportunity to take a job working at Cisco as a Systems Engineer. In terms of working toward the CCIE, this was an absolute key step in getting there. I was finally working for a company that was willing to encourage and help me toward my goal. I was also surrounded by a ton of engineers and enthusiastic networking professionals who were there to support me. I got to spend time with other people who were working on certifications, and even network engineers at my customers who always wanted to ask how my studies were going. This helped a lot to get me back into being excited about the content - and brought a bit of motivation back.</p>
<p>Even though I was spending a lot of time studying for the written exam - I never really felt like I was making true progress. I believe this was likely caused by the fact that the exam blueprint is so large and diverse. I never settled on a good method to reliably track how far I had progressed on all of the content. While I felt like I had learned a lot, I also perpetually felt like I was nowhere close to where I needed to be. I also have an old habit of waiting to schedule the exam until after I already feel confident I have a good shot at passing. With the CCIE written, I felt like that level of confidence was never going to happen.</p>
<hr>
<p>Keep going for the rest of my story:</p>
<p><a href="/story-time-how-i-started-working-toward-the-ccie/">Part 1: Getting Started</a></p>
<p><a href="/ccie-written-exam-lab-prep/">Part 2: Written Exam &amp; Lab Prep</a></p>
<p><a href="/ccie-lab-day/">Part 3: Lab Day</a></p>
<p><a href="/ccie-strategy-whats-next/">Part 4: Lab Strategy &amp; What&rsquo;s Next</a></p>
]]></content:encoded>
    </item>
    <item>
      <title>How to: Migrating to a New Synology NAS</title>
      <link>https://0x2142.com/how-to-migrating-to-a-new-synology-nas/</link>
      <pubDate>Tue, 24 Oct 2017 08:00:20 +0000</pubDate>
      <guid>https://0x2142.com/how-to-migrating-to-a-new-synology-nas/</guid>
      <description>Just bought an upgraded Synology NAS? Here&amp;rsquo;s how to migrate to the new unit</description>
      <content:encoded><![CDATA[<p><sup><em>Note: I may receive commissions for purchases made through links in this post. This is to help support my blog and does not have any impact on my recommendations.</em></sup></p>
<hr>
<p>Back in 2011 I picked up a Synology DS411 NAS, which has proved to be one of the most beneficial parts of my home lab. When I purchased it, I filled it with 4x 3TB drives for a total of 12TB of storage (~8TB usable with RAID5). I use the NAS as an iSCSI datastore for my home ESX hosts, which has helped me to run many more test virtual machines than I could have otherwise. I&rsquo;ve also been using the NAS as a media server, file server, and a general backup location for everything I do.</p>
<p>The only problem with the DS411 is that the device is now over six years old - which means its processing power just doesn&rsquo;t keep up with what I need it for today. The device is also reaching its end of life state, so I needed to replace it anyways. For reference, the device only came with a single-core 1.6Ghz processor and 512Mb of RAM.</p>
<p>Synology just recently released their new 2018 models, so I opted to pick up the <a href="https://www.amazon.com/gp/product/B075N1Z9LT/ref=as_li_qf_asin_il_tl?ie=UTF8&amp;tag=0x2142-20&amp;creative=9325&amp;linkCode=as2&amp;creativeASIN=B075N1Z9LT&amp;linkId=c2891aca5bc28b1ebf25847b6e687135">DS918+</a>. I could have upgraded to an equivalent model (DS418) of what I already have, but I was really interested in some of the additional features offered by the plus-series model. The DS918+ supports docker containers and Synology&rsquo;s own virtualization hypervisor - along with the ability to add extra RAM modules later if I need them. As sad as I am to see my DS411 go, it was definitely time for an upgrade!</p>
<p>Anyways, I just completed the migration from my old DS411 NAS to a new DS918+. The whole process was much easier than I had anticipated, but I figured I would write up a quick summary of what I did:</p>
<ol>
<li>
<p>First thing - Update the current NAS to the latest version of Synology DSM</p>
<ul>
<li>Control Panel &gt; Update &amp; Restore &gt; Click Update if one is available</li>
</ul>
</li>
<li>
<p>Take a backup of the DSM configuration</p>
<ul>
<li>Control Panel &gt; Update &amp; Restore &gt; Configuration Backup &gt; Click <strong>Backup Configuration</strong></li>
</ul>
</li>
<li>
<p>Power off the old NAS - in my case, my DS411</p>
</li>
<li>
<p>Unplug the old NAS and remove the drives</p>
<ul>
<li>For the DS411, this requires disassembling the chassis</li>
<li><strong>MAKE SURE YOU KEEP THE DRIVES IN ORDER</strong> (I actually printed labels to put on mine)
<ul>
<li>For the DS411, the drive numbers start top to bottom (Disk 1 is top, Disk 4 is bottom)</li>
</ul>
</li>
</ul>
</li>
<li>
<p>Install the drives into the new NAS - in my case, a DS918+</p>
<ul>
<li>Again, these drives must be replaced in the same order!
<ul>
<li>The DS918+ numbers left to right (Disk 1 is the first slot on the left, Disk 4 is last slot on the right)</li>
</ul>
</li>
</ul>
</li>
<li>
<p>Once all of the drives have been inserted - Plug in the new NAS and power it on</p>
</li>
<li>
<p>Download the <a href="https://www.synology.com/en-us/support/download/DS918+#utilities">Synology Assistant</a> application</p>
<ul>
<li>This is necessary because the new NAS will not retain the previous IP configuration of the old NAS</li>
</ul>
</li>
<li>
<p>Once the new NAS is booted up - Open Synology Assistant and click <strong>Search</strong></p>
<ul>
<li>It should locate the NAS, and the status should be <strong>Migratable</strong></li>
<li>In my case, it shows both network adapters for the NAS
<img alt="image" loading="lazy" src="/content/images/2017/10/synology1.png#center"></li>
</ul>
</li>
<li>
<p>Select the NAS and click <strong>Connect</strong> - This will launch the Web UI of the NAS</p>
</li>
<li>
<p>The WebUI should show something similar to the screenshot below, with the button to <strong>Migrate</strong></p>
<ul>
<li><strong>If the WebUI does not show you a migrate option, DO NOT CONTINUE.</strong> You may need to double-check that the drives have been inserted in the correct order.
<img alt="image" loading="lazy" src="/content/images/2017/10/synology2.png#center"></li>
</ul>
</li>
<li>
<p>Click <strong>Migrate</strong>, then you will be prompted to select whether you would like to migrate all settings or perform a clean install of DSM</p>
<ul>
<li>Performing a clean install will still retain all of the data on the NAS, but all DSM settings will be lost</li>
<li>I selected the option to retain all of my settings
<img alt="image" loading="lazy" src="/content/images/2017/10/synology3.png#center"></li>
</ul>
</li>
<li>
<p>Next, Click through the prompts to install the newest version of DSM
<img alt="image" loading="lazy" src="/content/images/2017/10/synology4.png#center"></p>
</li>
<li>
<p>Wait for the system to download and install DSM</p>
</li>
</ol>
<p><img alt="image" loading="lazy" src="/content/images/2017/10/synology5.png#center"></p>
<p>Once complete - you will be brought to your DSM login screen and the migration is complete!</p>
<p>If you selected to keep the DSM settings, everything should still be there - with the exception of your IP/network configuration.</p>
<hr>
<p>After all that is complete - you&rsquo;re ready to enjoy your new Synology NAS! The migration was significantly easier than I had expected it to be. The longest part for me was just removing the drives from the DS411 - since it requires disassembling the chassis and removing multiple screws to free the drives from the drive sleds. So far the <a href="https://www.amazon.com/gp/product/B075N1Z9LT/ref=as_li_qf_asin_il_tl?ie=UTF8&amp;tag=0x2142-20&amp;creative=9325&amp;linkCode=as2&amp;creativeASIN=B075N1Z9LT&amp;linkId=c2891aca5bc28b1ebf25847b6e687135">DS918+</a> is fantastic - and I would highly recommend purchasing one to anyone who is interested.</p>
<p>Hope this quick tutorial helps out - Let me know in the comments!</p>
]]></content:encoded>
    </item>
    <item>
      <title>How to: Synology Backups with CrashPlan</title>
      <link>https://0x2142.com/synology-backups-with-crashplan/</link>
      <pubDate>Tue, 16 May 2017 08:00:28 +0000</pubDate>
      <guid>https://0x2142.com/synology-backups-with-crashplan/</guid>
      <description>In this post, we&amp;rsquo;ll walk through a tutorial on setting up Crashplan to back up a Synology NAS via NFS</description>
      <content:encoded><![CDATA[<p><sup><em>Note: I may receive commissions for purchases made through links in this post. This is to help support my blog and does not have any impact on my recommendations.</em></sup></p>
<hr>
<p>As part of my home lab, I have an older Synology DS411 that I picked up in early 2012. I&rsquo;ve been using the device since then with 4x 3TB drives as an iSCSI backend to my ESX host. Of course, I&rsquo;ve also been using the NAS for general file storage (photos, videos, documents, etc). So in late 2014 I decided that I needed to find a good backup solution for it.</p>
<p>I started using <a href="https://www.crashplan.com/en-us/">CrashPlan</a>, because they offer unlimited cloud storage for only $5.99 a month. This was amazing to me, because I had around 1.2TB of data at the time. I found a great community package <a href="https://pcloadletter.co.uk/2012/01/30/crashplan-syno-package">here</a>, which allowed me to install the backup client directly on the NAS. This ran great until late 2016 when CrashPlan updated to 4.8.0 and ended support for ARM processors (which is what the DS411 uses). For the past 6-7 months, I&rsquo;ve been unable to back up my primary storage device at home. Since my DS411 is reaching the end of its life anyways, I figured I would just wait until I replaced it with one of the new Synology devices that use an Intel processor.</p>
<p>Well a few days ago, I received an email from CrashPlan threatening to delete my backups since my NAS hadn&rsquo;t connected in over 6 months. It makes sense why they do that - but I didn&rsquo;t want to lose my backups before I could replace the device. Re-seeding my backups whenever I picked up a replacement NAS would take forever (I think I have ~2TB backed up currently). So I finally forced myself to sit down and find an alternate solution.</p>
<p>Alright - so as of today I now have a dedicated CentOS VM running on my ESX host, which is connected to the Synology via NFS. This VM is running the CrashPlan client, and my backups have resumed! Here is how I got this all set up:</p>
<h2 id="synology-configuration">Synology Configuration</h2>
<ol>
<li>
<p>Enable NFS on the Synology</p>
<ul>
<li>Open up the <strong>Control Panel</strong> and go to <strong>File Services</strong></li>
<li>Scroll down to the <strong>NFS</strong> section, and check the box for <strong>Enable NFS</strong></li>
<li>Click <strong>Apply</strong></li>
</ul>
</li>
<li>
<p>Apply NFS permissions to each share</p>
<ul>
<li>Still under <strong>Control Panel</strong>, visit <strong>Shared Folders</strong></li>
<li>For each folder you need to back up via CrashPlan:
<ul>
<li>Select the folder and click <strong>Edit</strong></li>
<li>Click the tab for <strong>NFS Permissions</strong>, then click <strong>Create</strong></li>
<li>Enter the IP address for your CentOS VM (or other linux system)</li>
<li>Set privilege to <strong>Read-Only</strong> (you could probably leave this read-write, but CrashPlan only needs read permissions to back up data)</li>
<li>Click <strong>OK</strong></li>
</ul>
</li>
</ul>
</li>
</ol>
<h2 id="linux-vm-setup">Linux VM Setup</h2>
<ol>
<li>
<p>Build a CentOS VM - This can be on an ESX host like I used, or just a standalone PC</p>
<ul>
<li>Don&rsquo;t forget to use the same IP address that we entered in the Synology for NFS</li>
</ul>
</li>
<li>
<p>Install packages</p>
<ul>
<li>Make sure you get the latest package updates first: <strong>yum -y update</strong></li>
<li>Install NFS tools: <strong>yum -y install nfs-utils nfs-utils-lib</strong></li>
</ul>
</li>
<li>
<p>Test NFS</p>
<ul>
<li>If you have the packages installed and NFS set up correctly on the Synology, then you should be able to validate the configuration by using showmount. For example, here are the directories that I was using CrashPlan to backup:</li>
</ul>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">[root@SynologyBackupVM~]# showmount -e 10.12.32.2
</span></span><span class="line"><span class="cl">Export list for 10.12.32.2:
</span></span><span class="line"><span class="cl">/volume1/backups   10.12.32.209
</span></span><span class="line"><span class="cl">/volume1/documents 10.12.32.209
</span></span><span class="line"><span class="cl">/volume1/homes     10.12.32.209
</span></span><span class="line"><span class="cl">/volume1/photos    10.12.32.209
</span></span></code></pre></div><ul>
<li>Make your local Linux directory structure, which should match what the Synology structure is. So in my case, I made new directories on my local Linux VM for /volume1/backups, /volume1/documents, etc</li>
<li>Edit <strong>/etc/fstab</strong> to auto-mount your NFS shares on boot. In my case, I added the following lines:</li>
</ul>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl"># NFS Share location          Local Folder
</span></span><span class="line"><span class="cl">10.12.32.2:/volume1/backups   /volume1/backups   nfs defaults 0 0
</span></span><span class="line"><span class="cl">10.12.32.2:/volume1/documents /volume1/documents nfs defaults 0 0
</span></span><span class="line"><span class="cl">10.12.32.2:/volume1/homes     /volume1/homes     nfs defaults 0 0
</span></span><span class="line"><span class="cl">10.12.32.2:/volume1/photo     /volume1/photo     nfs defaults 0 0
</span></span></code></pre></div><ul>
<li>Reboot, and check to make sure each NFS share was actually mounted. If you do a <strong>ls /volume1/backups</strong>, do you see all the files on the NAS in that folder?</li>
<li>If everything works, then grab the CrashPlan Client installer (4.8.2 was the latest at the time)
<ul>
<li><strong>wget <a href="https://download.code42.com/installs/linux/install/CrashPlan/CrashPlan_4.8.2_Linux.tgz">https://download.code42.com/installs/linux/install/CrashPlan/CrashPlan_4.8.2_Linux.tgz</a></strong></li>
</ul>
</li>
<li>Extract the files: <strong>tar -xzvf CrashPlan_4.8.2_Linux.tgz</strong></li>
<li>Run the installer: <strong>cd crashplan-install/ &amp;&amp; ./install.sh</strong>
<ul>
<li>I just let CrashPlan use all the defaults, so I didn&rsquo;t change any options during install</li>
</ul>
</li>
<li>Set CrashPlan to start automatically: <strong>chkconfig crashplan on</strong></li>
<li>Make sure the service is already running: <strong>/etc/init.d/crashplan status</strong></li>
</ul>
</li>
</ol>
<p>At this point we should be able to run CrashPlan&rsquo;s backup client on our VM, which will pull the data across the network from the NAS. The last step is to set up our local PC for remote administration of the Linux VM. Unfortunately, this process has become more and more painful as CrashPlan keeps updating their clients. They provide their own <a href="https://support.code42.com/CrashPlan/4/Configuring/Using_CrashPlan_On_A_Headless_Computer">documentation</a> on how to do this piece, but I&rsquo;ll summarize what I did here:</p>
<h2 id="connecting-the-crashplan-ui-to-the-linux-vm">Connecting the CrashPlan UI to the Linux VM</h2>
<ol>
<li>
<p>Download and install the CrashPlan Client on your PC (In this case, I&rsquo;m using a Windows 10 laptop)</p>
</li>
<li>
<p>On your linux VM, run the following command to find your authentication token: <strong>cat /var/lib/crashplan/.ui_info</strong></p>
</li>
<li>
<p>Back on the Windows side, place that token in the following file: <strong>C:\ProgramData\CrashPlan\.ui_info</strong></p>
<ul>
<li>You will replace the existing token in the file</li>
<li>Also change the port from 4243 to 4200</li>
<li>Should look something like this when you&rsquo;re done: <code>4200,3da4v903-7q38-4r52-e67e-79aecxf760c4,127.0.0.1</code></li>
</ul>
</li>
<li>
<p>Download <a href="https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html">PuTTY</a>, which will be used to create a SSH tunnel to our linux box</p>
</li>
<li>
<p>Open PuTTY and set the following configurations:</p>
<ul>
<li>On the left side, go to <strong>Connection</strong> &gt; <strong>SSH</strong> &gt; <strong>Tunnels</strong></li>
<li>Enter the source port: <strong>4200</strong></li>
<li>Enter the destination: <strong>localhost:4243</strong></li>
<li>Click <strong>Add</strong></li>
<li>On the left side, go back up to <strong>Session</strong></li>
<li>Enter the IP address of your Linux VM</li>
<li>(optional) Under <strong>Saved Sessions</strong>, put in a name and click <strong>Save</strong></li>
</ul>
</li>
<li>
<p>Once that&rsquo;s done, go ahead and click <strong>Open</strong> to connect to your Linux VM</p>
</li>
<li>
<p>Log into the VM and just leave the window open.</p>
<ul>
<li><strong>Note:</strong> This SSH session will need to remain open any time you need to connect to your Linux VM and administer CrashPlan</li>
</ul>
</li>
<li>
<p>Open the CrashPlan client locally on your Windows machine</p>
</li>
<li>
<p>Log into CrashPlan using your account (Should be the same one you were previously using to back up your Synology with)</p>
</li>
<li>
<p>CrashPlan may give you a warning about migrating to a new PC, and ask if you want to adopt the backups - You want to accept this prompt, and let CrashPlan know that your new Linux VM is a replacement PC for your Synology.</p>
</li>
</ol>
<p>As long as everything went according to plan, the CrashPlan client should start scanning the NFS shares on your Linux VM and comparing them to what&rsquo;s already backed up. Once it completes its synchronization, it will initiate the backup processes again.</p>
<p>I was extremely happy that this worked, because I was able to start backing up my data again (which had apparently almost doubled since the last time CrashPlan was connected). In my case, moving to a Linux VM provided me with much better backup performance as well, since the Synology DS411 only has a 1.6Ghz single-core processor and 512MB of RAM.</p>
<p>I hope this helps out anyone else out there who may have been trapped in a similar scenario. If you have any questions, please feel free to leave me a comment below!</p>
]]></content:encoded>
    </item>
    <item>
      <title>Why Have a Home Lab?</title>
      <link>https://0x2142.com/why-have-a-home-lab/</link>
      <pubDate>Tue, 21 Mar 2017 08:00:20 +0000</pubDate>
      <guid>https://0x2142.com/why-have-a-home-lab/</guid>
      <description>Ever wonder if running a lab at home is worth it? This post explores why I think it&amp;rsquo;s an important investment</description>
      <content:encoded><![CDATA[<p><sup><em>Note: I may receive commissions for purchases made through links in this post. This is to help support my blog and does not have any impact on my recommendations.</em></sup></p>
<hr>
<p>If you really want to become great at something, you practice it a ton, right? Well networking and IT work exactly the same. You&rsquo;re not going to become an expert by just reading a ton of tech books and blogs. While those certainly help, there is nothing better than simply getting your hands dirty. Having a good home lab setup is key to truly understanding how things work.</p>
<p>So how do you get started? Well the way that I built a home lab over the past 10 years is probably much different from how you could today, given the amount of virtualization technologies available. Still, I believe that some physical pieces of equipment are necessary. I took classes in high school toward CCNA certification, and we had a lab of several routers and switches there. Once I got into the real world, I wanted to start working on additional certifications and just improve my skills overall. So I picked up an old Cisco 2611 router and a 2950 switch. I played with these for a bit and used them to get my CCNA Security, which at the time covered the basics of securing Cisco IOS routers and switches.</p>
<p>Another year or so down the road and I expanded by picking up a power-over-ethernet switch, and two Cisco 7900 series IP phones. Since I had discovered that the 2611 router could run Cisco&rsquo;s Call Manager Express, I decided to go for the CCNA Voice certification. Having this equipment to work on gave me experience that was much closer to real world, than if I had just studied the textbooks. I could configure things, break things, then sit there for hours until I figured out how to fix my problem. I could configure the entire system, test it all, then tear it down and completely rebuild. Being able to configure the entire CME system from memory gave me a lot of confidence toward taking the certification exam.</p>
<p>So do I still have a home lab today? Oh yeah, you bet I do! It&rsquo;s changed quite a bit from what it used to be, but the same concept still applies. I have an entire environment to play with, which allows me to test and learn new technologies outside of work. In fact, my &lsquo;home lab&rsquo; has evolved into just part of my home networks.
So here is what I&rsquo;ve got running today:</p>
<ul>
<li>Cisco ASA 5505 (Probably soon to be replaced with a <a href="https://www.amazon.com/gp/product/B01ICEO2U4/ref=as_li_qf_asin_il_tl?ie=UTF8&amp;tag=0x2142-20&amp;creative=9325&amp;linkCode=as2&amp;creativeASIN=B01ICEO2U4&amp;linkId=35fbe8300af4e5d1e26e7a860782b3ca">Juniper SRX 300</a>)</li>
<li>Two Cisco 2960G-8TC-L switches</li>
<li><a href="https://www.amazon.com/gp/product/B015PR20GY/ref=as_li_qf_asin_il_tl?ie=UTF8&amp;tag=0x2142-20&amp;creative=9325&amp;linkCode=as2&amp;creativeASIN=B015PR20GY&amp;linkId=864af1f40df3f986b49741655d21e926">Ubiquiti UniFi</a> 802.11n wireless access point</li>
<li>Synology DS411 Network Attached Storage with 4x 3TB drives (Soon to be replaced, as it is over 5 years old (Update: Got myself a <a href="https://www.amazon.com/gp/product/B075N1Z9LT/ref=as_li_qf_asin_il_tl?ie=UTF8&amp;tag=0x2142-20&amp;creative=9325&amp;linkCode=as2&amp;creativeASIN=B075N1Z9LT&amp;linkId=c2891aca5bc28b1ebf25847b6e687135">DS918+</a>!))</li>
<li>A few spare PCs running VMware ESX 6.0</li>
</ul>
<p>The ASA, switches, and AP run just about all of my home network. I even have the ASA running AnyConnect SSL VPN so I can access my storage at home from anywhere. The Synology has been one of the best additions to my network and lab. For one, it acts as a centralized storage device for my home network. I back up all of my PCs to it, and any digital media I own is also stored on it so I can stream it to devices within my home. For two, the Synology acts as an iSCSI backend to my VMware hosts. This setup allows me much more flexibility with my lab.</p>
<p>On the ESX hosts, I have a few VMs for lab use and a few that are for my home network. A GitLab server hosts all of my Git repositories for my own personal coding projects. I have a CentOS box for running the Ubiquiti management web interface. Another few CentOS VMs for running bind DNS, Observium, and Splunk. I also run a personal Minecraft server on there, so it&rsquo;s not all work here 🙂</p>
<p>I love the idea that at any time I can just go home, spin up a few VMs, and start playing with something new. When I was learning Juniper&rsquo;s SRX platform, I downloaded their free trial of the vSRX and had it running for a while. When I changed jobs, I needed to learn a new web proxy software - so I downloaded their free trial and stood up a VM. You really learn a lot by building a platform from scratch, because you gain a better understanding of what impact certain configuration options have. You also have the freedom to change whatever settings you want and see what they do. I once had an idea for a coding project, so I turned up a VM running RabbitMQ - and spent a weekend learning how it works to see if it would accomplish what I needed for the project.</p>
<p>So to sum it up - I just want to say that having a home lab has really contributed a lot to my success. It offers way more flexibility than trying to test something at work, unless they also offer you a complete lab environment. Your lab doesn&rsquo;t have to start off perfect, nor does it need to have expensive equipment - it just needs to help facilitate your ability to learn and gain experience.
Have a lab at home? Tell me about it in the comments below! I would love to hear what other people have done.</p>
]]></content:encoded>
    </item>
  </channel>
</rss>
