
CCNA Security homelab question by eatingsolidsPacket Internet Groper in ccna

[–]dookie_nukemccna, ccna-security, sscp 4 points5 points  (0 children)

I just passed the exam a week or so ago and the only lab equipment I used was a physical ASA5505 and GNS3. But if you're able to get a 5505 and ASDM to work on gns3, you wouldn't need a physical ASA.

Take a look at the test outline from Cisco and look at the instances where they say "implement". That's where you'd want to lab.

Most resources don't go into the level of detail that you'd need to pass the exam, so use more than one resource. Also, if you're willing to spend a little dough on the CCNA-Security, I would advise you to use Boson Exam Sim for studying. Boson was the one I found most useful...

I'm getting confused between ARP and RARP by joshgoldeneagleCCENT, A+, Network+, MCSA in ccna

[–]CBRjackCCNA RS/W, BCNP, BCvRE 8 points9 points  (0 children)

ARP is IP to MAC.
RARP is MAC to IP.

ARP, ARP, ARP, IP's eating a big MAC.

Hit a wall with simplest static routing simulation. by arcticrobot in ccna

[–][deleted] 6 points7 points  (0 children)

Are default gateways set on the switch and the hosts?

Need motivation to continue by cody78987CCENT R&S | Studying CCNA in ccna

[–]debaron54 42 points43 points  (0 children)

You don't need motivation; to be honest, I hate that word. You need discipline. If you wanna be a network engineer you need to book them exams, print out the exam topics and study the shit out of them. Lab, lab, lab and then lab some more, break those fucking labs, fix them and then break them again a different way. Repeat this shit for a few months at least until you know the topics by heart. Then don't be cheap and buy the Boson Practice exam sims and then do one and you will get a 30% and it will crush you because you have worked so hard. Now you are gonna wanna quit, you will realize you are shit at subnetting and you constantly try to configure shit when you haven't even put conf t into the CLI. However, you aren't gonna quit. You are gonna keep studying and keep doing labs until you sit the exam. The big day has come and you are flying through it, you click next on that final question and boom, 798, damn it, you failed, but that's cool, rebook that shit in two weeks. Study the areas you were weak in and next time you will pass. Now you are a CCNA in the help desk so it is time to start rubbing elbows and making it clear to your boss what you want, and eventually you will move your desk near the big bad network engineers as they hand you all the bullshit "change this port to allow access to vlan 3 please" jobs. Welcome to networking, continue this process through CCIE and learn to love it. :)

Need help understanding why I am wrong on a subnetting question. by Kill_Frosty in ccna

[–]roflsocks 1 point2 points  (0 children)

Once you get past the "quiz yourself subnetting" phase, there's pretty much zero math whatsoever in networking. You'll quickly memorize the common masks you see, and you'll not really have to worry about it again.

Instead of dividing, you can just do multiples of 32 until you get to the right answer. You should get a whiteboard for the test, you can do quick math on that when you get something you're not immediately sure of.

Usually the first few are easy to do in your head. Then just write down the last few till you get your answer. 32+32=64, 64+32=96. 96+32=128, 128+32=160, 160+32=192, and we've gone too far.

All of this stuff goes in a pattern, and you can use that to shortcut halfway up. If you're trying to figure out a network, and it's above 128, you can always start at 128, and add whatever increment you're working with to get there. 128+32=160, 160+32=192.

I think especially for the networks with a small number of hosts per network, it's a lot easier to do the division, but there are always a lot of ways to end up at the same result. Just got to find a method that you find tolerable to get through the exams.

Keep in mind you can memorize a chart with your powers on them, and then scribble that down on a whiteboard at the start of your exam. It'll help a bit having something to reference when trying to figure out where things belong.

[edit] Holy gold batman, thanks!

Failed ICND1 today. Don't expect to be able to double check your answers before submitting, because they don't allow that. by windybuff in ccna

[–]the-packet-throwerMeow 🐈🐈Meow 🐱🐱 Meow Meow🍺🐈🐱Meow A+! 2 points3 points  (0 children)

We're into a semantic argument now so I'm off to find a beer, have a good weekend!

Is a homelab worth pursuing for CCNA? by StrangeHand in ccna

[–]RFC_1925CCENT 3 points4 points  (0 children)

I just wrote a blog post on this topic. Here are my conclusions:

  1. Yes, building a home lab is a great way to gain experience.
  2. You don't add it to your resume. Just bring it up during the interview process.
  3. DO NOT BUY A KIT. The mark up on the price is nuts. Buy pieces for your lab off ebay one at a time.
  4. You can buy a Raspberry Pi and put Linux on it to act as a host device. I also recommend having a laptop.

Here is my blog post, if you are interested: https://rfc1925.blog/2017/07/17/building-a-home-lab-part-1/

What RFCs do we have to know for CCENT? by [deleted] in ccna

[–]tectubedk 2 points3 points  (0 children)

Probably not a must but RFC1925

Just Todd Lammle, everyone by [deleted] in ccna

[–]lammle 70 points71 points  (0 children)

haha, I can't believe someone saw that and put that up there, but hey, it's totally true, and my editors couldn't believe I wrote that and said they'd give me $100 if it was published, so after 50,000 copies, I say they owe me now!! :)

Help with the Application / Presentation layers and how deep we need to understand them. by Kill_Frosty in ccna

[–]_chrisjhartCCNA R&S 12 points13 points  (0 children)

As you've stated, the Application layer of the OSI model handles protocols that applications use, such as HTTP, FTP, SNMP, SMTP, NTP, and so on. I would argue that Eli's definition of the Application layer is incorrect - the applications that he listed (Skype, Outlook, Firefox, etc.) do not sit in the Application layer; however, the protocols that each of those applications use in order to function absolutely utilize the Application layer.

To ensure you understand this concept, I'll give you an example, but first we should talk a bit more about the OSI model itself. The OSI model is just that: a model. It is not a rigid, absolute definition of how networking operates; it's simply a guideline that helps us teach and understand how networking can be separated into layers and encapsulations. If you continue to pursue networking education, you'll undoubtedly learn about popular technologies that don't really fit into one specific layer of the OSI model (such as MPLS and ATM, which are commonly considered to be "layer 2.5" protocols.)

Now, onto the example. Consider the following topology. We have two computers, PC and Server. Both are connected to switches, which are subsequently connected to a router. PC lives in the 192.168.0.0/24 subnet and has an IP address of 192.168.0.10, while Server lives in the 192.168.1.0/24 subnet and has an IP address of 192.168.1.10. R1, our router, lives between them and serves as each computer's default gateway, occupying the .1 address on both subnets.

For this example, assume that all devices have just been turned on for the first time. Server is a web server, and PC wants to access a webpage on Server. On the PC, the user types in "https://192.168.1.10" into their web browser, and clicks "Go". At that point, the PC knows it needs to send an HTTP GET message to the web server (Layer 7), and it knows it needs to encrypt that message using SSL or TLS (Layer 6), but in order for that message to be delivered, it first needs to create a socket between PC and Server (Layer 5). However, in order to create a socket, it needs to establish a TCP connection with Server (Layer 4), which requires knowledge about where the IP address of Server is located (Layer 3), which can be mapped using MAC addresses obtained via ARP (Layer 2), all of which will be transmitted over the physical cable medium which will most likely be communicated through bursts of electricity or light (Layer 1).

So, the very first thing that leaves PC's NIC is an ARP broadcast defining the source IP and MAC addresses of PC and querying the MAC address of the owner of 192.168.1.10. The switch receives that ARP broadcast, stores the MAC address of PC in its CAM table for future reference, and broadcasts the ARP frame out all of its interfaces except for the interface that PC is connected to. The ARP broadcast makes its way to R1, who notices the query for an IP address of 192.168.1.10. R1 doesn't know if it has a connection to Server, but when it references its routing table, it has a directly-connected route for 192.168.1.10, which matches the request. R1 replies to the ARP broadcast with a unicast ARP reply, telling PC that it is the "owner" of 192.168.1.10 and to use its MAC address when addressing that IP address.

PC receives the reply, makes a note of R1's MAC address in its MAC address table, and begins to craft a packet designed to establish a TCP connection between PC and Server. This packet has a random source port (within a certain dynamic range; also note that this is Layer 4!), a destination port of 443 (which is commonly used for HTTPS), a source IP of 192.168.0.10, a destination IP of 192.168.1.10, a source MAC address containing PC's MAC address, and a destination MAC address of R1's MAC address. It sends this TCP SYN packet to R1. R1 repeats the above ARP process to find the destination MAC address of Server, rewrites the source and destination MAC addresses in the packet such that Server is the destination and R1 is the source, everybody learns everybody else's MAC addresses and stores them in their respective tables, and R1 forwards the frame to Server.

Server responds with a SYN-ACK, PC receives it and responds with an ACK. This completes the classic TCP three-way handshake, which means that a session/socket has been established between PC and Server, and now PC can send his HTTP GET message. PC encrypts this message using SSL/TLS, then utilizes the socket to send the message. Server receives the packet, decrypts it, then prepares its own encrypted packet containing the webpage that PC is seeking.

Keep in mind that Server's reply might be (and probably will be) too large to fit within a single packet. This means that multiple packets must be sent back and forth between PC and Server in order for PC to finally display the complete webpage. During this time, the HTTP protocol will generally place the received packets into a queue or buffer while it waits for all of the information to be received from Server before PC's application (be it Firefox, Internet Explorer, etc.) "receives" the complete webpage and loads it for PC's user.

This is how communication between applications works on a network. Each application must traverse up and down the OSI model in order to send and receive the information it needs to send. The key thing to notice is the clear demarcation between the layers - the HTTP protocol doesn't care at all what's happening during the ARP process at Layer 2, or how the protocol is being routed throughout a TCP/IP fabric at Layer 3, or whether a physical transmission was successfully sent and received at Layer 1. All the HTTP protocol cares about is the HTTP messages it's sending, and the messages it's receiving; it trusts the lower layers of the OSI model to "do their jobs" and get the packet to where it needs to be.

In short, that's how the OSI model works.

As for your concerns regarding understanding the concept, I wouldn't worry too much about that. Network engineers rarely need to worry about the intricacies of what happens above the Session layer - normally, that's the territory of developers who create or work with the protocols mentioned in the Presentation and Application layers. It's important for network engineers to know what protocols fit where in the OSI model, but you're not going to need to program NTP messages or anything like that.

If you have any additional questions, feel free to let me know, and I'll answer them to the best of my ability!

Passed 200-105 / ICND2 877/811 by kanakanak in ccna

[–]the-packet-throwerMeow 🐈🐈Meow 🐱🐱 Meow Meow🍺🐈🐱Meow A+! 1 point2 points  (0 children)

switchport port-security by alpachydermatologist in ccna

[–]AgeudumCCNA R&S 9 points10 points  (0 children)

This is actually a very interesting question, as it not only requires you to know what port-security is, how it relates to MAC addresses, and how to read its respective show commands, but it also requires you to know what happens if you haphazardly apply port-security policies on top of existing port-security policies.

To demonstrate this, I threw together a quick Packet Tracer, which can be viewed here. In this scenario, we have two computers (192.168.0.1 and 192.168.0.2, respectively) hooked to a hub, which is hooked up to Fa0/24 of a switch. Attached to Fa0/1 of the switch is a PC with an address of 192.168.0.10. A third PC, which is not yet attached, will be used later - it has an IP of 192.168.0.3.

First, we must configure port-security on Fa0/24 of the switch the same way your question has port-security configured. This is done by enabling port-security, setting the maximum number of MAC addresses on the port to 2, then changing the violation mode to restrict.

S1#
S1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
S1(config)#int fa0/24
S1(config-if)#switchp mode acc    <-- Necessary in order to activate port-security in our scenario
S1(config-if)#switchp port-sec
S1(config-if)#switchp port-sec max 2
S1(config-if)#switchp port-sec viol restrict

Next, let's look at the output of "show port-security interface fa0/24", which will give us a table similar to the one your question provided.

S1(config-if)#do show port-sec int fa0/24
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

You'll notice that the maximum MAC addresses is 2, which makes sense, as that is what we configured it to be. However, at this time, the "Total MAC Addresses" field is 0; this is because no traffic has been received by the switch yet, so no MAC addresses have been recorded in the CAM table for this particular interface.

So, let's generate some traffic by having the two PCs hooked to the hub (PC0 and PC1) ping each other. Because all incoming frames are broadcast out all ports on a hub, the switch sees these broadcasts and adds each PC's MAC address to its CAM table. Running show port-sec int fa0/24 after the ping is complete demonstrates this.

S1(config-if)#do show port-sec int fa0/24
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0001.64D8.DC78:1
Security Violation Count   : 7

You'll notice that in this output (very similar to the one your question provided), the "Total MAC Addresses" field has changed to 2!

Next, to simulate what your question is asking, let's run "switchport port-security mac-address 0001.64D8.DC78" on the fa0/24 interface and see what happens.

S1(config-if)#switchp port-sec mac 0001.64D8.DC78
Total secure mac-addresses on interface FastEthernet0/24 has reached maximum limit.

This is where things get interesting. Technically, your command was successful and 0001.64D8.DC78 was whitelisted - however, because the maximum number of MAC addresses has already been recorded on this port, that host will not be able to send traffic through the switch.

To demonstrate this point, you can ping 192.168.0.1 and 192.168.0.2 successfully because their traffic moves through the hub. However, you are not able to ping 192.168.0.10, which is sitting on the other side of the switch.

This is actually a very important question that is relevant to the real world, as it teaches a lesson to you that the number of MAC addresses you configure as static entries in an interface's port-security should match the maximum number of MAC addresses allowed on that interface - otherwise, you might run into weird scenarios where you accidentally deny service to the host you statically added to the whitelist simply because other devices talking on that interface happened to talk first!

Hopefully this answers your question! Let me know if you have any additional questions!

is my home router a switch too? by hossein4 in ccna

[–]CBRjackCCNA RS/W, BCNP, BCvRE 0 points1 point  (0 children)

That's the whole point of this sub! ;-)

Staffing agencies? Anyone know why they are so prevalent now? Do they hurt or help the IT community? What are your experiences? by _FractalCCNA R&S in ccna

[–]the-packet-throwerMeow 🐈🐈Meow 🐱🐱 Meow Meow🍺🐈🐱Meow A+! 6 points7 points  (0 children)

Staffing agencies have always been around.

IT project or shift work is often suited to contracting roles and companies (unfortunately) do tend to like contract to hire as a probation period since they don't pay benefits or training and can drop you for whatever reason they choose if the need comes up.

On the plus side it can make being hired a little bit easier since a company is theoretically taking less of a risk with you. Often you'll interview with the contracting firm and then they'll pass along the results to interested companies.

Being a contractor is also unique since you can often ignore company politics, won't be invited to company events etc, and you often have more restricted access.

When doing summarization, does the networks CIDR matter? by geekthinker in ccna

[–]CBRjackCCNA RS/W, BCNP, BCvRE 2 points3 points  (0 children)

With the netmask, you will know if there are "holes" in between your networks that might change your summarization.

If I give you :

10.0.0.0/24
10.0.1.0/24
10.0.2.0/24
10.0.3.0/24

You can summarize it to 10.0.0.0/22, but if I change the masks and ask you to summarize only these networks :

10.0.0.0/24
10.0.1.0/24
10.0.2.0/25
10.0.3.0/24

Then the previous answer isn't valid. You have a "hole" where 10.0.2.128/25 is that should not be included. The proper summarization would then be 10.0.0.0/23, 10.0.2.0/25, 10.0.3.0/24. If you were to only look at the first bit change, you might miss the "hole" there that would make 10.0.0.0/22 the wrong answer.

Be careful during tests, because this is the kind of question that can get you.
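To check a summary for exactly this kind of "hole", here is an added Python example (mine, not part of the comment): `summarize` uses the standard library's `ipaddress.collapse_addresses` for the exact answer, `naive_summary` reproduces the "first bit change" shortcut, and `holes` lists the address space the shortcut would wrongly advertise.

```python
import ipaddress


def summarize(prefixes):
    """Exact summarization: the fewest prefixes that cover the given networks
    and nothing else (collapse_addresses does the bit-boundary merging)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def naive_summary(prefixes):
    """The 'first bit change' shortcut: one prefix spanning the lowest network
    address to the highest broadcast address, ignoring the individual masks."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    summary = ipaddress.ip_network(f"{lo}/32")   # start at a /32 on the lowest address
    while hi not in summary:                     # widen until the highest address fits
        summary = summary.supernet()
    return str(summary)


def holes(prefixes):
    """Address blocks inside the naive summary that none of the given networks
    actually contain. An empty list means the shortcut was safe."""
    uncovered = [ipaddress.ip_network(naive_summary(prefixes))]
    for net in ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes):
        remaining = []
        for block in uncovered:
            if net.subnet_of(block):
                remaining.extend(block.address_exclude(net))  # carve the network out
            elif not block.subnet_of(net):
                remaining.append(block)                       # untouched by this network
        uncovered = remaining
    return [str(b) for b in sorted(uncovered)]


if __name__ == "__main__":
    # The two sets of networks from the comment above.
    contiguous = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
    with_hole = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/25", "10.0.3.0/24"]
    for name, nets in (("contiguous", contiguous), ("with hole", with_hole)):
        print(name, "| exact:", summarize(nets),
              "| shortcut:", naive_summary(nets),
              "| wrongly included:", holes(nets))
```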

Packet Tracer Help by Sykor2 in ccna

[–]Romi3 0 points1 point  (0 children)

Because you are using RIPv1 (doesn't support VLSM), both router 7 and 8 are summarizing your /25 networks to 192.168.2.0/24. So both your routers think they are directly connected to 192.168.2.0. To fix this you need to enable version 2 and disable auto summary; version 2 supports VLSM.

If you do a show ip route on router 7 and 8 you will see router 7 doesn't know how to get to the 192.168.2.128 network and router 8 doesn't know how to get to the 192.168.2.0 network.

Under the rip process of each router add
no auto-summary
version 2

Hope this helps, sorry about my shit explanation.

OSI model question by hhhax7A+, SEC+ in ccna

[–]technicalityNDBO 15 points16 points  (0 children)

Yeah. It's easier to digest the OSI model if you compare it to just talking with someone.

Think of a buddy telling you what he did last weekend. At the uppermost layer, you're listening to a story.

Let's get one layer deeper. That story is made up of sentences. There's a set of rules (a protocol) for building sentences. The protocol is grammar. You need a subject and a verb/predicate. Sometimes a direct object.

A layer deeper - Sentences are made up of words. There's a set of rules (a protocol from a lower layer) for determining which words to use. You'd use a different "tense" of a verb to indicate whether something happened in the past, is happening now, or will happen in the future for example. When using a pronoun to describe a dude, you'd use "He" if it is the subject of the sentence or "Him" if it is the object.

A layer deeper - words are made up of combinations of letters. The alphabet is on this layer. There is a protocol for how certain letters combine and what sounds they make. For example, S makes a certain sound by itself but a different one when combined with an H. Additionally the letters have to be the correct combination in the correct order to make a sensible word (i.e., they have to be spelled correctly). Spelling and Pronunciation are the protocols at this layer.

A layer deeper - what are sounds? They're waves of energy created by our voice box and picked up by ear drums. This is like the lowest layer. It describes what is physically occurring when your buddy is telling you the story. There's no real protocol here - just the laws of physics and nature.

So a microphone would be a layer 1 device. It records sounds. It doesn't know what a word or a story is, nor does it care. But an Amazon Echo or a smartphone (Siri) would be a higher layer device. Although these have a microphone on them which is a layer 1 device, they're still capable of understanding what words and sentences are. Words and sentences only exist in the upper layers.

EDIT: Since I've been gilded, I felt compelled to go back and proofread for clarity and make a few edits.

Port security question by [deleted] in ccna

[–]PromKing 8 points9 points  (0 children)

Could be wrong (learning my CCNA too), but I believe the way to think about it is:

- I can have 3 MACs before my "violation" happens
- I learn my ports dynamically
- oh hey, I'm already configured with secure-mac AAAA, that leaves me two more dynamically learned MACs to go before violation.

DDDD will never become a secure-MAC as there won't be a spot even if AAAA has never connected.
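An added Python model (mine, not from either comment) of the port-security accounting that both the Packet Tracer walkthrough above and this comment describe: static and dynamically learned secure addresses both consume slots up to the maximum, learned entries stay until cleared or aged out, and a static entry added once the table is full is refused. The MAC addresses and the scenario where the third host has not yet sent a frame are constructed for illustration.

```python
class SecurePort:
    """Toy model of port-security address accounting on one access port."""

    def __init__(self, maximum=1, violation="shutdown", static=()):
        self.maximum = maximum
        self.violation = violation        # shutdown | restrict | protect
        self.secure = {}                  # mac -> "static" or "dynamic"
        self.violations = 0
        self.err_disabled = False
        for mac in static:
            self.add_static(mac)

    def add_static(self, mac):
        """'switchport port-security mac-address <mac>'. True if the entry got a
        slot in the secure table, False if the table was already full (IOS prints
        'Total secure mac-addresses on interface ... has reached maximum limit')."""
        if mac in self.secure:
            self.secure[mac] = "static"   # an already-learned address is upgraded
            return True
        if len(self.secure) >= self.maximum:
            return False
        self.secure[mac] = "static"
        return True

    def receive(self, src_mac):
        """A frame arrives from src_mac: 'forwarded', 'dropped' or 'err-disabled'."""
        if self.err_disabled:
            return "err-disabled"
        if src_mac in self.secure:
            return "forwarded"
        if len(self.secure) < self.maximum:
            self.secure[src_mac] = "dynamic"   # first-come, first-served learning
            return "forwarded"
        # An unknown address on a full table is a violation.
        if self.violation == "shutdown":
            self.err_disabled = True
            self.violations += 1
            return "err-disabled"
        if self.violation == "restrict":
            self.violations += 1               # dropped, counted and logged
        return "dropped"                       # protect: dropped silently

    def show(self):
        """The 'show port-security interface' fields this model tracks."""
        return {
            "Port Status": "Secure-shutdown" if self.err_disabled else "Secure-up",
            "Violation Mode": self.violation.capitalize(),
            "Maximum MAC Addresses": self.maximum,
            "Total MAC Addresses": len(self.secure),
            "Configured MAC Addresses": sum(1 for k in self.secure.values() if k == "static"),
            "Security Violation Count": self.violations,
        }


def hub_hosts_talk_first():
    """The lesson from the walkthrough: two hub hosts fill max 2 by talking first,
    then the admin whitelists a third host, which never gets a slot."""
    port = SecurePort(maximum=2, violation="restrict")
    port.receive("0000.0000.0001")                 # constructed MACs, PC0 and PC1
    port.receive("0000.0000.0002")
    accepted = port.add_static("0000.0000.0003")   # False: table already full
    result = port.receive("0000.0000.0003")        # dropped and counted
    return accepted, result, port.show()


def static_reserves_slot():
    """This comment's reasoning: max 3 with static AAAA leaves two dynamic slots,
    so DDDD never becomes secure even though AAAA has not sent a frame yet."""
    port = SecurePort(maximum=3, violation="restrict", static=["AAAA"])
    seen = [port.receive(m) for m in ("BBBB", "CCCC", "DDDD", "AAAA")]
    return seen, port.show()
```

Configuring as many static entries as the maximum allows (the fix the walkthrough recommends) means `add_static` always succeeds before any learning happens.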

Can you help me setting up this router? by [deleted] in ccna

[–]EasyLif3 5 points6 points  (0 children)

How do I configure port 0/0?

Instead of setting a static IP address (like you did for f0/1), you do:

Router(config)#int f0/0
Router(config-if)#ip address dhcp 
Router(config-if)#no shut

What does it really mean that the 192.168.1.0 network is to NAT overload out of the WAN uplink?

It means that all of the inside LOCAL addresses from 192.168.1.0/24 will be translated to a single inside GLOBAL address <--- this is the address that the router will get on f0/0 as a DHCP client. It will use the combination of the global IP address (the one on f0/0) and a layer 4 port number to represent one local address. This is called NAT overloading or PAT (port address translation).

For example:

Global             <--> Local
92.87.165.15:52953 <--> 192.168.1.5:52953
92.87.165.15:47928 <--> 192.168.1.6:47928
etc...

Here's how you configure this:

Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)#ip nat inside source list 1 interface f0/0 overload
Router(config)#int f0/0
Router(config-if)#ip nat outside
Router(config-if)#int f0/1
Router(config-if)#ip nat inside
Router(config-if)#no shut

  1. Define an ACL to permit the addresses to be translated.
  2. Configure dynamic source translation, binding the ACL to the exit interface.
  3. Tell the router which is the outside and which is the inside interface.

There are errors in your DHCP config with the second range of excluded addresses. Because you want to use .250 as well and because .255 is the broadcast address, do this:

ip dhcp excluded-address 192.168.1.251 192.168.1.254

The rest looks fine, I think.
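An added Python model (mine, not from the comment) of the translation table that "ip nat inside source list 1 interface f0/0 overload" builds: only sources permitted by the wildcard-mask ACL are translated, the source port is kept when it is free on the global address and reassigned when two inside hosts collide, and replies are mapped back by global port. The global address 92.87.165.15 and the inside hosts come from the comment's table; the colliding third host is constructed.

```python
import ipaddress


def wildcard_match(addr, acl_addr, wildcard):
    """Cisco wildcard semantics: 0 bits must match, 1 bits are ignored, so
    'access-list 1 permit 192.168.1.0 0.0.0.255' matches any 192.168.1.x."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, acl_addr, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


class PatTable:
    """Many inside local addresses share one inside global address (the one
    f0/0 got via DHCP), told apart by the layer 4 port."""

    def __init__(self, inside_global, acl_addr, acl_wildcard):
        self.inside_global = inside_global
        self.acl = (acl_addr, acl_wildcard)   # access-list 1
        self.outbound = {}                    # (local_ip, local_port) -> global_port
        self.inbound = {}                     # global_port -> (local_ip, local_port)

    def translate_out(self, local_ip, local_port):
        """Packet leaving via f0/0: returns (inside_global, global_port), or None
        when the ACL does not permit the source and it is sent untranslated."""
        if not wildcard_match(local_ip, *self.acl):
            return None
        key = (local_ip, local_port)
        if key not in self.outbound:
            gport = local_port                # keep the source port when it is free
            for _ in range(65536):
                if gport not in self.inbound:
                    break
                gport = gport + 1 if gport < 65535 else 1024   # otherwise next free port
            else:
                raise RuntimeError("PAT table exhausted")
            self.outbound[key] = gport
            self.inbound[gport] = key
        return self.inside_global, self.outbound[key]

    def translate_in(self, global_port):
        """Reply arriving on f0/0: the inside host for that global port, or None
        when no translation exists and the router drops the packet."""
        return self.inbound.get(global_port)

    def show(self):
        """Entries in the 'Global <--> Local' shape of the comment's table."""
        return [f"{self.inside_global}:{g} <--> {l}:{p}"
                for (l, p), g in sorted(self.outbound.items(), key=lambda kv: kv[1])]


if __name__ == "__main__":
    pat = PatTable("92.87.165.15", "192.168.1.0", "0.0.0.255")
    pat.translate_out("192.168.1.5", 52953)
    pat.translate_out("192.168.1.6", 47928)
    pat.translate_out("192.168.1.6", 52953)   # constructed collision on port 52953
    print("\n".join(pat.show()))
```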