the crypto key gen rsa modulus 1024 is what secures the traffic on the switch. SSH uses this encryption to secure its traffic. SSH will not work without a certificate that has been generated for the switch hostname and domain name as those are requirements for building the cert. run the command and ssh will work. I would drop it frm 2048 to 1024 to reduce overhead unless it is a production switch. I would also add no ip domain-name look up so mis-typed commands dont try and resolve.
also, and i may be wrong on this, but the http server-secure command only makes the web interface active for use on port 443 so it will not work on the SSH port 22.
Cisco provides this video series for CCNA. its based on mind mapping and habits. VERY worth watching. once you register for it exit and reclick the link to go to the videos. its free.
most of the classes people fly through are the ones that they have personal experience with such as working in that field. If you had micro / macro economics in high school then the course should be like a review. If you currently work in management, then the management based classes should be a review. Subjects that are new to a student typically take 4-6 weeks to complete. you have to get 12 CU's each term/semester. After you get your 12 then you can add additional classes and pass as many or few as you like. I took the entire month of Dec. off because I had my 12, then started back up. Finished 47 CU's in the first term and got to take a break for the holidays. The key is to get your first 12 CU's to keep the pressure off. Dont wait until the last two months of the term to try and get them in. Knock them out early and then its like a game to see how many you can actually rack up.
FYI, Ubiquti APs don't need to be in the same subnet/VLAN as their controller. They call it layer-3 adoption or something, you can either tell the AP directly where its controller is or use DHCP options (43 I think) to tell the AP what its controllers IP is.
the instructions for that are not really clear. It looks like you need another option that is a fee. I did notice though that I can change the site default VLAN to be whatever I need it to be with the latest software update, so no need to point the native vlan to the server vlan.
Maybe you're referring to the cloud key/controller? The cloud key has a fee, but just pointing the AP to a server in a different VLAN is free. I almost never run APs in the same subnet as the controller
you are correct. based on this i can add option 43 to the dhcp pool i have running on the switch and point the AP back to the IP address of the server. Thanks a bunch.
You can post as many links as you like, be they from random people in the Cisco community forums or otherwise. (That link says nothing on the topic by the way).
If you define a native vlan, and that vlan is not in the "switch trunk allowed vlan" list, that vlan doesn't work. End of story. Go try it yourself if you don't believe it.
yeah, I can 100% say that whatever vlan you want to use, it has to be in the allowed vlan list. I have tested the crap out of that today.
im still confused as to what the native vlan is used for, and getting even more confused the more i read. off to google some videos.
im still confused as to what the native vlan is used for
It's simply used to handle the "default" untagged traffic on a subnet. You can have no native vlan if you so desire, either with a global command, or by setting the native vlan to some otherwise unused ID and not allowing that over the trunk.
that is the answer i was looking for. so i can set each existing vlan, like vlan 100 with a native vlan of 699and not cause a problem
i'm 44 and just now working on my under grad and ccent. Age is relative. You can do anything you decide to do. take the step and do it.
I am 40 and am starting over in IT. I was involved in it professionally, and finished the training for the CCNA in 03, but never took the test, and then some personal things took me out of the entire industry for 15 years. It's very daunting being the help desk guy at this age. It's good to know that others are in this age range and just starting
it is 100% doable. plus we come from a generation that knows how to be on time and bathe on a regular basis.
Another best practice is to use a black-hole VLAN for your trunk native traffic as well. The idea here is that all traffic on a trunk should be specifically addressed to a particular VLAN. This also helps prevent VLAN jumping with mismatched native VLANs.
My go-to switch config for an interface is:
spanning-tree mode rapid-pvst spanning-tree portfast default spanning-tree portfast bpduguard default ! vlan 998 name NO_ACCESS vlan 999 name TRUNK_NATIVE ! interface GigabitEthernet0/0 switchport trunk encapsulation dot1q switchport trunk native vlan 999 switchport trunk allowed vlan none switchport access vlan 998 switchport mode access switchport nonegotiate shutdown
I can then allow what is necessary from there if I need the port. It has to be turned on, and either the access VLAN specified, or flipped to a trunk and the allowed VLANs specified. Either way, it's almost impossible to create a security hole by forgetting something or plugging somethin in.
i guess i am confused as to the native vlan terminology. In my head, if i have vlan 100 and interfaces in that vlan then all those interfaces should use vlan 100 as native to keep untagged traffic on that vlan that they are members of. is this right or not?
"interfaces in that VLAN" usually means access ports. Access ports don't have a native VLAN because all traffic is sent untagged. The understanding is that the host on the other end is ignorant of 802.1Q tagging (is ignoring VLANs). Most hosts work this way, so the switch adds a VLAN tag when a frame is received and strips the VLAN tag off before a frame is sent.
A Trunk is for communicating with devices that understand tagging--usually other network hardware, but also servers, hypervisors, and some advanced hosts. On a trunk, all traffic is sent tagged except for the native VLAN. The switch strips the tag from any frames in the native VLAN before sending and assumes that any untagged frames it receives belong to the native VLAN.
This is why it's important to use precise language. Access ports do not have native VLANs, and Trunk ports do not have access VLANs. You don't . "put an interface in a VLAN", you specify the access VLAN for an access port.
You almost never want most of your access interfaces in the same VLAN as your trunk native VLANs if you have a VLAN setup. The point of putting switch ports in different VLANs is so that they can be tagged and segregated.
In the config I posted, neither VLAN 998 or VLAN 999 should ever leave the switch--they should not be allowed on any trunks. This way, any untagged trunk traffic, or random devices on unconfigured access ports, doesn't go anywhere.
is this correct?
description NG port 1 Default
switchport access vlan 2
switchport mode access
description NG port 2 Vlans (Trunk)
switchport trunk allowed vlan 2,10,20
switchport mode trunk
Working with co-workers who had those god complexes in IT was more difficult than ever working with an end user who couldn't find the file they created. Go back into your hole, your computer skills don't mean shit in the grand scheme of life.
Dude, i was simply explaining how SOME IT people end up with an attitude. To tell me to go back into a hole is not very nice. just for the record computer skill mean very thing in the world we live in. You wouldn't have power if not for someone with a certain skill set in computers. calm down.
Sorry, I was a bit harsh. Poor choice of wording on my part as well because I meant my last comment as a general statement to all people in IT with a god complex and didn't mean it specifically against you. Unless you also have a god complex at work, then by all means...
Computer skills, like any other skill is just one part in a well-rounded individual. It took numerous other skills to get electricity to my home other than just computer skills. I don't think technology is the end-all solution to everything in this world that everyone seems to make it. And in the grand scheme of things most help desk workers who treat end-users with disdain don't usually contribute much of anything to their field. I digress...
I see. I most certainly do not have a God complex. I actually feel bad for end users. at the same time, it si frustrating with the lack of communication that is usually severely lacking in detail about an issue. I guess this was a horrible threat to have started. It was really meant to be a list of funny support calls.
I hope this was a sarcastic response. I consider this a particularly rude answer to someone looking for help in a subreddit designed to provide that help.
no it was serious, however, now i understand that you were not calling my response an ultra noob and referring to yourself. My apologies.
Memorial day always sucks for me because it usually falls on my birthday... poor logic, but something eats at me on the inside saying that I shouldn’t be celebrating anything.
Lost 2 in January back to back (2014/15), thankfully that turned around.
Hanging in there... how about you?
Im good, memorial day, thanksgiving, and Christmas are the worst. I have a good group of buddy's and we seem to be able to keep each other straight.
No configuration in CCENT, just reading configs, so having a basic feel for the commands is enough.
Fir the ICND2, tab completion and ? are available, so you should be able to quickly decide if either is acceptable.
your comment is the most information I think i have seen posted, ever, about the CCENT. thank you.
CIW is useless but A+ is extremely common, dude.
unfortunately you are correct. I dont see how A+ has survived. Net+ and Sec+ are an overview that is made difficult with poorly written questions. How CompTia got the DOD to require Sec+ is beyond me. I cant stand the the CompTia tests. They dont test knowledge, they test how well you can figure what the hell they are asking for
I haven't finished yet, four classes to go. I can tell you that the BSIT-SEC is no joke degree. If all someone has is a few CompTia certs, I would not seriously entertain their opinion. Go on linked-in and she how many high profile people have a degree from WGU, its shocking. Someone the other day posted they got into a masters program at GA. Tech, with a WGU undergrad.
Depends on the program.
A lot of times, the ucertify stuff alone isn't enough for some of the IT cert exams, but none of it is something that you can't still learn on your own with some extra learning material.
But for geneds, I 100% agree with you.
I agree. What I'm talking about is someone asked for my C170 paper. Insteadof learning basic SQL and how to normalized a database, they simply wanted to copy my stuff and submit it. Their reason, the class was holding them up and they didn't understand what to do. I should have sent them the first paper I did that missed a couple items and let them debug it. It tool me a couple weeks and a call to the mentor to figure out what was wrong.
someone asked for my C170 paper.
Hate to sound like a "narc" but this would piss me off - why haven't you reported them for this? I Would've
Never said i didn't report it brother. three things in life i detest; a liar, a thief, and a cheater.
And i really can't stand someone who cheapens a degree I'm working on. All because they want to "accelerate". Well tough shit. Here is the bad thing. I have had to work with people like this POS, and guess what, they don't know their assignment or job because they skipped through everything. I will not be a part of that. I am not an enabler useless you are a Cisco router, switch or firewall.
I think the C170 course is worded the way it is because that is how the real work environment is. The non technical person doesnt know how to communicate what they want. It's the job of the IT professional to ask questions, follow up, and figure out how to make it happen. If this person dosnt learn these abilities now; they will be detrimental to the team they are working with.
The other part is that certain information cannot be given or it will basically tell you how to build the entire database. If a person reads the book, there should be no questions; if you know the terminology it is not hard to follow at all.
Thanks for your response. How long did you spend in this class if you don’t mind me asking?
about three days, but close to 8 hours a day
Oh wow. That was pretty fast, and you sure got a lot of studying done in those 3 days. I gotta bump up my studying hours.
I spend 4-6 hours a day in studies and 12-14 on weekends. Im luck i can work on school stuff while at work. let me know if i can help any. when you go to take the cert test make sure you choose the correct cert number. I chose the wrong one because i didnt read the email properly and ended up taking a 90 question exam. I got three certs out of it though.
if there are other cisco switches on the network put VTP in transparent mode and set all ports to access no negotiate, until you need one to trunk. also clear config and delete vlan.dat from flash.