
Even though Cisco certifications are geared toward their products, it is still helpful in learning networking concepts IMHO. While the syntax is different, you'd eventually figure it out. The networking concepts are the most important part, not the syntax difference.

As for taking certification exams, it really depends on what your plans are in the future. Do you want to eventually move to a gig with Cisco products? If so, it would help get past some HR requirements.


Even though Cisco certifications are geared toward their products, it is still helpful in learning networking concepts IMHO.

Absolutely. Personally I always recommend Cisco certs for anyone trying to break into the field - simply because Cisco's cert system is quite extensive and there is far more good, high-quality Cisco study material than there is for any other vendor. Not saying there's no good study material elsewhere, but for people just starting out, in my opinion it's much easier to navigate the Cisco path.

From there, transferring that knowledge to other vendors is not terribly difficult. At that point you know all the technologies, you better understand network design, etc., and more than anything else you just have to translate syntax and config structures from Cisco to whatever vendor you are working on.

Is there a well-known/respected book or online resource that I can start looking at to prepare and study for the CCNA exam that you guys would recommend?


Agreed with the others, INE makes pretty comprehensive video courses, and Cisco Press has an extensive set of text books. If you're looking into certifications specifically, just search the latest "CCNA Official Cert Guide" to find the relevant book. INE plus this book would be a really solid starting point.

Applying the ACL to the VTI directly seems most appropriate. A big reason to use VTI versus crypto map is so that you can treat it as any "normal" interface, so to me it just feels like the most intuitive and "clean" configuration, so to speak.

Also, agreed with /u/packet_whisperer, vpn-filter is an incredibly hacky feature. In addition to only being able to specify the single policy inbound, it's also a stateless filter. With vpn-filter you lose a lot of what makes a firewall a firewall.

Comment deleted · 2 months ago

172.27 is clearly used by columbia wireless internally and not part of the public internet. You're on columbia wireless's internal network and not on the public internet at that point.

Clearly not, as a traceroute toward OP's destination from an entirely different part of the country and different provider also ends up returning 172.27 addresses:

C:\WINDOWS\system32>tracert -d

Tracing route to over a maximum of 30 hops

  1    <1 ms     1 ms    <1 ms
  2    10 ms    13 ms     9 ms
  3     8 ms     7 ms     7 ms
  4     8 ms     7 ms     7 ms
  5    13 ms    11 ms     7 ms
  6    41 ms    39 ms    39 ms
  7     *       37 ms    37 ms
  8    38 ms    39 ms    44 ms
  9    38 ms    41 ms    41 ms
 10    46 ms    43 ms    50 ms
 11    44 ms    41 ms    43 ms
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18    54 ms    55 ms    56 ms

Trace complete.


You probably should not speak with such authority and certainty about things that are nothing more than your own assumptions.
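To make the point above checkable, here is an added example (not code from the thread) that parses Windows `tracert -d` output and labels each hop as RFC 1918 private, RFC 6598 shared (100.64.0.0/10, which is also not public but is not RFC 1918 either), public, or no reply. The sample trace is constructed, since the thread's real trace had its addresses stripped; the public hops use documentation ranges.

```python
"""Parse `tracert -d` output and flag which hops answered from private space.

Added example, not code from the thread.  Seeing 10/8, 172.16/12 or
192.168/16 hops in a trace toward a public destination is ordinary: ISPs
and campuses often number router-to-router links from private space, and
those routers still answer with ICMP time-exceeded.  SAMPLE is constructed.
"""
import re
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC6598 = ip_network("100.64.0.0/10")          # carrier-grade NAT shared space

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*?)\s*$")  # hop number, then the rest
RTT = re.compile(r"(<?\d+)\s*ms|(\*)")          # "<1 ms", "37 ms" or "*"
IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s*$")  # address at end of line (-d)


def parse_tracert(text):
    """Return [{'hop': int, 'ip': IPv4Address|None, 'rtts': [str|None]*3}]."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue                     # header, footer, blank lines
        hop, rest = int(m.group(1)), m.group(2)
        ip_m = IPV4.search(rest)
        rtts = [ms if ms else None for ms, _star in RTT.findall(rest)]
        hops.append({
            "hop": hop,
            "ip": ip_address(ip_m.group(1)) if ip_m else None,
            "rtts": rtts,
        })
    return hops


def is_rfc1918(ip):
    return ip is not None and any(ip in net for net in RFC1918)


def classify_hops(text):
    """(hop, ip-or-None, label) for every hop line in the output."""
    rows = []
    for h in parse_tracert(text):
        ip = h["ip"]
        if ip is None:
            label = "no reply"
        elif is_rfc1918(ip):
            label = "private (RFC 1918)"
        elif ip in RFC6598:
            label = "shared (RFC 6598)"
        else:
            label = "public"
        rows.append((h["hop"], str(ip) if ip is not None else None, label))
    return rows


def private_hops(text):
    """Hop numbers that answered from RFC 1918 space."""
    return [hop for hop, _ip, label in classify_hops(text) if label.startswith("private")]


# Constructed sample in tracert -d format (no real trace from the thread).
SAMPLE = """\
Tracing route to 203.0.113.40 over a maximum of 30 hops

  1    <1 ms     1 ms    <1 ms  192.168.1.1
  2    10 ms    13 ms     9 ms  100.64.12.1
  3     8 ms     7 ms     7 ms  172.27.0.9
  4     *       37 ms    37 ms  198.51.100.7
  5     *        *        *     Request timed out.
  6    54 ms    55 ms    56 ms  203.0.113.40

Trace complete.
"""

if __name__ == "__main__":
    for hop, ip, label in classify_hops(SAMPLE):
        print(f"{hop:3d}  {ip or '-':16s} {label}")
```

The hop at 100.64.12.1 is the one worth noticing: it is not RFC 1918, so a check that only looks for 10/8, 172.16/12 and 192.168/16 would call it public, yet it is carrier shared space and no more "on the public internet" than the 172.27 hop.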

Comment deleted · 2 months ago

No one made any claims that 172.27 was routable. Did you read OP's question?

Is it breaking a rule to have RFC1918 IP addresses visible to the Internet? Here's a traceroute to a public IP address...

The IPs are quite clearly visible. No one referred to them as routable aside from you.

71 points · 2 months ago · Gilded 1

Well, FYI, Cisco has this function built in (to a certain extent):

switch#traceroute mac ?
  H.H.H      48-bit hardware address of source
  interface  Interface on which this source mac exists
  ip         Specify ip addresses

This MAC trace does rely on CDP as well. And I'm not sure whether it's supported on all platforms. It's been a while since I've tried the utility myself so I can't comment much more than that - but here's some documentation:

How do I traceroute a multicast network path? Every page I find is a conglomeration of checking igmp-snooping and pim at multiple points on the switch and router assuming you have a multicast source operating.


How do I traceroute a multicast network path?

There is an "mtrace" standards proposal which is implemented by some vendors. This mtrace provides similar functionality to a traditional traceroute, but it's built around an active query/response mechanism - which means that all multicast routers in the path must support mtrace in order for it to function.

I know that Cisco in particular supports this, simply with the mtrace command (Basic Multicast Troubleshooting Tools). I don't actively work with multicast these days so I can't comment on whether you'll find this available on other vendors' gear.

People are doing this, Google around for layer 3 to the host. People are running vrouters, or running VyOS, FRR, Bird or something to peer servers to ToR. Outside of data center I have not seen this yet... Cumulus Networks has a cool technology called redistribute neighbor that could possibly work for campus networks as well as DC. Although the switches they sell are geared towards DC. VLANs are stupid simple so will remain popular for a long time.

Also Google search for Medallia routing on host, super interesting talk they did at a Meetup in Silicon Valley.


People are doing this, Google around for layer 3 to the host. People are running vrouters, or running VyOS, FRR, Bird or something to peer servers to ToR.

True, but to be clear - this is done much more for redundancy, failover time, performance, etc. than for any form of security like OP is discussing.

If security with this level of segmentation and isolation is required, the more appropriate solution is some form of NAC, combined with dynamic access policy and port-based access control. Cisco's ISE (with 802.1X and potentially integration of malware scans) is a good example of this.

In ASDM if I just check the box "Use LOCAL if Server Group fails" on the AnyConnect Connection Profile, will I be able to use a local admin account to connect? Or do I need to add a local user to a group?

Yes, you should be fine just enabling that feature on the AnyConnect connection profile. No need to add users to a group, because there's not any real user group structure in the ASA's local database. Any local user is simply considered part of the LOCAL group, and that's all there is to it.

3 points · 4 months ago · edited 4 months ago

It seems that it takes me multiple times to read a paragraph when first covering a topic to be able to retain anything more than a minute later.

Agreed, which is why I almost never make technical text books my first method of study. Since it sounds like you're asking specifically about certifications, I'll speak to that. Typically my study pattern for certs is something along the lines of:

  1. Watch a video course all the way through to get a general overview of all relevant topics - what the technologies do, why you'd use them, general overarching ideas of basic functionality and how all topics from start to finish fit together with one another.
  2. Read technical resources - text books, whitepapers, configuration guides, etc. to get a deeper understanding of nitty-gritty details.
  3. In tandem with #2, do lab work on relevant topics, specifically focusing on the side that the technical resources tend not to focus on. That is, technical resources tend to tell you how to do things correctly - I most often try to lab broken setups so that I can learn the symptoms of different misconfigs, and then their resolutions. This has proven one of the most effective ways that I learn the real deep-down, low-level behaviors of any topic.
  4. Re-watch either the same video course or a different video course as a sort of review, and to bring the focus back to the high level stuff and the overall picture of how all different topics are tied together.
  5. If any concepts are still a bit shaky, repeat #2, #3.
  6. Take the exam.

Basically, video courses tend to lack depth, while text-based learning resources are often more detailed and expansive but sometimes quite dry. It took me a decent number of certs to work out the above study method, but at this point it does work quite well for me to have those basic high-level overview concepts from step #1 rooted in my mind before attempting any deep dive.

Thanks for this. I was studying for ARCH a few months ago but lost focus when work started taking up too much time and energy. Hoping to get back to it soon, and once I do this certainly will be helpful.

13 points · 4 months ago

Have you tried something like this?

  • show run <start of command you want to see>

ASA doesn't share a code base with IOS, so you shouldn't expect any given IOS feature to be available in ASA.

I like to think that ASA is just enough like IOS that you think you know what you're doing, but just different enough for you to shoot yourself in the foot.


I like to think that ASA is just enough like IOS that you think you know what you're doing, but just different enough for you to shoot yourself in the foot.

asav-lab1# sh ip int br
ERROR: % Invalid input detected at '^' marker.

Been working with ASAs for a few years now and this still bugs me :|


I've never worked with CSR 1000v before and I've just got a basic question in terms of specs. I see that the device is licensed by throughput level and feature set. Since this is a virtual device with its actual potential performance based off of RAM/CPU availability, should I expect degraded performance when running certain types of traffic, encryption, NAT, etc.? Or to put it more directly:

If I license a CSR 1000v for 500mbps with Security feature set, should I expect real-world 500mbps IPSec throughput, since the "physical" limitation of the device is significantly higher than 500mbps (assuming I allocate appropriate RAM/CPU)?

I've been trying to dig around for actual real-world numbers, similar to these studies for the physical ISRs, but have not been able to find much useful info on this subject regarding CSR 1000v in particular:

ISR G2 Performance Overview
ISR 4000 Series Performance Overview

Any info is appreciated, even anecdotal. Thanks in advance to anyone who can provide some insight!


Yes, you get pretty much what you paid for. We have 4 of those and they are heavily used but never crumble. Also when deploying them, have a plan on spinning up new ones with all your configs should they fail.

Original Poster · 1 point · 5 months ago

Perfect, thanks for the input!

The desire is to add the new IP range to the existing VLAN interface. While I know how to add an "IP Secondary" to a standard VLAN interface, I am not sure if this is possible to do on an interface that is set up with HSRP.

This is possible, you just add secondary to the HSRP configs as well:

int vlan 100
ip address
ip address secondary
standby 100 ip
standby 100 ip secondary

Or as /u/geronimo1000 said, you can configure unique groups for each HSRP IP - this would allow you to have one HSRP IP active on switch1 and another HSRP IP active on switch2. With this setup you don't want to use the secondary keyword for the unique groups. For example:

int vlan 100
ip address
ip address secondary
standby 101 ip
standby 102 ip
standby 101 priority 150
standby 102 priority 50

int vlan 100
ip address
ip address secondary
standby 101 ip
standby 102 ip
standby 101 priority 50
standby 102 priority 150

Of course, all that said, if you can use entirely unique VLANs that would likely be ideal.

2 points · 5 months ago

Why would you do this? Why not just create another vlan?


From the network admin perspective, yes, a new VLAN is almost always the proper way to go about this. Unfortunately I think in OP's case, he's facing resistance from other parties (maybe unknowledgeable management that refuses to take the word of the network admin, maybe server admins that are not able to easily coordinate any changes this may force onto their systems, etc.).

One example of a valid use case from the networking point of view would be an IP migration. If you're planning to change the subnet (e.g. expanding a /24 to a /23), eventually decomming the old subnet entirely, then secondary IPs can facilitate that migration and make it a bit more seamless, as opposed to having to change everything over to a new VLAN as well.

This is the thing that I need to know: Does LLDP use BPDUs the same way CDP does? This is, again, a manufacturing group so many of the switches (even the Cisco industrials) will use MST instead of PVST and LLDP instead of CDP due to IEEE standards and licensing. Do I need to enable LLDP on all of these switches and see if any ports get shut down?

I think there's a misunderstanding here - and maybe I'm taking a bit of a leap, but I think you are misunderstanding what a BPDU is. CDP doesn't use BPDUs, LLDP doesn't use BPDUs, just STP (all varieties) uses BPDUs. CDP and LLDP do use PDUs - protocol data units - which is really just a very generic term to describe the framing and formatting of any particular protocol's data flows. A single CDP packet/frame can be called a CDP PDU, a single LLDP packet/frame can be called an LLDP PDU. A single STP packet/frame is called a bridge PDU, or BPDU.

To sum that up - CDP and LLDP use their own PDUs, but not BPDUs, because a BPDU is specific to STP, which serves an entirely separate purpose from CDP and LLDP.

.. And with that in mind, to clarify your final question directly - LLDP will not in any way, ever, cause a port to be disabled. Go ahead and enable LLDP on your Cisco switches, it may indeed help you glean some more detail. But then again, it may not, you might just see the same neighbors as with CDP.

Anyways, apologies if I made some assumptions and explained things you already knew. But hopefully at least some piece of this has been helpful!
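The distinction drawn above (CDP and LLDP each have their own PDU, and only STP's is a bridge PDU) is visible on the wire: each protocol uses a different destination MAC and a different encapsulation. The following is an added example, not code from the thread, that classifies raw Ethernet frames by exactly those fields. EAPOL (802.1X) is included because it also uses a reserved 01:80:C2 group address, just not the STP one; the sample frames are constructed and carry only headers.

```python
"""Classify a raw Ethernet frame as STP BPDU, CDP PDU, LLDP PDU or EAPOL.

Added example, not code from the thread.  STP BPDUs go to 01:80:C2:00:00:00
as LLC frames with SAP 0x42; CDP goes to Cisco's 01:00:0C:CC:CC:CC as
LLC/SNAP with OUI 00:00:0C and PID 0x2000; LLDP goes to 01:80:C2:00:00:0E
with EtherType 0x88CC; EAPOL goes to 01:80:C2:00:00:03 with EtherType 0x888E.
The sample frames below are constructed (headers only).
"""
import struct

STP_MAC = bytes.fromhex("0180c2000000")    # IEEE 802.1D bridge group address
EAPOL_MAC = bytes.fromhex("0180c2000003")  # IEEE 802.1X PAE group address
LLDP_MAC = bytes.fromhex("0180c200000e")   # IEEE 802.1AB nearest-bridge address
CDP_MAC = bytes.fromhex("01000ccccccc")    # Cisco multicast used by CDP

ETHERTYPE_LLDP = 0x88CC
ETHERTYPE_EAPOL = 0x888E
LLC_SAP_STP = 0x42
LLC_SAP_SNAP = 0xAA
SNAP_OUI_CISCO = bytes.fromhex("00000c")
SNAP_PID_CDP = 0x2000


def classify(frame: bytes) -> str:
    """Return the protocol name for a frame, or 'other' / 'truncated'."""
    if len(frame) < 14:
        return "truncated"
    dst = frame[0:6]
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]

    if type_or_len >= 0x0600:
        # Ethernet II: the field is an EtherType.  LLDP and EAPOL live here.
        if type_or_len == ETHERTYPE_LLDP and dst == LLDP_MAC:
            return "LLDP PDU"
        if type_or_len == ETHERTYPE_EAPOL and dst == EAPOL_MAC:
            return "EAPOL (802.1X)"
        return "other"

    # IEEE 802.3 length field: an LLC header follows.
    if len(payload) < 3:
        return "truncated"
    dsap, ssap = payload[0], payload[1]
    if dst == STP_MAC and dsap == LLC_SAP_STP and ssap == LLC_SAP_STP:
        return "STP BPDU"
    if dsap == LLC_SAP_SNAP and ssap == LLC_SAP_SNAP and len(payload) >= 8:
        oui = payload[3:6]
        pid = struct.unpack("!H", payload[6:8])[0]
        if dst == CDP_MAC and oui == SNAP_OUI_CISCO and pid == SNAP_PID_CDP:
            return "CDP PDU"
    return "other"


def is_bpdu(frame: bytes) -> bool:
    """The only frame type a BPDU-guard style check should key on."""
    return classify(frame) == "STP BPDU"


def _frame(dst: bytes, type_or_len: int, payload: bytes) -> bytes:
    src = bytes.fromhex("02000000aa01")  # constructed, locally administered MAC
    return dst + src + struct.pack("!H", type_or_len) + payload


# Constructed sample frames; bodies are placeholders of the right shape.
BPDU_FRAME = _frame(STP_MAC, 38, bytes([0x42, 0x42, 0x03]) + bytes(35))
CDP_FRAME = _frame(CDP_MAC, 12,
                   bytes([0xAA, 0xAA, 0x03]) + SNAP_OUI_CISCO
                   + struct.pack("!H", SNAP_PID_CDP) + bytes([0x02, 0xB4, 0, 0]))
LLDP_FRAME = _frame(LLDP_MAC, ETHERTYPE_LLDP, bytes([0x02, 0x07, 0x04]) + bytes(6))
EAPOL_FRAME = _frame(EAPOL_MAC, ETHERTYPE_EAPOL, bytes([0x01, 0x01, 0x00, 0x00]))
IP_FRAME = _frame(bytes.fromhex("02000000bb02"), 0x0800, bytes(20))


def classify_samples() -> dict:
    return {
        "bpdu": classify(BPDU_FRAME),
        "cdp": classify(CDP_FRAME),
        "lldp": classify(LLDP_FRAME),
        "eapol": classify(EAPOL_FRAME),
        "ip": classify(IP_FRAME),
    }


if __name__ == "__main__":
    for name, kind in classify_samples().items():
        print(f"{name:6s} -> {kind}")
```

Run as a script it prints one line per sample frame. The useful takeaway for the question above is that `is_bpdu` is true for exactly one of the five frames: enabling LLDP changes nothing about what a BPDU-filtering feature sees.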

CDP doesn't use BPDUs, LLDP doesn't use BPDUs, just STP (all varieties) uses BPDUs.

On my HP switches, enabling BPDU Guard breaks 802.1x. So either HP is doing some weird stuff, or 802.1x is using a BPDU (Not a STP BPDU, but a BPDU nonetheless).


On my HP switches, enabling BPDU Guard breaks 802.1x.

Huh, interesting. My suspicion would be that this is just a flaw in HP's implementation of BPDU guard.. though personally I've never touched HP gear so that's pure speculation on my part.

Good to know, regardless.

That would be correct, yes. We have some on 8.4.7 and "webvpn" still shows up in the configuration even after the command. However I'm not able to connect to the device on TCP/443 from a non-management IP address, so I'm assuming that means we're safe.


Sounds like you're okay, but you might show asp table sockets to verify.

Perhaps I'm misunderstanding, but won't it show a listening socket for management regardless of the state of webvpn?


Right, if you have ASDM enabled, yes. I overlooked that because most of my ASAs are only managed via SSH.

Paste the result into the comments box, highlight all and indent as code.

Wait, what? Can I get a tutorial on indenting a bunch of lines all at once in a reddit comment box?


This seems like a genuine question but for some reason reads as sarcasm to me. Either way, legitimate answer: Reddit Enhancement Suite browser addon.

I've got to say - it's great that you're asking these questions. Stay curious and you'll go far. Here, I'm going to try to answer your question with a question of my own.

First, some basic groundwork of the functionality of HSRP (and other first-hop redundancy protocols):

  • There is one shared virtual IP between the two devices
  • Each device also has its own unique dedicated IP (though in the case of some protocols like this, VRRP for instance, the virtual IP can potentially coincide with one of the dedicated IPs)
  • This virtual IP has its own unique MAC - separate from the hardware MACs of the devices
  • There's no active "peer" relationship between the devices - each device simply expects to hear hello packets from the other periodically, and if it stops receiving these hellos, it assumes the other device is down in some way, and takes over as active

So your question - how does the router signal to the rest of the network that it is now in charge of the virtual IP?

The switch(es) that the routers are connected to know nothing of HSRP itself, all that the switch sees is frames to be forwarded out one port or another. Ignoring HSRP itself for a moment, in terms of basic switching functionality, what might cause a switch to begin forwarding traffic for the virtual IP out of port #2 instead of out the original port #1?

Original Poster · 1 point · 6 months ago

That is exactly my question! I wasn't sure how to word it. So I understand layer 2 switches are in a sense dumb, compared to a router, and would not know to send it through port #2 instead since the hello messages from router .1 have stopped, so what stops the switch from sending packets from port #1 to port #2 now since router .2 has taken the role as active router?

1 point · 6 months ago · edited 6 months ago

The new active router has to force the switch to update its MAC address table. The only time that a switch will move a MAC from one port to another is if it receives traffic from that MAC as the source on some new port. So the new active router, as soon as it goes active, must send at least one unsolicited frame into the network using the virtual MAC as the source MAC.

In the case of HSRP (and again, many other similar redundancy protocols), this is done with gratuitous ARP. Gratuitous ARP is essentially just an ARP reply when there has been no ARP request. As soon as a device takes over as HSRP active, it will send out at least one gratuitous ARP packet, forcing the layer 2 network to re-learn the virtual MAC on the new port.

You can read more about this functionality with HSRP specifically here:

Though as I mentioned, gratuitous ARP is used often with other similar redundancy protocols - or more generally, in any situation that some networked device might want to ensure that the MAC address tables on switches are fully up to date.

Edit - Apologies, it seems that article doesn't go super in-depth on how it's used with HSRP. Here's one with a bit more detail, which also expands on different use cases for gratuitous ARP:
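The mechanism in the two replies above, as an added example that is not part of the thread: a learning switch that moves a MAC only when it sees that MAC as a source on a new port, a builder and parser for ARP frames, and a three-stage failover simulation. The virtual MAC follows the HSRPv1 pattern 0000.0c07.acXX with XX the group number (group 100 here); the IP addresses, burned-in MACs and port numbers are constructed.

```python
"""Learning switch + gratuitous ARP: how a new HSRP active router moves the
virtual MAC to its own switch port.

Added example, not code from the thread.  Stage 2 shows that the standby
router's hellos stopping, or it talking from its own MAC, changes nothing;
stage 3 shows the gratuitous ARP sourced from the virtual MAC doing the work.
All addresses are constructed (TEST-NET-1 and locally administered MACs).
"""
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6
ARP_REQUEST, ARP_REPLY = 1, 2

VIRTUAL_MAC = bytes.fromhex("00000c07ac64")   # HSRPv1 virtual MAC, group 100
VIRTUAL_IP = "192.0.2.1"                        # constructed
ROUTER1_MAC = bytes.fromhex("020000000001")   # constructed burned-in MACs
ROUTER2_MAC = bytes.fromhex("020000000002")


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip, dst=BROADCAST):
    """Ethernet header + RFC 826 ARP body for Ethernet/IPv4 (hlen 6, plen 4)."""
    eth = dst + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
           + sender_mac + IPv4Address(sender_ip).packed
           + target_mac + IPv4Address(target_ip).packed)
    return eth + arp


def gratuitous_arp(mac, ip):
    """Unsolicited ARP reply, broadcast, with sender IP == target IP.
    The Ethernet *source* is the virtual MAC: that is what the switch learns."""
    return build_arp(ARP_REPLY, mac, ip, mac, ip)


def parse_arp(frame):
    """ARP fields of a frame, or None if it is not a complete ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    return {
        "src_mac": frame[6:12],
        "opcode": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": frame[22:28],
        "sender_ip": IPv4Address(frame[28:32]),
        "target_mac": frame[32:38],
        "target_ip": IPv4Address(frame[38:42]),
    }


def is_gratuitous(arp):
    return arp is not None and arp["sender_ip"] == arp["target_ip"]


class LearningSwitch:
    """Transparent bridge: learns source MACs, forwards by destination MAC."""

    def __init__(self):
        self.table = {}   # mac -> port

    def receive(self, port, frame):
        src, dst = frame[6:12], frame[0:6]
        self.table[src] = port            # the only event that ever moves an entry
        if dst in self.table and self.table[dst] != port:
            return [self.table[dst]]      # known unicast: one port
        return ["flood"]                  # broadcast or unknown: all other ports

    def port_for(self, mac):
        return self.table.get(mac)


def simulate_failover():
    """Which port the switch associates with the virtual MAC at each stage."""
    sw = LearningSwitch()
    # Stage 1: router 1 on port 1 is active and sources traffic as the vMAC.
    sw.receive(1, gratuitous_arp(VIRTUAL_MAC, VIRTUAL_IP))
    stage1 = sw.port_for(VIRTUAL_MAC)
    # Stage 2: router 1's hellos stop.  Router 2 on port 2 keeps talking with
    # its own MAC, which teaches the switch nothing about the vMAC.
    sw.receive(2, build_arp(ARP_REQUEST, ROUTER2_MAC, "192.0.2.3", bytes(6), "192.0.2.10"))
    stage2 = sw.port_for(VIRTUAL_MAC)
    # Stage 3: router 2 goes active and sends a gratuitous ARP from the vMAC.
    garp = gratuitous_arp(VIRTUAL_MAC, VIRTUAL_IP)
    assert is_gratuitous(parse_arp(garp))
    sw.receive(2, garp)
    stage3 = sw.port_for(VIRTUAL_MAC)
    return stage1, stage2, stage3


if __name__ == "__main__":
    print("vMAC on port per stage:", simulate_failover())
```

The ARP payload fields (sender IP equal to target IP, reply opcode) are what identify the frame as gratuitous to hosts that care; the switch never looks at them and is moved purely by the Ethernet source address.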

1 point · 6 months ago · edited 6 months ago

The active/standby pair do not send the active ip on both units in an HA pair.

What kind of connection is this? Physical cable? Routed vlan? VPN? Let’s start there.

Edit: if the stand-alone ASA is using redundant interfaces, the standby interface becomes active only when the primary interface fails. It’s not clear to me if the standby interface is in an up/up, up/down, or down/down state. That may be what the problem is here though. Can you shim a switch in between the pair and the stand-alone ASA and see if that helps the HA standby change from failed? The metrics that determine if an interface is failed for Failover is L2 and L1. L3 does not come into play there unless there is a track command with a ping going, so it is not an up addressing issue.


if the stand-alone ASA is using redundant interfaces, the standby interface becomes active only when the primary interface fails.

I think this line needs to be highlighted here.

/u/nzwasp, because of this behavior, your failover will only trigger correctly in scenarios where the link between the primary ASA and the standalone ASA is seen as physically down by the standalone ASA. An example of where this would cause a problem is if some other interface on the primary ASA fails, then the secondary will take over - but the standalone ASA will know nothing about this and will continue to send traffic to the primary ASA.

Best practice with ASAs in an HA pair is, for each interface, to have a single layer 2 domain that both the primary and secondary connect to. The standalone ASA does not bridge the layer 2 domains in this case; thus you are outside of the recommended setup and could very well run into some unexpected failover failures as described above.

tl;dr - put a switch between the standalone and the pair.

I just need to show them that the packet is getting to the server, or at least the wire to the server. The issue is there are also normal UDP streams between the servers. I can't for the life of me find something that shows me the source address I should be seeing for multicast traffic. Is it the true source, or the multicast group address?

The packet when it enters the receiver's NIC will still have a destination IP of the multicast group. The source IP is likely simply the real IP of whatever server the stream is sent from - though this is not strictly necessary, and there might be some use case where this would not be true.

tl;dr - if you have a packet capture, simply filter based on the multicast group IP as the destination.


Short version - I'm looking for something that diagrams what a multicast packet looks like as it flows through the tree. I can't find the magic phrase for google to spit out what I need.

There are some command line tools for this sort of thing, platform-dependent obviously. For example, some basic troubleshooting on Cisco devices can be done with mtrace and ping:

Edit - To be clear, all of the above is regarding layer 3 multicast. If your post is in reference to strictly layer 2 multicast then this may not necessarily apply.

I don't care so much about individual tunnels, just IPSEC usage as a whole.

There are some global stats you can pull this from in CISCO-IPSEC-FLOW-MONITOR-MIB.

cipSecGlobalInOctets -
cipSecGlobalOutOctets -

I've got a Zabbix setup that polls these and graphs the aggregate of the two for total IPSec usage on the ASA. Can't really comment on doing the same in Solarwinds but I'd imagine it must be possible.

My only guesses are these switches are just now rebooting for the 1st time since the July changes occurred and have lost their config.

It should be simple to be sure of whether the switches are rebooting - are they, in fact, rebooting?

Well now we have shut off the tftp server and disabled the service, yet we are still seeing this behavior.

You realized that there were some switches pulling old configs, likely due to unsaved changes - have you not gone back into every single switch and issued a copy run start to ensure that all configs are saved?

Since your cert is expired, it's exactly the same as if you never had it in the first place. You can do both exams separately.


Since your cert is expired, it's exactly the same as if you never had it in the first place.

Right, this.

To make this clear: you simply cannot renew an expired cert. You can only renew active certs.

OP, in your case, you are not looking to renew a cert anymore, you are now looking to earn the CCNA from scratch - which you can indeed do by passing ICND1 and ICND2 separately.

Yes, as long as you're the type of person to keep yourself motivated and on track. Just make sure to be thorough and study based around the official exam topics listed on Cisco's site. Most online video courses and text books will stay centered on those well enough, but always go back to the exam topics just to ensure you're solid on each.

Original Poster · 1 point · 9 months ago

I think I have the converting IPs to binary and vice versa. At this very moment I'm a little stuck on subnet masks and CIDR notation.

I’m reading that the CIDR tells how many bits are the same for each IP on the subnet.

It gives me 1100 0000 - 1010 1000 - 0000 0000

How are the first 24 bits the same? I’m trying to find the best way for me to understand.


How are the first 24 bits the same? I’m trying to find the best way for me to understand.

It means that the first 24 bits are the same between all IPs in this subnet. As an example, for a typical subnet ( mask), all IPs,,, and will begin with the same 24 bits.

Or to put it another way, 192.168.10 translates to binary 11000000.10101000.00001010. So any IP within the subnet will begin with exactly those 24 bits. If any of the first 24 bits were different from what's listed here, then that IP would by definition simply be in a different subnet.

Essentially, a subnet is just defined by 1. deciding the amount of bits in the mask (i.e. define the subnet mask) and 2. deciding the value of those bits (i.e. define the network ID).
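The arithmetic behind the reply above, as an added example that is not code from the thread. It does the dotted-decimal to binary conversion by hand, builds the mask from a prefix length, and checks whether two addresses share the prefix bits; it goes slightly beyond the /24 case by working for any prefix length and by computing the longest prefix two addresses could share. The sample addresses are constructed.

```python
"""Subnet masks and CIDR prefix length from first principles.

Added example, not code from the thread.  A subnet is fixed by (1) how many
leading bits the mask covers and (2) the value of those bits; every address
whose leading bits match is inside, every address that differs in any of
them is, by definition, in some other subnet.
"""


def ip_to_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(ip: str) -> str:
    """192.168.10.0 -> 11000000.10101000.00001010.00000000"""
    return ".".join(f"{(ip_to_int(ip) >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: `prefix` one-bits followed by zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def network_id(ip: str, prefix: int) -> str:
    """Keep the prefix bits, zero the host bits."""
    return int_to_ip(ip_to_int(ip) & mask_from_prefix(prefix))


def same_subnet(a: str, b: str, prefix: int) -> bool:
    mask = mask_from_prefix(prefix)
    return (ip_to_int(a) & mask) == (ip_to_int(b) & mask)


def common_prefix_length(a: str, b: str) -> int:
    """Number of leading bits two addresses share, i.e. the longest prefix
    length under which they would still fall in one subnet."""
    diff = ip_to_int(a) ^ ip_to_int(b)
    return 32 - diff.bit_length()


def explain(ip: str, prefix: int) -> str:
    """Show the address with its prefix (network) bits in brackets."""
    bits = f"{ip_to_int(ip):032b}"
    return f"[{bits[:prefix]}]{bits[prefix:]}"


if __name__ == "__main__":
    for addr in ("192.168.10.1", "192.168.10.77", "192.168.10.254", "192.168.11.1"):
        print(f"{addr:15s} {explain(addr, 24)}  in 192.168.10.0/24: "
              f"{same_subnet(addr, '192.168.10.0', 24)}")
    print("mask /23 =", int_to_ip(mask_from_prefix(23)))
    print("192.168.10.1 and 192.168.11.1 share", common_prefix_length("192.168.10.1", "192.168.11.1"), "bits")
```

Running it shows the three 192.168.10.x addresses with an identical 24-bit bracketed part and 192.168.11.1 differing in the last of those bits; that same pair shares 23 bits, which is why widening the mask to /23 puts them in one subnet.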

ASA 9.6 Config Guide - Routed and Transparent Mode Interfaces

Transparent Mode and Bridge Group Guidelines
* <snip>
* Each directly-connected network must be on the same subnet.
* The ASA does not support traffic on secondary networks; only traffic on the same network as the BVI IP address is supported.
* For IPv4, an IP address for the BVI is required for each bridge group for both management traffic and for traffic to pass through the ASA. IPv6 addresses are supported, but not required for the BVI.
* <snip>
* The BVI IP address must be on the same subnet as the connected network. You cannot set the subnet to a host subnet (
* <snip>

IMO: Don't bother with interface cost.
Focus on device priority.


With his topology, priority/bridge ID alone is not going to guarantee that the first downstream switch prefers the fiber path.

/u/jburm - You'll want to do two things here:

  • Set "switch A" to have a low priority value so that it takes root.
  • Set the copper link between "switch A" and the first downstream switch to some cost value higher than the default (doesn't matter what value, just has to be greater than the fiber links). Do this on both ends of the link.

Note - The remaining copper links and the fiber links can remain at default costs.
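To show why both steps are needed, here is an added example (not code from the thread) that runs root election and root-port selection over a small constructed topology: a root "switch A" that the first downstream switch "B" can reach over a direct copper link or over a two-hop fiber path through "C". Priority alone makes A the root, but with default costs B's direct copper port is the cheapest way to the root; raising the copper port cost on both ends is what makes the fiber path win. The default costs are the IEEE 802.1D-1998 short-method values (1 Gb/s = 4, 100 Mb/s = 19); the names, MACs and link layout are constructed.

```python
"""STP root election and root-port selection with per-port costs.

Added example, not code from the thread.  Topology (constructed):
    A --copper--> B            A is forced to be root via priority
    A --fiber--> C --fiber--> B
Root path cost = sum of the receiving-port costs from the root down, so the
cost configured on B's copper port decides between the two paths.
"""
import heapq

COST_1G, COST_100M = 4, 19   # IEEE 802.1D-1998 short-method defaults


def elect_root(bridges):
    """bridges: {name: (priority, mac)}.  Lowest bridge ID wins, and the bridge
    ID orders by priority first, so the MAC only breaks a priority tie."""
    return min(bridges, key=lambda name: bridges[name])


def build_port_costs(links):
    """links: [(x, y, cost)].  The cost is applied on *both* ends of the link,
    as the advice above says.  Returns {(switch, neighbor): that switch's port cost}."""
    port_cost = {}
    for x, y, cost in links:
        port_cost[(x, y)] = cost
        port_cost[(y, x)] = cost
    return port_cost


def root_path_costs(port_cost, root):
    """{switch: (root path cost, upstream neighbor on its root port)}.
    Entering Y from X adds port_cost[(Y, X)].  Ties are broken by neighbor
    name here; real STP uses sender bridge ID, then port ID."""
    best = {root: (0, None)}
    heap = [(0, root)]
    while heap:
        cost, x = heapq.heappop(heap)
        if cost > best[x][0]:
            continue
        for (y, via), pc in port_cost.items():
            if via != x or y == root:
                continue
            candidate = (cost + pc, x)
            if y not in best or candidate < best[y]:
                best[y] = candidate
                heapq.heappush(heap, (candidate[0], y))
    return best


BRIDGES = {   # constructed; A gets the low priority value so it takes root
    "A": (4096, "00:00:00:00:00:0c"),
    "B": (32768, "00:00:00:00:00:0a"),
    "C": (32768, "00:00:00:00:00:0b"),
}


def topology(copper_cost):
    """All links 1 Gb/s; only the A-B copper link's cost is varied."""
    return build_port_costs([("A", "B", copper_cost),
                             ("A", "C", COST_1G),
                             ("C", "B", COST_1G)])


def compare_paths():
    """(root, B's choice with default costs, B's choice with copper raised)."""
    root = elect_root(BRIDGES)
    default = root_path_costs(topology(COST_1G), root)["B"]
    tuned = root_path_costs(topology(100), root)["B"]   # any value above the fiber path works
    return root, default, tuned


def root_with_equal_priority():
    """With priorities equal, the lowest MAC wins, which would not be A."""
    equal = {name: (32768, mac) for name, (_p, mac) in BRIDGES.items()}
    return elect_root(equal)


if __name__ == "__main__":
    root, default, tuned = compare_paths()
    print(f"root: {root}")
    print(f"B with default costs: cost {default[0]} via {default[1]}")
    print(f"B with copper cost 100: cost {tuned[0]} via {tuned[1]}")
    print(f"root if priorities were equal: {root_with_equal_priority()}")
```

With default costs B reaches the root at cost 4 over copper versus 8 over fiber, so it picks copper no matter who is root; with the copper port cost at 100 the fiber path's 8 wins. Setting the cost on only one end would leave the other switch's port at its default, which is why the note above says to do it on both.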
