
Multiple Cisco switches reverting back to old configs, losing vlan settings, etc. by Maxronald85 in networking

[–]newworldmonkeys2 41 points42 points  (0 children)

My only guesses are these switches are just now rebooting for the 1st time since the July changes occurred and have lost their config.

It should be simple to be sure of whether the switches are rebooting - are they, in fact, rebooting?

Well now we have shut off the tftp server and disabled the service, yet we are still seeing this behavior.

You realized that there were some switches pulling old configs, likely due to unsaved changes - have you not gone back into every single switch and issued a copy run start to ensure that all configs are saved?

Can you take ICND1 and ICND 2 to recert an expired CCNA? by mtroman85 in Cisco

[–]newworldmonkeys2 3 points4 points  (0 children)

Since your cert is expired, it's exactly the same as if you never had it in the first place.

Right, this.

To make this clear: you simply cannot renew an expired cert. You can only renew active certs.

OP, in your case, you are not looking to renew a cert anymore, you are now looking to earn the CCNA from scratch - which you can indeed do by passing ICND1 and ICND2 separately.

Anyone passed CCNA with only online training and no previous networking experience? by bluecoyote5 in ccna

[–]newworldmonkeys2 4 points5 points  (0 children)

Yes, as long as you're the type of person to keep yourself motivated and on track. Just make sure to be thorough and study based around the official exam topics listed on Cisco's site. Most online video courses and textbooks will stay centered on those well enough, but always go back to the exam topics just to ensure you're solid on each.

www.cisco.com/go/ccna

I thought binary form and binary notation are one in the same? by visionarygvp in ccna

[–]newworldmonkeys2 1 point2 points  (0 children)

How are the first 24 bits the same? I’m trying to find the best way for me to understand.

It means that the first 24 bits are the same between all IPs in this subnet. As an example, for a typical 192.168.10.0/24 subnet (255.255.255.0 mask), all IPs 192.168.10.100, 192.168.10.241, 192.168.10.1, and 192.168.10.48 will begin with the same 24 bits.

Or to put it another way, 192.168.10 translates to binary 11000000.10101000.00001010. So any IP within the 192.168.10.0/24 subnet will begin with exactly those 24 bits. If any of the first 24 bits were different from what's listed here, then that IP would by definition simply be in a different subnet.

Essentially, a subnet is just defined by 1. deciding the amount of bits in the mask (i.e. define the subnet mask) and 2. deciding the value of those bits (i.e. define the network ID).
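
The bit-comparison described in this comment, as an added example that is not part of the original post: the functions below spell out "the first 24 bits are the same" as a literal comparison of binary strings, derive the network ID and mask from the same bits, and cross-check the hand-rolled logic against Python's standard `ipaddress` module. The host addresses are the ones from the comment plus a couple of constructed neighbours (192.168.11.7 and 192.168.10.225) chosen to fall outside the subnet.

```python
# Added example (not from the original comment): show that "the first 24
# bits are the same" is literally a string comparison on the binary form,
# and that the network ID is just those bits with the host bits zeroed.
import ipaddress


def to_bits(ip: str) -> str:
    """Dotted-decimal IPv4 -> dotted binary, e.g. 192.168.10.0 -> 11000000.10101000.00001010.00000000."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(f"{o:08b}" for o in octets)


def network_bits(ip: str, prefix_len: int) -> str:
    """The first prefix_len bits of ip (dots removed): the part every host in the subnet shares."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return to_bits(ip).replace(".", "")[:prefix_len]


def same_subnet(a: str, b: str, prefix_len: int) -> bool:
    """Two addresses are in the same /prefix_len subnet iff their first prefix_len bits match."""
    return network_bits(a, prefix_len) == network_bits(b, prefix_len)


def network_id(ip: str, prefix_len: int) -> str:
    """Network ID = the shared prefix bits followed by all-zero host bits, back in dotted decimal."""
    bits = network_bits(ip, prefix_len).ljust(32, "0")
    return ".".join(str(int(bits[i:i + 8], 2)) for i in range(0, 32, 8))


def mask(prefix_len: int) -> str:
    """Subnet mask for a prefix length: prefix_len one-bits followed by zero-bits."""
    bits = ("1" * prefix_len).ljust(32, "0")
    return ".".join(str(int(bits[i:i + 8], 2)) for i in range(0, 32, 8))


if __name__ == "__main__":
    # Hosts from the comment plus two constructed outsiders.
    hosts = ["192.168.10.100", "192.168.10.241", "192.168.10.1", "192.168.10.48", "192.168.11.7"]
    for h in hosts:
        print(f"{h:15} {to_bits(h)}  in 192.168.10.0/24: {same_subnet(h, '192.168.10.0', 24)}")
    # Cross-check the hand-rolled bit logic against the standard library on a /28.
    for h in hosts:
        expected = ipaddress.ip_network(f"{h}/28", strict=False).network_address
        assert network_id(h, 28) == str(expected)
    print("mask for /24:", mask(24), " mask for /28:", mask(28))
```

Shrinking the prefix to /28 is where the same rule starts to bite: 192.168.10.241 and 192.168.10.225 share 24 bits but differ in the 28th, so they sit in different /28 subnets even though they look alike in decimal.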

ASA transparent mode subnet mis-understanding by Groundswell17 in networking

[–]newworldmonkeys2 1 point2 points  (0 children)

ASA 9.6 Config Guide - Routed and Transparent Mode Interfaces

Transparent Mode and Bridge Group Guidelines
* <snip>
* Each directly-connected network must be on the same subnet.
* The ASA does not support traffic on secondary networks; only traffic on the same network as the BVI IP address is supported.
* For IPv4, an IP address for the BVI is required for each bridge group for both management traffic and for traffic to pass through the ASA. IPv6 addresses are supported, but not required for the BVI.
* <snip>
* The BVI IP address must be on the same subnet as the connected network. You cannot set the subnet to a host subnet (255.255.255.255).
* <snip>

spanning-tree cost question by jburm in networking

[–]newworldmonkeys2 6 points7 points  (0 children)

With his topology, priority/bridge ID alone is not going to guarantee that the first downstream switch prefers the fiber path.

/u/jburm - You'll want to do two things here:

  • Set "switch A" to have a low priority value so that it takes root.
  • Set the copper link between "switch A" and the first downstream switch to some cost value higher than the default (doesn't matter what value, just has to be greater than the fiber links). Do this on both ends of the link.

Note - The remaining copper links and the fiber links can remain at default costs.

“Over certified”? by thenetworkstudent in ccna

[–]newworldmonkeys2 6 points7 points  (0 children)

First thing to note - I'm sharing this from my own experience, different points of view from others are still entirely valid, real concerns.

I'm part of the camp that says it's pretty difficult to be "over-certified" (assuming you passed all exams by legitimate means). Any reasonable employer should be able to take a CCNA, CCNP, even CCIE for exactly what it is - a guarantee that a person has a specific set of skills. A CCNP does not guarantee real-world experience, it does not guarantee anything outside of exactly what was tested on the exam. Any employer trying to look at a certification like these as any indication of real-world experience is a bit short-sighted.

I had CCNA R&S, CCNA Security, and was half-way through CCNP R&S before I ever touched a single real-world network device. All of my studying had been on my own time, via books, video courses, and my home lab. I lacked any practical experience of network administration; however, I was still hired into a position managing Cisco and Arista gear, with EIGRP, BGP, DMVPN, multicast, etc. I was given a technical interview and showed that I knew the technologies at hand. However, I also made it clear that I was aware that I lacked the real-world experience - be honest about your limitations. Some employers may determine that the lack of experience trumps the technical knowledge - and that's fine, they have their own needs. In my case, the company took a chance on me because I was able to prove not only that I knew the technologies, but that I had had the drive, motivation, and ability to seek out this knowledge myself, rather than relying on any other external source (job experience, a senior admin mentor, teachers/classes, etc.) to push the knowledge onto me.

Both viewpoints are valid, I would say. It depends on who you are interviewing with. Some companies may be able to take the chance on a candidate without practical experience to back up the knowledge, and your motivation shown by your past self-study may even help you in interviews. Other companies, as evidenced by some of the comments here, may be very wary of someone with certifications and no experience. You run a bit of a risk either way.

--

On a separate note entirely:

Screw the idea of holding your own self study back so that you might possibly look better in interviews. Study for yourself, learn whatever it is that you find most interesting, and if you have the knowledge to do so, go get certified. Personally I believe that if an employer can't view my certifications as my own personal desire and motivation to learn, then they are not a company that I want to work for. I'd much rather follow my own passion for learning and potentially put this "over-certified" red flag on my resume than trim and tailor my own personal desires to match what certain employers are looking for.

RPF - why is it off by default by SyberCorp in Cisco

[–]newworldmonkeys2 3 points4 points  (0 children)

Can anyone help me understand why anyone would NOT want this feature enabled, so traffic was able to be spoofed?

In the case of asymmetric routing, uRPF would drop traffic that should not be dropped. Asymmetric routing is not an uncommon scenario in networks with multiple links to the internet.

I can't comment as to why it's disabled by default on all Cisco devices. I'd speculate that the idea for routers/switches at least is "this is a security feature, not a routing feature, so it shouldn't be enabled by default on routers". Personally I do agree it should be enabled by default on ASAs at least, especially since ASAs generally shouldn't be deployed in asymmetric topologies to begin with.
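
The asymmetric-routing problem described in this comment, as an added example that is not part of the original post: a toy FIB with longest-prefix lookup and both uRPF modes, run against constructed packets. The interface names, the dual-upstream routing table and the packet sources are made up (RFC 5737 documentation ranges and RFC 1918 space); the IOS commands named in the docstring are the real ones. Real IOS strict mode also accepts any of several equal-cost paths, which this toy does not model.

```python
# Added example (not from the original comment): a tiny FIB and the two
# uRPF modes, run against constructed packets. Interface names, prefixes and
# source addresses are invented for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str  # egress interface; "Null0" means a discard route


def lookup(fib: List[Route], addr: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match, the same lookup the forwarding path uses."""
    matches = [r for r in fib if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def urpf_permits(fib: List[Route], src: str, ingress: str, mode: str) -> bool:
    """
    strict ~ 'ip verify unicast source reachable-via rx' (ASA: 'ip verify reverse-path interface X'):
        the best route back to the source must point out the interface the packet arrived on.
    loose  ~ 'ip verify unicast source reachable-via any':
        any route back to the source will do, as long as it is not a discard route.
    """
    route = lookup(fib, ipaddress.ip_address(src))
    if route is None or route.interface == "Null0":
        return False  # unroutable or null-routed source fails in both modes
    if mode == "loose":
        return True
    if mode == "strict":
        return route.interface == ingress
    raise ValueError(f"unknown uRPF mode: {mode}")


# Edge router with two upstreams. Outbound traffic follows the default via ISP1 (Gi0/0);
# ISP2 (Gi0/1) only has a route for its own link block, yet some return traffic
# from the internet arrives there. That is the asymmetric case from the comment.
FIB = [
    Route(ipaddress.ip_network("10.0.0.0/8"), "Gi0/2"),       # inside
    Route(ipaddress.ip_network("0.0.0.0/0"), "Gi0/0"),        # default via ISP1
    Route(ipaddress.ip_network("203.0.113.0/24"), "Gi0/1"),   # ISP2 link block
    Route(ipaddress.ip_network("192.0.2.0/24"), "Null0"),     # locally null-routed range
]


def scenarios(fib: List[Route] = FIB) -> dict:
    """{scenario: {'strict': permitted?, 'loose': permitted?}} for constructed packets."""
    cases = {
        # legitimate reply from the internet that happens to return via ISP2
        "asymmetric_reply": ("198.51.100.7", "Gi0/1"),
        # the same reply arriving on the interface the default route uses
        "symmetric_reply": ("198.51.100.7", "Gi0/0"),
        # packet from the internet claiming an inside (RFC 1918) source: spoofed
        "spoofed_inside_src": ("10.1.1.5", "Gi0/0"),
        # packet from a range we deliberately null-route
        "null_routed_src": ("192.0.2.9", "Gi0/0"),
    }
    return {name: {"strict": urpf_permits(fib, src, ifc, "strict"),
                   "loose": urpf_permits(fib, src, ifc, "loose")}
            for name, (src, ifc) in cases.items()}


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20} strict={str(result['strict']):5} loose={result['loose']}")
```

The two results worth staring at are `asymmetric_reply` (strict mode drops a perfectly good reply, which is the reason the comment gives for leaving it off) and `spoofed_inside_src` (loose mode lets a spoofed inside address straight through, since it only asks whether any route exists). Loose mode is the compromise for multi-homed edges; it stops unroutable sources, not spoofing of routable ones.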

CCNP preparation by [deleted] in ccnp

[–]newworldmonkeys2 0 points1 point  (0 children)

it really seems like they're so deep into outsmarting dumps they point to a random section of the config guides and then figure out how to make that a question.

They quite literally do this. At least on a couple of the CCNP Security exams, I've seen questions that were word-for-word taken from the official Cisco documentation.

As for the actual thread topic - I'd use the OCG at least as a guide of what to focus on. The OCGs tend to do a very good job at highlighting the big topics, whereas the configuration guides are not tailored to the exams and thus you may find yourself getting lost in items that are not so important for the exam itself if you use solely the config guides. So I would definitely suggest both the OCG and the configuration guide paired together.

New login history feature on ASA 9.8(1) by ciscotree in Cisco

[–]newworldmonkeys2 1 point2 points  (0 children)

no aaa authentication login-history, for those curious.

ASA Stateful Failover by bl0dR in Cisco

[–]newworldmonkeys2 3 points4 points  (0 children)

I have an HA pair of 5555's that the last time (months ago) I had to failover had a problem where none of the DMZ hosts got switched over to the mac address of the active unit.

Either you've misdiagnosed the issue or you've encountered a serious bug. The secondary ASA will take over the MAC of the primary during a failover scenario.

CDP/STP/DTP -> Which Vlan are these protocols are using? by [deleted] in ccna

[–]newworldmonkeys2 0 points1 point  (0 children)

They don't use any VLAN.

You'll hear often that they use VLAN1, or sometimes that they use the native VLAN. Neither of these is true - even though a CDP frame and a native VLAN1 frame are encapsulated in the same manner at layer 2.

Try it out (note - I'm not sure if 100% of these are supported in PT, particularly the debugs.):

interface f0/0
switchport mode trunk
switchport trunk allowed vlan none
end
!
show spanning-tree interface f0/0 detail
show cdp neighbor
!
debug spanning-tree bpdu
debug cdp packets
debug cdp events
debug dtp packets

You should see STP counters increasing and your debugs should show frames entering and leaving the interface for each of the three protocols. Try out the debugs on the switch connected to f0/0 as well and you should see the same. Even though all VLANs have been removed from f0/0's allowed list, these control protocols are still passed on the interface with no problems.

tl;dr - CDP, STP, and DTP use untagged frames and are not part of any VLAN. Even though data carried over the native VLAN also uses untagged frames, control protocols like these cannot be considered part of the native VLAN.
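
The layer-2 encapsulation point from this comment, as an added example that is not part of the original post: a small parser that splits the Ethernet header, pulls off an 802.1Q tag when one is present, and names the protocol from the well-known destination MAC and LLC/SNAP header. The frames are hand-built here (zero-filled payloads of plausible length), not captures; the destination MACs (01:80:c2:00:00:00 for IEEE BPDUs, 01:00:0c:cc:cc:cc for CDP/DTP) and the SNAP protocol IDs (0x2000 CDP, 0x2004 DTP) are the real values. Run over an untagged BPDU and an untagged IPv4 frame, the parser shows that nothing in the frame itself says "VLAN 1" or "native VLAN": the only difference is the destination address, which is why the switch consumes the control frame on the port while the data frame is placed in whatever native VLAN the receiving trunk is configured for. The one wrinkle a practitioner should know is Cisco PVST+, which sends per-VLAN BPDUs for non-native VLANs tagged, to 01:00:0c:cc:cc:cd with SNAP ID 0x010b; the last sample frame shows that case.

```python
# Added example (not from the original comment): parse the outer layer-2
# header of some hand-built frames and report protocol and 802.1Q tag.
# The frames are constructed for illustration; MACs and SNAP IDs are real.
import struct

IEEE_STP_MAC = bytes.fromhex("0180c2000000")    # IEEE 802.1D BPDU destination
CISCO_MC_MAC = bytes.fromhex("01000ccccccc")    # Cisco CDP/DTP/VTP/PAgP/UDLD destination
CISCO_SSTP_MAC = bytes.fromhex("01000ccccccd")  # Cisco PVST+ per-VLAN BPDU destination
CISCO_OUI = bytes.fromhex("00000c")
SNAP_CISCO = b"\xaa\xaa\x03" + CISCO_OUI        # LLC SNAP header with Cisco OUI
SNAP_PIDS = {0x2000: "CDP", 0x2004: "DTP", 0x010B: "PVST+ BPDU"}


def parse_frame(frame: bytes) -> dict:
    """Split dst/src, strip an 802.1Q tag if present, return the rest as payload."""
    dst, src = frame[:6], frame[6:12]
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    tagged, vid, offset = False, None, 14
    if type_or_len == 0x8100:                       # TPID: an 802.1Q tag follows
        (tci,) = struct.unpack("!H", frame[14:16])
        (type_or_len,) = struct.unpack("!H", frame[16:18])
        tagged, vid, offset = True, tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "tagged": tagged, "vid": vid,
            "type_or_len": type_or_len, "payload": frame[offset:]}


def protocol_name(f: dict) -> str:
    p = f["payload"]
    if f["dst"] == IEEE_STP_MAC and p[:3] == b"\x42\x42\x03":   # LLC DSAP/SSAP 0x42 = bridge STP
        return "STP BPDU"
    if f["dst"] in (CISCO_MC_MAC, CISCO_SSTP_MAC) and p[:6] == SNAP_CISCO:
        (pid,) = struct.unpack("!H", p[6:8])
        return SNAP_PIDS.get(pid, f"Cisco SNAP 0x{pid:04x}")
    return "data"


def classify(frame: bytes) -> tuple:
    """(protocol name, VLAN ID or None). None means the frame carries no tag at all."""
    f = parse_frame(frame)
    return protocol_name(f), f["vid"]


def build(dst: bytes, src: bytes, vid, body: bytes) -> bytes:
    """Assemble a frame; vid=None means untagged. body starts with the type/length field."""
    tag = struct.pack("!HH", 0x8100, vid) if vid is not None else b""
    return dst + src + tag + body


def llc_body(llc_and_payload: bytes) -> bytes:
    """802.3 framing: 2-byte length field, then LLC header and payload."""
    return struct.pack("!H", len(llc_and_payload)) + llc_and_payload


SRC = bytes.fromhex("0011223344aa")  # constructed source MAC

# Constructed sample frames (payload fields zero-filled, lengths plausible).
STP_FRAME = build(IEEE_STP_MAC, SRC, None, llc_body(b"\x42\x42\x03" + bytes(35)))
CDP_FRAME = build(CISCO_MC_MAC, SRC, None,
                  llc_body(SNAP_CISCO + struct.pack("!H", 0x2000) + b"\x02\xb4\x00\x00" + b"\x00\x01\x00\x07sw1"))
DTP_FRAME = build(CISCO_MC_MAC, SRC, None, llc_body(SNAP_CISCO + struct.pack("!H", 0x2004) + b"\x01" + bytes(20)))
PVST_FRAME = build(CISCO_SSTP_MAC, SRC, 10, llc_body(SNAP_CISCO + struct.pack("!H", 0x010B) + bytes(35)))
NATIVE_DATA = build(bytes.fromhex("005056aabbcc"), SRC, None, struct.pack("!H", 0x0800) + bytes(20))
TAGGED_DATA = build(bytes.fromhex("005056aabbcc"), SRC, 20, struct.pack("!H", 0x0800) + bytes(20))

if __name__ == "__main__":
    for label, frame in [("STP", STP_FRAME), ("CDP", CDP_FRAME), ("DTP", DTP_FRAME),
                         ("PVST+", PVST_FRAME), ("native data", NATIVE_DATA), ("tagged data", TAGGED_DATA)]:
        name, vid = classify(frame)
        where = f"tagged VLAN {vid}" if vid is not None else "untagged"
        print(f"{label:12} -> {name:12} {where}")
```

Note that `classify` returns `None` for both the BPDU and the untagged IPv4 frame: the parser cannot tell you which VLAN the untagged data frame belongs to, because that is a property of the receiving port's native VLAN setting, not of the frame. The control frames never get a VLAN at all; they are addressed to the switch itself.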

ACL question about allowing all incoming UDP by workrelatedquestions in Cisco

[–]newworldmonkeys2 0 points1 point  (0 children)

However with this config important things break.

Such as?

If you're in a bind and you can't get a proper stateful firewall in the near future, you could permit specific source ports inbound. For example, an outbound DNS request would be destined to UDP 53, and the response would be sourced from UDP 53 - so permit source port 53 inbound.

It's not ideal and you'll essentially have to whitelist each specific UDP application, but it's better than permit udp any any.
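
The trade-off described in this comment, as an added example that is not part of the original post: a stateless "permit inbound UDP sourced from port 53" rule next to a stateful UDP session table, both run over constructed packets. The addresses (10.0.0.5, 198.51.100.53, 203.0.113.66) and ports are made up; the IOS ACL syntax quoted in the docstrings is real, and the stateful behaviour is what an ASA, an IOS reflexive ACL or the zone-based firewall give you.

```python
# Added example (not from the original comment): stateless source-port ACL
# versus a stateful UDP session table, run over constructed packets.
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Udp:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool  # True = arriving from the untrusted (internet) side


def acl_permit_udp_any_any(pkt: Udp) -> bool:
    """The rule OP started with: 'permit udp any any' inbound. Everything passes."""
    return True


def acl_permit_source_port_53(pkt: Udp) -> bool:
    """Stateless stand-in for the suggested stopgap, IOS 'permit udp any eq 53 any' inbound.
    Outbound traffic is not filtered in this toy."""
    return (not pkt.inbound) or pkt.sport == 53


class StatefulUdpFilter:
    """Stateful behaviour: remember each outbound flow, admit only inbound packets that answer one."""

    def __init__(self) -> None:
        self.sessions: set = set()

    def permit(self, pkt: Udp) -> bool:
        if not pkt.inbound:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # An inbound packet is a reply only if its 4-tuple mirrors a recorded outbound flow.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def run_scenarios() -> Dict[str, Tuple[bool, bool, bool]]:
    """{scenario: (any_any permits, source-port-53 ACL permits, stateful permits)}."""
    fw = StatefulUdpFilter()
    packets = [
        # our resolver asks an external DNS server
        ("query", Udp("10.0.0.5", 54321, "198.51.100.53", 53, inbound=False)),
        # the genuine answer comes back sourced from 53 to the port we used
        ("reply", Udp("198.51.100.53", 53, "10.0.0.5", 54321, inbound=True)),
        # attacker simply sources from 53 to reach an internal SNMP service
        ("probe_snmp", Udp("203.0.113.66", 53, "10.0.0.5", 161, inbound=True)),
        # unsolicited packet to the ephemeral port from a host we never queried
        ("unsolicited", Udp("203.0.113.66", 53, "10.0.0.5", 54321, inbound=True)),
    ]
    results = {}
    for name, pkt in packets:  # order matters: the query must be seen before its reply
        results[name] = (acl_permit_udp_any_any(pkt), acl_permit_source_port_53(pkt), fw.permit(pkt))
    return results


if __name__ == "__main__":
    verdict = lambda b: "permit" if b else "deny"
    for name, (any_any, src53, stateful) in run_scenarios().items():
        print(f"{name:12} any/any: {verdict(any_any):6} src-port-53: {verdict(src53):6} stateful: {verdict(stateful)}")
```

The `probe_snmp` row is the caveat behind "it's not ideal": the source-port rule shrinks the hole from "all UDP" to "all UDP from anyone willing to bind port 53", which is no obstacle to an attacker, so it belongs only as a temporary measure until the stateful device the comment mentions is in place.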

VIRL Lab Bug by NetworkGuy22 in networking

[–]newworldmonkeys2 5 points6 points  (0 children)

Just reading it incorrectly.

  • iosv-1 g0/1 is connected to iosvl2-1 g1/2
  • iosv-2 g0/1 is connected to iosvl2-1 g1/1

Recommended study material for the TSHOOT 300-135 by nok4us in ccnp

[–]newworldmonkeys2 0 points1 point  (0 children)

Yep, they still use the same topology. It's been a while since I took the 300-135 so I can't recall with certainty whether all of the small details like individual IP addresses and port numbers match 100%, but the large picture (where BGP exists, the distinct OSPF areas, VLAN topology, etc.) certainly matches.

Recommended study material for the TSHOOT 300-135 by nok4us in ccnp

[–]newworldmonkeys2 2 points3 points  (0 children)

I used a combination of the OCG and INE's videos.

Learn the TSHOOT topology - you can find it here. It's the topology used for all TSHOOT "lab" type questions.

Difference between allowed vlan and native vlan by HazzyDevil in Cisco

[–]newworldmonkeys2 0 points1 point  (0 children)

Disabling the native vlan is usually not a good idea over an L2 topology. If I remember correctly most if not all L2 protocols (VTP, STP, etc.) use it for exchange of protocol messages.

Those protocols don't use the native VLAN - they just use untagged frames. There's a difference, the protocols in question essentially are outside of any VLAN. Disabling the native VLAN won't affect such traffic, as the switches will send these frames untagged regardless.

It's a common security practice to disable the native VLAN on trunk ports (helps prevent VLAN hopping attacks).

CLI help for ASA5508 by MerNerm1 in Cisco

[–]newworldmonkeys2 2 points3 points  (0 children)

The inspect command is nested within other sections.

Generally, you have three CLI modes.

  • exec mode - This is noted by the > prompt. You can run a number of show commands here, but not all (e.g. show running-config is not available in this mode). You cannot make any configuration changes here.
  • privileged exec mode - This is noted by the # prompt. You can run all show commands here. You cannot make any configuration changes here.
  • config mode - This is noted by the (config)# prompt, you can only enter config mode from privileged exec mode. This is where you make all configuration changes.

The ASA's config structure is a nested one, for certain types of configurations. The inspect command is one of those circumstances. Use show running-config policy-map in order to see the section where those inspect commands would be placed - the nesting is denoted by one or more spaces at the beginning of any particular line. If your ASA is still mostly configured as default, the commands you'll need to enter from start to finish should look something like this:

asa-hostname>enable
!(enter password when prompted)
asa-hostname#configure terminal
asa-hostname(config)#policy-map global_policy
asa-hostname(config-pmap)#class inspection_default
asa-hostname(config-pmap-c)#inspect icmp
asa-hostname(config-pmap-c)#end
asa-hostname#copy running-config startup-config

You shouldn't need to enable DNS inspection, as that should be enabled by default, and you should see it listed when you do show running-config policy-map.

ASA 9.4 active/standby question by loganbest in networking

[–]newworldmonkeys2 2 points3 points  (0 children)

To do this correctly you need both ISPs connected to both ASAs.

To be clear, this requires a switch between the ISPs and the ASAs. Each ISP should have its own VLAN.

old CCDP, refresh it and get CCNP? by pinglube in networking

[–]newworldmonkeys2 1 point2 points  (0 children)

if I scheduled up 300-135 TSHOOT before June, then will the "blending" of old (642-902/1.0 ROUTE, 642-813/1.0 SWITCH) and new (340-135/2.0 TSHOOT) get me both a renewed CCDP and a fresh CCNP?

Yes, in general you can combine old and new exams. You can verify for certain at the same site linked earlier, under Certification Progress. It lists the full set of exam/prerequisite combinations for any given cert in a lengthy tree form. Browse to the CCNP R&S cert, and then "CCNP (v.5) -> B -> B.2" should be the relevant section. Since your ROUTE and SWITCH are still valid, you should see B.2.1 and B.2.2 filled, with B.2.3 (TSHOOT) being the last requirement.

old CCDP, refresh it and get CCNP? by pinglube in networking

[–]newworldmonkeys2 0 points1 point  (0 children)

  • To get CCNP R&S, you need to pass ROUTE, SWITCH, and TSHOOT within a single three-year period.
  • To renew CCDP, you need to pass any 300-level exam or higher.

So it's really a question of when you passed ROUTE and SWITCH. If you passed ROUTE and SWITCH in 2013 but then passed ARCH in July 2014 for example, then your ROUTE and SWITCH are already expired and you would need to pass all three ROUTE, SWITCH, TSHOOT to gain CCNP R&S. If you passed all ROUTE, SWITCH, and ARCH in July 2014, then you have until July to just take TSHOOT and gain CCNP R&S.

You can check your exam pass dates at cisco.pearsoncred.com under Home -> History.

Advice/Help: Inner vlan routing multiple switches by Synbyte in networking

[–]newworldmonkeys2 0 points1 point  (0 children)

We'll call the firewall 172.31.0.5 actually, since 172.31.0.3 would overlap with VLAN999 in the other example.

!switch A:
interface VLAN 998
 ip address 172.31.0.6 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 172.31.0.5

!switch B:
ip route 0.0.0.0 0.0.0.0 172.31.0.1

Advice/Help: Inner vlan routing multiple switches by Synbyte in networking

[–]newworldmonkeys2 2 points3 points  (0 children)

A L3 routed link is different than a trunk (tagging vlans)?

With a trunk, you span the subnet/VLAN across two switches. For example, with your current setup if you wanted to put a VLAN20 server onto switch A, you could do so simply by creating an access port in VLAN20. Using a layer 3 routed link between the two switches, you would no longer span the VLANs across switches, and instead isolate each VLAN to one of the two switches.

Say port g1 on each switch is the link between the two switches. The IP addresses and routing could look something like this (note - I'm not familiar with HP syntax, hopefully the context is clear enough):

!(assuming each VLAN is 192.168.X.0/24, where X is subnet ID)

!switch A:
interface vlan 10
 ip address 192.168.10.1 255.255.255.0
!
interface g1
 switchport mode access
 switchport access vlan 999
interface vlan 999
 ip address 172.31.0.1 255.255.255.252
!
ip route 192.168.20.0 255.255.255.0 172.31.0.2
ip route 192.168.30.0 255.255.255.0 172.31.0.2
ip route 192.168.40.0 255.255.255.0 172.31.0.2
ip route 192.168.50.0 255.255.255.0 172.31.0.2
ip route 192.168.60.0 255.255.255.0 172.31.0.2

!switch B
interface vlan 20
 ip address 192.168.20.1 255.255.255.0
interface vlan 30
 ip address 192.168.30.1 255.255.255.0
interface vlan 40
 ip address 192.168.40.1 255.255.255.0
interface vlan 50
 ip address 192.168.50.1 255.255.255.0
interface vlan 60
 ip address 192.168.60.1 255.255.255.0
!
interface g1
 switchport mode access
 switchport access vlan 999
interface vlan 999
 ip address 172.31.0.2 255.255.255.252
!
ip route 192.168.10.0 255.255.255.0 172.31.0.1

Advice/Help: Inner vlan routing multiple switches by Synbyte in networking

[–]newworldmonkeys2 0 points1 point  (0 children)

You move the layer 3 interfaces from switch A to switch B (except for VLAN10, which stays on switch A because all VLAN10 hosts exist on switch A). You then use the link between the two switches as a layer 3 routed link rather than spanning the layer 2 VLANs across this link as you currently do. The layer 3 link between the two switches would be outside of any of the current VLANs - you'd either assign IP addresses directly to the switch ports on each end, or you'd create a new dedicated point-to-point VLAN for this purpose. Use either static routing or some dynamic protocol (OSPF is your best bet here) so that switch A can learn the routes for subnets on switch B, and vice versa.