the-packet-thrower commented on a post in r/networking
the-packet-thrower 1 point

Cisco has a fairly flexible regex for its pipe commands.

The next level up is Terminal shell which has basic Linux utils like grep and cut.

If you're on 16.6, then you can run a full RHEL shell, so you can do awk and sed and whatever else.

the-packet-thrower commented on a post in r/networking
the-packet-thrower 2 points

On paper net neutrality is just doing the stuff we already do in the enterprise; we do pay the ISPs more for an MPLS connection that supports QoS etc. So a tiered internet isn't all that unheard of, though things like support and service calls will get more complicated in this model for residential customers.

That said, no one trusts their residential internet, so this will be seen as a pure money/power grab, especially with the media conflict of interest.

the-packet-thrower commented on a post in r/ccna
the-packet-thrower 1 point

Typically 3 years but there is nothing stopping Cisco from updating the test if they feel like it.

That said, if you earn the CCENT then you're a CCENT and will just need to pass the other exam to be a CCNA if there is an update.

the-packet-thrower commented on a post in r/ccna
swatlord 1 point

If a candidate does a cert properly by getting the proper prerequisite experience, doing all the studying and labbing everything, then they will be a solid CCNP/CCIE/A+. Of course, cheating and paper certs are a thing, which is why rigorous interviews are very important.

The thing is, the cert itself doesn't do any of this. That's what I'm saying (and you're agreeing): just having the cert means you can pass the test. It boils down to the soft process of interviewing to root out whether or not the candidate knows what they claim. The same can be discerned from another candidate who doesn't have a cert.

the-packet-thrower 1 point

It is the framework for studying and the assumed knowledge that I'm arguing for. It helps prevent what I call the "D-link tech" where they just know what they know in their current job.

For example, if you work in an EIGRP-only shop and only learned on the job, then it is possible that you know nothing about OSPF. Also along those lines, NOC analysts are notorious for skipping over fundamentals in favour of knowing what commands can make the ticket go away. But if you had a CCNA in the same position then it is reasonable to assume that you would at least know the basics.

swatlord 1 point

The problem is most current certification tracks don't prove candidate knowledge, they prove candidate test ability. It's why you ban brain dumps here. If more certification tracks included at least a hands-on portion of the exam, this would be less of a gripe. You've said it yourself: memorization and brain dumps cheapen the value of certs.

But if you had a CCNA in the same position then it is reasonable to assume that you would at least know the basics.

If that's the case, why not skip the technical portion of the interview and move straight to "will they fit in the team"?

the-packet-thrower 1 point

Even hands-on certs can be dumped; it wouldn't be hard to buy the latest RHCE exam if you wanted to. Hell, even the CCDE was briefly leaked this year, and that exam is only issued several times a year to control the exam (though Cisco went full scorched earth after that).

I wouldn't be surprised if Cisco exams eventually use VIRL or such to replace sims since it will let them make sims harder without much hassle. But certs should always test theory / fundamentals as well as lab stuff rather than just making the CCNA a smaller CCIE TShoot/Config lab.

the-packet-thrower commented on a post in r/networking
the-packet-thrower 1 point

It is just a safeguard; you don't need it if your Q-in-Q network has a clean native VLAN setup, but by just having the switch tag everything you remove the potential for accidents later. Plus it is a good L2 security practice.

igatrinit 1 point

What accidents, exactly? That's the question I can't find the answer to.

the-packet-thrower 1 point

If you don't pay attention to your native VLAN, then you might accidentally use the wrong VLANs for your Q-in-Q, which can cause everything from it not working to weird stuff like dumping the traffic in the middle of the L2 network etc.

the-packet-thrower commented on a post in r/ccna
zanfar 5 points

Some of this is a bit beyond the CCNA, but it makes a great jumping-off point for further self-study. Taken mostly from the Cisco Live! and OCG. Definitely not comprehensive.

General Cisco Best Practices

Security

  • Enable password encryption
    (conf)# service password-encryption
  • Set fail-safe enable password
    (conf)# enable secret <password>
  • Set fail-safe vty and console passwords
    (conf-line)# password <password>
  • Use AAA for enable, vty, and console access as a first resort
  • Disable telnet access
    (conf-line)# transport input ssh

Convenience

  • Disable DNS lookup
    (conf)# no ip domain-lookup
  • Use synchronous logging
    (conf-line)# logging synchronous

Interfaces

  • Disable all unused ports
    (conf-if)# shutdown
  • Add a description to all used ports
    (conf-if)# description <label>

Switching Cisco Best Practices

Access Ports

  • Disable trunking and DTP explicitly
    (conf-if)# switchport mode access
    (conf-if)# switchport nonegotiate
  • Don't use VLAN 1
    (conf-if)# switchport access vlan <vlan>
  • Port-security max 5-10, split voice/data if possible
    (conf-if)# switchport port-security
    (conf-if)# switchport port-security mac-address sticky
    (conf-if)# switchport port-security maximum 5
    (conf-if)# switchport port-security violation restrict
    (conf-if)# switchport port-security aging time 5
    (conf-if)# switchport port-security aging type inactivity
  • Max port-security SNMP trap rate
    (conf)# snmp-server enable traps port-security trap-rate 5
  • Disabled port recovery time if violation mode is disable
    (conf)# errdisable recovery cause psecure-violation
    (conf)# errdisable recovery interval 60

Trunk Ports

  • Enable trunking explicitly
    (conf-if)# switchport trunk encapsulation dot1q
    (conf-if)# switchport mode trunk
  • Disable DTP negotiation for convergence speed
    (conf-if)# switchport nonegotiate
  • Unused native VLAN
    (conf-if)# switchport trunk native vlan 666
  • Tag native VLAN
    (conf)# vlan dot1q tag native
  • Hard-code speed and duplex for 10/100 or slower trunks (not an issue with Gigabit)
    (conf-if)# speed 100
    (conf-if)# duplex full
  • Disable VTP (unless using v3)
    (conf)# vtp mode [transparent|off]

DHCP Snooping

  • Globally config snooping on all VLANs
    (conf)# ip dhcp snooping
    (conf)# ip dhcp snooping vlan <vlans>
    (conf)# no ip dhcp snooping information option
  • Limit request rate for non-server ports
    (conf-if)# no ip dhcp snooping trust (default)
    (conf-if)# ip dhcp snooping limit rate 10
  • Trust server ports
    (conf-if)# ip dhcp snooping trust
  • Backup snooping table
    (conf)# ip dhcp snooping database tftp://<server>/<file>
    (conf)# ip dhcp snooping database write-delay 60

STP

  • Primary and Secondary root priorities (if not more)
    (conf)# spanning-tree vlan <vlans> root [primary|secondary]
    or
    (conf)# spanning-tree vlan <vlans> priority <0-61440, multiple of 4096>
  • Rapid STP
    (conf)# spanning-tree mode rapid-pvst
  • Portfast and BPDU Guard on access links
    Per interface:
    (conf-if)# spanning-tree portfast
    (conf-if)# spanning-tree bpduguard enable
    or globally
    (conf)# spanning-tree portfast default
    (conf)# spanning-tree portfast bpduguard default
  • LoopGuard on upstream links
    (conf-if)# spanning-tree guard loop
  • RootGuard on downstream links
    (conf-if)# spanning-tree guard root

Routing Cisco Best Practices

Routing protocols

  • Explicitly set router-id
  • Disable auto-summary

FHRP

  • Priority and failover should match STP priority
the-packet-thrower 4 points

Just an FYI, disabling DNS is a false best practice. People do it to prevent typos from being resolved, but it kills the DNS feature, which can cause issues. It is better to use transport preferred none under the lines to prevent that headache.
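An added audit script, written for this page rather than taken from either commenter, that checks a constructed IOS running-config excerpt against a few items from zanfar's checklist (DTP off on access ports, no VLAN 1, a non-default native VLAN on trunks, SSH-only vty lines, the global native-VLAN tag) and the-packet-thrower's `transport preferred none` alternative to disabling DNS lookup. The parser, the sample config and the finding strings are assumptions; the real input would be `show running-config` output.

```python
import re

# Constructed IOS running-config excerpt (not from the thread); the gaps are deliberate.
SAMPLE = """\
interface Gi1/0/1
 switchport mode access
 switchport nonegotiate
 switchport access vlan 10
interface Gi1/0/2
 switchport mode access
 switchport access vlan 1
interface Gi1/0/48
 switchport mode trunk
line vty 0 4
 transport input telnet ssh
"""

def parse(cfg):
    """Split a config into global lines and {section header: [indented lines]}."""
    glob, sections, cur = [], {}, None
    for raw in cfg.splitlines():
        if raw.startswith(" ") and cur:
            sections.setdefault(cur, []).append(raw.strip())
        elif re.match(r"(interface|line) ", raw):
            cur = raw.strip()
        elif raw.strip():
            cur = None
            glob.append(raw.strip())
    return glob, sections

def audit(cfg):
    """Return findings for the checklist items this script covers."""
    glob, sections = parse(cfg)
    out = [] if "vlan dot1q tag native" in glob else ["global: vlan dot1q tag native missing"]
    for name, lines in sections.items():
        if "switchport mode access" in lines:
            if "switchport nonegotiate" not in lines:
                out.append(f"{name}: DTP still enabled on access port")
            if not any(re.fullmatch(r"switchport access vlan (?!1$)\d+", l) for l in lines):
                out.append(f"{name}: access port on VLAN 1")
        elif "switchport mode trunk" in lines:
            if not any(re.fullmatch(r"switchport trunk native vlan (?!1$)\d+", l) for l in lines):
                out.append(f"{name}: trunk native VLAN is 1")
        elif name.startswith("line vty"):
            if "transport input ssh" not in lines:
                out.append(f"{name}: telnet not disabled (transport input ssh)")
            if "transport preferred none" not in lines:
                out.append(f"{name}: transport preferred none missing (typo-resolution guard)")
    return out
```

Running `audit(SAMPLE)` reports six findings: the missing global tag, both gaps on Gi1/0/2, the default native VLAN on the Gi1/0/48 trunk, and the two vty line items.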

the-packet-thrower commented on a post in r/ccna
the-packet-thrower 1 point

The rack monkey job is more applicable to network roles, the help desk route mostly just helps out with things like soft skills and getting used to dealing with a large volume of issues and difficult situations.

meganax 1 point

So if I had to pick between the two which one would you recommend? Keep in mind I certainly want a career in Network Administration/Network Engineer/Network Security.

the-packet-thrower 2 points

Either path should work, or even both since the path to true Net Eng is a long one.

The rack monkey path is good because you will at least do some basic things with network devices. It will have a heavy focus on things like cabling, working racks / data centres, installing / swapping cards etc. You'll also communicate with various network teams, so you'll get the lingo down etc. It will often be on a 24-hour rotation, so you could be the guy they call at 3am because the NOC can't talk to a router.

The tech support role tends to be less useful since you're often fixing issues where the user is simply an idiot who is trying to log in to their toaster oven because they think it's their monitor. However, it is more common for juniors to go the help desk route. It is more about just getting some kind of IT experience on your resume; it can improve your soft skills and get you used to corporate processes like ticketing every call, using their tools, and dealing with stupid management metrics.

the-packet-thrower commented on a post in r/networking
jrpthagod 11 points

I'd love to see an example

antikludge -1 points

No more than jq < curl | nc after the refactor.

the-packet-thrower 2 points

This can really go either way; sure, your solution seems clean and efficient (at least without knowing the task at hand), but it doesn't necessarily provide things like, say, error handling.

Of course it goes without saying that scripts can become overly long for any number of reasons, ranging from poor coding, to it simply not being the best tool for the job, to the coder just trying to put everything into classes etc.

Anyway doesn’t really seem like python’s fault as much as the wrong tool for the job.

the-packet-thrower 6 points

I’m sure it was ifconfig ens33 up

the-packet-thrower commented on a post in r/Cisco
VA_Network_Nerd 1 point

I wouldn't trust that site. They have terrible reviews on Yahoo.

the-packet-thrower 1 point

What’s its yelp score?

VA_Network_Nerd 1 point

1.5 Stars "Worst Soup Sandwich I've ever tasted."

the-packet-thrower 1 point

Damn! I’m ruined!

the-packet-thrower commented on a post in r/ccna
the-packet-thrower 1 point

No, the only free path is to wait for the scholarship course to start and pass their coursework etc.

greenee111 1 point

what do you mean wait?

the-packet-thrower 1 point

Exactly what I said: if you take the test now then you're paying for it. It would be no different from anyone else going for the cert.

Cisco will only give the vouchers once you earn it by finishing the course when it starts.
