3 points · 10 hours ago

This is called a DHCP or IP Exhaustion Attack. Eventually, the DHCP server will run out of addresses and will no longer respond to Discover requests with an Offer.

Port-security is the feature on most Cisco switches to protect against this attack. It allows only a limited number of MAC addresses to transmit on a single port. In this case, the attacker would find that after their 4th or 5th attempt, they would no longer receive DHCP offers, and even if they set a static IP, their traffic would be filtered.
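As an added illustration (not part of the thread above), the following Python models what port-security does to a DHCP starvation attempt: a port configured with `switchport port-security maximum N` learns the first N source MACs and then applies its violation mode to every further MAC. The Cisco defaults used here (maximum 1, violation shutdown) and the three modes protect/restrict/shutdown are real; the attacker MACs and the "offer" counter are constructed for the demonstration, and the model ignores MAC aging and sticky persistence.

```python
"""Model of switch port-security MAC limiting against DHCP starvation.

Added example, not from the original thread. Cisco semantics modelled:
default maximum is 1 secure MAC per port, default violation mode is
'shutdown' (port goes err-disabled); 'restrict' drops offending frames
and counts violations; 'protect' drops them silently. The attack traffic
below is constructed for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    maximum: int = 1
    violation: str = "shutdown"          # protect | restrict | shutdown
    learned: set = field(default_factory=set)
    violations: int = 0
    err_disabled: bool = False

    def ingress(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded, False if dropped."""
        if self.violation not in ("protect", "restrict", "shutdown"):
            raise ValueError(f"unknown violation mode {self.violation!r}")
        if self.err_disabled:
            return False
        if src_mac in self.learned:
            return True
        if len(self.learned) < self.maximum:
            self.learned.add(src_mac)        # dynamic (or sticky) secure MAC
            return True
        # limit exceeded: this is a security violation
        if self.violation == "shutdown":
            self.err_disabled = True         # err-disable the whole port
            self.violations += 1
            return False
        if self.violation == "restrict":
            self.violations += 1             # counted and logged
        return False                         # 'protect': silent drop


def fake_macs(n: int) -> list:
    """Constructed attacker MACs: locally administered, sequential."""
    return [f"02:00:00:00:00:{i:02x}" for i in range(n)]


def run_starvation(port: SecurePort, attempts: int) -> dict:
    """Send one DHCPDISCOVER per spoofed MAC; an offer comes back only if
    the frame made it past port-security to the DHCP server."""
    offers = 0
    for mac in fake_macs(attempts):
        if port.ingress(mac):
            offers += 1
    return {"offers": offers, "violations": port.violations,
            "err_disabled": port.err_disabled}


def compare_modes(attempts: int = 50, maximum: int = 4) -> dict:
    """Same attack against an unprotected port and the three violation modes."""
    unprotected = SecurePort(maximum=attempts)   # effectively no limit
    results = {"unprotected": run_starvation(unprotected, attempts)}
    for mode in ("protect", "restrict", "shutdown"):
        results[mode] = run_starvation(SecurePort(maximum, mode), attempts)
    return results


if __name__ == "__main__":
    for mode, r in compare_modes().items():
        print(f"{mode:12s} {r}")
```

The unprotected port hands out one offer per spoofed MAC until the pool is gone; with a maximum of 4 the attacker gets exactly four offers in every mode, and only the restrict mode leaves a violation count behind that a syslog-based alert could pick up.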

Original Poster · 1 point · 6 hours ago

Interesting, what about wifi? Is there a similar feature to port security?


Probably, however 802.11 is a completely different L2 protocol so it would look different and probably be implemented on the wireless controller.

3 points · 7 hours ago

It's not trickery on Phillip's part, but rather cost savings on "Light Blue's" part.

There are a lot of ways to convert AC to DC, and a few different ways to dim or color-change LEDs. There are definitely choices in both categories that are cheaper but don't look quite as pleasant--and there are probably choices that don't work well together.

The difference you are seeing is probably in the PWM frequency used for dimming and color-changing the LEDs. A higher frequency is less noticeable and more efficient but requires a much more sophisticated controller.

23 points · 10 hours ago

The largest difference is the time it takes for SVIs to come up/down compared to physical interfaces. In the case of SVIs, the L2 port must come up, then the SVI is raised. So if this link plays a critical role in failover, a routed interface may be superior to an SVI.

Cisco had a great slide on this in their campus architecture session, but I don't have the link anymore after the redesign.

20 points · 8 hours ago

Found it /u/NetworkTim:

BRKCRS-2031, Slide 23

  • SVI Link Down to Routing Update: 150-200 ms
  • L3 Link Down to Routing Update: 8 ms

If you're routing VoIP across that link, the SVI failover time is unacceptable, while the L3 link failover might go unnoticed.

3 points · 9 hours ago

The "state of IT" isn't a bad idea, but I think that's a lot of manual work for little benefit beyond the week it's created. I would suggest it's better for any employee to find that information using real-time monitoring tools. Here is how we are turning our unmonitored, undocumented network into a responsive, understood tool:

  1. Documentation: figure out what you have, where it is, and how it's connected. This should include model numbers, serial numbers, firmware versions, EoL/EoS status (if any) and uptime.
  2. Backup: figure out how what you have is set up. On demand and automated backups of all device configuration. Oxidized and Rancid are two popular FOSS solutions, other commercial solutions exist as well.

At this point you should be able to recover from almost any disaster, and new employees can study the network without touching it.

  3. Monitoring: figure out how you're using what you have. The common mantra is: monitor everything, alert on little. You want to be able to answer any question about your network with facts and historical numbers.

  4. Upgrades and maintenance: make what you have work like it should. Start cross-checking firmware versions against CVE notifications and published updates. Start with your most critical devices and work down. Create a procedure for each type of device along with estimated downtime, affected parties, and post-upgrade tests.

These last two should allow you to transition from reactionary management to proactive management.

Like others have pointed out, it really depends on what your homelab is for. It gets very, very expensive to keep a Cisco lab modern enough to run a working network. So if you plan on using your lab for networking experience, it's usually best to have separate networks.

I would recommend Ubiquiti for most home networks. Unifi line if you don't plan on doing anything crazy and want a point-and-click interface that is goof-proof. For more advanced networks, the Edge line is superior in features, but will probably require some CLI work on your part, and the single-pane-of-glass dashboard isn't quite there yet.

Original Poster · 1 point · 19 hours ago

Thanks, what's the other way to do C?


You can authenticate each member link individually. This is how it's presented in Odom.

zanfar commented on r/Cisco
4 points · 20 hours ago

I find myself in much the same shoes as you--a company that hasn't ever proactively managed the network. Here's how we're approaching it.

  1. Documentation and backups. We decided this was the single most important item as it serves as a last-resort, worst-case recovery solution. If our network gets hit by an EMP and a disgruntled remote hands tech slashes all our cables, we can recover. This also includes knowing the make, model, serial, and firmware for each device.

  2. Monitoring: this was a hidden gem to us. While we knew we needed better monitoring, we really didn't realize how critical it would be. Once we had a small amount of visibility, every question from that point on was framed in terms of facts and metrics instead of feelings and guesses. Currently, we do basic SNMP monitoring and alarming, we are working on syslogs, and plan on purchasing some form of tap or span-based in-depth monitoring tool to track higher-level metrics.

  3. Firmware: I'm going to adjust this to preventative maintenance and vulnerability mitigation--essentially issues caused outside the network. Our security team uses Nessus and we get weekly reports of IPs by the highest vulnerability. This is helpful, but the reports need a fair bit of hand-cleaning to remove duplicate IPs and it doesn't have any knowledge about edge vs internal devices.

    On top of this, the networks team has a custom SNMP script that scrapes firmware versions and compares them with a list we keep of the desired version. Keeping this list up-to-date is the hardest part of the process. We use a combination of CVE subscriptions from vendors, firmware update notifications, and old-fashioned manual checking. We combine all this to come up with what we consider the most-critical update and plan a window. Eventually, we plan to reach the point that we have regular rolling maintenance windows for each zone, and hope to defer most of those due to lack of required updates.

  4. Automation: This is a difficult one. While we have large goals, this is definitely an area where you can quickly get lost in the weeds. We have settled on Ansible as a primary mechanism specifically because it lets us start small. Find the lowest hanging fruit and start there. For us, it was user management and edge ACLs--the first because of security concerns, and the second due to the frequency of time-consuming updates.
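The firmware cross-check described in item 3 of this comment, and in the "Upgrades and maintenance" step of the earlier comment, lends itself to a small script. The one below is an added example, not the poster's SNMP script: it parses classic IOS version strings (major.minor(maintenance)TRAIN rebuild, for example 15.2(4)E7), compares a constructed inventory against a desired-version list, and refuses to rank versions across different release trains, because a rebuild number only orders releases within one train. The models, hostnames and baseline versions are placeholders, not vendor recommendations.

```python
"""Compare running IOS versions against a desired-version baseline.

Added example, not the original poster's script. The inventory below is
constructed (model/version pairs as an SNMP sysDescr scrape might yield);
the baseline versions are placeholders, not vendor recommendations.
Classic IOS versions look like 15.2(4)E7: major.minor(maintenance)TRAIN rebuild.
"""
import re
from typing import NamedTuple

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Z]+)?(\d+)?[a-z]?$")


class IosVersion(NamedTuple):
    major: int
    minor: int
    maintenance: int
    train: str
    rebuild: int

    @classmethod
    def parse(cls, text: str) -> "IosVersion":
        m = _VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"unrecognised IOS version string: {text!r}")
        major, minor, maint, train, rebuild = m.groups()
        return cls(int(major), int(minor), int(maint), train or "", int(rebuild or 0))

    def comparable_to(self, other: "IosVersion") -> bool:
        # Rebuild numbers only order releases within the same train (E, SE, ...)
        return self.train == other.train


def assess(model: str, running: str, baseline: dict) -> str:
    """Return 'ok', 'update', 'unknown-model' or 'train-mismatch'."""
    if model not in baseline:
        return "unknown-model"
    want = IosVersion.parse(baseline[model])
    have = IosVersion.parse(running)
    if not have.comparable_to(want):
        return "train-mismatch"          # needs a human decision, not a rebuild bump
    return "ok" if have >= want else "update"


def report(inventory: list, baseline: dict) -> dict:
    """Group device hostnames by assessment result."""
    out = {}
    for host, model, running in inventory:
        out.setdefault(assess(model, running, baseline), []).append(host)
    return out


# Constructed sample data: (hostname, model, running version)
BASELINE = {
    "WS-C2960X-48FPD-L": "15.2(7)E4",
    "WS-C3750G-24TS": "12.2(55)SE12",
}
INVENTORY = [
    ("access-sw-01", "WS-C2960X-48FPD-L", "15.2(7)E4"),
    ("access-sw-02", "WS-C2960X-48FPD-L", "15.2(4)E7"),
    ("access-sw-03", "WS-C2960X-48FPD-L", "15.2(7)E0a"),
    ("core-sw-01", "WS-C3750G-24TS", "12.2(55)SE12"),
    ("core-sw-02", "WS-C3750G-24TS", "15.0(2)SE11"),
    ("lab-sw-01", "WS-C3560-24PS", "12.2(44)SE6"),
]

if __name__ == "__main__":
    for status, hosts in sorted(report(INVENTORY, BASELINE).items()):
        print(f"{status:15s} {', '.join(hosts)}")
```

The "unknown-model" and "train-mismatch" buckets are the ones that need a person: the first means the desired-version list is incomplete, the second that a device runs a different train than the baseline assumes, which is exactly the kind of entry that silently rots when the list is not maintained.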

zanfar commented on r/ccna
4 points · 1 day ago

INE is the video equivalent of Odom. Incredibly detailed and I learned a lot of deep facts and concepts that I did not find elsewhere.

That being said, it is a lot of reading slides and bad diagrams. I find it just as helpful to watch on mute or listen to the audio-only.

CBTNuggets, for example, is much more entertaining, and Jeremy seems quite a bit more prepared and willing to edit in post. I always felt that CBT was more of a supplementary resource, while INE is much more comprehensive.

zanfar commented on r/ccna
5 points · 1 day ago

What is the format of the exam? (quick-fire questions? online or written?)

Is there a practical part to the exam too?

What are the areas you'd need to know most about?

my overall knowledge of networking in general is good enough to pass.

You might want to re-think how those statements work together. If you aren't aware of the topics and don't know what format the test is in, I would say you are in a pretty bad spot with respect to passing the test.

What study guides/videos/resources helped you the most?

it'll be nice for me to compile all your recent experiences and answers to help myself out

Then feel free to use the search function to your heart's content. Also, most of the top posts on any particular day are passing reports.


We are happy to help you on your journey, and we are even enthusiastic about answering technical questions that we see weekly--someone puts in a considerable effort to write a multi-paragraph answer on subnetting at least every 10 days. What you will have a hard time getting here is answers to questions that are easily answered with the smallest amount of research or questions into which you have put zero effort.

I would strongly suggest you avail yourself of the easily accessed materials offered to you:

  • Cisco's Certification Website
  • The stickied posts
  • The sidebar and search tool
  • The Wiki
3 points · 1 day ago

I have limited experience purchasing SmartNet, but I do use the service:

Purchasing SmartNet from a partner or from Cisco does not change how the program works. If you are getting coverage on equipment Cisco says can't be covered, you aren't purchasing SmartNet.

When you purchase SmartNet, you add the contract number to your Cisco account and that links it to all the covered equipment.

Once your account is linked to the contract number, you can access TAC resources online. You must also provide a covered serial number when opening a case.

zanfar commented on r/ccna
2 points · 2 days ago

One of the differences not mentioned between the two protocols is that LACP supports "standby" links. Both have a maximum of 8 active links in the channel, but with LACP, you can add another 8 that aren't normally used, but will join the bundle if one of the active links goes down.

Rarely used, I'm sure, but for cases where the EC is used for bandwidth and not redundancy reasons, and you can't afford a 12% loss, that might be important.

zanfar commented on r/ccna
3 points · 2 days ago

That theory would be incorrect.

While mildly interesting, you've done no troubleshooting and provided no configs, so my default answer is going to be you missed something. Did you test the EC before setting up VTP? Did you debug your VTP server? How long did you wait for an update?

7 points · 2 days ago

There is essentially nothing I can say or help with without a topology. We need networks, interface addresses, and configurations.

  • Are you on IPv4 or IPv6?
  • Are you doing NAT? Where? From/To what networks?
  • What are your addresses on each interface? What networks are on each router?
  • You can't verify RIP with a ping--that's a connection verification. Have you inspected your routing tables?
  • What's the route on R1 for your R2 source address to 0.0.0.0/0?
Original Poster · 2 points · 2 days ago · edited 2 days ago

I knew there'd be important stuff I left out! Thanks for your reply zanfar, I hope this makes sense:

1. IPv4

2. Nothing is NATed

3.

   Device    Interface   IP
   Plusnet   -           192.168.1.254/24
   R1        fa0/1       192.168.1.200/24
   R1        se0/0       10.40.1.1/30
   R2        se0/0       10.40.1.2/30

Hopefully you can see what's connected to what using the IPs

4. Yeah I have also verified RIP with the 'sho ip route' command

5. I don't understand this question

Edit: Added CIDR

3 points · 2 days ago

OK:

  1. What other networks (if any) are connected to R1 or R2?
  2. When you say "ping from R1" what interface/address are you pinging from?
  3. What does show ip route on R1 and R2 report?

I'm guessing it is that Plusnet does not understand where to find the 10.40.1.0/30 network. It also might be that Plusnet is not NATing foreign subnets. You need to fix/verify the first regardless. If the second issue is the problem, you'll have to NAT on R1 as well at least for external addresses.


1 point · 2 days ago

In general, this sub considers the CCNA R&S an unwritten prerequisite to all other CCNA certifications. Most of the knowledge on the ICND2 is assumed or included in other CCNA certs.

can we talk about the clusterfuck that is DVI though?

There are 6 different connectors, and they all have essentially the same god damn name

4 points · 3 days ago

Transition technologies are always fubared. DVI, passive PoE, parallel-hybrids, XHTML, QuickCharge...

Supporting legacy devices while predicting the future is hard.

2 points · 2 days ago

I find it like how that xkcd comic always describes it, you think it’ll be a new standard, too many appear and you make just one more cable to try and fit all the other standards together. In a way though, few port standards want to be transitional.

3 points · 2 days ago

True, they don't intend to, but they end up there. DVI held on to too much of the past: carry-over of analog signals and ignoring small-format connectors. It was useful in that in-between time where you had analog and digital displays coexisting, but as soon as analog died, HDMI won out due to interoperability with home theater, and the mini/micro formats.

Contrast that to DisplayPort which made a hard jump from time-based to packet-based. Yes, many people needed an adapter during the transition, but it isn't weighed down by any of that legacy baggage.

Edit: I composed this message on two DVI-driven displays; just thought that needed mention

1 point · 2 days ago · edited 2 days ago

Auto/auto unless you have problems.

Long-term: ship a $9 $21 transceiver from fs.com to the location. If you can trust them to plug in a UTP cable, you can trust them to plug in a GLC-T.

2 points · 3 days ago

You should visit /r/ccna . Even if you're not pursuing the certification, this level of knowledge is their bread and butter.

B) 6 * 2 = 12

A) 8 < 12 < 16, or 2^3 < 12 < 2^4, so you need 4 subnet bits to provide at least 12 networks. 24 + 4 = 28, so you need to create /28 subnets, or 255.255.255.240

C) With 4 bits in the last octet, network addresses increase by 2^(8-4) = 16. Conversely, there will be 2^4 - 2 = 14 usable addresses per subnet.

     Network            First host      Last host       Broadcast
  1. 192.168.1.0/28     192.168.1.1     192.168.1.14    192.168.1.15
  2. 192.168.1.16/28    192.168.1.17    192.168.1.30    192.168.1.31
  ....
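The arithmetic above, carried out with the Python standard library as an added example (not from the comment): given the parent network and the number of subnets required, it returns the new prefix length and lists each subnet's network, first and last usable host and broadcast, which is the table the comment started by hand. It generalises to any IPv4 parent network and subnet count, and refuses splits that would leave fewer than two usable hosts.

```python
"""Subnetting worked with ipaddress: borrow enough bits for N subnets and
enumerate network / first host / last host / broadcast for each.

Added example, not from the original thread; standard library only.
"""
import ipaddress
import math
from typing import List, Tuple


def prefix_for_subnets(network: str, needed: int) -> int:
    """Smallest prefix length giving at least `needed` subnets of `network`."""
    net = ipaddress.ip_network(network, strict=True)
    if needed < 1:
        raise ValueError("need at least one subnet")
    bits = math.ceil(math.log2(needed))     # 12 networks -> 4 borrowed bits
    new_prefix = net.prefixlen + bits
    if new_prefix > net.max_prefixlen - 2:  # keep >= 2 usable hosts per subnet
        raise ValueError(f"{network} cannot be split into {needed} usable subnets")
    return new_prefix


def netmask(prefix: int) -> str:
    """Dotted-decimal mask for a prefix length, e.g. 28 -> 255.255.255.240."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)


def usable_hosts(prefix: int) -> int:
    """2^(32 - prefix) minus network and broadcast addresses."""
    return 2 ** (32 - prefix) - 2


def enumerate_subnets(network: str, needed: int) -> List[Tuple[str, str, str, str]]:
    """(network/prefix, first usable, last usable, broadcast) for every subnet
    produced by the split; the list is longer than `needed` when needed is
    not a power of two (12 requested -> 16 produced)."""
    net = ipaddress.ip_network(network, strict=True)
    rows = []
    for sub in net.subnets(new_prefix=prefix_for_subnets(network, needed)):
        hosts = list(sub.hosts())            # excludes network and broadcast
        rows.append((str(sub), str(hosts[0]), str(hosts[-1]),
                     str(sub.broadcast_address)))
    return rows


if __name__ == "__main__":
    parent, wanted = "192.168.1.0/24", 12
    p = prefix_for_subnets(parent, wanted)
    print(f"/{p}  mask {netmask(p)}  {usable_hosts(p)} usable hosts per subnet")
    for row in enumerate_subnets(parent, wanted):
        print("  ".join(f"{col:17s}" for col in row))
```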
Original Poster · 1 point · 3 days ago

Mis typed that. I’ll edit.

I have one server on vlan30, NAS is on vlan1. If I transfer between those two, it’s around 30-40mb/s.

If I transfer between 2 machines on vlan1, I get 100-110mb/s

3 points · 3 days ago

I don't see any L3 interfaces, so are you sure your 3750 is the DG for both hosts? What's the point of having an L3 switch with a trunk to the router?

I'm not sure an L3 switch of that age is really what you want to use if you need wire-speed routing. I'm pretty sure that switch won't route at gigabit speeds. 50% seems reasonable enough.

Also: MB/s is not the same as Mb/s or mb/s, please use units responsibly.

Original Poster · 2 points · 3 days ago

This is my home gear, and I made the ports trunks to get it up and running, I know I need to refine the ports and config a bit, this was just the start.

This is my first time trying to setup any L3 stuff, and my Cisco knowledge is a little old.

2 points · 3 days ago

So... are you sure the 3750G is the DG for the hosts? .30 isn't exactly a typical GW address.


2 points · 3 days ago

What is the purpose behind having certain commands only available in certain modes?

  • Security. The more dangerous the command, the higher access you need to use it.
  • Safety. You have to enter config mode before making any changes, this helps prevent typos from screwing up your config.

why are the show commands normally only available in privileged exec mode but not in config mode?

They are available via the do operator. When in config mode, the CLI expects to parse only certain commands. The do prefix tells the CLI to use the exec parsing rules instead of the config parsing rules.

I also know that with ASAs you can issue show commands when in config mode or interface mode

Different software altogether. The ASA uses a single parser for all modes.

1 point · 3 days ago

Is your UTM device providing DHCP services?

1 point · 3 days ago

Learn Ansible:

  • Generate access switch config
  • Develop a Hardware and OS Inventory report
  • Set VLANs (and create if necessary) on all access ports

Learn to write Ansible modules:

  • Configure SNMP or NTP

Learn SNMP:

  • Trace a MAC address given only the MAC and a list of core switches
Original Poster · 1 point · 3 days ago

Are these requests or are you trying to offer advice? I'm aware Ansible has strengths for some of these items. My goal is to learn python for my greater goal. Not just networking.

1 point · 3 days ago

I missed the "offer help" part. Thought you were looking for ideas for your next script.

zanfar commented on r/ccnp
Original Poster · 1 point · 3 days ago

I don't understand how we are using these in our environment then.

2 points · 3 days ago

You're not, at least not as a netmask.

It could be a wildcard mask, but it looks wrong for that as well (not invalid, just not likely useful).

zanfar commented on r/ccna
1 point · 3 days ago

Yes, the tail end of ICND2 was pretty hard. There weren't any more concepts to learn, but a lot of detail memorization. That being said, it was a lot tougher than I expected, so don't slack off. If you're not on a schedule, think about postponing and giving yourself a few weeks off.

Pushing through the end of a project after the fun stuff is over ends up being a useful skill in the workplace too.

u/zanfar
Karma 18,049 · Cake day August 31, 2012