Page 2 of 3 (results 26 to 50 of 61)
  1. Senior Member --chris-- (Join Date: Jul 2013; Location: Metro Detroit; Posts: 1,402; Certifications: ITIL F, C|EH) #26
    Quote Originally Posted by joetest:
    I've just refreshed that after someone else asked the same thing.
    In short: Yes you're on the right path. With a vlan filter/VACL you can permit/deny traffic inside the same vlan and couple it with Mac ACLs too.

    I.e. you can deny all HTTP/tcp80 traffic just by making an acl like:
    access-list 123 permit tcp any any eq www
    and inside a vlan access-map you drop the matched acl:
    match ip address 123

    action drop

    And a new sequence number with just an "action forward" to allow everything else inside the VLAN filter.
    Something like:
    access-list 123 permit tcp any any eq 80
    vlan access-map Deny-http 5
    match ip address 123
    action drop
    vlan access-map Deny-http 10
    action forward
    vlan filter Deny-http vlan-list 10 (apply the "Deny-http" access-map to vlan-list with vlan10)

    All TCP/80 traffic inside vlan 10 is denied by matching all tcp/80 traffic in your ACL 123 after adding vlan 10 in the vlan filter command.
    To clarify a bit more: they can control access for packets bridged/forwarded inside a vlan or routed across VLANs (think SVIs). They just don't have any control over whether it's inbound or outbound - it's both.
    I appreciate the response, but I am still lost :/ It could be the headache though. I finished the FLG tonight, starting to lab and re-read subjects that I feel weak on.


  3. Member (Join Date: Jan 2014; Posts: 98; Certifications: CCNP R&S) #27
    It's a bit like a route-map. Instead of setting some action (set ip next-hop bla bla), you're now telling it to drop or forward whatever traffic it is you're permitting in your access-list (which can be a Mac acl).

    I say match all traffic (any to any) using port tcp/80 aka http/www in access-list 123:
    access-list 123 permit tcp any any eq 80
    Then I start a vlan access-map "Deny-http" with sequence nr. 5 like a route map, using that name to make it descriptive:
    vlan access-map Deny-http 5
    Where I match IP addresses based on whatever is in ACL 123 (which was any to any on port tcp/80):
    match ip address 123
    Ok, so now I've told the access-map to match traffic on port 80, and if traffic inside whatever vlan is matched (packets going to port 80 on a server host) then drop/stop it:
    action drop
    Now all http traffic going from any to any will be dropped, but remember, like ACLs there's an implicit deny ip any any at the bottom, so to circumvent that I make a new statement with a higher sequence in the same vlan access-map:
    vlan access-map Deny-http 10
    And I tell the next sequence number to just forward all traffic (if it's not http traffic):
    action forward

    Now I've created my access-map (like a route-map) and just have to apply it to whatever VLANs I want to use this filter on (deny all http traffic, but permit everything else):
    vlan filter Deny-http vlan-list 10
    You now drop all http traffic going from any to any INSIDE vlan 10. That's why you can also drop/forward based on Mac addresses if you use a mac acl to match them. It's inside the same Layer 2 domain, which forwards based on... Mac addresses.

    You'll get it once you lab it a bit.
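As an added illustration (not joetest's configuration or any IOS code), here is a small Python model of how a VLAN access-map evaluates a packet: sequence order, the rule that an ACL permit selects the packet for that sequence while an ACL deny only moves evaluation on, and the implicit deny that makes the trailing "action forward" sequence necessary. The host addresses are constructed; the ACL and map contents follow the thread's example.

```python
"""Simulate Cisco IOS VLAN access-map (VACL) evaluation.
Constructed model, not IOS code: it encodes the 'Deny-http' map described
above and shows why the extra 'action forward' sequence is needed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    proto: str               # "tcp", "udp" or "ip"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Ace:
    """One access-list entry, e.g. 'permit tcp any any eq 80'."""
    action: str              # "permit" or "deny"
    proto: str
    src: str = "any"
    dst: str = "any"
    eq: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src != "any" and self.src != pkt.src:
            return False
        if self.dst != "any" and self.dst != pkt.dst:
            return False
        return self.eq is None or self.eq == pkt.dport


@dataclass
class Sequence:
    """One 'vlan access-map NAME SEQ' clause."""
    seq: int
    action: str                              # "drop" or "forward"
    match_acl: Optional[List[Ace]] = None    # None: no match clause, matches all

    def matches(self, pkt: Packet) -> bool:
        if self.match_acl is None:
            return True
        # In a VACL an ACL 'permit' selects the packet for this sequence; an
        # ACL 'deny' only means "not selected here" and evaluation moves on.
        for ace in self.match_acl:
            if ace.matches(pkt):
                return ace.action == "permit"
        return False


def evaluate(access_map: List[Sequence], pkt: Packet) -> str:
    """Return 'drop' or 'forward' for pkt under the access-map."""
    for seq in sorted(access_map, key=lambda s: s.seq):
        if seq.matches(pkt):
            return seq.action
    return "drop"   # implicit deny: no sequence matched


ACL_123 = [Ace("permit", "tcp", eq=80)]          # access-list 123 permit tcp any any eq 80
# vlan access-map Deny-http 5: match ip address 123, action drop; seq 10: action forward
DENY_HTTP = [Sequence(5, "drop", ACL_123), Sequence(10, "forward")]
DENY_HTTP_NO_FORWARD = [Sequence(5, "drop", ACL_123)]   # seq 10 forgotten
HTTP = Packet("tcp", "10.0.10.5", "10.0.10.20", 80)     # constructed VLAN 10 hosts
SSH = Packet("tcp", "10.0.10.5", "10.0.10.20", 22)

if __name__ == "__main__":
    for pkt in (HTTP, SSH):
        print(f"tcp/{pkt.dport}: {evaluate(DENY_HTTP, pkt)} with seq 10, "
              f"{evaluate(DENY_HTTP_NO_FORWARD, pkt)} without")
```

Without sequence 10 every non-HTTP flow in the VLAN is silently dropped, which is the mistake the implicit deny invites.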

  4. Senior Member --chris-- (Join Date: Jul 2013; Location: Metro Detroit; Posts: 1,402; Certifications: ITIL F, C|EH) #28
    Thanks again! I was over complicating the idea...I have a better grasp on it now. I need to lab it a bit before I feel comfortable with it though.



  5. Senior Member --chris-- (Join Date: Jul 2013; Location: Metro Detroit; Posts: 1,402; Certifications: ITIL F, C|EH) #29
    For anyone following along, I am still chugging away at the studies. I have decided to start posting on LinkedIn. Essentially what I do is make 1 post for each objective, breaking the objective down into terms I understand, then write about it as if I am trying to teach someone else what I just learned. So far it's been great for retaining the knowledge. It also forces me to lab the objective so that I can verify my post is accurate.

    It has the nice benefit of increasing profile views as well as showing potential employers I am not just looking for a job, I really do enjoy this stuff!



  6. Senior Member --chris-- (Join Date: Jul 2013; Location: Metro Detroit; Posts: 1,402; Certifications: ITIL F, C|EH) #30
    I realized yesterday my CCNA expires in Jan of 2017 (1/4/2017), so now I REALLY need to buck up and finish this.....picking up where I left off, reviewing the OCG for material as a refresher, reviewing my linkedin posts I made which are summaries of each section, then moving onto labbing.

    Set the lab up in the new house (moved in late January of this year, new job in June, been busy) and now just need 3 more console cables to get everything connected all the way. Reset configs, erased vlan.dat's and did a wr mem....ready to go!

    Also ordered the FLG and lab guide.



  7. Senior Member (Join Date: Jan 2015; Location: Cluj-Napoca, RO; Posts: 330; Certifications: Several (ITIL, Avaya, ShoreTel, Cisco)) #31
    Quote Originally Posted by --chris--:
    I realized yesterday my CCNA expires in Jan of 2017 (1/4/2017), so now I REALLY need to buck up and finish this.....picking up where I left off, reviewing the OCG for material as a refresher, reviewing my linkedin posts I made which are summaries of each section, then moving onto labbing.

    Set the lab up in the new house (moved in late January of this year, new job in June, been busy) and now just need 3 more console cables to get everything connected all the way. Reset configs, erased vlan.dat's and did a wr mem....ready to go!

    Also ordered the FLG and lab guide.
    Good luck man. Also going through a CCNA review at the moment & planning on tackling CCNP soon. Going to start ROUTE first though.

  8. Senior Member --chris-- (Join Date: Jul 2013; Location: Metro Detroit; Posts: 1,402; Certifications: ITIL F, C|EH) #32
    Spent an hour trying to get one of the 3750s set up for management but could not get SSH to work. Telnet turned off, SSH enabled, I could connect but I would keep getting rejected because of a bad password.

    Finally I wr mem, reloaded and it worked...must have been a hung service?

    Finished chapters 1-3 in FLG, set up the lab for VTP next time.



  9. Senior Member --chris-- (Join Date: Jul 2013; Location: Metro Detroit; Posts: 1,402; Certifications: ITIL F, C|EH) #33
    Quote Originally Posted by negru_tudor:
    Good luck man. Also going through a CCNA review at the moment & planning on tackling CCNP soon. Going to start ROUTE first though.
    Good luck, I wish I had gone straight to CCNP studies from CCNA. The material is not much more difficult to understand if you are at CCNA level, and NP is where you finally get into the fun stuff. I think of NA as your first year of college, getting all the boring required learning out of the way before the meat and potatoes.



  10. Senior Member --chris-- (Join Date: Jul 2013; Location: Metro Detroit; Posts: 1,402; Certifications: ITIL F, C|EH) #34
    Determined this morning that one of my lab switches is failing. I have to reboot it every 20-30 minutes to ssh into it. Good thing I ordered that other switch...hopefully it will be here this week.



  11. Senior Member (Join Date: Jan 2015; Location: Cluj-Napoca, RO; Posts: 330; Certifications: Several (ITIL, Avaya, ShoreTel, Cisco)) #35
    Quote Originally Posted by --chris--:
    Determined this morning that one of my lab switches is failing. I have to reboot it every 20-30 minutes to ssh into it. Good thing I ordered that other switch...hopefully it will be here this week.
    Any specific reason why it's going AWOL? Seen this happen to my lab 2801 and it was due to the RAM stick.

  12. Senior Member --chris-- (Join Date: Jul 2013; Location: Metro Detroit; Posts: 1,402; Certifications: ITIL F, C|EH) #36
    Quote Originally Posted by negru_tudor:
    any specific reason why it's going A-wall? seen this happen to my lab 2801 and it was due to the RAM stick.
    I did not troubleshoot it, I only have an hour or so each morning to put into studying SWITCH topics and I have a new switch on the way. It's also exhibiting other odd behaviors that are fixed with reboots (like VTP not propagating, but a reload makes that work). Unless I am missing something with VTP?



  13. Senior Member --chris-- (Join Date: Jul 2013; Location: Metro Detroit; Posts: 1,402; Certifications: ITIL F, C|EH) #37
    It's almost worthwhile to have a busted switch in your lab, you're constantly troubleshooting! (half kidding)

    Got VTP working, played with different modes, reset counters, adjusted parameters and broke it a few times then fixed it. Watched info propagate out to clients. Discovered the server can jump between vtp versions and the clients will follow (cool). Put everything into transparent mode and moved on....

    Feel pretty comfortable with VTP, moving on to STP. Set up the 2950s for management, will config them tomorrow (maybe later today if remote access is working) for STP labs.



  14. Senior Member --chris-- (Join Date: Jul 2013; Location: Metro Detroit; Posts: 1,402; Certifications: ITIL F, C|EH) #38
    34% through FLG again, much of it feels very familiar. I am making notes using Anki for review and retention, I will make these available when I am finished.

    8% of the way through Chris Bryant's Udemy course, labbing along with him. Spent this morning learning STP timer adjustment, priority, and shifting the root bridge around for different VLANs. I need more time working with port settings in STP; I understand how these work, I just don't remember which setting does what without tabbing.

    I am going to start tracking lab time as well, including today (2 hours) I am up to 5 hours.
    Last edited by --chris--; 09-05-2016 at 01:03 PM.



  15. Junior Member (Join Date: Aug 2016; Posts: 4; Certifications: CCNA R&S) #39
    Nice topic, great idea to post things on LinkedIn. I might give that a try as well. Good luck with your studies!

  16. Senior Member --chris-- (Join Date: Jul 2013; Location: Metro Detroit; Posts: 1,402; Certifications: ITIL F, C|EH) #40
    37% on FLG, slower progress due to holiday weekend festivities. No progress made this morning, had a few hours of school work to nail down so I can focus on CCNP the rest of the week. Also, found out I have a week off between summer semester and fall semester, I did not know I had that! A week of nothing but SWITCH studies will help me achieve my goal!



  17. Senior Member --chris-- (Join Date: Jul 2013; Location: Metro Detroit; Posts: 1,402; Certifications: ITIL F, C|EH) #41
    Had some trouble understanding Root Guard, this explanation helped me the most (and maybe help someone else!):

    BPDU Guard
    • BPDU guard disables the port upon BPDU reception if PortFast is enabled on the port. The disablement effectively denies devices behind such ports from participation in STP.
    • You must manually reenable the port that is put into errdisable state or configure errdisable-timeout. The receipt of unexpected BPDUs may be accidental or may be part of an unauthorized attempt to add a switch to the network. BPDU guard is best deployed toward user-facing ports to prevent rogue switch network extensions by an attacker.

    Root guard
    • Root guard allows the device to participate in STP as long as the device does not try to become the root. If root guard blocks the port, subsequent recovery is automatic. Recovery occurs as soon as the offending device ceases to send superior BPDUs.
    • The root guard feature of Cisco switches is designed to provide a way to enforce the placement of root bridges in the network. Root guard limits the switch ports out of which the root bridge may be negotiated. If a root-guard-enabled port receives BPDUs that are superior to those that the current root bridge is sending, then that port is moved to a root-inconsistent state.
    https://supportforums.cisco.com/disc...-vs-bpdu-guard


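Added example, not from the quoted Cisco text or any Cisco code: a small Python model of the two behaviours described above, with constructed bridge IDs and port names. It shows that BPDU guard errdisables a PortFast port on any BPDU and needs manual recovery, while root guard blocks only on a superior BPDU, keeps the existing root, and recovers by itself once the superior BPDUs stop.

```python
"""Port-state model for BPDU guard vs. root guard.
Constructed example, not Cisco's code: it models only what the quoted text
describes (what triggers each guard, automatic vs. manual recovery).
Bridge IDs are (priority, MAC) tuples; the lower tuple is the superior one.
"""
from dataclasses import dataclass
from typing import Tuple

BridgeId = Tuple[int, str]


@dataclass
class Port:
    name: str
    portfast: bool = False
    bpdu_guard: bool = False
    root_guard: bool = False
    state: str = "forwarding"   # forwarding | root-inconsistent | errdisable


@dataclass
class Switch:
    bridge_id: BridgeId
    root_id: BridgeId           # root bridge this switch currently believes in

    def receive_bpdu(self, port: Port, advertised_root: BridgeId) -> str:
        """Process a BPDU seen on 'port'; return the port's resulting state."""
        if port.state == "errdisable":
            return port.state   # stays down until an admin (or errdisable-timeout) recovers it
        if port.bpdu_guard and port.portfast:
            # BPDU guard: any BPDU on a PortFast port is unexpected -> errdisable
            port.state = "errdisable"
            return port.state
        superior = advertised_root < self.root_id
        if port.root_guard and superior:
            # Root guard: the neighbour is trying to become root -> block, keep our root
            port.state = "root-inconsistent"
            return port.state
        if superior:
            self.root_id = advertised_root   # unguarded port: the new root is accepted
        return port.state

    def superior_bpdus_aged_out(self, port: Port) -> str:
        """No superior BPDU for max-age: a root-guard block clears on its own."""
        if port.state == "root-inconsistent":
            port.state = "forwarding"
        return port.state

    def admin_recover(self, port: Port) -> str:
        """shutdown / no shutdown: the only way out of errdisable in this model."""
        if port.state == "errdisable":
            port.state = "forwarding"
        return port.state


if __name__ == "__main__":
    core = Switch((4096, "0000.0000.0001"), (4096, "0000.0000.0001"))
    edge = Port("Gi1/0/10", portfast=True, bpdu_guard=True)
    uplink = Port("Gi1/0/24", root_guard=True)
    rogue_root = (0, "0000.0000.00ff")   # constructed: priority 0 beats the real root
    print(edge.name, core.receive_bpdu(edge, rogue_root))          # errdisable
    print(uplink.name, core.receive_bpdu(uplink, rogue_root))      # root-inconsistent
    print(uplink.name, core.superior_bpdus_aged_out(uplink))      # forwarding
    print(edge.name, core.superior_bpdus_aged_out(edge))          # still errdisable
    print(edge.name, core.admin_recover(edge))                    # forwarding
```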

  18. Senior Member --chris-- (Join Date: Jul 2013; Location: Metro Detroit; Posts: 1,402; Certifications: ITIL F, C|EH) #42
    43% through FLG, received OCG and poked around in it...much greater level of detail compared to the FLG.

    Finished the STP chapter last night in FLG and feel like I only retained 50% of it. I can tell by the amount of time spent on STP in both the books and videos that mastery of the topics discussed will be required to pass CCNP.

    Anyone have any good resources for really understanding STP?

    30 min in lab; 5:30 total.


    edit: I did order the SWITCH lab manual (v2), maybe that will help in the STP/labbing?

    just waiting on BN.com to get it to me....as an aside, Amazon spoils us with two day shipping. I had $70 in gift cards to BN.com and thought why not use them to buy the FLG and switch lab books....it's been 11 business days since I ordered them; the OCG arrived Friday (?) and the lab manual is somewhere between me and Illinois (about 200 miles). If I paid for these books without gift cards I might be upset lol.
    Last edited by --chris--; 09-07-2016 at 11:56 AM.



  19. Senior Member Danielh22185 (Join Date: Apr 2012; Location: DFW Area; Posts: 1,172; Certifications: CCNP R&S, CCNA, CCENT) #43
    All I can say is repetition, repetition, repetition! Keep at it! Many times when I felt I didn't understand particular topics I would switch my study resource a bit. Sounds like you have 2 different books to bounce off of, which is good. You might also try looking into the CCNP Simplified Series. They are tailored for the older test BUT they have probably 85-90% of the current exam content covered, and typically advanced stuff that was not on the older tests or on the new ones. Stuff like STP, VTP, OSPF, EIGRP, etc... the core concepts will not change. You can get that entire library virtually for $30 on amazon.

    Also maybe try mixing up your study with video content, and different video content. I've learned to REALLY enjoy Chris Bryant's stuff (I wish I would have delved into his stuff earlier). Some people will call him a bit dry and his presentation method a bit simple but he gets right to the point and shows EVERYTHING in the CLI, which I felt was crucial to learning. Him doing everything in the CLI also gives you a great opportunity to easily create the same topology and follow along.

    My reading / video study method would be to first flat out read or watch through everything once. Then come back pen in hand ready to take extensive notes over the same exact content. Many of the professional trainers out there will mention they expect you to watch or read the content multiple times to get the content down and understood, which I fully agree with. I would even pop the videos on in my car rides to and from work to listen to as I drove to have that constant mental regurgitation.

    Labbing is obviously your friend (and a must!) which I more reserved for the end of my studies to apply what I learned.

    Everybody is different but those are my methods, so feel free to take from that what you may.
    Last edited by Danielh22185; 09-07-2016 at 01:54 PM.
    Currently Studying: IE Stuff...kinda...for now...
    My ultimate career goal: To climb to the top of the computer network industry food chain.
    "Winning means you're willing to go longer, work harder, and give more than anyone else." - Vince Lombardi

  20. Senior Member (Join Date: Nov 2009; Location: Indiana; Posts: 316; Certifications: ITIL Foundation, Security+, CISSP, CCENT, CCNA R&S) #44
    Thanks for those tips Daniel!

  21. Senior Member --chris-- (Join Date: Jul 2013; Location: Metro Detroit; Posts: 1,402; Certifications: ITIL F, C|EH) #45
    Quote Originally Posted by Danielh22185:
    All I can say is repetition, repetition, repetition! Keep at it! Many times when I felt I didn't understand particular topics I would switch my study resource a bit. Sounds like you have 2 different books to bounce off of, which is good. You might also try looking into the CCNP Simplified Series. They are tailored for the older test BUT they have probably 85-90% of the current exam content covered, and typically advanced stuff that was not on the older tests or on the new ones. Stuff like STP, VTP, OSPF, EIGRP, etc... the core concepts will not change. You can get that entire library virtually for $30 on amazon.

    Also maybe try mixing up your study with video content, and different video content. I've learned to REALLY enjoy Chris Bryant's stuff (I wish I would have delved into his stuff earlier). Some people will call him a bit dry and his presentation method a bit simple but he gets right to the point and shows EVERYTHING in the CLI, which I felt was crucial to learning. Him doing everything in the CLI also gives you a great opportunity to easily create the same topology and follow along.

    My reading / video study method would be to first flat out read or watch through everything once. Then come back pen in hand ready to take extensive notes over the same exact content. Many of the professional trainers out there will mention they expect you to watch or read the content multiple times to get the content down and understood, which I fully agree with. I would even pop the videos on in my car rides to and from work to listen to as I drove to have that constant mental regurgitation.

    Labbing is obviously your friend (and a must!) which I more reserved for the end of my studies to apply what I learned.

    Everybody is different but those are my methods, so feel free to take from that what you may.
    Thanks for all the suggestions, I am going to work these in! I have the Udemy and INE videos, then the OCG and FLG, and am still waiting on the lab guide.

    I'll see what I can find on the simplified series if time permits / knowledge gaps still exist.



  22. Senior Member --chris-- (Join Date: Jul 2013; Location: Metro Detroit; Posts: 1,402; Certifications: ITIL F, C|EH) #46
    No labbing today, worked on filling out my notes on:
    • Switch priority/config/verification
    • Path cost/config/verification
    • STP Timer/config/verification
    • RootGuard/config/verification
    • LoopGuard/config/verification
    Feel much more confident in those sections. I think spending a week or 10 days focusing on nothing but STP and how it relates to the SWITCH exam will be a big help instead of progressing through the books and videos in a linear fashion.



  23. Senior Member --chris-- (Join Date: Jul 2013; Location: Metro Detroit; Posts: 1,402; Certifications: ITIL F, C|EH) #47
    Vacation has been much less productive than planned (as far as this cert is concerned).

    Can someone help me figure out which IOS versions support TCLSH? Is it only supported on 12.2+? Or is it dependent on the image?

    I created a reset and a base config tclsh script on one switch, then tftp copied it to another switch but I can not "call it"...the switch does not recognize any TCLSH command.

    The switch it works on is 12.2 / K9 image, the switch it does not work on is 12.1 / I5-M



  24. Senior Member --chris-- (Join Date: Jul 2013; Location: Metro Detroit; Posts: 1,402; Certifications: ITIL F, C|EH) #48
    While attempting to telnet into a lab switch I get this prompt:

    Is it just me or is it weird I can reach a service provider device via private IP?



  25. Senior Member (Join Date: Dec 2013; Location: Trinidad and Tobago; Posts: 120; Certifications: A+, CCENT, CCNA R&S, CCNA Security, CCNA Voice, CCNP R&S, BCNE2012, HCNA, ITIL Foundations, BCNP, BAIS, VCA-DCV) #49
    Quote Originally Posted by --chris--:
    While attempting to telnet into a lab switch I get this prompt:

    Is it just me or is it weird I can reach a service provider device via private IP?
    hahahah I hope that's not your ISP router, an SR 7750 is a pretty good triple play router, by chance who is your ISP?

  26. Senior Member (Join Date: Sep 2014; Location: Minnesota; Posts: 768; Certifications: CCNA:R&S, VCA6-DCV, Sec+) #50
    I don't think it is supported on 12.1
    Cisco IOS Scripting with Tcl 12.3(2)T 12.3(7)T 12.2(25)S 12.2(33)SXH 12.2(33)SRC 12.2(33)SB Cisco IOS XE 3.1.0SG

    and you can always look it up:

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn.