It's happening! CCNP here I go...

#1 --chris-- (Senior Member, Metro Detroit; certs: ITIL F, C|EH)

    After a discussion with some regulars here and some people on Linkedin I have decided to begin CCNP work despite having only 18 months of work experience.

    I am familiar with the arguments against CCNP with that little experience. I am prepared to battle my way through the interview hell that this may bring on me. But that is all for a later date & time.

    For right now, I am focusing on 300-115 (SWITCH) first since it is what I have the most experience with and will provide the most benefit to me in my current role. I am enrolled full time in school (BS in Info Sec), typically work about 50 hours a week and have a family that comes first. With that said...

    Here is the plan for SWITCH:
    • Read FLG / build lab / familiarize myself with the objectives
    • Watch Chris Bryant's videos on Udemy / lab along / make notes
    • Read OCG / more labbing / make notes
    • Combine notes into study guide / find weak spots, research/lab them
    • Crush exam
    • ???
    • profit

    Lab setup:
    2x 3750
    2x 2950 (for STP participation)
    2x 1841s (unknown use at this point)

    I think this style lab will get me through everything on the objectives, does anyone have some ideas or criticism? I plan on setting up QinQ with GNS3 for the ROUTE exam when I finish up SWITCH.

    I have finished chapters 1, 2 & 3 in the FLG. So far a lot of review that I needed and some new ideas that I can actually use in my day-to-day work already. I can tell the exam content is going to teach me some things I really need to know.

    I will be posting here with questions and looking for advice from others as I move through the material. The timeline is a long one, about 12 months for all three exams.
    Last edited by --chris--; 10-07-2015 at 04:55 PM.


#2 --chris--
    First question: Looking over the ROUTE objectives I ran across something I had never seen before, so I googled it.

    VRF-lite
    Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide, 12.2(25)EW - Configuring VRF-lite [Cisco Catalyst 4500 Series Switches] - Cisco

    In the description it says, "A VPN is a collection of sites sharing a common routing table".

    The word VPN is being used differently than I am familiar with. When I think VPN, I think IPsec and SSL...this doesn't appear to be that. Is VPN being used to mean something completely different here?


#3 fredrikjj (Senior Member, Sweden; certs: CCNP)
    Originally Posted by --chris--:
    Is VPN being used to mean something completely different here?
    Yes, but it'll make sense once you get to VRFs so don't worry about it. A VRF's basically a separate routing table that only certain interfaces belong to, and using various techniques, that can be used to create VPNs. It's "private" in the sense that forwarding from one VPN to another is prevented. It doesn't have anything to do with encryption.
    Last edited by fredrikjj; 10-07-2015 at 09:03 PM.
#4 10Linefigure (USA; certs: CCNA R&S, Security+, Network+, A+)
    Get it man! You will knock it out of the park. Good luck
#5 Simrid (Senior Member, England; certs: CCNP: R&S, CCNA: Sec)
    Welcome onboard!
#6 devils_haircut (Senior Member, Indiana; certs: CCNA:Sec, CCNA:R&S, VCA-DCV, Linux+, A+, Net+, Sec+, 70-685, Proj+, A.A.S.)
    Good luck! I just passed my CCNP: SWITCH exam last night (2nd attempt), and it's a good feeling to have that accomplished. It was tougher than I was expecting, but looking over my notes and what topics I studied, it's not as broad as the CCNA was. It's much, much more focused on the details of spanning tree (STP, RSTP, MST), HSRP, Etherchannel, AAA, and VACLs.

    I think you and I are at similar experience/skill levels. I've only been officially on my company's network team for less than a year, but I was handling a lot of Layer 2 and server issues before I got promoted. I don't think it's such a big deal to have limited experience + your CCNP. All having the CCNP proves is that you know and understand the topics on the CCNP exams (hopefully); it doesn't mean you are automatically some sort of network wizard. If you have limited experience, just be honest about that in interviews.

    I think your plan and equipment list look good. I managed with 2 x 2950s, 3 x 3550s, 1 x 3750G, 1 x 1841, and 2 x 2621s (didn't really need those routers, though). Also highly recommend the Chris Bryant videos...I used those as well.

    I'm gonna take a few days off, then start on ROUTE.
#7 stylezunknown (Member, TX)
    You got this Chris. I'm about to finish my CCNA. I'll try to keep up with you.
#8 --chris--
    Originally Posted by stylezunknown:
    You got this Chris. I'm about to finish my CCNA. I'll try to keep up with you.

    This is something I would recommend if you know CCNP is in your future. This feels like it picks up right where CCNA left off.


    The 3750-24FS-S I just picked up is pure 100BASE-FX. Will this SFP work with the SFP slots I have in this switch? I'll get two if this will work.


    New Cisco Compatible 10/100/1000BASE-T Gigabit Ethernet Auto Negotiation Copper SFP Optical Transceiver Module -Fiberstore


#9 --chris--
    Originally Posted by fredrikjj:
    Yes, but it'll make sense once you get to VRFs so don't worry about it. A VRF's basically a separate routing table that only certain interfaces belong to, and using various techniques, that can be used to create VPNs. It's "private" in the sense that forwarding from one VPN to another is prevented. It doesn't have anything to do with encryption.
    So this is sort of like security through obscurity?

    This makes sense, and will probably be a good summary of how a lot of ROUTE will go. New (to me) technologies with names I associate with other ideas.


#10 fredrikjj
    Originally Posted by --chris--:
    So this is sort of like security through obscurity?
    No, if you get an MPLS VPN based connection you are prevented from sending packets into another customer's VPN, assuming correct configuration of course. Since the VRF your router is connected to on the SP side only has routes to your sites, there's no trick you can do to make the router forward packets to a different customer.

    However, the service provider can see every customer's traffic since there's no encryption of the packets. Therefore you must either not care about the contents of the packets getting into the wrong hands, or trust your service provider, or add some form of encryption on top of the MPLS VPN service.
    Last edited by fredrikjj; 10-13-2015 at 05:53 AM.
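A small model of what fredrikjj describes, added here as an example and not from the original thread: one routing table per VRF, with every lookup confined to the VRF of the ingress interface, so overlapping customer prefixes never collide and a customer's packet has no route into another customer's sites. VRF names, interface names and routes are constructed.

```python
import ipaddress

# Constructed model of a provider-edge router running VRF-lite: one routing
# table per VRF plus the global table. Two customers deliberately reuse
# 10.1.0.0/16; what keeps them apart is only that a lookup is confined to the
# VRF of the ingress interface. VRF names, interfaces and routes are made up.
VRF_ROUTES = {
    "CUST_A": {"10.1.0.0/16": "Gi0/1", "10.2.0.0/16": "Gi0/2", "0.0.0.0/0": "Gi0/2"},
    "CUST_B": {"10.1.0.0/16": "Gi0/3"},
    "global": {"192.0.2.0/24": "Gi0/9"},
}
# Which table each interface belongs to ("ip vrf forwarding CUST_A" in IOS).
INTERFACE_VRF = {"Gi0/0": "CUST_A", "Gi0/4": "CUST_B", "Gi0/8": "global"}


def lookup(vrf, dst):
    """Longest-prefix match confined to one VRF table; None means no route."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in VRF_ROUTES.get(vrf, {}).items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def forward(ingress_if, dst):
    """Egress interface for a packet that arrived on ingress_if, or None (dropped).

    The other customers' routes exist on the same box but are never consulted:
    this is separation, not secrecy. The payload is still clear text to whoever
    operates this router, which is why encryption has to be layered on top.
    """
    return lookup(INTERFACE_VRF[ingress_if], dst)


if __name__ == "__main__":
    for ingress, dst in [("Gi0/0", "10.1.5.5"), ("Gi0/4", "10.1.5.5"),
                         ("Gi0/4", "10.2.0.1"), ("Gi0/0", "192.0.2.1")]:
        print(f"{ingress} -> {dst}: {forward(ingress, dst)}")
```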
#11 --chris--
    Originally Posted by fredrikjj:
    No, if you get an MPLS VPN based connection you are prevented from sending packets into another customer's VPN, assuming correct configuration of course. Since the VRF your router is connected to on the SP side only has routes to your sites, there's no trick you can do to make the router forward packets to a different customer.

    However, the service provider can see every customer's traffic since there's no encryption of the packets. Therefore you must either not care about the contents of the packets getting into the wrong hands, or trust your service provider, or add some form of encryption on top of the MPLS VPN service.
    Ahh I got it.

    What's the most common thing to do here? Trust the ISP or encrypt all data on MPLS?


#12 --chris--
    1/3 of the way through the FLG, still feel like it's 50% review and 50% building on things I have worked with or wondered "how exactly did that just happen on its own....?" To be honest, the VLAN, VTP, Etherchannel and (R)STP sections feel almost identical to the CCNA material but with an added 20-30% of depth on certain topics (like tuning PVST+ & how MST works).

    Main takeaway for anyone following along - I wish I would have started this sooner after passing the CCNA. I have some "rust" that would not have been there if I started this 6 months ago.


#13 --chris--
    I ordered 2 of those SFPs above to make my cheap 3750 work in my lab. I will review them since they are about 1/5 the cost of Cisco branded SFPs.


#14 Simrid
    Originally Posted by --chris--:
    To be honest, the VLAN, VTP, Etherchannel and (R)STP sections feel almost identical to the CCNA material but with an added 20-30% of depth on certain topics (like tuning PVST+ & how MST works).
    This is how I feel; the later chapters in the book do go into more depth with DHCP snooping, SPAN etc. It's a pretty good read overall. I have about 1 chapter to go and my exam is booked in D:!

    The start is very samey.
#15 --chris--
    Originally Posted by Simrid:
    This is how I feel; the later chapters in the book do go into more depth with DHCP snooping, SPAN etc. It's a pretty good read overall. I have about 1 chapter to go and my exam is booked in D:!

    The start is very samey.
    I wish I had more time to devote to this book; every time I pick it up I fill in a piece of knowledge I wish I'd known previously (so that's why that failed at client Y...).

    Good luck on SWITCH!

    I come today with a question: SWITCHPORT AUTOSTATE EXCLUDE

    The best explanation I have found for this is that you use this command when you need to keep an SVI up/up even after all participant ports in that VLAN go down/down. Is this correct?

    And if that is correct, what is the use case for this? I need to tie it to a purpose to help retain it...the only thing I can think of is if you wanted the SVI to participate in an L3 routing protocol....if it were to go down, then the routing protocol would have to recalculate, causing possible outages?


#16 --chris--
    I have some ideas on a few STP/RSTP concepts, maybe someone here can let me know if I am on the right path with these...
    • BPDU Guard: Used only on access ports; protects against loops by shutting down the port if it receives a BPDU; can be enabled globally...if globally enabled, instead of putting the port that received a BPDU into err-disabled it removes the port-fast state from the interface and the interface will begin to work through the listening/learning stages
    • BPDU Filter: Should be used with caution; should only be used on access ports; keeps BPDUs from being sent & received on the port - presents the opportunity for a loop because it will stay in a forwarding state
    • Root Guard: This protects the root bridge; discards superior BPDUs if received on the port with Root Guard enabled; not sure why this would be used if you can control the root bridge through other methods..
    I have other questions regarding these technologies, but my battery is about dead. I will post them later.


#17 shortstop20 (Senior Member, South Dakota; certs: CCNA R&S)
    Originally Posted by --chris--:
    I have some ideas on a few STP/RSTP concepts, maybe someone here can let me know if I am on the right path with these...
    • BPDU Guard: Used only on access ports; protects against loops by shutting down the port if it receives a BPDU; can be enabled globally...if globally enabled, instead of putting the port that received a BPDU into err-disabled it removes the port-fast state from the interface and the interface will begin to work through the listening/learning stages
    • BPDU Filter: Should be used with caution; should only be used on access ports; keeps BPDUs from being sent & received on the port - presents the opportunity for a loop because it will stay in a forwarding state
    • Root Guard: This protects the root bridge; discards superior BPDUs if received on the port with Root Guard enabled; not sure why this would be used if you can control the root bridge through other methods..
    I have other questions regarding these technologies, but my battery is about dead. I will post them later.
    Root Guard ensures that if an unauthorized switch has a priority of 0 that it can't become the root. You can't set what should be root to a lower priority than 0 so Root Guard must be used in that situation.
    Studying CCNP Route.

    CCNP Switch passed, 12/10/2015
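A model of the three guard features from --chris--'s list and of shortstop20's priority-0 point, added here as an example and not from the original thread: a bridge ID is a (priority, MAC) tuple and the lower one wins, so once the legitimate root already sits at priority 0 a device with a lower MAC would still take over unless Root Guard blocks the port. Port settings, MACs and state names are constructed; the model compares root bridge IDs only and ignores path cost.

```python
# Constructed model of how a switch port reacts to a received BPDU depending
# on which guard feature is configured on it. A bridge ID is a (priority, MAC)
# tuple; the lower tuple wins, so priority 0 can only be beaten by a lower
# MAC, which is the gap Root Guard closes. Port settings and MACs are made up,
# and only root bridge IDs are compared (real STP also weighs path cost).

def is_superior(candidate, current_root):
    """True if the BPDU's root ID beats the root we currently know about."""
    return candidate < current_root


def receive_bpdu(port, current_root, bpdu_root):
    """Return (root after processing, resulting port state) for one BPDU.

    port is a dict of booleans: bpdufilter, bpduguard, rootguard, portfast.
    """
    if port.get("bpdufilter"):
        # BPDUs are discarded unseen and the port stays forwarding, which is
        # exactly why a switch plugged in here can form a loop.
        return current_root, "forwarding (BPDU ignored)"
    if port.get("bpduguard"):
        # Any BPDU at all on an edge port: shut the port (err-disabled).
        return current_root, "err-disabled"
    if is_superior(bpdu_root, current_root):
        if port.get("rootguard"):
            # Superior BPDU on a guarded port: block the port, keep the root.
            return current_root, "root-inconsistent (blocking)"
        # No guard: the topology accepts the new root, whoever sent it.
        return bpdu_root, "root port"
    if port.get("portfast"):
        # Inferior BPDU on a plain PortFast port: PortFast is lost and the
        # port walks through listening/learning before forwarding again.
        return current_root, "listening (PortFast lost)"
    return current_root, "designated (forwarding)"


# Constructed values: the legitimate root already uses the lowest priority.
LEGIT_ROOT = (0, "0000.0c11.1111")
ROGUE_ROOT = (0, "0000.0c00.0001")   # same priority, lower MAC: wins a tie


if __name__ == "__main__":
    for cfg in ({}, {"rootguard": True}, {"portfast": True, "bpduguard": True}):
        print(cfg, receive_bpdu(cfg, LEGIT_ROOT, ROGUE_ROOT))
```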
#18 --chris--
    Originally Posted by shortstop20:
    Root Guard ensures that if an unauthorized switch has a priority of 0 that it can't become the root. You can't set what should be root to a lower priority than 0 so Root Guard must be used in that situation.
    So it protects from rogue switches with a priority of zero. This makes sense, thanks!


#19 --chris--
    Just finished the HSRP chapter. I will have to go back and re-read the HSRP stuff from ICND2 but I feel like it was almost verbatim the same things...

    The plan is to finish this book within the month, start OCG and crank up the labbing portion of this adventure.

    In other news, I was invited to interview for a Tier 2 or 3 NOC position. Tier 2 would be all switches & routers, Tier 3 would be firewalling. I declined for two reasons: the commute would be about 1h 20m each way and the pay was pretty low for "tier 2/3" at $41000 and $46000 respectively.


#20 koz24 (Senior Member, Boston, MA; certs: CCNP: R&S)
    That's a nightmare commute. I also bet they are constantly filling that position at that rate. Seems like an ideal place to get experience and get out as soon as you find something better.
#21 --chris--
    I considered it, but I would be making quite a bit less once you factor the gas/commute/personal vehicle costs. I am buying a house right now...the last thing I need is to increase my DTI ratio.


#22 daba (Member, CT; certs: VCP5, CCNA, CCNA:Sec, N+, S+)
    I'm retaking SWITCH tomorrow and have started reading for ROUTE. I completely agree with you about SWITCH, it really felt like the CCNA with a little more detail. I do deal with VLANs and L2 stuff in general at work, so I might not realize how much exposure I have to it. ROUTE is feeling a bit more overwhelming because I don't have much experience with it.
#23 --chris--
    Originally Posted by daba:
    I'm retaking SWITCH tomorrow and have started reading for ROUTE. I completely agree with you about SWITCH, it really felt like the CCNA with a little more detail. I do deal with VLANs and L2 stuff in general at work, so I might not realize how much exposure I have to it. ROUTE is feeling a bit more overwhelming because I don't have much experience with it.
    That sounds like me in a nutshell. I feel like I don't get much L2 exposure at work, but I must get some because a lot of these are things I have worked with on client sites.

    I also fear ROUTE; I have no exposure to routing protocols in a prod environment.


#24 --chris--
    Just about ready to finish up the FLG, working through its security section. I am struggling with understanding how/why the vlan access-map command is used. I think it's used in the following way...but I really don't know.

    Create the VLAN ACLs. Then use the access-map command to combine ACLs into what you are trying to achieve. Then apply the access-map to the ports you want to filter.

    Am I on the right path?


#25 Member (joined Jan 2014; certs: CCNP R&S)
    I've just refreshed that after someone else asked the same thing.
    In short: yes, you're on the right path. With a VLAN filter/VACL you can permit/deny traffic inside the same VLAN and couple it with MAC ACLs too.

    I.e. you can deny all HTTP/tcp80 traffic just by making an ACL like:
        access-list 123 permit tcp any any eq www
    and inside a vlan access-map you drop the matched ACL:
        match ip address 123
        action drop

    And a new sequence number with just an "action forward" to allow everything else inside the VLAN filter.
    Something like:
        access-list 123 permit tcp any any eq 80
        vlan access-map Deny-http 5
         match ip address 123
         action drop
        vlan access-map Deny-http 10
         action forward
        ! apply the "Deny-http" access-map to the vlan-list containing VLAN 10
        vlan filter Deny-http vlan-list 10

    All TCP/80 traffic inside VLAN 10 is denied by matching all tcp/80 traffic in your ACL 123 after adding VLAN 10 in the vlan filter command.
    To clarify a bit more: they can control access for packets bridged/forwarded inside a VLAN or routed across VLANs (think SVIs). They just don't have any control over whether it's inbound or outbound - it's both.
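A model of how the Deny-http map above is evaluated, added here as an example and not from the original thread: entries are walked in sequence order, the first entry whose ACL matches decides the action, and a packet that matches no entry hits the implicit deny at the end of the map, which is why the sequence-10 "action forward" is needed. Packet fields and VLAN numbers are constructed.

```python
# Constructed model of how a Catalyst evaluates a VLAN access-map. Entries are
# tried in sequence-number order, the first entry whose match clause hits
# decides the action, and a packet matching no entry is dropped (implicit
# deny at the end of the map). Inside a VACL an ACL "permit" means "this
# packet matches"; the action comes from the access-map, not the ACL.
# Packet fields, ports and VLAN numbers are made up for the example.

def acl_123(pkt):
    """access-list 123 permit tcp any any eq 80"""
    return pkt["proto"] == "tcp" and pkt["dport"] == 80


# vlan access-map Deny-http 5  -> match ip address 123 / action drop
# vlan access-map Deny-http 10 -> (no match clause)    / action forward
DENY_HTTP = [
    {"seq": 5, "match": acl_123, "action": "drop"},
    {"seq": 10, "match": None, "action": "forward"},
]
# The same map with the sequence-10 catch-all forgotten.
DENY_HTTP_NO_CATCHALL = [DENY_HTTP[0]]

# vlan filter Deny-http vlan-list 10
VLAN_FILTER = {10: DENY_HTTP}


def vacl_decision(access_map, pkt):
    """Walk the map in sequence order; an entry with no match clause matches all."""
    for entry in sorted(access_map, key=lambda e: e["seq"]):
        if entry["match"] is None or entry["match"](pkt):
            return entry["action"]
    return "drop (implicit)"


def bridge(pkt):
    """Decision for a frame bridged within pkt['vlan'] (or routed via its SVI).

    VACLs have no direction: the same map is consulted whichever way the
    packet is travelling, and VLANs with no filter bound are untouched.
    """
    access_map = VLAN_FILTER.get(pkt["vlan"])
    return "forward" if access_map is None else vacl_decision(access_map, pkt)


if __name__ == "__main__":
    for pkt in ({"vlan": 10, "proto": "tcp", "dport": 80},
                {"vlan": 10, "proto": "tcp", "dport": 22},
                {"vlan": 20, "proto": "tcp", "dport": 80}):
        print(pkt, "->", bridge(pkt))
```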