BelDin
Jan 29, 2001

Bardlebee posted:

Does the CCNA even cover OSPF? That is my main fear. I have the ICND1, but if the ICND2 doesn't cover something that you need to know for employment. Then.... its kinda silly.

Yep, it covers the basics like single area OSPF. The big thing to know is that it is a link state protocol and not distance-vector like EIGRP, the base metric is cost and not bandwidth/delay, and the steps it uses to build the tables (LSAs and LSDBs using Dijkstra).

You may get into some basic troubleshooting, but nothing multi-area IIRC.


some kinda jackal
Feb 25, 2003

OSPF is covered in the CCNA. RIP, OSPF, EIGRP.

ragzilla
Sep 9, 2005
don't ask me, i only work here


BelDin posted:

Dynamic routing protocols? We just use static routes for everything! :corsair:

I have actually heard both these in the last two years. EIGRP being rolled out is voodoo magic as far as they are concerned.

If static routing is good enough for the PSTN, it's good enough for my network :colbert:

BelDin
Jan 29, 2001

Cavepimp posted:

Uh oh...maybe I'm rustier than I thought.

Not necessarily, but they do come in handy for rapid convergence and the use of redundant infrastructure protocols such as HSRP and GLBP. Again, shake that voodoo stick and explain that using L3 switches with routed interfaces (no switchport) does not introduce loops in your network at L2.

The last time a switch went down on our network edge due to a DSL line problem, the IT manager kept harping about spanning tree and how it was causing issues in the network. He then went on blaming the recently implemented VLANs (rather than everything running on VLAN 1 with separate switches and lines) and trunks between switches (running PVST+) for causing network instability.

They were physically moving lines between switches in network closets. These lines use two pairs of a CAT5 cable going to 110 blocks that are cross linked to the infrastructure lines at the work cubes.

Remember kids, you only need four wires for Ethernet! :corsair:

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE

ragzilla posted:

If static routing is good enough for the PSTN, it's good enough for my network :colbert:

NPAC would like to talk to you.

LERG for IP would be awesome.

*Makes route update*
*Waits 3 months for the effective date*
*network becomes unreachable as only 1/2 the other networks load the update*

BelDin
Jan 29, 2001

ragzilla posted:

If static routing is good enough for the PSTN, it's good enough for my network :colbert:

Fair enough, but then again, you don't typically get a helpdesk guy promoted to sole network administrator/engineer in a PSTN. (at least not without serious skills)

It's bad enough that our 600 client LAN is expected to scale 4x over a large campus in three months.

ragzilla
Sep 9, 2005
don't ask me, i only work here


FatCow posted:

NPAC would like to talk to you.

LERG for IP would be awesome.

*Makes route update*
*Waits 3 months for the effective date*
*network becomes unreachable as only 1/2 the other networks load the update*

If I had to make an SS7 dip on every call that traversed the network...

I'd be buying stock in Syniverse.

BelDin
Jan 29, 2001

FatCow posted:

NPAC would like to talk to you.

LERG for IP would be awesome.

*Makes route update*
*Waits 3 months for the effective date*
*network becomes unreachable as only 1/2 the other networks load the update*

I can imagine it now...

*helpdesk call*

:supaburn:: Why can't I get to icanhazcheezburger? I NEED to get there for business purposes!

:corsair:: Because the NSFNet got taken down by a backhoe and BGP, rear end, and ASNs haven't been invented yet?

inignot
Sep 1, 2003

WWBCD?

BelDin posted:

Dynamic routing protocols? We just use static routes for everything! :corsair:

I have actually heard both these in the last two years. EIGRP being rolled out is voodoo magic as far as they are concerned.

Sometimes I wonder how people like that scammed their way into a paycheck.

BelDin
Jan 29, 2001

inignot posted:

Sometimes I wonder how people like that scammed their way into a paycheck.

Work as a government contractor, such as myself. You'll be amazed at the level of incompetence across the board.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

BelDin posted:

Work as a government contractor, such as myself. You'll be amazed at the level of incompetence across the board.

Annnnd how! :( Also "IA professionals". :sotw:

BelDin
Jan 29, 2001

Tremblay posted:

Annnnd how! :( Also "IA professionals". :sotw:

I cringe every time I have to refer to myself as "Cyber Security" for that very reason. I've gone from helpdesk, applications administrator, systems administrator, and network administrator over my career. Don't lump me in with the IA grad that can write policies, watch logs, and not much else.

The best INFOSEC guys I have worked with over time have been the ones that had technical jobs before treating security as a specialization, not a degree program.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

BelDin posted:

I cringe every time I have to refer to myself as "Cyber Security" for that very reason. I've gone from helpdesk, applications administrator, systems administrator, and network administrator over my career. Don't lump me in with the IA grad that can write policies, watch logs, and not much else.

The best INFOSEC guys I have worked with over time have been the ones that had technical jobs before treating security as a specialization, not a degree program.

Agree, sadly you/them are the minority in an ocean of poo poo.

inignot
Sep 1, 2003

WWBCD?

BelDin posted:

Work as a government contractor, such as myself. You'll be amazed at the level of incompetence across the board.

I've done mostly federal work for the past seven years, and yes, it's full of fools. Actually I think any large organization tends to be dominated by fools. Anyway, it still boggles my mind that the kind of goofball that would think you can make a network run faster by changing the bandwidth statement on an interface once sat in an interview and was judged the most competent man for the job.

And I concur that IA people are laughable. One of the more recent eye-rollingly bizarre IA edicts is that using vlan 1 for anything is bad. Because one is an easily guessed number. Of course, the switches they are moaning about are in data centers with no end users attached. So I suppose they are concerned attackers will remotely send crafted dot1q headers over the internet (in IA world layer 2 headers somehow persist across layer 3) ...and then something bad happens. Cripes, based on default behavior on Cisco switches, vlan 1 is never tagged anyway.

I'm considering pursuing the ISSEP just to spite them. Or I may just start asking for CERT or Mitre advisory numbers on these alleged issues to see if I can force them to admit it's all unsubstantiated. How did risk analysis become risk fabrication?

BelDin
Jan 29, 2001

inignot posted:

I've done mostly federal work for the past seven years, and yes, it's full of fools. Actually I think any large organization tends to be dominated by fools. Anyway, it still boggles my mind that the kind of goofball that would think you can make a network run faster by changing the bandwidth statement on an interface once sat in an interview and was judged the most competent man for the job.

And I concur that IA people are laughable. One of the more recent eye-rollingly bizarre IA edicts is that using vlan 1 for anything is bad. Because one is an easily guessed number. Of course, the switches they are moaning about are in data centers with no end users attached. So I suppose they are concerned attackers will remotely send crafted dot1q headers over the internet (in IA world layer 2 headers somehow persist across layer 3) ...and then something bad happens. Cripes, based on default behavior on Cisco switches, vlan 1 is never tagged anyway.

I'm considering pursuing the ISSEP just to spite them. Or I may just start asking for CERT or Mitre advisory numbers on these alleged issues to see if I can force them to admit it's all unsubstantiated. How did risk analysis become risk fabrication?

I like to think of myself as an up and coming security engineer with a management day job. :)

I don't like using VLAN 1 for anything because we keep it the default, not because it is the default. The primary reason that we are taught not to use VLAN 1 is misconfiguration. Some goober plugging a computer in a DTP enabled port can make for a bad day. We actually enforce access ports and set nonegotiate by default so that double tagging and VLAN hopping aren't easily possible.

Risk analysis became risk fabrication when there was money to be made in selling fear. It's been a long time now.

More on topic:

I had one of my guys get concerned once I pushed going to VLANs and trunking.

:downs:: Be sure to turn on port security for all the switch ports to make everything more secure!

:raise:: Even trunk lines?

:downs:: Especially trunk lines, they are the most vulnerable because you can get on all the VLANs with them!

:eng99:: ...

some kinda jackal
Feb 25, 2003


BelDin posted:

I had one of my guys get concerned once I pushed going to VLANs and trunking.

:downs:: Be sure to turn on port security for all the switch ports to make everything more secure!

:raise:: Even trunk lines?

:downs:: Especially trunk lines, they are the most vulnerable because you can get on all the VLANs with them!

:eng99:: ...

I'm not calling you out, but this is almost too ridiculous to believe :stare:

BelDin
Jan 29, 2001

Martytoof posted:

I'm not calling you out, but this is almost too ridiculous to believe :stare:

This guy is not IT, he's a physical security / policy writer type who was a floor supervisor for about 20 years before moving into security (in the 90s) . He then took some MCSE classes (but hasn't passed an MCP exam) to get into the exciting field of Cyber Security. To his credit, he doesn't know much about networking and doesn't need to for his job duties.

Give him an information security topic (non computer), and he'll beat you to death with paper. That's his forte, and I keep him corralled in that area for reasons like this. Very useful against auditors.

You're right that this is the condensed version of the conversation... he didn't know what trunk lines were, so I had to explain them to him. This was the result of that talk. He asked it in more of a questioning tone. Call it artistic license, if you will.

I can't grumble too much, he's one of the two reasons why I got hired.


Enough derailing.... new Cisco short question choices:

1) Has anyone here taken the SNAF exam? How bad was it?

2) For those who use port security, what is a good aging time? We're currently using sticky macs on most workstation ports, and all equipment moves are updated manually. My understanding is that the static entries from the stickies will not get cleared during aging and only the ports without stickies will age.

abigserve
Sep 13, 2009

this is a better avatar than what I had before
At my old job I believe we had the aging time set to 300 seconds (5 mins).

As for sticky mac addresses, they don't age as far as I'm aware - buuut if you don't write the config, the entries will vanish on reboot.

Out of curiosity, why do you want to enable this feature?

BelDin
Jan 29, 2001

abigserve posted:

At my old job I believe we had the aging time set to 300 seconds (5 mins).

As for sticky mac addresses, they don't age as far as I'm aware - buuut if you don't write the config, the entries will vanish on reboot.

Out of curiosity, why do you want to enable this feature?

We have a problem where certain IT cubes that have port security on are not aging out MAC addresses properly due to desktop switches.

The recent event is that an IT worker with a workstation switch in their cube is hooked to a switch with port security (no sticky) and imaged a bunch of machines. When we went to deploy the computer (on the same infrastructure switch) it err-disabled because the MAC was still hanging on the IT worker's port. I figured we would turn it on across the board if it didn't affect sticky macs.

We use the stickies on our workstations so that people can't move computers or hook new ones up on the network. It triggers an err-disable, and we have to bring the interface back up after we bludgeon the user. We have a NAC appliance sitting in the corner to remove the need for stickies, but are so busy putting out fires that we haven't got it put in yet.

ate shit on live tv
Feb 15, 2004

by Azathoth

CrazyLittle posted:

who the hell still uses EIGRP anyways?

We use it exclusively. Both over our MPLS Cloud and at our Datacenter.

We use Sticky Mac as well, and for IT people who need to reimage multiple machines, they are in a separate VLAN and their particular ports are not stickied. Eventually we may move to NAC, but who knows when that will be rolled out.

ate shit on live tv fucked around with this message at 15:56 on Oct 29, 2010

Tremblay
Oct 8, 2002
More dog whistles than a Petco

BelDin posted:

We have a problem where certain IT cubes that have port security on are not aging out MAC addresses properly due to desktop switches.

The recent event is that an IT worker with a workstation switch in their cube is hooked to a switch with port security (no sticky) and imaged a bunch of machines. When we went to deploy the computer (on the same infrastructure switch) it err-disabled because the MAC was still hanging on the IT worker's port. I figured we would turn it on across the board if it didn't affect sticky macs.

We use the stickies on our workstations so that people can't move computers or hook new ones up on the network. It triggers an err-disable, and we have to bring the interface back up after we bludgeon the user. We have a NAC appliance sitting in the corner to remove the need for stickies, but are so busy putting out fires that we haven't got it put in yet.

I don't think aging timers work with sticky since sticky adds the mac to the config.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

inignot posted:

I've done mostly federal work for the past seven years, and yes, it's full of fools. Actually I think any large organization tends to be dominated by fools. Anyway, it still boggles my mind that the kind of goofball that would think you can make a network run faster by changing the bandwidth statement on an interface once sat in an interview and was judged the most competent man for the job.

And I concur that IA people are laughable. One of the more recent eye-rollingly bizarre IA edicts is that using vlan 1 for anything is bad. Because one is an easily guessed number. Of course, the switches they are moaning about are in data centers with no end users attached. So I suppose they are concerned attackers will remotely send crafted dot1q headers over the internet (in IA world layer 2 headers somehow persist across layer 3) ...and then something bad happens. Cripes, based on default behavior on Cisco switches, vlan 1 is never tagged anyway.

I'm considering pursuing the ISSEP just to spite them. Or I may just start asking for CERT or Mitre advisory numbers on these alleged issues to see if I can force them to admit it's all unsubstantiated. How did risk analysis become risk fabrication?

For Cisco stuff VLAN 1 traffic is largely punted to the CPU. You can DoS a 6k pretty quick if you know the kind of traffic to smack it with. It's actually one of the less stupid items on the checklists.

BelDin
Jan 29, 2001

Tremblay posted:

I don't think aging timers work with sticky since sticky adds the mac to the config.

That's the behavior I want so that I can push it out on all public interfaces, stickied or otherwise. Then we don't have to tell the fill-in admins about another configuration item to look for when moving people from cube to cube.

Explaining to systems administrators why we want to have small frame violation rates, broadcast and multicast storm control, etc. on workstation ports was enough of a headache to last me a lifetime.
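As an added example, not configuration from any poster in this thread: a constructed Catalyst IOS snippet that puts together the pieces discussed above (access mode plus nonegotiate on edge ports from the VLAN 1 discussion, sticky MACs on workstation ports, inactivity aging on the IT imaging port behind a desktop switch, storm control, and errdisable recovery so nobody has to bounce the interface by hand). Interface names, VLAN numbers, timers and the storm-control thresholds are assumptions.

```cisco
! Constructed example (not any poster's config). Interface names, VLAN
! numbers and timers are assumed; adjust to the platform and site.
!
! Global: let err-disabled ports recover on their own after a violation
! instead of waiting for an admin to find and bounce the interface.
errdisable recovery cause psecure-violation
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Ordinary workstation port: one PC, sticky MAC, shutdown on violation.
! Sticky addresses are written into the running config, so "write memory"
! is required or they are gone after a reboot, as noted in the thread.
! Because they become static entries, the aging timer is not expected to
! clear them, which is why aging can be pushed to every edge port.
interface GigabitEthernet1/0/10
 description Workstation cube A-12
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 switchport port-security aging type inactivity
 switchport port-security aging time 5
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 5.00
 storm-control multicast level 5.00
!
! IT imaging cube with a desktop switch behind it: no sticky, a higher
! maximum, and inactivity aging so the MAC of a freshly imaged machine is
! forgotten once it is unplugged and can show up on its destination port
! without tripping a violation there. No portfast/bpduguard, since a
! switch (not a host) hangs off this port.
interface GigabitEthernet1/0/11
 description IT imaging cube (desktop switch)
 switchport mode access
 switchport access vlan 30
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 8
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 switchport port-security aging time 5
 storm-control broadcast level 5.00
 storm-control multicast level 5.00
!
! Uplink trunk: no port security here (see the exchange above). DTP is
! off, the native VLAN is an unused one and the allowed list is pruned;
! that, not a MAC limit, is what blunts double tagging and VLAN hopping.
! "trunk encapsulation" is only needed on platforms that also offer ISL.
interface GigabitEthernet1/0/48
 description Uplink to distribution
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 20,30,100
 switchport mode trunk
 switchport nonegotiate
!
! Checks after a move: which port holds the MAC, whether the entry is
! sticky/static or dynamic (and therefore subject to aging), and whether
! the port is waiting on errdisable recovery.
! show port-security interface GigabitEthernet1/0/11
! show port-security address
! show errdisable recovery
```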

jwh
Jun 12, 2002

inignot posted:

(in IA world layer 2 headers somehow persist across layer 3)
Yeah, it's funny how widespread that belief is.

I like my IT Security staff, but periodically they do say things that make me grit my teeth, such as 'VLAN hopping is possible, so we need to buy more firewalls," or "why can't you identify the machine based on MAC address?" (when the machine is very far away, outside of our environment.)

You have to just roll with it, though, because the alternative is a brain aneurysm.

vty
Nov 8, 2007

oh dott, oh dott!
What's the most reliable JRE version for accessing ASDM? I wind up configuring a few ASAs a year, typically by CLI, but to make customers satisfied I leave them with ASDM to muck around in.

The problem is, every time I get an ASA I wind up going through hours of searching for the "correct" Java version. I believe it's been 6u7, but I'm currently having issues with 7.0.

ragzilla
Sep 9, 2005
don't ask me, i only work here


vty posted:

What's the most reliable JRE version for accessing ASDM? I wind up configuring a few ASAs a year, typically by CLI, but to make customers satisfied I leave them with ASDM to muck around in.

The problem is, every time I get an ASA I wind up going through hours of searching for the "correct" Java version. I believe it's been 6u7, but I'm currently having issues with 7.0.

We configure various ASAs running ASDM between 5 and 6.3(1) (so ASA/PIX versions 7 through 8.3(1)) and I haven't run into any problems running the latest Java off Sun's site.

workape
Jul 23, 2002

jwh posted:

"why can't you identify the machine based on MAC address?" (when the machine is very far away, outside of our environment.)

You have to just roll with it, though, because the alternative is a brain aneurysm.

I have this poo poo out of people in my own group. At first I thought I was being trolled, then I realized that he doesn't know a loving thing. What is worse is that people are going to this retard asking him questions and I have to spend about 20% of my day fixing his loving retarded mistakes.

Although, there really is nothing more entertaining than asking him to explain how a mac table is built or how voip works. Seriously, if you have the Senior level title, you should be able to explain the loving basics. loving christ...

ate shit on live tv
Feb 15, 2004

by Azathoth
"Ok so I have this machine I don't know the IP, can you figure out the IP based on the mac-address?" :eng99:

SamDabbers
May 26, 2003



That should be possible if you're on the same layer 2 segment, at least in theory.

ate shit on live tv
Feb 15, 2004

by Azathoth
I know that part. But the networking part is any mac-address can be any arbitrary IP Address (or it might not even have an IP Address at all, maybe it's using IPX, or TokenRing, who knows?). There is no way to take a device with a mac-address and just know its IP address without some kind of layer 3 process occurring, like in your example, an ARP request.

Rad Boss
May 10, 2003
i obsess over things because i have nothing better to do

Powercrazy posted:

There is no way to take a device with a mac-address and just know its IP address without some kind of layer 3 process occurring, like in your example, an ARP request.

What about CDP :shepface:

This is the Cisco thread, after all

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Rad Boss posted:

What about CDP :shepface:

This is the Cisco thread, after all

Unless there is a Cisco softphone installed CDP is no help for PCs.

abigserve
Sep 13, 2009

this is a better avatar than what I had before
Find out the switchport it's connected to and r-span that poo poo rasta.

Harry Totterbottom
Dec 19, 2008
Anyone happen to know if there's a huge gap in difference between Cisco Unified Contact Center Enterprise and Express? Or are they essentially the same just different scalability?

The main thing I'm trying to figure out is if taking a UCCX class will give me enough info that I can manage the UCCE environment that might be getting dropped in my lap.

PuTTY riot
Nov 16, 2002
I'm in the market for an entry-level dual WAN firewall. I have 2 AT&T Bell South Netopia routers in bridge mode doing PPPoE. I realize that bonding is probably something that won't work, and have settled on load balancing as an alternative. Are there any gotchas with either of the below devices? Is there a comparable ASA that wouldn't blow my mind to configure? I have a watchguard right now and I want to set the thing on fire.


http://www.cisco.com/en/US/prod/collateral/routers/ps9923/ps9925/data_sheet_c78-501225.html

http://www.cisco.com/en/US/prod/collateral/routers/ps9923/ps9926/data_sheet_c78-501227.html
(Is there any difference besides the number of ports between these two?)


I actually have 4 DSL lines in so if there is something <$1,000 that will work with all 4 I'd rather do that. Can pfsense do that (easily and reliably)?

Tremblay
Oct 8, 2002
More dog whistles than a Petco

American Jello posted:

I'm in the market for an entry-level dual WAN firewall. I have 2 AT&T Bell South Netopia routers in bridge mode doing PPPoE. I realize that bonding is probably something that won't work, and have settled on load balancing as an alternative. Are there any gotchas with either of the below devices? Is there a comparable ASA that wouldn't blow my mind to configure? I have a watchguard right now and I want to set the thing on fire.


http://www.cisco.com/en/US/prod/collateral/routers/ps9923/ps9925/data_sheet_c78-501225.html

http://www.cisco.com/en/US/prod/collateral/routers/ps9923/ps9926/data_sheet_c78-501227.html
(Is there any difference besides the number of ports between these two?)


I actually have 4 DSL lines in so if there is something <$1,000 that will work with all 4 I'd rather do that. Can pfsense do that (easily and reliably)?

I don't have much experience with the non-consumer linksys stuff so I can't comment on that. Unless there was a change made in 8.3, ASA's dual WAN support is limited to a primary and backup connection. You can't use both at the same time.

jwh
Jun 12, 2002

I'd buy a Palo Alto PA-500 instead, personally.

edit: Although those are >$1k, so maybe that's out of the question.

jwh fucked around with this message at 16:59 on Nov 4, 2010

tortilla_chip
Jun 13, 2007

k-partite
Juniper SSG

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

American Jello posted:

I'm in the market for an entry-level dual WAN firewall. I have 2 AT&T Bell South Netopia routers in bridge mode doing PPPoE. I realize that bonding is probably something that won't work, and have settled on load balancing as an alternative. Are there any gotchas with either of the below devices? Is there a comparable ASA that wouldn't blow my mind to configure? I have a watchguard right now and I want to set the thing on fire.


http://www.cisco.com/en/US/prod/collateral/routers/ps9923/ps9925/data_sheet_c78-501225.html

http://www.cisco.com/en/US/prod/collateral/routers/ps9923/ps9926/data_sheet_c78-501227.html
(Is there any difference besides the number of ports between these two?)


I actually have 4 DSL lines in so if there is something <$1,000 that will work with all 4 I'd rather do that. Can pfsense do that (easily and reliably)?

I recommended Mikrotik earlier in this thread, I'd take it over Linksys any day. Hell their $40 RB750's would do this. I have many RB493's doing all sorts of stuff (ospf, bgp, mpls, etc). RB1100's are awesome if you can find them in stock ($400, 13 gig-e interfaces)

* Routerboard models
* Load balancing over multiple gateways


Davethehedgehog
Jun 7, 2003
Choose me, I am warm!

Tremblay posted:

Unless there is a Cisco softphone installed CDP is no help for PCs.

LLDP?
