CheeseSpawn
Sep 15, 2004
Doctor Rope
For those of you who have taken a Cisco netacademy class before and missed the 640-801 deadline, you should still be eligible to take the old exam.

I was checking out the prepcenter to try and see some of the new test questions when I stumbled back into the netacademy site. I decided to log back in and check out the site. I found access to packet tracer and the coupon voucher for the old exam. I took this class at least 1.5 years ago.

Thrilled, I tried to schedule an exam by phone in the upcoming week and it worked. If you have the code and a netacademy id, you should be good to go. I won't mind looking over the new material after I pass the exam. cheers


CheeseSpawn
Sep 15, 2004
Doctor Rope

Harry Totterbottom posted:


Right now I've just got a massive port list on permit

code:
tcp/1024-65535, tcp/135, tcp/137, tcp/1512, tcp/3268, tcp/3269, tcp/42, tcp/445, tcp/88, tcp/domain, tcp/ldap, tcp/ldaps, 
tcp/netbios-ssn, udp/135, udp/1512, udp/445, udp/88, udp/domain, udp/nameserver, udp/netbios-dgm, udp/netbios-ns

Ever use object groups? Does your ASA use object groups? This would be a good time to learn or use them for this type of stuff.

CheeseSpawn
Sep 15, 2004
Doctor Rope

tortilla_chip posted:


If you have any desire to work in a service provider environment this is a great opportunity. Despite the alphabet soup of requirements in the description, what we're really looking for is someone with a solid routing and switching foundation. MPLS infrastructure experience is a plus, but not a hard requirement.



If any of you goons really want to go the networking route (like CCIE), are hard-working and bright, and are quick learners, I strongly suggest you try and jump on this. You will learn a whole lot from the service provider side.

CheeseSpawn
Sep 15, 2004
Doctor Rope

Zuhzuhzombie!! posted:


Could someone give me an idea on BE and BC when it comes to setting policy maps?

Example:

Let's say I have a customer requesting 300mb connection.


code:
policy-map police-300mb
  class access-match
   police cir 300000000 bc 7812500 be 15625000 conform-action transmit exceed-action drop violate-action drop policy-map
This is what I currently see on the hardware. CIR limits the bandwidth to 300mb, correct? BE is excess burst, correct? Meaning if there is some congestion they could go over their limit by roughly 15mb?


What I don't understand is why CIR is in bits, but bc and be are in bytes.


I haven't worked much off our policy maps for rate limiting, but on our end the bc matches the be values. According to the Cisco Press book, "the cir and bc keywords define the first token bucket. be defines the second token bucket." So I guess when we keep bc and be values the same, we keep a single token bucket since it's a single rate policer?

CIR is in bits and bursts are in bytes cause that's just Cisco being Cisco.
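To make the two-bucket behaviour of that police statement concrete, here is an added Python simulation (not from the post or from Cisco) of a single-rate, two-bucket policer in the RFC 2697 style, using the cir/bc/be values quoted above; the conversion from bits per second to bytes of tokens is what reconciles the mixed units.

```python
from dataclasses import dataclass, field

# Values from the police statement quoted above
CIR_BPS = 300_000_000   # committed information rate, bits per second
BC_BYTES = 7_812_500    # committed burst (Bc), bytes
BE_BYTES = 15_625_000   # excess burst (Be), bytes


@dataclass
class SingleRatePolicer:
    """Single-rate, two-bucket (three-color) policer in the RFC 2697 style."""
    cir_bps: int
    bc: int
    be: int
    last: float = 0.0
    tc: float = field(init=False)   # tokens (bytes) in the committed bucket
    te: float = field(init=False)   # tokens (bytes) in the excess bucket

    def __post_init__(self):
        self.tc, self.te = float(self.bc), float(self.be)   # both start full

    def _refill(self, now):
        # cir is in bits/s but the buckets hold bytes: earn cir/8 bytes per second
        earned = (now - self.last) * self.cir_bps / 8
        self.last = now
        room = self.bc - self.tc
        if earned <= room:
            self.tc += earned
        else:                          # Bc bucket full: the overflow spills into Be
            self.tc = self.bc
            self.te = min(self.be, self.te + earned - room)

    def police(self, now, size):
        """Color one packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if size <= self.tc:
            self.tc -= size
            return "conform"
        if size <= self.te:
            self.te -= size
            return "exceed"
        return "violate"        # with exceed-action drop, exceed and violate both drop


def classify_burst(n_packets, size=1500, gap=0.0):
    """Color n_packets of `size` bytes sent `gap` seconds apart, starting at t=0."""
    p = SingleRatePolicer(CIR_BPS, BC_BYTES, BE_BYTES)
    counts = {"conform": 0, "exceed": 0, "violate": 0}
    for i in range(n_packets):
        counts[p.police(i * gap, size)] += 1
    return counts
```

`classify_burst(16000)` sends 24 MB at once: Bc admits about 7.8 MB as conform, Be about 15.6 MB as exceed, and the rest violates; `classify_burst(1000, gap=1500 * 8 / CIR_BPS)` paces packets at exactly line rate, so every one conforms.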

CheeseSpawn
Sep 15, 2004
Doctor Rope

FatCow posted:

Or just don't apply to jobs that need clearance? I don't see why having clearance locks you into working for the government.


I think he means fed jobs typically require clearance for working with them and not much else outside public office require them. Having clearance pretty much guarantees you finding a job, whether it's contracting or a job with an agency. Getting clearance is another issue on its own.

CheeseSpawn
Sep 15, 2004
Doctor Rope

Bob Morales posted:

There are only something like 25,000 CCIE's in the world (I'm probably off one way or the other). You need thousands of dollars in lab equipment, thousands in books and tests, and even more in time and travel to actually take the test.

http://www.ccie4you.info/wordpress/

http://ccie-in-3-months.blogspot.com/

As long as you have the passion, you can get it.

ragzilla posted:

What's the largest environment you've been involved in to make that comment? Layer <= 3 networking in a small/mid enterprise environment is no fun; however, that changes significantly once you enter the realm of SP networking, or large enterprise, and you start getting to use things like BGP and MPLS.


I just finished the Skillport CCIP video for MPLS/VPN architectures. I have a good grasp overall on how MPLS works from the PE end. As soon as I get my GNS server working again, I can't wait to build some labs I've seen online so I can see more into the core side.

I'm going to watch them one more time for notes and move on to BGP. It's pretty awesome how things come together and make sense.

CheeseSpawn
Sep 15, 2004
Doctor Rope

Tony Montana posted:


Got your CCIEs yet? How far off are you?


I'd say at least two to four years before I get there. I had gotten my CCNA in Jan 2008, with a three year break. It took my CCNA almost expiring to get my rear end back on the horse, because I'll be damned if I stay at the status quo or let that work go to waste. I want to move forward.

So it really depends on how much time and practice I can get in per day to keep this timeline. I plan on my CCIP/ CCNP this year. I already have ROUTE and I'm working on MPLS + BGP by late May or early June. Then finish QOS by the summer and switch and tshoot over the fall and winter.

Working for a SP is a huge advantage since everything is built. I get real world examples to observe and piece together stuff in my lab for the picky details.

The drawback is, I don't have much exposure to switches and IGPs such as EIGRP/OSPF. I will have to revisit ROUTE again before I do TSHOOT.

CheeseSpawn
Sep 15, 2004
Doctor Rope

jbusbysack posted:

I prefer SecureCRT solely because it will log all outputs. Also multiple devices connected via tabs is nice, but mainly it's the logging that won my heart.

^^^

SecureCRT has the multiple sessions in one window feature, which by itself does not seem like much but goes a long way once you need 3+ windows open. PuTTY is a good lightweight program to get the job done.

CheeseSpawn
Sep 15, 2004
Doctor Rope

lol internet. posted:

Quick question, for Cisco ASA. Does anyone use the CLI to configure/manage access rules? Or is everyone using the ASDM?

I prefer CLI because notepad is my best friend. Also prefer the show commands for the troubleshooting.

CheeseSpawn
Sep 15, 2004
Doctor Rope

GOOCHY posted:

static (inside, outside) <public host> <private host> netmask 255.255.255.255
!
access-list outside_access_in extended permit tcp any host <public host> eq smtp log notifications
!
access-group outside_access_in in interface outside

1:1 NAT map - allow traffic inbound via SMTP

That's what I would do for inbound requests. The DNS option sounds like it might be required as well depending on how their DNS servers are setup.

static (inside, outside) <public host> <private host> netmask 255.255.255.255 dns

code:
access-list inside_outbound_nat0_acl extended permit ip any 10.10.0.0 255.255.0.0
nat-control
global (outside) 10 123.123.123.123 
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0
It looks like the access list for outbound traffic is reversed? Any reason for the nat 0 bypass?

CheeseSpawn
Sep 15, 2004
Doctor Rope

Mierdaan posted:

Yeah, what GOOCHY wrote is exactly what we're doing for all our public-facing services. This is the first time I've wanted to modify our setup for outbound traffic, though.


There are actually 4 entries in that ACL:

code:
access-list inside_outbound_nat0_acl extended permit ip (internal IP range) (VPN pool range)
access-list inside_outbound_nat0_acl extended permit ip any (VPN pool range)
access-list inside_outbound_nat0_acl extended permit ip any (internal IP range)
access-list inside_outbound_nat0_acl extended permit ip (internal IP range) (overseas location's range, site-to-site VPN)
Is the NAT 0 bypass there so that there's no translation performed between these internal ranges?


Yeah, NAT 0 would bypass the NAT translation. It looks like there's a lot more going on on your ASA than we can see. I'm guessing the nat0_ACL is being applied on some other interface. To me, it doesn't seem like that is the ACL you need to place your outbound ACL rule in, because they don't make sense to me in an outbound direction. I should see something similar to below, where there is something going to any as a destination, unless your traffic is going to here <ip any (internal IP range)> and then going out to the internet from there, which is weird and redundant.

access-list outbound_ACL extended permit ip 10.10.0.0 255.255.0.0 any

NAT STATEMENTS

access-group outbound_ACL in interface inside

CheeseSpawn
Sep 15, 2004
Doctor Rope

squidflakes posted:

I've got several branch offices with two outside network connections. One is from an MPLS provider that is only supposed to handle traffic for internal inter-office addresses, we'll say anything on the 10.x.x.x/16 network. The other is for anything else, is sitting on a regular internet connection and goes to a firewall.

The MPLS side is using EIGRP to advertise all of the routes with a gateway of last resort pointing at the internet firewall. The idea there being that the routes advertised by EIGRP are going to be hit first, and if they go down, all traffic should go out the internet side.

Once the MPLS connection comes back up and EIGRP rebuilds the neighbor table, how long should I expect traffic to keep going to the gateway of last resort? I've done a few tests and if the MPLS connection goes down and comes back up more than a few times in a row, it seems like traffic never stops using the 0.0.0.0 route.

Does that sound normal?

Technically, once the EIGRP MPLS router rebuilds the table, your routes should go that way since the more specific route is there, and not go via the default route, but metrics could also come into play. What do the traceroutes look like when you do this? It could be that the way you are bouncing the router, it doesn't have those routes as stable, so maybe the routing table isn't converged? I don't work with EIGRP much, but that's my routing guess.

Sounds like some details are missing as well. If the MPLS connection is down with the default in place, it'll route towards the internet circuit and die unless you build a VPN tunnel to that destined site?

CheeseSpawn
Sep 15, 2004
Doctor Rope

routenull0 posted:


It is a flat 3yr term for the total certification once earned. I use to think that while doing the CCNP, you could pass one exam a year and practically get the NP over the course of 3 years, but I thought I read in this thread you now have to pass all 3 within a year.


I don't think there is a timer expiration in an upgrade path scenario unless a certain test is retiring. I had taken ROUTE back in Jan 2011 and took BGP+MPLS and QoS in July and Aug 2012 for my CCIP. I plan on taking SWITCH and TSHOOT later this year once I settle in to my job.

CheeseSpawn
Sep 15, 2004
Doctor Rope

madsushi posted:

One of the issues I've heard of with using the same AS for multiple sites is that if your sites aren't truly connected on the back-end (via direct or VPN or something), some peers won't advertise your other site's prefixes to you.

Example:

Site A - 10.10.10.0/24
Site B - 10.20.20.0/24

When your peer at Site A sees the prefixes for Site B, it might not advertise them to Site A since Site A is the AS that did the advertising. This can cause issues sometimes, depends on if your carrier is willing to force those prefixes.

iBGP ideally requires a full mesh of peers for full route exchange, but there are ways to get past this via RR or confeds. Routes won't pass beyond one peer, and a router won't accept routes from an AS they have already traversed (loop avoidance). Here's a great easy read on this. If you're using a provider for MPLS VPNs on layer 3, they can bypass this with AS override.

The different ASes you see in that mess are there to get routes around.


CheeseSpawn
Sep 15, 2004
Doctor Rope

jwh posted:


BGP stuff

I'm stumped.

Yeah, I'm a month late to this, but I would like to have seen what the path looked like from Cogent's looking glass a month ago compared to now. Oh well. A little strange to see Internap prepending now, rather than what you had before, I suppose.

BGP routing table entry for 64.95.69.0/24, version 1764577848
Paths: (1 available, best #1, table Default-IP-Routing-Table)
2828 14742 14742 19592
154.54.9.6 (metric 10102021) from 154.54.66.76 (154.54.66.76)
Origin IGP, metric 4294967294, localpref 100, valid, internal, best
Community: 174:10031 174:20666 174:21000 174:22013
Originator: 66.28.1.9, Cluster list: 154.54.66.76, 66.28.1.69, 66.28.1.89

CheeseSpawn fucked around with this message at 09:16 on Sep 27, 2013
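The AS-path loop avoidance and AS override described in the madsushi reply above, applied to this looking-glass entry, as an added Python example that is not part of any post. The same-ASN two-site scenario uses constructed private ASNs 65001 (customer) and 64512 (provider); everything else comes from the quoted output.

```python
import re

# Looking-glass entry quoted in the post above (Cogent, 64.95.69.0/24)
BGP_ENTRY = """\
BGP routing table entry for 64.95.69.0/24, version 1764577848
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  2828 14742 14742 19592
    154.54.9.6 (metric 10102021) from 154.54.66.76 (154.54.66.76)
      Origin IGP, metric 4294967294, localpref 100, valid, internal, best
"""


def parse_as_path(entry):
    """Return the first AS_PATH line of a 'show ip bgp <prefix>' entry as a list of ASNs."""
    for line in entry.splitlines():
        if re.fullmatch(r"\s*\d+(\s+\d+)*\s*", line):   # a line of nothing but ASNs
            return [int(asn) for asn in line.split()]
    raise ValueError("no AS path line found")


def prepend_runs(path):
    """Collapse repeats so prepending stands out: [2828,14742,14742,19592] -> [(2828,1),(14742,2),(19592,1)]."""
    runs = []
    for asn in path:
        if runs and runs[-1][0] == asn:
            runs[-1] = (asn, runs[-1][1] + 1)
        else:
            runs.append((asn, 1))
    return runs


def accepts(path, local_as):
    """eBGP loop avoidance: an UPDATE whose AS_PATH already contains the receiver's ASN is dropped."""
    return local_as not in path


def as_override(path, customer_as, provider_as):
    """PE-side 'as-override': rewrite the customer's ASN to the provider's before sending to the CE."""
    return [provider_as if asn == customer_as else asn for asn in path]


def two_sites_same_as(customer_as, provider_as):
    """Does Site B's route reach Site A when both sites run customer_as? (without, with override)"""
    path_from_pe = [provider_as, customer_as]   # PE prepends its own ASN to what Site B originated
    plain = accepts(path_from_pe, customer_as)  # Site A sees its own ASN in the path and rejects
    fixed = accepts(as_override(path_from_pe, customer_as, provider_as), customer_as)
    return plain, fixed
```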
