CCNA Security – 210-260 IINS passed.

15 05 2016

Passed the 210-260 last weekend. I was obviously pretty happy about this, but, what I was even more happy about was the updated syllabus for the cert.

I would estimate around 30-40% difference in content. The general security concepts (which make the first part of the course pretty dry, depending on whether it’s stuff you’re already pretty familiar with or not), remained, as expected, as did a lot of the details about L2/3 security on Cisco devices.

The major changes were the complete removal of CCP to manage routers (with Zone Based Firewall config); this gave way to Cisco ASA configuration – certainly much more relevant to my role and reflective of industry too. Configuration for the ASA was only via ASDM too; if I remember rightly, this was via the command line in the last syllabus and very basic in comparison.

In addition, the way the course is delivered, via online labs rather than locally hosted equipment (which I had to use, and share last time) is superb.

NTP on Cisco switches / routers

23 07 2014

Have been looking recently to review processes and introduce efficiencies where possible. One of the monthly tasks that I set myself was to ensure the time hadn’t slipped too far on my Cisco devices, and to correct it if it had.

A power cut in one of the offices caused all my Cisco devices to reset their time to the default of Mar 1993.

These two factors combined triggered some research into implementing NTP on all Cisco devices.

Commands I used on all devices are as follows. Devices were a combination of Catalyst 3560 and 3750 switches. Routers were already configured accordingly.

#clock timezone GMT 0
#clock summer-time BST recurring 4 SUNDAY MARCH 01:00 4 SUNDAY OCTOBER 02:00 60
#ntp server x.x.x.x
#ntp server x.x.x.x

This sets the timezone to GMT, specifies BST (British Summer Time) as the daylight savings timezone, sets it to recur, starting from the 4th Sunday of March to the 4th Sunday of October, and specifies the NTP servers to use. I’ve found that Server 2008 R2 Domain Controllers work pretty well as a reference NTP server for a number of different device types including Linux based (Check Point firewalls / Coyote Point load balancers) as well as Cisco devices. My environment doesn’t require nanosecond accuracy, but we do need to be able to correlate times in logs with specific events, which Server 2008 R2 provides.

For troubleshooting / verification, I used these commands:

#show clock detail

The output of this is:

11:33:32.081 BST Wed Jul 23 2014
Time source is NTP
Summer time starts 01:00:00 GMT Sun Mar 23 2014
Summer time ends 02:00:00 BST Sun Oct 26 2014

It shows the time, time source, and start / end of the summer time – useful stuff. Time source is ‘user configured’ if NTP has not been used.

#show ntp associations

This shows the IP addresses of the NTP servers configured, what their reference clock sources are, and their ‘stratum’ (the output is largely IP address related, hence leaving it out here).

#show ntp status

Clock is synchronized, stratum 4, reference is x.x.x.x
nominal freq is 119.2092 Hz, actual freq is 119.2076 Hz, precision is 2**18
reference time is D77A0BC8.3817A4F2 (11:24:08.219 BST Wed Jul 23 2014)
clock offset is -18.8268 msec, root delay is 120.00 msec
root dispersion is 159.91 msec, peer dispersion is 28.58 msec

This shows a bunch of info – the most important part is ‘Clock is synchronized’.
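Since the point of NTP here is being able to trust device timestamps when correlating logs, the monthly "has the time slipped" check can be automated by parsing that output. This is an added example, not from the original post: it parses `show ntp status` text in the format quoted above and flags a clock that is unsynchronized, at stratum 16, or offset by more than a chosen threshold. The sample outputs are constructed (the unsynchronized one with invented values), and the 500 msec threshold is an assumed tolerance.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the `show ntp status` output quoted in the post
# (the reference address keeps the post's own x.x.x.x placeholder).
SAMPLE_SYNCED = """Clock is synchronized, stratum 4, reference is x.x.x.x
nominal freq is 119.2092 Hz, actual freq is 119.2076 Hz, precision is 2**18
reference time is D77A0BC8.3817A4F2 (11:24:08.219 BST Wed Jul 23 2014)
clock offset is -18.8268 msec, root delay is 120.00 msec
root dispersion is 159.91 msec, peer dispersion is 28.58 msec
"""
# Constructed sample of a device that has lost its servers; the numbers are invented.
SAMPLE_UNSYNCED = """Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**18
clock offset is 0.0000 msec, root delay is 0.00 msec
"""

@dataclass
class NtpStatus:
    synchronized: bool
    stratum: int
    reference: Optional[str]   # server address; None when there is no reference clock
    offset_ms: Optional[float]

def parse_ntp_status(text: str) -> NtpStatus:
    """Pull the fields that matter for log correlation out of `show ntp status`."""
    head = re.search(r"Clock is (synchronized|unsynchronized), stratum (\d+)"
                     r"(?:, reference is (\S+))?", text)
    if head is None:
        raise ValueError("not recognisable as 'show ntp status' output")
    offset = re.search(r"clock offset is (-?[\d.]+) msec", text)
    return NtpStatus(synchronized=head.group(1) == "synchronized",
                     stratum=int(head.group(2)),
                     reference=head.group(3),
                     offset_ms=float(offset.group(1)) if offset else None)

def check_ntp(status: NtpStatus, max_offset_ms: float = 500.0) -> List[str]:
    """Return findings; an empty list means this device's timestamps can be trusted."""
    findings = []
    if not status.synchronized:
        findings.append("clock is not synchronized to NTP")
    if status.stratum >= 16:   # stratum 16 is NTP's 'no usable time source'
        findings.append(f"stratum {status.stratum}: no usable upstream reference")
    if status.offset_ms is not None and abs(status.offset_ms) > max_offset_ms:
        findings.append(f"offset {status.offset_ms} msec exceeds {max_offset_ms} msec")
    return findings
```

Feed it the captured output from each switch and alert on any non-empty findings list; the same check can be run before relying on a device's syslog timestamps during an investigation.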

Info provided without warranty, please test before implementing. I don’t have the luxury of a test environment myself, but due to the low potential for negative impact in this case, I implemented the above on a switch with minimal ports in use before implementing network-wide.


16 07 2014

Passed the SWITCH quite comfortably on the third attempt on Monday 14th July. Now on to the ROUTE!

My CCNA is already reflecting the new expiry date on the Certification portal – this was previously due to expire in October.

I’ve purchased the Chris Bryant CCNP ROUTE e-book, as I found his SWITCH book incredibly good, and it’s about a quarter of the price of the other books on the market, and more importantly, a much, much easier read, being written in a very casual tone rather than the somewhat stuffy, formal styles associated with Cisco Press etc. I also bought his CCNP SWITCH video series on Udemy, so may well go for the ROUTE equivalent. I already have the CBTNuggets video series for the ROUTE, so I have enough to keep me going.

Aiming to get it passed by the end of the year, although it took 2.5 years to get there with the SWITCH! The fact that all three CCNP exams have to be passed within three years of each other makes this slightly more urgent though.

Teaming with Broadcom NICs

25 04 2013

I’m in the process of installing new Cisco 3750 switches to replace some ageing Dell models. The setup for the servers will be a minimum of two network cards, each uplinked to a different node of the two node 3750 stack.

When everything is working this will mean 2Gbps aggregate bandwidth between the server and the switch, and any other servers or switches connected with at least a 2-port etherchannel, but if an individual switch in the stack or individual NIC fails, the network connectivity will drop to 1Gbps (kicking off lots of network monitoring alerts) but still function. Therefore there is no *single* point of failure.

My “practice” server had two Broadcom NICs, so I installed the BACS4 software available on the Broadcom site. I have BACS3 on another server already so was relatively familiar with the user interface.

However, try as I might, I could not get a context menu to appear when right-clicking on the “Teams” menu item to create a new team.

Short answer – this is caused by User Account Control (UAC), and can be remedied by launching the Broadcom Control Suite 4 from the Control Panel ‘As Administrator’.

While I’m writing about this, I may as well detail the settings.

I chose the “802.3ad Link Aggregation using Link Aggregation Control Protocol (LACP)” option in the BACS software. This is the industry-standard link aggregation protocol (as opposed to PAgP, for instance, the Cisco-proprietary link aggregation protocol).

On the Cisco switch end, I used the following config to create the Port-channel:

interface po X
 switchport mode access
 switchport access vlan XX
 no shut

I then configured the individual switch ports as follows:

int gi 1/0/XXX
 switchport mode access
 switchport access vlan XX
 channel-group X active
 no shut

int gi 2/0/XXX
 switchport mode access
 switchport access vlan XX
 channel-group X active
The X in the “channel-group” command must match the number defined in the port-channel config in order to add the port to the port-channel.

A number of commands can be used to troubleshoot – firstly I’d use show int po X to get the standard interface statistics. This will give an indication of whether the port-channel has been configured properly, as it will show the full bandwidth in the first couple of lines of output, for instance:

MTU 1500 bytes, BW 2000000 Kbit, DLY 10 usec,

Here, there are two 1Gbps interfaces in the port-channel, so it shows 2000000 Kbit as the “bandwidth” (BW).

If you have more than one port in the port-channel, the bandwidth should reflect the combined bandwidth of all of the member ports.

Other things to note of course, are pretty standard – all ports should be the same speed and type (access or trunk); LACP doesn’t support half-duplex; and no individual transfer will ever be faster than the speed of one of the interfaces, in this case 1Gbps.

Now on to the “production” servers!