CCNA Security – 210-260 IINS passed.

15 05 2016

Passed the 210-260 last weekend. I was obviously pretty happy about this, but, what I was even more happy about was the updated syllabus for the cert.

I would estimate around 30-40% difference in content. The general security concepts (which make the first part of the course pretty dry, depending on whether it’s stuff you’re already pretty familiar with or not), remained, as expected, as did a lot of the details about L2/3 security on Cisco devices.

The major changes were the complete removal of CCP to manage routers (with Zone Based Firewall config); this gave way to Cisco ASA configuration – certainly much more relevant to my role and reflective of industry too. Configuration for the ASA was only via ASDM too; if I remember rightly, this was via the command line in the last syllabus and very basic in comparison.

In addition, the way the course is delivered, via online labs rather than locally hosted equipment (which I had to use, and share last time) is superb.

NTP on Cisco switches / routers

23 07 2014

Have been looking recently to review processes and introduce efficiencies where possible. One of the monthly tasks that I set myself was to ensure the time hadn’t slipped too far on my Cisco devices, and to correct it if it had.

A power cut in one of the offices caused all my Cisco devices to reset their time to the default of Mar 1993.

These two factors combined triggered some research into implementing NTP on all Cisco devices.

Commands I used on all devices are as follows. Devices were a combination of Catalyst 3560 and 3750 switches. Routers were already configured accordingly.

#clock timezone GMT 0
#clock summer-time BST recurring 4 SUNDAY MARCH 01:00 4 SUNDAY OCTOBER 02:00 60
#ntp server x.x.x.x
#ntp server x.x.x.x

This sets the timezone to GMT, specifies BST (British Summer Time) as the daylight saving timezone, sets it to recur, starting from the 4th Sunday of March to the 4th Sunday of October, and specifies the NTP servers to use. I’ve found that Server 2008 R2 Domain Controllers work pretty well as a reference NTP server for a number of different device types, including Linux based (Check Point firewalls / Coyote Point load balancers) as well as Cisco devices. My environment doesn’t require nanosecond accuracy, but we do need to be able to correlate times in logs with specific events, which Server 2008 R2 provides.

For troubleshooting / verification, I used these commands:

#show clock detail

The output of this is:

11:33:32.081 BST Wed Jul 23 2014
Time source is NTP
Summer time starts 01:00:00 GMT Sun Mar 23 2014
Summer time ends 02:00:00 BST Sun Oct 26 2014

It shows the time, time source, and start / end of the summer time – useful stuff. Time source is ‘user configured’ if NTP has not been used.

#show ntp associations

This shows the IP addresses of the NTP servers configured, what their reference clock sources are, and their ‘stratum’ (the output is largely IP address related, hence leaving it out here).

#show ntp status

Clock is synchronized, stratum 4, reference is x.x.x.x
nominal freq is 119.2092 Hz, actual freq is 119.2076 Hz, precision is 2**18
reference time is D77A0BC8.3817A4F2 (11:24:08.219 BST Wed Jul 23 2014)
clock offset is -18.8268 msec, root delay is 120.00 msec
root dispersion is 159.91 msec, peer dispersion is 28.58 msec

This shows a bunch of info – the most important part is ‘Clock is synchronised’.
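As an added check (not from the original post), the following Python parses the two outputs above and flags a device whose time source isn’t NTP, whose clock isn’t synchronised, or whose offset is too large for log correlation; it also compares the reported summer-time boundaries with the UK rule (last Sunday of March and last Sunday of October), which the sample output above misses for March 2014 (23 March reported, 30 March was the last Sunday). The NTP server address and the 500 ms tolerance are assumed placeholders.

```python
import re
from datetime import date, timedelta

# Constructed sample output modelled on the post's "show clock detail" and
# "show ntp status" output; the NTP server address is a documentation placeholder.
SHOW_CLOCK = """11:33:32.081 BST Wed Jul 23 2014
Time source is NTP
Summer time starts 01:00:00 GMT Sun Mar 23 2014
Summer time ends 02:00:00 BST Sun Oct 26 2014
"""
SHOW_NTP_STATUS = """Clock is synchronized, stratum 4, reference is 192.0.2.10
nominal freq is 119.2092 Hz, actual freq is 119.2076 Hz, precision is 2**18
reference time is D77A0BC8.3817A4F2 (11:24:08.219 BST Wed Jul 23 2014)
clock offset is -18.8268 msec, root delay is 120.00 msec
root dispersion is 159.91 msec, peer dispersion is 28.58 msec
"""

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}

def last_sunday(year, month):
    """Last Sunday of the month: the UK rule for BST start (March) and end (October)."""
    last_day = (date(year, month, 1) + timedelta(days=31)).replace(day=1) - timedelta(days=1)
    return last_day - timedelta(days=(last_day.weekday() + 1) % 7)

def check_clock(show_clock, show_ntp_status, max_offset_ms=500.0):
    """Return (ok, findings) for one device; max_offset_ms is an assumed tolerance."""
    findings = []
    if "Time source is NTP" not in show_clock:
        findings.append("time source is not NTP")
    if not show_ntp_status.startswith("Clock is synchronized"):
        findings.append("NTP clock is not synchronized")
    m = re.search(r"stratum (\d+)", show_ntp_status)
    if m and int(m.group(1)) >= 16:
        findings.append("stratum 16 means no usable upstream reference")
    m = re.search(r"clock offset is (-?[\d.]+) msec", show_ntp_status)
    if m and abs(float(m.group(1))) > max_offset_ms:
        findings.append(f"clock offset {m.group(1)} ms exceeds {max_offset_ms} ms")
    # Compare the reported summer-time boundaries with the last-Sunday rule.
    for kind, month in (("starts", 3), ("ends", 10)):
        m = re.search(rf"Summer time {kind} \S+ \S+ \S+ (\w+) (\d+) (\d{{4}})", show_clock)
        if m:
            reported = date(int(m.group(3)), MONTHS[m.group(1)], int(m.group(2)))
            expected = last_sunday(reported.year, month)
            if reported != expected:
                findings.append(f"summer time {kind} {reported} but the UK rule gives {expected}")
    return (not findings, findings)
```

Running check_clock over the captured output of every switch turns the monthly manual check described above into a quick pass/fail list.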

Info provided without warranty, please test before implementing. I don’t have the luxury of a test environment myself, but due to the low potential for negative impact in this case, I implemented the above on a switch with minimal ports in use before implementing network-wide.


16 07 2014

Passed the SWITCH quite comfortably on the third attempt on Monday 14th July. Now on to the ROUTE!

My CCNA is already reflecting the new expiry date on the Certification portal – this was previously due to expire in October.

I’ve purchased the Chris Bryant CCNP ROUTE e-book, as I found his SWITCH book incredibly good, and it’s about a quarter of the price of the other books on the market, and more importantly, a much, much easier read, being written in a very casual tone rather than the somewhat stuffy, formal styles associated with Cisco Press etc. I also bought his CCNP SWITCH video series on Udemy, so may well go for the ROUTE equivalent. I already have the CBTNuggets video series for the ROUTE, so I have enough to keep me going.

Aiming to get it passed by the end of the year, although it took 2.5 years to get there with the SWITCH! The fact that all three CCNP exams have to be passed within three years of each other makes this slightly more urgent though.

Teaming with Broadcom NICs

25 04 2013

I’m in the process of installing new Cisco 3750 switches to replace some ageing Dell models. The setup for the servers will be a minimum of two network cards, each uplinked to a different node of the two node 3750 stack.

When everything is working this will mean 2Gbps aggregate bandwidth between the server and the switch, and any other servers or switches connected with at least a 2-port etherchannel, but if an individual switch in the stack or individual NIC fails, the network connectivity will drop to 1Gbps (kicking off lots of network monitoring alerts) but still function. Therefore there is no *single* point of failure.

My “practice” server had two Broadcom NICs, so I installed the BACS4 software available on the Broadcom site. I have BACS3 on another server already, so was relatively familiar with the user interface.

However, try as I might, I could not get a context menu to appear when right-clicking on the “Teams” menu item to create a new team.

Short answer – this is caused by User Account Control (UAC), and can be remedied by launching the Broadcom Control Suite 4 from the Control Panel ‘As Administrator’.

While I’m writing about this, I may as well detail the settings.

I chose the “802.3ad Link Aggregation using Link Aggregation Control Protocol (LACP)” option in the BACS software. This is the industry-standard link aggregation protocol (as opposed to PAgP, for instance, the Cisco-proprietary link aggregation protocol).

On the Cisco switch end, I used the following config to create the Port-channel:

interface po X
switchport mode access
switchport access vlan XX
no shut

I then configured the individual switch ports as follows (the LACP mode is set with the "mode" keyword of the channel-group command):

int gi 1/0/XXX
switchport mode access
switchport access vlan XX
channel-group X mode active
no shut

int gi 2/0/XXX
switchport mode access
switchport access vlan XX
channel-group X mode active

The X in the “channel-group” command must match the number defined in the port-channel config in order to add the port to the port-channel.

A number of commands can be used to troubleshoot – firstly I’d use show int po X to get the standard interface statistics. This will give an indication of whether the port-channel has been configured properly, as it will show the full bandwidth in the first couple of lines of output, for instance:

MTU 1500 bytes, BW 2000000 Kbit, DLY 10 usec,

Here, there are two 1Gbps interfaces in the port-channel, so it shows 2000000 Kbps as the “bandwidth” (BW).

If you have more than one port in the port-channel, the bandwidth should reflect the combined bandwidth of all the ports.

Other things to note are pretty standard – all ports should be the same speed and type (access or trunk); LACP doesn’t support half-duplex; and no individual transfer will ever be faster than the speed of one of the interfaces, in this case 1Gbps.
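As an added check, not part of the original post, this Python linter applies the rules above to a running-config excerpt and the BW line from show int po: the channel-group number must match the Port-channel, every member must carry the same switchport settings as the Port-channel, members must negotiate with LACP (active/passive), and the reported BW must equal the member count times the member speed. The interface numbers, VLAN and 1Gbps member speed are constructed sample values.

```python
import re

# Constructed running-config excerpt modelled on the post's example (X/XX filled in as Po1, VLAN 10, ports 1/0/1 and 2/0/1).
RUNNING_CONFIG = """interface Port-channel1
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 channel-group 1 mode active
interface GigabitEthernet2/0/1
 switchport mode access
 switchport access vlan 10
 channel-group 1 mode active
"""
# Constructed bandwidth line from "show int po 1", as quoted in the post.
SHOW_INT_PO = "MTU 1500 bytes, BW 2000000 Kbit, DLY 10 usec,"

def parse_interfaces(config):
    """Map each interface name to the stripped config lines beneath it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
    return blocks

def check_port_channel(config, po_number, show_int_line, member_kbit=1_000_000):
    """Findings for the rules in the post; member_kbit assumes 1Gbps members."""
    ifaces = parse_interfaces(config)
    po = ifaces.get(f"Port-channel{po_number}")
    if po is None:
        return [f"Port-channel{po_number} is not defined"]
    findings = []
    members = {name: lines for name, lines in ifaces.items()
               if any(re.fullmatch(rf"channel-group {po_number} mode \w+", l) for l in lines)}
    if not members:
        findings.append(f"no ports reference channel-group {po_number}")
    po_switchport = {l for l in po if l.startswith("switchport")}
    for name, lines in members.items():
        if {l for l in lines if l.startswith("switchport")} != po_switchport:
            findings.append(f"{name}: switchport settings differ from the port-channel")
        if not any(l.endswith(("mode active", "mode passive")) for l in lines):
            findings.append(f"{name}: not negotiating with LACP (mode active/passive)")
    m = re.search(r"BW (\d+) Kbit", show_int_line)
    expected = member_kbit * len(members)
    if m and int(m.group(1)) != expected:
        findings.append(f"BW {m.group(1)} Kbit but {len(members)} members should give {expected}")
    return findings
```

An empty list means the port-channel passes every rule; a BW of 1000000 Kbit with two configured members is the symptom to look for when one member failed to bundle.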

Now on to the “production” servers!

Catalyst 3750 switch stacking commands

15 05 2012

Installed my 3750 stack recently, and thought I’d record some useful diagnostics commands.

switch#show switch

Shows the members of the stack, their respective MAC addresses and their priority. A higher priority number is better.

switch#show switch stack-ports

Shows the status of the stacking ports. I used this, in combination with swapping cables, to diagnose a faulty stacking port on a reconditioned 3750 I purchased.

#show switch stack-ports summary

Shows Port status, cable lengths, link statuses.

#show switch stack-ring speed

Another useful one to verify that stacking cables and ports are working correctly. If there are two cables between switches in a two switch stack, they should be running at 32G / “Full”.

First Cisco device upgrade

17 04 2012

So, read about it plenty of times but never actually done it – until today. Have to say, it’s a hair raising few moments waiting for the device to start booting from the new image but very satisfying when it does. These are the steps I took – no warranty implied, do it at your own risk.

1. Install TFTPD32 on computer, verify upload of file from a Cisco device with known good connectivity

2. Upload the .bin file from the device where the OS is to be upgraded to the TFTP server. This is to ensure that there is a fall-back plan if the new image doesn’t work. It was not possible in this case to store both images at the same time on the switch.

3. Upload the image from the switch with the desired OS version to the TFTP server

4. Delete the old image from the switch to be upgraded.

5. Download the desired image from TFTP to the flash of the to-be-upgraded device

6. Configure the switch to boot from the new image:
Switch(config)#boot system switch all flash:/c3750-imgname.bin
Switch#copy run start

7. Verify the boot variable:
Switch#show boot

8. Clench, and reload the switch 😉

Passed ICND2

5 10 2011

Took the ICND2 again at the same test centre yesterday, and passed! Score was 860. As preparation, I carried out hours and hours of subnetting, binary conversion and VLSM practice, and was glad I did.

Knowing that time would be my greatest enemy, I had already decided that I would be confident in my answers and move on from each question as quickly as possible, rather than reviewing which I’d normally do. I got a similar VLSM question to one I got last time, quite early on in the test, which I was glad of, and then smashed through the questions as fast as possible.

The switch simulation was very near the end, which was great, because I had lots of time to spare by this point and as it was similar to the last one which I was pretty sure I got right, I was quite confident about the answer.

As NAT / access lists was my weakest area last time, I paid special attention to these in my studies, and was glad I did, achieving 100% on this section compared to 33% last time.

Finally finished with 10 minutes to spare. Had a hairy moment when I clicked “End Exam” in order to get my score without messing around with surveys etc, and the screen skipped straight to the login screen, bypassing the score page!

Practically ran out to reception, worried that I’d ended the process early and lost my score, but fortunately, my score sheet was already being printed. I jumped up and down screaming “yes!” when I saw the pass mark.

So, I strongly advise candidates for this one to know the material very well before taking it, and to practise binary conversion, subnetting and VLSM till you’re blue in the face – it’s so important to be able to calculate these quickly during the exam.