Eletriarnation
Apr 6, 2005

People don't appreciate the substance of things...
objects in space.


Oven Wrangler
Can you lay out the topology including which interfaces/in what directions the ACL is applied, and share the contents of the ACL?


Hotel Kpro
Feb 24, 2011

owls don't go to school

Dinosaur Gum
I’ve got two switches and a router connected in a triangle, from one switch it runs to a PC and a server both in their own VLANs. For the ACL I’ve got

Permit tcp any any range telnet 443
Deny ip any any

I tried applying it to the physical interface connected to the PC as well as the VLAN interface, in both the in and out directions. Nothing would stop FTP until I made a similar ACL for the router and applied it to the logical interface that runs to the VLAN for the PC.
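
The two ACL lines above, run through a small first-match evaluator so the behaviour can be checked offline. This is an added example, not code from the thread or from Cisco: it models only the subset of IOS extended-ACL syntax the post uses (`permit`/`deny`, a protocol, `any any`, `eq`/`range` on the destination port, plus the real `established` and `log` keywords), and the hosts, ports and second ACL are constructed for the demonstration. It shows why FTP (port 21) falls outside `range telnet 443` (23 to 443), why the implicit deny catches everything else, and the caveat that matters when the list is applied in the "out" direction: a stateless ACL matches the destination port of each packet, so the server's replies (destination = the PC's ephemeral port) are dropped unless an `established` entry lets them through.

```python
# Added example (not from the thread): a minimal model of how a stateless
# Cisco-style extended ACL is evaluated, using the two lines posted above.
# Assumptions/simplifications: only "any any" source/destination, matching on
# protocol and destination port; real IOS ACLs also match addresses with
# wildcard masks, source ports, ICMP types and more.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Subset of the port names IOS accepts in place of numbers.
PORT_NAMES = {"ftp": 21, "telnet": 23, "www": 80, "https": 443}


def port_number(token: str) -> int:
    """Resolve a port token such as 'telnet' or '443' to an integer."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    established: bool = False   # ACK or RST set, i.e. not the opening SYN


@dataclass(frozen=True)
class Ace:
    action: str                           # "permit" or "deny"
    proto: str                            # "ip", "tcp" or "udp"
    dst_ports: Optional[Tuple[int, int]]  # inclusive destination-port range
    established: bool                     # the IOS "established" keyword
    log: bool                             # the IOS "log" keyword


def parse_ace(line: str) -> Ace:
    """Parse: permit|deny <proto> any any [eq <port> | range <lo> <hi>] [established] [log]"""
    tokens = line.lower().split()
    action, proto, src, dst = tokens[:4]
    if action not in ("permit", "deny") or (src, dst) != ("any", "any"):
        raise ValueError(f"unsupported ACE: {line!r}")
    rest = tokens[4:]
    dst_ports = None
    if "eq" in rest:
        p = port_number(rest[rest.index("eq") + 1])
        dst_ports = (p, p)
    elif "range" in rest:
        i = rest.index("range")
        dst_ports = (port_number(rest[i + 1]), port_number(rest[i + 2]))
    return Ace(action, proto, dst_ports, "established" in rest, "log" in rest)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dst_ports is not None:
        lo, hi = ace.dst_ports
        if not lo <= pkt.dport <= hi:
            return False
    if ace.established and not pkt.established:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; no match means the implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, pkt):
            if ace.log:  # shaped like the IOS %SEC-6-IPACCESSLOGP message
                print(f"%SEC-6-IPACCESSLOGP: list demo {ace.action} {pkt.proto} "
                      f"{pkt.src}({pkt.sport}) -> {pkt.dst}({pkt.dport})")
            return ace.action
    return "deny"


# The ACL exactly as posted in the thread.
ACL_FROM_POST = """
permit tcp any any range telnet 443
deny ip any any
"""

# Constructed variant: lets return traffic through and logs what is dropped.
ACL_WITH_RETURN = """
permit tcp any any established
permit tcp any any range telnet 443
deny ip any any log
"""

# Constructed sample traffic: PC in one VLAN, server in another.
PC, SERVER = "10.10.10.5", "10.10.20.5"
PACKETS: Dict[str, Packet] = {
    "pc_https": Packet("tcp", PC, SERVER, 51000, 443),
    "pc_telnet": Packet("tcp", PC, SERVER, 51002, 23),
    "pc_ftp": Packet("tcp", PC, SERVER, 51001, 21),
    # Server's reply to pc_https: destination port is the PC's ephemeral port.
    "server_reply": Packet("tcp", SERVER, PC, 443, 51000, established=True),
}


def demo(acl_text: str) -> Dict[str, str]:
    """Evaluate every sample packet against the given ACL text."""
    acl = parse_acl(acl_text)
    return {name: evaluate(acl, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    print("as posted:    ", demo(ACL_FROM_POST))
    print("with return:  ", demo(ACL_WITH_RETURN))
```

With the posted list, `pc_ftp` is denied because 21 is below 23, `pc_https` and `pc_telnet` are permitted, and `server_reply` is denied, which is what you would see if the list were applied outbound toward the PC. `established` only checks TCP flags, not a tracked session, so it is a coarse fix; a reflexive ACL or a stateful firewall is the proper answer where return traffic must be validated.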

Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life
It sounds like you are trying to apply a “layer 3” ACL on a “layer 2” switchport interface, which is why it isn’t working but works when configured on the router.

Hotel Kpro
Feb 24, 2011

owls don't go to school

Dinosaur Gum
Yeah that tracks, I knew it couldn’t be anything complicated but I don’t have the networking experience to see through simple stuff like that yet. Lots of poking away at it

PancakeTransmission
May 27, 2007

You gotta improvise, Lisa: cloves, Tom Collins mix, frozen pie crust...


Plaster Town Cop

Cyks posted:

It sounds like you are trying to apply a “layer 3” ACL on a “layer 2” switchport interface, which is why it isn’t working but works when configured on the router.

That's not really true - we use L3 DACLs on all our switchports and they work as expected.

In saying that, packet tracer is just a simulator so it may not work there.

Hotel Kpro
Feb 24, 2011

owls don't go to school

Dinosaur Gum
A lot of things don't seem to work with it, but my other option was GNS3 and several students on reddit told me to use packet tracer. I'm supposed to be able to log ACL violations in syslog but packet tracer does not have the capability. Why even give us the option?

Eletriarnation
Apr 6, 2005

People don't appreciate the substance of things...
objects in space.


Oven Wrangler
I don't recall if Packet Tracer uses custom images which are based on ones used for real hardware or if it uses standard images directly, but either way I bet they left the command set recognized by the parser alone and just changed how the simulator reacts to unsupported commands. I remember CCNA and CCNP exams years ago listing off all kinds of commands if you use '?', but many of them didn't work at all and just produced a response saying they were not supported.

Kazinsal
Dec 13, 2011
Yeah, Packet Tracer will just lie to you about what's supported a lot of the time.

GNS3 is relatively slow and probably still only supports ancient IOS images if you want to emulate physical Cisco hardware but it'll actually do it accurately. It does support VIRL images (ASAv, IOSv, etc) so if you have access to those, you can run modern IOS/ASA software in the same sort of virtual environment that Cisco's own lab software does.

Nuclearmonkee
Jun 10, 2009


Containerlab is better than packet tracer, GNS3, and EVE-NG if you're comfortable at all with defining network state via a yaml file, either automatically or manually (ideally automatically).

For just a personal lab with full VMs, I like EVE-NG. Regardless of the one you run, yeah you will have a fair number of features that just don't work quite right if you're doing something strange.

Hotel Kpro
Feb 24, 2011

owls don't go to school

Dinosaur Gum
Unfortunately the school only allows us to use GNS3 and Packet Tracer, and at this point I'm deep enough into the project that I'm not sure I'd have time to set it up again using GNS3. I've got 20 days to finish otherwise I'm paying for another term

Tetramin
Apr 1, 2006

I'ma buck you up.
What I generally see from people in the cert world is to just stick with packet tracer through CCNA. It’s pretty lovely but I guess the attitude is you won’t be unable to do anything required for that level of material.

E: that is a strange problem but I would agree, the first layer 3 interface being hit in your setup must be the one on the router.

FWIW I find that the ACL log command is super unreliable on live equipment. You’re not missing much.

Tetramin fucked around with this message at 00:40 on May 14, 2024

Partycat
Oct 25, 2004

Telnet is 23 and FTP is 21?

Hotel Kpro
Feb 24, 2011

owls don't go to school

Dinosaur Gum
Traditionally yeah

Kazinsal
Dec 13, 2011
gonna implement port knocking by having someone transmit valid telnet option packets on the FTP port

HexiDave
Mar 20, 2009
I have a close friend who is just starting down the path to get his CCNA cert and I wanted to get him (and myself) some cheap equipment that'll be enough to go over everything for the cert. I have precisely zero Cisco experience, but I have plenty of other network equipment and experience to draw from and I want to be there each step so I can help him. I've seen on eBay there's a lot of 10/100 equipment that's deprecated and super cheap, but I don't have a good frame of reference with the CCNA to know what would be enough equipment.

I've got him playing with Packet Tracer, but I *really* want to get him some hands-on experience. Does anyone have some good suggestions (or links!) for hardware? It doesn't need to be bottom-of-the-barrel cheap, but I'm definitely looking for quantity over quality so we can both get into making more complex labs. I've done a bit of searching already, but so far every place has had totally different suggestions, and that doesn't fill me with confidence.

Thanks Ants
May 21, 2004

#essereFerrari


The consensus for a while was that the hardware bundles you could buy were people essentially shifting e-waste and Packet Tracer is more than enough for a CCNA. I guess it depends if someone has any hands-on experience with any networking hardware at all though and it might have a small bit of value in those situations.

Kazinsal
Dec 13, 2011
I think you can probably get ISR G3s (4000 series) for cheap on eBay now but even those are basically e-waste without a boost license because Cisco intentionally strangled those boxes to shaft people on per-device license costs. The 4331 is limited to 100 Mbps aggregate throughput with the base license, 300 Mbps with the "performance" license, and can theoretically push 1500 byte packets at 2 Gbps with the boost license (though since the boost license just turns off the CPU limiter, every feature you turn on lowers your throughput).

That being said I'm still using the same 48-port gigabit PoE 2960-S in my home network that I have been for ages, and it is by far the loudest thing in my network/compute stack, so I guess at least that's "functional" e-waste.

e: christ it's hard to get good throughput information out of Cisco these days. It's impressive how enshittified everything about that company has gotten in the past five years alone.

Kazinsal fucked around with this message at 20:24 on May 17, 2024

Docjowles
Apr 9, 2009

Thanks Ants posted:

The consensus for a while was that the hardware bundles you could buy were people essentially shifting e-waste and Packet Tracer is more than enough for a CCNA. I guess it depends if someone has any hands-on experience with any networking hardware at all though and it might have a small bit of value in those situations.

I don't have specific recommendations but I would argue there is some value in a (small, cheap) physical lab if you've never even seen ~enterprise~ network equipment before. Surely every geek has touched ethernet but a lot less have dealt with fiber. Not sure if it would even come up in the course of the CCNA exam. But your first week on the job when your boss hands you some SFPs and fiber, it would be nice not to look like a deer in the headlights.

Aware
Nov 18, 2003
Taking a stab I'd just get a 4x 3750X and a few 29xx series routers if it were me. It's been a while but the 29xxs could have all licensing enabled on IOS 15 but I think they started locking it down in later releases. This might be really bad advice these days because my Cisco experience largely stopped in 2012.

Partycat
Oct 25, 2004

I think the 2900 is still all RTU. 3750s have bad flash and power supply caps, I wouldn't pay for those. You can book free limited lab time in the CML sandbox so you can lab for free too.

PancakeTransmission
May 27, 2007

You gotta improvise, Lisa: cloves, Tom Collins mix, frozen pie crust...


Plaster Town Cop
RTU goes as high as 16.8.1 (3850s) and then after a bunch of versions they went to CSLU which is basically RTU once you get the initial licence on there (or buy them grey market already on there).

tadashi
Feb 20, 2006

Is it true that Cisco is killing off all their non-8000/9000 series routers?
I’m trying to find a mid-tier router to connect to smart jack. Due to the way our ISP does networking it has to be a router device.
We could use an L3 switch but I’d rather get a router instead of using router on a stick.

Any alternatives to Cisco for non-sd wan routers? I’m a little out of touch.

Thanks Ants
May 21, 2004

#essereFerrari


Our main ISP uses cheap Juniper SRX boxes as CPE routers, they seem pretty rock solid

DeNofa
Aug 25, 2009

WILL AMOUNT TO NOTHING IN LIFE.

tadashi posted:

Is it true that Cisco is killing off all their non-8000/9000 series routers?
I’m trying to find a mid-tier router to connect to smart jack. Due to the way our ISP does networking it has to be a router device.
We could use an L3 switch but I’d rather get a router instead of using router on a stick.

Any alternatives to Cisco for non-sd wan routers? I’m a little out of touch.

The ISR4000s are End of Life but aren't dead until 2028, this is a solid box which should be pretty cheap if you want to go Cisco: https://www.cisco.com/c/en/us/products/collateral/routers/4000-series-integrated-services-routers-isr/select-isr4k-series-platform-eol.html

Thanks Ants
May 21, 2004

#essereFerrari


Cisco's website is funny, they don't consider themselves to make routers any more. You have to pick SD-WAN and routers are then a subset of that.

Kazinsal
Dec 13, 2011
Do you really need a "router"? Or is your ISP making poo poo up and you just need an edge device that can speak PPPoE? Because there are several vendors that make firewalls that do full PPPoE while also cranking out multi-gigabit speeds without needing to fork upper five figures over to Cisco for the hardware alone.

Prescription Combs
Apr 20, 2005
   6

tadashi posted:

Is it true that Cisco is killing off all their non-8000/9000 series routers?
I’m trying to find a mid-tier router to connect to smart jack. Due to the way our ISP does networking it has to be a router device.
We could use an L3 switch but I’d rather get a router instead of using router on a stick.

Any alternatives to Cisco for non-sd wan routers? I’m a little out of touch.

What are the hard requirements? Seems odd.

Kazinsal
Dec 13, 2011
Anyways, you want a Palo Alto or a Juniper SRX.

Partycat
Oct 25, 2004

Patton has CPE devices that will do that as well for another option.


Pile Of Garbage
May 28, 2007



Not Cisco-related but I figured I'd post this here anyway, support for proxy-mode inspection on 2GB RAM FortiGate models is being ended as of FortiOS 7.4.4: https://docs.fortinet.com/document/...elated-features. This change locks you out of quite a few features like ZTNA, explicit/transparent proxies and virtual server load balancing. For production environments it's not really an issue as 7.4 is still a feature branch and not yet a mature branch like 7.0 and 7.2. However, it has implications if you want to test newer features or when 7.4 does become a mature branch (guessing that will happen when 7.6 is released).
