|
Anjow posted:Edit: Just figured I'd tack this on - what does SDM stand for in this context? Is it 'Security Device Manager'?
|
#
?
Aug 13, 2008 02:05
|
|
|
|
| # ? May 15, 2024 02:43 |
|
|
Okie dokie next question! I'm making a small network to practice on PacketTracer. I have been using 2621XM routers running IOS (tm) C2600 Software (C2600-I-M), Version 12.2(28). I've got a few running OSPF and that's all working fine and now I'm introducing another section that runs EIGRP. My problem is this: I'm trying to get one to redistribute the OSPF data to EIGRP - it has both protocols but when I go into EIGRP 100 the redistribute command isn't there. The running config can be found here: http://pastebin.com/f2470dea0 Is redistribution not supported with that version or something? I know in the classes I did we were using 12.3(11 I think).
|
|
#
?
Aug 14, 2008 18:03
|
|
|
I don't think packet tracer can do route redistribution. I could be wrong. edit: I don't think Packet Tracer 4.x can do route redistribution. Looks like maybe 5.x can.
|
|
#
?
Aug 14, 2008 18:41
|
|
|
Ahh bummer, I'm on 4.1. Thanks very much for the info.
|
|
#
?
Aug 14, 2008 19:02
|
|
|
I should mention that we're looking for a CCNP or someone of similar or equivalent skill set. It's in a tertiary market, in the Northeast (about a hundred miles West of Boston), and our pay band is something like $60k - $85k. Just in case anybody is looking to relocate.
|
|
#
?
Aug 14, 2008 20:08
|
|
|
If you have legally-obtained IOS images, dynamips/dynagen is a good virtual machine for running router instances for testing and learning. As far as I can tell, if the router and interfaces you need are supported, you'll have (nearly) 100% feature coverage for that router. So, no more XXX is unsupported unless you upgrade to version 5.0.
|
|
#
?
Aug 15, 2008 00:24
|
|
|
Why doesn't any simulator incorporate switches? Are switches really that difficult to emulate, or do the just expect everyone to hack routers together and call them siwtches? I want my Vlans damnit.
|
|
#
?
Aug 15, 2008 04:57
|
|
|
Powercrazy posted:Why doesn't any simulator incorporate switches? Are switches really that difficult to emulate, or do the just expect everyone to hack routers together and call them siwtches? The dynamips guy says it's because it's hard to emulate the asics. Although he supports etherswitch NM's, or claims to- I've never tried to work with them. What do you need to do? You can configure dot1q subinterfaces on ethernet interfaces provided you have an appropriate image. Or you could buy some 2924s (what I did).
|
|
#
?
Aug 15, 2008 05:09
|
|
|
How much is everyone making? From what I've read entry/newbie CCNA'rs are making ~50k/y. This just seems way too good to be true for several months of studying, or am I wrong?
|
|
#
?
Aug 15, 2008 05:18
|
|
|
Tab8715 posted:How much is everyone making? From what I've read entry/newbie CCNA'rs are making ~50k/y. Yes, it's too good to be true. If you don't have a college degree and just have a CCNA and zero experience, don't expect to make more than 40k a year (and that's being generous).
|
|
#
?
Aug 15, 2008 07:02
|
|
|
I've got a college degree and will hopefully have a CCNA and I'm afraid no one will employ me because I don't have experience. I'd be ecstatic to earn more than £20,000 given my situation. As for Powercrazy's question about switches I am confused - do the simulators not implement a full features set or something? I am using VLANs in my current simulation. I'd be ecstatic to get a job with no experience full stop. It seems like such a catch 22, everyone wants experience and so you can't get experience. Sir Sidney Poitier fucked around with this message at 09:04 on Aug 15, 2008 |
|
#
?
Aug 15, 2008 09:01
|
|
|
It also depends a lot on where you live, so it's really impossible to say what a CCNA should be paid without considering her other experience, location, the industry itself, etc. Dynamips has a built in switch option that you can use. It's not a managed switch, but you can configure it to connect your virtual routers together. If you need real switch features, jwh has the right idea. Edit: Dynamips doesn't implement the virtual hardware to run a switch, except in the case of those NM modules that act like a switch. The author says it's hard to replicate all the functionality. Other simulators may or may not have the same problem, but other simulators I have seen don't run full instances of IOS, they simulate IOS by providing a subset of available commands. Dynamips isn't a router simulator so much as it is a virtual machine for cisco routers, so much in the same way you might run a virtualized instance of Windows XP, you could run a virtualized instance of IOS, complete with all available features. Different companies will value certifications vs experience differently. The way I started was to take the low paying helpdesk job and work up from there. In my experience, candidates who are driven will work their way to the top and not be satisfied answering phones or doing tickets all day. If you have plenty of certifications but lack experience, there will be companies who will be interested in you as a candidate. Ninja Rope fucked around with this message at 09:21 on Aug 15, 2008 |
|
#
?
Aug 15, 2008 09:05
|
|
|
It really depends on what you know, and how long you've known it- I don't have a college degree or any Cisco certifications. Some employers care more about pedigree, and others care more about your ability to get the job done. I look for CCNA and CCNP on resumes as a shortcut to understanding the skill set of the applicant, but I would never go solely by that measure. That's not the case with every employer, however, as some employers do go solely by that measure. I'm sure we all have anecdotes about the <insert certification here> that didn't know anything. The nice thing about this stuff, is that so much information is free for the taking- there's nothing stopping somebody with a modicum of interest from becoming a real expert. This is in contrast to a lot of other fields, where information is either jealously guarded, or protected by a number of barriers meant to keep the uninitiated out. I try and gauge whether a candidate is focused on what they know, or what they don't know- Dunning-Kruger and all that. There's a good chance that if somebody is downplaying their abilities, it's because they know just how much they don't know, and it's hard to know what you don't know. It's like that saying, "confidence is the feeling you have before you understand the situation." Long story short, fifty-thousand for a CCNA right off the boat probably exists, but I wouldn't bank on it bringing in that kind of money, nor getting you hired in the first place.
|
|
#
?
Aug 15, 2008 17:25
|
|
|
jwh posted:The dynamips guy says it's because it's hard to emulate the asics. Its jsut a general bitch. I've got access to the Cisco WebIOU simulators (they run actual IOS images on a solaris box). But they can't do switches either, and every single simulator program I've seen doesn't do switches. Its bizaar to me because it seems like routing would be more difficult to emulate then switching is. But apparently its easier to simulate routers then it is to simulate switches. Oh well. I should be taking my CCNA/CCDA in like 4 or 5 days at most, I'll be doing the combined test and I've gotten Frame Relay, OSPF, and ACLs down for the most part so I should be ok. Then CCNP in like 3 months. Woohoo getting paid to cert is awesome. ate shit on live tv fucked around with this message at 18:48 on Aug 15, 2008 |
|
#
?
Aug 15, 2008 18:43
|
|
|
jwh posted:I try and gauge whether a candidate is focused on what they know, or what they don't know- Dunning-Kruger and all that. There's a good chance that if somebody is downplaying their abilities, it's because they know just how much they don't know, and it's hard to know what you don't know. It's like that saying, "confidence is the feeling you have before you understand the situation." My own personal corollary to Dunning-Kruger is, "The dumbest people are always the loudest.".
|
|
#
?
Aug 15, 2008 20:02
|
|
|
inignot posted:I have dim memories of receiving a demo AP from Cisco that was configured in lightweight mode. I couldn't make any config changes until I converted it to autonomous mode. The conversion procedure was different from a typical password recovery. This may or may not apply to your issue: I'm going through this process right now, but don't have access to the IOS files cause Cisco's site is being a bitch. I inherited a few 1131s and reset them because the enable was unknown. Now I have to do all the TFTP BS.
|
|
#
?
Aug 16, 2008 00:25
|
|
|
Powercrazy posted:But apparently its easier to simulate routers then it is to simulate switches. All Dynamips does is emulate a CPU that's capable of understanding the IOS image. The "core" in most routers is just a CPU and some DRAM. Only recently have companies (thinking of Cisco here, not sure if Juniper does this or not, but IIRC they don't really deal with routers, but more just modular switching platforms that can do routing) been starting to stick stuff like port ASICs in routers to get better performance out of them. If you look at the various port adapters that Dynamips does support, the selection is somewhat limited, again because it has to do with loading code that supports/emulates the chipsets used on those port adapters. I loaded up a couple 7200's each with the single GigE port adapter and connected them up and attempted to ping across the links. The throughput was god-awful. Even with low-end stuff like serial or regular 10Mb Ethernet, the throughput isn't that great but it's good enough to get routing protocols to converge and use debugs and the like. With a switch you have (again) things like port ASICs, TCAM, various buses (in modular hardware), fabric-enabled modules, non-fabric enabled, etc. This would be pretty hard to emulate. quote:Then CCNP in like 3 months. Woohoo getting paid to cert is awesome. Good luck with that... atticus fucked around with this message at 06:51 on Aug 16, 2008 |
|
#
?
Aug 16, 2008 05:56
|
|
|
Yea that makes since about switches, which is why I said its just a general bitch. Thanks for the luck, I'll definetly need it.
|
|
#
?
Aug 16, 2008 16:43
|
|
|
atticus posted:Yes, it's too good to be true. Well, I have experience doing generic A+ and some small networking things - eg "make me a wireless network". Curious, how a CCNA with a Minor in Computer Programming look? EDIT : How physically intensive is being a Cisco tech? I've seen someone really large pieces of equipment and I've got a bad back. Of course I could lift somethings once in a while, but I'd perfer not to at all. Gucci Loafers fucked around with this message at 22:51 on Aug 16, 2008 |
|
#
?
Aug 16, 2008 22:44
|
|
|
Tab8715 posted:EDIT : How physically intensive is being a Cisco tech? I've seen someone really large pieces of equipment and I've got a bad back. Of course I could lift somethings once in a while, but I'd perfer not to at all. Unless you are in a lab environment, it should be pretty rare that you move anything at all. The aggregation Switches and Routers (7609's and 6509's) are pretty light once you take all the line cards out. The Core routers and switches (GSR's and CRS-1's) you'll rarely see and NEVER move. Some of the smaller switches (4948's, 3560's, 3750's) are kind of heavy, but you should be able to move them easilly in groups of 2 or 3 (I think they are around 15lbs). So in short, don't worry about the physical aspect, you'll rarely encounter it and when you do you'll certainly have some help.
|
|
#
?
Aug 16, 2008 23:52
|
|
|
Powercrazy posted:Unless you are in a lab environment, it should be pretty rare that you move anything at all. The aggregation Switches and Routers (7609's and 6509's) are pretty light once you take all the line cards out. The Core routers and switches (GSR's and CRS-1's) you'll rarely see and NEVER move. I believe the standard for most IT work is "can you lift and handle 75 lbs?", when powercrazy is calling 7609s and 6509s 'light' that means they're around 50lbs or so unloaded but they're also really easy to rack since they come with slide rails that they sit on, so you just have to have a guy on each side to lift it up.
|
|
#
?
Aug 17, 2008 01:31
|
|
|
So, it's not a Cisco Tech's job too mount racks and all that? By the way, how does the minor in CS sound? I'd probably also get Server + and Network +
|
|
#
?
Aug 17, 2008 02:00
|
|
|
Tab8715 posted:So, it's not a Cisco Tech's job too mount racks and all that? When I was working in a lab environment, the heavy poo poo (fully loaded CRS-1's and 7609's etc) was all put in place by either the shippers, or our hourly facilities guys. The configuring etc, was the part that we did. Sure occasionally we had to move things between racks etc, but for the most part everything is pretty static. I assume when you say cisco tech you mean a network tech, and other than moving edge switches around, the "hard" part (i.e. the part you were hired for) is configuring the devices. As far as your degree is concerned a BS in some kind of technical background is good. I guess you have a BA with a minor in CS? I'm sure for a network admin job your certs and general knowledge are going to be good enough to get you hired I'd wager. If I was hiring a cisco network guy, I'd be more concerned with famialrity of the products and IOS rather than what their major was, so don't worry about it too much.
|
|
#
?
Aug 17, 2008 03:03
|
|
|
Well, I went school but I never graduated but I could see how getting at least a minor CS would be helpful. If I went for a major in CS I don't see why anyone would bother going into Cisco stuff.
|
|
#
?
Aug 17, 2008 03:10
|
|
|
I used to work with a CCIE who had a degree in Geology. Draw your own conclusions.
|
|
#
?
Aug 17, 2008 13:02
|
|
|
Tab8715 posted:So, it's not a Cisco Tech's job too mount racks and all that? Depends on the company. When I'm working on an implementations team, we might have to rack some 6513s, 4510Rs, 4506s, and a number of 3750s, 2960s, etc, as part of the implementation. And program them. I've even had to run cable every now and again. But, we're generally set up so that if you can't do heavy lifting, there are plenty of other things you can do, and plenty of other people to help out.
|
|
#
?
Aug 17, 2008 18:05
|
|
|
Tab8715 posted:Well, I went school but I never graduated but I could see how getting at least a minor CS would be helpful. If I went for a major in CS I don't see why anyone would bother going into Cisco stuff. It depends on what the company needs. I would give my left nut right now for a really competent programmer that understands OSPF/BGP and routers really well. For larger networks, there is a strong trend towards automation in the management of the network, and as there are probably no off the shelf solutions that will fit "your" network you will have to build something in house. Of course, one of the best CCIE's that I worked with had a major in aerospace engineering. It really is not what your degree is in (or if you have a degree, as I do not) but how you apply yourself to the job. I do strongly believe that some CS background is generally useful for troubleshooting computers and anything computer related, just so you get a feel for the underlying methodology of how programs work. As for physically intensive, it is not really. I run the lab for my group, and the heaviest things that I have to move around on a routine basis are blade-servers. I racked an empty 7609 by myself without too much trouble, but it was going on the bottom of the rack so I cheated. If it is heavier, you normally just grab a coworker and make them help you (or in the case of a CRS-16, the union guys so if they drop it you can blame them). Now, I am curious what program people use to generate network traffic (preferably something with replay capability and 1g throughput) in their test labs? I have an IXIA chassis, but not the license for the latest software that would give me the ability to generate specific payloads - finance is too cheap at the moment to let me upgrade.
|
|
#
?
Aug 17, 2008 18:41
|
|
|
mezoth posted:Now, I am curious what program people use to generate network traffic (preferably something with replay capability and 1g throughput) in their test labs? I have an IXIA chassis, but not the license for the latest software that would give me the ability to generate specific payloads - finance is too cheap at the moment to let me upgrade. Our lead engineer that developed our lab used a combination of IXIA hardware and a few FreeBSD boxes with high performance NICs installed in them. He compared using the IXIA to a surgeon using a scalpel (finely tuned control/granularity) and using the FreeBSD boxes as cannons in terms of generating huge amounts of traffic. I think the FreeBSD setup involved using bpf to generate said large amounts of traffic, but I'm not sure what type of replay capability is available for that solution. I know IXIA's stuff is both pretty powerful for generating a ton of different types traffic, and also very expensive.
|
|
#
?
Aug 17, 2008 20:47
|
|
|
In the lab I was working at we used Spirent SmartBits to generate routes, tcp traffic, layer 2 and everything in between. But that is an expensive solution so I think that disqualifies you. However if you talk to Spirent they will sometimes let you borrow a chassis for awhile, we had one in our lab that we borrowed for so long that they just let us keep it  Of course we spent a crazy amount of money with spirent so that probably had more to do with it.
|
|
#
?
Aug 18, 2008 17:49
|
|
|
So the IXIA chassis and software that I am currently using seems to be able to generate traffic and routes along arbitrary guidelines, but (and I may just be stupid) it does not seem to be able to replay TCP sessions or even generate specific payloads for packets. They are cannons too, we have some 10g cards for them and they actually do line rate 10g. My understanding is that there is a software upgrade that permits the IXIA chassis to do part of what I want (specific data segments in packets of arbitrary type) but not the TCP replay capability. My ideal solution would be a medium performance software package (up to 100k pps) with tcp replay capability on some sort of generic hardware platform running linux. It would also be able to rewrite the IP header at replay-time (for things like many generic source-addresses) and preferably intelligently rewrite the layer4 header as well (new tcp seq# that increment along the replay). To bring this back on topic, the reason I am looking for this is that I am doing some performance testing on 7600 and CRS in relation to the routing engine protection mechanisms. Sadly, both of these products have relatively immature routing engine protection mechanisms and I am finding bugs in them - but some bugs are hard to find without realistic looking traffic to simulate an "attack". As a side note, the juniper platform's RE protection methods are far more robust (but they also have their caveats!).
|
|
#
?
Aug 19, 2008 06:05
|
|
|
When you say 'routing engine protection mechanisms', what are you referring to? CoPP?
|
|
#
?
Aug 19, 2008 15:50
|
|
|
mezoth, what company are you working with? If it is IBM or ATT or Verizon or something like that I might be able to help you out.
|
|
#
?
Aug 19, 2008 20:02
|
|
|
jwh, COPP is the 7600 mechanism, and I forget the acronym they use for the CRS - functionally the same in the end, just a slightly different mechanism (and only available in 3.6.0 and later). Power, it is one of the big ISPs, but I will actually not say which one - being publicly associated with a specific ISP just leads to trouble, either people wanting things/info that you cannot give or hating you for some imagined slight that you had no control over. :\ I can talk about my experiences with COPP in detail, if desired! It definitely has some issues still, but the newer code (SRC+) seems to have ironed some of them out. That is the code I am trying to complete my testing on currently for COPP and why I am looking to generate traffic. The CRS I am just now implementing the protections on as the mechanisms are brand new, and it needs the same gamut of tests.
|
|
#
?
Aug 20, 2008 05:59
|
|
|
I'm having issues upgrading to ACS 4.2. We originally had version 3.3 and it worked great. We started encountering database errors and people could not log in. Our backup server kicked in and we were all good. One of the techs called in to Cisco support and they basically told us to upgrade from 3.3 to 4.2. we received approval, got the software, and then I upgraded. I imported as many settings as I could and set everything up. The thing still doesn't work. I left the backup server alone running 3.3 and it is working fine for TACACS+ as well as RADIUS. I have a 2801 in a test environment that I have been using for the 4.2 upgrade. Here is the debug tacacs authentication (I included this because of the authentication errors): *Aug 20 13:34:16.295: TPLUS: Queuing AAA Authentication request 4 for processing *Aug 20 13:34:16.299: TPLUS: processing authentication start request id 4 *Aug 20 13:34:16.299: TPLUS: Authentication start packet created for 4(******) *Aug 20 13:34:16.299: TPLUS: Using server 10.******** *Aug 20 13:34:16.299: TPLUS(00000004)/0/NB_WAIT/67C3B570: Started 5 sec timeout *Aug 20 13:34:16.299: TPLUS(00000004)/0/NB_WAIT: socket event 2 *Aug 20 13:34:16.303: TPLUS(00000004)/0/NB_WAIT: wrote entire 37 bytes request *Aug 20 13:34:16.303: TPLUS(00000004)/0/READ: socket event 1 *Aug 20 13:34:16.303: TPLUS(00000004)/0/READ: Would block while reading *Aug 20 13:34:16.359: TPLUS(00000004)/0/READ: socket event 1 *Aug 20 13:34:16.359: TPLUS(00000004)/0/READ: read entire 12 header bytes (expect 43 bytes data) *Aug 20 13:34:16.359: TPLUS(00000004)/0/READ: socket event 1 *Aug 20 13:34:16.359: TPLUS(00000004)/0/READ: read entire 55 bytes response *Aug 20 13:34:16.359: TPLUS(00000004)/0/67C3B570: Processing the reply packet *Aug 20 13:34:16.359: TPLUS: Received Authen status error *Aug 20 13:34:16.359: TPLUS(00000004)/0/REQ_WAIT/67C3B570: timed out *Aug 20 13:34:16.363: TPLUS: Choosing next server 10.******* *Aug 20 13:34:16.363: TPLUS(00000004)/1/NB_WAIT/67C3B570: Started 5 sec timeout *Aug 20 13:34:16.363: TPLUS(00000004)/67C3B570: releasing old socket 0 *Aug 20 13:34:16.363: TPLUS: Authentication start packet created for 4(*****) *Aug 20 13:34:16.363: TPLUS(00000004)/1/NB_WAIT/67C3B570: timed out, clean up *Aug 20 13:34:16.363: TPLUS(00000004)/1/67C3B570: Processing the reply packet % Authentication failed Here is the "relevant" config: aaa new-model ! ! aaa authentication login default local group tacacs+ aaa authorization config-commands aaa authorization exec default group tacacs+ if-authenticated aaa authorization commands 1 default none aaa authorization commands 15 default none aaa accounting exec default start-stop group tacacs+ aaa accounting commands 9 default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting network default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ ! ! aaa session-id common tacacs-server host 10.******** tacacs-server host 10.********* tacacs-server directed-request tacacs-server key ************* I have been focusing on the line: aaa authentication login default local group tacacs+ at this point in time Also, debug AAA authentication output: *Aug 20 13:57:43.179: AAA/BIND(00000009): Bind i/f *Aug 20 13:57:43.179: AAA/AUTHEN/LOGIN (00000009): Pick method list 'default' *Aug 20 13:57:44.403: TPLUS: Queuing AAA Authentication request 9 for processing BoNNo530 fucked around with this message at 14:59 on Aug 20, 2008 |
|
#
?
Aug 20, 2008 14:22
|
|
|
mezoth posted:jwh, COPP is the 7600 mechanism, and I forget the acronym they use for the CRS - functionally the same in the end, just a slightly different mechanism (and only available in 3.6.0 and later). Well if it's a large American or Canadian SP you might be able to use the Cisco Service Provider labs. There are some located in Herndon, Virginia, as well as Richardson (Dallas), Texas. If you (or your account SE/AM) have CEC access you might try that. They've got all the test equipment you need, but it's typically only for the SP group within Cisco. Anyway it's something to try depending on your needs. They do remote labs as well, so if you just want to run some traffic across a 7600 and a CRS with a particular IOS image, you can certainly do that.
|
|
#
?
Aug 20, 2008 15:07
|
|
|
BoNNo530 posted:I'm having issues upgrading to ACS 4.2. BoNNo530 posted:I have a 2801 in a test environment that I have been using for the 4.2 upgrade. Here is the debug tacacs authentication (I included this because of the authentication errors): BoNNo530 posted:I have been focusing on the line: The rest of your configs look good. edit: What does your ACS failure log say? Is it getting the tacacs packets?
|
|
#
?
Aug 20, 2008 16:05
|
|
|
It's strange because there are things in the logs under accounting and administration- but no failed/successful attempts. I know it's hitting the server because it sends reply packets and then freaks out. In regard to the config, I need it to hit the local database first for the admin account. If I put it the other way it fails completely.
|
|
#
?
Aug 20, 2008 17:13
|
|
|
BoNNo530 posted:It's strange because there are things in the logs under accounting and administration- but no failed/successful attempts. I know it's hitting the server because it sends reply packets and then freaks out. Well, whatever works I guess - we tend to prefer the forced use of network authentication and authorization so long as it's available (which excludes local credentials), but if your configuration works for you, then it works for you. Have you tried rekeying both sides? Also, can you double check the network device group options are set correctly? And are you using local accounts in ACS, or is there an additional backend?
|
|
#
?
Aug 20, 2008 18:21
|
|
|
BoNNo530 posted:It's strange because there are things in the logs under accounting and administration- but no failed/successful attempts. I know it's hitting the server because it sends reply packets and then freaks out. Can you post your sh tacacs output from the 2801? Are you using a loopback address as the AAA client? If so you need to add something like: ip tacacs source-interface Loopback0
|
|
#
?
Aug 20, 2008 19:02
|
|
|
|
| # ? May 15, 2024 02:43 |
|
|
tortilla_chip posted:Can you post your sh tacacs output from the 2801? code:jwh posted:Well, whatever works I guess - we tend to prefer the forced use of network authentication and authorization so long as it's available (which excludes local credentials), but if your configuration works for you, then it works for you. ACS uses the external windows database. I have one local admin account. I'm going to try and put the key in again without using copy+paste.
|
|
#
?
Aug 20, 2008 19:13
|
|