One of our CCNA students requested some command practice for ICND2 – here is one I put together for him. Please give me feedback in the comments if you find practice tools like this helpful.
ICND2 Command Recall Practice Tool 1
Aug 18
As you may have noticed, INE does a wide variety of training in the Cisco space. 
This blog post goes out to all those folks who have recently begun their Cisco training.
This month we delivered new live classes on CCNA and CCNP. We are excited for and encourage our students at every level in their journey. In that light, we have gathered a collection of Videos Answers, targeted at the CCNA level, with a few topics leaking into security and CCNP. These videos were primarily created as quick (under 10 minutes each) Video Answers to questions that various learners have had.
Take a look at the list of topics, and if there are 1 or 2 you feel you would benefit from, feel free to enjoy them.
Here are a few of the topics (in no particular order):
- How the network statement really works in IOS
- Setting up SSH
- Initial commands for sanity sake
- NAT with overload
- Router on a stick
- VRFs
- SDM Security Audit
- Adding your own PC to interact with GNS3 routers
- IPv6 basic implementation
- Converting Multicast address to MAC address for that group
- Frame relay mappings
- VLSM implementation
- SVIs
- HUBs Swtiches and Routers comparison
- Configure IOS to be a Frame Switch
- EIGRP offset lists
- Multicast GET VPN
- Context Based Access Control
- Zone Based Firewalls
- Dot1q Trunking
- ARP cache tutorial
and more…
You can view them using this link here on YouTube
You may also use this link: http://www.youtube.com/user/Keith6783
If you want to look further into learning, we offer a full suite of self-paced workbooks, videos, and interactive learning tools.
Best wishes, and happy studies-
Keith
Aug 07
Congratulations to the winners of the CCNA Live Bootcamp.
If your email address is listed below then you will be enrolled into the CCNA Live Bootcamp scheduled to start Monday, August 9th at 9:00 a.m. PDT. You will receive an additional email from your bootcamp coordinator, Marla Horstkotte (mhorstkotte@ine.com), confirming your enrollment. You will also receive the recorded version of the bootcamp once it is completed.
The winners are:
cret###an@gmail.com
en###5@itelgua.com
eu###ashkin@gmail.com
vr###om@gmail.com
esla###iny@gmail.com
A Special Offer From INE
We would like to thank everyone who signed up for the opportunity to win a seat in the upcoming CCNA Live Bootcamp. Due to the overwhelming demand, we would like to extend you an offer to purchase this excellent class for 50% off. Offer is good until Monday, August 9th and includes both the live class and the recorded class-on-demand version. Use discount code LIVECCNA when you purchase the CCNA Live Bootcamp. Even if you are unable to attend the live version of this class, this is a great opportunity to get the class-on-demand for only $247.50!
Aug 04
Looking to pass your CCNA exam? Or you are a CCNP/CCIE candidate looking to get a better understanding of the fundamentals. Starting August 9th at 9:00 a.m., we will be running a live on-line CCNA bootcamp covering both the ICDN1 and ICDN2 exams! More information on this class can be found here.
We will be selecting five lucky winners to attend the live class free of charge. Just sign-up and confirm your email address below. This is a great opportunity to get the best training in the world absolutely free, with no strings attached. We will notify the five lucky winners on Friday, August 6th.
Update: Winners Selected!
Apr 25
Here ye, here ye, VTP experts. (We are not referring to the Vandenberg Test Program, although they are very likely experts in their field as well. )
Can you predict the results of a 3 switch VTP client/server scenario?
SW1-3, are connected, as shown in the diagram.
Here is the initial output of show VTP status, and show VLAN brief on each. Note that SW1 and SW3 are servers, while SW2 is a client. We will be adding a failure to the network in just a moment.
SW1#show vtp status
VTP Version : 2
Configuration Revision : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : INE
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x2C 0x04 0x21 0x2B 0x10 0xFE 0x03 0x50
Configuration last modified by 0.0.0.0 at 3-1-93 00:05:40
Local updater ID is 0.0.0.0 (no valid interface found)
SW1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Gig0/1
Gig0/2
2 VLAN0002 active
3 VLAN0003 active
4 VLAN0004 active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
SW1#
SW2#show vtp status
VTP Version : 2
Configuration Revision : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs : 8
VTP Operating Mode : Client
VTP Domain Name : INE
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x2C 0x04 0x21 0x2B 0x10 0xFE 0x03 0x50
Configuration last modified by 0.0.0.0 at 3-1-93 00:05:40
SW2#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/2, Fa0/3, Fa0/4, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15, Fa0/16, Fa0/17
Fa0/18, Fa0/19, Fa0/20, Fa0/21
Fa0/22, Fa0/23, Gig0/1, Gig0/2
2 VLAN0002 active
3 VLAN0003 active
4 VLAN0004 active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
SW2#
SW3#show vtp status
VTP Version : 2
Configuration Revision : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : INE
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x2C 0x04 0x21 0x2B 0x10 0xFE 0x03 0x50
Configuration last modified by 0.0.0.0 at 3-1-93 00:05:40
Local updater ID is 0.0.0.0 (no valid interface found)
SW3#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/2, Fa0/3, Fa0/4, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15, Fa0/16, Fa0/17
Fa0/18, Fa0/19, Fa0/20, Fa0/21
Fa0/22, Fa0/23, Fa0/24, Gig0/1
Gig0/2
2 VLAN0002 active
3 VLAN0003 active
4 VLAN0004 active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
SW3#
So here is the scenario for the question. The Fa0/24 connection is suddenly broken between SW1 and SW2, and while that is down, a new VLAN (we will use 999) is created on SW3 like this:
SW3(config)#vlan 999
And then, a few minutes later, SW3 is completely powered off, shipped to another city, and removed completely from this network forever.
If we then restore the Fa0/24 connection between SW1 (the server) and SW2 (the client) what will happen to the VTP/VLAN information on the two switches? Will there be an update on either switch, will SW1 wait for a Server advertisement or will something else happen all together?
Take a moment, and let us know what you think.
Best wishes,
Keith
PS We’ll post the results as a after you have had some time to consider the results.
A few hours have passed, and we have had over 50 comments , ideas and theories.
I appreciate you taking the time to work through this. May your hard work pay off with a successful lab.
And the correct answer is:
SW1, will see that its configuration revision number is lower than SW2, and even though SW2 is a “client” SW1 will use the updated information in the VTP advertisement from SW2 to update to its VLAN database, and get in “sync” with the rest of the VTP domain, including knowing about VLAN 999. The configuration revision number would also move to 4.
Here is SW1, after the connection to SW2 is restored:
SW1#show vtp status
VTP Version : 2
Configuration Revision : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs : 9
VTP Operating Mode : Server
VTP Domain Name : INE
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x45 0x1D 0x6E 0xF0 0xB7 0xC2 0x84 0xFA
Configuration last modified by 0.0.0.0 at 3-1-93 00:11:43
Local updater ID is 0.0.0.0 (no valid interface found)
SW1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Gig0/1
Gig0/2
2 VLAN0002 active
3 VLAN0003 active
4 VLAN0004 active
999 VLAN0999 active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
SW1#
Here is SW2:
SW2#show vtp status
VTP Version : 2
Configuration Revision : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs : 9
VTP Operating Mode : Client
VTP Domain Name : INE
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x45 0x1D 0x6E 0xF0 0xB7 0xC2 0x84 0xFA
Configuration last modified by 0.0.0.0 at 3-1-93 00:11:43
SW2#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Gig0/1
Gig0/2
2 VLAN0002 active
3 VLAN0003 active
4 VLAN0004 active
999 VLAN0999 active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
SW2#
Thanks again everyone, and happy studies!
Keith
Mar 22
One of our students asked me for a concise example of SNMPv3. James, here you go! This blog has examples and explanations of the features used in SNMPv3.
Older versions of SNMP didn’t provide all the features of SNMPv3. V3 supports a User-based Security Model (USM) for authentication, and a View-based Access Control Model (VACM) to control what that user account may access. Of course the user accounts don’t represent end users, they are just the configuration elements we configure on the SNMP devices, primarily for creating the connection to or from the SNMP device.
With version 3 we may use the following methods:
- noAuthNoPriv: requires username, but no MD5 validation of that user, and no encryption
- authNoPriv: requires username, provides MD5 validation, but no encryption
- authPriv: You guessed it. Requires username, uses MD5 validation, and encrypts too.
Let’s configure the router to support a SNMPv3 manager who will be communicating with it. First, we assign an engineID. This is optional, as the router would have automatically assigned one, but helpful due to the fact that we may need to configure the engineID on the remote manager and by hard coding it on the router we will know what the value is beforehand. (Note: the 00 in food, are Zero Zero, as the engineID is in hexadecimal. )
R1(config)#snmp-server engineID local badf00dbabe
Next we can define a view that specifies what may be managed (VACM, see above). In this example, the two views refer to mib-2 and Cisco object IDs respectively.
R1(config)#snmp-server view MYVIEW mib-2 included R1(config)#snmp-server view MYVIEWRW cisco included
So far, these views are not worth much, as they are just sitting in the config, and not being called on. We can verify the views exist, and also see the other default views present on the router.
R1#show snmp view *ilmi system - included permanent active *ilmi atmForumUni - included permanent active MYVIEW mib-2 - included nonvolatile active MYVIEWRW cisco - included nonvolatile active v1default iso - included permanent active v1default internet.6.3.15 - excluded permanent active v1default internet.6.3.16 - excluded permanent active v1default internet.6.3.18 - excluded permanent active v1default ciscoMgmt.394 - excluded permanent active v1default ciscoMgmt.395 - excluded permanent active v1default ciscoMgmt.399 - excluded permanent active v1default ciscoMgmt.400 - excluded permanent active
Let’s set up some groups and users, so that a remote SNMP manager may get information from this router and/or configure via SNMP. We have options. If we want to allow the manager station to request data, but not require a MD5 hash validation of the user, nor require encryption for the SNMP traffic, we could create a group that doesn’t require MD5 authentication nor encryption. The group and user that we might put in this group may look like this:
R1(config)#snmp-server group groupone v3 noauth read MYVIEW R1(config)#snmp-server user keith groupone v3 Configuring snmpv3 USM user, persisting snmpEngineBoots. Please Wait...
Note, this would not be much better than SNMPv1, with simple plain text passwords. To verify the group and user, we can use a few simple show commands.
R1#show snmp group groupname: ILMI security model:v1 readview : *ilmi writeview: *ilmi notifyview: row status: active groupname: ILMI security model:v2c readview : *ilmi writeview: *ilmi notifyview: row status: active groupname: groupone security model:v3 noauth readview : MYVIEW writeview: notifyview: row status: active R1#show snmp user User name: keith Engine ID: BADF00DBAB0E storage-type: nonvolatile active Authentication Protocol: None Privacy Protocol: None Group-name: groupone
Next, we create another group, still with NO authentication or encryption, but we will add the ability to write via SNMP based on the view named MYVIEWRW.
R1(config)#snmp-server group grouptwo v3 noauth read MYVIEW write MYVIEWRW R1(config)#snmp-server user anthony grouptwo v3
Notice, the show group and user commands include both users and groups. Grouptwo has a writeview specified, just as we configured it.
R1#show snmp group <snip> groupname: groupone security model:v3 noauth readview : MYVIEW writeview: notifyview: row status: active groupname: grouptwo security model:v3 noauth readview : MYVIEW writeview: MYVIEWRW notifyview: row status: active R1#show snmp user <snip> User name: anthony Engine ID: BADF00DBAB0E storage-type: nonvolatile active Authentication Protocol: None Privacy Protocol: None Group-name: grouptwo
Now, lets add some MD5 authentication . No encryption yet, but we are making progress over groupone and grouptwo.
R1(config)#snmp-server group groupthree v3 auth read MYVIEW R1(config)#snmp-server user marvin groupthree v3 auth md5 marvin-passwd
Notice in the show command, that the new group includes “auth”. We are beginning to use the features that makes SNMPv3 desireable.
R1#show snmp group groupname: groupone security model:v3 noauth readview : MYVIEW writeview: notifyview: row status: active groupname: grouptwo security model:v3 noauth readview : MYVIEW writeview: MYVIEWRW notifyview: row status: active groupname: groupthree security model:v3 auth readview : MYVIEW writeview: notifyview: row status: active R1#show snmp user <snip> User name: marvin Engine ID: BADF00DBAB0E storage-type: nonvolatile active Authentication Protocol: MD5 Privacy Protocol: None Group-name: groupthree R1#
Now, we will add a group and user, that leverages the authentication and encryption.
R1(config)#snmp-server group groupfour v3 priv read MYVIEW R1(config)#snmp-server user scott groupfour v3 auth md5 scott-passwd priv des crypt-key R1#show snmp group groupname: groupfour security model:v3 priv readview : MYVIEW writeview: notifyview: row status: active R1#show snmp user User name: scott Engine ID: BADF00DBAB0E storage-type: nonvolatile active Authentication Protocol: MD5 Privacy Protocol: DES Group-name: groupfour R1#
Our final group and user will use authentication and encryption, along with the ability to write to the SNMP device based on the view MYVIEWRW. This is the most secure of all the examples shown here.
R1(config)#snmp-server group groupfive v3 priv read MYVIEW write MYVIEWRW R1(config)#snmp-server user petr groupfive v3 auth md5 peter-passwd priv 3des crypt-key R1#show snmp group <snip> groupname: groupfive security model:v3 priv readview : MYVIEW writeview: MYVIEWRW notifyview: row status: active R1#show snmp user User name: petr Engine ID: BADF00DBAB0E storage-type: nonvolatile active Authentication Protocol: MD5 Privacy Protocol: 3DES Group-name: groupfive R1#
SNMPv3 has the ability to communicate via TRAPs and INFORMs. A TRAP is an SNMP message sent from one application to another, probably the manager station. Unfortunately, TRAPs are not acknowledged so the router doesn’t know if the remote device received it. SNMPv2 and v3 may use an INFORM, which is nothing more than an acknowledged TRAP.
To set up traps and informs, we can use the syntax below. Note that the traps are being sent using an account that doesn’t use MD5 authentication, or encryption, based on the user account configured to send it. The inform destination is using an account that uses authentication, but not encryption. A better use would be to include authentication and encryption, using an account that is assigned to groupfive. The SNMP manager would need to be properly configured with the correct user account information to receive these traps and inform PDUs. The parameters at the end of the command indicate what will trigger the traps/informs.
R1(config)#snmp-server host 10.0.0.100 version 3 noauth keith snmp ipsla hsrp cpu R1(config)#snmp-server host 10.0.0.100 informs version 3 auth marvin cpu syslog
Note: Any names used in the demonstration are purely intentional. Thanks to some of my fellow CCIE comrades, namely Anthony, Marvin, Scott and Petr.
Thanks again James for your request, and best wishes to all in your studies.
Keith
Dec 09
Our 2010 CCIE bootcamp schedule has been released along with new simplified pricing. All on-site one week bootcamps in the US are just $1995 and two week bootcamps are $3990. Our London one week bootcamps are just $2495 and two week bootcamps are $4990. This is standardized pricing for all CCIE tracks! [...]
Oct 20
The latest lesson for CCNA is complete!
Sep 24
Check out the latest lesson of our CCNA course!
Aug 27
Here is the latest (and previous) lessons of our upcoming CCNA course. Enjoy!
Module 1 Lesson 1 Advanced Switching Technology
Module 1 Lesson 2 VLANs
Module 1 Lesson 3 VLAN Configuration
Module 1 Lesson 4 VLAN Trunking
