March 2012 Question:
HAL company has a warehouse with wireless coverage. They are using Cisco wireless controllers, Cisco wireless access points and Cisco POE switches. Everything was perfect until the HAL network engineer received a call about wireless problems at the warehouse. After a short investigation, network engineer realized one of the POE switches which supports access points is down. Network engineer replaced the switch with a non-POE switch because there were no POE switch spare on his stock. He also added Cisco power injectors for the ports of wireless access points. Wireless problems in the warehouse cannot be solved after this replacement. Now, network engineer can see the wireless access points from wireless controller but their radios are down.

What is missing? How to solve this problem?

Rules:
You can send your answer as a comment to this post until the end of the competition period (31th of March 2012 for this round). Please write your active e-mail address and do not add any personal information at this stage. We will reach to the winner over his/her e-mail. The qualified answer(s) will be chosen in the first week of the next month. If there is more than one qualified answer, there will be sweepstake to find a winner. The winner will have the chance to choose one of the below books (brand new) as his /her prize. Winner and other answers will be published over the competition period. International participants are also welcome. Delivery times can vary depending on your country.

Prize:
One of the below books

or

February 2012 Question:
XYZ Company has some partners’ computers on XYZ premises which are connected to a VLAN in XYZ network and they are accessing to 10.10.10.11 IP address over HTTP. There are redundant L3 switches(running HSRP) as gateway of this VLAN. All IP addresses given statically.

Network Engineer of XYZ created below access list and applied it in both L3 switches.

access-list 101 permit tcp any host 10.10.10.11 eq 80

interface vlan 500
ip access-group 101 in

What is wrong in this configuration?

Rules:
You can send your answer as a comment to this post until the end of competition period (29th of February 2012 for this round). Please write your active e-mail address and do not add any personal information at this stage. We will reach to the winner over his/her e-mail. The qualified answer(s) will be chosen in first week of the next month. If there is more than one qualified answer, there will be sweepstake to find winner. Winner will have chance to choose one of the below books (brand new) as his /her prize. Winner and other answers will be published after the competition period. International participants are also welcome. Delivery times can vary depending on your country.

Prize:
One of the below books

or

Answer
HSRP packets does not allowed in access list. L3 switches do not hear each others HSRP packets. Standby address will be active on both switches. There should be a line like below ;

access-list 101 permit udp any host 224.0.0.2 eq 1985

Winner
We do not have a winner for February. Unfortunately, there were no answer. If you are reading this sentence please go to this month’s question, answer it and take your book.

January 2012 Question:
XYZ Company has some partners’ computers on XYZ premises which are directly connected to XYZ network and they are communicating with a XYZ server. Network Engineer of XYZ already reserved 10.10.10.0/24 IP address block for partner connections. These partners do not need to communicate with each other.
For the first partner, network engineer created a VLAN and used 10.10.10.0/28 network. First partner started to use 10.10.10.3 and 10.10.10.4 for its computers.
For the second partner, network engineer created a VLAN and used 10.10.10.0/27 network. Second partner started to use 10.10.10.21 and 10.10.10.22 for its computers. Lowest IP on a network is the gateway. There is no firewall or NAT setting.
Does this setup work? Why or why not?

Rules:
You can send your answer as a comment to this post until the end of competition period (31st of January 2012 for this round). Please write your active e-mail address and do not add any personal information at this stage. We will reach to the winner over his/her e-mail. The qualified answer(s) will be chosen in first week of the next month. If there is more than one qualified answer, there will be sweepstake to find winner. Winner will have chance to choose one of the below books (brand new) as his /her prize. Winner and other answers will be published after the competition period. International participants are also welcome. Delivery times can vary depending on your country.

Prize:
One of the below books

or

Answer
Yes, it does. Because routing mechanism chooses most specific route when many of them exists. Most specific route for 10.10.10.3-4 is the first network and the second network for 10.10.10.21-22. However, this design is dead wrong.

Winner
This month’s winner is Arthur. You can find his answer below in comments. He preferred CVOICE 8.0 as his prize and confirmed that his book has been delivered.

Education / Certifications
Associate / Bachelor’s / Master’s Degree in Information Technology, Computer Science or a related discipline
CCNA / CCNP / CCIE certification or equivalent experience required
CompTIA Network+ certification

Technical Skills & Experience
Experience in an ISP / Enterprise / Academic environment strongly preferred
Expert knowledge of networking technology and concepts
Demonstrated experience with Cisco Switches, Routers and Firewalls
Experience with the configuration of Routers, to include IP addressing, routing and Access Control Lists
Experience with the configuration of network switches including VLANs and VLAN Trunking.
At least 5 years’ experience in operating large routed and meshed VPN
At least 3 years’ experience in troubleshooting, operating and maintaining both IPSEC and SSL client supporting VPN
At least 4 years’ experience with the configuration of network firewalls including access policies and VPN tunneling
At least 6 years in a lead role as a network administrator in a Cisco environment
Experience with network monitoring tools
Some experience with voice, telephony and VOIP systems

Nontechnical Skills
Experience in vendor negotiations
Strong leadership and interpersonal abilities
Strong documentation and/or technical writing skills
Ability to write reports, guidelines, and procedure manuals
Communicate effectively in both oral and written forms
Detail oriented and ability to work independently or as part of a team
Ability to use good judgment, problem-solving and decision-making skills
Have the ability to handle multiple tasks at the same time
Proven analytical, evaluative, and problem-solving abilities
Ability to effectively prioritize and execute tasks in a high-pressure environment
Ability to work in a deadline-driven environment and respond to multiple priorities
Excellent organization skills
Excellent customer service skills
Ability to read, analyze, and interpret corporate guidelines, standard documents, design templates
Ability to effectively present information and respond to questions
Ability to work well with people from many different disciplines with varying degrees of technical experience

Requirements
Valid driver’s license
Green card or U.S. Citizenship required for this position
U.S. citizenship required
Must meet eligibility requirements for access to classified information
SECURITY CLEARANCE REQUIRED: Must be able to maintain a clearance at the TOP SECRET/SCI level

Working Conditions
Willingness to work irregular hours on both weekdays and weekends
Willingness to put in extra hours as projects and priorities dictate
Willingness to sitting for long periods, speaking on the phone
The position may require travel to other domestic and international sites
Shift work is required
Ability to lift 50 lbs.

I used mainly Cisco learning network. Some practice question sets gave an impression about the exam. There are some preparation documents too. I also found some websites most of them were prepared for BSCI exam that could also be helpful for the new route exam. Of course, these statements were valid until exam date.

To keep it short I will summarize my findings.

• It would really help to have official training documents for ROUTE exam (at least the book CCNP ROUTE 642-902 Official Certification Guide)
• Things like BGP properties , OSPF LSAs should be memorized (to know something about them is not enough)
• You should make some configuration examples on a lab or simulator on every subject
• You should examine all related show commands (I mean in lab or simulator environment)
• Some of the questions can be time consuming, You should be steady, sure about your answer and do not pause after answering

I am not sure if I will be able to enter this exam again before my CCNA has expired. However, I am sure I will continue to study on these subjects as I mentioned above. This is something more than certification for me now. I realized that I am dulled in years and I have to fix this immediately.

speed auto
duplex auto
mdix auto

However Auto MDIX does not supported by all Cisco Catalyst switches.

Cisco Switches without Auto MDIX support
Catalyst 2950
Catalyst 3550
Catalyst 4948

Cisco Switches with Auto MDIX support
Catalyst 2940
Catalyst 2960
Catalyst 2970
Catalyst 3560
Catalyst 3750
Cisco IE 3000

FAQ Section:
Q1) Which pins are in use in MDI &MDIX type ports?
MDI : Pins:1 , 2 transmit 3 , 6 receive
MDIX : Pins:1 , 2 receive 3 , 6 transmit

Q2) Does it work if I use a crossover cable with an Auto MDIX port?
Yes, it does. Both straight-through and crossover cables work fine.

Q3) Can I fix speed & duplex and use Auto MDIX?
No. Auto MDIX uses speed negotiation process to recognize the other side’s port type. You have to use a crossover cable if you want to fix speed and duplex.

Q4) Do I need Auto MDIX on both interfaces to let it works?
No. It is enough if just one interface supports Auto MDIX but speed and duplex should be auto on both interfaces.

1. Monitoring without documentation
If you are monitoring your network and don’t have the complete network documentation, then it will not be clear whether monitoring is beneficial or not. How can you be sure about the reliability of your monitoring system without knowing the exact number of devices, their models and their interconnections?

2. Only network specialists should watch over a network.
Network specialists must setup network monitoring systems, but watching over them and taking the first action should not be their task. If you have network monitoring screens, then such screens should be watched over by -
• A monitoring team – if the network is big enough (e.g. a NOC)
• Help desk – if you have
• End user support team
Any alert (alerts, events, mails, SMSs) should be directed to help desk or end user support team. The receiver must be able to handle it immediately. Alertness is the key here and therefore this task should not be assigned to staff who is involved in projects and moving often. Help desk staff should be intimated first and then the information should move upwards based on the hierarchy, finally reaching the network admin to sort out the issue.

3. Unhandled alerts
All alerts should be checked and cleared. If there is expected maintenance on some devices, then they have to be excluded from the monitoring system (This is a must have for a network monitoring tool). If some alerts stay on the monitoring system for a long time, then it will cause alert blindness on the team. False alerts may also drop your confidence in the monitoring system.

4. Correct probe points & traffic behavior
You have to understand your routing infrastructure very well, especially for flow monitoring. Sometimes, you can find undesirable traffic so easily, but it does not happen always. In case of a huge download, you just have to look at the right point in the backbone. In case of an antivirus update, traffic is one to many, you have to summarize collected data by source or target upon direction of traffic and in the case of many to many traffic like virus infections, you have to know or guess the characteristics of undesired traffic (like tcp port). If you ignore these details, you can look at your Netflow monitor and can swear that all seen traffic is necessary.

5. No history
If you have your monitoring system ready, but you monitor just some nodes and think that you can monitor any necessary point if something untoward incident happens (I mean SNMP monitoring), then you are playing with the fire! When something happens, to analyze it you will have to compare this condition with the normal conditions but you will be too late for that. It won’t be possible to acquire this information anymore. Therefore, you must monitor all ports and the interfaces that have to be monitored from the first day. Your monitoring technique is correct only when it is complete.

6. We have a huge tool – problem is over
This is about the decision phase of network monitoring. You should define your needs well and choose fitting tool for your network. No more, no less. This decision is not just about cost. The concept will be clear with an example and a good example is Cisco Works. It is huge, capable and a brand that is trusted all over the world. However, if you don’t have a dedicated staff for this, then it is really hard to install and use it. I have come across many people who purchased Cisco in anticipation that it will be very beneficial to them, but did not make use of this powerful tool completely. It is like buying a truck and trying to park it in your car garage, which is a foolish decision!

7. Network monitoring is not a mission critical process
How much loss do you incur if your network monitoring system stops working? Is it going to stop production, sales or logistics? The answer is no. So, network monitoring system is not a mission critical system. This could be true. The network itself is mission critical. Everything stops when it stops. Network problems should be fixed immediately. You have to find the problem (here you need monitoring) in minutes. Nevertheless, your monitoring system can be down because it is not a mission critical system. If this is the case, you should connect each device separately and look for errors. It is similar to a situation in which you are driving on the highway with broken gauges (fuel, temperature, speed). Good luck!

These are the seven common mistakes in Cisco network monitoring. You are in charge of keeping them away from your network.

Recently, I made an upgrade on some of 6509 switches. I bought a totally new 6509-E system including chassis, fan, power, and some new line cards. I also insert my fiber line cards that I used in old 6509 with supervisor 2.
Everything was fine until I checked modules status with “show module” command. The switch was up, new line cards were functioning, but my old WS-X6516-GBIC’s were in PwrDown state. When I checked the switch logs I found

00:02:31: %C6KPWR-SP-4-UNSUPPORTED: unsupported module in slot 2, power not allowed: The image for the card is not bundled in image.

What does it mean? I had a recent IOS and it does not support this card. I was not surprised because it happened to me before. I just checked the software advisor tool from Cisco and found another version. I tried it, but it did not work out.

A wise friend of mine told me that I should give a try to a safe harbor image. I was not aware of the safe harbor program until that time. Safe harbor images are tested images. They are stable, interoperable and solid. It was my last chance before I should have to escalate this problem.

I found out that there are some problems between Supervisor Engine 720 and WS-X6516-GBIC, but the problem was only valid for 5.0 to 5.3 Hw versions and I had 5.7. It should not be my problem but text mentioned about DFC Sub-modules. I focused on the DFC daughter card then. Everything becomes clear when I found “Catalyst 6500 Series DFC, DFC3A, DFC3B, and DFC3BXL Installation Note” document. I saw a note mentioned below

Note You cannot have a DFC in a system with a Supervisor Engine 720

I removed one DFC (WS-F6K-DFC) from one of the WS-X6516-GBIC and finally it started to work. I also changed the IOS images to safe harbor ones. I spent days to solve this problem and this turned out to be a simple issue for which I got the answer instantaneously from the web!

I was sitting lazily in the office; one of my colleagues came and said “if you want to order a book this year, find it on Amazon and send me the link until afternoon”. Some ideas flashed in my mind
- No, I don’t need a book
- Maybe, a reference book would be good. No, I am using the Cisco web site , everything is available and searchable.
- Exam preparation books maybe. No they are boring.
- I wanted to find a book, which I could read before sleep. It should be well written, easy to read, but not marketing mambo jumbo, and should have some real purified info.
I started hunting for such a book!

The book “Network Security first-step”

It has been written by Tom Thomas, published by Cisco Press in 2004. The ISBN number is 1-58720-099-6. It has a red cover with a lock on it, 431 pages. It has a price tag of $29.99 at the back of the book.

It is a must read for any IT guy who is into network “security” and has a job that deals with it. If you are teaching any kind of information security courses /classes, then you too need it. It is also a must read for all those who specialize in network security and also it is suitable for Information security auditors.

It is nice to read if you are CIO or IT technology manager/director and any kind of Networker.

The Content
It starts with the basics of hacking; terminology, methods and organizations that are working against the hackers.
The book speaks about security technologies like ACLs, NAT and TACACS, security protocols like DES, MD5, PPTP and SSH, A full chapter for firewalls, a full chapter for router security. A very clear and detailed VPN chapter has been followed by wireless security. Wireless security includes both technology related titles like WEP, EAP and history of war walking and wireless hacking tools. IDS chapter is so informative and honeypots was a new term for me explained in this chapter. The last chapter is about real world hacking tools.

The most interesting thing in this book for me was second chapter completely dedicated to security policies. Explains basics of building security policies and then it gives some reusable security policy samples.

Mentioned tools mostly open source tools which you can easily download from the Internet and work on your own in more detail. Related URLs has been given for tools and organizations. This will let you use this book as a start point for your further security studies.

He mentions about his own company (Granite Systems) in some points. I have to say there are some hidden advertising on it.

Conclusion
This book does the trick. Get one copy of it for your own. I am aware, this book has been published in 2004 and I am suggesting it in 2009. I know what I said. There is a second edition of this book that is not published yet. Some people complain about some typo errors in the book. I hope second edition will satisfy them too.

Let’s have a look, which jobs openings are on the job boards to take advantage of a CCNA certificate.

OnTheCCRoad
I- You have only a CCNA certificate and you are on the way to be a network professional
This means that you are beginning your journey to become a network expert. You can work as junior admin in an environment where experienced network professionals work. You will do some daily task including monitoring, hardware installations (as the second staff member), and routine things like configuration backup. You cannot earn too much money in this position; however, it is a good investment for your bright future. If you spend one or two years at this step while preparing for your CCNP, you will be rewarded for your efforts with a good income boost and job security. CCNA certificate is a mandatory and foundational step for CCNP.

JustCCNA
II- You have only a CCNA cert and you do not want to invest more in it
If you say, “CCNA is enough for me and I don’t want to waste more of my time and money for certifications”, then you can find a job in a mid-size company as system/network admin. You have to look after windows servers and maybe some other systems. You can make an acceptable amount of cash and work in an environment without too much hierarchy. If you are good at relationships and you are a practical kind of person, this is the exact job for you. CCNA certificate is sufficient for this position. It will be very helpful in your career.

MsCCNA
III- You have CCNA + some Microsoft certifications (like MCSE) + experience
In this case, your dominant skills are system administration skills. You already proved yourself in this area and can work in a Multinational Enterprise branch as senior system admin. You can handle network administration tasks with your CCNA certificate or better, in very large structures, it will let you lead a team composed of both system administrators and network administrators.

NetSecCCNA
IV- You have CCNA + Security certification (CISA+GIAC) + 3-4 years’ experience
You can work as System Security Engineer in Enterprise environment or you can work in a consulting company as information security auditor. Your CCNA certificate will let you have more expertise on network related issues and support your success.

ArchCCNA
V-You have CCNA + more than ten years’ experience on Windows & UNIX
If you have development skills, project management skills and you have spent a considerable amount of years in several areas of IT business, then a CCNA is not a big part of your skill set, but at least it shows that you are still in touch with the practicalities of network operations and it helps you to achieve the Enterprise Architect position.

Illustration of CCNA Career Paths

As a step or as a component, CCNA is a valuable item in your personal inventory. It is worthy to get it and anybody can get the certificate, but you need other skills and experience to utilize it to the maximum extent. Initially you cannot expect high paying jobs, but with some experience, you can climb the ladder of success. For students, I strongly recommend participating in Cisco programs in colleges. This will help them make an easy start for their careers.

If you want to see real jobs for CCNA holders, go to our job board and write CCNA in the keyword box and click “Search Jobs”.

If you would ask, “How much money can you make with a CCNA certificate?” my first answer would be “No, CCNA itself does not make money for you.”

To get the answer of “What is a CCNA worth?” as $ dollar figures, please have a look at below links.
Salary Survey Report for CCNA Certification
2006-2007 TCPMag.com Internetworking Salary Survey