Is it worth it to getting CCNA Certified?

It depends on how much you can invest in it – The money and your time.
To answer this question, we also need to know about your goal. You can continue with other Cisco certifications or maybe, you can change the line and mix it with something else.

Let’s have a look, which jobs openings are on the job boards to take advantage of a CCNA certificate.

OnTheCCRoad
I- You have only a CCNA certificate and you are on the way to be a network professional
This means that you are beginning your journey to become a network expert. You can work as junior admin in an environment where experienced network professionals work. You will do some daily task including monitoring, hardware installations (as the second staff member), and routine things like configuration backup. You cannot earn too much money in this position; however, it is a good investment for your bright future. If you spend one or two years at this step while preparing for your CCNP, you will be rewarded for your efforts with a good income boost and job security. CCNA certificate is a mandatory and foundational step for CCNP.

JustCCNA
II- You have only a CCNA cert and you do not want to invest more in it
If you say, “CCNA is enough for me and I don’t want to waste more of my time and money for certifications”, then you can find a job in a mid-size company as system/network admin. You have to look after windows servers and maybe some other systems. You can make an acceptable amount of cash and work in an environment without too much hierarchy. If you are good at relationships and you are a practical kind of person, this is the exact job for you. CCNA certificate is sufficient for this position. It will be very helpful in your career.

MsCCNA
III- You have CCNA + some Microsoft certifications (like MCSE) + experience
In this case, your dominant skills are system administration skills. You already proved yourself in this area and can work in a Multinational Enterprise branch as senior system admin. You can handle network administration tasks with your CCNA certificate or better, in very large structures, it will let you lead a team composed of both system administrators and network administrators.

NetSecCCNA
IV- You have CCNA + Security certification (CISA+GIAC) + 3-4 years’ experience
You can work as System Security Engineer in Enterprise environment or you can work in a consulting company as information security auditor. Your CCNA certificate will let you have more expertise on network related issues and support your success.

ArchCCNA
V-You have CCNA + more than ten years’ experience on Windows & UNIX
If you have development skills, project management skills and you have spent a considerable amount of years in several areas of IT business, then a CCNA is not a big part of your skill set, but at least it shows that you are still in touch with the practicalities of network operations and it helps you to achieve the Enterprise Architect position.

As a step or as a component, CCNA is a valuable item in your personal inventory. It is worthy to get it and anybody can get the certificate, but you need other skills and experience to utilize it to the maximum extent. Initially you cannot expect high paying jobs, but with some experience, you can climb the ladder of success. For students, I strongly recommend participating in Cisco programs in colleges. This will help them make an easy start for their careers.

If you would ask, “How much money can you make with a CCNA certificate?” my first answer would be “No, CCNA itself does not make money for you.”

Before buying an RPS for Cisco Catalyst Switches

There are two issues that you have to be aware of when you are evaluating RPS solutions for fixed Cisco catalyst switches. Cisco has a product named Cisco Redundant Power System 2300 (RPS 2300) for the non-modular switch series like Catalyst 3560, Catalyst 3750. This is the successor of old Cisco Redundant Power System 675 (RPS 675).

You have only one bullet in your gun when you have an RPS

Switch draw power from the RPS after power fails
You can provide a limited redundancy to your network by installing an RPS for your Catalyst Switches. Switch survives without rebooting when the main power goes off. It draws power from RPS, but it never returns back to main power. An orange LED shows the switch powered by RPS. If you press the standby/active button on the RPS, your switch will reboot and become a normal operation. The only exception is E series switches + RPS 2300 combination. This combination could restore power state without rebooting.

RPS supports only one switch(in some cases two) at one time

Some of the switches will fail with a power circuit fail
You can attach up to 6 switches to an RPS, but if power Circuit 1 fails as shown in the above scenario then RPS only can support one switch and the rest will fail. RPS 2300 can support 2 switches if the power requirements are moderate, but no more.

Network Monitoring Tools

What are your daily duties as the network administrator? You have to keep your network up and running. You have to answer calls like “X location is down” or “Y location is so slow”. You should monitor your network as described below to fulfill your tasks.

  • You should monitor your network and react to device and line failures.
  • You should analyze line utilizations, errors on the line and be sure about network performance.
  • You should be aware of who talk with whom? How much bandwidth needed for every single application?
  • And sometimes you need to see exact data flow over the network.

If you have all these information people think twice before blame the network for every problem. How can you achieve this?
We need a layered approach to understand network monitoring. I am not talking about network layers but network monitoring layers? We have to involve closely to monitoring layers before decide about network monitoring software needs. A simple summary could be like below.

  • Preconditions of network monitoring.
  • Up/Down monitoring
  • Performance Monitoring / SNMP monitoring
  • Who talk with whom / Netflow monitoring
  • Data capture / Data sniffing

Preconditions of Network Monitoring
Network documentation is essential to monitor a network. Try set up network monitoring tools before documentation is just wasting time. You will see everything green on the screen but maybe while some of the redundant lines were down. And you will sit there, like a dumb without any alerts.
Documentation comes first.

Suggested tools: Powerpoint/Visio, NetViz

Up/Down monitoring
You have a map and some red and green lights on it. Green means up. Red means down. It is simple but powerful. You can immediately become aware of something goes down.
This is based on ping. Almost every IP devices support echo/echo reply. So you can monitor all IP devices in your network by using ping. To go one step further, you can monitor one application on a device instead of whole device. All network applications use TCP/UDP ports. You can monitor the applications by trying to telnet its TCP/UDP ports and if the port is open it means application is running.

Suggested tools: WhatsupGold, nmap

Performance monitoring / SNMP monitoring
The lines are up, the devices are up but life is not perfect. People complain about performance of data lines. Are they saturated? Do we have package losses on the lines? Are routers running out of memory? We need SNMP to monitor heart beat of the network.

Suggested tools: MRTG, Solarwinds Orion, PRTG

Who talk with whom / Netflow monitoring
You realized that the line is full. Someone / some applications make a high load of traffic. Who are they? Is it necessary traffic? In Cisco devices by using “ip accounting” command we can have an idea for current traffic sources and destinations. Nevertheless to analyze and to optimize the traffic we need flow monitoring. We need to know source and destination IP addresses and TCP/UDP ports and number of packages/bytes.
Everyone blame the network for slowness until you publish the network usage report which shows only 15% of the traffic is ERP traffic and rest is Internet access.
You should know that flow monitoring tools requires more server resources for the huge data they collect.

Suggested tools: Fluke Netflow monitor, Paasler

Data capture / RMON – Sniffer tools
Sometimes you need to see the exact data flow on the line instead of information about it. Just have a look to this sample scenario. After you find out the web service cause inappropriately high network traffic, the owner of the application just can say “No, we are not pushing this much of data to network. We just respond Yes or No in this web service and it is just 100 bytes” .Here you need to sniff the data flow on the line. Maybe you will find that web service respond yes or no (100 bytes) and the definition of web service (6 kilobytes).

Suggested tools: Wireshark,Gigamon

Reflexive Access Lists

Cisco IOS has statefull firewall features like reflexive access lists. By using this feature you can use your Cisco router as a second firewall (the choke point concept in Cisco firewall trainings) and increase your network security by layered approach.

You can use an access control list (ACL) for the filtering one way traffic but what about the responding packages. You have to add an incoming ACL but it should include only sessions started from internal. Reflexive ACLs helps us in this point.

Requirements
To use reflexive ACLs
1. You MUST use named access lists
2. You MUST add “reflect samplename” to the end of permit line.
3. You MUST create a second named access list and add “evaluate samplename” line for responding traffic.

Sample Scenario
In our example we have a proxy server (e.g. Microsoft ISA Server) with 122.22.22.1 IP address. This server needs access to internet via http (tcp 80) for web browsing and via dns (udp 53) for name resolution.

interface Serial0/0/0
description Internet connection
ip access-group INBOUND in
ip access-group OUTBOUND out
!
ip access-list extended OUTBOUND
permit tcp host 122.22.22.1 any reflect PROXYTCP
permit udp host 122.22.22.1 any eq domain reflect PROXYUDP
!
ip access-list extended INBOUND
evaluate PROXYTCP
evaluate PROXYUDP
!

We used reflect command to create reverse ACL and we added it to inbound ACL with evaluate command.

Last Words
This feature is really powerful tool to increase network security but you should not use it instead of a real firewall for Internet access. It should be used as another security layer.

The new 640-802 exam & CCNA

I just took 640-802 exam and got my CCNA certification. It may sound funny, but I have taken this exam after 10 long years of practical experience in networking and was very nervous!
Why do I need a Cisco Certified Network Associate certificate?
Actually, I did not have plans for certification. If I get a CCIE certification, then it would be good for my career (not for salary but to change my job). On the other hand, I was afraid of to take the CCIE exam. I do not have a good history with exams. I took ten years to finish my Computer Science degree (normal period is 4 years)!

Two months ago, I heard that 640-801 exams will be expired and Cisco added one more milestone to career path as CCENT. I told my wife about it and she gifted me exam fee to take up the exam. I had all this pressure on me.

Preparations and exam
I managed to get two days off, one day for preparation and one day for the exam. I also spent the last three evenings for this purpose. I did not attend any Cisco training class and use only CCNA Prep center (Exam Study tab) for preparation. This web site is very useful and the content provided is sufficient enough for experienced professionals. If you start from scratch, then it will be good for you to attend a Cisco CCNA class, but not a CCNA bootcamp. This is not a big deal. Don’t waste your money.

Exam day did not start very good. Whether was rainy. There was a traffic jam. I reached the exam center just 5 minute before my reservation. A cute girl told me that I can start two hours later because of some technical problems. I spent that time in a café (well known chain), near the exam center. I realized again, these cafes are not as good as people believe them to be (tables, pictures etc. fine but what about the taste). When I returned back to exam center another cute girl told me that they are just downloading the exam. I had to wait 15 minutes more. Cable paths caught my attention, I easily came to know that bad materials were used and it was installed by an inexperienced staff.

Lectures / Lessons Learned
– Time is enough, don’t hurry
– You need to know basic configuration of RIPv2,OSPF,EIGRP
– Basics of routing algorithms
– Be able to configure NAT
– Be able to configure DHCP
– Understanding of ACL
– Basics of wireless network, how WPA works
– No questions like binary equivalent of something
– But be able to calculate subnets
– Match given IPs to given topology/schema
– Differentiate the terms MAC,IP and TCP/UDP ports
– How a packet travels within network(ARP, encapsulation)
– OSI layers vs. TCP/IP layers
– Chose the exam center with pretty girls , they keep you lively!

In general, exam went better than I expected. Questions were mostly meaningful and for me it required just two days to study.

Advanced SSH settings for Cisco IOS

I mentioned about basic SSH setting in SSH@Cisco article. But I saw that there are other questions about SSH settings, so, I decided to delve a bit deeper. The settings mentioned below are tested with IOS 12.4, but I am not sure about exact version that supports below features.

Q1. What happens if I changed hostname or ip domain name after SSH settings has been done?
A1. Nothing. You need them to create rsa keys but, but afterwards, if you change them, only the key name changes and key data remain same.

ciscolab#sh crypto key mypubkey rsa
% Key pair was generated at: 13:08:15 UTC Aug 28 2007
Key name: ciscolab.mydomain.com
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00B67A9F
EED05E82 FFE41EB0 0CE9BC9E 40D1DD1D CF7AA44F CB5C1029 9502C379 469BF37D
099082BD 9618CC4E 8314866E 3B26F01B BE3AC27E 33EC7A2D 7FE5B503 3C24500B
733B391A D2DC4AAF C322C549 8A4638F1 9EAA0FF1 0ABCACD3 B1DF9753 02790FD7
E6A29602 39EFBAB4 2D4D7119 5C95D403 E1E9EB40 E01A1679 231C2F93 53020301 0001
.
.
ciscolab#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ciscolab(config)#hostname sshrouter
sshrouter(config)#end
sshrouter#sh crypto key mypubkey rsa
% Key pair was generated at: 13:08:15 UTC Aug 28 2007
Key name: sshrouter.mydomain.com
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00B67A9F
EED05E82 FFE41EB0 0CE9BC9E 40D1DD1D CF7AA44F CB5C1029 9502C379 469BF37D
099082BD 9618CC4E 8314866E 3B26F01B BE3AC27E 33EC7A2D 7FE5B503 3C24500B
733B391A D2DC4AAF C322C549 8A4638F1 9EAA0FF1 0ABCACD3 B1DF9753 02790FD7
E6A29602 39EFBAB4 2D4D7119 5C95D403 E1E9EB40 E01A1679 231C2F93 53020301 0001
.
.
sshrouter#

Q2. Is there any other way to create RSA keys?
A1. Yes, There is. You can create RSA keys which are labeled by you. In this case, you don’t need a hostname (Always, you will have one) and an IP domain name.

ciscolab(config)#crypto key generate rsa general-keys label TEST
The name for the keys will be: TEST
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable…[OK]

ciscolab(config)#

Nov 24 20:08:59: %SSH-5-ENABLED: SSH 1.5 has been enabled


Q3. May I create more than one key?

A3. You can create several keys and chose one of them to use with SSH.You do not need to define which key to be used, but if you want to define, then you have to issue “ip ssh rsa keypair-name” command in the configuration mode.

ciscolab#sh crypto key mypubkey rsa
% Key pair was generated at: 20:08:59 UTC Nov 24 2007
Key name: TEST
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00BDFABF
948EF1FC 1CFC6C5C F5863980 D7D7B9E6 B256D84F 8F279E2E 63303403 A26E6160
A2928C87 4F0A846E F8A9FB0A 7D92108F ABD5734C AE7555BC 94CB13D9 41E8E04C
1514A499 68CC9925 A3DB2CFA 3176A65E 2DC504EE EF5C209E 4D348B20 9C324CBC
230451DD 96EC090C 99C5FB58 E06876D3 161E758E 486987B7 CD147AB0 0F020301 0001
% Key pair was generated at: 20:08:59 UTC Nov 24 2007
Key name: TEST.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01720103 00036B00 30680261 00AEC9A3 4078450F
B1714135 F66FC617 3083F337 1309D493 654BC77D 4D08DE27 5A54FF44 C4CE0174
507385A9 99B93D70 4E980CE1 89465B14 00E2C26D A633F1FB C4D08A90 3A8EF761
EBB41B0D C3EB2190 E4FD1E4B E519A06E 4B6BAE46 4E1FA9D8 C1020301 0001
% Key pair was generated at: 20:11:56 UTC Nov 24 2007
Key name: CHECK
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01720103 00034B00 30480241 00CCB917 D58E9D45
BC5EFF15 E2945343 18E5338B 26E1ED9F 869C2B6F 77C27595 8AC0D7B7 9D503F31
192D08EF C5DE87B5 911779BD 464913CD BB93F883 6F23AE0A 91020301 0001
ciscolab#

ciscolab(config)#ip ssh rsa keypair-name CHECK

Q4. May I create more than one session from the same computer like Telnet?
A4. Yes.

Q5. Is it possible to use SSH1 and SSH2 at the same time?
A5. Yes. If you don’t fix the version with “ip ssh version” configuration command. You can use both protocols simultaneously as shown below.

ciscolab >sh ssh
Connection Version Encryption State Username
0 1.5 3DES Session started sshtest
Connection Version Mode Encryption Hmac State Username
1 2.0 IN aes256-cbc hmac-sha1 Session started sshtest
1 2.0 OUT aes256-cbc hmac-sha1 Session started sshtest
ciscolab>

As you can see here SSH1 uses 3DES and SSH2 uses AES.

Q6. Does SSH cause a slowdown on my device?
A6. No. I made some tests with both SSH1 and SSH2. Tests have been done on Cisco 7206 VXR, Cisco 3845 and Cisco 1841 with size of key modulus 2048. In the 1841 router, key generation took some time (30-40 seconds). There was a small delay (1-2 second) when I first connected the device, but the rest of the interaction was same like the telnet. CPU utilization was at %1 and memory was OK.

Q7. I have copied my whole router / switch configuration but SSH does not work. Why?
A7. Did you create an RSA certificate? Crypto key generate command is a configuration mode command, but it is not a part of the configuration. It will be used for creating your RSA certificate then it is gone. So, just copying configuration is not enough.

Please leave a comment if you have any other questions.