Cisco Home Lab



October 8th, 2008

So you want to get your CCNA and you need to buy a router for your CCNA home lab? Now the question is which router should you get? I have been in your shoes and know when you are just starting out, it is tough to make sense of all the different models of Cisco Routers available. The good news is there are a lot of good options available to get a good CCNA router for a fair price.

I recommend getting a Cisco 2611 Router or a Cisco 2621 Router because they have two Copper ports instead of one and offer the most training flexibility. If the cost isn’t much different, go for the 2621 because it offers 2 10/100 Ethernet ports and has 128MB of memory versus the 2611 that has 2 10Mb ports with 64MB of memory. Don’t forget to buy 2 routers as most of the CCNA Labs require two routers. You could also get 3 routers, but from my experience, you will rarely actually need 3 routers to practice for your CCNA.

Another issue that comes into play is the IOS. If you can get a router with 12.4 already installed, you are way ahead of the game. Remember, the only legal way you can get a copy of the IOS is to buy a Cisco Smartnet contract for your router. If worst comes to worst, look for 12.3, but do your best to avoid 12.2. While it is a solid IOS for production, the new CCNA really focuses on the newer 12.4 version and some commands may be different from what you are learning.

This recommendation is for building a CCNA Home Lab. If you plan on building a CCNP Home Lab, then you should check back later for a post about which router you should buy for CCNP. The great part is even though the routers for CCNP are more expensive, if you buy them while working on your CCNA, you can use them for both certifications.

Also, if you have the money, you may be better off buying a complete CCNA Home Lab. You can usually find a complete CCNA Lab Kit including 2 or more routers and 1 or more Cisco Switches. Just keep in mind what I said about the routers.

October 3rd, 2008

I was setting up a new ASA the other day and ran into a problem that drove me nuts. I’ve configured local access on tons of switches and routers, but this is the first time I had to configure access to a firewall from scratch. I thought I would share my experiences in case anyone else ran into the same problem.

I went through all the standard steps to setup SSH on the ASA.

ASA# conf t
ASA(config)# hostname {hostname}
newasa(config)# domain-name {domain}
newasa(config)# crypto key generate rsa modulus 2048
newasa(config)# ssh 0.0.0.0 0.0.0.0 inside
(This allows any IP on your inside interface to reach the ASA over SSH. For security purposes, I would tighten this down. You can repeat this command multiple times if you need to allow 3 or 4 non-contiguous IPs access to the ASA.)
newasa(config)# ssh version 2

next, I added a user.

newasa(config)# username {myuser} password {mypassword} encrypted privilege 15

Don’t forget to update the default enable password.

newasa(config)# enable password {password}

Now the most important part, actually the part that got me. You have to set up aaa authentication to the local users. If that isn’t set up, it will continue to deny access.

newasa(config)# aaa authentication ssh console LOCAL

And strangely enough, I typed local instead of LOCAL and it didn’t like it. So be sure to type LOCAL in all uppercase letters.
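The sequence above is easy to get partly right, so here is an added example (mine, not from the original post) that audits a transcript of exactly these commands before the firewall goes live: it flags an SSH source of 0.0.0.0 0.0.0.0, a missing ssh version 2, an RSA modulus under 2048, the lowercase local that the post says the ASA rejects, and the missing aaa authentication ssh console line that causes every SSH login to be refused. Both transcripts are constructed for the example; the hostname, domain, usernames and 192.0.2.x addresses are placeholders.

```python
"""Audit the SSH management-access commands applied to a Cisco ASA.

Added example, not part of the original post. Input is a transcript of the
configure-mode commands the post walks through, one per line.
"""
import ipaddress
import re

# Constructed transcripts (not from the post). WEAK follows the post's
# sequence with the aaa line mistyped and a short modulus; HARDENED is what
# the post's own caveat ("tighten this down") points to.
WEAK_TRANSCRIPT = """
hostname newasa
domain-name lab.example
crypto key generate rsa modulus 1024
ssh 0.0.0.0 0.0.0.0 inside
username admin password hunter2 privilege 15
enable password hunter2
aaa authentication ssh console local
"""

HARDENED_TRANSCRIPT = """
hostname newasa
domain-name lab.example
crypto key generate rsa modulus 2048
ssh 192.0.2.10 255.255.255.255 inside
ssh 192.0.2.20 255.255.255.255 inside
ssh version 2
username admin password hunter2 privilege 15
enable password hunter2
aaa authentication ssh console LOCAL
"""

SSH_SOURCE = re.compile(r"^ssh (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
AAA_SSH = re.compile(r"^aaa authentication ssh console (\S+)$")
RSA_MODULUS = re.compile(r"^crypto key generate rsa modulus (\d+)$")


def audit_asa_ssh(transcript):
    """Return a list of (code, detail) findings for an ASA SSH setup transcript."""
    findings = []
    ssh_v2 = False
    aaa_set = False
    for raw in transcript.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = SSH_SOURCE.match(line)
        if m:
            # ASA takes address + netmask; 0.0.0.0 0.0.0.0 is every address on that interface.
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            if net.prefixlen == 0:
                findings.append(("ssh-any-source", m.group(3)))
            continue
        if line == "ssh version 2":
            ssh_v2 = True
            continue
        m = AAA_SSH.match(line)
        if m:
            group = m.group(1)
            if group == "LOCAL":
                aaa_set = True
            elif group.lower() == "local":
                # The keyword is case-sensitive; the post reports 'local' being rejected.
                findings.append(("aaa-local-case", group))
            else:
                aaa_set = True  # an external AAA server group name
            continue
        m = RSA_MODULUS.match(line)
        if m and int(m.group(1)) < 2048:
            findings.append(("weak-rsa-modulus", m.group(1)))
    if not ssh_v2:
        findings.append(("ssh-version-not-pinned", ""))
    if not aaa_set:
        # Without this line the ASA never consults the local user database,
        # so every SSH login is refused (the part that "got" the post's author).
        findings.append(("no-aaa-ssh-auth", ""))
    return findings


def finding_codes(transcript):
    """Just the finding codes, sorted, for quick comparison."""
    return sorted(code for code, _ in audit_asa_ssh(transcript))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_TRANSCRIPT), ("hardened", HARDENED_TRANSCRIPT)):
        print(name, audit_asa_ssh(text))
```

Running it prints five findings for the weak transcript and none for the hardened one; the ssh-any-source check is the one to keep even on a lab box, since the inside network is exactly where a compromised workstation would sit.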

August 20th, 2008

If you’ve read my original post on Gigabit Autonegotiation, you already know how I feel. Today, this hit me smack dab in the face. We were on a conference call with EMC. We are about to install a very expensive EMC NAS and were going over all the settings and details.

Right there on the worksheet, it said to use hard coded Gigabit Full. I couldn’t believe my eyes. This thing cost as much as a Lexus and EMC is supposed to know their stuff. When I told them I wanted to use Gigabit Autonegotiation, they balked. I couldn’t believe what I was hearing. They said they tested and found it worked best. I call bull shit on that one. Then they had the nerve to ask what Cisco thought.

Screw what Cisco thinks, this is an IEEE Standard, IEEE 802.3ab to be exact. Then they came back and said they had seen network performance problems when using Autonegotiation because it would slow down to 100Mbps on just one of the Etherchannel links. Well of course that’s a problem, but if you hard set it, then you’ll never know you have a problem, which in itself will create a bigger problem because now you have bad data constantly streaming across your lines.

Anyway, I know I’m worked up over this, but I see this all the time and it is so frustrating to me how many people just don’t get it.

If you don’t believe me, then please read this IEEE Interpretation Request on using hard coded Full Duplex Gigabitethernet. Remember, I am talking specifically about 1000Base-T “Copper” Gigabit Ethernet configuration.

All 1000BASE-T PHYs shall provide support for Auto-Negotiation (Clause 28) and shall be capable of operating as MASTER or SLAVE. Auto-Negotiation is performed as part of the initial set-up of the link, and allows the PHYs at each end to advertise their capabilities (speed, PHY type, half or full duplex) and to automatically select the operating mode for communication on the link.

This indicates that although operating speed is allowed to be manually selected by disabling Auto-Negotiation in Control Register 0, selecting 1000BASE-T mode of operation still requires that Auto-Negotiation be used.

June 27th, 2008

WoW! I really didn’t see this coming. While surfing the Cisco website, I stumbled onto some information regarding the new Cisco CCNA tests. Rather than bore you with the details, I will highlight some of the things I found.

There are three new tests:

CCNA Security 640-553 IINS
CCNA VoIP 640-460 IIUC
CCNA Wireless 640-721 IUWNE

While they are CCNA level tests, they have a prerequisite of holding a valid CCNA. Even more interesting is the fact that you will now be required to have a CCNA and a CCNA Security before you can work on your CCSP. The same applies to CCVP as you will be required to hold a CCNA and a CCNA VoIP before you can work on your CCVP.

Current CCNA candidates that were working towards a CCSP certification can take the 642-552 SND test instead of the CCNA Security. I did not see how long this exception will be available, but you might take advantage of it while you can.

I didn’t find a lot about the CCNA Wireless exam. The one thing I read that I thought was very interesting alluded to more advanced Wireless exams in the future. Cool, I love wireless.

On one hand, I think these new certifications are a great idea. It alleviates one of the problems I’ve seen in job postings where they say you must have a valid CCNA, but want you to be able to do Firewalls, VoIP, BGP and 6509’s. Of course, even if you take and pass these tests, it doesn’t necessarily mean you are ready to tackle advanced Firewall topics or even work on a 6509. But it is a step in the right direction.

On the other hand, it means more time studying, more money spent on study materials and a little longer to get your certification. And how many more certifications do we really need? I guess I’m jaded since I don’t have nearly as much time now as I used to.

What do you think? Are these new Cisco Certifications a good idea? Will you pursue one?

May 31st, 2008

Repeat after me. I will not force a switch to 1000/Full, even if some idiot insists that I should.

Now we have that out of the way, let me give you a little background. I’ve had two instances where a “network” admin/engineer argued with me about hard coding Gigabit settings on a switch and server to 1000/Full. In both cases, I provided irrefutable proof that it is a bad idea and still they insisted.

Why Is Hard Setting Gigabit Ethernet to 1000 Full a Bad Idea?

Here’s the deal. Gigabit Ethernet is a very misunderstood standard.

May 29th, 2008

It still lacks a lot of information, but it seems to be easier to get around than Cisco’s regular website. It doesn’t appear to be open to editing from outside users, but it’s a start in the right direction.

http://supportwiki.cisco.com/

May 28th, 2008

I’ll admit it, I’ve become a lazy, fat Cat.

Once I got away from Cisco 5000’s, I stopped caring if I used a crossover cable or a straight through cable. A little thing called Auto-MDIX caused me to be that way. In the old days, the crossover cable rules went like this:

If you are connecting like devices, you must use a crossover cable. So, switch to switch was crossover.

If you are connecting two different devices, you must use a straight through cable. This is also known as a standard Cat 5 cable. So, switch to computer or switch to router required a straight through.

Along the way, Cisco decided to make life easier by using Auto Sensing to figure out whether the cable in use was a straight through or a crossover. And so, something meant to make life easier has, in a sense, made things more complicated.

Now, you have things like 4 Port HWIC’s which add more ethernet ports to a router and guess what, they have Auto-MDIX, so you could connect a router to a router via the 4 port HWIC, without using a crossover cable. UGH!

Does your head hurt yet?

Mine does….

April 28th, 2008

It really depends on who you are. Some people will refer to it as a CCNA Lab, others will call it a CCNA Kit and some people will even refer to it as a CCNA Lab Kit. From what I have seen, people selling a prebuilt Cisco Lab Kit usually throw in some sort of additional labs to work through or add a Certification ebook of some kind. Then again, so do a lot of sellers who make prebuilt CCNA Labs. In the end, it doesn’t matter. Here are a few suggested tips for finding the right prebuilt Cisco Home Lab.

No matter what they call it, make sure it meets your need to pass the current version of the Cisco Certification you are studying for. Nothing sucks worse than finding out after you start your Cisco Certification test that your home lab did not help you learn everything you need to know to pass the test.

My suggestion is to start with the Cisco Lab pages, then look over the Cisco Kit pages. Compare the two and make sure you are getting the best deal on equipment that you can actually use. In all cases, I suggest you get an IOS of 12.2(25) or higher. I am still running 12.2(25) on part of my network at work. This is really important. Make sure the IOS is installed on the equipment prior to purchasing because unless you have a costly Cisco Smartnet Account, you will not be able to upgrade. It also helps to verify the equipment has enough flash and NVRAM to handle the IOS you need.

CCENT Home Lab
Minimum Suggested Equipment
2 x 2600 Routers and 1 x 2950 Switch

If you are going to take the two-test CCNA route, you should focus on getting the equipment to get you through both tests. I recommend buying a CCNA Lab, even for the 640-822 ICND1 test.


CCNA Home Lab
Minimum Suggested Equipment
2 x 2600 Routers and 1 x 2950 Switch

Personally, I like having two switches to play with VLAN and Spanning Tree across multiple devices, but for the CCNA, one switch can get you by if money is tight.

See CCNA Lab & CCNA Kit.


CCNP Home Lab
Minimum Suggested Equipment
3 x 2600 Routers or 3600 Routers and 2 x 2950 Switches

Make sure they are using an enterprise IOS. These are usually designated by K9 in the image name. If it says Base, it will work for the CCNA, but for the third CCNP test, 642-895 ISCW, Implementing Secure Cisco Wide Area Networks, you will need the extra security features. Bear in mind that there are some export concerns with certain security features. You will need to verify this information if you live outside the US and are buying your equipment from the United States.

You also might consider picking up a Cisco Aironet Wireless Card and a Cisco Wireless Access Point for 642-812 BCMSN, Building Cisco Multilayer Switched Networks.

See CCNP Lab & CCNP Kit.

This started out as a quick rundown. It is longer than I expected, but there is a still a lot more to cover. This should get you started for now.


April 19th, 2008

Thinking back to my days as a new CCNA, I am shocked at how many times I would do a sh run or sh conf and hit the space bar over and over until I saw what I needed. And if I was using a console connection with HyperTerminal and got a bit anxious, what I was looking for would scroll past into the scrambled mess of HyperTerminal’s buffer.

Since then, I have looked for various ways to make things easier on myself, especially when doing a sh run. Here are the best ways I’ve found to make life easier.

show run interface gigabitethernet 1/1
sh ru int gig1/1

This command is great. It will show you the configuration of an interface and only that configuration. I use this all the time on bigger switches like 4506’s and 6509’s.

show run | include snmp
sh ru | inc snmp

Here is another useful command, but you have to think about what you are doing. I use this to see what snmp info is configured on a switch. However, it will only show lines that include snmp in them.

show run | begin ntp
sh ru | beg ntp

Here is another handy shortcut I use a lot. The other day I was setting up ntp on a network. I wanted to see what ntp info was configured and since I knew ntp was at the end of the config, it made sense that I could start showing the config at the start of the ntp statements.

Another great way to use this is sh run | beg 4/1. This will start showing your config at interface 4/1. Just be careful because a description with 4/1 can mess this up.
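To make the behaviour of these filters concrete, here is an added example (mine, not from the original post) that reproduces the include, exclude and begin filters over a constructed show run sample and emulates show run interface. IOS treats the filter string as a regular expression, and the sample is built so that the "description with 4/1" pitfall from the paragraph above actually fires: sh run | beg 4/1 lands on a description line, while anchoring the pattern to the interface line avoids it. The hostname, interface names, community string and 192.0.2.x addresses are placeholders.

```python
"""IOS-style output filters (include / exclude / begin) and a 'show run
interface' emulation, as an added example that is not from the original post."""
import re

# Constructed sample of a 'show run' on a chassis switch (not a real device's config).
# The description on Gi3/48 mentions "4/1" and sits before interface Gi4/1 on purpose.
SAMPLE_RUN = """\
hostname core1
!
interface GigabitEthernet3/48
 description uplink to closet switch port 4/1
 switchport mode trunk
!
interface GigabitEthernet4/1
 description server farm
 switchport access vlan 10
 spanning-tree portfast
!
snmp-server community EXAMPLE-RO RO
snmp-server location DC1
ntp server 192.0.2.1
ntp server 192.0.2.2
"""


def filter_output(text, mode, pattern):
    """Apply an IOS-style '| include', '| exclude' or '| begin' filter.

    IOS treats the pattern as a regular expression, so this does too:
    include keeps matching lines, exclude drops them, begin prints from the
    first matching line to the end of the output."""
    rx = re.compile(pattern)
    lines = text.splitlines()
    if mode in ("include", "inc"):
        return [l for l in lines if rx.search(l)]
    if mode in ("exclude", "exc"):
        return [l for l in lines if not rx.search(l)]
    if mode in ("begin", "beg"):
        for i, l in enumerate(lines):
            if rx.search(l):
                return lines[i:]
        return []
    raise ValueError(f"unknown filter {mode!r}")


def section_for_interface(text, name):
    """Emulate 'show run interface <name>': the interface line plus its
    indented body, stopping at the next top-level (unindented) line."""
    lines = text.splitlines()
    for i, l in enumerate(lines):
        if l == f"interface {name}":
            out = [l]
            for body in lines[i + 1:]:
                if not body.startswith(" "):
                    break
                out.append(body)
            return out
    return []


if __name__ == "__main__":
    print("sh ru | inc snmp ->", filter_output(SAMPLE_RUN, "inc", "snmp"))
    print("sh ru | beg 4/1 starts at ->", filter_output(SAMPLE_RUN, "beg", "4/1")[0])
    print("sh ru | beg ^interface .*4/1 starts at ->",
          filter_output(SAMPLE_RUN, "beg", "^interface .*4/1")[0])
    print("sh ru int gig4/1 ->", section_for_interface(SAMPLE_RUN, "GigabitEthernet4/1"))
```

The anchored pattern ^interface .*4/1 is the fix for the pitfall: a description line is indented, so it cannot match a pattern that requires "interface" at the start of the line.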

There is one shortcut that I remember finding at one point, but forgot and no matter how hard I search, I can’t seem to find any info on it. If my memory serves me, it may not even be a shortcut, but rather a configuration command itself.

How many times have you wanted to do a sh run so you can capture it in a buffer and save it to your local machine, but have to hit space over and over to continue? Then you have to go into the download and clean out all the more statements?

Well, there is a way around it and if someone knows it, please post in the comments so I can add it to the post.

The last Cisco IOS shortcut I am going to talk about is how to show contents of a running configuration while you are in config mode, but without having to exit config mode. It’s the do command and it works like this.

Router# conf t
Router(config)# do sh run int gig 1/1

This last command will show you the running config of interface gigabit 1/1 without having to exit out of config mode and jump back in. There are a few caveats though. It is really picky and if my memory serves me correctly, it doesn’t support ? for the context help menu for a specific command. So, you have to know what you want.

There you have it. A few show run shortcuts that I wish I had paid attention to when I first started working on my CCNA.