Starting CCNP

Comments

  • devils_haircut Member Posts: 284 ■■■□□□□□□□
    I sat the CCNP: Switch 3 nights ago; failed with a 643. I don't have a ton of experience, only about 6 months doing switch work at my current job. I think I hurt myself by using the 642-813 book to study because I already had it on hand, and attempting to fill in the gaps with the Chris Bryant video series on Udemy.

    Should've labbed a bit more. I knew the theory on certain topics, just not the specific way to configure it (which kinda defeats the purpose). Oh well, lesson learned...and at least now I'll know it this time. Re-taking it this coming Thursday, and I KNOW I'll pass this time.
  • TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
    Hondabuff wrote: »
    Pursuing CCNP, Have CCNA/S+/A+/N+ and shooting for a degree in Geography. I don't get it.

    No kidding. You are wasting time either on certs...or your major. Time is something we can never get back or get more of so you probably should rethink what you are doing.
  • 10Linefigure Member Posts: 368 ■■■□□□□□□□
    @Devils_Haircut: yeah man, you really need to lab it up. If you don't have a copy of the new 300-115 book then print the exam topics and read white papers on them.

    @TechGuru80: I hope you read the rest of this thread before writing that. I don't think it's a waste of time at all to pursue your passion. And being 22, I've got plenty of time to do what I want in this life. I think that spending this time 'we can never get back' doing what you enjoy is most important. So with that, I just got back from Geography class and am going to continue Jeremy's CBT CCNP series :)
    CCNP R&S, Security+
    B.S. Geography - Business Minor
    MicroMasters - CyberSecurity
    Professional Certificate - IT Project Management
  • 10Linefigure Member Posts: 368 ■■■□□□□□□□
    I finished the CBT Nuggets series by Jeremy on Monday, and moved on to the Transcender practice exams. Today I will start the hands-on labbing alongside Keith Barker's series. Scoring between 84 and 90% on practice exams. Hopefully ready in 15 days.
    CCNP R&S, Security+
    B.S. Geography - Business Minor
    MicroMasters - CyberSecurity
    Professional Certificate - IT Project Management
  • 10Linefigure Member Posts: 368 ■■■□□□□□□□
    So I can't figure it out. I took the test the past two Fridays and missed it each time. The first time was 750/790 and the second attempt was 770/790. Each time I had a 100% in Infrastructure Services and a 67% in Security. Only thing that changed was I went from a 75% to an 80% in Layer 2 Technologies. So after my first attempt there was really only 1 lab I could think of that was heavily focused on my Security grade. So I did some research and went back for seconds. This time, I added two commands that I had not used on the first attempt. And BAM! Same score, so I don't think those two commands helped.

    Basically, I was hoping someone could explain VACLs to me and where/how I should apply them? I've done some reading and I can't figure out how VLANs, being a Layer 2 technology, can work with a Layer 3 IP-based ACL?

    Thanks guys!
    CCNP R&S, Security+
    B.S. Geography - Business Minor
    MicroMasters - CyberSecurity
    Professional Certificate - IT Project Management
  • joetest Member Posts: 99 ■■□□□□□□□□
    Think about the name VLAN ACL... you put an ACL on a VLAN. Now where would one put an ACL which is made to permit/deny IP addresses and/or specific protocols/ports? On the interface VLAN which has an IP address. It's an SVI, and Switched Virtual Interfaces are Layer 3 interfaces used for routing; it's just like any other interface. It's just not a physical one! It's used for routing and can be reached via a physical port in that specific VLAN (L2). It's most likely the default gateway for clients in that VLAN.

    If you have two VLANs, say VLAN 10 and VLAN 20, on your Layer 3 switch:
    interface vlan 10
    ip address 192.168.10.1 255.255.255.0
    exit
    interface vlan 20
    ip address 192.168.20.1 255.255.255.0

    and let's say you have a .10 client on VLAN 10 and a .20 client on VLAN 20. Each of these clients sits on a physical L2 port with the following config:
    int fa0/1
    description client .10
    switchport mode access
    switchport access vlan 10
    !
    int fa0/2
    description client .20
    switchport mode access
    switchport access vlan 20

    How will the 192.168.10.10 client in VLAN 10 be able to reach the client 192.168.20.20 in VLAN 20? In what way will the traffic travel? Do the OSI model... be as specific as you can; go down the layers as best you can.

    Think about the answer, and when you have it, think about this: How can I prevent this .10 client in VLAN 10 from reaching client .20 in VLAN 20 without deleting any routing config?

    Hope this wasn't too obscure.
  • 10Linefigure Member Posts: 368 ■■■□□□□□□□
    @joetest Thank you for the reply. However, I am not sure that you have to apply ACLs to SVIs in order to get a VLAN filter to work. This is from Cisco:

    VLAN Access Map Configuration and Verification Examples

    Assume IP-named ACL net_10 is defined as follows:

    Router# show ip access-lists net_10
    Extended IP access list net_10
        permit ip 10.0.0.0 0.255.255.255 any

    This example shows how to define and apply a VLAN access map to forward IP packets. In this example, IP traffic matching net_10 is forwarded and all other IP packets are dropped due to the default drop action. The map is applied to VLAN 12 to 16.

    Router(config)# vlan access-map thor 10
    Router(config-access-map)# match ip address net_10
    Router(config-access-map)# action forward
    Router(config-access-map)# exit
    Router(config)# vlan filter thor vlan-list 12-16

    It's my understanding that "VACLs have an implicit deny at the end of the map".

    This information was sourced from:
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/vlan_acls.html


    So from my understanding, this would then allow ONLY traffic within the 10.x.x.x subnet to traverse these VLANs, and deny everything else?

    But I am not sure if it offers the whole picture. What are your guys thoughts?
    CCNP R&S, Security+
    B.S. Geography - Business Minor
    MicroMasters - CyberSecurity
    Professional Certificate - IT Project Management
  • joetest Member Posts: 99 ■■□□□□□□□□
    You're absolutely correct. You allow net_10 to forward in/out of those VLANs specified in the vlan filter. (VLAN ACLs don't have a direction.)
    I mixed up the VACL with a normal ACL on the SVI, where you can do it in a specific direction. You just reminded me :D

    The cool thing about a vlan filter/VACL is you can permit/deny inside the same VLAN too and couple it with MAC ACLs too.
    I.e. you can deny all HTTP/tcp80 traffic just by making an ACL like
    access-list 123 permit tcp any any eq www

    and do a
    match ip address 123

    action drop

    And a new sequence number with just an "action forward" to allow everything else inside the VLAN filter.

    Something like:
    vlan access-map Deny-http 5
    match ip address 123
    action drop
    vlan access-map Deny-http 10
    action forward
    vlan filter Deny-http vlan-list 10

    You just denied all TCP/80 traffic inside VLAN 10.
    To clarify a bit more:
    They can control access for packets bridged/forwarded inside a VLAN or routed across VLANs (think SVIs). They just don't have any control over whether it's inbound or outbound; it's both!
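    As an added example (not code from the thread, from Cisco, or from any IOS source), here is a small Python model of how a VLAN access-map is evaluated, covering both the net_10/thor map quoted above and the Deny-http map in this post: sequences are checked in order, a sequence without a match clause matches everything, there is an implicit drop at the end, and no direction is involved. The Packet/ACE data structures, the wildcard-mask handling and the sample packets are my own assumptions, and only IP packets are modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

@dataclass
class Packet:                  # constructed sample packet (IP only)
    src: str
    dst: str
    proto: str = "ip"          # "ip", "tcp" or "udp"
    dport: Optional[int] = None

@dataclass
class ACE:                     # one line of an extended IP ACL
    permit: bool
    proto: str                 # "ip" matches any IP protocol
    src: str                   # "any" or "address wildcard-mask"
    dst: str
    dport: Optional[int] = None

def addr_matches(spec: str, addr: str) -> bool:
    """Cisco wildcard-mask semantics: bits set to 1 in the mask are ignored."""
    if spec == "any":
        return True
    net, wild = (int(ip_address(x)) for x in spec.split())
    return (int(ip_address(addr)) & ~wild) == (net & ~wild)

def acl_matches(acl: list, pkt: Packet) -> bool:
    """True only if the packet hits a permit ACE; a deny ACE or no hit is 'no match'."""
    for ace in acl:
        if (ace.proto in ("ip", pkt.proto) and addr_matches(ace.src, pkt.src)
                and addr_matches(ace.dst, pkt.dst)
                and (ace.dport is None or ace.dport == pkt.dport)):
            return ace.permit
    return False

def vacl_action(access_map, acls, pkt: Packet) -> str:
    """Walk (sequence, acl-name-or-None, action) entries; same check for every packet seen in the VLAN."""
    for _, acl_name, action in sorted(access_map, key=lambda e: e[0]):
        if acl_name is None or acl_matches(acls[acl_name], pkt):
            return action
    return "drop"              # implicit deny at the end of the map

# The two maps discussed in the thread, expressed as data.
ACLS = {
    "net_10": [ACE(True, "ip", "10.0.0.0 0.255.255.255", "any")],
    "123":    [ACE(True, "tcp", "any", "any", 80)],
}
THOR = [(10, "net_10", "forward")]                       # vlan access-map thor 10
DENY_HTTP = [(5, "123", "drop"), (10, None, "forward")]  # vlan access-map Deny-http 5/10
```

    Because the map is directionless, thor forwards traffic sourced from 10.x but drops replies sourced from any other subnet, which is the usual surprise when a VACL is applied to a gateway VLAN.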

  • 10Linefigure Member Posts: 368 ■■■□□□□□□□
    After 3 tries I finally got it. I originally wanted to finish this test by 30 October, however it took until 20 November. Here's a score timeline:

    750/790 FAIL 30 OCT 2015

    75% Layer 2 Technologies
    67% Security
    100% Infrastructure

    770/790 FAIL 6 NOV 2015

    80% Layer 2 Technologies
    67% Security
    100% Infrastructure

    853/790 PASS 20 NOV 2015

    83% Layer 2 Technologies
    100% Security
    100% Infrastructure

    On to Route

    Looking back, it was actually a fair exam. I thought the multiple choice questions were easy and matched the exam blueprint. The simulators were okay, after failing twice I noticed they gave me the same (what I assume counted for) security lab, so I watched CBT nuggets that related to it and labbed it up some more. :) Good luck to everyone!
    CCNP R&S, Security+
    B.S. Geography - Business Minor
    MicroMasters - CyberSecurity
    Professional Certificate - IT Project Management