The picture on the left illustrates the Cisco Certification Pyramid. If you are familiar with the pyramids of Egypt, you know that they have stood the test of time, withstanding harsh climate conditions for thousands of years. When we look at a pyramid, we instinctively look at the tip first, and then our eyes move down to the base. The same happens with the Cisco certification pyramid. The Architect and Expert certifications are looked at with amazement, and every network engineer’s wish is to obtain one of these prestigious qualifications. However, the base of the pyramid is what makes it strong and robust. Therefore, in my opinion the most important Cisco certifications are the ones you see at the base, that is the entry-level and associate-level (i.e. CCNA) certifications.
So, if you really want to be a successful CCIE or Architect, you must become a successful CCNA and CCNP first. If you master the CCNA and CCNP certifications, it is a surefire way to become a successful CCIE, and hence a successful high-level professional.
Indeed, the reason that the pyramids of Egypt are so strong and have lasted for thousands of years is that their foundation (base) is so strong. The same analogy can be drawn for Cisco career certifications. If you build a strong foundation (CCNA, CCNP), then the skills you acquire at these levels will follow you and support your whole future career. Therefore, becoming a CCIE depends on how strong your knowledge base is. Indeed, your CCNA studies are the most important studies of your career as a network engineer. If you don’t master basic concepts such as subnetting, IP addressing, basic routing and switching functionality, binary math, routing protocol functionality and so on, how do you think you will become a successful CCIE? So, keep this in mind: when you’re studying for your CCNA, you’re not just studying for a certification exam – you’re building the foundation for the rest of your Cisco certifications and the rest of your career.
So, take your CCNA studies seriously, learn as much material and theory as you can absorb, and you will not be disappointed. My 15 years in the field of networking have taught me that.
This is a question that I get from time to time in my work environment either from colleagues or customers. I will show you a couple of ways to do this.
On the ASA, several conditions must be met for traffic to pass between interfaces. Since we are talking here about the inside and outside interfaces, this means traffic from a higher security level (inside) to a lower security level (outside). The most important conditions to examine here are NAT (if used) and the access control list. Let's see more details below:
Traffic from inside to outside using NAT
This is the most common scenario. NAT is most commonly used in real networks to hide the internal network range and to translate the non-routable private addresses (internal network) to publicly routable IP addresses on the outside.
We can have two types of NAT:
- Dynamic NAT (Port Address Translation, PAT, is a subcategory of this)
- Static NAT (internal addresses are permanently mapped to external public addresses)
Here we will examine the most common scenario, which is PAT. This is a many-to-one translation which allows us to translate all internal IP addresses into a single public IP address, assigned to us by the ISP, that exists on the outside of the ASA. For the ASA to keep track of all these many-to-one translations, it uses port numbers. A different port number (out of a range of roughly 65000) is assigned to a different internal IP address.
Let's see the configuration for allowing all traffic from inside to outside using PAT:
Assume the following:
inside LAN range: 192.168.1.0/24
Public IP addresses available: 100.100.100.1 – 100.100.100.32
ASA outside interface IP address: 100.100.100.1
Option 1:
Using the ASA interface IP (100.100.100.1) to translate all internal addresses (commands for ASA versions before 8.3):
ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0
ciscoasa(config)# global (outside) 1 interface
Commands for ASA version 8.3 and later:
ciscoasa(config)# object network internal_lan
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic interface
Option 2:
Using one of the other available public IP addresses for translation (commands for ASA versions before 8.3):
ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0
ciscoasa(config)# global (outside) 1 100.100.100.2 netmask 255.255.255.255
Commands for ASA version 8.3 and later:
ciscoasa(config)# object network internal_lan
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic 100.100.100.2
After taking care of the NAT commands, we need to look at our access-list commands. By default, if you don’t have an access-list applied on the inside interface, then all traffic is allowed to pass because the inside interface has the highest security level (100). However, if for any reason you apply an access-list to the inside interface, then you must explicitly permit the IP traffic in that ACL:
ciscoasa(config)# access-list INSIDE_IN extended permit ip any any
ciscoasa(config)# access-group INSIDE_IN in interface inside
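To make the two conditions concrete, here is a small Python model (an added example, not ASA code) of the outbound path described above: the inside ACL is checked first when one is applied, then the PAT table allocates one mapped port per inside source address and port on the outside interface address 100.100.100.1, and a packet arriving from the outside is only let back in when it matches an existing translation. The Flow tuples, the ACL representation, the port range starting at 1024 and the destination address 203.0.113.5 are constructed for this example.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

INSIDE_LAN = ip_network("192.168.1.0/24")   # inside LAN range from the example above
OUTSIDE_IP = "100.100.100.1"                # ASA outside interface IP used for PAT
ANY = ip_network("0.0.0.0/0")               # stands for "any" in an ACL entry


@dataclass(frozen=True)
class Flow:
    """A 5-tuple as seen on one side of the ASA (constructed sample data)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def acl_permits(acl, flow):
    """Evaluate an extended ACL top-down with the implicit deny at the end.

    acl is a list of (action, proto, src_net, dst_net) entries, or None when no
    access-group is applied on the inside interface; in that case traffic from
    the higher security level (inside) to the lower one (outside) is allowed.
    """
    if acl is None:
        return True
    for action, proto, src_net, dst_net in acl:
        if proto not in ("ip", flow.proto):
            continue
        if ip_address(flow.src_ip) in src_net and ip_address(flow.dst_ip) in dst_net:
            return action == "permit"
    return False  # implicit deny


class PatTable:
    """Many-to-one translation: each inside (proto, ip, port) gets its own mapped
    port on the single outside address; the table is kept so that return traffic
    can be mapped back to the right inside host."""

    def __init__(self, mapped_ip, first_port=1024, last_port=65535):
        self.mapped_ip = mapped_ip
        self.next_port = first_port
        self.last_port = last_port
        self.forward = {}   # (proto, inside ip, inside port) -> mapped port
        self.reverse = {}   # (proto, mapped port) -> (inside ip, inside port)

    def outbound(self, flow):
        key = (flow.proto, flow.src_ip, flow.src_port)
        if key not in self.forward:
            if self.next_port > self.last_port:
                raise RuntimeError("PAT port range exhausted")
            self.forward[key] = self.next_port
            self.reverse[(flow.proto, self.next_port)] = (flow.src_ip, flow.src_port)
            self.next_port += 1
        return replace(flow, src_ip=self.mapped_ip, src_port=self.forward[key])

    def inbound(self, flow):
        """Packet arriving on the outside: accepted only if it matches an existing
        translation; unsolicited packets to the public address get None (dropped)."""
        if flow.dst_ip != self.mapped_ip:
            return None
        entry = self.reverse.get((flow.proto, flow.dst_port))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return replace(flow, dst_ip=inside_ip, dst_port=inside_port)


def inside_to_outside(flow, acl, pat):
    """Apply the inside ACL, then PAT. Returns the packet as seen on the outside,
    or None if it is dropped."""
    if ip_address(flow.src_ip) not in INSIDE_LAN:
        return None  # not covered by the nat statement for 192.168.1.0/24; this model drops it
    if not acl_permits(acl, flow):
        return None
    return pat.outbound(flow)


if __name__ == "__main__":
    pat = PatTable(OUTSIDE_IP)
    permit_all = [("permit", "ip", ANY, ANY)]   # access-list INSIDE_IN extended permit ip any any
    for host in ("192.168.1.10", "192.168.1.11"):
        out = inside_to_outside(Flow("tcp", host, 40000, "203.0.113.5", 443), permit_all, pat)
        print(f"{host}:40000 -> {out.src_ip}:{out.src_port}")
    back = pat.inbound(Flow("tcp", "203.0.113.5", 443, OUTSIDE_IP, 1025))
    print("return traffic to port 1025 is delivered to", back.dst_ip, back.dst_port)
```

Two inside hosts using the same source port 40000 end up with different mapped ports on 100.100.100.1, which is exactly why a single public address can serve the whole subnet, and a packet to a port with no translation is dropped rather than forwarded inside.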
Traffic from inside to outside without NAT
There are some cases where we don’t want to have NAT between inside to outside. In this scenario, the ASA works like a router but it still applies firewall inspection to the traffic. All you have to do here is to disable NAT and then allow traffic with an ACL:
ciscoasa(config)# no nat-control
ciscoasa(config)# access-list INSIDE_IN extended permit ip any any
ciscoasa(config)# access-group INSIDE_IN in interface inside
That's it.
One of the most important skills that a network engineer must learn and develop is troubleshooting. I have designed, configured and managed hundreds of networking projects. It's very rare to configure a network (especially a complex one) and have everything running as expected at the first attempt. Most of the time a lot of troubleshooting needs to take place in order to bring everything up and have your network run flawlessly.
For CCNA/CCNP candidates, the troubleshooting skill is of paramount importance. In the exam, you need to analyze configurations and find what the problem is and what the solution is, check debug output to find what’s going wrong on the router or switch, and in general show your ability to troubleshoot in addition to configuring devices.
Troubleshooting, therefore, is an essential skill to learn and to practice. A Cisco CCNA/CCNP engineer will need to perform a lot of it in their career. Of course, if you are a newcomer to the field of networking you will not have enough time from the very beginning to develop and practice your troubleshooting skills. Also, you will not be able to “play” around on the live network of your company or of your clients in order to find out how to solve and troubleshoot problems. So my suggestion is to build a cheap home lab with 1-2 routers and a switch. The troubleshooting skills that you will acquire will be gold for your future career.
We know that a Layer 2 VLAN is an isolated broadcast domain and that a Layer 3 device is required for inter-VLAN routing. A Private VLAN (PVLAN) gives us the opportunity to divide a VLAN into sub-VLANs: a normal (primary) VLAN is mapped to secondary VLANs. This lets us prevent devices connected to the same normal VLAN (subnet) from communicating with each other. Catalyst 3560 and higher models support PVLANs.
Often PVLANs are used where servers are located in a DMZ on the same Layer 2 VLAN and we want to prevent these servers from communicating with each other. This helps a lot with security. If the servers are publicly accessible from the Internet and one of them is compromised by hackers, we can stop the attacker from reaching the other servers on the same VLAN. Of course we can do this with a L3 device or firewall, but in that case each server would need its own VLAN and the result would be a complex network. With a PVLAN, we have one network (VLAN) and we restrict the connectivity between servers by creating secondary VLANs.
Private VLAN Types and Port Types:
Promiscuous (P): Usually connects to a router (default gateway) or to a SPAN port. A port of this type is allowed to send frames to and receive frames from any other port on the primary VLAN.
Isolated (I): This type of port is only allowed to communicate with P-ports; it is a “stub” port and usually connects to hosts. Only one isolated VLAN is created per primary VLAN. The ports in the isolated VLAN cannot communicate with each other.
Community (C): The ports in the same community can communicate with each other and with the promiscuous port. Multiple community VLANs can exist, and ports in different communities cannot talk to each other (of course they can all talk to P-ports).
Let’s see how to configure PVLANs.
Equipment Used in this LAB:
Cisco Catalyst 3560 – C3560-IPSERVICES-M Version 12.2(50)SE
Cisco Router 2801 - C2801-ADVIPSERVICESK9-M Version 12.4(9)T4

Scenario: Create one community VLAN to which SRV1 and SRV2 will belong. Also create an isolated VLAN to which SRV3 and SRV4 will belong. Make Gi0/1 promiscuous and connect it to the default gateway (router). According to this configuration, SRV1 and SRV2 can talk to each other and to the router (default gateway). On the other hand, the servers in the isolated VLAN (SRV3 and SRV4) will not communicate with each other and will also not be able to talk to F0/0 (router, default gateway).
Before starting the PVLAN configuration, VTP must be switched to transparent mode. If VTP is in any other mode, PVLANs will not work.
! switch to transparent mode
Switch(config)# vtp mode transparent
Setting device to VTP TRANSPARENT mode.
! create the isolated VLAN
Switch(config)# vlan 102
Switch(config-vlan)# private-vlan isolated
! create the community VLAN
Switch(config)# vlan 101
Switch(config-vlan)# private-vlan community
! create the primary VLAN and associate the secondary VLANs with it
Switch(config-vlan)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 101 102
Our complete VLAN configuration now looks like this:
vlan 100
private-vlan primary
private-vlan association 101 102
!
vlan 101
private-vlan community
vlan 102
private-vlan isolated
! create the promiscuous port and map it to the secondary VLANs
Switch(config)# interface gigabitEthernet 0/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 101 102
! associate ports Gi0/2 and Gi0/3 with the primary and secondary VLANs. According to our scenario Gi0/2 and Gi0/3 should be in the community VLAN.
Switch(config)# interface range gigabitEthernet 0/2 - 3
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 101
! associate ports Gi0/4 and Gi0/5 with the primary and secondary VLANs. According to our scenario Gi0/4 and Gi0/5 should be in the isolated VLAN.
Switch(config)# interface range gigabitEthernet 0/4 - 5
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 102
The configuration is complete, so let’s see what the output looks like.
Switch# show interface status
Port    Name    Status       Vlan      Duplex   Speed   Type
Gi0/1           connected    100       a-full   a-100   10/100BaseTX
Gi0/2           connected    100,101   a-full   a-100   10/100BaseTX
Gi0/3           connected    100,101   a-full   a-100   10/100BaseTX
Gi0/4           connected    100,102   a-full   a-100   10/100BaseTX
Gi0/5           connected    100,102   a-full   a-100   10/100BaseTX
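To check the lab's expected behaviour against the port-type rules listed above (isolated ports reach only the promiscuous port, community ports reach each other and the promiscuous port, and a promiscuous port reaches every secondary VLAN mapped to it), here is a small Python model of the PVLAN forwarding decision that prints a reachability matrix for the lab ports. It is an added example, not switch code; the port names, VLAN numbers and mappings are those of the lab configuration above, and the PrivateVlan/Port data structures are this example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PrivateVlan:
    """A primary VLAN with its secondary VLANs, as created with 'private-vlan'."""
    primary: int
    isolated: int            # at most one isolated VLAN per primary VLAN
    communities: frozenset   # any number of community VLANs


@dataclass(frozen=True)
class Port:
    """A switch port in private-vlan mode.

    mode: "promiscuous" (switchport private-vlan mapping) or "host"
          (switchport private-vlan host-association).
    secondaries: for a promiscuous port the mapped secondary VLANs, for a host
          port the single secondary VLAN it is associated with.
    """
    name: str
    mode: str
    primary: int
    secondaries: frozenset


def secondary_kind(pvlan, vid):
    if vid == pvlan.isolated:
        return "isolated"
    if vid in pvlan.communities:
        return "community"
    raise ValueError(f"VLAN {vid} is not a secondary VLAN of primary {pvlan.primary}")


def can_forward(pvlan, a, b):
    """Can a frame entering on port a be forwarded out of port b?"""
    if a.name == b.name or a.primary != b.primary or a.primary != pvlan.primary:
        return False
    if a.mode == "promiscuous" and b.mode == "promiscuous":
        return True
    if a.mode == "promiscuous":            # promiscuous -> host: secondary must be mapped
        return next(iter(b.secondaries)) in a.secondaries
    if b.mode == "promiscuous":            # host -> promiscuous: same rule, other direction
        return next(iter(a.secondaries)) in b.secondaries
    # both are host ports: only members of the same community VLAN can talk
    sec_a, sec_b = next(iter(a.secondaries)), next(iter(b.secondaries))
    return sec_a == sec_b and secondary_kind(pvlan, sec_a) == "community"


def reachability(pvlan, ports):
    """Full matrix {(src_name, dst_name): bool} over all distinct port pairs."""
    return {(a.name, b.name): can_forward(pvlan, a, b)
            for a in ports for b in ports if a.name != b.name}


# The lab: primary 100, community 101 (SRV1, SRV2), isolated 102 (SRV3, SRV4),
# Gi0/1 promiscuous towards the router.
LAB_PVLAN = PrivateVlan(primary=100, isolated=102, communities=frozenset({101}))
LAB_PORTS = [
    Port("Gi0/1", "promiscuous", 100, frozenset({101, 102})),
    Port("Gi0/2", "host", 100, frozenset({101})),
    Port("Gi0/3", "host", 100, frozenset({101})),
    Port("Gi0/4", "host", 100, frozenset({102})),
    Port("Gi0/5", "host", 100, frozenset({102})),
]


def print_matrix(pvlan, ports):
    names = [p.name for p in ports]
    matrix = reachability(pvlan, ports)
    print("from \\ to " + " ".join(f"{n:>6}" for n in names))
    for a in names:
        row = ["   -  " if a == b else ("  yes " if matrix[(a, b)] else "  no  ") for b in names]
        print(f"{a:<10}" + " ".join(row))


if __name__ == "__main__":
    print_matrix(LAB_PVLAN, LAB_PORTS)
```

The matrix makes the security property visible at a glance: a compromised host on Gi0/4 can send frames to the router on Gi0/1 but not to Gi0/5, while Gi0/2 and Gi0/3 still see each other, and a host port associated with a different primary VLAN is unreachable from any of the lab ports.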