Wednesday, September 9, 2009
On June 29, 2009 I obtained my very first Cisco certification: Cisco Certified Network Associate (CCNA). I sat and passed the 48 questions, including 5 labs. It took me 6 months and 28 days to complete my study, since I started on the 1st day of the year. I have to say that my list of study materials is what really put me in front of this exam. Also, a burning desire to achieve this certification.

My study materials included:
CCNA Study Guide by Todd Lammle, CCNA Press book
CBT Nuggets (Jeremy), TrainSignal
Packet Tracer 5.1

It's hard for me to self-study CCNA since I have work, but I use my spare time wisely to review and practice lab exercises.
I consider it a great achievement because I really wanted to study CCNA in college (as part of an elective), but due to financial problems I wasn't able to enroll in it.

Email sent to me by Cisco:

Dear Dincy Joseph Cagayan, Congratulations on successfully completing the CCNA certification requirements. Candidates are automatically assigned a unique Cisco ID number after taking a Cisco Career Certification exam. Your Cisco ID number is CSCO11621100. This Cisco ID number will be listed on your certificate and should be referenced when registering for additional Cisco exams to prevent delay on receiving proper credit for your exam(s). To ensure you receive your CCNA certificate with the correct spelling of your name, please verify your name and address by accessing your Personal Information on the Certification Tracking System at www.cisco.com/go/certifications/login.

I want to start my CCNP now, but other things need to be prioritized first. I need to concentrate on our Design Project (Biped Robot), which is a prerequisite to finish and obtain my bachelor's degree. Hope all goes well.

Sunday, April 12, 2009

Easy packet captures straight from the Cisco ASA firewall

Whether you are troubleshooting a difficult problem or chasing some interesting traffic, sometimes you need to pull a packet capture. Of course, you could configure and deploy a sniffer, but that is not the only solution you have at your fingertips. You can pull the packet capture directly from the Cisco ASA firewall. The Cisco ASA makes this an easy process.

There are at least two ways to configure your ASA to capture packets. If you prefer the GUI interface of the ASDM, you can use the Packet Capture Wizard tool by selecting it from the wizard menu.

However, I’ve found that if you don’t mind getting your hands dirty, so to speak, the CLI interface is the way to go. You can identify the traffic you are looking for with an ACL and then set your interface to capture based on the ACL results. Here’s an example of how easy it is to do this.

In this example, I want to capture all IP packets between a host at 192.168.80.51 and the test ASA at 192.168.81.52.

The first step is to set a quick ACL:

access-list testcap extended permit ip host 192.168.80.51 host 192.168.81.52

Then, we set up the capture using the capture command. We’ll reference our ACL (testcap) as our “interesting” traffic, and we’ll specify which interface we want to look at:

myasa# capture testcap interface inside

Admittedly, this is probably the command in its simplest form. There are many options you can configure as part of this command, including setting buffer sizes, setting a circular-buffer that overwrites itself when full, and selecting webvpn or isakmp traffic. The point is, with two quick commands, we’ve got a packet capture going! It just doesn’t get much easier than that.

A quick show capture command verifies my capture is running.

myasa# sh capture

capture testcap type raw-data interface INSIDE [Capturing - 4314 bytes]

To stop the capture, use the no form of this command.

myasa # no capture testcap

Now let’s look at the results. Here again, we have choices. We can look at the traffic via a browser directly from the ASA by opening an http link (Figure A) like the following

https://192.168.81.52/admin/capture/testcap

[Figure A: the capture viewed in the browser]
While we see the traffic and much of the information, we cannot see all the detail of a regular packet capture. However, we can save this info as a libpcap file with the following command, and then open this file with Wireshark or such.

https://192.168.81.52/capture/testcap/pcap

Figure B shows this file when opened with Wireshark.

[Figure B: the saved pcap file opened in Wireshark]
The command line also provides options for looking at your data.

myasa# show capture testcap ?

access-list Display packets matching access list

count Display of packets in capture

decode Display decode information for each packet

detail Display more information for each packet

dump Display hex dump for each packet

packet-number Display packet in capture

trace Display extended trace information for each packet

| Output modifiers



Let’s look at the first nine packets.

myasa# show capture testcap count 9


4532 packets captured

1: 13:46:31.052746 192.168.81.52.22 > 192.168.80.51.2057: P 1290581619:1290581687(68) ack 941116409 win 8192

2: 13:46:31.052884 192.168.80.51.2057 > 192.168.81.52.22: . ack 1290581687 win 65207

3: 13:46:38.374583 arp who-has 192.168.80.219 tell 192.168.82.51

4: 13:46:38.521655 arp who-has 192.168.80.204 tell 192.168.82.51

5: 13:46:39.803120 192.168.81.52.443 > 192.168.80.51.3968: P 787673978:787675438(1460) ack 3043311886 win 8192

6: 13:46:39.803150 192.168.81.52.443 > 192.168.80.51.3968: P 787675438:787675589(151) ack 3043311886 win 8192

7: 13:46:39.803257 192.168.81.52.443 > 192.168.80.51.3968: P 787675589:787677049(1460) ack 3043311886 win 8192

8: 13:46:39.803272 192.168.81.52.443 > 192.168.80.51.3968: P 787677049:787677200(151) ack 3043311886 win 8192

9: 13:46:39.803287 192.168.81.52.443 > 192.168.80.51.3968: P 787677200:787677883(683) ack 3043311886 win 8192

9 packets shown

We can also look at an entire packet from the CLI.

myasa# show capture testcap detail packet-number 5 dump

4532 packets captured

5: 13:46:39.803120 0022.5597.25b9 0014.3815.89fb 0x0800 1514: 192.168.81.52.443 > 192.168.80.51.3968: P [tcp sum ok] 787673978:787675438(1460) ack 3043311886 win 8192 (ttl 255, id 54032)

0x0000 4500 05dc d310 0000 ff06 c052 c0a8 5134 E..........R..Q4

0x0010 c0a8 5033 01bb 0f80 2ef2 f37a b565 410e ..P3.......z.eA.

0x0020 5018 2000 5488 0000 1703 0106 4654 db31 P. .T.......FT.1

0x0030 b3d4 0a5b 3295 f719 d82a 8767 6b8b dae1 ...[2....*.gk...

0x0040 0a54 0ea8 c8c4 1c61 c45c e321 452e 6ab6 .T.....a.\.!E.j.

0x0050 ba80 4e94 3801 d973 b4fe 97d4 8b2f 9e77 ..N.8..s...../.w

*Only a partial result is displayed.
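Both the one-line listing from `show capture testcap count 9` and the hex rows from `show capture testcap detail packet-number 5 dump` are fixed text formats, which makes them easy to process offline once you have pasted them out of a terminal session. The parser below is an added example, not code from the original post or from Cisco: it reads the summary lines into records, totals payload bytes per flow, rebuilds the packet bytes from the `dump` rows, decodes the IPv4 and TCP headers, and checks that the ASA's summary line agrees with the raw bytes. The function names are my own; the sample text is a subset of the output shown above.

```python
# Added example (not from the original post): parse the text that the ASA's
# `show capture` prints. parse_summary() handles the one-line-per-packet
# listing; parse_hex_dump() and decode_ipv4_tcp() turn the `dump` rows back
# into bytes and decode the IPv4/TCP headers so the summary can be verified.
import re
import struct
from collections import defaultdict

SUMMARY_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+"
    r"(?P<flags>[FSRP.]+)\s+(?:(?P<seq>\d+):\d+\((?P<plen>\d+)\)\s+)?"
    r"ack\s+(?P<ack>\d+)\s+win\s+(?P<win>\d+)")
ARP_RE = re.compile(r"^\s*(?P<num>\d+):\s+\S+\s+arp\s")


def parse_summary(text):
    """One dict per TCP or ARP line; lines like '9 packets shown' are skipped."""
    records = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("num", "sport", "dport", "ack", "win"):
                d[k] = int(d[k])
            d["seq"] = int(d["seq"]) if d["seq"] else None
            d["plen"] = int(d["plen"]) if d["plen"] else 0  # a bare ACK carries no data
            d["proto"] = "tcp"
            records.append(d)
        elif ARP_RE.match(line):
            records.append({"num": int(line.split(":")[0]), "proto": "arp"})
    return records


def bytes_per_flow(records):
    """Payload bytes per one-way (src, sport, dst, dport) flow, from the (len) field."""
    totals = defaultdict(int)
    for r in records:
        if r["proto"] == "tcp":
            totals[(r["src"], r["sport"], r["dst"], r["dport"])] += r["plen"]
    return dict(totals)


def parse_hex_dump(text):
    """Rebuild bytes from '0xOFFS gggg ... gggg ASCII' rows. At most eight
    4-hex-digit tokens after the offset are taken, so the ASCII column (which
    can itself contain spaces) is never misread as data."""
    data = bytearray()
    for line in text.splitlines():
        tok = line.split()
        if not tok or not tok[0].lower().startswith("0x"):
            continue
        groups = []
        for g in tok[1:9]:
            if not re.fullmatch(r"[0-9a-fA-F]{4}", g):
                break
            groups.append(g)
        data += bytes.fromhex("".join(groups))
    return bytes(data)


def decode_ipv4_tcp(pkt):
    """Decode IPv4+TCP headers. Lengths come from the headers, so a truncated
    dump (the post shows 96 of 1514 bytes) still yields the right payload length."""
    (ver_ihl, _tos, total_len, ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("expected an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    if len(pkt) < ihl + 20:
        raise ValueError("TCP header truncated")
    (sport, dport, seq, ack, off_flags, win, _tcsum,
     _urg) = struct.unpack("!HHIIHHHH", pkt[ihl:ihl + 20])
    doff = (off_flags >> 12) * 4
    # tcpdump-style flag letters, as the ASA prints them ("." when none of F/S/R/P)
    flags = "".join(c for bit, c in ((1, "F"), (2, "S"), (4, "R"), (8, "P"))
                    if off_flags & bit) or "."
    payload = pkt[ihl + doff:]
    # 0x17 0x03 0x01 opens a TLS 1.0 application-data record: expected on port
    # 443, and the reason the rest of the dump is opaque.
    tls = len(payload) >= 3 and 0x14 <= payload[0] <= 0x17 and payload[1] == 3
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "ttl": ttl, "id": ident, "sport": sport, "dport": dport, "seq": seq,
            "ack": ack, "win": win, "flags": flags,
            "plen": total_len - ihl - doff, "tls_record": tls}


def dump_matches_summary(summary, decoded):
    """True when the ASA's one-line summary agrees with the bytes it dumped."""
    keys = ("src", "sport", "dst", "dport", "seq", "ack", "win", "plen", "flags")
    return all(summary[k] == decoded[k] for k in keys)


# Sample text: a subset of the post's own output, embedded here as test input.
SAMPLE_SUMMARY = """4532 packets captured
1: 13:46:31.052746 192.168.81.52.22 > 192.168.80.51.2057: P 1290581619:1290581687(68) ack 941116409 win 8192
2: 13:46:31.052884 192.168.80.51.2057 > 192.168.81.52.22: . ack 1290581687 win 65207
3: 13:46:38.374583 arp who-has 192.168.80.219 tell 192.168.82.51
5: 13:46:39.803120 192.168.81.52.443 > 192.168.80.51.3968: P 787673978:787675438(1460) ack 3043311886 win 8192
6: 13:46:39.803150 192.168.81.52.443 > 192.168.80.51.3968: P 787675438:787675589(151) ack 3043311886 win 8192
9 packets shown
"""
SAMPLE_DUMP = r"""
0x0000 4500 05dc d310 0000 ff06 c052 c0a8 5134 E..........R..Q4
0x0010 c0a8 5033 01bb 0f80 2ef2 f37a b565 410e ..P3.......z.eA.
0x0020 5018 2000 5488 0000 1703 0106 4654 db31 P. .T.......FT.1
0x0030 b3d4 0a5b 3295 f719 d82a 8767 6b8b dae1 ...[2....*.gk...
0x0040 0a54 0ea8 c8c4 1c61 c45c e321 452e 6ab6 .T.....a.\.!E.j.
0x0050 ba80 4e94 3801 d973 b4fe 97d4 8b2f 9e77 ..N.8..s...../.w
"""
```

Running `decode_ipv4_tcp(parse_hex_dump(SAMPLE_DUMP))` on the partial dump above recovers exactly what the ASA's summary line states: 192.168.81.52:443 to 192.168.80.51:3968, ttl 255, id 54032, PSH with ack, and a payload of 1460 bytes computed from the IP total length of 1500 even though only 96 bytes were printed. The first payload bytes identify a TLS record, which is why the dump past the headers is opaque; for cleartext protocols the capture buffer holds the application data itself, so treat exported `/pcap` files with the same care as the traffic they contain.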

So save your hardware or laptop sniffers for other parts of your network. Use your ASA to gather those snippets of network traffic that you need. But remember: in general, be kind to your ASA. When possible, create specific ACLs to refine the traffic you want to capture. Monitor your ASA while capturing packets and adjust the buffers if you need to. And, as always, refer to www.cisco.com for more detailed information.

Internet broken, North America-Asia cables damaged

Interoute, the internet networks company, reports that three of the four internet sub-cables that run from Asia to North America have been damaged, according a post just published to the Times Online’s Tech Central blog.

The cables carry more than 75 percent of traffic between the Middle East, Europe and America. Clearly, if you’re reading this, it hasn’t reached you yet — but the AP is reporting mass outages in Egypt as of an hour ago.

According to Interoute via the post:

hearing that offices have lost their entire private network connectivity. As a result, users are unable to do their daily job over the internet and are turning to their mobile phones to communicate across the globe. This is having a knock on effect on the domestic voice networks, which are getting a surge of calls needing to be routed internationally. These calls need to be routed onto international gateways that pass voice traffic in longer directions around the world to avoid the cable breaks – causing more quality issues and risk more call failures, in turn causing more calls to be placed and increasing the pressure on local voice networks.

So expect to see a slowdown on mobile phone networks in those areas as a result of companies’ attempts to continue conducting business, the post reports. It also means there may be financial havoc coming as well, since trading could be compromised.

The Times Online adds that it’s a bit unusual to have this situation:

Major sub-sea cables break once a year. So companies have developed a fall-back plan. If one sub-sea cable is out, traffic is re-routed onto a second cable. In theory, a dual break, where both cables go out at once, is incredibly rare. Prior to January this year, it had not happened before.

The Bloomberg wire also has a story about the situation. Earlier this year, cable problems were reported between Africa and the Middle East.

UPDATED 5PM: The cause hasn’t yet been determined, but Interoute’s director of wholesale products, Jonathan Wright, said in a telephone interview with Bloomberg that it sometimes happens because of a ship’s anchor.

ALSO: Site Fibresystems.org has stats on the effect of nearby countries:

* Saudi Arabia: 55% out of service
* Djibouti: 71% out of service
* Egypt: 52% out of service
* United Arab Emirates: 68% out of service
* India: 82% out of service
* Lebanon: 16% out of service
* Malaysia: 42% out of service
* Maldives: 100% out of service
* Pakistan: 51% out of service
* Qatar: 73% out of service
* Syria: 36% out of service
* Taiwan: 39% out of service
* Yemen: 38% out of service
* Zambia: 62% out of service

The site also noted that “most of the B to B traffic between Europe and Asia is rerouted through the USA” and that “traffic from Europe to Algeria and Tunisia is not affected, but traffic from Europe to the Near East and Asia is interrupted to a greater or lesser extent,” as evidenced by the list above.

The site reports that the cut is located in the Mediterranean between Sicily and Tunisia, on sections linking Sicily to Egypt.

Sunday, March 8, 2009

10 tech skills you should develop during the next five years

If you want a job where you can train in a particular skill set and then never have to learn anything new, IT isn’t the field for you. But if you like to be constantly learning new things and developing new skills, you’re in the right business. In the late 80s, NetWare and IPX/SPX administration were the skills to have. Today, it’s all about TCP/IP and the Internet.

Let’s take a look at some of the skills you should be thinking about developing to keep on top of things in the tech world in the next five years.

#1: Voice over IP

Many companies and consumers are already using VoIP for telephone services due to cost and convenience factors. According to a SearchVoIP.com article in June 2007, sales of pure IP PBX systems for the first quarter of 2007 increased 76% over the first quarter of the previous year.

More and more companies are expected to go to VoIP, to either supplement or replace their traditional phone lines. And because VoIP runs on the TCP/IP network, IT administrators will in many cases be expected to take responsibility for VoIP implementation and ongoing administration.

#2: Unified communications


Along with the growing popularity of VoIP, the concept of unified communications — the convergence of different communications technologies, such as e-mail, voicemail, text messaging, and fax — looks to be the wave of the future. Users will expect to have access to all their communications from a single interface, such as their Inbox, and from a variety of devices: PCs, laptops, smart phones/PDAs, traditional phones, etc.

Convergence makes networks more complex, and IT administrators will need to develop skills for managing converged networks to compete in tomorrow’s job market.

#3: Hybrid networks

The day of the all-Windows or all-UNIX network is already past, and networks are likely to grow more, rather than less hybridized in the future. As new versions of Linux, such as Ubuntu, become friendlier for end users, we’re likely to see some organizations deploying it on the desktop for certain users. However, it’s likely that other users will continue to use Windows because of application requirements and/or personal preferences, and there may very well be Macintosh users in the mix as well, especially in graphics environments.

IT pros will no longer be able to get by with expertise in only one platform; you’ll need to be able to support and troubleshoot different operating systems.

#4: Wireless technology


Wireless networking is still in its infancy in the enterprise. Companies are (often grudgingly) establishing wireless LANs for the use of employees and visitors because it’s the most convenient way for portable computers to connect to the network, but many organizations are still wary of wireless (rightly so), particularly its security implications.

But wireless isn’t going away, and the future promises faster and more secure wireless technologies. You’ll need to know about 802.11n, a new standard now in development and estimated to be released in late 2008, which will provide for a typical throughput of 74 Mbps with a theoretical maximum data rate of 248 Mbps and a longer range than current 802.11a/b/g standards (about 70 meters, or approximately 230 feet).

#5: Remote user support



The trend is toward more employees working off-site: executives taking their laptops on the road, telecommuters working from home at least a few days per week, personnel in the field connecting back to the LAN, and so forth. The IT staff will need to be able to support these remote users while maintaining the security of the internal network.

It will be important to learn skills relating to different VPN technologies (including SSL VPN) and technologies for health monitoring and quarantining of remote clients to prevent those that don’t meet minimal criteria (antivirus installed and updated, firewall enabled, etc.) from connecting to the LAN and putting the rest of the network at risk.

#6: Mobile user support


Cell phones, Blackberries, and other ultra-portable devices are becoming ubiquitous and will likely grow more sophisticated in the future. Employees will expect to get their corporate e-mail on their phones and in some cases (such as Windows Mobile devices), to use terminal services client software to connect these small devices to the company LAN.

IT staff members will need to develop a plethora of skills to support mobile users, including expertise in configuration of mail servers and knowledge of security implications of the devices.


#7: Software as a service


Web 2.0, the next generation of the Internet, is all about SaaS, or Software as a Service. SaaS involves delivering applications over the Web, rather than installing those applications on individual users’ machines. Some IT pundits have warned that SaaS will do away with IT administrators’ jobs entirely, but the more likely scenario is that the job description will change to one with less focus on deployment and maintenance of applications and more emphasis on broader-based planning, convergence, etc.

If SaaS takes off, the job market may also shift so that more jobs are concentrated in the application provider sector rather than in companies’ in-house IT departments. In that situation, IT pros who have the skills relating to service provision and multi-tenant architecture will have a head start when it comes to getting and staying employed.

#8: Virtualization


Virtualization has been around for a while, but now, with Microsoft heavily investing in the technology with its Windows hypervisor (Viridian), which will run on Windows Server 2008, VMWare offering VMWare Server for free, and Red Hat and SuSE planning to include Xen hypervisor technology in the next versions of their server products, we can expect the concept of virtual machines to go to a whole new level in the next few years.

Managing a VM-based network environment is a skill that will be not just handy, but essential, as more and more companies look to virtualization to consolidate servers and save on hardware costs.

#9: IPv6


Widespread adoption of the next generation of the Internet Protocol (IPv6) hasn’t come about as quickly as originally predicted, in large part because technologies such as NAT prevented the depletion of available IP addresses from happening as soon as anticipated.

However, with the number of hosts on the Internet growing steadily, the larger address space will eventually be critical to further expansion. IPv6 also offers better security with IPsec, a part of the basic protocol suite. Perhaps the inevitability of the transition is best indicated by the fact that Windows Vista, Windows Server 2008, Mac OS X 10.3, and the latest versions of other operating systems have IPv6 enabled by default.

With an entirely different address notation, called CIDR, and addresses written in hexadecimal instead of the familiar four octets of decimal numbers used by IPv4, there will be a learning curve for IT administrators. The time to tune up your IPv6 skills is now, before the transition becomes mandatory.

#10: Security

Smart IT pros have been developing their security skills for the last several years, but the future will bring new security challenges and new security mechanisms. Technologies such as VoIP and mobile computing bring new security issues and challenges. Authentication methods are evolving from a password-based model to multifactor models, and biometrics are likely to become more important in the future.

As threats become more sophisticated, shifting from teenage hackers defacing Web sites “just for fun” to well financed corporate espionage agents and cyberterrorists bent on bringing down the country’s vital infrastructure by attacking the networks that run it, security skills must keep up.

In addition to proactive measures, IT pros will need to know more about computer forensics and be able to track what is happening and has happened on their networks.

Saturday, December 20, 2008

10 mistakes new Windows administrators make

Maybe you’re a brand new network admin. You’ve taken some courses, you’ve passed some certification exams, perhaps you even have a Windows domain set up at home. But you’ll soon find that being responsible for a company network brings challenges you hadn’t anticipated.

Or maybe you’re an experienced corporate IT person, but up until now, you’ve worked in a UNIX environment. Now — either due to a job change or a new deployment in your current workplace — you find yourself in the less familiar world of Windows.

This article is aimed at helping you avoid some of the most common mistakes made by new Windows administrators.

Note: This information is also available as a PDF download.

#1: Trying to change everything all at once

When you come into a new job, or start working with a new technology, you may have all sorts of bright ideas. If you’re new to the workplace, you immediately hone in on those things that your predecessors were (or seem to have been) doing wrong. You’re full of all the best practices and tips and tricks that you learned in school. If you’re an experienced administrator coming from a different environment, you may be set in your ways and want to do things the way you did them before, rather than taking advantage of features of the new OS.

Either way, you’re likely to cause yourself a great deal of grief. The best bet for someone new to Windows networking (or to any other job, for that matter) is give yourself time to adapt, observe and learn, and proceed slowly. You’ll make your own job easier in the long run and make more friends (or at least fewer enemies) that way.

#2: Overestimating the technical expertise of end users

Many new administrators expect users to have a better understanding of the technology than they do. Don’t assume that end users realize the importance of security, or that they will be able to accurately describe the errors they’re getting, or that they know what you mean when you tell them to perform a simple (to you) task such as going to Device Manager and checking the status of the sound card.

Many people in the business world use computers every day but know very little about them beyond how to operate a few specific applications. If you get frustrated with them, or make them feel stupid, most of them will try to avoid calling you when there’s a problem. Instead they’ll ignore it (if they can) or worse, try to fix it themselves. That means the problem may be far worse when you finally do become aware of it.

#3: Underestimating the technical expertise of end users

Although the above applies to many of your users, most companies will have at least a few who are advanced computer hobbyists and know a lot about technology. They’re the ones who will come up with inventive workarounds to circumvent the restrictions you put in place if those restrictions inconvenience them. Most of these users aren’t malicious; they just resent having someone else in control of their computer use — especially if you treat them as if they don’t know anything.

The best tactic with these users is to show them that you respect their skills, seek out their input, and let them know the reasons for the rules and restrictions. Point out that even a top-notch racecar driver who has demonstrated the ability to safely handle a vehicle at high speed must abide by the speed limits on the public roads, and it’s not because you doubt his/her technology skills that you must insist on everyone following the rules.

#4: Not turning on auditing

Windows Server operating systems have built-in security auditing, but it’s not enabled by default. It’s also not one of the best documented features, so some administrators fail to take advantage of it. And that’s a shame, because with the auditing features, you can keep track of logon attempts, access to files and other objects, and directory service access.


Active Directory Domain Services (AD DS) auditing has been enhanced in Windows Server 2008 and can be done more granularly now. Without either the built-in auditing or third-party auditing software running, it can be almost impossible to pinpoint and analyze what happened in a security breach.

#5: Not keeping systems updated

This one ought to be a no-brainer: Keeping your servers and client machines patched with the latest security updates can go a long way toward preventing downtime, data loss, and other consequences of malware and attacks. Yet many administrators fall behind, and their networks are running systems that aren’t properly patched.

This happens for several reasons. Understaffed and overworked IT departments just may not get around to applying patches as soon as they’re released. After all, it’s not always a matter of “just doing it” — everyone knows that some updates can break things, bringing your whole network to a stop. Thus it’s prudent to check out new patches in a testbed environment that simulates the applications and configurations of your production network. However, that takes time — time you may not have.

Automating the processes as much as possible can help you keep those updates flowing. Have your test network ready each month, for instance, before Microsoft releases its regular patches. Use


Windows Server Update Services (WSUS) or other tools to simplify and automate the process once you’ve decided that a patch is safe to apply. And don’t forget that applications — not just the operating system — need to be kept updated, too.

#6: Getting sloppy about security

Many administrators enforce best security practices for their users but get sloppy when it comes to their own workstations. For example, IT pros who would never allow users to run XP every day logged on with administrative accounts think nothing about running as administrators themselves while doing routine work that doesn’t require that level of privileges. Some administrators seem to think they’re immune to malware and attacks because they “know better.” But this overconfidence can lead to disaster, as it does in the case of police officers who have a high occurrence of firearms accidents because they’re around guns all the time and become complacent about the dangers.

#7: Not documenting changes and fixes

Documentation is one of the most important things that you, as a network admin, can do to make your own job easier and to make it easier for someone else to step in and take care of the network in your absence. Yet it’s also one of the most neglected of all administrative tasks.

You may think you’ll remember what patch you applied or what configuration change you made that fixed an exasperating problem, but a year later, you probably won’t. If you document your actions, you don’t have to waste precious time reinventing the wheel (or the fix) all over again.

Some admins don’t want to document what they do because they think that if they keep it all in their heads, they’ll be indispensable. In truth, no one is ever irreplaceable — and by making it difficult for anyone else to learn your job, you make it less likely that you’ll ever get promoted out of the job.

Besides, what if you got hit by a truck crossing the street? Do you really want the company to come to a standstill because nobody knows the passwords to the administrative accounts or has a clue about how you have things set up and what daily duties you have to perform to keep the network running smoothly?

#8: Failing to test backups

One of the things that home users end up regretting the most is forgetting to back up their important data — and thus losing it all when a hard drive fails. Most IT pros understand the importance of backing up and do it on a regular schedule. What some busy admins don’t remember to do regularly is test those backups to make sure that the data really is there and that it can be restored.

Remember that making the backup is only the first step. You need to ensure that those backups will work if and when you need them.

#9: Overpromising and underdelivering

When your boss is pressuring you for answers to questions like “When can you have all the desktop systems upgraded to the new version of the software?” or “How much will it cost to get the new database server up and running?”, your natural tendency may be to give a response that makes you look good. But if you make promises you can’t keep and come in late or over budget, you do yourself more damage than good.

A good rule of thumb in any business is to underpromise and overdeliver instead of doing the opposite. If you think it will take two weeks to deploy a new system, give yourself some wiggle room and promise it in three weeks. If you’re pretty sure you’ll be able to buy the hardware you need for $10,000, ask for $12,000 just in case. Your boss will be impressed when you get the project done days ahead of time or spend less money than expected.

#10: Being afraid to ask for help

Ego is a funny thing, and many IT administrators have a lot invested in theirs. When it comes to technology, you may be reluctant to admit that you don’t know it all, and thus afraid — or embarrassed — to ask for help. I’ve known MCSEs and MVPs who couldn’t bear to seek help from colleagues because they felt they were supposed to be the “experts” and that their reputations would be hurt if they admitted otherwise. But plunging ahead with a project when you don’t know what you’re doing can get you in hot water, cost the company money, and even cost you your job.

If you’re in over your head, be willing to admit it and seek help from someone more knowledgeable about the subject. You can save days, weeks, or even months of grief by doing so.

The industry’s 10 best IT certifications

IT certifications boast numerous benefits. They bolster resumes, encourage higher salaries, and assist in job retention. But which IT certifications are best?

Technology professionals generate much debate over just that question. Many claim vendor-specific programs best measure a candidate’s skills, while others propose vendor-independent exams are the only worthy way of measuring real-world expertise. Still other observers believe the highest-level accreditations — Microsoft’s MCSE or new Architect Series certification, Cisco’s CCIE, etc. — are the only credentials that truly hold value.

Myself, I don’t fully subscribe to any of those mindsets. The best IT certification for you, after all, is likely to be different from that for another technology professional with different education, skills, and goals working at a different company in a different industry. For that reason, when pursuing any professional accreditation, you should give much thought and care to your education, experience, skills, goals, and desired career path.

Once a career road map is in place, selecting a potential certification path becomes much easier. And that’s where this list of the industry’s 10 best IT certifications comes into play. While this list may not include the 10 best accreditations for you, it does catalog 10 IT certifications that possess significant value for a wide range of technology professionals.

Note: This information is also available as a PDF download.

#1: MCITP

The new-generation Microsoft Certified IT Professional credential, or MCITP for short, is likely to become the next big Microsoft certification. Available for a variety of fields of expertise — including database developer, database administrator, enterprise messaging administrator, and server administrator — an MCITP validates a professional’s proven job-role capabilities. Candidates must pass several Microsoft exams that track directly to their job role before earning the new designation.

As with Microsoft’s other new-generation accreditations, the MCITP certification will retire when Microsoft suspends mainstream support for the platforms targeted within the MCITP exams. By matching the new certification to popular job roles, as has been done to some extent with CompTIA’s Server+ (server administrator), Project+ (project manager), and A+ (desktop support) certifications, Microsoft has created a new certification that’s certain to prove timely, relevant, and valuable.

#2: MCTS

The new-generation Microsoft Certified Technology Specialist (MCTS) helps IT staff validate skills in installing, maintaining, and troubleshooting a specific Microsoft technology. The MCTS certifications are designed to communicate the skills and expertise a holder possesses on a specific platform.

For example, candidates won’t earn an MCTS on SQL Server 2008. Instead, they’ll earn an MCTS covering SQL Server business intelligence (MCTS: SQL Server 2008 Business Intelligence), database creation (MCTS: SQL Server 2008, Database Development), or SQL server administration (MCTS: SQL Server 2008, Implementation and Maintenance).

These new certifications require passing multiple, tightly targeted exams that focus on specific responsibilities on specific platforms. MCTS designations will expire when Microsoft suspends mainstream support for the corresponding platform. These changes, as with other new-generation Microsoft certifications, add value to the accreditation.

#3: Security+

Security continues to be a critical topic. That’s not going to change. In fact, its importance is only going to grow. One of the quickest ways to lose shareholder value, client confidence, and sales is to suffer a data breach. And no self-respecting technology professional wants to be responsible for such a breach.

CompTIA’s Security+ accreditation provides a respected, vendor-neutral foundation for industry staff (with at least two years of experience) seeking to demonstrate proficiency with security fundamentals. While the Security+ accreditation consists of just a single exam, it could be argued that any IT employee charged with managing client data or other sensitive information should, at a minimum, possess this accreditation. The importance of ensuring staff are properly educated as to systems security, network infrastructure, access control, auditing, and organizational security principles is simply too important to take for granted.

#4: MCPD

There’s more to information technology than just administration, support, and networking. Someone must create and maintain the applications and programs that power organizations. That’s where the new-generation Microsoft Certified Professional Developer (MCPD) credential comes into play.

The MCPD accreditation measures a developer’s ability to build and maintain software solutions using Visual Studio 2008 and Microsoft .NET Framework 3.5. Split into three certification paths (Windows Developer 3.5, ASP.NET Developer 3.5, and Enterprise Applications Developer 3.5), the credential targets IT professionals tasked with designing, optimizing, and operating those Microsoft technologies to fulfill business needs.

A redesigned certification aimed at better-measuring real-world skills and expertise, the MCPD will prove important for developers and programmers. Besides requiring candidates to pass several exams, the MCPD certification will retire when Microsoft suspends mainstream support for the corresponding platform. The change is designed to ensure the MCPD certification remains relevant, which is certain to further increase its value.

#5: CCNA

The Cisco Certified Internetwork Expert (CCIE) accreditation captures most of the networking company’s certification glory. But the Cisco Certified Network Associate (CCNA) might prove more realistic within many organizations.

In a world in which Microsoft and Linux administrators are also often expected to be networking experts, many companies don’t have the budgets necessary to train (or employ) a CCIE. But even small and midsize corporations can benefit from having their technology professionals earn basic proficiency administering Cisco equipment, as demonstrated by earning a CCNA accreditation.

As smaller companies become increasingly dependent upon remote access technologies, basic Cisco systems skills are bound to become more important. Although many smaller organizations will never have the complexity or workload necessary to keep a CCIE busy, Cisco’s CCNA is a strong accreditation for technology professionals with a few years’ experience seeking to grow and improve their networking skills.

#6: A+

Technology professionals with solid hardware and support skills are becoming tougher to find. There’s not much glory in digging elbow-deep into a desktop box or troubleshooting Windows boot errors. But those skills are essential to keeping companies running.

Adding CompTIA’s A+ certification to a resume tells hiring managers and department heads that you have proven support expertise. Whether an organization requires desktop installation, problem diagnosis, preventive maintenance, or computer or network error troubleshooting, many organizations have found A+-certified technicians to be more productive than their noncertified counterparts.

Changes to the A+ certification, which requires passing multiple exams, are aimed at keeping the popular credential relevant. Basic prerequisite requirements are now followed by testing that covers specific fields of expertise (such as IT, remote support, or depot technician). The accreditation is aimed at those working in desktop support, on help desks, and in the field, and while many of these staffers are new to the industry, the importance of an A+ certification should not be overlooked.

#7: PMP

Some accreditations gain value by targeting specific skills and expertise. The Project Management Professional (PMP) certification is a great example.

The Project Management Institute (PMI), a nonprofit organization that serves as a leading membership association for project management practitioners, maintains the PMP exam. The certification measures a candidate’s project management expertise by validating skills and knowledge required to plan, execute, budget, and lead a technology project. Eligible candidates must have five years of project management experience or three years of project management experience and 35 hours of related education.

As organizations battle tough economic conditions, having proven project scheduling, budgeting, and management skills will only grow in importance. The PMI’s PMP credential is a perfect conduit for demonstrating that expertise on a resume.

#8: MCSE/MCSA

Even years after their introduction, Microsoft Certified Systems Engineer (MCSE) and Microsoft Certified Systems Administrator (MCSA) credentials remain valuable. But it’s important to avoid interpreting these accreditations as meaning the holders are all-knowing gurus, as that’s usually untrue.

In my mind, the MCSE and MCSA hold value because they demonstrate the holder’s capacity to complete a long and comprehensive education, training, and certification program requiring intensive study. Further, these certifications validate a wide range of relevant expertise (from client and server administration to security issues) on specific, widely used platforms.

Also important is the fact that these certifications tend to indicate holders have been working within the technology field for a long time. There’s no substitute for actual hands-on experience. Many MCSEs and MCSAs hold their certifications on Windows 2000 or Windows Server 2003 platforms, meaning they’ve been working within the industry for many years. While these certifications will be replaced by Microsoft’s new-generation credentials, they remain an important measure of foundational skills on Windows platforms.

#9: CISSP

As mentioned with the Security+ accreditation earlier, security is only going to grow in importance. Whatever an organization’s mission, product, or service, security is paramount.

(ISC)², which administers the Certified Information Systems Security Professional (CISSP) accreditation, has done well building a respected, vendor-neutral security certification. Designed for industry pros with at least five years of full-time experience, and accredited by the American National Standards Institute (ANSI), the CISSP is internationally recognized for validating a candidate’s expertise with operations and network and physical security, as well as their ability to manage risk and understand legal compliance responsibilities and other security-related elements.

#10: Linux+

While pursuing my first Microsoft certification 10 years ago, I remember debating the importance of Linux with several telecommunications technicians. They mocked the investment I was making in learning Microsoft technologies. These techs were confident Linux was going to displace Windows.

Well, that didn’t happen. Linux continues to make inroads, though. The open source alternative is an important platform. Those professionals who have Linux expertise and want to formalize that skill set will do well adding CompTIA’s Linux+ certification to their resumes.

The vendor-neutral exam, which validates basic Linux client and server skills, is designed for professionals with at least six to 12 months of hands-on Linux experience. In addition to being vendor-neutral, the exam is also distribution neutral (meaning the skills it covers work well whether a candidate is administering Red Hat, SUSE, or Ubuntu systems).

Monday, October 6, 2008

Cisco IOS access lists: 10 things you should know

Takeaway: Access control lists (ACLs) are a fundamental part of working with routers. How much do you know about managing these vital gatekeepers? David Davis lists 10 things every administrator should know about working with Cisco IOS ACLs.

If you work with Cisco routers, you're more than likely familiar with Cisco IOS access control lists (ACLs). But that doesn't mean you know all there is to know about these important gatekeepers. Access lists are an integral part of working with routers, and they're vital to security.

Because ACLs are a fundamental part of router administration, I want to address 10 things you should know about working with these lists. If you're new to working with Cisco routers, this list offers a good foundation to get you started. But even if you've worked with Cisco routers for a while, it never hurts to review the basics—you might even learn something new.

So, without any further ado, here are 10 things you need to know about Cisco IOS access lists, beginning with the basic definition of an ACL.

What is an access control list?

In the Cisco IOS, an access control list is a record that identifies and manages traffic. After identifying that traffic, an administrator can specify various events that can happen to that traffic.

What's the most common type of ACL?

IP ACLs are the most popular type of access lists because IP is the most common type of traffic. There are two types of IP ACLs: standard and extended. Standard IP ACLs can only control traffic based on the SOURCE IP address. Extended IP ACLs are far more powerful; they can identify traffic based on source IP, source port, destination IP, and destination port.

What are the most common numbers for IP ACLs?

The most common numbers used for IP ACLs are 1 to 99 for standard lists and 100 to 199 for extended lists. However, many other ranges are also possible.

  • Standard IP ACLs: 1 to 99 and 1300 to 1999
  • Extended IP ACLs: 100 to 199 and 2000 to 2699

How can you filter traffic using ACLs?

You can use ACLs to filter traffic according to the "three P's"—per protocol, per interface, and per direction. You can only have one ACL per protocol (e.g., IP or IPX), one ACL per interface (e.g., FastEthernet0/0), and one ACL per direction (i.e., IN or OUT).

How can an ACL help protect my network from viruses?

You can use an ACL as a packet sniffer to list packets that meet a certain requirement. For example, if there's a virus on your network that's sending out traffic over IRC port 194, you could create an extended ACL (such as number 101) to identify that traffic. You could then use the debug ip packet 101 detail command on your Internet-facing router to list all of the source IP addresses that are sending packets on port 194.

What's the order of operations in an ACL?

Routers process ACLs from top to bottom. When the router evaluates traffic against the list, it starts at the beginning of the list and moves down, either permitting or denying traffic as it goes. When it has worked its way through the list, the processing stops.

That means whichever rule comes first takes precedence. If the first part of the ACL denies traffic, but a lower part of the ACL allows it, the router will still deny the traffic. Let's look at an example:

access-list 1 permit any
access-list 1 deny host 10.1.1.1
access-list 1 deny any

What does this ACL permit? The first line permits anything. Therefore, all traffic meets this requirement, so the router will permit all traffic, and processing will then stop.

What about traffic you don't specifically address in an ACL?

At the end of an ACL is an implicit deny statement. Whether you see the statement or not, the router denies all traffic that doesn't meet a condition in the ACL. Here's an example:

access-list 1 deny host 10.1.1.1
access-list 1 deny 192.168.1.0 0.0.0.255

What traffic does this ACL permit? None: The router denies all traffic because of the implicit deny statement. In other words, the ACL really looks like this:

access-list 1 deny host 10.1.1.1
access-list 1 deny 192.168.1.0 0.0.0.255
access-list 1 deny any

Can I name an ACL?

Numbers—who needs numbers? You can also name your ACLs so you can more easily identify their purpose. You can name both standard and extended ACLs. Here's an example of using a named ACL:

router(config)# ip access-list ?
extended Extended Access List
log-update Control access list log updates
logging Control access list logging
resequence Resequence Access List
standard Standard Access List
router(config)# ip access-list extended test
router(config-ext-nacl)#
router(config-ext-nacl)# 10 deny ip any host 192.168.1.1
router(config-ext-nacl)# exit
router(config)# exit
router# show ip access-list
Extended IP access list test
10 deny ip any host 192.168.1.1

What's a numbering sequence?

In the "old days," you couldn't edit an ACL in place—you could only copy it to a text editor (such as Notepad), remove it from the router, edit it in Notepad, and then re-create it. In fact, this is still a good way to edit some Cisco configurations.

However, this approach can also create a security risk. During the time you've removed the ACL to modify it, the router isn't controlling traffic as needed. But it's possible to edit a numbered ACL with commands. Here's an example:

router(config)# access-list 75 permit host 10.1.1.1
router(config)# ^Z
router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
router(config)# ip access-list standard 75
router(config-std-nacl)# 20 permit any
router(config-std-nacl)# no 10 permit 10.1.1.1
router(config-std-nacl)# ^Z
router# show ip access-lists 75
Standard IP access list 75
20 permit any
router#
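To make the three behaviors described above concrete (first match wins, the implicit deny at the end of every list, and editing by sequence number), here is an added Python model of standard IP ACL evaluation. It is not the article's code and it only simulates IOS: it assumes entries carry explicit sequence numbers and that a standard ACL entry written without a wildcard mask is treated as a host entry, which is how IOS stores it.

```python
import ipaddress

# Constructed model of Cisco IOS standard ACL semantics (added example, not
# from the article): first match wins, implicit deny at the end, wildcard
# masks, and entries keyed by sequence number so they can be edited in place.

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

def parse_entry(line: str):
    """Parse 'SEQ permit|deny any|host A.B.C.D|A.B.C.D WILDCARD' into a tuple."""
    tokens = line.split()
    seq = int(tokens[0])
    action = tokens[1]
    if tokens[2] == "any":
        net, wc = "0.0.0.0", "255.255.255.255"
    elif tokens[2] == "host":
        net, wc = tokens[3], "0.0.0.0"
    else:
        net = tokens[2]
        wc = tokens[3] if len(tokens) > 3 else "0.0.0.0"  # no mask = host
    return seq, action, net, wc

class StandardAcl:
    def __init__(self, entries=()):
        self.entries = {}
        for line in entries:
            self.add(line)
    def add(self, line: str) -> None:
        seq, action, net, wc = parse_entry(line)
        self.entries[seq] = (action, net, wc)
    def remove(self, seq: int) -> None:
        del self.entries[seq]  # like 'no 10 ...' in ip access-list mode
    def evaluate(self, src: str) -> str:
        # Entries are checked in sequence order; the first match decides.
        for seq in sorted(self.entries):
            action, net, wc = self.entries[seq]
            if wildcard_match(src, net, wc):
                return action
        return "deny"  # the implicit deny at the end of every ACL

# access-list 1 from the article: permit any is first, so later lines never fire
acl1 = StandardAcl(["10 permit any", "20 deny host 10.1.1.1", "30 deny any"])
# two deny lines only: every other source falls through to the implicit deny
acl2 = StandardAcl(["10 deny host 10.1.1.1", "20 deny 192.168.1.0 0.0.0.255"])
```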

How else can I use an ACL?

ACLs aren't just for filtering traffic. You can also use them for a variety of operations. Let's look at some of their possible other uses:

    • To control debug output: You can use the debug list X command to control debug output. By using this command before another debug command, the command only applies to what you've defined in the list.
    • To control route access: You can use a routing distribute-list ACL to only permit or deny certain routes either into or out of your routing protocol.
    • As a BGP AS-path ACL: You can use regular expressions to permit or deny BGP routes.
    • For router management: You can use an ACL to control which workstation or network is allowed to manage your router by applying the ACL to your VTY lines with an access-class statement.
    • For encryption: You can use ACLs to determine how to encrypt traffic. When encrypting traffic between two routers or a router and a firewall, you must tell the router what traffic to encrypt, what traffic to send unencrypted, and what traffic to drop.

To wrap up this review, I'll leave you with one last tip: Don't forget to use remark statements in your ACLs. They'll come in handy when you have to troubleshoot something later.

Source: http://articles.techrepublic.com.com/5100-10878_11-5731134.h