ExamNotes.net  -  IT certification portal

Author: David M (Guest)
Cisco Certification FAQ Part 3 Workshop (3:00:01)

Archive-Name: Certification/Cisco/Frequently Asked Questions
Version: 03:00:00 Part 3 of 3
Posted: Weekly (Thursday)
Title: Part 3 - Workshop


Index:-

Part 1 - Introduction
=====================
10.0 Statement of objectives
11.0 Administrivia
12.0 What is Cisco accreditation
13.0 Testing
14.0 Learning resources
15.0 Getting practical experience.
16.0 Dealing with Cisco.
16.1 Cisco Connection Online Account
17.0 Links
18.0 Credits

Part 2 - Certifications
=======================
21.0 Q: What accreditation is offered?
22.0 Q: What is the Network Installation and Support stream?
23.0 Q: What is the Network Installation and Support (WAN) stream?
24.0 Q: What is the Network Engineering and Design stream?
25.0 Q: What is the Network Engineering and Design (WAN) stream?
26.0 Q: What is the Communications and Services stream?
27.0 Q: What are Specialist Designations?
28.0 Q: What are the Cisco Partner Specialisation Exams?
29.0 Entry Level CCNA, CCNA(WAN), CCDA
210.0 Journeyman Level CCIP, CCNP, CCNP(WAN), CCDP
211.0 Professional Level CCIE
212.0 Specializations
213.0 Spare
214.0 The Lost Exams Home
215.0 Cisco Certification Renewal Policy
216.0 Beta Exams

Part 3 - Practical Issues
=========================
31.0 Q: What is involved in a Home Laboratory?
---------------------------
31.0 Introduction
31.1 Q: What should I look for in a router?
31.2 Q: What should I look for in a switch?
31.3 Q: What sort of Lab is required for the CCNA?
31.4 Q: What sort of Lab is required for the CCNP?
31.5 Q: What sort of Lab is required for the CCIE?
31.7 Q: What would be a good lineup of equipment for a router lab?
31.8 Q: Where's the best place to buy cheap lab equipment?
31.9 Miscellaneous questions.

32.0 Router basics.
------------------------
32.1 Software
32.2 Password recovery
32.3 Connecting routers together

33.0 Switch Basics.
------------------------

34.0 Internet Basics
------------------------
34.1 Subnet Masks
34.2 CIDR and VSLM
34.3 What are the unallocated IP address blocks?
34.4 Which rfc 1918 address block should I use?

35.0 Access Lists
---------------------
35.1 What are access lists and why should I care?
35.2 Access list basics
35.3 How do I apply access lists?
35.4 Where do I apply access lists?
35.5 How are access lists evaluated?

36.0 Links
--------------

==============================
==============================
====================


31.0 Home Laboratories
==========================
31.0 Introduction
---------------------
The following is really a discussion of what would be good for the
exams listed in the various sections. It is difficult to be too
specific about equipment types, as what ends up in a home lab will
more often be a compromise between what is available at a particular
time, the price you are willing to pay, what you wish to achieve and
the timeframe in which study will be undertaken.
I hope that this will start discussion of what is really required.

31.1 What should I look for in a router?
--------------------------------------------
31.1.1 Q: What type of LAN port(s) is the router fitted with?
A: LAN ports are either ethernet or token ring. Ethernet is preferred
because most exams are ethernet based and most user equipment is
ethernet based.

31.1.2 Q: What type of WAN ports is it fitted with?
A: Serial ports are preferred as they are easiest to connect together.
Integrated CSU/DSU ports are also easy to connect together. ISDN is
difficult to connect together without either access to two ISDN
services via a telco or an ISDN simulator.

31.1.3 Q: What version of IOS is it fitted with?
31.1.3.1 Q: What version of IOS is it fitted with?
A: Cisco has a whitepaper, "Cisco IOS Reference Guide", available on
the Cisco website for further information. Dated but highly
recommended.

31.1.3.2 Q: Are there other router operating systems than IOS?
A: Some models, such as the 700 series, were acquired by purchasing
the company which developed them, and the products were incorporated
into the Cisco product line. These companies used proprietary
operating systems which are not compatible with IOS.

31.1.3.3 Q: What is the current version of IOS?
A: The newest version of IOS is 12.2.x

31.1.4 Q: What feature set is fitted?
A: Cisco IOS is sold with various capabilities. Most routers come with
IP only, which is the minimum. The other feature sets for a particular
model router enable greater functionality, such as IPX/AppleTalk in a
desktop feature set and security/firewall in others.
Full information on the IOS, feature set and router model is available
on the Cisco site. You need a login to access this feature. Consultant
access is easy to obtain and suitable to access this feature.
Cisco has a whitepaper, "Cisco IOS Reference Guide", available on the
Cisco website for further information. Dated but highly recommended.

31.1.5 Q: What quantity of Flash Memory is fitted?
A: IOS is saved into flash memory. Newer releases and enhanced feature
sets usually require more flash memory. This may entail purchase of
additional flash memory, or booting the IOS from a TFTP server if your
intention is to upgrade IOS but not to add flash. Booting from TFTP
requires additional DRAM though, but this is usually cheaper than
flash.

31.1.6 Q: What quantity of RAM is fitted?
A: Many routers come with minimum RAM.

31.1.7 Q: What type of memory is fitted?
A: Many memory types are used in various models, with the option of
parity and non-parity memory. Many router memory types are industry
standard and in a Lab situation can be enhanced with standard memory.

31.1.8 Q: Where can I find information on a router I am considering?
A: CCO has documentation on most equipment, current and obsolete.
http://www.cisco.com

31.1.9 Q: I cannot find the model on this list?
A: When looking for information, look also at the end of life and end
of sales section at the bottom of the catalogue page.

31.1.10 Q: What is End Of Sales (EOS)?
A: This is the last date that the equipment was for sale.

31.1.11 Q: What is End of Engineering (EOE)?
A: This is the last date that engineering work will be/was performed.

31.1.12 Q: What is End Of Life (EOL)?
A: This is the last date that support will be/was available from
Cisco.

31.2 What should I look for in a switch?
--------------------------------------------
31.2.1 Q: What type of LAN port(s) is the switch fitted with?
A: Switches have 10 or 10/100 LAN ports. Uplink ports may be 100 Mb/s
or 1 Gb/s and capable of FEC or GEC.

31.2.2 Q: What type of operating system is installed?
A: Most of the early Cisco switch models were acquired by purchasing
other companies and their product lines. These have been rationalized
to two types of operating system: the Cisco IOS based switches and the
"set" based operating system of the 5000 series switches.

31.2.3 Q: What version of IOS is it fitted with?
31.2.4 Q: How much memory is fitted?
31.2.5 Q:
31.2.6 Q:

31.3 Q: What sort of Lab is required for the CCNA?
------------------------------------------------------
31.3.1 Q: What is the critical requirement of the CCNA exam?
A: The critical requirement is to gain access to a router and switch
for familiarization with router IOS and the switch OS.

31.3.2 Q: What is the Hardware required?
A: A router and a switch. The switch may be optional. The use of
two routers will allow demonstration of routing table updates.

31.3.3 Q: What is required of the routers?
IOS: Support for RIP, IGRP, IPX.
Feature set: Desktop feature set (IP, IPX and AppleTalk). IP only may
be used, but IPX cannot then be configured.
Memory: To suit feature set.
Serial ports: One serial, two preferred. Integrated CSU/DSU also
useful.
LAN ports: At least one ethernet per router.

31.3.4 Q: What is required of switches?
A: One 1900 series switch. Enterprise feature set required.

31.3.4 Q: Where can I find configuration exercises?
A: Most certification guides offer configuration exercises.

31.3.9 Q: What is a good lineup of equipment for the CCNA?
A: 800 series is *okay* for the CCNA. 2500 series is better. One will
get you by, two is better. Although you need to learn the material,
buying a switch for CCNA is overkill. (JRE)

31.4 Q: What sort of Lab is required for the CCNP?
------------------------------------------------------

31.4.0 Q: What are the elements of the CCNP?
A: There are four exams for the CCNP qualification. Each has different
demands on equipment.

31.4.1 Q: What is required for the BSCN Exam?
-----------------------------------------------
31.4.1.1 Q: What is the critical requirement for the BSCN exam?
A: The critical element is that the IOS on the router used supports
EIGRP, OSPF and BGP routing protocols.

31.4.1.2 Q: What is the hardware required?
A: Minimum three routers; five routers is more usable.

31.4.1.3 Q: What is required of the routers?
IOS: Support for EIGRP, OSPF and BGP4 routing protocols. 12.X.X
preferred.
Feature set: IP only. (Lower model routers, 1600/1700 series, may
require IP+.)
Memory: Enough to support IOS and feature set employed.
Serial ports: Two on each router. One router with four serial ports
is desirable.
LAN ports: Ethernet or Token Ring. At least two with ethernet is
desirable.

31.4.1.4 Q: Where can I find configuration exercises?
A: "Building Scalable Cisco Networks", Paquet and Teare, Cisco Press,
has a configuration in appendix "H".

31.4.2 Q: What is required for the BMSCN Exam?
------------------------------------------------
31.4.2.1 Q: What is the critical element of the BMSCN exam?
A: The critical element is the configuration of switches, trunking
and HSRP.

31.4.2.2 Q: What hardware is required?
A: An IOS based switch, 1900 series, 2900XL series
A set based switch, 5000 series or model 2900.
A Router capable of ISL and 802.1Q trunking.

31.4.2.3 Q: What is required of the routers?
A: One Fast ethernet port compatible with ISL and 802.1Q

31.4.2.4 Q: What additional equipment is required?

31.4.3 Q: What is required for the BCRAN Exam?
------------------------------------------------
31.4.3.1 Q: What is the critical element of the BCRAN exam?
A: To configure remote networks using ISDN (BRI and PRI), analog
MODEMs and Frame/serial links.

31.4.3.2 Q: What equipment is required?
A: Routers of the 1600/1700 series, 2500 series with ISDN BRI and
serial ports. One router with at least four serial ports for use as a
frame switch.
Routers with PRI interfaces.
ISDN BRI simulator or two ISDN services.
Analog line simulator or two telephone lines.
MODEMs.


31.4.3.3 Q: What is required of the routers?
IOS: 12.X.X preferred. 12.2.x preferred for ISDN PRI.
Feature set: IP only.
Memory: Enough to support IOS and feature set employed.
Serial ports: Two on each router. One router with four serial ports
is desirable. Support for async is desirable.
ISDN ports: Two routers with ISDN BRI. Two with ISDN PRI desirable,
but not necessary.
LAN ports: Ethernet or Token Ring. At least two with ethernet is
desirable.

31.4.3.4 Q: What additional equipment is required?
A: ISDN BRI simulator OR two ISDN services.
Analog line simulator OR two analog telephone lines.

31.4.3.5 Q: Where can I find configuration exercises?
A: BCRAN certification guides.

31.4.4 Q: What is required for the CIT Exam?
----------------------------------------------
31.4.4.1 Q: What is the critical element of the CIT exam?
A: To faultfind the configurations of the earlier exams.

31.4.4.2 Q: What is the hardware required?
A: The equipment from the previous three exams.
A freeware sniffer package would also be useful.

31.4.9 Q: What is a good lineup of equipment for the CCNP/DP?
A: At least three 2500 series, and a CatOS switch if you can get your
hands on one (they're pricey). (JRE)

31.5 What sort of Lab is required for the CCIE?
---------------------------------------------------
31.5.9 Q: What is a good lineup of equipment for the CCIE?
CCIE: Link to Cisco's CCIE Lab equipment list.
http://www.cisco.com/warp/public/62...routing.html#45
for Routing and Switching (JRE)

I would also suggest the link http://www.ccbootcamp.com/ccielab.htm
http://www.ccprep.com/
Look for Lab White papers (dmann)

31.7 Q: What would be a good lineup of equipment for a router lab?
----------------------------------------------------------------------
31.7.1 (J. R. Ford)
CCNA: 800 series is *okay* for the CCNA. 2500 series is better. One
will get you by, two is better. Although you need to learn the
material, buying a switch for CCNA is overkill.
CCNP: At least three 2500 series, and a CatOS switch if you can get
your hands on one (they're pricey).
CCIE: Link to Cisco's CCIE Lab equipment list.
http://www.cisco.com/warp/public/62...routing.html#45
for Routing and Switching (JRE)

I would also suggest the link http://www.ccbootcamp.com/ccielab.htm
http://www.ccprep.com/
Look for Lab White papers (dmann)

31.7.2 What would be a good lab?
----------------------------------
NB: the following is for discussion only.

31.7.2.1 Q: What routers are required?
1 Off 700 series router.
2 Off 2514 or equivalent (2501 would do, but 2514 better)
2 Off 2503 or equivalent (Could be token ring 2504)
1 Off 2520 or four serial port router.
1 Off 262x series router. (Replace 2520 series with a NM-4A/S module.)

Note: A 3600 series router would be a useful replacement for the 262x
series router if configured with a fast ethernet module, multiple serial
module, BRI and a PRI modules (3/4 modules, not all required
simultaneously). Cost is the main problem though!!!

31.7.2.2 Q: What switches are required?
1 Off switch 1900EN or 2900XL
1 Off switch 5000 series or 2900 series (Non-XL)

31.7.2.3 Q: What additional equipment is required?
A: Cisco serial crossover cables (or DCE/DTE pairs).
ISDN BRI line simulator (or two ISDN services).
Analog line simulator (or telephone lines).
For Ethernet:
Ethernet patch cables, crossover and straight through.
Miscellaneous hubs.
AUIs for routers without RJ45 connectors.
For Token ring:
MSAU to connect workstations/routers.
Media filters (9 pin "D" to shielded RJ45).
Cables.
Token Ring NICs.

31.8 Purchasing equipment
-----------------------------
31.8.1 Q: Where's the best place to buy cheap lab equipment?
A: IMO, start with eBay. (JRE)

31.9 General Questions
--------------------------
31.9.1 Q: What is the main requirement for CCNA/CCNP study?
A: The main requirement is for a router to use Cisco IOS. These are
800 series and above. The 7xx series do not use IOS and are not
useful. An IOS image that supports IPX might be useful, but IP may be
all right.

31.9.2 Q: Is token ring equipment useful?
A: Token ring equipment is cheap, particularly 2502, 2504, 2512
routers. Usefulness depends on application.

31.9.3 Q: What are useful models of equipment?
A: The most useful models are those with at least one synchronous
serial interface (805, 1005, 1601, 2501, 2503, 2514 etc).
Almost as useful are those with integral CSU/DSU, provided they are
obtained in pairs or an external CSU/DSU is obtained for use with a
router with a serial interface.

32.0 Router Basics
======================
As with all things Cisco there is much information available on the
Cisco connection online site. This includes hardware and software
manuals for many models of Cisco equipment, including some not
currently supported. This also includes wiring diagrams of Cisco
cables. With any router query, look on the Cisco site first.

32.1 Software
-----------------
32.1.1 Q: I have blown my software on my router - how do I get another
copy?
A: Cisco sells the operating software independent of the hardware.
Expect to be asked to purchase a new copy. Look to auction sites such
as eBay as an alternative. It is advised to back up the IOS to a TFTP
server before experimenting with it.

32.1.2 Q: The software feature I want is not supported on my router.
A: Cisco sells their operating software in various feature sets.
Check the software manual for your router to see if the features are
supported. Check eBay etc. to purchase an enhanced version if not.

32.2 Password Recovery
--------------------------
Q: I have lost/never had the password(s) for my router, how do I
recover from this situation?
A: Search CCO - www.cisco.com - for "password recovery" and the model
of equipment.

32.3 Terminals
------------------
32.3.1 Q: What do I require to connect my PC to the console port for
router configuration?
A: You require a computer with a free serial communications port, a
suitable RS232 cable and a suitable terminal program.
Quite a few routers and switches use a RJ45 rollover cable and an
appropriate adaptor (DB9/25) to connect the computer serial port to
the console port on the Cisco equipment.
It is not unknown for older equipment to use other cable standards.

32.3.2 Q: I find that I am unable to use the break key to interrupt
the router bootup sequence.
A: There is a well-known problem with various HyperTerminal
implementations not correctly implementing break. Download an update
from Hilgraeve, use Terminal from Windows 3.1 or search the web for an
alternative terminal emulator. You can download a number of
alternatives for free, e.g. Tera Term Pro.

32.4 Q: How do I connect two routers serial ports together.
---------------------------------------------------------------
32.4.1 Several third party cable manufacturers provide cables to
connect serial ports together with one cable. Usually they must have
the same connector on both pieces of equipment. Findable with a
websearch.

32.4.2 If a direct connection cable is not available, connect together
two cables for a WAN connection such as V.35, X.21. You require a DTE
and a DCE cable to suit the appropriate routers.

32.4.3 One cable end is DCE and a serial clock must be sourced from
that end. The other end is the DTE end and uses clocking from the DCE
end for data transfer. Use the clock rate command on the router DCE
port(s). (Internal strapping in the connector identifies to the router
whether the attached cable is DTE/DCE.)

32.4.4 CSU/DSU may be connected together using:-
http://www.isp-lists.isp-planet.com...7/msg01342.html

32.5 TFTP Servers
---------------------
Q: What is a good TFTP server?
A: There are various TFTP servers available on the Web. Cisco, 3Com
etc. offer them and there are several others. Solarwinds
<solarwinds.net> offer a multithreaded TFTP server as a demonstration.

32.6 Q: How do I find out what type of cable is connected to a serial
port?
-------------------------------------------------------------------------------
A: "show controllers serial x" will give the type of cable, DTE/DCE,
and the clock rate.

33.0 Switch Basics
======================
As with all things Cisco there is much information available on the
Cisco connection online site. This includes hardware and software
manuals for many models of Cisco equipment, including some not
currently supported. This also includes wiring diagrams of Cisco
cables. With any switch query, look on the Cisco site first.

33.1 Q: What versions of IOS are available?
<Help!!!>
33.2 Q: What are the advantages and disadvantages of IOS?
<Help!!!>
33.3
33.4

34.0 Internet Basics
========================
34.1 Subnet masks
---------------------
34.1.1 Q: What are subnet masks?
A: An IP address consists of a network portion and a host portion.
The routing process works on network addresses rather than host
addresses. Subnet masks are used to extract the network address from
an IP address.

34.1.2 Q: How are subnet masks represented?
A: Most subnet masks are a 32 bit binary number with bits to be
matched indicated as one or zero in the appropriate location.
These masks may be represented in any number system, but usually in
dotted decimal format, with each group of eight bits converted to the
equivalent decimal number and separated with a decimal point.

34.1.3 Q: What is a conventional all ones subnet mask?
A: The number 255.255.255.254 is an all ones mask - all bits to be
matched except the last.

34.1.4 Q: Are inverted subnet masks used?
A: Inverted masks are also used, where the bit zero is the bit to be
matched and the bit 1 is the bit to be ignored. Access lists and OSPF
use inverted masks. 0.0.0.1 - all bits are to be matched except the
last.

34.1.5 Q: What is the slash "/xx" notation?
A: This is a shorthand way of representing the number of network
address bits in the subnet mask. E.g. 192.168.9.65 /26 represents a
subnet mask of 255.255.255.192.
Caveat: Cisco use this differently in the router set up script when
booting with no configuration. There it represents the number of bits
in excess of the default address class mask. E.g. 192.168.1.0 /3 -> 8
subnets on a class "C" network, i.e. 255.255.255.224.
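The mask arithmetic of 34.1, worked on 32-bit integers so the binary view is visible. This is an added example and not part of the FAQ; the function names are assumptions, and the 192.168.9.65 /26 and 192.168.1.0 /3 values are the FAQ's own. It also covers the setup-script caveat, where "/n" counts bits beyond the classful default mask rather than total network bits.

```python
# Added example, not from the FAQ: subnet-mask arithmetic on 32-bit integers
# so the binary view in 34.1 is visible. All function names are assumptions.

def dotted_to_int(addr: str) -> int:
    """'192.168.9.65' -> 0xC0A80941, with a range check on each octet."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad dotted-decimal value: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(addr: str) -> str:
    """Four 8-bit groups, the form 35.2.12 recommends for working masks out."""
    value = dotted_to_int(addr)
    return ".".join(format((value >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix_len: int) -> str:
    """/xx -> dotted subnet mask (34.1.5): the top prefix_len bits are ones."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_dotted((0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF)


def mask_to_prefix(mask: str) -> int:
    """Dotted mask -> /xx; rejects masks whose ones are not contiguous."""
    value = dotted_to_int(mask)
    inverted = value ^ 0xFFFFFFFF
    if inverted & (inverted + 1):          # inverse must look like 0...01...1
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return bin(value).count("1")


def invert_mask(mask: str) -> str:
    """Subnet mask -> inverted (wildcard) mask (34.1.4): 0 = match, 1 = ignore."""
    return int_to_dotted(dotted_to_int(mask) ^ 0xFFFFFFFF)


def network_address(addr: str, mask: str) -> str:
    """Extract the network portion (34.1.1): address AND mask."""
    return int_to_dotted(dotted_to_int(addr) & dotted_to_int(mask))


def classful_prefix(addr: str) -> int:
    """Default class mask length from the first octet: A /8, B /16, C /24."""
    first = dotted_to_int(addr) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("class D/E addresses have no default mask")


def setup_script_mask(addr: str, extra_bits: int) -> str:
    """The setup-script caveat in 34.1.5: there '/n' means n bits in excess
    of the classful mask, so 192.168.1.0 /3 is 255.255.255.224."""
    return prefix_to_mask(classful_prefix(addr) + extra_bits)


if __name__ == "__main__":
    print(to_binary("192.168.9.65"), to_binary(prefix_to_mask(26)))
    print(network_address("192.168.9.65", prefix_to_mask(26)))   # 192.168.9.64
```

The contiguity check in mask_to_prefix is the distinction 35.2.11 draws later: a subnet mask must be a run of ones followed by zeros, so its inverse plus one has no bits in common with the inverse; an access-list wildcard is under no such constraint.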

34.2 CIDR and VLSM
----------------------
34.2.1 Q: What is CIDR?
A: CIDR is a suite of techniques that increase flexibility in the use
of IP addresses.

34.2.2 Q: Why is CIDR required?
A: With the shortage of IPv4 addresses, organisations are no longer
allocated IP addresses on the traditional address class boundaries.
For example, a block of 64 addresses from a class "B" ISP block may be
allocated to an organisation. That organisation's network address
consists of both IP address and subnet mask, both of which must be
sent in route updates.

34.2.3 Q: What is route aggregation/summarization?
A: To limit the number of routes required in internet routing tables,
aggregated addresses are used. The ISP providing the service may
advertise the /28 subnet mask of the above example as part of the
ISP's /16 (if lucky enough to have a whole /16 block).
This leads to the extensive use of variable length subnet masks.

34.2.4 Q: What happens if route aggregation/summarization is not
carried out correctly?
A: One or more networks may be unreachable.

34.2.5 Q: What is VLSM? (Variable Length Subnet Mask)
A: VLSM is required when the number of host addresses/networks are not
the same in all the subnets in a block of IP addresses.
It is used in association with an IP address to decide which network
an address belongs to.

34.2.6 Q: Can I use VLSM in my network?
A: VLSM is a technique which can be used by an organisation to
allocate IP addresses flexibly within its own networks.

34.2.7 Q: What is the advantage of using VLSM?
A: Classful address allocation requires a consistent subnet mask. VLSM
allows the address blocks to be sized to suit what the network is used
for. E.g. maximize available addresses in subnets which require a
large number of hosts and minimize addresses on WAN links (/30 mask).

34.2.8 Q: What do I require to use VLSM?
A: The choice of the appropriate routing protocol. RIP version 1 and
IGRP are "classful" and do not support VLSM. RIP version 2 and most
other modern routing protocols can be used.

34.2.9 Q: What is the difference between CIDR and VLSM?
A: Classless Inter-Domain Routing (CIDR) uses a number of techniques
to obtain flexibility in the allocation and use of IP address blocks.
VLSM is one technique used to achieve this objective.
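VLSM allocation and route summarization as described in 34.2, written as an added example that is not part of the FAQ. It carves subnets of different sizes from one block (largest requirement first, so each subnet lands on its own boundary), computes the single aggregate that covers a set of subnets, and reports which subnets an aggregate fails to cover, which is the failure 34.2.4 describes. The function names and the 192.168.10.0/24 sample plan are assumptions; it uses only the standard-library ipaddress module.

```python
# Added example, not from the FAQ: VLSM allocation and summarization with the
# standard-library ipaddress module. Names and the sample block are assumptions.
import ipaddress


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix that leaves room for hosts + 2 addresses (network and
    broadcast); a 2-host WAN link therefore gets the /30 of 34.2.7."""
    size, prefix = 2, 31
    while size < hosts + 2:
        size, prefix = size * 2, prefix - 1
    if prefix < 0:
        raise ValueError("more hosts than IPv4 can address")
    return prefix


def allocate_vlsm(block: str, requirements: list) -> dict:
    """Assign one subnet per (name, host_count) from block, largest first so
    each subnet starts on its own boundary. Raises if the block runs out."""
    free = [ipaddress.ip_network(block)]
    allocated = {}
    for name, hosts in sorted(requirements, key=lambda r: r[1], reverse=True):
        prefix = prefix_for_hosts(hosts)
        free.sort()                                   # lowest free range first
        for i, net in enumerate(free):
            if net.prefixlen <= prefix:               # big enough to hold it
                if net.prefixlen == prefix:
                    chosen = net
                else:
                    chosen = next(net.subnets(new_prefix=prefix))
                del free[i]
                if chosen != net:                     # keep the unused remainder
                    free.extend(net.address_exclude(chosen))
                allocated[name] = str(chosen)
                break
        else:
            raise ValueError(f"no room for {name} ({hosts} hosts) in {block}")
    return allocated


def summarize(subnets: list) -> str:
    """Shortest single prefix covering every subnet (34.2.3 aggregation)."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    first = min(int(n.network_address) for n in nets)
    last = max(int(n.broadcast_address) for n in nets)
    for prefix in range(32, -1, -1):
        candidate = ipaddress.ip_network((first, prefix), strict=False)
        if int(candidate.broadcast_address) >= last:
            return str(candidate)
    return "0.0.0.0/0"   # not reached: /0 covers everything


def not_covered(summary: str, subnets: list) -> list:
    """Subnets a summary advertisement leaves out; anyone relying on the
    summary cannot reach them (34.2.4)."""
    aggregate = ipaddress.ip_network(summary)
    return [s for s in subnets if not ipaddress.ip_network(s).subnet_of(aggregate)]


if __name__ == "__main__":
    plan = allocate_vlsm("192.168.10.0/24",
                         [("sales", 100), ("engineering", 50), ("wan-a", 2), ("wan-b", 2)])
    print(plan)
    print(summarize(list(plan.values())))   # 192.168.10.0/24
```

The summary is only correct if it is also exclusive: summarize() returns the smallest prefix that covers the inputs, but that prefix may also cover address space that belongs elsewhere, so check not_covered() in the other direction too (that nothing outside the site falls inside the aggregate) before advertising it.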

34.3 Q: Which are the unallocated IP address blocks?
--------------------------------------------------------
There are several unusable address blocks:
0.0.0.0 - Has the meaning "this network". (If you see this in a
routing table, it indicates a default route.)
127.0.0.0 - Loopback (typically 127.0.0.1).
255.255.255.255 - Broadcast; not allowed for general propagation.
Used by DHCP to find the address server.

The following may also not be useable:-
128.0.0.0 - 128.0.255.255 (One Class "B") (First class "B")
191.255.0.0 - 191.255.255.255 (One Class "B") (Last class "B")
192.0.0.0 - 192.0.0.255 (One Class "C") (First class "C")
223.255.255.0 - 223.255.255.255 (One Class "C") (Last class "C")

The following are known as the rfc 1918 addresses and are reserved for
private use, and are not to be forwarded outside the organisation using
them without translation to a proper assigned address.
10.0.0.0 - 1 Class "A" block (End 10.255.255.255)
172.16.0.0 - 16 Class "B" address blocks (End 172.31.255.255)
192.168.0.0 - 256 Class "C" address blocks (End 192.168.255.255)

The following allocation may not be covered by an RFC:
169.254.0.0 - 169.254.255.255 - Reserved by IANA for Automatic Private
IP Addressing. As a result, Automatic Private IP Addressing provides
an address that is guaranteed not to conflict with routable addresses.
(Win 2K) For use on Windows boxes if an address cannot be obtained via
DHCP. Apple Macintosh computers may also use this address range.

34.4 Q: Which rfc 1918 address block should I use?
------------------------------------------------------
A: rfc 1918 recommends using the 10 block as it is the most scalable
when adding many subnets. If you do not wish to subnet, the 172 and
the 192 block can be used. Refer rfc 1918.
Effectively the 172 and 192 blocks are pre-subnetted (14/254
networks).

35.0 Access Lists
=====================
35.1 What are access lists and why should I care?
-----------------------------------------------------
35.1.1 Q: What are access lists and why should I care?
A: Access lists are a means of controlling traffic flow within a
network of Cisco routers.
Once a network is established and traffic is flowing, it is found
desirable to control what traffic is flowing and its ultimate
destination.
Access lists offer basic security along with traffic control.

35.2 Access list basics
---------------------------
35.2.1 Q: What types of access lists are there?
A: The two basic types of access list are Standard and Extended.

35.2.2 Q: What is the form of a Standard access list?
A: access-list [number] [permit|deny] [source address] [wildcard mask]

35.2.3 Q: What does a standard access list block?
A: A standard access list permits or denies all traffic from the
address(es) specified in the statement.

35.2.4 Q: What is a typical use of a standard access list?
A: Where it is desirable to

35.2.5 Q: What is the form of an Extended access list?
A: access-list [number] [permit|deny] [protocol] [source address] [wildcard mask]
--> [destination address] [wildcard mask] [port]

35.2.6 Q: What does an extended access list block?
A: As little or as much as is specified in the access list statement.

35.2.7 Q: Can Standard and Extended access lists be mixed?
A: Both types can be mixed.

35.2.8 Q: How many access lists can I have?
A: One per interface, per protocol, per direction.

35.2.9 Q: What is the mask?
A: The mask allows either a single address or a group of addresses to
be combined in an access-list statement.

35.2.10 Q: What are the components of the mask?
A: The mask is an inverse mask, where 0 requires a match and 1
represents a don't care.

35.2.11 Q: What is the difference between the network mask and the
access-list mask?
A: The network mask requires the subnet bits to be used in order from
right to left. The wildcard mask allows any bit to be used,
irrespective of bit order.

35.2.12 Q: What is the best way to derive the mask?
A: The best way is to convert the addresses to binary and derive the
mask from there. Binary representation of the numbers will give a
better appreciation of the numbers being operated on.

"If you start from a false assumption, you may end up at a strange
destination"

35.2.14 Q: What are words with special meaning in access lists?
A: < host > has the meaning of mask 0.0.0.0 applied to the address
supplied.
< any > has the meaning of any address.
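Deriving a wildcard mask the way 35.2.12 suggests, from the binary form of the addresses, as an added example that is not part of the FAQ. A bit that differs between any two of the listed addresses becomes a 1 (don't care, 35.2.10) and the bits they all share stay 0; the block also checks the point in 35.2.11 that a wildcard, unlike a subnet mask, need not be a contiguous run of bits, and renders the special cases with the host and any keywords of 35.2.14. Function names and the sample address sets are assumptions.

```python
# Added example, not from the FAQ: derive an access-list wildcard mask from a
# set of addresses by comparing their bits (35.2.12). Names are assumptions.

def dotted_to_int(addr: str) -> int:
    a, b, c, d = (int(o) for o in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def to_binary(addr: str) -> str:
    return ".".join(format((dotted_to_int(addr) >> s) & 0xFF, "08b") for s in (24, 16, 8, 0))


def wildcard_for(addresses: list) -> tuple:
    """Return (base, wildcard) covering every address: a bit that differs
    between any two addresses becomes 1 (don't care); bits common to all
    stay 0 (must match). base keeps only the common bits."""
    values = [dotted_to_int(a) for a in addresses]
    wildcard = 0
    for v in values:
        wildcard |= v ^ values[0]
    base = values[0] & ~wildcard & 0xFFFFFFFF
    return int_to_dotted(base), int_to_dotted(wildcard)


def matches(addr: str, base: str, wildcard: str) -> bool:
    """The router's test: address and base agree on every 0 bit of the mask."""
    diff = dotted_to_int(addr) ^ dotted_to_int(base)
    return (diff & ~dotted_to_int(wildcard) & 0xFFFFFFFF) == 0


def covered_count(wildcard: str) -> int:
    """How many addresses the mask admits: 2 ** (number of don't-care bits).
    If this exceeds the number of addresses you listed, the statement
    matches addresses you did not list."""
    return 1 << bin(dotted_to_int(wildcard)).count("1")


def is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is the inverse of a valid subnet mask, i.e. a
    run of zeros then a run of ones. A subnet mask must satisfy this
    (35.2.11); an access-list wildcard need not."""
    w = dotted_to_int(wildcard)
    return (w & (w + 1)) == 0


def keyword_form(base: str, wildcard: str) -> str:
    """Render with the words of 35.2.14 where they apply."""
    if wildcard == "0.0.0.0":
        return f"host {base}"
    if wildcard == "255.255.255.255":
        return "any"
    return f"{base} {wildcard}"


if __name__ == "__main__":
    # Constructed sample: the even-numbered /24 network addresses in 192.168.0.0/21.
    evens = ["192.168.0.0", "192.168.2.0", "192.168.4.0", "192.168.6.0"]
    base, wc = wildcard_for(evens)
    print(keyword_form(base, wc), to_binary(wc), is_contiguous(wc), covered_count(wc))
```

For the even /24s the result is 192.168.0.0 0.0.6.0, a mask no subnet could express: bits 1 and 2 of the third octet are don't care while bit 0 must be zero. Note that it matches only the four network addresses; to match every host in those networks, OR the wildcard with 0.0.0.255, and covered_count() will rise to 1024 accordingly.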

35.3 How do I apply access lists to an interface?
-----------------------------------------------------
35.3.1 Q: How do I apply access lists to an Interface?
A: Access lists are applied to a selected interface using the
access-group statement, entered in interface configuration mode:
(config-if)# ip access-group [number] [in|out]

35.4 Where do I apply access lists?
---------------------------------------
35.4.1 Q: Where should I apply a standard access list?
A: A standard access list filters on source address only and should
be applied at a destination.

35.4.2 Q: Where should I apply an extended access list?
A: An extended access list can use both source and destination
address, protocol and port to filter, and can be placed at the source.

35.4.3 Q: I am in the real world; how does this differ?
A: In the real world you are faced with the problem that you do not
have full control over source and destination. The type of access list
and where it is placed will depend on a number of factors including
physical location, security, maintainability, traffic generated and
company policy.

35.5 How are access lists evaluated?
----------------------------------------
35.5.1 Q: How are access lists evaluated?
A: Access lists are evaluated sequentially from top to bottom. The
packet is tested against the access list statements until a match is
made and the action specified in the statement is performed. Once a
match is made, no tests are made against the remaining statements.

35.5.2 Q: What happens when processing reaches the bottom of the list?
A: If testing reaches the bottom of the list and a match has not been
made, there is an implicit deny all which causes the packet to be
rejected.

35.5.2.1 Q: How else could you describe this?
A: Once a valid access list is applied to an interface, all traffic
which is not permitted by an access list statement is denied.

35.5.3 Q: What effect does an access list have on router performance?
A: An access list can slow down the switching of packets within a
router.

35.5.4 Q: How can this be minimised?
A: The placement of access list statements is important. Statements
which affect large amounts of traffic should be placed towards the top
of the access list.

35.5.5 Q: How is the order of access list statements set?
A: The statements are evaluated in the order that they are entered
from the console.

35.5.6 Q: How can I change the order that access list statements are
evaluated?
A: This requires the deletion of the old access list statements and
re-entering of the access-list statements in the new order.

35.5.7 Q: Is there a short cut to this process?
A: The process is:-
o Perform a "show running-config" command on the router.
o Locate the required access list statements in the terminal program
buffer.
o Copy those statements to notepad or a text editor.
o Eliminate the access list statements from the router configuration.
o Re-order the access list statements in notepad.
o Copy the access list statements from notepad.
o Paste the access list statements back to the terminal program.

35.5.8 Q: What happens if you do not eliminate the old access list
statements?
A: The new access list statements are added to the bottom of the old
access list statements.

36.0 Links
==============
36.1 Cisco Links
---------------------
RFCs ftp://ftpeng.cisco.com/fred/rfc-index/rfc.html

Configuration Fundamentals Command Reference (11.3)
http://www.cisco.com/univercd/cc/td.../113ed_cr/fun_r
/index.htm (watch line wrap)

Internetwork Design Guide
http://www.cisco.com/univercd/cc/td.../idg4/index.htm

Internetwork Case studies
http://www.cisco.com/univercd/cc/td...k/ics/index.htm

Internetwork technology Overview
http://www.cisco.com/univercd/cc/td...o_doc/index.htm

Sniffing FAQ
http://www.robertgraham.com/pubs/sniffing-faq.html

IANA Home Page
http://www.iana.org/

IETF Home Page
http://www.ietf.org/


I have no objection to this FAQ being posted on other sites, I only ask
that the claim of copyright not be deleted, the FAQ be posted in its
entirety and that it be updated as this FAQ is updated.

>>>---- End Of Part 3 of 3 ---<<<



Posted 03-27-03 12:24 PM (all times are GMT)