Study Guide
By default, port security allows only one MAC address per interface and shuts the port down on a violation.
Change the limit using switchport port-security maximum [1-132]
To change the violation action, use switchport port-security violation
Note: To automatically add the MAC address of the first frame sent on the port, use:
switchport port-security mac-address sticky
MaxAge: How long any bridge should wait, after it stops hearing hellos, before trying to change the STP topology. Default is 20 seconds.
Forward Delay: Delay that affects the time involved when an interface changes from blocking state to forwarding state.
Order: Blocking -> Listening -> Learning -> Forwarding
EtherChannel: Provides a way to avoid STP convergence when only a single port/cable failure occurs. Combines 2-8 parallel Ethernet trunks between the same pair of switches, which STP treats as a single link. Also provides more bandwidth.
*Both links to the same switch must fail before a switch needs STP convergence*
PortFast: Allows a switch to place a port in forwarding state immediately when the port becomes physically active (only safe when the attached device is not a bridge/switch). Used for end-user devices.
Cisco's BPDU Guard feature, if enabled, tells the switch to disable PortFast ports if a BPDU is received on them.
RSTP assigns forwarding/blocking port roles the same way as STP. RSTP can be used alongside 802.1d STP (for switches that support RSTP). The main reason to use RSTP is to overcome STP's convergence time (default of 50 seconds).
RSTP Convergence
Edge-Type: RSTP immediately places Edge-Type ports into forwarding state (just like PortFast).
Link-Type Point-to-Point: RSTP recognizes lost hellos much faster than STP (3 times the hello timer, a default of 6 seconds).
  o Also removes the need for the listening state
  o Reduces time spent in the learning state by actively negotiating the new state with neighboring switches (Proposal and Agreement messages)
Command - Description
spanning-tree vlan [vlan #] root - Global config command that makes this switch the root switch. Priority is set to 24,576 or 100 less than the current root bridge.
spanning-tree vlan [vlan ID] {priority} - Global config command that changes the bridge priority for the specified VLAN
spanning-tree cost [cost] - Interface subcommand that changes the STP cost to the specified value
channel-group {channel-group number} mode {auto | desirable | on} - Enables EtherChannel on this interface
show spanning-tree - EXEC command that displays STP state for the switch/each port
show spanning-tree [interface] - Displays STP state for the specified interface
show spanning-tree vlan [vlan-id] - Lists STP information for the specified VLAN
debug spanning-tree - Causes the switch to provide informational messages about changes in the STP topology
show etherchannel [channel-group #] {brief | detail | port | port-channel | summary} - Lists information about the state of EtherChannel on the switch
ISL supports multiple spanning trees using Per-VLAN Spanning Tree (PVST+).
Cisco's PVST+ allows multiple STP instances over 802.1q trunks.
802.1s: IEEE's newer specification that adds to the 802.1q specification, allowing multiple spanning trees.
Native VLAN: 802.1q defines one VLAN on each trunk (by default, VLAN 1) whose frames are not encapsulated (tagged). When the receiving switch receives a frame that is not encapsulated, it assumes the frame belongs to the native VLAN.
ISL does not use a concept like this; all frames have an ISL header.
VLAN Trunking Protocol (VTP): Cisco proprietary Layer 2 protocol that broadcasts switch VLAN configuration information. Configure settings on one switch, and all other switches learn the VLAN settings dynamically.
Broadcasts include:
- Configuration revision number (each time a switch modifies its config, it increments the number by 1). When a switch receives a broadcast with a larger revision number, it updates its config.
- VLAN names/numbers
- Info about which switches have ports assigned to which VLAN
VTP Pruning: Since switches usually don't have interfaces in every VLAN in the network, bandwidth is usually wasted sending those broadcasts. VTP pruning allows switches to prevent broadcasts and unknown unicasts from going to switches with no interfaces in those VLANs.
A broadcast is only flooded toward switches with ports in the given VLAN.
switchport trunk {{allowed vlan vlan-list} | {native vlan vlan-id} | {pruning vlan vlan-list}} - Refines the list of allowed VLANs, defines the 802.1Q native VLAN, and limits the range of VLANs for which pruning can occur.
show vlan [brief | id vlan-id | name vlan-name | summary] - EXEC command that lists information about the VLAN.
show spanning-tree vlan vlan-id - EXEC command that lists information about the spanning tree for a particular VLAN.
*To configure multiple interfaces simultaneously for the same VLAN, use these steps:
vlan database
vlan 1 name test1
exit (applies the update and increments the revision number; if abort is used, no changes are saved)
config t
interface range [fastEthernet 0/1 – 5]
switchport mode access (trunking negotiations disabled, ports are access ports)
switchport access vlan 1
exit
show vlan brief (to verify updates, VLAN name, status, and ports)
-or-
show vlan id 1
Mode - Description - Trunks to
trunk - Configures the port in permanent trunk mode. Always tries to trunk. - Switches in any state
dynamic desirable - The port negotiates to a trunk port if the connected device is in the trunk, dynamic desirable, or dynamic auto state. Otherwise, the port becomes a nontrunk port. - Switches set to the trunk, dynamic desirable, or dynamic auto state
dynamic auto - Lets a port become a trunk only if the connected device is in the dynamic desirable or trunk state. - Switches set to the trunk or dynamic desirable state
Extended Ping Command: Simulates a ping from an Ethernet host, but the ping actually comes from the router itself. When a ping from the router works but a ping from a host does not, the extended ping can help you re-create the problem without needing to work with the end user on the phone.
1. ping
2. Target address (IP)
3. Extended commands = y
4. Source address (IP)
Distance vector protocols advertise the entire routing table (subnet number and metric) to directly connected neighbors.
Key points:
If a router learns multiple routes to the same subnet, it chooses the best route based on the metric (number of hops).
Failure to receive updates for a route after a set amount of time results in removal of that route.
Routers add directly connected subnets to their routing tables, even without a routing protocol.
Route Poisoning: A router notices a link is down, continues to advertise the route, but with a very large metric (viewed as infinite and invalid). Other routers remove their routes to the downed subnet.
RIP uses 16 as the infinite metric.
Split Horizon: If two routers advertise their tables at about the same time, with one link down, they would continually exchange incorrect routing metrics (counting to infinity). Split horizon doesn't allow this: routes with outgoing interface x are not included in updates sent out that same interface x.
In other words, if the route to a subnet comes in through interface 1, don't send an update for the same route out interface 1.
Ex) Router A's Ethernet goes down, so it sets the metric to 16 and sends an update to its neighbor. At the same time, Router B sends an update to Router A using the old metric, saying the cost is 2. Now Router A = 2, Router B = 16. After some time, the two routers exchange routing tables again and in turn swap the metrics. This process would repeat indefinitely.
Split Horizon with Poison Reverse (or Poison Reverse): Cisco's proprietary distance vector routing protocols use this by default. Split horizon is used while the network link is up, but when the link fails, the router is allowed to advertise the infinite metric out every interface (including the interface that split horizon previously blocked).
Issue - Solution
Multiple routes to the same subnet have equal metrics - Either use the first route learned or put multiple routes to the same subnet in the routing table.
Routing loops occur due to updates passing each other over a single link - Split horizon: the routing protocol advertises routes out an interface only if they were not learned from updates entering that interface. Split horizon with poison reverse: the routing protocol uses split-horizon rules unless a route fails. In that case, the route is advertised out all interfaces, including the interface in which the route was learned, but with an infinite-distance metric.
Routing loops occur because routing information loops through alternative paths - Route poisoning: when a route to a subnet fails, the subnet is advertised with an infinite-distance metric. This term specifically applies to routes that are advertised when the route is valid. Poison reverse refers to routes that normally are not advertised because of split horizon but that are advertised with an infinite metric when the route fails.
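The split horizon, route poisoning and poison reverse behaviour described above, as an added Python example that is not part of the study guide. The routing table, interface names and the two-router scenario are constructed sample data; the hop-count metric and 16 as infinity follow RIP as the guide states them. The simulation replays the guide's Router A / Router B example under each policy and counts how many update exchanges it takes before both routers agree the subnet is unreachable.

```python
# Added example (not from the study guide): how a distance vector router builds
# the update it sends out one interface, and why split horizon stops the two
# routers in the guide's example from counting to infinity.
# Routing tables and interface names below are constructed sample data.
INFINITY = 16  # RIP treats a metric of 16 as unreachable

# Constructed routing table: subnet -> (hop-count metric, interface the route
# was learned through / points out of)
ROUTES = {
    "10.1.1.0/24": (1, "eth0"),
    "10.1.2.0/24": (2, "eth0"),
    "10.1.3.0/24": (1, "ser0"),
}


def build_update(routes, out_iface, policy="split-horizon"):
    """Return {subnet: advertised metric} for the update sent out `out_iface`.

    policy is one of:
      "none"           - advertise everything (no loop protection)
      "split-horizon"  - never send a route back out the interface it came from
      "poison-reverse" - like split horizon, but a failed (infinite) route is
                         sent out every interface, the learned one included
    A route whose stored metric is INFINITY is a poisoned route: the router
    keeps advertising it, but as unreachable, so neighbours drop it.
    """
    update = {}
    for subnet, (metric, via) in routes.items():
        if via == out_iface and policy != "none":
            if policy == "poison-reverse" and metric >= INFINITY:
                update[subnet] = INFINITY
            continue
        update[subnet] = min(metric + 1, INFINITY)  # one more hop for the receiver
    return update


def receive(table, update, in_iface):
    """Bellman-Ford acceptance used by distance vector protocols: take a route
    if it is better, or if it comes from the neighbour we already route through
    (even when it is worse, which is what makes counting to infinity possible)."""
    for subnet, metric in update.items():
        metric = min(metric, INFINITY)
        current = table.get(subnet)
        if current is None or metric < current[0] or current[1] == in_iface:
            table[subnet] = (metric, in_iface)


def rounds_to_converge(policy, max_rounds=50):
    """The guide's scenario: Router A's Ethernet subnet fails (A poisons it to
    16) while Router B still advertises the old metric back over the A-B link.
    Both routers send their updates at the same time each round. Returns the
    number of rounds until both tables show the subnet as unreachable."""
    subnet = "10.1.1.0/24"
    a = {subnet: (INFINITY, "eth0")}  # A: directly connected via eth0, now down
    b = {subnet: (2, "ab")}           # B: learned from A over link "ab"
    for n in range(1, max_rounds + 1):
        a_to_b = build_update(a, "ab", policy)
        b_to_a = build_update(b, "ab", policy)
        receive(b, a_to_b, "ab")
        receive(a, b_to_a, "ab")
        if a[subnet][0] >= INFINITY and b[subnet][0] >= INFINITY:
            return n
    return None  # never converged within max_rounds
```

Without split horizon the simulation needs 14 exchange rounds, with the metric climbing one hop per round until it reaches 16; with split horizon or poison reverse it converges in the first round, because B never echoes A's own route back over the link it arrived on.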
EXEC Commands
show ip route - Shows the entire routing table, or a subset if parameters are entered.
debug ip igrp transactions [ip address] - Issues log messages with details of the IGRP updates.
debug ip igrp events [ip address] - Issues log messages for each IGRP packet.
RIP Configuration
router rip
network [network address1]    (use the network number, i.e. the address with its normal classful mask)
network [network address2]
show running-config
IGRP Configuration
router igrp [as number]    (Note: all routers should use the same AS number)
network [network address1]
network [network address2]
show running-config    (I = route learned by IGRP, C = directly connected)
Bandwidth Defaults
LAN interfaces: default reflects the correct bandwidth
Serial interfaces: default to 1544 kbps (T1 speed)
Configure using the bandwidth [kbps] interface command
Additional Notes
- If multiple routes exist, the router chooses the route with the best metric
- If routes tie, the router keeps the first/pre-existing route
  Command: maximum-paths 1 (default is maximum-paths 4), valid range = 1-6
- When RIP places multiple routes in the routing table, the router balances traffic across them
  Command to use only the lowest-cost route: traffic-share min
Convergence time becomes almost instantaneous
Example: metric = 100, variance = 2. If value > (lowest metric * variance), add route
Link state protocols advertise a large amount of topological information about the network (what the metric is for every link in the network).
Routers must calculate the metric themselves (using the Shortest Path First algorithm).
3. Each router places the learned topology information in its topology database.
4. Each router then runs the SPF algorithm against its own topology database to calculate the best routes to each subnet in the database.
5. Each router finally places the best route to each subnet in the IP routing table.
OSPF Topology Database: Consists of a list of subnet numbers (links) and a list of routers (and the links they are connected to).
Each router is uniquely identified in this database using its OSPF Router ID (RID).
Each router chooses its RID when OSPF is initialized (during the initial loading of IOS). If other interfaces come up after this, they are not used unless clear ip ospf process is issued.
  o To confirm that a Hello packet was received, the next Hello message will include the sender's RID within its list of neighbors.
  Once a router sees its own RID included, the two-way state is achieved, and more detailed information can be exchanged.
Sometimes Designated Routers (DR) are required before Database Description (DD) packets can be sent.
A DR is always required on a LAN.
Sometimes required with Frame Relay/ATM (depending on topology/config).
After the DR is elected, all updates flow through the Designated Router (DR). This means that the DR collects and distributes the routing updates to alleviate OSPF update congestion.
** Since DRs are so important, the loss of one could delay convergence, so a Backup DR (BDR) is also needed. **
To elect, neighboring routers hold an election and look at two fields in the Hello packet:
The router that sends the highest OSPF priority becomes DR.
If there is a tie, the highest RID wins.
Other notes:
A priority setting of 0 means the router will never be DR.
The range of valid priority values is 1-255 (to become a DR).
If a DR is elected and another router then comes online with a higher priority, this router will not become DR until both the DR and BDR fail.
Steady-State Operation: If a Hello is not received for the [dead interval] amount of time, the router believes the neighbor has failed.
The default dead timer is 4 times the hello interval (10 second hello, 40 second dead timer).
The router marks the neighbor as "down" in its neighbor table.
It runs the Dijkstra algorithm to calculate new routes and floods an update to inform other routers of the failed link.
Loop Avoidance: Link state does not rely on the SPF algorithm for this, but rather on the router broadcasting the downed link immediately. This is the main reason for the fast convergence time (distance vector uses hold timers, split horizon, etc., while link state does not).
Scaling OSPF: If network has many routers (~50 or more, a few hundred subnets),
would result in:
EIGRP has some features that act like distance vector protocols, and some that act like link-state protocols.
Similarities: Both Cisco proprietary; same logic for equal-cost paths.
Differences: EIGRP converges faster; EIGRP sends routing info once to a neighbor, then again only when an update occurs.
EIGRP Processes and Tables: Follows three general steps to be able to add routes to the routing table:
1. EIGRP neighbor table: Routers discover other EIGRP routers attached to the same subnet, form a neighbor relationship, and keep a list in this table.
   a. show ip eigrp neighbor
** EIGRP could have up to 9 tables, since it supports IP, IPX, and AppleTalk **
Hello Messages: Used to perform neighbor discovery, and sent continually to notice when connectivity has failed.
The hello interval determines how frequently it is sent:
LANs/point-to-point connections = 5 seconds
Multipoint WANs like Frame Relay = 60 seconds
Feasible Successors are kept in the topology table, and are placed there when the neighbor has a lower metric for its route.
Diffusing Update Algorithm (DUAL) is used in the query and reply process when both the successor and feasible successor fail. The router sends a query to confirm a route exists, and the reply verifies the route.
IP Configuration Commands
Single area:
router ospf 1
network 10.0.0.0 0.255.255.255 area 0
Multiple areas:
router ospf 1
network 10.1.1.1 0.0.0.0 area 0
network 10.1.4.1 0.0.0.0 area 1
network 10.1.6.1 0.0.0.0 area 0
Useful Commands
show ip ospf interface - Details IP address, area #, Router ID, Hello/Dead interval, etc. for all interfaces
show ip route - Shows all routes known by the router (C = connected, O = OSPF)
Remember that the RID is that router’s highest IP address on a physical interface when
OSPF starts running. Alternatively, if a loopback interface has been configured, OSPF
uses the highest IP address on a loopback interface for the RID, even if that IP address is
lower than some physical interface’s IP address.
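The RID selection rule just stated and the DR/BDR election rules from the earlier OSPF section, as an added Python example that is not part of the study guide. Interface addresses, RIDs and priorities are constructed sample data; the one behaviour the guide does not spell out (an empty BDR seat being filled when a router joins) is marked as an assumption in the code.

```python
# Added example (not from the study guide): OSPF Router ID selection and the
# DR/BDR election rules as the guide describes them. All interface addresses,
# RIDs and priorities are constructed sample data.
import ipaddress


def ip_value(addr):
    """Numeric value of a dotted-decimal address, for 'highest IP' comparisons."""
    return int(ipaddress.ip_address(addr))


def choose_rid(interfaces):
    """interfaces: list of (name, ip, is_loopback).
    The highest IP on a loopback wins if any loopback exists; otherwise the
    highest IP on a physical interface is used."""
    loopbacks = [ip for _, ip, is_lo in interfaces if is_lo]
    physical = [ip for _, ip, is_lo in interfaces if not is_lo]
    candidates = loopbacks or physical
    if not candidates:
        raise ValueError("no addressed interface to derive a RID from")
    return max(candidates, key=ip_value)


def elect_dr_bdr(routers):
    """routers: dict RID -> OSPF priority. Returns (DR, BDR).
    Priority 0 means never eligible; the highest priority wins and a tie
    goes to the highest RID."""
    ranked = sorted(
        ((prio, ip_value(rid), rid) for rid, prio in routers.items() if prio > 0),
        reverse=True,
    )
    dr = ranked[0][2] if ranked else None
    bdr = ranked[1][2] if len(ranked) > 1 else None
    return dr, bdr


class Segment:
    """DR/BDR state on one multi-access segment. The election is not
    pre-emptive: a router that joins later with a higher priority does not
    take over until both the current DR and BDR have failed."""

    def __init__(self, routers):
        self.routers = dict(routers)
        self.dr, self.bdr = elect_dr_bdr(self.routers)

    def join(self, rid, priority):
        self.routers[rid] = priority
        if self.dr is None:
            self.dr, self.bdr = elect_dr_bdr(self.routers)
        elif self.bdr is None:
            # Assumption beyond the guide's text: an empty BDR seat is filled
            # by the best remaining eligible router.
            self.bdr, _ = elect_dr_bdr(self._others())

    def fail(self, rid):
        self.routers.pop(rid, None)
        if rid == self.dr:
            self.dr, self.bdr = self.bdr, None  # the BDR is promoted to DR
        elif rid == self.bdr:
            self.bdr = None
        if self.dr is None:
            self.dr, self.bdr = elect_dr_bdr(self.routers)
        elif self.bdr is None:
            self.bdr, _ = elect_dr_bdr(self._others())

    def _others(self):
        return {r: p for r, p in self.routers.items() if r != self.dr}
```

The Segment class is what makes the "comes online later with a higher priority" case visible: a router joining with priority 255 stays a plain neighbor until the DR fails (it then becomes BDR) and only becomes DR once that second DR fails too.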
OSPF Troubleshooting
View neighbors: show ip ospf neighbor (output doesn't show neighbors)
Run debugging: debug ip ospf hello (output shows mismatched Hello interval)
EIGRP Configuration
(figure showing routers R1, R2 and R3 not reproduced)
Route Summarization reduces the size of routing tables while maintaining routes to all destinations in the network. It also improves convergence time (changes inside the summarized range no longer have to be announced).
VLSM means that more than one subnet mask value is used.
Many networks use mask 255.255.255.252 for serial point-to-point links.
On LAN subnets, a mask of 255.255.255.0 could be used as well.
VLSM is required in order to summarize routes.
configure terminal
interface serial0/0
ip summary-address eigrp 1 [address] [subnet mask]
Example:
10.2.1.0 = 0000 1010 0000 0010 0000 0001 0000 0000
10.2.2.0 = 0000 1010 0000 0010 0000 0010 0000 0000
10.2.3.0 = 0000 1010 0000 0010 0000 0011 0000 0000
10.2.4.0 = 0000 1010 0000 0010 0000 0100 0000 0000
Set the bits that are identical in every address (the first 21 bits here) to 1, set all remaining bits to 0, and use that as your mask: 255.255.248.0
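The summarization worked above, as an added Python example that is not part of the study guide: it finds the bits the four networks share, derives the mask, and builds the ip summary-address eigrp line. The /24 length on each subnet is an assumption (the guide says LAN subnets use 255.255.255.0); the AS number 1 is the guide's.

```python
# Added example (not from the study guide): computing a summary route for the
# guide's four subnets by finding the bits they have in common, and emitting
# the EIGRP summary command. The /24 length on the subnets is assumed, as the
# guide says LAN subnets use 255.255.255.0; the AS number 1 is the guide's.
import ipaddress


def to_binary(addr):
    """Dotted-binary form like the guide's table, one octet per group."""
    return " ".join(f"{octet:08b}" for octet in ipaddress.ip_address(addr).packed)


def summarize(subnets):
    """Return (summary network, dotted mask, prefix length) that covers every
    address of every subnet given (e.g. "10.2.1.0/24")."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    first = int(nets[0].network_address)
    # OR together the XOR of every address boundary with the first network:
    # a 1 bit marks a position where some subnet differs
    differing = 0
    for net in nets:
        differing |= first ^ int(net.network_address)
        differing |= first ^ int(net.broadcast_address)
    # everything above the highest differing bit is common: that is the mask
    prefix = 32 - differing.bit_length()
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    network = first & mask
    return (str(ipaddress.ip_address(network)),
            str(ipaddress.ip_address(mask)),
            prefix)


def eigrp_summary_command(as_number, subnets):
    """The 'ip summary-address eigrp' line for the computed summary."""
    network, mask, _ = summarize(subnets)
    return f"ip summary-address eigrp {as_number} {network} {mask}"


# The guide's example subnets, with the assumed /24 length
GUIDE_SUBNETS = ["10.2.1.0/24", "10.2.2.0/24", "10.2.3.0/24", "10.2.4.0/24"]
```

Including each subnet's broadcast address in the comparison is what keeps the summary from becoming longer than the original subnets: a single 10.2.1.0/24 summarizes to itself (/24), not to a /32 of its network address.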
Autosummarization: In classful routing, uses a static-length mask (the traditional Class A, B, and C masks).
RIP and IGRP perform this by default (can't be disabled).
In RIPv2 and EIGRP, it can be either enabled or disabled.
Contiguous Network: A single Class A, B, or C network for which all routes to subnets of that network pass only through other subnets of that same single network.
Discontiguous Network: A network in which routes to at least one subnet pass through a subnet of a different network.
The lower 48 states are contiguous because you can drive to any point without needing to go through another country (subnet/network).
To get from Alaska to one of the lower 48 states, you must go through Canada (a separate network), so it is discontiguous.
Default Routes are best when only a single path exists to a part of the network.
Also called the Gateway of Last Resort.
Configure:
ip route 0.0.0.0 0.0.0.0 [IP address of next hop]
-or-
ip default-network [address]
Classful Logic
Match the classful network in the routing table
Look up the specific subnet
If it exists, forward; otherwise, discard
Classless Logic
Look up the specific subnet
If it exists, forward; otherwise, send to the default gateway
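The classful and classless lookups above, as an added Python example that is not part of the study guide, run against a constructed routing table with a default route. One rule in the code goes beyond the guide's text: under classful logic, when no subnet of the destination's classful network is known at all, the default route is still used (that is how IOS behaves with no ip classless); the guide only covers the case where the network is known but the subnet is not.

```python
# Added example (not from the study guide): the classful and classless
# forwarding logic above, applied to a constructed routing table. The rule that
# classful logic still uses the default route when no subnet of the
# destination's classful network is known at all comes from IOS
# 'no ip classless' behaviour, not from the guide's text.
import ipaddress


def classful_network(addr):
    """The traditional Class A/B/C network that contains `addr`."""
    first_octet = int(ipaddress.ip_address(addr)) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError("class D/E addresses have no classful network")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def lookup(routing_table, default_next_hop, dest, classless=True):
    """routing_table: dict "subnet/prefix" -> next hop.
    Returns the next hop to forward to, or None when the packet is discarded."""
    dest_ip = ipaddress.ip_address(dest)
    matches = [
        (ipaddress.ip_network(subnet), next_hop)
        for subnet, next_hop in routing_table.items()
        if dest_ip in ipaddress.ip_network(subnet)
    ]
    if matches:
        # most specific (longest prefix) subnet wins
        return max(matches, key=lambda m: m[0].prefixlen)[1]
    if classless:
        # classless: no specific subnet, so fall back to the default route
        return default_next_hop
    # classful: if any subnet of the destination's classful network is known,
    # the missing subnet means "does not exist" and the packet is discarded
    network = classful_network(dest)
    if any(ipaddress.ip_network(s).subnet_of(network) for s in routing_table):
        return None
    return default_next_hop


# Constructed sample table: two subnets of 10.0.0.0 plus a default route
TABLE = {"10.1.1.0/24": "10.9.9.1", "10.1.2.0/24": "10.9.9.2"}
DEFAULT = "10.9.9.254"
```

The contrast the guide draws shows up in the 10.1.3.5 case: the router knows two subnets of 10.0.0.0 but not this one, so classless logic forwards to the default gateway while classful logic discards the packet.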
Due to the rapid increase in Internet use, it was feared that IP addresses would be used up by the mid-1990s.
Solutions
Increase the size of the IP address (IPv6): 128 bits
Network Address Translation (NAT) and private addressing
  o Use private networks internally and still communicate with the Internet
Classless Interdomain Routing (CIDR) allows ISPs to reduce wasted IPs by assigning a company a subset of a network number rather than the entire network.
CIDR
Helps scalability of Internet routers (fewer routes need to exist in the routing table)
Assigns a subset of network numbers depending on customer needs
Private Addressing
Private addresses are defined in RFC 1918: a set of networks that will never be assigned to any organization as a registered network number.
NAT
Changes the private IP addresses to publicly registered IP addresses inside each IP packet.
Static NAT: Configures a 1-to-1 mapping between the private address and the registered address that is used on its behalf.
Inside local = private address; Inside global = public address
Dynamic NAT: 1-to-1 mapping between an inside local and an inside global address. However, this mapping occurs dynamically.
1. Set up a pool of possible inside global addresses
2. The router applies criteria to determine if NAT should be applied
3. If it should be applied, add an entry to the NAT table
4. Translate the source IP address and forward the packet
*Dynamic mappings are cleared out after a set timeout expires with no activity, or you can use the command: clear ip nat translation *
If plain NAT is used and all IPs are already assigned, the packet is discarded. The user must try again until a NAT entry becomes available.
PAT allows scaling to support many client machines, with access to the Internet using only a few public addresses.
The NAT table retains the internal IP and port, and translates to a global IP and port.
Since the port field is 16 bits, it supports more than 65,000 port numbers.
Can also translate overlapped/inappropriately assigned network numbers.
  o Must translate both source and destination if used
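The dynamic NAT and PAT table handling described above, as an added Python example that is not part of the study guide. Pool addresses, inside hosts and the starting translated port (1024) are constructed sample values; the model shows pool exhaustion (packet discarded, host must retry), the clear-all operation, and how PAT's (IP, port) entries let reply traffic be mapped back to the right inside host.

```python
# Added example (not from the study guide): a model of dynamic NAT and PAT
# table handling as described above. Pool addresses, inside hosts and the
# starting translated port (1024) are constructed sample values.


class Nat:
    """Dynamic NAT maps each inside local address 1-to-1 to a pool address.
    With overload (PAT) one pool address serves many inside hosts, and the
    table keeps inside (IP, port) -> global (IP, port) so replies can be
    mapped back."""

    def __init__(self, pool, overload=False):
        self.pool = list(pool)
        self.overload = overload
        self.table = {}   # dynamic NAT: ip -> global ip; PAT: (ip, port) -> (gip, gport)
        self.used_ports = set()

    def translate(self, src_ip, src_port):
        """Outbound packet: return the (global ip, global port) it leaves with,
        or None when it must be discarded (pool exhausted, user must retry)."""
        if not self.overload:
            if src_ip not in self.table:
                free = [ip for ip in self.pool if ip not in self.table.values()]
                if not free:
                    return None
                self.table[src_ip] = free[0]
            return (self.table[src_ip], src_port)  # port is left unchanged

        key = (src_ip, src_port)
        if key not in self.table:
            global_ip = self.pool[0]
            # 16-bit port field: pick the first unused port for this global IP
            port = next((p for p in range(1024, 65536)
                         if (global_ip, p) not in self.used_ports), None)
            if port is None:
                return None
            self.used_ports.add((global_ip, port))
            self.table[key] = (global_ip, port)
        return self.table[key]

    def reverse(self, global_ip, global_port):
        """Inbound reply: map the destination back to the inside host."""
        if not self.overload:
            for inside_ip, gip in self.table.items():
                if gip == global_ip:
                    return (inside_ip, global_port)
            return None
        for (inside_ip, inside_port), entry in self.table.items():
            if entry == (global_ip, global_port):
                return (inside_ip, inside_port)
        return None

    def clear(self):
        """Same effect as 'clear ip nat translation *'."""
        self.table.clear()
        self.used_ports.clear()
```

With a two-address pool and no overload, the third inside host gets nothing back from translate() until an entry is cleared; with overload, the same single public address carries every host, distinguished only by the translated port.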
NAT Configuration
Commands:
ip nat [inside | outside]
ip nat inside source
ip nat outside source
ip nat inside destination list
ip nat pool
ip nat inside source list
Command - Description
show ip nat statistics - Lists counters for packets and NAT table entries
show ip nat translations - Displays the NAT table
clear ip nat translation - Clears some/all of the dynamic entries
debug ip nat - Issues a log message describing each packet whose IP address is translated with NAT
Each interface still needs to be designated as either inside or outside, but static entries are no longer needed.
ip nat pool [pool name] [start address] [end address] netmask [subnet mask]
ip nat inside source list [ACL #] pool [pool name] overload
The overload keyword turns on PAT.
ICMP: Provides a variety of information about a network's health and operational status. The actual messages sit inside an IP packet.
Echo request/echo reply are sent and received by the ping command.
(Refer to the Ultimate CCNA INTRO Guide for additional information)
Redirect ICMP Message: If a default route exists, but a better route is later discovered, the router will send a redirect message to the host to tell it to use the better route. The host can either accept the better route or disregard it.
Secondary Addressing
If running out of subnets/addresses, you have the ability to use multiple subnets on the same interface in order to increase the number of supported devices on that subnet/segment.
TFTP uses a small amount of memory and takes little time to load.
Uses UDP.
Uses application layer recovery.
TCP defines a maximum length for the IP packet (Maximum Transmission Unit, or MTU).
Varies based on configuration and the interface's characteristics.
By default, it is calculated based on the max size of the data portion of the L2 frame: 1500 for Ethernet interfaces.
If a packet is larger than the allowed MTU, the router fragments the packet into smaller pieces.
  o The IP header contains fields that aid in reassembling the packet
To change it, use the mtu interface subcommand or ip mtu.
  o mtu sets the MTU regardless of L3 protocol
  o The ip mtu command takes precedence if both are used, unless the mtu command is set after ip mtu (in which case ip mtu resets to the current mtu setting)
Use multiple logical subinterfaces on one physical interface that connects the router to the switch.
ISL
interface fastethernet 0.[subinterface]
ip address [address] [subnet]
encapsulation isl [VLAN ID]
802.1q
(note that this uses the native VLAN, in which no VLAN ID is tagged on a certain trunk; by default this is VLAN 1)
interface fastethernet 0
ip address [address] [subnet mask]
Synchronous = the CSU/DSU must operate at the same speed on either end of the link. Allows more throughput than asynchronous. Sends frames continuously (idle frames when there is nothing to actually send).
Receiver Ready: another name for the idle frames
** Note: **
Routers typically use synchronous connections; a modem and end PC use asynchronous.
HDLC
Field:  Flag  Address  Control  Type  Data      FCS  Flag
Bytes:  1     1        2        2     Variable  4    1
PPP
PPP Features
LCP Features
Looped Link: Bits that the router sends are "looped" back and received by the same router. The router wouldn't notice, because it is still receiving information.
PAP (sequence diagram not reproduced; its labels): Dialing, Waiting for Dial Ack, Username/Password
CHAP (sequence diagram not reproduced; its labels): Dialing, Waiting for Dial, Challenge, Username/Password (Hashed), Accepted
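The PAP and CHAP exchanges outlined above, modelled with both sides' messages as an added Python example that is not part of the study guide. The guide only says the CHAP username/password is hashed; the hash construction used here (MD5 over identifier, shared secret and challenge, checked against a fresh random challenge each time) is the one RFC 1994 defines, not something the guide states. Router names and the shared secret are constructed values.

```python
# Added example (not from the study guide): the PAP and CHAP exchanges above,
# modelled with both sides' messages. The CHAP response is the MD5 of
# identifier || secret || challenge as RFC 1994 defines it; the guide only
# says the username/password is hashed. Names and the secret are constructed.
import hashlib
import hmac
import os

SECRET = b"example-shared-secret"  # constructed; configured on both routers


def pap_request(username, password):
    """PAP: the caller sends the username and password as they are."""
    return {"type": "Authenticate-Request", "name": username, "password": password}


def chap_challenge(identifier):
    """Called router: a fresh random challenge, tied to an identifier."""
    return {"type": "Challenge", "id": identifier, "value": os.urandom(16)}


def chap_hash(identifier, secret, challenge):
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_response(challenge_msg, username, secret):
    """Caller: answers with a hash; the secret itself never crosses the link."""
    digest = chap_hash(challenge_msg["id"], secret, challenge_msg["value"])
    return {"type": "Response", "id": challenge_msg["id"], "value": digest, "name": username}


def chap_verify(challenge_msg, response_msg, secret):
    """Called router: recompute the hash with its own copy of the secret."""
    expected = chap_hash(challenge_msg["id"], secret, challenge_msg["value"])
    ok = (response_msg["id"] == challenge_msg["id"]
          and hmac.compare_digest(expected, response_msg["value"]))
    return {"type": "Success" if ok else "Failure", "id": challenge_msg["id"]}


def run_chap(caller_secret, called_secret, username="R1"):
    """Full three-way exchange; True when the called side accepts."""
    challenge = chap_challenge(identifier=1)
    response = chap_response(challenge, username, caller_secret)
    return chap_verify(challenge, response, called_secret)["type"] == "Success"


def replay_rejected(secret):
    """A response captured for one challenge does not satisfy a new challenge."""
    old = chap_challenge(identifier=1)
    captured = chap_response(old, "R1", secret)
    new = chap_challenge(identifier=2)
    return chap_verify(new, captured, secret)["type"] == "Failure"
```

The contrast with PAP is in what crosses the link: pap_request() carries the password itself, while the CHAP response carries only a hash bound to a one-time challenge, so a captured response is useless against the next challenge.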
ISDN Channels
Both BRI and PRI have digital bearer channels (B channels).
B channels transport data and operate at up to 64 kbps per channel.
New data calls are signaled on the D, or signaling, channel (16 kbps on BRI, 64 kbps otherwise).
ISDN Protocols
Tips to Remember
ISDN Switch Authentication: Service Profile Identifier (SPID), uses a free-form decimal value
ISDN Interfaces
U = no other device required
S/T = cabled to function group NT1
Serial Interfaces
Function group Terminal Equipment 2 (TE2); connects to a Terminal Adapter (TA)
Reference Points
(reference-point diagram not reproduced; it shows TE1 or TA connected to NT1/NT2)
** Note **
Home-based ISDN modems include the TA and NT1; the serial port connects to the TA.
PRI Encoding: Alternate Mark Inversion (AMI) or Binary 8 with Zero Substitution (B8ZS). Match what the telco is using.
For E1 the only choice is High-Density Bipolar 3 (HDB3).
To assign by L3 protocol:
interface [interface]
dialer-list 1 protocol ip permit
To assign by permission:
interface [interface]
access-list 101 permit tcp any host 172.16.3.1 eq 80
dialer-list 2 protocol ip list 101
3. Dial (signal).
   a. Configure the number to call (single connection):
      dialer string [phone number]
   b. For multiple routes, you need a mapping (IP addresses and their phone numbers).
      Add username/password for CHAP support:
      username [username] password [password]
      dialer map ip [I ]P address] broadcast name [username] [phone #]
Use a global command to tell the IOS what type of ISDN switch the router is connected to:
isdn switch-type [type]
Controller Configuration Mode allows you to configure physical layer parameters such as encoding, framing, and the channels that are in use.
Full PRI Configuration: All previous settings that were on the BRI, plus the ones above.
* Note *
SPIDs are not configured, since PRIs do not use them.
Legacy DDR doesn't support a single set of remote sites configured across multiple BRIs or PRIs in a single router (it only allows one set of sites per interface).
Dialer Profiles allow this by using dialer profile pools, which pool the available B channels.
A virtual interface called the Dialer Interface is used.
Commands
Multilink PPP
MLP can break larger packets into smaller segments and send them over multiple links (receiving faster over multiple lines), load balancing them.
MLP treats multiple links as a single link, with one route in the routing table. *
Commands
ppp multilink - Enables MLP
dialer load-threshold load [inbound | outbound | either] - Distributes across links if the load reaches this percentage (for example, 25)
Access Link
Local Management Interface: protocol that defines keepalive messages and other messages.
Routers identify the virtual circuit by encapsulating the data with a Data-Link Connection Identifier (DLCI).
Term - Description
Virtual Circuit (VC) - Logical path that connects routers
Permanent Virtual Circuit (PVC) - A predefined VC (equated to a leased line)
Switched Virtual Circuit (SVC) - A dial connection in concept
Data Terminal Equipment (DTE) - Devices connected to the Frame Relay service
Data Communications Equipment (DCE) - Frame Relay switches, typically in the service provider's network
Access Link - Leased line between DTE and DCE
Access Rate (AR) - Speed at which the access link is clocked
Data-link Connection Identifier (DLCI) - Frame Relay address used in headers to identify the VC
Nonbroadcast Multiaccess (NBMA) - Broadcasts not supported, but more than 2 devices can be connected
Local Management Interface (LMI) - Used between DCE and DTE, manages the connection (signaling messages, keepalive messages)
The DTE needs to know which LMI type to use (must be the same as the DCE type).
The autosense feature detects it automatically.
To configure it manually: frame-relay lmi-type [type]
Can use either cisco, ansi, or q933a as the type.
DLCIs are locally significant, meaning they must have a unique value only on the local access link.
Analogy
Global Addressing makes the DLCIs appear as if they were unique LAN addresses, which makes it easier to understand DLCI addressing.
Switches change the DLCI before the receiver gets it
  o Sender treats the DLCI as the destination address
  o Receiver treats the DLCI as the source address
Broadcast Handling: Cisco IOS sends copies of the broadcasts across each VC. To reduce lag in the network, these are placed in a different output queue than the one for user traffic, and you can limit the amount of bandwidth this consumes.
Most providers use Asynchronous Transfer Mode (ATM) within the core of the Frame Relay network.
- 53-byte cells
- Better Quality of Service (QoS)
- Service Interworking is the use of ATM between Frame Relay switches
- FRF.5 is the specification that defines how to use ATM in Frame Relay
- FRF.8 is the specification that defines how two routers communicate when one is using ATM and the other is using Frame Relay
Command - Description
encapsulation frame-relay [ietf | cisco] - Frame Relay encapsulation type
frame-relay lmi-type {ansi | q933a | cisco} - LMI type configuration
bandwidth num - Configure bandwidth in kbps
frame-relay map {protocol protocol-address dlci} payload-compression frf9 stac caim [element-number] [broadcast] [ietf | cisco] - Statically defines the mapping between an L3 address and a DLCI
Show Commands
show interfaces
show frame-relay pvc [interface interface] [dlci]
show frame-relay lmi [type number]
interface serial0
encapsulation frame-relay
ip address [address][mask]
Router 1
interface serial0
encapsulation frame-relay
frame-relay lmi-type ansi
frame-relay interface-dlci 53 ietf
ip address [address][subnet]
Router 2
interface serial0
encapsulation frame-relay ietf
ip address [address][subnet]
Inverse ARP: Announces L3 addresses as soon as the LMI signals that the PVCs are up.
Static Configuration
no frame-relay inverse-arp
frame-relay map ip [address] [DLCI #] broadcast
Access Control Lists (ACLs): cause a router to discard some packets based on criteria defined by the network engineer. Uses:
Prevent hackers
Prevent employees from using parts of the system
Filter routing updates
Match packets for VPN tunneling
Match packets for implementing QoS features
At the end of every access list, there is an implied "deny all" statement. If a packet does not match any access list statement, the packet is filtered (discarded).
Wildcard Masks
Access lists match packets by looking at the IP, TCP, and UDP headers of the packet.
Standard access lists only look at the source IP address.
Wildcard masks define the portion of the IP address in the packet that should be examined:
0 = match those bits
1 = ignore those bits
Examples
Wildcard Mask - Description
0.0.0.0 - The entire IP address must match.
0.0.0.255 - The first 3 octets must match.
0.0.255.255 - The first 2 octets must match.
0.0.15.255 - The first 20 bits must match.
Command - Description
access-list access-list-number {deny | permit} source [source-wildcard] [log] - Global command for standard numbered access lists
access-list access-list-number remark text - Remark that comments on what the list does
ip access-group {number | name} [in | out] - Interface subcommand that enables access lists
access-class number | name [in | out] - Line subcommand to enable standard or extended access lists
Show Commands
show ip interface
show access-lists [access list number/name]
show ip access-list [access list number/name]
Explanation of Commands
** Note **
If you run show running-config, the list would show "deny host x" and "permit any"
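Wildcard-mask matching, the top-down evaluation of a standard access list with its implied deny at the end, and the host/any shorthand the running configuration shows, as one added Python example that is not part of the study guide. The ACL entries and the addresses tested are constructed sample data; the wildcard examples from the guide's table (0.0.0.255, 0.0.15.255) are used as-is.

```python
# Added example (not from the study guide): wildcard-mask matching, top-down
# evaluation of a standard access list with the implicit deny at the end, and
# the 'host'/'any' shorthand the running configuration shows. The ACL entries
# and addresses are constructed sample data.
import ipaddress


def ip_int(addr):
    return int(ipaddress.ip_address(addr))


def wildcard_match(addr, base, wildcard):
    """Wildcard bit 0 = this address bit must match, 1 = ignore it."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)


def bits_checked(wildcard):
    """How many address bits a wildcard forces to match (20 for 0.0.15.255)."""
    return bin(~ip_int(wildcard) & 0xFFFFFFFF).count("1")


# Constructed standard ACL 3: (action, source, source-wildcard), top down
ACL_3 = [
    ("deny", "10.1.1.1", "0.0.0.0"),
    ("permit", "10.1.0.0", "0.0.255.255"),
]


def evaluate(acl, src_ip):
    """First matching statement wins; no match means the implied deny all."""
    for action, base, wildcard in acl:
        if wildcard_match(src_ip, base, wildcard):
            return action
    return "deny"


def render(acl, number):
    """Lines as 'show running-config' prints them: 0.0.0.0 wildcard becomes
    'host x', 255.255.255.255 becomes 'any'."""
    lines = []
    for action, base, wildcard in acl:
        if wildcard == "0.0.0.0":
            source = f"host {base}"
        elif wildcard == "255.255.255.255":
            source = "any"
        else:
            source = f"{base} {wildcard}"
        lines.append(f"access-list {number} {action} {source}")
    return lines
```

Because evaluation stops at the first match, the order of the two statements in ACL_3 matters: the host deny has to sit above the wider permit, and any source outside 10.1.0.0/16 (for example 192.168.1.1) falls through to the implied deny.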
The one key difference is the variety of fields in the packet that can be compared for matching by extended access lists.
IP Header
* Note *
If TCP/UDP is used, you can filter on source/destination port.
Show Commands
Command - Description
show ip interfaces [type number] - References access lists enabled on the interface
show access-lists [access-list-number | access-list-name] - Shows details of access lists for all protocols
show ip access-list [access-list-number | access-list-name] - Shows IP access lists
Cisco recommends you locate extended ACLs as close to the source as possible.
Named ACLs: Identify ACLs using names; you can delete individual lines in a named IP access list.
Use a global command that places the user in a named IP access list submode.
When a named matching statement is deleted, only that line is deleted.
  o With numbered lists, the deletion of any statement in the list deletes all statements in the list.
Controlling Telnet with ACLs: Can control who can telnet to/from a router
line vty 0 4
login
password cisco
access-class 3 in
1. Create ACLs using a text editor outside the router, and copy/paste them into the configuration. This makes fixing typos easier and provides a backup of the configuration, which makes adding/deleting from them easier.
2. Place extended ACLs as close to the source of the packet as possible to discard packets quickly.
5. Disable an ACL from its interface (no ip access-group) before making changes to it.