Example:
Your goal is to allow FTP access to the HR server from the internet, while blocking out all other traffic. Which of the access list configurations below will fulfill your goal?
A. Access-list 101 Permit tcp any 192.168.44.252 0.0.0.0 eq 21
B. Access-list 101 Permit tcp any 192.168.44.252 0.0.0.0 eq 20
C. Access-list 101 Permit tcp 192.168.44.252 0.0.0.0 any eq 20
D. Access-list 101 Permit tcp 192.168.44.252 0.0.0.0 any eq 21
E. Access-list 101 Deny tcp any 192.168.44.255 0.0.0.0 gt 21
F. Access-list 101 Permit tcp 192.168.44.255 0.0.0.0 any gt 21
Answer: A, B
Saturday, January 6, 2007
Named Access List
If your router is running IOS 11.2 or higher, you can create named access lists. Instead of choosing a number between 1-99 for standard IP access lists, you can use a custom name allowing for more lists and more convenient management. The commands to create a named access list are different for standard and extended access lists.
To create a named access list, use the following command in global configuration mode:
router(config)#ip access-list {standard | extended} name
This command will take you into access-list configuration mode, where you can define the deny and permit rules. For example, to create a named access list with the name wwwfilter and permit access only from the networks 192.168.132.0, 172.17.0.0 and 10.0.0.0, use the following commands:
router(config)#ip access-list standard wwwfilter
router(config-std-nacl)#permit 192.168.132.0 0.0.0.255
router(config-std-nacl)#permit 172.17.0.0 0.0.255.255
router(config-std-nacl)#permit 10.0.0.0 0.255.255.255
Use the exit command to exit access-list configuration mode.
A named list is applied to an interface in the same way as with numbered lists:
router(config-if)#ip access-group wwwfilter out
Which of the following answer choices are correct characteristics of named access lists?
A. You can delete individual statements in a named access list
B. Named access lists require a numbered range from 1000 to 1099.
C. Named access lists must be specified as standard or extended.
D. You can use the ip access-list command to create named access lists.
E. You cannot delete individual statements in a named access list.
F. You can use the ip name-group command to apply named access lists.
Answer: A, C, D
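The wildcard-mask matching and top-down, first-match evaluation behind the access lists above, as an added Python example that is not part of the original notes and is not Cisco code. It handles only the statement forms shown on this page (standard entries, and ip/tcp/udp entries with eq, gt or lt); the test addresses used with it, such as 203.0.113.9, are constructed.

```python
import ipaddress
import operator

PORT_OPS = {"eq": operator.eq, "gt": operator.gt, "lt": operator.lt}

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A [WILDCARD]'; return (base, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return ("0.0.0.0", "255.255.255.255")
    if first == "host":
        return (tokens.pop(0), "0.0.0.0")
    # A bare address with no wildcard matches that single host.
    return (first, tokens.pop(0) if tokens else "0.0.0.0")

def parse_entry(line):
    """Parse one permit/deny statement (standard or extended form)."""
    tokens = line.split()
    if tokens[0].lower() == "access-list":   # drop "access-list 101"
        tokens = tokens[2:]
    entry = {"action": tokens.pop(0).lower(), "proto": None,
             "dst": None, "port": None}
    if tokens[0] in ("ip", "tcp", "udp"):    # extended entry
        entry["proto"] = tokens.pop(0)
        entry["src"] = _take_addr(tokens)
        entry["dst"] = _take_addr(tokens)
        if tokens:                           # optional destination port test
            entry["port"] = (tokens[0], int(tokens[1]))
    else:                                    # standard entry: source only
        entry["src"] = _take_addr(tokens)
    return entry

def evaluate(acl_lines, src, dst=None, proto=None, dport=None):
    """First matching statement wins; no match hits the implicit deny."""
    for line in acl_lines:
        e = parse_entry(line)
        if not wildcard_match(src, *e["src"]):
            continue
        if e["proto"] is not None:
            if e["proto"] != "ip" and e["proto"] != proto:
                continue
            if dst is None or not wildcard_match(dst, *e["dst"]):
                continue
            if e["port"]:
                op, number = e["port"]
                if dport is None or not PORT_OPS[op](dport, number):
                    continue
        return e["action"]
    return "deny"   # implicit "deny any" that ends every IOS access list

# The wwwfilter statements from the named access list shown above.
WWWFILTER = [
    "permit 192.168.132.0 0.0.0.255",
    "permit 172.17.0.0 0.0.255.255",
    "permit 10.0.0.0 0.255.255.255",
]
# Options A and B from the FTP question at the top of the page.
HR_FTP = [
    "Access-list 101 Permit tcp any 192.168.44.252 0.0.0.0 eq 21",
    "Access-list 101 Permit tcp any 192.168.44.252 0.0.0.0 eq 20",
]

if __name__ == "__main__":
    print(evaluate(WWWFILTER, "172.17.200.1"))                       # inside 172.17.0.0/16
    print(evaluate(WWWFILTER, "192.168.133.1"))                      # no statement matches
    print(evaluate(HR_FTP, "203.0.113.9", "192.168.44.252", "tcp", 21))
    print(evaluate(HR_FTP, "203.0.113.9", "192.168.44.252", "tcp", 23))
```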
Friday, January 5, 2007
Subnet Masks to Remember and their decimal notations
I find that it's really time-wasting to derive the decimal notations from the / notation. In the exam, time is constrained, so it's better to remember the common ones:
/ Notation <-> Decimal (last octet)
30 <-> 252
29 <-> 248
28 <-> 240
27 <-> 224
26 <-> 192
25 <-> 128
EIGRP is Distance Vector or Link State?
According to Cisco, EIGRP is considered Distance Vector. Search Cisco, and you will know.
This link provides all answers on EIGRP (Must Go Through!)
http://www.cisco.com/en/US/tech/tk1330/tsd_technology_support_technical_reference_chapter09186a00807598ad.html
EIGRP Tables - sure come out in exam!
•Like OSPF, EIGRP keeps this information in several tables, or databases.
–Neighbor table
–Topology table
–Routing table
–Successor
–Feasible Successor
•Successor – Current Route
–A successor is a route selected as the primary route to use to reach a destination.
–Successors are the entries kept in the routing table.
•Feasible Successor - A backup route
–A feasible successor is a backup route.
–These routes are selected at the same time the successors are identified, but they are kept in the topology table.
–Multiple feasible successors for a destination can be retained in the topology table.
Neighbor table - lists adjacent routers
Topology table - contains feasible successors
Routing table - contains successors
Thursday, January 4, 2007
Routing Metrics
By default, IGRP chooses a route based on bandwidth and delay.
But it can support Bandwidth, Delay, Reliability, Load, MTU.
By default, OSPF uses bandwidth for its metric.
Q. How does OSPF calculate its metric or cost?
A. OSPF uses a reference bandwidth of 100 Mbps for cost calculation. The formula to calculate the cost is reference bandwidth divided by interface bandwidth. For example, in the case of Ethernet, it is 100 Mbps / 10 Mbps = 10.
The formula is cost = 10^8 / bandwidth
RIP uses hop count.
Spanning Tree Protocol Timers
There are several STP timers, as this list shows:
hello—The hello time is the time between each bridge protocol data unit (BPDU) that is sent on a port. This time is equal to 2 seconds (sec) by default, but you can tune the time to be between 1 and 10 sec.
forward delay—The forward delay is the time that is spent in the listening and learning state. This time is equal to 15 sec by default, but you can tune the time to be between 4 and 30 sec.
max age—The max age timer controls the maximum length of time that passes before a bridge port saves its configuration BPDU information. This time is 20 sec by default, but you can tune the time to be between 6 and 40 sec.
OSPF and EIGRP Hello Timings
OSPF
Hello—Interval time in seconds that a router sends an OSPF hello packet. On broadcast and point-to-point links, the default is 10 seconds. On NBMA, the default is 30 seconds.
EIGRP
EIGRP routers establish adjacencies with neighbor routers by using small hello packets.
Hellos are sent every 5 seconds by default.
•Hold time tells the router how long it should consider the neighbor alive if it has not received any EIGRP packets (Hello, EIGRP updates, etc.)
•Hold time is normally three times the configured Hello interval.
•Both the Hello and Hold time intervals are configurable on a per interface basis, and do not have to match neighbor.
•EIGRP routers exchange routing information the same way as other distance vector routing protocols, but do not send periodic updates.
•EIGRP updates are only sent when a network is added or removed from the topology database, when the successor for a given network changes, or when the locally used metric is updated.
Administrative Distances RIP, OSPF, IGRP, EIGRP
Default Distance Value Table
This table lists the administrative distance default values of the protocols that Cisco supports:
Connected interface 0
Static route* 1
Enhanced Interior Gateway Routing Protocol (EIGRP) summary route 5
External Border Gateway Protocol (BGP) 20
Internal EIGRP 90
IGRP 100
OSPF 110
Intermediate System-to-Intermediate System (IS-IS) 115
Routing Information Protocol (RIP) 120
Exterior Gateway Protocol (EGP) 140
On Demand Routing (ODR) 160
External EIGRP 170
Internal BGP 200
Unknown** 255
* A static route that points to the next hop IP address has an Administrative distance of 1. If the static route points to an outgoing interface, the static route has the Administrative distance of 0.
** If the administrative distance is 255, the router does not believe the source of that route and does not install the route in the routing table.
CCNA 640-801 Overview Tips - What you need to know in this version!
Following on from my certification expiring after 3 years, it was renewal time!
The CCNA exam has changed a lot over the last 4 years, the current one is now dubbed 640-801, and this page is a list of tips and helpful notes on what you need to know and how to learn it all.
Firstly, the goals of what you need to know. The following list is the things you need to know really well - in other words, you should be able to recall these things instantly.
Subnetting. You need to be able to calculate subnet numbers ( subnet address, broadcast address, first and last useable IP addresses ) in your head, and fairly quickly for any IP class and number of subnet bits.
Routing protocols. These include RIP, RIP2, IGRP, EIGRP and OSPF. You'll need to know the types for each ( distance vector, link state, hybrid ), the metrics ( bandwidth, speed ) and administrative distances for each one. A fair idea of the types of tables that each uses will be useful.
WAN protocols. Know all the encapsulation types ( PPP, DLCI, Frame Relay, etc ) and the quirks of each one. In particular, remember the default encapsulation for router interfaces.
Note this : the exam was a little harder than the questions in the book and trial exams you find in CD or online.
You need to practice setting up and fault-finding on routers and switches. You should practice until you can fully configure a pair of routers from scratch to talk to each other over serial interfaces within a minute or two.
Switches are much simpler than routers, and you may be able to get away with not having one to practice on depending on how confident and experienced you are.
Use Packet Tracer. At a bare minimum, you'll be wanting a couple of 1600 series routers with a serial WIC in each and a serial crossover cable. Make sure they're running a fairly recent version of IOS such as 12.3 or higher. The good thing about this is that you can actually touch and see the cables, power-off the routers, and do stuff like messing with the configuration register and recovering the enable password. Great fun.
Get comfortable before you start. You've usually got a bit of time to do a "test introduction" - it's a good idea to do this just to calm your nerves and get used to the types of questions that you'll be facing.
Watch your time. You could be very busy : I found the exam took more work than the trial exams in Todd Lammle's Sybex book.
Use pencil and paper only when you need to. Because there isn't much time to work things out by hand.
You can usually eliminate one or two of the multi-choice answers straight away. Get used to this process by doing lots of trial exams and eliminate answers quickly and consistently in your head ( not on paper, remember? ).
If you see questions that you haven't studied for, then eliminate the bogus answers, take your best guess and move on. Don't sweat it out. Some questions are "trial" questions which may be outside the current CCNA syllabus and you won't be marked on these.
Be prepared for "complex" questions. For example, single questions that demand knowledge of subnetting and routing protocols or questions that may show a moderately complex network and ask you to find the fault in it.
Quick Links
A few quick links to get you started.
Cisco CCNA page
Cisco CCNA Prep Centre
Prometric - for booking exams
Well, that's about it. The good thing about the CCNA exam is not that it teaches you a lot about Cisco specific products, but that you will learn a lot about TCP/IP networking. And these days, such knowledge is really essential to get a good job in IT. I've met many people in IT that don't understand basic things like subnetting, VLANs and WAN protocols and they often get into trouble when tackling simple problems and designing what should be simple solutions.
Trunk Mode
I remember there is a question on the type of trunk mode and you have to select about 3 answers out of 5. I can't remember the question exactly. It's like a mix of on, desirable, forwarding, transparent, blocking.
However, to answer it correctly regardless of the exact question, it's important to know these.
The trunk mode can be on, off, desirable, auto, nonegotiate.
Understanding VTP Modes
You can configure a Catalyst 4000 family switch to operate in any one of these VTP modes:
Server—In VTP server mode, you can create, modify, and delete VLANs and specify other configuration parameters (such as VTP version and VTP pruning) for the entire VTP domain. VTP servers advertise their VLAN configuration to other network devices in the same VTP domain and synchronize their VLAN configuration with other network devices based on advertisements received over trunk links. VTP server is the default mode.
Client—VTP clients behave the same way as VTP servers, but you cannot create, change, or delete VLANs on a VTP client.
Transparent—VTP transparent network devices do not participate in VTP. A VTP transparent network device does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements. However, in VTP version 2, transparent network devices do forward VTP advertisements that they receive out their trunking LAN interfaces.
A VLAN can be created or modified on a switch in which of the following VTP modes? (Choose all that apply.)
Server
Access
Client
Transparent
Root
Regarding VTP configuration revision numbers, which of the following statements are true? (Choose all that apply.)
A transparent switch will always have a higher configuration revision number than any other switch on the network.
VTP configuration revision numbers are changed on a switch when a VLAN is created, deleted, or modified.
If a switch with a higher configuration revision number is added to an existing network with the same VTP domain name, it will have no effect on the VLANs on all the functioning switches.
VTP configuration revision numbers can be reset to 0 by changing the VTP to transparent mode and then back to server or client.
You can view a switch's current VTP configuration revision number by issuing the command show vtp status.
Choose the commands that force an IOS switch to perform trunking on a FastEthernet interface 0/12. (Choose the best answer.)
set trunk on
interface Fa0/12 trunk on
switchport mode trunk
interface Fa0/12 mode trunk
interface Fa0/12 then switchport mode trunk
Which of the following is the default mode for a Layer 2 port on an IOS switch?
switchport mode access
switchport mode dynamic auto
switchport mode nonegotiate
switchport mode dynamic desirable
switchport mode trunk
Which of the following commands you can use to see which VLAN a port is assigned to? (Choose all that apply.)
show interface trunk
show interface type slot/port
show vtp status
show interface status
show vlan brief
show interface type slot/port switchport