- •Warning and Disclaimer
- •Feedback Information
- •Trademark Acknowledgments
- •About the Author
- •About the Technical Reviewers
- •Dedication
- •Acknowledgments
- •Contents at a Glance
- •Contents
- •Icons Used in This Book
- •Command Syntax Conventions
- •Cisco’s Motivation: Certifying Partners
- •Format of the CCNA Exams
- •What’s on the CCNA Exams
- •ICND Exam Topics
- •Cross-Reference Between Exam Topics and Book Parts
- •CCNA Exam Topics
- •INTRO and ICND Course Outlines
- •Objectives and Methods
- •Book Features
- •How This Book Is Organized
- •Part I: LAN Switching
- •Part II: TCP/IP
- •Part III: Wide-Area Networks
- •Part IV: Network Security
- •Part V: Final Preparation
- •Part VI: Appendixes
- •How to Use These Books to Prepare for the CCNA Exam
- •For More Information
- •Part I: LAN Switching
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Brief Review of LAN Switching
- •The Forward-Versus-Filter Decision
- •How Switches Learn MAC Addresses
- •Forwarding Unknown Unicasts and Broadcasts
- •LAN Switch Logic Summary
- •Basic Switch Operation
- •Foundation Summary
- •Spanning Tree Protocol
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Spanning Tree Protocol
- •What IEEE 802.1d Spanning Tree Does
- •How Spanning Tree Works
- •Electing the Root and Discovering Root Ports and Designated Ports
- •Reacting to Changes in the Network
- •Spanning Tree Protocol Summary
- •Optional STP Features
- •EtherChannel
- •PortFast
- •Rapid Spanning Tree (IEEE 802.1w)
- •RSTP Link and Edge Types
- •RSTP Port States
- •RSTP Port Roles
- •RSTP Convergence
- •Edge-Type Behavior and PortFast
- •Link-Type Shared
- •Link-Type Point-to-Point
- •An Example of Speedy RSTP Convergence
- •Basic STP show Commands
- •Changing STP Port Costs and Bridge Priority
- •Foundation Summary
- •Foundation Summary
- •Virtual LANs and Trunking
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Review of Virtual LAN Concepts
- •Trunking with ISL and 802.1Q
- •ISL and 802.1Q Compared
- •VLAN Trunking Protocol (VTP)
- •How VTP Works
- •VTP Pruning
- •Foundation Summary
- •Part II: TCP/IP
- •IP Addressing and Subnetting
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •IP Addressing Review
- •IP Subnetting
- •Analyzing and Interpreting IP Addresses and Subnets
- •Math Operations Used to Answer Subnetting Questions
- •Converting IP Addresses from Decimal to Binary and Back Again
- •The Boolean AND Operation
- •How Many Hosts and How Many Subnets?
- •What Is the Subnet Number, and What Are the IP Addresses in the Subnet?
- •Finding the Subnet Number
- •Finding the Subnet Broadcast Address
- •Finding the Range of Valid IP Addresses in a Subnet
- •Finding the Answers Without Using Binary
- •Easier Math with Easy Masks
- •Which Subnet Masks Meet the Stated Design Requirements?
- •What Are the Other Subnet Numbers?
- •Foundation Summary
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Extended ping Command
- •Distance Vector Concepts
- •Distance Vector Loop-Avoidance Features
- •Route Poisoning
- •Split Horizon
- •Split Horizon with Poison Reverse
- •Hold-Down Timer
- •Triggered (Flash) Updates
- •RIP and IGRP
- •IGRP Metrics
- •Examination of RIP and IGRP debug and show Commands
- •Issues When Multiple Routes to the Same Subnet Exist
- •Administrative Distance
- •Foundation Summary
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Link-State Routing Protocol and OSPF Concepts
- •Steady-State Operation
- •Loop Avoidance
- •Scaling OSPF Through Hierarchical Design
- •OSPF Areas
- •Stub Areas
- •Summary: Comparing Link-State and OSPF to Distance Vector Protocols
- •Balanced Hybrid Routing Protocol and EIGRP Concepts
- •EIGRP Loop Avoidance
- •EIGRP Summary
- •Foundation Summary
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Route Summarization and Variable-Length Subnet Masks
- •Route Summarization Concepts
- •VLSM
- •Route Summarization Strategies
- •Sample “Best” Summary on Seville
- •Sample “Best” Summary on Yosemite
- •Classless Routing Protocols and Classless Routing
- •Classless and Classful Routing Protocols
- •Autosummarization
- •Classful and Classless Routing
- •Default Routes
- •Classless Routing
- •Foundation Summary
- •Advanced TCP/IP Topics
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Scaling the IP Address Space for the Internet
- •CIDR
- •Private Addressing
- •Network Address Translation
- •Static NAT
- •Dynamic NAT
- •Overloading NAT with Port Address Translation (PAT)
- •Translating Overlapping Addresses
- •Miscellaneous TCP/IP Topics
- •Internet Control Message Protocol (ICMP)
- •ICMP Echo Request and Echo Reply
- •Destination Unreachable ICMP Message
- •Time Exceeded ICMP Message
- •Redirect ICMP Message
- •Secondary IP Addressing
- •FTP and TFTP
- •TFTP
- •MTU and Fragmentation
- •Foundation Summary
- •Part III: Wide-Area Networks
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Review of WAN Basics
- •Physical Components of Point-to-Point Leased Lines
- •Data-Link Protocols for Point-to-Point Leased Lines
- •HDLC and PPP Compared
- •Looped Link Detection
- •Enhanced Error Detection
- •Authentication Over WAN Links
- •PAP and CHAP Authentication
- •Foundation Summary
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •ISDN Protocols and Design
- •Typical Uses of ISDN
- •ISDN Channels
- •ISDN Protocols
- •ISDN BRI Function Groups and Reference Points
- •ISDN PRI Function Groups and Reference Points
- •BRI and PRI Encoding and Framing
- •PRI Encoding
- •PRI Framing
- •BRI Framing and Encoding
- •DDR Step 1: Routing Packets Out the Interface to Be Dialed
- •DDR Step 2: Determining the Subset of the Packets That Trigger the Dialing Process
- •DDR Step 3: Dialing (Signaling)
- •DDR Step 4: Determining When the Connection Is Terminated
- •ISDN and DDR show and debug Commands
- •Multilink PPP
- •Foundation Summary
- •Frame Relay
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Frame Relay Protocols
- •Frame Relay Standards
- •Virtual Circuits
- •LMI and Encapsulation Types
- •DLCI Addressing Details
- •Network Layer Concerns with Frame Relay
- •Layer 3 Addressing with Frame Relay
- •Frame Relay Layer 3 Addressing: One Subnet Containing All Frame Relay DTEs
- •Frame Relay Layer 3 Addressing: One Subnet Per VC
- •Frame Relay Layer 3 Addressing: Hybrid Approach
- •Broadcast Handling
- •Frame Relay Service Interworking
- •A Fully-Meshed Network with One IP Subnet
- •Frame Relay Address Mapping
- •A Partially-Meshed Network with One IP Subnet Per VC
- •A Partially-Meshed Network with Some Fully-Meshed Parts
- •Foundation Summary
- •Part IV: Network Security
- •IP Access Control List Security
- •“Do I Know This Already?” Quiz
- •Foundation Topics
- •Standard IP Access Control Lists
- •IP Standard ACL Concepts
- •Wildcard Masks
- •Standard IP ACL: Example 2
- •Extended IP Access Control Lists
- •Extended IP ACL Concepts
- •Extended IP Access Lists: Example 1
- •Extended IP Access Lists: Example 2
- •Miscellaneous ACL Topics
- •Named IP Access Lists
- •Controlling Telnet Access with ACLs
- •ACL Implementation Considerations
- •Foundation Summary
- •Part V: Final Preparation
- •Final Preparation
- •Suggestions for Final Preparation
- •Preparing for the Exam Experience
- •Final Lab Scenarios
- •Scenario 1
- •Scenario 1, Part A: Planning
- •Solutions to Scenario 1, Part A: Planning
- •Scenario 2
- •Scenario 2, Part A: Planning
- •Solutions to Scenario 2, Part A: Planning
- •Part VI: Appendixes
- •Glossary
- •Answers to the “Do I Know This Already?” Quizzes and Q&A Questions
- •Chapter 1
- •“Do I Know This Already?” Quiz
- •Chapter 2
- •“Do I Know This Already?” Quiz
- •Chapter 3
- •“Do I Know This Already?” Quiz
- •Chapter 4
- •“Do I Know This Already?” Quiz
- •Chapter 5
- •“Do I Know This Already?” Quiz
- •Chapter 6
- •“Do I Know This Already?” Quiz
- •Chapter 7
- •“Do I Know This Already?” Quiz
- •Chapter 8
- •“Do I Know This Already?” Quiz
- •Chapter 9
- •“Do I Know This Already?” Quiz
- •Chapter 10
- •“Do I Know This Already?” Quiz
- •Chapter 11
- •“Do I Know This Already?” Quiz
- •Chapter 12
- •“Do I Know This Already?” Quiz
- •Using the Simulation Software for the Hands-on Exercises
- •Accessing NetSim from the CD
- •Hands-on Exercises Available with NetSim
- •Scenarios
- •Labs
- •Listing of the Hands-on Exercises
- •How You Should Proceed with NetSim
- •Considerations When Using NetSim
- •Routing Protocol Overview
- •Comparing and Contrasting IP Routing Protocols
- •Routing Through the Internet with the Border Gateway Protocol
- •RIP Version 2
- •The Integrated IS-IS Link State Routing Protocol
- •Summary of Interior Routing Protocols
- •Numbering Ports (Interfaces)
442 Chapter 12: IP Access Control List Security
ACL 101 looks a lot like ACL 101 from Example 12-6, but this time, the ACL does not bother checking for the criteria to match Larry’s traffic, because Larry’s traffic will never enter R3’s Ethernet 0 interface. Because the ACL has been placed on R3, near Bob, it watches for packets Bob sends that enter its Ethernet0 interface. Because of the ACL, Bob’s FTP traffic to 172.16.1.0/24 is denied, with all other traffic entering R3’s E0 interface making it into the network. Example 12-7 does not show any logic for stopping Larry’s traffic.
Extended IP Access Lists: Example 2
Example 12-8, based on the network shown in Figure 12-6, shows another example of how to use extended IP access lists. This example uses the same criteria and network topology as the second standard IP ACL example, as repeated here:
■Sam is not allowed access to Bugs or Daffy.
■Hosts on the Seville Ethernet are not allowed access to hosts on the Yosemite Ethernet.
■All other combinations are allowed.
Figure 12-6 Network Diagram for Extended Access List Example 2
Bugs Daffy
10.1.1.110.1.1.2
Subnet 10.1.1.0
|
E0 |
|
|
Albuquerque |
|
s0 |
s1 |
|
|
|
.128 |
.0 |
|
|
.1 |
|
|
|
10 |
|
|
|
Subnet |
|
|
|
|
|
|
|
|
s0
Subnet
10
. 1 .
130
. 0
s0
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Subnet 10.1.129.0 |
|
|
|
|
|
|
|
|
|
|
|
|
||||
Yosemite |
|
|
|
|
|
s1 |
s1 |
|
|
Seville |
|||||||||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||||||||||||
|
|
|
|
|
|
|
|
E0 |
E0 |
||||||||||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||||||||||||
|
|
|
|
|
|
|
|
|
Subnet 10.1.2.0 |
|
|
|
|
|
Subnet 10.1.3.0 |
||||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Sam |
Emma |
Elmer |
Red |
10.1.2.1 |
10.1.2.2 |
10.1.3.1 |
10.1.3.2 |