Controlling Acquisition Amend Traffic


Controlling the routing table of the core block has several advantages:

• Reduces the size of the routing table at the core block, allowing it to process packets faster.

• Prevents users from getting to networks that have not been advertised unless they have a static or default route to get there.

• Prevents incorrect information from propagating through the core block.

Two methods are available for controlling the routing information that is sent to the core block, as follows:

• Route summarization—Depending on the routing protocol used, a summarized entry of all the available routes of the switch block can be sent from the distribution layer to the core.

• Distribution lists—A distribution list can be used to indicate what routes the distribution layer can advertise to the core, or conversely, what the core can accept from the switch block.

NOTE Route summarization is another way to limit the size of the routing table at the core block, but this method is not covered here.

Configuring Route Filtering

The basic method for configuring route filtering is by using the distribute-list command. This method is used frequently in large routed networks but can be used by Route Switch Modules (RSMs) in a large switched network as well.

The basic command syntax for configuring route filtering for incoming routing updates is

R1(config-router)# distribute-list access-list-number | name in [type number]

Similarly, the command syntax for configuring route filtering for outbound routing updates is

R1(config-router)# distribute-list access-list-number | name out [interface-name] routing-process | autonomous-system-number

414 Chapter 12: Controlling Access in the Campus Environment

The command arguments for the distribute-list command are described as follows:

• access-list-number—Number of the previously created standard access list.

• in | out—Define the filtering on either incoming routing updates (in) or outgoing routing updates (out).

• interface-name—Name of the interface. Indicates that the networks in the access list will be filtered if they came from or are going to a specific interface.

• routing-process autonomous-system-number—Name of the routing process, including the keywords static and connected. This option applies only to outbound distribution filters.

You can filter routing update traffic for any protocol by defining an access list and applying it to a specific routing protocol.

To configure a filter, perform the following steps:

Step 1 Identify the network addresses that you want to filter and create a standard access list.

Step 2 Determine whether the routing protocol should be filtered incoming or outgoing on the interface.

Step 3 Assign the access filter to routing updates.

IP Route Filtering

Consider the network device hierarchy in Figure 12-7.

Figure 12-7 IP Route Filtering

[Figure 12-7: switch-block networks 140.20.15.0 and 140.20.16.0 behind the distribution RSM, which connects toward the core on int VLAN 10]


The command syntax in Example 12-11 indicates that the routing process of Enhanced Interior Gateway Routing Protocol (EIGRP) will send the network of 140.20.0.0 255.255.0.0 in its routing updates out E0/0 (Ethernet) but will filter all other networks. If the core is connected to VLAN10, it will receive only 140.20.15.0, and only 140.20.15.0 will be allowed to traverse the core.

The options for the networks of 140.20.x.0, except 140.20.16.0, include the following:

• All other networks will be able to send and receive data in the switch block but will not be allowed to get to any other switch block or to the core block. For this hierarchy to work, a static or default route will have to be configured.

• All other networks will not be seen by the core block and other switch blocks. A default or static route will allow them to send and receive data to other switch blocks, including the core.

Core Layer Policy

The core block is responsible for moving data quickly. All the devices that are considered to be core block solutions are optimized to move data as quickly as possible. For this reason, the core block should have little to no policy.

The only policies that should be applied at the core block are those that relate to quality of service (QoS) commands for congestion management and congestion avoidance.

QoS implementations vary, depending on the hardware used and the version of IOS. Please see your IOS-specific documentation for details.

Example 12-11 Configuring IP Route Filtering

router eigrp 100
 network 140.20.0.0
 distribute-list 7 out VLAN10
!
access-list 7 permit 140.20.15.0 0.0.0.255
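To see exactly which routes the list in Example 12-11 lets through, here is an added Python model (not from the book or from Cisco IOS): it parses standard access-list lines, applies Cisco wildcard-mask matching with the implicit deny at the end of every list, and filters a constructed set of switch-block routes the way distribute-list 7 out would. The same functions cover the Scenario 12-2 answer 3 list (access-list 5 for 172.16.100.0) by changing the input; the route set is an assumption.

```python
"""Added model of a Cisco standard access list applied as an outbound distribute-list.
Only the 'access-list N permit|deny A.B.C.D [wildcard]' form is modelled (no any/host)."""
import ipaddress
import re

ACL_LINE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+([\d.]+)(?:\s+([\d.]+))?$")

def parse_standard_acl(config_text):
    """Collect entries per list number; an omitted wildcard is 0.0.0.0 (exact host)."""
    acls = {}
    for line in config_text.splitlines():
        m = ACL_LINE.match(line.strip())
        if m:  # other lines (router eigrp, network, '!') are not ACL entries
            number, action, base, wildcard = m.groups()
            acls.setdefault(int(number), []).append((action, base, wildcard or "0.0.0.0"))
    return acls

def wildcard_match(address, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(address)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def acl_permits(entries, address):
    """First matching entry wins; the implicit 'deny any' at the end drops the rest."""
    for action, base, wildcard in entries:
        if wildcard_match(address, base, wildcard):
            return action == "permit"
    return False

def filter_routing_update(routes, acls, acl_number):
    """Emulate 'distribute-list <acl_number> out' on 'network/len' route strings.
    IOS treats a referenced but undefined list as permit any, so a mistyped
    list number filters nothing; that pitfall is reproduced deliberately."""
    if acl_number not in acls:
        return list(routes)
    return [r for r in routes if acl_permits(acls[acl_number], r.split("/")[0])]

# Constructed inputs: the configuration of Example 12-11 and a made-up route set.
EXAMPLE_12_11 = """router eigrp 100
 network 140.20.0.0
 distribute-list 7 out VLAN10
!
access-list 7 permit 140.20.15.0 0.0.0.255
"""
SWITCH_BLOCK_ROUTES = ["140.20.15.0/24", "140.20.16.0/24", "140.20.17.0/24"]

if __name__ == "__main__":
    acls = parse_standard_acl(EXAMPLE_12_11)
    print(filter_routing_update(SWITCH_BLOCK_ROUTES, acls, 7))  # ['140.20.15.0/24']
```

Checking the "undefined list" case against a device's running configuration is a cheap sanity test after any route-filter change, since a typo in the list number leaves the core exposed to every switch-block route.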


Foundation Summary

The Foundation Summary is a collection of tables and figures that provides a convenient review of many key concepts in this chapter. For those of you already comfortable with the topics in this chapter, this summary could help you recall a few details. For those of you who just read this chapter, this review should help solidify some key facts. For any of you doing your final preparation before the exam, these tables and figures will hopefully be a convenient way to review the day before the exam.

Table 12-3 Route Switch Module or Router and Switch Commands

Command                                                    Description
access-list access-list                                    Creates an access list
distribute-list access-list [in | out]                     Applies an access list to a routing protocol
line line-type line-number                                 Selects a line to configure
login [local | tacacs]                                     Indicates where the login should look for information
privilege mode level level command                         Enters the commands available at a privilege level
username username password password                       Creates a username entry in the local database
username username privilege number                         Assigns a privilege level to username
Switch command: set port security mod_num/port_num…enable mac address    Creates port security using MAC address


Q&A

The questions and scenarios in this book are more difficult than what you should experience on the actual exam. The questions do not attempt to cover more breadth or depth than the exam; they are designed, however, to make sure that you know the answer. Rather than allowing you to derive the answer from clues hidden inside the question itself, the questions challenge your understanding and recall of the subject. Questions from the “Do I Know This Already?” quiz from the beginning of the chapter are repeated here to ensure that you have mastered the chapter’s topic areas. Hopefully, these questions will help limit the number of exam questions on which you narrow your choices to two options and then guess.

The answers to these questions can be found in Appendix A, on page 477.

1 Define an access policy.

2 What is the access layer defined as?

3 Is HTTP access commonly enabled on a Cisco router? What is the main purpose of using HTTP?

4 Name at least two components relating to controlling access to network devices.

5 What way of accessing a network device requires a password?

6 What feature of the Cisco IOS protects a console connection left unattended?

7 What does the access-class command do when applied to a virtual terminal configuration?

8 What VLAN is the default VLAN for a Catalyst switch, and why is it a good idea to change this?

9 What does port security do on a Catalyst series switch?

10 What is the range of numerical representation of a standard IP access list? An extended access list?

11 Should a standard or an extended access list be used when filtering a specific host?

12 When implementing route filtering, what type of access list is used—a standard or an extended access list?

13 In general, what type of policies should be implemented in the core layer?

14 Which physical access method of a Cisco router should be disabled if not used?

15 What is the virtual terminal connection commonly called?

16 What does the banner do?

17 Why is it important to have physical security for a network device?

18 What does the Cisco command login local do on a router?


Scenarios

Please refer to the scenario Figure 12-8 below as a reference for Scenario 12-1 and Scenario 12-2.

Figure 12-8 Scenario 12-1 and 12-2 Network

Scenario 12-1

Given the network depicted in Figure 12-8, answer the following questions related to this scenario.

1 Assume you are connected to the console port of the RSM on Switch A. Establish a console login with a password of san-jose.

2 While still connected to the console, establish a Telnet login with a password of san-fran.

3 Assume that a management VLAN (VLAN1) exists on Switch 1 and Switch A. Further, a workstation is connected to VLAN1 off of Switch 1. Set up an access list on the RSM on Switch A to allow only the workstation to Telnet to Switch A. Assume the workstation has the IP address of 192.168.1.12.

4 Following the configuration in Exercise 3 for this scenario, add HTTP access to the RSM on Switch A. Assume local authentication with a username of web and password of cisco.

5 Configure Switch 1 such that the above workstation is the only one allowed to be connected on port 4/5. The workstation has a MAC address of 00-00-0e-12-34-56.

[Figure 12-8: Switch 1 and Switch 2 in the access layer, Switch A and Switch B in the distribution layer, routers X and Y in the core]


Scenario 12-2

1 Set a banner message upon login to Switch B. It should read, “Unauthorized access will be prosecuted.”

2 Set an extended access list 101 such that only SMTP traffic is allowed to and from the RSM on Switch B on Interface VLAN 100.

3 Switch B has a VLAN 200 that connects to core Router Y. The RSM on Switch B is running EIGRP with a process ID of 225. Construct a distribute list that allows only routes from 172.16.100.0 to traverse into the core.

4 Construct a new privilege level on Switch 2 that allows the user to log in as the operator with a password of cisco. This privilege level allows only one thing—to view the startup configuration.


Scenarios Answers

Scenario 12-1 Answers

1 The console login should look something like the configuration that follows:

RSM(config)#line console 0
RSM(config-line)#login
RSM(config-line)#password san-jose

2 The Telnet or vty login statements look very similar to those of the console. The correct answer is as follows:

RSM(config)#line vty 0 4
RSM(config-line)#login
RSM(config-line)#password san-fran

3 The correct configuration is as follows:

RSM(config)#access-list 1 permit 192.168.1.12
RSM(config)#line vty 0 4
RSM(config-line)#access-class 1 in

4 The correct configuration is as follows:

RSM(config)#access-list 1 permit 192.168.1.12
RSM(config)#line vty 0 4
RSM(config-line)#access-class 1 in
RSM(config-line)#exit
RSM(config)#ip http server
RSM(config)#ip http access-class 1
RSM(config)#ip http authentication local
RSM(config)#username web password cisco

5 This feature is implemented on Switch 1 and grants only one specific MAC address access to the port:

Switch1(enable) set port security 4/5 enable 00-00-0e-12-34-56

Scenario 12-2 Answers

1 The correct answer is as follows:

Switch1(enable) set banner motd "Unauthorized access will be prosecuted!"

2 The correct configuration is as follows:

interface VLAN100
 ip access-group 101 out
!
access-list 101 permit tcp any any eq smtp


3 The correct configuration is as follows:

router eigrp 225
 network 172.16.0.0
 distribute-list 5 out VLAN200
!
access-list 5 permit 172.16.100.0 0.0.0.255

4 The configuration that accomplishes the goal for this exercise is as follows:

privilege configure level 3 username
privilege exec level 3 show run
enable secret level 3 cisco
username operator password cisco

This chapter covers the following topics that you will need to master for the CCNP Switching Exam:

• Monitoring Cisco Switches—This section covers the methods available and commands used for monitoring Cisco switches.

• General Troubleshooting Model—This section reviews a general model for troubleshooting network devices, including Cisco switches.

• Troubleshooting Cisco Switches with show Commands—This section discusses and defines the various commands that can be used to troubleshoot Cisco switches.

• Physical Layer Troubleshooting—This section discusses the tools involved in troubleshooting the physical layer.