From: dmann10@hotmail.com (David M)
Subject: Cisco Certification FAQ Part 3 Workshop (3:00:01)
Newsgroups: alt.certification.cisco
Followup-To: alt.certification.cisco
Date: Thu, 13 Mar 2003 11:32:27 GMT

Archive-Name: Certification/Cisco/Frequently Asked Questions
Version: 03:00:00 Part 3 of 3
Posted: Weekly (Thursday)
Title: Part 3 - Workshop

Index:-

Part 1 - Introduction
=====================
10.0 Statement of objectives
11.0 Administrivia
12.0 What is Cisco accreditation
13.0 Testing
14.0 Learning resources
15.0 Getting practical experience.
16.0 Dealing with Cisco.
16.1 Cisco Connection Online Account
17.0 Links
18.0 Credits

Part 2 - Certifications
=======================
21.0 Q: What accreditation is offered?
22.0 Q: What is the Network Installation and Support stream?
23.0 Q: What is the Network Installation and Support (WAN) stream?
24.0 Q: What is the Network Engineering and Design stream?
25.0 Q: What is the Network Engineering and Design (WAN) stream?
26.0 Q: What is the Communications and Services stream?
27.0 Q: What are Specialist Designations?
28.0 Q: What are the Cisco Partner Specialisation Exams?
29.0 Entry Level CCNA, CCNA(WAN), CCDA
210.0 Journeyman Level CCIP, CCNP, CCNP(WAN), CCDP
211.0 Professional Level CCIE
212.0 Specializations
213.0 Spare
214.0 The Lost Exams Home
215.0 Cisco Certification Renewal Policy
216.0 Beta Exams

Part 3 - Practical Issues
=========================
31.0 Q: What is involved in a Home Laboratory?
---------------------------
31.0 Introduction
31.1 Q: What should I look for in a router?
31.2 Q: What should I look for in a switch?
31.3 Q: What sort of Lab is required for the CCNA?
31.4 Q: What sort of Lab is required for the CCNP?
31.5 Q: What sort of Lab is required for the CCIE?
31.7 Q: What would be a good lineup of equipment for a router lab?
31.8 Q: Where's the best place to buy cheap lab equipment?
31.9 Miscellaneous questions.
32.0 Router basics.
------------------------
32.1 Software
32.2 Password recovery
32.3 Connecting routers together
33.0 Switch Basics.
------------------------
34.0 Internet Basics
------------------------
34.1 Subnet Masks
34.2 CIDR and VLSM
34.3 What are the unallocated IP address blocks?
34.4 Which RFC 1918 address block should I use?
35.0 Access Lists
---------------------
35.1 What are access lists and why should I care?
35.2 Access list basics
35.3 How do I apply access lists?
35.4 Where do I apply access lists?
35.5 How are access lists evaluated?
36.0 Links
--------------

================================================================================

31.0 Home Laboratories
==========================

31.0 Introduction
---------------------
The following is really a discussion of what would be good for the exams listed in the various sections. It is difficult to be too specific about equipment types, as what ends up in a home lab will more often be a compromise between what is available at a particular time, the price you are willing to pay, what you wish to achieve and the timeframe in which study will be undertaken. I hope that this will start discussion of what is really required.

31.1 What should I look for in a router?
--------------------------------------------
31.1.1 Q: What type of LAN port(s) is the router fitted with?
A: LAN ports are either ethernet or token ring. Ethernet is preferred because most exams are ethernet based and most user equipment is ethernet based.

31.1.2 Q: What type of WAN ports is it fitted with?
A: Serial ports are preferred as they are the easiest to connect together. Integrated CSU/DSU ports are also easy to connect together. ISDN is difficult to connect together without either access to two ISDN services via a telco or an ISDN simulator.

31.1.3 What version of IOS is it fitted with?
31.1.3.1 Q: What version of IOS is it fitted with?
A: Cisco has a whitepaper, "Cisco IOS Reference Guide", available on the Cisco website for further information. Dated but highly recommended.

31.1.3.2 Q: Are there other router operating systems than IOS?
A: Some models, such as the 700 series, were acquired by purchase of the company which developed them, and the products were incorporated into the Cisco product line. These companies used proprietary operating systems which are not compatible with IOS.

31.1.3.3 Q: What is the current version of IOS?
A: The newest version of IOS is 12.2.x

31.1.4 Q: What feature set is fitted?
A: Cisco IOS is sold with various capabilities. Most routers come with IP only, which is the minimum. The other feature sets for a particular model of router enable greater functionality, such as IPX/AppleTalk in a desktop feature set and security/firewall in others. Full information on the IOS, feature set and router model is available on the Cisco site. You need a login to access this feature. Consultant access is easy to obtain and suitable for accessing this feature. Cisco has a whitepaper, "Cisco IOS Reference Guide", available on the Cisco website for further information. Dated but highly recommended.

31.1.5 Q: What quantity of Flash Memory is fitted?
A: IOS is saved into flash memory. Newer releases and enhanced feature sets usually require more flash memory. This may entail purchase of additional flash memory, or booting the IOS from a TFTP server if your intention is to upgrade IOS but not to add flash. Booting from TFTP requires additional DRAM, but DRAM is usually cheaper than flash.

31.1.6 Q: What quantity of RAM is fitted?
A: Many routers come with minimum RAM.

31.1.7 Q: What type of memory is fitted?
A: Many memory types are used in various models, with the option of parity and non-parity memory. Many router memory types are industry standard and in a lab situation can be enhanced with standard memory.

31.1.8 Q: Where can I find information on a router I am considering?
A: CCO has documentation on most equipment, current and obsolete. http://www.cisco.com

31.1.9 Q: I cannot find the model on this list?
A: When looking for information, look also at the end of life and end of sales section at the bottom of the catalogue page.

31.1.10 Q: What is End Of Sales (EOS)?
A: This is the last date that the equipment was for sale.

31.1.11 Q: What is End of Engineering (EOE)?
A: This is the last date that engineering work will be/was performed.

31.1.12 Q: What is End Of Life (EOL)?
A: This is the last date that support will be/was available from Cisco.

31.2 What should I look for in a switch?
--------------------------------------------
31.2.1 Q: What type of LAN port(s) is the switch fitted with?
A: Switches have 10 or 10/100 LAN ports. Uplink ports may be 100 Mb/s or 1 Gb/s and capable of FEC or GEC.

31.2.2 Q: What type of operating system is installed?
A: Most of the early Cisco switch models were acquired by purchasing other companies and their product lines. These have been rationalized to two types of operating system: the Cisco IOS based switches, and the "set" based operating system of the 5000 series switches.

31.2.3 Q: What version of IOS is it fitted with?
31.2.4 Q: How much memory is fitted?
31.2.5 Q:
31.2.6 Q:

31.3 Q: What sort of Lab is required for the CCNA?
------------------------------------------------------
31.3.1 Q: What is the critical requirement of the CCNA exam?
A: The critical requirement is to gain access to a router and a switch for familiarization with the router IOS and the switch OS.

31.3.2 Q: What is the Hardware required?
A: A router and a switch. The switch may be optional. The use of two routers will allow demonstration of routing table updates.

31.3.3 Q: What is required of the routers?
IOS           Support RIP, IGRP, IPX.
Feature set   Desktop feature set (IP, IPX and AppleTalk). IP only may be used, but IPX cannot then be configured.
Memory        To suit feature set.
Serial ports  One serial, two preferred. Integrated CSU/DSU also useful.
LAN ports     At least one ethernet per router.

31.3.4 Q: What is required of switches?
A: One 1900 series switch. Enterprise feature set required.

31.3.5 Q: Where can I find configuration exercises?
A: Most certification guides offer configuration exercises.

31.3.9 Q: What is a good lineup of equipment for the CCNA?
A: 800 series is *okay* for the CCNA. 2500 series is better. One will get you by, two is better. Although you need to learn the material, buying a switch for CCNA is overkill. (JRE)

31.4 Q: What sort of Lab is required for the CCNP?
------------------------------------------------------
31.4.0 Q: What are the elements of the CCNP?
A: There are four exams for the CCNP qualification. Each has different demands on equipment.

31.4.1 Q: What is required for the BSCN Exam?
-----------------------------------------------
31.4.1.1 Q: What is the critical requirement for the BSCN exam?
A: The critical element is that the IOS on the router used supports the EIGRP, OSPF and BGP routing protocols.

31.4.1.2 Q: What is the hardware required?
A: Minimum three routers; five routers is more usable.

31.4.1.3 Q: What is required of the routers?
IOS           Support EIGRP, OSPF and BGP4 routing protocols. 12.X.X preferred.
Feature set   IP only. (Lower model routers, 1600/1700 series, may require IP+.)
Memory        Enough to support the IOS and feature set employed.
Serial ports  Two on each router. One router with four serial ports is desirable.
LAN ports     Ethernet or Token Ring. At least two with ethernet is desirable.

31.4.1.4 Q: Where can I find configuration exercises?
A: "Building Scalable Cisco Networks", Paquet and Teare, Cisco Press, has a configuration in appendix "H".

31.4.2 Q: What is required for the BMSCN Exam?
------------------------------------------------
31.4.2.1 Q: What is the critical element of the BMSCN exam?
A: The critical element is the configuration of switches, trunking and HSRP.

31.4.2.2 Q: What hardware is required?
A: An IOS based switch: 1900 series, 2900XL series.
   A set based switch: 5000 series or model 2900.
   A router capable of ISL and 802.1Q trunking.

31.4.2.3 Q: What is required of the routers?
A: One Fast Ethernet port compatible with ISL and 802.1Q.

31.4.2.4 Q: What additional equipment is required?

31.4.3 Q: What is required for the BCRAN Exam?
------------------------------------------------
31.4.3.1 Q: What is the critical element of the BCRAN exam?
A: To configure remote networks using ISDN (BRI and PRI), analog modems and Frame Relay/serial links.

31.4.3.2 Q: What equipment is required?
A: Routers of the 1600/1700 series or 2500 series with ISDN BRI and serial ports.
   One router with at least four serial ports for use as a frame switch.
   Routers with PRI interfaces.
   ISDN BRI simulator or two ISDN services.
   Analog line simulator or two telephone lines.
   Modems.

31.4.3.3 Q: What is required of the routers?
IOS           12.X.X preferred. 12.2.x preferred for ISDN PRI.
Feature set   IP only.
Memory        Enough to support the IOS and feature set employed.
Serial ports  Two on each router. One router with four serial ports is desirable. Support for async desirable.
ISDN ports    Two routers with ISDN BRI.
ISDN ports    Two with ISDN PRI desirable, but not necessary.
LAN ports     Ethernet or Token Ring. At least two with ethernet is desirable.

31.4.3.4 Q: What additional equipment is required?
A: ISDN BRI simulator OR two ISDN services.
   Analog line simulator OR two analog telephone lines.

31.4.3.5 Q: Where can I find configuration exercises?
A: BCRAN certification guides.

31.4.4 Q: What is required for the CIT Exam?
----------------------------------------------
31.4.4.1 Q: What is the critical element of the CIT exam?
A: To fault-find the configurations of the earlier exams.

31.4.4.2 Q: What is the hardware required?
A: The equipment from the previous three exams. A freeware sniffer package would also be useful.

31.4.9 Q: What is a good lineup of equipment for the CCNP/DP?
A: At least three 2500 series, and a CatOS switch if you can get your hands on one (they're pricey). (JRE)

31.5 What sort of Lab is required for the CCIE?
---------------------------------------------------
31.5.9 Q: What is a good lineup of equipment for the CCIE?
CCIE: Link to Cisco's CCIE Lab equipment list.
http://www.cisco.com/warp/public/625/ccie/certifications/routing.html#45 for Routing and Switching (JRE)

I would also suggest the links
http://www.ccbootcamp.com/ccielab.htm
http://www.ccprep.com/ Look for Lab White papers (dmann)

31.7 Q: What would be a good lineup of equipment for a router lab?
----------------------------------------------------------------------
"J. R. Ford"

31.7.1
CCNA: 800 series is *okay* for the CCNA. 2500 series is better. One will get you by, two is better. Although you need to learn the material, buying a switch for CCNA is overkill.
CCNP: At least three 2500 series, and a CatOS switch if you can get your hands on one (they're pricey).
CCIE: Link to Cisco's CCIE Lab equipment list.
http://www.cisco.com/warp/public/625/ccie/certifications/routing.html#45 for Routing and Switching (JRE)

I would also suggest the links
http://www.ccbootcamp.com/ccielab.htm
http://www.ccprep.com/ Look for Lab White papers (dmann)

31.7.2 What would be a good lab?
----------------------------------
NB: the following is for discussion only.

31.7.2.1 Q: What routers are required?
1 off 700 series router.
2 off 2514 or equivalent (2501 would do, but 2514 is better).
2 off 2503 or equivalent (could be token ring 2504).
1 off 2520 or four serial port router.
1 off 262x series router (replaces the 2520 series if fitted with a NM-4A/S module).
Note: A 3600 series router would be a useful replacement for the 262x series router if configured with a fast ethernet module, multiple serial module, BRI and PRI modules (3/4 modules, not all required simultaneously). Cost is the main problem though!!!

31.7.2.2 Q: What switches are required?
1 off switch 1900EN or 2900XL.
1 off switch 5000 series or 2900 series (non-XL).

31.7.2.3 Q: What additional equipment is required?
A: Cisco serial crossover cables (or DCE/DTE pairs).
   ISDN BRI line simulator (or two ISDN services).
   Analog line simulator (or telephone lines).
   For Ethernet:
     Ethernet patch cables, crossover and straight through.
     Miscellaneous hubs.
     AUIs for routers without RJ45 connectors.
   For Token Ring:
     MSAU to connect workstations/routers.
     Media filters (9 pin "D" to shielded RJ45).
     Cables.
     Token Ring NICs.

31.8 Purchasing equipment
-----------------------------
31.8.1 Q: Where's the best place to buy cheap lab equipment?
A: IMO, start with eBay. (JRE)

31.9 General Questions
--------------------------
31.9.1 Q: What is the main requirement for CCNA/CCNP study?
A: The main requirement is for a router that uses Cisco IOS. These are the 800 series and above. The 7xx series do not use IOS and are not useful. An IOS image that supports IPX might be useful, but IP only may be all right.

31.9.2 Q: Is token ring equipment useful?
A: Token ring equipment is cheap, particularly the 2502, 2504 and 2512 routers. Usefulness depends on application.

31.9.3 Q: What are useful models of equipment?
A: The most useful models are those with at least one synchronous serial interface (805, 1005, 1601, 2501, 2503, 2514 etc). Almost as useful are those with an integral CSU/DSU, provided they are obtained in pairs or an external CSU/DSU is obtained for use with a router with a serial interface.

32.0 Router Basics
======================
As with all things Cisco, there is much information available on the Cisco Connection Online site. This includes hardware and software manuals for many models of Cisco equipment, including some not currently supported. It also includes wiring diagrams of Cisco cables. With any router query, look on the Cisco site first.

32.1 Software
-----------------
32.1.1 Q: I have blown the software on my router - how do I get another copy?
A: Cisco sells the operating software independently of the hardware. Expect to be asked to purchase a new copy. Look to auction sites such as eBay as an alternative. It is advisable to back up the IOS to a TFTP server before experimenting with it.

32.1.2 Q: The software feature I want is not supported on my router.
A: Cisco sells its operating software in various feature sets. Check the software manual for your router to see if the features are supported. Check eBay etc. to purchase an enhanced version if not.

32.2 Password Recovery
--------------------------
Q: I have lost/never had the password(s) for my router; how do I recover from this situation?
A: Search CCO - www.cisco.com - for "password recovery" and the model of equipment.

32.3 Terminals
------------------
32.3.1 Q: What do I require to connect my PC to the console port for router configuration?
A: You require a computer with a free serial communications port, a suitable RS232 cable and a suitable terminal program. Quite a few routers and switches use an RJ45 rollover cable and an appropriate adaptor (DB9/25) to connect the computer serial port to the console port on the Cisco equipment. It is not unknown for older equipment to use other cable standards.

32.3.2 Q: I find that I am unable to use the break key to interrupt the router bootup sequence.
A: There is a well-known problem with various HyperTerminal implementations not correctly implementing break. Download an update from Hilgraeve, use Terminal from Windows 3.1, or search the web for an alternative terminal emulator. You can download a number of alternatives for free, e.g. Tera Term Pro.

32.4 Q: How do I connect two routers' serial ports together?
---------------------------------------------------------------
32.4.1 Several third party cable manufacturers provide cables to connect two serial ports together with one cable. Usually both pieces of equipment must have the same connector. Findable with a web search.
32.4.2 If a direct connection cable is not available, connect together two cables for a WAN connection such as V34 or X21. You require a DTE and a DCE cable to suit the respective routers.

32.4.3 One cable end is DCE, and a serial clock must be sourced from that end. The other end is the DTE end and uses clocking from the DCE end for data transfer. Use the clock rate command on the router DCE port(s). (Internal strapping in the connector identifies to the router whether the attached cable is DTE or DCE.)

32.4.4 CSU/DSUs may be connected together using:
http://www.isp-lists.isp-planet.com/isp-tech/0007/msg01342.html

32.5 TFTP Servers
---------------------
Q: What is a good TFTP server?
A: There are various TFTP servers available on the Web. Cisco, 3Com etc. offer them and there are several others. Solarwinds offer a multithreaded TFTP server as a demonstration.

32.6 Q: How do I find out what type of cable is connected to a serial port?
-------------------------------------------------------------------------------
A: show controllers serial (x) will give the type of cable, DTE/DCE, and the clock rate.

33.0 Switch Basics
======================
As with all things Cisco, there is much information available on the Cisco Connection Online site. This includes hardware and software manuals for many models of Cisco equipment, including some not currently supported. It also includes wiring diagrams of Cisco cables. With any switch query, look on the Cisco site first.

33.1 Q: What versions of IOS are available?
33.2 Q: What are the advantages and disadvantages of IOS?
33.3
33.4

34.0 Internet Basics
========================

34.1 Subnet masks
---------------------
34.1.1 Q: What are subnet masks?
A: An IP address consists of a network portion and a host portion. The routing process works on network addresses rather than host addresses. Subnet masks are used to extract the network address from an IP address.

34.1.2 Q: How are subnet masks represented?
A: Most subnet masks are a 32 bit binary number, with bits to be matched indicated as one or zero in the appropriate location. These masks may be represented in any number system, but usually in dotted decimal format, with each group of eight bits converted to the equivalent decimal number and the groups separated by decimal points.

34.1.3 Q: What is a conventional all ones subnet mask?
A: The number 255.255.255.254 is an all ones mask - all bits to be matched except the last.

34.1.4 Q: Are inverted subnet masks used?
A: Inverted masks are also used, where a zero bit is the bit to be matched and a one bit is the bit to be ignored. Access lists and OSPF use inverted masks. 0.0.0.1 - all bits are to be matched except the last.

34.1.5 Q: What is the slash "/xx" notation?
A: This is a shorthand way of representing the number of network address bits in the subnet mask. E.g. 192.168.9.65 /26 represents a subnet mask of 255.255.255.192.
Caveat: Cisco uses this differently in the router setup script when booting with no configuration. There it represents the number of bits in excess of the default address class mask. E.g. 192.168.1.0 /3 -> 8 subnets on a class "C" network, i.e. a mask of 255.255.255.224.

34.2 CIDR and VLSM
----------------------
34.2.1 Q: What is CIDR?
A: CIDR is a suite of techniques to increase flexibility in the use of IP addresses.

34.2.2 Q: Why is CIDR required?
A: With the shortage of IPv4 addresses, organisations are no longer allocated IP addresses on the traditional address class boundaries. For example, a block of 64 addresses from a class "B" ISP block may be allocated to an organisation. That organisation's network address consists of both IP address and subnet mask, both of which must be sent in route updates.

34.2.3 Q: What is route aggregation/summarization?
A: To limit the number of routes required in internet routing tables, aggregated addresses are used.
The ISP providing the service may advertise the /28 subnet of the above example as part of the ISP's /16 (if lucky enough to have a whole /16 block). This leads to the extensive use of variable length subnet masks.

34.2.4 Q: What happens if route aggregation/summarization is not carried out correctly?
A: One or more networks may be unreachable.

34.2.5 Q: What is VLSM? (Variable Length Subnet Mask)
A: VLSM is required when the number of host addresses/networks is not the same in all the subnets in a block of IP addresses. It is used in association with an IP address to decide which network an address belongs to.

34.2.6 Q: Can I use VLSM in my network?
A: VLSM is a technique which can be used by an organisation to allocate IP addresses flexibly within its own networks.

34.2.7 Q: What is the advantage of using VLSM?
A: Classful address allocation requires a consistent subnet mask. VLSM allows the address blocks to be sized to suit what the network is used for, e.g. maximize available addresses in subnets which require a large number of hosts and minimize addresses on WAN links (/30 mask).

34.2.8 Q: What do I require to use VLSM?
A: The choice of an appropriate routing protocol. RIP version 1 and IGRP are "classful" and do not support VLSM. RIP version 2 and most other modern routing protocols can be used.

34.2.9 Q: What is the difference between CIDR and VLSM?
A: Classless Inter-Domain Routing (CIDR) uses a number of techniques to obtain flexibility in the allocation and use of IP address blocks. VLSM is one technique used to achieve this objective.

34.3 Q: Which are the unallocated IP address blocks?
--------------------------------------------------------
There are several unusable address blocks:

0.0.0.0          Has the meaning "This network". (If you see this in a routing table, it indicates a default route.)
127.0.0.0        Loopback (typically 127.0.0.1).
255.255.255.255  Broadcast - not allowed for general propagation. Used by DHCP to find the address server.

The following may also not be usable:-
128.0.0.0 - 128.0.255.255        (One Class "B") (First class "B")
191.255.0.0 - 191.255.255.255    (One Class "B") (Last class "B")
192.0.0.0 - 192.0.0.255          (One Class "C") (First class "C")
223.255.255.0 - 223.255.255.255  (One Class "C") (Last class "C")

The following are known as the RFC 1918 addresses. They are reserved for private use and are not to be forwarded outside the organisation using them without translation to a properly assigned address.
10.0.0.0      1 Class "A" block              (End 10.255.255.255)
172.16.0.0    16 Class "B" address blocks    (End 172.31.255.255)
192.168.0.0   256 Class "C" address blocks   (End 192.168.255.255)

The following allocation may not be covered by an RFC:
169.254.0.0 - 169.254.255.255   Reserved by IANA for Automatic Private IP Addressing. As a result, Automatic Private IP Addressing provides an address that is guaranteed not to conflict with routable addresses. (Win 2K) For use on Windows boxes if an address cannot be obtained via DHCP. Apple Macintosh computers may also use this address range.

34.4 Q: Which RFC 1918 address block should I use?
------------------------------------------------------
A: RFC 1918 recommends using the 10 block as it is the most scalable when adding many subnets. If you do not wish to subnet, the 172 and the 192 blocks can be used. Refer to RFC 1918. Effectively the 172 and 192 blocks are pre-subnetted. (14/254 networks)

35.0 Access Lists
=====================

35.1 What are access lists and why should I care?
-----------------------------------------------------
35.1.1 Q: What are access lists and why should I care?
A: Access lists are a means of controlling traffic flow within a network of Cisco routers. Once a network is established and traffic is flowing, it is found desirable to control what traffic is flowing and its ultimate destination. Access lists offer basic security along with traffic control.

35.2 Access list basics
---------------------------
35.2.1 Q: What types of access lists are there?
A: The two basic types of access list are Standard and Extended.

35.2.2 Q: What is the form of a Standard access list?
A: access-list [number] [permit/deny] [source address] [mask]

35.2.3 Q: What does a standard access list block?
A: A standard access list permits or denies all traffic from the address(es) specified in the statement.

35.2.4 Q: What is a typical use of a standard access list?
A: Where it is desirable to

35.2.5 Q: What is the form of an Extended access list?
A: access-list [number] [permit/deny] [protocol] [source address] [mask] [destination address] [mask] [port]

35.2.6 Q: What does an extended access list block?
A: As little or as much as is specified in the access list statement.

35.2.7 Q: Can Standard and Extended access lists be mixed?
A: Both types can be mixed.

35.2.8 Q: How many access lists can I have?
A: One per interface, per protocol, per direction.

35.2.9 Q: What is the mask?
A: The mask allows either a single address or a group of addresses to be combined in one access-list statement.

35.2.10 Q: What are the components of the mask?
A: The mask is an inverse mask, where a 0 bit requires a match and a 1 bit represents "don't care".

35.2.11 Q: What is the difference between the network mask and the access-list mask?
A: The network mask requires the subnet bits to be contiguous and in order. The wildcard mask allows any bit to be used, irrespective of bit order.

35.2.12 Q: What is the best way to derive the mask?
A: The best way is to convert the addresses to binary and derive the mask from there.
Binary representation of the numbers will give a better appreciation of the numbers being operated on. "If you start from a false assumption, you may end up at a strange destination."

35.2.14 Q: What are words with special meaning in access lists?
A: < host > has the meaning of mask 0.0.0.0 applied to the address supplied.
   < any > has the meaning of any address.

35.3 How do I apply access lists to an interface?
-----------------------------------------------------
35.3.1 Q: How do I apply access lists to an Interface?
A: Access lists are applied to a selected interface using the access-group statement.
   (config-if) access-group [number] [direction]

35.4 Where do I apply access lists?
---------------------------------------
35.4.1 Q: Where should I apply a standard access list?
A: A standard access list filters on source address only and should be applied close to the destination.

35.4.2 Q: Where should I apply an extended access list?
A: An extended access list can use both source and destination address, protocol and port to filter, and can be placed close to the source.

35.4.3 Q: I am in the real world; how does this differ?
A: In the real world you are faced with the problem that you do not have full control over source and destination. The type of access list and where it is placed will depend on a number of factors, including physical location, security, maintainability, traffic generated and company policy.

35.5 How are access lists evaluated?
----------------------------------------
35.5.1 Q: How are access lists evaluated?
A: Access lists are evaluated sequentially from top to bottom. The packet is tested against the access list statements until a match is made, and the action specified in the matching statement is performed. Once a match is made, no tests are made against the remaining statements.

35.5.2 Q: What happens when processing reaches the bottom of the list?
A: If testing reaches the bottom of the list and a match has not been made, there is an implicit deny all which causes the packet to be rejected.

35.5.2.1 Q: How else could you describe this?
A: Once a valid access list is applied to an interface, all traffic which is not permitted by an access list statement is denied.

35.5.3 Q: What effect does an access list have on router performance?
A: An access list can slow down the switching of packets within a router.

35.5.4 Q: How can this be minimised?
A: The placement of access list statements is important. Statements which affect large amounts of traffic should be placed towards the top of the access list.

35.5.5 Q: How is the order of access list statements set?
A: The statements are evaluated in the order that they are entered from the console.

35.5.6 Q: How can I change the order in which access list statements are evaluated?
A: This requires the deletion of the old access list statements and re-entering of the access-list statements in the new order.

35.5.7 Q: Is there a short cut to this process?
A: The process is:-
o Perform a show running-config command on the router.
o Locate the required access list statements in the terminal program buffer.
o Copy those statements to Notepad or a text editor.
o Eliminate the access list statements from the router configuration.
o Re-order the access list statements in Notepad.
o Copy the access list statements from Notepad.
o Paste the access list statements back into the terminal program.

35.5.8 Q: What happens if you do not eliminate the old access list statements?
A: The new access list statements are added to the bottom of the old access list statements.
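The mask arithmetic of section 34.1 and the top-to-bottom, first-match, implicit-deny evaluation of sections 35.2 and 35.5, worked through in Python as an added example (this is not code from the FAQ or from Cisco). It assumes only the standard library; the access-list lines, sample addresses and the helper names (audit, shadowed_entries, derive_wildcard) are constructed here for illustration. derive_wildcard generalises the "convert to binary" advice of 35.2.12 to any list of addresses, and shadowed_entries flags the ordering mistake that 35.5.6/35.5.7 exist to repair.

```python
"""Subnet/wildcard mask arithmetic (FAQ 34.1) and standard access-list
evaluation (FAQ 35.2, 35.5). Every address and access-list line below is a
constructed sample, not taken from any real configuration."""
from ipaddress import IPv4Address, IPv4Network

ALL_ONES = 0xFFFFFFFF

def prefix_to_mask(prefix):
    """/xx notation to dotted decimal: /26 -> 255.255.255.192 (34.1.5)."""
    return str(IPv4Network(f"0.0.0.0/{prefix}").netmask)

def mask_to_wildcard(mask):
    """Invert a subnet mask into the access-list/OSPF 'don't care' form:
    255.255.255.254 -> 0.0.0.1 (34.1.3, 34.1.4)."""
    return str(IPv4Address(int(IPv4Address(mask)) ^ ALL_ONES))

def network_of(address, prefix):
    """Extract the network portion by ANDing address with mask (34.1.1)."""
    return str(IPv4Network(f"{address}/{prefix}", strict=False).network_address)

def derive_wildcard(addresses):
    """35.2.12: derive one address/wildcard pair covering all the addresses.
    Bits identical in every address must match (0); bits that differ become
    don't-care (1) and need not be contiguous (35.2.11). Also returns how
    many addresses the pair matches, so any over-matching is visible."""
    ints = [int(IPv4Address(a)) for a in addresses]
    differ = 0
    for n in ints[1:]:
        differ |= ints[0] ^ n
    base = ints[0] & ~differ & ALL_ONES
    matched = 2 ** bin(differ).count("1")
    return str(IPv4Address(base)), str(IPv4Address(differ)), matched

def matches(address, entry_address, wildcard):
    """A source matches when every must-match (0) wildcard bit agrees."""
    a, e, w = (int(IPv4Address(x)) for x in (address, entry_address, wildcard))
    return (a | w) == (e | w)

def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny <source> [wildcard]' lines in the
    order entered (35.5.5), with the 'host' and 'any' keywords of 35.2.14.
    A missing wildcard means 0.0.0.0, i.e. a single host."""
    entries = []
    for line in lines:
        parts = line.split()
        action, spec = parts[2], parts[3:]
        if spec[0] == "any":
            entries.append((action, "0.0.0.0", "255.255.255.255"))
        elif spec[0] == "host":
            entries.append((action, spec[1], "0.0.0.0"))
        else:
            wildcard = spec[1] if len(spec) > 1 else "0.0.0.0"
            entries.append((action, spec[0], wildcard))
    return entries

def evaluate(entries, source):
    """35.5.1/35.5.2: test top to bottom, first match wins, implicit deny at
    the end. Returns (action, 1-based entry number) or ("deny", None)."""
    for number, (action, addr, wc) in enumerate(entries, start=1):
        if matches(source, addr, wc):
            return action, number
    return "deny", None

def shadowed_entries(entries):
    """Entry numbers that can never match because an earlier entry already
    covers everything they describe: the ordering mistake 35.5.6/35.5.7 fix."""
    parsed = [(int(IPv4Address(a)), int(IPv4Address(w))) for _, a, w in entries]
    shadowed = []
    for j, (aj, wj) in enumerate(parsed):
        for ai, wi in parsed[:j]:
            # j is covered by i when j's don't-care bits are a subset of i's
            # and both agree on every bit that i insists on matching.
            if (wj & ~wi) == 0 and (aj | wi) == (ai | wi):
                shadowed.append(j + 1)
                break
    return shadowed

def audit(lines, sources):
    """Decision for each source, plus the shadowed entry numbers."""
    entries = parse_standard_acl(lines)
    return {s: evaluate(entries, s) for s in sources}, shadowed_entries(entries)

# Constructed sample: the 'deny host' was entered below a permit that already
# covers 192.168.9.0 - 192.168.9.63, so it is shadowed and 192.168.9.7 passes.
ACL_AS_ENTERED = [
    "access-list 10 permit 192.168.9.0 0.0.0.63",
    "access-list 10 deny host 192.168.9.7",
    "access-list 10 permit host 172.16.1.1",
]
# The same statements re-entered in the order 35.5.7 describes.
ACL_REORDERED = [ACL_AS_ENTERED[1], ACL_AS_ENTERED[0], ACL_AS_ENTERED[2]]
```

Running audit() on both lists shows the same three statements permitting or denying 192.168.9.7 purely on order, and 10.1.1.1 falling through to the implicit deny in both.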
36.0 Links
==============

36.1 Cisco Links
---------------------
RFCs
ftp://ftpeng.cisco.com/fred/rfc-index/rfc.html

Configuration Fundamentals Command Reference (11.3)
http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/fun_r/index.htm (watch line wrap)

Internetwork Design Guide
http://www.cisco.com/univercd/cc/td/doc/cisintwk/idg4/index.htm

Internetwork Case Studies
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/index.htm

Internetwork Technology Overview
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/index.htm

Sniffing FAQ
http://www.robertgraham.com/pubs/sniffing-faq.html

IANA Home Page
http://www.iana.org/

IETF Home Page
http://www.ietf.org/

I have no objection to this FAQ being posted on other sites. I only ask that the claim of copyright not be deleted, that the FAQ be posted in its entirety, and that it be updated as this FAQ is updated.

>>>---- End Of Part 3 of 3 ---<<<