Route My World!

A CCNA/CCNP Blog

Archive for June, 2008

And all is right with the (blog) world…

Posted by Aragoen Celtdra on 19th June 2008

It keeps getting better

Posted in General | 1 Comment »

ICND2 OECG Chapter 6: IP ACLs

Posted by Aragoen Celtdra on 17th June 2008

  • Cisco first introduced numbered ACLs in the late 1980s
  • With IOS 11.2, named ACLs were introduced
  • With IOS 12.3, the ability to edit existing ACLs was improved

Standard IP Access Control Lists

IP Standard ACL Concepts

  • IP ACLs filter traffic based on criteria defined by a network engineer
  • A standard ACL examines only the source IP address
  • Other uses
    • Filter routing updates
    • Match packets for prioritization
    • Match packets for VPN tunneling
    • Match packets for QoS implementation
    • Used as part of NAT configuration
  • To filter packets, an engineer needs to consider:
    • Which packets to filter
    • Where on the network to place the filter
  • An ACL’s filtering logic applies to packets either as they enter an interface or as they exit one.
    • So to find where to put the ACL, decide which router to apply it on, and then decide whether to apply it on that router’s incoming interface or its outgoing interface.
  • ACL key features:
    • Filter packets as they enter an interface
    • Filter packets as they exit an interface
    • Use deny to filter a packet
    • Use permit to allow a packet
    • Create an access list to configure the filtering logic
    • At the end of every access list, there is an implied “deny all traffic” statement. Therefore a packet is blocked if it doesn’t match any statement of the access list.
  • Matching and Action
    • Each packet that traverses an interface with the ACL applied is examined and compared to the statements in the access-list commands.
    • If a statement matches the packet, the ACL tells the router what to do with it: either deny the packet and discard it, or permit the packet and let it through.
  • Access Control Lists
    • A list of multiple entries that received packets are compared against.
    • The entries are checked sequentially until the first statement is matched.
    • If no match is made, the deny action is performed

Wildcard Masks

  • The configuration of an IP ACL lets the router decide whether to match the whole IP address or just part of it.
    • That is, you can define a specific IP address to be matched (such as 10.2.11.10) or specify that all hosts on a subnet should match (such as all hosts in subnet 10.2.11.0)
  • The wildcard mask decides which part of the address is examined. It plays a role similar to a subnet mask, but works differently: a 0 bit in the wildcard mask tells the router that the corresponding bit of the address must match, and a 1 bit tells the router to ignore that bit of the address.
    • For example, a wildcard mask of 0.0.0.255 tells the router to examine the first 24 bits for matching and ignore the last 8 bits.
    • 0.0.15.255 (00000000.00000000.00001111.11111111) tells the router to match the first 20 bits and ignore the last 12.
    • 0.0.15.255 is the wildcard mask to match a whole subnet with subnet mask 255.255.240.0. To get the wildcard value, simply invert the binary 1s and 0s of the subnet mask. That is, 255.255.240.0 (11111111.11111111.11110000.00000000) inverted yields 0.0.15.255 (00000000.00000000.00001111.11111111)

A Quicker Alternative for Interpreting Wildcard Masks

  • Use the subnet number as the address value in the access-list command.
  • Use a wildcard mask found by subtracting the subnet mask from 255.255.255.255:

    255.255.255.255
  - 255.255.240.  0
  -----------------
      0.  0. 15.255

  • To find the subnet mask from the wildcard mask, just reverse the calculation:

    255.255.255.255
  -   0.  0. 15.255
  -----------------
    255.255.240.  0

Standard IP Access List Configuration

  • The syntax to configure a standard IP ACL:
    • access-list access-list-number {deny | permit} source [source-wildcard]
  • You can configure a series of access-list commands using the same number. The access list statements will be added in the list in the same order that they are configured into the router.
  • The number range for ACLs is 1 to 99 and 1300 to 1999.
  • Standard ACLs should be placed near the destination of the packets.
  • Configure one or more access-list global commands to create the ACL.
  • The list is searched sequentially. If the packet matches an entry in the list, the search is done, and later statements are not examined even if a subsequent statement would also have matched the packet.
  • If the packet does not match anything on the list, the packet is discarded (deny).
  • To enable the ACL, configure the interface subcommand:
    • ip access-group number {in | out}

Standard IP ACL: Example

interface Ethernet0
ip address 172.16.1.1 255.255.255.0
ip access-group 1 out
!
access-list 1 remark stop all traffic whose source IP is 172.16.3.10
access-list 1 deny 172.16.3.10 0.0.0.0
access-list 1 permit 0.0.0.0 255.255.255.255

  • The output of the above configuration changes slightly in IOS when the show running-config command is issued.

interface Ethernet0
ip address 172.16.1.1 255.255.255.0
ip access-group 1 out
!
access-list 1 remark stop all traffic whose source IP is 172.16.3.10
access-list 1 deny host 172.16.3.10
access-list 1 permit any

  • Notice the changes IOS makes to the output (highlighted in the original formatting): host 172.16.3.10 replaces 172.16.3.10 0.0.0.0, and any replaces 0.0.0.0 255.255.255.255. That is the newer style of configuration versus the older style used in the original example.
  • You can pick any ACL number from 1-99 and 1300-1999 to represent the list. In this example we simply used ACL number 1.
  • The access-list commands are global configuration commands
  • The ip access-group command is enabled on interface ethernet0 and is applied in the outbound direction of the interface (as packets leave e0).
  • We can refer to this access list as ACL 1.
  • The logic denies the single host 172.16.3.10 (every bit is matched, because the wildcard is 0.0.0.0) from going out of the interface.
  • The last statement permits all other source addresses: the wildcard 255.255.255.255 ignores every bit, so any address matches 0.0.0.0.
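The wildcard-mask arithmetic and the first-match, implicit-deny evaluation described in the two sections above, as an added worked example in Python (not code from the original post, and not how IOS is implemented internally). It parses only the subset of access-list syntax shown on this page, in both the typed and the IOS-rewritten style; ACL 2 is a constructed input that shows the implicit deny at the end of a list.

```python
"""Standard IP ACL evaluation with wildcard masks (added example, not from the original post)."""
import ipaddress


def ip_to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def int_to_ip(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_mask(subnet_mask: str) -> str:
    """255.255.255.255 minus the subnet mask, i.e. every bit inverted (255.255.240.0 -> 0.0.15.255)."""
    return int_to_ip(0xFFFFFFFF - ip_to_int(subnet_mask))


def mask_from_wildcard(wildcard: str) -> str:
    """The reverse calculation: 255.255.255.255 minus the wildcard (0.0.15.255 -> 255.255.240.0)."""
    return int_to_ip(0xFFFFFFFF - ip_to_int(wildcard))


def wildcard_match(address: str, entry_address: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard means the corresponding address bit must be equal; a 1 bit is ignored."""
    care_bits = 0xFFFFFFFF ^ ip_to_int(wildcard)
    return (ip_to_int(address) & care_bits) == (ip_to_int(entry_address) & care_bits)


def parse_standard_acl(lines):
    """Parse 'access-list N {permit|deny} source [wildcard]' lines.

    Accepts the 'host a.b.c.d' and 'any' shorthand that IOS writes into the running
    configuration, and skips remark lines. Returns a list of (action, address, wildcard).
    """
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        action = parts[2]
        if parts[3] == "any":
            address, wildcard = "0.0.0.0", "255.255.255.255"
        elif parts[3] == "host":
            address, wildcard = parts[4], "0.0.0.0"
        else:
            address = parts[3]
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"  # omitted wildcard means exact host
        entries.append((action, address, wildcard))
    return entries


def evaluate_standard_acl(entries, source_ip: str) -> str:
    """Walk the list top to bottom; the first matching entry decides. No match means the implicit deny."""
    for action, address, wildcard in entries:
        if wildcard_match(source_ip, address, wildcard):
            return action
    return "deny"


# Constructed sample input: ACL 1 from the example above, in the style typed in and in the style
# IOS shows back, plus a constructed ACL 2 that permits a single /20 to show the implicit deny.
ACL_1_TYPED = [
    "access-list 1 remark stop all traffic whose source IP is 172.16.3.10",
    "access-list 1 deny 172.16.3.10 0.0.0.0",
    "access-list 1 permit 0.0.0.0 255.255.255.255",
]
ACL_1_SHOWN = [
    "access-list 1 remark stop all traffic whose source IP is 172.16.3.10",
    "access-list 1 deny host 172.16.3.10",
    "access-list 1 permit any",
]
ACL_2 = ["access-list 2 permit 10.2.0.0 0.0.15.255"]  # 10.2.0.0/20 and nothing else

if __name__ == "__main__":
    for src in ("172.16.3.10", "172.16.3.11"):
        print(src, evaluate_standard_acl(parse_standard_acl(ACL_1_TYPED), src),
              evaluate_standard_acl(parse_standard_acl(ACL_1_SHOWN), src))
    print("wildcard for 255.255.240.0:", wildcard_from_mask("255.255.240.0"))
    for src in ("10.2.15.1", "10.2.16.1"):
        print(src, "against ACL 2:", evaluate_standard_acl(parse_standard_acl(ACL_2), src))
```

Both styles of ACL 1 parse to the same two entries, which is why IOS can rewrite one into the other without changing behaviour. ACL 2 permits 10.2.15.1 but denies 10.2.16.1: the third octet 16 differs from 0 in a bit the wildcard 0.0.15.255 does not ignore, so the only statement fails and the implicit deny applies.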

Extended IP Access Control Lists

Extended IP ACL Concepts

  • As opposed to a standard IP ACL, which can only match the source IP address or a portion of it using a wildcard mask, an extended IP access control list can match:
    • Destination IP address
    • Portion of the destination IP using wildcard mask
    • Protocol type (TCP, UDP, ICMP, IGRP, IGMP, and others)
    • Source Port
    • Destination Port
    • All TCP flows except the first
    • IP TOS
    • IP Precedence

Matching TCP and UDP Port Numbers

  • The access-list command must use the protocol keyword tcp to be able to match TCP ports and the udp keyword to match UDP ports. The ip keyword does not allow port numbers to be matched.
  • The source port and destination port parameters on the access-list command are positional, meaning that their position in the command determines whether the parameter examines the source or the destination port.
  • ACLs can match packets sent to a server by comparing the destination port to the well-known port number, but ACLs need to match the source port for packets sent by the server.

Extended IP ACL Configuration

  • Extended ACLs should be placed as close to the source of the packets being filtered as possible.
  • The command can use numbers between 100 and 199 and between 2000 and 2699.
  • Operators that can be used with the commands:
    • eq: equal to
    • neq: not equal to
    • lt: less than
    • gt: greater than
    • range: range of port numbers
  • Command syntax (the port parameters are optional; each consists of an operator followed by a port number):
    • access-list access-list-number {deny | permit} protocol source-ip [source-port] dest-ip [dest-port]
    • access-list 101 deny tcp any gt 1023 host 10.1.1.1 eq 23

Advances in Managing ACL Configuration

Named IP Access Lists

  • Introduced with IOS version 11.2
  • Instead of numbers, named words are used to identify the ACLs
  • With the introduction of named ACLs also came the ability to delete individual lines in a named IP access list. (Eventually, IOS 12.3 also allowed individual lines of numbered lists to be deleted.)
  • Before IOS 12.3, deleting a single line of a numbered ACL deleted the whole list. Named ACLs do not have this problem.
  • Two important configuration differences between old-style numbered ACLs and the newer named access lists:
    • The global command used for a named access list puts the user in a named IP access list submode. From there the matching permit/deny logic is configured.
    • The second is that when a named statement is deleted, only that statement is deleted, not the whole list.
    • Example configuration:

Router(config)#ip access-list extended barney
Router(config-ext-nacl)#permit tcp host 10.1.1.2 eq www any
Router(config-ext-nacl)#deny udp host 10.1.1.1 10.1.2.0 0.0.0.255
Router(config-ext-nacl)#deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255

Editing ACLs Using Sequence Numbers

  • Before IOS 12.3, in order to delete a single line of a numbered ACL, you had to delete the entire access list. This caused a lot of issues because of the steps involved: you had to remove the ACL from any interfaces that use it, delete the ACL, reconfigure the ACL, then enable it again on the pertinent interfaces.
  • With named ACLs (introduced in IOS 11.2) the engineer is allowed to delete a single line from an ACL.
    • One drawback is that you were not allowed to insert a new permit or deny statement in the middle of the list. Any new commands were added to the end of the list.
  • With IOS 12.3, the sequence number feature was added. This applies to both named and numbered ACLs.
    • This feature adds a sequence number to each permit or deny statement, representing that statement’s position in the ACL.
    • More features:
      • A single ACL statement can be deleted from the list simply by referencing its sequence number, leaving the rest of the list intact
      • Any new permit or deny statement can be configured with a sequence number that tells IOS where to place the statement.
      • If a new statement is added without a sequence number, IOS gives it a sequence number and automatically places it at the end of the list.
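Extended ACL matching with positional port operators (the Matching TCP and UDP Port Numbers and Extended IP ACL Configuration sections above), together with the sequence-number editing just described, as one added example in Python. This is not code from the original post: the Entry and ExtendedACL classes and the packet dictionaries are a constructed model of the IOS behaviour the notes describe, and the step-of-10 numbering for statements added without a sequence number is an assumption made for the model.

```python
"""Extended IP ACL matching and sequence-number editing (added example, not from the original post)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def wildcard_match(address: str, entry_address: str, wildcard: str) -> bool:
    """Bits that are 0 in the wildcard must be equal; bits that are 1 are ignored."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(address)) & care) == (int(ipaddress.IPv4Address(entry_address)) & care)


def port_match(operator: Optional[Tuple], port: int) -> bool:
    """operator is None (no port test) or a tuple such as ("eq", 23), ("gt", 1023) or ("range", 20, 21)."""
    if operator is None:
        return True
    name, *args = operator
    if name == "eq":
        return port == args[0]
    if name == "neq":
        return port != args[0]
    if name == "lt":
        return port < args[0]
    if name == "gt":
        return port > args[0]
    if name == "range":
        return args[0] <= port <= args[1]
    raise ValueError(f"unknown operator {name}")


ANY = ("0.0.0.0", "255.255.255.255")


def host(ip: str) -> Tuple[str, str]:
    return (ip, "0.0.0.0")


@dataclass
class Entry:
    seq: int                      # 0 = no sequence number given on the command line
    action: str                   # "permit" or "deny"
    protocol: str                 # "ip", "tcp", "udp", "icmp"
    src: Tuple[str, str]          # (address, wildcard); parameters are positional:
    dst: Tuple[str, str]          # source, source port, destination, destination port
    src_port: Optional[Tuple] = None
    dst_port: Optional[Tuple] = None

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "ip" and self.protocol != pkt["protocol"]:
            return False
        if not (wildcard_match(pkt["src"], *self.src) and wildcard_match(pkt["dst"], *self.dst)):
            return False
        if self.protocol in ("tcp", "udp"):   # only tcp and udp entries can test ports
            return port_match(self.src_port, pkt.get("sport", 0)) and port_match(self.dst_port, pkt.get("dport", 0))
        return True


@dataclass
class ExtendedACL:
    entries: List[Entry] = field(default_factory=list)   # kept sorted by sequence number

    def add(self, entry: Entry) -> None:
        """No sequence number: append at the end (modelled as steps of 10). With one: place it there."""
        if entry.seq == 0:
            entry.seq = self.entries[-1].seq + 10 if self.entries else 10
        elif any(e.seq == entry.seq for e in self.entries):
            raise ValueError(f"sequence number {entry.seq} already in use")
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e.seq)

    def delete(self, seq: int) -> None:
        """Remove only the referenced statement; the rest of the list stays intact."""
        self.entries = [e for e in self.entries if e.seq != seq]

    def sequence_numbers(self) -> List[int]:
        return [e.seq for e in self.entries]

    def evaluate(self, pkt: dict) -> str:
        for e in self.entries:          # first match wins
            if e.matches(pkt):
                return e.action
        return "deny"                   # implicit deny at the end of every ACL


def build_acl_101() -> ExtendedACL:
    """Constructed list: the example statement above, followed by 'permit ip any any'."""
    acl = ExtendedACL()
    acl.add(Entry(0, "deny", "tcp", ANY, host("10.1.1.1"), src_port=("gt", 1023), dst_port=("eq", 23)))
    acl.add(Entry(0, "permit", "ip", ANY, ANY))
    return acl


if __name__ == "__main__":
    acl = build_acl_101()
    telnet = {"protocol": "tcp", "src": "10.5.5.5", "dst": "10.1.1.1", "sport": 40000, "dport": 23}
    print(acl.sequence_numbers(), acl.evaluate(telnet))          # [10, 20] deny
    acl.add(Entry(5, "permit", "tcp", host("10.5.5.5"), host("10.1.1.1"), dst_port=("eq", 23)))
    print(acl.sequence_numbers(), acl.evaluate(telnet))          # [5, 10, 20] permit
    acl.delete(5)
    print(acl.sequence_numbers(), acl.evaluate(telnet))          # [10, 20] deny
```

Inserting the exception for 10.5.5.5 at sequence 5 changes the result for that host without touching the other two statements, and deleting sequence 5 restores the original behaviour; before sequence numbers the same change would have meant rebuilding the whole list.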

Miscellaneous ACL Topics

Controlling Telnet and SSH Access with ACLs

ACL Implementation Considerations

Reflexive Access Lists

Dynamic ACLs

Time-Based ACLs

Posted in CCNA Basics, CCNA Notes, IP ACL | No Comments »

Live to Fight Another Day

Posted by Aragoen Celtdra on 16th June 2008

The Lakers won last night in another tense game. The more I watch them play, the more I feel like they don’t deserve the trophy. For two nights in a row, they go up by 20 points against the Celtics only to give up the lead late in the game… again. I feel like they are just prolonging the inevitable – losing the championship to the Celtics. As a fan, I obviously want to see them win. But a big part of me is very doubtful.

I’ll be taking my ICND2 test in 2 weeks. But just like the Lakers, I’ve hit the books strong for the last 3 months and taken very detailed notes. And the last couple of days, I feel uninspired. Something must’ve gone wrong in the process because I now feel doubtful about passing this test come June 28th. The last few days it has been incredibly difficult to focus. I pretty much wasted a huge portion of my free time over the weekend not studying. I did study, but not as much as I could’ve. I took a good number of Boson exam prep questions and I was seriously tested. I was able to answer a good majority of them, but I’m afraid I might run out of time on the exam like I did with the last test. I’m still very slow with subnetting. I’m pretty competent with my subnetting but I’m still slow. I rarely make mistakes on it, but that’s because I check and double check and triple check my subnetting math. I can say that I’m starting to feel the “second nature” skills start to come through, but it’s still in its infancy. I need to start trusting my abilities; otherwise that might prove to be my downfall in the exam. The last exam I took (ICND1) finished with 2 remaining questions unanswered. I still passed because of my strong performance in the beginning – similar to what the Lakers did last night. But I need to be sure I will pass this coming test with solid and undeniable results.

I guess we’ll see. This weekend has passed, so I now have today and the rest of the coming days to get better prepared.

Posted in Aragoen's Musing, General | No Comments »

ICND2 OECG Chapter 5: VLSM and Route Summarization

Posted by Aragoen Celtdra on 15th June 2008

VLSM

  • Variable-length subnet masking (VLSM) – using more than one mask in a single classful network.
  • An example would be an internetwork that uses the following IP scheme:
    • 10.1.4.0/30 on serial interfaces
    • 10.1.5.0/30 on serial interfaces
    • 10.1.6.0/24 on LAN interfaces
    • 10.1.7.0/24 on LAN interfaces
  • Some routing protocols that support VLSM (which also implies that they send the mask in the routing updates):
    • RIP-2
    • EIGRP
    • OSPF

Overlapping VLSM Subnet

  • With VLSM, careless planning can create overlapping subnets.
  • To verify correct IP addressing and the absence of overlapping subnets, use the following steps:
    1. Find the range of IP addresses for each subnet by calculating the subnet number and subnet broadcast address.
    2. Compare the ranges of addresses and make sure there is no overlap.

Designing a Subnetting Scheme Using VLSM

Example:

Create an IP addressing scheme for the following network, given the Class C network 204.15.5.0/24, satisfying the requirements for the number of hosts. Use VLSM to develop the subnetting scheme.

NetA: must support 14 hosts
NetB: must support 28 hosts
NetC: must support 2 hosts
NetD: must support 7 hosts
NetE: must support 28 hosts

First determine the mask needed to satisfy the required number of hosts for each network.

NetA: requires a /28 (255.255.255.240) mask to support 14 hosts (24 Network bits, 4 subnet bits, 4 host bits gives you at least 14 hosts)
NetB: requires a /27 (255.255.255.224) mask to support 28 hosts (24 N-bits, 3 S-bits, and 5 host bits gives you at least 24 hosts)
NetC: requires a /30 (255.255.255.252) mask to support 2 hosts
NetD: requires a /28 (255.255.255.240) mask to support 7 hosts
NetE: requires a /27 (255.255.255.224) mask to support 28 hosts

Start assigning subnet numbers with the largest subnet first (the one with the smallest number of subnet bits)

NetB: 204.15.5.0/27 host address range 1 to 30
NetE: 204.15.5.32/27 host address range 33 to 62
NetA: 204.15.5.64/28 host address range 65 to 78
NetD: 204.15.5.80/28 host address range 81 to 94
NetC: 204.15.5.96/30 host address range 97 to 98
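The VLSM design procedure above (mask from host count, then largest subnet first), automated as an added Python example that is not code from the original post; it also performs the two-step overlap check from the Overlapping VLSM Subnet section. REQUIREMENTS is the constructed input taken from the worked example, and parse_plan() lets an existing design be checked the same way.

```python
"""VLSM subnet allocation, largest first, plus an overlap check (added example, not from the original post)."""
import ipaddress
from typing import Dict, List, Tuple


def prefix_for_hosts(hosts: int) -> int:
    """Smallest prefix whose usable host count (2**host_bits - 2) covers the requirement."""
    host_bits = 2                                   # a /30 is the smallest subnet with 2 usable hosts
    while 2 ** host_bits - 2 < hosts:
        host_bits += 1
    return 32 - host_bits


def usable_hosts(prefix: int) -> int:
    return 2 ** (32 - prefix) - 2


def allocate_vlsm(network: str, requirements: Dict[str, int]) -> Dict[str, ipaddress.IPv4Network]:
    """Assign one subnet per requirement from `network`, largest subnet (shortest prefix) first.

    Python's sort is stable, so networks needing the same prefix keep the order they were
    listed in, which reproduces the worked example above (NetB, NetE, NetA, NetD, NetC).
    """
    pool = ipaddress.ip_network(network)
    ordered = sorted(requirements.items(), key=lambda item: prefix_for_hosts(item[1]))
    cursor = int(pool.network_address)
    result: Dict[str, ipaddress.IPv4Network] = {}
    for name, hosts in ordered:
        prefix = prefix_for_hosts(hosts)
        size = 2 ** (32 - prefix)
        if cursor % size:                           # a subnet number must be a multiple of its size
            cursor += size - cursor % size          # (never triggers with largest-first order)
        subnet = ipaddress.ip_network((cursor, prefix))
        if not subnet.subnet_of(pool):
            raise ValueError(f"{network} has no room left for {name} (/{prefix})")
        result[name] = subnet
        cursor += size
    return result


def host_range(subnet: ipaddress.IPv4Network) -> Tuple[str, str]:
    """First and last usable host addresses: the subnet number and broadcast are excluded."""
    return str(subnet.network_address + 1), str(subnet.broadcast_address - 1)


def parse_plan(cidrs: Dict[str, str]) -> Dict[str, ipaddress.IPv4Network]:
    """Turn {"NetX": "10.1.0.0/23"} into network objects so an existing design can be checked."""
    return {name: ipaddress.ip_network(cidr) for name, cidr in cidrs.items()}


def overlapping_pairs(subnets: Dict[str, ipaddress.IPv4Network]) -> List[Tuple[str, str]]:
    """Step 1 (each subnet's range) is implied by the network object; step 2 compares every pair.
    Returns the names of any pairs whose address ranges overlap."""
    names = list(subnets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:] if subnets[a].overlaps(subnets[b])]


# Constructed input: the host requirements from the example above.
REQUIREMENTS = {"NetA": 14, "NetB": 28, "NetC": 2, "NetD": 7, "NetE": 28}

if __name__ == "__main__":
    plan = allocate_vlsm("204.15.5.0/24", REQUIREMENTS)
    for name, subnet in plan.items():
        first, last = host_range(subnet)
        print(f"{name}: {subnet}  host address range {first} to {last}")
    print("overlaps in plan:", overlapping_pairs(plan))
    print("overlaps in a bad design:", overlapping_pairs(parse_plan({"X": "10.1.0.0/23", "Y": "10.1.1.0/24"})))
```

The alignment check inside allocate_vlsm is what a smallest-first order would trip over: a /27 placed after a /30 at 204.15.5.4 would have to skip ahead to the next multiple of 32, wasting space, which is why the procedure assigns the largest subnets first.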

Adding a New Subnet to an Existing Design

VLSM Configuration

  • VLSM cannot be enabled or disabled on a router. Instead, it is used by configuring at least two IP addresses on interfaces with addresses in the same classful network but with different subnet masks.
  • Support for VLSM by routing protocols is not enabled or disabled either. It is simply a property inherent to the routing protocol

Manual Route Summarization

  • Reduces the size of the routing table by aggregating a group of routes into a single route that is advertised to the other routers. As a result, packets are routed faster and less processing power is consumed.
  • Needs to be configured in order for it to occur
  • To manually configure a summary route with EIGRP (or RIP v2), use the interface subcommand ip summary-address:

R1(config-if)#ip summary-address eigrp 1 10.2.0.0 255.255.0.0

R2(config-if)#ip summary-address eigrp 1 10.3.0.0 255.255.0.0

Route Summarization Strategies

The following example illustrates a method of summarizing a group of subnets.

10.3.4.0/24
10.3.5.0/24
10.3.6.0/24
10.3.7.0/24

  1. Convert the addresses to binary
  2. Find all the bits that are common to every address, working from left to right
  3. Convert the common bits back to decimal, and set all the remaining bits to zero.
  4. The number of common bits is the prefix length of the summary route’s subnet mask

10.3.4.0: 00001010 00000011 000001|00 00000000
10.3.5.0: 00001010 00000011 000001|01 00000000
10.3.6.0: 00001010 00000011 000001|10 00000000
10.3.7.0: 00001010 00000011 000001|11 00000000

The bits to the left of the bar (shown in red in the original post) are the common bits. When the common bits are converted back to decimal, with the remaining bits set to zero, the end result is 10.3.4.0. This is the summary subnet.

To calculate the mask, count the common bits. There are 22 bits. Therefore the summary route is 10.3.4.0/22, or subnet mask 255.255.252.0.
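The four-step summarization procedure above, as an added Python example that is not code from the original post. summarize() applies the steps to any list of subnets (it goes slightly beyond the text by capping the common-bit count at the shortest member prefix, so a single /24 summarizes to itself), binary_table() reproduces the bit display with a bar in place of the red colour, and summary_excess() shows the address space a summary advertises beyond the subnets actually listed, which is the trade-off to keep in mind when a group is not a full power-of-two block.

```python
"""Manual route summarization by common leading bits (added example, not from the original post)."""
import ipaddress
from typing import List


def to_binary(dotted: str) -> str:
    """Step 1: dotted decimal to a 32-character bit string."""
    return format(int(ipaddress.IPv4Address(dotted)), "032b")


def common_prefix_length(subnets: List[str]) -> int:
    """Step 2: count the leading bits shared by every subnet number, capped at the shortest
    prefix in the list so the summary is never more specific than one of its members."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    bits = [to_binary(str(n.network_address)) for n in nets]
    common = 0
    while common < 32 and len({b[common] for b in bits}) == 1:
        common += 1
    return min(common, min(n.prefixlen for n in nets))


def summarize(subnets: List[str]) -> ipaddress.IPv4Network:
    """Steps 3 and 4: keep the common bits, zero the rest, and use the count as the prefix length."""
    common = common_prefix_length(subnets)
    first = to_binary(str(ipaddress.ip_network(subnets[0]).network_address))
    summary_bits = first[:common] + "0" * (32 - common)
    return ipaddress.ip_network((int(summary_bits, 2), common))


def binary_table(subnets: List[str]) -> List[str]:
    """One line per subnet, octets separated by spaces and a bar after the common bits."""
    common = common_prefix_length(subnets)
    cut = common + common // 8           # account for the spaces between octets
    rows = []
    for s in subnets:
        b = to_binary(str(ipaddress.ip_network(s).network_address))
        grouped = " ".join(b[i:i + 8] for i in range(0, 32, 8))
        rows.append(f"{s}: {grouped[:cut]}|{grouped[cut:]}")
    return rows


def summary_excess(subnets: List[str]) -> int:
    """Addresses the summary covers that none of the listed (non-overlapping) subnets own."""
    owned = sum(ipaddress.ip_network(s).num_addresses for s in subnets)
    return summarize(subnets).num_addresses - owned


# Constructed input: the four subnets from the example above.
FOUR_SUBNETS = ["10.3.4.0/24", "10.3.5.0/24", "10.3.6.0/24", "10.3.7.0/24"]

if __name__ == "__main__":
    print("\n".join(binary_table(FOUR_SUBNETS)))
    summary = summarize(FOUR_SUBNETS)
    print("summary:", summary, "mask", summary.netmask, "excess addresses:", summary_excess(FOUR_SUBNETS))
    five = FOUR_SUBNETS + ["10.3.8.0/24"]
    print("with 10.3.8.0/24 added:", summarize(five), "excess addresses:", summary_excess(five))
```

Adding 10.3.8.0/24 to the group drops the common-bit count to 20, so the summary becomes 10.3.0.0/20 and advertises 2816 addresses (10.3.0.0 to 10.3.3.255 and 10.3.9.0 to 10.3.15.255) that the five subnets do not actually contain; a router announcing that summary will attract traffic for those ranges.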

Autosummarization

  • Autosummarization, by definition, only allows summarization such that the summary route is an entire classful class A, B, or C network.
    • Manual route summarization, by contrast, is supported only by classless routing protocols, because it requires the subnet mask to be carried in the routing protocol’s updates.
  • Requires networks to be contiguous in order for autosummarization to work properly.
  • It occurs automatically without any specific configuration
  • RIP v1 cannot perform manual route summarization because it is a classful routing protocol.

Discontiguous Network

  • A discontiguous network is a classful network in which packets sent between a pair of its subnets have to pass through a different classful network. For example, a packet sent from 10.2.0.0 must pass through a 172.16.0.0 network to get to network 10.3.0.0.
    • 10.2.0.0 —— 172.16.0.0 —— 10.3.0.0
    • Autosummarization causes a problem on a discontiguous network.

Classful and Classless Defaults

Routing Protocol   Classless?   Sends Mask in Update   Supports VLSM   Supports Manual Route Summarization
RIP-1              No           No                     No              No
RIP-2              Yes          Yes                    Yes             Yes
EIGRP              Yes          Yes                    Yes             Yes
OSPF               Yes          Yes                    Yes             Yes

Routing Protocol   Supports Autosummarization   Defaults to Use Autosummarization   Can Disable Autosummarization
RIP-1              Yes                          Yes                                 No
RIP-2              Yes                          Yes                                 Yes
EIGRP              Yes                          Yes                                 Yes
OSPF               No                           n/a                                 n/a

Posted in Route Summary | No Comments »

ICND2 OECG Chapter 4: IP Routing: Static and Connected Routes

Posted by Aragoen Celtdra on 13th June 2008

IP Routing and Addressing

IP Routing

  • When a packet is sent by a host, the packet’s destination IP address is compared to what the host/sender believes is the valid range of IP addresses in the connected subnet. The comparison is made based on the host’s IP address and subnet mask.
    • If the destination IP address is in the same subnet, the packet is sent directly to the destination host. ARP is used to find the MAC address of the destination host
    • If the destination is not on the same subnet, use ARP to find the MAC address of the default gateway and send the packet there.
  • Router logic:
    1. For each frame that is received, use the frame’s FCS to check for errors. Discard frames if there are errors.
    2. Check the frame’s destination MAC address. Process only if addressed to this router’s MAC address or to a broadcast/multicast address.
    3. Strip off the frame’s old data-link header and trailer, leaving the IP packet.
    4. Compare the destination IP address with the router’s routing table to find a matching route. This route identifies the outgoing interface on this router, as well as the next-hop router (or the destination host).
    5. Determine the destination MAC address for forwarding the packet to the next router or the destination host.
    6. Encapsulate the packet with a new data link header and trailer (Ethernet, PPP, HDLC, etc.) that contains the information for the next device.

IP Addressing and Subnetting

  • Classful IP networks: Class A, B, and C
  • A subnet is a subset of a classful network
  • A subnet mask allows the determination of an IP address’s subnet, the range of valid IP addresses, and the broadcast address for that subnet.
  • Devices in the same subnet should use the same subnet mask to prevent confusion about the range of IP addresses in that subnet
  • Devices in a single VLAN should be in the same subnet, and conversely, devices in different VLANs should be in different subnets.
  • Hosts separated by a router must be in different subnets
  • A router needs to perform routing when exchanging data between different subnets
  • Point-to-point serial links need to be in a different subnet than the LAN segment. On a point-to-point link you only need two IP addresses, because only two interfaces are involved.
  • Need to master subnetting!
  • The following is a list of suggested tasks that need to be mastered, with the amount of time you should be able to solve them in:
    • Given a dotted decimal mask, convert it to prefix notation, or vice versa. (Suggested time for exam readiness: 5 seconds)
    • Given an IP address and mask, find the subnet number, range of addresses, and subnet broadcast address. (Suggested time: 15 seconds)
    • Given a subnet mask and class (A, B, or C) of a network, determine the number of subnets and hosts per subnet. (Suggested time: 15 seconds)
    • Given a class of network (A, B, or C) and design requirements for a number of subnets and number of hosts per subnet, find all masks that meet the requirements, and choose the mask that either maximizes the number of subnets or the number of hosts per subnet. (Suggested time: 30 seconds)
    • Given a classful network and a single subnet mask to use for all subnets, list the subnet
  • IP Forwarding by Matching the Most Specific Route
    • When there is more than one route in a router’s IP routing table that matches a certain destination IP address, the most specific route is the one that gets used. As a rule, the route with the longest prefix is the most specific route.
    • Consider the following example listing several routes that all match the destination IP address 172.16.1.1:
      • 172.16.1.1/32
      • 172.16.1.0/24
      • 172.16.0.0/22
      • All the routes on the above list match the destination 172.16.1.1. But because the first route (172.16.1.1/32) is the most specific – the longest prefix of all the matching routes – that is the route that is used.

DNS, DHCP, ARP, ICMP

  • The following list shows, step by step, how these protocols are used:
    1. The host uses DHCP to acquire its IP address, subnet mask, DNS server IP address, and default gateway.
    2. The host makes a DNS request to resolve a host name to its IP address
    3. The host uses ARP to discover the data link address of the next-hop device and uses that information to build the Ethernet frame.
    4. If a ping command is used, the host sends an ICMP echo request in an IP packet to its destination address, and it receives an ICMP echo reply back from that destination.

Fragmentation and MTU

  • Maximum Transmission Unit (MTU) is the maximum length of an IP packet. For Ethernet interfaces, the MTU is 1500 bytes.
  • Routers cannot forward a packet if the packet is bigger than the MTU. In order for the packet to be transmitted, a process is used to break the packet down into smaller packets. This process is called fragmentation.
    • mtu: interface subcommand to change the MTU size. Sets the MTU for all Layer 3 protocols.
    • ip mtu: interface subcommand that sets the MTU for the IP protocol only.
    • If both are configured on an interface, the ip mtu command takes precedence. However, if the mtu command is configured after the ip mtu command, the ip mtu value is reset to whatever the mtu command sets it to.

Routes to Directly Connected Subnets

The router will automatically add the route to a subnet, connected to each interface, in its routing table under two conditions:

  • The interfaces are up/up
  • The interfaces have IP addresses

Secondary IP Addressing

  • Secondary IP addressing allows the use of multiple networks or subnets on the same LAN segment. This is typically employed when a particular segment runs out of IP addresses and the enterprise needs to add more IP addresses to that segment in a way that does not overlap with the current IP addresses.
  • For this to work, a single router needs two IP addresses, one from each subnet. The hosts in each of those subnets can then use the corresponding address as their default gateway.
  • A sample configuration:

interface fa0/1
ip address 192.168.100.1 255.255.255.0
ip address 192.168.200.1 255.255.255.0 secondary

Supporting Connected Routes to Subnet Zero

  • The zero subnet is the one subnet in each classful network that has all binary 0s in the subnet part of the address. It turns out that the zero subnet address is the same as the classful network number.
    • For example, 172.16.2.5/22 is in subnet 172.16.0.0, which is its zero subnet as well as the classful network number.
  • The ip subnet-zero command allows the router to accept the zero subnet as a valid subnet.
    • ip subnet-zero is on by default starting with IOS 12.0
    • In the exam, assume that ip subnet-zero is configured unless specified otherwise.
  • The no ip subnet-zero command disallows the configuration of an IP address in the zero subnet range.

ISL and 802.1Q Configuration on Routers

Sample configuration with ISL Encapsulation

interface fastethernet 0/0.1
ip address 10.1.1.1 255.255.255.0
encapsulation isl 1
!
interface fastethernet 0/0.2
ip address 10.1.2.1 255.255.255.0
encapsulation isl 2
!
interface fastethernet 0/0.3
ip address 10.1.3.1 255.255.255.0
encapsulation isl 3

Sample configuration with 802.1Q encapsulation

interface fastethernet 0/0
ip address 10.1.1.1 255.255.255.0
!
interface fastethernet 0/0.2
ip address 10.1.2.1 255.255.255.0
encapsulation dot1q 2
!
interface fastethernet 0/0.3
ip address 10.1.3.1 255.255.255.0
encapsulation dot1q 3

As an alternative to configuring the native VLAN on the physical interface, you can configure it on another subinterface:

interface fastethernet 0/0.1
ip address 10.1.1.1 255.255.255.0
encapsulation dot1q 1 native

  • The alternative command encapsulation dot1q 1 native tells the router that the subinterface is in VLAN 1, and the native keyword tells the router not to add 802.1Q headers to that VLAN’s frames.
  • The port on the switch needs to be configured with either the switchport mode trunk or the switchport trunk encapsulation dot1q interface subcommand, because routers do not perform dynamic negotiation of trunking; the switch side must be configured to trunk.

Static Routes

Configuring Static Routes

R1#configure terminal
R1(config)#ip route 10.1.2.0 255.255.255.0 10.1.128.252
R1(config)#ip route 10.1.3.0 255.255.255.0 10.1.130.253

Command    Route to subnet   Subnet Mask       Next-hop IP address
ip route   10.1.2.0          255.255.255.0     10.1.128.252
ip route   10.1.3.0          255.255.255.0     10.1.130.253

NOTE: The next-hop IP address should be an IP address in a directly connected subnet.

  • The ip route command can either refer to the next-hop IP address, as shown above, or to the router’s outgoing interface. The outgoing-interface form is typically used on point-to-point links.

Static Default Route

  • A default route is a route that matches all packet destinations. It is also known as the gateway of last resort. It is used when no other known route exists for a certain IP destination. In a typical setup, the default route points to a router that has a route to the Internet or to the enterprise’s service provider.

Default Route Using the ip route Command

  • ip route 0.0.0.0 0.0.0.0 12.217.21.2
  • This command creates a route to destination 0.0.0.0 with mask 0.0.0.0 using 12.217.21.2 as the next-hop router. This configuration matches any and all IP destinations.
  • In the routing table, this route is marked as the gateway of last resort.
  • If there are two or more default routes in the routing table, the router marks each default route with an asterisk and picks the best one. That best route becomes the gateway of last resort.

Default Routes Using the ip default-network Command

  • The ip default-network command tells a router to build its default route based on a route it has already learned and holds in its routing table. The syntax of the command therefore uses a classful IP network as its parameter.
  • ip default-network 10.0.0.0
  • To summarize:
    • Static default routes can be configured using the ip route 0.0.0.0 0.0.0.0 next-hop-address command or the ip default-network net-number command.
    • When a router matches a packet only with the default route, the router uses the forwarding details listed in the gateway of last resort line.

Classful and Classless Routing

  • Classless Routing – Use the default route if a packet does not match any other routes.
  • Classful Routing – If a packet does not match any other routes and matches only the default route:
    • Use the default route if the router does not have any routes in the same classful network as the destination IP address
    • Discard the packet if there is a route that matches the classful network that the destination IP address belongs to.
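Longest-prefix matching and the classless versus classful treatment of the default route, as one added Python example (not code from the original post) serving the IP Forwarding by Matching the Most Specific Route section earlier in these notes as well as the default-route and classful/classless sections above. ROUTES is a constructed routing table built from the three example prefixes on this page plus the default route; the next-hop addresses in it are made up for the example.

```python
"""Longest-prefix lookup with classless and classful default-route behaviour (added example, not from the original post)."""
import ipaddress
from typing import Dict, Optional, Tuple


def classful_network(address: str) -> ipaddress.IPv4Network:
    """The class A (/8), B (/16) or C (/24) network that contains the address."""
    first_octet = int(address.split(".")[0])
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network((address, prefix), strict=False)


def lookup(routes: Dict[str, str], destination: str, classful: bool = False) -> Optional[Tuple[str, str]]:
    """Return (matching prefix, next hop) for the most specific route, or None if the packet is discarded.

    routes maps a prefix such as "172.16.1.0/24" to its next-hop address; "0.0.0.0/0" is the default
    route (gateway of last resort). With classful=True the default route is used only when the table
    holds no route inside the destination's classful network, as the notes above describe.
    """
    dst = ipaddress.ip_address(destination)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in routes.items() if dst in ipaddress.ip_network(p)]
    if not matches:
        return None
    best_net, next_hop = max(matches, key=lambda m: m[0].prefixlen)    # longest prefix wins
    if classful and best_net.prefixlen == 0:
        major = classful_network(destination)
        if any(ipaddress.ip_network(p).subnet_of(major) for p in routes if ipaddress.ip_network(p).prefixlen > 0):
            return None    # classful: some subnet of the major network is known, but not this one, so discard
    return str(best_net), next_hop


# Constructed routing table: the three overlapping example routes plus a default route.
ROUTES = {
    "172.16.1.1/32": "10.0.0.1",
    "172.16.1.0/24": "10.0.0.2",
    "172.16.0.0/22": "10.0.0.3",
    "0.0.0.0/0": "12.217.21.2",
}

if __name__ == "__main__":
    for dest in ("172.16.1.1", "172.16.1.9", "172.16.2.9", "8.8.8.8", "172.16.9.9"):
        print(dest, "classless:", lookup(ROUTES, dest), "classful:", lookup(ROUTES, dest, classful=True))
```

The last destination, 172.16.9.9, shows the difference between the two modes: no specific route covers it, so a classless router forwards it to the gateway of last resort, while a classful router sees that it already knows subnets of 172.16.0.0 and discards the packet instead.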

Posted in CCNA Basics, CCNA Notes, Routing Protocols | No Comments »

CertGuard cheated us!

Posted by Aragoen Celtdra on 13th June 2008

I just read the latest posting from CCIE Pursuit on the matter that has recently been surrounding Ethan Banks. If I’m reading it correctly, it appears that the fact that Ethan Banks’s site is currently down could have something to do with the latest allegations by Mr. Robert Williams of Certguard that Ethan cheated on his CCIE exam.

Now, I have had admiration towards what Mr Williams has been doing in the past, raising awareness to the inappropriate and destructive behaviors of these “cheaters”, as I have strong convictions toward cheating on the Cisco exams – particularly, for the fact that it cheapens the value of the certifications that many have worked hard for.

But since following this debacle from the start, I started to lose confidence and trust in what Mr. Williams represents. The blunt carelessness in his accusations has probably hurt those who care about this profession more than the ones he is trying to go after. There are many of us who follow Ethan and admire the things that he has accomplished.

There’s no question that Mr. Williams read Ethan’s blog – otherwise, how would he have come to these allegations of cheating? But did he really read his posts? Because if he did, he would have been able to see past what he accuses Ethan of – his alleged “self-incriminating statements” – and see the incredible discipline and meticulous preparation that Ethan had done to pass this test. I can’t guarantee anything, but I’m pretty sure there is little or no damage done by Ethan even mentioning the inappropriate study materials. If there’s anything that Ethan has taught us (“Ethan’s followers”, as Mr. Williams would say), he inadvertently showed us how to put value in true hard work in the same fashion that he had undertaken.

I really don’t understand how anyone as smart as Mr. Williams can summarily sentence someone who has done more good for this profession than anyone out there. I really feel that Certguard has cheated us of a wonderful mentor and a great leader for engineers to follow. Mr. Williams has done a lot of things right. But I think he’s got this one wrong. Really wrong!

Posted in General | No Comments »

So you’d like to… be a network (or Cisco) engineer

Posted by Aragoen Celtdra on 12th June 2008

Sure!

I was on Amazon.com to look at some of the next books I will be reading to prepare for the CCNP. While browsing around I found this article written by one of the member customers. I thought this list could be pretty helpful for me to give me ideas of the things I can be learning to be a good engineer.

Here’s the link to the complete page. Below is the complete excerpt (minus all the pretty pictures).

So You’d Like to… be a Network (or Cisco) Engineer

by M. Hawk

No doubt if you’ve scanned job postings, you’ll see that there is a wide definition of “Network Engineer” that exists in the marketplace. This guide is for what I consider to be a traditional network engineer – someone who designs data networks and configures and manages Cisco, Juniper, Foundry, or other top line routers, switches, firewalls, and network appliances.

Fundamentals and TCP/IP
First, a solid grounding in TCP/IP is needed. The most valuable network engineers have an in-depth knowledge of TCP – including the “three-way handshake”, MSS, windowing and congestion avoidance. Additionally, they can apply that knowledge to real-world networks. Start with Computer Networking: A Top-Down Approach Featuring the Internet (3rd Edition). Not only does this book cover TCP/IP, but it also provides an excellent overview of many network topics. It is a great start to get a taste of everything from the application layer to the physical layer, including HTTP, TCP, UDP, IP, routing protocols, multicast, security, and more.

However, to become a TCP/IP guru, you must purchase the bible of everything TCP/IP – TCP/IP Illustrated, Volume 1: The Protocols (Addison-Wesley Professional Computing Series). Stevens is a legend for his three-part series, though Volume 1 is the most useful for network engineers. You’ll learn the details of how TCP works, and see the transaction process for common protocols like traceroute, FTP, etc.

Basic Networking
After getting a handle on TCP/IP, it’s time to improve practical network skills. The best way to start is by obtaining a certification, such as the CCNA – Cisco Certified Network Associate. The CCNA has two options – a comprehensive single test, or two separate tests. This certification process will ensure a basic knowledge of standards, router and switch capabilities, and configurations. It is an excellent resume builder to get your foot in the door. Start with CCNA Certification Library (CCNA Self-Study, Exam #640-801) (Self Study).

Note that other vendors also offer quality certifications. I recommend starting with Cisco, as Cisco gear is still the most widely deployed throughout a variety of industries. The fundamentals learned from the Cisco certifications can be applied to other vendors gear, too.

After obtaining the CCNA, it is strongly recommended to pursue the next level of certification – CCNP – Cisco Certified Network Professional. This certification requires 4 additional tests specializing in Routing, Switching, Troubleshooting, and Remote Access. The four tests can be taken over a period of time, and can be taken several months apart. The most beneficial place to start is with routing or switching, as these fundamentals apply to almost all networks. These tests will ensure a solid knowledge of RIP, OSPF, and EIGRP routing, along with spanning tree and basic router and switch configuration. Next, the remote access test will help provide a knowledge of WAN protocols. The troubleshooting test introduces additional commands and processes to use to isolate/repair problems.

These books are beneficial in studying for and learning the content of these tests:

However, if you want to take some time off from studying for certifications, consider reading Radia Perlman’s classic, Interconnections: Bridges, Routers, Switches, and Internetworking Protocols (2nd Edition) (Addison-Wesley Professional Computing Series). Like TCP/IP Illustrated, this is a must-read for network engineers. Interconnections provides fundamental knowledge in networking, including routers, bridges, switches, routing protocols, IPv6, multicast, and more. Radia’s writing style makes it an easy read.

UNIX and Scripting (Automation)
The most valuable network engineers are excellent UNIX scripters. You can get by without knowing much UNIX, but nothing beats being able to automate tasks with some simple Perl or shell scripts. Before you can script, you must learn vi (or vim), the most powerful text editor in UNIX. Learning the vi Editor (6th Edition). Next, basic shell scripting. Unix Shell Programming (3rd Edition) Then step up to Perl, which is perhaps the simplest, most powerful scripting language. If you aren’t overly enthused about scripting, you could probably hold off on learning Perl for a while. But if you take the plunge, the O’Reilly series of books is the way to go. Learning Perl, Fourth Edition Programming Perl (3rd Edition) Learning Expect programming is also beneficial. Expect is a language that allows for interactive programming (i.e. allowing interaction with a router or switch, such as responding with a certain response based on the output of the issued command). Exploring Expect: A Tcl-based Toolkit for Automating Interactive Programs (Nutshell Handbooks)

Specializing
Network engineering is such a vast field, at some point you’ll want to specialize. Areas of specialization include network security (firewalls, VPN), datacenter networks (more switching oriented), backbone networks (BGP routing, MPLS, QoS), Voice over IP (VoIP), and more. You may encounter other vendors with unique hardware and software (i.e. Juniper, Foundry, Force10, etc). Below are additional recommendations for various specializations.

Security

Datacenters

Backbone Networks

Voice over IP

Posted in General, Resources | No Comments »

Welcome Home

Posted by Aragoen Celtdra on 10th June 2008

Ok, so if you have managed to get to this site, that means you either clicked on someone else’s link to get here or you were redirected here from my old site. Regardless, here you are at my new home site. Other than the major construction going on under the hood, there should only be minimal differences from the old one to this. Most notable, of course, is the new domain name. It is now officially routemyworld.com, without the “wordpress” taggin’ along. There are still some minor things I need to fix (like gravatars/avatars, stat counter, some wayward links, etc.) but most of the meat should be intact.

Welcome to my new site.

Posted in General | No Comments »

Weekend of (Not So) Fun

Posted by Aragoen Celtdra on 8th June 2008

I had a full schedule of studying planned for this weekend, but due to a recurring neck injury, it was very hard to focus. It started on Saturday morning when I woke up with a kink in my right neck/shoulder area. It’s the kind of thing you get when you sleep wrong at night. Except I still get it even when I sleep the right way. This is nothing new for me, as it has bothered me for years. I blame all those early years in college when I used to play a lot more aggressively in basketball and always got hammered under the rim. I’ve seen doctors, chiropractors, sports medicine people, and all sorts of healers, but no one seems to be able to fix it.

Anyway, this whole weekend, I was not able to keep my head upright for longer than an hour without getting really tired. So I had to lay my head down constantly. That also meant studying was painful. It was hard to concentrate because I constantly had to massage my neck.

I thought if I rested it enough I would be able to keep the pain in check. I might have had a fighting chance if I had slept well last night. But the neighbor had a birthday party going on until 2am with loud music blasting incessantly. So my head kept getting pounded by relentless old school beats by Debbie Deb (Look Out Weekend, and When I Hear Music, et al) and Zapp and Roger (Doo Wa Ditty, Computer Love). And to make things worse, I had to be up by 5:45 to get ready for church because I had to cantor for the 7AM Mass.

Other notables:

  • I hit a bird with our van on the way to church this morning instantly killing the poor thing. My 2 year old seems to find it amusing as he kept repeating, “papa hit a baby bird” over and over on the way to church.
  • We lost our basketball game today after trailing again (we trailed last week too, only to win by 1 point on a buzzer-beating 3-pointer) by as much as 12 points. We caught up to within 2 points but could not overcome the deficit in the end.
  • Lakers lost after trailing Boston by 24 with only 7 minutes left, cutting the deficit to only 2 with under a minute to go, but eventually losing by 6 points.

On a good note, tomorrow is another day.

Posted in Aragoen's Musing, General | No Comments »

ICND2 OECG Chapter 3 Troubleshooting LAN Switching

Posted by Aragoen Celtdra on 6th June 2008

Below is a summary of the Chapter 3 troubleshooting section from Wendell Odom’s ICND2 OECG book. It doesn’t look like much, but there’s a ton of conceptual and foundational skills that can be built upon that outline. I’ve spent the last couple of days reviewing and working on switching technologies. I’ll probably finish it off this weekend and move on to the routing portion.

The text in red (the bulleted lines below) is my notes.

Troubleshooting LAN Switching Data Plane

Step 1 Verify the accuracy of and complete the information listed in the network diagram using CDP.

  • show cdp neighbors
  • show cdp entry
  • Pay attention to places where the diagram does not match the CDP output.
  • End-user PCs do not show up on CDP output.

Step 2 Check for interface problems as follows:

a. Determine the interface status code(s) for each required interface, and if not in a connect or up/up state, resolve the problems until the interface reaches the connect or up/up state.

  • sh interfaces fa0/1 status

b. For interfaces in a connect (up/up) state, also check for two other problems: duplex mismatches and some variations of port security purposefully dropping frames.

  • sh interface fa0/1
  • To check for duplex mismatches, pay attention to counters like runts, collisions, late collisions, etc.
  • Also confirm that the PC’s duplex setting matches the switch port’s, and vice versa.

Step 3 Check for port security problems as follows:

a. Identify all interfaces on which port security is enabled (show running-config or show port-security).

b. Determine whether a security violation is currently occurring based in part on the violation mode of the interface’s port security configuration, as follows:

  • shutdown: The interface will be in an err-disabled state.
  • restrict: The interface will be in a connect state, but the show port-security interface command will show an incrementing violations counter.
  • protect: The interface will be in a connect state, and the show port-security interface command will not show an incrementing violations counter.

c. In all cases, compare the port security configuration to the diagram as well as the “last source address” field in the output of the show port-security interface command.

Step 4 Check VLANs and VLAN trunks as follows:

a. Identify all access interfaces and their assigned access VLANs, and reassign into the correct VLANs as needed.

  • show interface status
  • show interfaces fa0/1 status
  • switchport access vlan 3 - interface subcommand to assign an interface to VLAN 3

b. Determine whether the VLANs both exist (configured or learned with VTP) and are active on each switch. If not, configure and activate the VLANs to resolve problems as needed.

  • show vlan id 3
  • show vlan brief

c. Identify the operationally trunking interfaces on each switch, and determine the VLANs that can be forwarded over each trunk.

  • show interfaces trunk
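
Steps 2b and 3 boil down to reading a handful of fields out of two show commands and applying the three violation-mode rules above. The following is an added example of mine, not code from Odom’s book or from the original post: a small Python parser that takes constructed `show interfaces` and `show port-security interface` output, flags the counter pattern of a duplex mismatch, decides whether a port-security violation is visible for the configured mode, and compares the last source address with the MAC the diagram expects. The interface name, MAC addresses, VLAN and counter values are all made up for the sample.

```python
"""Interpret the IOS output that Steps 2b and 3 of the procedure say to read.

Added example, not from Odom's ICND2 OECG or this blog.  The sample outputs
below are constructed to mimic Cisco IOS `show interfaces` and `show
port-security interface` output; every MAC, counter and name is invented.
"""
import re

# Constructed sample for Step 2b: a half-duplex port that is counting late collisions.
SHOW_INT_HALF = """\
FastEthernet0/1 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0200.1111.1111 (bia 0200.1111.1111)
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 37 collisions, 2 interface resets
     0 babbles, 41 late collision, 0 deferred
"""

# Constructed samples for Step 3b/3c: one block per violation mode.
PS_RESTRICT = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0200.3333.3333:1
Security Violation Count   : 97
"""
PS_SHUTDOWN = (PS_RESTRICT.replace("Secure-up", "Secure-shutdown")
               .replace("Restrict", "Shutdown").replace("97", "1"))
PS_PROTECT = PS_RESTRICT.replace("Restrict", "Protect").replace("97", "0")

COUNTER_RE = re.compile(r"(\d+) (runts|CRC|input errors|collisions|late collision)\b")


def check_duplex(show_interfaces):
    """Step 2b.  Return (duplex, counters, findings).

    A full-duplex port never detects collisions, so the half-duplex side of
    a mismatch is the one logging (late) collisions, while the full-duplex
    side sees the damaged frames as runts and CRC errors."""
    duplex = re.search(r"^\s*(Full|Half)-duplex", show_interfaces, re.M).group(1).lower()
    counters = {name: int(value) for value, name in COUNTER_RE.findall(show_interfaces)}
    findings = []
    if duplex == "half" and counters.get("late collision", 0) > 0:
        findings.append("half-duplex port logging late collisions: far end is probably full duplex")
    if duplex == "full" and (counters.get("runts", 0) or counters.get("CRC", 0)):
        findings.append("full-duplex port logging runts/CRC: far end is probably half duplex")
    if duplex == "full" and counters.get("collisions", 0):
        findings.append("collisions on a full-duplex port: check cabling and far-end duplex")
    return duplex, counters, findings


def check_port_security(show_port_security, expected_mac=None):
    """Step 3b/3c.  Decide whether a violation is visible for this mode and
    compare the last source address with the MAC the diagram expects."""
    # Split on the last ' : ' so 'Last Source Address:Vlan' keeps its key intact.
    fields = dict(re.findall(r"^(\S.*?)\s+:\s+(.*)$", show_port_security, re.M))
    mode = fields["Violation Mode"].lower()
    status = fields["Port Status"].lower()
    count = int(fields["Security Violation Count"])
    last_mac, _, last_vlan = fields["Last Source Address:Vlan"].partition(":")
    if mode == "shutdown":
        violating = status.startswith("secure-shutdown")   # port is err-disabled
    elif mode == "restrict":
        violating = count > 0                               # counter increments
    else:
        violating = None  # protect: frames dropped silently, counter stays at 0
    return {
        "mode": mode,
        "status": status,
        "violation_count": count,
        "violating": violating,
        "last_mac": last_mac,
        "last_vlan": int(last_vlan),
        "mac_matches_diagram": None if expected_mac is None else last_mac == expected_mac.lower(),
    }


if __name__ == "__main__":
    print(check_duplex(SHOW_INT_HALF))
    for sample in (PS_RESTRICT, PS_SHUTDOWN, PS_PROTECT):
        print(check_port_security(sample, expected_mac="0200.2222.2222"))
```

The protect-mode branch returns `None` on purpose: as the outline says, that mode gives you no counter to look at, so the only evidence left is the last source address compared against the diagram, which is why `check_port_security` reports `mac_matches_diagram` separately from `violating`.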

Posted in CCNA Basics, CCNA Notes | No Comments »

 
