Saturday, 28 May 2011

Creating Command Aliases


Problem

You want to create aliases for commonly-used or complex commands.

Solution

You can create command aliases on your router with the alias command:
Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#alias exec rt show ip route
Router1(config)#alias exec on show ip ospf neighbor
Router1(config)#end
Router1#
 

Discussion

Unix system administrators have been using command aliases for many years to help reduce typing and save time. These shortcut commands allow you to reduce long or complex command sequences down to a few simple characters. This is most useful for extremely common commands, or for those that are complex or difficult to remember. You can create an alias for any command, including some or all of its associated keywords or variables.
Here we have created the alias rt for one of the most common commands that we use every day, show ip route:
Router1(config)#alias exec rt show ip route
We can now use this simple two-letter command to display the routing table, saving time and typing:
Router1#rt
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
   
Gateway of last resort is 172.25.1.1 to network 0.0.0.0
   
S    192.168.10.0/24 [1/0] via 172.22.1.4
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.2.0 is directly connected, FastEthernet0/0.2
     172.20.0.0/16 is variably subnetted, 3 subnets, 3 masks
O       172.20.10.0/24 [110/74] via 172.20.1.2, 00:52:55, Serial0/0.2
C       172.20.1.0/30 is directly connected, Serial0/0.2
O       172.20.100.1/32 [110/65] via 172.20.1.2, 00:52:55, Serial0/0.2
     172.22.0.0/16 is variably subnetted, 2 subnets, 2 masks
D       172.22.0.0/16 is a summary, 20:31:03, Null0
C       172.22.1.0/24 is directly connected, FastEthernet0/1
Router1#

The key to choosing a good alias command name is to pick something that is short and easy to remember. Of course, it is critical to select an alias that does not conflict with an existing command. In our example, we choose rt as a short and memorable mnemonic for "route table." This abbreviation does not conflict with any existing IOS command.
You can also use a command alias as part of a longer command. For example, we could use our rt alias to shorten the command show ip route 172.16.2.0.
Router1#rt 172.16.2.0
Routing entry for 172.16.2.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via FastEthernet0/0.2
      Route metric is 0, traffic share count is 1
Router1#
Command aliases are most effective if you use them consistently among all of the routers that you manage. Otherwise, you'll have to remember a different set of alias commands for each group of devices. If you want to use this feature, we recommend that the entire network management team work together to develop a standard set of aliases before implementing them. We also recommend keeping the aliases simple. And, above all, resist the urge to alias every possible command. Instead, create aliases for only the most common commands.
Command aliases are also useful for scripting. You can build a script to perform a task on a router that might be slightly different on each router. For example, suppose you want to clear the counters of a particular access list on a weekly basis. But, some of your routers use a different access list number. You can simply build an alias with the same name on each router, but make the actual commands represented by the alias appropriate to each individual router. Finally, you can build a script to issue the command alias and automate what would otherwise be an extremely onerous task.
The show aliases command displays all of the command aliases configured on the router:
Router1#show aliases
Exec mode aliases:
  h                     help
  lo                    logout
  p                     ping
  r                     resume
  s                     show
  u                     undebug
  un                    undebug
  w                     where
  rt                    show ip route
  on                    show ip ospf neighbor
   
Router1#
If you type this command on any router, you will see that Cisco implements several command aliases by default.
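The discussion recommends one standard alias set across every router you manage. The following script is an added example, not part of the recipe, that parses "show aliases" output collected from several routers and reports aliases that are missing on some of them or that expand to different commands. Router1's output is the one shown above; Router2's output is constructed for the example and deliberately drifts from it.

```python
import re

# Added example, not from the recipe: compare "show aliases" tables across
# routers and flag the inconsistencies the discussion warns about.

ALIAS_LINE = re.compile(r"^\s{2}(\S+)\s{2,}(.+?)\s*$")

# Router1's table is the one shown above; Router2's is constructed and drifts:
# it lacks "rt" and defines "on" differently.
SHOW_ALIASES = {
    "Router1": """\
Router1#show aliases
Exec mode aliases:
  h                     help
  lo                    logout
  p                     ping
  r                     resume
  s                     show
  u                     undebug
  un                    undebug
  w                     where
  rt                    show ip route
  on                    show ip ospf neighbor

Router1#
""",
    "Router2": """\
Router2#show aliases
Exec mode aliases:
  h                     help
  lo                    logout
  p                     ping
  r                     resume
  s                     show
  u                     undebug
  un                    undebug
  w                     where
  on                    show ip ospf interface

Router2#
""",
}


def parse_show_aliases(output):
    """Return {alias: expansion} from the text of 'show aliases'."""
    aliases = {}
    for line in output.splitlines():
        stripped = line.strip()
        # skip blank lines, the prompt, and the "Exec mode aliases:" header
        if not stripped or stripped.endswith("#") or stripped.endswith("mode aliases:"):
            continue
        m = ALIAS_LINE.match(line)
        if m:
            aliases[m.group(1)] = m.group(2)
    return aliases


def alias_drift(outputs):
    """Compare alias tables across routers.

    Returns (missing, conflicting): missing maps an alias to the routers that do
    not define it; conflicting maps an alias to {router: expansion} whenever the
    expansions disagree.
    """
    tables = {router: parse_show_aliases(text) for router, text in outputs.items()}
    names = set()
    for table in tables.values():
        names.update(table)
    missing, conflicting = {}, {}
    for name in sorted(names):
        have = {router: table[name] for router, table in tables.items() if name in table}
        lacking = sorted(set(tables) - set(have))
        if lacking:
            missing[name] = lacking
        if len(set(have.values())) > 1:
            conflicting[name] = have
    return missing, conflicting


if __name__ == "__main__":
    missing, conflicting = alias_drift(SHOW_ALIASES)
    for name, routers in missing.items():
        print(f"alias '{name}' is missing on: {', '.join(routers)}")
    for name, table in conflicting.items():
        print(f"alias '{name}' differs: {table}")
```

Feed it the saved output of "show aliases" from each router (for example collected by whatever script you already use to run commands) and it tells you exactly which aliases to add or correct before the team relies on them.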

Thursday, 26 May 2011

Redistributing Static Routes into RIP

Problem
You want RIP to redistribute static routes that you have configured on your router.

Solution

The redistribute static command tells RIP to forward static routes in addition to the directly connected routes and the routes that have been learned from other RIP routers, which it forwards by default:
Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#ip route 192.168.10.0 255.255.255.0 172.22.1.4
Router1(config)#router rip
Router1(config-router)#redistribute static
Router1(config-router)#end
Router1#
You can define how these routes look to other routers when they are redistributed:
Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#ip route 192.168.10.0 255.255.255.0 172.22.1.4
Router1(config)#router rip                  
Router1(config-router)#redistribute static metric 5
Router1(config-router)#distribute-list 7 out static
Router1(config-router)#exit
Router1(config)#access-list 7 permit 192.168.10.0
Router1(config)#end
Router1#

Discussion

The biggest potential problem that you will encounter with redistributing routes into RIP comes from breaking network class boundaries. RIP is classful, so you have to be rather careful about how you distribute routing information from other sources that may be classless. In this recipe, Router1 redistributes a static route for the Class C network 192.168.10.0. But if we tried instead to redistribute a larger range (such as 192.168.12.0/22), RIP would not generate any errors—the router would just quietly refuse to forward this route.
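Because the refusal is silent, it helps to check candidate prefixes before redistributing them. The function below is an added example, not part of the recipe: it classifies a prefix by the class of its first octet and reports whether the prefix lies wholly inside one classful network (a subnet of it, or the network itself) or is a supernet that a classful router will not carry.

```python
import ipaddress

# Added example (not part of the recipe): decide whether a prefix lies wholly
# inside one classful network. A classful protocol such as RIP has only the
# class A/B/C boundaries to work with, so a supernet like 192.168.12.0/22 that
# spans several class C networks is silently dropped, as the text describes.


def address_class(net):
    """Return (class letter, classful prefix length) for a network's first octet,
    or (None, None) for class D/E space, which has no classful unicast boundary."""
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        return "A", 8
    if first_octet < 192:
        return "B", 16
    if first_octet < 224:
        return "C", 24
    return None, None


def fits_classful_boundary(prefix):
    """Return (ok, explanation); ok is True when a classful router can carry the route."""
    net = ipaddress.ip_network(prefix, strict=False)
    letter, classful_len = address_class(net)
    if letter is None:
        return False, f"{net} is not in class A/B/C unicast space"
    major = ipaddress.ip_network(f"{net.network_address}/{classful_len}", strict=False)
    if net.prefixlen < classful_len:
        spanned = 2 ** (classful_len - net.prefixlen)
        return False, (f"{net} is a supernet spanning {spanned} class {letter} networks; "
                       f"a classful router will not advertise it")
    if net.prefixlen == classful_len:
        return True, f"{net} is exactly the class {letter} network {major}"
    return True, f"{net} is a subnet of the class {letter} network {major}"


if __name__ == "__main__":
    # the static route from the recipe and the supernet the discussion mentions
    for candidate in ("192.168.10.0/24", "192.168.12.0/22"):
        ok, why = fits_classful_boundary(candidate)
        print("OK   " if ok else "DROP ", why)
```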
Looking at the RIP database on a router with IOS level 12.0(6)T or higher shows the redistributed static route:
Router1#show ip rip database 192.168.10.0 255.255.255.0
192.168.10.0/24    redistributed
    [5] via 0.0.0.0, 
Router1#
After configuring the second example, the output of show ip protocols includes information about the filtering. This command also tells you what protocols RIP is distributing:
Router1#show ip protocols 
Routing Protocol is "rip"
  Sending updates every 30 seconds, next due in 5 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Outgoing update filter list for all interfaces is not set
    Redistributed static filtered by 7
  Incoming update filter list for all interfaces is not set
  Redistributing: static, rip
  Default version control: send version 2, receive version 2
    Interface             Send  Recv  Triggered RIP  Key-chain
    FastEthernet0/0.1     2     2 
    Serial0/0.2           2     2                                    
    FastEthernet0/1       2     2                                    
   Automatic network summarization is in effect
  Maximum path: 4
  Routing for Networks:
    172.22.0.0
    172.25.0.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    172.25.1.7           120      00:00:03
    172.25.2.2           120      00:00:06
    172.22.1.4           120      00:00:08
  Distance: (default is 120)
Router1#
In addition to static routes, you can distribute information from other dynamic routing protocols with RIP simply by specifying which protocol's routes you want RIP to use. For example, if you have an EIGRP network that uses process number 65530 on the same router, you would redistribute the EIGRP routes into RIP like this:
Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#router eigrp 65530
Router1(config-router)#network 192.168.1.0
Router1(config-router)#exit
Router1(config)#router rip
Router1(config-router)#redistribute eigrp 65530
Router1(config-router)#end
Router1#
If you look at the show ip protocols command, you can see that RIP redistributes routes it learns from EIGRP, but EIGRP does not redistribute routes learned from RIP. If you also want EIGRP to redistribute RIP routes, you must explicitly configure it to do so. 
Router1#show ip protocols   
Routing Protocol is "rip"
  Sending updates every 30 seconds, next due in 0 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Outgoing update filter list for all interfaces is 
  Incoming update filter list for all interfaces is 
  Redistributing: static, rip, eigrp 65530
   

  Default version control: send version 1, receive any version
    Interface        Send  Recv   Key-chain
    FastEthernet0/0.1     2     2 
    Serial0/0.2           2     2                                    
    FastEthernet0/1       2     2                                    
   Automatic network summarization is in effect
  Maximum path: 4
  Routing for Networks:
    172.22.0.0
    172.25.0.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    172.25.1.7           120      00:00:03
    172.25.2.2           120      00:00:06
    172.22.1.4           120      00:00:08
  Distance: (default is 120)
   
Routing Protocol is "eigrp 65530"
  Outgoing update filter list for all interfaces is 
  Incoming update filter list for all interfaces is 
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hopcount 100
  EIGRP maximum metric variance 1
  Redistributing: eigrp 65530
  Automatic network summarization is in effect
  Routing for Networks:
    192.168.1.0
  Routing Information Sources:
    Gateway         Distance      Last Update
  Distance: internal 90 external 170
   

Wednesday, 25 May 2011

Study Cisco SDM without any router

This post illustrates how to study Cisco SDM (Security Device Manager) without using a real router.


Step 1: Download and Install JAVA


JAVA download link
http://dl8-cdn-00.sun.com/s/ESD6/JSCDL/jre/6u17-b70/JavaSetup6u17-rv.exe?e=1258225115292&h=bdf397401ba01d188d6618881798a506%2F&filename=JavaSetup6u17-rv.exe


Step 2: Download and Install SDM


SDM download link.
http://ftp-sj.cisco.com/pub/web/sdm/SDM-V232.zip


Step 3: Download the SDM demo, which lets you use SDM without a router, for learning purposes


download link :

http://download-sj.cisco.com/pub/web/sdm/tool/SDM_demo_tool.zip


note :


Extract the SDM demo to C:\, read the instruction file and follow its procedure. You will then be able to access SDM using the loopback IP 127.0.0.1.


This is quite interesting and helpful; try it.


If you want a complete guide to SDM, download it from the link below:


http://www.cisco.com/en/US/docs/routers/access/cisco_router_and_security_device_manager/25/software/user/guide/SDM25ug.pdf

GNS 3 - Some interesting Configuration

1) Adding your own PC to GNS3 with MS Loopback

2) Connecting Virtual Machines in GNS3 to the Local Machine and to the Internet

3) How to connect GNS3 to a real router or switch and to the internet


Monday, 23 May 2011

Frame Relay Switch Configuration By Chris Bryant, CCIE #12933


Many CCNA certification candidates want to add a frame relay switch to their Cisco router lab, but aren't quite sure how to configure one.


Other candidates aren't quite sure what a frame relay switch is, or what Cisco routers can serve as such a switch. This CCNA case study will examine how to add one of these pivotal devices to a Cisco lab.

A Cisco lab's frame relay switch is not a switch at all; it's a Cisco router. Almost any Cisco router can serve as your frame switch, but you will need multiple serial interfaces to make a router particularly effective in this role.

I recommend you get a Cisco router with at least four serial interfaces. Cisco 2520s make excellent frame switches, and by doing a search on eBay for "frame relay switch", you'll quickly find several others that can as well.

The frame relay switch is going to play the role of the frame provider in your lab. In essence, you've got a one-switch frame relay cloud, which gives you a tremendous opportunity to practice frame relay scenarios.

In this example, I've got three Cisco routers that are going to be the production routers in my lab - R1, R2, and R3. I have a fourth router that will serve as the frame relay switch. The DLCI assignments I've come up with are as follows:
  • R1 is the hub and will use DLCI 122 to reach R2, DLCI 123 to reach R3.
  • R2 is a spoke router and will use DLCI 221 to reach both R1 and R3.
  • R3 is a spoke router and will use DLCI 321 to reach both R1 and R2.
The physical connections are as follows. All connections are using DTE/DCE cables with the DCE end of the cable connected to the frame relay switch.
  • R1 is connected to the frame switch's Serial1 port.
  • R2 is connected to the frame switch's Serial2 port.
  • R3 is connected to the frame switch's Serial3 port.
On the frame switch, the global command frame-relay switching is required to make the router act as a frame relay switch. Let's take a look at the commands we'll need on the frame switch's Serial1 port, which is connected to R1.

interface Serial1
 no ip address
 encapsulation frame-relay
 logging event subif-link-status
 logging event dlci-status-change
 clockrate 56000
 no frame-relay inverse-arp
 frame-relay intf-type dce
 frame-relay route 122 interface Serial2 221
 frame-relay route 123 interface Serial3 321

Note that there is no IP address on the port, and frame relay encapsulation is enabled. The clockrate command is necessary on the DCE end of the connection, so you see it here.

You also see that the interface is hard-coded as a DCE with the frame-relay intf-type dce command. Not all current IOS versions require this; just make sure you have the DCE end of the cable attached to the frame switch and verify that with show controller serial x.

Finally, we come to the frame-relay route command. The syntax seems a little tricky, but once you break it down it's pretty simple.
  • frame-relay route 122 = the incoming DLCI
  • interface serial2 = data coming in on DLCI 122 is sent out this port
  • 221 = data sent out interface serial2 will use this DLCI
Getting those statements correct is the hardest part of configuring your frame relay switch. The good part is that once you have your frame switch configured and working properly, you can just leave the configuration there.

We'll take a look at how to verify your frame switch configuration in just a moment, but first, let's review the important section of the frame switch configuration we've talked about here.

hostname FRAME_SWITCH
!
!
ip subnet-zero
no ip domain-lookup
frame-relay switching
!
!
!
interface Ethernet0
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial0
 no ip address
interface Serial1
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 logging event subif-link-status
 logging event dlci-status-change
 clockrate 56000
 no frame-relay inverse-arp
 frame-relay intf-type dce
 frame-relay route 122 interface Serial2 221
 frame-relay route 123 interface Serial3 321

!
interface Serial2
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 logging event subif-link-status
 logging event dlci-status-change
 clockrate 56000
 no frame-relay inverse-arp
 frame-relay intf-type dce
 frame-relay route 221 interface Serial1 122
interface Serial3
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 logging event subif-link-status
 logging event dlci-status-change
 clockrate 56000
 no frame-relay inverse-arp
 frame-relay intf-type dce
 frame-relay route 321 interface Serial1 123
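Getting the frame-relay route statements mirrored correctly is, as the article says, the hardest part. The script below is an added example and not part of the article: it parses a frame switch configuration (the FRAME_SWITCH config above, reproduced as input data) and reports every route whose reverse entry is missing on the outgoing interface, plus the other omissions the article calls out (the global frame-relay switching command, frame-relay encapsulation and the clockrate on each switching port). It deliberately does not insist on frame-relay intf-type dce, since the article notes not every IOS version needs it.

```python
import re

# Added example, not part of the article: consistency check for a frame switch
# config. Every "frame-relay route IN interface X OUT" must be mirrored on X as
# "frame-relay route OUT interface <this> IN"; the global "frame-relay
# switching" must be present; each switching port needs frame-relay
# encapsulation and a clockrate because it is the DCE end of the cable.

# The FRAME_SWITCH configuration shown above, reproduced here as input data.
FRAME_SWITCH_CONFIG = """\
hostname FRAME_SWITCH
!
frame-relay switching
!
interface Serial1
 no ip address
 encapsulation frame-relay
 clockrate 56000
 no frame-relay inverse-arp
 frame-relay intf-type dce
 frame-relay route 122 interface Serial2 221
 frame-relay route 123 interface Serial3 321
!
interface Serial2
 no ip address
 encapsulation frame-relay
 clockrate 56000
 no frame-relay inverse-arp
 frame-relay intf-type dce
 frame-relay route 221 interface Serial1 122
!
interface Serial3
 no ip address
 encapsulation frame-relay
 clockrate 56000
 no frame-relay inverse-arp
 frame-relay intf-type dce
 frame-relay route 321 interface Serial1 123
"""

ROUTE_RE = re.compile(r"^frame-relay route (\d+) interface (\S+) (\d+)$")


def parse_frame_switch(config):
    """Return (switching_enabled, interfaces); interfaces maps a name to
    {"routes": {in_dlci: (out_iface, out_dlci)}, "lines": {other config lines}}."""
    switching = False
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "frame-relay switching":
            switching = True
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"routes": {}, "lines": set()}
        elif line == "!" or not line:
            current = None                       # end of the interface block
        elif current is not None:
            m = ROUTE_RE.match(line)
            if m:
                in_dlci, out_iface, out_dlci = m.groups()
                interfaces[current]["routes"][int(in_dlci)] = (out_iface, int(out_dlci))
            else:
                interfaces[current]["lines"].add(line)
    return switching, interfaces


def check_frame_switch(config):
    """Return a list of problems; an empty list means the switch config is consistent."""
    problems = []
    switching, interfaces = parse_frame_switch(config)
    if not switching:
        problems.append("global 'frame-relay switching' is missing")
    for name, data in interfaces.items():
        if not data["routes"]:
            continue                              # not a switching port
        if "encapsulation frame-relay" not in data["lines"]:
            problems.append(f"{name}: missing 'encapsulation frame-relay'")
        if not any(l.startswith("clockrate") for l in data["lines"]):
            problems.append(f"{name}: missing clockrate on the DCE end")
        for in_dlci, (out_iface, out_dlci) in data["routes"].items():
            reverse = interfaces.get(out_iface, {}).get("routes", {}).get(out_dlci)
            if reverse != (name, in_dlci):
                problems.append(
                    f"{name} DLCI {in_dlci} -> {out_iface} DLCI {out_dlci} is not mirrored: "
                    f"expected 'frame-relay route {out_dlci} interface {name} {in_dlci}' on {out_iface}")
    return problems


if __name__ == "__main__":
    for problem in check_frame_switch(FRAME_SWITCH_CONFIG) or ["frame switch config is consistent"]:
        print(problem)
```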

To verify that your frame relay configuration is functioning correctly, run the global command show frame route on the frame relay switch. If you see active next to all frame routes as shown below, you're in good shape.

[Image: show frame route output on the frame relay switch with every route shown as active (CCNA Certification Lab Frame Relay Switch Config)]

If you see anything else - say, the word "inactive" - then there is a problem.

Troubleshooting A Frame Relay Switch

The key to troubleshooting your frame switch is that you cannot concentrate only on the frame switch's config. You can get that part perfect, but if you're using other DLCIs on your routers or there's a physical issue - perhaps you forgot to open some interfaces - you're not going to get the active frame routes you want.

Just make sure you've got all the appropriate interfaces open, don't forget the clockrate and frame-relay route commands on the frame switch, and you'll successfully add this important device to your Cisco lab!




Saturday, 21 May 2011

A subnet question with answer

Question:


" On the Network 131.1.123.0/27, what is the last IP address that can be assigned to a host?"

1) 131.1.123.30
2) 131.1.123.31
3) 131.1.123.32

4) 131.1.123.33


Answer:


Your network address is 131.1.123.0/27 = 10000011.00000001.01111011.00000000

The first host is always one greater than the network address.

So “First Host Address” = 131.1.123.1
 

The subnet is /27, which means the first 27 bits represent the network portion and the last 5 bits represent the host portion.

You find the broadcast address by setting all the host bits of the network address to 1.

So 10000011.00000001.01111011.000 00000 becomes
   10000011.00000001.01111011.000 11111 = 131.1.123.31

Which is your broadcast address.

Now the last host of your network is one less than the broadcast address, so it is 131.1.123.30
----------------
So Network address = 131.1.123.0
First host = 131.1.123.1
Last host = 131.1.123.30
Broadcast address = 131.1.123.31
-------------------

So I think the correct answer is 131.1.123.30

Ps:

The /27 means that the first 27 bits are used for the "network portion".
An IP address has 32 bits in total, so you are left with 5 bits for the host portion (2^5-1).
Your subnet mask is 11111111.11111111.11111111.11100000 = 255.255.255.224.

Hope it was helpful !


Thursday, 19 May 2011

Collision Domain and Broadcast Domain

A collision domain is a physical network segment where data packets can collide with one another when being sent on a shared medium, in particular, when using the Ethernet networking protocol. A network collision occurs when more than one device attempts to send a packet on a network segment at the same time. Collisions are resolved using carrier sense multiple access or a variant thereof in which the competing packets are discarded and re-sent one at a time. This becomes a source of inefficiency in the network.[1]

This situation is typically found in a hub environment where each host segment connects to a hub that represents only one collision domain and only one broadcast domain. Collision domains are also found in wireless networking such as Wi-Fi. Only one device in the collision domain may transmit at any one time, and the other devices in the domain listen to the network in order to avoid data collisions. Because only one device may be transmitting at any one time, total network bandwidth is shared among all devices. Collisions also decrease network efficiency on a collision domain; if two devices transmit simultaneously, a collision occurs, and both devices must retransmit at a later time.
To relieve the network of collision domains, it is recommended to use a network switch which increases the number of collision domains while decreasing each collision domain's size. This is because each port on a switch is its own collision domain.

A broadcast domain is a logical division of a computer network, in which all nodes can reach each other by broadcast at the data link layer. A broadcast domain can be within the same LAN segment or it can be bridged to other LAN segments.

In terms of current popular technologies: Any computer connected to the same Ethernet repeater or switch is a member of the same broadcast domain. Further, any computer connected to the same set of inter-connected switches/repeaters is a member of the same broadcast domain. Routers and other higher-layer devices form boundaries between broadcast domains.

This is as compared to a collision domain, which would be all nodes on the same set of inter-connected repeaters, divided by switches and learning bridges. Collision domains are generally smaller than, and contained within, broadcast domains.

While some layer two network devices are able to divide the collision domains, broadcast domains are only divided by layer 3 network devices such as routers or layer 3 switches.
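The rules above (a hub joins everything, a switch bounds collision domains per port but floods broadcasts, a router bounds both) can be applied mechanically to a topology. The code below is an added example, not part of the post: it treats each cable as a segment, merges segments through devices that repeat frames, and counts the resulting collision and broadcast domains for a small constructed topology.

```python
from collections import defaultdict

# Added example, not from the post: count collision and broadcast domains for a
# constructed topology. Each link is one segment; a device of a "joining" type
# merges every segment attached to it. Hubs repeat all frames (join both kinds
# of domain), switches flood only broadcasts, routers join neither.

JOINS_COLLISION = {"hub"}
JOINS_BROADCAST = {"hub", "switch"}


class DisjointSet:
    """Union-find over segment indexes."""

    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

    def groups(self):
        members = defaultdict(list)
        for i in self.parent:
            members[self.find(i)].append(i)
        return list(members.values())


def domains(devices, links, joining_types):
    """Group links (segments) into domains; devices of a joining type merge
    every segment attached to them. Returns a list of domains, each a list of links."""
    ds = DisjointSet(range(len(links)))
    attached = defaultdict(list)
    for idx, (a, b) in enumerate(links):
        attached[a].append(idx)
        attached[b].append(idx)
    for name, kind in devices.items():
        if kind in joining_types:
            ports = attached[name]
            for idx in ports[1:]:
                ds.union(ports[0], idx)
    return [[links[i] for i in group] for group in ds.groups()]


def count_domains(devices, links):
    """Return (number of collision domains, number of broadcast domains)."""
    return (len(domains(devices, links, JOINS_COLLISION)),
            len(domains(devices, links, JOINS_BROADCAST)))


# Constructed topology: hosts A and B share a hub that uplinks to switch SW1,
# host C is on SW1, SW1 connects to router R1, and R1 connects to SW2 with host D.
DEVICES = {"A": "host", "B": "host", "C": "host", "D": "host",
           "HUB1": "hub", "SW1": "switch", "SW2": "switch", "R1": "router"}
LINKS = [("A", "HUB1"), ("B", "HUB1"), ("HUB1", "SW1"), ("C", "SW1"),
         ("SW1", "R1"), ("R1", "SW2"), ("SW2", "D")]

if __name__ == "__main__":
    print("collision domains, broadcast domains:", count_domains(DEVICES, LINKS))
```

For the constructed topology the hub collapses its three segments into one collision domain, every switch and router port is its own, and only the router splits the broadcast domain, giving 5 collision domains and 2 broadcast domains.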

IPV6

Hexadecimal, in groups of sixteen bits.
E.g. 2000:0AD5:1F33:0000:0000:0000:013F:B043

There are a few rules which make it easier:
- A leading zero can be dropped.
So the above address becomes 2000:AD5:1F33:0:0:0:13F:B043
- Consecutive fields consisting only of zeros may be left out, but only once in each address.
So you can also write: 2000:AD5:1F33::13F:B043

A few more useful bits of information:
- The loopback address (IPv4's 127.0.0.1) is all zeros with the last bit set to one, or '::1'
- Subnet masks are written only in slash notation.
E.g. 2000:AD5:1F33::13F:B043/64
- Broadcast addresses no longer exist in IPv6; they have been replaced by the 'all-nodes' multicast group, so the last address in a subnet is usable.
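The two shortening rules are easy to get wrong by hand, so here they are as code. This is an added example, not part of the post: it compresses a fully written address (drop leading zeros in each field, then replace the longest run of all-zero fields with '::'), expands a compressed address back to eight four-digit fields, and derives the subnet from slash notation. It follows the RFC 5952 conventions that Python's ipaddress module also uses: lowercase hex, the longest zero run wins (the first one on a tie), and a single zero field is never shortened to '::'.

```python
import ipaddress

# Added example, not part of the post: IPv6 address compression and expansion
# written out as the rules above, plus the subnet implied by slash notation.


def compress_ipv6(address):
    """Drop leading zeros in each 16-bit field, then replace the longest run of
    two or more all-zero fields with '::' (RFC 5952 style, as ipaddress does)."""
    fields = [f.lstrip("0") or "0" for f in address.lower().split(":")]
    if len(fields) != 8:
        raise ValueError("expected a fully written 8-field address")
    best_start, best_len = -1, 0
    run_start = None
    for i, field in enumerate(fields + ["end"]):   # sentinel closes the last run
        if field == "0":
            if run_start is None:
                run_start = i
        elif run_start is not None:
            run_len = i - run_start
            if run_len > best_len:                # strict '>' keeps the first of equal runs
                best_start, best_len = run_start, run_len
            run_start = None
    if best_len < 2:                              # a lone zero field stays as '0'
        return ":".join(fields)
    left = fields[:best_start]
    right = fields[best_start + best_len:]
    return ":".join(left) + "::" + ":".join(right)


def expand_ipv6(address):
    """Inverse of compress_ipv6: restore all eight four-digit fields."""
    if address.count("::") > 1:
        raise ValueError("'::' may appear only once in an address")
    if "::" in address:
        left, right = address.split("::")
        left_fields = left.split(":") if left else []
        right_fields = right.split(":") if right else []
        missing = 8 - len(left_fields) - len(right_fields)
        fields = left_fields + ["0"] * missing + right_fields
    else:
        fields = address.split(":")
    if len(fields) != 8:
        raise ValueError("wrong number of fields")
    return ":".join(f.zfill(4).lower() for f in fields)


def network_of(address_with_prefix):
    """Slash notation is the only mask form in IPv6; return the subnet it denotes."""
    return str(ipaddress.ip_interface(address_with_prefix).network)


if __name__ == "__main__":
    full = "2000:0AD5:1F33:0000:0000:0000:013F:B043"   # the address from the post
    short = compress_ipv6(full)
    print(short, "->", expand_ipv6(short))
    print(network_of(short + "/64"))
```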

Tuesday, 17 May 2011

Access-list questions part 2


Question 1
The following access list was applied outbound on the E0 interface connected to the 192.169.1.8/29 LAN:
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any
How will the above access lists affect traffic?
A – FTP traffic from 192.169.1.22 will be denied
B – No traffic, except for FTP traffic will be allowed to exit E0
C – FTP traffic from 192.169.1.9 to any host will be denied
D – All traffic exiting E0 will be denied
E – All FTP traffic to network 192.169.1.9/29 will be denied

Answer: D
Explanation:
There is always an implicit “deny all” command at the end of every access list, so if an access list doesn’t have any “permit” command, it will block all the traffic. If we use the command “access-list 135 permit ip any any” at the end of this access list then the answer should be C – FTP traffic from 192.169.1.9 to any host will be denied.
Question 2
The access control list shown in the graphic has been applied to the Ethernet interface of router R1 using the ip access-group 101 in command. Which of the following Telnet sessions will be blocked by this ACL? (Choose two)

A – from host PC1 to host 5.1.1.10
B – from host PC1 to host 5.1.3.10
C – from host PC2 to host 5.1.2.10
D – from host PC2 to host 5.1.3.8

Answer: B D
Explanation
Below is the simple syntax of an extended access list:
access-list access-list-number {deny | permit} {ip|tcp|udp|icmp} source [source-mask] dest [dest-mask] [eq dest-port]
Notice that this access list is applied to the Ethernet interface of R1 in the “in direction” so in this case, it will filter all the packets originated from E1 network (host PC1 and PC2) with these parameters:
Source network: 5.1.1.8 0.0.0.3, which means 5.1.1.8 with the subnet mask 255.255.255.252 (just invert all the wildcard bits to get the equivalent subnet mask) -> Packets from 5.1.1.8 to 5.1.1.11 will be filtered.
Destination network: 5.1.3.0 0.0.0.255 which means 5.1.3.0/24-> Packets to 5.1.3.0/24 will be filtered
Therefore packets originated from 5.1.1.8 to 5.1.1.11 and have the destination to the host 5.1.3.x (via Telnet) will be denied.
Question 3
The following configuration line was added to router R1
Access-list 101 permit ip 10.25.30.0 0.0.0.255 any
What is the effect of this access list configuration?
A – permit all packets matching the first three octets of the source address to all destinations
B – permit all packet matching the last octet of the destination address and accept all source addresses
C – permit all packet matching the host bits in the source address to all destinations
D – permit all packet from the third subnet of the network address to all destinations

Answer: A

Access-list questions part 1


Question 1
Your boss is learning a CCNA training course, refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two)

access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any
A. source ip address: 192.168.15.5; destination port: 21
B. source ip address: 192.168.15.37; destination port: 21
C. source ip address: 192.168.15.41; destination port: 21
D. source ip address: 192.168.15.36; destination port: 23
E. source ip address: 192.168.15.46; destination port: 23
F. source ip address: 192.168.15.49; destination port: 23

Answer: D E

Question 2
Refer to the graphic. It has been decided that PC1 should be denied access to Server. Which of the following commands are required to prevent only PC1 from accessing Server1 while allowing all other traffic to flow normally? (Choose two)
[Image: accesslist2 exhibit]
A – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 out
B – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 in
C – Router(config)# access-list 101 deny ip host 172.16.161.150 host 172.16.162.163
Router(config)# access-list 101 permit ip any any
D – Router(config)# access-list 101 deny ip 172.16.161.150 0.0.0.255 172.16.162.163 0.0.0.0
Router(config)# access-list 101 permit ip any any

Answer: B C
Question 3
Refer to the exhibit. Why would the network administrator configure RA in this manner?

A. to give students access to the Internet
B. to prevent students from accessing the command prompt of RA
C. to prevent administrators from accessing the console of RA
D. to give administrators access to the Internet
E. to prevent students from accessing the Internet
F. to prevent students from accessing the Admin network

Answer: B
Explanation
Although the access list is used to “permit” network 10.1.1.0/24, the best answer here is “to prevent students from accessing the command prompt of RA”. From the picture above, we know that 10.1.1.0/24 is the “Admin” network. This access list is applied to “line vty 0 4”, so it will permit only Telnet traffic from “Admin” to RA while dropping all other traffic (because of the implicit “deny all” at the end of the access list). Therefore we can deduce that it will “prevent students from accessing the command prompt of RA”.
This access list only filters Telnet traffic (because it is applied to vty line) so it will not prevent or allow anyone to access the Internet -> A, D, E are not correct.
C is not correct as this access list allows administrators to access the console of RA.
F is not correct as this access list does not filter TCP, UDP or IP traffic, so the students can still access the Admin network.
(Notice that the “command prompt” here implies telnet as telnet is the only way to remotely access RA)
Question 4
A network administrator wants to add a line to an access list that will block only Telnet access by the hosts on subnet 192.168.1.128/28 to the server at 192.168.1.5. What command should be issued to accomplish this task?
A – access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
B – access-list 101 deny tcp 192.168.1.128 0.0.0.240 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
C – access-list 1 deny tcp 192.168.1.128 0.0.0.255 192.168.1.5 0.0.0.0 eq 21
access-list 1 permit ip any any
D – access-list 1 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23
access-list 1 permit ip any any

Answer: A
Explanation:
First the question asks to block only Telnet access so the port we have to use is 23 -> C is not correct.
Next we need to block traffic from hosts on the subnet 192.168.1.128/28, which is 192.168.1.128 0.0.0.15 if we convert to a wildcard mask (just invert all bits of the subnet mask, from 0 to 1 and from 1 to 0, to get the equivalent wildcard mask) -> so B is incorrect
In this case, we have to use extended access list because we need to specify which type of traffic (TCP) and which port (23) we want to block -> so D is incorrect because it uses standard access list.
Question 5
As a network administrator, you have been instructed to prevent all traffic originating on the LAN from entering the R2 router. Which of the following commands would implement the access list on the interface of the R2 router?


A – access-list 101 in
B – access-list 101 out
C – ip access-group 101 in
D – ip access-group 101 out

Answer: C
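Both access-list posts hinge on the same mechanics: entries are tried top-down, an address matches when the bits the wildcard mask marks as 0 agree, "ip" matches every protocol, and an unmatched packet hits the implicit deny. The evaluator below is an added example, not part of either post: it parses the numbered extended access lists from Question 1 of part 1 (access-list 101) and Question 1 of part 2 (access-list 135), classifies the candidate packets from those questions, and converts a prefix length into the wildcard mask that Question 4 asks for. Port names are resolved from a small constructed table; the "eq" keyword is accepted after the source as well as after the destination, as in the part 2 list.

```python
import ipaddress

# Added example, not part of either post: a small evaluator for numbered
# extended access lists in the syntax used by the questions above.

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "www": 80}   # constructed subset
ANY = (0, 0xFFFFFFFF)          # network 0.0.0.0 with wildcard 255.255.255.255


def _addr(text):
    return int(ipaddress.IPv4Address(text))


def _parse_address(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i]; return ((net, wildcard), next_i)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (_addr(tokens[i + 1]), 0), i + 2
    return (_addr(tokens[i]), _addr(tokens[i + 1])), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq PORT' at tokens[i]; the port may be a number or a name."""
    if i < len(tokens) and tokens[i] == "eq":
        value = tokens[i + 1]
        return (int(value) if value.isdigit() else PORT_NAMES[value]), i + 2
    return None, i


def parse_acl(text):
    """Return a list of entries (action, proto, src, sport, dst, dport) in order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0].lower() != "access-list":
            continue
        action, proto = tokens[2], tokens[3]
        src, i = _parse_address(tokens, 4)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_address(tokens, i)
        dport, i = _parse_port(tokens, i)
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def _wildcard_match(spec, address):
    network, wildcard = spec
    keep = ~wildcard & 0xFFFFFFFF            # a 0 bit in the wildcard means "must match"
    return (address & keep) == (network & keep)


def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """Return 'permit' or 'deny' for one packet, first match wins, implicit deny at the end."""
    s, d = _addr(src), _addr(dst)
    for action, eproto, esrc, esport, edst, edport in entries:
        if eproto != "ip" and eproto != proto:
            continue
        if not (_wildcard_match(esrc, s) and _wildcard_match(edst, d)):
            continue
        if esport is not None and esport != sport:
            continue
        if edport is not None and edport != dport:
            continue
        return action
    return "deny"                             # every access list ends with an implicit deny


def wildcard_for_prefix(prefixlen):
    """Wildcard mask for a prefix length: the bitwise inverse of the subnet mask."""
    return str(ipaddress.IPv4Address((1 << (32 - prefixlen)) - 1))


# The access lists from the questions above, reused as input.
ACL_101 = """\
access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any
"""
ACL_135 = """\
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any
"""

if __name__ == "__main__":
    acl = parse_acl(ACL_101)
    for host, port in (("192.168.15.5", 21), ("192.168.15.36", 23), ("192.168.15.46", 23), ("192.168.15.49", 23)):
        print(host, port, evaluate(acl, "tcp", host, "10.0.0.1", dport=port))
    print("/28 ->", wildcard_for_prefix(28))
```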

Monday, 16 May 2011


Refer to the exhibit. What is the most efficient summarization that R1 can use to advertise its networks to R2?

A. 172.1.0.0/22
B. 172.1.0.0/21
C. 172.1.4.0/22
D. 172.1.4.0/24
172.1.5.0/24
172.1.6.0/24
172.1.7.0/24
E. 172.1.4.0/25
172.1.4.128/25
172.1.5.0/24
172.1.6.0/24
172.1.7.0/24

Answer: C
Explanation:
Network 172.1.4.0/25 and network 172.1.4.128/25 can be grouped into a single network 172.1.4.0/24
Network 172.1.4.0/24 + Network 172.1.5.0/24 + Network 172.1.6.0/24 + Network 172.1.7.0/24 can be grouped into a single network 172.1.4.0/22 because we have all 4 subnetworks, so we can move left 2 bits (2^2 = 4)
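The same reasoning in code, as an added example that is not part of the post: it widens a prefix from the lowest address until one block covers the highest, then checks whether that block is exact (every address in it belongs to one of the given networks) or also covers unassigned space, which is how a summary such as 172.1.0.0/21 would be too broad here.

```python
import ipaddress

# Added example (not part of the post): the most specific single prefix that
# covers a set of networks, and whether it covers anything extra.


def summarize(networks):
    """Return (summary_prefix, exact); exact is True when the summary covers
    precisely the given address space and nothing more."""
    nets = list(ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in networks))
    lo = int(min(n.network_address for n in nets))
    hi = int(max(n.broadcast_address for n in nets))
    for plen in range(32, -1, -1):            # widen until one block covers lo..hi
        size = 1 << (32 - plen)
        start = lo - (lo % size)              # align the block to its size
        if start + size - 1 >= hi:
            break
    summary = ipaddress.ip_network((start, plen))
    covered = sum(n.num_addresses for n in nets)
    return str(summary), covered == summary.num_addresses


def uncovered_space(networks):
    """Address blocks inside the summary that none of the given networks use."""
    summary, _ = summarize(networks)
    leftovers = [ipaddress.ip_network(summary)]
    for n in (ipaddress.ip_network(x) for x in networks):
        next_leftovers = []
        for block in leftovers:
            if n.subnet_of(block):
                next_leftovers.extend(block.address_exclude(n))   # carve n out of block
            elif not block.subnet_of(n):
                next_leftovers.append(block)                      # disjoint, keep
        leftovers = next_leftovers
    return sorted(str(b) for b in ipaddress.collapse_addresses(leftovers))


# The networks R1 advertises in the question above.
R1_NETWORKS = ["172.1.4.0/25", "172.1.4.128/25", "172.1.5.0/24", "172.1.6.0/24", "172.1.7.0/24"]

if __name__ == "__main__":
    print(summarize(R1_NETWORKS), uncovered_space(R1_NETWORKS))
    print(summarize(R1_NETWORKS[:3]), uncovered_space(R1_NETWORKS[:3]))
```

The second print shows the caveat: with only the first three networks the tightest single block is still 172.1.4.0/22, but it is not exact, and uncovered_space names the blocks the summary would wrongly attract traffic for.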


RIP intro


Welcome to the wonderful world of dynamic routing protocols. Routing Information Protocol, aka RIP, will be the first of 3 dynamic routing protocols you must know as a CCNA network engineer. RIP was widely deployed in 1982 due to the inclusion of its code in the BSD 4.2 Unix OS, and then a few years later, in June of 1988, it became an IETF standard. RIP replaced GGP (Gateway to Gateway Protocol), a protocol you’ll never hear about again as it is long gone and turned into ash.
Before you jump onto the router, let's first discuss a little bit of the technology relating to RIP.
RIP is a distance vector routing protocol which has an administrative distance of 120 and uses the Bellman-Ford algorithm. RIP uses hop count as its metric to determine the best path to a network. For example, if 10.70.10.0/24 is 2 routers away, then it is effectively 2 hops away and thus has a metric of 2. Keep in mind that if you have a PC trying to get to a server on a network and one path has 2 hops using T1 links and the other path has 3 hops using three DS3s, the path with the lower metric will be chosen.
RIP operates on UDP port 520 by default. Version 1 uses a broadcast delivery mechanism for updates whereas version 2 uses multicast. This will be discussed further in detail in the next lab.
By the standard (RFC 1058), RIP uses three timers to function properly (update, timeout and garbage-collection); if you're running RIP on a Cisco router a fourth timer, the hold down timer, is used as well. The timer functions are given below:
Update Timer: The interval at which the router sends its full routing table to neighbouring routers (RIP has no separate hello packet; the periodic update is also how neighbours know a route is still alive). The Cisco default is every 30 seconds, offset by a small random amount (+/- up to 5 seconds) to prevent update synchronization.
Invalid Timer: How long a route may go without being refreshed by an update before the router marks it invalid. An invalid route is advertised with the unreachable metric of 16 and, on a Cisco router, enters hold down; it stays in the routing table marked "possibly down" and is still used for forwarding until it is flushed. The Cisco default invalid timer is 180 seconds.
Hold Down Timer: Once a route has been marked invalid, the hold down timer is the interval during which updates for that route carrying an equal or worse metric are ignored. This prevents inaccurate routing updates (routing by rumor) from reinstating a failed route until the topology has had time to converge; an update with a better metric ends hold down immediately. The Cisco default hold down timer is 180 seconds. The hold down timer is a Cisco extension of the RIP protocol and is not included in the IETF standard.
Flush Timer: How long after the last update for a route the router waits before it flushes (removes) the route from the routing table. The Cisco default is 240 seconds, measured from the last update rather than from the invalid event, so with default timers a route is flushed 60 seconds after it was marked invalid, before its hold down timer would have expired.
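The interplay of the four timers is easier to see in code than in prose. The following is an added example, not IOS code: a small model of one RIP table that ages a route with the IOS defaults (timers basic 30 180 180 240) and applies the hold down rule described above. The prefix 10.70.10.0/24, the next-hop addresses and the event times are constructed.

```python
"""Model of RIP route ageing with the four Cisco timers.

Added example, not IOS code: it reproduces the behaviour described above
with the IOS defaults (timers basic 30 180 180 240).  Network prefixes,
next-hop addresses and the event timings are constructed.
"""
from dataclasses import dataclass

RIP_INFINITY = 16
UPDATE, INVALID, HOLDDOWN, FLUSH = 30, 180, 180, 240   # seconds, Cisco defaults


@dataclass
class Route:
    network: str
    metric: int            # last good metric; kept while in hold down
    next_hop: str
    last_update: float     # when an update for this route was last heard
    state: str = "valid"   # "valid" or "holddown" ("possibly down" in IOS)
    holddown_until: float = 0.0

    def advertised_metric(self):
        """What this router tells its neighbours: 16 while in hold down."""
        return self.metric if self.state == "valid" else RIP_INFINITY


class RipTable:
    def __init__(self):
        self.routes = {}

    def receive(self, now, network, metric, next_hop):
        """Process one route entry from a received update."""
        r = self.routes.get(network)
        if r is None:
            if metric < RIP_INFINITY:            # never install an unreachable route
                self.routes[network] = Route(network, metric, next_hop, now)
            return
        if r.state == "holddown" and metric >= r.metric:
            return                               # hold down: equal or worse metric is ignored
        if metric >= RIP_INFINITY:
            # poison from the next hop we use: the route is invalid right now
            if r.state == "valid" and next_hop == r.next_hop:
                self._enter_holddown(r, now)
            return
        if next_hop == r.next_hop or metric < r.metric:
            # refresh from the current next hop, or a better path; a better
            # metric is the only update that gets this far during hold down
            self.routes[network] = Route(network, metric, next_hop, now)

    def _enter_holddown(self, r, now):
        r.state = "holddown"
        r.holddown_until = now + HOLDDOWN

    def tick(self, now):
        """Expire timers at time `now`; returns [(network, event), ...]."""
        events = []
        for net, r in list(self.routes.items()):
            age = now - r.last_update
            if r.state == "valid" and age >= INVALID:
                self._enter_holddown(r, now)
                events.append((net, "invalid -> holddown"))
            if age >= FLUSH:
                # flush counts from the last update, not from invalidation, so
                # with defaults the route is removed before hold down would end
                del self.routes[net]
                events.append((net, "flushed"))
        return events


def age_out_scenario():
    """Route learned at t=0 and never refreshed again: timer events by time."""
    table = RipTable()
    table.receive(0, "10.70.10.0/24", 2, "172.20.1.2")
    trace = []
    for now in range(0, 301, UPDATE):           # check once per update interval
        trace.extend((now, event) for _net, event in table.tick(now))
    return trace


def holddown_scenario():
    """Worse metric during hold down is ignored; a better one is accepted at once."""
    table = RipTable()
    table.receive(0, "10.70.10.0/24", 2, "172.20.1.2")
    table.tick(180)                                        # enters hold down
    advertised = table.routes["10.70.10.0/24"].advertised_metric()
    table.receive(190, "10.70.10.0/24", 3, "172.22.1.4")   # worse: suppressed
    suppressed = table.routes["10.70.10.0/24"].state == "holddown"
    table.receive(200, "10.70.10.0/24", 1, "172.16.2.9")   # better: installed
    r = table.routes["10.70.10.0/24"]
    return advertised, suppressed, r.state, r.metric, r.next_hop


if __name__ == "__main__":
    print(age_out_scenario())
    print(holddown_scenario())
```

The first scenario yields exactly two events, invalid at 180 seconds and flushed at 240, which is the 60-second gap the flush timer explanation refers to. The second shows a hold down route advertising metric 16, ignoring a metric-3 offer from another neighbour, and then accepting a metric-1 offer without waiting for the hold down timer.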

CCNA subnetting questions

Question 1

Given a subnet mask of 255.255.255.224, which of the following addresses can be assigned to network hosts? (Choose three)

A – 15.234.118.63
B – 92.11.178.93
C – 134.178.18.56
D – 192.168.16.87
E – 201.45.116.159
F – 217.63.12.192



Answer: B C D

Explanation

A subnet mask of 255.255.255.224 has an increment of 32 (the binary form of the last octet is 1110 0000, leaving five host bits, and 2^5 = 32), so we can't use numbers that are multiples of 32 because they are sub-network addresses. Besides, we can't use the broadcast address of each sub-network, which is one less than the next network address. For example, the network address of the 2nd subnet is x.x.x.32, so the broadcast address of the 1st subnet is 32 – 1 = 31 (x.x.x.31).

By this method we can calculate the unusable addresses, which are (notice that these are the 4th octets of the IP addresses only):

+ Network addresses: 0, 32, 64, 96, 128, 160, 192, 224.
+ Broadcast addresses: 31, 63, 95, 127, 159, 191, 223, 255.
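The same check, done with integer bit arithmetic so the increment rule is visible rather than looked up: an added example for Question 1, not part of the page. The candidate list is the question's own; the function names and the non-contiguous-mask check are this example's additions.

```python
"""Classify addresses as network, broadcast or host under a subnet mask.

Added example for Question 1, not from the page: the mask arithmetic is done
by hand with integer bit operations so the "increment" rule above is visible.
The candidate list is the question's own.
"""


def to_int(dotted):
    octets = [int(x) for x in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def host_mask(mask):
    """Bitwise complement of the mask; rejects non-contiguous masks like 255.255.0.255."""
    hm = ~to_int(mask) & 0xFFFFFFFF
    if (hm + 1) & hm:                  # hm + 1 must be a power of two
        raise ValueError(f"non-contiguous mask: {mask}")
    return hm


def classify(address, mask):
    """Return "network", "broadcast" or "host" for `address` under `mask`."""
    a, hm = to_int(address), host_mask(mask)
    network = a & ~hm & 0xFFFFFFFF    # host bits cleared
    broadcast = a | hm                # host bits set
    if a == network:
        return "network"
    if a == broadcast:
        return "broadcast"
    return "host"


def subnet_of(address, mask):
    """(network, broadcast) of the subnet containing `address`, as dotted strings."""
    a, hm = to_int(address), host_mask(mask)
    return to_dotted(a & ~hm & 0xFFFFFFFF), to_dotted(a | hm)


def last_octet_boundaries(mask):
    """Network and broadcast values of the 4th octet for a mask of /24 or longer,
    i.e. the two lists written out in the explanation above."""
    size = host_mask(mask) + 1          # the increment: 32 for 255.255.255.224
    if size > 256:
        raise ValueError("mask must be /24 or longer")
    networks = list(range(0, 256, size))
    return networks, [n + size - 1 for n in networks]


def valid_hosts(candidates, mask):
    return [c for c in candidates if classify(c, mask) == "host"]


QUESTION_1 = ["15.234.118.63", "92.11.178.93", "134.178.18.56",
              "192.168.16.87", "201.45.116.159", "217.63.12.192"]

if __name__ == "__main__":
    for addr in QUESTION_1:
        print(addr, classify(addr, "255.255.255.224"), subnet_of(addr, "255.255.255.224"))
    print(last_octet_boundaries("255.255.255.224"))
```

Running it reproduces the answer B C D and prints the subnet each candidate falls in, which is the quickest way to see why .63 and .159 are broadcasts and .192 is a network address.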

Question 2

Which of the following host addresses are members of networks that can be routed across the public Internet? (Choose three)

A – 10.172.13.65
B – 172.16.223.125
C – 172.64.12.29
D – 192.168.23.252
E – 198.234.12.95
F – 212.193.48.254



Answer: C E F

Explanation

Addresses that can be routed across the public Internet are called public IP addresses. These addresses belong to class A, B or C only and are not private (RFC 1918) addresses.

Note:

Private class A IP addresses: 10.0.0.0 to 10.255.255.255
Private class B IP addresses: 172.16.0.0 to 172.31.255.255
Private class C IP addresses: 192.168.0.0 to 192.168.255.255

Class D addresses (224.0.0.0 to 239.255.255.255) are reserved for IP multicast and can't be used as host addresses routed across the Internet.

Also we can't use 127.x.x.x addresses because the number 127 is reserved for loopback and is used for internal testing on the local machine.

Question 3

A national retail chain needs to design an IP addressing scheme to support a nationwide network. The company needs a minimum of 300 sub-networks and a maximum of 50 host addresses per subnet. Working with only one Class B address, which of the following subnet masks will support an appropriate addressing scheme? (Choose two)

A – 255.255.255.0
B – 255.255.255.128
C – 255.255.252.0
D – 255.255.255.224
E – 255.255.255.192
F – 255.255.248.0



Answer: B E

Explanation

We need to remember that the default subnet mask of class B is 255.255.0.0 (/16). Next, the company requires a minimum of 300 sub-networks, so we have to provide at least 512 (the smallest power of 2 greater than 300). Therefore we borrow 9 bits for the subnet part (2^9 = 512), leaving 7 bits for hosts, which gives 2^7 – 2 = 126 usable host addresses > 50. This scheme (/25, i.e. 255.255.255.128) satisfies the requirement -> B is correct.

We can increase the sub-networks to 1024 (2^10, ten borrowed bits), leaving 6 bits for hosts, that is 2^6 – 2 = 62 usable hosts > 50. This scheme (/26, i.e. 255.255.255.192) satisfies the requirement too -> E is correct.
Notice: The question says "The company needs a minimum of 300 sub-networks and a maximum of 50 host addresses per subnet", but this is a typo; you should read it as "The company needs a minimum of 300 sub-networks and a minimum of 50 host addresses per subnet".
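Rather than reasoning about one power of two at a time, it is worth enumerating every prefix length that meets both requirements; the following added example (not from the page) does that for Question 3 and also answers the host-count part of Question 5 with the same arithmetic. The function names and the /30 upper bound are this example's choices.

```python
"""Subnet masks that satisfy a subnet-count and a host-count requirement.

Added example for Question 3 (the same arithmetic answers the host-count part
of Question 5); not from the page.  It enumerates every prefix length that
works instead of reasoning about one power of two at a time.
"""

CLASS_B_PREFIX = 16    # default mask of a class B address: 255.255.0.0


def prefix_to_mask(prefix):
    m = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((m >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def candidate_masks(min_subnets, min_hosts, base_prefix=CLASS_B_PREFIX):
    """Every prefix /p (base_prefix <= p <= 30) giving >= min_subnets subnets of
    >= min_hosts usable hosts.  Returns [(prefix, mask, subnets, usable_hosts)].
    """
    out = []
    for p in range(base_prefix, 31):          # /31 and /32 have no usable hosts here
        subnets = 1 << (p - base_prefix)     # one subnet per combination of borrowed bits
        usable = (1 << (32 - p)) - 2         # minus the network and broadcast addresses
        if subnets >= min_subnets and usable >= min_hosts:
            out.append((p, prefix_to_mask(p), subnets, usable))
    return out


def longest_prefix_for_hosts(min_hosts):
    """Smallest subnet (longest prefix) that still fits min_hosts usable hosts."""
    return max(p for p in range(1, 31) if (1 << (32 - p)) - 2 >= min_hosts)


if __name__ == "__main__":
    for p, mask, subnets, usable in candidate_masks(300, 50):
        print(f"/{p} {mask}: {subnets} subnets x {usable} usable hosts")
    print("114 hosts need at least a /%d" % longest_prefix_for_hosts(114))
```

For 300 subnets and 50 hosts exactly two prefixes survive, /25 and /26, which are answers B and E; asking for 200 hosts instead returns nothing, because /24 gives only 256 subnets and /25 only 126 hosts. For Question 5, 114 hosts force a /25.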

Question 4
Which of the following IP addresses fall into the CIDR block of 115.64.4.0/22? (Choose three)
A – 115.64.8.32
B – 115.64.7.64
C – 115.64.6.255
D – 115.64.3.255
E – 115.64.5.128
F – 115.64.12.128

Answer: B C E
Explanation
CIDR stands for Classless Inter-Domain Routing; the difference between CIDR and VLSM is slim and the terms are interchangeable at CCNA level.
To find which IP addresses fall into the CIDR block 115.64.4.0/22 we write the address and its subnet mask in binary, but we only need to care about the 3rd octet, because the /22 mask (255.255.252.0) ends in that octet. The 3rd octet of the block is 4 = 0000 0100 and the six mask bits 1111 1100 fix everything except the last two bits, so the 3rd octet can range from 4 to 7. The block therefore spans 115.64.4.0 to 115.64.7.255: B (115.64.7.64), C (115.64.6.255) and E (115.64.5.128) fall inside it, while A and F (3rd octet 8 and 12) and D (3rd octet 3) fall outside.
Question 5
Refer to the diagram. All hosts have connectivity with one another. Which statements describe the addressing scheme that is in use in the network? (Choose three)




A – The subnet mask in use is 255.255.255.192.
B – The subnet mask in use is 255.255.255.128.
C – The IP address 172.16.1.25 can be assigned to hosts in VLAN1.
D – The IP address 172.16.1.205 can be assigned to hosts in VLAN1.
E – The LAN interface of the router is configured with one IP address.
F – The LAN interface of the router is configured with multiple IP addresses.

Answer: B C F
Explanation
VLAN 2 has 114 hosts, so we need to leave 7 bits for host addresses (2^7 – 2 = 126 > 114). That means 32 – 7 = 25 mask bits; both Host A and Host B are class B addresses with a default mask of /16, so we are borrowing 25 – 16 = 9 bits for subnetting, and the subnet mask is 255.255.255.128 (/25) -> B is correct.
With this scheme, C is correct because 172.16.1.25 belongs to the sub-network of VLAN 1 (172.16.1.0/25) and can be assigned to a host in VLAN 1, whereas 172.16.1.205 falls in 172.16.1.128/25, a different subnet, so D is not.
For communication between VLAN 1 and VLAN 2 (router on a stick), the LAN interface of the router is divided into multiple sub-interfaces, each with its own IP address -> F is correct.
Question 6
The network 172.25.0.0 has been divided into eight equal subnets. Which of the following IP addresses can be assigned to hosts in the third subnet if the ip subnet-zero command is configured on the router? (Choose three)
A – 172.25.78.243
B – 172.25.98.16
C – 172.25.72.0
D – 172.25.94.255
E – 172.25.96.17
F – 172.25.100.16

Answer: A C D
Explanation
If the "ip subnet-zero" command is configured then the first subnet is 172.25.0.0 (the all-zeros subnet may be used). Otherwise the first usable subnet is 172.25.32.0 (we will see below where 32 comes from).
The question states that the network 172.25.0.0 (class B, /16) is divided into eight equal subnets, so we borrow 3 bits (2^3 = 8) from the third octet; the increment is 256 / 8 = 32 and the corresponding subnet mask is /19 (1111 1111.1111 1111.1110 0000.0000 0000, i.e. 255.255.224.0).
First subnet: 172.25.0.0/19
Second subnet: 172.25.32.0/19
Third subnet: 172.25.64.0/19
4th subnet: 172.25.96.0/19
5th subnet: 172.25.128.0/19
6th subnet: 172.25.160.0/19
7th subnet: 172.25.192.0/19
8th subnet: 172.25.224.0/19
In fact, we only need the third subnet, as the question asks. It ranges from 172.25.64.0 (network address) to 172.25.95.255 (broadcast address), with usable hosts 172.25.64.1 through 172.25.95.254, so A, C and D are the correct answers. Note that 172.25.72.0 is a valid host address here: with a /19 mask only 172.25.64.0 is the network address, and a .0 in the fourth octet is not special.
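Questions 4 and 6 can both be checked with Python's standard ipaddress module, which also makes it easy to see what changes when ip subnet-zero is not configured. This is an added example, not part of the page; the candidate lists are the questions' own, and the function names and the decision to model only the zero subnet (not the classful all-ones subnet) are this example's.

```python
"""CIDR block membership and equal subnet splitting with the ipaddress module.

Added example for Questions 4 and 6, not from the page; it checks the same
answers with Python's standard ipaddress module and shows how the answer to
Question 6 changes when `ip subnet-zero` is not configured.
The candidate lists are the questions' own.
"""
import ipaddress


def block_range(cidr):
    """First and last address of a CIDR block, e.g. 115.64.4.0/22 -> 115.64.4.0 .. 115.64.7.255."""
    net = ipaddress.ip_network(cidr, strict=True)   # strict: host bits must be zero
    return str(net.network_address), str(net.broadcast_address)


def in_block(candidates, cidr):
    net = ipaddress.ip_network(cidr, strict=True)
    return [c for c in candidates if ipaddress.ip_address(c) in net]


def equal_subnets(network, count, subnet_zero=True):
    """Split `network` into `count` equal subnets (count must be a power of two).

    Without `ip subnet-zero` the all-zeros subnet is not usable on the router,
    so numbering starts at the next one.  Only subnet zero is modelled, as in
    the question; the classful all-ones subnet restriction is not.
    """
    if count == 0 or count & (count - 1):
        raise ValueError("count must be a power of two")
    net = ipaddress.ip_network(network, strict=True)
    subs = list(net.subnets(prefixlen_diff=count.bit_length() - 1))
    return subs if subnet_zero else subs[1:]


def hosts_in_nth_subnet(network, count, n, candidates, subnet_zero=True):
    """Candidates that are assignable host addresses in the n-th (1-based) subnet."""
    sub = equal_subnets(network, count, subnet_zero)[n - 1]
    return [c for c in candidates
            if ipaddress.ip_address(c) in sub
            and ipaddress.ip_address(c) not in (sub.network_address, sub.broadcast_address)]


QUESTION_4 = ["115.64.8.32", "115.64.7.64", "115.64.6.255",
              "115.64.3.255", "115.64.5.128", "115.64.12.128"]
QUESTION_6 = ["172.25.78.243", "172.25.98.16", "172.25.72.0",
              "172.25.94.255", "172.25.96.17", "172.25.100.16"]

if __name__ == "__main__":
    print(block_range("115.64.4.0/22"), in_block(QUESTION_4, "115.64.4.0/22"))
    print([str(s) for s in equal_subnets("172.25.0.0/16", 8)])
    print("subnet-zero on :", hosts_in_nth_subnet("172.25.0.0/16", 8, 3, QUESTION_6))
    print("subnet-zero off:", hosts_in_nth_subnet("172.25.0.0/16", 8, 3, QUESTION_6, subnet_zero=False))
```

With subnet zero enabled the third subnet is 172.25.64.0/19 and the answer is A C D, as above. Turn subnet zero off and the numbering shifts by one, the third subnet becomes 172.25.96.0/19, and the same candidate list now yields B E F, which is why the question bothers to mention the command.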