Thursday, January 12, 2012

Access Control Lists (ACLs)

Access Control Lists (ACLs) are filters that let you control which routing updates or packets are permitted or denied into or out of a network. Network administrators use them to filter traffic and to add a layer of security to their networks. They are applied on routers (Cisco).

ACLs provide a powerful way to control traffic into and out of your network; this control can be as simple as permitting or denying network hosts or addresses. You can configure ACLs for all routed network protocols.
The most important reason to configure ACLs is to provide security for your network. However, ACLs can also be configured to control network traffic based on the TCP port being used.
How ACLs work

A router acts as a packet filter when it forwards or denies packets according to filtering rules. As a Layer 3 device, a packet-filtering router uses rules to determine whether to permit or deny traffic based on source and destination IP addresses, source port and destination port, and the protocol of the packet. These rules are defined using access control lists or ACLs.
To picture how a router uses an ACL for packet filtering, imagine a guard stationed at a locked door. The guard's instruction is to let through only people whose names appear on a guest list. The guard is filtering people on one condition: whether their name is on the authorized list.



When a packet arrives at the router, the router extracts certain fields from the packet header and decides, according to the filter rules, whether the packet is forwarded or dropped. The packet-filtering process works at the Network layer of the Open Systems Interconnection (OSI) model, or the Internet layer of TCP/IP.
Why use ACLs

* Limit network traffic to improve network performance.
* Provide traffic flow control by restricting the delivery of routing updates.
* Serve as an additional layer of security.
* Control which types of traffic are forwarded or blocked by the router.
* Control which areas of the network a client can access.

Types of Access Control Lists



Standard access-list
Standard access lists filter on source address only and are used for server-based filtering. Address-based access lists identify the traffic you want to control by its network (IP) address; each consists of a list of addresses or address ranges and a statement of whether access to or from that address is permitted or denied.


Example of the command syntax for configuring a standard numbered IP ACL:
R1(config)# access-list {1-99} {permit | deny} source-addr [source-wildcard]


i. The first value {1-99} specifies the standard ACL number range.

ii. The second value specifies whether to permit or deny the configured source IP address traffic.

iii. The third value is the source IP address that must be matched.

iv. The fourth value is the wildcard mask to be applied to the previously configured IP address to indicate the range.


Extended access lists

Extended access lists create filters based on source addresses, destination addresses, protocol, port number and other features and are used for packet based filtering for packets that traverse the network.

Example of the command syntax for configuring an extended numbered IP ACL:
Router(config)# access-list {100-199} {permit | deny} protocol source-addr [source-wildcard] [operator operand] destination-addr [destination-wildcard] [operator operand] [established]


i. Like the standard ACLs, the first value {100-199 or 2000 - 2699} specifies the ACL number range.

ii. The next value specifies whether to permit or deny according to the criteria that follows.

iii. The third value specifies the protocol type (IP, TCP, UDP, or another specific IP sub-protocol). The source IP address and wildcard mask determine the traffic source. The destination IP address and its wildcard mask indicate the final destination of the network traffic. When the destination IP address and mask are configured, the port number must be specified to match, either by number or by a well-known port name, otherwise all traffic to that destination will be dropped.


Standard and extended access lists can also be defined with the ip access-list command.

Access lists use the deny or permit statement to define which packet is allowed or denied entry into a server or network.
Masks

Masks are used with IP addresses in IP ACLs to specify what should be permitted and denied. The subnet masks used to configure IP addresses on interfaces start with 255 and have the large values on the left side, for example, IP address 172.16.2.14 with a 255.255.255.0 mask. Masks for IP ACLs are the reverse, for example, mask 0.0.0.255. This is sometimes called an inverse mask or a wildcard mask. When the value of the mask is broken down into binary (0s and 1s), the result determines which address bits are considered when processing the traffic. A 0 in the mask means the corresponding address bit must match exactly; a 1 means that bit is ignored.

Note these ACL equivalents.

· The source/source-wildcard of 0.0.0.0/255.255.255.255 means "any".

· The source/wildcard of 10.1.1.2/0.0.0.0 is the same as "host 10.1.1.2".

If you subtract 255.255.255.0 (normal mask) from 255.255.255.255, it yields 0.0.0.255.
Wildcards

The command below defines an ACL that permits this network 192.168.1.0 0.0.0.255.

access-list acl_permit permit ip 192.168.1.0 0.0.0.255

Inbound traffic to the router is compared with the access list entries in the order in which the entries appear in the configuration. The router works through the entries until it finds a match. If it reaches the end of the list without a match, the traffic is denied. For this reason, you should place the most frequently hit entries at the top of the list. There is an implied deny for any traffic that is not permitted, so an access list with a single deny entry has the effect of denying all traffic. You must have at least one permit statement in an ACL or all traffic is blocked.

Access lists implicitly deny all access that is not expressly permitted. The following line is auto-appended to all access-lists:

deny ip any any

If you want to override this implicit deny, enter a permit ip any any statement as the last entry in the access list.
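To make the wildcard-mask arithmetic and the first-match-then-implicit-deny rule concrete, here is a small standard-ACL evaluator. It is an added example, not the post's own material or Cisco code; the ACL lines in SAMPLE_ACL are constructed for the demonstration, and only the 1-99 numbered range from the post is accepted.

```python
import ipaddress

def wildcard_from_netmask(netmask: str) -> str:
    """255.255.255.255 minus the normal subnet mask gives the ACL wildcard mask."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF - int(ipaddress.IPv4Address(netmask))))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard means that address bit must match exactly;
    a 1 bit means the bit is ignored when comparing addr with base."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits that must match
    return (a & care) == (b & care)

def parse_standard_acl(lines):
    """Turn 'access-list <1-99> {permit|deny} <source>' lines into
    (action, base, wildcard) tuples. Accepts the 'host A' and 'any'
    shorthands as IOS does; a missing wildcard defaults to 0.0.0.0."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL entry: {line!r}")
        number = int(parts[1])
        if not 1 <= number <= 99:
            raise ValueError(f"standard ACL number out of range: {number}")
        action, src = parts[2], parts[3:]
        if src[0] == "any":
            base, wc = "0.0.0.0", "255.255.255.255"
        elif src[0] == "host":
            base, wc = src[1], "0.0.0.0"
        else:
            base, wc = src[0], (src[1] if len(src) > 1 else "0.0.0.0")
        entries.append((action, base, wc))
    return entries

def evaluate(entries, src_addr):
    """First-match evaluation. Returns (action, index of the matching entry);
    index -1 means the packet fell through to the implicit 'deny any'."""
    for i, (action, base, wc) in enumerate(entries):
        if wildcard_match(src_addr, base, wc):
            return action, i
    return "deny", -1

# Constructed sample ACL: one host is denied, the rest of the /24 is permitted.
SAMPLE_ACL = [
    "access-list 10 deny host 192.168.1.50",
    "access-list 10 permit 192.168.1.0 0.0.0.255",
]

if __name__ == "__main__":
    entries = parse_standard_acl(SAMPLE_ACL)
    for src in ("192.168.1.50", "192.168.1.7", "10.1.1.2"):
        print(src, evaluate(entries, src))
    # Swapping the two lines lets the denied host through: entry order matters.
    print("192.168.1.50", evaluate(parse_standard_acl(SAMPLE_ACL[::-1]), "192.168.1.50"))
```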

Inter VLAN Routing (part 1)

Network devices in different VLANs cannot communicate with one another without a router to route traffic between the VLANs. In most network environments, VLANs are associated with individual networks or subnetworks.

Configuring VLANs helps control the size of the broadcast domain and keeps local traffic local. However, when an end station in one VLAN needs to communicate with an end station in another VLAN, interVLAN communication is required. This communication is supported by interVLAN routing. You configure one or more routers to route traffic to the appropriate destination VLAN.



When Host A in VLAN 10 needs to communicate with Host B in VLAN 10, it sends a packet addressed to that host. Switch A forwards the packet directly to Host B, without sending it to the router.

When Host A sends a packet to Host C in VLAN 20, Switch A forwards the packet to the router, which receives the traffic on the VLAN 10 interface. The router checks the routing table, determines the correct outgoing interface, and forwards the packet out the VLAN 20 interface to Switch B. Switch B receives the packet and forwards it to Host C.

Tuesday, June 29, 2010

CCIE EXAM POLICY

CCIE EXAM POLICY (AS PER CISCO GUIDELINE)


Age Requirements
In compliance with the Cisco Privacy Policy, age requirements for Cisco certification are as follows:
• Underage Minors are children under 13 who may not test or receive certification even with parental consent
• Minors are individuals between 13–17 years of age who may test and receive certification with parental consent
• Individuals 18 years or older are eligible for certification without any age-related restriction
For more information, please refer to the Cisco Career Certification and Confidentiality Agreement.
Conduct
Candidates must agree they will not compromise the integrity or confidentiality of any Cisco certification exam or certification program. Prohibited actions are described in the Cisco Career Certifications and Confidentiality Agreement. Remedies for violating the policy can include a lifetime ban on all future exams and voiding of all previous certifications.

Confidentiality
The questions and answers of the certification exams are the exclusive and confidential property of Cisco and are protected by Cisco's intellectual property rights. Candidates taking Cisco exams must agree they have read and will abide by the terms and conditions of the Cisco Career Certifications and Confidentiality Agreement before beginning each exam.


Correspondence
All official correspondence to certified CCIEs and candidates is sent to the email address in the CCIE database. This database is SEPARATE from the Cisco customer database. Changing an email address in the Cisco customer database does not automatically update the CCIE database. CCIEs and candidates must keep their CCIE email address updated in order to ensure they receive all official correspondence.


Exam Discounts, Vouchers and Promotional Codes
Neither Cisco nor Pearson VUE, its primary test delivery partner, guarantees the authenticity of discount vouchers or promotional codes that are obtained from any individuals or entities other than Pearson VUE.

Individuals or Cisco affiliated partners who use certifications discount vouchers or promotional codes that are fraudulent or otherwise obtained from an unauthorized source (including legitimate vouchers for attempted re-use) may risk up to and including a lifetime ban on all future exams, the nullification of all previous certifications or other program sanctions at the discretion of Cisco. Cisco will not compensate candidates for fraudulent vouchers or vouchers obtained from an unauthorized source.


Exam Violations
Disclosure of test content is strictly prohibited. Please report any suspicious activity as described in Cisco's Exam Violation Rules.


Lab Exam: Double Booking
CCIE candidates are allowed to schedule only a single CCIE lab exam date at any location for each CCIE track. Double booking for lab exams in the same track, at either the same location or different locations, is not permitted by the database. Candidates will be allowed to simultaneously schedule lab exams for different tracks.


Lab Exam: Exam Rules
Candidates for the CCIE written exam or lab exam are not allowed to bring anything into the exam room or take anything out. This includes, but is not limited to: notes, documentation, watches, laptops, keyboards, pagers, PDAs, and mobile phones. DO NOT confer or consult with anyone about the exam while taking the exam or after the exam is completed. During an exam, you may only discuss your exam with the lab engineer.


Lab Exam: Payment

Price not confirmed and is subject to change until full payment is made.

Types. Lab sites in China and Japan will only accept payment via wire transfer. All other locations accept online credit card payment (American Express, Visa, Mastercard, or Eurocard). See "Lab Exam: Scheduling and Payment" for details. You are responsible for any fees your financial institution may charge to complete the payment transaction.

Due Date. Full payment must be received at least 90 days before the lab exam date. Only one e-mail notice is sent as a payment reminder. Payments generally take one to seven business days to process, so be sure to initiate payment in advance of the due date. It is important that if payment will be made by wire transfer, that the payment is scheduled well in advance to prevent the lab date being dropped. Exams for which payment is not received by the due date will be automatically dropped from the schedule. If you still wish to take the lab, you must rebook the exam online and complete your payment. There is no guarantee that your original date will still be available once it has been dropped for non-payment. If you book an exam for a date less than 90 days away, you must complete payment on the day you book the exam or the registration cannot be submitted. Candidates are ultimately responsible for making the lab payment in a timely manner and Cisco will not be held liable for any candidates automatically dropped due to non-payment.

Processing. Credit card payments entered into the system will be processed on the payment due date, exactly 90 days prior to your lab date, as will invoices for all payment types. Be sure the company name, invoicing address and email address are complete and accurate to ensure proper delivery of your invoice. No invoices will be generated before the lab exam due date.

Lab Exam: Rescheduling, Canceling and Postponing
Prior to Due Date. Cancellations or changes to the exam date, location, or track must be made prior to the payment due date--90 days before the scheduled lab date. To make any changes, you must log into the Lab Scheduling tool and drop your current lab. Then you can reschedule according to preferred date, location and track. You may book an exam for a date less than 90 days away, if you complete payment on the day you book the exam.

If you need to cancel an exam before the due date, and paid via a wire transfer that has already cleared, you are eligible for a full refund by requesting support via the Certifications Online Support tool.

After Due Date. Changes and cancellations are not permitted after the payment due date--90 days prior to the scheduled lab date--and no refunds will be issued. If you are not able to attend your scheduled lab date, contact support to let them know the lab seat will not be used. You will still forfeit your payment, but you will be allowed to book another exam date immediately. If you do not contact support, you will be marked as a "no show" for the exam and be barred from booking another exam for 30 days.

Candidates Requiring Visas. If you require a visa to attend your lab exam, it is strongly recommended you apply 10-12 weeks before your lab date. Candidates who fail to obtain required visas will still be bound by these cancellation policies and must cancel their lab exam before the payment due date to be eligible for a full refund. For more information in requesting a CCIE Invitation Letter, please visit our CCIE: Invitation Letter (Entrance Visa) Instant Answer.


Lab Exam: Reevaluation of Lab Results
Exam results appeals are available for the routing and switching, security, and service provider technology tracks. Only exams with potential to change from fail to pass will have the option to request an appeal, based on years of historical data. Appeals are not available for the voice or storage tracks due to equipment limitations.
An appeal consists of a second proctor loading your configurations into a rack to recreate the test and re-score the entire exam. This process takes up to three weeks after receipt of payment. Only one appeal per lab attempt is permitted.
The result of the appeal is a confirmation of the existing fail or an update to a pass.
Payment Terms
Make your request within 14 days following your exam date by using the "Request for Reread" link next to your lab record. Each appeal costs $250.00 USD plus any applicable local taxes. Payment is made online via credit card and your card will be charged upon receipt of the request. You may not cancel the appeal request once the process has been initiated. Refunds are given only when results change from fail to pass.
Lab Exam: Retakes
All candidates must wait 30 days between CCIE lab attempts. Please note the 30 days starts from the day after a failed lab exam.


Lab Exam: Scoring
You must obtain an overall score of at least 80% to pass the lab exam. You can view your lab exam results online (login required), usually within 48 hours. Results are Pass/Fail and failing score reports indicate major topic areas where additional study and preparation may be useful.


Lab Exam: Start Times
Start times for exams are indicated in email and can also be found on the web page associated with each lab location (for a list, see Lab Exam Locations). Please verify your email address in your candidate profile so we can notify you of any changes. If you have any questions about the start time of your exam, please contact CCIE customer support through the Certifications Online Support tool. If you arrive more than two hours after the start of your exam, you will not be allowed to start. If you arrive less than two hours late, you will be allowed to start but you must finish with the rest of the group.


Logo Guidelines
Certified CCIEs may only use the CCIE logo as provided and in accordance with the published Logo Guidelines.


Recertification
To maintain active CCIE status, CCIEs are required to pass either a CCIE written exam of their choosing from among all of the currently available written exams, or a CCIE lab exam in a new track every 24 months. Candidates can only apply one passed written exam towards recertification for every 24 month recertification period. Certification candidates are responsible for keeping track of their certification expiration dates; your recertification deadline can be viewed online anytime (with login) at Certification Status. Subsequent recertification deadlines are always based on your original certification date, not on when you took your last recertification exam.

If your CCIE recertification requirements are not completed on or before the certification's expiration date, your CCIE certification will be suspended for one year. Candidates have one year to recertify their CCIE certification by passing the required written exam. If a candidate does not recertify prior to the one year suspension period, all CCIE certification requirements must be completed again to obtain the certification (pass both the written exam and the lab exam.) Please see Recertification for detailed information.


Travel Costs
Under no circumstances will Cisco reimburse travel costs for CCIE lab exams.


Written Exam: Expiration
Candidates must make an initial attempt of the CCIE lab exam within 18 months of passing the CCIE written exam. Candidates who do not pass must re-attempt the lab exam within 12 months of their last scored attempt in order for their written exam to remain valid. If a candidate does not pass the lab exam within three years of passing the written exam, he or she must retake the written exam before being allowed to attempt the lab exam again.

Written Exam: Retakes
There is no limit to the number of attempts that can be made on the written exam. However, candidates must wait 5 calendar days between exam attempts. Once a candidate passes a particular written exam, he or she may not retake that same exam for at least 180 days. (Though rare, this may occur in certain recertification situations.)
Written Exam: Scoring
Pass marks are set by using statistical analysis and are subject to change. The pass score is given on the Examination Score Sheet at the end of the test. Along with the candidate's score, there is a notation of either PASS or FAIL. Scores on written exams are automatically downloaded from testing vendors, but may take up to 10 days to appear in the CCIE database.
PROVIDED BY CISCO SYSTEMS

core knowledge exam removed from ccie track

Core Knowledge Questions Removed for CCIE R&S and Voice Lab Exams
With more than six months of exam results now available, Cisco is now able to report that the troubleshooting components of the CCIE R&S v4.0 and CCIE Voice v3.0 lab exams are performing well in validating expert level networking skills. Considering these results, Cisco has decided to eliminate the Core Knowledge questions from the current CCIE R&S v4.0 and CCIE Voice v3.0 Lab Exams. Beginning on May 10, 2010, CCIE R&S and CCIE Voice Lab Exams, in all global locations, will no longer include the four open-ended Core Knowledge questions. The total lab time will remain eight hours. For the CCIE R&S Lab Exam, this means candidates will begin with the two-hour Troubleshooting section, followed by a six-hour Configuration section. For CCIE Voice, candidates will have the full eight hours to complete the integrated exam. At this time, only the R&S and Voice certifications have been designed and validated to allow removal of Core Knowledge.

Thursday, June 17, 2010

HSRP vs VRRP vs GLBP

Cisco Hot-Standby Router Protocol (HSRP):

Created by Cisco, for Cisco in 1994
Uses a default hello timer of 3 seconds with a hold timer of 10 seconds
Requires a unique IP address as the virtual gateway IP
active router
standby router

Virtual Router Redundancy Protocol (VRRP)

Created by the IETF in 1999
Works between multiple vendors
Has faster timers than HSRP by default - hello of 1 second, hold timer of 3 seconds
No unique IP address is needed; any assigned physical IP can be used as the virtual gateway address
master router
backup router

Gateway Load Balancing Protocol (GLBP)

Created by Cisco, for Cisco in 2005
Identical features to HSRP, but allows an active-active connection that adds load-balancing features
One AVG(active virtual gateway)
Many AVF(active virtual forwarders)

Monday, June 14, 2010

HSRP

HSRP stands for Hot Standby Router Protocol, which provides automatic router backup when the active router in a group fails. HSRP builds resiliency into the network gateways: should the active router in an HSRP group fail, the standby router assumes the active role and continues routing packets.
HSRP works by sending multicast "Hello" messages (default: every 3 seconds). If the standby router does not receive any Hello packets from the active router for a preset time (default 10 seconds), it assumes the active router is down and becomes the active router. Also, if an interface is being tracked and that tracked interface goes down, the active router reduces its priority so that a standby router can assume the role of primary router.
A real-world example would be access to a service provider's servers at a remote location. Let's say there are two distinct routes to the same server(s), each through its own router. The clients on the internal network segment are configured to send their traffic through a gateway, the gateway being the HSRP address. The server is then always reachable through one service provider (based on the active router). However, in a disaster situation when the active router goes down, the standby router assumes the active role and continues to serve connections to the remote servers, but via the other service provider. In this way routing redundancy is provided to a remote resource.



To setup HSRP on a pair of routers,
Router 1:

From the Interface Configuration Mode add the IP Address of the Interface
hsrp-router1#conf t
hsrp-router1(config)# int fa0/0
hsrp-router1(config-if)# ip address 192.168.0.2 255.255.255.0


Set the Virtual IP Address

Sets the virtual IP address for the interface, where "1" is the HSRP group and "192.168.0.1" is the virtual IP for the HSRP group.

hsrp-router1(config-if)# standby 1 ip 192.168.0.1

Enable Preempt

This is required for the router to move from standby to active when it finds the active router is down, or when it has become the higher-priority router in the group.
hsrp-router1(config-if)# standby 1 preempt

Set Router Priority

The default priority is "100". We set here as "110" to make the Router 1 as active.
hsrp-router1(config-if)# standby 1 priority 110

Set Authentication String

This is an optional plain text 8 character string that can be used in the multicast "hello" packets to authenticate the HSRP group.

hsrp-router1(config-if)# standby 1 authentication LocalLAN
Set Timers

Sets the interval between "hello" packets and the hold time before an active router is assumed to be down. The defaults are 3 seconds and 10 seconds respectively.

hsrp-router1(config-if)# standby 1 timers 5 15

Track Interface

To track the link status of an interface, use the following command. When the tracked link goes down, the active router lowers its priority so that a standby router can take over.

hsrp-router1(config-if)# standby 1 track se0/0

Repeat the procedure altering the IP Address of the Local interface and the priority and the tracked interface.

Router 2:
hsrp-router2#conf t
hsrp-router2(config)# int fa0/0
hsrp-router2(config-if)# ip address 192.168.0.3 255.255.255.0
hsrp-router2(config-if)# standby 1 ip 192.168.0.1
hsrp-router2(config-if)# standby 1 preempt
hsrp-router2(config-if)# standby 1 priority 100
hsrp-router2(config-if)# standby 1 authentication LocalLAN
hsrp-router2(config-if)# standby 1 timers 5 15
hsrp-router2(config-if)# standby 1 track se0/0

That's it. HSRP configuration is complete. You can test connectivity to a remote route and see the redundancy in place for yourself.
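The election behaviour that the two-router configuration above relies on (highest priority wins, ties go to the highest interface IP, preempt decides whether a better router takes over, tracking lowers priority, hold-timer expiry triggers failover) can be replayed in a short simulation. This is an added example, not part of the post and not Cisco code; it assumes the IOS default tracking decrement of 10 and models hellos as timestamps rather than real multicast packets.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class HsrpRouter:
    name: str
    ip: str                   # interface address, used as the tie-breaker
    priority: int = 100       # 'standby 1 priority'; IOS default is 100
    preempt: bool = False     # 'standby 1 preempt'
    tracked_up: bool = True   # state of the link named in 'standby 1 track'
    decrement: int = 10       # IOS default decrement when the tracked link fails
    last_hello: float = 0.0   # when the peer last heard a hello from this router

    def effective_priority(self) -> int:
        return self.priority - (0 if self.tracked_up else self.decrement)

def election_key(r: HsrpRouter):
    # Highest effective priority wins; ties go to the highest interface IP.
    return (r.effective_priority(), int(ipaddress.IPv4Address(r.ip)))

def heard_hellos(routers, now, silent=()):
    """Model one hello interval: every router not in `silent` is heard at `now`."""
    for r in routers:
        if r.name not in silent:
            r.last_hello = now

def elect(routers, active, now, hold=10):
    """Return the router that is active at time `now`, given the current
    active router (None at startup) and the hold time in seconds."""
    if active is None or now - active.last_hello > hold:
        # No active router, or its hellos stopped for longer than the hold time:
        # the best remaining router takes over whether or not it has preempt.
        candidates = [r for r in routers if r is not active]
        return max(candidates, key=election_key)
    best = max(routers, key=election_key)
    if best is not active and best.preempt and election_key(best) > election_key(active):
        return best            # preempt: a better router forces a takeover
    return active              # otherwise the current active router keeps the role

def run_page_scenario():
    """Replay the two-router configuration from the post and return the
    name of the active router after each event."""
    r1 = HsrpRouter("hsrp-router1", "192.168.0.2", priority=110, preempt=True)
    r2 = HsrpRouter("hsrp-router2", "192.168.0.3", priority=100, preempt=True)
    routers, hold, history = [r1, r2], 15, []          # 'standby 1 timers 5 15'
    heard_hellos(routers, 0)
    active = elect(routers, None, 0, hold)
    history.append(active.name)                        # 110 beats 100
    r1.tracked_up = False                              # se0/0 on router1 fails: 110 -> 100
    heard_hellos(routers, 5)
    active = elect(routers, active, 5, hold)
    history.append(active.name)                        # tie at 100: higher IP with preempt wins
    r1.tracked_up = True                               # link restored: back to 110
    heard_hellos(routers, 10)
    active = elect(routers, active, 10, hold)
    history.append(active.name)                        # router1 preempts again
    heard_hellos(routers, 30, silent={"hsrp-router1"}) # router1 silent for 20 s > hold
    active = elect(routers, active, 30, hold)
    history.append(active.name)                        # hold timer expired: failover
    return history

def no_preempt_scenario():
    """A higher-priority router that comes up later without preempt stays standby."""
    r2 = HsrpRouter("hsrp-router2", "192.168.0.3", priority=100)
    heard_hellos([r2], 0)
    active = elect([r2], None, 0)
    r1 = HsrpRouter("hsrp-router1", "192.168.0.2", priority=110, preempt=False)
    heard_hellos([r1, r2], 3)
    return elect([r1, r2], active, 3).name

if __name__ == "__main__":
    print(run_page_scenario())
    print(no_preempt_scenario())
```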

Cisco EtherChannel Topologies(5)



Cisco EtherChannel Technology over CWDM

This figure shows a sample network where Gigabit links are used with Gigabit EtherChannel and CWDM technologies. In Figure 5, four gigabit links have been combined to obtain a total aggregated bandwidth of 4 gigabits. Without incorporating CWDM technologies into the solution, four runs of fiber need to be installed between the two campus points of presence (POPs). By employing CWDM GBICs and two CWDM add/drop multiplexers, the number of runs of fiber can be reduced to one. This translates into significant savings depending on the distance to be spanned by the EtherChannel connection.