Chapter 9: Multiarea OSPF Quiz
50 Questions

Questions and Answers

What does the access-class command do when configured in line configuration mode?

  • It displays statistics for VTY access attempts.
  • It defines which IPs are allowed remote access to the router EXEC process. (correct)
  • It allows all IP addresses remote access to the router.
  • It restricts administrative access to routers.

Why is it important to verify the ACL configuration used to secure VTY ports?

  • To check the performance statistics of the router.
  • To confirm that the VTY ports are correctly secured against unauthorized access. (correct)
  • To ensure that all IP addresses are allowed access.
  • To display the output of the SSH attempts.

What command can be used to clear the access-list counters?

  • remove access-list stats
  • clear access-list counters (correct)
  • reset access list
  • clear access-list

Which of the following statements is true regarding the incoming and outgoing connections restricted by the access-class command?

  • It can restrict both incoming and outgoing connections based on an access list. (B)

What is one main purpose of restricting VTY access on Cisco devices?

  • To prevent unauthorized remote access to the router. (B)

Which command is used to display the results after SSH attempts to connect to devices?

  • show access-lists (D)

What does the restriction of VTY access help to achieve?

  • Improved security by controlling access. (C)

How are the addresses restricted by the access-class command determined?

  • By specifying IP addresses in an access list. (A)

What is the primary purpose of an Access Control List (ACL)?

  • To control whether a router forwards or drops packets (A)

What is the role of a router designated as an ABR in an OSPF implementation?

  • It connects different areas within OSPF. (B)

What happens if an ACL has no permit statements?

  • All traffic will be explicitly denied (B)

At which layer of the OSI model can ACL packet filtering occur?

  • Layer 3 or Layer 4 (B)

Which command would be used to view OSPFv2 neighbor relationships?

  • show ip ospf neighbor (C)

How do ACLs typically manage network traffic flow?

  • By comparing packets to each Access Control Entry in sequential order (A)

How can a router become an ABR in OSPFv3?

  • By having multiple interfaces in different areas. (A)

What is a characteristic of the last statement in an ACL?

  • It is always an implicit deny (A)

Which command provides a summary of OSPFv2-enabled interfaces and their costs?

  • show ip ospf interface brief (A)

Which type of network traffic can ACLs help filter?

  • Traffic based on services like FTP or HTTP (A)

What does the 'IA' notation in the output of the 'show ip route ospf' command signify?

  • Inter-area route (B)

In OSPFv2, what information is included when using the 'show ip ospf' command?

  • Routing protocols configured and number of areas (A)

What happens to packets originating from the router itself regarding ACLs?

  • They are bypassed for dropping or forwarding rules (C)

What is an Access Control Entry (ACE) in the context of ACLs?

  • A permit or deny statement within an ACL (C)

What is NOT a valid command for verifying multiarea OSPFv2 settings?

  • show ip route summary (B)

Which statement is true about special commands for multiarea OSPF implementation?

  • OSPF does not require special commands for multiarea configuration. (C)

What is the purpose of the hashing function applied to host statements in an ACL?

  • To optimize the search for a host ACL entry (D)

How does a router process packets when an ACL is configured on an inbound interface?

  • It strips off frame information before checking the ACL (C)

Which of the following is NOT a common error related to Standard IPv4 ACLs?

  • Entering ACEs in the correct sequence (A)

What happens if a packet matches an ACL statement?

  • The packet can be either permitted or denied (B)

What is a potential outcome if an ACL denies access incorrectly?

  • Important services will become unavailable to legitimate users (B)

What should be taken into consideration when applying an ACL to an interface?

  • The direction and interface type (B)

What may happen if PC2 is intended to be denied access to a server, but the ACL denies access for PC1 as well?

  • ACL rules must be re-evaluated for accuracy (A)

What does the 'show access-list' command indicate when a deny statement is present?

  • Specific traffic is being blocked (C)

What does the command 'access-list 101 deny tcp any any' match?

  • Any IP packet that has a TCP header (C)

Which of the following access-list commands blocks packets from a specific host with an IP address of 1.1.1.1 to 2.2.2.2?

  • access-list 101 deny ip host 1.1.1.1 2.2.2.2 (B)

Which command would deny all UDP packets from the subnet 1.1.1.0/24 to any destination?

  • access-list 101 deny udp 1.1.1.0 0.0.0.255 any (A)

What is the function of the command 'access-list 101 deny tcp any gt 49151 host 10.1.1.1 eq 23'?

  • Blocks TCP packets from source port greater than 49151 to a specific host (B)

Which of the following is NOT a well-known port number for a TCP application?

  • 8080 (RTP) (A)

Which protocol is associated with the port number 69?

  • TFTP (D)

What does the option 'deny icmp any any' achieve?

  • Blocks all ICMP packets regardless of their source or destination (A)

In an extended access-list, what does 'eq 23' signify?

  • Indicates an exact match to the port number 23 (A)

Which access-list command would you use to permit HTTP traffic?

  • access-list 101 permit tcp any eq 80 (B)

What is the significance of using a named access control list?

  • They allow for more intuitive identification and management (A)

Which command can be used to match any TCP packet from any source to the host with IP address 10.1.1.1 on port 23?

  • access-list 101 deny tcp any host 10.1.1.1 eq 23 (C)

What is the purpose of using the 'telnet' keyword in an access-list instead of specifying port 23?

  • It simplifies the command by using a keyword. (C)

In an access-list, the command 'access-list 101 deny udp 1.0.0.0 0.255.255.255 lt 1023 any' primarily targets which type of packets?

  • UDP packets from any source using a port lower than 1023. (B)

What range of numbers should be used for defining an extended access-list?

  • 100 to 199 or 2000 to 2699 (D)

Which command correctly logs extended access-list traffic?

  • access-list <number> log (A)

What should be included in an access-list to match all hosts in the subnet 172.16.4.0/25?

  • access-list permit tcp 172.16.4.0 0.0.0.127 any (D)

Which access-list command denies traffic from IP address 192.168.7.200/26 to any host in the subnet 192.168.7.14/29?

  • access-list deny icmp 192.168.7.200 0.0.0.63 192.168.7.14 0.0.0.7 (A)

How would you construct an access-list entry to permit traffic from the web server at 10.2.3.4/23 to clients in the subnet of host 10.4.5.6/22?

  • access-list permit tcp 10.2.3.4 0.0.1.255 10.4.5.0 0.0.3.255 (A)

Flashcards

Multiarea OSPF Configuration

A technique used in OSPF where a router can belong to multiple OSPF areas.

ABR (Area Border Router)

A router that connects two or more OSPF areas.

OSPFv2

Version 2 of the Open Shortest Path First routing protocol.

OSPFv3

Version 3 of the Open Shortest Path First routing protocol, supporting IPv6 addresses.

show ip ospf neighbor

OSPF command to display neighbor relationships.

show ip route ospf

Command to show OSPF routing table.

show ip ospf interface brief

Command to quickly check OSPF interface settings.

show ip protocols

Command to view all routing protocols enabled on a router.

ACL

A series of IOS commands that control whether a router forwards or drops packets based on packet header information; not configured by default.

ACL Purpose

Controlling network traffic, providing security, verifying source of routing updates, and filtering by traffic type.

Access Control Entry (ACE)

A permit or deny statement within an ACL.

Packet Filtering

The process of analyzing incoming and outgoing packets using an ACL.

Implicit Deny

The last statement in an ACL that always blocks traffic not explicitly permitted.

ACL Operation

ACLs filter packets entering, relaying through, or exiting router interfaces, but not those originating from the router itself.

Layer 3/4 Filtering

Analyzing packets at data link and transport layers.

Traffic Flow Control

Control network traffic to enhance performance by, for instance, blocking video traffic.

Restricting VTY access

A security technique to control which IP addresses can access a router's command-line interface (CLI).

access-class command

A command used in line configuration mode to restrict incoming and outgoing connections to a VTY (virtual terminal).

access-list

A set of rules that define which traffic is allowed or denied.

VTY (Virtual Terminal)

A virtual channel used for remote access to a router's command-line interface (CLI).

show access-lists command

A command used to verify the access-list configuration and see which connections are allowed or denied.

Standard IPv4 ACL

A type of access control list used to filter IP traffic based on source and destination addresses.

clear access-list counters

A command used to reset the counters for testing purposes.

implicit command

Commands that are automatically configured without explicit settings.

Host ACL Entries Order

The IOS sorts host statements within an ACL using a special hashing function for efficient search. This ordering optimizes the process of finding the correct host ACL entry when a packet arrives.

Range ACL Entries Order

Range statements within an ACL are displayed in the order they were entered, unlike host statements that are sorted using a hashing function.

ACL Processing Logic

When a packet enters a router interface, the router performs a consistent processing routine regardless of whether an ACL is configured. If an ACL is present, the packet is checked against the ACL's statements. If permitted, the packet is sent to the outgoing interface, which may also have an ACL.

Why ACL Order Matters

Incorrectly ordered ACL entries can lead to unintended blocking of traffic. The order of entries determines which rule is applied first, so placing deny statements before permit statements may lead to blocking legitimate traffic.

Common ACL Configuration Errors

Mistakes in configuring ACLs often include incorrect ordering of entries, inadequate rule implementation, or misapplying the ACL to the wrong direction, interface, or source address.

ACL Direction

ACLs are applied to interfaces with a specific direction (inbound, outbound, or both). Applying an ACL to the wrong direction can result in unintended blocking of traffic.

ACL Source Address

The source address specified in an ACL entry determines which traffic is affected. Applying an ACL with an incorrect source address can result in unintended blocking of traffic.

ACL Rules and Traffic Control

ACLs are used to manage traffic flow by either permitting or denying specific traffic based on rules defined in the ACL entries. They help control access and security by filtering packets based on various criteria like source and destination addresses, ports, protocols, etc.

What is an ACL?

A set of rules configured on a router to control incoming and outgoing network traffic based on packet information.

What are the key elements of ACLs?

ACLs utilize access control entries (ACEs), which are individual rules that specify actions like 'permit' or 'deny' based on packet characteristics.

What is an extended ACL?

A more granular ACL that considers source and destination IP addresses, protocols, and port numbers.

What does 'deny tcp any any' mean?

This ACL statement blocks all packets with a TCP header, regardless of source or destination IP addresses.

How do ACLs control traffic?

ACLs analyze packet headers to determine if they match the configured rules. If a packet meets the criteria of an ACE, it is either permitted or denied.

What is the purpose of ACLs' 'implicit deny'?

The last ACE in an ACL, which acts as a default, blocking any traffic not explicitly permitted by previous rules.

What are some common applications that use well-known port numbers?

Applications like FTP, SSH, Telnet, SMTP, DNS, and HTTP all use specific port numbers for communication, and ACLs can target these ports for filtering.

How can you filter traffic based on source and destination port numbers?

Extended ACLs can filter traffic by specifying the source and destination port numbers, granting fine-grained control over specific applications.

What's the difference between TCP and UDP?

TCP is connection-oriented (reliable, ordered delivery), while UDP is connectionless (faster but less reliable).

What is a well-known port number?

A port number reserved for a specific application, commonly used for TCP and UDP connections.

Extended Access List

A type of access control list (ACL) that uses more detailed criteria, like protocol, source and destination addresses, and port numbers.

Deny Keyword

Used in an access-list command to explicitly block matching traffic.

Permit Keyword

Used in an access-list command to allow matching traffic to pass through.

Protocol

Specifies the type of network protocol, such as TCP or UDP.

Source and Destination Wildcards

Used to define the source and destination addresses that the ACL applies to, using network masks.

Port Numbers

Used to specify the specific ports that the ACL targets, like the port used for web traffic.

Established Keyword

Used with TCP to permit established connections to pass through, even if they would otherwise be denied by the list.

Study Notes

Chapter 9: Multiarea OSPF

  • Multiarea OSPF is used in small to medium-sized business networks to improve efficiency and scalability.
  • Using areas allows OSPF to handle a larger link-state database (LSDB) more efficiently, reducing processing and memory overhead.
  • Multiarea OSPFv2 and OSPFv3 are implemented in a two-layer area hierarchy.
  • The backbone area is area 0, and all other areas connect to it.
  • Internal routers have all interfaces in the same area.
  • Backbone routers are located in area 0 and connect other areas.
  • Area border routers (ABRs) have interfaces in multiple areas.
  • Autonomous system border routers (ASBRs) have interfaces on one external network.
  • OSPF Link State Advertisements (LSAs) provide network details needed for efficient operation.

OSPF LSA Types

  • LSAs are database records that describe network details.
  • LSAs, in combination, describe the entire OSPF network topology.
  • The first five LSAs are always supported in implementations of Multiarea OSPF.
  • LSA Type 1: Routers advertise their directly connected OSPF-enabled links; these LSAs are flooded within the area.
  • LSA Type 2: Used on non-broadcast and multi-access networks; they provide information about the DR on the multiaccess segment.
  • LSA Type 3: ABRs use these LSAs to advertise networks from other areas.
  • LSA Type 4: Identifies an ASBR and the route to it; generated by ABRs when ASBRs exist in the area.
  • LSA Type 5: Used to advertise external (non-OSPF) networks; these LSAs are flooded throughout the routing domain.

OSPF Routing Table

  • OSPF routes in an IPv4 routing table are identified by "O" (intra-area).
  • Interarea routes are identified as "O IA".
  • External routes are identified by "O E1" (external type 1) or "O E2" (external type 2).

OSPF Route Calculation

  • Routers prioritize calculating optimal routes within their area first (Type 1 and Type 2 LSAs).
  • Then they calculate routes to other areas (Type 3 LSAs).
  • Finally, they calculate routes to external autonomous systems (Type 5 LSAs).

Configuring Multiarea OSPF

  • Gather network requirements and parameters.
  • Define OSPF parameters (single-area vs. multiarea, IP addressing plan, OSPF areas, network topology).
  • Configure the multiarea OSPF implementation.
  • Verify the configuration.

Configuring Multiarea OSPFv2

  • There are no special commands required.
  • A router becomes an Area Border Router (ABR) when it has interfaces in two or more different areas.

Configuring Multiarea OSPFv3

  • There are no special commands required.
  • A router becomes an Area Border Router (ABR) when it has interfaces in two or more different areas.

Verifying Multiarea OSPFv2

  • Use commands like show ip ospf neighbor, show ip ospf, show ip ospf interface, show ip ospf interface brief, show ip route ospf, show ip ospf database to verify the OSPFv2 operation.

Verifying Multiarea OSPFv3

  • Use commands show ipv6 protocols, show ipv6 interface brief, show ipv6 route ospf, show ipv6 ospf database to verify the OSPFv3 operation.

Chapter 7: Access Control Lists

  • Access Control Lists (ACLs) determine whether a router forwards or drops packets based on information in the packet header.
  • ACLs are used to limit traffic, increase network performance, and provide network security, but aren't configured by default.
  • Standard IPv4 ACLs filter traffic based on source IP addresses; Extended IPv4 ACLs filter traffic based on source and destination IP addresses and ports, as well as other fields.

ACL Operation

  • ACLs in routers help control what traffic is allowed to pass.
  • ACLs filter traffic as it approaches or leaves a specific interface.
  • Inbound ACLs act on traffic entering an interface before it is processed.
  • Outbound ACLs act on traffic exiting an interface after it has been processed.

Wildcard Masks

  • Wildcard masks are used to define a match in ACLs, allowing for more flexibility than literal address matching.
  • A wildcard mask consists of binary digits, where 1 means ignore the corresponding bit and 0 means match the value of the bit.
  • Wildcard masks are often abbreviated using keywords like "host" or "any".

ACL Configurations

  • Standard ACLs use only source IP addresses and are positioned near the destination.
  • Extended ACL statements use protocol, source IP, source port, destination IP, and destination port information and are positioned close to the source.
  • ACLs need testing before deployment, and attention must be paid to the configuration and the order of entries.


Description

Test your knowledge on Multiarea OSPF with this quiz based on Chapter 9. Discover the importance of area hierarchy, LSAs, and router types such as ABRs and ASBRs. Enhance your understanding of how OSPF improves network efficiency and scalability.
