My next topic for writing up my notes is the security section.
For this post and all posts following I will be using the CCIE blueprint from Cisco here (you may need a CCO login to view that document, but registration is free).
My reasoning for structuring it like this is to make it easier both for me to reference and, hopefully, for someone else to follow.
Some of the information is a little basic and will have been covered at CCNA and CCNP levels, but seeing as the CCIE doesn’t actually have any prerequisites I thought it best not to leave any stone unturned.
Security
Implement access lists
There are two types of access lists that can be used on Cisco platforms: the standard access list and the extended access list.
Standard access lists are a little basic in their use: they can only match on the source address of the traffic.
Extended access lists differ from standard access lists in that they can match not only on both source and destination addresses but also on a whole plethora of other fields, such as the L4 source/destination port number, DSCP marking, packet size etc.
Just as there are two different types of access list, there are also two different methods of configuring them.
Firstly there is the numbered access-list method (the older method), where the number you give your ACL determines what type it is:
1-99 - Standard access list
100-199 - Extended access list
1300-1999 - Expanded standard access list (useful if you have >100 standard ACLs)
2000-2699 - Expanded extended access list (useful if you have >100 extended ACLs)
There is also the named access-list method, in which the name you give the access list is completely agnostic to the type of ACL it is. When you are using named access lists you therefore have to explicitly tell the CLI which type of access list you are creating.
Things to remember about all ACLs:
– All ACLs end with an implicit deny all
– The order of statements in the ACL is critical (they are matched top down, and the first matching statement wins)
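The following IOS configuration is an added example, not from the original post, that pulls together both of the configuration methods described above (numbered standard/extended and named with an explicit type) and the two points to remember. The subnets, host address and interface names are constructed for illustration; the sequence numbers shown in the named extended ACL are a standard IOS feature the post does not mention, included so you can see where a later statement would be inserted without re-entering the whole list.

```cisco
! Numbered standard ACL (range 1-99): can only match on the source address.
! 10.1.1.0/24 is a constructed "management" subnet.
access-list 10 remark permit management subnet only
access-list 10 permit 10.1.1.0 0.0.0.255
! Nothing else is needed: every ACL ends with an implicit "deny any".
! An explicit deny is added here only so "show access-lists" counts the drops.
access-list 10 deny any log

! Numbered extended ACL (range 100-199): source, destination, protocol and L4 port.
! Order matters. The HTTPS permit must sit above the broader deny for the same
! host; if the two lines were swapped, the deny would match first and HTTPS
! to the server would never be allowed.
access-list 110 remark allow only HTTPS to constructed web server 192.0.2.10
access-list 110 permit tcp any host 192.0.2.10 eq 443
access-list 110 deny tcp any host 192.0.2.10 log
access-list 110 permit ip any any

! Named ACLs: the name carries no type information, so the type is stated
! explicitly with "standard" or "extended".
ip access-list standard MGMT-SOURCES
 permit 10.1.1.0 0.0.0.255
ip access-list extended WEB-INBOUND
 remark same policy as ACL 110
 10 permit tcp any host 192.0.2.10 eq 443
 20 deny tcp any host 192.0.2.10 log
 30 permit ip any any

! Apply the extended ACL inbound on the outside interface and use the
! standard ACL to restrict who may open a vty session to the device.
interface GigabitEthernet0/0
 ip access-group WEB-INBOUND in
line vty 0 4
 access-class MGMT-SOURCES in
```

After applying, `show access-lists` shows the hit counters per statement, which is the quickest way to confirm that traffic is matching the line you expected rather than a statement higher up or the implicit deny at the end.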