Thursday, October 25, 2007

XP REGISTRY TRICKS

It's a mixed bag: a compilation of all the tricks.

Many of the tricks are ones I discovered myself; many were shared by others.

Keep posting if you know more.
Display Your Quick Launch Toolbar Tip:

Is your Quick Launch toolbar missing from the taskbar?

To display your familiar Quick Launch toolbar:

Right-click an empty area on the taskbar, click Toolbars, and then click Quick Launch.

Easy as that, your Quick Launch bar appears. To add items to your Quick Launch toolbar, click the icon for the program you want to add and drag it to the Quick Launch portion of the taskbar.

--------------------------------------------------------------------------------

How to remove the Recycle Bin from your desktop Tip:

Open Regedit by going to START - RUN, typing Regedit and pressing Enter. Then navigate to the following entry in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E}

Delete it. This should remove the Recycle Bin from your desktop.

--------------------------------------------------------------------------------

How to stop the "new programs installed" balloon from coming up Tip:

Right-click the START button and select Properties. Click Customize, go to the Advanced tab and clear the check box "Highlight newly installed programs". This stops the balloon from popping up every now and then.

--------------------------------------------------------------------------------

Unlock Toolbars to Customize Them Tip:

Windows XP features locking toolbars, and you can adjust them. You can customize many Windows XP features such as the Taskbar, the Start Menu, and even the toolbar icons in Internet Explorer and Outlook Express. Remember your right-click:

* Right-click on a toolbar, and then click Lock the Toolbars to remove the check mark.

* Right-click on the toolbar again, and then click Customize.

You can add or remove toolbar buttons and change text and icon options. When you've got the toolbar customized, click Close. Now right-click on the toolbar and click Lock the Toolbars to lock them in place.

--------------------------------------------------------------------------------

Want to remove the Shared Documents folder from the My Computer window Tip:

Some don't like the Shared Documents folder. If you are one of them, here is a trick to remove it. Open the registry editor by going to START-RUN and entering regedit.

Once in the registry, navigate to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\My Computer\NameSpace\DelegateFolders. You should see a sub-key named {59031a47-3f72-44a7-89c5-5595fe6b30ee}. If you delete this key, you have effectively removed the Shared Documents folder.

--------------------------------------------------------------------------------

How to improve shutdown time? Close apps automatically and quickly at shutdown Tip:

Open the registry by going to START-RUN and typing REGEDIT. Navigate to HKEY_CURRENT_USER\Control Panel\Desktop and look for AutoEndTasks. On my computer the default value is 0. Change it to 1. That's all. Furthermore, you can reduce the time it takes for Windows to issue the kill directive to all active/hung applications.

The only constraint you must keep is that HungAppTimeout is greater than WaitToKillAppTimeout. Change the value of WaitToKillAppTimeout to, say, 3500 (the default for HungAppTimeout is 5000 and for WaitToKillAppTimeout is 20000).

--------------------------------------------------------------------------------

Are you missing icons Tip:

Are you missing icons? You may be wondering where all the icons from your desktop are in Windows XP. Well, if you're like me, you like to have at least My Computer, My Network Places, and My Documents on your desktop.

You need to:

* Right-click on the desktop, and then click Properties.

* Click the Desktop tab and then click Customize Desktop.

* Put a check mark in the box next to My Documents, My Computer, My Network Places, or Internet Explorer to add those familiar icons to your desktop. Easy, yes!

--------------------------------------------------------------------------------

How to log in as Administrator if you don't see it available Tip:

Unless you have run into issues fixing XP (in which case you have to go to Safe Mode to log in as Administrator), you can get to the Administrator logon screen by simply pressing CTRL+ALT+DELETE twice at the main (Welcome) screen.

--------------------------------------------------------------------------------

Speed up the boot sequence by defragmenting all key boot files Tip:

Open the registry by going to START-RUN and typing REGEDIT. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction. In the right-hand panel look for Enable. Right-click on it and set it to 'Y' to enable. This is the way I have it set on my computer. It will help speed up boot time.

--------------------------------------------------------------------------------

Use a Shortcut to Local Area Network Connection Information Tip:

Here's something new in Windows XP: instead of using the command-line program and typing ipconfig to get local area network information, you can try the following shortcut:

* Click Start, point to Connect To, and then click Show All Connections.

* Right-click the connection you want information about, and then click Status.

* In the connection Properties dialog box, click the Support tab.

* For more information, click the Advanced tab.

To enable the status monitor automatically each time the connection is active, in the connection Properties dialog box select the "Show icon in notification area when connected" check box.

--------------------------------------------------------------------------------

Do you know you can have Virtual Desktops (like in Linux) with PowerToys?

If you have PowerToys installed on Windows XP (it's available for free from the Microsoft download page), it is very easy to enable the Microsoft Virtual Desktop feature. Simply right-click on the Start panel bar, also called the Taskbar, click Toolbars and select Desktop Manager.

You will see a set of 5 icons placed on the right portion of the Taskbar. Click on number 1 to 4 to go to any of the desktops. Now you have four different active desktops.

IMPORTANT NOTE: You may see a little degradation in performance.

--------------------------------------------------------------------------------

Customize Internet Explorer Title bar Tip:

This tip won't make your computer any faster but may help personalize your computer experience. Open the registry by going to START-RUN and typing REGEDIT. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main. In the right-hand panel look for the string "Window Title" and change its value to whatever custom text you want to see.

--------------------------------------------------------------------------------

Adding content to the right-click menu (credit: ashwin C1)

Once done, you will be able to right-click any file or folder and use the Browse for Folder dialog to choose the location you want to move or copy your file or folder to, without having to go to the destination path.

First we will add the Copy and Move options to the right-click menu of all FILES.

Click Start > Run, type REGEDIT and click OK to open the registry editor, and make your way to this key:

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

Right-click the ContextMenuHandlers key and choose New > Key.

Name the new key "Copy To" (without the quotes).

Repeat the above and create another new key named Move To.

You should now have two new subkeys under the ContextMenuHandlers key:

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Copy To

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Move To

Select the Copy To key and in the right-hand pane double-click "Default".

Enter this CLSID value as the value data:

{C2FBB630-2971-11d1-A18C-00C04FD75D13}

Next, select the Move To key and in the right-hand pane set the default value to:

{C2FBB631-2971-11d1-A18C-00C04FD75D13}

This takes care of the Copy and Move options for the right-click context menu of all your files.

Now all that is left is to add the same options to the right-click menu of all your folders.

The procedure is the same as for files but at a different key:

HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers

Right-click ContextMenuHandlers and create a new key named Copy To.

Right-click it again and create another new key named Move To.

Left-click in the right-hand pane and add the same default values as you did for files:

For Copy To:

{C2FBB630-2971-11d1-A18C-00C04FD75D13}

For Move To:

{C2FBB631-2971-11d1-A18C-00C04FD75D13}

Exit the registry and you are done.

Now when you right-click on a file or folder, you should see two new options: Copy to Folder and Move to Folder.

TOP CHEATS FOR XP USERS

DISABLING SCANDISK

When Windows is not shut down correctly, it will perform an AutoCheck using CHKDSK on the next restart.

AutoCheck is executed after a short time delay. AutoCheck can be disabled or delayed by tweaking a few Registry settings.

Run 'Regedit' from 'Start Menu|Run...'

Go to 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager'.

Create a new DWORD value, or modify the existing value, called "AutoChkTimeOut" and set it according to the value data below.

Value Name: AutoChkTimeOut
Data Type: REG_DWORD (DWORD Value)
Value Data: Time in seconds, or 0 to disable (default = 10)

Exit your registry; you may need to restart or log out of Windows for the change to take effect.

Monitoring the system

There are various applications you can use to monitor the state of your system at any given time. One of them is a program called CoolMon (www.coolmon.org), with which you can monitor about 22 of the geekiest system parameters, like the temperature and speed of your system fans, the number of processes running, the total available memory on your hard disk and in RAM, CPU utilization, etc. Each of these can be individually configured to appear on the interface. Best of all, this monitoring happens in real time. Better still, the program is free.

If you need more details than what is offered by Windows System Information or the Device Manager, try an application called Everest Home Edition (www.lavalys.com). This application hunts through your hardware and software setup and extracts every piece of information you might need about your processor, motherboard, graphics card, hard disk and any other piece of hardware or software information that you might care to know about your computer.

Compress drive to save disk space

It's not possible to increase your memory size, but you can compress your data to save disk space. This feature is available on NTFS drives.

If you have a FAT or FAT32 drive, you can convert it to NTFS by running a command at the command prompt:

for the C drive:

convert c: /fs:ntfs

for the D drive:

convert d: /fs:ntfs

for the E drive:

convert e: /fs:ntfs

Run the command similarly if you have more drives.

Compressing data in NTFS

* Open My Computer

* Select any drive (a drive with NTFS format)

* Right-click and select Properties

* Click on the General tab

* Select "Compress drive to save disk space"

* Apply and OK

Your data will remain safe.

Changing the Location of Special Folders

You can modify the registry to change the location of special folders like:

* My Documents

* Favorites

* My Pictures

* Personal

1. Start Regedit

2. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

3. Double-click on any location you want to change and alter the path

4. Log off or restart for the changes to take effect

Eliminating the Right Click on the Taskbar

To eliminate the right-click on the taskbar:

1. Start Regedit

2. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

3. Add a DWORD and give it the name NoTrayContextMenu

4. Give it a value of 1

5. Reboot

Eliminating the Right Click on the Desktop

To eliminate the right-click on the desktop:

1. Start Regedit

2. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

3. Add a DWORD and give it the name NoViewContextMenu

4. Give it a value of 1

5. Reboot

These are only three tricks; there are many more available on the net. The idea here is not to teach you how to disable the right-click or how to change the colors, fonts, looks, etc. The basic reason we post this chapter is to make the point that if the registry is the place where all the information is stored, then why can't we break passwords from here?

E.g. I install software on my system to guard some folders which contain material I want to hide. In order to access the folder I have to input a password, and only if it is right can I see the content of the folder. From this example it is clear that the password is stored somewhere in the system, from where the software compares the value I enter in the password field. For this example, as well as for every other piece of software which asks for a password to access system features, including the Windows login password, all these values are stored in the Windows registry. Whenever the user enters a password, it is compared with the value stored in the system registry, and only if it is found correct is the user allowed to access the feature. In the Windows registry we can search for specific items, keys, values or software using the search function in the Edit menu. But there is one problem: the password is not stored in its original form; it is converted to some other format so that no one can recognize it. E.g. if I set the password as "hacking" it is stored as "6167453291" or maybe some other form depending upon the software. In such cases what we can do is reset the password, i.e. delete the value (whatever it is). Once the value is deleted there is no password and our purpose is solved.

TOP CHEAT TRICKS

Set Process Priority

Follow this tip to increase the priority of active processes; this will result in prioritisation of processes using the CPU.

Press CTRL-SHIFT-ESC.

1. Go to the second tab, called Processes, right-click on one of the active processes, and you will see the Set Priority option.

2. For example, run your CD writer program, set the priority higher, and guess what: no crashed CDs.

Shutdown Trick!

Immediate rapid shutdown of Windows:

While shutting down Windows, open Task Manager (Ctrl+Alt+Del), select the Shut Down menu, and hold the Ctrl key while selecting Turn Off from this menu.

Count 5 4 3 2 1. Voila! Your Windows will rapidly shut down.

Speed Up Your Shutdown!!

Start Regedit.

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control.

Click on the "Control" folder.

Select "WaitToKillServiceTimeout".

Right-click on it and select Modify.

Set it to a value lower than 2000 (mine is set to 200).
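The shutdown timeout tweaks (AutoEndTasks, HungAppTimeout and WaitToKillAppTimeout from the earlier tip, plus WaitToKillServiceTimeout here) written as a .reg file, with the constraint the post states (HungAppTimeout greater than WaitToKillAppTimeout) checked before anything is imported. This is an added example, not the post's own; it assumes the values are REG_SZ strings holding milliseconds, which is how XP stores them.

```python
r"""Build and validate a .reg fragment for the XP shutdown-timeout tweaks.

Added example, not from the original post. The two keys and value names are
the ones the post describes; the millisecond defaults are the post's
(HungAppTimeout 5000, WaitToKillAppTimeout lowered to 3500). Assumption:
all four values are REG_SZ strings, as XP stores them.
"""
import re

DESKTOP_KEY = r"HKEY_CURRENT_USER\Control Panel\Desktop"
CONTROL_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"


def shutdown_tweak_reg(hung_app_ms=5000, wait_kill_app_ms=3500,
                       wait_kill_service_ms=1000, auto_end_tasks=True):
    """Return .reg text for the tweaks, or raise ValueError if they are unsafe."""
    if hung_app_ms <= wait_kill_app_ms:
        raise ValueError("HungAppTimeout must be greater than WaitToKillAppTimeout")
    for name, ms in (("HungAppTimeout", hung_app_ms),
                     ("WaitToKillAppTimeout", wait_kill_app_ms),
                     ("WaitToKillServiceTimeout", wait_kill_service_ms)):
        if ms <= 0:
            raise ValueError(f"{name} must be a positive number of milliseconds")
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[{DESKTOP_KEY}]",
        f'"AutoEndTasks"="{1 if auto_end_tasks else 0}"',
        f'"HungAppTimeout"="{hung_app_ms}"',
        f'"WaitToKillAppTimeout"="{wait_kill_app_ms}"',
        "",
        f"[{CONTROL_KEY}]",
        f'"WaitToKillServiceTimeout"="{wait_kill_service_ms}"',
        "",
    ]
    return "\r\n".join(lines)  # regedit expects CRLF line endings


_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"$')


def parse_reg(text):
    """Parse the REG_SZ entries of a .reg file into {key_path: {name: value}}.

    Values of other types (dword:, hex:, @=default), including multi-line hex
    continuations, are skipped, so a regedit export of the same keys can be
    fed back in to re-check the constraint.
    """
    result, current, skipping = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if skipping:                       # inside a hex(...) continuation
            skipping = line.endswith("\\")
            continue
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        key = _KEY_RE.match(line)
        if key:
            current = result.setdefault(key.group(1), {})
            continue
        value = _VALUE_RE.match(line)
        if value and current is not None:
            current[value.group(1)] = value.group(2)
        elif current is not None and (line.startswith('"') or line.startswith("@")):
            skipping = line.endswith("\\")  # non-REG_SZ value, not needed here
        else:
            raise ValueError(f"unexpected line in .reg text: {raw!r}")
    return result


def check_shutdown_values(reg):
    """True if HungAppTimeout > WaitToKillAppTimeout in a parsed .reg.

    Missing values fall back to the XP defaults the post quotes, so an
    untouched system (5000 vs 20000) correctly fails the check.
    """
    desktop = reg.get(DESKTOP_KEY, {})
    hung = int(desktop.get("HungAppTimeout", 5000))
    wait = int(desktop.get("WaitToKillAppTimeout", 20000))
    return hung > wait


if __name__ == "__main__":
    reg_text = shutdown_tweak_reg()
    print(reg_text)
    print("constraint holds:", check_shutdown_values(parse_reg(reg_text)))
```

Export the two keys from regedit before importing the generated file (regedit /s file.reg imports it silently) so the change can be reversed.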


 

And!

Like previous versions of Windows, Windows XP takes a long time to restart or shut down when the "Exit Windows" sound is enabled. To solve this, disable this useless sound: click the Start button, then go to Settings -> Control Panel -> Sound, Speech and Audio Devices -> Sounds and Audio Devices -> Sounds. Under Program events, in the Windows section, click the "Exit Windows" entry to highlight it. From the Sounds drop-down choose "(None)", then click Apply and OK. Now you should see some improvement when shutting down your system.

**new**

Crazy!!

Hide your folders.. a never-known trick!!! Disguise them as "Recycle Bin"

Rename any folder with the extension {645FF040-5081-101B-9F08-00AA002F954E}

e.g., if you have a folder named games:

press F2,

then type "games.{645FF040-5081-101B-9F08-00AA002F954E}"

See the magic....

Then, to get it back to its original form, remove the extension using

"ren games.{645FF040-5081-101B-9F08-00AA002F954E} games" at the command prompt or in a .bat file

and you are done.

~cheers~

System information

System uptime (XP Professional edition only)

XP boasts how long it can stay up. Whereas previous versions of Windows were coy about how long they went between boots, XP is positively proud of its stamina. Go to the Command Prompt in the Accessories menu from the All Programs Start button option, and then type 'systeminfo'. The computer will produce a lot of useful info, including the uptime. If you want to keep this, type 'systeminfo > info.txt'. This creates a file called info.txt that you can look at later with Notepad. (Professional Edition only.)

Lock the PC just by double-clicking the mouse

You can lock your XP workstation with two clicks of the mouse. Create a new shortcut on your desktop using a right mouse click, and enter 'rundll32.exe user32.dll,LockWorkStation' in the location field. Give the shortcut a name you like. That's it: just double-click on it and your computer will be locked. And if that's not easy enough, Windows key + L will do the same.

SPEED UP YOUR ACROBAT READER (ALMOST LIKE NOTEPAD)

Do you get irritated when Acrobat Reader takes 5-10 seconds to load when you want to open a PDF document? There is a way to speed up the loading.

1. Go to the installation folder of Acrobat Reader (C:\program files\adobe\acrobat\reader\.. whatever).

2. Move all the files and folders from the "plugins" directory to the "Optional" directory. (I repeat: cut and paste the files, NOT copy and paste.)

Also make sure that Acrobat Reader is not open, or else it will lock the files and not allow you to move them.

Now your Acrobat Reader will load very fast, almost as fast as Notepad.

Remove Stored Usernames and Passwords!

To remove the Stored User Names and Passwords from your system, try this:

Click Start, Run and type: Control keymgr.dll

Remove the entries from the list.

The other ways to access this dialog are:

Type Control Userpasswords2 in the Run box, click Advanced, then Manage Passwords

-or-

From Control Panel, select your User Account and click "Manage your network passwords"

It works.

~ Cheers ~

Remove the Username and Picture from the Windows XP New Start Menu

The user account picture can be removed by turning off the Welcome Screen, or by switching to the Windows Classic theme. Follow the method described in this article if you want to remove the username and picture from the Start Menu without disabling the Welcome Screen and the Windows XP theme.

For those who want to remove the user name and user account picture from the Start Menu, in order to have a blank blue panel at the top, try this:

Start Windows Explorer and go to this folder:

C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures

In that folder, rename the BMP file which corresponds to your user account. (For example, if your username is Robert, rename Robert.bmp to old_Robert.bmp.)

Next, rename the following folder:

C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures

to something else, say...

C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\No_Default Pictures

To remove the user name, follow these steps:

Start regedit.exe and navigate to this key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

In the right pane, set the NoUserNameInStartMenu value data to 1.

Close regedit.exe and restart Windows.

You'll end up with a blue space at the top of the Start Menu.

To get back the username and the picture, reverse the above procedure.

For the New Start Menu, Windows XP looks for the <username>.bmp file in the folder

C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures

If the file is not found, it takes a picture from the "Default Pictures" sub-folder. By renaming the <username>.bmp and the "Default Pictures" folder, you give Windows no chance to fetch an image for the Start Menu.

~ Cheers ~

Notepad Trick! For the complete list, go to the NOTEPAD TRICKS page!!

Well, quite old, but here is the complete collection.

Step 1: Open Notepad.

Step 2: Write the following line in Notepad:

this app can break

Step 3: Save this file as xxx.txt.

Step 4: Close Notepad.

Step 5: Open the file again.

Voila!!

or

1> Open Notepad.

2> Enter four words separated by spaces, wherein the first word has 4 letters, the next two have three letters, and the last word has five letters.

3> DON'T hit Enter at the end of the line.

4> Save the file.

5> Close Notepad.

6> Reopen Notepad.

7> Open the file you just saved.

or

Open Notepad,

type Bush hid the facts

save that file,

close it,

open it again and see...

NOTEPAD "World Trade Centre trick".. :Rahul

Did you know that the flight number of the plane that hit the WTC on 9/11 was Q33N? Open Notepad on your computer and type the flight number, i.e. Q33N. Increase the font size to 72 and change the font to Wingdings. You will be amazed by the findings.

Log trick!! Make your Notepad a diary!!

Sometimes we want to insert the current date and time whenever we open a file in Notepad. If you are a lazy person like me, who doesn't like to press F5 every time you open a file in Notepad, here is a trick to avoid this. Just add .LOG as the first line of your text file and close it.

Whenever you open a file with that text in the first line in Notepad, it will insert the current date and time at the end of the file. You can start entering your text after that.

WHY?

The reason this happens:

In Notepad, any other 4-3-3-5 letter word combination will have the same result.

It is all to do with a limitation in Windows. Text files containing UTF-16-encoded Unicode are supposed to start with a "Byte-Order Mark" (BOM), a two-byte flag that tells a reader how the following UTF-16 data is encoded.

1) You are saving as 8-bit Extended ASCII (look at the Save As / Encoding format).

2) You are reading back as 16-bit UNICODE (you guessed it, look at the Save As / Encoding format).

This is why the 18 8-bit characters are being displayed as 9 16-bit UNICODE characters (obviously not supported by your codepage).
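The misread described above, as an added example that is not part of the original post: the 18 ASCII bytes of "Bush hid the facts" reinterpreted as UTF-16LE become 9 CJK characters, and writing a BOM when saving removes the need to guess at all. The mention of IsTextUnicode() (the Win32 heuristic Notepad consulted for BOM-less files) is mine; the post does not name the API.

```python
"""Why a BOM-less 4-3-3-5 sentence comes back from Notepad as CJK text.

Added example, not from the original post. Nothing here touches Windows;
the input bytes are the post's own sentence, constructed inline.
"""

BOM_UTF16LE = b"\xff\xfe"
BOM_UTF8 = b"\xef\xbb\xbf"


def misread_as_utf16le(data: bytes) -> str:
    """Interpret BOM-less 8-bit bytes as UTF-16LE, the way Notepad's guess did.

    Every two ASCII bytes pair up into one 16-bit code unit, so 18 bytes
    become 9 characters, and for this sentence all nine land in the CJK block.
    """
    if len(data) % 2:
        raise ValueError("odd byte count cannot form whole UTF-16 code units")
    return data.decode("utf-16-le")


def code_points(text: str):
    """Hex code points, handy for seeing which characters appeared."""
    return [f"U+{ord(c):04X}" for c in text]


def save_with_bom(text: str, encoding: str = "utf-8") -> bytes:
    """Encode text with an explicit BOM, as Notepad's 'UTF-8' / 'Unicode' Save As does."""
    if encoding == "utf-8":
        return BOM_UTF8 + text.encode("utf-8")
    if encoding == "utf-16-le":
        return BOM_UTF16LE + text.encode("utf-16-le")
    raise ValueError("unsupported encoding")


def decode_text(data: bytes, fallback: str = "cp1252") -> str:
    """Decode honouring a BOM; without one, use the declared fallback instead of guessing.

    The fallback stands in for the 8-bit 'ANSI' codepage the post mentions.
    Notepad instead asked IsTextUnicode() to guess, and that guess is what
    turned the 4-3-3-5 sentence into CJK text. A declared encoding (or a BOM)
    is the defensive fix: the reader never has to infer anything.
    """
    if data.startswith(BOM_UTF8):
        return data[len(BOM_UTF8):].decode("utf-8")
    if data.startswith(BOM_UTF16LE):
        return data[len(BOM_UTF16LE):].decode("utf-16-le")
    return data.decode(fallback)


if __name__ == "__main__":
    raw = b"Bush hid the facts"          # constructed: the post's sentence, saved as 8-bit text
    garbled = misread_as_utf16le(raw)
    print(len(raw), "bytes ->", len(garbled), "characters:", garbled)
    print(code_points(garbled))
    print(decode_text(save_with_bom("Bush hid the facts")))   # round-trips cleanly
```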


 

~ cheers ~

SPEED UP MENU DISPLAY!!

When using the Start menu you will notice a delay between different tiers of the menu hierarchy. For the fastest computer experience possible I recommend changing this value to zero. This will allow the different tiers to appear instantly.

Start Regedit. If you are unfamiliar with regedit, please refer to our FAQ on how to get started.

Navigate to HKEY_CURRENT_USER\Control Panel\Desktop

Select MenuShowDelay from the list on the right.

Right-click on it and select Modify.

Change the value to 0.

Reboot your computer.

CLICKING *.AVI FILES IN EXPLORER CAUSING 100% CPU USAGE!!

Well, Windows seems to have a REALLY big problem when it comes to reading AVI files. When you click on an AVI file in Explorer, it tries to read the entire AVI file to determine the width, height, etc. of the file (this is displayed in the Properties window). The problem is that if you have a broken or not fully downloaded AVI file that doesn't contain this info, Windows will scan the entire file trying to figure out all these properties, which in the process will probably cause 100% CPU usage and heavy memory usage. To solve this problem all you have to do is the following:

1. Open up regedit

2. Go to HKEY_CLASSES_ROOT\SystemFileAssociations\.avi\shellex\PropertyHandler

3. Delete the "Default" value, which should be "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"

Voila! Please note that this will no longer provide you with the Windows properties displaying the AVI file information such as width, height, bitrate etc. But it's a small price to pay for saving your resources.

NOTE: Please use caution when using regedit. Improper usage may cause Windows to behave incorrectly. Also, I cannot be held responsible. Back up your registry first.

CD-ROM STOPS AUTOPLAYING/AUTORUN!!

And the AutoPlay tab has disappeared in My Computer, Devices with Removable Storage, right-click on CD-ROM, Properties.

Solution: The service "Shell Hardware Detection" has been set to Manual or Disabled. Go to Control Panel, Administrative Tools, Services. Return this service to "Automatic".

How to make your Desktop Icons Transparent

Go to Control Panel > System > Advanced > Performance area > Settings button > Visual Effects tab, and check "Use drop shadows for icon labels on the Desktop".

DISPLAY MESSAGE ON STARTUP.

Start regedit; if you are unfamiliar with regedit, please see our FAQ.

Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Modify the value legalnoticecaption with what you want to name the window.

Modify the value legalnoticetext with what you want the window to say. Restart.

AUTO DELETE TEMPORARY FOLDER!!

Well, what I prefer is typing %temp% (without quotes) at Start -> Run. This opens your temp folder and then you can erase it neatly. Still, try this one too:

First go into gpedit.msc

Next select -> Computer Configuration/Administrative Templates/Windows Components/Terminal Services/Temporary Folder

Then right-click "Do Not Delete Temp Folder Upon Exit"

Go to Properties and select Disabled. Now, next time Windows puts a temp file in that folder, it will automatically delete it when it's done! Note from Forum Admin: Remember, GPEDIT (Group Policy Editor) is only available in XP Pro.

Make your PDF files speak

Here are the shortcuts for hearing PDF files in Adobe Reader 6.0 or higher:

ctrl+shift+b ----> to hear the whole document

ctrl+shift+v ----> to hear the page

IP SUBNETTING

Takeaway: IP network engineers need a solid understanding of how IP subnetting works, yet the subject is often taught so poorly that students wind up completely baffled. George Ou has developed a simple, graphical approach that explains IP subnetting in a way that finally makes sense.

IP subnetting is a fundamental subject that's critical for any IP network engineer to understand, yet students have traditionally had a difficult time grasping it. Over the years, I've watched students needlessly struggle through school and in practice when dealing with subnetting because it was never explained to them in an easy-to-understand way. I've helped countless individuals learn what subnetting is all about using my own graphical approach and calculator shortcuts, and I've put all that experience into this article.

IP addresses and subnets
Although IP stands for Internet Protocol, it's a communications protocol used from the smallest private network to the massive global Internet. An IP address is a unique identifier given to a single device on an IP network. The IP address consists of a 32-bit number that ranges from 0 to 4294967295. This means that theoretically, the Internet can contain approximately 4.3 billion unique objects. But to make such a large address block easier to handle, it was chopped up into four 8-bit numbers, or "octets," separated by a period. Instead of 32 binary base-2 digits, which would be too long to read, it's converted to four base-256 digits. Octets are made up of numbers ranging from 0 to 255. The numbers below show how IP addresses increment.

0.0.0.0
0.0.0.1
...increment 252 hosts...
0.0.0.254
0.0.0.255
0.0.1.0
0.0.1.1
...increment 252 hosts...
0.0.1.254
0.0.1.255
0.0.2.0
0.0.2.1
...increment 4+ billion hosts...
255.255.255.255

The word subnet is short for sub network--a smaller network within a larger one. The smallest subnet that has no more subdivisions within it is considered a single "broadcast domain," which directly correlates to a single LAN (local area network) segment on an Ethernet switch. The broadcast domain serves an important function because this is where devices on a network communicate directly with each other's MAC addresses, which don't route across multiple subnets, let alone the entire Internet. MAC address communications are limited to a smaller network because they rely on ARP broadcasting to find their way around, and broadcasting can be scaled only so much before the amount of broadcast traffic brings down the entire network with sheer broadcast noise. For this reason, the most common smallest subnet is 8 bits, or precisely a single octet, although it can be smaller or slightly larger.

Subnets have a beginning and an ending, and the beginning number is always even and the ending number is always odd. The beginning number is the "Network ID" and the ending number is the "Broadcast ID." You're not allowed to use these numbers because they both have special meaning with special purposes. The Network ID is the official designation for a particular subnet, and the ending number is the broadcast address that every device on a subnet listens to. Anytime you want to refer to a subnet, you point to its Network ID and its subnet mask, which defines its size. Anytime you want to send data to everyone on the subnet (such as a multicast), you send it to the Broadcast ID. Later in this article, I'll show you an easy mathematical and graphical way to determine the Network and Broadcast IDs.

The graphical subnet ruler
Over the years, as I watched people struggle with the subject of IP subnetting, I wanted a better way to teach the subject. I soon realized that many students in IT lacked the necessary background in mathematics and had a hard time with the concept of binary numbers. To help close this gap, I came up with the graphical method of illustrating subnets shown in Figure A. In this example, we're looking at a range of IP addresses from 10.0.0.0 up to 10.0.32.0. Note that the ending IP of 10.0.32.0 itself is actually the beginning of the next subnet. This network range ends at the number right before it, which is 10.0.31.255.

Figure A

Note that for every bit increase, the size of the subnet doubles in length, along with the number of hosts. The smallest tick mark represents 8 bits, which contains a subnet with 256 hosts, but since you can't use the first and last IP addresses, there are actually only 254 usable hosts on the network. The easiest way to compute how many usable hosts are in a subnet is to raise 2 to the power of the bit size and subtract 2. Go up to 9 bits, and we're up to 510 usable hosts, because 2 to the 9th is 512, and we don't count the beginning and ending. Keep on going all the way up to 13 bits, and we're up to 8,190 usable hosts for the entire ruler shown above.

Learning to properly chop subnets
Subnets can be subdivided into smaller subnets and even smaller ones still. The most important thing to know about chopping up a network is that you can't arbitrarily pick the beginning and ending. The chopping must be along clean binary divisions. The best way to learn this is to look at my subnet ruler and see what's a valid subnet. In Figure B, green subnets are valid and red subnets are not.

Figure B

The ruler was constructed like any other ruler, where we mark it down the middle and bisect it. Then, we bisect the remaining sections and with shrinking markers every time we start a new round of bisecting. In the sample above, there were five rounds of bisections. If you look carefully at the edge of any valid (green) subnet blocks, you'll notice that none of the markers contained within the subnet is higher than the edge's markers. There is a mathematical reason for this, which we'll illustrate later, but seeing it graphically will make the math easier to understand.

The role of the subnet mask

The subnet mask plays a crucial role in defining the size of a subnet. Take a look at Figure C. Notice the pattern and pay special attention to the numbers in red. Whenever you're dealing with subnets, it will come in handy to remember eight special numbers that reoccur when dealing with subnet masks. They are 255, 254, 252, 248, 240, 224, 192, and 128. You'll see these numbers over and over again in IP networking, and memorizing them will make your life much easier.

Figure C

I've included three class sizes. You'll see the first two classes, with host bit length from 0 to 16, most often. It's common for DSL and T1 IP blocks to be in the 0- to 8-bit range. Private networks typically work in the 8- to 24-bit range.

Note how the binary mask has all those zeros growing from right to left. The subnet mask in binary form always has all ones to the left and all zeros to the right. The number of zeros is identical to the subnet length. I showed only the portion of the binary subnet mask in the octet that's interesting, since all octets to the right consist of zeros and all octets to the left consist of ones. So if we look at the subnet mask where the subnet length is 11 bits long, the full binary subnet mask is 11111111.11111111.11111000.00000000. As you can see in the mask octet column, the subnet mask transitions from 1 to 0 in the third octet. That particular binary subnet mask translates directly to base-256 (dotted decimal) form as 255.255.248.0.

The "mask" in subnet mask

The subnet mask not only determines the size of a subnet, but it can also help you pinpoint where the end points on the subnet are if you're given any IP address within that subnet. The reason it's called a subnet "mask" is that it literally masks out the host bits and leaves only the Network ID that begins the subnet. Once you know the beginning of the subnet and how big it is, you can determine the end of the subnet, which is the Broadcast ID.

To calculate the Network ID, you simply take any IP address within that subnet and AND it with the subnet mask. Let's take an IP address of 10.20.237.15 and a subnet mask of 255.255.248.0. Note that this can be and often is written in shorthand as 10.20.237.15/21, because the subnet mask length is 21. Figure D and Figure E show the decimal and binary versions of the AND operation.

Figure D

Decimal math

Figure E

Binary math

The binary version shows how the 0s act as a mask on the IP address on top. Inside the masking box, the 0s convert all numbers on top into zeros, no matter what the number is. When you take the resultant binary Network ID and convert it to decimal, you get 10.20.232.0 as the Network ID.

One thing that's always bothered me about the way subnetting is taught is that students are not shown a simple trick to bypass the need for binary conversions when doing AND operations. I even see IT people in the field using this slow and cumbersome technique to convert everything to binary, run the AND operation, and then convert back to decimal using the Windows Calculator. But there's a really simple shortcut using the Windows Calculator, since the AND operator works directly on decimal numbers. Simply punch in 237, hit the AND operator, and then 248 and [Enter] to instantly get 232, as shown in Figure F. I'll never understand why this isn't explained to students, because it makes mask calculations a lot easier.

Figure F

Since there are 11 zeros in the subnet mask, the subnet is 11 bits long. This means there are 2^11, or 2,048, maximum hosts in the subnet and the last IP in this subnet is 10.20.239.255. You could compute this quickly by seeing there are three zeros in the third octet, which means the third octet of the IP address can have a variance of 2^3, or 8. So the next subnet starts at 10.20.232+8.0, which is 10.20.240.0. If we decrease that by 1, we have 10.20.239.255, which is where this subnet ends. To help you visualize this, Figure G shows it on my subnet ruler.
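The calculation just described, carried out in Python with plain integer bit operations instead of the Windows Calculator, as an added example that is not part of the article: the AND with the mask gives the Network ID, setting every host bit gives the Broadcast ID, the 2^n - 2 rule from the ruler section gives the usable host count, and the ruler's "clean binary division" rule becomes a test of whether a block starts on a boundary of its own size. The function names are mine; the /31 and /32 handling is my addition, since the 2^n - 2 rule only applies where a network and broadcast pair exists.

```python
# Added example: subnet arithmetic the way the article describes it, using
# plain integer bit operations.  Not the article's own code; the function
# names are mine.

def ip_to_int(dotted):
    """'10.20.237.15' -> 32-bit integer, validating each octet."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    """32-bit integer -> dotted decimal."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix):
    """/21 -> 255.255.248.0: 21 ones on the left, 11 zeros on the right."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def subnet_info(cidr):
    """Return (network_id, broadcast_id, usable_hosts, mask) for 'a.b.c.d/p'."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    mask = mask_from_prefix(prefix)
    host_bits = 32 - prefix                      # the article's "subnet length"
    network = ip_to_int(addr) & mask             # AND masks out the host bits
    broadcast = network | (~mask & 0xFFFFFFFF)   # every host bit set to 1
    # The article's 2^n - 2 rule: drop the Network ID and Broadcast ID.
    # /31 (point-to-point) and /32 (host route) have no such pair, so the
    # rule does not apply there and every address in the block is usable.
    if host_bits >= 2:
        usable = (1 << host_bits) - 2
    else:
        usable = 1 << host_bits
    return int_to_ip(network), int_to_ip(broadcast), usable, int_to_ip(mask)


def is_valid_subnet(start, prefix):
    """The ruler's 'clean binary division' rule: a block of 2^h addresses is a
    valid subnet only if it starts on a multiple of 2^h, i.e. the host bits of
    the starting address are all zero."""
    host_mask = ~mask_from_prefix(prefix) & 0xFFFFFFFF
    return (ip_to_int(start) & host_mask) == 0


if __name__ == "__main__":
    print(subnet_info("10.20.237.15/21"))    # the article's worked example
    print(is_valid_subnet("10.0.8.0", 21), is_valid_subnet("10.0.12.0", 21))
```

For the article's 10.20.237.15/21 the function returns 10.20.232.0 as the Network ID and 10.20.239.255 as the Broadcast ID, and for the 10.0.0.0/19 ruler in Figure A it returns the 8,190 usable hosts stated there. The decimal shortcut with the calculator is exactly the third-octet step of the same AND: 237 & 248 is 232.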

Figure G

IP classes made simple

For an arbitrary classification of IP subnets, the creators of the Internet chose to break the Internet into multiple classes. Note that these aren't important as far as your subnet calculations are concerned; this is just how the Internet is "laid out." The Internet is laid out as Class A, B, C, D, and E. Class A uses up the first half of the entire Internet, Class B uses half of the remaining half, Class C uses the remaining half again, Class D (Multicasting) uses up the remaining half again, and whatever is left over is reserved for Class E. I've had students tell me that they struggled with the memorization of IP classes for weeks until they saw this simple table shown in Figure H. This is because you don't actually need to memorize anything; you just learn the technique for constructing the ruler using half of what's available.

Figure H

Remember that all subnets start with EVEN numbers and all subnet endings are ODD. Note that 0.0.0.0/8 (0.0.0.0 to 0.255.255.255) isn't used and 127.0.0.0/8 (127.0.0.0 to 127.255.255.255) is reserved for loopback addresses.

All Class A addresses have their first octet between 1 and 126 because 0 and 127 are reserved. Class A subnets are all 24 bits long, which means the subnet mask is only 8 bits long. For example, we have the entire 3.0.0.0/8 subnet owned by GE, since GE was lucky enough to get in early to be assigned 16.8 million addresses. The U.S. Army owns 6.0.0.0/8. Level 3 Communications owns 8.0.0.0/8. IBM owns 9.0.0.0/8. AT&T owns 12.0.0.0/8. Xerox owns 13.0.0.0/8. HP owns 15.0.0.0/8 and 16.0.0.0/8. Apple owns 17.0.0.0/8.

All Class B addresses have their first octet between 128 and 191. Class B subnets are all 16 bits long, which means the subnet masks are 16 bits long. For example, BBN Communications owns 128.1.0.0/16, which is 128.1.0.0 to 128.1.255.255. Carnegie Mellon University owns 128.2.0.0/16.

All Class C addresses have their first octet between 192 and 223. Class C subnets are all 8 bits long, so the subnet mask is only 24 bits long. Note that ARIN (the organization that assigns Internet addresses) will sell blocks of four Class C addresses only to individual companies and you have to really justify why you need 1,024 Public IP addresses. If you need to run BGP so you can use multiple ISPs for redundancy, you have to have your own block of IP addresses. Also note that this isn't the old days, where blocks of 16.8 million Class A addresses were handed out for basically nothing. You have to pay an annual fee for your block of 1,024 addresses with a subnet mask of /22, or 255.255.252.0.

The concept of subnet classes can cause harm in actual practice. I've actually seen people forget to turn classes off in their old Cisco router and watch large subnet routes get hijacked on a large WAN configured for dynamic routing whenever some routes were added. This is because a Cisco router will assume the subnet mask is the full /8 or /16 or /24 even if you define something in between. All newer Cisco IOS software versions turn off the concept of subnet classes and use classless routing by default. This is done with the default command "IP Classless."

Public versus private IP addresses

Besides the reserved IP addresses (0.0.0.0/8 and 127.0.0.0/8) mentioned above, there are other addresses not used on the public Internet. These private subnets consist of private IP addresses and are usually behind a firewall or router that performs NAT (network address translation). NAT is needed because private IP addresses are nonroutable on the public Internet, so they must be translated into public IP addresses before they touch the Internet. Private IPs are never routed because no one really owns them. And since anyone can use them, there's no right place to point a private IP address to on the public Internet. Private IP addresses are used in most LAN and WAN environments, unless you're lucky enough to own a Class A or at least a Class B block of addresses, in which case you might have enough IPs to assign internal and external IP addresses.

The following blocks of IP addresses are allocated for private networks:

  • 10.0.0.0/8  (10.0.0.0 to 10.255.255.255)
  • 172.16.0.0/12  (172.16.0.0 to 172.31.255.255)
  • 192.168.0.0/16  (192.168.0.0 to 192.168.255.255)
  • 169.254.0.0/16  (169.254.0.0 to 169.254.255.255)*

*Note that 169.254.0.0/16 is a block of private IP addresses used for random self IP assignment where DHCP servers are not available.

10.0.0.0/8 is normally used for larger networks, since there are approximately 16.8 million IP addresses available within that block. They chop it up into lots of smaller groups of subnets for each geographic location, which are then subdivided into even smaller subnets. Smaller companies typically use the 172.16.0.0/12 range, chopped up into smaller subnets, although there's no reason they can't use 10.0.0.0/8 if they want to. Home networks typically use a /24 subnet within the 192.168.0.0/16 subnet.

The use of private IP addresses and NAT has prolonged the life of IPv4 for the foreseeable future because it effectively allows a single public IP address to represent thousands of private IP addresses. At the current rate that IPv4 addresses are handed out, we have enough IPv4 addresses for approximately 17 years. ARIN is much more stingy now about handing them out, and small blocks of IP addresses are relatively expensive compared to the old days, when companies like Apple were simply handed a block of 16.8 million addresses. The next version of IP addresses, called IPv6, is 128 bits long--and there are more than 79 thousand trillion trillion times more IP addresses than IPv4. Even if you assigned 4.3 billion people on the planet with 4.3 billion IP addresses each, you would still have more than 18 million trillion IPv6 addresses left!

KEW GANG

CCNA 2 FINAL ANSWERS

  • Host name resolution allows for the use of an alphanumeric name to identify network devices. Select the answer that displays the correct configuration syntax for creating a host name.
    • Router(config)# ip host Fontana 200.100.50.5
  • Which command will display the status of the carrier detect signal and keepalive messages for a router running CDP?
    • Router# show cdp interface
  • Which of the following are necessary for basic network communication to occur between hosts that will run such applications as Telnet, web browsers, and e-mail? (Choose three.)
    • TCP/IP must be installed and properly configured on each device.
    • A default gateway must be configured for datagrams to travel outside of the LAN.
    • To ensure accurate delivery, a router must be configured and accessible by hosts on the network.
  • The following access list has been created to prevent traffic from host 204.204.7.122 from accessing the 201.100.11.0 network.
    access-list 22 deny host 204.204.7.122
    access-list 22 permit any
    Which group of commands will properly place this access list so that this host is denied access only to the 201.100.11.0 network?
    • RouterB(config)# interface fa0/0
    • RouterB(config-if)# ip access-group 22 out
  • How many Telnet sessions can take place simultaneously on a router running a standard edition of the IOS?
    • 5
  • What can be determined from the partial output of the show ip route command displayed below? (Choose two.)
    • The next update will be in 16 seconds.
    • The administrative distance is 120 and the metric is 1.
  • Which of the following are true regarding the setup configuration mode? (Choose three.)
    • To abort the setup mode, use the CTRL+C keys.
    • To enter setup mode, use the privileged mode setup command.
    • A router that does not find a valid configuration file during the boot process will start the system configuration dialog.
  • A network administrator needs to configure a routing protocol that will use bandwidth and delay when making routing decisions. Which of the following commands must be configured on Router2 so those metric values will be used when determining the best path?(Choose two.)
    • Router2(config)# router igrp 200
    • Router2(config-router)# network 192.5.5.0
    • Router2(config-router)# network 201.100.11.0
  • Which statements are true regarding VTY passwords? (Choose two.)
    • All VTY lines do not need to use the same password.
    • A VTY password is required to establish telnet sessions.
  • Refer to the topology shown. Which commands must be configured in order to enable two-way communication between the hosts connected to the E0 interface of the Utah router and hosts connected to the E0 interface of the
    • Idaho(config)# ip route 172.31.1.0 255.255.255.0 172.31.2.1
    • Idaho(config)# ip route 0.0.0.0 0.0.0.0 s0
    • Utah(config)# ip route 0.0.0.0 0.0.0.0 s0
  • Refer to the above graphic. When using RIP as the routing protocol, how would Chicago use load balancing to route packets to New York? (Choose two.)
    • by forwarding packets over paths of equal cost
    • by cycling packets through interfaces and routes following the same pattern (Router 1, 2, 3) each time
  • Routers have different types of memory. Choose the answer that describes ROM.
    • initializes the code used to boot the router
  • Given the above topology, which of the following statements are true? (Choose two.)
    • If RouterA receives a packet destined for 192.168.3.146, it will be forwarded out interface Ethernet 0.
    • If RouterA receives a packet destined for 10.5.27.15, it will be forwarded out interface Serial 1.
  • The routers shown in the graphic are running IGRP and sending updates about all of their networks. After the network converged, traffic destined for Router4 was received on the E0 interface of Router2. Which route will have the lowest metric?
    • Router2 to Router3 to Router4
  • Which of the following would cause the "Message Of The Day" banner to appear? (Choose three.)
    • telnetting into the router
    • using the Aux port to check the current configuration
    • using the console port to check the current configuration
  • A network administrator trying to deny Telnet traffic from the 192.5.5.0 network to the 201.100.11.0 network entered the commands shown in the graphic. When monitoring the network, the administrator noticed that the Telnet packets are still passing between those networks. What is the cause?
    • The access list has not been assigned to an interface.
  • What information is displayed by the show cdp neighbors detail command that is not displayed by the show cdp neighbors command?
    • IP addresses
  • What types of messages are sent periodically by devices configured for CDP?
    • advertisements
  • Routers in an OSPF network collect and advertise what information to other routers in the network? (Choose three.)
    • the names of neighboring routers
    • the status of router interfaces
    • the total path cost of the links to neighboring routers
  • Which of the following functions are initiated by the router configuration files? (Choose three.)
    • making decisions regarding the best path
    • controlling the flow of traffic in and out of the router
    • specifying the correct set up and use of routed and routing protocols
  • Which of the following will add a TFTP server as a fallback source for a router to load an IOS image?
    • Router# config t
    • Router(config)# boot system tftp c2500-d-l.120-9.bin 163.150.9.31
    • Router(config)# exit
    • Router# copy run start
  • Which statement about datagram life is true?
    • Each router decreases the TTL value by one until it reaches zero. The datagram is then discarded and a destination unreachable message is sent to the source.
  • An administrator has made routing protocol changes to a router's configuration. To ensure that the changes are implemented, the active configuration is saved and the router is reloaded. After the router has initialized, the output on the screen displays "Would you like to enter the initial configuration dialog?[yes/no]:"
    Why did this dialog appear?
    • The configuration register was set to ignore NVRAM.
  • When would the ROM monitor mode be used? (Choose two.)
    • modifying the IOS image stored in Flash
    • performing the bootstrap process
  • What are the major characteristics of a wide area network? (Choose three.)
    • connect devices separated by wide geographical areas
    • uses serial connections to access bandwidth
    • common carriers are needed for connections
  • Which of the following are characteristics of the Open Shortest Path First (OSPF) routing protocol? (Choose two.)
    • functions as a link state routing protocol
    • floods routing updates as topology changes occur
  • Which of the following are functions of a router? (Choose three.)
    • packet switching
    • segmentation of local area networks
    • selection of best path based on a logical addressing
  • Which of the following WAN connection services typically use synchronous communications? (Choose two.)
    • leased line
    • packet-switched
  • Refer to the output from the show ip route command. What can be concluded from the output of this router command?
    • There are two equal cost paths to network 1.0.0.0.
  • Why is having an interface description useful?
    • The interface description helps identify distant network connections.
  • The administrator knows that port E0 on router B connects to a small LAN without any routers. Which command can be executed on router B to conserve bandwidth on port E0?
    • passive-interface E0
  • In the configuration register value 0x2104, which value represents the boot field setting?
    • 4
  • Which of the following statements about the TTL of a datagram are true? (Choose three.)
    • The TTL value matches the maximum hop count defined by the routing protocol.
    • When the TTL value reaches 0, the packet is discarded.
    • A router decreases the TTL value by one as the router forwards the packet.
  • Which of the following are basic rules that should be followed when creating and applying access lists?
    (Choose three.)
    • One access list per protocol per direction.
    • There is an implicit deny at the end of all access lists.
    • Statements are processed sequentially from top to bottom until a match is found.
  • If the config-register on a router is set to 0x2102, where is the first place the router will look for boot system commands?
    • NVRAM
  • A client needs to access more than one network service running on a local server. Which of the following pieces of information will be used by the client to communicate with the appropriate network service on the server? (Choose four.)
    • IP address of the server
    • MAC address of the server
    • destination port number
    • source port number
  • Which command is used to redirect debug information to a device that is connected through a Telnet session?
    • Router# terminal monitor
  • RouterB loses connectivity to network 172.17.22.0. During the next update interval, RouterB sends an update to RouterA signifying that network 172.17.22.0 is inaccessible. RouterA adds the changes received from RouterB to its routing table. Approximately at the same time, RouterC sends an update to RouterA stating that network 172.17.22.0 is up. Which of the following is true regarding the described situation? (Choose two.)
    • Router A will not accept the information from RouterC if split horizon is enabled.
    • RouterA will remove network 172.17.22.0 from its routing table if the network is inaccessible after the flush timer has expired.
  • Which command will produce the output shown in the graphic?
    • show cdp neighbors
  • Of the eight network users on the Human Resources department LAN, one cannot connect to the file server.
    The user's PC has successfully booted but can not see the network. What should be checked first?
    • the PC network interface card LEDs
  • When must a router serial interface be configured with the clock rate command?
    • when no other device is supplying a clock signal to the link
  • Which of the following are true regarding route metrics? (Choose three.)
    • The more factors that make up a metric, the greater the flexibility to tailor network operations.
    • Load and reliability are dynamic metrics used by IGRP.
    • Ticks delay, MTU, and cost are metrics used by routing protocols.
  • The following IGRP configuration was typed in for RouterB:
    RouterB(config)# router igrp 100
    RouterB(config-router)# network 192.168.2.0
    RouterB(config-router)# network 192.169.3.0
    After several update periods, a technician notices that RouterB is not receiving updates from all routers shown in the diagram. Which of the following would correct this error?
    • RouterB(config)# router igrp 100
    • RouterB(config-router)# no network 192.169.3.0
    • RouterB(config-router)# network 192.168.3.0
  • Refer to the network graphic. A packet needs to travel from Router_F to Router_A. Which path would be selected by the IGRP routing protocol if the default metrics are used?
    • F,E,D,B,A
  • The host shown in the graphic has issued the ICMP request packet shown. What information does the host require, and which ICMP message should be sent in reply? (Choose two.)
    • The host requires the default gateway IP address.
    • The reply should be a router advertisement message.
  • Which of the following commands would indicate if a boot system statement is configured on a router?
    (Choose three.)
    • show startup-config
    • show running-config
    • show config
  • Which of the following could be placed in the destination port field of a UDP segment from a client machine?
    • 53
  • The following line was displayed in the output of the show ip route command.
    I 192.168.3.0/24 [100/80135] via 192.168.2.2, 00:00:30, Serial0/0
    What is the value of the composite metric?
    • 80135
  • A network administrator can establish a remote session to a host using the Router> telnet 192.168.1.1 command but is unsuccessful when using the Router> telnet Boston command to connect to the same interface. Which of the following could be the problem? (Choose two.)
    • The ip host table on the router is not configured.
    • Domain name services are not available.
  • Assume OSPF is being used on all routers. What happens when the link between Router1 and Router2 goes down? (Choose two.)
    • Link-state advertisements are flooded.
    • All routers note the change and adjust routes.
  • Which of the following devices are used in WANs and help define the WAN physical layer? (Choose three.)
    • communication servers
    • routers
    • modems
  • Which of the following is true regarding the protocol data unit (PDU) shown in the graphic?
    • It is a server response to a client request for Telnet services.

Friday, October 12, 2007

PLAY WITH ACL

Takeaway: Although typically considered Cisco's low-end security tool, access lists are far more productive. If you're new to Cisco, you will want to get to know this tool, and Amit Srivastava is here to help.


In this Daily Drill Down, I'm going to help you understand what Cisco's access lists are, how to use them on different Cisco series, and how to make your work with them more efficient. Why did I choose this topic? That's simple—Cisco's access list is a basic tool, applicable to numerous tasks. Every Cisco specialist has to know how to work with access lists. If you can handle access lists, you can handle the router; that's the rule.

Access list defined
Let's clarify the meaning of access list. Some technicians argue that the access list is a firewall tool and nothing more. These people are wrong. Access list (in Cisco notation) has a very broad meaning. The best way to describe an access list is as a "limit" that is used to determine "interesting traffic" and how to act upon it. Yes, of course, one can use access lists for organizing a simple firewall, but that's not their primary purpose.

Also, you should understand that access lists are not a panacea. You can do a lot of things with them, but you should always look for alternative solutions.

Let's start
Access lists can be used to control the transmission of packets across an interface, to restrict traffic across virtual terminal lines, or to restrict routing updates. You enter rules to permit or deny packets within each access list. The access lists are identified by a number. All statements within a single list must have the same number. The number used is up to you, but it has to fall within the defined ranges, depending on what service you are applying the access list to. Here are the available ranges for a Cisco 3640 router with Enterprise IOS 12.0(7)T:
core#configure terminal
core(config)#access-list ?
 <1-99>  IP standard access list
 <100-199> IP extended access list
 <1000-1099> IPX SAP access list
 <1100-1199> Extended 48-bit MAC address access list
 <1200-1299> IPX summary address access list
 <1300-1999> IP standard access list (expanded range)
 <200-299> Protocol type-code access list
 <2000-2699> IP extended access list (expanded range)
 <300-399> DECnet access list
 <400-499> XNS standard access list
 <500-599> XNS extended access list
 <600-699> Appletalk access list
 <700-799> 48-bit MAC address access list
 <800-899> IPX standard access list
 <900-999> IPX extended access list
 rate-limit Simple rate-limit specific access list

These ranges may vary among different IOS versions. For example, for Cisco 2620 with basic IP IOS 12.0(7)T, this list squeezes down to:
2620#configure terminal
2620(config)#access-list ?
 <1-99>  IP standard access list
 <100-199> IP extended access list
 <1100-1199> Extended 48-bit MAC address access list
 <1300-1999> IP standard access list (expanded range)
 <200-299> Protocol type-code access list
 <2000-2699> IP extended access list (expanded range)
 <700-799> 48-bit MAC address access list
 rate-limit Simple rate-limit specific access list

There is no sense in trying to build some ultimate tables for these ranges; just learn them from your router. The Cisco IOS help system is powerful enough to help you with this (so I've covered only the basic ones).

How IP access lists work
An IP access list is a collection of permit and deny rules that are applied to IP addresses. The router processes each access list statement, in sequence, against each packet. If the router reaches the end of the list and has found no match for the packet, the packet will be discarded. Therefore, it is important that each access list contain at least one permit statement. And because the first match is the one followed, it is critical to pay attention to the order.

Access list types
There are three basic types of IP access lists: standard, extended, and dynamic extended. Standard access lists use source addressing for applying rules and provide very basic forms of filtering. Extended access lists use both source and destination addresses for filtering and even allow filtering by protocol type. This allows a more granular method of controlling data flow. Finally, dynamic extended access lists grant access to destinations on a per-user basis, through an authentication process.

The router uses a wildcard mask (sometimes known as an inverse mask), along with the source or destination IP address, to identify a range of addresses to match. Just as a subnet mask tells the router which bits of the IP address belong to the network number and which belong to the host address, the wildcard mask tells the router how many bits of the IP address it needs to examine in order to make a matching determination. This address mask pair allows us to specify a range of IP addresses with just two 32-bit numbers.

Standard type
So how do you use standard access lists? Easy! For example, suppose we want to create an access list number 1, which will deny and log all requests from all addresses, except 192.168.1.25. We'll start out using the help feature by running the following at the configuration prompt:
core(config)#access-list 1 ?
 deny Specify packets to reject
 permit Specify packets to forward
 remark Access list entry comment

core(config)#access-list 1 permit ?
 Hostname or A.B.C.D Address to match
 any     Any source host
 host     A single host address

core(config)#access-list 1 permit 192.168.1.25 ?
 A.B.C.D Wildcard bits
 log  Log matches against this entry

And here we actually enter the commands to set up the access list:
core(config)#access-list 1 permit 192.168.1.25
core(config)#access-list 1 deny any log
core(config)#exit
core#show access-lists 1
Standard IP access list 1
 permit 192.168.1.25
 deny any log

After an access list is created, any additions to that list number are placed at the end. Unfortunately, this means that you can't selectively add or remove items. The only removal that can be done is to remove the entire access list, which can obviously be a nuisance if you have extensive lists.

Extended and dynamic extended type
Extended IP access lists allow you to control traffic at a more granular level. Extended IP uses both the source and destination addresses when it tries to match up packets to your list, and you can optionally use protocol type information for even finer control.

A lot of the rules you learned from standard IP access lists are the same in Extended IP access lists, such as the rule that we cannot selectively add or remove from a list, and that at the end of the list there is an implicit deny all statement (by default). The syntax for adding extended IP access lists is a bit more complex, though it is similar to the standard one. From the configuration prompt, run:
core(config)#access-list 101 ?
 deny  Specify packets to reject
 dynamic Specify a DYNAMIC list of PERMITs or DENYs
 permit Specify packets to forward
 remark Access list entry comment

core(config)#access-list 101 permit ?
 <0-255> An IP protocol number
 ahp  Authentication Header Protocol
 eigrp Cisco's EIGRP routing protocol
 esp  Encapsulation Security Payload
 gre  Cisco's GRE tunneling
 icmp  Internet Control Message Protocol
 igmp  Internet Gateway Message Protocol
 igrp  Cisco's IGRP routing protocol
 ip  Any Internet Protocol
 ipinip IP in IP tunneling
 nos  KA9Q NOS compatible IP over IP tunneling
 ospf  OSPF routing protocol
 pcp  Payload Compression Protocol
 pim  Protocol Independent Multicast
 tcp  Transmission Control Protocol
 udp  User Datagram Protocol

core(config)#access-list 101 permit ip ?
 A.B.C.D Source address
 any  Any source host
 host  A single source host

Let's say, for example, that we would like to block and log all TCP and UDP connections to port 12345, and everything else should be passed through. Here is how this would be accomplished:
core#configure terminal
core(config)#access-list 101 deny tcp any any eq 12345 log
core(config)#access-list 101 deny udp any any eq 12345 log
core(config)#access-list 101 permit ip any any
core(config)#exit
core#show access-lists 101
Extended IP access list 101
 deny tcp any any eq 12345 log
 deny udp any any eq 12345 log
 permit ip any any
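The matching rules from "How IP access lists work" and the wildcard mask paragraph, applied to the two lists built above (list 1 and list 101), as an added Python model that is not Cisco code and not part of this post: entries are tried top to bottom, the first match decides, and a packet that matches nothing falls through to the implicit deny. It handles the syntax the post uses (any, host, address plus optional wildcard, a protocol keyword, and a destination eq port); source-port matching, established, and the other extended keywords are left out. The function names, the entry dictionaries and the sample packets are mine.

```python
# Added example: a small model of how IOS evaluates a numbered IP access
# list.  Not Cisco code and not from the post; names are mine.  Covers the
# syntax used in the post: any | host A.B.C.D | A.B.C.D [wildcard], a
# protocol keyword, and a destination 'eq <port>'.  Source ports and other
# extended keywords are not handled.

def ip_to_int(dotted):
    o = [int(x) for x in dotted.split(".")]
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]


def wildcard_match(addr, base, wildcard):
    """Wildcard (inverse) mask: a 0 bit must match, a 1 bit is don't-care."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


def _take_addr(tokens):
    """Consume one address spec from the front of tokens; return (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    wildcard = "0.0.0.0"     # a bare address with no wildcard means that one host
    if tokens and tokens[0].count(".") == 3 and tokens[0][0].isdigit():
        wildcard = tokens.pop(0)
    return (t, wildcard)


def parse_acl(lines):
    """Turn 'access-list N permit|deny ...' lines into a list of entry dicts."""
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[2] == "remark":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        entry = {"number": number, "action": action, "proto": "ip",
                 "dst": ("0.0.0.0", "255.255.255.255"), "dport": None}
        if 1 <= number <= 99 or 1300 <= number <= 1999:   # standard: source only
            entry["src"] = _take_addr(rest)
        else:                                              # extended list
            entry["proto"] = rest.pop(0)
            entry["src"] = _take_addr(rest)
            entry["dst"] = _take_addr(rest)
            if rest[:1] == ["eq"]:
                rest.pop(0)
                entry["dport"] = int(rest.pop(0))
        entry["log"] = "log" in rest
        entries.append(entry)
    return entries


def evaluate(entries, packet):
    """First matching entry wins; no match means the implicit deny.
    packet: {'proto': 'tcp', 'src': ..., 'dst': ..., 'dport': 80}"""
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != packet["proto"]:
            continue
        if not wildcard_match(packet["src"], *e["src"]):
            continue
        if not wildcard_match(packet["dst"], *e["dst"]):
            continue
        if e["dport"] is not None and e["dport"] != packet.get("dport"):
            continue
        return e["action"], e
    return "deny", None   # implicit deny at the end of every access list


# The two lists from the post, as typed at the config prompt.
ACL_1 = ["access-list 1 permit 192.168.1.25",
         "access-list 1 deny any log"]
ACL_101 = ["access-list 101 deny tcp any any eq 12345 log",
           "access-list 101 deny udp any any eq 12345 log",
           "access-list 101 permit ip any any"]

if __name__ == "__main__":
    lst = parse_acl(ACL_101)
    for pkt in ({"proto": "tcp", "src": "10.1.1.5", "dst": "10.2.2.9", "dport": 12345},
                {"proto": "tcp", "src": "10.1.1.5", "dst": "10.2.2.9", "dport": 80}):
        print(pkt["dport"], evaluate(lst, pkt)[0])
```

The returned entry lets a caller see which line matched and whether it carries the log keyword, which is what you would check when a list is not behaving as expected. Note that list 101 ends in permit ip any any, so ICMP and every other protocol pass; remove that line and the implicit deny at the end would drop everything that the two deny statements do not already match.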

Pretty simple, isn't it?

Named type
To finish, let's turn to the named access list. It is new in IOS version 11.2, and it is not backward-compatible with older releases. With named lists, you can identify IP access lists, whether standard or extended, with an alphanumeric name instead of a number. This allows you to exceed the previous limit of 99 characters for standard and 100 for extended. You should not, however, assume that all access lists that use a number can also use a name. If you choose to use this method, you should know that the mode and command syntax are a little different. Also, as of now, only packet and route filters can use a named list.

Conclusion
As you can see, using access lists is not hard. When you understand how they work, you can handle this tool. I wouldn't be mistaken if I said that access lists are one of the most important parts of Cisco IOS. And this makes the access list a must-know for every Cisco specialist.
The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.

Thursday, October 11, 2007

WEBSITES
