Cisco IOS Access Lists

Errata for Cisco IOS Access Lists



The errata list is a list of errors and their corrections that were found after the product was released. If the error was corrected in a later version or reprint, the date of the correction will be displayed in the column titled "Date Corrected".

The following errata were submitted by our customers and approved as valid errors by the author or editor.




Version Location Description Submitted By Date Submitted Date Corrected
Printed
Page 21-22
IN PRINT: last paragraph

Jeff explains that the default wildcard mask used with an access list is 0.0.0.0, which will match the exact address only, as in a host address. However he goes on to explain in the last example: access-list 2 permit 192.168.30.0 access-list 2 permit 192.168.33.0 includes 192.168.30.0/24 and 192.168.33.0/24. If the default wildcard mask is 0.0.0.0 then the above referenced access-list would match only host 192.168.30.0 and 192.168.33.0 not the class c network range of 192.168.30.1 to 192.168.30.255. Am I correct or when the access-list is used in route redistribute is the wild card mask changed to be the classful subnet mask, and if it is shouldn't the resulting access-list with wildcard masks listed on page 22 be correctly listed as: access-list 2 permit 192.168.30.0 0.0.0.255 access-list 2 permit 192.168.33.0 0.0.0.255 SHOULD BE: This paragraph is wrong and should be deleted.

Anonymous   
Printed
Page 24
IN PRINT: second half of page

In the section titled "Generic format of standard access lists", the author gives the following as the generic format of a standard access list: access-list [list number] [permit | deny] [IP address] [wildcard mask (optional)] SHOULD BE: The generic format should read access-list [list number] [permit | deny] [IP address] [wildcard mask (optional)] [log (optional)] with the text in [list number], [IP address], [wildcard mask (optional)], and [log (optional)] in italics. There should also be a section after wildcard mask argument definition: log The log keyword. If present, it turns on logging every time the access list entry is matched.

Anonymous   
Printed
Page 31
IN PRINT: Last paragraph.

The line that reads: "The first line of this access list allows TCP packets from all of network 192.168.30.0/24 to the medical diagnostic host with IP address 192.168.33.5". SHOULD BE: The first line of the last paragraph of page 31 should read: The first line of this access list allows TCP packets from all of network 192.168.30.0/24 to the medical diagnostic host with IP address 192.168.35.1.

Anonymous   
Printed
Page 33-34
IN PRINT: 2nd half of page 33. Top of page 34.

On pages 33-34, the author indicates that one can use the "logging" keyword to log any matches of an access list entry. According to Cisco documentation, this should just be "log". (I have verified this on my own router: using the keyword "logging" results in a syntax error.) Moreover, there is a slightly different keyword, "log-input", to include the input interface in the logging output. This keyword was not mentioned in the text. SHOULD BE: The access list generic format should look like the following access-list [list number] [permit | deny] [protocol] [source specification] [destination specification] [protocol qualification] [log (optional)] On page 35, the entry for logging should instead be log The log keyword. If present, it turns on a log of all packet information every time the access list entry is matched.

Anonymous   
Printed
Page 45
IN PRINT: 2nd configuration example

The line: access-group 2 in should read: access-class 2 in

Anonymous   
Printed
Page 57
IN PRINT: Fig 3-4 & 4th para

In the figure, the web server facing interface is "Ethernet 0" and in the text and example ACL it is "Ethernet 2". SHOULD BE: The ethernet interface in figure 3-4 that connects to the web server should be ethernet 2.

Anonymous   
Printed
Page 59
IN PRINT: Figure 3-5

I believe that Figure 3-5 contains an error. It is a diagram of an FTP session between a client and server. While the text seems to indicate that Data Channel Setup is sent from port 20, the figure seems to indicate that it is sent from port 21. SHOULD BE: It should be port 20 in the figure for the source port on the FTP Server (on the right).

Anonymous   
Printed
Page 70
IN PRINT: Figure 3-9

Company C Web server at 192.168.35.1 should have an address of 192.168.30.2

Anonymous   
Printed
Page 75
IN PRINT: boxed text

Huh? Not only are ARP packets not IP packets, so I don't see why an IP access-list would apply if Cisco syntax made sense, but I certainly don't have to do this on an operational router, and never have had to. Just to double check that I wasn't dreaming I just checked on a 7204 running IOS 12.1(6)E. The Internet facing interface is an ethernet interface connected to redundant upstream routers. The only things the extended IP inbound ACL on that interface allows to the router itself are ICMP ttl-exceeded, so that I can do traceroutes from the router, and access in from a remote management network. I can't even ping the upstream routers. If I do a "sh arp", however, there all the upstream router IP and MAC addresses are. BTW, you could filter ARP packets using access lists in the 200-299 range where you specify the ethernet type-code, but I'm not familiar with those and suspect that they can only be used with bridging. SHOULD BE: This is true, so this box should be deleted.

Anonymous   
Printed
Page 76
IN PRINT: There is an access list for OSPF hello packets

access-list 101 permit ospf 192.168.31.0 0.0.0.255 host 224.0.0.4 SHOULD BE: On page 76, the access list for OSPF should read: access-list 101 permit ospf 192.168.31.0 0.0.0.255 host 224.0.0.5

Anonymous   
Printed
Page 77
IN PRINT: Example after last paragraph

The example after the last paragraph isn't correct. At the bottom of the page, --either-- ip access-group out-to-Internet out should be ip access-group out-to-server out which then would match the text which describes the example (on pg 78) but in doing so would make the example not "self documentating" (read confusing) --or-- ip access-list extended out-to-server should be ip access-list extended out-to-Internet which then doesn't match the text on pg 78. SHOULD BE: The access list at the bottom of page 77 should read ! access-list out to the Internet ip access-list extended out-to-Internet permit tcp host 192.168.35.1 any evaluate tcp-connections ip access-list in-from-Internet permit tcp any any reflect tcp-connections ! interface statements interface serial 1 ip access-group out-to-Internet out ip access-group in-from-Internet in ! access-list out tothe

Anonymous   
Printed
Page 78
IN PRINT: Second to last paragraph

The paragraph with first sentence "Reflexive access lists are created ..." is hard to follow. Is it safe to assume that the next sentence "In our example ..." refers to the _previous_ example (on the prior page)? Should inbound have really been outbound? Regarding the next (and last) sentence in the paragraph (before the IOS ACL commands), I assume this is a new example "Lets implement the policy ...". Is this new example showing an outbound access list created using an inbound ACL? SHOULD BE: The last sentence on the second to last paragraph of page 78 should read: Let's implement the same policy using inbound access lists: The list in the following example should read ! access-list in from the server ip access-list extended in-from-server permit tcp host 192.168.35.1 any evaluate tcp-connections ip access-list extended out-to-server permit tcp any any reflect tcp-connections ! interface statements interface Ethernet 0 ip access-group out-to-server out ip access-group in-from-server in

Anonymous   
Printed
Page 78
IN PRINT: last paragraph

In the configuration example given at the bottom of the page, there is the line permit tcp any host 192.168.35.1 any From the way that the access list is being used, the first "any" shouldn't be there. I think the line should read permit tcp host 192.168.35.1 any SHOULD BE: The last sentence of the second to last paragraph (starting with "Reflexive access lists") and the first part of the following configuration should read: Let's implement the same policy using inbound access lists: ! access-list in from the server ip access-list extended in-from-server permit tcp host 192.168.35.1 any

Anonymous   
Printed
Page 79-80
IN PRINT: Access list example that spans from bottom of page 79 to top of page 80

In the example describing the use of a Reflexive access list for UDP, the extended access list going out to the Internet from the server should read "ip access-list extended in-from-server". This goes along with its description and the way it's applied to the Ethernet interface later in the example. SHOULD BE: The configuration fragment at the start of page 80 should start: ! access list out to the Internet from the server ip access-list extended in-from-server

Anonymous   
Printed
Page 80
IN PRINT: 2nd paragraph

In the second paragraph, the author states: "Reflexive access lists have a number a limitations. You cannot use them on protocols that do not have source ports, such as ICMP." While I haven't verified this for myself on my own router, this is in direct conflict with the online Cisco documentation. Here is the text from the documentation for the permit(reflexive) command in IOS version 11.3: "permit protocol any any reflect name [timeout seconds] no permit protocol any any reflect name protocol Name or number of an IP protocol. It can be one of the keywords gre, icmp, ip, ipinip, nos, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip." This also holds true in versions 12.0, 12.1, and 12.2. Here is a link to the latest documentation: http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/cs/csprts/csprts3/csreflex.htm I would guess that in protocols that don't have ports, then all that happens is that source and destination IP addresses get reversed. Without verifying, that's just an educated guess though. SHOULD BE: The assertion is correct - other protocols can be used with reflexive access lists. In protocols without ports, packet characteristics like ICMP packet type are used. On page 80, the sentence beginning with "you can't use them on protocols without source ports like ICMP" should be deleted, along with the sentence after it that begins with "In the previous entry".

Anonymous   
Printed
Page 89
Chapter 3

Figure 3-14 : Arrows for Access List 101 and 104 should be reversed (101 is incoming and 104 is outgoing). The same applies to Access List 105 and 102 (102 is incoming and 105 is outgoing).

Anonymous   
Printed
Page 94
IN PRINT: figure 4-1

Routing info uses nets A to D. Associated text refers to networks 1 to 4 except in the last line of the page which contains a reference to network X. SHOULD BE: In the text of the last paragraph of page 94 through the top of page 95, 'Network 1' should be replaced by 'Network A', 'Network 2' should be replaced by 'Network B', 'Network 3' should be replaced by 'Network C', and 'Network 4' should be replaced by 'Network D.'

Anonymous   
Printed
Page 97
IN PRINT: figure 4-2

The interface 3 and 4 labels should be swapped in figure 4-2 in order to match the description in the paragraph just below. SHOULD BE: In figure 4-2, the labels of Interface 3 and Interface 4 should be swapped.

Anonymous   
Printed
Page 106
IN PRINT: 1st paragraph at top of page.

In the second sentence at the top of the page, the author states: "Since Site E uses network 10.0.0.0/8,..." However, in Figure 4-9, there is no Site E. Rather, Site P is using network 10.0.0.0/8. A similar problem happens a little bit down the page: "This configuration fragment permits only the route to 10.0.0.0 in through serial interface 2 of the router, thus permitting only network 10.0.0.0/8 to come in from Site O." The end of this sentence needs to read "...from Site P." in order to agree with the figure. SHOULD BE: The first complete sentence at the start of page 106 should read: "Since Site P uses network 10.0.0.0/8, we would set up the following on Router 4." The next sentence should read: "This configuration fragment permits only the route to 10.0.0.0 in through serial interface 2 of router 4, thus permitting only network 10.0.0.0/8 to come in from site P."

Anonymous   
Printed
Page 107
IN PRINT: figure 4-10

the two interfaces labeled e1/0 in the middle and lower port on the router box should read e1/1 and e1/2 respectively to match the description in the access list on the same page. SHOULD BE: The two interfaces labeled e1/0 in the middle and lower port on the router box should read e1/1 and e1/2 respectively.

Anonymous   
Printed
Page 107
IN PRINT: Figure 4-10 at top of page.

In the figure, all of the ethernet segments are labeled as having the following network numbers/netmasks: 192.168.20.0/8 192.168.29.0/8 192.168.30.0/8 192.168.31.0/8 I'm guessing that these should be changed to: 192.168.20.0/24 192.168.29.0/24 192.168.30.0/24 192.168.31.0/24 since the way that they are printed in the book, they are all on the same network! (Namely, 192.0.0.0/8.) SHOULD BE: In Figure 4-10, the host segments should read 192.168.20.0/24 192.168.29.0/24 192.168.30.0/24 192.168.31.0/24 Also, the ethernet interface labels from the top down, should be e1/0, e1/1, and e1/2.

Anonymous   
Printed
Page 107
IN PRINT: Just below Figure 4-10

The configuration fragment just below Figure 4-10 is: access-list 1 deny all This should be changed to: access-list 1 deny any (There is no keyword "all" for access lists.) SHOULD BE: The configuration fragment below 4-10 should read access-list 1 deny any

Anonymous   
Printed
Page 108
IN PRINT: Last paragraph

The configuration fragment near the bottom of the page: access-list 1 deny all should read: access-list 1 deny any (There is no keyword "all" in access lists.) SHOULD BE: The configuration fragment near the bottom of page 108 should read access-list 1 deny any

Anonymous   
Printed
Page 108-109
IN PRINT: Figure 4-11 on page 108 and 1st two lines on page 109

In Figure 4-11, the author labels the ethernet network connecting the three routers in the figure as being 192.168.10.0/8. I'm wondering if the author didn't mean 192.168.10.0/24 because the configuration fragment at the bottom of the page has the two lines router rip network 192.168.10.0 From the way that RIP works, this command would mean 192.168.10.0/24 without any further information. Likewise, in the first sentence on page 109, the author states: "The network statement here says that we broadcast RIP on all interfaces connected to network 192.168.10.0/8." The end of this should read "...connected to network 192.168.10.0/24." (I think you would have to use the command network 192.0.0.0 to get a /8 with RIP.) SHOULD BE: Figure 4-11 should read "hosts on 192.168.10.0/24" on the note at the bottom of the figure. The first sentence on page 109 should read: The network statement here says that we broadcast RIP on all interfaces connected to network 192.168.10.0/24.

Anonymous   
Printed
Page 109
IN PRINT: 2nd paragraph on page

The author writes: "...and it was asked to forward a packet to network 198.168.30.0/8." Does the author mean network 198.168.30.0/24 here? Because if he meant 198.168.30.0/8, why wouldn't he just write 198.0.0.0/8? SHOULD BE: The reference to 198.168.30.0 in the second paragraph of page 109 should be 192.168.30.0/24.

Anonymous   
Printed
Page 110
IN PRINT: 2nd paragraph on page

The author writes: "Since we accept only one route, to network 172.28.0.0/16 as the default network to other networks, Router 1 doesn't have to accept route 10.0.0.0/8 from Site O." If this is referring to Figure 4-9 as stated, then I believe that this should read "...accept route 10.0.0.0/8 from Site P." SHOULD BE: The second sentence of the second paragraph should read: Since we accept only one route, to network 172.28.0.0/16 as the default network to other networks, router 1 doesn't have to accept route 10.0.0.0/8 from site M or any other route from other sites within the intranet.

Anonymous   
Printed
Page 112
IN PRINT: 3rd paragraph

An an option of the distribute-list statement that lets us reduce the impact of filtering routes when they are distributed from one routing process to another. Please take out the second 'an' here. SHOULD BE: "An option of the distribute-list statement...". The second "an" in the third paragraph of page 112 should be removed.

Anonymous   
Printed
Page 117
IN PRINT: 1st paragraph, just before 1st config fragment on page

The author writes: "First, let's define a policy set with network 10.0.0.0/8 and another network 172.20.0.0/8 in it:" This should be "...and another network 172.20.0.0/16 in it:" in order to agree with Figure 4-14 and the previous and following text of this example. SHOULD BE: The last sentence of the first paragraph on page 117 should read: First, let's define a policy set with network 10.0.0.0/8 and another with network 172.20.0.0/16 in it:

Anonymous   
Printed
Page 123
IN PRINT: last paragraph on page

Near the bottom of the page, the author writes: "In Figure 4-17, network 192.168.18.0/16..." This should be changed to "...network 192.168.18.0/24..." in order to agree with the figure. SHOULD BE: The last sentence on page 123 should read: In figure 4-17, network 192.168.18.0/24 contains servers dedicated to an application critical to users on networks 10.0.0.0/8 and 172.28.0.0/16.

Anonymous   
Printed
Page 126-127
IN PRINT: Near bottom of page 126 and top of page 127

Near the bottom of page 126, the author writes: "Router 4's serial interface to Site E..." This should be changed to "Router 4's serial interface to Site P..." in order to agree with Figure 4-9. Similarly, near the top of page 127, where the author says: "We then redistribute our default network within Site D." This should be "We then redistribute our default network within Site O." to agree with the figure. SHOULD BE: The second to last sentence on page 126 should read: "Router 4's serial interface to site P has IP address 192.168.13.1 and router 6's serial interface has IP address 192.168.13.2." The second sentence on page 127 should read: "We then redistribute our default network within site O."

Anonymous   
Printed
Page 130
IN PRINT: 1st paragraph

The author states that EIGRP is a classful routing protocol, which is incorrect. RIP and IGRP are classful, however, EIGRP, OSPF, IS-IS, and BGP are all classless... SHOULD BE: This refers to material that does not appear on page 130 or anywhere else in this book - it may apply to another book, but not this one.

Anonymous   
Printed
Page 130
IN PRINT: First config fragment on page

Part of the first config fragment on the page is: ! no routes from the host segments distance 192.168.29.0 0.0.0.0 255 distance 192.168.30.0 0.0.0.1 255 This last line should read distance 192.168.30.0 0.0.1.0 255 in order to agree with previous config statements. SHOULD BE: The last distance statement of the first configuration fragment on page 130 should read distance 192.168.30.0 0.0.1.0 255

Anonymous   
Printed
Page 135
IN PRINT: In middle of page

In the middle of the page, the author specifies the following policy: "All of the hosts with IP addresses 192.168.32.32 through 192.168.32.63 except 192.168.32.40 through 192.168.32.43 can have SNMP read access." The author then gives an example of implementing this policy incorrectly as follows: access-list 1 deny 192.168.40.0 0.0.0.7 access-list 1 permit 192.168.32.0 0.0.0.31 snmp community string public ro 1 While the author was trying to illustrate an incorrect implementation, I got the impression that he was merely trying to show an incorrect wild-card mask. In the access list above, the hosts that are denied are 192.168.40.0 through 192.168.40.7, and the hosts that are permitted are 192.168.32.0 through 192.168.32.31. Note that none of these are in the range that was specified by the policy given above. I think that the following would fix this example: access-list 1 deny 192.168.32.40 0.0.0.7 access-list 1 permit 192.168.32.32 0.0.0.31 Then there seems to be a cut-and-paste error, because the fix to the error in the access list was given as: access-list 1 deny 192.168.40.0 0.0.0.3 access-list 1 permit 192.168.32.0 0.0.0.31 This will deny the range 192.168.40.0 through 192.168.40.3, and it will permit the range 192.168.32.0 through 192.168.32.31, which is not in the policy given above. I think that this really should read: access-list 1 deny 192.168.32.40 0.0.0.3 access-list 1 permit 192.168.32.32 0.0.0.31 SHOULD BE: The first configuration fragment on page 135 should read: access-list 1 deny 192.168.32.40 0.0.0.7 access-list 1 permit 192.168.32.32 0.0.0.31 The second configuration fragment on page 135 should read: access-list 1 deny 192.168.32.40 0.0.0.3 access-list 1 permit 192.168.32.32 0.0.0.31

Anonymous   
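The wildcard-mask reasoning in the page 135 entry above can be checked mechanically. The following is an added example, not code from the book or from this errata page: it models only standard numbered access lists (first match wins, implicit deny at the end), the function names are illustrative, and the four fragments are copied from the entry.

```python
import ipaddress

def to_int(addr):
    """Dotted-quad string to 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def parse_standard_acl(text):
    """Parse 'access-list N permit|deny ADDR [WILDCARD] [log]' lines."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        action, addr = parts[2], parts[3]
        rest = [p for p in parts[4:] if p != "log"]
        if addr == "any":
            base, wild = 0, 0xFFFFFFFF
        else:
            base = to_int(addr)
            wild = to_int(rest[0]) if rest else 0  # default wildcard 0.0.0.0
        entries.append((action, base, wild))
    return entries

def entry_range(addr, wildcard):
    """First and last address matched by a contiguous wildcard mask."""
    base, wild = to_int(addr), to_int(wildcard)
    first = base & ~wild & 0xFFFFFFFF
    last = base | wild
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))

def evaluate(entries, host):
    """Return 'permit' or 'deny' for one host; first matching entry wins."""
    h = to_int(host)
    for action, base, wild in entries:
        # Bits set in the wildcard are ignored; all other bits must be equal.
        if ((h ^ base) & ~wild & 0xFFFFFFFF) == 0:
            return action
    return "deny"  # implicit deny at the end of every access list

def policy_allows(host):
    """Policy quoted in the entry: .32-.63 may read, except .40-.43."""
    h = to_int(host)
    in_range = to_int("192.168.32.32") <= h <= to_int("192.168.32.63")
    excluded = to_int("192.168.32.40") <= h <= to_int("192.168.32.43")
    return in_range and not excluded

def audit(acl_text):
    """Compare the ACL with the policy for every address in 192.168.32.0/24."""
    entries = parse_standard_acl(acl_text)
    result = {"wrongly_permitted": [], "wrongly_denied": []}
    for addr in ipaddress.ip_network("192.168.32.0/24"):
        host = str(addr)
        permitted = evaluate(entries, host) == "permit"
        if permitted and not policy_allows(host):
            result["wrongly_permitted"].append(host)
        elif not permitted and policy_allows(host):
            result["wrongly_denied"].append(host)
    return result

# Fragments as quoted in the errata entry.
PRINTED_FIRST = """
access-list 1 deny 192.168.40.0 0.0.0.7
access-list 1 permit 192.168.32.0 0.0.0.31
"""
CORRECTED_FIRST = """
access-list 1 deny 192.168.32.40 0.0.0.7
access-list 1 permit 192.168.32.32 0.0.0.31
"""
CORRECTED_SECOND = """
access-list 1 deny 192.168.32.40 0.0.0.3
access-list 1 permit 192.168.32.32 0.0.0.31
"""

if __name__ == "__main__":
    for name, acl in [("printed first", PRINTED_FIRST),
                      ("corrected first", CORRECTED_FIRST),
                      ("corrected second", CORRECTED_SECOND)]:
        report = audit(acl)
        print(name, {k: len(v) for k, v in report.items()})
```

The corrected first fragment still shows the mistake the book meant to illustrate: the 0.0.0.7 wildcard denies 192.168.32.44 through 192.168.32.47 as well, while the corrected second fragment matches the policy exactly.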
Printed
Page 139
IN PRINT: Middle of the page

EIGRP does not use the same compound metric as IGRP. In fact, EIGRP multiplies the IGRP metric by 256 to provide greater granularity. SHOULD BE: This refers to material that does not appear on page 139 or anywhere else in this book - it may apply to another book, but not this one.

Anonymous   
Printed
Page 139
IN PRINT: middle of the page

The author states that EIGRP "is pretty much loop-free". This is misleading. EIGRP is guaranteed loop free at every instance due to its routing algorithm. SHOULD BE: This refers to material that does not appear on page 139 or anywhere else in this book - it may apply to another book, but not this one.

Anonymous   
Printed
Page 150
IN PRINT: Just above Figure 5-3

Just above Figure 5-3, the author writes: "The first example in Chapter 4 deals with the network shown in Figure 5-3." Then in Figure 5-3, the two sites are labeled as being Site D and Site B. However, the example in Chapter 4 uses Sites L, M, N, O, and P. Judging from the IP addresses given, did the author mean Site O where he says Site D and Site M where he says Site B in the figure? (All by itself, the figure and the text are entirely self-consistent. I'm just questioning the reference to the example in Chapter 4.) SHOULD BE: To make this consistent with the references, we need to do the following. In Figure 5-3, Site D should be site O, and Site M should be site M. The first two sentences of the paragraph under figure 5-3 should read: "Router 3, located in Site M, seeks to restrict the routes that it receives from site O. Since site O uses only one network 19.0.0.0/8 and does not transit any traffic from any other sites, site M should only hear about network 19.0.0.0/8 in the routing updates that it hears from router 1." The second and third sentences of the second paragraph on page 152 should read: "Our policy requires this is to be the only route learned from site O. In looking at the show ip route output, note that the only route learned via EIGRP from site O's router 1 is 19.0.0.0/8, and the next hop for the network is 192.168.3.2, the serial interface of router 1."

Anonymous   
Printed
Page 154
IN PRINT: Last paragraph

The author states in the last paragraph: "In Chapter 4, I showed an example of Site D filtering the routes it distributes in order to prevent any routing problems from within Site D from spreading to other sites." Does the author mean Site O here? (At least that is what I would guess from the configuration block that follows this statement.) I don't think that there are any figures in Chapter 4 that mention a "Site D". SHOULD BE: The last two sentences on page 154 should read: "In chapter 4, I showed an example of site O filtering the routes that it distributes in order to prevent any routing problems within site O from spreading to other sites. Only network 19.0.0.0/8 should be advertised from site O, so I configured the following on router 1:"

Anonymous   
Printed
Page 156
IN PRINT: Figure 5-4

If this is the example that we have been working with since Chapter 4, then there seem to be some site naming problems. In Figure 4-9, the sites are named L, M, N, O, and P. In this figure, they are named A, B, C, D, and E. SHOULD BE: In figure 5-4, the sites should be labeled L, M, N, O, and P, instead of A, B, C, D, and E respectively. The first sentence of the paragraph under 5-4 should read as: "Let's say that an interface of router 6 has IP address 10.1.1.2 and that the router 1 interface going to Site M has an IP address of 192.168.3.2."

Anonymous   
Printed
Page 161
IN PRINT: 2nd half of page

Near the bottom of page 161, there is the output block: RIP: received update from 192.168.2.1 on Serial0 network 10.0.0.0 in 1 hops network 192.168.3.0 in 1 hops RIP: received update from 192.168.1.1 on Serial1 network 10.0.0.0 in 2 hops network 192.168.3.0 in 1 hops RIP: sending update to 192.168.1.255 via Serial0 (192.168.2.2) network 172.20.0.0, metirc 4 network 192.168.1.0, metric 1 network 192.168.3.0, metric 2 RIP: sending update to 192.168.2.255 via Serial1 (192.168.1.2) netowrk 172.20.0.0, metric 1 network 192.168.2.0, metric 2 According to Figure 5-5, however, Serial0 has IP address 192.168.1.2 and Serial1 has IP address 192.168.2.2. So there seems to be some mixing up of which IP address goes to which interface. Also, on page 160, there is the code block: router rip network 192.168.1.0 netowrk 192.168.2.0 network 172.20.0.0 offset-list 1 in 3 serial 0 offset-list 2 out 3 serial 0 where access lists 1 and 2 are as follows (from page 159): access-list 1 permit 10.0.0.0 access-list 2 permit 172.20.0.0 Wouldn't this mean that the output above should have network 10.0.0.0 as being 4 hops coming into Serial 0? SHOULD BE: The debug output on page 161 should have the following 4 lines: RIP: received update from 192.168.1.1 on Serial0 network 10.0.0.0 in 4 hops network 192.168.3.0 in 1 hops RIP: received update from 192.168.2.1 on Serial1

Anonymous   
Printed
Page 166
IN PRINT: Just past the first output block

The author writes: "...a static route excludes any routing advertisement of network 10.0.0.0 since static routes have a higher administrative distance then any dynamic protocol." Shouldn't this read: ...a static route excludes any routing advertisement of network 10.0.0.0 since static routes have a lower administrative distance than any dynamic protocol." Since static routes have a default administrative distance of 1, which is lower than any routing protocol. But this gives static routes a HIGHER priority. SHOULD BE: The phrase on page 166 after the first output block should read: a static route excludes any routing advertisement of network 10.0.0.0 since static routes have a lower administrative distance then any dynamic routing protocol.

Anonymous   
Printed
Page 171
IN PRINT: 1st output block

On page 170, in the last output block, it says: ip prefix-list Net-10-prefixes: 4 entries seq 5 permit 10.204.23.0/24 seq 10 permit 10.204.28.0/24 seq 15 deny 10.204.0.0/16 seq 20 permit 10.0.0.0/8 But then in the first output block on page 171, you have the line: seq 15 permit 10.204.0.0/16 (hit count: 0, refcount: 1) Shouldn't the permit in this line be changed to a deny? SHOULD BE: In the first output block on page 171, the out with sequence 15 should read: seq 15 deny 10.204.0.0/16 (hit count: 0, refcount: 1)

Anonymous   
Printed
Page 176
IN PRINT: Very bottom, last output block

On page 172, the author states that AS numbers are stored as 16-bit values. In the last output block on page 176, the author shows the output of the EXEC command "show ip bgp regex ^(66000)$". The last five lines of this output are as follows: Network Next Hop Metric LocPrf Weight Path *> 172.15.0.0/16 192.168.248.252 0 (66000) i *> 172.18.0.0/16 192.168.248.252 0 (66000) i *> 192.168.72.0/24 192.168.248.252 0 (66000) i *> 172.20.0.0/16 192.168.248.252 0 (66000) i My only question about this example is how could you ever get an AS that was equal to 66000 if AS numbers only have 16 bits. (This creates a maximum AS number of 65535.) SHOULD BE: In the last paragraph and output display on page 176, all 66000 appearances should be replaced with 65000.

Anonymous   
Printed
Page 182
IN PRINT: Example "interface Ethernet0/1"

The example: interface ethernet 0/0 ip policy route FROM-ETHERNET-0-0 interface Ethernet0/1 ip policy route FROM-ETHERNET-0-0 should be: interface ethernet 0/0 ip policy route FROM-ETHERNET-0-0 interface Ethernet0/1 ip policy route FROM-ETHERNET-0-1 (change 0-0 to 0-1) SHOULD BE: The first part of the example on page 182 should read: interface ethernet 0/0 ip policy route FROM-ETHERNET-0-0 interface Ethernet0/1 ip policy route FROM-ETHERNET-0-1

Anonymous   
Printed
Page 182
IN PRINT: 2nd half of config block

The code: route-map FROM-ETHERNET-0-0 permit 10 match interface 0/0 should read: route-map FROM-ETHERNET-0-0 permit 10 match interface Ethernet0/0 SHOULD BE: On page 182, the first route map in the example should read as: route-map FROM-ETHERNET-0-0 permit 10 match interface Ethernet0/0 set next-hop Serial1/0

Anonymous   
Printed
Page 191
IN PRINT: Figure 6-2

In Figure 6-2, both ends of the 45Mbit line have the same IP address, 192.168.30.1. Judging from the following configs, I would guess that the end of the line that is near the router (opposite of AS 2) should have the IP address 192.168.30.2. SHOULD BE: On Figure 6-2, the IP address at the end of the 45Mbit line ending at the router should be 192.168.30.2.

Anonymous   
Printed
Page 193
IN PRINT: In 1st config block

On page 193, there is the config line: neighbor 192.168.30.1 weight 30 On page 192, this weight had been 20. I was wondering why it had changed, when the text immediately previous had said that changing the weight wouldn't work for that example? SHOULD BE: On page 193, in the first configuration section, the first two neighbor statements should read: neighbor 192.168.30.1 remote-as 2 neighbor 192.168.30.1 weight 20

Anonymous   
Printed
Page 194
IN PRINT: Figure 6-3

Both ends of the 45Mbit line in Figure 6-3 have the same IP address, 192.168.30.1. Judging from both previous text and the following text, the end that is next to Router 1 should have the IP address 192.168.30.2. SHOULD BE: The IP address on router 1 at the end of the 45 Mbit line should be 192.168.30.2.

Anonymous   
Printed
Page 194
IN PRINT: Figure 6-4

There seems to be a cut-and-paste error here. Again, both ends of the 45 Mbit line have the same IP address, 192.168.30.1. Judging from the following configs, router 1's interface should have the IP address 192.168.30.2.

Anonymous   
Printed
Page 197
IN PRINT: at the end of the first config block

In the first config block, there is a comment in the block that to me indicates that all of the following config applies to router 2 from Figure 6-4. However, the last two lines of the config block are: neighbor 192.168.30.1 remote-as 2 neighbor 192.168.30.1 route-map ROUTES-OUT out If this is config for router 2, then shouldn't these lines read: neighbor 192.168.31.1 remote-as 2 neighbor 192.168.31.1 route-map ROUTES-OUT out SHOULD BE: The last two lines of the first configuration block on page 197 should read: neighbor 192.168.31.1 remote-as 2 neighbor 192.168.31.1 route-map ROUTES-OUT out

Anonymous   
Printed
Page 229
IN PRINT: 2nd paragraph, 24th line of program listing on this page

ip policy route FROM-LOW-PRIORTY-WEB-SERVERS no ip directed-broadcast > 'PRIORTY' looks like a typo to me. SHOULD BE: The policy route statement for Fast Ethernet 2/1 should read ip policy route FROM-LOW-PRIORITY-WEB-SERVERS

Anonymous   
Printed
Page 246
IN PRINT: from /25 and down

Subnet masks are all incorrect from /25 down. For example /27 is 255.255.255.224 not 255.255.224.0 Also not all valid networks are there, e.g. for /28 the .208 'net is valid. SHOULD BE: The subnet masks for prefixes /25 through /31 should read:

Mask  Correct Subnet Mask
/25   255.255.255.128
/26   255.255.255.192
/27   255.255.255.224
/28   255.255.255.240
/29   255.255.255.248
/30   255.255.255.252
/31   255.255.255.254
/32   255.255.255.255

Anonymous   
Printed
Page 246
IN PRINT: Table B-2, Prefix length /28

Prefix length /28, second column Reads now: 255.255.240.0 Should read: 255.255.255.240 Prefix /25 to Prefix /31 have errors. SHOULD BE: The subnet masks for prefixes /25 through /31 should read:

Mask  Correct Subnet Mask
/25   255.255.255.128
/26   255.255.255.192
/27   255.255.255.224
/28   255.255.255.240
/29   255.255.255.248
/30   255.255.255.252
/31   255.255.255.254
/32   255.255.255.255

Anonymous