Errata for Hardening Cisco Routers

The errata list is a list of errors and their corrections that were found after the product was released.

The following errata were submitted by our customers and have not yet been approved or disproved by the author or editor. They solely represent the opinion of the customer.

Printed Page 3
2nd paragraph

"Attacks in which a hacker does disable anything are the truly
dangerous ones. Without adequate monitoring and auditing, no
one knows the network has been compromised."

should read

"Attacks in which a hacker does NOT disable anything ..."

Anonymous   
Printed Page 3
3rd paragraph

Missing verb:

"... a key strategy IS to attack ..."

Anonymous   
Printed Page 7
item "Major Release"

Garbled 2nd sentence, should likely read

"... once a release becomeS a Major Release, no additional
features or platforms WILL BE added ANYMORE."

Anonymous   
Printed Page 17
top configuration example

The router prompts are wrong. The prompt

Router(config-line)#

should be in front of

login tacacs

instead of

tacacs-server last-resort password

Anonymous   
Printed Page 17
Caveat

"... can't tell the differenCE between ..."

Anonymous   
Printed Page 19
4th paragraph

"... in order TO prevent them."

Anonymous   
Printed Page 27
largest paragraph

"... are allowed TO log in."

Anonymous   
Printed Page 41
second block of code, second to last line

I believe the line:
privilege exec level 1 show ip
should read
privilege exec level 15 show ip

Anonymous   
Printed Page 45
explanation for example

The example indicates that tacacs+ failure will result in checking the local database
(as set up by the username command), but the explanation discusses the "enable
password" and the "local enable password." The word enable should be stricken in
both places (or the example should be changed from "...tacacs+ local" to "...
tacacs+ enable").

Anonymous   
Printed Page 66
2nd paragraph; second command example

ip classless is not a service. In fact it's a required statement for Classless IP
routing (CIDR) to work. This is true if the router has varying sized subnets within
an otherwise classful network present in the routing table for any reason. Disabling
it can create serious routing problems in CIDR-capable environments such as OSPF,
EIGRP, RIP2 or BGP4 which are all very common today.

no ip classless used to be the default but, as of current releases, ip classless is
now standard as it needs to be. Even if only RIP1 or static routes with single-sized
subnet masks are used, it should still be on for future growth or change. It poses no
significant security risk by being on even if it isn't strictly needed in a given
environment.

Anonymous   
Printed Page 84
"Ingress" paragraph

The phrase "Assume that your network is 130.218.0.0/16..."
has the wrong address prefix: must be 130.18.0.0/16.
The same applies to the two rows following.

Anonymous   
Printed Page 85
second example of access-list 15

Example is missing exclude for 255.255.255.255/32

access-list 15 deny 255.255.255.255 0.0.0.0

Anonymous   
Printed Page 140
4th paragraph

lectronic should be electronic

Anonymous   
Printed Page 152
configuration example, access lists

The access-list configuration starts with a deny for 10.10.0.0. Two lines later a
second deny for 10.0.0.0 is configured. Although the first one is for the "internal
private" network, and the second is part of the "block all private address space from
the outside", it is not a good example. The examples on page 85 are much clearer. The
same is true for the configuration example on page 156.

Anonymous   
Printed Page 159
last line of configuration example

The last command is probably wrong, my router does not accept it:

access-sclass 15 in

is wrong and should be

access-class 15 in

Btw. the example ending on page 154 has the command right.

Ch. 10 "Access Lists"
In the sample chapter on "NTP Access Lists", a sample configuration is provided for
'RouterOne' which synchronises the router with three external NTP servers and peers
with an internal router (RouterTwo).

In order to synchronise with the external NTP servers (as defined with the ntp server
command), the access list assigned to the "ntp access-group peer <ACL>" command
(access list 20 in the example) needs to include the IP addresses of the external
servers, in addition to the IP address of the 'RouterTwo' NTP peer. Otherwise, the
ntp associations will not be formed, as the "peer" access-group is the only
access-group which will allow the router to synchronise itself to hosts specified in
the access-list.

E.g. (RouterTwo has IP address 135.26.2.1):

RouterOne#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterOne(config)#ntp server 128.250.36.2
RouterOne(config)#ntp server 140.79.17.101
RouterOne(config)#ntp server 138.194.21.154
RouterOne(config)#ntp peer RouterTwo
RouterOne(config)#access-list 20 permit 135.26.2.1 0.0.0.0
RouterOne(config)#access-list 20 permit 128.250.36.2 0.0.0.0
RouterOne(config)#access-list 20 permit 140.79.17.101 0.0.0.0
RouterOne(config)#access-list 20 permit 138.194.21.154 0.0.0.0
RouterOne(config)#access-list 20 deny any
RouterOne(config)#ntp access-group peer 20
RouterOne(config)#access-list 21 permit 135.26.0.0 0.0.255.255
RouterOne(config)#access-list 21 deny any
RouterOne(config)#ntp access-group serve-only 21
RouterOne(config)#^Z

Anonymous
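A configuration check written around this erratum (an added example, not code from the book or its author): it parses the NTP source lines and the numbered standard access list of an IOS running-config and lists every server or peer that the "peer" access-group would stop the router synchronising to. The sample configs are constructed from the erratum's own addresses, the HOSTS mapping for "ntp peer RouterTwo" is an assumption, and the parser also handles the "host" keyword and "any", which go beyond the erratum's example.

```python
import re
import ipaddress
# Constructed sample in running-config form (no prompts); addresses are the erratum's.
# HOSTS stands in for name resolution of "ntp peer RouterTwo" (assumption: a real
# router would use an "ip host" entry or DNS). ACL 20 permits only RouterTwo here.
HOSTS = {"RouterTwo": "135.26.2.1"}
INCOMPLETE_CONFIG = """
ntp server 128.250.36.2
ntp server 140.79.17.101
ntp server 138.194.21.154
ntp peer RouterTwo
access-list 20 permit 135.26.2.1 0.0.0.0
access-list 20 deny any
ntp access-group peer 20
"""
# The erratum's fix: permit the three external servers before the final deny.
CORRECTED_CONFIG = INCOMPLETE_CONFIG.replace("access-list 20 deny any", "\n".join(
    "access-list 20 permit %s 0.0.0.0" % s
    for s in ("128.250.36.2", "140.79.17.101", "138.194.21.154")) + "\naccess-list 20 deny any")

def _ip(text):
    return int(ipaddress.IPv4Address(text))
def ntp_sources(config):
    """Addresses the router will try to synchronise from (server and peer lines)."""
    found = re.findall(r"^\s*ntp (?:server|peer) (\S+)", config, re.M)
    return [HOSTS.get(name, name) for name in found]
def standard_acl(config, number):
    """Ordered (action, address, wildcard) entries of a numbered standard ACL."""
    pat = r"^\s*access-list %d (permit|deny) (\S+)(?: (\S+))?" % number
    entries = []
    for action, addr, wild in re.findall(pat, config, re.M):
        if addr == "any":
            entries.append((action, 0, 0xFFFFFFFF))
        elif addr == "host":  # "host A.B.C.D" form
            entries.append((action, _ip(wild), 0))
        else:  # a missing wildcard means 0.0.0.0, i.e. one exact host
            entries.append((action, _ip(addr), _ip(wild or "0.0.0.0")))
    return entries
def acl_permits(entries, addr):
    a = _ip(addr)
    for action, net, wild in entries:  # first match wins, as on the router
        if (a | wild) == (net | wild):  # wildcard 1-bits are don't-care
            return action == "permit"
    return False  # implicit deny ends every IOS ACL
def sync_sources_blocked(config):
    # NTP sources the "peer" access-group stops this router synchronising to.
    m = re.search(r"^\s*ntp access-group peer (\d+)", config, re.M)
    if not m:
        return []  # no peer access-group, so nothing restricts sync sources
    entries = standard_acl(config, int(m.group(1)))
    return [s for s in ntp_sources(config) if not acl_permits(entries, s)]
```

Run `sync_sources_blocked` over both constants: the incomplete config reports the three external servers, the corrected one reports nothing.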