1 Pertemuan 26 Integrating Network using Routing Protocol

Upload: frederick-joseph

Post on 01-Jan-2016


Page 1: 1 Pertemuan 26 Integrating Network using Routing Protocol


Pertemuan 26 Integrating Network using Routing Protocol

Page 2

Discussion Topics

• Configuring network using dynamic routing protocol
• Configuring ACLs
• Network troubleshooting

Ref: Rick Graziani [email protected]

Page 3

SanJose2

hostname SanJose2
interface ethernet 0
 ip address 192.168.1.1 255.255.255.0
interface serial 0
 ip address 192.168.2.1 255.255.255.0

SanJose1

hostname SanJose1
interface ethernet 0
 ip address 192.168.3.1 255.255.255.0
interface serial 0
 ip address 192.168.2.2 255.255.255.0
interface serial 1
 ip address 192.168.4.2 255.255.255.0

Baypointe

hostname Baypointe
interface ethernet 0
 ip address 192.168.5.1 255.255.255.0
interface serial 0
 ip address 192.168.4.1 255.255.255.0

Running RIPv1 on classful networks

Page 4

Objective: Running RIPv1 on classful networks

This scenario is the same one we used in the network discovery lab, with the same configurations and the same outputs. The concepts specific to this scenario will become clearer when we view the differences between this scenario and Scenario 2: Running RIPv1 on subnets and between classful networks.

Step 1 – Configuring RIP

First, let's enable RIP on each router. From global configuration you will enter the command (the default is RIPv1):

Router(config)#router rip

Once you are in the Router RIP configuration sub-mode, all you need to do is enter the classful network address for each directly connected network, using the network command:

Router(config-router)#network directly-connected-classful-network-address

 

Scenario 1: Running RIPv1 on classful networks

Page 5

Here are the commands for each router:

 

SanJose2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

SanJose2(config)#router rip

SanJose2(config-router)#network 192.168.1.0

SanJose2(config-router)#network 192.168.2.0

 

Baypointe#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Baypointe(config)#router rip

Baypointe(config-router)#network 192.168.4.0

Baypointe(config-router)#network 192.168.5.0

 

SanJose1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

SanJose1(config)#router rip

SanJose1(config-router)#network 192.168.2.0

SanJose1(config-router)#network 192.168.3.0

SanJose1(config-router)#network 192.168.4.0

Scenario 1: Running RIPv1 on classful networks

Page 6

Step 2 – Understanding the network command

 

SENDING RIP MESSAGES

Each router will begin to send RIP update messages out each interface belonging to one of the network statements.

SanJose2(config)#router rip

SanJose2(config-router)#network 192.168.1.0

SanJose2(config-router)#network 192.168.2.0

 

For example, SanJose2 will send out RIP update messages on Ethernet 0 because that interface has an IP address that belongs to the network 192.168.1.0, and on Serial 0 because that interface has an IP address that belongs to the network 192.168.2.0.

Just because a router has a directly connected network does not mean it will automatically include that network in its routing updates to neighboring routers. The network command also tells RIP to include these networks in its updates to adjacent neighbors.

To view the RIP messages being sent and received use the debug ip rip command.

 

SanJose2# debug ip rip

RIP protocol debugging is on

 SanJose2

01:03:27: RIP: sending v1 update to 255.255.255.255 via Ethernet0 (192.168.1.1)

01:03:27: network 192.168.2.0, metric 1

01:03:27: RIP: sending v1 update to 255.255.255.255 via Serial0 (192.168.2.1)

01:03:27: network 192.168.1.0, metric 1

Page 7

LISTENING FOR RIP MESSAGES

Routers will also listen for RIP messages on each interface belonging to one of the network statements. For example, SanJose2 will listen for RIP update messages on Ethernet 0 because that interface has an IP address that belongs to the network 192.168.1.0, and also listen for RIP update messages on Serial 0 because that interface has an IP address that belongs to the network 192.168.2.0.

As RIP messages are received, routers will add the networks in those messages to their routing tables:

• If the RIP message contains a network not currently in the routing table.
• If the RIP message contains a network with a better metric (fewer hops) than an entry currently in the routing table.

SanJose2
01:10:56: RIP: received v1 update from 192.168.2.2 on Serial0
01:10:56: 192.168.4.0 in 1 hops
01:10:56: 192.168.3.0 in 1 hops

Scenario 1: Running RIPv1 on classful networks

Page 8

Step 3 – Viewing the debug ip rip output and the routing tables

 

Remember that SanJose1 will learn routes to networks from SanJose2. It will then send that information to Baypointe, telling Baypointe that it is the next hop to get to those networks, and incrementing the metric (hop count) by one.

 

After convergence, each router will continue to send its RIP update messages out the appropriate interfaces every 30 seconds.

 

Let's look at the debug messages and the routing table for each router:

Scenario 1: Running RIPv1 on classful networks

Page 9

SanJose2 

01:30:45: RIP: sending v1 update to 255.255.255.255 via Ethernet0 (192.168.1.1)

01:30:45: network 192.168.4.0, metric 2

01:30:45: network 192.168.5.0, metric 3

01:30:45: network 192.168.2.0, metric 1

01:30:45: network 192.168.3.0, metric 2

01:30:45: RIP: sending v1 update to 255.255.255.255 via Serial0 (192.168.2.1)

01:30:45: network 192.168.1.0, metric 1

SanJose2#

01:30:50: RIP: received v1 update from 192.168.2.2 on Serial0

01:30:50: 192.168.4.0 in 1 hops

01:30:50: 192.168.5.0 in 2 hops

01:30:50: 192.168.3.0 in 1 hops

SanJose2#

 

SanJose2#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

<omitted>

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default

U - per-user static route, o - ODR 

Gateway of last resort is not set

 

R 192.168.4.0/24 [120/1] via 192.168.2.2, 00:00:10, Serial0

R 192.168.5.0/24 [120/2] via 192.168.2.2, 00:00:10, Serial0

C 192.168.1.0/24 is directly connected, Ethernet0

C 192.168.2.0/24 is directly connected, Serial0

R 192.168.3.0/24 [120/1] via 192.168.2.2, 00:00:10, Serial0

SanJose2#

Page 10

SanJose1 

01:33:05: RIP: received v1 update from 192.168.4.1 on Serial1

01:33:05: 192.168.5.0 in 1 hops

SanJose1#

01:33:07: RIP: received v1 update from 192.168.2.1 on Serial0

01:33:07: 192.168.1.0 in 1 hops

01:33:08: RIP: sending v1 update to 255.255.255.255 via Ethernet0 (192.168.3.1)

01:33:08: network 192.168.4.0, metric 1

01:33:08: network 192.168.5.0, metric 2

01:33:08: network 192.168.1.0, metric 2

01:33:08: network 192.168.2.0, metric 1

01:33:08: RIP: sending v1 update to 255.255.255.255 via Serial0 (192.168.2.2)

01:33:08: network 192.168.4.0, metric 1

01:33:08: network 192.168.5.0, metric 2

01:33:08: network 192.168.3.0, metric 1

01:33:08: RIP: sending v1 update to 255.255.255.255 via Serial1 (192.168.4.2)

01:33:08: network 192.168.1.0, metric 2

01:33:08: network 192.168.2.0, metric 1

01:33:08: network 192.168.3.0, metric 1

 

SanJose1#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

<omitted>

Gateway of last resort is not set 

C 192.168.4.0/24 is directly connected, Serial1

R 192.168.5.0/24 [120/1] via 192.168.4.1, 00:00:12, Serial1

R 192.168.1.0/24 [120/1] via 192.168.2.1, 00:00:10, Serial0

C 192.168.2.0/24 is directly connected, Serial0

C 192.168.3.0/24 is directly connected, Ethernet0

Page 11

Baypointe 

01:34:53: RIP: sending v1 update to 255.255.255.255 via Ethernet0 (192.168.5.1)

01:34:53: network 192.168.4.0, metric 1

01:34:53: network 192.168.1.0, metric 3

01:34:53: network 192.168.2.0, metric 2

01:34:53: network 192.168.3.0, metric 2

01:34:53: RIP: sending v1 update to 255.255.255.255 via Serial0 (192.168.4.1)

01:34:53: network 192.168.5.0, metric 1

Baypointe#

01:34:56: RIP: received v1 update from 192.168.4.2 on Serial0

01:34:56: 192.168.1.0 in 2 hops

01:34:56: 192.168.2.0 in 1 hops

01:34:56: 192.168.3.0 in 1 hops

 

Baypointe#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default

U - per-user static route, o - ODR 

Gateway of last resort is not set

 

C 192.168.4.0/24 is directly connected, Serial0

C 192.168.5.0/24 is directly connected, Ethernet0

R 192.168.1.0/24 [120/2] via 192.168.4.2, 00:00:23, Serial0

R 192.168.2.0/24 [120/1] via 192.168.4.2, 00:00:23, Serial0

R 192.168.3.0/24 [120/1] via 192.168.4.2, 00:00:23, Serial0

Page 12

NOTE: At this point all routers should be able to ping all networks. We will discuss RIP much more in the chapter on Routing Protocols (RIP).

Step 4 – Turning off debug

Don't forget to turn off debug when you are done collecting the output.

Router# undebug all

or

Baypointe# undebug ip rip

Step 5 – Reflections

• For each router, compare the RIP received messages with its routing table. Now you see how the information is entered into the routing table.
• Cisco IOS uses split horizon with poison reverse; however, this information is not displayed by the debug ip rip command.
• You will notice that the routers send RIP messages out their stub Ethernet interfaces, even though there are no routers out there to receive those messages. This takes up unnecessary bandwidth on the link; later we will see how to keep those RIP messages from going out those interfaces.

Scenario 1: Running RIPv1 on classful networks
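A small distance-vector model of this three-router lab, added here as an example and not part of the original slides. The ROUTERS dictionary is constructed from the slide configurations; timers are omitted and split horizon (mentioned in the reflections) is applied, so the advertised metrics and converged tables can be compared directly against the debug ip rip and show ip route output above.

```python
# Added example, not from the slides: a minimal distance-vector model of the
# three-router lab. ROUTERS is constructed from the slide configurations.
ROUTERS = {  # router -> {interface: (interface IP, classful network)}
    "SanJose2": {"Ethernet0": ("192.168.1.1", "192.168.1.0"),
                 "Serial0": ("192.168.2.1", "192.168.2.0")},
    "SanJose1": {"Ethernet0": ("192.168.3.1", "192.168.3.0"),
                 "Serial0": ("192.168.2.2", "192.168.2.0"),
                 "Serial1": ("192.168.4.2", "192.168.4.0")},
    "Baypointe": {"Ethernet0": ("192.168.5.1", "192.168.5.0"),
                  "Serial0": ("192.168.4.1", "192.168.4.0")},
}
RIP_INFINITY = 16  # a hop count of 16 means unreachable in RIP

def connected_table(name):
    """Starting table: directly connected networks ('C' routes, metric 0)."""
    return {net: (0, "connected", iface)
            for iface, (_ip, net) in ROUTERS[name].items()}

def build_update(table, out_iface):
    """Routes advertised out one interface with the metric incremented. Split
    horizon: a route is never sent back out the interface it was learned on."""
    return {net: metric + 1 for net, (metric, _nh, learned_on) in table.items()
            if learned_on != out_iface}

def converge(routers=ROUTERS, max_rounds=10):
    """Exchange updates until nothing changes (the Page 7 rule: accept a
    network if it is unknown or if the offered metric is better)."""
    tables = {name: connected_table(name) for name in routers}
    for _ in range(max_rounds):
        changed = False
        for sender, ifaces in routers.items():
            for out_iface, (src_ip, link_net) in ifaces.items():
                update = build_update(tables[sender], out_iface)
                # every other router with an interface on this link hears it
                for rcvr, rifaces in routers.items():
                    for in_iface, (_ip, net) in rifaces.items():
                        if rcvr == sender or net != link_net:
                            continue
                        for adv_net, hops in update.items():
                            cur = tables[rcvr].get(adv_net)
                            if hops < RIP_INFINITY and (cur is None or hops < cur[0]):
                                tables[rcvr][adv_net] = (hops, src_ip, in_iface)
                                changed = True
        if not changed:
            return tables
    raise RuntimeError("routing tables did not converge")

def show_ip_route(name, tables):
    """Render a table in the style of the slides' 'show ip route' output."""
    return [f"C {net}/24 is directly connected, {iface}" if metric == 0
            else f"R {net}/24 [120/{metric}] via {nh}, {iface}"
            for net, (metric, nh, iface) in sorted(tables[name].items())]
```

Note that build_update on SanJose2's Ethernet0 still returns four networks even though no router listens there, which is the stub-interface waste the reflections point out.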

Page 13

ACL Example

• Task:
  – Deny only the host 172.16.30.2 from exiting the Sales network.
  – Permit all other hosts on the Sales network to leave the 172.16.30.0/24 network.
• The keyword “any” can be used to represent all IP addresses.

[Figure: topology. RouterA (Administration), RouterB (Sales) and RouterC (Engineering), each with interface e0 at .1 on its LAN. Hosts: 172.16.10.2/24 and 172.16.10.3/24 (Administration), 172.16.30.2/24 and 172.16.30.3/24 (Sales), 172.16.50.2/24 and 172.16.50.3/24 (Engineering). Serial links: 172.16.20.0/24 between RouterA s0 and RouterB s0, 172.16.40.0/24 between RouterB s1 and RouterC s0.]

Page 14

ACL Example

RouterB(config)#access-list 10 deny 172.16.30.2
RouterB(config)#access-list 10 permit any

Implicit “deny any” (do not need to add this, discussed later):
RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255

RouterB(config)# interface e 0
RouterB(config-if)# ip access-group 10 in

[Figure: the same topology as on Page 13.]

Order matters! What if these two statements were reversed? Does the implicit deny any ever get a match? No, the permit any will cover all other packets.

Page 15

ACL Example

RouterB(config)#access-list 10 permit any
RouterB(config)#access-list 10 deny 172.16.30.2

Implicit “deny any” (do not need to add this, discussed later):
RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255

RouterB(config)# interface e 0
RouterB(config-if)# ip access-group 10 in

[Figure: the same topology as on Page 13.]

Order matters! In this case all packets would be permitted, because all packets would match the first access list statement. Once a condition is met, all other statements are ignored. The second access list statement and the implicit deny any would never be used. This would not do what we want.

Page 16

Note on inbound access lists

• When an access list is applied to an inbound interface, the packets are checked against the access list before any routing table lookup process occurs.

• We will see how outbound access lists work in a moment, but they are applied after the forwarding decision is made, after the routing table lookup process takes place and an exit interface is determined.

• Once a packet is denied by an ACL, the router sends an ICMP “Destination Unreachable” message, with the code value set to “Administratively Prohibited” to the source of the packet.

RouterB(config)#access-list 10 deny 172.16.30.2

RouterB(config)#access-list 10 permit any

Implicit “deny any” (do not need to add this, discussed later):

RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255

RouterB(config)# interface e 0

RouterB(config-if)# ip access-group 10 in

Page 17

Notes from www.cisco.com

• Traffic coming into the router is compared to ACL entries based on the order that the entries occur in the router.
• New statements are added to the end of the list.
• The router keeps looking until it has a match.
• If no matches are found when the router reaches the end of the list, the traffic is denied.
• For this reason, you should have the frequently hit entries at the top of the list.
• There is an "implied deny" for traffic that is not permitted.
• A single-entry ACL with only one "deny" entry has the effect of denying all traffic.
• You must have at least one "permit" statement in an ACL or all traffic will be blocked.

access-list 10 permit 10.1.1.1 0.0.0.255
access-list 10 deny any (implicit)

Page 18

Time for Wildcard Masks!

A wildcard mask address:

• Tells how much of the packet’s source IP address (or destination IP address) needs to match for this condition to be true.

Page 19

Time for Wildcard Masks!

• A wildcard mask is a 32-bit quantity that is divided into four octets.
• A wildcard mask is paired with an IP address.
• The numbers one and zero in the mask are used to identify how to treat the corresponding IP address bits.
• The term wildcard masking is a nickname for the ACL mask-bit matching process and comes from an analogy of a wildcard that matches any other card in the game of poker.

• Wildcard masks have no functional relationship with subnet masks. – They are used for different purposes and follow different rules.

• Subnet masks start from the left side of an IP address and work towards the right to extend the network field by borrowing bits from the host field.

• Wildcard masks are designed to filter individual or groups of IP addresses permitting or denying access to resources based on the address.

Page 20

Wildcard Masks!

• “Trying to figure out how wildcard masks work by relating them to subnet masking will only confuse the entire matter. The only similarity between a wildcard mask and a subnet mask is that they are both thirty-two bits long and use ones and zeros for the mask.”

• This is not entirely true.
• Although it is very important that you understand how a wildcard mask works, it can also be thought of as an inverse subnet mask.

Page 21

Wildcard Masks!

• Wildcard masking is used to identify how to treat the corresponding IP address bits.
  – 0 - “check the corresponding bit value.”
  – 1 - “do not check (ignore) that corresponding bit value.”

• A zero in a bit position of the access list mask indicates that the corresponding bit in the address must be checked and must match for the condition to be true.

• A one in a bit position of the access list mask indicates the corresponding bit in the address is not “interesting”, does not need to match, and can be ignored.

Test condition (address):  10101100.00010000.00000000.00000000
Test condition (wildcard): 00000000.00000000.11111111.11111111
------------------------------------
The packet (a match):      10101100.00010000.any value.any value

Matching packets will look like this.

Page 22

Wildcard Masks!

– 0 - “check the corresponding bit value.”
– 1 - “do not check (ignore) that corresponding bit value.”

Test condition (address):  10101100.00010000.00000000.00000000
Test condition (wildcard): 00000000.00000000.11111111.11111111
                           |--- must match ---|- no match necessary -|
------------------------------------
The packet (a match):      10101100.00010000.any value.any value

The mask yields the bits that must match and the bits that don't matter. Matching packets will look like this.
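The ACL evaluation these slides describe (Pages 14, 15, 17 and 21), written out as an added example that is not part of the original slides: wildcard bit matching, first match wins, the implicit deny at the end, and the inverse-subnet-mask remark from Page 20. The two RouterB lists and the host names are taken from the slides; the function names are this example's own.

```python
# Added example, not from the slides: standard ACL matching as described on
# Pages 14-22 (wildcard bit test, first match wins, implicit deny).
def ip_to_int(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def to_binary(dotted):
    """Dotted binary, as drawn on Pages 21 and 22."""
    return ".".join(f"{int(o):08b}" for o in dotted.split("."))

def inverse_mask(subnet_mask):
    """Wildcard as the 'inverse subnet mask' remark on Page 20: flip every bit."""
    v = ~ip_to_int(subnet_mask) & 0xFFFFFFFF
    return ".".join(str((v >> s) & 0xFF) for s in (24, 16, 8, 0))

def wildcard_match(packet_ip, test_ip, wildcard="0.0.0.0"):
    """0 bits in the wildcard must match, 1 bits are ignored. A bare host
    entry (no mask) means wildcard 0.0.0.0: every bit is checked."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(packet_ip) ^ ip_to_int(test_ip)) & care == 0

def evaluate(acl, src_ip):
    """Walk the list top-down; the first matching entry decides. Falling
    off the end is the implicit 'deny any'. Returns (action, entry index)."""
    for i, (action, addr, wildcard) in enumerate(acl):
        if addr == "any":  # 'any' is shorthand for 0.0.0.0 255.255.255.255
            addr, wildcard = "0.0.0.0", "255.255.255.255"
        if wildcard_match(src_ip, addr, wildcard or "0.0.0.0"):
            return action, i
    return "deny", None

# Page 14: deny the one host, then permit everything else on Sales.
ACL_HOST_FIRST = [("deny", "172.16.30.2", None), ("permit", "any", None)]
# Page 15: permit any comes first, so the deny entry can never match.
ACL_PERMIT_FIRST = [("permit", "any", None), ("deny", "172.16.30.2", None)]
# A lone deny: nothing is ever permitted (cisco.com note on Page 17).
ACL_ONLY_DENY = [("deny", "172.16.30.2", None)]

def sales_hosts_allowed(acl, hosts=("172.16.30.2", "172.16.30.3")):
    """Which Sales hosts get through RouterB e0 inbound under a given list."""
    return [h for h in hosts if evaluate(acl, h)[0] == "permit"]
```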