RIP, EIGRP, OSPF and ACL

Posted on 26-Oct-2014


Networking Fundamentals—Layer 3 Switching, © 2009, Velocis Systems

Dynamic Routing Basics

Routed versus Routing Protocols

• Routed protocols are used between routers to direct user traffic; also called network protocols
  – Examples: IP, IPX, DECnet, AppleTalk, NetWare, OSI, VINES

[Figure: a routing table with the columns Network Protocol (protocol name), Destination Network (1.0, 2.0, 3.0) and Exit Port to Use (1.1, 2.1, 3.1)]

• Routing protocols are used between routers to maintain routing tables
  – Examples: RIP, IGRP, OSPF, BGP, EIGRP

Dynamic Routing

• Dynamic routing is the process of routing protocols running on the router communicating with neighbor routers.
  – If a change occurs in the network, the dynamic routing protocols automatically inform all routers about the change.

Dynamic Routing

[Figure: routers A, B, C and D; a network change (X) blocks the established path between A and B, and an alternate route through C and D is found dynamically]

A network change blocks the established path... and an alternate route is found dynamically.

• Most internetworks use dynamic routing

Routing Protocols

What is a Routing Protocol?

• Routing protocols are used between routers to determine paths and maintain routing tables.
• Once the path is determined, a router can route a routed protocol.

[Figure: a routing table with the columns Network Protocol (Connected, RIP, EIGRP), Destination Network (10.120.2.0, 172.16.2.0, 172.17.3.0) and Exit Interface (E0, S0, S1). Routed protocol: IP. Routing protocols: RIP, EIGRP.]

Autonomous Systems: Interior or Exterior Routing Protocols

[Figure: Autonomous System 100 and Autonomous System 200; IGPs (RIP, EIGRP) run inside each, and an EGP (BGP) connects the two]

– An autonomous system is a collection of networks under a common administrative domain
– IGPs operate within an autonomous system
– EGPs connect different autonomous systems

Administrative Distance: Ranking Routes

[Figure: Router A can reach network E through Router B, learned by EIGRP (administrative distance 90), or through Router C, learned by RIP (administrative distance 120)]

"I need to send a packet to network E. Both router B and C will get it there. Which route is best?"

The route with the lower administrative distance wins: the EIGRP route (90) is installed, and the RIP route (120) is used only if the EIGRP route disappears. Administrative distance ranks how trustworthy the source of a route is; metrics are only compared between routes from the same protocol.

Distance Vector versus Link State

• Distance vector
  – Sends routing table information only to its neighbors, so propagating a change can take on the order of a minute per router
  – Also called "routing by rumor"
  – Easy to configure, but slow
• Link state
  – Floods routing information about itself to all nodes, so changes are known immediately
  – Efficient, but complex to configure
• Cisco's EIGRP hybrid
  – Efficient and easy to configure

Distance Vector Routing Protocols

• Pass periodic copies of the routing table to neighbor routers and accumulate distance vectors

[Figure: routers A, B, C and D in a row, each passing its routing table to the next]

Distance: how far. Vector: in which direction.

Distance Vector—Sources of Information and Discovering Routes

• Routers discover the best path to destinations from each neighbor

[Figure: routers A, B and C in a row. A: E0 on 10.1.0.0, S0 on 10.2.0.0. B: S0 on 10.2.0.0, S1 on 10.3.0.0. C: S0 on 10.3.0.0, E0 on 10.4.0.0]

Before any exchange, each routing table holds only the directly connected networks (exit interface, hop count 0):

Router A               Router B               Router C
10.1.0.0  E0  0        10.2.0.0  S0  0        10.3.0.0  S0  0
10.2.0.0  S0  0        10.3.0.0  S1  0        10.4.0.0  E0  0

Distance Vector—Sources of Information and Discovering Routes (cont.)

• Routers discover the best path to destinations from each neighbor

After the first exchange of routing tables, each router also knows the networks one hop away:

Router A               Router B               Router C
10.1.0.0  E0  0        10.2.0.0  S0  0        10.3.0.0  S0  0
10.2.0.0  S0  0        10.3.0.0  S1  0        10.4.0.0  E0  0
10.3.0.0  S0  1        10.4.0.0  S1  1        10.2.0.0  S0  1
                       10.1.0.0  S0  1

Distance Vector—Sources of Information and Discovering Routes (cont.)

• Routers discover the best path to destinations from each neighbor

After the second exchange, the networks two hops away are known and the tables are complete:

Router A               Router B               Router C
10.1.0.0  E0  0        10.2.0.0  S0  0        10.3.0.0  S0  0
10.2.0.0  S0  0        10.3.0.0  S1  0        10.4.0.0  E0  0
10.3.0.0  S0  1        10.4.0.0  S1  1        10.2.0.0  S0  1
10.4.0.0  S0  2        10.1.0.0  S0  1        10.1.0.0  S0  2
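The three tables above can be regenerated by simulating the exchange. The following Python is an added example and not part of the Velocis deck: it models routers A, B and C with the interfaces and networks from the figure (constructed here as data), runs periodic updates in which every router sends its whole table to its neighbors, and then withdraws a network to show that a change also travels one update period per router, which is what the "Maintaining Routing Information" slides that follow describe. Split horizon (a router does not advertise a route back out of the interface it learned it on) is assumed as part of the model; the slides do not mention it.

```python
"""Distance-vector route discovery on the A-B-C topology of the slides."""

INFINITY = 16  # RIP treats a hop count of 16 as unreachable

# Topology from the figure, constructed here as data: router -> {interface: network}
CONNECTED = {
    "A": {"E0": "10.1.0.0", "S0": "10.2.0.0"},
    "B": {"S0": "10.2.0.0", "S1": "10.3.0.0"},
    "C": {"S0": "10.3.0.0", "E0": "10.4.0.0"},
}


def initial_tables(connected=CONNECTED):
    """Tables before any exchange: only directly connected networks, hop count 0.
    A table maps network -> (exit interface, hop count)."""
    return {r: {net: (iface, 0) for iface, net in ifs.items()}
            for r, ifs in connected.items()}


def adjacencies(connected=CONNECTED):
    """(router, its interface, neighbor, neighbor's interface) for every shared network."""
    links = []
    for a, ifs_a in connected.items():
        for ia, net in ifs_a.items():
            for b, ifs_b in connected.items():
                for ib, net_b in ifs_b.items():
                    if a != b and net == net_b:
                        links.append((a, ia, b, ib))
    return links


def update_period(tables, links):
    """One periodic update: every router sends its table to its neighbors ("routing
    by rumor") and each receiver adds one hop. Returns True if any table changed."""
    advertised = {r: dict(t) for r, t in tables.items()}  # everyone sends the same snapshot
    changed = False
    for me, iface, nbr, nbr_iface in links:
        for net, (nbr_exit, hops) in advertised[nbr].items():
            if nbr_exit == nbr_iface:
                continue  # split horizon: not advertised back out of the interface it was learned on
            new = (iface, min(hops + 1, INFINITY))
            cur = tables[me].get(net)
            if cur is not None and cur[1] == 0:
                continue  # a directly connected route is never replaced
            # accept if unknown, better, or coming from the neighbor already in use
            # (the last case is how a worse metric or a withdrawal propagates)
            if cur is None or new[1] < cur[1] or (cur[0] == iface and new != cur):
                tables[me][net] = new
                changed = True
    return changed


def converge(tables, links, max_periods=20):
    """Run update periods until nothing changes; return how many periods carried a change."""
    periods = 0
    while periods < max_periods and update_period(tables, links):
        periods += 1
    return periods


def link_failure(tables, router, network):
    """A directly connected network goes down: the router marks it unreachable, and
    its neighbors learn that one update period per hop (no triggered updates here)."""
    iface, _ = tables[router][network]
    tables[router][network] = (iface, INFINITY)


if __name__ == "__main__":
    tables, links = initial_tables(), adjacencies()
    print("discovery converged after", converge(tables, links), "update periods")
    for router, table in tables.items():
        print(router, sorted(table.items()))
    link_failure(tables, "C", "10.4.0.0")
    print("withdrawal converged after", converge(tables, links), "update periods")
```

Two update periods produce exactly the third table on the slide, and withdrawing 10.4.0.0 at C takes another two periods to reach A, one per router, which is the slowness the "Distance Vector versus Link State" slide refers to.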

Distance Vector—Selecting Best Route with Metrics

Information used to select the best path for routing

[Figure: two paths from router A to router B: a direct 56 kbps link, and a two-hop path over T1 links. RIP, using hop count, picks the direct 56 kbps link; EIGRP, using bandwidth, picks the T1 path.]

Distance Vector—Maintaining Routing Information

• Updates proceed step-by-step from router to router

[Figure: a topology change next to Router A causes Router A to update its routing table. Router A sends out the updated routing table after the next update period expires. Router B then processes the update, changes its own routing table, and passes it on at its next update period.]

RIP Overview

[Figure: a path over a 19.2 kbps link and a longer path over T1 links]

– Hop count metric selects the path (link bandwidth is not considered)
– Routes update every 30 seconds

RIP Configuration

Router(config)# router rip
  – Starts the RIP routing process

Router(config-router)# network network-number
  • Selects participating attached networks
  • The network number must be a major classful network number

RIP Configuration Example

[Figure: Router A (E0 172.16.1.1, S2 10.1.1.1), Router B (S2 10.1.1.2, S3 10.2.2.2) and Router C (S3 10.2.2.3, E0 192.168.1.1); networks 172.16.1.0 - A - 10.1.1.0 - B - 10.2.2.0 - C - 192.168.1.0]

Router A:
router rip
 network 172.16.0.0
 network 10.0.0.0

Router B:
router rip
 network 10.0.0.0

Router C:
router rip
 network 192.168.1.0
 network 10.0.0.0

Verifying the Routing Protocol—RIP

[Figure: the same three-router topology as the RIP configuration example]

RouterA# sh ip protocols
Routing Protocol is "rip"
  Sending updates every 30 seconds, next due in 0 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Outgoing update filter list for all interfaces is
  Incoming update filter list for all interfaces is
  Redistributing: rip
  Default version control: send version 1, receive any version
    Interface   Send  Recv  Key-chain
    Ethernet0   1     1 2
    Serial2     1     1 2
  Routing for Networks:
    10.0.0.0
    172.16.0.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    10.1.1.2             120      00:00:10
  Distance: (default is 120)

Displaying the IP Routing Table

[Figure: the same three-router topology as the RIP configuration example]

RouterA# sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR
       T - traffic engineered route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Ethernet0
     10.0.0.0/24 is subnetted, 2 subnets
R       10.2.2.0 [120/1] via 10.1.1.2, 00:00:07, Serial2
C       10.1.1.0 is directly connected, Serial2
R    192.168.1.0/24 [120/2] via 10.1.1.2, 00:00:07, Serial2

The bracketed pair is [administrative distance/metric]: 120 is RIP's administrative distance and the second number is the hop count, so 192.168.1.0 is two hops away through Router B.
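To see how the [administrative distance/metric] pair in the output above decides which route is installed, which is the question the Administrative Distance slide poses, here is an added Python example that is not part of the Velocis deck. It parses lines in the show ip route format shown above and, where more than one protocol offers the same prefix, keeps the route with the lowest administrative distance, comparing metrics only between routes of equal distance. The show ip route lines are copied from the slide; the candidate routes for "network E" are constructed for the example (10.9.9.0 is a placeholder prefix), since a real routing table only ever shows the winner.

```python
"""Pick installed routes from 'show ip route'-style lines: lowest administrative
distance first, metric second (and only between routes of equal distance)."""
import re
from dataclasses import dataclass

# Matches "R    10.2.2.0 [120/1] via 10.1.1.2, 00:00:07, Serial2"
# and     "C    172.16.1.0 is directly connected, Ethernet0"
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]{1,2})\s+(?P<prefix>\d+\.\d+\.\d+\.\d+(?:/\d+)?)"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<via>\S+?),\s*\S+,\s*(?P<iface>\S+)"
    r"|\s+is directly connected,\s*(?P<ciface>\S+))$"
)


@dataclass(frozen=True)
class Route:
    prefix: str
    code: str        # routing-table code: C connected, R RIP, D EIGRP, O OSPF, ...
    ad: int          # administrative distance: how trustworthy the source is
    metric: int      # the source protocol's own metric (hop count for RIP)
    next_hop: str
    interface: str


def parse_route_line(line):
    """Return a Route for a routing-table entry line, or None for headers and other text."""
    m = ROUTE_RE.match(line.strip())
    if m is None:
        return None
    if m["ciface"]:
        return Route(m["prefix"], m["code"], 0, 0, "connected", m["ciface"])
    return Route(m["prefix"], m["code"], int(m["ad"]), int(m["metric"]), m["via"], m["iface"])


def preference(route):
    """Sort key used to rank candidates: administrative distance first, then metric."""
    return (route.ad, route.metric)


def select_routes(lines):
    """Group candidates by prefix and keep the best-ranked ones; several survive
    only if they tie, which is what gives equal-cost load sharing."""
    table = {}
    for line in lines.splitlines():
        r = parse_route_line(line)
        if r is None:
            continue
        best = table.get(r.prefix)
        if best is None or preference(r) < preference(best[0]):
            table[r.prefix] = [r]
        elif preference(r) == preference(best[0]):
            best.append(r)
    return table


# Lines copied from the slide's show ip route output
SLIDE_OUTPUT = """\
Gateway of last resort is not set
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Ethernet0
     10.0.0.0/24 is subnetted, 2 subnets
R       10.2.2.0 [120/1] via 10.1.1.2, 00:00:07, Serial2
C       10.1.1.0 is directly connected, Serial2
R    192.168.1.0/24 [120/2] via 10.1.1.2, 00:00:07, Serial2
"""

# Constructed candidates for "network E": RIP offers the fewest hops, but EIGRP's lower
# administrative distance wins; the two EIGRP paths tie and are both kept.
NETWORK_E_CANDIDATES = """\
D    10.9.9.0 [90/2172416] via 10.1.2.2, 00:01:00, Serial1
D    10.9.9.0 [90/2172416] via 10.1.4.4, 00:01:00, Serial4
R    10.9.9.0 [120/1] via 10.1.3.3, 00:00:12, Serial3
"""
```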

Link-State Routing Protocols

• After the initial flood, pass small event-triggered link-state updates to all other routers

[Figure: on routers A, B, C and D, link-state packets feed a topological database; the SPF algorithm builds a shortest path first tree from it, which produces the routing table]

EIGRP Overview

What Is Enhanced IGRP (EIGRP)?

– EIGRP supports:
  • Rapid convergence
  • Reduced bandwidth usage
  • Multiple network-layer protocols

[Figure: Enhanced IGRP alongside the IP, IPX and AppleTalk routing protocols, carrying routes for all three protocol suites]

EIGRP Features

• Advanced distance vector
• 100% loop free
• Fast convergence
• Easy configuration
• Fewer network design constraints than OSPF
• Incremental updates
• Supports VLSM networks
• Classless routing

Advantages of EIGRP

• Uses multicast instead of broadcast
• Uses link bandwidth (and delay) in its composite metric
• Unequal-cost path load balancing
• Manual summarization can be done on any interface at any router within the network

EIGRP Support for Route Summarization

• EIGRP performs route summarization
  – Classful network boundaries (default)
  – Arbitrary network boundaries (manual)

[Figure: subnets 172.16.0.0/24, 10.0.0.0/18 and 192.168.42.0/27 are advertised across the classful boundary as 172.16.0.0/16, 10.0.0.0/8 and 192.168.42.0/24]

Configuring EIGRP

Configuring Summarization

Router(config-router)# no auto-summary
  • Turns off autosummarization for the EIGRP process

Router(config-if)# ip summary-address eigrp <as-number> <address> <mask>
  • Creates a summary address to be generated by this interface
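An added Python example, not from the Velocis deck, that computes the two kinds of summary the slides describe, using the prefixes from the figure above: the classful major network that auto-summary advertises, and the smallest single prefix that would go into ip summary-address eigrp. It also reports how much address space a summary claims that is not actually present behind it, which is the usual check before summarizing, because the summary attracts traffic for those addresses as well.

```python
"""Classful (auto) and manual EIGRP route summarization with the ipaddress module."""
import ipaddress


def classful_network(prefix):
    """Auto-summary: the classful major network of a subnet (class A /8, B /16, C /24)."""
    net = ipaddress.ip_network(prefix, strict=False)
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        bits = 8
    elif first_octet < 192:
        bits = 16
    elif first_octet < 224:
        bits = 24
    else:
        raise ValueError(f"{prefix}: class D/E space has no classful network")
    return ipaddress.ip_network(f"{net.network_address}/{bits}", strict=False)


def manual_summary(prefixes):
    """Smallest single prefix that covers every given subnet (an arbitrary boundary)."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()  # widen by one bit until everything fits
    return summary


def summary_command(as_number, prefixes):
    """The interface command from the slide for the computed summary (address and mask)."""
    s = manual_summary(prefixes)
    return f"ip summary-address eigrp {as_number} {s.network_address} {s.netmask}"


def unclaimed_addresses(prefixes, summary=None):
    """Addresses the summary advertises that no listed subnet actually contains
    (assumes the subnets do not overlap). A large number means the summary is too wide."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    if summary is None:
        summary = manual_summary(prefixes)
    return summary.num_addresses - sum(n.num_addresses for n in nets)


# Subnets from the slide's figure
SLIDE_SUBNETS = ["172.16.0.0/24", "10.0.0.0/18", "192.168.42.0/27"]

if __name__ == "__main__":
    for p in SLIDE_SUBNETS:
        print(p, "auto-summarizes to", classful_network(p),
              "claiming", unclaimed_addresses([p], classful_network(p)), "absent addresses")
    block = ["172.16.8.0/24", "172.16.9.0/24", "172.16.10.0/24", "172.16.11.0/24"]
    print(summary_command(100, block))
```

Auto-summarizing the single 10.0.0.0/18 from the figure to 10.0.0.0/8 claims over sixteen million addresses that are not there, which is why no auto-summary is normally the first line in an EIGRP configuration and summaries are placed by hand at boundaries where the covered space is actually contiguous.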

Verifying EIGRP Operation

Router# show ip protocols
  – Displays the parameters and current state of the active routing protocol process

Router# show ip route eigrp
  – Displays current EIGRP entries in the routing table

Router# show ip eigrp traffic
  – Displays the number of IP EIGRP packets sent and received

Router# show ip eigrp neighbors
  – Displays the neighbors discovered by IP EIGRP

Router# show ip eigrp topology
  – Displays the IP EIGRP topology table

Example EIGRP Configuration

R2 EIGRP Configuration

<output omitted>
interface FastEthernet0/0
 ip address 172.17.2.2 255.255.255.0
<output omitted>
interface Serial0/0/1
 bandwidth 64
 ip address 192.168.1.102 255.255.255.224
<output omitted>
router eigrp 100
 network 172.17.2.0 0.0.0.255
 network 192.168.1.0

Verifying EIGRP: show ip eigrp neighbors

R1# show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address         Interface   Hold Uptime    SRTT   RTO  Q   Seq
                                (sec)          (ms)        Cnt Num
0   192.168.1.102   Se0/0/1       10 00:07:22    10  2280  0   5
R1#

Verifying EIGRP: show ip route eigrp

R1# show ip route eigrp
D    172.17.0.0/16 [90/40514560] via 192.168.1.102, 00:07:01, Serial0/0/1
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D       172.16.0.0/16 is a summary, 00:05:13, Null0
     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
D       192.168.1.0/24 is a summary, 00:05:13, Null0

R1# show ip route
<output omitted>
Gateway of last resort is not set
D    172.17.0.0/16 [90/40514560] via 192.168.1.102, 00:06:55, Serial0/0/1
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D       172.16.0.0/16 is a summary, 00:05:07, Null0
C       172.16.1.0/24 is directly connected, FastEthernet0/0
     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.1.96/27 is directly connected, Serial0/0/1
D       192.168.1.0/24 is a summary, 00:05:07, Null0

The two "is a summary ... Null0" entries are the classful summaries that auto-summary generates for R1's own connected networks; they do not appear once no auto-summary is configured.

Verifying EIGRP: show ip protocols

R1# show ip protocols
Routing Protocol is "eigrp 100"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hopcount 100
  EIGRP maximum metric variance 1
  Redistributing: eigrp 100
  EIGRP NSF-aware route hold timer is 240s
<output omitted>
  Maximum path: 4
  Routing for Networks:
    172.16.1.0/24
    192.168.1.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    (this router)         90      00:09:38
    Gateway         Distance      Last Update
    192.168.1.102         90      00:09:40
  Distance: internal 90 external 170

Verifying EIGRP: show ip eigrp interfaces

R1# show ip eigrp interfaces
IP-EIGRP interfaces for process 100
                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Fa0/0              0        0/0         0       0/10           0           0
Se0/0/1            1        0/0        10      10/380         424          0

Verifying EIGRP: show ip eigrp topology

R1# show ip eigrp topology
IP-EIGRP Topology Table for AS(100)/ID(192.168.1.101)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status
P 192.168.1.96/27, 1 successors, FD is 40512000
        via Connected, Serial0/0/1
P 192.168.1.0/24, 1 successors, FD is 40512000
        via Summary (40512000/0), Null0
P 172.16.0.0/16, 1 successors, FD is 28160
        via Summary (28160/0), Null0
P 172.16.1.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet0/0
P 172.17.0.0/16, 1 successors, FD is 40514560
        via 192.168.1.102 (40514560/28160), Serial0/0/1

Verifying EIGRP: show ip eigrp traffic

R1# show ip eigrp traffic
IP-EIGRP Traffic Statistics for AS 100
  Hellos sent/received: 429/192
  Updates sent/received: 4/4
  Queries sent/received: 1/0
  Replies sent/received: 0/1
  Acks sent/received: 4/3
  Input queue high water mark 1, 0 drops
  SIA-Queries sent/received: 0/0
  SIA-Replies sent/received: 0/0
  Hello Process ID: 113
  PDM Process ID: 73

OSPF Overview

What Is OSPF?

– Has fast convergence
– Supports VLSM
– Processes updates efficiently
– Selects paths based on bandwidth

OSPF Terminology

[Figure not reproduced in the transcript]

OSPF Areas

[Figure not reproduced in the transcript]

Drawbacks of Link State Routing

• The initial discovery causes flooding
• Link-state routing is memory and processor intensive

OSPF Cost

• Places the router at the root of the tree and calculates the shortest path to each destination based on cumulative cost
• cost = 100,000,000 / bandwidth (in bps), truncated to an integer: a T1 (1.544 Mbps) link costs 64 and a 10 Mbps Ethernet costs 10. Links of 100 Mbps and faster all get cost 1 unless the reference bandwidth is raised.
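The following Python is an added example, not part of the Velocis deck. It rebuilds the path choice from the earlier "Selecting Best Route with Metrics" slide (a direct 56 kbps link against two T1 hops; the topology is constructed here with a third router X) and runs the SPF calculation described above: the router is placed at the root and Dijkstra's algorithm accumulates link costs, with cost = 10^8 / bandwidth. Switching the metric to hop count reproduces RIP's choice of the slow direct link. The bandwidth-based metric used here is OSPF's cost; EIGRP's composite metric also uses bandwidth but is computed differently.

```python
"""Shortest Path First over link costs derived from bandwidth, versus hop count."""
import heapq

REFERENCE_BANDWIDTH = 100_000_000  # 10^8 bps, the default OSPF reference bandwidth


def ospf_cost(bandwidth_bps):
    """cost = 10^8 / bandwidth, truncated to an integer; never below 1, so every
    link of 100 Mbps or more costs the same unless the reference bandwidth is raised."""
    return max(1, REFERENCE_BANDWIDTH // bandwidth_bps)


# Constructed topology: A-B direct over 56 kbps, or A-X-B over two T1 (1.544 Mbps) links
LINKS = [
    ("A", "B", 56_000),
    ("A", "X", 1_544_000),
    ("X", "B", 1_544_000),
]


def build_graph(links, weight):
    """Undirected adjacency map: node -> {neighbor: link cost}."""
    graph = {}
    for u, v, bandwidth in links:
        graph.setdefault(u, {})[v] = weight(bandwidth)
        graph.setdefault(v, {})[u] = weight(bandwidth)
    return graph


def shortest_path_first(graph, root):
    """Dijkstra with the router at the root: node -> (cumulative cost, path from root)."""
    best = {root: (0, [root])}
    frontier = [(0, root)]
    while frontier:
        cost, node = heapq.heappop(frontier)
        if cost > best[node][0]:
            continue  # stale queue entry, a cheaper path was already found
        for nxt, link_cost in graph[node].items():
            total = cost + link_cost
            if nxt not in best or total < best[nxt][0]:
                best[nxt] = (total, best[node][1] + [nxt])
                heapq.heappush(frontier, (total, nxt))
    return best


def best_path(links, root, destination, metric="bandwidth"):
    """metric="bandwidth" uses OSPF cost; metric="hops" counts every link as 1, like RIP."""
    weight = (lambda bw: 1) if metric == "hops" else ospf_cost
    return shortest_path_first(build_graph(links, weight), root)[destination]


if __name__ == "__main__":
    print("hop count picks", best_path(LINKS, "A", "B", "hops"))
    print("bandwidth cost picks", best_path(LINKS, "A", "B", "bandwidth"))
```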

OSPF Operation

Router ID

– Number by which the router is known to OSPF
– Default: the highest IP address on an active interface at the moment of OSPF process startup
– Can be overridden by a loopback interface: the highest IP address of any active loopback interface

Exchange Process

[Figure: Router A (E0, 172.16.5.1/24) and Router B (E1, 172.16.5.2/24) on the same segment]

Down State: neither router has heard a Hello from the other.

Init State: Router A sends a Hello: "I am router ID 172.16.5.1 and I see no one."
  Router B's neighbors list: 172.16.5.1/24, int E1

Router B answers with a Hello: "I am router ID 172.16.5.2, and I see 172.16.5.1."
  Router A's neighbors list: 172.16.5.2/24, int E0

Two-Way State: each router has seen its own router ID listed in the other's Hello, so both know the link carries traffic in both directions.

Discovering Routes

[Figure: Router 172.16.5.1 (E0) and Router 172.16.5.3 (E0), which is the DR, on the same segment]

Exstart State
  172.16.5.1 (Hello): "I will start exchange because I have router ID 172.16.5.1."
  172.16.5.3 (Hello): "No, I will start exchange because I have a higher router ID."

Exchange State
  172.16.5.3 (DBD): "Here is a summary of my link-state database."
  172.16.5.1 (DBD): "Here is a summary of my link-state database."

Discovering Routes (cont.)
  172.16.5.1 (LSAck): "Thanks for the information!"
  172.16.5.3 (LSAck): "Thanks for the information!"
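The Hello and DBD exchange on these slides, as an added Python example (not code from the Velocis deck or from IOS): two router objects exchange Hello messages that carry the sender's router ID and the IDs it has already heard, move a neighbor from Down to Init to Two-Way as the slides describe, let the higher router ID start the exchange (Exstart), and then compare database-description summaries to find which LSAs each side still needs. Router IDs are compared octet by octet rather than as strings. Reducing the link-state database to a map of LSA name to sequence number is an assumption of the example.

```python
"""OSPF neighbor state machine from Down to Exchange, for two routers on one segment."""
from dataclasses import dataclass, field


def rid_key(router_id):
    """Compare dotted-quad router IDs numerically (172.16.5.10 > 172.16.5.3)."""
    return tuple(int(octet) for octet in router_id.split("."))


@dataclass(frozen=True)
class Hello:
    router_id: str
    seen: tuple          # router IDs the sender has already heard from


@dataclass
class OspfRouter:
    router_id: str
    lsdb: dict                                     # LSA name -> sequence number (simplified)
    neighbors: dict = field(default_factory=dict)  # neighbor router ID -> state
    log: list = field(default_factory=list)

    def hello(self):
        """'I am router ID X and I see ...' (an empty list means 'I see no one')."""
        return Hello(self.router_id, tuple(self.neighbors))

    def receive_hello(self, hello):
        """Down -> Init on the first Hello; Init -> Two-Way once our own ID is in the neighbor's Hello."""
        state = self.neighbors.get(hello.router_id)
        if state is None:
            state = "Init"
            self.log.append(f"{self.router_id}: {hello.router_id} Down -> Init")
        if state == "Init" and self.router_id in hello.seen:
            state = "Two-Way"
            self.log.append(f"{self.router_id}: {hello.router_id} Init -> Two-Way")
        self.neighbors[hello.router_id] = state
        return state

    def exstart(self, other_id):
        """Exstart: the higher router ID becomes master and starts the exchange."""
        if self.neighbors.get(other_id) != "Two-Way":
            raise RuntimeError("the exchange needs a Two-Way neighbor")
        self.neighbors[other_id] = "Exstart"
        return max(self.router_id, other_id, key=rid_key)

    def dbd(self):
        """Database Description: a summary of the link-state database (names and sequence numbers)."""
        return dict(self.lsdb)

    def receive_dbd(self, other_id, summary):
        """Exchange: compare the neighbor's summary with our LSDB; return the LSAs we still need."""
        self.neighbors[other_id] = "Exchange"
        return [lsa for lsa, seq in summary.items() if self.lsdb.get(lsa, 0) < seq]


def form_adjacency(a, b):
    """Run the slides' dialogue between routers a and b; return (master, a_needs, b_needs)."""
    b.receive_hello(a.hello())   # "I am a and I see no one"     -> b lists a in Init
    a.receive_hello(b.hello())   # "I am b, and I see a"         -> a: b Init, then Two-Way
    b.receive_hello(a.hello())   # a's next Hello now lists b    -> b: a Two-Way
    master = a.exstart(b.router_id)
    b.exstart(a.router_id)
    a_needs = a.receive_dbd(b.router_id, b.dbd())
    b_needs = b.receive_dbd(a.router_id, a.dbd())
    return master, a_needs, b_needs


if __name__ == "__main__":
    # Constructed LSDB contents for the two routers on the slide
    r1 = OspfRouter("172.16.5.1", {"rtr-172.16.5.1": 1, "net-172.16.5.0": 3})
    r3 = OspfRouter("172.16.5.3", {"rtr-172.16.5.3": 2, "net-172.16.5.0": 5})
    print(form_adjacency(r1, r3))
    print(*r1.log, *r3.log, sep="\n")
```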

OSPF Operation in a Point-to-Point Topology

Point-to-Point Neighborship

– The router dynamically detects its neighboring router using the Hello protocol
– Adjacency is automatic as soon as the two routers can communicate
– On a point-to-point link, OSPF packets are always sent to the multicast address 224.0.0.5

Configuring OSPF in a Single Area

Configuring OSPF on Internal Routers

The network statement can match a whole address range or a single interface address.

[Figure: Router A (E0 10.64.0.1) and Router B (E0 10.64.0.2) on a broadcast network; Router B (S0 10.2.1.2) and Router C (S1 10.2.1.1) on a point-to-point network]

Router A:
<Output Omitted>
interface Ethernet0
 ip address 10.64.0.1 255.255.255.0
!
<Output Omitted>
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0

Router B:
<Output Omitted>
interface Ethernet0
 ip address 10.64.0.2 255.255.255.0
!
interface Serial0
 ip address 10.2.1.2 255.255.255.0
<Output Omitted>
router ospf 50
 network 10.2.1.2 0.0.0.0 area 0
 network 10.64.0.2 0.0.0.0 area 0

Router A's wildcard 0.255.255.255 enables OSPF on every interface in 10.0.0.0/8; Router B's wildcard 0.0.0.0 names each interface address exactly. The OSPF process ID (1 on Router A, 50 on Router B) is only locally significant and does not have to match for the adjacency to form; the area number does.

Verifying OSPF Operation

Router# show ip protocols
  • Verifies that OSPF is configured

Router# show ip route
  • Displays all the routes learned by the router

Router# show ip ospf interface
  • Displays area ID and adjacency information

Router# show ip ospf
  • Displays OSPF timers and statistics

Router# show ip ospf neighbor detail
  • Displays information about DR, BDR and neighbors

Router# show ip ospf database
  • Displays the link-state database

Router# clear ip route *
  • Clears the IP routing table

Router# debug ip ospf option
  • Displays router interaction during the hello, exchange, and flooding processes

ACCESS-LISTS

Why Use Access Lists?

[Figure: a router joining FDDI, Token Ring and Ethernet segments]
– Manage IP traffic as network access grows

[Figure: networks 172.16.0.0 and 172.17.0.0 behind a router connected to the Internet]
– Filter packets as they pass through the router

Access List Applications

– Permit or deny packets moving through the router
– Permit or deny vty access to or from the router
– Without access lists all packets could be transmitted onto all parts of your network

[Figure: transmission of packets on an interface]

What Are Access Lists?

• Standard
  – Checks source address
  – Generally permits or denies an entire protocol suite
• Extended
  – Checks source and destination address
  – Generally permits or denies specific protocols
• Inbound or outbound

[Figure: access list processing on a router with interfaces E0 and S0: an incoming packet is tested (Permit?) on its source, or on source, destination and protocol, before the outgoing packet is forwarded]

Outbound Access Lists

[Flowchart: a packet arrives on the inbound interface (E0). Routing table entry? No: discard the packet (packet discard bucket) and notify the sender. Yes: choose the outbound interface (S0). Access list on that interface? No: transmit the packet. Yes: test the access list statements in order. Permit? Yes: transmit the packet. No: discard the packet.]

If no access list statement matches, the packet is discarded.

A List of Tests: Deny or PermitA List of Tests: Deny or Permit

Packets to interfacesin the access group

Packet Discard Bucket

Y

Interface(s)

Destination

Deny

Deny

Y

MatchFirstTest

?

Permit

8-77Networking Fundamentals—Layer 3 Switching © 2009, Velocis Systems

A List of Tests: Deny or PermitA List of Tests: Deny or Permit

Packets to Interface(s)in the Access Group

Packet Discard Bucket

Y

Interface(s)

Destination

Deny

Deny

Y

MatchFirstTest

?

Permit

N

Deny PermitMatchNext

Test(s)?

YY

Access List Configuration Guidelines

– Access list numbers indicate which protocol is filtered
– The order of access list statements controls testing
– There is an implicit deny any as the last access list test; every list should have at least one permit statement
– Create access lists before applying them to interfaces
– Access lists filter traffic going through the router; they do not apply to traffic originated by the router

Access List Command Overview

Step 1: Set parameters for this access list test statement (which can be one of several statements)

Router(config)# access-list access-list-number { permit | deny } { test conditions }

Step 2: Enable an interface to use the specified access list

Router(config-if)# { protocol } access-group access-list-number {in | out}

IP access lists are numbered 1-99 (standard) or 100-199 (extended)

How to Identify Access Lists

Protocol    Access List Type    Number Range / Identifier
IP          Standard            1-99
IP          Extended            100-199
IPX         Standard            800-899
IPX         Extended            900-999
IPX         SAP filters         1000-1099
IP or IPX   Named               Name (Cisco IOS 11.2F and later)

• Standard IP lists (1 to 99) test conditions of all IP packets from source addresses
• Extended IP lists (100 to 199) can test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports

Configuring Standard IP Access Lists

Standard IP Access List Configuration

Router(config)# access-list access-list-number {permit|deny} source [wildcard-mask]
  • Sets parameters for this list entry
  • IP standard access lists use 1 to 99
  • Default wildcard mask = 0.0.0.0 (matches the single source address exactly)
  • "no access-list access-list-number" removes the entire access list

Router(config-if)# ip access-group access-list-number { in | out }
  – Activates the list on an interface
  – Sets inbound or outbound testing
  – Default = outbound
  – "no ip access-group access-list-number" removes the access list from the interface

Standard IP Access List Example 1

[Figure: router with E0 on 172.16.3.0, E1 on 172.16.4.0 (host 172.16.4.13) and S0 toward the non-172.16.0.0 networks]

Deny a specific host:

access-list 1 deny 172.16.4.13 0.0.0.0

On its own this list blocks everything: the implicit deny at the end catches every other source as well. Example 2 adds the permit statement that is needed.

Standard IP Access List Example 2

[Figure: same topology as Example 1]

Deny a specific host, permit everyone else:

access-list 1 deny 172.16.4.13 0.0.0.0
access-list 1 permit 0.0.0.0 255.255.255.255
(implicit deny all)
(access-list 1 deny 0.0.0.0 255.255.255.255)

The list filters nothing until it is applied to an interface with ip access-group.

Control vty Access With Access Class

Filter Virtual Terminal (vty) Access to a Router

– Five virtual terminal lines (0 through 4)
– Filter addresses that can access into the router's vty ports
– Filter vty access out from the router

[Figure: virtual ports vty 0 through 4, reached through physical port e0 (Telnet); the console port is a direct connection]

How to Control vty Access

[Figure: virtual ports vty 0 through 4 behind physical port e0 (Telnet)]

• Set up an IP address filter with a standard access list statement
• Use line configuration mode to filter access with the access-class command
• Set identical restrictions on all vtys

Virtual Terminal Line Commands

Router(config)# line vty {vty# | vty-range}
  • Enters configuration mode for a vty or vty range

Router(config-line)# access-class access-list-number {in|out}
  • Restricts incoming or outgoing vty connections for addresses in the access list

Virtual Terminal Access Example

Controlling Inbound Access

Permits only hosts in network 192.89.55.0 to connect to the router's vtys:

access-list 12 permit 192.89.55.0 0.0.0.255
!
line vty 0 4
 access-class 12 in

Every other source is refused by the implicit deny at the end of list 12. The range 0 4 applies the same restriction to all five vtys, so there is no unfiltered line left over.

8-94Networking Fundamentals—Layer 3 Switching © 2009, Velocis Systems 10-94

Configuring Extended IP Access Lists


Standard versus Extended Access List

Standard
• Filters based on source.
• Permits or denies the entire TCP/IP protocol suite.
• Range is 1 through 99.

Extended
• Filters based on source and destination.
• Specifies a specific IP protocol and port number.
• Range is 100 through 199.

Extended IP Access List Configuration

Router(config)#
access-list access-list-number { permit | deny } protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]

• Sets parameters for this list entry

Router(config-if)#
ip access-group access-list-number { in | out }

• Activates the extended list on an interface

Extended Access List Example 1

– Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out of E0
– Permit all other traffic

[Diagram: router with interfaces E0, E1 and S0; networks 172.16.3.0 and 172.16.4.0 (host 172.16.4.13) and non-172.16.0.0 networks]

access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
access-list 101 permit ip any any
(implicit deny all)
(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)

interface ethernet 0
ip access-group 101 out

Extended Access List Example 2

– Deny only Telnet from subnet 172.16.4.0 out of E0
– Permit all other traffic

[Diagram: router with interfaces E0, E1 and S0; networks 172.16.3.0 and 172.16.4.0 (host 172.16.4.13) and non-172.16.0.0 networks]

access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23
access-list 101 permit ip any any
(implicit deny all)

interface ethernet 0
ip access-group 101 out
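The lists on the slides above (standard list 1, vty list 12 and extended list 101) run through a small evaluator, as an added example that is not code from the Velocis slides: it implements wildcard-mask matching, top-down first-match ordering and the implicit deny all. The packets it is tested against are constructed for illustration.

```python
# Added example, not code from the Velocis slides: a small evaluator for Cisco-style
# numbered IP access lists (wildcard matching, first match wins, implicit deny all).
import ipaddress

def wildcard_match(addr, base, wildcard):  # 0 bits must match, 1 bits are don't-care
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_addr(tokens):  # 'any', 'host A' or 'A W'; a bare A (standard shorthand) is A 0.0.0.0
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, (tokens.pop(0) if tokens and tokens[0][0].isdigit() else "0.0.0.0")

def parse_port(tokens):  # optional 'eq PORT'; gt, lt and range are not modelled here
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse_entry(line):  # 'access-list N {permit|deny} ...': standard 1-99, extended 100-199
    tokens = line.split()
    num, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if num <= 99:  # a standard list filters on source only; destination is implicitly any
        return {"action": action, "proto": "ip", "src": parse_addr(rest),
                "dst": ("0.0.0.0", "255.255.255.255"), "sport": None, "dport": None}
    proto = rest.pop(0)
    src, sport = parse_addr(rest), parse_port(rest)
    dst, dport = parse_addr(rest), parse_port(rest)
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport}

def matches(e, pkt):
    ports_ok = e["sport"] in (None, pkt.get("sport")) and e["dport"] in (None, pkt.get("dport"))
    return (e["proto"] in ("ip", pkt["proto"]) and ports_ok
            and wildcard_match(pkt["src"], *e["src"]) and wildcard_match(pkt["dst"], *e["dst"]))

def evaluate(acl_lines, pkt):  # top down, first match wins; no match hits the implicit deny
    for e in map(parse_entry, acl_lines):
        if matches(e, pkt):
            return e["action"]
    return "deny"

ACL_1 = ["access-list 1 deny 172.16.4.13 0.0.0.0",  # the slides' list 1, as Python data
         "access-list 1 permit 0.0.0.0 255.255.255.255"]
ACL_101 = ["access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",  # list 101
           "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20",
           "access-list 101 permit ip any any"]
```

Dropping the final permit entry from either list makes every packet fall through to the implicit deny, which is why the slides show the explicit permit line.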

Where to Place IP Access Lists

Recommended:
– Place extended access lists close to the source
– Place standard access lists close to the destination

[Diagram: routers A, B, C and D connected by Ethernet (E0, E1), serial (S0, S1) and Token Ring (To0) interfaces]

Monitoring Access List Statements

wg_ro_a#show {protocol} access-list {access-list number}
wg_ro_a#show access-lists {access-list number}

wg_ro_a#show access-lists
Standard IP access list 1
    permit 10.2.2.1
    permit 10.3.3.1
    permit 10.4.4.1
    permit 10.5.5.1
Extended IP access list 101
    permit tcp host 10.22.22.1 any eq telnet
    permit tcp host 10.33.33.1 any eq ftp
    permit tcp host 10.44.44.1 any eq ftp-data