Rip, Eigrp, Ospf and Acl
© 2009, Velocis Systems
Dynamic Routing Basics
8-2 Networking Fundamentals—Layer 3 Switching © 2009, Velocis Systems
Routed versus Routing Protocols
• Routed protocols are used between routers to direct user traffic; also called network protocols
– Examples: IP, IPX, DECnet, AppleTalk, NetWare, OSI, VINES
[Figure: routing table entries with columns Destination Network, Network Protocol (protocol name) and Exit Port to Use]
• Routing protocols are used between routers to maintain routing tables
– Examples: RIP, IGRP, OSPF, BGP, EIGRP
DYNAMIC ROUTING
• Dynamic routing is the process of routing protocols running on the router communicating with neighbor routers.
– If a change occurs in the network, the dynamic routing protocols automatically inform all routers about the change.
Dynamic Routing
[Figure: routers A, B, C and D; a network change (X) blocks the established path, and an alternate route is found dynamically]
• Most internetworks use dynamic routing
Routing Protocols
What is a Routing Protocol?
• Routing protocols are used between routers to determine paths and maintain routing tables.
• Once the path is determined, a router can route a routed protocol.
[Figure: routing table with columns Destination Network, Network Protocol and Exit Interface: 10.120.2.0 (Connected, E0), 172.16.2.0 (RIP, S0), 172.17.3.0 (EIGRP, S1). Routed protocol: IP. Routing protocols: RIP, EIGRP]
Autonomous Systems: Interior or Exterior Routing Protocols
[Figure: Autonomous System 100 and Autonomous System 200; IGPs (RIP, EIGRP) run inside each, EGPs (BGP) connect them]
– An autonomous system is a collection of networks under a common administrative domain
– IGPs operate within an autonomous system
– EGPs connect different autonomous systems
Administrative Distance: Ranking Routes
[Figure: routers A, B, C and D; Router A can reach network E through Router B, learned by EIGRP (administrative distance = 90), or through Router C, learned by RIP (administrative distance = 120)]
Router A: "I need to send a packet to Network E. Both router B and C will get it there. Which route is best?"
Distance Vector versus Link State
• Distance vector
– Sends routing table information only to neighbors, so communicating a change may need one minute per router
– Also called “routing by rumor”
– Easy to configure, but slow
• Link state
– Floods routing information about itself to all nodes, so changes are known immediately
– Efficient, but complex to configure
• Cisco’s EIGRP hybrid
– Efficient and easy to configure
Distance Vector Routing Protocols
• Pass periodic copies of the routing table to neighbor routers and accumulate distance vectors
[Figure: routers A, B, C and D in a row, each passing its routing table to its neighbors]
Distance—How far; Vector—In which direction
Distance Vector—Sources of Information and Discovering Routes
• Routers discover the best path to destinations from each neighbor
[Figure: Router A (E0 on 10.1.0.0, S0 on 10.2.0.0), Router B (S0 on 10.2.0.0, S1 on 10.3.0.0), Router C (S0 on 10.3.0.0, E0 on 10.4.0.0)]
Initial routing tables (directly connected networks only):
Router A routing table      Router B routing table      Router C routing table
Network   Int  Hops         Network   Int  Hops         Network   Int  Hops
10.1.0.0  E0   0            10.2.0.0  S0   0            10.3.0.0  S0   0
10.2.0.0  S0   0            10.3.0.0  S1   0            10.4.0.0  E0   0
Distance Vector—Sources of Information and Discovering Routes
• Routers discover the best path to destinations from each neighbor
After the first exchange (each router has added the networks its neighbors advertised, one hop away):
Router A routing table      Router B routing table      Router C routing table
Network   Int  Hops         Network   Int  Hops         Network   Int  Hops
10.1.0.0  E0   0            10.2.0.0  S0   0            10.3.0.0  S0   0
10.2.0.0  S0   0            10.3.0.0  S1   0            10.4.0.0  E0   0
10.3.0.0  S0   1            10.4.0.0  S1   1            10.2.0.0  S0   1
                            10.1.0.0  S0   1
Distance Vector—Sources of Information and Discovering Routes
• Routers discover the best path to destinations from each neighbor
After the second exchange (every router now knows all four networks):
Router A routing table      Router B routing table      Router C routing table
Network   Int  Hops         Network   Int  Hops         Network   Int  Hops
10.1.0.0  E0   0            10.2.0.0  S0   0            10.3.0.0  S0   0
10.2.0.0  S0   0            10.3.0.0  S1   0            10.4.0.0  E0   0
10.3.0.0  S0   1            10.4.0.0  S1   1            10.2.0.0  S0   1
10.4.0.0  S0   2            10.1.0.0  S0   1            10.1.0.0  S0   2
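The three exchange steps above, as an added example that is not part of the slides: a Python simulation of the periodic table exchange on the A, B, C topology (networks, interfaces and hop counts are the ones on the slides; the data structures and function names are constructed for this example). It also reports how many update periods the tables need before nothing changes.

```python
# Added example (not from the slides): simulating the distance-vector route
# discovery shown for routers A, B and C. Topology, addresses and interface
# names are the ones on the slides; everything else is constructed here.
from copy import deepcopy

# Directly connected networks per router: interface -> network (from the figure).
CONNECTED = {
    "A": {"E0": "10.1.0.0", "S0": "10.2.0.0"},
    "B": {"S0": "10.2.0.0", "S1": "10.3.0.0"},
    "C": {"S0": "10.3.0.0", "E0": "10.4.0.0"},
}

# Adjacency: (router, interface) -> neighbor router on that link.
LINKS = {
    ("A", "S0"): "B",
    ("B", "S0"): "A",
    ("B", "S1"): "C",
    ("C", "S0"): "B",
}


def initial_tables():
    """Each router starts knowing only its directly connected networks (hop count 0)."""
    return {
        r: {net: (iface, 0) for iface, net in ifaces.items()}
        for r, ifaces in CONNECTED.items()
    }


def exchange_round(tables):
    """One update period: every router sends its whole table to each neighbor.

    The receiver installs a route it does not know, or replaces one with a
    higher hop count, recording the interface the update arrived on.
    Returns the new tables and whether anything changed (convergence check).
    """
    new = deepcopy(tables)
    changed = False
    for (sender, _out_iface), receiver in LINKS.items():
        # The receiver's own interface on this shared link.
        in_iface = next(i for (r, i), n in LINKS.items() if r == receiver and n == sender)
        for net, (_, hops) in tables[sender].items():      # snapshot from before this period
            candidate = hops + 1
            current = new[receiver].get(net)
            if current is None or candidate < current[1]:
                new[receiver][net] = (in_iface, candidate)
                changed = True
    return new, changed


def converge(max_rounds=16):
    """Run update periods until no table changes; return the tables after each period."""
    tables = initial_tables()
    history = [tables]
    for _ in range(max_rounds):
        tables, changed = exchange_round(tables)
        if not changed:
            break
        history.append(tables)
    return history


if __name__ == "__main__":
    for rnd, tables in enumerate(converge()):
        print(f"after exchange {rnd}:")
        for router, table in tables.items():
            rows = ", ".join(f"{net} {iface} {hops}" for net, (iface, hops) in sorted(table.items()))
            print(f"  Router {router}: {rows}")
```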
Distance Vector—Selecting Best Route with Metrics
Information used to select the best path for routing
[Figure: two paths between routers A and B, one over a 56 kbps link and one over a T1 link]
– RIP: hop count
– EIGRP: bandwidth
Distance Vector—Maintaining Routing Information
• Updates proceed step-by-step from router to router
[Figure: a topology change causes a routing table update; Router A processes the update to its routing table]
Distance Vector—Maintaining Routing Information
• Updates proceed step-by-step from router to router
[Figure: Router A sends out its updated routing table after the next update period expires]
Distance Vector—Maintaining Routing Information
• Updates proceed step-by-step from router to router
[Figure: the topology change has now reached Router A and Router B; each processes the update to its own routing table, and Router A sends out its updated routing table after the next period expires]
RIP Overview
[Figure: two paths between routers, one over a 19.2 kbps link and one over T1 links]
– Hop count metric selects the path
– Routes update every 30 seconds
RIP Configuration
Router(config)#router rip
– Starts the RIP routing process
Router(config-router)#network network-number
• Selects participating attached networks
• The network number must be a major classful network number
RIP Configuration Example
[Figure: Router A (E0 172.16.1.1 on 172.16.1.0, S2 10.1.1.1), Router B (S2 10.1.1.2, S3 10.2.2.2), Router C (S3 10.2.2.3, E0 192.168.1.1 on 192.168.1.0)]
Router A:
router rip
network 172.16.0.0
network 10.0.0.0
Router B:
router rip
network 10.0.0.0
Router C:
router rip
network 192.168.1.0
network 10.0.0.0
Verifying the Routing Protocol—RIP
RouterA#sh ip protocols
Routing Protocol is "rip"
  Sending updates every 30 seconds, next due in 0 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Outgoing update filter list for all interfaces is
  Incoming update filter list for all interfaces is
  Redistributing: rip
  Default version control: send version 1, receive any version
    Interface        Send  Recv   Key-chain
    Ethernet0        1     1 2
    Serial2          1     1 2
  Routing for Networks:
    10.0.0.0
    172.16.0.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    10.1.1.2             120      00:00:10
  Distance: (default is 120)
[Figure: the same three-router topology as in the RIP configuration example]
Displaying the IP Routing Table
RouterA#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR
       T - traffic engineered route
Gateway of last resort is not set
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Ethernet0
     10.0.0.0/24 is subnetted, 2 subnets
R       10.2.2.0 [120/1] via 10.1.1.2, 00:00:07, Serial2
C       10.1.1.0 is directly connected, Serial2
R    192.168.1.0/24 [120/2] via 10.1.1.2, 00:00:07, Serial2
[Figure: the same three-router topology as in the RIP configuration example]
Link-State Routing Protocols
• After the initial flood, pass small event-triggered link-state updates to all other routers
[Figure: link-state packets from routers A, B, C and D build the topological database; the SPF algorithm computes the shortest path first tree, from which each router's routing table is derived]
EIGRP Overview
What Is Enhanced IGRP (EIGRP)?
– EIGRP supports:
• Rapid convergence
• Reduced bandwidth usage
• Multiple network-layer protocols
[Figure: Enhanced IGRP alongside the IP, IPX and AppleTalk routing protocols]
EIGRP Features
• Advanced distance vector
• 100% loop free
• Fast convergence
• Easy configuration
• Fewer network design constraints than OSPF
EIGRP Features (cont.)
• Incremental updates
• Supports VLSM networks
• Classless routing
Advantages of EIGRP
• Uses multicast instead of broadcast
• Utilizes link bandwidth
• Unequal cost path load balancing
• Manual summarization can be done on any interface at any router within the network
EIGRP Support for Route Summarization
• EIGRP performs route summarization
– Classful network boundaries (default)
– Arbitrary network boundaries (manual)
[Figure: specific subnets (172.16.0.0/24, 10.0.0.0/18, 192.168.42.0/27) and the summary routes shown for them (172.16.0.0/16, 192.168.42.0/24)]
Configuring EIGRP
Configuring Summarization
(config-router)#
no auto-summary
• Turns off autosummarization for the EIGRP process
(config-if)#
ip summary-address eigrp <as-number> <address> <mask>
• Creates a summary address to be generated by this interface
Verifying EIGRP Operation
Verifying EIGRP Operation
Router#
show ip protocols
– Displays the parameters and current state of the active routing protocol process
Router#
show ip route eigrp
– Displays current EIGRP entries in the routing table
Router#
show ip eigrp traffic
– Displays the number of IP EIGRP packets sent and received
Router#
show ip eigrp neighbors
– Displays the neighbors discovered by IP EIGRP
Router#
show ip eigrp topology
– Displays the IP EIGRP topology table
Example EIGRP Configuration
R2 EIGRP Configuration
<output omitted>
interface FastEthernet0/0
 ip address 172.17.2.2 255.255.255.0
<output omitted>
interface Serial0/0/1
 bandwidth 64
 ip address 192.168.1.102 255.255.255.224
<output omitted>
router eigrp 100
 network 172.17.2.0 0.0.0.255
 network 192.168.1.0
Verifying EIGRP: show ip eigrp neighbors
R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address          Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                 (sec)         (ms)       Cnt Num
0   192.168.1.102    Se0/0/1       10 00:07:22   10  2280  0  5
R1#
Verifying EIGRP: show ip route eigrp
R1#show ip route eigrp
D    172.17.0.0/16 [90/40514560] via 192.168.1.102, 00:07:01, Serial0/0/1
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D       172.16.0.0/16 is a summary, 00:05:13, Null0
     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
D       192.168.1.0/24 is a summary, 00:05:13, Null0
R1#show ip route
<output omitted>
Gateway of last resort is not set
D    172.17.0.0/16 [90/40514560] via 192.168.1.102, 00:06:55, Serial0/0/1
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D       172.16.0.0/16 is a summary, 00:05:07, Null0
C       172.16.1.0/24 is directly connected, FastEthernet0/0
     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.1.96/27 is directly connected, Serial0/0/1
D       192.168.1.0/24 is a summary, 00:05:07, Null0
Verifying EIGRP: show ip protocols
R1#show ip protocols
Routing Protocol is "eigrp 100"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hopcount 100
  EIGRP maximum metric variance 1
  Redistributing: eigrp 100
  EIGRP NSF-aware route hold timer is 240s
<output omitted>
  Maximum path: 4
  Routing for Networks:
    172.16.1.0/24
    192.168.1.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    (this router)         90      00:09:38
    Gateway         Distance      Last Update
    192.168.1.102         90      00:09:40
  Distance: internal 90 external 170
Verifying EIGRP: show ip eigrp interfaces
R1#show ip eigrp interfaces
IP-EIGRP interfaces for process 100
                   Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface   Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Fa0/0         0        0/0         0       0/10           0           0
Se0/0/1       1        0/0        10      10/380        424           0
Verifying EIGRP: show ip eigrp topology
R1#show ip eigrp topology
IP-EIGRP Topology Table for AS(100)/ID(192.168.1.101)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status
P 192.168.1.96/27, 1 successors, FD is 40512000
        via Connected, Serial0/0/1
P 192.168.1.0/24, 1 successors, FD is 40512000
        via Summary (40512000/0), Null0
P 172.16.0.0/16, 1 successors, FD is 28160
        via Summary (28160/0), Null0
P 172.16.1.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet0/0
P 172.17.0.0/16, 1 successors, FD is 40514560
        via 192.168.1.102 (40514560/28160), Serial0/0/1
Verifying EIGRP: show ip eigrp traffic
R1#show ip eigrp traffic
IP-EIGRP Traffic Statistics for AS 100
  Hellos sent/received: 429/192
  Updates sent/received: 4/4
  Queries sent/received: 1/0
  Replies sent/received: 0/1
  Acks sent/received: 4/3
  Input queue high water mark 1, 0 drops
  SIA-Queries sent/received: 0/0
  SIA-Replies sent/received: 0/0
  Hello Process ID: 113
  PDM Process ID: 73
OSPF Overview
What Is OSPF?
– Has fast convergence
– Supports VLSM
– Processes updates efficiently
– Selects paths based on bandwidth
OSPF Terminology
[Figure-only slide]
OSPF Areas
[Figure-only slide]
Drawbacks of link state routing
• The initial discovery causes flooding
• Link-state routing is memory and processor intensive.
OSPF Cost
• Places the router at the root of the tree and calculates the shortest path to each destination based on cumulative cost
• cost = 100,000,000 / bandwidth (in bps)
OSPF Operation
Router ID
– Number by which the router is known to OSPF
– Default: the highest IP address on an active interface at the moment of OSPF process startup
– Can be overridden by a loopback interface: the highest IP address of any active loopback interface
Exchange Process
[Figure: Router A (interface E0, 172.16.5.1/24) and Router B (interface E1, 172.16.5.2/24) on the same segment]
Down State: neither router has heard from the other.
Init State: Router A sends a Hello, "I am router ID 172.16.5.1 and I see no one." Router B adds A to its neighbors list (172.16.5.1/24, int E1).
Two-Way State: Router B replies with a Hello, "I am router ID 172.16.5.2, and I see 172.16.5.1." Router A adds B to its neighbors list (172.16.5.2/24, int E0).
Discovering Routes
[Figure: router 172.16.5.1 (E0) and the DR, router 172.16.5.3 (E0), on the same segment]
Exstart State: 172.16.5.1 sends a Hello, "I will start exchange because I have router ID 172.16.5.1." The DR answers with a Hello, "No, I will start exchange because I have a higher router ID."
Exchange State: each router sends a DBD, "Here is a summary of my link-state database."
Discovering Routes (cont.)
[Figure: the same two routers]
Each router sends an LSAck, "Thanks for the information!"
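The Hello exchange and the Exstart master choice described above, as an added example that is not from the slides: a Python model of the neighbor state transitions (Down, Init, Two-Way) and of the higher-router-ID rule, using the router IDs and interfaces on the slides. The Hello and Router classes and the function names are constructed for this illustration.

```python
# Added example (not from the slides): a model of the OSPF Hello exchange that
# takes two routers on a shared segment from Down through Init to Two-Way, and
# of the Exstart rule that the router with the higher router ID starts the DBD
# exchange. Router IDs and interfaces are those on the slides; the Hello and
# Router classes are constructed for this illustration.
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class Hello:
    router_id: str
    seen: list          # router IDs the sender has already heard on this segment

    def text(self) -> str:
        """The slides' phrasing: 'I am router ID X and I see ...'."""
        return f"I am router ID {self.router_id} and I see {', '.join(self.seen) or 'no one'}."


@dataclass
class Router:
    router_id: str
    interface: str
    neighbors: dict = field(default_factory=dict)   # neighbor router ID -> state

    def state_of(self, neighbor_id: str) -> str:
        return self.neighbors.get(neighbor_id, "Down")

    def send_hello(self) -> Hello:
        return Hello(self.router_id, sorted(self.neighbors))

    def receive_hello(self, hello: Hello) -> str:
        """Init when a neighbor is heard for the first time; Two-Way once the
        neighbor's Hello lists our own router ID (it has heard us too)."""
        if hello.router_id not in self.neighbors:
            self.neighbors[hello.router_id] = "Init"
        if self.router_id in hello.seen:
            self.neighbors[hello.router_id] = "Two-Way"
        return self.neighbors[hello.router_id]


def exstart_master(id_a: str, id_b: str) -> str:
    """Exstart: the higher router ID (compared as an address, not as text) starts the exchange."""
    return max(id_a, id_b, key=IPv4Address)


def run_exchange():
    """Replay the slides' exchange between A (E0, 172.16.5.1) and B (E1, 172.16.5.2).

    Returns the list of (A's state for B, B's state for A) after each Hello,
    starting from Down/Down, plus the transcript of Hello texts sent.
    """
    a = Router("172.16.5.1", "E0")
    b = Router("172.16.5.2", "E1")
    states = [(a.state_of(b.router_id), b.state_of(a.router_id))]
    transcript = []
    for sender, receiver in ((a, b), (b, a), (a, b)):
        hello = sender.send_hello()
        transcript.append(hello.text())
        receiver.receive_hello(hello)
        states.append((a.state_of(b.router_id), b.state_of(a.router_id)))
    return states, transcript


if __name__ == "__main__":
    states, transcript = run_exchange()
    for line, st in zip(transcript, states[1:]):
        print(f"{line}  -> A sees B: {st[0]}, B sees A: {st[1]}")
    print("Exstart master between 172.16.5.1 and DR 172.16.5.3:",
          exstart_master("172.16.5.1", "172.16.5.3"))
```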
OSPF Operation in a Point-to-Point Topology
Point-to-Point Neighborship
– A router dynamically detects its neighboring router using the Hello protocol
– Adjacency is automatic as soon as the two routers can communicate
– OSPF packets are always sent as multicast to 224.0.0.5
Configuring OSPF in a Single Area
Configuring OSPF on Internal Routers
Can assign a network or an interface address.
[Figure: Router A (E0 10.64.0.1) and Router B (E0 10.64.0.2) on a broadcast network; Router B (S0 10.2.1.2) and Router C (S1 10.2.1.1) on a point-to-point network]
Router A:
<Output Omitted>
interface Ethernet0
ip address 10.64.0.1 255.255.255.0
!
<Output Omitted>
router ospf 1
network 10.0.0.0 0.255.255.255 area 0
Router B:
<Output Omitted>
interface Ethernet0
ip address 10.64.0.2 255.255.255.0
!
interface Serial0
ip address 10.2.1.2 255.255.255.0
<Output Omitted>
router ospf 50
network 10.2.1.2 0.0.0.0 area 0
network 10.64.0.2 0.0.0.0 area 0
Verifying OSPF Operation
Verifying OSPF Operation
Router#
show ip ospf interface
• Displays area ID and adjacency information
Router#
show ip protocols
• Verifies that OSPF is configured
Router#
show ip route
• Displays all the routes learned by the router
Verifying OSPF Operation (cont.)
Router#
show ip ospf
• Displays OSPF timers and statistics
Router#
show ip ospf neighbor detail
• Displays information about DR, BDR and neighbors
Router#
show ip ospf database
• Displays the link-state database
Verifying OSPF Operation (cont.)
Router#
clear ip route *
• Allows you to clear the IP routing table
Router#
debug ip ospf option
• Displays router interaction during the hello, exchange, and flooding processes
ACCESS-LISTS
Why Use Access Lists?
[Figure: a router joining FDDI and Token Ring segments, networks 172.16.0.0 and 172.17.0.0, and the Internet]
– Manage IP traffic as network access grows
– Filter packets as they pass through the router
Access List Applications
– Permit or deny packets moving through the router
– Permit or deny vty access to or from the router
– Without access lists all packets could be transmitted onto all parts of your network
[Figure: transmission of packets on an interface]
What Are Access Lists?
• Standard
– Checks source address
– Generally permits or denies the entire protocol suite
• Extended
– Checks source and destination address
– Generally permits or denies specific protocols
• Inbound or outbound
[Figure: access list processes on a router with interfaces E0 and S0; an incoming packet is tested (Permit?) on its source, or on its source, destination and protocol, before it leaves as an outgoing packet]
Outbound Access Lists
[Flowchart: packets arrive on the inbound interface. Routing table entry? N: the packet goes to the packet discard bucket and the sender is notified. Y: the router chooses the outbound interface (S0 or E0). Access list on that interface? N: the packet is transmitted. Y: the access list statements are tested. Permit? Y: the packet is transmitted on the outbound interface. N: the packet is discarded and the sender is notified.]
If no access list statement matches then discard the packet
A List of Tests: Deny or Permit
[Flowchart: packets to the interface(s) in the access group are compared with the list one statement at a time. Match first test? Y: apply that statement's action, deny (packet discard bucket) or permit (on to the destination interface). N: match next test(s)? Y: apply that statement's deny or permit; otherwise continue down the list.]
Access List Configuration Guidelines
– Access list numbers indicate which protocol is filtered
– The order of access list statements controls testing
– There is an implicit deny any as the last access list test—every list should have at least one permit statement
– Create access lists before applying them to interfaces
– Access lists filter traffic going through the router; they do not apply to traffic originated by the router
Access List Command Overview
Step 1: Set parameters for this access list test statement (which can be one of several statements)
Router(config)#
access-list access-list-number { permit | deny } { test conditions }
Step 2: Enable an interface to use the specified access list
Router(config-if)#
{ protocol } access-group access-list-number {in | out}
IP access lists are numbered 1-99 or 100-199
How to Identify Access Lists
Access List Type                 Number Range/Identifier
IP   Standard                    1-99
     Extended                    100-199
     Named                       Name (Cisco IOS 11.2F and later)
IPX  Standard                    800-899
     Extended                    900-999
     SAP filters                 1000-1099
• Standard IP lists (1 to 99) test conditions of all IP packets from source addresses
• Extended IP lists (100 to 199) can test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports
Configuring Standard IP Access Lists
Standard IP Access List Configuration
Router(config)#
access-list access-list-number {permit|deny} source [mask]
• Sets parameters for this list entry
• IP standard access lists use 1 to 99
• Default wildcard mask = 0.0.0.0
• “no access-list access-list-number” removes the entire access list
Router(config-if)#
ip access-group access-list-number { in | out }
– Activates the list on an interface
– Sets inbound or outbound testing
– Default = outbound
– “no ip access-group access-list-number” removes the access list from the interface
Standard IP Access List Example
[Figure: a router with E0 to 172.16.3.0, E1 to 172.16.4.0 (host 172.16.4.13) and S0 to non-172.16.0.0 networks]
Deny a specific host:
access-list 1 deny 172.16.4.13 0.0.0.0
access-list 1 permit 0.0.0.0 255.255.255.255
(implicit deny all)
(access-list 1 deny 0.0.0.0 255.255.255.255)
Control vty Access With Access Class
Filter Virtual Terminal (vty) Access to a Router
– Five virtual terminal lines (0 through 4)
– Filter addresses that can access into the router’s vty ports
– Filter vty access out from the router
[Figure: virtual ports vty 0 through 4 reached by Telnet through physical port e0; console port (direct connect)]
How to Control vty Access
[Figure: virtual ports vty 0 through 4 reached by Telnet through physical port e0]
• Set up an IP address filter with a standard access list statement
• Use line configuration mode to filter access with the access-class command
• Set identical restrictions on all vtys
Virtual Terminal Line Commands
Router(config)#
line vty {vty# | vty-range}
• Enters configuration mode for a vty or vty range
Router(config-line)#
access-class access-list-number {in|out}
• Restricts incoming or outgoing vty connections to the addresses in the access list
Virtual Terminal Access Example
Controlling Inbound Access
access-list 12 permit 192.89.55.0 0.0.0.255
!
line vty 0 4
access-class 12 in
Permits only hosts in network 192.89.55.0 to connect to the router’s vtys
Configuring Extended IP Access Lists
Standard versus Extended Access List
Standard                                      Extended
Filters based on source.                      Filters based on source and destination.
Permit or deny entire TCP/IP protocol suite.  Specifies a specific IP protocol and port number.
Range is 1 through 99.                        Range is 100 through 199.
Extended IP Access List Configuration
Router(config)#
access-list access-list-number { permit | deny } protocol source source-wildcard [operator port] destination destination-wildcard [ operator port ] [ established ] [log]
• Sets parameters for this list entry
Router(config-if)#
ip access-group access-list-number { in | out }
• Activates the extended list on an interface
Extended Access List Example 1

– Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out of E0
– Permit all other traffic

[Diagram: router with E0 on 172.16.3.0, E1 on 172.16.4.0 (host 172.16.4.13), S0 toward non-172.16.0.0 networks]

access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
access-list 101 permit ip any any
(implicit deny all)
(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)

interface ethernet 0
ip access-group 101 out

The port 21 entry is what actually blocks FTP: without the control connection no transfer can be negotiated. The port 20 entry covers the client's side of an active-mode data connection; a passive-mode data connection uses a port chosen by the server, which no entry here names. The parenthesised deny ip line is shown only to make the implicit deny visible; a list that ends in permit ip any any never reaches it.
Extended Access List Example 2

– Deny only Telnet from subnet 172.16.4.0 out of E0
– Permit all other traffic

[Diagram: router with E0 on 172.16.3.0, E1 on 172.16.4.0 (host 172.16.4.13), S0 toward non-172.16.0.0 networks]

access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23
access-list 101 permit ip any any
(implicit deny all)

interface ethernet 0
ip access-group 101 out

Because the list is applied outbound on E0 only, the deny affects Telnet from 172.16.4.0 toward hosts on 172.16.3.0; Telnet from the same subnet toward networks reached through S0 is not filtered unless the list is also applied there. The entry matches TCP port 23 only and says nothing about other remote-access protocols.
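To make the first-match and implicit-deny behaviour of Examples 1 and 2 concrete, here is an added Python model of extended access list evaluation; it is not code from the original slides or from Cisco. It parses access-list lines in the syntax shown above (host, any and wildcard address forms, the eq port operator, the established keyword), evaluates them top-down against constructed packets, and falls through to the implicit deny when nothing matches. The port-name table, the addresses and the packet fields are assumptions chosen for the example.

```python
"""First-match evaluation of IOS-style extended access lists.

Added example, not from the original slides. Address forms: 'any', 'host X',
or 'X wildcard'. Ports: optional 'eq <port>' after source and destination.
A packet that matches no entry hits the implicit deny at the end of the list."""
import ipaddress

# Port names used by the examples (assumed subset of the IOS keyword table).
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "telnet": 23, "www": 80, "ssh": 22}


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit means that address bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def _take_addr(tokens):
    """Consume one address spec and return a predicate over an address string."""
    tok = tokens.pop(0)
    if tok == "any":
        return lambda addr: True
    if tok == "host":
        host = tokens.pop(0)
        return lambda addr: addr == host
    wildcard = tokens.pop(0)
    return lambda addr: wildcard_match(addr, tok, wildcard)

def _take_port(tokens):
    """Consume an optional 'eq <port>' operator; return the port number or None."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES.get(name) or int(name)
    return None

def parse_entry(line):
    """Parse 'access-list N permit|deny proto src [eq p] dst [eq p] [established]'."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("not an access-list entry: " + line)
    number, action, proto = int(tokens[1]), tokens[2], tokens[3]
    rest = tokens[4:]
    src = _take_addr(rest)
    sport = _take_port(rest)
    dst = _take_addr(rest)
    dport = _take_port(rest)
    return {"number": number, "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "established": "established" in rest}

def entry_matches(entry, pkt):
    """pkt keys: proto, src, dst, optional sport/dport, optional ack (ACK/RST set)."""
    if entry["proto"] != "ip" and entry["proto"] != pkt["proto"]:
        return False
    if not entry["src"](pkt["src"]) or not entry["dst"](pkt["dst"]):
        return False
    if entry["sport"] is not None and pkt.get("sport") != entry["sport"]:
        return False
    if entry["dport"] is not None and pkt.get("dport") != entry["dport"]:
        return False
    if entry["established"] and not pkt.get("ack", False):
        return False
    return True

def evaluate(acl_lines, pkt):
    """Return 'permit' or 'deny': top-down first match, then the implicit deny."""
    for line in acl_lines:
        entry = parse_entry(line)
        if entry_matches(entry, pkt):
            return entry["action"]
    return "deny"  # implicit deny all: no entry matched

# The two lists from the slides, plus Example 2 without its final permit.
ACL_EXAMPLE_1 = [
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20",
    "access-list 101 permit ip any any",
]
ACL_EXAMPLE_2 = [
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23",
    "access-list 101 permit ip any any",
]
ACL_NO_PERMIT = ACL_EXAMPLE_2[:1]

def tcp(src, dst, dport, sport=40000, ack=False):
    """Build a constructed TCP packet description for the evaluator."""
    return {"proto": "tcp", "src": src, "dst": dst,
            "sport": sport, "dport": dport, "ack": ack}

if __name__ == "__main__":
    print(evaluate(ACL_EXAMPLE_1, tcp("172.16.4.13", "172.16.3.7", 21)))  # deny
    print(evaluate(ACL_EXAMPLE_1, tcp("172.16.4.13", "172.16.3.7", 80)))  # permit
    print(evaluate(ACL_EXAMPLE_2, tcp("172.16.4.13", "10.1.1.1", 23)))    # deny
    print(evaluate(ACL_NO_PERMIT, tcp("172.16.3.7", "172.16.4.13", 80)))  # deny
```

The last call is the point of the exercise: with the permit ip any any line removed, a packet that matches no explicit entry is dropped by the implicit deny, which is why a list consisting only of deny statements blocks everything on the interface it is applied to.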
Where to Place IP Access Lists

Recommended:
– Place extended access lists close to the source
– Place standard access lists close to the destination

[Diagram: routers A, B, C and D with interfaces E0, E1, S0, S1 and To0 (Token Ring)]

The reasoning: an extended list can match on destination and protocol, so it can drop unwanted traffic at the first hop instead of carrying it across the network only to drop it later. A standard list matches on source only, so placing it near the source would also block that source's traffic to every destination the list was not meant to protect.
Monitoring Access List Statements

wg_ro_a#show {protocol} access-list {access-list number}
wg_ro_a#show access-lists {access-list number}

wg_ro_a#show access-lists
Standard IP access list 1
    permit 10.2.2.1
    permit 10.3.3.1
    permit 10.4.4.1
    permit 10.5.5.1
Extended IP access list 101
    permit tcp host 10.22.22.1 any eq telnet
    permit tcp host 10.33.33.1 any eq ftp
    permit tcp host 10.44.44.1 any eq ftp-data

Entries that have matched traffic also show a (n matches) counter; clear access-list counters resets it, which is useful when verifying that a newly added entry is actually being hit.