Link State
Distance Vector vs. Link State
Distance Vector:
- Updates frequently
- Each router is "aware" only of its immediate neighbors
- Slow convergence
- Prone to routing loops
- Easy to configure
Link State:
- Updates are event triggered
- Each router is "aware" of all other routers in the "area"
- Fast convergence
- Less subject to routing loops
- More difficult to configure
Comparison Continued
Link State Routing
Open Shortest Path First (OSPF)
Link State
There are two types of packets:
- Hello
- LSAs
OSPF Hello
"Hello" Packets
- Small, frequently issued packets
- Discover neighbours and negotiate "adjacencies"
- Verify continued availability of adjacent neighbours
- Hello packets and Link State Advertisements (LSAs) build and maintain the topological database
- Hello packets are addressed to 224.0.0.5
Link State Advertisement (LSA)
An OSPF data packet containing link state and routing information that is shared among OSPF routers.
Link State
There are three types of tables:
- Neighbor
- Topology
- Routing
Tables
Neighbor
Contains information about the neighbors.
A neighbor is a router that shares a link on the same network.
Another relationship is adjacency.
Not necessarily all neighbors become adjacent.
LSA updates are exchanged only when an adjacency is established.
Tables
Topology
Contains information about all networks and the path to reach any network.
All LSAs are entered into the topology table.
When the topology changes, LSAs are generated and the new LSAs are sent.
On the topology table an algorithm is run to create the shortest path; this algorithm is known as SPF or Dijkstra's algorithm.
Tables
Routing Table
Also known as the forwarding database.
Generated when an algorithm is run on the topology database.
The routing table for each router is unique.
OSPF Terms
- Link
- Router ID
- Neighbours
- Adjacency
- OSPF Area
- Backbone area
- Internal routers
- Area Border Router (ABR)
- Autonomous System Boundary Router (ASBR)
Link
A network or router interface assigned to a given network.
A link (interface) will have "state" information associated with it:
- Status (up or down)
- IP Address
- Network type (e.g. Fast Ethernet)
- Bandwidth
- Addresses of other routers attached to this interface
OSPF Term: Link
Neighbours
Neighbours are two or more routers that have an interface on a common network.
E.g. two routers connected on a serial link.
E.g. several routers connected on a common Ethernet or Frame Relay network.
Communication takes place between / among neighbours.
Neighbours form "adjacencies".
Adjacency
A relationship between two routers that permits the direct exchange of route updates.
Not all neighbours will form adjacencies.
This is done for reasons of efficiency (more later).
OSPF Design
Each router connects to the backbone called area 0, or the backbone area.
Routers that connect other areas to the backbone within an AS are called Area Border Routers (ABRs). One interface must be in area 0.
OSPF runs inside an autonomous system, but can also connect multiple autonomous systems together. The router that connects these ASes together is called an Autonomous System Boundary Router (ASBR).
OSPF Areas
An OSPF area is a grouping of contiguous networks and routers.
Share a common Y eY
A router can be a member of more than one area (area border router).
All routers in the same area have the same topology database.
When multiple areas exist, there must always be an area 0 (the backbone) to which other areas connect.
Why areas?
Decreases routing overhead (compare to multiple smaller broadcast domains instead of one large one).
Speeds convergence.
LSAs in an Area
- LSAs communicate with adjacent routers in the same OSPF area
Path Calculation
Changes to the topological database of a router trigger a recalculation to re-establish the best route(s) to known networks.
Uses the SPF (shortest path first) algorithm developed by a computer scientist named Dijkstra.
This is done by each individual router using its detailed "knowledge" of the whole network.
Leads to rapid and accurate convergence.
Based on detailed knowledge of every link in the area and the OSPF "cost" of each, each router builds a shortest-path tree with itself at the root.
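Added example, not code from the original slides: the SPF computation described above, run over a constructed four-router link-state database, with link costs taken from the 10^8 / bandwidth rule the deck gives under Terminology: Cost. Router names, bandwidths and the reference bandwidth are assumptions.

```python
import heapq

# Constructed link-state database (not from the page): for each router, its links
# as (neighbour, interface bandwidth in bits per second).
LSDB = {
    "R1": [("R2", 100_000_000), ("R3", 1_544_000)],
    "R2": [("R1", 100_000_000), ("R3", 10_000_000), ("R4", 1_544_000)],
    "R3": [("R1", 1_544_000), ("R2", 10_000_000), ("R4", 100_000_000)],
    "R4": [("R2", 1_544_000), ("R3", 100_000_000)],
}

def ospf_cost(bandwidth_bps, reference_bps=100_000_000):
    """Default OSPF cost = 10^8 / bandwidth, truncated to an integer, never below 1.
    A serial link left at the default 1544 kbit/s bandwidth gets cost 64 even if the
    real circuit is slower, which is why the deck says to set the bandwidth command."""
    return max(1, reference_bps // bandwidth_bps)

def spf(lsdb, root):
    """Dijkstra's shortest path first from `root`, the tree's root.
    Returns {router: (total cost, next hop from root)} for every reachable router."""
    dist = {root: 0}
    next_hop = {root: None}
    heap = [(0, root)]
    done = set()
    while heap:
        cost, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nbr, bw in lsdb.get(node, []):
            new_cost = cost + ospf_cost(bw)
            if new_cost < dist.get(nbr, float("inf")):
                dist[nbr] = new_cost
                # the next hop is the root's own neighbour on this branch of the tree
                next_hop[nbr] = nbr if node == root else next_hop[node]
                heapq.heappush(heap, (new_cost, nbr))
    return {r: (dist[r], next_hop[r]) for r in dist}

def routing_table(lsdb, root):
    """Forwarding view derived from the tree: destination -> next hop."""
    return {r: hop for r, (_, hop) in spf(lsdb, root).items() if r != root}

if __name__ == "__main__":
    for dest, (cost, hop) in sorted(spf(LSDB, "R1").items()):
        print(f"{dest}: cost {cost} via {hop}")
```

Note that R1 reaches R3 through R2 (cost 1 + 10 = 11) rather than over the direct T1 link (cost 64), since the low-bandwidth link dominates the path cost.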
Terminology: Cost
- Various criteria can be selected by the administrator to determine the metric.
- Usually, OSPF cost = 10^8 / bandwidth.
Do not forget to configure the bandwidth command on serial links to ensure the correct default OSPF cost.
Pros and Cons
Note that OSPF is a more sophisticated routing protocol.
Converges rapidly and accurately.
Can use a metric calculation that effectively selects the "best" route(s) primarily based on bandwidth, although an OSPF cost can be administratively assigned.
Use of OSPF requires:
- More powerful routing hardware
- More detailed knowledge by the administrator, especially when large multi-area networks are used
Types of Neighbors
- OSPF can be defined for three types of neighbors:
  - Broadcast Multi-Access (BMA), e.g. Ethernet
  - Point to Point
  - Non-Broadcast Multi-Access (NBMA)
OSPF Network Types
Adjacencies
Point to Point: all routers form adjacencies.
BMA & NBMA: one router is elected as DR.
The DR establishes an adjacency with every neighbor router.
LSA updates are exchanged only with the DR.
The DR is the router which has the highest priority.
All Cisco routers have priority 1.
If the priority is the same, the router ID is compared.
The RID is the highest IP address of all interfaces.
Point-to-Point Links
Multi-access Broadcast Network
DR Responsibility
When a router sees a new or changed link-state, it sends an LSA to its DR using a particular multicast address.
OSPF Summary
- AD - 100
- Hop count is unlimited
- Metric = Cost = 10^8/BW
- Classless, VLSM
- Load balances over up to SIX routes
- Requires more processing power
Basic OSPF Configuration
The number 1 in the example command router ospf 1 is a process-id # that begins an OSPF process in the router.
More than one process can be launched in a router, but this is rarely necessary.
Usually the same process-id is used throughout the entire network, but this is not required.
The process-id # can actually be any value from 1 to "very large integer".
The process-id # cannot be ZERO.
This is NOT the same as the AS# used in IGRP and EIGRP.
Configuring OSPF Areas
After identifying the OSPF process, you need to identify the interfaces on which you want to activate OSPF communications.
Lab_A#config t
Lab_A(config)#router ospf 1
Lab_A(config-router)#network 10.0.0.0 0.255.255.255 area ?
  <0-4294967295>  OSPF area ID as a decimal value
  A.B.C.D         OSPF area ID in IP address format
Lab_A(config-router)#network 10.0.0.0 0.255.255.255 area 0
- Every OSPF network must have an area 0 (the backbone area) to which other areas connect.
So in a multiple area network, there must be an area 0.
The wildcard mask represents the set of hosts supported by the network and is really just the inverse of the subnet mask.
OSPF Configuration
- The OSPF Process ID number is irrelevant. It can be the same on every router on the network.
- The arguments of the network command are the network number (10.0.0.0) and the wildcard mask (0.255.255.255).
- Wildcards: a 0 octet in the wildcard mask indicates that the corresponding octet in the network must match exactly.
- A 255 indicates that you don't care what the corresponding octet is in the network number.
- A network and wildcard mask combination of 1.1.1.1 0.0.0.0 would match 1.1.1.1 only, and nothing else.
- The network and wildcard mask combination of 1.1.0.0 0.0.255.255 would match anything in the range 1.1.0.0 to 1.1.255.255.
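Added example (not the slide deck's own code): wildcard-mask matching and subnet-mask inversion as described above, applied bit by bit rather than octet by octet, against the page's R1 network statements. The interface addresses are constructed, and the rule that the most specific statement wins when several overlap is an assumption about IOS behaviour.

```python
import ipaddress

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(address, network, wildcard):
    """Page rule: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = ~_ip(wildcard) & 0xFFFFFFFF          # bits the statement actually tests
    return (_ip(address) & care) == (_ip(network) & care)

def subnet_to_wildcard(subnet_mask):
    """The wildcard mask is simply the inverse of the subnet mask."""
    return str(ipaddress.IPv4Address(~_ip(subnet_mask) & 0xFFFFFFFF))

def ospf_enabled_interfaces(interfaces, network_statements):
    """interfaces: {name: ip}; network_statements: [(network, wildcard, area)].
    Returns {interface: area} for every interface some statement matches.
    Assumption: if several statements match, the one with the fewest wildcard
    1-bits (the most specific) decides the area."""
    result = {}
    for name, addr in interfaces.items():
        matches = [(bin(_ip(wc)).count("1"), area)
                   for net, wc, area in network_statements
                   if wildcard_match(addr, net, wc)]
        if matches:
            result[name] = min(matches)[1]
    return result

# Constructed R1 addressing (not from the page) checked against the page's
# R1 statements: network 200.0.0.16 0.0.0.15 area 0 / network 200.0.0.8 0.0.0.3 area 0.
R1_INTERFACES = {"Serial0": "200.0.0.9", "FastEthernet0": "200.0.0.17",
                 "Loopback0": "172.16.10.1"}
R1_NETWORKS = [("200.0.0.16", "0.0.0.15", 0), ("200.0.0.8", "0.0.0.3", 0)]
```

The loopback is left out of OSPF here because no statement covers 172.16.10.1; a third network statement (or the wildcard from subnet_to_wildcard("255.255.255.255"), i.e. 0.0.0.0) would be needed to advertise it.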
OSPF Configuration -1
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router ospf 1
R1(config-router)#network 10.0.0.0 0.255.255.255 area 0
R1(config-router)#network 20.0.0.0 0.255.255.255 area 0
R1(config-router)#^Z
OSPF Configuration -2
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router ospf 1
R1(config-router)#network 200.0.0.16 0.0.0.15 area 0
R1(config-router)#network 200.0.0.8 0.0.0.3 area 0
R1(config-router)#^Z

R3#config t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#router ospf 1
R3(config-router)#network 200.0.0.32 0.0.0.31 area 0
R3(config-router)#network 200.0.0.12 0.0.0.3 area 0
R3(config-router)#^Z
OSPF and Loopback Interfaces
Configuring loopback interfaces when using the OSPF routing protocol is important.
Cisco suggests using them whenever you configure OSPF on a router.
Loopback interfaces are logical interfaces, which are virtual, software-only interfaces; they are not real router interfaces.
Using loopback interfaces with your OSPF configuration ensures that an interface is always active for OSPF processes.
The highest IP address on a router will become that router's RID.
The RID is used to advertise the routes as well as to elect the DR and BDR.
If you configure a serial interface of your router with the highest IP address, that address becomes the RID of the router.
If this interface goes down, then a re-election must occur.
This can have a big impact when the above link is flapping.
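Added example, not from the slides: RID selection and a DR/BDR election as described on the Adjacencies slide and above, showing why a loopback keeps the RID (and so the election result) stable when the serial link fails. Router names, addresses and priorities are constructed; the loopback-first rule and priority 0 being ineligible are Cisco behaviour the deck does not spell out.

```python
import ipaddress

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def router_id(interfaces):
    """interfaces: list of (name, ip, is_up).
    Cisco rule: the highest loopback address becomes the RID; only when no loopback
    exists does the highest address on an up physical interface become the RID."""
    up = [(name, ip) for name, ip, is_up in interfaces if is_up]
    loopbacks = [ip for name, ip in up if name.lower().startswith("loopback")]
    pool = loopbacks or [ip for _, ip in up]
    if not pool:
        raise ValueError("no active interface from which to derive a router ID")
    return max(pool, key=_ip)

def elect_dr_bdr(segment):
    """segment: {router: (priority, rid)} on one multi-access network.
    Highest priority wins, ties go to the highest RID; the runner-up becomes BDR.
    Priority 0 means the router never becomes DR or BDR. Models a fresh election
    only: a DR already in place is not pre-empted by a later, better candidate."""
    eligible = sorted(((prio, _ip(rid), name) for name, (prio, rid) in segment.items()
                       if prio > 0), reverse=True)
    dr = eligible[0][2] if eligible else None
    bdr = eligible[1][2] if len(eligible) > 1 else None
    return dr, bdr

# Constructed scenario: R1's serial link carries its highest physical address.
R1_NO_LOOPBACK = [("Serial0", "200.0.0.33", True), ("FastEthernet0", "200.0.0.17", True)]
R1_WITH_LOOPBACK = R1_NO_LOOPBACK + [("Loopback0", "172.16.10.1", True)]

def after_serial_failure(interfaces):
    """Same router with Serial0 down: does the RID change?"""
    return router_id([(n, ip, up and n != "Serial0") for n, ip, up in interfaces])
```

Without the loopback the RID moves from 200.0.0.33 to 200.0.0.17 when Serial0 flaps; with it, the RID stays 172.16.10.1 even though that address is numerically lower.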
Configuring Loopback Interfaces
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int loopback 0
R1(config-if)#ip address 172.16.10.1 255.255.255.255
R1(config-if)#no shut
R1(config-if)#^Z
R1#
Verifying OSPF Operation
The show ip ospf interface Command
The show ip ospf neighbor Command
show ip ospf neighbor detail
Setting Priority for DR Election
EIGRP
- IGRP
  - DV
  - Easy to configure
  - Neighbor
  - Advanced Metric
  - Periodic
  - Broadcast
- OSPF
  - LS
  - Incremental Updates
  - Multicast
  - Open Standard
- EIGRP
  - Hybrid
  - DUAL
  - Topology Database
  - Rapid Convergence
  - Reliable
Overview
Introducing EIGRP
EIGRP supports:
- Rapid convergence
- Reduced bandwidth usage
- Multiple network-layer protocols
EIGRP Tables
- EIGRP maintains 3 tables:
  - Neighbor table
  - Topology table
  - Routing table
Neighbor Discovery
Metric Calculation
The metrics used by EIGRP in making routing decisions are (the lower the metric, the better):
- bandwidth
- delay
- load
- reliability
- MTU
Think of bandwidth as the width of the pipe and delay as the length of the pipe.
Topology Table
The topology table is made up of all the EIGRP routing tables in the autonomous system.
DUAL takes the information and calculates the lowest cost routes to each destination.
The information that the router learns from DUAL is used to determine the successor route, which is the term used to identify the primary or best route.
EIGRP Terminology and Operations
Successor: Current Route
A successor is a route selected as the primary route to use to reach a destination.
Successors are the entries kept in the routing table.
Feasible Successor: A backup route
A feasible successor is a backup route.
These routes are selected at the same time the successors are identified, but they are kept in the topology table.
Multiple feasible successors for a destination can be retained in the topology table.
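Added example, not the deck's own code: the composite metric from the Metric Calculation slide with the default K values, and successor / feasible-successor selection as described above. The DUAL feasibility condition (a backup's reported distance must be strictly below the successor's feasible distance) is standard EIGRP behaviour the slides do not state; the topology entries are constructed.

```python
def eigrp_metric(min_bandwidth_kbps, total_delay_tens_us):
    """Classic EIGRP composite metric with the default K values (K1 = K3 = 1, rest 0):
    256 * (10^7 / lowest bandwidth on the path in kbit/s + sum of delays in tens of us).
    Load, reliability and MTU only enter the formula when K2, K4 or K5 are non-zero.
    Integer division mirrors the router's truncation."""
    return 256 * (10_000_000 // min_bandwidth_kbps + total_delay_tens_us)

def select_routes(candidates):
    """candidates: {neighbour: (nbr_min_bw, nbr_delay, link_bw, link_delay)} for one
    destination. nbr_* describe the neighbour's own best path to the destination (what
    it reports), link_* the interface towards that neighbour.
    Returns (successor, feasible_distance, feasible_successors).
    Feasibility condition: a neighbour is a feasible successor only if its reported
    distance is strictly less than the feasible distance, which guarantees the backup
    path cannot loop back through this router."""
    reported = {n: eigrp_metric(bw, dly) for n, (bw, dly, _, _) in candidates.items()}
    total = {n: eigrp_metric(min(bw, lbw), dly + ldly)
             for n, (bw, dly, lbw, ldly) in candidates.items()}
    successor = min(total, key=total.get)
    fd = total[successor]
    feasible = sorted(n for n in candidates if n != successor and reported[n] < fd)
    return successor, fd, feasible

# Constructed topology-table entry (not from the page); delays in tens of microseconds.
CANDIDATES = {
    "R2": (100_000, 10, 100_000, 10),   # FastEthernet all the way
    "R3": (1_544, 2_000, 100_000, 10),  # neighbour reaches it over a T1 serial link
    "R4": (100_000, 15, 100_000, 10),   # slightly longer FastEthernet path
}
```

R4 qualifies as a feasible successor (reported 29440 < FD 30720); R3's reported distance is far above the FD, so it is kept in the topology table but not as a backup.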
Reliable Transport Protocol (RTP)
Used by EIGRP for its routing updates in place of TCP.
EIGRP can call on RTP to provide reliable or unreliable service.
EIGRP uses reliable service for route updates.
Unreliable for Hellos.
Discontiguous Network
EIGRP & IGRP Metric Calculation
Configuring EIGRP
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router eigrp 10
R1(config-router)#network 200.0.0.16
R1(config-router)#network 200.0.0.8
R1(config-router)#^Z

R3#config t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#router eigrp 10
R3(config-router)#network 200.0.0.32
R3(config-router)#network 200.0.0.12
R3(config-router)#^Z
Verifying the EIGRP Configuration
show ip eigrp topology
show ip eigrp topology all-links
Administrative Distances
TELNET
Getting information about a remote device.
Can connect to a remote device and configure it.
A password must be set:
R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login
Discovering Neighbors on the Network
cdp timer 90
Using CDP
Using the show cdp neighbors Command
The show cdp neighbor command (sh cdp nei for short) delivers information about directly connected devices.
CDP
show cdp neighbor detail
Using the show cdp entry Command
The show cdp entry * command displays the same information as the show cdp neighbor detail command.
Additional CDP Commands
Summary
Cisco Discovery Protocol is an information-gathering tool used by network administrators to get information about directly connected devices.
The show cdp entry, show cdp traffic, and show cdp interface commands display detailed CDP information on a Cisco device.
Why Use Access Lists?
ACLs are lists of conditions that are applied to traffic traveling across a router's interface.
These lists tell the router what types of packets to accept or deny.
Reasons to Create ACLs
ACLs
- A different access list is used for Telnet.
- When configuring ISDN you need to use an access list.
- Implicit deny at the bottom.
- All restrictive statements should come first.
- There are two types:
  - Standard
  - Extended
IP Packet
- SRC IP Address
- DEST IP Address
- Protocol type
- SRC Port
- DEST Port
The first 2 bytes in the TCP/UDP header are the source port number.
The next 2 bytes in the TCP/UDP header are the destination port number.
Types of Access Lists
Standard
- Checks source address
- Permits or denies entire protocol suite
Extended
- Checks source and destination address
- Generally permits or denies specific protocols
How to Identify Access Lists
Router(config)#access-list access-list-number {deny | permit} source [source-wildcard]
Wildcard Mask
access-list 99 permit 192.168.1.1 wildcard-mask
All 32 bits of an IP address can be filtered.
Wildcard (inverse) mask:
- 0 = must match
- 1 = ignore
The ANY and HOST keyword
access-list 1 permit 0.0.0.0 255.255.255.255
or
access-list 1 permit any
Testing Packets with Standard Access Lists
Outbound ACL Operation
Creating ACLs
ACLs are created in the global configuration mode. There are many different types of ACLs including standard, extended, IPX, AppleTalk, and others. When configuring ACLs on a router, each ACL must be uniquely identified by assigning a number to it. This number identifies the type of access list created and must fall within the specific range of numbers that is valid for that type of list.
The ip access-group command
Exercise - Standard Access List
Two steps to configure:
- Create a standard access list
- Apply the ACL to the proper interface, inbound or outbound
Config#int e 0
Config-if# ip access-group 1 out
Extended ACLs
Extended ACLs are used more often than standard ACLs because they provide a greater range of control.
Extended ACLs check the source and destination packet addresses as well as being able to check for protocols and port numbers.
At the end of the extended ACL statement, additional precision is gained from a field that specifies the optional Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number.
Logical operations may be specified, such as equal (eq), not equal (neq), greater than (gt), and less than (lt), that the extended ACL will perform on specific protocols.
Extended ACLs use an access-list-number in the range 100 to 199 (also from 2000 to 2699 in recent IOS).
Testing Packets with Extended Access Lists
Extended ACL Syntax
Extended ACL LAB
Config# access-list 100 deny tcp 200.0.0.10 0.0.0.7 200.0.0.18 0.0.0.15 eq www
Config# access-list 100 permit IP any any

192.168.0.34 should be denied FTP access to 192.168.0.18; 192.168.0.18 should be denied the website of 192.168.0.34.
On Router R1:
Config# access-list 100 deny tcp 192.168.0.34 0.0.0.0 192.168.0.18 0.0.0.0 eq 21
Config# access-list 100 permit IP any any
Config#int s0
Config-if# ip access-group 100 IN
On Router R3:
Config# access-list 100 deny tcp 192.168.0.18 0.0.0.0 192.168.0.34 0.0.0.0 eq 80
Config# access-list 100 permit IP any any
Config#int s0
Config-if# ip access-group 100 IN
Deny FTP
access-list 101 deny tcp any any eq 21
or
Rules
For an extended access list, apply near the source.
For a standard access list, apply near the destination.
Named ACLs
IP named ACLs were introduced in Cisco IOS Software Release 11.2, allowing standard and extended ACLs to be given names instead of numbers.
Named ACLs are not compatible with Cisco IOS releases prior to Release 11.2.
#int e 0
#ip access-group blocksales out
Verify Access List
Basic Rules for ACLs
- Standard IP access lists should be applied closest to the destination.
- Extended IP access lists should be applied closest to the source.
- Use the inbound or outbound interface reference as if looking at the port from inside the router.
- Statements are processed sequentially from the top of the list to the bottom until a match is found; if no match is found, the packet is denied.
- There is an implicit deny at the end of all access lists. This will not appear in the configuration listing.
- Access list entries should filter in the order from specific to general. Specific hosts should be denied first, and groups or general filters should come last.
- Never work with an access list that is actively applied.
- New lines are always added to the end of the access list.
- A no access-list x command will remove the whole list. It is not possible to selectively add and remove lines with numbered ACLs.
- Outbound filters do not affect traffic originating from the local router.
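Added example, not from the slides: a small evaluator for numbered ACLs written in the form used on the Extended ACL LAB slide, implementing the top-to-bottom processing, first-match and implicit-deny rules listed above together with the eq/neq/gt/lt port operators from the Extended ACLs slide. The port-name table and the parser are assumptions; the test packets are constructed.

```python
import ipaddress

PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}
OPERATORS = {"eq": lambda p, v: p == v, "neq": lambda p, v: p != v,
             "gt": lambda p, v: p > v, "lt": lambda p, v: p < v}

def wildcard_match(address, network, wildcard):
    """0 wildcard bits must match, 1 bits are ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (address, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def _address(tokens):
    """Consume one address spec: 'any', 'host A', or 'A wildcard'."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

def parse_acl(lines):
    """Parse numbered ACL lines in the page's form, keeping their order:
    access-list N {permit|deny} {ip|tcp|udp} SRC DST [eq|neq|gt|lt PORT]"""
    entries = []
    for line in lines:
        tok = line.lower().split()
        if tok[:1] != ["access-list"]:
            raise ValueError(f"not an access-list line: {line!r}")
        action, proto = tok[2], tok[3]
        src, src_wc, rest = _address(tok[4:])
        dst, dst_wc, rest = _address(rest)
        op = port = None
        if rest:                        # optional port test, e.g. "eq www" or "gt 1023"
            op, port = rest[0], PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append((action, proto, src, src_wc, dst, dst_wc, op, port))
    return entries

def evaluate(entries, proto, src, dst, dst_port=None):
    """Page rules: statements are processed top to bottom, the first match decides,
    and a packet matching nothing hits the implicit deny at the end of the list."""
    for action, p, s, s_wc, d, d_wc, op, port in entries:
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc)):
            continue
        if op is not None and (dst_port is None or not OPERATORS[op](dst_port, port)):
            continue
        return action
    return "deny"

# The page's Extended ACL LAB list, exactly as typed on the router.
LAB_ACL = parse_acl([
    "Access-list 100 deny tcp 200.0.0.10 0.0.0.7 200.0.0.18 0.0.0.15 eq www",
    "access-list 100 permit IP any any",
])
```

Because the deny line uses wildcard 0.0.0.7, it covers the whole 200.0.0.8-15 block, not just the host 200.0.0.10; a list consisting only of the deny line would drop every other packet through the implicit deny.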