Dynamic Routing Basics

© 2009, Velocis Systems

Routed versus Routing Protocols
• Routed protocols used between routers to direct user traffic; also called network protocols
– Examples: IP, IPX, DECnet, AppleTalk, NetWare, OSI, VINES

• Routing protocols used between routers to maintain routing tables
– Examples: RIP, IGRP, OSPF, BGP, EIGRP
Networking Fundamentals—Layer 3 Switching

Figure: a routing table with columns Network Protocol, Destination Network and Exit Port; networks 1.0, 2.0 and 3.0 are reached through exit addresses 1.1, 2.1 and 3.1.

DYNAMIC ROUTING

• Dynamic routing is the process by which routing protocols running on a router exchange reachability information with neighbor routers.
– If a change occurs in the network, the routing protocols automatically inform the other routers of the change.
• Most internetworks use dynamic routing.
Figure: routers A, B, C and D. A network change blocks the established path from A to D, and an alternate route is found dynamically.

Routing Protocols

What Is a Routing Protocol?
• Routing protocols are used between routers to determine paths and maintain routing tables.
• Once the path is determined, a router can route a routed protocol.
Routed protocol: IP. Routing protocols: RIP, EIGRP.

Figure (routing table, reconstructed from the slide):
  Network Protocol   Destination Network   Exit Interface
  Connected          10.120.2.0            E0
  RIP                172.16.1.0            S0
  EIGRP              172.17.3.0            S1

Autonomous Systems: Interior or Exterior Routing Protocols
Figure: Autonomous System 100 and Autonomous System 200.
– An autonomous system is a collection of networks under a common administrative domain
– IGPs operate within an autonomous system: RIP, EIGRP
– EGPs exchange routes between autonomous systems: BGP

Administrative Distance: Ranking Routes
Figure: Router A needs to send a packet to Network E. Both Router B (route learned via EIGRP, administrative distance 90) and Router C (route learned via RIP, administrative distance 120) will get it there. Which route is best?
– When the same destination is learned from more than one routing source, the router installs the route with the lowest administrative distance. Here the EIGRP route through Router B wins, regardless of the two protocols' metrics, because metrics of different protocols are not comparable.

Distance Vector versus Link State
• Distance vector
– Sends routing table information only to neighbors, so news of a change may need up to a minute per router to propagate
– Also called "routing by rumor": a router believes whatever its neighbor tells it
– Easy to configure, but slow to converge
• Link state
– Floods routing information about itself to all nodes, so changes are known immediately
– Efficient, but complex to configure
• Cisco's EIGRP hybrid
– Efficient and easy to configure

Distance Vector Routing Protocols
Figure: routers A, B, C and D, each holding its own routing table. Distance: how far. Vector: in which direction.
• Pass periodic copies of the routing table to neighbor routers and accumulate distance vectors

Distance Vector—Sources of Information and Discovering Routes
Figure (three slides, reconstructed): routers A, B and C in a chain. Router A has E0 on 10.1.0.0 and S0 on 10.2.0.0; Router B has S0 on 10.2.0.0 and S1 on 10.3.0.0; Router C has S0 on 10.3.0.0 and E0 on 10.4.0.0. Each router starts with only its directly connected networks (distance 0) and with each exchange learns its neighbor's entries one hop farther away, until the tables converge:

  Router A             Router B             Router C
  10.1.0.0   E0   0    10.2.0.0   S0   0    10.3.0.0   S0   0
  10.2.0.0   S0   0    10.3.0.0   S1   0    10.4.0.0   E0   0
  10.3.0.0   S0   1    10.1.0.0   S0   1    10.2.0.0   S0   1
  10.4.0.0   S0   2    10.4.0.0   S1   1    10.1.0.0   S0   2

• Routers discover the best path to destinations from each neighbor
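The exchange shown in the three slides above, as an added example that is not part of the original deck: a small synchronous distance-vector simulation over the same A, B, C chain and networks. It reproduces the converged tables and the number of update rounds needed, and adds one constructed scenario the slides only hint at with "routing by rumor": a rogue speaker on Router A's E0 segment advertising 10.4.0.0 at zero hops, which an unauthenticated distance-vector router accepts and installs over the legitimate two-hop route. The topology dictionary, the rogue advertisement and the round counting are assumptions of this example.

```python
"""Distance-vector convergence over the three-router chain from the slides.

Added example, not part of the original deck. Topology as on the slides:
  Router A: E0 on 10.1.0.0, S0 on 10.2.0.0
  Router B: S0 on 10.2.0.0, S1 on 10.3.0.0
  Router C: S0 on 10.3.0.0, E0 on 10.4.0.0
Each round every router offers its whole table to its neighbours and each
neighbour keeps the lowest hop count it has heard ("routing by rumor").
The optional rogue advertisement is a constructed illustration of why
unauthenticated updates are dangerous; it is not from the deck.
"""

INFINITY = 16  # RIP's unreachable hop count

# Constructed topology: router -> {interface: attached network}
INTERFACES = {
    "A": {"E0": "10.1.0.0", "S0": "10.2.0.0"},
    "B": {"S0": "10.2.0.0", "S1": "10.3.0.0"},
    "C": {"S0": "10.3.0.0", "E0": "10.4.0.0"},
}


def neighbours(router):
    """(neighbour, local exit interface) pairs sharing a network with router."""
    pairs = []
    for iface, net in INTERFACES[router].items():
        for other, ifaces in INTERFACES.items():
            if other != router and net in ifaces.values():
                pairs.append((other, iface))
    return pairs


def initial_tables():
    """Each router starts knowing only its connected networks at 0 hops."""
    return {r: {net: (iface, 0) for iface, net in ifs.items()}
            for r, ifs in INTERFACES.items()}


def converge(tables, rogue=None, max_rounds=20):
    """Synchronous update rounds until nothing changes.

    rogue: {router: [(network, advertised_hops, interface_heard_on), ...]}
    models an unauthenticated speaker on that segment repeating the same
    advertisement every round. Returns (tables, rounds_until_stable).
    """
    for rnd in range(1, max_rounds + 1):
        changed = False
        heard = {r: dict(t) for r, t in tables.items()}  # what neighbours sent
        for router, table in tables.items():
            offers = [(net, hops, iface)
                      for nbr, iface in neighbours(router)
                      for net, (_, hops) in heard[nbr].items()]
            offers += (rogue or {}).get(router, [])
            for net, hops, iface in offers:
                cost = min(hops + 1, INFINITY)
                if cost < table.get(net, (None, INFINITY))[1]:
                    table[net] = (iface, cost)
                    changed = True
        if not changed:
            return tables, rnd - 1
    return tables, max_rounds


def converged_tables(rogue=None):
    """Convenience wrapper returning only the stable tables."""
    return converge(initial_tables(), rogue)[0]


if __name__ == "__main__":
    for router, table in sorted(converged_tables().items()):
        print(router, sorted(table.items()))
    hijacked = converged_tables({"A": [("10.4.0.0", 0, "E0")]})
    print("A after rogue advertisement on E0:", hijacked["A"]["10.4.0.0"])
```

With no rogue speaker the tables stabilise after two rounds, exactly as the three slides show; with the rogue advertisement Router A sends 10.4.0.0 traffic out E0 toward the attacker, which is the reason RIPv2 and EIGRP offer per-interface MD5 authentication and why passive-interface belongs on segments that have no legitimate router.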

Distance Vector—Selecting Best Route with Metrics
Figure: two paths between Router A and Router B, a direct 56 kbps link and a two-hop path over T1 links. RIP uses hop count as its metric; EIGRP uses bandwidth (with delay).
• The metric is the information used to select the best path for routing: a hop-count metric prefers the single slow link, a bandwidth-based metric prefers the faster multi-hop path.

Distance Vector—Maintaining Routing Information
Figure (three slides): a topology change at Router A causes a routing table update; Router A sends out its updated routing table after the next update period expires; Router B then runs the same process to update its own routing table.
• Updates proceed step-by-step from router to router

RIP Overview
Figure: two paths between routers, one over a single 19.2 kbps link and one over two T1 links.
– Hop count metric selects the path (so RIP prefers the single 19.2 kbps hop over the two-hop T1 path)
– Routes update every 30 seconds

RIP Configuration
Router(config)# router rip
– Starts the RIP routing process
Router(config-router)# network network-number
• Selects participating attached networks
• The network number must be a major classful network number

RIP Configuration Example
Figure: Router A (E0 172.16.1.1, S2 10.1.1.1), Router B (S2 10.1.1.2, S3 10.2.2.2), Router C (S3 10.2.2.3, E0 192.168.1.1).

  Router A               Router B               Router C
  router rip             router rip             router rip
   network 172.16.0.0     network 10.0.0.0       network 192.168.1.0
   network 10.0.0.0                              network 10.0.0.0

Verifying the Routing Protocol—RIP
Figure: the same three-router topology as the configuration example.

  RouterA#sh ip protocols
  Routing Protocol is "rip"
    Sending updates every 30 seconds, next due in 0 seconds
    Invalid after 180 seconds, hold down 180, flushed after 240
    Outgoing update filter list for all interfaces is
    Incoming update filter list for all interfaces is
    Redistributing: rip
    Default version control: send version 1, receive any version
      Interface        Send  Recv   Key-chain
      Ethernet0        1     1 2
      Serial2          1     1 2
    Routing for Networks:
      10.0.0.0
      172.16.0.0
    Routing Information Sources:
      Gateway         Distance      Last Update
      10.1.1.2             120      00:00:10
    Distance: (default is 120)

Note the version line: this router sends RIP version 1 and accepts updates of any version. RIPv1 carries no authentication, so any host on a RIP-enabled segment can inject routes. RIPv2 with ip rip authentication mode md5 on each routed interface, and passive-interface on segments that contain no other router, closes that gap.

Displaying the IP Routing Table
Figure: the same three-router topology.

  RouterA#sh ip route
  Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
         i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
         U - per-user static route, o - ODR, T - traffic engineered route

  Gateway of last resort is not set

       172.16.0.0/24 is subnetted, 1 subnets
  C       172.16.1.0 is directly connected, Ethernet0
       10.0.0.0/24 is subnetted, 2 subnets
  C       10.1.1.0 is directly connected, Serial2
  R       10.2.2.0 [120/1] via 10.1.1.2, 00:00:07, Serial2
  R    192.168.1.0/24 [120/2] via 10.1.1.2, 00:00:07, Serial2

The bracketed pair on each RIP line is [administrative distance/metric]: 120 is RIP's default distance and the metric is the hop count to the network.
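An added example, not from the deck, tying the routing table above to the administrative distance slide: a parser for `show ip route` lines that extracts the [AD/metric] pair and interface, a selector that applies the lowest-AD-wins rule to candidate routes a router hears from different protocols (the Router B via EIGRP versus Router C via RIP case), and a check that flags routes whose distance is not the default for their protocol. The SAMPLE text is constructed from the RouterA output above; the ADMIN_DISTANCE table and the candidate tuples are this example's assumptions.

```python
"""Parse `show ip route` lines and apply administrative-distance ranking.

Added example, not from the deck. SAMPLE is constructed to match the
RouterA table shown above; choose_source() applies the rule from the
"Administrative Distance: Ranking Routes" slide to candidate routes a
router hears for one destination from different protocols.
"""
import re

# IOS default administrative distances for the route codes used on the slides.
ADMIN_DISTANCE = {"C": 0, "S": 1, "D": 90, "O": 110, "R": 120}

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*]{1,2})\s+(?P<prefix>\d+\.\d+\.\d+\.\d+(?:/\d+)?)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<via>[^,\s]+),\s+[^,]+,\s+(?P<iface>\S+)"
    r"|is directly connected,\s+(?P<conn>\S+))$"
)

# Constructed sample, copied from the RouterA `show ip route` output above.
SAMPLE = """\
Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Ethernet0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.1.1.0 is directly connected, Serial2
R       10.2.2.0 [120/1] via 10.1.1.2, 00:00:07, Serial2
R    192.168.1.0/24 [120/2] via 10.1.1.2, 00:00:07, Serial2
"""


def parse_routes(text):
    """One dict per route line; headers and 'is subnetted' lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        connected = m.group("conn") is not None
        routes.append({
            "code": m.group("code"),
            "prefix": m.group("prefix"),
            "ad": 0 if connected else int(m.group("ad")),
            "metric": 0 if connected else int(m.group("metric")),
            "via": None if connected else m.group("via"),
            "iface": m.group("conn") if connected else m.group("iface"),
        })
    return routes


def choose_source(candidates):
    """candidates: (code, metric, next_hop) offers for one destination.

    Lowest administrative distance wins; the metric only breaks ties within
    the same protocol, because metrics of different protocols (RIP hops,
    EIGRP composite) are not comparable.
    """
    return min(candidates, key=lambda c: (ADMIN_DISTANCE[c[0]], c[1]))


def nondefault_distance(routes):
    """Routes whose bracketed AD differs from the default for their code:
    the footprint of a `distance` command that can silently change which
    protocol's route the router believes."""
    return [r for r in routes
            if r["via"] is not None and ADMIN_DISTANCE.get(r["code"]) != r["ad"]]


if __name__ == "__main__":
    for r in parse_routes(SAMPLE):
        print(r)
    print(choose_source([("R", 1, "Router C"), ("D", 2172416, "Router B")]))
```

The selector shows the point of the administrative distance slide: the EIGRP candidate wins with a metric of 2172416 against a RIP hop count of 1, because distance is compared before metric.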

Link-State Routing Protocols
Figure: link-state packets from routers B, C and D feed Router A's topological database; the SPF algorithm builds a shortest path first tree, from which the routing table is derived.
• After the initial flood, pass small event-triggered link-state updates to all other routers

EIGRP Overview

What Is Enhanced IGRP (EIGRP)?
Figure: separate IP, IPX and AppleTalk routing protocols on one side; a single Enhanced IGRP process serving IP, IPX and AppleTalk on the other.
– EIGRP supports:
• Rapid convergence
• Reduced bandwidth usage
• Multiple network-layer protocols

EIGRP Features

• Advanced distance vector
• Loop-free: the DUAL algorithm installs only routes that satisfy its feasibility condition
• Fast convergence
• Easy configuration
• Fewer network design constraints than OSPF

EIGRP Features (cont.)

• Incremental updates
• Supports VLSM networks
• Classless routing

Advantages of EIGRP
• Uses multicast instead of broadcast
• Makes efficient use of link bandwidth (incremental, paced updates)
• Unequal-cost path load balancing
• Manual summarization can be done on any interface of any router within the network

EIGRP Support for Route Summarization
Figure: subnets such as 172.16.0.0/18 and 192.168.42.0/27 are advertised as the classful summaries 172.16.0.0/16 and 192.168.42.0/24.
• EIGRP performs route summarization
– Classful network boundaries (default)
– Arbitrary network boundaries (manual)

Configuring EIGRP

Configuring Summarization
Router(config-router)# no auto-summary
• Turns off autosummarization for the EIGRP process
Router(config-if)# ip summary-address eigrp <as-number> <address> <mask>
• Creates a summary address to be generated by this interface
Turn autosummarization off whenever subnets of one classful network sit on both sides of another network: with it on, both sides advertise the same classful summary and traffic for the far subnets is discarded.
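An added example, not from the deck, making the two summarization modes above concrete with Python's ipaddress module: what auto-summary collapses a subnet to at a classful boundary, the smallest prefix an ip summary-address eigrp statement would need to cover a set of subnets, and the address space such a summary claims without owning, which is what the Null0 discard route in the later show ip route output absorbs. The prefixes are constructed, loosely after the summarization figure.

```python
"""Auto-summary versus manual summarization, as the EIGRP slides describe.

Added example, not from the deck. classful_network() is what auto-summary
advertises at a classful boundary; manual_summary() finds the prefix an
`ip summary-address eigrp` statement would need to cover a set of subnets;
overclaimed() shows the space such a summary advertises without owning.
All prefixes below are constructed.
"""
import ipaddress


def classful_network(prefix):
    """Classful boundary (A: /8, B: /16, C: /24) that auto-summary collapses to."""
    net = ipaddress.ip_network(prefix, strict=False)
    first_octet = int(net.network_address) >> 24
    bits = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network((int(net.network_address), bits), strict=False)


def manual_summary(prefixes):
    """Smallest single prefix covering every given subnet."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def overclaimed(summary, prefixes):
    """Address space inside summary that no component subnet owns.

    Packets for it are attracted to the summarizing router, which drops
    them via the Null0 discard route ('is a summary, Null0' in show ip
    route). A summary covering unallocated space therefore blackholes it,
    and a classful auto-summary sent from both sides of a discontiguous
    network makes the blackhole bidirectional.
    """
    remaining = [summary]
    for p in prefixes:
        comp = ipaddress.ip_network(p)
        nxt = []
        for r in remaining:
            if comp.subnet_of(r):
                nxt.extend(r.address_exclude(comp))   # carve comp out of r
            elif not r.subnet_of(comp):
                nxt.append(r)                         # untouched by comp
        remaining = nxt
    return sorted(remaining)


if __name__ == "__main__":
    subnets = ["192.168.42.0/27", "192.168.42.64/27"]
    s = manual_summary(subnets)
    print("auto-summary of 172.16.3.0/24:", classful_network("172.16.3.0/24"))
    print("manual summary:", s, "overclaims:", overclaimed(s, subnets))
```

Before adding a manual summary, run overclaimed() over the subnets behind the interface; any prefix it returns is space the router will advertise and then silently drop.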

Verifying EIGRP Operation

Verifying EIGRP Operation
Router# show ip eigrp neighbors
– Displays the neighbors discovered by IP EIGRP
Router# show ip eigrp topology
– Displays the IP EIGRP topology table
Router# show ip route eigrp
– Displays current EIGRP entries in the routing table
Router# show ip protocols
– Displays the parameters and current state of the active routing protocol process
Router# show ip eigrp traffic
– Displays the number of IP EIGRP packets sent and received

Example EIGRP Configuration

R2 EIGRP Configuration

  <output omitted>
  interface FastEthernet0/0
   ip address 172.17.2.2 255.255.255.0
  <output omitted>
  interface Serial0/0/1
   bandwidth 64
   ip address 192.168.1.102 255.255.255.224
  <output omitted>
  router eigrp 100
   network 172.17.0.0
   network 192.168.1.0

Verifying EIGRP: show ip eigrp neighbors

  R1#show ip eigrp neighbors
  IP-EIGRP neighbors for process 100
  H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                  (sec)         (ms)       Cnt Num
  0   192.168.1.102   Se0/0/1       10 00:07:22   10  2280  0  5

Verifying EIGRP: show ip route eigrp

  R1#show ip route eigrp
  D    172.17.0.0/16 [90/40514560] via 192.168.1.102, 00:05:07, Serial0/0/1
       172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
  D       172.16.0.0/16 is a summary, 00:05:13, Null0
       192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
  D       192.168.1.0/24 is a summary, 00:05:13, Null0

  R1#show ip route
  <output omitted>
  Gateway of last resort is not set
  D    172.17.0.0/16 [90/40514560] via 192.168.1.102, 00:05:07, Serial0/0/1
       172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
  D       172.16.0.0/16 is a summary, 00:06:55, Null0
  C       172.16.1.0/24 is directly connected, FastEthernet0/0
       192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
  D       192.168.1.0/24 is a summary, 00:07:01, Null0
  C       192.168.1.96/27 is directly connected, Serial0/0/1

The "is a summary ... Null0" entries are the discard routes EIGRP installs for its summaries: packets for addresses inside the summary that match no more specific route are dropped here rather than forwarded back toward the neighbor.

Verifying EIGRP: show ip protocols

  R1#show ip protocols
  Routing Protocol is "eigrp 100"
    Outgoing update filter list for all interfaces is not set
    Incoming update filter list for all interfaces is not set
    Default networks flagged in outgoing updates
    Default networks accepted from incoming updates
    EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
    EIGRP maximum hopcount 100
    EIGRP maximum metric variance 1
    Redistributing: eigrp 100
    EIGRP NSF-aware route hold timer is 240s
    <output omitted>
    Maximum path: 4
    Routing for Networks:
      172.16.1.0/24
      192.168.1.0
    Routing Information Sources:
      Gateway         Distance      Last Update
      (this router)         90      00:09:38
      Gateway         Distance      Last Update
      192.168.1.102         90      00:09:40
    Distance: internal 90 external 170

Verifying EIGRP: show ip eigrp interfaces

  R1#show ip eigrp interfaces
  IP-EIGRP interfaces for process 100
                          Xmit Queue   Mean   Pacing Time   Multicast    Pending
  Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
  Fa0/0              0        0/0         0       0/10           0           0
  Se0/0/1            1        0/0        10      10/380         424          0

Verifying EIGRP: show ip eigrp topology

  R1#show ip eigrp topology
  IP-EIGRP Topology Table for AS(100)/ID(192.168.1.101)
  Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
         r - reply Status, s - sia Status

  P 192.168.1.0/24, 1 successors, FD is 40512000
          via Summary (40512000/0), Null0
  P 192.168.1.96/27, 1 successors, FD is 40512000
          via Connected, Serial0/0/1
  P 172.16.1.0/24, 1 successors, FD is 28160
          via Connected, FastEthernet0/0
  P 172.16.0.0/16, 1 successors, FD is 28160
          via Summary (28160/0), Null0
  P 172.17.0.0/16, 1 successors, FD is 40514560
          via 192.168.1.102 (40514560/28160), Serial0/0/1
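An added example, not from the deck, that reproduces the two numbers in the last topology entry above, 40514560 (R1's feasible distance to 172.17.0.0/16) and 28160 (the distance R2 reports), from the classic EIGRP composite metric with the default K values shown by show ip protocols. It assumes the IOS default interface delays (100 microseconds for FastEthernet, 20000 for serial) and the bandwidth 64 from the R2 configuration, and adds a check of DUAL's feasibility condition, which is what makes the "loop free" bullet on the EIGRP slides true.

```python
"""EIGRP composite metric, reproducing the feasible distances in the
`show ip eigrp topology` output above.

Added example, not from the deck. Uses the default K values shown by
`show ip protocols` (K1=1, K2=0, K3=1, K4=0, K5=0), the IOS default delays
(100 usec FastEthernet, 20000 usec serial) and the `bandwidth 64` from the R2
configuration. Classic 32-bit metric:
    256 * (10^7 / min_bandwidth_kbps + sum_of_delays_usec / 10)
"""

# (bandwidth_kbps, delay_usec); interface values as assumed above
FASTETHERNET = (100_000, 100)
SERIAL_64K = (64, 20_000)


def eigrp_metric(links, k1=1, k2=0, k3=1, k4=0, k5=0, load=1, reliability=255):
    """Classic metric for a path of (bandwidth_kbps, delay_usec) links.

    Bandwidth is the slowest link on the path, delay the sum of the links'
    delays; IOS truncates each term to an integer before scaling by 256.
    """
    if not links:
        raise ValueError("a path needs at least one link")
    min_bw = min(bw for bw, _ in links)
    bw_term = 10_000_000 // min_bw
    delay_term = sum(d for _, d in links) // 10
    metric = k1 * bw_term + (k2 * bw_term) // (256 - load) + k3 * delay_term
    if k5:
        metric = metric * k5 // (reliability + k4)
    return 256 * metric


def feasible_successors(fd, reported):
    """Neighbours usable as loop-free backups for a destination.

    fd: this router's feasible distance (best metric) to the destination.
    reported: {neighbour: reported distance, i.e. the neighbour's own metric}.
    DUAL's feasibility condition: a neighbour whose RD is strictly below our
    FD cannot be routing through us, so using it cannot form a loop.
    """
    return sorted(n for n, rd in reported.items() if rd < fd)


if __name__ == "__main__":
    # R1 reaches 172.17.0.0/16 over Serial0/0/1 (64 kbps) then R2's FastEthernet.
    print("R2 reported distance:", eigrp_metric([FASTETHERNET]))               # 28160
    print("R1 feasible distance:", eigrp_metric([SERIAL_64K, FASTETHERNET]))  # 40514560
    print(feasible_successors(40514560, {"R2": 28160, "R3": 40514560}))
```

The 64 kbps serial link dominates the metric: 10^7 / 64 = 156250 against a delay term of only 2010, which is why the topology table shows the same 40512000 base for everything behind Serial0/0/1 and why a misconfigured bandwidth statement on one interface can redirect traffic across a whole EIGRP domain.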

Verifying EIGRP: show ip eigrp traffic

  R1#show ip eigrp traffic
  IP-EIGRP Traffic Statistics for AS 100
    Hellos sent/received: 429/192
    Updates sent/received: 4/4
    Queries sent/received: 1/0
    Replies sent/received: 0/1
    Acks sent/received: 4/3
    Input queue high water mark 1, 0 drops
    SIA-Queries sent/received: 0/0
    SIA-Replies sent/received: 0/0
    Hello Process ID: 113
    PDM Process ID: 73

OSPF Overview

What Is OSPF?
– Has fast convergence
– Supports VLSM
– Processes updates efficiently
– Selects paths based on bandwidth (interface cost)

OSPF Terminology
(figure only)

OSPF Areas
(figure only)

Drawbacks of Link-State Routing
• The initial discovery causes flooding
• Link-state routing is memory and processor intensive: every router stores the full area topology and runs SPF on each change

OSPF Cost
• Places the router at the root of the tree and calculates the shortest path to each destination based on cumulative cost
• cost = 100000000 / bandwidth (bps), i.e. 10^8 divided by the interface bandwidth; any interface of 100 Mbps or faster therefore gets cost 1 unless the reference bandwidth is raised with auto-cost reference-bandwidth on every router in the area
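An added example, not from the deck, showing the two halves of the slide above: the IOS cost formula with its reference-bandwidth caveat, and an SPF run (Dijkstra with the calculating router at the root) over a constructed four-router link-state database. The topology, the bandwidths and the reference-bandwidth values are this example's assumptions.

```python
"""OSPF interface cost and the SPF run described on the "OSPF Cost" slide.

Added example, not from the deck. ospf_cost() is the IOS formula
reference_bandwidth / bandwidth with the 10^8 bps default; spf() is
Dijkstra with the calculating router at the root of the tree. The
four-router link-state database below is constructed.
"""
import heapq

REFERENCE_BW = 100_000_000  # IOS default auto-cost reference-bandwidth (10^8 bps)


def ospf_cost(bandwidth_bps, reference_bw=REFERENCE_BW):
    """Integer cost, minimum 1.

    With the default reference bandwidth every link of 100 Mbps or faster
    costs 1, so FastEthernet, GigabitEthernet and 10 GE are indistinguishable
    to SPF unless `auto-cost reference-bandwidth` is raised on every router.
    """
    return max(1, reference_bw // bandwidth_bps)


# Constructed LSDB: (router, router, bandwidth in bps); links are symmetric
LINKS = [
    ("A", "B", 100_000_000),  # FastEthernet
    ("A", "C", 1_544_000),    # T1
    ("B", "C", 64_000),       # 64 kbps serial
    ("B", "D", 1_544_000),    # T1
    ("C", "D", 10_000_000),   # Ethernet
]


def build_graph(links, reference_bw=REFERENCE_BW):
    """Adjacency map {router: {neighbour: cost}} from the LSDB."""
    graph = {}
    for a, b, bw in links:
        cost = ospf_cost(bw, reference_bw)
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def spf(graph, root):
    """Dijkstra from root; returns {destination: (total_cost, next_hop)}."""
    dist, prev = {root: 0}, {}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        for v, cost in graph[u].items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v], prev[v] = nd, u
                heapq.heappush(heap, (nd, v))
    routes = {}
    for node, cost in dist.items():
        if node == root:
            continue
        hop = node
        while prev[hop] != root:  # walk back to the first hop from root
            hop = prev[hop]
        routes[node] = (cost, hop)
    return routes


if __name__ == "__main__":
    print("1 GE cost at default reference:", ospf_cost(1_000_000_000))
    print("1 GE cost at 10 Gbps reference:", ospf_cost(1_000_000_000, 10_000_000_000))
    for dest, (cost, hop) in sorted(spf(build_graph(LINKS), "A").items()):
        print(f"A -> {dest}: cost {cost} via {hop}")
```

From A, D is reached through B at cost 65 (1 + 64) rather than through C at 74 (64 + 10); raising the reference bandwidth changes every cost in the graph, so it has to change on all routers at once or SPF results stop agreeing between neighbors.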

OSPF Operation

Router ID
– Number by which the router is known to OSPF
– Default: the highest IP address on an active interface at the moment of OSPF process startup
– Overridden by a loopback interface: the highest IP address of any active loopback interface is used instead (the router-id command overrides both)

Exchange Process
Figure (three slides): Router A (E0, 172.16.5.1/24) and Router B (E1, 172.16.5.2/24) on a shared segment.
– Down state: neither router has heard a Hello from the other.
– Init state: Router A sends a Hello, "I am router ID 172.16.5.1 and I see no one." Router B adds 172.16.5.1/24 (int E1) to its neighbors list.
– Two-way state: Router B replies, "I am router ID 172.16.5.2, and I see 172.16.5.1." Router A adds 172.16.5.2/24 (int E0) to its neighbors list; each router now sees itself listed in the other's Hello.

Discovering Routes
Figure (three slides): router 172.16.5.1 (E0) and the DR, router 172.16.5.3 (E0).
– Exstart state: both send a Hello claiming the master role. 172.16.5.1: "I will start exchange because I have router ID 172.16.5.1." The DR: "No, I will start exchange because I have a higher router ID."
– Exchange state: the routers swap database description (DBD) packets, "Here is a summary of my link-state database."
– Each DBD is acknowledged with an LSAck, "Thanks for the information!"

OSPF Operation in a Point-to-Point Topology

Point-to-Point Neighborship
– The router dynamically detects its neighboring router using the Hello protocol
– Adjacency is automatic as soon as the two routers can communicate
– OSPF packets on the link are sent as multicast to 224.0.0.5

Configuring OSPF in a Single Area

Configuring OSPF on Internal Routers
Figure (addresses as recoverable from the slide): Router A and Router B share a broadcast network 10.64.0.0/24 (A E0 10.64.0.1, B E0 10.64.0.2); Router B S0 (10.2.1.2) and Router C S1 connect over a point-to-point network 10.2.1.0/24.

  Router A
  <Output Omitted>
  interface Ethernet0
   ip address 10.64.0.1 255.255.255.0
  <Output Omitted>
  router ospf 1
   network 10.64.0.1 0.0.0.0 area 0

  Router B
  <Output Omitted>
  interface Ethernet0
   ip address 10.64.0.2 255.255.255.0
  !
  interface Serial0
   ip address 10.2.1.2 255.255.255.0
  <Output Omitted>
  router ospf 50
   network 10.0.0.0 0.255.255.255 area 0

Can assign a network or an interface address: the network statement takes either a single interface address with wildcard 0.0.0.0 or a whole network with a wider wildcard. The process number (1, 50) is local to each router and need not match between neighbors.

Verifying OSPF Operation

Verifying OSPF Operation
Router# show ip protocols
• Verifies that OSPF is configured
Router# show ip route
• Displays all the routes learned by the router
Router# show ip ospf interface
• Displays area ID and adjacency information
Router# show ip ospf
• Displays OSPF timers and statistics
Router# show ip ospf neighbor detail
• Displays information about DR, BDR and neighbors
Router# show ip ospf database
• Displays the contents of the link-state database
Router# clear ip route *
• Clears the IP routing table
Router# debug ip ospf option
• Displays router interaction during the hello, exchange, and flooding processes

ACCESS-LISTS

Why Use Access Lists?
Figure: a router connecting Token Ring and FDDI segments and the networks 172.16.0.0 and 172.17.0.0 to the Internet.
– Manage IP traffic as network access grows
– Filter packets as they pass through the router

Access List Applications
Figure: transmission of packets on an interface.
– Permit or deny packets moving through the router
– Permit or deny vty access to or from the router
– Without access lists all packets could be transmitted onto all parts of your network

What Are Access Lists?
Figure: an incoming packet on E0 passes through the access list processes (source, destination, protocol: permit?) before leaving as an outgoing packet on S0.
• Standard
– Checks source address
– Generally permits or denies the entire protocol suite
• Extended
– Checks source and destination address
– Generally permits or denies specific protocols
• Applied inbound or outbound on an interface

Outbound Access Lists
Figure (three slides, flowchart): a packet arrives on the inbound interface; the router looks for a routing table entry and chooses the outbound interface (S0 or E0). If the outbound interface has no access list, the packet is sent. If it has one, the access list statements are tested in order: on a permit the packet is sent; on a deny the packet goes to the discard bucket and the sender is notified.
• If no access list statement matches, the packet is discarded

A List of Tests: Deny or Permit
Figure (two slides): packets to interfaces in the access group are matched against the first test; on a match the packet is either denied (discard bucket) or permitted (destination interface). If the first test does not match, the next test(s) are tried in turn; a packet that matches none of them is denied.

Access List Configuration Guidelines
– Access list numbers indicate which protocol is filtered
– The order of access list statements controls testing
– There is an implicit deny any as the last access list test; every list should have at least one permit statement
– Create access lists before applying them to interfaces
– Access lists filter traffic going through the router; they do not apply to traffic originated by the router itself

Access List Command Overview
Step 1: Set parameters for this access list test statement (which can be one of several statements)
Router(config)# access-list access-list-number { permit | deny } { test conditions }
Step 2: Enable an interface to use the specified access list
Router(config-if)# { protocol } access-group access-list-number {in | out}
IP access lists are numbered 1-99 (standard) or 100-199 (extended)

How to Identify Access Lists

  Access List Type        Number Range/Identifier
  IP    Standard          1-99
        Extended          100-199
        Named             Name (Cisco IOS 11.2F and later)
  IPX   Standard          800-899
        Extended          900-999
        SAP filters       1000-1099

– Standard IP lists (1 to 99) test conditions of all IP packets from source addresses
– Extended IP lists (100 to 199) can test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports

Configuring Standard IP Access Lists

Standard IP Access List Configuration
Router(config)# access-list access-list-number {permit|deny} source [mask]
• Sets parameters for this list entry
• IP standard access lists use 1 to 99
• Default wildcard mask = 0.0.0.0 (matches the single address given)
• "no access-list access-list-number" removes the entire access list
Router(config-if)# ip access-group access-list-number { in | out }
– Activates the list on an interface
– Sets inbound or outbound testing
– Default = outbound
– "no ip access-group access-list-number" removes the access list from the interface

Standard IP Access List Example
Figure: a router with interfaces S0, E0 and E1; E0 leads to subnet 172.16.3.0, E1 to subnet 172.16.4.0 (host 172.16.4.13), and S0 toward non-172.16.0.0 networks.

  access-list 1 deny 172.16.4.13 0.0.0.0
  access-list 1 permit 0.0.0.0 255.255.255.255
  (implicit deny all)
  (access-list 1 deny 0.0.0.0 255.255.255.255)

– Deny a specific host; permit everything else. Without the explicit permit line the implicit deny would block all traffic on whichever interface the list is applied to.

Control vty Access With Access Class

Filter Virtual Terminal (vty) Access to a Router
Figure: the console port (direct connect) and the physical port e0; Telnet sessions arriving on e0 land on the virtual ports vty 0 through 4.
– Five virtual terminal lines (0 through 4)
– Filter the addresses that can access the router's vty ports
– Filter vty access out from the router

How to Control vty Access
Figure: Telnet via e0 to virtual ports vty 0 through 4.
• Set up an IP address filter with a standard access list statement
• Use line configuration mode to filter access with the access-class command
• Set identical restrictions on all vtys

Virtual Terminal Line Commands
Router(config)# line vty {vty# | vty-range}
• Enters configuration mode for a vty or vty range
Router(config-line)# access-class access-list-number {in|out}
• Restricts incoming or outgoing vty connections to addresses in the access list

Virtual Terminal Access Example
Controlling Inbound Access

  access-list 12 permit 192.89.55.0 0.0.0.255
  !
  line vty 0 4
  access-class 12 in

Permits only hosts in network 192.89.55.0 to connect to the router's vtys; every other source hits the implicit deny. Apply the same access-class to every vty line, since a session that lands on an unprotected line bypasses the filter entirely.

Configuring Extended IP Access Lists

Standard versus Extended Access Lists

  Standard                                              Extended
  Filters based on source                               Filters based on source and destination
  Permits or denies the entire TCP/IP protocol suite    Specifies a specific IP protocol and port number
  Range is 1 through 99                                 Range is 100 through 199

Extended IP Access List Configuration
Router(config)# access-list access-list-number { permit | deny } protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
• Sets parameters for this list entry
Router(config-if)# ip access-group access-list-number { in | out }
• Activates the extended list on an interface

16.3.4.0 0.0.0.3.16.0 S0 E0 E1 172.Extended Access List Example 1 172.16.0.0 Non172.16.0.16.0.16.0.16.255 172.3.0 0.0 out of E0 Networking Fundamentals—Layer 3 Switching – Permit all other traffic © 2009.0 to subnet 172.255 172.0 0.4.4.16.255 eq 21 access-list 101 deny tcp 172. Velocis Systems 8-98 .0.16.0 172.3.4.0.255 eq 20 – Deny FTP from subnet 172.0 0.13 access-list 101 deny tcp 172.16.4.0.

16.0 Non172.0 0.0.3.16.0.0 255.0.255.16.0.255.255.0.0.4.16.4.0 0.0 S0 E0 E1 172.16.16.3.255.255 172.3.0.0 to subnet 172. Velocis Systems 8-99 .0 0.0 255.0.0.13 access-list 101 deny tcp 172.255 172.16.255 eq 21 access-list 101 deny tcp 172.4.0 172.0.Extended Access List Example 1 172.0 0.0.16.4.4.3.0 out of E0 Networking Fundamentals—Layer 3 Switching – Permit all other traffic © 2009.0.16.255 eq 20 access-list 101 permit ip any any (implicit deny all) (access-list 101 deny ip 0.255) – Deny FTP from subnet 172.0.255 0.16.

0.255 eq 20 access-list 101 permit ip any any (implicit deny all) (access-list 101 deny ip 0.0.4.0.0.16.16.255) interface ethernet 0 ip access-group 101 out – Deny FTP from subnet 172.0 255.0.0.0 0.255 eq 21 access-list 101 deny tcp 172.0 Non172.0.16.3.0.3.255.255 172.16.13 access-list 101 deny tcp 172.255 172.0 0.255 0.0.16.0.16.0.4.255.0 255.4.16.0 S0 E0 E1 172.255.4.0 172.0 to subnet 172.Extended Access List Example 1 172.16.16.0.255.0. Velocis Systems 8-100 Networking Fundamentals—Layer 3 Switching – Permit all other traffic .16.0 0.4.3.0 0.0 out of E0 © 2009.3.

Extended Access List Example 2
Figure: the same router and subnets.

  access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23
  access-list 101 permit ip any any
  (implicit deny all)
  interface ethernet 0
  ip access-group 101 out

– Deny only Telnet from subnet 172.16.4.0 out of E0
– Permit all other traffic

Where to Place IP Access Lists
Figure: routers A, B, C and D joined by Ethernet, serial and Token Ring interfaces.
Recommended:
– Place extended access lists close to the source, so denied traffic is dropped before it crosses the network
– Place standard access lists close to the destination, because they match on source only and placed nearer the source would cut that source off from every destination beyond the filtering point

Monitoring Access List Statements
wg_ro_a# show {protocol} access-list {access-list number}
wg_ro_a# show access-lists {access-list number}

  wg_ro_a#show access-lists
  Standard IP access list 1
      permit 10.2.2.1
      permit 10.3.3.1
      permit 10.4.4.1
      permit 10.5.5.1
  Extended IP access list 101
      permit tcp host 10.22.22.1 any eq telnet
      permit tcp host 10.33.33.1 any eq ftp
      permit tcp host 10.44.44.1 any eq ftp-data
