
Network Devices and Configuration (ITec4113) Chapter 3 –Lecture Note

CHAPTER THREE
ROUTING PROTOCOLS CONFIGURATION
3.1 Introduction to Routing
Routers are small physical devices that join multiple networks together. Technically, a router is a Layer 3
gateway device, meaning that it connects two or more networks and that the router operates at the network
layer of the OSI model.
Routing is a process performed by routers and can be defined as follows:
- The process during which data packets are forwarded from one machine or device (technically referred
to as a node) to another on a network until they reach their destinations.
- Selecting the minimum cost, distance, and/or time path from several alternatives for a good or message
to reach its destination.
- The same as switching (with some very technical differences). IP routing uses IP addresses to forward
IP packets from their sources to their destinations. IP adopts packet switching.
The term routing encapsulates two tasks: deciding the paths for data transferred, and sending the packets on
these paths. Routing is a function carried out at the 3rd layer of the OSI reference model. A routing algorithm
decides the output line to transfer the incoming packets; algorithms are based on the routing protocol, which uses
metrics (bandwidth, delay, and reliability) to assess whether a particular path is the optimal path available for
transfer of the data packets.
How does routing work?
Let us consider a scenario where Balew sends a message from his computer in Burie to Dagnenet's machine
in Debre Markos. TCP and other protocols do their work with the data on Balew's machine; then it is sent to
the IP protocol's module, where the data packets are bundled into IP packets and sent over the network
(Internet). These data packets have to cross through a lot of routers to reach their destination. The work these
routers do is called routing. Each packet carries the IP addresses of the source and destination machine.
Each of the intermediate routers consults the IP address of each packet received. Based on this, each will know
exactly in which direction to forward the packet. Normally, each router has a routing table, where data about
the neighboring routers is stored. This data (data in routing table) is used to calculate and decide where to send
the packets. The packets go each one its own way and can move through different networks and take different
paths. They all finally get routed to one same destination machine.
On reaching Dagnenet's machine, the destination address and the machine address will match. The packets
will be consumed by the machine, where the IP module on it will reassemble them and send the resulting data
above to the TCP service for further processing. This picture briefly depicts IP Routing.

Fig. Packets can take different paths to their destination

DMU 2022 Page 1


A routing table is a type of data file that acts as a map and is often installed on a router, networked computer
or other hardware. A routing table is either a document stored in the router or on a network computer in the
form of a database, or is simply a file stored in the router. The data entered in the routing table is referred to
when the best possible path to transfer information across two computers in a network is to be determined.
The routing table contains information about various routes between devices in order to present the most
efficient paths for data packets. The table is a small in-memory database managed by the router's built-in
hardware and software.
A routing table uses static and dynamic Internet protocol or IP addresses to identify devices, and works with
an ARP cache that holds these addresses. The routing table is commonly referred to as a resource for finding
the next hop, or subsequent route for a data packet. Static or dynamic routes may be compared in order to find
the best path for data.
Part of the challenge of designing a routing table is in recording information on many devices with a fixed
memory or storage space. There’s also the issue of working with an ARP cache and correctly maintaining lists
of available routes for data. This is often referred to as incorrect definition of the topology of a network. Other
routing problems, such as black holes, which cause ineffective delivery, should also be considered when using
a routing table.
Routing tables contain a list of IP addresses. Each IP address identifies a remote router (or other network
gateway) that the local router is configured to recognize. For each IP address, the routing table additionally
stores a network mask and other data that specifies the destination IP address ranges that remote device will
accept.
Home network routers utilize a very small routing table because they simply forward all outbound traffic to
the Internet Service Provider (ISP) gateway which takes care of all other routing steps. Home router tables
typically contain ten or fewer entries. By comparison, the largest routers at the core of the Internet backbone
must maintain the full Internet routing table, which exceeds 100,000 entries and keeps growing as the Internet expands.
3.2. Types of routing
The two classifications of routing are static routing and dynamic routing. These classifications are based on
the way in which routing tables are created and updated. Routing in which the data in the routing table is
stored and updated manually is called static routing. On the other hand, routing in which the information in
the routing table is changed dynamically, by the router itself, is referred to as dynamic routing.

3.2.1. Static Routing


Static routing is not really a routing protocol. Static routing is simply the process of manually entering routes
into a device's routing table via a configuration file that is loaded when the routing device starts up. As an
alternative, these routes can be entered by a network administrator who configures the routes manually. Since
these manually configured routes don't change after they are configured (unless a human changes them) they
are called 'static' routes.
A static routing table is created, maintained, and updated by a network administrator, manually. A static route
to every network must be configured on every router for full connectivity. This provides a granular level of
control over routing, but quickly becomes impractical on large networks. Routers will not share static routes
with each other, thus reducing CPU/RAM overhead and saving bandwidth. However, static routing is not
fault-tolerant, as any change to the routing infrastructure (such as a link going down, or a new network added)
requires manual intervention. Routers operating in a purely static environment cannot seamlessly choose a
better route if a link becomes unavailable. Static routes have an Administrative Distance (AD) of 1, and thus
are always preferred over dynamic routes, unless the default AD is changed. A static route with an adjusted
AD is called a floating static route.
Use static routing when you have very few devices to configure and when you know the routes will probably
never change.
Static routing also does not handle failures in external networks well because any route that is configured
manually must be updated or reconfigured manually to fix or repair any lost connectivity.


There are pros and cons to static routing, but that is true for all routing processes. Static routing has the
following advantages and disadvantages:

Advantages of Static Routing
- Minimal CPU/Memory overhead
- No bandwidth overhead (updates are not shared between routers)
- Granular control on how traffic is routed (adds security)

Disadvantages of Static Routing
- Infrastructure changes must be manually adjusted
- No "dynamic" fault tolerance if a link goes down; the administrator is responsible
- Impractical on large networks

Here is the command syntax you use to add a static route to a routing table:

ip route [destination_network] [mask] [next-hop_address or exit interface] [administrative_distance] [permanent]

This list describes each part of the command:

- ip route: The command used to create the static route.
- destination_network: The network you are placing in the routing table.
- mask: The subnet mask being used on the network.
- next-hop_address: The address of the next-hop router that will receive the packet and forward it to the
remote network. This is a router interface that is on a directly connected network. You must be able to
ping the router interface before you add the route. If you type in the wrong next-hop address or the
interface to that router is down, the static route will show up in the router's configuration but not in the
routing table.
- exit interface: Used in place of the next-hop address if you want, and shows up as a directly connected
route.
- administrative_distance: By default, static routes have an administrative distance of 1 (or even 0 if
you use an exit interface instead of a next-hop address). You can change the default value by adding an
administrative weight at the end of the command.
- permanent: If the interface is shut down or the router cannot communicate with the next-hop router, the
route will automatically be discarded from the routing table. Choosing the permanent option keeps the
entry in the routing table no matter what happens.
Default Route
When the router is unable to find a match for the packet's destination address in its routing table, it
forwards the packet to the exit interface or next-hop address configured with a default route, 0.0.0.0/0.
Syntax
ip route 0.0.0.0 0.0.0.0 [next-hop_address or exit interface]

Use the following network topology to configure static/default route, EIGRP, and OSPF.


Configuration of static route

Exercise:

1. Configure a static route on both Router 1 and Router 2 so that PCs in 192.168.10.0/24 network are
able to communicate with PC 3 in 10.10.10.0/24 network and vice versa.
2. First remove the static configuration and then configure a default route on both Router 1 and
Router 2 so that PCs in 192.168.10.0/24 network are able to communicate with PC 3 in
10.10.10.0/24 network and vice versa.
3.2.2 Dynamic Routing
Dynamic routing uses a routing protocol, and these protocols use software and routing algorithms running on
the routing device (the router) to determine optimal network data transfer and communication paths between
network nodes. Routing protocols facilitate router communication and overall network topology
understanding. Routers in dynamic routing dynamically learn network destinations and how to get to them, and
also advertise those destinations to other routers. This advertisement function allows all the routers to learn
about all the destination networks that exist and how to reach those networks.

A dynamic routing table is created, maintained, and updated by a routing protocol running on the router.
Routers do share dynamic routing information with each other, which increases CPU, RAM, and bandwidth
usage. However, routing protocols are capable of dynamically choosing a different (or better) path when there
is a change to the routing infrastructure.
A router using dynamic routing will 'learn' the routes to all networks that are directly connected to the device.
Next, the router will learn routes from other routers that run the same routing protocol (RIP, RIP2, EIGRP,
OSPF, IS-IS, BGP etc.). Each router will then sort through its list of routes and select one or more 'best' routes
for each network destination the router knows or has learned.
Dynamic routing protocols will then distribute this 'best route' information to other routers running the same
routing protocol, thereby extending the information on what networks exist and can be reached. This gives
dynamic routing protocols the ability to adapt to logical network topology changes, equipment failures or
network outages 'on the fly'.
The following briefly outlines the advantages and disadvantages of dynamic routing:


Advantages of Dynamic Routing
- Simpler to configure on larger networks
- Will dynamically choose a different (or better) route if a link goes down
- Ability to load balance between multiple links

Disadvantages of Dynamic Routing
- Updates are shared between routers, thus consuming bandwidth
- Routing protocols put additional load on router CPU/RAM
- The choice of the "best route" is in the hands of the routing protocol, and not the network administrator
Most Internet Protocol (IP) networks use the following dynamic routing protocols. Dynamic routing
protocols are classified into two categories.
1. Distance Vector Routing Protocols (DVRP) – The distance-vector protocols find the best path to a
remote network by judging distance. Each time a packet goes through a router, that’s called a hop. The
route with the least number of hops to the network is determined to be the best route. The vector indicates
the direction to the remote network. Both RIP and IGRP are examples of distance-vector routing
protocols. They send the entire routing table to directly connected neighbors.
All distance-vector routing protocols share several key characteristics:
- Periodic updates of the full routing table are sent to routing neighbors.
- Distance-vector protocols suffer from slow convergence, and are highly susceptible to loops.
- Some form of distance is used to calculate a route's metric.
- The Bellman-Ford algorithm is used to determine the shortest path.
A distance-vector routing protocol begins by advertising directly-connected networks to its neighbors. These
updates are sent regularly (RIP – every 30 seconds; IGRP – every 90 seconds).
Neighbors will add the routes from these updates to their own routing tables. Each neighbor trusts this
information completely, and will forward their full routing table (connected and learned routes) to every other
neighbor. Thus, routers fully (and blindly) rely on neighbors for route information, a concept known as
routing by rumor.
Distance-vector protocols utilize some form of distance to calculate a route’s metric. RIP uses hop count as its
distance metric, and IGRP uses a composite of bandwidth and delay. EIGRP is also an advanced distance-
vector protocol.
2. Link State Routing Protocol (LSRP) – In link-state protocols, also called shortest-path-first protocols,
each router creates three separate tables. One of these tables keeps track of directly attached neighbors, one
determines the topology of the entire internetwork, and one is used as the routing table. Link state routers
know more about the internetwork than any distance-vector routing protocol. OSPF is an IP routing
protocol that is completely link state. Link-state protocols send updates containing the state of their own
links to all other routers on the network.
They use sophisticated algorithms that maintain a complex database of the internetwork topology. Examples
are:
- Intermediate System-to-Intermediate System (IS-IS) and
- Open Shortest Path First (OSPF)
Link-state routing protocols were developed to alleviate the convergence and loop issues of distance-vector
protocols. Link-state protocols maintain three separate tables:
- Neighbor table – contains a list of all neighbors, and the interface each neighbor is connected off of.
Neighbors are formed by sending Hello packets.
- Topology table – also known as the "link-state" table, contains a map of all links within an area,
including each link's status.
- Shortest-Path table – contains the best routes to each particular destination (also known as the
"routing" table).

Link-state protocols do not “route by rumor.” Instead, routers send updates advertising the state of their links
(a link is a directly-connected network). All routers know the state of all existing links within their area, and
store this information in a topology table. All routers within an area have identical topology tables.
The best route to each link (network) is stored in the routing (or shortest-path) table. If the state of a link
changes, such as a router interface failing, an advertisement containing only this link-state change will be sent
to all routers within that area. Each router will adjust its topology table accordingly, and will calculate a new
best route if required. By maintaining a consistent topology table among all routers within an area, link-state
protocols can converge very quickly and are immune to routing loops.
Additionally, because updates are sent only during a link-state change, and contain only the change (and not
the full table), link-state protocols are less bandwidth intensive than distance-vector protocols. However, the
three link-state tables utilize more RAM and CPU on the router itself. Link-state protocols utilize some form
of cost, usually based on bandwidth, to calculate a route’s metric. The Dijkstra formula is used to determine
the shortest path.
Do not confuse routing protocols with routed protocols:
- A routed protocol is a Layer 3 protocol that applies logical addresses to devices and routes data
between networks (such as IP).
- A routing protocol dynamically builds the network, topology, and next hop information in routing
tables (such as RIP, EIGRP, etc.).
3.3 Basic Concepts: AD, metrics and wildcard mask
There are some important things you should know about routing protocols before getting deeper into them.
Specifically, you need to understand administrative distances, metrics and wildcard masks.

Administrative Distance
An administrative distance is the value used by routers to choose the best path when there are two or more
routes to the same destination from two different routing protocols. An administrative distance guides the
selection of one routing protocol (or static route) over another, when more than one protocol adds the same
route to the unicast routing table. Each routing protocol is prioritized in order of most to least reliable using an
administrative distance value.
Static routes have a default administrative distance of 1. A router prefers a static route to a dynamic route
because the router considers a route with a low number to be the shortest. If you want a dynamic route to
override a static route, you can specify an administrative distance for the static route. For example, if you have
two dynamic routes with an administrative distance of 120, you would specify an administrative distance that
is greater than 120 for the static route if you want the dynamic route to override the static route.
The administrative distance (AD) is used to rate the trustworthiness of routing information received on a
router from a neighbor router. An administrative distance is an integer from 0 to 255, where 0 is the most
trusted and 255 means no traffic will be passed via this route. If a router receives two updates listing the same
remote network, the first thing the router checks is the AD. If one of the advertised routes has a lower AD than
the other, then the route with the lowest AD will be placed in the routing table.
If both advertised routes to the same network have the same AD, then routing protocol metrics (such as hop
count or bandwidth of the lines) will be used to find the best path to the remote network. The advertised route
with the lowest metric will be placed in the routing table. But if both advertised routes have the same AD as
well as the same metrics, then the routing protocol will load-balance to the remote network (which means that
it sends packets down each link).
Table below shows the default administrative distances that a Cisco router uses to decide which route to take
to a remote network.


Route Source            Default AD
Connected interface     0
Static route            1/0
EIGRP summary route     5
EIGRP                   90
IGRP                    100
OSPF                    110
IS-IS                   115
RIP                     120
External EIGRP          170
Unknown                 255 (this route will never be used)

Table 1: Default Administrative Distances


If a network is directly connected, the router will always use the interface connected to the network. If an
administrator configures a static route, the router will believe that route over any other learned routes.
For example, if you have a static route, a RIP-advertised route, and an IGRP-advertised route listing the same
network, then by default, the router will always use the static route unless you change the AD of the static
route.
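The selection rules above (AD first, then metric, then equal-cost load balancing) together with the longest-prefix lookup and the 0.0.0.0/0 default route from section 3.2.1, as an added Python illustration that is not part of the lecture note; the next-hop addresses 10.0.0.x, the interface name and the sample prefixes other than the exercise networks are constructed.

```python
from ipaddress import IPv4Address, IPv4Network

# Default administrative distances from Table 1 (Cisco defaults).
DEFAULT_AD = {
    "connected": 0, "static": 1, "eigrp_summary": 5, "eigrp": 90, "igrp": 100,
    "ospf": 110, "isis": 115, "rip": 120, "eigrp_external": 170,
}


class Route:
    def __init__(self, network, next_hop, source, metric=0, ad=None):
        self.network = IPv4Network(network)
        self.next_hop = next_hop
        self.source = source
        self.metric = metric
        # An explicit AD models a floating static route ("ip route ... 130").
        self.ad = DEFAULT_AD[source] if ad is None else ad

    def __repr__(self):
        return f"{self.network} via {self.next_hop} [{self.ad}/{self.metric}] ({self.source})"


class RoutingTable:
    def __init__(self):
        self.candidates = []  # every configured or advertised route

    def add(self, route):
        self.candidates.append(route)

    def withdraw(self, network, source):
        """Drop routes for a prefix learned from one source, e.g. when a
        dynamic route times out; a floating static route then takes over."""
        net = IPv4Network(network)
        self.candidates = [r for r in self.candidates
                           if not (r.network == net and r.source == source)]

    def installed(self, network):
        """Routes for one prefix that win selection: lowest AD first, then
        lowest metric; routes tied on both are all installed (load balancing)."""
        net = IPv4Network(network)
        same = [r for r in self.candidates if r.network == net]
        if not same:
            return []
        best_ad = min(r.ad for r in same)
        same = [r for r in same if r.ad == best_ad]
        best_metric = min(r.metric for r in same)
        return [r for r in same if r.metric == best_metric]

    def lookup(self, address):
        """Longest-prefix match. A 0.0.0.0/0 entry, if present, is the gateway
        of last resort because every other matching prefix is longer."""
        addr = IPv4Address(address)
        nets = {r.network for r in self.candidates if addr in r.network}
        if not nets:
            return []
        longest = max(nets, key=lambda n: n.prefixlen)
        return self.installed(str(longest))


def build_example_table():
    """Constructed scenario around the exercise networks; the inter-router
    addresses 10.0.0.x and the interface name are assumed."""
    rt = RoutingTable()
    rt.add(Route("192.168.10.0/24", "GigabitEthernet0/0", "connected"))
    rt.add(Route("10.10.10.0/24", "10.0.0.2", "static"))          # ip route 10.10.10.0 255.255.255.0 10.0.0.2
    rt.add(Route("10.10.10.0/24", "10.0.0.2", "rip", metric=1))   # same prefix from RIP: loses on AD (120 > 1)
    rt.add(Route("172.16.0.0/16", "10.0.0.2", "static", ad=130))  # floating static: ip route ... 10.0.0.2 130
    rt.add(Route("172.16.0.0/16", "10.0.0.6", "rip", metric=3))   # RIP at AD 120 beats the floating static
    rt.add(Route("192.168.50.0/24", "10.0.0.2", "rip", metric=2))  # two equal-cost RIP paths: both installed
    rt.add(Route("192.168.50.0/24", "10.0.0.6", "rip", metric=2))
    rt.add(Route("192.168.50.0/24", "10.0.0.10", "rip", metric=4))  # worse metric: not installed
    rt.add(Route("0.0.0.0/0", "10.0.0.2", "static"))              # ip route 0.0.0.0 0.0.0.0 10.0.0.2
    return rt


if __name__ == "__main__":
    rt = build_example_table()
    for dst in ("10.10.10.5", "172.16.4.9", "192.168.50.1", "8.8.8.8"):
        print(dst, "->", rt.lookup(dst))
    rt.withdraw("172.16.0.0/16", "rip")   # RIP route lost: the floating static takes over
    print("172.16.4.9 ->", rt.lookup("172.16.4.9"))
```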

Metric
There are cases when a routing protocol learns of more than one route to the same destination. To select the
best path, the routing protocol must be able to evaluate and differentiate between the available paths. For this
purpose a metric is used. A metric is a value used by routing protocols to assign costs to reach remote
networks. The metric is used to determine which path is most preferable when there are multiple paths to the
same remote network.
Each routing protocol uses its own metric. For example, RIP uses hop count, EIGRP uses a combination of
bandwidth and delay, and Cisco's implementation of OSPF uses bandwidth. Hop count is the easiest metric to
envision. The hop count refers to the number of routers a packet must cross to reach the destination network.

Wildcard mask
A wildcard mask is a mask of bits that indicates which parts of an IP address can assume any value. In the
Cisco IOS, they are used in several places, for example:

- To indicate the size of a network or subnet for some routing protocols, such as OSPF.
- To indicate what IP addresses should be permitted or denied in access control lists (ACLs).
A wildcard mask can be thought of as a subnet mask, with ones and zeros inverted; for example, a wildcard
mask of 0.0.0.255 corresponds to a subnet mask of 255.255.255.0. A wildcard mask is usually used in
combination with an IP address. For example, in a standard ACL, a statement like the following: allows data
from subnet 10.0.3.0/24 to pass, that is, the first three octets must match exactly, whereas all the bits in the
fourth octet can take on any value.
However, any bits can be marked as "don't care". For example, a wildcard mask of 0.0.0.254 (binary
equivalent = 00000000.00000000.00000000.11111110) in an ACL might accept (or deny) all even-numbered
IP addresses in a specific network.
Wildcard masks are used in situations where the subnet mask may not apply. For example, in an ACL, two
affected hosts may fall in different subnets, but the use of a wildcard mask can group the two together.


To calculate the wildcard mask

Simply subtract your subnet mask from 255.255.255.255 to get your wildcard mask.
Example:
The wildcard mask of /26 is:
255.255.255.255 - 255.255.255.192 = 0.0.0.63
The wildcard mask of /19 is:
255.255.255.255 - 255.255.224.0 = 0.0.31.255
The wildcard mask of /12 is:
255.255.255.255 - 255.240.0.0 = 0.15.255.255
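The subtraction rule above, and the "don't care" bit test that an ACL entry or OSPF network statement applies (including the non-contiguous 0.0.0.254 case), as an added Python illustration that is not part of the lecture note; the sample addresses are constructed.

```python
from ipaddress import IPv4Address, IPv4Network

ALL_ONES = 0xFFFFFFFF


def wildcard_from_prefix(prefixlen):
    """Wildcard mask for /prefixlen: 255.255.255.255 minus the subnet mask,
    which is the same as inverting every bit of the subnet mask."""
    subnet_mask = int(IPv4Network(f"0.0.0.0/{prefixlen}").netmask)
    return str(IPv4Address(ALL_ONES - subnet_mask))


def subnet_mask_from_wildcard(wildcard):
    """Inverse conversion, e.g. 0.0.0.255 -> 255.255.255.0."""
    return str(IPv4Address(ALL_ONES ^ int(IPv4Address(wildcard))))


def is_contiguous(wildcard):
    """True if the wildcard is a run of 0s followed by a run of 1s, i.e. it
    inverts to a valid subnet mask. ACLs also accept other patterns."""
    w = int(IPv4Address(wildcard))
    return (w & (w + 1)) == 0


def match_count(wildcard):
    """Number of addresses an address/wildcard pair matches: one per
    combination of the 'don't care' bits."""
    return 2 ** bin(int(IPv4Address(wildcard))).count("1")


def matches(address, wildcard, candidate):
    """The test an ACL entry or OSPF network statement applies: a 0 bit in the
    wildcard must match the address, a 1 bit may take any value."""
    care = ALL_ONES ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(address)) & care) == (int(IPv4Address(candidate)) & care)


if __name__ == "__main__":
    for prefix in (26, 19, 12):
        print(f"/{prefix}: wildcard {wildcard_from_prefix(prefix)}")
    # 0.0.0.254 from the text: the lowest bit must match 0, so only even hosts match
    for host in ("10.0.3.200", "10.0.3.201"):
        print(host, "matches 10.0.3.0 0.0.0.254:", matches("10.0.3.0", "0.0.0.254", host))
```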

Wildcard Mask Exercises

1. You wish to match all hosts on the 192.168.1.0/24 network. What address and wildcard mask combination
should you use?
2. You wish to match the specific host 172.16.1.1. What address and wildcard mask combination should you
use?
3.3.1 Routing Information Protocol (RIP)
Routing Information Protocol (RIP) is a standards-based, distance-vector, interior gateway protocol (IGP)
used by routers to exchange routing information. RIP only uses hop count to determine the best path between
two locations. Hop count is the number of routers the packet must go through until it reaches the destination
network. The maximum allowable number of hops a packet can traverse in an IP network implementing RIP
is 15 hops. It has a maximum allowable hop count of 15 by default, meaning that 16 is deemed unreachable.
The hop count represents the total number of routing devices a given piece of data (packet) passes through.
Repeaters, hubs, end stations and switches are transparent and do not route, and are therefore not included in
the hop count. Typically the hop count equals the number of routers; firewalls that also act as routers can be
included in the hop count. RIP works well in small networks, but
it's inefficient on large networks with slow WAN links or on networks with a large number of routers
installed. In a RIP network, each router broadcasts its entire RIP table to its neighboring routers every 30
seconds. When a router receives a neighbor's RIP table, it uses the information provided to update its own
routing table and then sends the updated table to its neighbors.
RIP plays an important role providing the shortest and best path for data to take from node to node. The hop is
the step towards the next existing device, which could be a router, computer or other device. Once the length
of the hop is determined, the information is stored in a routing table for future use. RIP is being used in both
local and wide area networks and is generally considered to be easily configured and implemented.
RIP uses only hop count to determine the best path to a network. If RIP finds more than one link to the same
remote network with the same hop count, it will automatically perform a round-robin load balancing. RIP can
perform load balancing for up to six equal-cost links (four by default). However, a problem with this type of
routing metric arises when the two links to a remote network are different bandwidths but the same hop count.
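The distance-vector exchange described in this section (full-table updates, Bellman-Ford relaxation by one hop per router, hop count 16 = unreachable), as an added Python simulation that is not part of the lecture note; the line of routers R1..Rn, each with a directly connected network net1..netn, is constructed.

```python
INFINITY = 16  # RIP: a hop count of 16 means unreachable


class Router:
    def __init__(self, name, connected):
        self.name = name
        # routing table: network -> (hop count, next hop); connected = 0 hops
        self.table = {net: (0, "connected") for net in connected}

    def advertise(self):
        """The full routing table, as RIP sends it to neighbors every 30 s."""
        return {net: hops for net, (hops, _) in self.table.items()}

    def receive(self, neighbor, update):
        """Bellman-Ford relaxation: the neighbor's distance plus one hop."""
        changed = False
        for net, hops in update.items():
            cand = min(hops + 1, INFINITY)
            cur_hops, cur_via = self.table.get(net, (INFINITY, None))
            # Install a better route; also believe a worse metric if it comes
            # from the router we already use as next hop (routing by rumor).
            if cand < cur_hops or (cur_via == neighbor and cand != cur_hops):
                if cand >= INFINITY:
                    self.table.pop(net, None)   # route became unreachable
                else:
                    self.table[net] = (cand, neighbor)
                changed = True
        return changed

    def hops_to(self, net):
        return self.table.get(net, (INFINITY, None))[0]


def run_rip(routers, links, max_rounds=40):
    """Exchange full tables across every link, one synchronous round at a
    time, until a round changes nothing. Returns the number of rounds used."""
    by_name = {r.name: r for r in routers}
    for rnd in range(1, max_rounds + 1):
        adverts = {r.name: r.advertise() for r in routers}
        changed = False
        for a, b in links:
            changed |= by_name[b].receive(a, adverts[a])
            changed |= by_name[a].receive(b, adverts[b])
        if not changed:
            return rnd
    return max_rounds


def chain(n):
    """Constructed topology: routers R1..Rn in a line, each with its own
    directly connected network net1..netn."""
    routers = [Router(f"R{i}", [f"net{i}"]) for i in range(1, n + 1)]
    links = [(f"R{i}", f"R{i + 1}") for i in range(1, n)]
    return routers, links


if __name__ == "__main__":
    routers, links = chain(18)
    rounds = run_rip(routers, links)
    r1 = routers[0]
    print(f"converged after {rounds} update rounds")
    for net in ("net2", "net16", "net17", "net18"):
        h = r1.hops_to(net)
        print(f"R1 -> {net}: {'unreachable' if h >= INFINITY else f'{h} hops'}")
```

With 18 routers in a line, R1 installs net16 at 15 hops but never installs net17 or net18, which would need 16 or more: that is the 15-hop limit in action.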
The differences between RIPv1 and RIPv2
RIPv1
– It is a classful protocol (which means that all devices in the network must use the same subnet mask).
This is because RIP version 1 doesn’t send updates with subnet mask information.
– RIP supports up to six equal-cost paths to a single destination, where all six paths can be placed in the
routing table and the router can load-balance across them. The default is actually four paths, but this
can be increased up to a maximum of six. Remember that an equal-cost path is where the hop count
value is the same. RIP will not load-balance across unequal-cost paths.
– Outdated

RIPv2
– RIPv2 uses multicasts
– RIPv2 supports triggered updates—when a change occurs, a RIPv2 router will immediately propagate
its routing information to its connected neighbors.
– RIPv2 is a classless protocol. RIPv2 supports variable-length subnet masking (VLSM)
– RIPv2 supports authentication. You can restrict what routers you want to participate in RIPv2. This is
accomplished using a hashed password value.
RIP Timers
RIP uses four different kinds of timers to regulate its performance:
Route update timer
Sets the interval (typically 30 seconds) between periodic routing updates in which the router sends a complete
copy of its routing table out to all neighbors.
Hold-down timer
This sets the amount of time during which routing information is suppressed. Routes will enter into the
hold-down state when an update packet is received that indicates the route is unreachable. This continues either
until an update packet is received with a better metric or until the hold-down timer expires. The default is 180
seconds.
Route invalid timer
It determines the length of time that must elapse (180 seconds) before a router determines that a route has
become invalid. It will come to this conclusion if it hasn’t heard any updates about a particular route for that
period. When that happens, the router will send out updates to all its neighbors letting them know that the
route is invalid.
Route flush timer
This sets the time between a route becoming invalid and its removal from the routing table (240 seconds).
Before it's removed from the table, the router notifies its neighbors of that route's impending failure. The value
of the route invalid timer must be less than that of the route flush timer. This gives the router enough time to
tell its neighbors about the invalid route before the local routing table is updated.

RIP configuration (Refer to your lecture note)

Syntax:

RIPv1:
router rip                (on global configuration mode)
network Network_Address

RIPv2:
router rip                (on global configuration mode)
version 2
network Network_Address
3.3.2 Interior Gateway Routing Protocol (IGRP)
Interior Gateway Routing Protocol (IGRP) is a dynamic classful routing protocol used by autonomous system
(AS) routers running on TCP/IP hosts. An AS is a collection of networks under a common administrative
domain, which basically means that all routers sharing the same routing table information are in the same AS.
EGPs are used to communicate between ASs.
IGRP overcomes Routing Information Protocol (RIP) network limitations and supports multiple routing
metrics, including delay, bandwidth, load and reliability. Routing updates are broadcast every 90 seconds (by
default).


The following are the characteristics of IGRP:

- Developed by Cisco
- Uses composite metrics
- Uses multipath routing
- Supports unequal-cost load balancing
- Supports hold-downs and split horizon
- Deprecated *
3.3.3 Enhanced Interior Gateway Routing Protocol (EIGRP)

EIGRP is an advanced distance vector routing protocol based on the principles of the Interior Gateway
Routing Protocol (IGRP). EIGRP is a successor to the Interior Gateway Routing Protocol (IGRP). Both are
owned by Cisco and operate only on their devices. Cisco introduced EIGRP because it needed a protocol with
faster converging abilities, route selection and calculation and the ability to record information from
neighboring devices.

EIGRP has the following characteristics:


1. Advanced operational efficiency
2. Capabilities of both link state and distance vector
3. A classless routing protocol
4. Unique features including use of the Reliable Transport Protocol (RTP, capable of transmitting both
multicast and unicast), the diffusing update algorithm (DUAL), and updates and updated information about
neighbors
5. Faster convergence because it pre-calculates routes and does not broadcast hold-down timer packets
before converging
6. Supports discontiguous networks
7. Supports all layer 3 protocols (IPv4, IPX, and IPv6)

EIGRP uses bandwidth, delay, load and reliability to calculate the metric for its routing table (not the hop count
used by legacy protocols). For this reason, EIGRP always selects and calculates the most optimal route for
efficiency. EIGRP uses the DUAL algorithm to avoid loops and sends hello packets to check the
status of neighbor routers.

It uses three tables for route discovery: the neighbor table, the topology table and the route table.

EIGRP configuration (Refer to your lecture note)

Syntax (on global configuration mode):
router eigrp AS
network Network_Address | network Network_Address Wildcard_mask

* AS can be any number in the range from 1 to 65535, both inclusive.

3.3.4 Open Shortest Path First (OSPF)

OSPF is a link state routing protocol (LSRP) that uses the Shortest Path First (SPF) network communication
algorithm (Dijkstra's algorithm) to calculate the shortest connection path between known devices.


OSPF is an Interior Gateway Protocol (IGP) that routes Internet Protocol (IP) packets within a single routing
domain only. OSPF finds the best network layout (topology) by calculating the shortest device
connection paths using the Shortest Path First (SPF) algorithm.
For example, a person in city A wants to travel to city M and is given two options:
- Travel via cities B and C. The route would be ABCM. And the distance (or bandwidth cost in the
networking case) for A-B is 10 miles, B-C is 5 miles and C-M is 10 miles.
- Travel via city F. The route would be AFM. And the distance for A-F is 20 miles and F-M is 10 miles.
The shortest route is always the one with least amount of distance covered in total. Thus, the ABCM route is
the better option (10+5+10=25), even though the person has to travel to two cities as the associated total cost
to travel to the destination is less than the second option with a single city (20+10=30). OSPF performs a
similar algorithm by first calculating the shortest path between the source and destination based on link
bandwidth cost and then allows the network to send and receive IP packets via the shortest route.
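The city example above carried through in code, as an added example that is not part of the lecture note: Dijkstra's SPF over the A, B, C, F, M graph with the stated costs (a constructed link dictionary), plus the Cisco IOS default OSPF interface cost formula (reference bandwidth of 100 Mbps divided by link bandwidth).

```python
import heapq

# Constructed link costs for the city example above: A-B 10, B-C 5, C-M 10
# (the ABCM route) and A-F 20, F-M 10 (the AFM route). Links are listed in
# both directions because OSPF treats each adjacency as bidirectional.
CITY_LINKS = {
    "A": {"B": 10, "F": 20},
    "B": {"A": 10, "C": 5},
    "C": {"B": 5, "M": 10},
    "F": {"A": 20, "M": 10},
    "M": {"C": 10, "F": 10},
}

# Cisco IOS default reference bandwidth used for OSPF cost: 100 Mbps.
DEFAULT_REFERENCE_BW = 100_000_000


def ospf_cost(link_bandwidth_bps, reference_bw=DEFAULT_REFERENCE_BW):
    """OSPF interface cost = reference bandwidth / link bandwidth, minimum 1."""
    return max(1, reference_bw // link_bandwidth_bps)


def shortest_path_first(graph, source):
    """Dijkstra's SPF run from `source`.

    Returns {node: (total_cost, path_string)} for every reachable node,
    e.g. {"M": (25, "ABCM"), ...}.
    """
    dist = {source: 0}   # best known cost to each node
    prev = {}            # predecessor on the best known path
    done = set()         # nodes whose cost is final
    heap = [(0, source)]
    while heap:
        cost, node = heapq.heappop(heap)
        if node in done:
            continue     # stale heap entry; a cheaper path was already finalised
        done.add(node)
        for neighbour, link_cost in graph[node].items():
            candidate = cost + link_cost
            if candidate < dist.get(neighbour, float("inf")):
                dist[neighbour] = candidate
                prev[neighbour] = node
                heapq.heappush(heap, (candidate, neighbour))
    routes = {}
    for node, cost in dist.items():
        hops = [node]
        while hops[-1] != source:
            hops.append(prev[hops[-1]])
        routes[node] = (cost, "".join(reversed(hops)))
    return routes


def best_route(graph, source, destination):
    """Return (total_cost, path_string), or None if no path exists."""
    return shortest_path_first(graph, source).get(destination)


if __name__ == "__main__":
    for dest, (cost, path) in sorted(shortest_path_first(CITY_LINKS, "A").items()):
        print(f"A -> {dest}: {path} (cost {cost})")
```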
A large network can be broken into smaller areas so that the routers in one area keep less topology information
and know nothing about the routers in other areas. Creating OSPF areas results in a smaller link state database,
which reduces memory consumption and processing.
OSPF maintains a two-layer hierarchy consisting of:
- Backbone area (area 0)
- Non-backbone areas (area 1 to 65535)
The following are the characteristics of OSPF:
- AD value is 110
- Supports classless networks
- Supports VLSM/CIDR and has unlimited hop count
- Supports hierarchical networks
- Route propagation using multicast
OSPF Configuration (Refer your lecture note)
Syntax: router ospf Process_ID (On global Configuration mode)
network Network_Address Wildcard_mask area 0

* Process_ID can be any number in the range from 1 to 65535 both inclusive.

Routing Protocol Comparison

Name   Class                     Type  AD                             Metric              Classful/Classless  Algorithm       Transport type
RIPv1  Distance Vector           IGP   120                            Hop count           Classful            Bellman-Ford    UDP/520
RIPv2  Distance Vector           IGP   120                            Hop count           Classless           Bellman-Ford    UDP/520
IGRP   Distance Vector           IGP   100                            Composite (BW+DLY)  Classful            Dijkstra (SPF)  IP Protocol 9
EIGRP  Advanced Distance Vector  IGP   90 (internal), 170 (external)  Composite (BW+DLY)  Classless           DUAL            EIGRP, IP Protocol 88
OSPF   Link State                IGP   110                            Cost (BW)           Classless           Dijkstra (SPF)  OSPF, IP Protocol 89
3.4 ACL (Access Control List)
ACLs can be used for two purposes on Cisco devices:
• To filter traffic
• To identify traffic


Access lists are a set of rules, organized in a rule table. Each rule or line in an access-list provides a condition,
either permit or deny:
When using an access-list to filter traffic, a permit statement is used to “allow” traffic, while a deny statement
is used to “block” traffic. Similarly, when using an access list to identify traffic, a permit statement is used to
“include” traffic, while a deny statement states that the traffic should “not” be included. It is thus interpreted
as a true/false statement.
Access control lists enable you to permit or deny packets based on source and destination IP address, IP
protocol information, or TCP or UDP protocol information.
Types of Access Lists
There are two categories of access lists: numbered and named. You can configure the following types of
numbered ACLs:
• Standard – Permits or denies packets based on source IP address. Valid standard ACL IDs are
1 – 99 or a string.
• Extended – Permits or denies packets based on source and destination IP address and also based on IP
protocol information. Valid extended ACL IDs are a number from 100 – 199 or a string.

• Named access lists provide a bit more flexibility. Descriptive names can be used to identify your
access lists. Additionally, individual lines can be removed from a named access list. However, like
numbered lists, all new entries are still added to the bottom of the access list.
There are two common types of named access lists:
• IP standard named access lists
• IP extended named access lists
IP access-lists use wildcard masks to determine two things:
1. Which part of an address must match exactly?
2. Which part of an address can match any number?
Consider the following address and wildcard mask:
Address: 172.16.0.0
Wild Card Mask: 0.0.255.255
The above would match any address that begins “172.16.” The last two octets could be anything. How do I
know this?
Two Golden Rules of Access Lists:
1. If a bit is set to 0 in a wild-card mask, the corresponding bit in the address must be matched exactly.
2. If a bit is set to 1 in a wild-card mask, the corresponding bit in the address can match any number. In
other words, we “don’t care” what number it matches.
To see this more clearly, we’ll convert both the address and the wild card mask into binary:
Address: 10101100.00010000.00000000.00000000
Wild Card Mask: 00000000.00000000.11111111.11111111
Any 0 bits in the wildcard mask, indicates that the corresponding bits in the address must be matched exactly.
Thus, looking at the above example, we must exactly match the following in the first two octets:
10101100.00010000 = 172.16
Any 1 bits in the wildcard mask indicates that the corresponding bits can be anything. Thus, the last two octets
can be any number, and it will still match this access-list entry.
If we wanted to match a specific address with a wildcard mask (we'll use 172.16.1.1 as an example), how would
we do it?
Address: 172.16.1.1
Wild Card Mask: 0.0.0.0
Written out in binary, that looks like:
Address: 10101100.00010000.00000001.00000001
Wild Card Mask: 00000000.00000000.00000000.00000000


Remember what a wildcard mask is doing. A 0 indicates it must match exactly, a 1 indicates it can match
anything. The above wildcard mask has all bits set to 0, which means we must match all four octets exactly.
There are actually two ways we can match a host:
• Using a wildcard mask with all bits set to 0 – 172.16.1.1 0.0.0.0
• Using the keyword “host” – host 172.16.1.1
How would we match all addresses with a wildcard mask?
Address: 0.0.0.0
Wild Card Mask: 255.255.255.255
Written out in binary, that looks like:
Address: 00000000.00000000.00000000.00000000
Wild Card Mask: 11111111.11111111.11111111.11111111
Notice that the above wildcard mask has all bits set to 1. Thus, each bit can match anything – resulting in the
above address and wildcard mask matching all possible addresses.
There are actually two ways we can match all addresses:
• Using a wildcard mask with all bits set to 1 – 0.0.0.0 255.255.255.255
• Using the keyword “any” – any
Standard IP Access List
Syntax: access-list [1-99] [permit | deny] [source address] [wildcard mask] [log]
Standard IP access-lists are based upon the source host or network IP address, and should be placed closest to
the destination network.
Consider the following example:

In order to block network 172.18.0.0 from accessing the 172.16.0.0 network, we would create the following
access-list on Router A:
Router(config)# access-list 10 deny 172.18.0.0 0.0.255.255
Router(config)# access-list 10 permit any
Notice the wildcard mask of 0.0.255.255 on the first line. This will match (deny) all hosts on the 172.18.x.x
network.
The second line uses a keyword of any, which will match (permit) any other address. Remember that you
must have at least one permit statement in your access list.


To apply this access list, we would configure the following on Router A:

Router(config)# int fa4/0
Router(config-if)# ip access-group 10 in
To view all IP access lists configured on the router:
Router# show ip access-list
To view what interface an access-list is configured on:
Router# show ip interface
Router# show running-config

Extended IP Access List

Syntax: access-list [100-199] [permit | deny] [protocol] [source address] [wildcard mask] [destination
address] [wildcard mask] [operator [port]] [log]
Extended IP access-lists filter based upon the source IP address, destination IP address, and TCP or UDP port
number. Extended access-lists should be placed closest to the source network.
Consider the following example: (use the above network topology)
Assume there is a web server on the 172.17.x.x network with an IP address of 172.17.0.10.
In order to block network 172.18.0.0 from accessing anything on the 172.17.0.0 network, EXCEPT for the
HTTP port on the web server, we would create the following access-list on Router B:
Router(config)# access-list 101 permit tcp 172.18.0.0 0.0.255.255 host 172.17.0.10 eq 80
Router(config)# access-list 101 deny ip 172.18.0.0 0.0.255.255 172.17.0.0 0.0.255.255
Router(config)# access-list 101 permit ip any any
The first line allows the 172.18.x.x network access only to port 80 on the web server. The second line blocks
172.18.x.x from accessing anything else on the 172.17.x.x network. The third line allows 172.18.x.x access to
anything else.
We could have identified the web server in one of two ways:
Router(config)# access-list 101 permit tcp 172.18.0.0 0.0.255.255 host 172.17.0.10 eq 80
Router(config)# access-list 101 permit tcp 172.18.0.0 0.0.255.255 172.17.0.10 0.0.0.0 eq 80
To apply this access list, we would configure the following on Router B:
Router(config)# int fa1/0
Router(config-if)# ip access-group 101 in
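To make the wildcard-mask golden rules and the top-down, first-match evaluation of access lists 10 and 101 concrete, here is an added Python model (example code, not the lecture note's own): it parses the chapter's ACL lines, applies the "don't care" masking, and falls through to the implicit deny when no line matches. Ports are assumed numeric, and the test packets are constructed.

```python
import ipaddress

# Constructed input: the standard list 10 (Router A) and the extended
# list 101 (Router B) exactly as shown in the examples above.
ACL_10 = [
    "access-list 10 deny 172.18.0.0 0.0.255.255",
    "access-list 10 permit any",
]
ACL_101 = [
    "access-list 101 permit tcp 172.18.0.0 0.0.255.255 host 172.17.0.10 eq 80",
    "access-list 101 deny ip 172.18.0.0 0.0.255.255 172.17.0.0 0.0.255.255",
    "access-list 101 permit ip any any",
]
ANY = ("0.0.0.0", "255.255.255.255")   # the "any" keyword written out


def wildcard_match(address, wildcard, candidate):
    """The two golden rules: a 0 bit in the wildcard must match exactly,
    a 1 bit is 'don't care'. Implemented by masking with the inverted wildcard."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(address)) & care) == \
           (int(ipaddress.IPv4Address(candidate)) & care)


def _target(tokens):
    """Consume one address spec ('any', 'host X' or 'X WILDCARD');
    return ((address, wildcard), remaining_tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(lines):
    """Parse numbered 'access-list N permit|deny ...' lines into rule dicts.
    Lists 1-99 are standard (source only); 100-199 are extended."""
    rules = []
    for line in lines:
        t = line.split()
        if t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError("not an access-list statement: " + line)
        number = int(t[1])
        rule = {"action": t[2], "proto": "ip", "dst": ANY, "dport": None}
        if 1 <= number <= 99:
            rule["src"], rest = _target(t[3:])
        elif 100 <= number <= 199:
            rule["proto"] = t[3]
            rule["src"], rest = _target(t[4:])
            rule["dst"], rest = _target(rest)
            if rest[:1] == ["eq"]:
                rule["dport"] = int(rest[1])   # numeric ports only in this model
        else:
            raise ValueError("unsupported ACL number: " + line)
        rules.append(rule)
    return rules


def evaluate(rules, proto, src, dst, dport=None):
    """Walk the list top to bottom; the first matching line decides.
    A packet that matches no line hits the implicit deny at the end."""
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != proto:
            continue
        if not wildcard_match(r["src"][0], r["src"][1], src):
            continue
        if not wildcard_match(r["dst"][0], r["dst"][1], dst):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"]
    return "deny"   # implicit deny: why every list needs at least one permit


if __name__ == "__main__":
    print(evaluate(parse_acl(ACL_10), "ip", "172.18.4.4", "172.16.1.1"))
    print(evaluate(parse_acl(ACL_101), "tcp", "172.18.4.4", "172.17.0.10", 80))
```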
3.5 Network Address Translation (NAT)
Network Address Translation (NAT) is designed for IP address conservation. It enables private IP networks
that use unregistered IP addresses to connect to the Internet. NAT operates on a router, usually connecting two
networks together, and translates the private (not globally unique) addresses in the internal network into legal
(globally known) addresses, before packets are forwarded to another network.
As part of this capability, NAT can be configured to advertise only one address for the entire network to the
outside world. This provides additional security by effectively hiding the entire internal network behind that
address. NAT offers the dual functions of security and address conservation and is typically implemented in
remote-access environments.
Network Address Translation (NAT) is the process of assigning a public address to a computer (or group of
computers) inside a private network. The main use of NAT is to limit the number of public IP addresses an
organization or company must use, for both economy and security purposes.
Basically, NAT allows a single device, such as a router, to act as an agent between the Internet (or public
network) and a local network (or private network), which means that only a single unique IP address is
required to represent an entire group of computers to anything outside their network.
The most common form of network translation involves a large private network using addresses in a private
range (10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, or 192.168.0.0 to 192.168.255.255). The


private addressing scheme works well for computers that only have to access resources inside the network,
like workstations needing access to file servers and printers. Routers inside the private network can route
traffic between private addresses with no trouble. However, to access resources outside the network, like the
Internet, these computers have to have a public address in order for responses to their requests to return to
them. This is where NAT comes into play.
Internet requests that require Network Address Translation (NAT) are quite complex but happen so rapidly
that the end user rarely knows it has occurred. A workstation inside a network makes a request to a computer
on the Internet. Routers within the network recognize that the request is not for a resource inside the network,
so they send the request to the firewall. The firewall sees the request from the computer with the internal IP. It
then makes the same request to the Internet using its own public address, and returns the response from the
Internet resource to the computer inside the private network. From the perspective of the resource on the
Internet, it is sending information to the address of the firewall. From the perspective of the workstation, it
appears that communication is directly with the site on the Internet. When NAT is used in this way, all users
inside the private network that access the Internet share the same public IP address. That means only one
public address is needed for hundreds or even thousands of users.
Most modern firewalls are stateful - that is, they are able to set up the connection between the internal
workstation and the Internet resource. They can keep track of the details of the connection, like ports, packet
order, and the IP addresses involved. This is called keeping track of the state of the connection. In this way,
they are able to keep track of the session composed of communication between the workstation and the
firewall, and the firewall with the Internet. When the session ends, the firewall discards all of the information
about the connection.
There are other uses for Network Address Translation (NAT) beyond simply allowing workstations with
internal IP addresses to access the Internet. In large networks, some servers may act as Web servers and
require access from the Internet. These servers are assigned public IP addresses on the firewall, allowing the
public to access the servers only through that IP address. However, as an additional layer of security, the
firewall acts as the intermediary between the outside world and the protected internal network. Additional
rules can be added, including which ports can be accessed at that IP address. Using NAT in this way allows
network engineers to more efficiently route internal network traffic to the same resources, and allow access to
more ports, while restricting access at the firewall. It also allows detailed logging of communications between
the network and the outside world.
Additionally, NAT can be used to allow selective access to the outside of the network, too. Workstations or
other computers requiring special access outside the network can be assigned specific external IPs using NAT,
allowing them to communicate with computers and applications that require a unique public IP address.
Again, the firewall acts as the intermediary, and can control the session in both directions, restricting port
access and protocols.
NAT is a very important aspect of firewall security. It conserves the number of public addresses used within
an organization, and it allows for stricter control of access to resources on both sides of the firewall.
Note: NAT is not restricted to private-to-public address translation, though that is the most common
application. NAT can also perform public-to-public address translation, as well as private-to-private address
translation.
NAT is only a temporary solution to the address shortage problem. IPv4 will eventually be replaced with
IPv6, which supports a vast address space. Both Cisco IOS devices and PIX/ASA firewalls support NAT.
Situations where you should use NAT:
• Your ISP did not provide you with sufficient public IP addresses
• Your company is going to merge with a company that uses the same address space
• You want to hide your internal IP address space from the outside
• You want to assign the same IP address to multiple machines


Types of NAT
NAT comes in three flavors:

• Static NAT: Provides a one-to-one mapping between local and global addresses; consequently, every
computer on the network must be allocated a single dedicated routable IP address.
• Dynamic NAT: A pool of routable IP addresses is configured on the router, and the router dynamically
assigns addresses from this pool to every machine that needs to send traffic to the "outside world".
This type of NAT needs good planning from the beginning so that the pool of IP addresses is enough
to cover the peak-hour traffic to the Internet.
• NAT overload (PAT): Port address translation is another variation of NAT and the most popular one.
It is also called NAT Overloading because it is designed to map many private IP addresses to just a
single registered IP address (the overloaded address) by applying different port numbers in the TCP or
UDP header.

Static NAT

In static NAT, a manual translation is performed by an address translation device, translating one IP address to a
different one. If you have 100 devices, you need to create 100 static entries in the address translation table.
Typically, static translation is done for inside resources that outside people want to access.
To configure static inside source address translation for the example shown in the Figure above, the following
need to be performed on the router:
• Specify the inside interface:
o Router(config)# interface fastethernet0/0 (private side interface)
o Router(config-if)# ip nat inside
• Specify the outside interface:
o Router(config)# interface fastethernet0/1 (public side interface)
o Router(config-if)# ip nat outside
• Enter the static translation entry:
o Router(config)# ip nat inside source static 192.168.0.1 206.245.160.1


Dynamic NAT

Dynamic NAT is mostly used when inside users need to access outside resources. The global address
assigned to the internal user isn't important, since outside devices don't directly connect to your internal users;
they just return the traffic that the inside user requested.
When an inside user sends traffic through the address translation device, say a router, it examines the source
IP address and compares it to the internal local address pool. If it finds a match, then it determines which
inside global address pool it should use for the translation. It then dynamically picks an address in the global
address pool that is not currently assigned to an inside device. The router adds this entry in its address
translation table, the packet is translated, and the packet is then sent to the outside world. If no matching entry
is found in the local address pool, the address is not translated and is forwarded to the outside world in its
original state.
When returning traffic comes back into your network, the address translation device examines the destination
IP addresses and checks them against the address translation table. Upon finding a matching entry, it converts
the global inside address to the local inside address in the destination IP address field of the packet header and
forwards the packet to the inside network.
To configure dynamic inside source address translation for the example shown in the figure above, the
following need to be performed:
• Specify the inside interface:
o Router(config)# interface fastethernet0/0
o Router(config-if)# ip nat inside
• Specify the outside interface:
o Router(config)# interface serial0/0
o Router(config-if)# ip nat outside
• Define an access list that permits the inside local addresses to be translated:
o Router(config)# access-list 1 permit 10.0.0.0 0.0.0.255
• Define a pool of global addresses:
o Router(config)# ip nat pool DNAT1 179.2.2.65 179.2.2.90 netmask 255.255.255.224
• Enter the dynamic translation entry:
o Router(config)# ip nat inside source list 1 pool DNAT1


In the previous static NAT configuration on Cisco Routers, we saw how you can translate one IP address into
another single IP address. This part will cover how to translate many IP addresses into many IP addresses,
otherwise referred to as many-to-many translation.
Dynamic NAT allows us to translate many IP addresses into a pool of many IP addresses. The big thing to
realize here is that the pool does not need to contain enough IP addresses to translate all the internal addresses
at the same time, as would be the case if we used Static NAT. Dynamic NAT allows internal hosts to be
translated into an IP address in the pool when it requires a connection. Once the internal host has finished its
session the NAT entry is removed from the NAT table allowing another internal host to use the external IP
address for its session.
Assume we have 50 hosts in our inside network but only have 5 public IP addresses available to use. With
Dynamic NAT we can allow all 50 internal addresses to share the 5 public addresses as and when they need
them. This of course does impose a limit of only 5 simultaneous connections to the outside world and that is
where PAT would come in and solve that problem.
One of the benefits of using Dynamic NAT vs Static NAT, is that Dynamic NAT requires the session to
originate from the inside network. No outside connections can be established to the inside network. This is
obviously a more secure solution as connections from the outside won’t work; only traffic originating from
the inside will be translated. Static NAT is different in the fact that the entry is added to the NAT table on a
permanent basis and will allow connections in either direction.
NAT overloading (PAT)
NAT Overload, also known as PAT (Port Address Translation) is essentially NAT with the added feature of
TCP/UDP ports translation.
NAT overload is the most common operation in most businesses around the world, as it enables the whole
network to access the Internet using one single real IP address.
'Overloading' means that the single public IP assigned to your router can be used by multiple internal hosts
concurrently. This is done by translating source UDP/TCP ports in the packets and keeping track of them
within the translation table kept in the router (R1 in our case below). This is a typical NAT configuration for
almost all of today's networks.

The first step in any NAT configuration is to define the inside and outside interfaces. It is imperative that we
define these interfaces for NAT overload to function.

Set the fast ethernet 0/0 interface as the inside interface:

R1# configure terminal
R1(config)# interface fastethernet0/0
R1(config-if)# ip nat inside

Next step is to set the serial interface S2/0 as the outside interface:

R1(config-if)# interface serial2/0
R1(config-if)# ip nat outside
R1(config-if)# exit
We now need to create an Access Control List (ACL) that will include local (private) hosts or network(s).
This ACL will later on be applied to the NAT service command, effectively controlling the hosts that will be
able to access the Internet. You can use standard or extended access lists depending on your requirements:

R1(config)# access-list 100 permit ip 192.168.0.0 0.0.0.255 any


The above command instructs the router to allow the 192.168.0.0/24 network to reach any destination.
All that's left now is to enable NAT overload and bind it to the outside interface previously selected:
R1(config)# ip nat inside source list 100 interface serial 2/0 overload

From this point onward, the router will happily create all the necessary translations to allow the
192.168.0.0/24 network access to the Internet.
NAT overloading is PAT, which involves using a pool with a range of one or more addresses or using an
interface IP address in combination with the port. When you overload, you create a fully extended translation.
This is a translation table entry containing IP address and source/destination port information, which is
commonly called PAT or overloading.
PAT (or overloading) is a feature of Cisco IOS NAT that is used to translate internal (inside local) private
addresses to one or more outside (inside global, usually registered/public) IP addresses. Unique source port
numbers on each translation are used to distinguish between the conversations.
With PAT, all devices that go through the address translation device have the same global IP address assigned
to them, so the source TCP or UDP port numbers are used to differentiate the different connections. If two
devices have the same source port number, the translation device changes one of them to ensure uniqueness.
The major difference between NAT and PAT is that in NAT only IP addresses are translated, not port numbers.
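An added model of the PAT translation table described above (example code, not from the lecture note): entries are fully extended, a colliding source port is rewritten so that global ports stay unique, return traffic is mapped back by reverse lookup, and unsolicited inbound packets find no entry and are dropped. The inside global address 206.245.160.1 is reused from the static NAT example; the inside hosts and the remote web server are constructed.

```python
# Constructed model of a PAT (NAT overload) device holding one inside global
# address. Real IOS keeps more state (timers, TCP flags); this keeps only
# what is needed to show port rewriting and the reverse lookup.


class PatTable:
    def __init__(self, inside_global, first_port=1024):
        self.inside_global = inside_global
        self.first_port = first_port
        # fully extended entries, keyed by the inside conversation:
        # (proto, local_ip, local_port, remote_ip, remote_port) -> global_port
        self.outbound_map = {}
        # reverse index for returning traffic:
        # (proto, global_port) -> (local_ip, local_port, remote_ip, remote_port)
        self.inbound_map = {}

    def _allocate_port(self, proto, wanted):
        """Keep the host's own source port when it is free; otherwise search
        upward (wrapping at 65535) for one not used by another conversation."""
        port = wanted
        while (proto, port) in self.inbound_map:
            port = port + 1 if port < 65535 else self.first_port
            if port == wanted:
                raise RuntimeError(f"no free {proto} ports on {self.inside_global}")
        return port

    def translate_outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Inside -> outside: rewrite the source address and, on collision, the
        source port. Returns the new (src_ip, src_port, dst_ip, dst_port)."""
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound_map:
            gport = self._allocate_port(proto, src_port)
            self.outbound_map[key] = gport
            self.inbound_map[(proto, gport)] = (src_ip, src_port, dst_ip, dst_port)
        return (self.inside_global, self.outbound_map[key], dst_ip, dst_port)

    def translate_inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Outside -> inside: only traffic answering an existing entry is mapped
        back. Anything unsolicited (no entry, or a different remote host) gets
        None, i.e. is dropped; this is why outside hosts cannot open sessions."""
        if dst_ip != self.inside_global:
            return None
        entry = self.inbound_map.get((proto, dst_port))
        if entry is None:
            return None
        local_ip, local_port, remote_ip, remote_port = entry
        if (src_ip, src_port) != (remote_ip, remote_port):
            return None
        return (src_ip, src_port, local_ip, local_port)

    def close(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Session finished: remove the entry so the global port can be reused."""
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        gport = self.outbound_map.pop(key, None)
        if gport is not None:
            del self.inbound_map[(proto, gport)]
        return gport is not None


if __name__ == "__main__":
    pat = PatTable("206.245.160.1")
    # two inside hosts pick the same source port towards the same web server
    print(pat.translate_outbound("tcp", "192.168.0.10", 50000, "203.0.113.5", 80))
    print(pat.translate_outbound("tcp", "192.168.0.11", 50000, "203.0.113.5", 80))
    print(pat.translate_inbound("tcp", "203.0.113.5", 80, "206.245.160.1", 50001))
```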
Disadvantages of Address Translation
Three main disadvantages of address translation are:
• Each connection has an added delay.
• Troubleshooting is more difficult.
• Not all applications work with address translation.

Address Translation Terms

Term                       Explanation
Inside local IP address    The IPv4 address that is assigned to a host on the inside network
Inside global IP address   A legitimate IPv4 address assigned by the ISP that represents one or more inside local IPv4 addresses to the outside world
Outside global IP address  An outside device with a registered public IP address
Outside local IP address   An outside device with an assigned private IP address

Further reading Assignment


1. Identify EIGRP and OSPF packet types.
2. What are DR and BDR in OSPF? How does a router become a DR or BDR?
3. What are Successor and Feasible Successor in EIGRP? How does a router become a Successor or Feasible
Successor?
4. Distance vector routing protocols' loop prevention methods
