Module 2 - IP Routing
Routing and Switching Administration II
Lesson - Variable Length Subnet Masking
Overview
IP Routing is an umbrella term for the set of protocols that determine the path that data follows in order to travel across multiple networks from its source to its destination. Concepts such as variable-length subnet masking (VLSM), manual route summarization and automatic route summarization are discussed in depth.
Routing and Switching Administration II
Module no. 2 : IP Routing
2
Lessons
1. Variable Length Subnet Masking
2. Routing Protocol
3. EIGRP Concepts
4. OSPF Protocol
5. Troubleshooting IP Routing
6. Access Control Lists
Lesson - Variable Length Subnet Masking
Introduction
IP Routing is a term for the set of protocols that establish the path that data follows in order to travel across multiple networks from its source to its destination. IP routing protocols enable routers to build a forwarding table that maps final destinations to next-hop addresses.
Topics
- Classless and Classful Routing Protocols
- Overlapping VLSM Subnets
- Addressing with VLSM
- Route Summarization
Classless and Classful Routing Protocols
Each IP routing protocol falls into either the classless or the classful routing category:
- Classful Routing Protocol
- Classless Inter-Domain Routing (CIDR)
Overlapping VLSM Subnets
The address ranges of subnets must not overlap anywhere in an IP internetwork. There are more chances of overlap when the network is designed with a single subnet mask. When subnets overlap, routing becomes unpredictable and only particular parts of the internetwork can reach some hosts. The problems related to overlapping VLSM subnets are:
- Analyzing an existing design to find overlaps.
- Selecting new VLSM subnets so that no overlapping subnet is created.
Addressing with VLSM
Designing the IP addressing scheme for a classful network can be done by selecting IP subnets with a single subnet mask. The process starts with evaluating the number of subnets and the number of hosts in the largest subnet. A subnet mask is then chosen, and all possible subnets of the network using that mask are identified.
Addressing with VLSM
To perform VLSM:
1. Find the largest segment in the area, that is, the segment with the largest number of devices connected to it.
2. Find the appropriate subnet mask for the largest network segment.
3. Write down the subnet numbers that fit the subnet mask.
4. For the smaller segments, take one of the newly created subnets and apply the most appropriate subnet mask to it.
5. Make a note of the newly subnetted subnets.
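The VLSM procedure above, together with the overlap check from the previous slide, as an added example that is not part of the course material; the parent block, segment names and host counts are constructed.

```python
"""VLSM address plan: carve one subnet per segment out of a parent block,
largest segment first, then check the plan for overlapping subnets.
Added example, not from the course slides; segment names and host counts
are constructed."""
from __future__ import annotations

import ipaddress
from itertools import combinations

IPv4Network = ipaddress.IPv4Network


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix whose block still holds `hosts` usable addresses
    (network and broadcast addresses are not usable)."""
    prefix = 32
    while (2 ** (32 - prefix)) - 2 < hosts:
        prefix -= 1
    return prefix


def allocate_vlsm(parent: str, segments: dict[str, int]) -> dict[str, IPv4Network]:
    """Steps 1-5 of the slide: sort segments by size, pick the mask for
    each, and take the lowest free block that fits; the remainder of that
    block returns to the free pool for the smaller segments."""
    free: list[IPv4Network] = [ipaddress.ip_network(parent)]
    plan: dict[str, IPv4Network] = {}
    for name, hosts in sorted(segments.items(), key=lambda kv: -kv[1]):
        prefix = prefix_for_hosts(hosts)
        for block in sorted(free):
            if block.prefixlen <= prefix:          # block is big enough
                free.remove(block)
                subnet = next(block.subnets(new_prefix=prefix))
                plan[name] = subnet
                free.extend(block.address_exclude(subnet))  # unused leftover
                break
        else:
            raise ValueError(f"no free block for {name} ({hosts} hosts)")
    return plan


def find_overlaps(plan: dict[str, IPv4Network]) -> list[tuple[str, str]]:
    """Pairs of segments whose address ranges overlap (must be empty)."""
    return [(a, b) for a, b in combinations(sorted(plan), 2)
            if plan[a].overlaps(plan[b])]


# Constructed input: four segments carved from 192.168.10.0/24.
SEGMENTS = {"LAN-A": 100, "LAN-B": 50, "LAN-C": 20, "WAN-link": 2}
PLAN = allocate_vlsm("192.168.10.0/24", SEGMENTS)

# Constructed hand-made plan with a mistake: LAN-B sits inside LAN-A.
BAD_PLAN = {"LAN-A": ipaddress.ip_network("192.168.10.0/25"),
            "LAN-B": ipaddress.ip_network("192.168.10.64/26")}

if __name__ == "__main__":
    for name, net in PLAN.items():
        print(f"{name:9} {net}  usable hosts: {net.num_addresses - 2}")
    print("overlaps in generated plan:", find_overlaps(PLAN))
    print("overlaps in bad plan:", find_overlaps(BAD_PLAN))
```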
Route Summarization
Route summarization takes a group of neighboring network numbers in the routing table and advertises them as a single summarized route. The advantages of route summarization include:
- It reduces the size of routing tables, requiring less memory and processing.
- It reduces the size of updates, requiring less bandwidth.
- It controls network problems.
Route Summarization
Route summarization can be categorized into two types:
- Manual Summarization: occurs only when an engineer configures one or more commands; the networks to be summarized have to be configured manually.
- Auto Summarization: happens automatically without a specific configuration command; it is enabled by default with some protocols.
Manual Summarization
The term manual refers to the fact that manual route summarization occurs only when an engineer configures one or more commands. When we summarize routes in RIP, IGRP, EIGRP, or OSPF, we replace a series of routes with a summary route and mask. Searching the routing table for the longest match is an important feature; it allows:
- the granularity of the hierarchical design;
- manual summarization;
- discontiguous networks.
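Computing the summary route and mask for a set of neighboring networks, as an added example that is not part of the course material; the network lists are constructed. It also reports how many addresses a summary advertises that none of the summarized networks actually holds, which is the practical risk of summarizing across a gap.

```python
"""Manual route summarization: compute the single summary route that
covers a set of neighboring networks, the exact aggregation, and how many
addresses the summary advertises that no listed network actually holds.
Added example, not from the course slides; the network lists are constructed."""
import ipaddress


def summary_route(networks: list) -> ipaddress.IPv4Network:
    """Longest prefix shared by all network addresses: the summary an
    engineer would configure for these routes."""
    nets = [ipaddress.ip_network(n) for n in networks]
    first = int(nets[0].network_address)
    for prefix in range(min(n.prefixlen for n in nets), -1, -1):
        mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
        if all(int(n.network_address) & mask == first & mask for n in nets):
            return ipaddress.ip_network((first & mask, prefix))
    raise AssertionError("unreachable: the /0 prefix always matches")


def exact_aggregation(networks: list) -> list:
    """Smallest set of summaries that covers exactly the listed networks
    (only contiguous, aligned blocks are merged)."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return list(ipaddress.collapse_addresses(nets))


def overclaimed_addresses(networks: list) -> int:
    """Addresses inside summary_route() that belong to none of the listed
    networks; a non-zero value means the summary attracts traffic for
    space the summarizing router cannot deliver."""
    covered = sum(n.num_addresses for n in exact_aggregation(networks))
    return summary_route(networks).num_addresses - covered


# Constructed: four contiguous /24s summarize exactly into one /22.
CONTIGUOUS = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]
# Constructed: 10.1.6.0/24 is missing, so the /22 summary overclaims it.
WITH_GAP = ["10.1.4.0/24", "10.1.5.0/24", "10.1.7.0/24"]

if __name__ == "__main__":
    for label, nets in (("contiguous", CONTIGUOUS), ("with gap", WITH_GAP)):
        print(label, "summary:", summary_route(nets),
              "exact:", [str(n) for n in exact_aggregation(nets)],
              "overclaimed:", overclaimed_addresses(nets))
```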
Autosummarization
Autosummarization applies when a router has interfaces in more than one Class A, B or C network: it can advertise a single route for the entire class network into the other classful network. The slide shows an example of autosummarization.
Conclusion
A Variable Length Subnet Mask (VLSM) is a means of assigning IP addresses to subnets. Classful networking is the name given to the first round of changes to the structure of the IP address in IPv4. The address ranges of subnets must not overlap anywhere in an IP internetwork. Summarization that happens when an engineer configures one or more commands is manual summarization.
Autosummarization is summarization that happens without a specific configuration command.
Lesson - Routing Protocol
Introduction
Routing protocols are used between routers to determine paths and maintain routing tables. A routing protocol specifies how routers communicate with each other to distribute the information that allows them to select routes between any two nodes on a network.
Topics
- Dynamic Routing Protocol
- Routing Protocol Functions
- Distance Vector Protocol
- Link-State Routing Protocol
Dynamic Routing Protocol
In dynamic routing, the routers monitor the network and can change their routing tables based on the current network conditions. A dynamic routing system selects routes based on current state information for the network. Routing protocols are divided into two groups:
- IGP (Interior Gateway Protocols)
- EGP (Exterior Gateway Protocols)
Interior Gateway Protocols (IGP) are used to route intranet communication within one administrative boundary. An Exterior Gateway Protocol is used to exchange routing information between two neighboring gateways.
Routing Protocol Functions
A routing protocol is a protocol that supports the transport of a routed protocol. It supports methods for the common use of routing information by routers. Some of the functions of a routing protocol are:
- Longest Prefix Match
- Administrative Distance
- Metrics
- Load Balancing
Routing Protocol Functions
Longest Prefix Match
Longest prefix matching techniques have received significant attention due to the fundamental role they play in the performance of Internet routers. A longest prefix match is used to determine the best next-hop route for a packet. The path is based only on the destination address contained in the packet header. The result of a longest prefix match generally reflects the best, or shortest, route to the destination.
Administrative Distance
Routers use the administrative distance feature to select the best path when there are two or more routes to the same destination from two different routing protocols. Administrative distance describes the reliability of a routing protocol.
With the administrative distance value, each routing protocol is prioritized in order from most to least reliable. Administrative distance has only local significance and is not advertised in routing updates.
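How the two functions above combine, as an added example that is not part of the course material: administrative distance decides which source's route for a given prefix is installed, and the longest prefix match then decides which installed route a packet uses. The routes are constructed; the AD values are the usual Cisco IOS defaults.

```python
"""Routing table lookup as the slides describe it: a candidate route is
installed only if no route for the same prefix from a more trusted source
(lower administrative distance) exists, and a destination is resolved by
the longest matching prefix, regardless of which protocol supplied it.
Added example, not from the course slides; the routes are constructed and
the AD values are the usual Cisco IOS defaults."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Default administrative distances (lower is more trusted).
ADMIN_DISTANCE = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    source: str   # routing source: a key of ADMIN_DISTANCE
    metric: int   # protocol metric, only comparable within one source


class RoutingTable:
    def __init__(self) -> None:
        self.routes: list[Route] = []

    def install(self, prefix: str, next_hop: str, source: str, metric: int) -> bool:
        """Offer a route. For an identical prefix, the route with the lowest
        AD wins, then the lowest metric; returns True if installed."""
        cand = Route(ipaddress.ip_network(prefix), next_hop, source, metric)
        rank = (ADMIN_DISTANCE[cand.source], cand.metric)
        for r in self.routes:
            if r.prefix == cand.prefix and (ADMIN_DISTANCE[r.source], r.metric) <= rank:
                return False   # the existing route is at least as trusted
        self.routes = [r for r in self.routes if r.prefix != cand.prefix] + [cand]
        return True

    def lookup(self, destination: str) -> Route | None:
        """Longest prefix match on the destination address only."""
        addr = ipaddress.ip_address(destination)
        matches = [r for r in self.routes if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def build_table() -> RoutingTable:
    """Constructed table: a RIP /24 sits inside an OSPF /16 inside a RIP /8."""
    rt = RoutingTable()
    rt.install("10.0.0.0/8", "172.16.0.1", "rip", 3)
    rt.install("10.1.0.0/16", "172.16.0.2", "ospf", 20)
    rt.install("10.1.1.0/24", "172.16.0.3", "rip", 2)
    return rt


if __name__ == "__main__":
    rt = build_table()
    for dst in ("10.1.1.5", "10.1.2.5", "10.2.0.1", "192.168.1.1"):
        print(dst, "->", rt.lookup(dst))
    # EIGRP (AD 90) now offers the same /24: it replaces the RIP route.
    print("EIGRP replaces RIP /24:", rt.install("10.1.1.0/24", "172.16.0.4", "eigrp", 3072))
    print("10.1.1.5 ->", rt.lookup("10.1.1.5"))
```

Note that 10.1.1.5 follows the RIP /24 even though OSPF has the lower AD: AD only competes between routes for the same prefix, while the lookup is decided by prefix length.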
Routing Protocol Functions
Metrics
A routing algorithm uses a routing metric to decide whether one route is better than another. The common routing metrics are:
- Path Length: the most common routing metric; arbitrary numeric values usually assigned to network links by network administrators.
- Reliability
- Routing delay: the time required to move a packet from source to destination through the internetwork.
- Bandwidth: the available traffic capacity of a link.
- Load: the degree to which a network resource
- Hop Count: the number of network devices between the starting node and the destination node.
- Cost: the cost of a path is a function of both the hop count and the available bandwidth.
Routing Protocol Functions
Load Balancing
If a router finds multiple routes to a specific destination, by default it takes the route with the lowest administrative distance in the routing table. If the administrative distance is the same, the router selects the lowest cost to the destination. Each routing process calculates its cost differently, and the costs may need to be manipulated in order to achieve load balancing.
The IGRP and EIGRP routing protocols support unequal-cost load balancing.
Distance Vector Protocol
Distance is the cost of reaching a destination, usually based on the number of hops the path passes through. The vector is the outgoing interface through which traffic will be forwarded in order to reach the destination network.
Distance vector protocols use a distance calculation plus an outgoing network interface to choose the best path to a destination network. RIP and IGRP are distance vector protocols.
Distance Vector Protocol
Route Poisoning
Route poisoning is a way to prevent routing loops. It prevents a network from sending packets through a route that has become invalid.
Split Horizon
Split horizon is used against small routing loops. Split horizon is a powerful loop-avoidance feature.
Distance Vector Protocol
Poison Reverse
There are two distance vector loop-avoidance procedures: split horizon and poison reverse. Poison reverse updates are intended to prevent larger routing loops.
Triggered Updates
Distance vector protocols send updates based on a regular update interval. Most looping problems occur when a router fails. Distance vector protocols send triggered updates as soon as a route fails. Whenever a gateway changes the metric for a route, it is required to send update messages; this is the manner in which triggered updates are sent.
Link State Routing Protocol
The link-state protocol is the other major type of routing protocol. Routers using a link-state routing protocol collectively advertise every detail about the internetwork to all the other routers. Open Shortest Path First (OSPF) is a link-state protocol; it is more reliable and widely used inside large IP routing domains.
Dual Algorithm
The Diffusing Update Algorithm (DUAL) is used by EIGRP to calculate and create routing tables based on certain criteria. It provides loop-free operation at every instant throughout a route computation. DUAL also permits a router running EIGRP to find alternate paths without waiting on updates from other routers.
DUAL calculates which route will be the successor and which the feasible successor.
Conclusion
Interior Gateway Protocols (IGP) are used to route Internet communications within a local area network. A dynamic routing system selects routes based on current state information for the network. A routing protocol is a protocol that supports the transport of a routed protocol.
Load balancing is used in networks where it is difficult to predict the number of requests that will be issued to a server.
Conclusion
Distance vector protocols use a distance calculation plus an outgoing network interface to choose the best path to a destination network. The Diffusing Update Algorithm (DUAL) is used by EIGRP to calculate and create routing tables based on certain criteria.
Lesson - EIGRP Concepts
Introduction
Hybrid routing is a third classification of routing algorithm. A hybrid protocol uses the advantages of both distance vector and link-state protocols. It uses distance vectors with more accurate metrics to decide the best paths to destination networks, and reports routing information only when there is a change in the topology of the network.
Topics
- Enhanced Interior Gateway Routing Protocol
- EIGRP Packet Types
- Troubleshooting EIGRP
Topic - Enhanced Interior Gateway Routing Protocol (EIGRP)
The Enhanced Interior Gateway Routing Protocol (EIGRP) is an evolution of its predecessor IGRP. EIGRP was developed in response to changes in networking and the demands of diverse, large-scale internetworks. EIGRP is compatible with IGRP routers: EIGRP treats IGRP routes as external routes and provides a way for the network administrator to customize them.
Topic - Enhanced Interior Gateway Routing Protocol (EIGRP)
EIGRP Features
EIGRP supports fast convergence, variable-length subnet masks, partial updates and multiple network layer protocols. EIGRP stores all its neighbors' routing tables so that it can adapt to alternate routes. EIGRP supports VLSM (variable-length subnet masks), which permits routes to be automatically summarized on a network. EIGRP can be configured to summarize on any bit boundary at any interface.
Topic - Enhanced Interior Gateway Routing Protocol (EIGRP)
Route Tagging
Route tagging permits the network administrator to customize routing and maintain flexible policy controls. Route tagging is particularly useful in transit ASs, where EIGRP typically interacts with an interdomain routing protocol that implements more global policies.
Topic - Enhanced Interior Gateway Routing Protocol (EIGRP)
EIGRP Routing Tables
Neighbor Table
The neighbor table lists all attached EIGRP routers. It lets a router dynamically learn of new routers that join its network, identify routers that become either unreachable or dead, and rediscover routers that had previously been unreachable.
Topology Table
Every EIGRP router maintains a topology table for each network protocol. Each entry in the topology table includes the destination address and a list of neighbors that have advertised the destination.
Topic - Enhanced Interior Gateway Routing Protocol (EIGRP)
Communication with Other EIGRP Routers
Like OSPF, EIGRP uses hello packets to discover and maintain neighbor relationships. EIGRP generates hello packets every 5 seconds on LAN, point-to-point, and multipoint connections with speeds of at least T1/E1. If an EIGRP router does not receive an ACK for these three packet types, the router will try a total of 16 times to resend the information. When a router sends a hello packet, no corresponding ACK is expected.
Topic - Enhanced Interior Gateway Routing Protocol (EIGRP)
Calculating Best Route
EIGRP is an enhanced distance vector protocol, relying on the Diffusing Update Algorithm (DUAL) to calculate the shortest path. DUAL uses distance information to select efficient, loop-free paths, and it chooses the route to add to the routing table based on feasible successors.
Topic - Enhanced Interior Gateway Routing Protocol (EIGRP)
EIGRP Metric Calculation
EIGRP uses the minimum bandwidth on the path to a destination network and the total delay to compute routing metrics. Other metrics can be configured, but doing so may cause routing loops in the network. The bandwidth and delay metrics are determined from values configured on the interfaces of routers in the path to the destination network.
Topic - Enhanced Interior Gateway Routing Protocol (EIGRP)
Feasible Distance and Advertised Distance
Feasible distance is the best metric along a path to a destination network, including the metric to the neighbor advertising that path. It is the lowest known distance to a particular destination. Advertised distance is the distance to a particular destination as reported by a router to its neighbors. This distance is sometimes also called the reported distance.
Topic - Enhanced Interior Gateway Routing Protocol (EIGRP)
EIGRP Convergence
In the convergence process all routers share and process the same routing tables. With EIGRP, each router has the exact same information, which is achieved by retaining the information sent by the EIGRP router's neighbors.
Successor and Feasible Successor
A successor route is the path in the topology table that has the best metric compared to all the other alternative paths to the same destination. A feasible successor is a backup route to the successor route.
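The metric calculation, feasible/advertised distance and successor selection from the last three slides worked through in code, as an added example that is not part of the course material. The topology values are constructed; the metric is the classic EIGRP composite formula with default K values, which is an assumption the slides do not spell out.

```python
"""EIGRP metric and DUAL route selection for one destination: compute each
neighbor's advertised (reported) distance and the feasible distance through
it, pick the successor, and keep as feasible successors only the neighbors
whose advertised distance is below the successor's feasible distance.
Added example, not from the course slides; the topology values are
constructed and the metric uses the classic formula with default K values."""
from __future__ import annotations

from dataclasses import dataclass


def eigrp_metric(min_bandwidth_kbps: int, total_delay_us: int) -> int:
    """Classic EIGRP composite metric with K1=K3=1, K2=K4=K5=0:
    256 * (10^7 / slowest link in kbit/s + sum of delays in tens of us)."""
    return 256 * (10_000_000 // min_bandwidth_kbps + total_delay_us // 10)


@dataclass(frozen=True)
class Candidate:
    neighbor: str
    adv_bandwidth: int   # slowest link (kbit/s) on the neighbor's own path
    adv_delay: int       # total delay (us) on the neighbor's own path
    link_bandwidth: int  # our link to that neighbor (kbit/s)
    link_delay: int      # delay of our link to that neighbor (us)

    def advertised_distance(self) -> int:
        """What the neighbor reports: its own metric to the destination."""
        return eigrp_metric(self.adv_bandwidth, self.adv_delay)

    def feasible_distance(self) -> int:
        """Our metric through this neighbor: the slowest link and the delay
        sum now include the hop to the neighbor."""
        return eigrp_metric(min(self.adv_bandwidth, self.link_bandwidth),
                            self.adv_delay + self.link_delay)


def dual_select(candidates: list[Candidate]) -> tuple[str, int, list[str]]:
    """Return (successor, its feasible distance, feasible successors).
    Feasibility condition: AD of the backup < FD of the successor, which
    guarantees the backup does not route back through us (loop-free)."""
    successor = min(candidates, key=Candidate.feasible_distance)
    fd = successor.feasible_distance()
    feasible = [c.neighbor for c in candidates
                if c is not successor and c.advertised_distance() < fd]
    return successor.neighbor, fd, feasible


# Constructed topology for one destination: R2 over Fast Ethernet, R3 and R4
# over T1 links. R4's own path is good, but our link to it is slow.
CANDIDATES = [
    Candidate("R2", adv_bandwidth=10_000, adv_delay=200, link_bandwidth=100_000, link_delay=100),
    Candidate("R3", adv_bandwidth=1_544, adv_delay=20_000, link_bandwidth=1_544, link_delay=20_000),
    Candidate("R4", adv_bandwidth=10_000, adv_delay=100, link_bandwidth=1_544, link_delay=20_000),
]

if __name__ == "__main__":
    for c in CANDIDATES:
        print(f"{c.neighbor}: AD={c.advertised_distance()} FD={c.feasible_distance()}")
    print("successor, FD, feasible successors:", dual_select(CANDIDATES))
```

R4 qualifies as a feasible successor despite a far worse total metric, because its advertised distance is below R2's feasible distance; R3 does not, so losing R2 would put the route into the active state and trigger queries.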
Load Balancing
In the routing table EIGRP lists up to four routes of equal cost, over which the router then load balances. EIGRP can also load-balance over unequal-cost links. The load balancing type changes according to the type of switching being done in the router. By using max-paths, EIGRP can be configured to use up to six routes of equal cost.
EIGRP Packet Types
EIGRP uses the following packet types:
- Hello
- Acknowledgment
- Update
- Query
- Reply
EIGRP Packet Types
Query and reply process
| Query from | Condition of route | Action |
|---|---|---|
| Neighbor that is not the present successor | Passive | Reply with present successor information |
| Successor | Passive | Try to find a new successor |
| Any neighbor | There is no path through this neighbor | Reply with the best path that is available now |
| Any neighbor | Destination not known before | Reply that the destination is unreachable |
| Successor | Active | If a new successor is found, reply with the new information; otherwise mark the destination unreachable |
Conclusion
The Enhanced Interior Gateway Routing Protocol (EIGRP) is an evolution of its predecessor IGRP. EIGRP treats IGRP routes as external routes and provides a way for the network administrator to customize them. Like OSPF, EIGRP uses hello packets to discover and maintain neighbor relationships.
EIGRP uses metrics such as bandwidth, delay, reliability and load to select the route.
Lesson - OSPF Protocol
Introduction
Open Shortest Path First (OSPF) handles routing for IP traffic. Its newest implementation, version 2, is described in RFC 2328. OSPF was created in the mid-1980s to overcome the problems, especially scalability problems, that RIP had in large enterprises.
Topics
- OSPF Neighbors
- OSPF Routers
- IP Routing Table
- OSPF Area
- Advanced OSPF
- Troubleshooting OSPF Problems
OSPF Neighbors
Link-state protocols do not exchange routes and metrics; each router computes its own paths from the topology. This series of computations is known as the Shortest Path First (SPF) algorithm, also referred to as the Dijkstra algorithm. Sending routers bundle Link State Advertisements into a Link State Update (LSU). OSPF routers send their neighbors hello packets at regular intervals.
Link-state protocols do not depend on distance-vector loop prevention methods such as split horizon or poison reverse.
OSPF Neighbors
Neighbor States
The different neighbor states are:
- Down
- Attempt
- Init
- 2-Way
- Exchange
- Loading
- Full
OSPF Routers
OSPF routers serve in various roles depending upon where they are located and which areas they participate in:
- Internal Routers
- Backbone Routers
- Area Border Router (ABR)
- Autonomous System Boundary Router (ASBR)
- Designated Router (DR)
- Backup Designated Router (BDR)
IP Routing Table
To build the IP routing table, each router runs the Dijkstra SPF algorithm against the OSPF topology database, and the best path is chosen based on this process. The OSPF topology database contains lists of subnet numbers, lists of routers, and the links to which each router is connected. A router uses the SPF algorithm to find the best path from the information about links and routers.
The algorithm finds the shortest path from that router to each subnet in the LSDB and enters the best route to each subnet in the IP routing table.
OSPF Area
OSPF areas are used to give a hierarchical structure to the flow of data over the network. A network using OSPF will always have at least one area. Areas are used to group routers into manageable groups that exchange routing information locally. The area types and related concepts are:
- Backbone
- Totally Stub Area
- Stub Area
- Not-so-stubby Area
- Virtual Links
Advanced OSPF
Configuring OSPF Router ID
To configure the OSPF router ID, enter the router ospf 1 command. The IP address to be used as the router ID then has to be entered. By default, the highest IP address becomes the router ID. To configure the router ID manually, enter the router-id 1.1.1.1 command. To check the router ID, enter the sh ip ospf neighbor command.
Advanced OSPF
Hello and Dead Timer
The hello timer governs communication with any neighbor routers. The dead timer is responsible for terminating the OSPF connection.
OSPF Metrics
The OSPF metric is cost. To change this metric, enter interface configuration mode by issuing the int s0 command. By default the cost of the interface is 64; it is changed with the ip ospf cost 12 command. The sh ip ospf int s0 command is used to verify the cost.
Advanced OSPF
Load Balancing
If we have more than 2 best routes to reach the destination, we can use the load balancing feature. To enter privileged mode, issue the enable command. By default, OSPF load balances over 4 paths. With the maximum-paths command we can set how many paths are used for load balancing.
Advanced OSPF
OSPF Authentication
OSPF authentication is configured to protect routers from unauthenticated routers. Enter privileged mode, then specify the interface, then issue the ip ospf authentication-key cisco command. The ip ospf authentication command enables plain text authentication. To verify whether authentication is implemented, use sh run int s0/0.
Troubleshooting OSPF Problems
With the help of the sh ip ospf interface command the following can be verified:
- Interface area
- Network type used by OSPF
- Router ID
- OSPF cost
- Whether the interface is up or down
- Whether authentication is enabled or not
- Hello timer and dead timer
- Whether this router has an adjacency with the neighbor router
Conclusion
Open Shortest Path First (OSPF) handles routing for IP traffic.
The disadvantage of OSPF is that it needs more memory to hold the adjacency, topology and routing tables. Link-state protocols do not exchange routes and metrics.
To build the IP routing table, each router runs the Dijkstra SPF algorithm against the OSPF topology database. OSPF areas are used to give a hierarchical structure to the flow of data over the network.
Lesson - Troubleshooting IP Routing
Introduction
IP routing is the core of networking. It is a set of protocols that determine the path that traffic follows in order to travel over multiple networks and across different routers. Troubleshooting issues related to IP routing forms a major part of network maintenance.
Topics
- Using ICMP
- Using Traceroute
- Troubleshooting Packet Forwarding
- Isolating IP routing with respect to routers
- Forward Route Problem
- Reverse Route Problem
Using Internet Control Message Protocol (ICMP)
ICMP is a protocol that is included in TCP/IP. It helps to manage and control a TCP/IP network. Because ICMP maintains information about a TCP/IP network, it can be used for troubleshooting. ICMP sends error messages and is not involved in sending and receiving data. IP encapsulates the error in an appropriate ICMP message with a new IP header and then transmits the resulting datagram.
Using Internet Control Message Protocol (ICMP)
Different types of messages:
- Destination Unreachable Message
  - Network Unreachable
  - Host Unreachable
  - Protocol Unreachable
  - Port Unreachable
  - Fragment needed but DF set
Using Internet Control Message Protocol (ICMP)
Destination Unreachable codes are:
| Code | Meaning |
|---|---|
| ! | Each exclamation mark represents an ICMP Echo Reply received. |
| . | Each period represents that the network timed out while waiting for a response. |
| U | Destination unreachable/destination dropped packet error received. |
| Q | Destination is busy and hence there is a source quench. |
| N | Destination network/subnet unreachable error received. |
| M | Cannot fragment error received. |
| ? | The packet received is unknown. |
| & | Lifetime of the packet has been exceeded. |
Using Internet Control Message Protocol (ICMP)
Redirecting ICMP Message
ICMP redirect messages are generated by a router to tell a host that a better route is available for a particular destination address. If there are multiple routers connected to the same subnet, then sending packets to the default gateway is not always the best route. The default gateway will recognize that there is another, better route and will send an ICMP Redirect message to the host.
Using Internet Control Message Protocol (ICMP)
ICMP Time Exceeded Message
ICMP Time Exceeded messages are generated by routers or gateways. Each IP header has a Time to Live (TTL) field. A router decrements the TTL by 1 every time it forwards the packet. When the TTL value becomes 0, the router discards the packet and sends an ICMP Time Exceeded message to the host.
Using Traceroute
The traceroute command shows the route over the network between two systems. It lists all intermediate routers a connection has to pass through to finally reach the destination. Traceroute uses the TTL field of the IP header and Time Exceeded messages to find the routers. Traceroute receives an ICMP Port Unreachable message from the host when the test packet cannot be delivered to the destination port. There is an extended traceroute command available that can be used for testing reverse routes.
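The TTL and ICMP mechanics of the two slides above, simulated end to end as an added example that is not part of the course material. The path and addresses are constructed; a router that does not answer with Time Exceeded (rate-limited or filtered ICMP, common in practice) is modelled as silent and appears as the "*" familiar from real traceroute output.

```python
"""Traceroute mechanics from the slide: a probe is sent with TTL 1, 2, 3, ...;
each router that decrements the TTL to 0 answers with ICMP Time Exceeded,
so its address is revealed, and the destination answers the UDP probe with
ICMP Port Unreachable because nothing listens on the probe port.
Added example, not from the course slides; the path and addresses are
constructed, and a router that rate-limits or filters ICMP is modelled
as giving no answer (the '*' seen in real traceroute output)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    ip: str
    answers_icmp: bool = True   # False: drops the expired probe silently


@dataclass(frozen=True)
class Host:
    ip: str
    open_udp_ports: frozenset = frozenset()


def send_probe(path: list[Hop], dest: Host, ttl: int, dst_port: int) -> tuple[str, str]:
    """Forward one UDP probe along `path` to `dest` and return
    (responder address, response kind)."""
    for router in path:
        ttl -= 1                           # every router decrements TTL by 1
        if ttl == 0:                       # expired: router discards it
            if router.answers_icmp:
                return router.ip, "time-exceeded"
            return "*", "no-response"
    # TTL survived all routers: the probe reaches the destination host.
    if dst_port in dest.open_udp_ports:
        return dest.ip, "udp-delivered"    # a listener exists, no ICMP error
    return dest.ip, "port-unreachable"


def traceroute(path: list[Hop], dest: Host, max_hops: int = 30) -> list[tuple[int, str, str]]:
    """Increase the TTL one at a time until the destination answers."""
    results = []
    for ttl in range(1, max_hops + 1):
        responder, kind = send_probe(path, dest, ttl, dst_port=33434 + ttl)
        results.append((ttl, responder, kind))
        if kind in ("port-unreachable", "udp-delivered"):
            break
    return results


# Constructed path: three routers, the third one silent, then the host.
PATH = [Hop("10.0.0.1"), Hop("10.0.1.1"), Hop("10.0.2.1", answers_icmp=False)]
DEST = Host("10.0.3.10")

if __name__ == "__main__":
    for ttl, responder, kind in traceroute(PATH, DEST):
        print(f"{ttl:2d}  {responder:12}  {kind}")
```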
Troubleshooting Packet Forwarding
The two main functions of a router are packet forwarding and routing. Packet forwarding is important as it decides the path of data flow. It consists of:
- Extracting the header information from incoming traffic.
- Looking up the matching header entry in the forwarding/routing table.
- Sending the packet to the next hop given in the table entry.
Unicasting is the simplest type of packet forwarding, where data is passed from link to link along a chain leading from source to destination.
Troubleshooting the packet forwarding process helps in problem isolation on a network.
Isolating IP Routing with respect to routers
The ping command is used to analyse whether the problem lies with the source or the destination. Ping the host's default gateway from the host, or ping the host's IP address from the default gateway. You can use the extended ping command from the default router to the host's IP address with a source address from another of the router's interfaces. Once ping works for both the source host and the destination host, the hosts can be ruled out and the troubleshooting continues.
Forward Route Problem
The route that a packet follows from the source to the destination is called the forward route. Troubleshooting includes finding issues with the source/destination host as well as with the forward/reverse route.
If there is no issue with the routers, then the entire focus is on the connectivity between the first and the last router. In this case, the problem will usually be associated with either the forward route or the reverse route.
Reverse Route Problem
A connection between two systems or networks has two routes. One is the forward route from the host to the destination, and the other runs from the server back to the source. This route is called the reverse route.
Conclusion
ICMP manages and controls a TCP/IP network. It does the job of delivering error messages to a host within a network. It generates Destination Unreachable messages when packet delivery fails. ICMP Redirect messages provide a better route for data flow in a network. ICMP Time Exceeded messages are generated by routers or gateways. If there is no issue with the routers, then the entire focus is on the connectivity between the first and the last router. A connection between two systems or networks has two routes.
Lesson - Access Control Lists
Introduction
IP access control lists are used to control traffic in a network. They act as filters and restrict access to the network. IP ACLs help a router discard unwanted packets that may come from hackers. Access control lists are used in firewall routers. These firewall routers are placed between an internal network and an external network such as the Internet.
Topics
- IP Access Control Lists
- Managing ACL Configuration
- Editing ACLs using sequence numbers
- Controlling Telnet and SSH access with ACL
- Advanced ACL
- Access List Troubleshooting
IP Access Control Lists
The IP access control list holds the filtering logic. The filter contains rules for matching an IP packet; packets are matched on protocol, address, port, ICMP type and type of service. Access control lists can be applied to both incoming and outgoing packets on an interface. The deny keyword is used for a packet that is to be filtered, whereas permit is used when a packet is not going to be filtered.
IP Access Control Lists
IP Standard ACL
The features of a standard IP ACL are:
- It has simple logic.
- It filters packets based on the source IP address.
- It is placed close to the destination router.
- It uses numbers ranging from 1 to 99 and 1300 to 1999.
IP Access Control Lists
Wildcards
Wildcards tell a router which part of the IP address is to be checked when filtering. They are used with ACLs to specify a host, a network or part of a network.
A wildcard mask gives the range of IP addresses to be filtered.
IP Access Control Lists
Extended IP ACL
An extended IP ACL is also configured on an interface, like a standard IP ACL. The features of an extended IP ACL are:
It has more complex logic.
It filters based on source and destination IP address, IP protocol and protocol information.
It is placed near the source router.
It has numbers ranging from 100 to 199 and 2000 to 2699.
IP Access Control Lists
The different fields that an extended ACL matches are:
Source IP address
Destination IP address
Portions of the source and destination IP address
Source port
Destination port
Protocol type (TCP, UDP, ICMP, IGRP, IGMP etc.)
IP Access Control Lists
Named IP Access Lists
IOS identifies named ACLs by the names given to them instead of by numbers. With a named ACL, an individual line in the access list can be deleted. To configure a named standard ACL, the following command is used:
Router(config)# ip access-list standard name_of_ACL
IP Access Control Lists
Standard IP Access List Configuration
The command to configure a standard ACL is:
access-list access-list-number {deny | permit} source-ip-address [source-wildcard-mask]
Some key points to remember when configuring a standard IP ACL are:
A standard ACL is placed close to the destination router.
Enable the ACL on the router interface using the ip command in the correct direction (inbound/outbound).
It performs the match based on the source address, hence you should know the source IP address.
The access list is searched in sequence and the search stops when a match is made, hence all deny statements should
IP Access Control Lists
Configuring Extended Access Control List
The global configuration command for an extended ACL is:
access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [log | log-input]
If the extended ACL has a TCP or UDP parameter, then the command is:
access-list access-list-number {deny | permit} {tcp | udp} source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [log]
Managing ACL Configuration
Named ACLs match packets in the same way as numbered standard and extended IP ACLs. The advantage of a named ACL is that you can edit the ACL configuration.
Editing ACLs Using Sequence Numbers
Previously, to delete a single command you had to remove the ACL from all interfaces and then delete the whole ACL. To configure the ACL again, it had to be enabled again on all the interfaces. With the introduction of named ACLs this was avoided, since a single command could be deleted. Now there is no need to delete the entire ACL; using sequence numbers you can:
Delete an individual ACL deny/permit statement by referencing its sequence number.
Add a new deny/permit statement, giving its location using
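The first-match evaluation, wildcard matching and sequence-number editing described in the ACL slides above, modelled in Python as an added example (not Cisco's code or the course's own material). The Rule and AccessList classes and the ACL contents in build_example_acl are constructed for illustration.

```python
"""Added example, not Cisco code: how an IOS IP ACL decides a packet. Lines are
tried in sequence order, the first match wins, unmatched packets hit the implicit deny."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, 1 = ignore: compare only the 0 bits."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

@dataclass
class Rule:
    seq: int
    action: str                     # "permit" (not filtered) or "deny" (filtered)
    proto: str                      # "ip" matches any protocol, as in IOS
    src: str
    src_wc: str
    dst: str = "0.0.0.0"            # this dst/dst_wc default means "any"
    dst_wc: str = "255.255.255.255"
    dst_port: Optional[int] = None  # "eq <port>" on tcp/udp lines only

    def matches(self, pkt: dict) -> bool:
        return ((self.proto == "ip" or self.proto == pkt["proto"])
                and wildcard_match(pkt["src"], self.src, self.src_wc)
                and wildcard_match(pkt["dst"], self.dst, self.dst_wc)
                and (self.dst_port is None or pkt.get("dport") == self.dst_port))

class AccessList:
    def __init__(self):
        self.rules = {}             # seq -> Rule, edited in place by sequence number
    def add(self, rule: Rule):      # "15 permit ..." slots between lines 10 and 20
        self.rules[rule.seq] = rule
    def remove(self, seq: int):     # "no 20" deletes one line, not the whole ACL
        del self.rules[seq]
    def evaluate(self, pkt: dict):
        """Return (action, seq of matching line); seq None means implicit deny."""
        for seq in sorted(self.rules):
            if self.rules[seq].matches(pkt):
                return self.rules[seq].action, seq
        return "deny", None

def build_example_acl() -> AccessList:
    """Constructed extended ACL: SSH from 10.1.1.0/24 to one host, nothing else
    from that subnet, then any IP traffic from the rest of 10.0.0.0/8."""
    acl = AccessList()
    acl.add(Rule(10, "permit", "tcp", "10.1.1.0", "0.0.0.255", "192.0.2.10", "0.0.0.0", 22))
    acl.add(Rule(20, "deny", "ip", "10.1.1.0", "0.0.0.255"))
    acl.add(Rule(30, "permit", "ip", "10.0.0.0", "0.255.255.255"))
    return acl
```

Because line 20 is reached before line 30, Telnet from 10.1.1.0/24 is dropped even though line 30 would permit it; inserting a line 15 or removing line 20 changes that result without touching the rest of the list.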
Controlling Telnet and SSH Access with ACL
Access control lists can also be used to control access to a router by Telnet and SSH. Telnet uses port 23 and SSH uses port 22. An ACL can be applied to the VTY lines in order to restrict access through Telnet or SSH. VTY lines are used to connect to a router to make configuration changes or check its status.
Advanced ACL
There are some ACLs that are used for specific tasks.
Reflexive ACLs: Reflexive ACLs are also called IP session filtering. They provide security as they allow traffic only if the request was initiated within the same network.
Dynamic ACLs: Dynamic ACLs are also called Lock-and-Key Security. To gain access to the host, the user first has to Telnet to the router.
Time-based ACLs: Time-based ACLs are similar to normal IP ACLs except that they have a time parameter attached to the command.
Access List Troubleshooting
Before starting to troubleshoot an access list you need to verify whether:
The access list has been applied to the correct interface.
The access list has command statements listed and is not empty.
The sequence of rules in the access list is followed.
Some of the commands used for troubleshooting are:
show ip access-list
show ipv6 access-list
show interface
Other available CLI commands are:
logging logfile SyslogFile 7
logging level kernel 7
logging level ipacl 7
Access List Troubleshooting
All packets are blocked
Some of the reasons for packets being blocked are:
The deny filter is too long.
The access list is empty.
The packets do not match any existing permit filters.
The deny command is ordered too high in the access list.
No packets are blocked
The permit command is ordered too high in the access list.
The permit filter is too long.
Access List Troubleshooting
Cannot Connect Remotely to a Switch
One of the major causes of this situation is that the ACL has not been applied to all interfaces in the PortChannel.
Creating ACL Using Security Device Manager
Security Device Manager (SDM) is a web-based, GUI device management tool. SDM has built-in configuration checks and can monitor router performance, system logs and firewall logs. It also includes advanced wizards for LAN and WAN networks. SDM improves productivity and makes router management easy.
Conclusion
The Open Shortest Path First (OSPF) protocol handles routing for IP traffic.
The disadvantage of OSPF is that it needs more memory to hold the adjacency, topology and routing tables. Link-state protocols do not exchange routes and metrics.
To build the IP routing table, each router runs the Dijkstra SPF algorithm against the OSPF topology database. OSPF areas are used to give a hierarchical structure to the flow of data over the network.