
Presentation 4 for students of professordkinney.com

Date post: 20-Jun-2015
Upload: arnold-derrick-kinney
Description: Establishing Internet Connectivity Part-2 (Presentation for students of professordkinney.com)

Transcript
Page 1: Presentation 4 for students of professordkinney.com

www.professordkinney.com

Page 2

Establishing Internet Connectivity

04/13/23Instructional Design-Computer Networking - Bridges Educational Group

Page 3

Lesson Objectives:
- Exploring the packet-delivery process
- Enabling static routing
- Managing traffic using ACLs
- Enabling Internet connectivity

Page 4

Exploring the Packet-Delivery Process: Router Paths and Packet Switching

The Internet Protocol (IP) packet header contains fields that describe the packet and the sending and receiving hosts. The fields that matter most for CCNA students are:
- Destination IP address
- Source IP address
- Version and TTL
- IP header length
- Precedence and type of service
- Packet length

Page 5

Page 6

MAC Layer Frame Format: MAC (Ethernet) frames are also divided into fields. They include:
- Preamble
- Start of frame delimiter
- Destination MAC address
- Source MAC address
- Type/length
- Data and pad
- Frame check sequence

Page 7

A metric is a numerical value that a routing protocol uses to determine the best path to a destination. The smaller the metric value, the better the path.

Two types of metrics used by routing protocols are:
- Hop count: the number of routers a packet must travel through to reach its destination
- Bandwidth: the "speed" of a link, also known as the data capacity of the link

Page 8

An equal-cost metric is the condition where a router has multiple paths to the same destination that all have the same metric.

In this case the router uses equal-cost load balancing: it sends packets over all of the exit interfaces listed for that destination in the routing table.

Path determination is the process a router uses to pick the best path to a destination.

Searching for the best path produces one of three results:
- Directly connected network
- Remote network
- No route determined

Page 9

The switching function of a router is the process the router uses to move a packet from an incoming interface to an outgoing interface on the same router. For a received packet the router does the following:
1. Strips off the layer 2 header.
2. Examines the destination IP address in the layer 3 header to find the best route to the destination.
3. Re-encapsulates the layer 3 packet in a new layer 2 frame.
4. Forwards the frame out the exit interface.

Page 10

As a packet travels from one networking device to another:

- The source and destination IP addresses NEVER change (absent NAT).

- The source and destination MAC addresses CHANGE each time the packet is forwarded from one router to the next; they only ever identify the two devices on the current link.

- Each router decrements the TTL field by one. When it reaches zero the router discards the packet (and normally returns an ICMP Time Exceeded message to the source). This prevents packets from circulating endlessly in a routing loop.

Page 11

Path determination and switching function details. PC1 wants to send something to PC2; here is part of what happens.

Step 1: PC1 encapsulates the packet in a frame. The frame carries R1's MAC address (PC1's default gateway) as its destination MAC address.

Page 12

Step 2: R1 receives the Ethernet frame.
- R1 sees that the destination MAC address matches its own MAC.
- R1 strips off the Ethernet frame.
- R1 examines the destination IP address.
- R1 consults its routing table looking for the destination IP.
- After finding a matching route, R1 looks up the next-hop IP address.
- R1 re-encapsulates the IP packet in a new Ethernet frame.
- R1 forwards the Ethernet frame out its Fa0/1 interface.

Page 13

Page 14

Step 3: The packet arrives at R2.
- R2 receives the Ethernet frame.
- R2 sees that the destination MAC address matches its own MAC.
- R2 strips off the Ethernet frame.
- R2 examines the destination IP address.
- R2 consults its routing table looking for the destination IP.
- After finding a matching route, R2 looks up the next-hop IP address.
- R2 re-encapsulates the IP packet in a new data link frame (PPP on the serial link).
- R2 forwards the frame out its S0/0 interface.

Page 15

Step 4: The packet arrives at R3.
- R3 receives the PPP frame.
- R3 strips off the PPP frame.
- R3 examines the destination IP address.
- R3 consults its routing table looking for the destination IP.
- R3 finds that it is directly connected to the destination network via its Fast Ethernet interface.
- R3 re-encapsulates the IP packet in a new Ethernet frame (destination MAC = PC2's MAC).
- R3 forwards the Ethernet frame out its Fa0/0 interface.

Step 5: The IP packet arrives at PC2. The frame is decapsulated and the packet is processed by the upper-layer protocols.
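The five-step walk-through above, carried out in code. The following Python simulation is an added example and not part of the original slides: it builds the PC1 - R1 - R2 - R3 - PC2 topology from constructed addresses, MACs and interface names, gives each router a routing table (including a static route for 192.168.1.0/24) and a pre-populated ARP table, and pushes one frame through hop by hop. It shows the three invariants from the previous page: the IP addresses never change, the MAC addresses are rewritten at every router, and the TTL is decremented until a router discards the packet. The serial PPP hop is modelled as Ethernet for simplicity, and ARP resolution is assumed to have already happened.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Added example (not from the slides): PC1 -> R1 -> R2 -> R3 -> PC2 forwarding simulation.
# Every address, MAC, interface name and route below is an assumption for illustration.

@dataclass(frozen=True)
class Packet:                 # layer 3 fields the slides track
    src_ip: str
    dst_ip: str
    ttl: int

@dataclass(frozen=True)
class Frame:                  # layer 2 header around the packet
    src_mac: str
    dst_mac: str
    packet: Packet

@dataclass(frozen=True)
class Route:
    prefix: str               # e.g. "192.168.1.0/24"
    next_hop: Optional[str]   # None means directly connected
    interface: str

class Router:
    def __init__(self, name, interfaces, routes, arp_table):
        self.name = name
        self.interfaces = interfaces          # {ifname: (ip, mac)}
        self.routes = [Route(*r) for r in routes]
        self.arp_table = arp_table            # {ip: mac}; ARP assumed already resolved

    def lookup(self, dst_ip):
        """Path determination: longest-prefix match, or None when there is no route."""
        addr = ipaddress.IPv4Address(dst_ip)
        matches = [r for r in self.routes if addr in ipaddress.IPv4Network(r.prefix)]
        return max(matches, key=lambda r: ipaddress.IPv4Network(r.prefix).prefixlen, default=None)

    def forward(self, frame):
        """Switching function. Returns (status, new_frame); new_frame is None if dropped."""
        if frame.dst_mac not in {mac for _, mac in self.interfaces.values()}:
            return "ignored", None                 # not addressed to one of our interfaces
        pkt = frame.packet                         # strip the layer 2 header
        if pkt.ttl <= 1:
            return "ttl-expired", None             # TTL would reach zero: discard
        pkt = replace(pkt, ttl=pkt.ttl - 1)        # each router decrements TTL by one
        route = self.lookup(pkt.dst_ip)            # examine the destination IP
        if route is None:
            return "no-route", None
        _, egress_mac = self.interfaces[route.interface]
        # directly connected: ARP for the destination itself; remote: ARP for the next hop
        next_ip = pkt.dst_ip if route.next_hop is None else route.next_hop
        next_mac = self.arp_table.get(next_ip)
        if next_mac is None:
            return "arp-unresolved", None
        # re-encapsulate: new source and destination MACs, same IP addresses
        return "forwarded:" + route.interface, Frame(egress_mac, next_mac, pkt)

def trace_path(routers, frame):
    """Push one frame through the routers in order and record what each one did."""
    hops = []
    for router in routers:
        status, frame = router.forward(frame)
        seen = None if frame is None else (frame.src_mac, frame.dst_mac, frame.packet.src_ip,
                                           frame.packet.dst_ip, frame.packet.ttl)
        hops.append((router.name, status, seen))
        if frame is None:
            break
    return hops

# Constructed topology. The serial R2-R3 link is modelled as Ethernet for simplicity.
PC1 = ("172.16.1.10", "00:00:00:00:00:10")
PC2 = ("192.168.1.10", "00:00:00:00:00:20")
R1 = Router("R1",
            {"Fa0/0": ("172.16.1.1", "00:00:00:00:01:00"), "Fa0/1": ("10.1.12.1", "00:00:00:00:01:01")},
            [("172.16.1.0/24", None, "Fa0/0"), ("10.1.12.0/30", None, "Fa0/1"),
             ("192.168.1.0/24", "10.1.12.2", "Fa0/1")],   # ip route 192.168.1.0 255.255.255.0 10.1.12.2
            {"172.16.1.10": PC1[1], "10.1.12.2": "00:00:00:00:02:00"})
R2 = Router("R2",
            {"Fa0/0": ("10.1.12.2", "00:00:00:00:02:00"), "S0/0": ("10.1.23.2", "00:00:00:00:02:01")},
            [("10.1.12.0/30", None, "Fa0/0"), ("10.1.23.0/30", None, "S0/0"),
             ("192.168.1.0/24", "10.1.23.3", "S0/0")],
            {"10.1.23.3": "00:00:00:00:03:00"})
R3 = Router("R3",
            {"S0/0": ("10.1.23.3", "00:00:00:00:03:00"), "Fa0/0": ("192.168.1.1", "00:00:00:00:03:01")},
            [("10.1.23.0/30", None, "S0/0"), ("192.168.1.0/24", None, "Fa0/0")],
            {"192.168.1.10": PC2[1]})
PATH = [R1, R2, R3]

def send_from_pc1(dst_ip, ttl=64):
    """PC1 addresses the frame to its default gateway R1's MAC; the routers do the rest."""
    pkt = Packet(PC1[0], dst_ip, ttl)
    return trace_path(PATH, Frame(PC1[1], R1.interfaces["Fa0/0"][1], pkt))

if __name__ == "__main__":
    for hop in send_from_pc1(PC2[0]):
        print(hop)
```

Running it prints one tuple per router: the status, then the (source MAC, destination MAC, source IP, destination IP, TTL) of the frame each router sent on. Sending with ttl=2 shows R2 discarding the packet, and sending to an address no router has a route for shows R1 dropping it with "no-route".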

Page 16

Purpose of a static route: a static route is a route configured manually by the administrator rather than learned from a routing protocol. It is typically used when routing to a stub network (a network reachable by only one path), where a dynamic routing protocol would add overhead without any benefit.

Page 17

IP route command. To configure a static route, use the ip route command in global configuration mode:

Router(config)# ip route network-address subnet-mask {ip-address | exit-interface}

Page 18

Understanding static route syntax, using R1(config)# ip route 172.16.1.0 255.255.255.0 172.16.2.2 as the example:
- ip route: static route command
- 172.16.1.0: destination network address
- 255.255.255.0: subnet mask of the destination network
- 172.16.2.2: IP address of the Serial 0/0/0 interface on R2, which is the "next hop" to this network

Page 19

Configuring routes to two or more remote networks. Use the following commands on R1:

R1(config)# ip route 192.168.1.0 255.255.255.0 172.16.2.2
R1(config)# ip route 192.168.2.0 255.255.255.0 172.16.2.2

Page 20

Modifying static routes. An existing static route cannot be edited in place. Delete the old route by placing no in front of the original ip route command, then enter the corrected ip route command:

R1(config)# no ip route 192.168.2.0 255.255.255.0 172.16.2.2

The new static route must then be entered in the configuration.

Page 21

Verifying the static route configuration. Use the following steps:
1. show running-config
2. Verify that the static route has been entered correctly.
3. show ip route
4. Verify that the route appears in the routing table.
5. Issue the ping command to verify that packets can reach the destination and that the return path is working.

Page 22

Ethernet interfaces and ARP. If a static route points across an Ethernet link and the packet is sent to a next-hop router, the destination MAC address of the frame will be the address of the next hop's Ethernet interface.

The router finds that address by consulting its ARP table. If no entry is found, it sends an ARP request for the next-hop IP address.

Page 23

What are ACLs? ACLs are lists of instructions you apply to a router's interface. These lists tell the router what kinds of packets to accept and what kinds of packets to deny. Acceptance and denial can be based on certain specifications, such as source address, destination address and port number. ACLs enable you to manage traffic and inspect specific packets by applying the ACL to a router interface. Any traffic going through the interface is tested against the conditions that make up the ACL.

Page 24

Reasons for ACLs. There are many reasons to create ACLs. For example, ACLs can be used to:

Limit network traffic and increase network performance. For example, ACLs can designate certain packets to be processed by a router before other traffic, on the basis of protocol. This is referred to as queuing; it ensures that the router gives preference to the traffic that matters and does not spend its time on packets that are not needed. As a result, queuing limits network traffic and reduces congestion.

Provide traffic flow control. For example, ACLs can restrict or reduce the contents of routing updates. These restrictions are used to keep information about specific networks from propagating through the network.

Page 25

Provide a basic level of security for network access. For example, ACLs can allow one host to access a part of your network and prevent another host from accessing the same area. Host A is allowed to access the Human Resources network and Host B is prevented from accessing the Human Resources network. If you do not configure ACLs on your router, all packets passing through the router could be allowed onto all parts of the network.

Decide which types of traffic are forwarded or blocked at the router interfaces. For example, you can permit e-mail traffic to be routed, but at the same time block all TELNET traffic.

Page 26

How ACLs work. An ACL is a group of statements that define how packets:
- enter inbound interfaces,
- relay through the router, and
- exit outbound interfaces of the router.

The beginning of the communication process is the same whether ACLs are used or not. As a packet enters an interface, the router checks whether the packet is routable or bridgeable. Then the router checks whether the inbound interface has an ACL. If one exists, the packet is tested against the conditions in the list. If the packet is permitted, it is checked against the routing table entries to determine the destination interface.

Next, the router checks whether the destination interface has an ACL. If it does not, the packet is sent out that interface directly; for example, if the packet will use E0, which has no ACLs, it leaves through E0 without further checks.

ACL statements are evaluated in sequential, logical order. The first statement whose condition matches decides whether the packet is permitted or denied, and the remaining statements are not checked. If no statement matches, an implicit "deny any" applies. This means that even though you will not see "deny any" as the last line of an ACL, it is there: an ACL that contains only deny statements blocks all traffic on that interface.

Page 27

ACL commands can be lengthy character strings. Key tasks covered in this section for creating ACLs include the following:

You create ACLs in global configuration mode. Specifying an ACL number from 1 to 99 instructs the router to accept standard ACL statements. Specifying an ACL number from 100 to 199 instructs the router to accept extended ACL statements (see table below).

You must carefully select and logically order the ACL statements. The IP protocols that are permitted must be specified explicitly; everything else is denied by the implicit deny at the end of the list.

You should select which IP protocols to check; any other protocols are not checked. Later in the procedure, you can also specify an optional destination port for more precision.

Assigning a unique number to each ACL. When configuring ACLs on a router, you must identify each ACL uniquely by assigning a number to the protocol's ACL. When you use a number to identify an ACL, the number must be within the range that is valid for the protocol.

You can specify ACLs by number for the protocols listed in the table. The table also lists the range of ACL numbers that is valid for each protocol.

Page 28

After you create a numbered ACL, you must assign it to an interface for it to take effect. If you want to alter a numbered ACL, you must delete the whole list with the command no access-list list-number and then re-enter every statement; individual lines of a numbered ACL cannot be removed.

Page 29

Purpose and Function of Wildcard Mask Bits

A wildcard mask is a 32-bit quantity that is divided into four octets, with each octet containing 8 bits. A wildcard mask bit of 0 means "check the corresponding bit value" and a wildcard mask bit of 1 means "do not check (ignore) the corresponding bit value".

A wildcard mask is paired with an IP address. The ones and zeros identify how to treat the corresponding IP address bits. ACLs use wildcard masking to identify a single address or a range of addresses for permit or deny tests. The term wildcard masking is a nickname for the ACL mask-bit matching process and comes from the analogy of a wildcard that matches any other card in a poker game.

Although both are 32-bit quantities, wildcard masks and IP subnet masks operate differently. Recall that the zeros and ones in a subnet mask determine the network, subnet and host portions of the corresponding IP address. The zeros and ones in a wildcard mask, as just noted, determine whether the corresponding bits in the IP address are checked or ignored for ACL purposes. For a contiguous block, the wildcard mask is the bitwise inverse of the subnet mask (255.255.255.0 becomes 0.0.0.255), but a wildcard mask need not be contiguous.

Page 30

The any keyword. Working with decimal representations of binary wildcard mask bits can be tedious.

For the most common uses of wildcard masking, you can use abbreviations. These abbreviations reduce the amount of typing you need to do when configuring address test conditions. For example, say you want to specify that any source address will be permitted in an ACL test. To indicate any IP address, you would enter 0.0.0.0; then, to indicate that the ACL should ignore (that is, allow without checking) every bit, the corresponding wildcard mask bits would be all ones (255.255.255.255). You can use the abbreviation any to express the same test condition to the Cisco IOS ACL software. Instead of typing 0.0.0.0 255.255.255.255, you can use the keyword any by itself.

For example, instead of this:
Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255
you can use this:
Router(config)# access-list 1 permit any

Page 31

The host keyword. A second common condition where Cisco IOS permits an abbreviation in the ACL wildcard mask is when you want to match all the bits of an entire IP host address. For example, say you want to specify that a specific IP host address will be denied in an ACL test. To indicate a host IP address, you would enter the full address (for example, 172.30.16.29); then, to indicate that the ACL should check all the bits in the address, the corresponding wildcard mask bits would be all zeros (0.0.0.0). You can use the abbreviation host to express the same test condition to the Cisco IOS ACL software. In the example, instead of typing 172.30.16.29 0.0.0.0, you can put the keyword host in front of the address.

For example, instead of this:
Router(config)# access-list 1 deny 172.30.16.29 0.0.0.0
you can use this:
Router(config)# access-list 1 deny host 172.30.16.29

Page 32

Standard ACLs. You use standard ACLs when you want to block all traffic from a network, allow all traffic from a specific network, or deny a whole protocol suite. Standard ACLs check only the source address of packets that could be routed. The result permits or denies output for an entire protocol suite, based on network, subnet and host addresses. For example, packets coming in on E0 are checked for source address and protocol. If they are permitted, the packets are output through S0, to which the ACL is applied. If they are not permitted, they are dropped.

Page 33

We use the standard version of the access-list global configuration command to define a standard ACL with a number. This command is used in global configuration mode.

The full syntax of the command is:
Router(config)# access-list access-list-number {deny | permit} source [source-wildcard] [log]

You use the no form of this command to remove a standard ACL. This is the syntax:
Router(config)# no access-list access-list-number

Examples of ACLs:
access-list 33 permit 172.16.0.0 0.0.255.255 (permits all traffic from the 172.16.0.0/16 network)
access-list 44 deny 172.16.13.7 0.0.0.0 (denies traffic from host 172.16.13.7)
access-list 55 deny 172.16.64.0 0.0.0.255 (denies all traffic from the 172.16.64.0 network; the wildcard assumes a /24. Note that the keyword any is not valid in place of a wildcard mask, so the mask must be written out.)

Page 34

Placing ACLs. The second part of establishing an access list is applying the list to a specific interface:

Router(config-if)# ip access-group 33 in (applies access-list 33 to packets inbound on the interface being configured)
Router(config-if)# ip access-group 44 out (applies access-list 44 to packets outbound from the interface being configured)

How to verify standard ACLs. You use the show access-lists EXEC command to display the contents of all ACLs. In addition, you can follow show access-lists with the name or number of an ACL to display the contents of just that ACL. The following example of a standard ACL allows access for hosts on the three specified networks:

access-list 1 permit 192.5.34.0 0.0.0.255
access-list 1 permit 128.88.0.0 0.0.255.255
access-list 1 permit 36.0.0.0 0.255.255.255

Page 35

In the example, the wildcard bits apply to the host portions of the network addresses. Any packet whose source address does not match one of the ACL statements is rejected by the implicit deny. To specify a large number of individual addresses more easily, you can omit the wildcard if it is all zeros. Thus, the following two configuration commands have the same effect:

access-list 2 permit 36.48.0.3
access-list 2 permit 36.48.0.3 0.0.0.0

The ip access-group command binds an existing ACL to an interface. Remember that only one ACL per interface, per protocol, per direction is allowed; applying a second one in the same direction replaces the first. The format of the command, entered in interface configuration mode, is:

Router(config-if)# ip access-group access-list-number {in | out}

Page 36

Example of a standard ACL. In the example below, the ACL allows only traffic from source network 172.16.0.0 to be forwarded; traffic from any other network is blocked by the implicit deny.

Also shown in the example, the command ip access-group 1 out binds the ACL to each outgoing interface.

Page 37

Permitting Traffic from Source Network 172.16.0.0

access-list 1 permit 172.16.0.0 0.0.255.255
(implicit deny any - not visible in the list)
(access-list 1 deny 0.0.0.0 255.255.255.255)
interface ethernet 0
 ip access-group 1 out
interface ethernet 1
 ip access-group 1 out

Page 38

Writing an ACL to deny a specific host. The example below shows an ACL designed to block traffic from a specific address, 172.16.4.13, and to allow all other traffic to be forwarded out interface Ethernet 0.

In the second access-list command, the 0.0.0.0 255.255.255.255 address/wildcard combination identifies traffic from any source. This combination can also be written using the keyword any. All zeros in the address act as a placeholder and all ones in the wildcard mask mean that none of the 32 bits of the source address will be checked. Any packet that does not match the first line of the ACL matches the second one and is forwarded.

Denying a Specific Host

access-list 1 deny host 172.16.4.13
access-list 1 permit 0.0.0.0 255.255.255.255
(implicit deny any)
(access-list 1 deny 0.0.0.0 255.255.255.255)
interface ethernet 0
 ip access-group 1 out

(The first line can equally be written access-list 1 deny 172.16.4.13 0.0.0.0; the host keyword and an explicit 0.0.0.0 wildcard are alternatives, not used together.)

Page 39

Writing a Standard ACL to deny a Specific Network

In the wildcard mask 0.0.0.255, the zeros in the first three octets indicate that those bits will be tested for a match, while the all-ones last octet indicates a "don't care" condition for the last octet of the IP address (the host portion). Note also that the any abbreviation has been used for the source address in the permit statement.

Denying a Specific Subnet

access-list 1 deny 172.16.4.0 0.0.0.255
access-list 1 permit any
(implicit deny any)
(access-list 1 deny any)
interface ethernet 0
 ip access-group 1 out
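The wildcard-mask, any/host and implicit-deny rules from the preceding pages, reproduced in code. The following Python evaluator is an added example, not part of the original slides or of Cisco IOS: it parses standard ACL statements exactly as written above (including the omitted-wildcard and log forms), evaluates a source address against them with first-match-wins and the implicit deny, and adds one check the slides only hint at with "you must carefully order the ACL": a lint that reports statements which can never match because an earlier statement already covers them. The ACL lines are the ones from the slides; the source addresses tested are constructed.

```python
import ipaddress

# Added example: a standard-ACL evaluator with IOS matching semantics (wildcard masks,
# 'any' and 'host' shorthands, omitted wildcard = 0.0.0.0, first match wins, implicit deny)
# and a shadowed-entry lint. The ACL statements are the slides' own; test addresses are
# constructed for illustration.

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def wildcard_match(addr, base, wildcard):
    """A 0 bit in the wildcard means 'check this bit', a 1 bit means 'ignore it', so the
    address matches when every checked bit equals the base address."""
    checked = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & checked) == (ip_int(base) & checked)

def parse_standard_ace(line):
    """Parse 'access-list N {permit|deny} source [wildcard] [log]'.
    Returns (number, action, base, wildcard)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0].lower() != "access-list":
        raise ValueError(f"not an access-list statement: {line!r}")
    number, action, rest = int(tokens[1]), tokens[2].lower(), tokens[3:]
    if not 1 <= number <= 99:
        raise ValueError(f"ACL {number} is outside the standard range 1-99")
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    if rest[-1] == "log":
        rest = rest[:-1]
    if rest[0] == "any":
        base, wildcard = "0.0.0.0", "255.255.255.255"
    elif rest[0] == "host":
        base, wildcard = rest[1], "0.0.0.0"
    else:
        base = rest[0]
        wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"   # omitted wildcard means 0.0.0.0
    return number, action, base, wildcard

def evaluate_standard_acl(acl_lines, source_ip):
    """Return (action, matching_line). The first matching statement decides; if nothing
    matches, the implicit 'deny any' applies and matching_line is None."""
    for line in acl_lines:
        _, action, base, wildcard = parse_standard_ace(line)
        if wildcard_match(source_ip, base, wildcard):
            return action, line
    return "deny", None

def shadowed_entries(acl_lines):
    """Lint: list (index, line) for statements that can never match because an earlier
    statement already matches every address they cover, e.g. 'permit any' placed above
    a specific deny."""
    parsed = [parse_standard_ace(line) for line in acl_lines]
    shadowed = []
    for i, (_, _, base_l, wild_l) in enumerate(parsed):
        bl, wl = ip_int(base_l), ip_int(wild_l)
        for _, _, base_e, wild_e in parsed[:i]:
            be, checked_e = ip_int(base_e), ~ip_int(wild_e) & 0xFFFFFFFF
            # the earlier entry checks only bits the later one also fixes, with equal values
            if (wl & checked_e) == 0 and (be & checked_e) == (bl & checked_e):
                shadowed.append((i, acl_lines[i]))
                break
    return shadowed

# The ACLs from the slides
PERMIT_NET = ["access-list 1 permit 172.16.0.0 0.0.255.255"]
DENY_HOST = ["access-list 1 deny host 172.16.4.13",
             "access-list 1 permit 0.0.0.0 255.255.255.255"]
DENY_SUBNET = ["access-list 1 deny 172.16.4.0 0.0.0.255",
               "access-list 1 permit any"]
# Same intent as DENY_HOST, but with the statements in the wrong order
WRONG_ORDER = ["access-list 1 permit any",
               "access-list 1 deny host 172.16.4.13"]

if __name__ == "__main__":
    for src in ("172.16.4.13", "172.16.9.1", "10.0.0.1"):   # constructed source addresses
        print(src, evaluate_standard_acl(PERMIT_NET, src), evaluate_standard_acl(DENY_HOST, src),
              evaluate_standard_acl(DENY_SUBNET, src))
    print("shadowed:", shadowed_entries(WRONG_ORDER))
```

Running the script shows 10.0.0.1 denied by PERMIT_NET with no matching line (the implicit deny), 172.16.4.13 denied by the host and subnet lists while 172.16.9.1 passes both, and the second line of WRONG_ORDER reported as unreachable. The lint is worth running on any numbered list before it is applied, because IOS accepts the shadowed line without complaint.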

Page 40

Extended ACLs. Extended ACLs are used most often to test conditions because they provide a greater range of control than standard ACLs. You would use an extended ACL when you want to allow Web traffic but deny File Transfer Protocol (FTP) or Telnet from non-company networks. Extended ACLs check both the source and the destination address of a packet. They can also check for specific protocols, port numbers and other parameters. This gives you more flexibility to describe what checking the ACL will do. Packets can be permitted or denied based on where the packet originated and on its destination. For example, an extended ACL can allow e-mail traffic from E0 to specific S0 destinations, while denying remote logins or file transfers.

A standard ACL (numbered 1 to 99) might not provide the traffic-filtering control you need. Standard ACLs filter traffic based only on a source address and wildcard mask, so they permit or deny the entire TCP/IP protocol suite for that source. You might need a more precise way to control traffic and access.

For more precise traffic-filtering control, you use extended ACLs. Extended ACL statements check the source address and the destination address. In addition, at the end of the extended ACL statement, you gain further precision from a field that specifies the optional TCP or User Datagram Protocol (UDP) port number. These can be the well-known port numbers for TCP/IP; a few of the most common are shown in the figure. You can specify the logical operation (eq, neq, lt, gt, range) that the extended ACL performs on the port number. Extended ACLs use a number in the range 100 to 199.

Page 41

Extended ACL parameters. The complete form of the access-list command is:

Router(config)# access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]

(The port operators apply only when protocol is tcp or udp; established applies only to tcp.)

The ip access-group command links an existing extended ACL to an interface. Remember that only one ACL per interface, per direction, per protocol is allowed. The format of the command, entered in interface configuration mode, is:

Router(config-if)# ip access-group access-list-number {in | out}

Page 42

Page 43

Writing an ACL to Deny FTP on an Ethernet Interface

The figure shows an example of an extended ACL that blocks FTP traffic. The ip access-group 101 out command under interface E0 links ACL 101 to outgoing interface E0. Note that blocking port 21 prevents FTP commands from being transmitted, thus preventing FTP file transfers. Blocking port 20 prevents the data connection itself from being transmitted, but does not block FTP commands. FTP servers can easily be configured to work on different ports.

You should understand that well-known port numbers are just that: well-known. There is no guarantee that a service will be on its well-known port, although it usually is, and an ACL that matches on port numbers cannot tell what protocol is actually being spoken on a port.

Page 44

Writing an ACL that denies SMTP out of an Ethernet Port but permits all other Traffic

The figure shows an example of an extended ACL that blocks SMTP traffic. The ip access-group 101 out command under interface E0 links ACL 101 to outgoing interface E0. Note that blocking TCP port 25 prevents SMTP traffic from being transmitted.

Mail servers can easily be configured to work on different ports. You should understand that well-known port numbers are just that: well-known. There is no guarantee that a service will be on its well-known port, although it usually is.
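The FTP and SMTP examples above, together with the "well-known ports are just well-known" caveat, in code. The following Python evaluator is an added example, not part of the original slides or of Cisco IOS. It parses extended ACL statements (protocol, source and destination with wildcard or any/host shorthand, port operators including a few named ports, and the established keyword) and evaluates constructed packet summaries against them. It goes a little beyond the slides by also showing what established does and does not check. The hosts, ports and flag values are assumptions for illustration.

```python
import ipaddress

# Added example: an extended-ACL evaluator for five-tuple flows, plus the two blind spots
# the slides warn about: a port-based rule only catches the port you named, and
# 'established' only inspects TCP flag bits. All flows below are constructed.

WELL_KNOWN = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "pop3": 110}
PORT_OPS = ("eq", "neq", "lt", "gt", "range")

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def wildcard_match(addr, base, wildcard):
    checked = ~ip_int(wildcard) & 0xFFFFFFFF          # 0 bits are checked, 1 bits ignored
    return (ip_int(addr) & checked) == (ip_int(base) & checked)

def _port(token):
    return WELL_KNOWN[token] if token in WELL_KNOWN else int(token)

def _take_address(tokens, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (base, wildcard, next_i)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2

def _take_port_test(tokens, i):
    """Consume an optional 'eq 21', 'range 20 21', ...; return (predicate, next_i)."""
    if i >= len(tokens) or tokens[i] not in PORT_OPS:
        return (lambda p: True), i
    op = tokens[i]
    if op == "range":
        lo, hi = _port(tokens[i + 1]), _port(tokens[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    n = _port(tokens[i + 1])
    tests = {"eq": lambda p: p == n, "neq": lambda p: p != n,
             "lt": lambda p: p < n, "gt": lambda p: p > n}
    return tests[op], i + 2

def parse_extended_ace(line):
    """'access-list N {permit|deny} proto src [op port] dst [op port] [established] [log]'."""
    t = line.split()
    number = int(t[1])
    if t[0] != "access-list" or not 100 <= number <= 199:
        raise ValueError(f"not an extended access-list statement: {line!r}")
    action, proto = t[2], t[3]
    src, src_w, i = _take_address(t, 4)
    sport_ok, i = _take_port_test(t, i)
    dst, dst_w, i = _take_address(t, i)
    dport_ok, i = _take_port_test(t, i)
    return {"action": action, "proto": proto, "src": (src, src_w), "dst": (dst, dst_w),
            "sport_ok": sport_ok, "dport_ok": dport_ok, "established": "established" in t[i:]}

def flow(proto, src, dst, sport=0, dport=0, flags=()):
    """A constructed packet summary: the header fields an extended ACL can look at."""
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": frozenset(flags)}

def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], *ace["src"]) and wildcard_match(pkt["dst"], *ace["dst"])):
        return False
    if pkt["proto"] in ("tcp", "udp") and not (ace["sport_ok"](pkt["sport"]) and ace["dport_ok"](pkt["dport"])):
        return False
    # 'established' is satisfied by any segment with ACK or RST set; it is not state tracking
    if ace["established"] and not (pkt["flags"] & {"ACK", "RST"}):
        return False
    return True

def evaluate_extended_acl(acl_lines, pkt):
    """First match wins; no match means the implicit 'deny ip any any'."""
    for line in acl_lines:
        ace = parse_extended_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", None

# The two ACLs described on the slides (both pages reuse the number 101)
NO_FTP = ["access-list 101 deny tcp any any eq ftp",
          "access-list 101 permit ip any any"]
NO_SMTP = ["access-list 101 deny tcp any any eq 25",
           "access-list 101 permit ip any any"]
# A typical inbound list: only return traffic for sessions inside hosts opened
RETURN_ONLY = ["access-list 102 permit tcp any 172.16.0.0 0.0.255.255 established",
               "access-list 102 deny ip any any"]
```

Evaluating a few constructed flows makes the caveats concrete: NO_FTP denies a connection to port 21 but permits the same client talking FTP to port 2121, and permits the port-20 data connection because the rule never mentions it; NO_SMTP denies port 25 but not a submission server on 587. RETURN_ONLY admits a reply segment from port 80 carrying ACK and rejects an inbound SYN to port 445, yet it also admits a crafted inbound segment to port 445 with only the ACK bit set, which is why established is a flag check rather than a stateful firewall.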

Page 45

Configuring named ACLs. Named ACLs allow standard and extended IP ACLs to be identified with an alphanumeric string (name) instead of the numeric (1 to 199) representation. Named ACLs let you delete individual entries from a specific ACL, so you can modify an ACL without deleting and then reconfiguring it. Use named ACLs when:
- You want to identify ACLs intuitively by an alphanumeric name.
- You have more than 99 standard or 100 extended ACLs to configure in a router for a given protocol.

Consider the following before implementing named ACLs:
- Named ACLs are not compatible with Cisco IOS releases prior to Release 11.2.
- You cannot use the same name for multiple ACLs. In addition, ACLs of different types cannot have the same name. For example, it is illegal to specify a standard ACL named George and an extended ACL with the same name.

To name the ACL, use the following command:
Router(config)# ip access-list {standard | extended} name

In ACL configuration mode, specify one or more permit or deny conditions. These determine whether the packet is passed or dropped:
Router(config-{std|ext}-nacl)# deny {source [source-wildcard] | any}
or
Router(config-{std|ext}-nacl)# permit {source [source-wildcard] | any}

The configuration shown in the figure creates a standard ACL named Internetfilter and an extended ACL named marketing_group.

Page 46

The deny command. You use the deny ACL configuration command to set conditions for a named ACL. The full syntax for this command is:
deny {source [source-wildcard] | any}
You use the no form of this command to remove a deny condition:
no deny {source [source-wildcard] | any}

The permit command. You use the permit ACL configuration command to set conditions for a named standard ACL. The full syntax of this command is:
permit {source [source-wildcard] | any} [log]
You use the no form of this command to remove a condition from an ACL:
no permit {source [source-wildcard] | any}

You use these commands in ACL configuration mode, following the ip access-list command, to define the conditions under which a packet passes the ACL.

Page 47

The following example is for a standard ACL named Internetfilter:

ip access-list standard Internetfilter
 deny 192.5.34.0 0.0.0.255
 permit 128.88.0.0 0.0.255.255
 permit 36.0.0.0 0.255.255.255
! (Note: all other access is implicitly denied)

In this example, the permit and deny statements have no number, and no removes the specific test from the named ACL:
Router(config-{std|ext}-nacl)# {permit | deny} {ip ACL test conditions}
Router(config-{std|ext}-nacl)# no {permit | deny} {ip ACL test conditions}

This example activates the IP named ACL on an interface:
Router(config-if)# ip access-group {name | 1-199} {in | out}

Verifying ACLs. The show ip interface command displays IP interface information and indicates whether any ACLs are set. The show access-lists command displays the contents of all ACLs. By entering the ACL name or number as an option for this command, you can see a specific list.

Page 48

Establishing Internet Connectivity: configure a router interface

Paris(config)# interface FastEthernet 0/0
Paris(config-if)# ip address 172.16.1.1 255.255.0.0
Paris(config-if)# no shutdown
Paris(config-if)# exit

Interface names vary, depending on whether the router is modular and on the bandwidth, e.g. interface Ethernet 0 on an older router.

Page 49

Paris(config)# interface serial 0/0
Paris(config-if)# ip address 192.168.4.1 255.255.255.0
(Paris(config-if)# clock rate 64000)    ! only on the DCE end of a back-to-back serial link
Paris(config-if)# no shutdown
Paris(config-if)# exit

Give the switch an IP address. The switch IP address goes on a virtual interface, not a physical one, normally VLAN1:

SwA(config)# interface VLAN1
SwA(config-if)# ip address 172.16.255.1 255.255.0.0
SwA(config-if)# no shutdown
SwA(config-if)# exit

Page 50

Give switch A a default gateway:

SwA(config)# ip default-gateway 172.16.255.254

Just like a workstation, a switch needs a default gateway if it exchanges messages with devices on a different network (its management traffic, such as Telnet, SSH or SNMP, since a layer 2 switch does not route).

The default gateway is the address of the local router.

Page 51

Up and down:

Interface status (layer 1): up, down, or administratively down (use no shutdown to bring it up).
Line protocol (layer 2): up or down (down means no keepalive signal was received).

Page 52

Ping, step by step:
1. Ping 127.0.0.1 (loopback: is TCP/IP OK?)
2. Ping your own IP address (are NIC hardware and software all right? Is the IP address bound?)
3. Ping local hosts (checks your own configuration and that of others)
4. Ping the gateway
5. Ping other intermediate routers
6. Ping hosts on remote networks

Page 53

Find out about nodes:
- ping, used from a workstation, router or switch, shows whether the destination can be reached
- traceroute shows the hops along the path
- arp -a on a workstation shows the list of MAC and IP addresses
- show mac-address-table on a switch shows the list of MAC addresses and switch ports

Page 54

Lesson Summary:
- Packet delivery process
- Exploring ACLs
- Configuring static routing
- Establishing Internet connectivity
