rip, eigrp, ospf and acl

© 2009, Velocis Systems

Dynamic Routing Basics

8-2Networking Fundamentals—Layer 3 Switching © 2009, Velocis Systems

Routed versus Routing ProtocolsRouted versus Routing Protocols

• Routed protocols used between routers to direct user traffic; also called network protocols– Examples: IP, IPX,

DECnet, AppleTalk, NetWare, OSI, VINES

1.02.03.0

1.12.13.1

DestinationNetwork

NetworkProtocol

Protocol name

Exit Port to Use

• Routing protocols used between routers to maintain routing tables– Examples: RIP, IGRP,

OSPF, BGP, EIGRP


• Dynamic Routing: Dynamic routing is the process of routing protocols running on the router communicating with neighbor routers.

–If a change occurs in the network the dynamic routing protocols automatically inform all routers about the change.

DYNAMIC ROUTING


Dynamic RoutingDynamic Routing

A network change blocks the established path...

A B

CD

XA B

CD

X

…and an alternate route is found dynamically.

• Most internetworks use dynamic routing


Routing Protocols


What is a Routing Protocol?What is a Routing Protocol?

• Routing protocols are used between routers to determine paths and maintain routing tables.

• Once the path is determined a router can route a routed protocol.

NetworkProtocol

DestinationNetwork

ConnectedRIP

EIGRP

10.120.2.0172.16.2.0172.17.3.0

Exit Interface

E0S0S1

Routed Protocol: IPRouting protocol: RIP, EIGRP

172.17.3.0

172.16.1.010.120.2.0

E0S0


Autonomous System 100 Autonomous System 200

IGPs: RIP, EIGRP EGPs: BGP

Autonomous Systems: Interior or Exterior Routing Protocols

Autonomous Systems: Interior or Exterior Routing Protocols

– An autonomous system is a collection of networks under a common administrative domain

– IGPs operate within an autonomous system

– EGPs connect different autonomous systems


Administrative Distance: Ranking Routes

Administrative Distance: Ranking Routes

EIGRPAdministrative Distance=90

Router DRouter D

Router BRouter BRouter ARouter A

Router CRouter C

RIPAdministrative Distance=120

EE

I need to send a packet to

Network E. Both router B

and C will get it there.

Which route is best?


Distance Vector versus Link StateDistance Vector versus Link State

• Distance vector

– Sends routing table info only to neighbors, so change communication may need one min/router

– Also called “routing by rumor”

– Easy to configure, but slow

• Link state

– Floods routing information about itself to all nodes, so changes are known immediately

– Efficient, but complex to configure

• Cisco’s EIGRP hybrid

– Efficient and easy to configure


Distance Vector Routing ProtocolsDistance Vector Routing Protocols

•Pass periodic copies of routing table to neighbor routers and accumulate distance vectors

CC

DD

BB

AA

CC BB AADD

RoutingTable

RoutingTable

RoutingTable

RoutingTable

RoutingTable

RoutingTable

RoutingTable

RoutingTable

Distance—How farVector—In which direction

Distance—How farVector—In which direction


•Routers discover the best path to destinations from each neighbor

AA BB CC

10.1.0.0 10.2.0.0 10.3.0.0 10.4.0.0

E0 S0 S0 S1 S0 E0

Routing TableRouting Table

10.2.0.010.2.0.0

10.3.0.010.3.0.0

00

00

S0

S1


10.3.0.010.3.0.0 S0 00

10.4.0.010.4.0.0 E0 00


10.1.0.010.1.0.0

10.2.0.010.2.0.0

E0

S0

0

0

Distance Vector—Sources of Information and Discovering Routes




AA BB CC

10.1.0.0 10.2.0.0 10.3.0.0 10.4.0.0

E0 S0 S0 S1 S0 E0


10.1.0.010.1.0.0

10.2.0.010.2.0.0

10.3.0.010.3.0.0


10.2.0.010.2.0.0

10.3.0.010.3.0.0

10.4.0.010.4.0.0

10.1.0.010.1.0.0

00

00

11

11

S0

S1

S1

S0


10.3.0.010.3.0.0 S0 00

10.4.0.010.4.0.0 E0 00

10.2.0.010.2.0.0 S0

11

E0

S0

S0 11

0

0







AA BB CC

10.1.0.0 10.2.0.0 10.3.0.0 10.4.0.0

E0 S0 S0 S1 S0 E0


10.1.0.010.1.0.0

10.2.0.010.2.0.0

10.3.0.010.3.0.0

10.4.0.010.4.0.0


10.2.0.010.2.0.0

10.3.0.010.3.0.0

10.4.0.010.4.0.0

10.1.0.010.1.0.0

00

00

11

11

S0

S1

S1

S0


10.3.0.010.3.0.0 S0 00

10.4.0.010.4.0.0 E0 00

10.2.0.010.2.0.0 S0

10.1.0.010.1.0.0 S0

11

22

E0

S0

S0

S0

11

22

0

0


Distance Vector—Selecting Best Route with Metrics

Distance Vector—Selecting Best Route with Metrics

Information used to select the best path for routing

56T1

56

T1

B

A

Hop countHop count

RIP

EIGRP

Bandwidth


Distance Vector—Maintaining Routing Information


•Updates proceed step-by-step from router to router

AA

Process to update this

routingtable


routingtable

TopologyTopologychange change causescausesroutingrouting

tabletableupdateupdate





AA


routingtable


routingtable

Router A sends out this updated

routing table after the

next period expires

Topologychange causesrouting

tableupdate





AABB


routingtable


routingtable


routingtable


routingtable

Topologychange causesrouting

tableupdate

Router A sends out this updated

routing table after the

next period expires


19.2 kbps

T1

T1 T1

– Hop count metric selects the path

– Routes update every 30 seconds

RIP OverviewRIP Overview


–Starts the RIP routing process

Router(config)#router rip

Router(config-router)#network network-number

• Selects participating attached networks• The network number must be a major classful

network number

RIP ConfigurationRIP Configuration


2.3.0.0router ripnetwork 172.16.0.0network 10.0.0.0

RIP Configuration ExampleRIP Configuration Example

router ripnetwork 10.0.0.0

2.3.0.0router ripnetwork 192.168.1.0network 10.0.0.0

172.16.1.1

S2E0 S3

192.168.1.110.1.1.1 10.2.2.210.1.1.2

S2 S3

10.2.2.3

172.16.1.0 A B C192.168.1.0

E0


Verifying the Routing Protocol—RIP

Verifying the Routing Protocol—RIP

RouterA#sh ip protocolsRouting Protocol is "rip" Sending updates every 30 seconds, next due in 0 seconds Invalid after 180 seconds, hold down 180, flushed after 240 Outgoing update filter list for all interfaces is Incoming update filter list for all interfaces is Redistributing: rip Default version control: send version 1, receive any version Interface Send Recv Key-chain Ethernet0 1 1 2 Serial2 1 1 2 Routing for Networks: 10.0.0.0 172.16.0.0 Routing Information Sources: Gateway Distance Last Update 10.1.1.2 120 00:00:10 Distance: (default is 120)

172.16.1.1

S2E0 S3

192.168.1.110.1.1.1 10.2.2.210.1.1.2

S2 S3

10.2.2.3

172.16.1.0 A B C192.168.1.0

E0


Displaying the IP Routing TableDisplaying the

IP Routing Table

RouterA#sh ip routeCodes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default U - per-user static route, o - ODR T - traffic engineered route

Gateway of last resort is not set

172.16.0.0/24 is subnetted, 1 subnetsC 172.16.1.0 is directly connected, Ethernet0 10.0.0.0/24 is subnetted, 2 subnetsR 10.2.2.0 [120/1] via 10.1.1.2, 00:00:07, Serial2C 10.1.1.0 is directly connected, Serial2R 192.168.1.0/24 [120/2] via 10.1.1.2, 00:00:07, Serial2

172.16.1.1

S2E0 S3

192.168.1.110.1.1.1 10.2.2.210.1.1.2

S2 S3

10.2.2.3

172.16.1.0 A B C192.168.1.0

E0


Link-State Routing ProtocolsLink-State Routing Protocols

• After initial flood, pass small event-triggered link-state updates to all other routers

Link-State Packets

SPFAlgorithm

TopologicalDatabase

Shortest Path First Tree

RoutingTable

RoutingTable

CC AA

DD

BB

6-24

EIGRP Overview


– EIGRP supports:

• Rapid convergence

• Reduced bandwidth usage

• Multiple network-layer protocols

What Is Enhanced IGRP (EIGRP)?What Is Enhanced IGRP (EIGRP)?

EnhancedIGRP

IPX RoutingProtocols

AppleTalk Routing Protocol

IP RoutingProtocols

IPX RoutingProtocols

AppleTalk Routing Protocol

IP RoutingProtocols


EIGRP FeaturesEIGRP Features

• Advanced distance vector

• 100% loop free

• Fast convergence

• Easy configuration

• Less network design constraints than OSPF


EIGRP Features (cont.)EIGRP Features (cont.)

• Incremental updates

• Supports VLSM networks

• Classless routing


Advantages of EIGRPAdvantages of EIGRP

•Uses multicast instead of broadcast

•Utilizes link bandwidth

•Unequal cost path load balancing

•Manual summarization can be done in any interface at any router within the network


EIGRP Support for Route Summarization

EIGRP Support for Route Summarization

• EIGRP performs route summarization

– Classful network boundaries (default)

– Arbitrary network boundaries (manual)

172.16.0.0 /24 10.0.0.0 /18192.168.42.0 /27

172.16.0.0 /16 172.16.0.0 /16192.168.42.0 /24

6-30

Configuring EIGRP


Configuring SummarizationConfiguring Summarization

(config-router)#

no auto-summary

• Turns off autosummarization for the EIGRP process

(config-if)#

ip summary-address eigrp <as-number> <address> <mask>

• Creates a summary address to be generatedby this interface

6-32

Verifying EIGRP

Operation


Verifying EIGRP OperationVerifying EIGRP Operation

show ip protocols

Router#

show ip route eigrp

Router#

show ip eigrp traffic

Router#

show ip eigrp neighbors

Router#

show ip eigrp topology

Router#

– Displays the neighbors discovered by IP EIGRP

– Displays the IP EIGRP topology table

– Displays current EIGRP entries in the routing table

– Displays the parameters and current state of the active routing protocol process

– Displays the number of IP EIGRP packets sent and received


Example EIGRP ConfigurationExample EIGRP Configuration


R2 EIGRP ConfigurationR2 EIGRP Configuration

<output omitted>interface FastEthernet0/0 ip address 172.17.2.2 255.255.255.0

<output omitted>interface Serial0/0/1 bandwidth 64 ip address 192.168.1.102 255.255.255.224

<output omitted>router eigrp 100 network 172.17.2.0 0.0.0.255 network 192.168.1.0


Verifying EIGRP: show ip eigrp neighbors

Verifying EIGRP: show ip eigrp neighbors

R1#show ip eigrp neighborsIP-EIGRP neighbors for process 100H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num0 192.168.1.102 Se0/0/1 10 00:07:22 10 2280 0 5R1#


Verifying EIGRP: show ip route eigrp

Verifying EIGRP: show ip route eigrp

R1#show ip route eigrpD 172.17.0.0/16 [90/40514560] via 192.168.1.102, 00:07:01, Serial0/0/1 172.16.0.0/16 is variably subnetted, 2 subnets, 2 masksD 172.16.0.0/16 is a summary, 00:05:13, Null0 192.168.1.0/24 is variably subnetted, 2 subnets, 2 masksD 192.168.1.0/24 is a summary, 00:05:13, Null0

R1#show ip route <output omitted>Gateway of last resort is not setD 172.17.0.0/16 [90/40514560] via 192.168.1.102, 00:06:55, Serial0/0/1 172.16.0.0/16 is variably subnetted, 2 subnets, 2 masksD 172.16.0.0/16 is a summary, 00:05:07, Null0C 172.16.1.0/24 is directly connected, FastEthernet0/0 192.168.1.0/24 is variably subnetted, 2 subnets, 2 masksC 192.168.1.96/27 is directly connected, Serial0/0/1D 192.168.1.0/24 is a summary, 00:05:07, Null0


Verifying EIGRP: show ip protocols

Verifying EIGRP: show ip protocols

R1#show ip protocolsRouting Protocol is "eigrp 100" Outgoing update filter list for all interfaces is not set Incoming update filter list for all interfaces is not set Default networks flagged in outgoing updates Default networks accepted from incoming updates EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0 EIGRP maximum hopcount 100 EIGRP maximum metric variance 1 Redistributing: eigrp 100 EIGRP NSF-aware route hold timer is 240s<output omitted>

Maximum path: 4 Routing for Networks: 172.16.1.0/24 192.168.1.0 Routing Information Sources: Gateway Distance Last Update (this router) 90 00:09:38 Gateway Distance Last Update 192.168.1.102 90 00:09:40 Distance: internal 90 external 170


Verifying EIGRP: show ip eigrp interfaces

Verifying EIGRP: show ip eigrp interfaces

R1#show ip eigrp interfacesIP-EIGRP interfaces for process 100 Xmit Queue Mean Pacing Time Multicast PendingInterface Peers Un/Reliable SRTT Un/Reliable Flow Timer RoutesFa0/0 0 0/0 0 0/10 0 0Se0/0/1 1 0/0 10 10/380 424 0


Verifying EIGRP: show ip eigrp topology

Verifying EIGRP: show ip eigrp topology

R1#show ip eigrp topologyIP-EIGRP Topology Table for AS(100)/ID(192.168.1.101)Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - reply Status, s - sia StatusP 192.168.1.96/27, 1 successors, FD is 40512000 via Connected, Serial0/0/1P 192.168.1.0/24, 1 successors, FD is 40512000 via Summary (40512000/0), Null0P 172.16.0.0/16, 1 successors, FD is 28160 via Summary (28160/0), Null0P 172.16.1.0/24, 1 successors, FD is 28160 via Connected, FastEthernet0/0P 172.17.0.0/16, 1 successors, FD is 40514560 via 192.168.1.102 (40514560/28160), Serial0/0/1


Verifying EIGRP: show ip eigrp traffic

Verifying EIGRP: show ip eigrp traffic

R1#show ip eigrp trafficIP-EIGRP Traffic Statistics for AS 100 Hellos sent/received: 429/192 Updates sent/received: 4/4 Queries sent/received: 1/0 Replies sent/received: 0/1 Acks sent/received: 4/3 Input queue high water mark 1, 0 drops SIA-Queries sent/received: 0/0 SIA-Replies sent/received: 0/0 Hello Process ID: 113 PDM Process ID: 73

© 2009, Velocis Systems 4-42

OSPF Overview


–Has fast convergence

–Supports VLSM

–Processes updates efficiently

–Selects paths based on bandwidth

What Is OSPF?What Is OSPF?


OSPF Terminology


OSPF AreasOSPF Areas


Drawbacks of link state routingDrawbacks of link state routing

• The initial discovery causes flooding

• Link-state routing is memory and processor intensive.


OSPF CostOSPF Cost

• Places router at the root of the tree and calculates the shortest path to each destination based on cumulative cost

• cost = 100000000/bandwidth bps


OSPF Operation


Router IDRouter ID

–Number by which the router is known to OSPF

–Default: The highest IP address on an active interface at the moment of OSPF process startup

–Can be overridden by a loopback interface: Highest IP address of any active loopback interface


Exchange ProcessExchange Process

172.16.5.1/24

E0

172.16.5.2/24

E1A BDown State



172.16.5.1/24

E0

172.16.5.2/24

E1

Router BNeighbors List

172.16.5.1/24, int E1

I am router ID 172.16.5.1 and I see no one.

Down State

Init State

A B



172.16.5.1/24

E0

I am router ID 172.16.5.2, and I see 172.16.5.1.

172.16.5.2/24

E1


172.16.5.1/24, int E1


Down State

Init State

A B



172.16.5.1/24

E0

I am router ID 172.16.5.2, and I see 172.16.5.1.

Router ANeighbors List

172.16.5.2/24, int E0

172.16.5.2/24

E1


172.16.5.1/24, int E1


Down State

Init State

Two-Way State

A B


Discovering RoutesDiscovering Routes

E0

172.16.5.1

DRE0

172.16.5.3

No, I will start exchange because I have a higher router ID.

I will start exchange because I have router ID 172.16.5.1.Hello

afadjfjorqpoeru39547439070713

Hello


Exstart State


Discovering RoutesDiscovering Routes

Here is a summary of my link-state database.DBD


Exchange State

Here is a summary of my link-state database.DBD


E0

172.16.5.1

DRE0

172.16.5.3

No, I will start exchange because I have a higher router ID.

I will start exchange because I have router ID 172.16.5.1.Hello


Hello


Exstart State


Discovering Routes (cont.)Discovering Routes (cont.)

E0

172.16.5.1

E0

172.16.5.3

Thanks for the information!LSAck


LSAck


DR


OSPF Operation in a Point-to-Point Topology

OSPF Operation in a Point-to-Point Topology

4-58


Point-to-Point NeighborshipPoint-to-Point Neighborship

–Router dynamically detects its neighboring router using the Hello protocol

–Adjacency is automatic as soon as the two routers can communicate

–OSPF packets are always sent as multicast 224.0.0.5


Configuring OSPF in a Single Area


Configuring OSPF on Internal Routers

Configuring OSPF on Internal Routers

Can Assign Network or Interface Address.

Broadcast Network Point-to-Point Network

E0

10.64.0.1

10.64.0.2

E0

S0

10.2.1.2 10. 2.1.1

S1AA BB CC

<Output Omitted>

interface Ethernet0

ip address 10.64.0.1 255.255.255.0

!

<Output Omitted>

router ospf 1

network 10.0.0.0 0.255.255.255 area 0

<Output Omitted>

interface Ethernet0

ip address 10.64.0.2 255.255.255.0

!

interface Serial0

ip address 10.2.1.2 255.255.255.0

<Output Omitted>

router ospf 50

network 10.2.1.2 0.0.0.0 area 0

network 10.64.0.2 0.0.0.0 area 0


Verifying OSPF Operation


Router#

show ip ospf interface

Verifying OSPF OperationVerifying OSPF Operation

• Displays area ID and adjacency information

Router#

show ip protocols

• Verifies that OSPF is configuredRouter#

show ip route

• Displays all the routes learned by the router


• Displays OSPF timers and statistics

• Displays information about DR, BDR and neighbors

• Displays the link-state database

Verifying OSPF Operation (cont.)Verifying OSPF Operation (cont.)

Router#

show ip ospf neighbor detail

Router#

show ip ospf database

Router#

show ip ospf


• Allows you to clear the IP routing table

Router#

clear ip route *

Router#

debug ip ospf option

• Displays router interaction during the hello, exchange, and flooding processes

Verifying OSPF Operation (cont.)Verifying OSPF Operation (cont.)


ACCESS-LISTSACCESS-LISTS


FDDI

– Manage IP Traffic as network access grows

TokenRing

Why Use Access Lists?Why Use Access Lists?


FDDI

172.16.0.0

172.17.0.0

TokenRing

Internet

– Filter packets as they pass through the router

Why Use Access Lists?Why Use Access Lists?


Access List ApplicationsAccess List Applications

– Permit or deny packets moving through the router

– Permit or deny vty access to or from the router

– Without access lists all packets could be transmitted onto all parts of your network

Transmission of packets on an interface


What Are Access Lists?

• Standard

– Checks Source address

– Generally permits or denies entire protocol suite

OutgoingPacket

E0

S0

IncomingPacket

Access List Processes

Permit?

Source



• Standard



• Extended

– Checks Source and Destination address

– Generally permits or denies specific protocols

OutgoingPacket

E0

S0

IncomingPacket


Permit?

Sourceand

Destination

Protocol


• Standard



• Extended

– Checks Source and Destination address

– Generally permits or denies specific protocols

• Inbound or Outbound


OutgoingPacket

E0

S0

IncomingPacket


Permit?

Sourceand

Destination

Protocol


InboundInterfacePackets

N

Y

Packet Discard Bucket

ChooseInterface

NAccessList

?

RoutingTable Entry

?

Y

Outbound Interfaces

Packet

S0

Outbound Access Lists Outbound Access Lists


Outbound Interfaces

Packet

N

Y


ChooseInterface

RoutingTable Entry

?N Packet

TestAccess ListStatements

Permit?

Y


AccessList

?

Y

S0

E0



Notify Sender


If no access list statement matches then discard the packet

N

Y


ChooseInterface

RoutingTable Entry

?N

Y

TestAccess ListStatements

Permit?

Y

AccessList

?

Discard Packet

N

Outbound Interfaces

Packet

Packet

S0

E0



A List of Tests: Deny or PermitA List of Tests: Deny or Permit

Packets to interfacesin the access group


Y

Interface(s)

Destination

Deny

Deny

Y

MatchFirstTest

?

Permit


A List of Tests: Deny or PermitA List of Tests: Deny or Permit

Packets to Interface(s)in the Access Group


Y

Interface(s)

Destination

Deny

Deny

Y

MatchFirstTest

?

Permit

N

Deny PermitMatchNext

Test(s)?

YY


Access List Configuration Guidelines

Access List Configuration Guidelines

– Access list numbers indicate which protocol is filtered

– The order of access list statements controls testing

– There is an implicit deny any as the last access list test—every list should have at least one permit statement

– Create access lists before applying them to interfaces

– Access list, filter traffic going through the router; they do not apply to traffic originated from the router


Access List Command OverviewAccess List Command Overview

Step 1: Set parameters for this access list test statement (which can be one of several statements)

access-list access-list-number { permit | deny } { test conditions }

Router(config)#


Step 1: Set parameters for this access list test statement (which can be one of several statements)Router(config)#

Step 2: Enable an interface to use the specified access list

{ protocol } access-group access-list-number {in | out}

Router(config-if)#

Access List Command OverviewAccess List Command Overview

IP Access lists are numbered 1-99 or 100-199

access-list access-list-number { permit | deny } { test conditions }


How to Identify Access ListsHow to Identify Access Lists

Number Range/IdentifierAccess List Type

IP 1-99Standard

• Standard IP lists (1 to 99) test conditions of all IP packets from source addresses


Number Range/IdentifierAccess List Type


IP 1-99100-199

StandardExtended

• Standard IP lists (1 to 99) test conditions of all IP packets from source addresses

• Extended IP lists (100 to 199) can test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports


Number Range/Identifier

IP 1-99100-199

800-899900-9991000-1099Name (Cisco IOS 11.2. F and later)

StandardExtendedSAP filtersNamed

StandardExtended

Access List Type

IPX


– Standard IP lists (1 to 99) test conditions of all IP packets from source addresses

– Extended IP lists (100 to 199) can test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports


Standard IP Access List Configuration


access-list access-list-number {permit|deny} source [mask]

Router(config)#

• Sets parameters for this list entry

• IP standard access lists use 1 to 99

• Default wildcard mask = 0.0.0.0

• “no access-list access-list-number” removes entire access-list


access-list access-list-number {permit|deny} source [mask]

Router(config)#

– Activates the list on an interface

– Sets inbound or outbound testing

– Default = Outbound

– “no ip access-group access-list-number” removes access-list from the interface

Router(config-if)#

ip access-group access-list-number { in | out }


• IP standard access lists use 1 to 99

• Default wildcard mask = 0.0.0.0

• “no access-list access-list-number” removes entire access-list




Deny a specific host

Standard IP Access List Example

Standard IP Access List Example

172.16.3.0 172.16.4.0

172.16.4.13E0

S0E1

Non-172.16.0.0

access-list 1 deny 172.16.4.13 0.0.0.0


Standard IP Access List Example 2

Standard IP Access List Example 2

172.16.3.0 172.16.4.0

172.16.4.13E0

S0E1

Non-172.16.0.0

Deny a specific host

access-list 1 deny 172.16.4.13 0.0.0.0 access-list 1 permit 0.0.0.0 255.255.255.255(implicit deny all)(access-list 1 deny 0.0.0.0 255.255.255.255)


Control vty Access With Access Class


Filter Virtual Terminal (vty) Access to a Router

Filter Virtual Terminal (vty) Access to a Router

–Five virtual terminal lines (0 through 4)

–Filter addresses that can access into the router’s vty ports

–Filter vty access out from the router

0 1 2 3 4

Virtual ports (vty 0 through 4)

Physical port e0 (Telnet)Console port (direct connect)

console e0


How to Control vty AccessHow to Control vty Access

0 1 2 3 4

Virtual ports (vty 0 through 4)

Physical port (e0) (Telnet)

• Setup IP address filter with standard access list statement

• Use line configuration mode to filter access with the access-class command

• Set identical restrictions on all vtys

Router#

e0


Virtual Terminal Line CommandsVirtual Terminal Line Commands

• Enters configuration mode for a vty or vty range

• Restricts incoming or outgoing vty connections for address in the access list

access-class access-list-number {in|out}

line vty#{vty# | vty-range}

Router(config)#

Router(config-line)#


Virtual Terminal Access ExampleVirtual Terminal Access Example

Permits only hosts in network 192.89.55.0 to connect to the router’s vtys

access-list 12 permit 192.89.55.0 0.0.0.255

!

line vty 0 4

access-class 12 in

Controlling Inbound Access


Configuring Extended IP Access Lists


Standard versus External Access List

Standard versus External Access List

Standard Extended

Filters Based onSource.

Filters Based onSource and destination.

Permit or deny entire TCP/IP protocol suite.

Specifies a specific IP protocol and port number.

Range is 100 through 199.Range is 1 through 99


Extended IP Access List Configuration


Router(config)#


access-list access-list-number { permit | deny } protocol source source-wildcard [operator port] destination destination-wildcard [ operator port ] [ established ] [log]


Router(config-if)# ip access-group access-list-number { in | out }



• Activates the extended list on an interface


Router(config)# access-list access-list-number { permit | deny } protocol source source-wildcard [operator port] destination destination-wildcard [ operator port ] [ established ] [log]


– Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out of E0

– Permit all other traffic

172.16.3.0 172.16.4.0

172.16.4.13E0

S0E1

Non-172.16.0.0

Extended Access List Example 1


access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20






172.16.3.0 172.16.4.0

172.16.4.13E0

S0E1

Non-172.16.0.0

access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20access-list 101 permit ip any any(implicit deny all)(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)


access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20access-list 101 permit ip any any(implicit deny all)(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)

interface ethernet 0ip access-group 101 out





172.16.3.0 172.16.4.0

172.16.4.13E0

S0E1

Non-172.16.0.0


– Deny only Telnet from subnet 172.16.4.0 out of E0




172.16.3.0 172.16.4.0

172.16.4.13E0

S0E1

Non-172.16.0.0

access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23






172.16.3.0 172.16.4.0

172.16.4.13E0

S0E1

Non-172.16.0.0

access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23access-list 101 permit ip any any(implicit deny all)


access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23access-list 101 permit ip any any(implicit deny all)

interface ethernet 0ip access-group 101 out





172.16.3.0 172.16.4.0

172.16.4.13E0

S0E1

Non-172.16.0.0


– Place extended access lists close to the source

– Place standard access lists close to the destination

E0

E0

E1

S0

To0

S1S0

S1

E0

E0TokenRing

BB

AACC

Where to Place IP Access ListsWhere to Place IP Access Lists

Recommended:

DD


Monitoring Access List StatementsMonitoring Access List Statements

wg_ro_a#show access-lists Standard IP access list 1 permit 10.2.2.1 permit 10.3.3.1 permit 10.4.4.1 permit 10.5.5.1Extended IP access list 101 permit tcp host 10.22.22.1 any eq telnet permit tcp host 10.33.33.1 any eq ftp permit tcp host 10.44.44.1 any eq ftp-data

wg_ro_a#show {protocol} access-list {access-list number}

wg_ro_a#show access-lists {access-list number}

rip, eigrp, ospf and acl

Documents

specific tcpip

124 e0down

standard ip

updated routing

wgroashow

highest ip

routing table

updates proceed