1 - Binus Repository
Download
Report
Transcript 1 - Binus Repository
Pertemuan 26
Integrating Network using Routing
Protocol
1
Discussion Topics
• Configuring network using dynamic routing protocol
• Configuring ACLs
• Network troubleshooting
Ref : Rick Graziani [email protected]
2
Running RIPv1 on classful networks
SanJose2
hostname SanJose2
interface ethernet 0
ip add 192.168.1.1 255.255.255.0
interface serial 0
ip add 192.168.2.1 255.255.255.0
SanJose1
hostname SanJose1
interface ethernet 0
ip add 192.168.3.1 255.255.255.0
interface serial 0
ip add 192.168.2.2 255.255.255.0
interface serial 1
ip add 192.168.4.2 255.255.255.0
Baypointe
hostname Baypointe
interface ethernet 0
ip add 192.168.5.1 255.255.255.0
interface serial 0
ip add 192.168.4.1 255.255.255.0
3
Scenario 1: Running RIPv1 on classful
networks
Objective: Running RIPv1 on classful networks
This scenario is the same one we used in the network discovery lab, with the same
configurations and the same outputs. The concepts specific to this scenario will become
more clear when we view the differences between this scenario and Scenario 2: Running
RIPv1 on subnets and between classful networks.
Step 1 – Configuring RIP
First, lets enable RIP on each router.
From global configuration you will enter the command (the default is RIPv1):
Router(config)#router rip
Once you are in the Router RIP configuration sub-mode, all you need to do is enter the
classful network address for each directly connected network, using the network
command.
Router(config-router)#network directly-connected-classful-networkaddress
4
Scenario 1: Running RIPv1 on classful
networks
Here are the commands for each router:
SanJose2#configure terminal
Enter configuration commands, one per line.
SanJose2(config)#router rip
SanJose2(config-router)#network 192.168.1.0
SanJose2(config-router)#network 192.168.2.0
End with CNTL/Z.
Baypointe#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Baypointe(config)#router rip
Baypointe(config-router)#network 192.168.4.0
Baypointe(config-router)#network 192.168.5.0
SanJose1#configure terminal
Enter configuration commands, one per line.
SanJose1(config)#router rip
SanJose1(config-router)#network 192.168.2.0
SanJose1(config-router)#network 192.168.3.0
SanJose1(config-router)#network 192.168.4.0
End with CNTL/Z.
5
Step 2 – Understanding the network command
SENDING RIP MESSAGES
Each router will begin to send RIP update message out each interface belonging to one of the network
statements.
SanJose2(config)#router rip
SanJose2(config-router)#network 192.168.1.0
SanJose2(config-router)#network 192.168.2.0
For example, SanJose2 to will send out RIP update messages on Ethernet 0 because that interface has an
IP address that belong to the network 192.168.1.0, and on Serial 0 because that interface has an IP
address that belongs to the network 192.168.2.0.
Just because a router has a directly connected network does not mean it will automatically include that
network in its routing updates to neighboring routers. The network command also tells the RIP to
include these networks in its updates to adjacent neighbors.
To view the RIP messages being sent and received use the debug ip rip command.
SanJose2# debug ip rip
RIP protocol debugging is on
SanJose2
01:03:27: RIP: sending v1 update to
01:03:27:
network 192.168.2.0,
01:03:27: RIP: sending v1 update to
01:03:27:
network 192.168.1.0,
255.255.255.255 via Ethernet0 (192.168.1.1)
metric 1
255.255.255.255 via Serial0 (192.168.2.1)
metric 1
Rick Graziani
[email protected]
6
Scenario 1: Running RIPv1 on classful
networks
LISTENING FOR RIP MESSAGES
Routers will also listen for RIP messages on each interface belonging to one of the
network statements.
For example, SanJose2 to will listen for RIP update messages on Ethernet 0
because that interface has an IP address that belong to the network
192.168.1.0, and also listen for RIP update messages on Serial 0 because that
interface has an IP address that belongs to the network 192.168.2.0.
As RIP messages are received router, will add those networks in the messages to
their routing tables:
If the RIP message contains a network not currently in the routing table.
If the RIP message contains a network with a better metric (fewer hops) than an
entry currently in the routing table.
SanJose2
01:10:56: RIP: received v1 update from 192.168.2.2 on Serial0
01:10:56:
192.168.4.0 in 1 hops
01:10:56:
192.168.3.0 in 1 hops
7
Scenario 1: Running RIPv1 on classful
networks
Step 3 – Viewing the debug ip rip output and the routing tables
Remember that SanJose1 will learn routes to networks from SanJose2. It
will then send that information to Baypointe, telling Baypointe that it is
the next hop to get to those networks, and incrementing the metric (hop
count) by one.
After convergence, each router will continue to send its RIP update
messages out the appropriate interfaces every 30 seconds.
Lets look at the debug messages and the routing table for each router:
8
SanJose2
01:30:45: RIP: sending v1 update to 255.255.255.255 via Ethernet0 (192.168.1.1)
01:30:45:
network 192.168.4.0, metric 2
01:30:45:
network 192.168.5.0, metric 3
01:30:45:
network 192.168.2.0, metric 1
01:30:45:
network 192.168.3.0, metric 2
01:30:45: RIP: sending v1 update to 255.255.255.255 via Serial0 (192.168.2.1)
01:30:45:
network 192.168.1.0, metric 1
SanJose2#
01:30:50: RIP: received v1 update from 192.168.2.2 on Serial0
01:30:50:
192.168.4.0 in 1 hops
01:30:50:
192.168.5.0 in 2 hops
01:30:50:
192.168.3.0 in 1 hops
SanJose2#
SanJose2#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
<omitted>
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
U - per-user static route, o - ODR
Gateway of last resort is not set
R
192.168.4.0/24
R
192.168.5.0/24
C
192.168.1.0/24
C
192.168.2.0/24
R
192.168.3.0/24
SanJose2#
[120/1] via
[120/2] via
is directly
is directly
[120/1] via
192.168.2.2, 00:00:10, Serial0
192.168.2.2, 00:00:10, Serial0
connected, Ethernet0
connected, Serial0
192.168.2.2, 00:00:10, Serial0
Rick Graziani
[email protected]
9
SanJose1
01:33:05:
01:33:05:
SanJose1#
01:33:07:
01:33:07:
01:33:08:
01:33:08:
01:33:08:
01:33:08:
01:33:08:
01:33:08:
01:33:08:
01:33:08:
01:33:08:
01:33:08:
01:33:08:
01:33:08:
01:33:08:
RIP: received v1 update from 192.168.4.1 on Serial1
192.168.5.0 in 1 hops
RIP: received v1 update from 192.168.2.1 on Serial0
192.168.1.0 in 1 hops
RIP: sending v1 update to 255.255.255.255 via Ethernet0 (192.168.3.1)
network 192.168.4.0, metric 1
network 192.168.5.0, metric 2
network 192.168.1.0, metric 2
network 192.168.2.0, metric 1
RIP: sending v1 update to 255.255.255.255 via Serial0 (192.168.2.2)
network 192.168.4.0, metric 1
network 192.168.5.0, metric 2
network 192.168.3.0, metric 1
RIP: sending v1 update to 255.255.255.255 via Serial1 (192.168.4.2)
network 192.168.1.0, metric 2
network 192.168.2.0, metric 1
network 192.168.3.0, metric 1
SanJose1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
<omitted>
Gateway of last resort is not set
C
192.168.4.0/24 is directly connected, Serial1
R
192.168.5.0/24 [120/1] via 192.168.4.1, 00:00:12, Serial1
R
192.168.1.0/24 [120/1] via 192.168.2.1, 00:00:10, Serial0
C
192.168.2.0/24 is directly connected, Serial0
C
192.168.3.0/24 is directly connected, Ethernet0
Rick Graziani
[email protected]
10
Baypointe
01:34:53: RIP:
01:34:53:
01:34:53:
01:34:53:
01:34:53:
01:34:53: RIP:
01:34:53:
Baypointe#
01:34:56: RIP:
01:34:56:
01:34:56:
01:34:56:
sending
network
network
network
network
sending
network
v1 update to
192.168.4.0,
192.168.1.0,
192.168.2.0,
192.168.3.0,
v1 update to
192.168.5.0,
received v1
192.168.1.0
192.168.2.0
192.168.3.0
255.255.255.255 via Ethernet0 (192.168.5.1)
metric 1
metric 3
metric 2
metric 2
255.255.255.255 via Serial0 (192.168.4.1)
metric 1
update from 192.168.4.2 on Serial0
in 2 hops
in 1 hops
in 1 hops
Baypointe#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
U - per-user static route, o - ODR
Gateway of last resort is not set
C
C
R
R
R
192.168.4.0/24
192.168.5.0/24
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
is directly
is directly
[120/2] via
[120/1] via
[120/1] via
connected, Serial0
connected, Ethernet0
192.168.4.2, 00:00:23, Serial0
192.168.4.2, 00:00:23, Serial0
192.168.4.2, 00:00:23, Serial0
Rick Graziani
[email protected]
11
Scenario 1: Running RIPv1 on classful
networks
NOTE: At this point all routers should be able to ping all networks. We will discuss RIP much
more in the chapter on Routing Protocols (RIP).
Step 4 – Turning-off debug
Don’t forget to turn-off debug when you are done collecting the output.
Router# undebug all
or
Baypointe# undebug ip rip
Step 5 – Reflections
• For each router compare the RIP received messages with its routing table. Now you see
how the information is entered into the routing table.
• Cisco IOS uses split horizon with poison reverse, however this information is not
displayed with debug ip rip command.
• You will notice that the routers send RIP messages out their stub Ethernet interfaces,
even though there are no routers out there to receive those messages. This does take up
unnecessary bandwidth on the link; so later we will see how to keep those RIP messages
from going out those interfaces.
12
ACL Example
172.16.20.0/24
RouterA
.1
s0
s0
.1
.2
e0
Administration
172.16.10.3/24
172.16.10.2/24
172.16.40.0/24
RouterB
s1
.1
.1 e0
Sales
172.16.30.3/24
172.16.30.2/24
s0
.2 RouterC
.1 e0
Engineering
172.16.50.3/24
172.16.50.2/24
• Task:
– Deny only the host 172.16.30.2 from exiting the Sales network.
– Permit all other hosts on the Sales network to leave the
172.16.30.0/24 network.
• Keyword “any” can be used to represent all IP Addresses.
13
ACL Example
172.16.20.0/24
RouterA
.1
s0
s0
.1
.2
e0
Administration
172.16.40.0/24
RouterB
.1 e0
Sales
172.16.10.3/24
172.16.10.2/24
s1
.1
s0
.2 RouterC
.1 e0
Engineering
172.16.30.3/24
172.16.30.2/24
172.16.50.3/24
172.16.50.2/24
Order matters! What if these two statements were reversed? Does the implicit
deny any ever get a match? No, the permit any will cover all other packets.
RouterB(config)#access-list
RouterB(config)#access-list
Implicit “deny any” -do not
RouterB(config)#access-list
10 deny 172.16.30.2
10 permit any
need to add this, discussed later
10 deny 0.0.0.0 255.255.255.255
RouterB(config)# interface e 0
RouterB(config-if)# ip access-group 10 in
14
ACL Example
172.16.20.0/24
RouterA
.1
s0
s0
.1
.2
RouterB
s1
.1
.1 e0
e0
Sales
Administration
172.16.10.3/24
172.16.10.2/24
172.16.40.0/24
s0
.2 RouterC
.1 e0
Engineering
172.16.30.3/24
172.16.30.2/24
172.16.50.3/24
172.16.50.2/24
Order matters! In this case all packets would be permitted, because all packets
would match the first access list statement. Once a condition is met, all other
statements are ignored. The second access list statement and the implicit deny
any would never be used. This would not do what we want.
RouterB(config)#access-list
RouterB(config)#access-list
Implicit “deny any” -do not
RouterB(config)#access-list
10 permit any
10 deny 172.16.30.2
need to add this, discussed later
10 deny 0.0.0.0 255.255.255.255
RouterB(config)# interface e 0
RouterB(config-if)# ip access-group 10 in
15
Note on inbound access lists
• When an access lists applied to an inbound interface, the packets are
checked against the access list before any routing table lookup
process occurs.
• We will see how outbound access list work in a moment, but they are
applied after the forwarding decision is made, after the routing table
lookup process takes place and an exit interface is determined.
• Once a packet is denied by an ACL, the router sends an ICMP
“Destination Unreachable” message, with the code value set to
“Administratively Prohibited” to the source of the packet.
RouterB(config)#access-list
RouterB(config)#access-list
Implicit “deny any” (do not
RouterB(config)#access-list
10 deny 172.16.30.2
10 permit any
need to add this, discussed later):
10 deny 0.0.0.0 255.255.255.255
RouterB(config)# interface e 0
RouterB(config-if)# ip access-group 10 in
16
Notes from www.cisco.com
• Traffic coming into the router is compared to ACL entries based on
the order that the entries occur in the router.
• New statements are added to the end of the list.
• The router keeps looking until it has a match.
• If no matches are found when the router reaches the end of the list,
the traffic is denied.
• For this reason, you should have the frequently hit entries at the top
of the list.
• There is an "implied deny" for traffic that is not permitted.
• A single-entry ACL with only one "deny" entry has the effect of
denying all traffic.
• You must have at least one "permit" statement in an ACL or all
traffic will be blocked.
access-list 10 permit 10.1.1.1 0.0.0.255
access-list 10 deny ip any
(implicit)
17
Time for Wildcard Masks!
A wildcard mask address:
• Tells how much of the packet’s source IP
address (or destination IP address) needs to
match for this condition to be true.
18
Time for Wildcard Masks!
• A wildcard mask is a 32-bit quantity that is divided into four octets.
• A wildcard mask is paired with an IP address.
• The numbers one and zero in the mask are used to identify how to
treat the corresponding IP address bits.
• The term wildcard masking is a nickname for the ACL mask-bit
matching process and comes from of an analogy of a wildcard that
matches any other card in the game of poker.
• Wildcard masks have no functional relationship with subnet masks.
– They are used for different purposes and follow different rules.
• Subnet masks start from the left side of an IP address and work
towards the right to extend the network field by borrowing bits from the
host field.
• Wildcard masks are designed to filter individual or groups of IP
addresses permitting or denying access to resources based on the
address.
19
Wildcard Masks!
• “Trying to figure out how wildcard masks work by relating them to
subnet masking will only confuse the entire matter. The only similarity
between a wildcard mask and a subnet mask is that they are both
thirty-two bits long and use ones and zeros for the mask.”
• This is not entirely true.
• Although it is very important that you understand how a wildcard mask
works, it can also be thought as an inverse subnet mask.
20
Wildcard Masks!
Test Condition
Test
Conditon
10101100.00010000.00000000.00000000
00000000.00000000.11111111.11111111
-----------------------------------A Match…
Matching packets will look like this…
The packet
10101100.00010000.any value.any value
•
•
•
Wildcard masking used to identify how to treat the corresponding IP address bits.
– 0 - “check the corresponding bit value.”
– 1 - “do not check (ignore) that corresponding bit value.”
A zero in a bit position of the access list mask indicates that the corresponding
bit in the address must be checked and must match for condition to be true.
A one in a bit position of the access list mask indicates the corresponding bit in
the address is not “interesting”, does not need to match, and can be ignored.
21
Wildcard Masks!
Test Condition
Test
Conditon
10101100.00010000.00000000.00000000
00000000.00000000.11111111.11111111
-----------------------------------Must Match
No Match Necessary
A Match…
The packet
10101100.00010000.any value.any value
Resulting in the bits that must match or doesn’t matter.
Matching packets will look like this.
– 0 - “check the corresponding bit value.”
– 1 - “do not check (ignore) that corresponding
22
bit value.”