3. Lessons Objectives:
Exploring the Packet-Delivery Process.
Enabling Static Routing.
Managing Traffic Using ACLs.
Enabling Internet Connectivity.
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
4. Exploring the Packet-Delivery Process-
Router Paths and Packet Switching
Internet Protocol (IP) packet format contains fields that
provide information about the packet and the sending and
receiving hosts
Fields that are importance for CCNA students:
-Destination IP address
-Source IP address
-Version & TTL
-IP header length
-Precedence & type of service
-Packet length
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
6. MAC Layer Frame Format-
MAC Frames are also divided into fields. They include:
-Preamble
-Start of frame delimiter
-Destination MAC address
-Source MAC address
-Type/length
-Data and pad
-Frame check sequence
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
7. A Metric is a numerical value used by routing protocols help determine the best
path to a destination
The smaller the metric value the better the path
2 types of metrics used by routing protocols are:
-Hop count - this is the number of routers a packet must travel through to
get to its destination
-Bandwidth - this is the “speed” of a link also known as the data capacity of a
link
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
8. Equal cost metric is a condition where a router has multiple paths to the same
destination that all have the same metric
To solve this problem., a router will use Equal Cost Load Balancing. This means
the router sends packets over the multiple exit interfaces listed in the routing
table.
Path determination is a process used by a router to pick the best path to a
destination
One of 3 path determinations results from searching for the best path
Directly connected network
Remote network
No route determined
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
9. Switching Function of Router is the process used by a
router to switch a packet from an incoming interface
to an outgoing interface on the same router.
A packet received by a router will do the following:
Strips off layer 2 headers.
Examines destination IP address located in Layer 3
header to find best route to destination.
Re-encapsulates layer 3 packet into layer 2 frame.
Forwards frame out exit interface.
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
10. As a packet travels from one networking device to another
-The Source and Destination IP addresses NEVER
change
-The Source & Destination MAC addresses CHANGE
as packet is forwarded from one router to the next.
-TTL field decrement by one until a value of zero is
reached at which point router discards packet (prevents
packets from endlessly traversing the network)
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
11. Path determination and switching function details.
PC1 Wants to send something to PC 2 here is part of
what happens
Step 1 - PC1 encapsulates packet into a frame. Frame
contains R1’s destination MAC address
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
12. Step 2 - R1 receives Ethernet frame.
R1 sees that destination MAC address matches its
own MAC.
R1 then strips off Ethernet frame.
R1 Examines destination IP.
R1 consults routing table looking for destination
IP.
After finding destination IP in routing table, R1
now looks up next hop IP address.
R1 re-encapsulates IP packet with a new Ethernet
frame.
R1 forwards Ethernet packet out Fa0/1 interface.
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
14. Path determination and switching function details. PC1 Wants to send
something to PC 2 here is part of what happens
Step 3 - Packet arrives at R2
R2 receives Ethernet frame
R2 sees that destination MAC address matches its own MAC
R2 then strips off Ethernet frame
R2 Examines destination IP
R2 consults routing table looking for destination IP
After finding destination IP in routing table, R2 now looks up
next hop IP address
R2 re-encapsulates IP packet with a new data link frame
R2 forwards Ethernet packet out S0/0 interface
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
15. Path determination and switching function details. PC1 Wants to send
something to PC 2 here is part of what happens
Step 4 - Packet arrives at R3
R3 receives PPP frame
R3 then strips off PPP frame
R3 Examines destination IP
R3 consults routing table looking for destination IP
After finding destination IP in routing table, R3 is directly
connected to destination via its fast Ethernet interface
R3 re-encapsulates IP packet with a new Ethernet frame
R3 forwards Ethernet packet out Fa0/0 interface
Step 5 - IP packet arrives at PC2. Frame is decapsulated
& processed by upper layer protocols.
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
16. Purpose of a static route
A manually configured route used when routing from a
network to a stub network
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
17. IP route command
To configure a static route use the following command:
ip route
Example:
-Router(config)# ip route network-address subnet-mask {ip-
address | exit-interface }
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
18. Understanding static route syntax
ip route - Static route command
172.16.1.0 – Destination network address
255.255.255.0 - Subnet mask of destination network
172.16.2.2 - Serial 0/0/0 interface IP address on R2,
which is the "next-hop" to this network
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
19. Configuring routes to 2 or more remote networks
Use the following commands for R1
-R1(config)#ip route 192.168.1.0 255.255.255.0 172.16.2.2
-R1(config)#ip route 192.168.2.0 255.255.255.0 172.16.2.2
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
20. Modifying Static routes
Existing static routes cannot be modified. The old static
route must be deleted by placing no in front of the ip
route
Example:
-no ip route 192.168.2.0 255.255.255.0 172.16.2.2
A new static route must be rewritten in the
configuration
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
21. Verifying the Static Route Configuration
-Use the following commands
Step 1 show running-config
Step 2 verify static route has been entered correctly
Step 3 show ip route
Step 4 verify route was configured in routing table
Step 5 issue ping command to verify packets can reach
destination and that Return path is working
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
22. Ethernet interfaces and ARP.
– If a static route is configured on an Ethernet link
-If the packet is sent to the next-hop router then…
the destination MAC address will be the
address of the next hop’s Ethernet interface
This is found by the router consulting the ARP table.
If an entry isn’t found then an ARP request will be sent
out
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
23. What are ACLs?
ACLs are lists of instructions you apply to a router's
interface. These lists tell the router what kinds of packets
to accept and what kinds of packets to deny. Acceptance
and denial can be based on certain specifications, such as
source address, destination address and port number.
ACLs enable you to manage traffic and scan specific
packets by applying the ACL to a router interface. Any
traffic going through the interface is tested against certain
conditions that are part of the ACL.
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
24. Reasons for ACLs
There are many reasons to create ACLs. For example, ACLs can be
used to:
Limit network traffic and increase network performance. For
example, ACLs can designate certain packets to be processed by a
router before other traffic, on the basis of a protocol. This is
referred to as queuing, which ensures that routers will not process
packets that are not needed. As a result, queuing limits the
network traffic and reduces network congestion.
Provide traffic flow control. For example, ACLs can restrict or
reduce the contents of routing updates. These restrictions are used
to limit information about specific networks from propagating
through the network.
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
25. Provide a basic level of security for network access. For example,
ACLs can allow one host to access a part of your network and
prevent another host from accessing the same area. Host A is
allowed to access the Human Resources network and Host B is
prevented from accessing the Human Resources network. If you do
not configure ACLs on your router, all packets passing through the
router could be allowed onto all parts of the network.
Decide which types of traffic are forwarded or blocked at the router
interfaces. For example, you can permit e-mail traffic to be routed,
but at the same time block all TELNET traffic.
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
26. How ACLs Work
An ACL is a group of statements that define how packets:
Enter inbound interfaces
Relay through the router
Exit outbound interfaces of the router
The beginning of the communication process is the same, whether ACLs are used or not.
As a packet enters an interface, the router checks to see whether the packet is routable
or bridgeable. Now the router checks whether the inbound interface has an ACL. If one
exists, the packet is now tested against the conditions in the list. If the packet is allowed
it will then be checked against routing table entries to determine the destination
interface.
Next, the router checks whether the destination interface has an ACL. If it does not, the
packet can be sent to the destination interface directly; for example, if it will use E0,
which has no ACLs, the packet uses E0 directly.
ACL statements operate in sequential, logical order. If a condition match is true, the
packet is permitted or denied and the rest of the ACL statements are not checked. If all
the ACL statements are unmatched, an implicit "deny any" statement is imposed. This
means that even though you will not see the "deny any" as the last line of an ACL, it is
there.
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
27. ACL commands can be lengthy character strings. Key tasks covered in this section for
creating ACLs include the following:
You create ACLs by using the global configuration mode.
Specifying an ACL number from 1 to 99 instructs the router to accept standard ACL
statements. Specifying an ACL number from 100 to 199 instructs the router to accept
extended ACL statements. (see table below)
You must carefully select and logically order the ACL. Permitted IP protocols must be
specified; all other protocols should be denied.
You should select which IP protocols to check; any other protocols are not checked.
Later in the procedure, you can also specify an optional destination port for more
precision.
Assigning a unique number to each ACL
When configuring ACLs on a router, you must identify each ACL uniquely by assigning a
number to the protocol's ACL. When you use a number to identify an ACL, the number
must be within the specific range of numbers that is valid for the protocol.
You can specify ACLs by numbers for the protocols listed in the table. The table also lists
the range of ACL numbers that is valid for each protocol.
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
28. 08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
After you create a numbered ACL, you must assign it to an interface for it to be used. If you want
to alter an ACL containing numbered ACL statements, you need to delete all the statements in
the numbered ACL by using the command no access-list[list-number].
Establishing Internet Connectivity
29. Purpose and Function of Wildcard Mask Bits
wildcard mask is a 32-bit quantity that is divided into four octets, with each octet
containing 8 bits. A wildcard mask bit 0 means "check the corresponding bit value" and
a wildcard mask bit 1 means "do not check (ignore) that corresponding bit value".
A wildcard mask is paired with an IP address. The numbers one and zero are used to
identify how to treat the corresponding IP address bits. ACLs use wildcard masking to
identify a single or multiple addresses for permit or deny tests. The term wildcard
masking is a nickname for the ACL mask-bit matching process and comes from of an
analogy of a wildcard that matches any other card in a poker game.
Although both are 32-bit quantities, wildcard masks and IP subnet masks operate
differently. Recall that the zeros and ones in a subnet mask determine the network,
subnet and host portions of the corresponding IP address. The zeros and ones in a
wildcard, as just noted, determine whether the corresponding bits in the IP address
should be checked or ignored for ACL purposes.
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
33. We use the standard version of the access-list global configuration command to define a
standard ACL with a number. This command is used in global configuration command
mode.
The full syntax of the command is
Router(config)# access-list access-list-number {deny | permit} source [source-wildcard ]
[log]
You use the no form of this command to remove a standard ACL. This is the syntax:
Router(config)# no access-list access-list-number
Examples of ACLsAccess-list 33 permit 172.16.0.0 0.0.255.255 (permits all traffic from
172.16.0.0)
Access-list 44 deny 172.16.13.7 0.0.0.0 (denies traffic from host 172.16.13.7)
Access-list 55 deny 172.16.64.0 any (denies all traffic from network 172.16.64.0)
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
34. Placing ACLs
The second part of establishing an access list is applying the list to a specific interface.
Router(config-if)# ip access-group 33 in (applies access-list 33 to the packets inbound to
the interface being configured)
Router(config-if)# ip access-group 44 out (applies access-list 44 to packets outbound
from the interface being configured)
How to Verify Standard ACLs
You use the show access-lists EXEC command to display the contents of all ACLs. In
addition, you use the show access-lists EXEC command followed by the name or number
of an ACL to display the contents of one ACL. The following example of a standard ACL
allows access for hosts on the three specified networks:
access-list 1 permit 192.5.34.0 0.0.0.255
access-list 1 permit 128.88.0.0 0.0.255.255
access-list 1 permit 36.0.0.0 0.255.255.255
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
36. Example of a Standard ACL
In the example below, the ACL allows only traffic from source network 172.16.0.0 to be
forwarded. Non-172.16.0.0 network traffic is blocked. The example shows how the ACL
allows only traffic from source network 172.16.0.0 to be forwarded and non-172.16.0.0 to
be blocked.
Also shown in the example, the command ip access-group 1 out groups the ACL to an
outgoing interface.
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
37. Permitting Traffic from Source Network 172.16.0.0
access-list 1 permit 172.16.0.0 0.0.255.255
(implicit deny any - not visible in the list)
(access-list 1 deny 0.0.0.0 255.255.255.255)
interface ethernet 0
ip access-group 1 out
interface ethernet 1
ip access-group 1 out
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
38. Writing an ACL to deny a Specific Host
The example below shows how an ACL is designed to block traffic from a specific address,
172.16.4.13 and to allow all other traffic to be forwarded on interface Ethernet 0
In the second access-list command, the 0.0.0.0 255.255.255.255 IP address/ wildcard
mask combination identifies traffic from any source. This combination can also be
written using the keyword any. All zeros in the address indicate a placeholder and all
ones in the wildcard mask indicate that all 32 bits will not be checked in the source
address. Any packet that does not match the first line of the ACL will match the second
one and be forwarded.
Denying a Specific Host
access-list 1 deny host 172.16.4.13 0.0.0.0
access-list 1 permit 0.0.0.0 255.255.255.255
(implicit deny any)
(access-list 1 deny 0.0.0.0 255.255.255.255)
interface ethernet 0
ip access-group 1 out
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
STANDARDACLEXAMPLE
Establishing Internet Connectivity
39. Writing a Standard ACL to deny a Specific Network
0.0.0.255: The zeros in the first three octets indicate that those bits will be tested for
matches while the last octet of all ones indicates a don't care condition for matching the
last octet of the IP address (the host portion). Note also that the any abbreviation has
been used for the IP address of the source.
Denying a Specific Subnet
(access-list 1 deny) 172.16.4.0 0.0.0.255
access-list 1 permit any
(implicit deny any)
access-list 1 deny any
interface ethernet 0
ip access-group 1 out
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
STANDARDACLEXAMPLE
Establishing Internet Connectivity
43. Writing an ACL to Deny FTP on an Ethernet Interface
The figure shows an example of an extended ACL that blocks FTP traffic.
The interface E0 access-group 101 command links ACL 101 to outgoing interface E0.
Note that blocking port 21 prevents FTP commands from being transmitted, thus
preventing FTP file transfers. Blocking port 20 prevents the traffic itself from being
transmitted, but does not block FTP commands. FTP servers can easily be configured to
work on different ports.
You should understand that well-known port numbers are just that: well-known. There
are no guarantees that services will be on those ports, although they usually are.
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
STANDARDACLEXAMPLE
Establishing Internet Connectivity
44. Writing an ACL that denies SMTP out of an Ethernet
Port but permits all other Traffic
The figure shows an example of an extended ACL that blocks SNMP traffic.
The interface E0 access-group 101 command links ACL 101 to outgoing interface E0.
Note that blocking port 25 prevents SMTP traffic from being transmitted. Mail servers
can easily be configured to work on different ports. You should understand that well-
known port numbers are just that: well-known. There are no guarantees that services
will be on those ports, although they usually are.
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
STANDARDACLEXAMPLE
Establishing Internet Connectivity
45. Configuring Named ACLs
Named ACLs allow standard and extended IP ACLs to be identified with an alphanumeric
string (name) instead of the current numeric (1 to 199) representation. Named ACLs can
be used to delete individual entries from a specific ACL. This enables you to modify your
ACLs without deleting and then reconfiguring them. Use named ACLs when:
You want to intuitively identify ACLs using an alphanumeric name.
You have more than 99 simple and 100 extended ACLs to be configured in a router
for a given protocol.
Consider the following before implementing named ACLs:
Named ACLs are not compatible with Cisco IOS releases prior to Release 11.2.
You cannot use the same name for multiple ACLs. In addition, ACLs of different types
cannot have the same name. For example, it is illegal to specify a standard ACL named
George and an extended ACL with the same name.
To name the ACL, use the following command:
Router(config)# ip access-list {standard | extended} name
In ACL configuration mode, specify one or more conditions permitted or denied. This
determines whether the packet is passed or dropped:
Router(config {std- | ext-}nacl)# deny {source [source-wildcard] | any}
or
Router(config {std- | ext-}nacl)# permit {source [source-wildcard] | any}.
The configuration shown in the Figure creates a standard ACL named Internetfilter and
an extended ACL named marketing_group. 08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
46. The DENY Command
You use the deny ACL configuration command to set conditions for a named ACL. The
full syntax for this command is:
deny {source [source-wildcard] | any}
You use the no form of this command to remove a deny condition, using the following
syntax:
no deny {source [source-wildcard] | any}
The PERMIT Command
You use the permit access-list configuration command to set conditions for a named
standard ACL. The full syntax of this command is:
permit {source [source-wildcard] | any}[log]
You use the no form of this command to remove a condition from an ACL, using the
following syntax:
no permit {source [source-wildcard]| any}
You use this command in access list configuration mode, following the ip access-
list command, to define the conditions under which a packet passes the ACL.
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
47. The following example is for a standard ACL named Internetfilter:
ip access-list standard Internetfilter
deny 192.5.34.0 0.0.0.255
permit 128.88.0.0 0.0.255.255
permit 36.0.0.0 0.255.255.255
!(Note: all other access implicitly denied)
In this example, permit and deny statements have no number and no removes the
specific test from the named ACL:
Router(config {std- | ext-}nacl)# {permit | deny} {ip ACL test conditions}
{permit | deny} {ip ACL test conditions}
no {permit | deny} {ip ACL text conditions}
This example activates the IP named ACL on an interface:
Router(config-if)# ip access-group {name | 1-199 {in | out}}
Verifying ACLs
The show ip interface command displays IP interface information and indicates whether
any ACLs are set. The show access-lists command displays the contents of all ACLs. By
entering the ACL name or number as an option for this command, you can see a specific
list.
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
48. Establishing Internet Connectivity
Configure a router interface
Paris(config)#interface FastEthernet 0/0
Paris(config-if)#ip address 172.16.1.1 255.255.0.0
Paris(config-if)#no shutdown
Paris(config-if)#exit
Interface names vary, depending on whether the
router is modular and on the bandwidth.
E.g. interface Ethernet 0 on an older router
Establishing Internet Connectivity
49. Paris(config)#interface serial 0/0
Paris(config-if)#ip address 192.168.4.1 255.255.255.0
(Paris(config-if)#clock rate 64000)
Paris(config-if)#no shutdown
Paris(config-if)#exit
Give Switch IP ADDRESS :
The switch IP address goes on a virtual interface, not a real one, normally VLAN1.
SwA(config)#interface VLAN1
SwA(config-if)#ip address 172.16.255.1 255.255.0.0
SwA(config-if)#no shutdown
SwA(config-if)#exit
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
50. Give Switch A default Gateway
SwA(config)#ip default gateway 172.16.255.254
Just like a workstation, a switch needs a default
gateway if it exchanges messages with devices on a
different network.
The default gateway is the address of the local router.
Establishing Internet Connectivity
51. Up And Down:
Interface status: Layer 1
Up
Down
Administratively down (no shutdown to bring up)
Protocol: Layer 2
Up
Down (no keepalive signal received)
Establishing Internet Connectivity
52. Ping – step by step
Ping 127.0.0.1 (loopback, is TCP/IP OK?)
Ping own IP address (are NIC hardware and software
all right? Is IP address bound?)
Ping local hosts (checks own configuration and that
of others)
Ping gateway
Ping other intermediate routers
Ping hosts on remote networks
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity
53. Find out about nodes
Ping – used from workstation, router or switch –
shows if destination can be reached
Traceroute – shows hops along the path
Arp -a on workstation – shows list of MAC and IP
addresses
show mac-address-table on switch – shows list of
MAC addresses and switch ports
Establishing Internet Connectivity
54. Lesson Summary:
Packet Delivery Process.
Exploring ACL.
Configuring Static Routing.
Establishing Internet Connectivity.
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group
Establishing Internet Connectivity