Presentation 4 for students of professordkinney.com

Establishing Internet Connectivity
08/02/13
Instructional Design-Computer Networking -
Bridges Educational Group

Lessons Objectives:
Exploring the Packet-Delivery Process.
Enabling Static Routing.
Managing Traffic Using ACLs.
Enabling Internet Connectivity.
08/02/13

Exploring the Packet-Delivery Process-
Router Paths and Packet Switching
Internet Protocol (IP) packet format contains fields that
provide information about the packet and the sending and
receiving hosts
Fields that are importance for CCNA students:
-Destination IP address
-Source IP address
-Version & TTL
-IP header length
-Precedence & type of service
-Packet length
08/02/13

08/02/13

MAC Layer Frame Format-
MAC Frames are also divided into fields. They include:
-Preamble
-Start of frame delimiter
-Destination MAC address
-Source MAC address
-Type/length
-Data and pad
-Frame check sequence
08/02/13

A Metric is a numerical value used by routing protocols help determine the best
path to a destination
The smaller the metric value the better the path
2 types of metrics used by routing protocols are:
-Hop count - this is the number of routers a packet must travel through to
get to its destination
-Bandwidth - this is the “speed” of a link also known as the data capacity of a
link
08/02/13

Equal cost metric is a condition where a router has multiple paths to the same
destination that all have the same metric
To solve this problem., a router will use Equal Cost Load Balancing. This means
the router sends packets over the multiple exit interfaces listed in the routing
table.
Path determination is a process used by a router to pick the best path to a
destination
One of 3 path determinations results from searching for the best path
 Directly connected network
 Remote network
 No route determined
08/02/13

Switching Function of Router is the process used by a
router to switch a packet from an incoming interface
to an outgoing interface on the same router.
A packet received by a router will do the following:
 Strips off layer 2 headers.
 Examines destination IP address located in Layer 3
header to find best route to destination.
 Re-encapsulates layer 3 packet into layer 2 frame.
 Forwards frame out exit interface.
08/02/13

As a packet travels from one networking device to another
-The Source and Destination IP addresses NEVER
change
-The Source & Destination MAC addresses CHANGE
as packet is forwarded from one router to the next.
-TTL field decrement by one until a value of zero is
reached at which point router discards packet (prevents
packets from endlessly traversing the network)
08/02/13

Path determination and switching function details.
PC1 Wants to send something to PC 2 here is part of
what happens
Step 1 - PC1 encapsulates packet into a frame. Frame
contains R1’s destination MAC address
08/02/13

Step 2 - R1 receives Ethernet frame.
 R1 sees that destination MAC address matches its
own MAC.
 R1 then strips off Ethernet frame.
 R1 Examines destination IP.
 R1 consults routing table looking for destination
IP.
 After finding destination IP in routing table, R1
now looks up next hop IP address.
 R1 re-encapsulates IP packet with a new Ethernet
frame.
 R1 forwards Ethernet packet out Fa0/1 interface.
08/02/13

Path determination and switching function details. PC1 Wants to send
something to PC 2 here is part of what happens
Step 3 - Packet arrives at R2
 R2 receives Ethernet frame
 R2 sees that destination MAC address matches its own MAC
 R2 then strips off Ethernet frame
 R2 Examines destination IP
 R2 consults routing table looking for destination IP
 After finding destination IP in routing table, R2 now looks up
next hop IP address
 R2 re-encapsulates IP packet with a new data link frame
 R2 forwards Ethernet packet out S0/0 interface
08/02/13

Path determination and switching function details. PC1 Wants to send
something to PC 2 here is part of what happens
Step 4 - Packet arrives at R3
 R3 receives PPP frame
 R3 then strips off PPP frame
 R3 Examines destination IP
 R3 consults routing table looking for destination IP
 After finding destination IP in routing table, R3 is directly
connected to destination via its fast Ethernet interface
 R3 re-encapsulates IP packet with a new Ethernet frame
 R3 forwards Ethernet packet out Fa0/0 interface
Step 5 - IP packet arrives at PC2. Frame is decapsulated
& processed by upper layer protocols.
08/02/13

Purpose of a static route
A manually configured route used when routing from a
network to a stub network
08/02/13

IP route command
 To configure a static route use the following command:
ip route
 Example:
 -Router(config)# ip route network-address subnet-mask {ip-
address | exit-interface }
08/02/13

Understanding static route syntax
 ip route - Static route command
 172.16.1.0 – Destination network address
 255.255.255.0 - Subnet mask of destination network
 172.16.2.2 - Serial 0/0/0 interface IP address on R2,
which is the "next-hop" to this network
08/02/13

Configuring routes to 2 or more remote networks
Use the following commands for R1
 -R1(config)#ip route 192.168.1.0 255.255.255.0 172.16.2.2
 -R1(config)#ip route 192.168.2.0 255.255.255.0 172.16.2.2
08/02/13

Modifying Static routes
 Existing static routes cannot be modified. The old static
route must be deleted by placing no in front of the ip
route
 Example:
-no ip route 192.168.2.0 255.255.255.0 172.16.2.2
 A new static route must be rewritten in the
configuration
08/02/13

Verifying the Static Route Configuration
-Use the following commands
 Step 1 show running-config
 Step 2 verify static route has been entered correctly
 Step 3 show ip route
 Step 4 verify route was configured in routing table
 Step 5 issue ping command to verify packets can reach
destination and that Return path is working
08/02/13

Ethernet interfaces and ARP.
– If a static route is configured on an Ethernet link
-If the packet is sent to the next-hop router then…
the destination MAC address will be the
address of the next hop’s Ethernet interface
This is found by the router consulting the ARP table.
If an entry isn’t found then an ARP request will be sent
out
08/02/13

What are ACLs?
ACLs are lists of instructions you apply to a router's
interface. These lists tell the router what kinds of packets
to accept and what kinds of packets to deny. Acceptance
and denial can be based on certain specifications, such as
source address, destination address and port number.
ACLs enable you to manage traffic and scan specific
packets by applying the ACL to a router interface. Any
traffic going through the interface is tested against certain
conditions that are part of the ACL.
08/02/13

Reasons for ACLs
There are many reasons to create ACLs. For example, ACLs can be
used to:
Limit network traffic and increase network performance. For
example, ACLs can designate certain packets to be processed by a
router before other traffic, on the basis of a protocol. This is
referred to as queuing, which ensures that routers will not process
packets that are not needed. As a result, queuing limits the
network traffic and reduces network congestion.
Provide traffic flow control. For example, ACLs can restrict or
reduce the contents of routing updates. These restrictions are used
to limit information about specific networks from propagating
through the network.
08/02/13

Provide a basic level of security for network access. For example,
ACLs can allow one host to access a part of your network and
prevent another host from accessing the same area. Host A is
allowed to access the Human Resources network and Host B is
prevented from accessing the Human Resources network. If you do
not configure ACLs on your router, all packets passing through the
router could be allowed onto all parts of the network.
Decide which types of traffic are forwarded or blocked at the router
interfaces. For example, you can permit e-mail traffic to be routed,
but at the same time block all TELNET traffic.
08/02/13

How ACLs Work
An ACL is a group of statements that define how packets:
 Enter inbound interfaces
 Relay through the router
 Exit outbound interfaces of the router
 The beginning of the communication process is the same, whether ACLs are used or not.
As a packet enters an interface, the router checks to see whether the packet is routable
or bridgeable. Now the router checks whether the inbound interface has an ACL. If one
exists, the packet is now tested against the conditions in the list. If the packet is allowed
it will then be checked against routing table entries to determine the destination
interface.
 Next, the router checks whether the destination interface has an ACL. If it does not, the
packet can be sent to the destination interface directly; for example, if it will use E0,
which has no ACLs, the packet uses E0 directly.
 ACL statements operate in sequential, logical order. If a condition match is true, the
packet is permitted or denied and the rest of the ACL statements are not checked. If all
the ACL statements are unmatched, an implicit "deny any" statement is imposed. This
means that even though you will not see the "deny any" as the last line of an ACL, it is
there.
08/02/13

ACL commands can be lengthy character strings. Key tasks covered in this section for
creating ACLs include the following:
You create ACLs by using the global configuration mode.
 Specifying an ACL number from 1 to 99 instructs the router to accept standard ACL
statements. Specifying an ACL number from 100 to 199 instructs the router to accept
extended ACL statements. (see table below)
 You must carefully select and logically order the ACL. Permitted IP protocols must be
specified; all other protocols should be denied.
 You should select which IP protocols to check; any other protocols are not checked.
Later in the procedure, you can also specify an optional destination port for more
precision.
 Assigning a unique number to each ACL
 When configuring ACLs on a router, you must identify each ACL uniquely by assigning a
number to the protocol's ACL. When you use a number to identify an ACL, the number
must be within the specific range of numbers that is valid for the protocol.
 You can specify ACLs by numbers for the protocols listed in the table. The table also lists
the range of ACL numbers that is valid for each protocol.
08/02/13

08/02/13
After you create a numbered ACL, you must assign it to an interface for it to be used. If you want
to alter an ACL containing numbered ACL statements, you need to delete all the statements in
the numbered ACL by using the command no access-list[list-number].

Purpose and Function of Wildcard Mask Bits
wildcard mask is a 32-bit quantity that is divided into four octets, with each octet
containing 8 bits. A wildcard mask bit 0 means "check the corresponding bit value" and
a wildcard mask bit 1 means "do not check (ignore) that corresponding bit value".
 A wildcard mask is paired with an IP address. The numbers one and zero are used to
identify how to treat the corresponding IP address bits. ACLs use wildcard masking to
identify a single or multiple addresses for permit or deny tests. The term wildcard
masking is a nickname for the ACL mask-bit matching process and comes from of an
analogy of a wildcard that matches any other card in a poker game.
 Although both are 32-bit quantities, wildcard masks and IP subnet masks operate
differently. Recall that the zeros and ones in a subnet mask determine the network,
subnet and host portions of the corresponding IP address. The zeros and ones in a
wildcard, as just noted, determine whether the corresponding bits in the IP address
should be checked or ignored for ACL purposes.
08/02/13

The ANY Command
Working with decimal representations of binary wildcard mask bits can be tedious. For the
most common uses of wildcard masking, you can use abbreviations. These abbreviations
reduce the amount of typing you need to do when configuring address test conditions.
For example, say you want to specify that any source address will be permitted in an ACL
test. To indicate any IP address, you would enter 0.0.0.0; then, to indicate that the ACL
should ignore (that is, allow without checking) any value, the corresponding wildcard
mask bits for this address would be all ones (that is, 255.255.255.255). You can use the
abbreviation any to communicate this same test condition to Cisco IOS ACL software.
Instead of typing 0.0.0.0 255.255.255.255, you can use the word any by itself as the
keyword.
For example, instead of using this:
 Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255
 you can use this:
 Router(config)# access-list 1 permit any
08/02/13

The HOST Command
A second common condition where Cisco IOS permits an abbreviation in the ACL wildcard
mask is when you want to match all the bits of an entire IP host address. For example,
say you want to specify that a specific IP host address will be denied in an ACL test. To
indicate a host IP address, you would enter the full address (for example, 172.30.16.29);
then, to indicate that the ACL should check all the bits in the address, the corresponding
wildcard mask bits for this address would be all zeros (that is, 0.0.0.0). You can use the
abbreviation host to communicate this same test condition to Cisco IOS ACL software.
In the example, instead of typing 172.30.16.29 0.0.0.0, you can use the word host in front
of the address.
For example, instead of using this:
 Router(config)# access-list 1 deny 172.30.16.29 0.0.0.0
 you can use this:
 Router(config)# access-list 1 deny host 172.30.16.29
08/02/13

Standard ACLs
 You use standard ACLs when you want to block all traffic from a network, allow all traffic
from a specific network, or deny protocol suites. Standard ACLs check the source
address of packets that could be routed. The result permits or denies output for an entire
protocol suite, based on the network, subnet and host addresses. For example, packets
coming in E0 are checked for source address and protocol. If they are permitted, the
packets are output through S0, which is grouped to the ACL. If they are not permitted
they are dropped.
08/02/13

We use the standard version of the access-list global configuration command to define a
standard ACL with a number. This command is used in global configuration command
mode.
The full syntax of the command is
 Router(config)# access-list access-list-number {deny | permit} source [source-wildcard ]
[log]
 You use the no form of this command to remove a standard ACL. This is the syntax:
 Router(config)# no access-list access-list-number
 Examples of ACLsAccess-list 33 permit 172.16.0.0   0.0.255.255 (permits all traffic from
172.16.0.0)
 Access-list 44 deny 172.16.13.7   0.0.0.0 (denies traffic from host 172.16.13.7)
 Access-list 55 deny 172.16.64.0   any (denies all traffic from network 172.16.64.0)
08/02/13

Placing ACLs
The second part of establishing an access list is applying the list to a specific interface.
 Router(config-if)# ip access-group 33 in (applies access-list 33 to the packets inbound to
the interface being configured)
 Router(config-if)# ip access-group 44 out (applies access-list 44 to packets outbound
from the interface being configured)
How to Verify Standard ACLs
You use the show access-lists EXEC command to display the contents of all ACLs. In
addition, you use the show access-lists EXEC command followed by the name or number
of an ACL to display the contents of one ACL. The following example of a standard ACL
allows access for hosts on the three specified networks:
 access-list 1 permit 192.5.34.0 0.0.0.255
08/02/13

In the example, the wildcard bits apply to the host portions of the network addresses. Any
host with a source address that does not match the ACL statements will be rejected. To
specify a large number of individual addresses more easily, you can omit the wildcard if
it is all zeros. Thus, the following two configuration commands have the same effect:
 access-list 2 permit 36.48.0.3
 The ip access-group command groups an existing ACL to an interface. Remember that
only one ACL per port per protocol per direction is allowed. The format of the command
is:
 Router(config)#ip access-group access-list-number {in | out}
08/02/13

Example of a Standard ACL
 In the example below, the ACL allows only traffic from source network 172.16.0.0 to be
forwarded. Non-172.16.0.0 network traffic is blocked. The example shows how the ACL
allows only traffic from source network 172.16.0.0 to be forwarded and non-172.16.0.0 to
be blocked.
 Also shown in the example, the command ip access-group 1 out groups the ACL to an
outgoing interface.
08/02/13

Permitting Traffic from Source Network 172.16.0.0
access-list 1 permit 172.16.0.0 0.0.255.255
(implicit deny any - not visible in the list)
(access-list 1 deny 0.0.0.0 255.255.255.255)
interface ethernet 0
ip access-group 1 out
interface ethernet 1
ip access-group 1 out
08/02/13

Writing an ACL to deny a Specific Host
The example below shows how an ACL is designed to block traffic from a specific address,
172.16.4.13 and to allow all other traffic to be forwarded on interface Ethernet 0
 In the second access-list command, the 0.0.0.0 255.255.255.255 IP address/ wildcard
mask combination identifies traffic from any source. This combination can also be
written using the keyword any. All zeros in the address indicate a placeholder and all
ones in the wildcard mask indicate that all 32 bits will not be checked in the source
address. Any packet that does not match the first line of the ACL will match the second
one and be forwarded.
 Denying a Specific Host
 access-list 1 deny host 172.16.4.13 0.0.0.0
 (implicit deny any)
 (access-list 1 deny 0.0.0.0 255.255.255.255)
 interface ethernet 0
 ip access-group 1 out
08/02/13
STANDARDACLEXAMPLE

Writing a Standard ACL to deny a Specific Network
 0.0.0.255: The zeros in the first three octets indicate that those bits will be tested for
matches while the last octet of all ones indicates a don't care condition for matching the
last octet of the IP address (the host portion). Note also that the any abbreviation has
been used for the IP address of the source.
 Denying a Specific Subnet
 (access-list 1 deny) 172.16.4.0 0.0.0.255
access-list 1 permit any
 (implicit deny any)
 access-list 1 deny any
 interface ethernet 0
 ip access-group 1 out
08/02/13
STANDARDACLEXAMPLE

Extended ACLs
 Extended ACLs are used most often to test conditions because they provide a greater
range of control than standard ACLs. You would use an extended ACL when you want to
allow Web traffic but deny File Transfer Protocol (FTP) or TELNET from non-company
networks. Extended ACLs check for both source and destination packet addresses. They
also can check for specific protocols, port numbers and other parameters. This gives you
more flexibility to describe what checking the ACL will do. Packets can be permitted or
denied output based on where the packet originated and based on its destination. For
example, the extended ACL can allow e-mail traffic from E0 to specific S0 destinations,
while denying remote logins or file transfers.
 The standard ACL (numbered 1 to 99) might not provide the traffic-filtering control you
need. Standard ACLs filter traffic based on a source address and mask. Standard ACLs
also permit or deny the entire Transmission Control Protocol (TCP) protocol suite. You
might need a more precise way to control traffic and access.
 For more precise traffic-filtering control, you use extended ACLs. Extended ACL
statements check for source address and for destination address. In addition, at the end
of the extended ACL statement, you gain additional precision from a field that specifies
the optional TCP or User Datagram Protocol (UDP) protocol port number. These can be
the well-known port numbers for TCP/IP. A few of the most common port numbers are
shown in Figure. You can specify the logical operation the extended ACL will perform on
specific protocols. Extended ACLs use a number in the range 100 to 199.
08/02/13

Extended ACL Parameters
The complete form of the access-list command is:
Router(config)# access-list [access-list-number] {permit | deny}
protocol source [source-mask destination destination-mask operator
operand] [established]
 The ip access-group command links an existing extended ACL to an
interface. Remember that only one ACL per interface, per direction, per protocol is
allowed. The format of the command is:
Router(config)# access-list access-list-number {in | out}
08/02/13

Writing an ACL to Deny FTP on an Ethernet Interface
The figure shows an example of an extended ACL that blocks FTP traffic.
 The interface E0 access-group 101 command links ACL 101 to outgoing interface E0.
 Note that blocking port 21 prevents FTP commands from being transmitted, thus
preventing FTP file transfers. Blocking port 20 prevents the traffic itself from being
transmitted, but does not block FTP commands. FTP servers can easily be configured to
work on different ports.
 You should understand that well-known port numbers are just that: well-known. There
are no guarantees that services will be on those ports, although they usually are.
08/02/13
STANDARDACLEXAMPLE

Writing an ACL that denies SMTP out of an Ethernet
Port but permits all other Traffic
 The figure shows an example of an extended ACL that blocks SNMP traffic.
 The interface E0 access-group 101 command links ACL 101 to outgoing interface E0.
 Note that blocking port 25 prevents SMTP traffic from being transmitted. Mail servers
can easily be configured to work on different ports. You should understand that well-
known port numbers are just that: well-known. There are no guarantees that services
will be on those ports, although they usually are.
08/02/13
STANDARDACLEXAMPLE

Configuring Named ACLs
Named ACLs allow standard and extended IP ACLs to be identified with an alphanumeric
string (name) instead of the current numeric (1 to 199) representation. Named ACLs can
be used to delete individual entries from a specific ACL. This enables you to modify your
ACLs without deleting and then reconfiguring them. Use named ACLs when:
You want to intuitively identify ACLs using an alphanumeric name.
You have more than 99 simple and 100 extended ACLs to be configured in a router
for a given protocol.
Consider the following before implementing named ACLs:
 Named ACLs are not compatible with Cisco IOS releases prior to Release 11.2.
 You cannot use the same name for multiple ACLs. In addition, ACLs of different types
cannot have the same name. For example, it is illegal to specify a standard ACL named
George and an extended ACL with the same name.
 To name the ACL, use the following command:
 Router(config)# ip access-list {standard | extended} name
 In ACL configuration mode, specify one or more conditions permitted or denied. This
determines whether the packet is passed or dropped:
 Router(config {std- | ext-}nacl)# deny {source [source-wildcard] | any}
or
 Router(config {std- | ext-}nacl)# permit {source [source-wildcard] | any}.
 The configuration shown in the Figure creates a standard ACL named Internetfilter and
an extended ACL named marketing_group. 08/02/13

The DENY Command
 You use the deny ACL configuration command to set conditions for a named ACL. The
full syntax for this command is:
 deny {source [source-wildcard] | any}
 You use the no form of this command to remove a deny condition, using the following
syntax:
 no deny {source [source-wildcard] | any}
The PERMIT Command
 You use the permit access-list configuration command to set conditions for a named
standard ACL. The full syntax of this command is:
 permit {source [source-wildcard] | any}[log]
 You use the no form of this command to remove a condition from an ACL, using the
following syntax:
 no permit {source [source-wildcard]| any}
 You use this command in access list configuration mode, following the ip access-
list command, to define the conditions under which a packet passes the ACL.
08/02/13

The following example is for a standard ACL named Internetfilter:
 ip access-list standard Internetfilter
 deny 192.5.34.0 0.0.0.255
 permit 128.88.0.0 0.0.255.255
 permit 36.0.0.0 0.255.255.255
 !(Note: all other access implicitly denied)
 In this example, permit and deny statements have no number and no removes the
specific test from the named ACL:
 Router(config {std- | ext-}nacl)# {permit | deny} {ip ACL test conditions}
{permit | deny} {ip ACL test conditions}
no {permit | deny} {ip ACL text conditions}
 This example activates the IP named ACL on an interface:
 Router(config-if)# ip access-group {name | 1-199 {in | out}}
Verifying ACLs
The show ip interface command displays IP interface information and indicates whether
any ACLs are set. The show access-lists command displays the contents of all ACLs. By
entering the ACL name or number as an option for this command, you can see a specific
list.
08/02/13

Configure a router interface
Paris(config)#interface FastEthernet 0/0
Paris(config-if)#ip address 172.16.1.1 255.255.0.0
Paris(config-if)#no shutdown
Paris(config-if)#exit
Interface names vary, depending on whether the
router is modular and on the bandwidth.
E.g. interface Ethernet 0 on an older router

Paris(config)#interface serial 0/0
Paris(config-if)#ip address 192.168.4.1 255.255.255.0
(Paris(config-if)#clock rate 64000)
Paris(config-if)#no shutdown
Paris(config-if)#exit
Give Switch IP ADDRESS :
The switch IP address goes on a virtual interface, not a real one, normally VLAN1.
 SwA(config)#interface VLAN1
 SwA(config-if)#ip address 172.16.255.1 255.255.0.0
 SwA(config-if)#no shutdown
 SwA(config-if)#exit
08/02/13

Give Switch A default Gateway
SwA(config)#ip default gateway 172.16.255.254
Just like a workstation, a switch needs a default
gateway if it exchanges messages with devices on a
different network.
The default gateway is the address of the local router.

Up And Down:
Interface status: Layer 1
Up
Down
Administratively down (no shutdown to bring up)
Protocol: Layer 2
Up
Down (no keepalive signal received)

Ping – step by step
Ping 127.0.0.1 (loopback, is TCP/IP OK?)
Ping own IP address (are NIC hardware and software
all right? Is IP address bound?)
Ping local hosts (checks own configuration and that
of others)
Ping gateway
Ping other intermediate routers
Ping hosts on remote networks
08/02/13

Find out about nodes
Ping – used from workstation, router or switch –
shows if destination can be reached
Traceroute – shows hops along the path
Arp -a on workstation – shows list of MAC and IP
addresses
show mac-address-table on switch – shows list of
MAC addresses and switch ports

Lesson Summary:
Packet Delivery Process.
Exploring ACL.
Configuring Static Routing.
Establishing Internet Connectivity.
08/02/13

Presentation 4 for students of professordkinney.com

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Presentation 4 for students of professordkinney.com

Similar to Presentation 4 for students of professordkinney.com (20)

More from Arnold Derrick Kinney

More from Arnold Derrick Kinney (8)

Recently uploaded

Recently uploaded (20)

Presentation 4 for students of professordkinney.com