
Thursday, December 25, 2008

Cisco CCNP / BSCI Tutorial: Route Summarization With RIP And EIGRP

To pass your BSCI exam and earn your CCNP certification, you've got to master route summarization. When you get to the BSCI level, actually breaking the routes down into binary strings and performing summarization is second nature to you. (If it isn't, get some more practice!) What makes CCNP / BSCI route summarization more difficult is just keeping the different protocol summarization commands straight!

RIP and EIGRP both perform route summarization at the interface level with the ip summary-address command. In the following example, R2 is running RIP and was sending four routes to R3. R3's table looked like this before summarization:

R3#show ip route rip

172.16.0.0/24 is subnetted, 4 subnets

R 172.16.8.0 [120/1] via 172.23.23.2, 00:00:02, Ethernet0

R 172.16.9.0 [120/1] via 172.23.23.2, 00:00:02, Ethernet0

R 172.16.10.0 [120/1] via 172.23.23.2, 00:00:02, Ethernet0

R 172.16.11.0 [120/1] via 172.23.23.2, 00:00:02, Ethernet0

Once the routes are summarized with the ip summary-address command, RIP advertises only the summary route to the downstream neighbor.

R2(config)#int ethernet0

R2(config-if)#ip summary-address rip 172.16.8.0 255.255.252.0

R3#clear ip route *

R3#show ip route rip

172.16.0.0/22 is subnetted, 1 subnets

R 172.16.8.0 [120/1] via 172.23.23.2, 00:01:24, Ethernet0

EIGRP works much the same way, except that the EIGRP AS number must be named in the ip summary-address command.

In the following example, R2 was advertising four separate routes to R3 via EIGRP 100: 100.0.0.0, 101.0.0.0, 102.0.0.0, and 103.0.0.0, all with an eight-bit mask. What summary route can be used here?

The summary is 100.0.0.0 252.0.0.0. To send that route to downstream routers, configure the following on R2:

R2(config)#interface ethernet0

R2(config-if)#ip summary-address eigrp 100 100.0.0.0 252.0.0.0

R3 will then have only one route in its EIGRP table - the summary route.

R3#show ip route eigrp

D 100.0.0.0/6 [90/2297856] via 172.23.23.2, 00:02:33, Ethernet0
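
The binary work behind both summaries can be checked mechanically. The following is an added example, not part of the original tutorial: it finds the longest prefix shared by a set of routes and also reports any address space the summary would advertise that none of the component routes covers. The function name and the third sample set (with 172.16.10.0 missing) are constructed for illustration.

```python
import ipaddress

def summarize(prefixes):
    """Return (summary, uncovered) for a list of CIDR strings.

    summary   - the longest prefix that contains every input route
    uncovered - blocks inside the summary that no input route covers
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    first = min(int(n.network_address) for n in nets)
    last = max(int(n.broadcast_address) for n in nets)
    # Every bit position at or below the highest differing bit is a host bit.
    host_bits = (first ^ last).bit_length()
    base = (first >> host_bits) << host_bits
    summary = ipaddress.ip_network(
        f"{ipaddress.IPv4Address(base)}/{32 - host_bits}")
    # Carve each real route out of the summary; what is left is unrouted.
    uncovered = [summary]
    for real in ipaddress.collapse_addresses(nets):
        remaining = []
        for block in uncovered:
            if real.subnet_of(block):
                remaining.extend(block.address_exclude(real))
            else:
                remaining.append(block)
        uncovered = remaining
    return summary, sorted(uncovered)

# The two route sets from the tutorial, plus a constructed set with a gap.
RIP_ROUTES = ["172.16.8.0/24", "172.16.9.0/24", "172.16.10.0/24", "172.16.11.0/24"]
EIGRP_ROUTES = ["100.0.0.0/8", "101.0.0.0/8", "102.0.0.0/8", "103.0.0.0/8"]
GAPPED_ROUTES = ["172.16.8.0/24", "172.16.9.0/24", "172.16.11.0/24"]

if __name__ == "__main__":
    for name, routes in [("RIP", RIP_ROUTES), ("EIGRP", EIGRP_ROUTES),
                         ("gapped", GAPPED_ROUTES)]:
        summary, uncovered = summarize(routes)
        print(name, summary.network_address, summary.netmask,
              "uncovered:", [str(u) for u in uncovered])
```

An empty uncovered list means the summary is exact. A non-empty one means downstream routers will send traffic for those blocks toward the summarizing router even though it has no route for them.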

By mastering basic binary skills and keeping in mind that RIP and EIGRP perform route summarization at the interface level, you're one step closer to passing your BSCI exam and earning your CCNP certification!

In the next part of this tutorial, we'll take a detailed look at the different methods OSPF uses for route summarization.

Cisco CCNA Exam Tutorial: Configuring Standard Access Lists

Access Control Lists (ACLs) allow a router to permit or deny packets based on a variety of criteria. The ACL is configured in global mode, but is applied at the interface level. An ACL does not take effect until it is expressly applied to an interface with the ip access-group command. Packets can be filtered as they enter or exit an interface.

If a packet enters or exits an interface with an ACL applied, the packet is compared against the criteria of the ACL. If the packet matches the first line of the ACL, the appropriate “permit” or “deny” action is taken. If there is no match, the second line’s criterion is examined. Again, if there is a match, the appropriate action is taken; if there is no match, the third line of the ACL is compared to the packet.

This process continues until a match is found, at which time the ACL stops running. If no match is found, a default “deny” takes place, and the packet will not be processed. When an ACL is configured, if a packet is not expressly permitted, it will be subject to the implicit deny at the end of every ACL. This is the default behavior of an ACL and cannot be changed.

A standard ACL is concerned with only one factor, the source IP address of the packet. The destination is not considered. Extended ACLs consider both the source and destination of the packet, and can consider the port number as well. The numerical range used for each is different: standard ACLs use the ranges 1-99 and 1300-1399; extended lists use 100-199 and 2000-2699.

There are several points worth repeating before beginning to configure standard ACLs.

Standard ACLs consider only the source IP address for matches.

The ACL lines are run from top to bottom. If there is no match on the first line, the second is run; if no match on the second, the third is run, and so on until there is a match, or the end of the ACL is reached. This top-to-bottom process places special importance on the order of the lines.

There is an implicit deny at the end of every ACL. If packets are not expressly permitted, they are implicitly denied.

If Router 3’s Ethernet interface should only accept packets with a source network of 172.12.12.0, the ACL will be configured like this:

R3#conf t

R3(config)#access-list 5 permit 172.12.12.0 0.0.0.255


The ACL consists of only one explicit line, one that permits packets from source IP address 172.12.12.0/24. The implicit deny, which is not configured or seen in the running configuration, will deny all packets not matching the first line.

The ACL is then applied to the Ethernet0 interface:

R3#conf t

R3(config)#interface e0

R3(config-if)#ip access-group 5 in
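
The top-to-bottom, first-match behaviour and the implicit deny can be modelled in a few lines. This is an added example, not part of the original tutorial: it evaluates source addresses against access-list 5 as configured above, and it flags lines that can never match because an earlier line already covers them. The host 172.12.12.7 and the two-line lists are constructed to show why line order matters.

```python
import ipaddress

def _bits(dotted):
    return int(ipaddress.IPv4Address(dotted))

def matches(src, base, wildcard):
    """A wildcard bit of 0 means 'must match'; a 1 means 'ignore'."""
    care = ~_bits(wildcard) & 0xFFFFFFFF
    return (_bits(src) & care) == (_bits(base) & care)

def evaluate(acl, src):
    """First matching line wins; a line number of None is the implicit deny."""
    for number, (action, base, wildcard) in enumerate(acl, start=1):
        if matches(src, base, wildcard):
            return action, number
    return "deny", None

def shadowed_lines(acl):
    """Line numbers that can never match because an earlier line covers them."""
    hidden = []
    for j, (_, base_j, wild_j) in enumerate(acl):
        care_j = ~_bits(wild_j) & 0xFFFFFFFF
        for _, base_i, wild_i in acl[:j]:
            care_i = ~_bits(wild_i) & 0xFFFFFFFF
            # Earlier line covers this one if it checks no extra bits and
            # both bases agree on every bit the earlier line checks.
            if (care_i & ~care_j) == 0 and \
               (_bits(base_i) & care_i) == (_bits(base_j) & care_i):
                hidden.append(j + 1)
                break
    return hidden

# access-list 5 from the tutorial.
ACL_5 = [("permit", "172.12.12.0", "0.0.0.255")]

# Constructed: the same two lines in both orders.
SPECIFIC_FIRST = [("deny", "172.12.12.7", "0.0.0.0"),
                  ("permit", "172.12.12.0", "0.0.0.255")]
BROAD_FIRST = SPECIFIC_FIRST[::-1]

if __name__ == "__main__":
    for src in ("172.12.12.44", "172.12.13.1"):
        print("ACL 5", src, evaluate(ACL_5, src))
    print("specific first:", evaluate(SPECIFIC_FIRST, "172.12.12.7"))
    print("broad first:   ", evaluate(BROAD_FIRST, "172.12.12.7"),
          "shadowed lines:", shadowed_lines(BROAD_FIRST))
```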


But before you write any ACLs, it's a really good idea to see what other ACLs are already running on the router! To see the ACLs running on the router, use the command show access-list.


R1#show access-list

Standard IP access list 1

permit 0.0.0.0

Standard IP access list 5

permit 172.1.1.1

Standard IP access list 7

permit 23.3.3.3

Extended IP access list 100

permit tcp any any lt www (26 matches)

permit tcp any any neq telnet (12 matches)

deny ip any any


Extended IP access list 105

deny tcp any any eq www

deny tcp any any eq telnet


You're going to use ACLs all the way up the Cisco certification ladder, and throughout your career. The importance of knowing how to write and apply ACLs is paramount, and it all starts with mastering the fundamentals!

Wednesday, December 24, 2008

Cisco CCNA Certification: Static Routing Tutorial

In studying for your CCNA exam and preparing to earn this valuable certification, you may be tempted to spend little time studying static routing and head right for the more exciting dynamic routing protocols like RIP, EIGRP, and OSPF. This is an understandable mistake, but still a mistake. Static routing is not complicated, but it's an important topic on the CCNA exam and a valuable skill for real-world networking.

To create static routes on a Cisco router, you use the ip route command followed by the destination network, network mask, and either the next-hop IP address or the local exit interface. It's vital to keep that last part in mind - you're either configuring the IP address of the downstream router, or the interface on the local router that will serve as the exit interface.

Let's say your local router has a serial0 interface with an IP address of 200.1.1.1/30, and the downstream router that will be the next hop will receive packets on its serial1 interface with an IP address of 200.1.1.2/30. The static route will be for packets destined for the 172.10.1.0 network. Either of the following ip route statements would be correct.

R1(config)#ip route 172.10.1.0 255.255.255.0 200.1.1.2 (next-hop IP address)

OR


R1(config)#ip route 172.10.1.0 255.255.255.0 serial0 (local exit interface)

You can also write a static route that matches only one destination. This is a host route, and has 255.255.255.255 for a mask. If the above static routes should only be used to send packets to 172.10.1.1, the following commands would do the job.

R1(config)#ip route 172.10.1.1 255.255.255.255 200.1.1.2 (next-hop IP address)

OR


R1(config)#ip route 172.10.1.1 255.255.255.255 serial0 (local exit interface)

Finally, a default static route serves as a gateway of last resort. If there are no matches for a destination in the routing table, the default route will be used. Default routes use all zeroes for both the destination and mask, and again a next-hop IP address or local exit interface can be used.

R1(config)#ip route 0.0.0.0 0.0.0.0 200.1.1.2 (next-hop IP address)

OR


R1(config)#ip route 0.0.0.0 0.0.0.0 serial0 (local exit interface)

IP route statements seem simple enough, but the details regarding the next-hop IP address, the local exit interface, default static routes, and the syntax of the command are vital for success on CCNA exam day and in the real world.
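
How a network route, a host route and a default route interact when all three are present can be shown with a small lookup. This is an added example, not part of the original tutorial: it parses ip route statements in the syntax shown above and picks the most specific matching route for a destination. Combining the three statements in one configuration, and the test destinations, are assumptions made for illustration.

```python
import ipaddress

# Constructed configuration: one of each kind of static route from the tutorial.
CONFIG = """\
ip route 0.0.0.0 0.0.0.0 200.1.1.2
ip route 172.10.1.0 255.255.255.0 200.1.1.2
ip route 172.10.1.1 255.255.255.255 serial0
"""

def parse(config):
    """Turn 'ip route <network> <mask> <exit>' lines into (network, exit) pairs."""
    table = []
    for line in config.splitlines():
        parts = line.split()
        if parts[:2] != ["ip", "route"] or len(parts) < 5:
            continue  # not a static route statement
        network = ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}")
        table.append((network, parts[4]))
    return table

def lookup(dest, table):
    """Return (prefix, exit) of the longest matching route, or None."""
    addr = ipaddress.IPv4Address(dest)
    candidates = [(net, exit_) for net, exit_ in table if addr in net]
    if not candidates:
        return None  # no match and no default route: the packet is dropped
    net, exit_ = max(candidates, key=lambda c: c[0].prefixlen)
    return str(net), exit_

if __name__ == "__main__":
    table = parse(CONFIG)
    for dest in ("172.10.1.1", "172.10.1.9", "10.9.9.9"):
        print(dest, "->", lookup(dest, table))
```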