ACCESS LIST (ACL)

Saturday, November 1, 2008

Definition

  • Network traffic flow and its effect on the security design of computer network management.
  • Access lists are permit or deny statements that filter traffic to and from network segments based on:
    • Source address
    • Destination address
    • Protocol type
    • And the port number of the packet.

An access list is a grouping of packets by category. Access lists are very helpful when control over network traffic is needed; they are the tool of choice for making decisions in this situation.
The most common and easiest-to-understand use of access lists is filtering out unwanted packets when implementing a security policy.
For example, we can set up an access list to make very specific decisions about traffic-pattern rules, so that the access list allows only certain hosts to reach WWW resources while all others are denied. With the right combination of access lists, network managers have the power to enforce almost any security policy they can devise.
Access lists can also be used in other situations that do not necessarily involve denying packets. For example, access lists are used to control which networks will or will not be advertised by a dynamic routing protocol. The access list itself is configured in the same way; the only difference is that it is applied to the routing protocol rather than to an interface. We can also use access lists to categorize packets for queuing/QoS services, and to control which types of traffic will bring up an ISDN link.

Creating an access list is very similar to an if-then statement in programming: if a condition is met, the given action is carried out; if it is not met, nothing happens and the next statement is evaluated. ACL statements are basically packet filters: the packet is compared, the packet is categorized, and an action is taken on the packet.
A list that has been created can be applied to either inbound or outbound traffic on any interface. Applying an ACL causes the router to analyze every packet travelling in the specified direction through that interface and to take the appropriate action.
When a packet is compared against an ACL, there are several important rules that are followed:

  • A packet is always compared against each line of the ACL in sequence: first against the first line of the ACL, then the second, the third, and so on.
  • A packet is compared against the ACL lines only until a match occurs. Once the packet matches the condition on an ACL line, the action is taken and no further comparisons are made.
  • There is a hidden "deny" statement (implicit deny) at the end of every ACL. This means that if a packet does not match any of the condition lines in the ACL, the packet is denied.

Types of ACL

    • Standard ACL

A standard ACL uses only the source IP address in the IP packet as the condition that is tested. All decisions are made based on the source IP address. This means that a standard ACL basically permits or denies an entire protocol suite; it does not distinguish between types of IP traffic such as WWW, Telnet, UDP, DSP.
    • Extended ACL

An extended ACL can evaluate many other fields in the layer 3 and layer 4 headers of an IP packet. It can evaluate source and destination IP addresses, the protocol field in the network-layer header, and the port number in the transport-layer header. This gives extended ACLs the ability to make more specific decisions when controlling traffic.

ACL Traffic Types

    • Inbound ACL

When an ACL is applied to inbound packets on an interface, the packets are processed through the ACL before being routed to the outbound interface. Any packet that is denied cannot be routed, because it is discarded before the routing process takes place.

    • Outbound ACL

When an ACL is applied to outbound packets on an interface, the packets are routed to the outbound interface and then processed through the ACL before being queued.

General ACL Guidelines

There are several general ACL guidelines that should be followed when creating and implementing ACLs on a router:

    • Only one ACL can be applied per interface, per protocol, per direction. This means that when creating IP ACLs, you can have only one inbound ACL and one outbound ACL per interface.
    • Organize the ACL so that the more specific tests are placed at the top of the ACL.
    • Whenever a new entry is added to an ACL, it is placed at the bottom of the ACL. Using a text editor to work with ACLs is strongly recommended.
    • You cannot remove a single line from an ACL. If you try to do so, you will remove the entire ACL. It is best to copy the ACL into a text editor before trying to change the list.

  • Wildcard Masking

Wildcard masking is used together with ACLs to specify a single host, a network, or a particular range of one or more networks. To understand wildcards, we need to understand the block sizes used to specify a range of addresses. The different block sizes are 4, 8, 16, 32, 64.
When we need to specify a range of addresses, we choose the next-largest block size that meets the need. For example, if we need to specify 34 networks, we need a block size of 64. If we want to specify 18 hosts, we need a block size of 32. If we need to specify 2 networks, a block size of 4 can be used. The wildcard is used with the host or network address to tell the router which addresses to filter.
To specify a single host, the address looks like this: 172.16.30.5 0.0.0.0. The four 0s represent each octet of the address. Wherever there is a 0, it means that octet of the address must match exactly. To specify that an octet can be any value, the number used is 255. For example, here is a /24 subnet specified with a wildcard: 172.16.30.0 0.0.0.255. This tells the router to match the first 3 octets exactly, while the 4th octet can be any value.


Standard Access List

Standard IP ACLs filter network traffic by examining the source IP address in the packet. We create a standard IP ACL using ACL numbers 1-99 or 1300-1999 (the expanded range). ACL types are generally distinguished by the number used when the ACL is created; from that number the router knows which syntax to expect for the list entries.
By using the numbers 1-99 or 1300-1999, we tell the router that we want to create a standard IP ACL, so the router will expect syntax that specifies only the source IP address on the test lines.
The ACL number ranges in the example below are the ones we can use to filter traffic on our network (the protocols to which we can apply an ACL may depend on our IOS version):

Standard ACL Example
A standard ACL to stop certain users from gaining access to the Finance Department LAN.
In the figure, the router has 3 LAN connections and 1 WAN connection to the Internet. Users on the Sales LAN must not have access to the Finance LAN, but they may access the Internet and the Marketing Department.
The Marketing LAN needs to access the Finance LAN for application services.
On the router shown in the figure, the following standard IP ACL is configured:

Lab_A#config t
Lab_A(config)#access-list 10 deny 172.16.40.0 0.0.0.255
Lab_A(config)#access-list 10 permit any

It is important to know that the any keyword is the same as using the following wildcard mask:

Lab_A(config)#access-list 10 permit 0.0.0.0 255.255.255.255

Because the wildcard mask says that no octet is checked, every address will match the test condition, so this is functionally the same as using the word any. At this point the ACL is configured to deny source addresses from the Sales LAN access to the Finance LAN and to permit everything else. But remember, no action is taken until the access list is applied to an interface in a specific direction. So where should this ACL be placed? If we place it on E0, we would effectively shut down that Ethernet interface as well, because all Sales LAN devices would be denied access to every network connected to the router.
The best place to apply this ACL is on E1 as an outbound list:

Lab_A(config)#Int E1
Lab_A(config-if)#ip access-group 10 out

This completely stops 172.16.40.0 traffic from leaving Ethernet 1. It has no effect on Sales LAN hosts reaching the Marketing LAN and the Internet, because traffic to those destinations does not pass through interface E1. Every packet trying to exit E1 must pass through the ACL first. If instead an inbound list were placed on E0, every packet trying to enter interface E0 would have to pass through the ACL before being routed to the outgoing interface.

Standard Access List Features
Cisco IOS software can provide logging messages about packets permitted or denied by a standard IP access list. That is, any packet that matches the access list causes an informational logging message about the packet to be sent to the console. The level of messages logged to the console is controlled by the logging console command. This capability is only available in extended IP access lists.

The first packet that triggers the access list causes an immediate logging message, and subsequent packets are collected over 5-minute intervals before they are displayed. The logging message includes the access list number, whether the packet was permitted or denied, the source IP address of the packet, and the number of packets from that source that were permitted or denied in the previous 5-minute interval.

ADVANTAGES
We can monitor how many packets are permitted or denied by a particular access list, including the destination address of each packet.
Creating a Numbered Standard Access List
To create a numbered standard access list and receive logging messages, use the following commands, beginning in global configuration mode:

Creating a Named Standard Access List
To create a named standard access list and receive logging messages, use the following commands, beginning in global configuration mode:

To define a numbered standard IP access list, use the standard version of the access-list command; to remove a standard access list, use the no form of the command:
access-list access-list-number {deny | permit} source [source-wildcard] [log]
no access-list access-list-number
Extended ACL

An extended ACL can evaluate many other fields in the layer 3 and layer 4 headers of an IP packet. It can evaluate source and destination IP addresses, the protocol field in the Network Layer header, and the port number in the Transport Layer header. This gives extended ACLs the ability to make more specific decisions when controlling traffic.
In the standard ACL example, notice how we had to block all access from the Sales LAN to the Finance Department. What if, for security reasons, we needed Sales to have access to a particular server on the Finance LAN but not to other network services? With a standard IP ACL we cannot allow users to reach one service but not another. In other words, when we need to make decisions based on both source and destination addresses, a standard ACL does not allow it, because it makes decisions based only on the source address. An extended ACL helps us here, because it lets us specify source and destination addresses as well as the protocol and port number that identify the upper-layer protocol or application. Using extended ACLs, we can efficiently allow users access to a physical LAN while stopping them from reaching specific hosts, or even specific services on specific hosts.

Extended Access List Example
Other services on this host and on other hosts can be accessed by the Sales and Marketing departments. Here is the access list that is created:
Lab_A#config t
Lab_A(config)#access-list 110 deny tcp any host 172.16.30.5 eq 21
Lab_A(config)#access-list 110 deny tcp any host 172.16.30.5 eq 23
Lab_A(config)#access-list 110 permit ip any any
Access list 110 tells the router that you are creating an extended IP access list. TCP is the protocol field in the network-layer header. If TCP were not in the list here, you could not filter on port numbers 21 and 23 as shown in the example (FTP and Telnet, both of which use TCP for connection-oriented service). The any keyword here is the source, meaning all IP addresses, and host gives the destination IP address. Once the list is created, it next needs to be applied to the outbound interface Ethernet 1.
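The matching rules described above (top-down comparison, first match wins, implicit deny, wildcard masks) and the two lists from this page, worked through in code. This is an added example, not code from the original post; it parses only the statement forms the page uses (standard lists by number range, extended lists with any, host and a destination eq port) and models packets with constructed sample addresses.

```python
"""Cisco-style IP ACL evaluation, as an added example (not from the page):
entries are compared in order, the first match wins, and anything unmatched
hits the implicit deny. Wildcard masks work as described above: a 0 bit must
match exactly, a 1 bit means "any". The parser covers the forms the page uses
(standard lists by number range, extended lists with 'any', 'host' and a
destination 'eq <port>'); everything else is out of scope."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Bits set in the wildcard are ignored; all other bits must equal base."""
    must_match = 0xFFFFFFFF ^ ip_int(wildcard)
    return (ip_int(addr) & must_match) == (ip_int(base) & must_match)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"              # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None    # destination port for tcp/udp


@dataclass
class AclEntry:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every IP protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None    # from 'eq <port>' on the destination

    def matches(self, p: Packet) -> bool:
        return (
            (self.proto == "ip" or self.proto == p.proto)
            and wildcard_match(p.src, self.src, self.src_wc)
            and wildcard_match(p.dst, self.dst, self.dst_wc)
            and (self.dport is None or self.dport == p.dport)
        )


ANY = ("0.0.0.0", "255.255.255.255")   # what the 'any' keyword expands to


def _addr_spec(tok: List[str]) -> Tuple[str, str, int]:
    """Consume 'any' | 'host A' | 'A WILDCARD' | 'A'; return (base, wildcard, tokens used)."""
    if tok[0] == "any":
        return ANY[0], ANY[1], 1
    if tok[0] == "host":
        return tok[1], "0.0.0.0", 2
    if len(tok) > 1 and tok[1][0].isdigit():
        return tok[0], tok[1], 2
    return tok[0], "0.0.0.0", 1        # bare address: exact host match


def parse_access_list(line: str) -> AclEntry:
    """Parse one 'access-list <n> permit|deny ...' line into an AclEntry."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list statement: {line!r}")
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        # Standard list: the router expects only a source address here.
        src, src_wc, _ = _addr_spec(t[3:])
        return AclEntry(action, "ip", src, src_wc, *ANY)
    # Extended list: protocol, source, destination, optional 'eq <port>'.
    proto = t[3]
    src, src_wc, n = _addr_spec(t[4:])
    dst, dst_wc, m = _addr_spec(t[4 + n:])
    rest = t[4 + n + m:]
    dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
    return AclEntry(action, proto, src, src_wc, dst, dst_wc, dport)


def evaluate(acl: List[AclEntry], p: Packet) -> str:
    """Top-down, first match decides; fall through to the implicit deny."""
    for entry in acl:
        if entry.matches(p):
            return entry.action
    return "deny"


# The two lists from the page, fed through the parser.
ACL_10 = [parse_access_list(s) for s in (
    "access-list 10 deny 172.16.40.0 0.0.0.255",
    "access-list 10 permit any",
)]
ACL_110 = [parse_access_list(s) for s in (
    "access-list 110 deny tcp any host 172.16.30.5 eq 21",
    "access-list 110 deny tcp any host 172.16.30.5 eq 23",
    "access-list 110 permit ip any any",
)]
```

Dropping the final permit from ACL_110 shows the implicit deny: a UDP packet to the same host, which matches neither TCP line, is then denied rather than permitted.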


  • Access List Rules
  • The router applies the list in the sequence in which it was entered into the router.
  • The router applies the list to packets in sequence.
  • A packet is processed as soon as it matches the criteria of an access list statement.
  • Implicit deny any
    • All packets that do not meet the criteria of the access list are blocked by the implicit deny any at the end of the list.
  • Only one list, per protocol, per direction, can be applied to an interface.
  • We cannot remove a single line from an access list.
  • An access list takes effect immediately after it is applied.

Syntax Description

Some of the functions access lists serve on Cisco routers include:
  • Implementing security access procedures
  • Acting as a protocol firewall


PPP with CHAP Authentication
PPP (Point-to-Point Protocol)

PPP (Point-to-Point Protocol) is a protocol for communication between two computers using a serial interface, typically a personal computer connected by phone line to a server. For example, your Internet service provider may provide you with a PPP connection so that the provider's server can respond to your requests, pass them on to the Internet, and forward your requested Internet responses back to you. PPP uses the Internet Protocol (IP) (and is designed to handle others). It is sometimes considered a member of the TCP/IP suite of protocols. Relative to the Open Systems Interconnection (OSI) reference model, PPP provides layer 2 (data-link layer) service. Essentially, it packages your computer's TCP/IP packets and forwards them to the server, where they can actually be put on the Internet.
PPP is a full-duplex protocol that can be used on various physical media, including twisted pair or fiber optic lines or satellite transmission. It uses a variation of High-level Data Link Control (HDLC) for packet encapsulation.
PPP is usually preferred over the earlier de facto standard Serial Line Internet Protocol (SLIP) because it can handle synchronous as well as asynchronous communication. PPP can share a line with other users and it has error detection that SLIP lacks. Where a choice is possible, PPP is preferred.
CHAP (Challenge-Handshake Authentication Protocol)

CHAP (Challenge-Handshake Authentication Protocol) is a more secure procedure for connecting to a system than the Password Authentication Protocol (PAP). Here's how CHAP works:
1. After the link is made, the server sends a challenge message to the connection requestor. The requestor responds with a value obtained by using a one-way hash function.
2. The server checks the response by comparing it against its own calculation of the expected hash value.
3. If the values match, the authentication is acknowledged; otherwise the connection is usually terminated.
At any time, the server can request the connected party to send a new challenge message. Because CHAP identifiers are changed frequently and because authentication can be requested by the server at any time, CHAP provides more security than PAP. RFC1334 defines both CHAP and PAP.
Configuring PPP w/CHAP on a Cisco Router
The interface command to enable ppp is:
encapsulation ppp
Place this on both ends and that is it. However, to enable authentication, we need to add the interface command
ppp authentication chap
to both routers; the routers will now require authentication over the link. They will attempt to log in with their HOSTNAME as their USERNAME and their ENABLE password as their CHAP PASSWORD. We must create an entry in the router that matches the remote router's username and password (global config):
username Other_Router password Other_enable_pass
That is all there is to basic PPP.
Our Samples:
(R1)s0----------s0(R2)
PPP Without CHAP
Router 1:
hostname R1
interface serial 0
encapsulation PPP
no shutdown
Router 2:
hostname R2
interface serial 0
encapsulation PPP
no shutdown
PPP With CHAP default names and password
Router 1:

hostname R1
enable secret toast1
username R2 password cool2
interface serial 0
encapsulation PPP
ppp authentication chap
no shutdown
Router 2:
hostname R2
enable secret cool2
username R1 password toast1
interface serial 0
encapsulation PPP
ppp authentication chap
no shutdown
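The CHAP exchange between R1 and R2 as configured in the sample above, carried through in code. This is an added example, not from the page or from Boson: it follows the page's description (each router answers with its own enable secret and checks the peer's answer against its username entry), computes the response as MD5(identifier || secret || challenge) as the CHAP RFCs specify, and reuses the page's sample hostnames and passwords.

```python
"""CHAP exchange between the two routers configured above, as an added example
(not from the page or from Boson). Following the page's description, each
router answers a challenge with its own enable secret and checks a peer's
answer against its 'username <peer> password <secret>' entry. The response
is MD5(identifier || secret || challenge) as the CHAP RFCs specify; hostnames
and secrets are the page's sample values."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Tuple


def chap_hash(ident: int, secret: str, challenge: bytes) -> bytes:
    # CHAP with MD5: hash the one-octet identifier, the secret, then the challenge.
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


@dataclass
class Router:
    hostname: str
    enable_secret: str                 # used as this router's CHAP password
    peers: Dict[str, str]              # 'username X password Y' entries
    next_id: int = 1
    pending: Dict[int, bytes] = field(default_factory=dict)  # outstanding challenges

    def challenge(self) -> Tuple[int, bytes, str]:
        """Authenticator: send (Identifier, random Challenge, our Name)."""
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256       # Identifier is one octet
        chal = os.urandom(16)
        self.pending[ident] = chal
        return ident, chal, self.hostname

    def respond(self, ident: int, chal: bytes, challenger: str) -> Tuple[int, bytes, str]:
        """Peer: answer with a hash over our secret; the secret itself never crosses the link.
        The challenger's name is carried for protocol shape; the page's model does not use it."""
        return ident, chap_hash(ident, self.enable_secret, chal), self.hostname

    def verify(self, ident: int, response: bytes, responder: str) -> bool:
        """Authenticator: recompute the expected hash from the stored challenge and
        the username entry for the responder; compare in constant time."""
        chal = self.pending.pop(ident, None)          # each challenge is usable once
        secret = self.peers.get(responder)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_hash(ident, secret, chal), response)


def run_chap(authenticator: Router, peer: Router) -> bool:
    """One CHAP round: Challenge -> Response -> Success/Failure."""
    ident, chal, name = authenticator.challenge()
    r_ident, resp, peer_name = peer.respond(ident, chal, name)
    return authenticator.verify(r_ident, resp, peer_name)


def make_lab_routers() -> Tuple[Router, Router]:
    """R1 and R2 exactly as in the 'PPP With CHAP' sample above."""
    r1 = Router("R1", enable_secret="toast1", peers={"R2": "cool2"})
    r2 = Router("R2", enable_secret="cool2", peers={"R1": "toast1"})
    return r1, r2
```

Because the authenticator discards a challenge once it has been checked, a captured response is useless against any later challenge, which is the property the page credits CHAP with over PAP.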
Copyright (c) 2001 Boson Software, Inc. All Rights Reserved.

Interior Gateway Routing Protocol (IGRP)

Interior Gateway Routing Protocol (IGRP) is a standards-based, distance-vector, interior gateway protocol (IGP) used by routers to exchange routing information. IGRP uses a composite metric of bandwidth and delay to determine the best path between two locations. The metric can also be administratively configured to factor in the Maximum Transmission Unit (MTU), reliability, and load for the link. In an IGRP network, each router broadcasts its entire IGRP table to its neighboring routers every 90 seconds. When a router receives a neighbor's IGRP table, it uses the information provided to update its own routing table and then sends the updated table to its neighbors. This procedure is repeated by each router and results in a state referred to as network convergence, in which all routers have an identical view of the internetwork topology.
IP Addresses: Please set these IP addresses on the interfaces of your routers.

                      Router1                    Router2                    Router4
Interface Ethernet 0  10.1.1.1 255.255.255.0     10.1.1.2 255.255.255.0     Not Available
Interface Serial 0    172.16.10.1 255.255.0.0    Not Available              172.16.10.2 255.255.0.0

Let's connect to Router1 and get it configured. We will be using the table above for our IP addresses.

Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int e0
Router(config-if)#ip address 10.1.1.1 255.255.255.0
Router(config-if)#no shut
Router(config-if)#exit
00:35:15: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
Router(config)#hostname Router1
Router1(config)#int s0
Router1(config-if)#ip address 172.16.10.1 255.255.0.0
Router1(config-if)#no shut
00:35:16: %LINK-3-UPDOWN: Interface Serial0, changed state to up
Router1(config-if)#exit
00:35:16: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up

IGRP is classful, meaning it does not include the subnet mask in its routing table updates. So now let's go ahead and start the lab.
1. We first want to configure Router1 for IGRP. To enable IGRP as the routing protocol we only need to type: router IGRP AS. The AS stands for an Autonomous System number. An Autonomous System is defined as a network under a common administration with a common routing policy. You will need to use the SAME autonomous system number on every router that you would like to share its routing table with. We can see this below in the router output. Notice the new mode we have entered, Router1(config-router)#, which tells us we are configuring the router.
Router1(config)#router IGRP 100
Router1(config-router)#
Now that we have IGRP running on our router we need to tell the router which networks it is connected to. We do this by using the network statement. What this means is that every interface of our router that is directly connected to an active network needs a network number. We will have some networks using the same IP addressing schemes with different subnets, and some using entirely different addressing schemes. Look at the diagram below. In this diagram we have three different kinds of addressing schemes. Let's look at these in more detail. On Router 1 we have an IP address of 10.1.1.1 with a /24 subnet mask. Since IGRP is classful you are only required to enter the class part of the address for the network statement. For example, on Router1 we have already issued the command router IGRP; we then need to specify the directly connected networks to Router1 so the router can advertise these routes in its routing table. To do this we would only need to type: network 10.0.0.0. Now we have not told the router about the network on its serial interface; to do this we would type: network 172.16.0.0. Let's look at Router 2: what network statement would we need to use on this router? ______________________________________ (see the answer below the diagram.)



The answer is network 10.0.0.0. The network statement for the ethernet link is the same for Router1 and Router2. On router1 what network statement would you need for the serial link? For this network statement you used the classful portion of the address 172.16.10.1 which would be just network 172.16.0.0.
Now that we understand the network command, let's enter it on our Router1.
Router1(config-router)#network 172.16.0.0
Router1(config-router)#network 10.0.0.0
Router1(config-router)#
If you notice, we only needed to enter 10.0.0.0 for our network statement; this is because 10.0.0.0 is a Class B address and IGRP only uses the classful portion of the address. Now that we have configured Router1 for IGRP, let's connect to Router2 and get it set up.
We need to connect to Router2 and follow the same instructions. Let's select Router2 from the Window pull-down menu. When we connect we are going to set the hostname to Router2, then set the IP addresses from the table above and configure IGRP.
Router>en
Router#conf tEnter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Router2
Router2(config)#int e0
Router2(config-if)#ip address 10.1.1.2 255.255.255.0
Router2(config-if)#no shut
Router2(config-if)#exit
01:23:17: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
01:23:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up
Router2(config)#
Now add the IGRP stuff!
Router2(config)#router IGRP 100
Router2(config-router)#network 10.0.0.0
Router2(config-router)#exit
Router2(config)#exit
Router2#
We should now have IGRP running on our network between Router1 and Router2. Next we need to get Router4 set up.
We need to connect to Router4 and follow the same instructions. Let's select Router4 from the Window pull-down menu. When we connect we are going to set the hostname to Router4, then set the IP addresses from the table above and configure IGRP.
Router>en
Router#conf tEnter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Router4
Router4(config)#int s0
Router4(config-if)#ip address 172.16.10.2 255.255.0.0
Router4(config-if)#no shut
Router4(config-if)#exit
01:23:17: %LINK-3-UPDOWN: Interface Serial0, changed state to up
01:23:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
Router4(config)#
Now add the IGRP stuff!
Router4(config)#router IGRP 100
Router4(config-router)#network 172.16.0.0
Router4(config-router)#exit
Router4(config)#exit
Router4#

Now that we have IGRP running on our entire network, let's verify that it is receiving routes. To do this we will be using some show commands. The most common one is show ip route. This displays all entries in the routing table. If we do this on our Router B we will see the route to our directly connected Router1. Let's take a look at our routing table; to do this type show ip route from privileged mode.
Let's look at the first entry: I 10.1.1.0/24 [100/1] via 172.16.10.2, 00:00:21, Serial0. It starts off with I, which says it is an IGRP route. It then gives the destination network with its subnet mask, in this case 10.1.1.0 with a /24 (255.255.255.0) subnet mask. Next it gives 100/1: the 100 is the administrative distance; IGRP's default administrative distance is 100. Administrative distance is considered the trustworthiness of the route. If you have two routing protocols with the same route, the router will pick the route with the lower number. The 1 is the hops required to get to the destination network. The next piece of information is via 172.16.10.1; that is the next hop address it must go to. The last item is that this information was learned via Serial0.
Another great command is show ip protocols. This displays information about the IP routing protocols you have enabled. Let's type the command show ip protocols and see what we get.
Router4#show ip protocols
Routing Protocol is igrp 100
  Sending updates every 90 seconds, next due in 12 seconds
  Invalid after 270 seconds, hold down 280, flushed after 630
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  IGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  IGRP maximum hopcount 100
  IGRP maximum metric variance 1
  Redistributing: igrp 100
  Routing for Networks:
    172.16.0.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    172.16.10.2          100      00:00:09
  Distance: (default is 100)
Router4#
Looking at the output in detail we see we are sending updates every 90 seconds. We know IGRP is a distance vector routing protocol so it exchanges its entire routing table every 90 seconds. We also see our network statements are working by noticing the networks are both under the Routing for Networks area. The last area to notice is the Distance which we said was administrative distance. This tells us the default is 100 and that is what we are using.
Conclusion:
In this lab we have configured our routers for IGRP so that we can exchange information with more than the directly connected neighbor. We have learned that IGRP's metric is hop count and that the routers send updates every 30 seconds by default. In the next lab we will go into IGRP (Interior Gateway Routing Protocol).

Copyright (c) 2001 Boson Software, Inc. All Rights Reserved.

ROUTING INFORMATION PROTOCOL

Prerequisites: To start this lab you need to have a connection to Router1, Router2, and Router4.
IP Addresses: Please set these IP addresses on the interfaces of your routers.

                      Router1                    Router2                    Router4
Interface Ethernet 0  10.1.1.1 255.255.255.0     10.1.1.2 255.255.255.0     Not Available
Interface Serial 0    172.16.10.1 255.255.0.0    Not Available              172.16.10.2 255.255.0.0


Goals:
1) Set our hostname and get our interfaces up.
2) Configure Rip routing protocol
3) Select the directly connected networks
4) View our routing table
5) View the Rip protocol information
6) Observe Rip debugging information
--------------------------------------------------------------------------------

Routing Information Protocol (RIP) is a standards-based, distance-vector, interior gateway protocol (IGP) used by routers to exchange routing information. RIP uses hop count to determine the best path between two locations. Hop count is the number of routers the packet must go through till it reaches the destination network. The maximum allowable number of hops a packet can traverse in an IP network implementing RIP is 15 hops. In a RIP network, each router broadcasts its entire RIP table to its neighboring routers every 30 seconds. When a router receives a neighbor's RIP table, it uses the information provided to update its own routing table and then sends the updated table to its neighbors. This procedure is repeated by each router and results in a state referred to as network convergence, in which all routers have an identical view of the internetwork topology.

Let's connect to Router1 and get it configured. We will be using the table above for our IP addresses.

Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int e0
Router(config-if)#ip address 10.1.1.1 255.255.255.0
Router(config-if)#no shut
Router(config-if)#exit
00:35:15: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
Router(config)#hostname Router1
Router1(config)#int s0
Router1(config-if)#ip address 172.16.10.1 255.255.0.0
Router1(config-if)#no shut
00:35:16: %LINK-3-UPDOWN: Interface Serial0, changed state to up
Router1(config-if)#exit
00:35:16: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up


RIP version 1 is classful, meaning it does not include the subnet mask in its routing table updates. RIP version 2 is classless and includes the subnet information. Now let's go ahead and start the lab.
1. We first want to configure Router1 for RIP. To enable RIP as the routing protocol we only need to type: router rip. We can see this below in the router output. Notice the new mode we have entered, Router1(config-router)#, which tells us we are configuring the router.
Router1(config)#router rip
Router1(config-router)#
Now that we have RIP running on our router we need to tell the router which networks it is connected to. We do this by using the network statement. What this means is that every interface of our router that is directly connected to an active network needs a network number. We will have some networks using the same IP addressing schemes with different subnets, and some using entirely different addressing schemes. Look at the diagram below. In this diagram we have three different kinds of addressing schemes. Let's look at these in more detail. On Router 1 we have an IP address of 10.1.1.1 with a /24 subnet mask. Since RIP is classful you are only required to enter the class part of the address for the network statement. For example, on Router1 we have already issued the command router rip; we then need to specify the directly connected networks to Router1 so the router can advertise these routes in its routing table. To do this we would only need to type: network 10.0.0.0. Now we have not told the router about the network on its serial interface; to do this we would type: network 172.16.0.0. Let's look at Router 2: what network statements would you need to use on this router?

The answers are network 10.0.0.0. The network statement for the serial link is the same for Router1 and Router2. For the network statement for the ethernet link you had to remember that a 192 address was a class C address, for this network statement you used the classful portion of the address 192.168.1.0.
Now that we understand the network command, let's enter it on our Router1.
Router1(config-router)#network 172.16.0.0

Router1(config-router)#network 10.0.0.0

Router1(config-router)#

If you notice, we only entered 10.0.0.0 for our network statement; this is because 10.0.0.0 is a Class B address and RIP only uses the classful portion of the address. Now that we have configured Router1 for RIP, let's connect to Router2 and get it set up.
We need to connect to Router2 and follow the same instructions. Let's select Router2 from the Window pull-down menu. When we connect we are going to set the hostname to Router2, then set the IP addresses from the table above and configure RIP.
Router>en

Router#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#hostname Router2

Router2(config)#int e0

Router2(config-if)#ip address 10.1.1.2 255.255.255.0

Router2(config-if)#no shut

Router2(config-if)#exit
01:23:17: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
01:23:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up

Router2(config)#
Now add the RIP stuff!
Router2(config)#router rip

Router2(config-router)#network 10.0.0.0

Router2(config-router)#exit

Router2(config)#exit

Router2#


We should now have RIP running on our network between Router1 and Router2. Now we need to get Router4 set up.
We need to connect to Router4 and follow the same instructions. Let's select Router4 from the Window pull-down menu. When we connect we are going to set the hostname to Router4, then set the IP addresses from the table above and configure RIP.
Router>en

Router#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#hostname Router4

Router4(config)#int s0

Router4(config-if)#ip address 172.16.10.2 255.255.0.0

Router4(config-if)#no shut

Router4(config-if)#exit
01:23:17: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
01:23:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up

Router4(config)#
Now add the RIP stuff!
Router4(config)#router rip

Router4(config-router)#network 172.16.0.0

Router4(config-router)#exit

Router4(config)#exit

Router4#

Now that we have RIP running on our entire network, let's verify that it is receiving routes. To do this we will use some show commands. The most common one is show ip route, which displays all entries in the routing table. If we do this on Router4 we will see the route to our directly connected Router1, and we will also see routes to the other routers we have set up on the network. Let's take a look at our routing table; to do this, type show ip route from privileged mode.
Let's look at the first entry: R 10.1.1.0/24 [120/1] via 172.16.10.2, 00:00:21, Serial0. It starts with R, which says it is a RIP route. Next comes the destination network with its subnet mask, in this case 10.1.1.0 with a /24 (255.255.255.0) subnet mask. Next it gives [120/1]: the 120 is the administrative distance, and RIP's default administrative distance is 120. Administrative distance is a measure of the trustworthiness of the route; if two routing protocols offer the same route, the router picks the one with the lower number. The 1 is the number of hops required to reach the destination network. The next piece of information, via 172.16.10.1, is the next-hop address the packet must be sent to. The last item tells us this information was learned via Serial0.
Another useful command is show ip protocols, which displays information about the IP routing protocols you have enabled. Let's type show ip protocols and see what we get.
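The fields described above, pulled apart by an added Python example (written for this page, not part of the Boson lab): it parses show ip route lines into their fields, applies the lower-AD-then-lower-metric preference the paragraph describes, and flags routes learned from a next hop that is not an expected neighbour. The sample table is constructed, with an IGRP entry for the same prefix and a second next hop added to exercise both checks.

```python
import re
from dataclasses import dataclass
from typing import Optional

# A learned route: R    10.1.1.0/24 [120/1] via 172.16.10.1, 00:00:21, Serial0
DYNAMIC = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nexthop>\d+\.\d+\.\d+\.\d+),"
    r"\s+(?P<age>[\d:]+),\s+(?P<iface>\S+)$"
)
# A connected route: C    172.16.0.0/16 is directly connected, Serial0
CONNECTED = re.compile(
    r"^C\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+is directly connected,\s+(?P<iface>\S+)$"
)

@dataclass(frozen=True)
class Route:
    code: str                 # R = RIP, C = connected, I = IGRP
    prefix: str               # destination network with its mask length
    ad: int                   # administrative distance: lower is more trusted
    metric: int               # for RIP, the hop count
    next_hop: Optional[str]   # None for a directly connected network
    iface: str                # interface the route was learned on

def parse_route(line: str) -> Optional[Route]:
    """One line of 'show ip route' -> Route, or None for legend and header text."""
    line = line.strip()
    m = DYNAMIC.match(line)
    if m:
        return Route(m["code"], m["prefix"], int(m["ad"]), int(m["metric"]),
                     m["nexthop"], m["iface"])
    m = CONNECTED.match(line)
    if m:
        return Route("C", m["prefix"], 0, 0, None, m["iface"])
    return None

def parse_table(output: str) -> list:
    return [r for r in map(parse_route, output.splitlines()) if r is not None]

def best_routes(routes) -> dict:
    """Per prefix, keep the candidate with the lowest AD, then the lowest metric:
    the same preference order the router applies when two protocols offer a route."""
    best = {}
    for r in routes:
        current = best.get(r.prefix)
        if current is None or (r.ad, r.metric) < (current.ad, current.metric):
            best[r.prefix] = r
    return best

def unexpected_sources(routes, trusted_next_hops) -> list:
    """Routes learned from a next hop that is not a known neighbour. RIP v1 updates
    carry no authentication, so such entries are worth checking."""
    return [r for r in routes if r.next_hop and r.next_hop not in trusted_next_hops]

# Constructed sample in the shape of Router4's table; the IGRP line for 10.1.1.0/24
# and the 172.16.10.9 next hop are invented to exercise the two checks.
SAMPLE = """\
Codes: C - connected, R - RIP, I - IGRP
Gateway of last resort is not set

C    172.16.0.0/16 is directly connected, Serial0
R    10.1.1.0/24 [120/1] via 172.16.10.1, 00:00:21, Serial0
I    10.1.1.0/24 [100/8576] via 172.16.10.1, 00:00:05, Serial0
R    192.168.1.0/24 [120/2] via 172.16.10.1, 00:00:21, Serial0
R    10.1.2.0/24 [120/1] via 172.16.10.9, 00:00:03, Serial0
"""
```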
Router4#show ip protocols

Routing Protocol is "rip"
  Sending updates every 30 seconds, next due in 12 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Outgoing update filter list for all interfaces is
  Incoming update filter list for all interfaces is
  Redistributing: rip
  Default version control: send version 1, receive any version
    Interface        Send  Recv  Key-chain
    Ethernet0        1     1     2
    Serial0          1     1     2
  Routing for Networks:
    172.16.0.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    172.16.10.2          120      00:00:09
  Distance: (default is 120)
Router4#
Looking at the output in detail, we see we are sending updates every 30 seconds. We know RIP is a distance-vector routing protocol, so it exchanges its entire routing table every 30 seconds. We also see that our network statements are working, because the networks appear under the Routing for Networks area. The last area to notice is the Distance, which we said was the administrative distance; it tells us the default is 120 and that is what we are using.
Conclusion:
In this lab we have configured our routers for RIP so that we can exchange information with more than the directly connected neighbor. We have learned that RIP's metric is hop count and that routers send updates every 30 seconds by default. In the next lab we will go into IGRP (Interior Gateway Routing Protocol).

Copyright (c) 2001 Boson Software, Inc. All Rights Reserved.


Basic IP Configuration and Verification

IP addressing is very easy to configure on a Cisco router, although the calculation of IP addresses, subnet masks and hosts can be rather difficult.
The syntax to place an IP address on an interface is:
ip address ip-address mask
Given the routers below, we wish to configure IP addresses on Router1 and Router2.





Remember that /24 means 255.255.255.0. For your convenience, here is a handy table:
Slash  Dotted Decimal    Slash  Dotted Decimal    Slash  Dotted Decimal
/8     255.0.0.0         /16    255.255.0.0       /24    255.255.255.0
/9     255.128.0.0       /17    255.255.128.0     /25    255.255.255.128
/10    255.192.0.0       /18    255.255.192.0     /26    255.255.255.192
/11    255.224.0.0       /19    255.255.224.0     /27    255.255.255.224
/12    255.240.0.0       /20    255.255.240.0     /28    255.255.255.240
/13    255.248.0.0       /21    255.255.248.0     /29    255.255.255.248
/14    255.252.0.0       /22    255.255.252.0     /30    255.255.255.252
/15    255.254.0.0       /23    255.255.254.0     /31    255.255.255.254
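An added Python example (written for this page, not part of the Boson lab) that computes the table above instead of looking it up, converts a mask back to its /prefix while rejecting non-contiguous masks, and works out what an ip address command implies for the subnet, including the /31 and /32 cases where there is no broadcast to subtract; the addresses used are the lab's own.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def prefix_to_mask(prefix: int) -> str:
    """/prefix -> dotted decimal, e.g. 24 -> 255.255.255.0 (prefix leading one bits)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length {prefix} is out of range")
    return str(ipaddress.IPv4Address((ALL_ONES << (32 - prefix)) & ALL_ONES))

def is_valid_mask(mask: str) -> bool:
    """A subnet mask must be a run of ones followed by zeros; 255.255.0.255 is not."""
    bits = int(ipaddress.IPv4Address(mask))
    ones = bin(bits).count("1")
    return bits == (ALL_ONES << (32 - ones)) & ALL_ONES

def mask_to_prefix(mask: str) -> int:
    """Reverse lookup: 255.255.224.0 -> 19."""
    if not is_valid_mask(mask):
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return bin(int(ipaddress.IPv4Address(mask))).count("1")

def subnet_summary(address: str, mask: str) -> dict:
    """What 'ip address <address> <mask>' implies: the subnet, its broadcast address,
    the usable host range and how many hosts fit. /31 and /32 have no broadcast
    to subtract, which is the edge case a hand calculation usually gets wrong."""
    prefix = mask_to_prefix(mask)
    net = ipaddress.IPv4Network(f"{address}/{prefix}", strict=False)
    if prefix <= 30:
        first, last = net.network_address + 1, net.broadcast_address - 1
        usable = net.num_addresses - 2
    else:
        first, last = net.network_address, net.broadcast_address
        usable = net.num_addresses
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(first),
        "last_host": str(last),
        "usable_hosts": usable,
    }

def same_subnet(a: str, b: str, mask: str) -> bool:
    """True when two addresses share a subnet under the mask, which is what the two
    ends of a link (for example Router1 e0 10.1.1.1 and Router2 e0 10.1.1.2) need."""
    return subnet_summary(a, mask)["network"] == subnet_summary(b, mask)["network"]

if __name__ == "__main__":
    for p in range(8, 32):
        print(f"/{p:<3} {prefix_to_mask(p)}")
    print(subnet_summary("10.1.1.1", "255.255.255.0"))
```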
Let's start configuring Router1.


Router>

Router>en

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#int e0

Router(config-if)#ip address 10.1.1.1 255.255.255.0

Router(config-if)#int s0

Router(config-if)#ip address 10.1.2.2 255.255.255.0

Router(config-if)#end
%SYS-5-CONFIG_I: Configured from console by console

Router#



We can view the IP addresses on the interface:
Router#sh ip interface brief

Interface    IP-Address    OK? Method Status      Protocol
BRI0         unassigned    YES manual admin down  down
Ethernet0    10.1.1.1      YES manual admin down  down
Ethernet0    10.1.2.2      YES manual admin down  down


Router#




We have assigned an IP address to each interface, but the interfaces are still administratively down because we have not executed a no shutdown command on each one.
Now go to each interface and type no shutdown; this should bring the interfaces up.
Now connect to Router2. We would also like to add IP addresses to its interfaces.
Router>

Router>en

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#int e0

Router(config-if)#ip address 10.1.1.2 255.255.255.0

Router(config-if)#int s0

Router(config-if)#ip address 10.1.2.2 255.255.255.0

Router(config-if)#exit
%SYS-5-CONFIG_I: Configured from console by console

Router(config)#exit

Router#exit




PING
PING, the Packet InterNet Groper, allows a user to test basic connectivity. The syntax is:
ping ip-address
The router sends out five echo requests to the destination IP address. If it receives a reply it notes it with a '!'; if no reply is received it notes it with a '.'.
A successful ping:
Router#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 32/37/44 ms
Router#
A failed ping:
Router#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.....

Success rate is 0 percent (0/5)
Router#
Ping is one of the most commonly used test tools in the world. PING uses the Internet Control Message Protocol (ICMP) to communicate with other routers.
You can also view your IP addresses using the commands show running-config or show ip interface.



Configuring and Examining Interfaces

Examining the Interfaces

Routers can have many types of interfaces, such as Token Ring, FDDI, Ethernet, serial, ISDN, etc. We often want to view their status and settings. There are a few important commands we must know.

show interfaces is one of the more important commands.
Router#show interfaces
Ethernet0 is administratively down, line protocol is down
Hardware is Lance, address is 0060.5cc4.f445 (bia 0060.5cc4.f445)
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
Encapsulation ARPA, loopback not set, keepalive set (10 sec)
[OUTPUT OMITTED]
This command produces output about each interface. In this case we see that Ethernet0 is administratively down, which means it has been turned off with the shutdown command. The different statuses that can occur:

Ethernet0 is           Line protocol is   Meaning
administratively down  down               The interface is turned off with the shutdown command.
up                     down               Cable is connected but keepalives are not being received.
down                   down               Cabling problem or no clock rate set on the DCE, or the other router's interface is shut down.
up                     up                 Connected and receiving keepalives. This is what we want!!!


You can view a particular interface with the command show interface serial 0, or the same for any other interface. A handy command is show ip interface brief.
Router#show ip int brief
Interface IP-Address OK? Method Status Protocol
Ethernet0 unassigned YES not set administratively down down
PCbus0 unassigned YES not set administratively down down
Serial0 unassigned YES not set up down
Router#


This allows you to rapidly see the status of all the interfaces.
Examining the Controllers
Controllers are the part of the interface that makes the physical connection. The most important thing for us is to find out what kind of cable is attached to a serial interface.
A DTE (data terminating equipment) cable is the normal cable you should use. Being the DTE means you expect the other end to provide clocking.
A DCE (data circuit-terminating equipment) cable means that this device must provide the clocking on the wire.


The show controllers command will allow you to see if you are DCE or DTE.
Router#show controllers serial 0
HD unit 0, idb = 0xA2B58, driver structure at 0xA7020
buffer size 1524  HD unit 0, V.35 DCE cable
cpb = 0x42, eda = 0x2140, cda = 0x2000
Configuring the Interfaces
If an interface is administratively down, you must enter configuration mode, then enter interface configuration mode, and then issue the command no shutdown.
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface ethernet 0
Router(config-if)#no shutdown
Router(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up
%LINK-3-UPDOWN: Interface Ethernet0, changed state to up
Router(config-if)#end
Router#
If your interface is the DCE, you must provide clocking using the clock rate command.
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface serial 0
Router(config-if)#clock rate 56000
Router(config-if)#end
Router#


It is often useful to add a description of what the interface is used for with the description command.
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int e0
Router(config-if)#description My Connection to the Engineering Hub
Router(config-if)#end
Router#
You can view your changes using show running-config, show interfaces or show controllers.


Saving your configurations using the Copy command

Running Configuration
The currently active configuration script running on the router is referred to as the 'running-config' on the router's command-line interface. Note that privileged mode is required. The running configuration script is not automatically saved on a Cisco router, and will be lost in the event of a power failure. The running configuration must be manually saved with the 'copy' command (discussed in a later lab).

Router>
Router>enable
Router#show running-config
Building configuration...
Current configuration:
!
version 12.0
!
hostname Router
!
interface Serial0
 no ip address
 shutdown
!
interface BRI0
 no ip address
 shutdown
!
interface Ethernet0
 no ip address
 shutdown
!
line con 0
line aux 0
line vty 0 4
!
end
Router#


If you decide you would like to start configuring a router from scratch, you will need to reload the router after deleting the startup-config file stored in NVRAM. To do this, first erase the configuration file in NVRAM with the command erase startup-config. Next, reload the router and do not save the configuration when asked.

left#erase startup-config
Erasing the nvram filesystem will remove all files! Continue? [confirm]
[OK]
Erase of nvram: complete
left#reload
System configuration has been modified. Save? [yes/no]: n
Proceed with reload? [confirm]


The Cisco Discovery Protocol (CDP)

CDP allows devices to share basic configuration information without configuring any protocol-specific information. CDP is enabled by default on all interfaces.
CDP is a data-link protocol operating at Layer 2 of the OSI model. This is important to understand because CDP is not routable; it only reaches directly connected devices.
CDP lets you view information such as the operating system version, protocol information, and much more. This can be very handy for troubleshooting a variety of problems.
CDP Configuration
By default it is enabled on the router and on all interfaces. The commands are simple:

Global Configuration Commands:
no cdp run       turn off CDP for the entire router
cdp run          (default) turn it on for the entire router
cdp timer 120    change CDP to advertise every 120 seconds
Interface Configuration Commands:
cdp enable       (default) turn it on for the interface
no cdp enable    turn it off for the interface
Show Commands:
show cdp interface          view interface settings
show cdp neighbor           view directly connected neighbors
show cdp neighbor detail    view detailed information about neighbors
show cdp                    general information

Show Lab Overview 2

This lab will introduce the Cisco Internetwork Operating System (IOS) command line interface (CLI). You will need to log on to a router and become familiar with the different levels of access on the router. You will also become familiar with the commands available to you in each mode (user or privileged) and the router help facility, history, and editing features.
Show Version
The 'show version' command gives you a lot more information than you may at first think. Use 'show version' to obtain critical information, such as: router platform type, operating system revision, operating system last boot time and file location, amount of memory, number of interfaces, and configuration register.
Router>show version
Krang Operating System Software
Router uptime is 2 minutes
System returned to ROM by power-on
System image file is "flash:c2500.bin"
[OUTPUT DELETED]
1 Ethernet/IEEE 802.3 interface(s)
1 Serial(sync/async) network interface(s)
1 ISDN Basic Rate interface(s)
32K bytes of non-volatile configuration memory.
4096K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
Routing Protocols
To view the status of any routing protocols currently configured on the router, use the 'show protocols' command.
Router>show protocols
Global values:
Internet Protocol routing is enabled
BRI0 is administratively down, line protocol is Down
Ethernet0 is administratively down, line protocol is Down
Serial0 is administratively down, line protocol is Down


Flash Memory
Flash memory is a special kind of memory on the router that contains the operating system image file(s). Unlike regular router memory, Flash memory continues to maintain the file image even after power is lost.
Router>show flash


System flash directory:
File  Length   Name/status
  1   3015588  c2500.bin
[3015652 bytes used, 1178652 available, 4194304 total]
4096K bytes of processor board System flash (Read/Write)

Running Configuration
The currently active configuration script running on the router is referred to as the 'running-config' on the router's command-line interface. Note that privileged mode is required. The running configuration script is not automatically saved on a Cisco router, and will be lost in the event of a power failure. The running configuration must be manually saved with the 'copy' command (discussed in a later lab).
Router>
Router>enable
Router#show running-config
Building configuration...
Current configuration:
!
version 12.0
!
hostname Router
!
interface Serial0
 no ip address
 shutdown
!
interface BRI0
 no ip address
 shutdown
!
interface Ethernet0
 no ip address
 shutdown
!
line con 0
line aux 0
line vty 0 4
!
end
Router#


Command History
The router's Command Line Interface (CLI) keeps the last 10 commands you entered in memory by default, for later retrieval; you can change this default value. You can cycle through previous commands (entered since the last power loss) using one of two methods. To view all past commands still in router memory at once, use the show history command. For single-line retrieval, use either Arrow-Up (previous command) and Arrow-Down (next command), or Control-P (previous command) and Control-N (next command).
Router>show history
show version
show protocols
show flash
enable
show running-config
disable
show history


Clock
The router keeps its own clock that you can use to synchronize devices to. To view the clock, use the show clock command.
Krang#show clock
*00:38:35.755 UTC Mon Mar 1 1993
Krang#

Host Table
You can create a list of host names on your router. You can view the entries (if any) by typing show hosts.
Krang#show hosts
Default domain is not set
Name/address lookup uses static mappings
Host    Flags    Age    Type    Address(es)
Krang#
Show users
The show users command displays users who are connected to the router.
Krang#show users
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
Krang#


Show Interfaces
The show interfaces command displays statistics for all interfaces configured on the router.
Krang#show interfaces
BRI0 is administratively down, line protocol is down
Hardware is BRI
MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation HDLC, loopback not set
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0 (size/max/drops); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/0/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 5 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
--More--



Notice the --More--. This means there is more output from the last command. To view more output line by line, press Enter. To exit the output and return to the router prompt, press e (this can be any letter; it is just easy to remember that e is for exit). To view more output one screen at a time, press the space bar.
Show Protocols
The show protocols command displays the global and interface-specific status of Layer 3 protocols.
Krang#show protocols
Global values:
Internet Protocol routing is enabled
BRI0 is administratively down, line protocol is down
Ethernet0 is administratively down, line protocol is down
Serial0 is administratively down, line protocol is down
Serial1 is administratively down, line protocol is down
Serial2 is administratively down, line protocol is down


Basic Lab Overview

This lab will introduce the Cisco Internetwork Operating System (IOS) command line interface (CLI). You will need to log on to a router and become familiar with the different levels of access on the router. You will also become familiar with the commands available to you in each mode (user or privileged) and the router help facility, history, and editing features.

User vs. Privileged Mode
User mode is indicated by the '>' next to the router name. You can look at settings but cannot make changes from user mode. In privileged mode (indicated by the '#') you can do anything. To get into privileged mode, the keyword is ENABLE.
Router>
Router>enable
Password:
Router#
HELP
To view all commands available from this mode, type ? and press Enter. This gives you the list of all available commands for the router in your current mode. You can also use the question mark after you have started typing a command. For example, if you want to use a show command but do not remember which one it is, use show ?; this outputs all the commands you can use with the show command.
r1#show ?
  access-expression  List access expression
  access-lists       List access lists
  backup             Backup status
  cdp                CDP information
  clock              Display the system clock
  cls                DLC user information
  compress           Show compression statistics
  configuration      Contents of Non-Volatile memory
--More--
Configuration Mode
From privileged mode you can enter configuration mode by typing CONFIG T. To exit configuration mode, type END or press Ctrl+Z.
Router#config t
Router(config)#end