Presentation 4 for students of professordkinney.com

801 views

Published on

Establishing Internet Connectivity Part-2 (Presentation for students of professordkinney.com)

Published in: Technology, Education
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
801
On SlideShare
0
From Embeds
0
Number of Embeds
496
Actions
Shares
0
Downloads
7
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Presentation 4 for students of professordkinney.com

  1. 1. www.professordkinney.com
  2. 2. Establishing Internet Connectivity 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group
  3. 3. Lessons Objectives: Exploring the Packet-Delivery Process. Enabling Static Routing. Managing Traffic Using ACLs. Enabling Internet Connectivity. 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  4. 4. Exploring the Packet-Delivery Process- Router Paths and Packet Switching Internet Protocol (IP) packet format contains fields that provide information about the packet and the sending and receiving hosts Fields that are importance for CCNA students: -Destination IP address -Source IP address -Version & TTL -IP header length -Precedence & type of service -Packet length 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  5. 5. 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  6. 6. MAC Layer Frame Format- MAC Frames are also divided into fields. They include: -Preamble -Start of frame delimiter -Destination MAC address -Source MAC address -Type/length -Data and pad -Frame check sequence 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  7. 7. A Metric is a numerical value used by routing protocols help determine the best path to a destination The smaller the metric value the better the path 2 types of metrics used by routing protocols are: -Hop count - this is the number of routers a packet must travel through to get to its destination -Bandwidth - this is the “speed” of a link also known as the data capacity of a link 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  8. 8. Equal cost metric is a condition where a router has multiple paths to the same destination that all have the same metric To solve this problem., a router will use Equal Cost Load Balancing. This means the router sends packets over the multiple exit interfaces listed in the routing table. Path determination is a process used by a router to pick the best path to a destination One of 3 path determinations results from searching for the best path  Directly connected network  Remote network  No route determined 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  9. 9. Switching Function of Router is the process used by a router to switch a packet from an incoming interface to an outgoing interface on the same router. A packet received by a router will do the following:  Strips off layer 2 headers.  Examines destination IP address located in Layer 3 header to find best route to destination.  Re-encapsulates layer 3 packet into layer 2 frame.  Forwards frame out exit interface. 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  10. 10. As a packet travels from one networking device to another -The Source and Destination IP addresses NEVER change -The Source & Destination MAC addresses CHANGE as packet is forwarded from one router to the next. -TTL field decrement by one until a value of zero is reached at which point router discards packet (prevents packets from endlessly traversing the network) 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  11. 11. Path determination and switching function details. PC1 Wants to send something to PC 2 here is part of what happens Step 1 - PC1 encapsulates packet into a frame. Frame contains R1’s destination MAC address 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  12. 12. Step 2 - R1 receives Ethernet frame.  R1 sees that destination MAC address matches its own MAC.  R1 then strips off Ethernet frame.  R1 Examines destination IP.  R1 consults routing table looking for destination IP.  After finding destination IP in routing table, R1 now looks up next hop IP address.  R1 re-encapsulates IP packet with a new Ethernet frame.  R1 forwards Ethernet packet out Fa0/1 interface. 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  13. 13. 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  14. 14. Path determination and switching function details. PC1 Wants to send something to PC 2 here is part of what happens Step 3 - Packet arrives at R2  R2 receives Ethernet frame  R2 sees that destination MAC address matches its own MAC  R2 then strips off Ethernet frame  R2 Examines destination IP  R2 consults routing table looking for destination IP  After finding destination IP in routing table, R2 now looks up next hop IP address  R2 re-encapsulates IP packet with a new data link frame  R2 forwards Ethernet packet out S0/0 interface 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  15. 15. Path determination and switching function details. PC1 Wants to send something to PC 2 here is part of what happens Step 4 - Packet arrives at R3  R3 receives PPP frame  R3 then strips off PPP frame  R3 Examines destination IP  R3 consults routing table looking for destination IP  After finding destination IP in routing table, R3 is directly connected to destination via its fast Ethernet interface  R3 re-encapsulates IP packet with a new Ethernet frame  R3 forwards Ethernet packet out Fa0/0 interface Step 5 - IP packet arrives at PC2. Frame is decapsulated & processed by upper layer protocols. 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  16. 16. Purpose of a static route A manually configured route used when routing from a network to a stub network 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  17. 17. IP route command  To configure a static route use the following command: ip route  Example:  -Router(config)# ip route network-address subnet-mask {ip- address | exit-interface } 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  18. 18. Understanding static route syntax  ip route - Static route command  172.16.1.0 – Destination network address  255.255.255.0 - Subnet mask of destination network  172.16.2.2 - Serial 0/0/0 interface IP address on R2, which is the "next-hop" to this network 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  19. 19. Configuring routes to 2 or more remote networks Use the following commands for R1  -R1(config)#ip route 192.168.1.0 255.255.255.0 172.16.2.2  -R1(config)#ip route 192.168.2.0 255.255.255.0 172.16.2.2 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  20. 20. Modifying Static routes  Existing static routes cannot be modified. The old static route must be deleted by placing no in front of the ip route  Example: -no ip route 192.168.2.0 255.255.255.0 172.16.2.2  A new static route must be rewritten in the configuration 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  21. 21. Verifying the Static Route Configuration -Use the following commands  Step 1 show running-config  Step 2 verify static route has been entered correctly  Step 3 show ip route  Step 4 verify route was configured in routing table  Step 5 issue ping command to verify packets can reach destination and that Return path is working 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  22. 22. Ethernet interfaces and ARP. – If a static route is configured on an Ethernet link -If the packet is sent to the next-hop router then… the destination MAC address will be the address of the next hop’s Ethernet interface This is found by the router consulting the ARP table. If an entry isn’t found then an ARP request will be sent out 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  23. 23. What are ACLs? ACLs are lists of instructions you apply to a router's interface. These lists tell the router what kinds of packets to accept and what kinds of packets to deny. Acceptance and denial can be based on certain specifications, such as source address, destination address and port number. ACLs enable you to manage traffic and scan specific packets by applying the ACL to a router interface. Any traffic going through the interface is tested against certain conditions that are part of the ACL. 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  24. 24. Reasons for ACLs There are many reasons to create ACLs. For example, ACLs can be used to: Limit network traffic and increase network performance. For example, ACLs can designate certain packets to be processed by a router before other traffic, on the basis of a protocol. This is referred to as queuing, which ensures that routers will not process packets that are not needed. As a result, queuing limits the network traffic and reduces network congestion. Provide traffic flow control. For example, ACLs can restrict or reduce the contents of routing updates. These restrictions are used to limit information about specific networks from propagating through the network. 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  25. 25. Provide a basic level of security for network access. For example, ACLs can allow one host to access a part of your network and prevent another host from accessing the same area. Host A is allowed to access the Human Resources network and Host B is prevented from accessing the Human Resources network. If you do not configure ACLs on your router, all packets passing through the router could be allowed onto all parts of the network. Decide which types of traffic are forwarded or blocked at the router interfaces. For example, you can permit e-mail traffic to be routed, but at the same time block all TELNET traffic. 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  26. 26. How ACLs Work An ACL is a group of statements that define how packets:  Enter inbound interfaces  Relay through the router  Exit outbound interfaces of the router  The beginning of the communication process is the same, whether ACLs are used or not. As a packet enters an interface, the router checks to see whether the packet is routable or bridgeable. Now the router checks whether the inbound interface has an ACL. If one exists, the packet is now tested against the conditions in the list. If the packet is allowed it will then be checked against routing table entries to determine the destination interface.  Next, the router checks whether the destination interface has an ACL. If it does not, the packet can be sent to the destination interface directly; for example, if it will use E0, which has no ACLs, the packet uses E0 directly.  ACL statements operate in sequential, logical order. If a condition match is true, the packet is permitted or denied and the rest of the ACL statements are not checked. If all the ACL statements are unmatched, an implicit "deny any" statement is imposed. This means that even though you will not see the "deny any" as the last line of an ACL, it is there. 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  27. 27. ACL commands can be lengthy character strings. Key tasks covered in this section for creating ACLs include the following: You create ACLs by using the global configuration mode.  Specifying an ACL number from 1 to 99 instructs the router to accept standard ACL statements. Specifying an ACL number from 100 to 199 instructs the router to accept extended ACL statements. (see table below)  You must carefully select and logically order the ACL. Permitted IP protocols must be specified; all other protocols should be denied.  You should select which IP protocols to check; any other protocols are not checked. Later in the procedure, you can also specify an optional destination port for more precision.  Assigning a unique number to each ACL  When configuring ACLs on a router, you must identify each ACL uniquely by assigning a number to the protocol's ACL. When you use a number to identify an ACL, the number must be within the specific range of numbers that is valid for the protocol.  You can specify ACLs by numbers for the protocols listed in the table. The table also lists the range of ACL numbers that is valid for each protocol. 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  28. 28. 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group After you create a numbered ACL, you must assign it to an interface for it to be used. If you want to alter an ACL containing numbered ACL statements, you need to delete all the statements in the numbered ACL by using the command no access-list[list-number]. Establishing Internet Connectivity
  29. 29. Purpose and Function of Wildcard Mask Bits  wildcard mask is a 32-bit quantity that is divided into four octets, with each octet  containing 8 bits. A wildcard mask bit 0 means "check the corresponding bit value" and  a wildcard mask bit 1 means "do not check (ignore) that corresponding bit value".  A wildcard mask is paired with an IP address. The numbers one and zero are used to  identify how to treat the corresponding IP address bits. ACLs use wildcard masking to  identify a single or multiple addresses for permit or deny tests. The term wildcard  masking is a nickname for the ACL mask-bit matching process and comes from of an  analogy of a wildcard that matches any other card in a poker game.  Although both are 32-bit quantities, wildcard masks and IP subnet masks operate  differently. Recall that the zeros and ones in a subnet mask determine the network,  subnet and host portions of the corresponding IP address. The zeros and ones in a  wildcard, as just noted, determine whether the corresponding bits in the IP address  should be checked or ignored for ACL purposes. 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  30. 30. The ANY Command Working with decimal representations of binary wildcard mask bits can be tedious. For the  most common uses of wildcard masking, you can use abbreviations. These abbreviations  reduce the amount of typing you need to do when configuring address test conditions.  For example, say you want to specify that any source address will be permitted in an ACL  test. To indicate any IP address, you would enter 0.0.0.0; then, to indicate that the ACL  should ignore (that is, allow without checking) any value, the corresponding wildcard  mask bits for this address would be all ones (that is, 255.255.255.255). You can use the  abbreviation any to communicate this same test condition to Cisco IOS ACL software.  Instead of typing 0.0.0.0 255.255.255.255, you can use the word any by itself as the  keyword. For example, instead of using this:  Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255  you can use this:  Router(config)# access-list 1 permit any 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  31. 31. The HOST Command A second common condition where Cisco IOS permits an abbreviation in the ACL wildcard  mask is when you want to match all the bits of an entire IP host address. For example,  say you want to specify that a specific IP host address will be denied in an ACL test. To  indicate a host IP address, you would enter the full address (for example, 172.30.16.29);  then, to indicate that the ACL should check all the bits in the address, the corresponding  wildcard mask bits for this address would be all zeros (that is, 0.0.0.0). You can use the  abbreviation host to communicate this same test condition to Cisco IOS ACL software.  In the example, instead of typing 172.30.16.29 0.0.0.0, you can use the word host in front  of the address. For example, instead of using this:  Router(config)# access-list 1 deny 172.30.16.29 0.0.0.0  you can use this:  Router(config)# access-list 1 deny host 172.30.16.29 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  32. 32. Standard ACLs  You use standard ACLs when you want to block all traffic from a network, allow all traffic  from a specific network, or deny protocol suites. Standard ACLs check the source  address of packets that could be routed. The result permits or denies output for an entire  protocol suite, based on the network, subnet and host addresses. For example, packets  coming in E0 are checked for source address and protocol. If they are permitted, the  packets are output through S0, which is grouped to the ACL. If they are not permitted  they are dropped. 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  33. 33. We use the standard version of the access-list global configuration command to define a  standard ACL with a number. This command is used in global configuration command  mode. The full syntax of the command is  Router(config)# access-list access-list-number {deny | permit} source [source-wildcard ]  [log]  You use the no form of this command to remove a standard ACL. This is the syntax:  Router(config)# no access-list access-list-number  Examples of ACLsAccess-list 33 permit 172.16.0.0   0.0.255.255 (permits all traffic from  172.16.0.0)  Access-list 44 deny 172.16.13.7   0.0.0.0 (denies traffic from host 172.16.13.7)  Access-list 55 deny 172.16.64.0   any (denies all traffic from network 172.16.64.0) 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  34. 34. Placing ACLs The second part of establishing an access list is applying the list to a specific interface.  Router(config-if)# ip access-group 33 in (applies access-list 33 to the packets inbound to  the interface being configured)  Router(config-if)# ip access-group 44 out (applies access-list 44 to packets outbound  from the interface being configured) How to Verify Standard ACLs You use the show access-lists EXEC command to display the contents of all ACLs. In  addition, you use the show access-lists EXEC command followed by the name or number  of an ACL to display the contents of one ACL. The following example of a standard ACL  allows access for hosts on the three specified networks:  access-list 1 permit 192.5.34.0 0.0.0.255  access-list 1 permit 128.88.0.0 0.0.255.255  access-list 1 permit 36.0.0.0 0.255.255.255 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  35. 35. In the example, the wildcard bits apply to the host portions of the network addresses. Any  host with a source address that does not match the ACL statements will be rejected. To  specify a large number of individual addresses more easily, you can omit the wildcard if  it is all zeros. Thus, the following two configuration commands have the same effect:  access-list 2 permit 36.48.0.3  access-list 2 permit 36.48.0.3 0.0.0.0  The ip access-group command groups an existing ACL to an interface. Remember that  only one ACL per port per protocol per direction is allowed. The format of the command  is:  Router(config)#ip access-group access-list-number {in | out} 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  36. 36. Example of a Standard ACL  In the example below, the ACL allows only traffic from source network 172.16.0.0 to be  forwarded. Non-172.16.0.0 network traffic is blocked. The example shows how the ACL  allows only traffic from source network 172.16.0.0 to be forwarded and non-172.16.0.0 to  be blocked.  Also shown in the example, the command ip access-group 1 out groups the ACL to an  outgoing interface. 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group
  37. 37. Permitting Traffic from Source Network 172.16.0.0 access-list 1 permit 172.16.0.0 0.0.255.255 (implicit deny any - not visible in the list) (access-list 1 deny 0.0.0.0 255.255.255.255) interface ethernet 0 ip access-group 1 out interface ethernet 1 ip access-group 1 out 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  38. 38. Writing an ACL to deny a Specific Host The example below shows how an ACL is designed to block traffic from a specific address,  172.16.4.13 and to allow all other traffic to be forwarded on interface Ethernet 0  In the second access-list command, the 0.0.0.0 255.255.255.255 IP address/ wildcard  mask combination identifies traffic from any source. This combination can also be  written using the keyword any. All zeros in the address indicate a placeholder and all  ones in the wildcard mask indicate that all 32 bits will not be checked in the source  address. Any packet that does not match the first line of the ACL will match the second  one and be forwarded.  Denying a Specific Host  access-list 1 deny host 172.16.4.13 0.0.0.0  access-list 1 permit 0.0.0.0 255.255.255.255  (implicit deny any)  (access-list 1 deny 0.0.0.0 255.255.255.255)  interface ethernet 0  ip access-group 1 out 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group STANDARDACLEXAMPLE Establishing Internet Connectivity
  39. 39. Writing a Standard ACL to deny a Specific Network  0.0.0.255: The zeros in the first three octets indicate that those bits will be tested for  matches while the last octet of all ones indicates a don't care condition for matching the  last octet of the IP address (the host portion). Note also that the any abbreviation has  been used for the IP address of the source.  Denying a Specific Subnet  (access-list 1 deny) 172.16.4.0 0.0.0.255 access-list 1 permit any  (implicit deny any)  access-list 1 deny any  interface ethernet 0  ip access-group 1 out 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group STANDARDACLEXAMPLE Establishing Internet Connectivity
  40. 40. Extended ACLs  Extended ACLs are used most often to test conditions because they provide a greater  range of control than standard ACLs. You would use an extended ACL when you want to  allow Web traffic but deny File Transfer Protocol (FTP) or TELNET from non-company  networks. Extended ACLs check for both source and destination packet addresses. They  also can check for specific protocols, port numbers and other parameters. This gives you  more flexibility to describe what checking the ACL will do. Packets can be permitted or  denied output based on where the packet originated and based on its destination. For  example, the extended ACL can allow e-mail traffic from E0 to specific S0 destinations,  while denying remote logins or file transfers.  The standard ACL (numbered 1 to 99) might not provide the traffic-filtering control you  need. Standard ACLs filter traffic based on a source address and mask. Standard ACLs  also permit or deny the entire Transmission Control Protocol (TCP) protocol suite. You  might need a more precise way to control traffic and access.  For more precise traffic-filtering control, you use extended ACLs. Extended ACL  statements check for source address and for destination address. In addition, at the end  of the extended ACL statement, you gain additional precision from a field that specifies  the optional TCP or User Datagram Protocol (UDP) protocol port number. These can be  the well-known port numbers for TCP/IP. A few of the most common port numbers are  shown in Figure. You can specify the logical operation the extended ACL will perform on  specific protocols. Extended ACLs use a number in the range 100 to 199. 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  41. 41. Extended ACL Parameters The complete form of the access-list command is: Router(config)# access-list [access-list-number] {permit | deny} protocol source [source-mask destination destination-mask operator  operand] [established]  The ip access-group command links an existing extended ACL to an  interface. Remember that only one ACL per interface, per direction, per protocol is  allowed. The format of the command is: Router(config)# access-list access-list-number {in | out} 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  42. 42. 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  43. 43. Writing an ACL to Deny FTP on an Ethernet Interface The figure shows an example of an extended ACL that blocks FTP traffic.  The interface E0 access-group 101 command links ACL 101 to outgoing interface E0.  Note that blocking port 21 prevents FTP commands from being transmitted, thus preventing FTP file transfers. Blocking port 20 prevents the traffic itself from being transmitted, but does not block FTP commands. FTP servers can easily be configured to work on different ports.  You should understand that well-known port numbers are just that: well-known. There are no guarantees that services will be on those ports, although they usually are. 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group STANDARDACLEXAMPLE Establishing Internet Connectivity
  44. 44. Writing an ACL that denies SMTP out of an Ethernet Port but permits all other Traffic  The figure shows an example of an extended ACL that blocks SNMP traffic.  The interface E0 access-group 101 command links ACL 101 to outgoing interface E0.  Note that blocking port 25 prevents SMTP traffic from being transmitted. Mail servers can easily be configured to work on different ports. You should understand that well- known port numbers are just that: well-known. There are no guarantees that services will be on those ports, although they usually are. 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group STANDARDACLEXAMPLE Establishing Internet Connectivity
  45. 45. Configuring Named ACLs Named ACLs allow standard and extended IP ACLs to be identified with an alphanumeric string (name) instead of the current numeric (1 to 199) representation. Named ACLs can be used to delete individual entries from a specific ACL. This enables you to modify your ACLs without deleting and then reconfiguring them. Use named ACLs when: You want to intuitively identify ACLs using an alphanumeric name. You have more than 99 simple and 100 extended ACLs to be configured in a router for a given protocol. Consider the following before implementing named ACLs:  Named ACLs are not compatible with Cisco IOS releases prior to Release 11.2.  You cannot use the same name for multiple ACLs. In addition, ACLs of different types cannot have the same name. For example, it is illegal to specify a standard ACL named George and an extended ACL with the same name.  To name the ACL, use the following command:  Router(config)# ip access-list {standard | extended} name  In ACL configuration mode, specify one or more conditions permitted or denied. This determines whether the packet is passed or dropped:  Router(config {std- | ext-}nacl)# deny {source [source-wildcard] | any} or  Router(config {std- | ext-}nacl)# permit {source [source-wildcard] | any}.  The configuration shown in the Figure creates a standard ACL named Internetfilter and an extended ACL named marketing_group. 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  46. 46. The DENY Command  You use the deny ACL configuration command to set conditions for a named ACL. The full syntax for this command is:  deny {source [source-wildcard] | any}  You use the no form of this command to remove a deny condition, using the following syntax:  no deny {source [source-wildcard] | any} The PERMIT Command  You use the permit access-list configuration command to set conditions for a named standard ACL. The full syntax of this command is:  permit {source [source-wildcard] | any}[log]  You use the no form of this command to remove a condition from an ACL, using the following syntax:  no permit {source [source-wildcard]| any}  You use this command in access list configuration mode, following the ip access- list command, to define the conditions under which a packet passes the ACL. 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  47. 47. The following example is for a standard ACL named Internetfilter:  ip access-list standard Internetfilter  deny 192.5.34.0 0.0.0.255  permit 128.88.0.0 0.0.255.255  permit 36.0.0.0 0.255.255.255  !(Note: all other access implicitly denied)  In this example, permit and deny statements have no number and no removes the specific test from the named ACL:  Router(config {std- | ext-}nacl)# {permit | deny} {ip ACL test conditions} {permit | deny} {ip ACL test conditions} no {permit | deny} {ip ACL text conditions}  This example activates the IP named ACL on an interface:  Router(config-if)# ip access-group {name | 1-199 {in | out}} Verifying ACLs The show ip interface command displays IP interface information and indicates whether any ACLs are set. The show access-lists command displays the contents of all ACLs. By entering the ACL name or number as an option for this command, you can see a specific list. 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  48. 48. Establishing Internet Connectivity Configure a router interface Paris(config)#interface FastEthernet 0/0 Paris(config-if)#ip address 172.16.1.1 255.255.0.0 Paris(config-if)#no shutdown Paris(config-if)#exit Interface names vary, depending on whether the router is modular and on the bandwidth. E.g. interface Ethernet 0 on an older router Establishing Internet Connectivity
  49. 49. Paris(config)#interface serial 0/0 Paris(config-if)#ip address 192.168.4.1 255.255.255.0 (Paris(config-if)#clock rate 64000) Paris(config-if)#no shutdown Paris(config-if)#exit Give Switch IP ADDRESS : The switch IP address goes on a virtual interface, not a real one, normally VLAN1.  SwA(config)#interface VLAN1  SwA(config-if)#ip address 172.16.255.1 255.255.0.0  SwA(config-if)#no shutdown  SwA(config-if)#exit 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  50. 50. Give Switch A default Gateway SwA(config)#ip default gateway 172.16.255.254 Just like a workstation, a switch needs a default gateway if it exchanges messages with devices on a different network. The default gateway is the address of the local router. Establishing Internet Connectivity
  51. 51. Up And Down: Interface status: Layer 1 Up Down Administratively down (no shutdown to bring up) Protocol: Layer 2 Up Down (no keepalive signal received) Establishing Internet Connectivity
  52. 52. Ping – step by step Ping 127.0.0.1 (loopback, is TCP/IP OK?) Ping own IP address (are NIC hardware and software all right? Is IP address bound?) Ping local hosts (checks own configuration and that of others) Ping gateway Ping other intermediate routers Ping hosts on remote networks 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity
  53. 53. Find out about nodes Ping – used from workstation, router or switch – shows if destination can be reached Traceroute – shows hops along the path Arp -a on workstation – shows list of MAC and IP addresses show mac-address-table on switch – shows list of MAC addresses and switch ports Establishing Internet Connectivity
  54. 54. Lesson Summary: Packet Delivery Process. Exploring ACL. Configuring Static Routing. Establishing Internet Connectivity. 08/02/13 Instructional Design-Computer Networking - Bridges Educational Group Establishing Internet Connectivity

×