CCNA Routing and Switching - Chapter 9: Multiarea OSPF PDF

Summary

This document covers the sections and objectives of multiarea OSPF operation in small and medium-sized business networks, the implementation of multiarea OSPFv2 and OSPFv3, and the verification of their operation. It also covers the types of OSPF routers and LSA operations.

Full Transcript


Chapter 9: Multiarea OSPF
CCNA Routing and Switching Scaling Networks v6.0

Chapter 9 - Sections & Objectives
▪ 9.1 Multiarea OSPF Operation
  Explain how multiarea OSPF operates in a small to medium-sized business network.
  Explain why multiarea OSPF is used.
  Explain how multiarea OSPFv2 uses link-state advertisements.
  Explain how multiarea OSPF establishes neighbor adjacencies.
▪ 9.2 Implement Multiarea OSPF
  Implement multiarea OSPFv2 and OSPFv3.
  Configure multiarea OSPFv2 and OSPFv3 in a routed network.
  Verify multiarea OSPFv2 and OSPFv3 operation.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

9.1 Multiarea OSPF Operation

Why Multiarea OSPF? - Single-Area OSPF
▪ Issues in a large single-area OSPF:
  Large routing table
  Large link-state database (LSDB)
  Frequent SPF algorithm calculations
▪ To make OSPF more efficient and scalable, OSPF supports hierarchical routing using areas.

Why Multiarea OSPF? - Multiarea OSPF
▪ Multiarea OSPF:
  A large OSPF area is divided into smaller areas.
  Reduces processing and memory overhead.
  Requires a hierarchical network design.
  The main area is the backbone area (area 0) and all other areas connect to it.
▪ Advantages of Multiarea OSPF:
  Smaller routing tables - Fewer routing table entries, as network addresses can be summarized between areas.
  Reduced link-state update overhead.
  Reduced frequency of SPF calculations.

Why Multiarea OSPF? - OSPF Two-Layer Area Hierarchy
▪ Multiarea OSPF is implemented in a two-layer area hierarchy.
▪ Backbone (Transit) area - An OSPF area whose primary function is the fast and efficient movement of IP packets:
  Interconnects with other OSPF area types.
  Also called OSPF area 0.
▪ Regular (nonbackbone) area - Connects users and resources:
  Usually set up along functional or geographical groupings.
  All traffic from other areas must cross a transit area.

Why Multiarea OSPF? - Types of OSPF Routers
▪ There are four different types of OSPF routers:
  Internal router - A router that has all of its interfaces in the same area.
  Backbone router - A router in the backbone area. The backbone area is set to area 0.
  Area Border Router (ABR) - A router that has interfaces attached to multiple areas.
  Autonomous System Boundary Router (ASBR) - A router that has at least one interface attached to an external internetwork.
▪ A router can be classified as more than one router type.

Multiarea OSPF LSA Operation - OSPF LSA Types
▪ LSAs individually act as database records and provide specific OSPF network details.
▪ LSAs in combination describe the entire topology of an OSPF network or area.
▪ Any implementation of multiarea OSPF must support the first five LSAs.

Multiarea OSPF LSA Operation - OSPF LSA Type 1
▪ Routers advertise their directly connected OSPF-enabled links in a type 1 LSA.
▪ Type 1 LSAs are also referred to as router link entries.
▪ Type 1 LSAs are flooded only within the area in which they originated.
▪ ABRs advertise the networks learned from the type 1 LSAs to other areas as type 3 LSAs.
▪ The type 1 LSA link ID is identified by the router ID of the originating router.
Multiarea OSPF LSA Operation - OSPF LSA Type 2
▪ Type 2 LSAs have the following characteristics:
  Only found on multiaccess and nonbroadcast multiaccess (NBMA) networks.
  Contain the router ID and IP address of the DR, along with the router ID of all other routers on the multiaccess segment.
  Give other routers information about multiaccess networks within the same area.
  Not forwarded outside of an area.
  Also referred to as network link entries.
  The link-state ID is the DR router ID.

Multiarea OSPF LSA Operation - OSPF LSA Type 3
▪ Type 3 LSAs have the following characteristics:
  They are used by ABRs to advertise networks from other areas.
  The ABR creates a type 3 LSA for each of its learned OSPF networks.
  ABRs flood type 3 LSAs from one area to other areas.
  To reduce the impact of flooding in a large OSPF deployment, configuration of manual route summarization on the ABR is recommended.
  The link-state ID is set to the network address.

Multiarea OSPF LSA Operation - OSPF LSA Type 4
▪ Type 4 LSAs have the following characteristics:
  They identify an ASBR and provide a route to it.
  They are generated by an ABR only when an ASBR exists within an area.
  They are flooded to other areas by ABRs.
  The link-state ID is set to the ASBR router ID.

Multiarea OSPF LSA Operation - OSPF LSA Type 5
▪ Type 5 LSAs have the following characteristics:
  They advertise external routes, also referred to as external LSA entries.
  They are originated by the ASBR and flooded to the entire routing domain.
  The link-state ID is the external network number.
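An added example, not from the Cisco slides, that turns the router-type definitions and the LSA origination rules above into code: given which OSPF area each interface sits in, it derives each router's roles and which LSA types it injects into which areas. The three-router topology, the class and function names are constructed for this illustration.

```python
from dataclasses import dataclass


@dataclass
class Router:
    name: str
    interface_areas: dict              # interface name -> OSPF area number
    has_external_link: bool = False    # attached to an external internetwork (ASBR)

    @property
    def areas(self) -> set:
        return set(self.interface_areas.values())


def router_roles(r: Router) -> set:
    """Apply the four definitions from the slides; a router may hold several roles."""
    roles = set()
    if len(r.areas) == 1:
        roles.add("internal")
    if 0 in r.areas:
        roles.add("backbone")
    if len(r.areas) > 1:
        roles.add("ABR")
    if r.has_external_link:
        roles.add("ASBR")
    return roles


def lsa_origination(topology: list) -> dict:
    """Map each router name to {LSA type: set of areas into which it injects that LSA}.
    Type 1: every router, into each attached area (flooded only within that area).
    Type 3: an ABR, into each attached area, carrying the other areas' networks.
    Type 4: an ABR whose attached area contains an ASBR, into its other areas; an ABR that
            learns of the ASBR through the backbone re-originates it into its non-backbone areas.
    Type 5: the ASBR, flooded through the entire routing domain (all areas).
    Type 2 depends on DR election on multiaccess segments and is not modelled here."""
    all_areas = set()
    asbr_areas = set()
    for r in topology:
        all_areas |= r.areas
        if r.has_external_link:
            asbr_areas |= r.areas
    result = {}
    for r in topology:
        roles = router_roles(r)
        out = {1: set(r.areas)}
        if "ABR" in roles:
            out[3] = set(r.areas)
            if r.areas & asbr_areas:
                type4 = r.areas - asbr_areas
            elif 0 in r.areas and asbr_areas:
                type4 = r.areas - {0}
            else:
                type4 = set()
            if type4:
                out[4] = type4
        if "ASBR" in roles:
            out[5] = set(all_areas)
        result[r.name] = out
    return result


# Constructed topology in the slides' hierarchical style: R1 joins area 1 to the backbone,
# R2 sits entirely in area 0, R3 joins area 2 to the backbone and also redistributes external routes.
TOPOLOGY = [
    Router("R1", {"G0/0": 1, "G0/1": 1, "S0/0/0": 0}),
    Router("R2", {"S0/0/0": 0, "S0/0/1": 0}),
    Router("R3", {"S0/0/1": 0, "G0/0": 2}, has_external_link=True),
]

if __name__ == "__main__":
    for r in TOPOLOGY:
        print(r.name, sorted(router_roles(r)))
    for name, lsas in lsa_origination(TOPOLOGY).items():
        print(name, lsas)
```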
OSPF Routing Table and Types of Routes - OSPF Routing Table Entries
▪ OSPF routes in an IPv4 routing table are identified using the following descriptors:
  O - The routing table reflects the link-state information with a designation of O, meaning that the route is intra-area.
  O IA - Summary LSAs appear in the routing table as IA (interarea routes).
  O E1 or O E2 - External LSAs appear in the routing table marked as external type 1 (E1) or external type 2 (E2) routes.

OSPF Routing Table and Types of Routes - OSPF Route Calculation
▪ The order in which the best paths are calculated is as follows:
  All routers calculate the best path or paths to destinations within their area (intra-area). These are the type 1 and type 2 LSAs - O.
  All routers calculate the best path or paths to the other areas within the internetwork. Type 3 LSAs - O IA.
  All routers calculate the best path or paths to the external autonomous system (type 5) destinations - O E1 or O E2.

9.2 Configuring Multiarea OSPF

Configuring Multiarea OSPF - Implementing Multiarea OSPF
▪ There are 4 steps to implementing multiarea OSPF:
  Step 1. Gather the network requirements and parameters.
  Step 2. Define the OSPF parameters:
    Single area or multiarea OSPF?
    IP addressing plan
    OSPF areas
    Network topology
  Step 3. Configure the multiarea OSPF implementation based on the parameters.
  Step 4. Verify the multiarea OSPF implementation.

Configuring Multiarea OSPF - Configuring Multiarea OSPFv2
▪ There are no special commands to implement multiarea OSPFv2.
▪ A router becomes an ABR when it has two network statements in different areas.
▪ R1 is an ABR because it has interfaces in area 1 and an interface in area 0.

Configuring Multiarea OSPF - Configuring Multiarea OSPFv3
▪ There are no special commands required to implement multiarea OSPFv3.
▪ A router becomes an ABR when it has two interfaces in different areas.

Verifying Multiarea OSPF - Verifying Multiarea OSPFv2
▪ Commands to verify multiarea OSPFv2:
  show ip ospf neighbor
  show ip ospf
  show ip ospf interface
  show ip protocols
  show ip ospf interface brief
  show ip route ospf
  show ip ospf database
Note: For the equivalent OSPFv3 command, simply substitute ipv6 for ip.

Verifying Multiarea OSPF - Verify General Multiarea OSPFv2 Settings
▪ Use the show ip protocols command to verify the OSPFv2 status. It lists the routing protocols configured on the router, the number of areas, the router ID, and the networks included in the routing protocol.
▪ Use the show ip ospf interface brief command to display OSPFv2-related information for OSPFv2-enabled interfaces. It lists the OSPFv2 process ID, the area that the interfaces are in, and the interface cost.

Verifying Multiarea OSPF - Verify the OSPFv2 Routes
▪ Use the show ip route ospf command to verify the multiarea OSPFv2 configuration. O represents OSPFv2 routes and IA represents interarea, which means that the route originated from another area.

Verifying Multiarea OSPF - Verify the Multiarea OSPFv2 LSDB
▪ Use the show ip ospf database command to verify the contents of the OSPFv2 LSDB.

Verifying Multiarea OSPF - Verify Multiarea OSPFv3
▪ Use the show ipv6 protocols command to verify OSPFv3.
▪ Use the show ipv6 interface brief command to verify the OSPFv3-enabled interfaces and the area to which they belong.
▪ Use show ipv6 route ospf to display the routing table.
▪ Use show ipv6 ospf database to display the contents of the LSDB.

9.3 Chapter Summary

Conclusion - Chapter 9: Multiarea OSPF
▪ Explain how multiarea OSPF operates in a small to medium-sized business network.
▪ Implement multiarea OSPFv2 and OSPFv3.

Chapter 7: Access Control Lists
CCNA Routing and Switching Routing and Switching Essentials v6.0

Chapter 7 - Sections & Objectives
▪ 7.1 ACL Operation
  Explain the purpose and operation of ACLs in small to medium-sized business networks.
  Explain how ACLs filter traffic.
  Explain how ACLs use wildcard masks.
  Explain how to create ACLs.
  Explain how to place ACLs.
▪ 7.2 Standard IPv4 ACLs
  Configure standard IPv4 ACLs to filter traffic in a small to medium-sized business network.
  Configure standard IPv4 ACLs to filter traffic to meet networking requirements.
  Use sequence numbers to edit existing standard IPv4 ACLs.
  Configure a standard ACL to secure VTY access.

Chapter 7 - Sections & Objectives (Cont.)
▪ 7.3 Troubleshoot ACLs
  Troubleshoot IPv4 ACL issues.
  Explain how a router processes packets when an ACL is applied.
  Troubleshoot common standard IPv4 ACL errors using CLI commands.

7.1 ACL Operation

Purpose of ACLs - What is an ACL?
▪ An ACL is a series of IOS commands that control whether a router forwards or drops packets based on information found in the packet header.
  ACLs are not configured by default on a router.
▪ ACLs can perform the following tasks:
  Limit network traffic to increase network performance. For example, video traffic could be blocked if it is not permitted.
  Provide traffic flow control. ACLs can help verify that routing updates are from a known source.
  Provide security for network access: an ACL can block a host or a network.
  Filter traffic based on traffic type, such as Telnet traffic.
  Screen hosts to permit or deny access to network services such as FTP or HTTP.

Purpose of ACLs - Packet Filtering
▪ An ACL is a sequential list of permit or deny statements, known as access control entries (ACEs). ACEs are commonly called ACL statements.
▪ When network traffic passes through an interface configured with an ACL, the router compares the information within the packet against each ACE, in sequential order, to determine if the packet matches one of the ACEs. This is referred to as packet filtering.
▪ Packet filtering:
  Can analyze incoming and/or outgoing packets.
  Can occur at Layer 3 or Layer 4.
▪ The last statement of an ACL is always an implicit deny. This is automatically inserted at the end of each ACL and blocks all traffic. Because of this, all ACLs should have at least one permit statement.

Purpose of ACLs - ACL Operation
▪ ACLs do not act on packets that originate from the router itself. ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router.
▪ ACLs can be configured to apply to inbound traffic and outbound traffic:
  Inbound ACLs – Incoming packets are processed before they are routed to the outbound interface.
  Outbound ACLs – Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.
Wildcard Masks in ACLs - Introducing ACL Wildcard Masking
▪ IPv4 ACEs require the use of wildcard masks.
▪ A wildcard mask is a string of 32 binary digits (1s and 0s) used by the router to determine which bits of the address to examine for a match.
▪ Wildcard masks are often referred to as an inverse mask since, unlike a subnet mask where a binary 1 is a match, a binary 0 is a match with wildcard masks. For example:

Wildcard Masks in ACLs - Wildcard Mask Examples
▪ Calculating the wildcard mask to match IPv4 subnets takes practice. In the figure to the left:
  Example 1: The wildcard mask stipulates that every bit in the IPv4 address 192.168.1.1 must match exactly.
  Example 2: The wildcard mask stipulates that anything will match.
  Example 3: The wildcard mask stipulates that any host within the 192.168.1.0/24 network will match.

Wildcard Masks in ACLs - Calculating the Wildcard Mask
▪ Calculating wildcard mask examples:
  Example 1: Assume you want to permit access to all users in the 192.168.3.0 network with the subnet mask of 255.255.255.0. Subtract the subnet mask from 255.255.255.255 and the result is 0.0.0.255.
  Example 2: Assume you want to permit network access for the 14 users in the subnet 192.168.3.32/28 with the subnet mask of 255.255.255.240. After subtracting the subnet mask from 255.255.255.255, the result is 0.0.0.15.
  Example 3: Assume you want to match only networks 192.168.10.0 and 192.168.11.0 with the subnet mask of 255.255.254.0. After subtracting the subnet mask from 255.255.255.255, the result is 0.0.1.255.
Wildcard Masks in ACLs - Wildcard Mask Keywords
▪ To make wildcard masks easier to read, the keywords host and any can help identify the most common uses of wildcard masking.
  host substitutes for the 0.0.0.0 mask.
  any substitutes for the 255.255.255.255 mask.
▪ If you would like to match the 192.168.10.10 address, you could use 192.168.10.10 0.0.0.0 or, you can use: host 192.168.10.10
▪ In Example 2, instead of entering 0.0.0.0 255.255.255.255, you can use the keyword any by itself.

Wildcard Masks in ACLs - Wildcard Mask Keyword Examples
▪ Example 1 in the figure demonstrates how to use the any keyword to substitute for the IPv4 address 0.0.0.0 with a wildcard mask of 255.255.255.255.
▪ Example 2 demonstrates how to use the host keyword to substitute for the wildcard mask when identifying a single host.

Guidelines for ACL Creation - General Guidelines for Creating ACLs
▪ Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.
▪ Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.
▪ Configure ACLs on border routers, such as those situated at the edge of your network. This will provide a basic buffer from the outside network that is less controlled.
▪ Configure ACLs for each network protocol configured on the border router interfaces.

Guidelines for ACL Creation - ACL Best Practices
▪ Using ACLs requires significant attention to detail. Mistakes can be very costly in terms of downtime, troubleshooting efforts, and poor network performance.
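A small calculator for the wildcard-mask arithmetic on the slides above, added here as an example and not part of the Cisco material: it reproduces the three subtraction examples and the host/any keyword expansion, checks whether an address matches an address/wildcard pair, and also derives the pair that matches "the subnet in which host X/prefix resides", as the extended-ACL practice problems later on the page ask. Function names are my own.

```python
import ipaddress

FULL = 0xFFFFFFFF


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len network: the bitwise inverse of the subnet mask."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    subnet_mask = (FULL << (32 - prefix_len)) & FULL
    return str(ipaddress.IPv4Address(FULL ^ subnet_mask))


def wildcard_from_mask(subnet_mask: str) -> str:
    """The slide method: subtract the subnet mask from 255.255.255.255, octet by octet."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))


def matches(ace_addr: str, wildcard: str, packet_addr: str) -> bool:
    """A packet address matches when every bit whose wildcard bit is 0 equals the ACE
    address bit; wildcard bits set to 1 are ignored (the inverse of subnet-mask logic)."""
    care = FULL ^ int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(ace_addr))
    p = int(ipaddress.IPv4Address(packet_addr))
    return (a & care) == (p & care)


def expand_keyword(source: str) -> tuple:
    """Expand the 'host A' and 'any' shorthands into an explicit (address, wildcard) pair."""
    parts = source.split()
    if parts == ["any"]:
        return "0.0.0.0", "255.255.255.255"
    if len(parts) == 2 and parts[0] == "host":
        return parts[1], "0.0.0.0"
    if len(parts) == 2:
        return parts[0], parts[1]
    raise ValueError(f"unrecognized source token: {source!r}")


def subnet_match(host_with_prefix: str) -> str:
    """Address/wildcard pair matching every host in the subnet that contains host_with_prefix,
    e.g. 'the subnet in which 192.168.7.200/26 resides' style exercises."""
    net = ipaddress.ip_network(host_with_prefix, strict=False)
    return f"{net.network_address} {wildcard_from_prefix(net.prefixlen)}"


if __name__ == "__main__":
    # Constructed sample addresses: the 0.0.1.255 wildcard covers 192.168.10.0 and 192.168.11.0
    for host in ("192.168.10.7", "192.168.11.250", "192.168.12.1"):
        print(host, matches("192.168.10.0", "0.0.1.255", host))
    print(subnet_match("192.168.7.200/26"), "|", subnet_match("192.168.7.14/29"))
```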
Guidelines for ACL Creation - General Guidelines for Creating ACLs
▪ The proper placement of an ACL can make the network operate more efficiently. For example, an ACL can be placed to reduce unnecessary traffic.
▪ Every ACL should be placed where it has the greatest impact on efficiency.
  Extended ACLs – Configure extended ACLs as close as possible to the source of the traffic to be filtered. This stops undesirable traffic close to the source, before it crosses the network infrastructure.
  Standard ACLs – Since standard ACLs do not specify destination addresses, they should be configured as close to the destination as possible.

Guidelines for ACL Creation - Standard ACL Placement
▪ This example demonstrates the proper placement of the standard ACL that is configured to block traffic from the 192.168.10.0/24 network to the 192.168.30.0/24 network.
▪ There are two possible places to configure the access list on R3.
▪ If the access list is applied to the S0/0/1 interface, it will block traffic to the 192.168.30.0/24 network, but also traffic going to the 192.168.31.0/24 network.
▪ The best place to apply the access list is on R3's G0/0 interface. The access list should be applied to traffic exiting the G0/0 interface. Packets from 192.168.10.0/24 can still reach 192.168.31.0/24.

7.2 Standard IPv4 ACLs

Configure Standard IPv4 ACLs - Numbered Standard IPv4 ACL Syntax
▪ The access-list global configuration command defines a standard ACL with a number in the range of 1 through 99.
▪ The full syntax of the standard ACL command is as follows:
  Router(config)# access-list access-list-number { deny | permit | remark } source [ source-wildcard ] [ log ]
  To remove the ACL, the global configuration no access-list command is used. Use the show access-list command to verify the removal of the ACL.

Configure Standard IPv4 ACLs - Applying Standard IPv4 ACLs to Interfaces
▪ After a standard IPv4 ACL is configured, it is linked to an interface using the ip access-group command in interface configuration mode:
  Router(config-if)# ip access-group { access-list-number | access-list-name } { in | out }
▪ To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL.

Configure Standard IPv4 ACLs - Numbered Standard IPv4 ACL Examples
▪ The figure to the left shows an example of an ACL that permits traffic from a specific subnet but denies traffic from a specific host on that subnet.
  The no access-list 1 command deletes the previous version of ACL 1.
  The next ACL statement denies the host 192.168.10.10. What is another way to write this command without using host?
  All other hosts on the 192.168.10.0/24 network are then permitted.
  There is an implicit deny statement that matches every other network.
  Next, the ACL is reapplied to the interface in an outbound direction.

Configure Standard IPv4 ACLs - Numbered Standard IPv4 ACL Examples (Cont.)
▪ This next example demonstrates an ACL that denies a specific host but will permit all other traffic.
  The first ACL statement deletes the previous version of ACL 1.
  The next command, with the deny keyword, will deny traffic from the PC1 host that is located at 192.168.10.10.
  The access-list 1 permit any statement will permit all other hosts.
  This ACL is applied to interface G0/0 in the inbound direction since it only affects the 192.168.10.0/24 LAN.

Configure Standard IPv4 ACLs - Named Standard IPv4 ACL Syntax
▪ Identifying an ACL with a name rather than with a number makes it easier to understand its function.
▪ The example to the left shows how to configure a named standard access list. Notice how the commands are slightly different:
  Use the ip access-list command to create a named ACL. Names are alphanumeric, case sensitive, and must be unique.
  Use permit or deny statements as needed. You can also use the remark command to add comments.
  Apply the ACL to an interface using the ip access-group name command.

Modify IPv4 ACLs - Method 1 – Use a Text Editor
▪ It is sometimes easier to create and edit ACLs in a text editor such as Microsoft Notepad rather than making changes directly on the router.
▪ For an existing ACL, use the show running-config command to display the ACL, copy and paste it into the text editor, make the necessary changes, and then paste it back into the router interface.
▪ It is important to note that when using the no access-list command, different IOS software releases act differently. If the ACL that has been deleted is still applied to the interface, some IOS versions act as if no ACL is protecting your network while others deny all traffic.

Modify IPv4 ACLs - Method 2 – Use Sequence Numbers
▪ The figure to the left demonstrates the steps used to make changes to a numbered ACL using sequence numbers.
▪ Step 1 identifies the problem. The deny 192.168.10.99 statement is incorrect.
  The host to deny should be 192.168.10.10.
▪ To make the edit, Step 2 shows how to go into standard access-list 1 and make the change. The misconfigured statement had to be deleted with the no command: no 10
▪ Once it was deleted, the new statement with the correct host was added: 10 deny host 192.168.10.10

Modify IPv4 ACLs - Editing Standard Named ACLs
▪ By referring to statement sequence numbers, individual statements can be easily inserted or deleted.
▪ The figure to the left shows an example of how to insert a line into a named ACL.
▪ By numbering it 15, it will place the command in between statements 10 and 20.
▪ Please notice that when the ACL was originally created, the network administrator spaced each command by 10, which left room for edits and additions.
▪ The no sequence-number named ACL command is used to delete individual statements.

Modify IPv4 ACLs - Verifying ACLs
▪ Use the show ip interface command to verify that the ACL is applied to the correct interface.
▪ The output will display the name of the access list and the direction in which it was applied to the interface.
▪ Use the show access-lists command to display the access lists configured on the router.
▪ Notice how the sequence is displayed out of order for the NO_ACCESS access list. This will be discussed later in this section.

Modify IPv4 ACLs - ACL Statistics
▪ The show access-lists command can be used to display matched statistics after an ACL has been applied to an interface and some testing has occurred.
▪ When traffic is generated that should match an ACL statement, the matches shown in the show access-lists command output should increase.
▪ Recall that every ACL has an implicit deny any as the last statement.
  The statistics for this implicit command will not be displayed. However, if this command is configured manually, the results will be displayed.
▪ The clear access-list counters command can be used to clear the counters for testing purposes.

Securing VTY ports with a Standard IPv4 ACL - The access-class Command
▪ Administrative VTY access to Cisco devices should be restricted to help improve security.
▪ Restricting VTY access is a technique that allows you to define which IP addresses are allowed remote access to the router EXEC process.
▪ The access-class command configured in line configuration mode will restrict incoming and outgoing connections between a particular VTY (into a Cisco device) and the addresses in an access list.
▪ Router(config-line)# access-class access-list-number { in [ vrf-also ] | out }

Securing VTY ports with a Standard IPv4 ACL - Verifying the VTY Port is Secured
▪ Verification of the ACL configuration used to restrict VTY access is important.
▪ The figure to the left shows two devices trying to SSH into two different devices.
▪ The show access-lists command output shows the results after the SSH attempts by PC1 and PC2.
▪ Notice the match results in the permit and the deny statements.

7.3 Troubleshoot ACLs

Processing Packets with ACLs - The Implicit Deny Any
▪ A single-entry ACL with only one deny entry has the effect of denying all traffic.
▪ At least one permit ACE must be configured in an ACL or all traffic will be blocked.
▪ Study the two ACLs in the figure to the left. Will the results be the same or different?
Processing Packets with ACLs - The Order of ACEs in an ACL
▪ The order in which ACEs are configured is important since ACEs are processed sequentially.
▪ The figure to the left demonstrates a conflict between two statements since they are in the wrong order. The first deny statement blocks everything in the 192.168.10.0/24 network. However, the second permit statement is attempting to allow host 192.168.10.10 through. This statement is rejected since it is a subset of the previous statement. Reversing the order of these two statements will solve the problem.

Processing Packets with ACLs - Cisco IOS Reorders Standard ACLs
▪ Note the order in which the access-list statements were entered during configuration.
▪ Notice how the order was changed when you enter the show running-config command.
▪ The host statements are listed first, however, not in the order they were entered.
▪ The IOS puts host statements in an order using a special hashing function. The resulting order optimizes the search for a host ACL entry.
▪ The range statements are displayed in the order they were entered. The hashing function is applied only to host statements.

Processing Packets with ACLs - Routing Processes and ACLs
▪ The figure shows the logic of routing and ACL processes.
▪ When a packet arrives at a router interface, the router process is the same, whether ACLs are configured or not.
▪ After the frame information is stripped off, the router checks for an ACL on the inbound interface. If an ACL exists, the packet is tested against the statements.
▪ If the packet matches a statement, the packet is either permitted or denied.
▪ If the packet is permitted, and after the router processes the packet, the outgoing interface will also be checked for an ACL.
Common IPv4 Standard ACL Errors - Troubleshooting Standard IPv4 ACLs – Example 1
▪ The most common errors involving ACLs:
  Entering ACEs in the wrong order
  Not specifying adequate ACL rules
  Applying the ACL using the wrong direction, wrong interface, or wrong source address
▪ In the figure to the left, PC2 should not be able to access the File Server. However, PC1 cannot access it either.
▪ The output of the show access-list command shows the one deny statement in the ACL.
▪ The set of commands on the right shows the solution. The permit statement allows the other devices access, since the implicit deny was blocking all other traffic.

Common IPv4 Standard ACL Errors - Troubleshooting Standard IPv4 ACLs – Example 2
▪ The 192.168.11.0/24 network should not be able to access the 192.168.10.0/24 network.
▪ PC2 cannot access PC1, as planned; however, it also cannot access the Internet through R2.
▪ Problem: access-list 20 was applied to G0/1 in the inbound direction.
▪ Where should ACL 20 be applied and in which direction?
▪ In order for PC2 to access the Internet, ACL 20 needs to be removed from the G0/1 interface and applied outbound on the G0/0 interface.

Common IPv4 Standard ACL Errors - Troubleshooting Standard IPv4 ACLs – Example 3
▪ Only PC1 should be allowed to SSH to R1.
▪ There is a problem with the config in the figure to the left since PC1 is unable to SSH to R1.
▪ The ACL is permitting the 192.168.10.1 address, which is the G0/0 interface. However, the address that should be permitted is the PC1 host address of 192.168.10.10.
▪ The solution is provided below:
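To make the standard-ACL behaviour from the preceding slides concrete (sequential ACE evaluation, the implicit deny, sequence-number edits and the match counters of show access-lists), here is an added model, not code from the Cisco slides. The class and function names are my own, and unlike real IOS the model does not reject a shadowed statement; it simply evaluates in sequence order, which is exactly how the ordering-conflict slide plays out.

```python
import ipaddress
from dataclasses import dataclass

FULL = 0xFFFFFFFF


def _ip(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


@dataclass
class Ace:
    seq: int
    action: str        # "permit" or "deny"
    addr: int
    wildcard: int      # wildcard bit 0 = must match, 1 = ignore
    matches: int = 0   # counter displayed by "show access-lists"

    def covers(self, src: int) -> bool:
        care = FULL ^ self.wildcard
        return (src & care) == (self.addr & care)


class StandardAcl:
    """Sequential list of ACEs that compares the source address only, with an implicit
    'deny any' at the end."""

    def __init__(self, name: str):
        self.name = name
        self.aces: list = []
        self.implicit_denies = 0   # IOS does not display this count; tracked here for illustration

    def add(self, line: str) -> None:
        """Accept '[seq] {permit|deny} {host A | any | A W}'. Without a sequence number the
        ACE is appended at the last sequence number + 10, starting at 10, as IOS does."""
        parts = line.split()
        seq = int(parts.pop(0)) if parts[0].isdigit() else (self.aces[-1].seq + 10 if self.aces else 10)
        if any(a.seq == seq for a in self.aces):
            raise ValueError(f"sequence number {seq} already in use")
        action = parts.pop(0)
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if parts == ["any"]:
            addr, wc = "0.0.0.0", "255.255.255.255"
        elif parts[0] == "host":
            addr, wc = parts[1], "0.0.0.0"
        else:
            addr, wc = parts[0], (parts[1] if len(parts) > 1 else "0.0.0.0")  # IOS default wildcard
        self.aces.append(Ace(seq, action, _ip(addr), _ip(wc)))
        self.aces.sort(key=lambda a: a.seq)   # evaluation order follows sequence numbers

    def remove(self, seq: int) -> None:
        """Equivalent of entering 'no <seq>' inside the ACL."""
        self.aces = [a for a in self.aces if a.seq != seq]

    def evaluate(self, src_ip: str) -> str:
        """First matching ACE wins; if nothing matches, the implicit deny applies."""
        src = _ip(src_ip)
        for ace in self.aces:
            if ace.covers(src):
                ace.matches += 1
                return ace.action
        self.implicit_denies += 1
        return "deny"

    def show(self) -> list:
        """Rough rendering of 'show access-lists' output, including match counts."""
        lines = [f"Standard IP access list {self.name}"]
        for a in self.aces:
            if a.wildcard == FULL:
                src = "any"
            elif a.wildcard == 0:
                src = f"host {ipaddress.IPv4Address(a.addr)}"
            else:
                src = f"{ipaddress.IPv4Address(a.addr)}, wildcard bits {ipaddress.IPv4Address(a.wildcard)}"
            hits = f" ({a.matches} matches)" if a.matches else ""
            lines.append(f"    {a.seq} {a.action} {src}{hits}")
        return lines


def ordering_conflict_demo() -> tuple:
    """Slide scenario: 'deny 192.168.10.0 0.0.0.255' placed before 'permit host 192.168.10.10'
    shadows the permit. Inserting the host permit at a lower sequence number fixes it."""
    wrong = StandardAcl("WRONG_ORDER")
    wrong.add("10 deny 192.168.10.0 0.0.0.255")
    wrong.add("20 permit host 192.168.10.10")
    fixed = StandardAcl("FIXED_ORDER")
    fixed.add("10 deny 192.168.10.0 0.0.0.255")
    fixed.add("5 permit host 192.168.10.10")   # lands before 10, like a named-ACL sequence insert
    return wrong.evaluate("192.168.10.10"), fixed.evaluate("192.168.10.10")


if __name__ == "__main__":
    acl = StandardAcl("1")
    acl.add("deny host 192.168.10.10")   # on its own this ACL blocks everyone (implicit deny)
    acl.add("permit any")
    for host in ("192.168.10.10", "192.168.10.11"):   # constructed sample sources
        print(host, "->", acl.evaluate(host))
    print("\n".join(acl.show()))
    print(ordering_conflict_demo())
```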
Common IPv4 Standard ACL Errors
Packet Tracer – Troubleshooting Standard IPv4 ACLs
▪ This Packet Tracer activity will require the troubleshooting of various IPv4 ACL issues.

7.4 Chapter Summary

Securing VTY Ports with a Standard IPv4 ACL
Packet Tracer – Skills Integration Challenge
▪ This Packet Tracer activity will require you to finish the IP addressing scheme, configure routing, and implement named access control lists.

CCNA 200-301, Volume 2
Chapter 3: Advanced IPv4 Access Control Lists

Objectives
▪ Configure and verify access control lists.

Comparisons of IP ACL Types
IP Header, with Focus on Required Fields in Extended IP ACLs
Extended ACL Syntax, with Required Fields

Extended access-list Commands and Logic Explanations
access-list Statement | What It Matches
access-list 101 deny tcp any any | Any IP packet that has a TCP header
access-list 101 deny udp any any | Any IP packet that has a UDP header
access-list 101 deny icmp any any | Any IP packet that has an ICMP header
access-list 101 deny ip host 1.1.1.1 host 2.2.2.2 | All IP packets from host 1.1.1.1 going to host 2.2.2.2, regardless of the header after the IP header
access-list 101 deny udp 1.1.1.0 0.0.0.255 any | All IP packets that have a UDP header following the IP header, from subnet 1.1.1.0/24, going to any destination

IP Header, Followed by a TCP Header and Port Number Fields
Extended ACL Syntax with TCP and UDP Port Numbers Enabled
Filtering Packets Based on Destination Port
Filtering Packets Based on Source Port

Popular Applications and Their Well-Known Port Numbers
Port Number(s) | Protocol | Application | access-list Command Keyword
20 | TCP | FTP Data | ftp-data
21 | TCP | FTP Control | ftp
22 | TCP | SSH | --
23 | TCP | Telnet | telnet
25 | TCP | SMTP | smtp
53 | UDP, TCP | DNS | domain
67 | UDP | DHCP Server | bootps
68 | UDP | DHCP Client | bootpc
69 | UDP | TFTP | tftp
80 | TCP | HTTP (WWW) | www
110 | TCP | POP3 | pop3
161 | UDP | SNMP | snmp
443 | TCP | SSL/TLS (HTTPS) | --
514 | UDP | Syslog | --
16,384-32,767 | UDP | RTP (Voice, Video) | --
▪ Where the keyword column shows --, the numeric port must be typed in the access-list command.

Extended access-list Command Examples and Logic Explanations
access-list Statement | What It Matches
access-list 101 deny tcp any gt 49151 host 10.1.1.1 eq 23 | Packets with a TCP header, any source IP address, a source port greater than (gt) 49151, a destination IP address of exactly 10.1.1.1, and a destination port equal to (eq) 23.
access-list 101 deny tcp any host 10.1.1.1 eq 23 | The same as the preceding example, but any source port matches, because that parameter is omitted in this case.
access-list 101 deny tcp any host 10.1.1.1 eq telnet | The same as the preceding example. The telnet keyword is used instead of port 23.
access-list 101 deny udp 1.0.0.0 0.255.255.255 lt 1023 any | A packet with a source in network 1.0.0.0/8, using UDP with a source port less than (lt) 1023, with any destination IP address.

Extended IP Access List Configuration Commands
Command | Configuration Mode and Description
access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [log | log-input] | Global command for extended numbered access lists. Use a number between 100 and 199 or 2000 and 2699, inclusive.
access-list access-list-number {deny | permit} {tcp | udp} source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [log] | A version of the access-list command with parameters specific to TCP and/or UDP.

Network Diagram for Extended Access List Example 1
R1's Extended Access List: Example 1
R3's Extended Access List Stopping Bob from Reaching FTP Servers Near R1
Network Diagram for Extended Access List Example 2
Yosemite Configuration for Extended Access List Example 2

Building One-Line Extended ACLs: Practice
Problem | Criteria
1 | From web client 10.1.1.1, sent to a web server in subnet 10.1.2.0/24.
2 | From Telnet client 172.16.4.3/25, sent to a Telnet server in subnet 172.16.3.0/25. Match all hosts in the client's subnet as well.
3 | ICMP messages from the subnet in which 192.168.7.200/26 resides to all hosts in the subnet where 192.168.7.14/29 resides.
4 | From web server 10.2.3.4/23's subnet to clients in the same subnet as host 10.4.5.6/22.
5 | From Telnet server 172.20.1.0/24's subnet, sent to any host in the same subnet as host 172.20.44.1/23.
6 | From web client 192.168.99.99/28, sent to a web server in subnet 192.168.176.0/28. Match all hosts in the client's subnet as well.
7 | ICMP messages from the subnet in which 10.55.66.77/25 resides to all hosts in the subnet where 10.66.55.44/26 resides.
8 | Any and every IPv4 packet.

Named ACL vs. Numbered ACL Configuration
Named Access List Configuration
Removing One Command from a Named ACL
Editing ACLs Using Sequence Numbers
Adding To and Displaying a Numbered ACL Configuration

General Recommendations for ACL Implementation
▪ Place extended ACLs as close as possible to the source of the packet.
▪ Place standard ACLs as close as possible to the destination of the packet.
▪ Place more specific statements early in the ACL.
▪ Disable an ACL from its interface (using the no ip access-group interface subcommand) before making changes to the ACL.
▪ Why the last point matters: the no access-list number global command removes every line of a numbered ACL at once, and an interface whose ip access-group command references an ACL that does not exist permits all traffic. Rebuilding a numbered ACL while it is still applied therefore leaves a window with no filtering at all; unbinding it first, or editing a named ACL in place with sequence numbers, avoids that window.
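The two logic tables and the practice problems above describe how IOS reads one extended ACE: protocol first, then source address and wildcard, an optional source-port operator, destination address and wildcard, an optional destination-port operator, and first-match evaluation ending in an implicit deny. The following Python is an added example, not code from the CCNA slides or from Cisco: it builds one-line numbered ACEs from CIDR criteria (converting a prefix length to the wildcard mask) and evaluates a list of ACEs against a packet the way the tables describe. The packet descriptions and ACL lines are constructed here; treating established as "a TCP segment with ACK or RST set" is stated as an assumption in the code.

```python
"""Extended-ACL builder and evaluator (added example, not the slides' code).

Builds numbered extended ACEs from CIDR criteria and applies first-match
logic, ending in the implicit 'deny ip any any', to a packet description.
Assumption: 'established' matches a TCP segment that has ACK or RST set.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS port keywords from the well-known port table on the page.
PORT_KEYWORDS = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
                 "domain": 53, "bootps": 67, "bootpc": 68, "tftp": 69,
                 "www": 80, "pop3": 110, "snmp": 161}


def addr_wildcard(cidr: str) -> str:
    """CIDR -> the 'any', 'host a.b.c.d' or 'network wildcard' operand IOS expects."""
    net = ipaddress.ip_network(cidr, strict=False)   # 10.2.3.4/23 -> 10.2.2.0/23
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"   # hostmask is the wildcard


def extended_ace(number: int, action: str, proto: str, src: str, dst: str,
                 sport: Optional[str] = None, dport: Optional[str] = None) -> str:
    """One numbered extended ACE; sport/dport are port keywords or numbers for 'eq'."""
    parts = [f"access-list {number} {action} {proto}", addr_wildcard(src)]
    if sport:
        parts.append(f"eq {sport}")
    parts.append(addr_wildcard(dst))
    if dport:
        parts.append(f"eq {dport}")
    return " ".join(parts)


@dataclass
class Packet:
    proto: str                 # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False   # TCP flags that satisfy 'established' (assumption)


def _port(tok: str) -> int:
    return PORT_KEYWORDS[tok] if tok in PORT_KEYWORDS else int(tok)


def _addr(t: List[str], i: int) -> Tuple[int, int, int]:
    """Consume an address operand; return (network, wildcard, next index) as ints."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return int(ipaddress.ip_address(t[i + 1])), 0, i + 2
    return int(ipaddress.ip_address(t[i])), int(ipaddress.ip_address(t[i + 1])), i + 2


def _portop(t: List[str], i: int):
    """Consume an optional port operator; return (op, operands, next index)."""
    if i < len(t) and t[i] in ("eq", "neq", "gt", "lt"):
        return t[i], [_port(t[i + 1])], i + 2
    if i < len(t) and t[i] == "range":
        return "range", [_port(t[i + 1]), _port(t[i + 2])], i + 3
    return None, [], i


def parse_ace(line: str) -> dict:
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line}")
    ace = {"action": t[2], "proto": t[3]}
    i = 4
    ace["src"], ace["swild"], i = _addr(t, i)
    ace["sop"], ace["sports"], i = _portop(t, i)
    ace["dst"], ace["dwild"], i = _addr(t, i)
    ace["dop"], ace["dports"], i = _portop(t, i)
    ace["established"] = "established" in t[i:]
    return ace


def _addr_ok(addr: str, net: int, wild: int) -> bool:
    care = ~wild & 0xFFFFFFFF        # wildcard bit 1 = don't care; compare the 0 bits
    return (int(ipaddress.ip_address(addr)) & care) == (net & care)


def _port_ok(op: Optional[str], operands: List[int], port: int) -> bool:
    if op is None:
        return True                  # operator omitted: any port matches
    if op == "eq":
        return port == operands[0]
    if op == "neq":
        return port != operands[0]
    if op == "gt":
        return port > operands[0]
    if op == "lt":
        return port < operands[0]
    return operands[0] <= port <= operands[1]   # range


def matches(ace: dict, pkt: Packet) -> bool:
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if ace["established"] and not (pkt.proto == "tcp" and pkt.ack_or_rst):
        return False
    return (_addr_ok(pkt.src, ace["src"], ace["swild"])
            and _addr_ok(pkt.dst, ace["dst"], ace["dwild"])
            and _port_ok(ace["sop"], ace["sports"], pkt.sport)
            and _port_ok(ace["dop"], ace["dports"], pkt.dport))


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; returns (action, 1-based line) or ('deny', None)."""
    for n, line in enumerate(acl, start=1):
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace["action"], n
    return "deny", None              # the implicit 'deny ip any any'
```

Problem 4 of the practice set, for instance, becomes extended_ace(101, "permit", "tcp", "10.2.3.4/23", "10.4.5.6/22", sport="www"), which yields access-list 101 permit tcp 10.2.2.0 0.0.1.255 eq www 10.4.4.0 0.0.3.255: the /23 and /22 are rounded down to their network addresses and the host masks become the wildcards. Feeding evaluate() a list in the wrong order (a broad permit ip any any ahead of a specific deny) shows concretely why the recommendation to put more specific statements first is about correctness, not style.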
CCNA 200-301, Volume 2
Chapter 1: Introduction to TCP/IP Transport and Applications

Objectives
▪ Compare TCP to UDP.
▪ Explain the role of DHCP and DNS in the network.

TCP/IP Transport Layer
TCP Header Fields
Hannah Sending Packets to Jessie, with Three Applications
Using Port Numbers to Multiplex Connections Between Sockets

Popular Applications and Their Well-Known Port Numbers
Port Number | Protocol | Application
20 | TCP | FTP Data
21 | TCP | FTP Control
22 | TCP | SSH
23 | TCP | Telnet
25 | TCP | SMTP
53 | UDP, TCP | DNS
67, 68 | UDP | DHCP (Server, Client)
69 | UDP | TFTP
80 | TCP | HTTP (WWW)
110 | TCP | POP3
161 | UDP | SNMP
443 | TCP | SSL/TLS (HTTPS)
514 | UDP | Syslog

TCP Connection Establishment
TCP Connection Termination
TCP Acknowledgment Without Errors
TCP Acknowledgment with Errors
TCP Windowing
UDP Header
Structure of a URI Used to Retrieve a Web Page
DNS Resolution and Requesting a Web Page
Recursive DNS Lookup
Multiple HTTP GET Requests/Responses
Dilemma: How Host A Chooses the App That Should Receive This Data
Three Key Fields with Which to Identify the Next Header