Friday, December 9, 2011

IP ROUTING BASICS: Static Routes to Interfaces / Next Hops

IP ROUTING

Admin Distances

0   connected
1   static
5   EIGRP summary
20  eBGP
90  EIGRP (internal)
110 OSPF
120 RIP
170 EIGRP external
200 iBGP

Order of Operation, Inside to Out
if IPsec, check input ACL
decrypt IPsec
check input ACL
check input rate limits
input accounting
redirect to web cache
policy routing
routing
NAT inside to outside
check output ACL
inspect (CBAC)
TCP intercept
encryption
queueing

The major difference outside-to-in is that NAT (outside to inside, global to local) is done straight after input accounting, before policy routing and routing, and the redirect to web cache moves to after routing. The practical point for writing ACLs: an inbound ACL on the outside interface is checked before NAT, so it must match the inside-global (translated) addresses, while an outbound ACL on the outside interface is checked after NAT and so sees the translated source of inside-to-out traffic.
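As an added example (not from the original post), here is a small Python model of just the NAT and ACL steps of the two pipelines above; the addresses, the NAT table and the ACLs are constructed for the example, and the other steps (rate limits, accounting, policy routing, CBAC and so on) are left out. It shows why an inbound ACL on the outside interface has to be written against the translated (inside global) address: NAT outside-to-inside has not happened yet when that ACL is checked.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# Constructed NAT table for the example: inside local -> inside global.
NAT_TABLE = {"10.229.254.2": "203.0.113.2"}
REVERSE_NAT = {g: l for l, g in NAT_TABLE.items()}

PERMIT_ALL = [("permit", "0.0.0.0/0", "0.0.0.0/0")]


def acl_permits(acl, pkt):
    """acl is a list of (action, src_prefix, dst_prefix); first match wins and
    there is an implicit deny at the end, like an IOS extended ACL."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, s, d in acl:
        if src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d):
            return action == "permit"
    return False


def inside_to_outside(pkt, input_acl, output_acl):
    """Inside-to-out order from the notes: input ACL ... routing, then
    NAT inside->outside, then the output ACL (which sees the translated src)."""
    if not acl_permits(input_acl, pkt):
        return None, "dropped by input ACL (inside interface, pre-NAT)"
    pkt = replace(pkt, src=NAT_TABLE.get(pkt.src, pkt.src))
    if not acl_permits(output_acl, pkt):
        return None, "dropped by output ACL (outside interface, post-NAT src)"
    return pkt, "forwarded"


def outside_to_inside(pkt, input_acl, output_acl):
    """Outside-to-in: the input ACL runs BEFORE NAT outside->inside, so the
    outside interface's inbound ACL sees the global address as destination."""
    if not acl_permits(input_acl, pkt):
        return None, "dropped by input ACL (outside interface, pre-NAT dst)"
    pkt = replace(pkt, dst=REVERSE_NAT.get(pkt.dst, pkt.dst))
    if not acl_permits(output_acl, pkt):
        return None, "dropped by output ACL (inside interface, post-NAT dst)"
    return pkt, "forwarded"


def return_traffic_check(inbound_acl_on_outside):
    """Reply from a constructed Internet host (198.51.100.9) back to the
    translated host. Returns the pipeline verdict string."""
    reply = Packet(src="198.51.100.9", dst="203.0.113.2")
    return outside_to_inside(reply, inbound_acl_on_outside, PERMIT_ALL)[1]


if __name__ == "__main__":
    # Written against the inside-local address: never matches, because the
    # inbound ACL on the outside interface is evaluated before NAT.
    wrong = [("permit", "0.0.0.0/0", "10.229.254.2/32")]
    right = [("permit", "0.0.0.0/0", "203.0.113.2/32")]
    print("ACL on inside-local address :", return_traffic_check(wrong))
    print("ACL on inside-global address:", return_traffic_check(right))
```

The same model answers the inside-to-out question: an outbound ACL on the outside interface that permits 10.229.254.2 as a source never matches either, because by that point the source has already been translated to 203.0.113.2.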

General IP Routing
  • Outbound ACLs do not affect locally generated traffic; they only apply to transit (data-plane) traffic.
  • Passive-interface only affects routing protocol updates (and hellos) on that interface; the interface's network is still advertised.
  • Routes are selected by longest match first. Only between routes to the same prefix does admin distance decide, and if the AD is also the same, the IGP metric.
  • The steps in routing a packet are: find the outgoing interface (route lookup), switch the packet to the outgoing interface, and build the layer 2 header.
  • A classful route lookup first searches for the classful major network; if it is found, the subnets of that network are searched, and with ip classless disabled a packet for an unknown subnet of a known major network is dropped even if a default route exists. A classless lookup is a bit-by-bit longest-match comparison.
  • Classful routing protocols such as IGRP do not understand 0.0.0.0-type default routes; they flag a real network as the default instead (see ip default-network below).
  • Process switching does per-packet load balancing, fast switching does per-destination; CEF can do both and also has per-port load sharing.
  • The CEF default is per destination.
  • Per-packet load balancing can cause a lot of issues with out-of-sequence packets.
  • Per-port load sharing for CEF (layer 4 ports included in the hash) is commonly used in NAT scenarios.
  • The original CEF algorithm had a 4-bit hash (16 buckets) for working out load balancing; because every router hashed a given flow the same way, this caused issues such as polarization (a downstream router only ever sees the flows that already hashed one way, so it uses only one of its own paths).
  • The universal CEF algorithm uses a 32-bit hash mixed with a per-router universal ID (random by default, settable with ip cef load-sharing algorithm universal <id>) so that each router randomizes the same flow differently.
  • Features not supported by CEF on the IOS these notes are based on: policy routing, NAT, multipoint PPP, Token Ring ISL; traffic for them is punted.
  • CEF punts occur if the CEF lookup fails, a feature is not supported, or a feature requires special handling.
  • CEF divides its lookup into 4 sub-lookups, one for each octet, and scans down the FIB efficiently.
  • CEF has two tables: the adjacency table (layer 2 rewrite information) and the FIB.
  • When a static route is pointed at an interface it is considered connected, so it can be advertised with a network statement.
  • Static routes pointing at a multipoint interface do not need a recursive lookup, but the router will need to ARP (or have a frame-relay map) for every destination. This can cause issues if, say, a static default route to the Internet is pointed at the interface: the router then depends on proxy ARP and holds an ARP entry for every remote destination.
  • A static route pointing at a point-to-point interface needs neither a recursive lookup nor ARP: it is presumed there is only one possible next hop, so the packet just goes that way.
  • A static route pointing at a next-hop address requires a recursive lookup to find out how to get to the next hop.
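An added example, not from the original notes, modelling the polarization bullet above: a toy CEF hash (SHA-256 truncated to the 16 buckets of the original 4-bit scheme; an assumption for the model, not Cisco's real function) run across two tiers of routers, each with two equal-cost paths. Without a per-router ID the second tier only ever uses one path; mixing in a distinct universal ID per router restores the split. The flow set and the universal IDs are constructed.

```python
import hashlib
from collections import Counter

BUCKETS = 16  # the original CEF algorithm hashed each flow into one of 16 buckets


def cef_bucket(src, dst, universal_id=None):
    """Model of CEF per-destination hashing (not Cisco's real function).
    Without universal_id every router gets the same bucket for a src/dst pair,
    like the original algorithm; with a per-router universal_id mixed in, two
    routers disagree about the same flow, like the universal algorithm."""
    data = f"{src}->{dst}".encode()
    if universal_id is not None:
        data += universal_id.to_bytes(4, "big")
    # SHA-256 is used only as a deterministic, well-mixed hash for the model.
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big") % BUCKETS


def choose_path(src, dst, n_paths, universal_id=None):
    return cef_bucket(src, dst, universal_id) % n_paths


def simulate(flows, universal_ids=None):
    """Two tiers of routers, each with two equal-cost paths: tier1 splits the
    flows between tier2-A and tier2-B, and each of those splits again.
    Returns {router: Counter(path -> number of flows)}."""
    ids = universal_ids or {}
    usage = {"tier1": Counter(), "tier2-A": Counter(), "tier2-B": Counter()}
    for src, dst in flows:
        p1 = choose_path(src, dst, 2, ids.get("tier1"))
        usage["tier1"][p1] += 1
        downstream = "tier2-A" if p1 == 0 else "tier2-B"
        p2 = choose_path(src, dst, 2, ids.get(downstream))
        usage[downstream][p2] += 1
    return usage


def make_flows(n=200):
    """Constructed sample: n client hosts in 10.1.0.0/16 talking to one server."""
    return [(f"10.1.{i // 256}.{i % 256}", "192.0.2.10") for i in range(n)]


def polarized(usage):
    """True when a downstream router is using only one of its two paths."""
    return any(len(paths) == 1 for name, paths in usage.items() if name != "tier1")


if __name__ == "__main__":
    print("original algorithm :", simulate(make_flows()))
    ids = {"tier1": 0x1A2B3C4D, "tier2-A": 0x5E6F7081, "tier2-B": 0x92A3B4C5}
    print("universal algorithm:", simulate(make_flows(), ids))
```

The choice of mixing function matters for the model: a linear checksum such as CRC32 would only XOR a constant into every flow's hash when the ID is appended, which flips or keeps the path for all flows together and leaves the second tier just as polarized; a non-linear hash is needed for the per-router ID to actually reshuffle flows.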

Commands

ip cef - enable CEF (global configuration)

no ip route-cache cef - disable CEF on an interface

no ip route-cache - disable fast switching on an interface (falls back to process switching)

sh arp - display the ARP cache

distance weight ip-address wildcard-mask [access-list-number] - set the administrative distance for routes learned from a particular source (router configuration mode)

LAB

OK so I will do a simple lab for this. We will have R4, R5 and R1 connected over frame relay;
they will all be in the subnet 10.229.254.0 255.255.255.0, R4 is .1, R5 is .2 and R1 is .3.
R5 will have int lo 5.5.5.5 which I will try to get to from R4 with ip route.

OK so for instance I put on R4:
ip route 5.5.5.5 255.255.255.255 10.229.254.2

r4#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/65/68 ms
r4#
It pings successfully.
It was able to look at its frame-relay map table, see the DLCI for 10.229.254.2, which is 405, and ping out.

OK, next instance:

r4(config)#ip route 5.5.5.5 255.255.255.255 s0/0/0
The ping fails:
r4#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r4#

It does not know whether to go out DLCI 405 or 401 on s0/0/0:
r4#sh frame-relay map
Serial0/0/0 (up): ip 10.229.254.3 dlci 401(0x191,0x6410), dynamic,
              broadcast,, status defined, active
Serial0/0/0 (up): ip 10.229.254.2 dlci 405(0x195,0x6450), dynamic,
              broadcast,, status defined, active

r4(config)#int s0/0/0
r4(config-if)#frame-relay map ip 5.5.5.5 ?
  <16-1007>  DLCI
  vc-bundle  vc-bundle
r4(config-if)#frame-relay map ip 5.5.5.5 405
OK so I tell it to go out 405:

r4#sh frame-relay map
Serial0/0/0 (up): ip 10.229.254.3 dlci 401(0x191,0x6410), dynamic,
              broadcast,, status defined, active
Serial0/0/0 (up): ip 5.5.5.5 dlci 405(0x195,0x6450), static,
              CISCO, status defined, active
Serial0/0/0 (up): ip 10.229.254.2 dlci 405(0x195,0x6450), dynamic,
              broadcast,, status defined, active

and:
r4#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/65/68 ms
r4#

OK so I create another loopback on R5 with IP address 6.6.6.6.
The ping fails and I have to add another frame-relay map for 6.6.6.6.
Then the ping succeeds:
r4#sh frame-relay map
Serial0/0/0 (up): ip 10.229.254.3 dlci 401(0x191,0x6410), dynamic,
              broadcast,, status defined, active
Serial0/0/0 (up): ip 6.6.6.6 dlci 405(0x195,0x6450), static,
              CISCO, status defined, active
Serial0/0/0 (up): ip 5.5.5.5 dlci 405(0x195,0x6450), static,
              CISCO, status defined, active
Serial0/0/0 (up): ip 10.229.254.2 dlci 405(0x195,0x6450), dynamic,
              broadcast,, status defined, active
r4#
Notice there is an individual map for each destination. Not bad for this example, but imagine if you had 1000+ hosts you needed to access.

OK, the next lab is pointing at a point-to-point interface.
So on R4:
interface Serial0/0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0/0.1 point-to-point
 ip address 10.229.254.1 255.255.255.0
 frame-relay interface-dlci 405
r4#clear frame-relay inarp
r4#sh frame-relay map
Serial0/0/0.1 (up): point-to-point dlci, dlci 405(0x195,0x6450), broadcast
          status defined, active
r4#

r4(config)#ip route 6.6.6.6 255.255.255.255 s0/0/0.1
r4(config)#ip route 5.5.5.5 255.255.255.255 s0/0/0.1

Both successful. No recursion necessary; it just sends it out s0/0/0.1 as it knows it is p2p.

r4#ping 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/65/68 ms
r4#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/64/68 ms
r4#
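To tie the static-route bullets to what the three ping tests showed, here is an added Python model (not the page's or Cisco's code) of the three routing steps: longest-match/AD route selection, recursive resolution for next-hop routes versus the one-step resolution of interface routes, and the layer 2 step where a multipoint interface needs a map for the exact address being sent to while a point-to-point interface does not. The class names, the ADMIN_DISTANCE table and the r4_multipoint / r4_point_to_point builders are the model's own; the addresses and DLCIs are the lab's.

```python
import ipaddress

# Administrative distances from the table at the top of the page.
ADMIN_DISTANCE = {
    "connected": 0, "static": 1, "eigrp-summary": 5, "ebgp": 20,
    "eigrp": 90, "ospf": 110, "rip": 120, "eigrp-external": 170, "ibgp": 200,
}


class Interface:
    """A point-to-point interface has exactly one DLCI; a multipoint interface
    needs a per-destination map, like the entries in 'sh frame-relay map'."""

    def __init__(self, name, point_to_point, dlci=None, l2_map=None):
        self.name, self.point_to_point, self.dlci = name, point_to_point, dlci
        self.l2_map = {}
        for ip, mapped_dlci in (l2_map or {}).items():
            self.add_map(ip, mapped_dlci)

    def add_map(self, ip, dlci):  # the model's 'frame-relay map ip <ip> <dlci>'
        self.l2_map[ipaddress.ip_address(ip)] = dlci


class Route:
    def __init__(self, prefix, source, metric=0, next_hop=None, interface=None):
        self.prefix = ipaddress.ip_network(prefix)
        self.source, self.ad, self.metric = source, ADMIN_DISTANCE[source], metric
        self.next_hop = ipaddress.ip_address(next_hop) if next_hop else None
        self.interface = interface  # set for connected and interface-pointed statics


class Router:
    def __init__(self, interfaces):
        self.interfaces = {i.name: i for i in interfaces}
        self.rib = []

    def add_route(self, route):
        self.rib.append(route)

    def best_route(self, dst):
        """Step 1: longest match first, then lowest AD, then lowest metric."""
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.rib if dst in r.prefix]
        if not matches:
            return None
        return min(matches, key=lambda r: (-r.prefix.prefixlen, r.ad, r.metric))

    def resolve(self, dst, depth=0):
        """Step 2: find the outgoing interface and the address the L2 header is
        built for. An interface-pointed route resolves in one step (L2 target =
        the final destination); a next-hop route recurses on the next hop."""
        dst = ipaddress.ip_address(dst)
        route = self.best_route(dst)
        if route is None:
            raise LookupError(f"no route to {dst}")
        if route.interface is not None:
            return route.interface, dst
        if depth > 8:  # two statics pointing at each other would loop forever
            raise LookupError(f"recursive lookup for {dst} does not terminate")
        return self.resolve(route.next_hop, depth + 1)

    def forward(self, dst):
        """Step 3: build the L2 header. Returns (interface name, DLCI) or raises."""
        iface, l2_target = self.resolve(dst)
        if iface.point_to_point:
            return iface.name, iface.dlci  # only one possible next hop, no map needed
        if l2_target not in iface.l2_map:  # multipoint: need a map for this address
            raise LookupError(f"{iface.name}: no frame-relay map for {l2_target}")
        return iface.name, iface.l2_map[l2_target]


def r4_multipoint():
    """R4 from the first lab: multipoint Serial0/0/0 with the two InARP-learned maps."""
    s0 = Interface("Serial0/0/0", point_to_point=False,
                   l2_map={"10.229.254.3": 401, "10.229.254.2": 405})
    r4 = Router([s0])
    r4.add_route(Route("10.229.254.0/24", "connected", interface=s0))
    return r4


def r4_point_to_point():
    """R4 from the second lab: Serial0/0/0.1 point-to-point on DLCI 405."""
    s0_1 = Interface("Serial0/0/0.1", point_to_point=True, dlci=405)
    r4 = Router([s0_1])
    r4.add_route(Route("10.229.254.0/24", "connected", interface=s0_1))
    return r4


if __name__ == "__main__":
    r4 = r4_multipoint()
    r4.add_route(Route("5.5.5.5/32", "static", interface=r4.interfaces["Serial0/0/0"]))
    try:
        r4.forward("5.5.5.5")  # fails like the lab: which DLCI, 401 or 405?
    except LookupError as err:
        print(err)
    r4.interfaces["Serial0/0/0"].add_map("5.5.5.5", 405)
    print(r4.forward("5.5.5.5"))
```

Pointing the same /32 at the next hop 10.229.254.2 instead makes resolve() recurse into the connected /24, whose L2 target is the next hop itself, and that address is already in the InARP-learned map, which is exactly why the first ping worked without any extra frame-relay map. The depth guard in resolve() is the model's stand-in for what IOS does when two static routes point at each other's next hops.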

Other default-routing options
-----------------------------
Apart from ip route 0.0.0.0 0.0.0.0 10.229.254.1
you can use:

ip default-gateway <ip-address> - only used when IP routing is off (no ip routing)

 It is usually used for remote management of layer 2 switches, so that when you SSH to the switch the reply packets know how to get back.

ip default-network <network> - used in conjunction with routing protocols: you flag a network as the default and it is advertised out, marked * as a candidate default. It has to be a classful network. The router on which that network is directly connected flags it but does not itself get a gateway of last resort; a router that learns the network through the routing protocol does (compare the R5 and R4 outputs below).

So on R5:
interface Loopback0
 ip address 5.0.0.1 255.0.0.0
router eigrp 1
 network 5.0.0.0
 network 10.0.0.0
 auto-summary

ip default-network 5.0.0.0

r5#
*Dec  9 20:48:00.651: %SYS-5-CONFIG_I: Configured from console by console
r5#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C*   5.0.0.0/8 is directly connected, Loopback0
     6.0.0.0/32 is subnetted, 1 subnets
C       6.6.6.6 is directly connected, Loopback2
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D       10.0.0.0/8 is a summary, 00:06:44, Null0
C       10.229.254.0/24 is directly connected, Serial0/0/0
r5#

The * marks it as a candidate default route.

On R4:
------
router eigrp 1
 network 10.0.0.0
 no auto-summary

r4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.229.254.2 to network 5.0.0.0
D*   5.0.0.0/8 [90/2297856] via 10.229.254.2, 00:04:18, Serial0/0/0.1
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S       10.0.0.0/8 [1/0] via 10.229.254.1
C       10.229.254.0/24 is directly connected, Serial0/0/0

The gateway of last resort is now set (10.229.254.2 to network 5.0.0.0) and the 5.0.0.0/8 route is flagged * as a candidate default.
And I am able to ping 6.6.6.6:
r4#ping 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/64/68 ms
r4#
which is not in the routing table, so it is being reached via the candidate default route 5.0.0.0/8.

I took the default network off R5:

r4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
D    5.0.0.0/8 [90/2297856] via 10.229.254.2, 00:00:12, Serial0/0/0.1
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S       10.0.0.0/8 [1/0] via 10.229.254.1
C       10.229.254.0/24 is directly connected, Serial0/0/0.1
r4#ping 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
No longer able to ping.
