Concepts: Chapter 7, Routing
Layer | Source info | Destination info |
---|---|---|
Network layer | Sender's IP | Receiver's IP |
Data Link layer | Sender's MAC | Default Gateway MAC |

Layer | Source info | Destination info |
---|---|---|
Network layer | Sender's IP | Receiver's IP |
Data Link layer | Default Gateway MAC | Next router's MAC |

Layer | Source info | Destination info |
---|---|---|
Network layer | Sender's IP | Receiver's IP |
Data Link layer | Final router's MAC | Receiver's MAC |
Back to subnet masks for a bit. They are useful to know, but they are a bit bulky. There is another way to pass along subnet mask information. What if I were told that a message was meant for the address 10.28.33.44/16? What's the /16 part for? That's CIDR notation. Classless Inter-Domain Routing information tells you the subnet mask that an address uses. /16 means that the network the address refers to uses 16 network bits, which is the same thing as saying it has a subnet mask of 255.255.0.0, which is the same as 11111111.11111111.00000000.00000000, but not nearly as boring, or nearly as prone to error.
Class | Subnet mask | Binary form | CIDR |
---|---|---|---|
Class A | 255.0.0.0 | 11111111.00000000.00000000.00000000 | CIDR is /8 |
Class B | 255.255.0.0 | 11111111.11111111.00000000.00000000 | CIDR is /16 |
Class C | 255.255.255.0 | 11111111.11111111.11111111.00000000 | CIDR is /24 |
In a sequence like this, the text asks you to determine the destination address of a frame and of an IP packet leaving a host. Remember that the destination address of an IP packet is the final destination address. The destination address of a frame is always the MAC address of the next device that takes us closer to the final device. A text may try to confuse you by throwing switches into the mix. Switches are not relevant to this kind of problem.
Obviously, this system would fail if routers did not have the ability to learn which routers can reach which networks. Passing a packet from one router to another is called a hop. Routers keep tables of router names, networks those routers can connect to, and how many hops away a network is through a given router. Some routers also track a cost value, which can be based on line speed. Route tables are usually constructed by using a route discovery protocol.
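As an added example (not from the text), here is the two-part decision behind those tables in Python: the /16 mask from the CIDR section decides whether the receiver is on the sender's network, and if it is not, the first frame is built for the default gateway's MAC and the MAC pair is rewritten at every router while the IP pair stays the same. The addresses and MACs are constructed values.

```python
import ipaddress

# Constructed sample topology (assumed values, not from the text): the sender
# and receiver are on different /16 networks, reached through the default
# gateway and one more router.
SENDER_IP = "10.28.33.44"
SENDER_MAC = "aa:aa:aa:00:00:01"
RECEIVER_IP = "10.99.1.7"
RECEIVER_MAC = "cc:cc:cc:00:00:07"
# MAC addresses of the routers on the path, default gateway first.
ROUTER_MACS = ["bb:bb:bb:00:00:01", "bb:bb:bb:00:00:02"]

def prefix_to_mask(prefix_len):
    """Turn CIDR /n into dotted-decimal and binary mask strings: /16 -> 255.255.0.0."""
    net = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}")
    dotted = str(net.netmask)
    binary = ".".join(f"{int(octet):08b}" for octet in dotted.split("."))
    return dotted, binary

def same_network(ip_a, ip_b, prefix_len):
    """True when both addresses share the network bits covered by the mask."""
    net_a = ipaddress.IPv4Interface(f"{ip_a}/{prefix_len}").network
    return ipaddress.IPv4Address(ip_b) in net_a

def frames_for_path(prefix_len):
    """Return one (src_mac, dst_mac, src_ip, dst_ip) tuple per hop.
    The IP pair never changes; the MAC pair is rewritten at every router."""
    if same_network(SENDER_IP, RECEIVER_IP, prefix_len):
        # Destination is local: a single frame straight to the receiver's MAC.
        return [(SENDER_MAC, RECEIVER_MAC, SENDER_IP, RECEIVER_IP)]
    # Destination is remote: the first frame goes to the default gateway.
    macs = [SENDER_MAC] + ROUTER_MACS + [RECEIVER_MAC]
    return [(macs[i], macs[i + 1], SENDER_IP, RECEIVER_IP)
            for i in range(len(macs) - 1)]

if __name__ == "__main__":
    print(prefix_to_mask(16))
    for hop, (smac, dmac, sip, dip) in enumerate(frames_for_path(16), 1):
        print(f"hop {hop}: frame {smac} -> {dmac}, packet {sip} -> {dip}")
```

With /8 the two hosts land on the same network and the list collapses to a single frame addressed directly to the receiver.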
You need to know that static routing is not practical unless you are doing it for a small network. Every router that is added to the network must be added to the routing table of every other router. The command to set up static routing starts in configuration mode.
Router(config)#ip route remote_network_address remote_network_mask next_hop
The command is ip route. It is followed by the address of another network. That address is followed by the subnet mask used on that other network. The phrase next_hop stands for the address of the next router to send to, or the port on the current router that leads to the next router. You are only allowed to use a port name if the connection is point-to-point, such as a WAN link or a direct connection to another router. Example: assume we are configuring a route on a router whose address is 192.168.1.2. It is on network 192.168.1.0. We want a route to network 192.168.3.0.
ip route 192.168.3.0 255.255.255.0 192.168.1.4 100
This means that we are telling our current router that there is a route to network 192.168.3.0, which uses subnet mask 255.255.255.0. The route from here leads to a router addressed as 192.168.1.4. (That is its address on the .1 network. It has another address on the .3 network as well.) The final number is an Administrative Distance. The text explains it as a trustworthiness rating for the route. You can also think of it as a "cost" to use this route. Routers use the assigned cost of different routes to help choose the best one available.
Default routing is used when you only have one route out of your network, which means that all traffic leaving your network must pass through your router, and your router must have only one other router to hand off to. To use this in the example above, let's assume the command is:
ip route 0.0.0.0 0.0.0.0 192.168.1.2
This means the route to any network not listed in our routing table, with any subnet mask, is to pass the data to the router at address 192.168.1.2. Default routing may not work unless you configure the router with the command ip classless. This allows the router to hand off to subnets. In version 12.x of the Cisco IOS, this command is on by default.
The text tells us that setting a default route is also called setting a gateway of last resort. This setting can be accomplished with the command as shown above, or by using a port name instead of an IP address for the next hop router. It can also be set by using another command. In this example it would look like this:
ip default-network 192.168.1.0
Note that this version of the command specifies the network the router is on, not the address of the router. The default-network command is only valid if there is only one route out of the network. Such a network is called a stub network. If this command is used, the route specified is automatically given an Administrative Distance of 0.
Dynamic routing is less labor intensive for administrators, according to the text, but more processor intensive for routers. Of course, this is what routers are for, so the warning in the text is hard to take seriously.
Some basic information about IP networks may help:
The text returns to the concept of Administrative Distance. The value of AD can be any integer from 0 to 255. 0 is most trusted, 255 is not trusted. Cisco assigns AD values based on how a route is assigned, reached, or advertised.
Most routing protocols fall into two classes. Cisco describes a third, which is a mixture of the other two.
The count-to-infinity problem exists only in Distance Vector routing. As I have come to expect, our author calls this by a different name: a routing loop. It works like this:
To combat the count-to-infinity problem, two methods are used:
Some protocols do not allow VLSM. The text refers to these as classful protocols. RIPv1 and IGRP are classful protocols. These protocols do not allow the use of summary routes, which you would expect if you are not subnetting subnets. Protocols that do allow VLSM are called classless protocols.
More terminology: a route that goes up and down is said to be flapping. This causes an update each time its state changes, which is not necessarily helpful. A holddown timer is like an automatic timeout that starts when a router announces that a working route is no longer working. The reason it waits is to give the down route time to come back up, which would eliminate the need to remove it from the routing tables. The holddown is released if the route comes back up, or if a better route becomes available.
The chapter continues with a discussion of configuring RIP on routers. RIP has several timers to be aware of:
If you have set up static IP routes, you can remove them with the same commands that created them, preceded by the word no. If the command was:
ip route 192.168.3.0 255.255.255.0 192.168.1.4
the command to remove it would be:
no ip route 192.168.3.0 255.255.255.0 192.168.1.4
To activate RIP on your router, you use a sequence of commands:
router rip
network address_of_directly_connected_network
ctrl-Z
You repeat the middle command for each network directly connected to the router. This is one of the reasons people use RIP: it is easy to set up. You tell each router about the routes connected to it. It advertises them to other routers, and those routers add them to their own routing tables. Then the routers keep telling each other everything they know. Over and over and over again, even if there are no changes.
Once you have enabled RIP on your router, you can check the routing table on it with this command:
show ip route
The result should be several lines long. It may start with several lines of a legend, indicating the meaning of each code at the start of each line. (See page 233 of the text for an example.)
Each R line will have new information after the IP address, in the format [DDD/hh]. The part I have indicated with DDD will be the Administrative Distance of the route. The part I have indicated by hh will be the number of hops. Remember that RIPv1 will only allow 15 hops in a working route. This information will allow the router to decide whether this route to a network is better, worse, or the same as a route it may already know about. In general, the table will only hold one route line for each network, as long as one is better than the others. If a route to that network is advertised that has a lower AD than the existing route in its table, the router will replace the existing line with the new route. If they have the same AD, a lower hop count makes a route better, so the route with the lower hop count is written to the table. RIP allows a router to have up to 6 equal cost routes to a network in the routing table. The default number of equal cost routes is 4.
The text notes that if our router holds a route to a network that takes 15 hops, it will still advertise that route to other routers, even though there is no point to it. Why? Because if our router is 15 hops away from a network, that means that another router would have to hop to our router to use that route, which makes it 16 hops long, which is unusable.
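Added example, not from the text: a small Python model of the table-update rule described above, fed with constructed show ip route R lines in the [DDD/hh] format, which also shows why a 15-hop route is useless to a neighbor. The sample networks and next hops are made up.

```python
import re

MAX_HOPS = 15          # RIPv1 allows at most 15 hops in a working route
MAX_EQUAL_COST = 4     # default number of equal-cost routes kept per network

# Matches the "[AD/hops] via next_hop" part of an R line in show ip route.
R_LINE = re.compile(r"^R\s+(\S+)\s+\[(\d+)/(\d+)\]\s+via\s+([\d.]+)")

def parse_r_line(line):
    """Return (network, ad, hops, next_hop) from an R line, or None for other lines."""
    m = R_LINE.match(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)

def install_route(table, network, ad, hops, next_hop, max_paths=MAX_EQUAL_COST):
    """table maps network -> list of (ad, hops, next_hop). Lower AD replaces the
    line; same AD with fewer hops replaces it; same AD and hops is kept as an
    extra equal-cost path up to max_paths. Returns True if the table changed."""
    if hops > MAX_HOPS:
        return False                      # unusable route, never installed
    current = table.get(network)
    if not current:
        table[network] = [(ad, hops, next_hop)]
        return True
    cur_ad, cur_hops, _ = current[0]
    if ad < cur_ad or (ad == cur_ad and hops < cur_hops):
        table[network] = [(ad, hops, next_hop)]
        return True
    if ad == cur_ad and hops == cur_hops:
        if next_hop in [r[2] for r in current] or len(current) >= max_paths:
            return False
        current.append((ad, hops, next_hop))
        return True
    return False                          # worse route: ignored

def hops_as_seen_by_neighbor(hops):
    """A route our router reaches in N hops costs a neighbor N+1 hops."""
    return hops + 1

# Constructed sample lines (not from the text) in the [DDD/hh] format.
SAMPLE_LINES = [
    "R    192.168.3.0/24 [120/2] via 192.168.1.4, 00:00:12, FastEthernet0/0",
    "R    192.168.3.0/24 [120/1] via 192.168.1.5, 00:00:08, FastEthernet0/1",
    "R    192.168.3.0/24 [120/1] via 192.168.1.6, 00:00:03, FastEthernet0/1",
    "R    192.168.9.0/24 [120/15] via 192.168.1.4, 00:00:12, FastEthernet0/0",
]

def build_table(lines):
    """Feed each parsed R line through install_route and return the table."""
    table = {}
    for line in lines:
        parsed = parse_r_line(line)
        if parsed:
            install_route(table, *parsed)
    return table
```

The 192.168.9.0/24 route at 15 hops is still installed locally, but hops_as_seen_by_neighbor(15) gives 16, which is past MAX_HOPS and so is never installed by the router that hears the advertisement.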
It is not a good idea to advertise routes outside our own networks. On the router that connects to the Internet, the port that does so should be configured with the command passive-interface port_designation.
RIPv2 works a lot like RIP. Both are Distance Vector protocols, both allow only 15 hops in a route. RIPv2, however, allows you to send subnet mask information with a route advertisement, so it is considered classless and it supports VLSM. To use RIPv2 use the same commands shown above, but insert one new line before pressing ctrl-Z:
version 2
RIPv2 should be used if you are connecting LANs that would otherwise use RIP but cannot due to differing subnet masks.
The next improved routing protocol in the text is IGRP. It is still a Distance Vector protocol, but it has several improvements over RIP:
When you configure IGRP on a router, you declare it to have an Autonomous System number. Only routers with the same number will share routes with each other over this protocol. To activate IGRP, enter configuration mode and enter these commands:
router igrp autonomous_system_number
network address_of_directly_connected_network
ctrl-Z
The text notes that you must enter the classful address of each network you add in the configuration. If you are subnetting, ignore that fact for the configuration of this protocol.
As with RIP, you can check the routing table on it with this command:
show ip route
The result should be several lines long. Each route added by IGRP will be tagged with an I, and each route configured as directly connected will start with a C. Each IGRP line will have new information after the IP address, in the format [DDD/cccccc]. The part I have indicated with DDD will be the Administrative Distance of the route. The part I have indicated by cccccc will be a composite metric based on bandwidth and data rate. The lower the number, the better.
IGRP allows up to six routes in the table for a given network. Unlike RIP, those six routes do not need to have equal ratings. They are used for load balancing, which gives better performance than using only one route to a destination. In addition to using multiple routes, IGRP is better for larger networks than RIP.
Even though the CCNA test covers both RIP and IGRP protocols, the author advises us that it would be better to use neither of these protocols, but one of the Link State protocols from the next chapter.
The text reminds us again that we can check configuration settings with show ip route. Several command options are discussed.
Within any organization, IP addresses in private address ranges may be used without registering the addresses with IANA. Each address you use within your network must still be unique in your network. The problem is that there is no guarantee whatsoever that any address I use in my organization is not already in use in your organization, which makes direct networking between our networks unreliable, if not impossible.
The magic part: To access the Internet, traffic from a private address network passes through a router that acts as a proxy server, providing a shared connection with a registered address. That router has both a private address on your network, and a registered public address that lets it communicate with other networks. The proxy server shares its public address with the devices on your network, allowing them to send signals to other networks through it. The service that does this sharing of the address is called Network Address Translation (NAT). This may be done on a server or on a router that provides this service.
The text abruptly jumps to the topic of firewalls, which we are told may be classified three different ways:
1. Packet-filtering firewalls
Traffic on a network is broken into packets, smaller message units. Each packet must hold at least two addresses: that of the sender and that of the recipient. A packet-filtering firewall will hold a database of rules that tell it what to do with packets. Often the rules are based on the addresses mentioned above and the protocol (network rules) the packet is being sent under. The rules may include all three ideas, such as the three rules shown in a previous text:
Packet filtering firewalls come in three types.
2. Application gateway firewalls
To understand this one and the next two, I have to explain the ISO-OSI Network Model. In fact, it will help you to understand all of these processing types. The ISO-Open Systems Interconnect networking model has seven layers that describe what happens to a packet as it is prepared to be sent out on a network, and what happens when that packet is received by the machine that is meant to act on it.
Packets leaving a device start at the top layer of the model (Application, layer 7) and are processed down the stack to the bottom layer (Physical, layer 1). Packets being received by a device arrive at the Physical layer, and are handed off to each successive layer until they are received by an application at layer 7.
The chart below shows the seven layers of the ISO-OSI model, the firewall types associated with several layers, and a summary of the many things that happen on each layer. Do you need to know all the material in the third column? Not for this lesson, but eventually you will.
So, what's an application gateway? The text tells us that a proxy server, discussed in the last lesson, is an example of an application gateway. It acts as an intermediary between a requester and a more protected device. The text tells us that it is probably dedicated to one application, then confuses the issue by listing five protocols. The protocols listed correspond to particular services on a network, whose functions live on layer 7: FTP is for file service, Telnet is for remote sessions, HTTP is for web pages, SMTP is for mail service, and SNMP is for managing a network. The proxy server can make the connection, and can examine the data for allowable content. For example, a business may set up a proxy server that runs an application to prevent staff from accessing particular kinds of web sites, such as gambling, gaming, or sports sites.
Firewall? | Layer name | Topics & Methods |
---|---|---|
application gateways live here | Application (layer 7) | |
| Presentation (layer 6) | |
| Session (layer 5) | |
circuit gateways live here | Transport (layer 4) | |
packet filtering firewalls live here | Network (layer 3) | |
MAC layer firewalls live here | Data link (layer 2) | |
no firewall lives here: no addresses on this layer | Physical (layer 1) | |
3. Circuit gateways
This kind of firewall lives on the transport layer, which is associated with guaranteed delivery of packets. Other than that, the explanation in our last text was very unclear. The explanation at the PCStats web site is clearer. It explains that the function of the circuit gateway is less analytical than the proxy server, but that it does serve as an intermediary as well, making sure that only requested data is returned to the requester. It will not examine the data for content.
4. MAC layer firewalls
The MAC sublayer of the ISO-OSI Data Link layer is concerned with MAC addresses, the hard coded addresses that are generally burned into network cards when they are manufactured. This kind of firewall will check the MAC address of a requester to determine whether the device being used to make the connection is authorized to access the data in question. This would be useful in situations where devices are placed in lobbies for customers who are allowed to browse a catalog, but not allowed to place orders that would affect inventory.
5. Hybrids - the fifth processing firewall type combines features of the other four.
Note that none of the firewall solutions discussed will protect a network from user error. You can still trigger an incident by following a link to a malware site that is not forbidden, by running a Trojan or a worm, or by any other action that a user is allowed to take.
Let's move ahead to where the text discusses some advice for configuring firewalls.
There are some rules that could be set on most firewalls. A typical approach to firewall rules is to decide what is allowed, write rules allowing those things, and then deny everything else. An alternative is to write rules for everything you want to deny, then allow everything else. It is not uncommon for a rule database to contain a mixture of rules that allow and deny packets. This is probably the most common approach. The section on firewall rules is pretty extensive, and a bit beyond what we want for this course, so we will continue to the next item.
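Added example, not from the text: a first-match packet filter in Python with the two approaches side by side (an allow list ending in default deny, a deny list ending in default allow) and the mixed rule base the text says is most common. Rules match on the sender and recipient addresses, the protocol and the port, as described under packet-filtering firewalls above; the addresses, ports and rules are constructed.

```python
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Packet:
    src: str            # sender address
    dst: str            # recipient address
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # destination port, 0 for protocols without ports

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str = "0.0.0.0/0"      # any source unless narrowed
    dst: str = "0.0.0.0/0"      # any destination unless narrowed
    proto: str = "any"
    dport: int = 0              # 0 matches any port

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (0, pkt.dport))

def filter_packet(rules, default_action, pkt):
    """The first rule that matches decides; with no match, the default policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default_action

# Constructed rule sets (addresses are private and documentation ranges).
# Approach 1: allow only what is needed, then deny everything else (default "deny").
ALLOW_LIST = [
    Rule("allow", dst="192.168.1.10/32", proto="tcp", dport=80),    # web server
    Rule("allow", dst="192.168.1.10/32", proto="tcp", dport=443),
    Rule("allow", src="192.168.1.0/24", proto="tcp", dport=25),     # outbound mail
]
# Approach 2: deny what you know you do not want, then allow everything else
# (default "allow").
DENY_LIST = [
    Rule("deny", proto="tcp", dport=23),          # no Telnet through the firewall
    Rule("deny", src="203.0.113.0/24"),           # a blocked outside range
]
# Mixture: a deny rule in front of the allow list, still ending in default deny.
MIXED = [Rule("deny", src="203.0.113.0/24")] + ALLOW_LIST
```

The same unlisted service (SSH on port 22 in the assertions) is dropped by the allow list but passed by the deny list, which is the practical difference between the two approaches.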
Week 4 Assignment: Labs for Chapters 7 and 8 (and all the chapters after that)