Internetworks offers a comprehensive collection of articles and tutorials on computer networks, covering basic to advanced concepts such as the data link layer, the network layer, network security, and more. It's a great starting point for beginners and a useful reference for advanced learners.
by Edgar C Francis
A firewall is a barrier between the LAN and the WAN (the trusted and the untrusted network). We configure the firewall in the forwarding path of the network so that every packet has to be checked by the firewall.
There are two kinds of firewalls: software firewalls, such as the one preinstalled with Microsoft Windows, and hardware firewalls, which are what we are going to look at here.
From the above diagram, we have a LAN with two host PCs and a Cisco switch. On the other side you can see a router connected to the ISP for the internet connection. We place our firewall in between to protect our LAN.
Stateless and stateful filtering
You can use a router as a firewall, but it is not a good choice, because most routers do not spend much effort on filtering. The router checks its access list for the port number and the source and destination IP addresses; if the packet matches an access-list entry, the router permits or denies it, and it does not keep track of the packet afterwards. This is called stateless filtering. A firewall uses stateful filtering: it keeps track of all incoming and outgoing connections, so it can tell whether a packet belongs to a connection it has already seen.
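The difference described above, as an added example that is not part of the original article: a toy model of a router's stateless access-list beside a firewall's stateful connection table. The LAN prefix, the three packets and the rule set are all constructed; the point is that a stateless "permit replies from port 443" rule also lets through an unsolicited packet that merely looks like a reply, while the stateful filter only admits return traffic for a connection the LAN actually opened.

```python
# Added example (not from the original article): stateless ACL vs stateful
# connection tracking. All addresses, ports and rules are constructed.
from dataclasses import dataclass

TRUSTED_NET = "10.0.0."   # constructed LAN prefix (hosts 10.0.0.x)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def stateless_filter(pkt):
    """Router ACL: every packet is judged on its own header fields.

    Rule 1: permit anything from the LAN to port 443 (outbound web).
    Rule 2: permit anything from port 443 back into the LAN, which a
            stateless list needs so that legitimate replies get through.
    Implicit deny at the end of the list.
    """
    if pkt.src.startswith(TRUSTED_NET) and pkt.dport == 443:
        return "permit"
    if pkt.dst.startswith(TRUSTED_NET) and pkt.sport == 443:
        return "permit"
    return "deny"


class StatefulFirewall:
    """Firewall: remembers connections the LAN opened and lets a packet
    back in only when it matches a tracked connection."""

    def __init__(self):
        self.table = set()   # (lan_ip, lan_port, remote_ip, remote_port)

    def filter(self, pkt):
        if pkt.src.startswith(TRUSTED_NET) and pkt.dport == 443:
            # outbound request: record the connection, then permit it
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        if pkt.dst.startswith(TRUSTED_NET):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.table:
                return "permit"   # reply to a connection we tracked
        return "deny"


def run_scenario():
    """Return {name: (stateless verdict, stateful verdict)} for three
    constructed packets."""
    outbound = Packet("10.0.0.5", 51000, "203.0.113.10", 443)
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 51000)
    # Unsolicited packet from outside that only *looks* like a reply
    # (source port 443) but belongs to no connection the LAN opened.
    unsolicited = Packet("198.51.100.7", 443, "10.0.0.9", 22)

    fw = StatefulFirewall()
    results = {}
    for name, pkt in [("outbound", outbound), ("reply", reply),
                      ("unsolicited", unsolicited)]:
        results[name] = (stateless_filter(pkt), fw.filter(pkt))
    return results


if __name__ == "__main__":
    for name, (acl, fw) in run_scenario().items():
        print(f"{name:12s} stateless={acl:7s} stateful={fw}")
```

Both filters pass the outbound request and its genuine reply; only the stateful firewall drops the unsolicited packet, because its connection table has no entry for it.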
The ASA (Adaptive Security Appliance) is a Cisco security device that combines a classic firewall with VPN, IPS (Intrusion Prevention System), and antivirus capabilities. The ASA is capable of providing threat defense before most attacks spread into our LAN.
I think we have done enough talking; the rest of the theory we will see in the next section.
The leak-map name keyword configures the stub router to advertise selected EIGRP-learned routes which are not ordinarily advertised. The name refers to a route map that matches one or more ACLs or prefix lists and permits the matched subnets or addresses to be leaked.
The EIGRP stub feature is very useful when we want to prevent unnecessary EIGRP queries and to filter some of the routes we advertise. But when we configure our EIGRP router as a stub and still want to make an exception for some routes (networks) so that they are advertised, this is possible with the help of a leak-map.
In a summary route: whenever we configure an EIGRP summary route, all the networks within the range of the summary are no longer advertised on that interface; the only thing left is the summary route. But if we want to advertise some networks separately next to the summary route, this can also be done with a summary leak-map. Let's see how to configure the leak map.
Topology:
Goal:
Configure the topology as per the diagram.
Assign the IP addresses to the interfaces.
Configure EIGRP 1234 on all the routers.
Configure EIGRP stub connected on router 3.
Configure a leak-map on router 3 so that, as the exception, only the 192.168.32.1 network is advertised to all the routers.
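As an added illustration of the behaviour the last two goals ask for (this is not configuration from the article, and it runs on a PC rather than a router), the model below computes which prefixes a stub router sends to its neighbour under three settings: plain stub, stub plus a summary, and stub plus summary plus the two leak-maps. Prefix-list matching follows the IOS `ip prefix-list` ge/le convention as I understand it; the 192.168.32.0/24 exception is the network from the goal list, while the other prefixes, the /22 summary and the router roles are constructed for the example.

```python
# Added example (not from the original article): simplified model of what an
# EIGRP stub router advertises with a summary route and leak-maps. The IOS
# behaviour is approximated; prefixes other than 192.168.32.0/24 are
# constructed for the scenario.
import ipaddress


def prefix_list_match(entry, prefix):
    """One 'ip prefix-list' line modelled as (network, ge, le).

    With neither ge nor le, the candidate must have exactly the listed
    length; 'ge N' / 'le N' widen the accepted range of prefix lengths.
    """
    net_str, ge, le = entry
    net = ipaddress.ip_network(net_str)
    cand = ipaddress.ip_network(prefix)
    if cand.network_address not in net:      # must lie inside the block
        return False
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else (net.prefixlen if ge is None else 32)
    return lo <= cand.prefixlen <= hi


def advertised_routes(connected, learned, summary=None,
                      stub_leak_map=(), summary_leak_map=()):
    """Return the sorted prefixes the stub sends to a neighbour.

    connected        : prefixes on its own interfaces ('eigrp stub connected')
    learned          : prefixes learned from other EIGRP neighbours; a stub
                       sends none of these unless stub_leak_map permits them
    summary          : optional 'ip summary-address eigrp' prefix; routes
                       inside it are suppressed and only the summary is sent
    summary_leak_map : prefix-list entries re-permitting suppressed routes
    """
    out = set()
    summ = ipaddress.ip_network(summary) if summary else None
    if summ:
        out.add(summary)
    for p in list(connected) + list(learned):
        net = ipaddress.ip_network(p)
        if p in learned and not any(prefix_list_match(e, p) for e in stub_leak_map):
            continue                          # stub hides learned routes
        if summ and net != summ and net.subnet_of(summ):
            if not any(prefix_list_match(e, p) for e in summary_leak_map):
                continue                      # component of the summary
        out.add(p)
    return sorted(out, key=ipaddress.ip_network)


def demo():
    """Constructed scenario: R3 is a stub with four /24s summarised as a /22;
    192.168.32.0/24 (the article's exception) is leaked beside the summary."""
    connected = ["192.168.32.0/24", "192.168.33.0/24",
                 "192.168.34.0/24", "192.168.35.0/24", "10.3.0.0/24"]
    learned = ["10.1.0.0/24", "10.2.0.0/24"]
    stub_leak = [("10.1.0.0/24", None, None)]
    summary_leak = [("192.168.32.0/24", None, None)]
    return {
        "plain stub": advertised_routes(connected, learned),
        "stub + summary": advertised_routes(connected, learned, "192.168.32.0/22"),
        "stub + summary + leak-maps": advertised_routes(
            connected, learned, "192.168.32.0/22", stub_leak, summary_leak),
    }


if __name__ == "__main__":
    for setting, routes in demo().items():
        print(f"{setting}: {routes}")
```

The third setting is the one the goal list describes: the neighbour receives the /22 summary plus the single leaked /24 next to it, and the one learned route the stub leak-map permits.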
BGP backdoor is a well-known feature of BGP which is used to change the AD (administrative distance) of eBGP routes. By default, external BGP (eBGP) has an administrative distance of 20; with the backdoor command you can set the AD to 200. If two routing protocols provide route information for the same destination, the administrative distance is the first criterion a router uses to determine which routing protocol to use for the best path. The lowest AD value marks the more reliable protocol and link.
Why do we need to change the eBGP AD?
Whenever our router learns about a network (prefix) through eBGP and also through an IGP such as OSPF, EIGRP, or RIP, the router always chooses the eBGP route, because eBGP uses an administrative distance of 20; so by default the router prefers eBGP over EIGRP (AD 90), OSPF (AD 110), and RIP (AD 120).
In some scenarios this becomes a problem; let's see the configuration.
Topology:
Goal:
Configure the topology as per the diagram.
Assign the IP addresses.
Configure EIGRP 100 on router 1 and router 3.
Advertise the interfaces.
Configure eBGP peering between router 1 and router 2.
Configure eBGP peering between router 2 and router 3.
Make sure router 1 learns the 192.168.30.1 route over the serial 4/3 link via EIGRP.
Configure the backdoor so that the 192.168.30.1 route is received via the serial 4/3 link from router 3.
*May 20 13:42:50.559: %BGP-5-ADJCHANGE: neighbor 2.2.2.1 Up
R3#show ip route 192.168.10.1 longer-prefixes
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
192.168.10.0/32 is subnetted, 1 subnets
B 192.168.10.1 [20/0] via 2.2.2.1, 00:02:03
(As you can see from the above output, router 3 is receiving R1's 192.168.10.1 route from R2 {2.2.2.1} over the serial 4/0 to serial 4/1 link, because of the lower AD value of eBGP.)
Let's see on router 1 where it is getting the 192.168.30.1 network from.
R1#show ip route 192.168.30.1 longer-prefixes
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
192.168.30.0/32 is subnetted, 1 subnets
B 192.168.30.1 [20/0] via 1.1.1.2, 00:01:44
(Router 1 is likewise installing the 192.168.30.1 network from its eBGP neighbour 1.1.1.2 because of the lower AD of eBGP.)
We need to fix this with the help of the BGP backdoor command.
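To make the AD comparison concrete, here is an added example (not code from the article) that parses the `[AD/metric]` notation of the `show ip route` lines quoted above and picks the route the router would install, first with the default ADs and then with the prefix marked as a backdoor network. The eBGP line is the one from R1's output above; the competing EIGRP line for the same prefix, with next hop 10.13.0.3 over Serial4/3, is constructed, since the article does not show it.

```python
# Added example (not from the original article): route selection by
# administrative distance, before and after a BGP backdoor. Default ADs are
# the IOS values the article quotes; the EIGRP candidate line is constructed.
import re

DEFAULT_AD = {"B": 20, "D": 90, "O": 110, "R": 120}   # eBGP, EIGRP, OSPF, RIP
BACKDOOR_AD = 200   # 'network <prefix> mask <mask> backdoor' raises eBGP to this

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]+)\s+(?P<prefix>\S+)\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]"
    r"\s+via\s+(?P<nexthop>[0-9.]+)")


def parse_route(line):
    """Turn one 'show ip route' entry into a dict of its fields."""
    m = ROUTE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a route line: {line!r}")
    return {"code": m["code"], "prefix": m["prefix"], "ad": int(m["ad"]),
            "metric": int(m["metric"]), "nexthop": m["nexthop"]}


def apply_backdoor(route, backdoor_prefixes):
    """Model of the backdoor network statement under 'router bgp': the eBGP
    route for a listed prefix is kept but gets AD 200 instead of 20."""
    if route["code"] == "B" and route["prefix"] in backdoor_prefixes:
        return dict(route, ad=BACKDOOR_AD)
    return route


def best_route(candidates, backdoor_prefixes=()):
    """Lowest AD wins; the metric only breaks ties inside one protocol."""
    adjusted = [apply_backdoor(r, backdoor_prefixes) for r in candidates]
    return min(adjusted, key=lambda r: (r["ad"], r["metric"]))


# Quoted from R1's output above (eBGP route via R2).
EBGP_LINE = "B        192.168.30.1 [20/0] via 1.1.1.2, 00:01:44"
# Constructed: the same prefix learned from R3 via EIGRP over Serial4/3.
EIGRP_LINE = "D        192.168.30.1 [90/2297856] via 10.13.0.3, 00:01:44, Serial4/3"


def demo():
    """Return (winner before backdoor, winner after backdoor, its AD)."""
    cands = [parse_route(EBGP_LINE), parse_route(EIGRP_LINE)]
    before = best_route(cands)
    after = best_route(cands, backdoor_prefixes={"192.168.30.1"})
    return before["code"], after["code"], after["ad"]


if __name__ == "__main__":
    print(demo())   # eBGP wins by default; EIGRP wins once the backdoor is set
```

Without the backdoor the eBGP route (AD 20) beats EIGRP (AD 90); once the prefix is a backdoor network its eBGP AD becomes 200 and the EIGRP path over serial 4/3 is installed, which is exactly what the last goal asks for.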
ARP (Address Resolution Protocol) is a communication protocol. Networking devices use it to discover the MAC (media access control) address associated with an IPv4 address (internet layer address) and to map MAC addresses to IPv4 addresses; this mapping is done dynamically and stored in the ARP cache. ARP works between layer 2 and layer 3 of the OSI model, because the MAC address exists on the data link layer and the IP address exists on the network layer.
How does ARP work?
Whenever a fresh PC (computer) connects to the LAN, it is assigned an IP address, statically or dynamically, to use for identity and for communication. When an incoming packet destined for a host on a particular LAN arrives at a gateway, the gateway asks ARP for the MAC address that matches the IP address. There is a table called the ARP cache in which the ARP mapping records are kept. Whenever a host needs a MAC address in order to send a packet to another host on the LAN, ARP looks in the cache to see if the IP-to-MAC translation is already stored. If it is already stored, there is no need for an ARP broadcast; if no translation is stored, ARP sends a request for the network address ("does anybody know this IP address?").
ARP broadcasts a request packet to all the hosts on the LAN, asking whether any host is using this particular IP address. When a host recognizes that it is its own IP address, it immediately sends a unicast reply, so ARP can update and store the mapping in the cache table, and communication can proceed.
What happens if the host (machine) doesn't know its own IP address?
In this situation, the RARP (Reverse ARP) protocol is used for discovery. In the next chapter we are going to see proxy ARP and RARP.
What is the ARP cache?
The ARP cache is a table where the mappings or translations are stored. The size of the ARP cache is limited, and from time to time its entries are cleaned out to free space. Mappings are stored for a few minutes. ARP updates frequently when a host changes its IP address.
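The cache behaviour described in the last three sections, as an added example that is not part of the original article: a lookup that hits the cache sends nothing on the wire, a miss triggers a broadcast request answered by a unicast reply, entries age out after a timeout and are purged, and an entry can be removed explicitly, which is what `arp -d` does on a host. The two hosts, their MAC addresses and the 120-second timeout are constructed; a fake clock makes the ageing deterministic.

```python
# Added example (not from the original article): a model of an ARP cache
# with hit/miss, expiry, purge and delete. Hosts, MACs and the timeout value
# are constructed.
import time

CACHE_TIMEOUT = 120.0   # seconds an entry stays valid (constructed value)


class Lan:
    """Pretend broadcast domain: which host owns which IP on the wire."""

    def __init__(self, hosts):
        self.hosts = dict(hosts)   # constructed {ip: mac} table
        self.broadcasts = 0        # ARP requests that actually went out

    def who_has(self, ip):
        """Broadcast 'who has <ip>?'; the owner, if any, replies by unicast."""
        self.broadcasts += 1
        return self.hosts.get(ip)  # None: nobody answered


class ArpCache:
    def __init__(self, lan, clock=time.monotonic):
        self.lan = lan
        self.clock = clock
        self.entries = {}          # ip -> (mac, inserted_at)

    def resolve(self, ip):
        """Return the MAC for ip, or None if no host on the LAN owns it."""
        now = self.clock()
        hit = self.entries.get(ip)
        if hit and now - hit[1] < CACHE_TIMEOUT:
            return hit[0]          # cache hit: no broadcast needed
        mac = self.lan.who_has(ip) # cache miss: send the ARP request
        if mac is not None:
            self.entries[ip] = (mac, now)
        else:
            self.entries.pop(ip, None)
        return mac

    def purge_expired(self):
        """Drop stale entries (the periodic cleanup); return how many."""
        now = self.clock()
        stale = [ip for ip, (_, t) in self.entries.items()
                 if now - t >= CACHE_TIMEOUT]
        for ip in stale:
            del self.entries[ip]
        return len(stale)

    def delete(self, ip):
        """Equivalent of 'arp -d <ip>' on a host; True if it existed."""
        return self.entries.pop(ip, None) is not None

    def table(self):
        """Equivalent of 'arp -a': sorted list of (ip, mac)."""
        return sorted((ip, mac) for ip, (mac, _) in self.entries.items())


def demo():
    """Drive the cache with a fake clock and report what happened."""
    t = [0.0]
    lan = Lan({"192.168.1.1": "00-11-22-33-44-01",
               "192.168.1.20": "00-11-22-33-44-20"})
    cache = ArpCache(lan, clock=lambda: t[0])
    cache.resolve("192.168.1.1")      # miss -> broadcast 1
    cache.resolve("192.168.1.1")      # hit  -> no broadcast
    cache.resolve("192.168.1.99")     # nobody owns it -> broadcast 2, None
    broadcasts_so_far = lan.broadcasts
    t[0] += CACHE_TIMEOUT             # the entry ages out
    purged = cache.purge_expired()
    cache.resolve("192.168.1.1")      # miss again -> broadcast 3
    deleted = cache.delete("192.168.1.1")
    return broadcasts_so_far, purged, lan.broadcasts, deleted, cache.table()


if __name__ == "__main__":
    print(demo())
```

Two of the first three lookups put a request on the wire (the repeat lookup is served from the cache), the aged entry is purged, the next lookup has to broadcast again, and after the explicit delete the table is empty.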
ARP Commands
We use the arp -a command to display the ARP table. It shows all the entries of the ARP cache (table).
arp -g: This command works the same as the arp -a command.
We use the arp -d command when we want to delete an entry from the ARP table for a particular interface.
A time-based access-list is a type of access-list which allows network access on the basis of a given time period. It is useful when you want to place restrictions on outbound or inbound traffic on the basis of particular days and time periods.
Sometimes it may be useful if you want to block particular traffic on specific days or during business hours.
Time-based access-list
A time-based access-list is easy to implement, and it gives the admin good control over the network traffic, as traffic can be denied or permitted on the basis of time.
Let's configure a time-based access-list.
Topology:
Configure the topology as per the diagram.
Configure IP addresses on the ports.
Configure EIGRP AS 65100 for routing.
Make sure the PC can communicate with the loopback 0 172.16.1.1 network before configuring the time-based access-list.
Configure a time-based access-list on router 1 and block the PC's ICMP messages for the 172.16.1.1 network.
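The evaluation logic behind the last goal, as an added example that is not configuration from the article: an IOS-style `time-range` with a `periodic` line is parsed, and an extended access-list whose deny entry references that range is evaluated for a packet at a given clock time. The 172.16.1.1 destination and the ICMP protocol come from the goal list; the PC address 192.168.10.10, the `weekdays 9:00 to 17:00` window, the ACL number and the entries are constructed, and the end minute of the range is treated as inclusive in this model.

```python
# Added example (not from the original article): a time-based ACL evaluator.
# The PC address, the time window and the ACL entries are constructed.
from datetime import datetime

WEEKDAY_NAMES = ["monday", "tuesday", "wednesday", "thursday",
                 "friday", "saturday", "sunday"]       # datetime.weekday() order
PERIODIC_GROUPS = {"daily": set(range(7)), "weekdays": set(range(5)),
                   "weekend": {5, 6}}


def parse_periodic(spec):
    """'periodic weekdays 9:00 to 17:00' -> (weekday set, start_min, end_min)."""
    words = spec.split()
    if words[0] != "periodic" or len(words) < 5 or words[-2] != "to":
        raise ValueError(f"unsupported time-range line: {spec!r}")
    days = set()
    for w in words[1:-3]:
        if w in PERIODIC_GROUPS:
            days |= PERIODIC_GROUPS[w]
        elif w in WEEKDAY_NAMES:
            days.add(WEEKDAY_NAMES.index(w))
        else:
            raise ValueError(f"unknown day keyword: {w!r}")

    def to_minutes(hhmm):
        h, m = hhmm.split(":")
        return int(h) * 60 + int(m)

    return days, to_minutes(words[-3]), to_minutes(words[-1])


def time_range_active(days, start, end, when):
    """Active on a listed weekday between start and end (end inclusive here)."""
    minute = when.hour * 60 + when.minute
    return when.weekday() in days and start <= minute <= end


# Constructed 'time-range BUSINESS' and 'access-list 101' on R1.
TIME_RANGES = {"BUSINESS": parse_periodic("periodic weekdays 9:00 to 17:00")}
ACL = [
    {"action": "deny", "proto": "icmp", "src": "192.168.10.10",
     "dst": "172.16.1.1", "time_range": "BUSINESS"},
    {"action": "permit", "proto": "ip", "src": "any", "dst": "any",
     "time_range": None},
]


def evaluate(acl, proto, src, dst, when):
    """First matching active entry decides; an entry whose time-range is
    inactive is skipped; implicit deny at the end of the list."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["src"] not in ("any", src) or ace["dst"] not in ("any", dst):
            continue
        tr = ace["time_range"]
        if tr is not None and not time_range_active(*TIME_RANGES[tr], when):
            continue
        return ace["action"]
    return "deny"


def demo():
    """Verdicts for the PC pinging 172.16.1.1 at four constructed moments."""
    pc, lo = "192.168.10.10", "172.16.1.1"
    busy = datetime(2022, 2, 11, 10, 30)    # Friday, inside the window
    night = datetime(2022, 2, 11, 22, 0)    # Friday, outside the window
    sunday = datetime(2022, 2, 13, 10, 30)  # weekend: range inactive
    return (evaluate(ACL, "icmp", pc, lo, busy),
            evaluate(ACL, "icmp", pc, lo, night),
            evaluate(ACL, "icmp", pc, lo, sunday),
            evaluate(ACL, "tcp", pc, lo, busy))   # other protocols unaffected


if __name__ == "__main__":
    print(demo())
```

The ping is denied only on weekdays inside the window; at night, on Sunday, or for non-ICMP traffic the deny entry is inactive or does not match and the permit entry applies.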
Network Time Protocol provides pretty much what its name says: time. It provides the correct time to all network devices. In other words, NTP synchronizes the clocks of computer systems over packet-switched, variable-latency data networks. Correct network time within the network is important.
Correct time allows the tracking of events in the network in the correct order. Clock synchronization is critical for the correct interpretation of events within the syslog data.
Advantages of NTP:
It provides internet synchronization between the computer devices.
NTP provides enhanced security within the premises.
NTP is used in authentication systems.
NTP provides network acceleration which helps in troubleshooting problems.
Let's see the configuration on the router:
Topology:
Goal :
Configure the topology as per the diagram above.
Configure the IP addresses on the ports.
Configure routing with EIGRP AS 65100 and advertise all the ports.
Configure NTP on router 3; the server address will be loopback 0.
Make sure the rest of the routers get the time provided by our NTP server.
*Feb 11 12:54:25.263: %DUAL-5-NBRCHANGE: EIGRP-IPv4 65100: Neighbor 1.1.1.1 (Serial4/0) is up: new adjacency
R3(config)#router eigrp 65100
R3(config-router)#network 30.0.0.0
R3(config-router)#network 2.0.0.0
R3(config-router)#network 2.0.0.0
R3(config-router)#network 3.0.0.0
R3(config-router)#network 192.168.3.0
R3(config-router)#no au
R3(config-router)#no auto-summary
R3(config-router)#exit
R3(config)#end
*Feb 11 12:54:58.699: %DUAL-5-NBRCHANGE: EIGRP-IPv4 65100: Neighbor 2.2.2.1 (Serial4/1) is up: new adjacency
*Feb 11 12:55:29.027: %DUAL-5-NBRCHANGE: EIGRP-IPv4 65100: Neighbor 3.3.3.3 (Serial4/2) is up: new adjacency
R4(config)#router eigrp 65100
R4(config-router)#network 40.0.0.0
R4(config-router)#network 3.0.0.0
R4(config-router)#network 192.168.4.0
R4(config-router)#no auto-summary
R4(config-router)#exit
R4(config)#end
*Feb 11 12:55:08.211: %DUAL-5-NBRCHANGE: EIGRP-IPv4 65100: Neighbor 3.3.3.2 (Serial4/2) is up: new adjacency
R1#show eigrp protocols
EIGRP-IPv4 Protocol for AS(65100)
Metric weight K1=1, K2=0, K3=1, K4=0, K5=0
NSF-aware route hold timer is 240
Router-ID: 192.168.1.1
Topology : 0 (base)
Active Timer: 3 min
Distance: internal 90 external 170
Maximum path: 4
Maximum hopcount 100
Maximum metric variance 1
R1#show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
D 2.0.0.0/8 [90/2681856] via 1.1.1.2, 00:02:52, Serial4/0
D 3.0.0.0/8 [90/3193856] via 1.1.1.2, 00:02:00, Serial4/0
D 20.0.0.0/8 [90/2172416] via 1.1.1.2, 00:02:19, Serial4/0
D 30.0.0.0/8 [90/2684416] via 1.1.1.2, 00:02:05, Serial4/0
D 40.0.0.0/8 [90/3196416] via 1.1.1.2, 00:01:36, Serial4/0
D 192.168.2.0/24 [90/2297856] via 1.1.1.2, 00:02:47, Serial4/0
D 192.168.3.0/24 [90/2809856] via 1.1.1.2, 00:01:54, Serial4/0
D 192.168.4.0/24 [90/3321856] via 1.1.1.2, 00:01:31, Serial4/0
R2#show eigrp protocols
EIGRP-IPv4 Protocol for AS(65100)
Metric weight K1=1, K2=0, K3=1, K4=0, K5=0
NSF-aware route hold timer is 240
Router-ID: 192.168.2.2
Topology : 0 (base)
Active Timer: 3 min
Distance: internal 90 external 170
Maximum path: 4
Maximum hopcount 100
Maximum metric variance 1
R2#show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
D 3.0.0.0/8 [90/2681856] via 2.2.2.2, 00:01:48, Serial4/1
D 10.0.0.0/8 [90/2172416] via 1.1.1.1, 00:02:47, Serial4/0
D 30.0.0.0/8 [90/2172416] via 2.2.2.2, 00:01:53, Serial4/1
D 40.0.0.0/8 [90/2684416] via 2.2.2.2, 00:01:22, Serial4/1
D 192.168.1.0/24 [90/2297856] via 1.1.1.1, 00:02:47, Serial4/0
D 192.168.3.0/24 [90/2297856] via 2.2.2.2, 00:01:43, Serial4/1
D 192.168.4.0/24 [90/2809856] via 2.2.2.2, 00:01:17, Serial4/1
R3#show eigrp protocols
EIGRP-IPv4 Protocol for AS(65100)
Metric weight K1=1, K2=0, K3=1, K4=0, K5=0
NSF-aware route hold timer is 240
Router-ID: 192.168.3.3
Topology : 0 (base)
Active Timer: 3 min
Distance: internal 90 external 170
Maximum path: 4
Maximum hopcount 100
Maximum metric variance 1
R3#show ip ei
R3#show ip eigrp route
^
% Invalid input detected at '^' marker.
R3#show ip route ei
R3#show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
D 1.0.0.0/8 [90/2681856] via 2.2.2.1, 00:01:30, Serial4/1
D 10.0.0.0/8 [90/2684416] via 2.2.2.1, 00:01:30, Serial4/1
D 20.0.0.0/8 [90/2172416] via 2.2.2.1, 00:01:30, Serial4/1
D 40.0.0.0/8 [90/2172416] via 3.3.3.3, 00:01:00, Serial4/2
D 192.168.1.0/24 [90/2809856] via 2.2.2.1, 00:01:30, Serial4/1
D 192.168.2.0/24 [90/2297856] via 2.2.2.1, 00:01:30, Serial4/1
D 192.168.4.0/24 [90/2297856] via 3.3.3.3, 00:00:54, Serial4/2
R4#show eigrp protocols
EIGRP-IPv4 Protocol for AS(65100)
Metric weight K1=1, K2=0, K3=1, K4=0, K5=0
NSF-aware route hold timer is 240
Router-ID: 192.168.4.4
Topology : 0 (base)
Active Timer: 3 min
Distance: internal 90 external 170
Maximum path: 4
Maximum hopcount 100
Maximum metric variance 1
R4#show ip route ei
R4#show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
D 1.0.0.0/8 [90/3193856] via 3.3.3.2, 00:00:39, Serial4/2
D 2.0.0.0/8 [90/2681856] via 3.3.3.2, 00:00:39, Serial4/2
D 10.0.0.0/8 [90/3196416] via 3.3.3.2, 00:00:39, Serial4/2
D 20.0.0.0/8 [90/2684416] via 3.3.3.2, 00:00:39, Serial4/2
D 30.0.0.0/8 [90/2172416] via 3.3.3.2, 00:00:39, Serial4/2
D 192.168.1.0/24 [90/3321856] via 3.3.3.2, 00:00:39, Serial4/2
D 192.168.2.0/24 [90/2809856] via 3.3.3.2, 00:00:39, Serial4/2
D 192.168.3.0/24 [90/2297856] via 3.3.3.2, 00:00:39, Serial4/2
R3#show clock
*13:05:18.351 UTC Fri Feb 11 2022
R3#clock set 15:15:15 25 july 2020
*Jul 25 15:15:15.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 13:06:12 UTC Fri Feb 11 2022 to 15:15:15 UTC Sat Jul 25 2020, configured from console by console.
R3#show clock
15:15:23.199 UTC Sat Jul 25 2020
R3(config)#NTP master 8
R3(config)#exit
R3(config)#ntp source loopback 0
R3(config)#ntp server 192.168.3.3
R1#show clock
*13:14:36.687 UTC Fri Feb 11 2022
R1#show clock
*13:14:39.259 UTC Fri Feb 11 2022
R1(config)#ntp server 192.168.3.3
R1(config)#exit
R1#show clock
*15:23:34.069 UTC Sat Jul 25 2020
R2#show clock
*13:13:01.619 UTC Fri Feb 11 2022
R2(config)#ntp server 192.168.3.3
R2(config)#exit
R2#show clock
*15:24:01.200 UTC Sat Jul 25 2020
R4#show clock
*13:14:40.535 UTC Fri Feb 11 2022
R4(config)#ntp server 192.168.3.3
R4(config)#exit
R4#show clock
15:24:56.677 UTC Sat Jul 25 2020
R3#show ntp packets
Ntp In packets : 27
Ntp Out packets : 36
Ntp bad version packets : 0
Ntp protocol error packets : 0
R3#show ntp status
Clock is synchronized, stratum 8, reference is 127.127.1.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
ntp uptime is 55200 (1/100 of seconds), resolution is 4000
reference time is E2C6CD63.0A3E5987 (15:25:23.040 UTC Sat Jul 25 2020)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.35 msec, peer dispersion is 0.23 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000000 s/s
system poll interval is 16, last update was 8 sec ago.
R3#show ntp associations
address ref clock st when poll reach delay offset disp
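To show what the `show ntp status` output above actually encodes, here is an added example (not code from the article) that decodes the 64-bit NTP reference timestamp `E2C6CD63.0A3E5987` into the UTC time printed beside it and extracts the synchronisation state and stratum, then runs a simple monitoring check over the result. The two sample lines are copied from R3's output above; the stratum threshold follows the NTP convention that stratum 16 means unsynchronised, and the `127.127.x.x` check reflects that R3's reference is its own local clock because of `ntp master`.

```python
# Added example (not from the original article): decode NTP timestamps and
# check 'show ntp status' output. The sample lines are quoted from the article.
import re
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)


def ntp_timestamp_to_datetime(hexts):
    """'E2C6CD63.0A3E5987' -> aware UTC datetime.

    High 32 bits: seconds since 1900-01-01; low 32 bits: fraction of a
    second in units of 1/2**32. Era rollover (2036) is ignored here.
    """
    secs_hex, frac_hex = hexts.split(".")
    secs = int(secs_hex, 16)
    frac = int(frac_hex, 16)
    micros = (frac * 1_000_000 + 2**31) // 2**32    # rounded to microseconds
    return NTP_EPOCH + timedelta(seconds=secs, microseconds=micros)


STATUS_RE = re.compile(
    r"Clock is (?P<state>\w+), stratum (?P<stratum>\d+), "
    r"(?:reference is (?P<ref>\S+)|no reference clock)")
REFTIME_RE = re.compile(r"reference time is (?P<ts>[0-9A-Fa-f]+\.[0-9A-Fa-f]+)")


def parse_ntp_status(text):
    """Pull state, stratum, reference and reference time out of the output."""
    status = STATUS_RE.search(text)
    reftime = REFTIME_RE.search(text)
    if not status or not reftime:
        raise ValueError("unrecognised 'show ntp status' output")
    return {
        "synchronized": status["state"] == "synchronized",
        "stratum": int(status["stratum"]),
        "reference": status["ref"],          # None when no reference clock
        "reference_time": ntp_timestamp_to_datetime(reftime["ts"]),
    }


def check_time_source(info, max_stratum=15):
    """Findings a monitoring job would raise about this device's time."""
    findings = []
    if not info["synchronized"]:
        findings.append("clock not synchronized")
    if info["stratum"] > max_stratum:
        findings.append(f"stratum {info['stratum']} means unsynchronised")
    ref = info["reference"] or ""
    if ref.startswith("127.127."):
        findings.append("reference is the local clock driver, not an external source")
    return findings


# Quoted from R3's 'show ntp status' output above.
SAMPLE = """Clock is synchronized, stratum 8, reference is 127.127.1.1
reference time is E2C6CD63.0A3E5987 (15:25:23.040 UTC Sat Jul 25 2020)"""


def demo():
    info = parse_ntp_status(SAMPLE)
    return info["reference_time"].isoformat(), check_time_source(info)


if __name__ == "__main__":
    print(demo())
```

The decoded timestamp matches the `15:25:23.040 UTC Sat Jul 25 2020` that IOS prints, and the one finding is that R3 answers from its own clock (`127.127.1.1`), which is fine for a lab but worth flagging on a production device.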