Henry's Points

Entries Tagged as ''

IP access-list vs. IP prefix-list

Both IP access-list and IP prefix-list allow us to define rules. Route-map is the tool to implement those rules. There are quite a lot documents explain these two commands in details, but I would like to explain them in small paragraph in my point of view.

IP access-list is designed to match traffic. It will analyze IP header or TCP header. The standard IP access-list will be used to match on arbitrary bit patterns for source IP and destination IP. The extended IP access-list will provide more analysis for protocols working on IP.

R6(config-ext-nacl)#permit ?
<0-255> An IP protocol number
ahp      Authentication Header Protocol
eigrp    Cisco’s EIGRP routing protocol
esp      Encapsulation Security Payload
gre      Cisco’s GRE tunneling
icmp     Internet Control Message Protocol
igmp     Internet Gateway Message Protocol
ip       Any Internet Protocol
ipinip   IP in IP tunneling
nos      KA9Q NOS compatible IP over IP tunneling
ospf     OSPF routing protocol
pcp      Payload Compression Protocol
pim      Protocol Independent Multicast
tcp      Transmission Control Protocol
udp      User Datagram Protocol

From above we can see, the protocols such as EIGRP, OSPF and ICMP are all encapusulated as IP payload. TCP and UDP are layer 4 protocol but we can treat them as IP payload as well. If we specify TCP, we can use IP access-list to match each segmentation in TCP header.

R6(config-ext-nacl)#permit tcp any any ?
ack          Match on the ACK bit
dscp         Match packets with given dscp value
eq           Match only packets on a given port number
established Match established connections
fin          Match on the FIN bit
fragments    Check non-initial fragments
gt           Match only packets with a greater port number
log          Log matches against this entry
log-input    Log matches against this entry, including input interface
lt           Match only packets with a lower port number
match-all    Match if all specified flags are present
match-any    Match if any specified flag is present
neq          Match only packets not on a given port number
option       Match packets with given IP Options value
precedence   Match packets with given precedence value
psh          Match on the PSH bit
range        Match only packets in the range of port numbers
reflect      Create reflexive access list entry
rst          Match on the RST bit
syn          Match on the SYN bit
time-range   Specify a time-range
tos          Match packets with given TOS value
ttl          Match packets with given TTL value
urg          Match on the URG bit

IP prefix-list is designed for network reachability matching. It will not analyze IP header or TCP header. It will not analyze each bit of IP prefix. It only output the whole result, which is the network. For example:

ip prefix-list LIST seq 5 permit 1.2.3.0/24

It will not match 1.2.0.0/24 or 1.2.3.4/32. It will exactly match all host in 1.2.3.1 to 1.2.3.254.

Tags: Networks by hengdu
No Comments »

Four Types of Frame-Relay Layer 3 to Layer 2 Mapping

ARP provides a mechanism to solve IP address to MAC address mapping. Likewise, Invers-ARP provides the way that Frame-Relay dynamically from layer3 to layer 2 mapping. Although it is a simplest way but it will rarely happened in the lab exam.

Mostly, we’ll use frame-realy map ip 192.168.106.6 203 broadcast command to statically mapping IP and DLCI. The broadcast keyword is useful for IGP routing protocol to send multicast packets.

For subinterface, normally we use frame interface-dlci 203 command to mapping point-to-point interface.

For the purposes of authentication, SP will ask PPP over Frame-Relay. By using PPP over Frame-Relay we now are running IP over PPP over Frame-Relay. So as far as IP is concerned there isn’t any layer 3 to layer 2 mapping needed since it’s now running over PPP. we use frame-relay interface-dlci 203 ppp vitrual-interface command.

Tags: Networks by hengdu
No Comments »

RIP Filtering

There are three commonly used command for Distance Vector routing protocol filtering, especially for RIP Filtering.

distribute-list

offset-list

distance

Before going to details, we need an access-list. From IEWB Lab2, Lab4 and Lab6, there is a common statement that: Routes learned from Back Bone n that have an { odd | even} {1st | 2nd | 3rd | 4th} octet should be {accept | not accept | metric of #}. We all know that the last significant digital determine odd or even. “1″ is odd and “0″ is even. The wildcast in access-list will be 254 (care bits). For example, if request that R3 should not accept any routes from BB3 that have an odd number in the firest octet, the access-list will be:

ip access-list standard FIRST_OCTET_ODD

permit 1.0.0.0 254.255.255.255

offset-list is to change the route metric of distance vector prefix. In RIP, the maximum metric is “16″, which means infinite. So, we can use “offset-list FIRST_OCTET_ODD in 16 fa1/1″ to invalidate the route from routing table. Or, we can reassign metric value to the route. “offset-list FIRST_COTET_ODD in 9 vlan33″ will set the route metric to “10″.

distance command will revise administrative distance. By altering the administrative distance of these routes to infinite (255), they will be removed from the IP routing table. “distance 255 204.12.1.254 0.0.0.0 FIRST_OCTET_ODD” statement means that prefixes learned from the neighbor 204.12.1.254 that are matched in access-list will have their distances changed to 255.

Of course, the most common way to filter off a routing prefix in a distance vector protocol is to use the distribute-list command. A distribute-list is a way to apply an access-list to routing protocol updates. A routing prefix may also be filtered out by poisoning the metric or distance of the route.

Tags: Networks by hengdu
No Comments »

Terminator – Emacs-like Terminal

Since I am always working on Linux Terminal, I am looking forward some tools can be an Emacs-like environment. Recently, I noticed a tool named Terminator, which was written by Chris Jones on Jan 5 2008. Luckily I got this tool at the end of 2008, not so late.