
CHAPTER 1

1 Ospf routing And Acl

1. Introduction
1.1 OSPF Routing Fundamentals
OSPF stands for Open Shortest Path First. Definition: OSPF is a routing protocol used to determine the best route for delivering packets within an IP network. It was published by the IETF to serve as an Interior Gateway Protocol replacing RIP. The OSPF specification is published as Request For Comments (RFC) 1247. Note that OSPF is a link-state routing protocol, whereas RIP and IGRP are distance-vector routing protocols. Routers running the distance-vector algorithm send all or a portion of their routing tables in routing-update messages to their neighbors. OSPF instead sends link-state advertisements (LSAs) to all other routers within the same area. Information on attached interfaces, the metrics used, and other variables is included in OSPF LSAs. OSPF routers use the SPF (Shortest Path First) algorithm to calculate the shortest path to each node. The SPF algorithm is also known as Dijkstra's algorithm.

OSPF is an open standard, not tied to any particular vendor. OSPF is a hierarchical routing protocol, using area 0 (Autonomous System) at the top of the hierarchy. OSPF uses a link-state algorithm, and an OSPF network diameter can be much larger than that of RIP. OSPF supports Variable Length Subnet Masks (VLSM), resulting in efficient use of networking resources. OSPF uses multicasting within areas. After initialization, OSPF only sends updates for the routing table sections that have changed; it does not send the entire routing table, which in turn conserves network bandwidth. Using areas, OSPF networks can be logically segmented to improve administration and decrease the size of routing tables.
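As an added illustration of the SPF computation described above (not code from the original report), the following Python runs Dijkstra's algorithm over a small constructed link-state database, honouring OSPF's rule that a link is only used when both routers' LSAs list it, and shows that routers sharing the same database forward consistently hop by hop. Router names and costs are made up for the example.

```python
import heapq

# Constructed link-state database for one area: each router's LSA lists its
# point-to-point links and their OSPF costs. Not the report's own topology.
LSDB = {
    "R1": {"R2": 10, "R3": 5},
    "R2": {"R1": 10, "R4": 5},
    "R3": {"R1": 5, "R4": 20, "R5": 1},   # R3->R5 is one-way: R5 does not list R3
    "R4": {"R2": 5, "R3": 20, "R5": 1},
    "R5": {"R4": 1},
}


def spf(lsdb, root):
    """Dijkstra over the LSDB, as every OSPF router runs it with itself as root.
    Returns {destination: (total_cost, next_hop)}."""
    dist = {root: 0}
    next_hop = {}
    done = set()
    heap = [(0, root, None)]            # (cost so far, node, first hop from root)
    while heap:
        cost, node, first_hop = heapq.heappop(heap)
        if node in done:
            continue                    # stale heap entry, a cheaper one was used
        done.add(node)
        if first_hop is not None:
            next_hop[node] = first_hop
        for nbr, link_cost in lsdb.get(node, {}).items():
            # A link is usable only if the neighbour's LSA lists it back
            # (OSPF's bidirectional check); a one-way link is ignored.
            if node not in lsdb.get(nbr, {}):
                continue
            new_cost = cost + link_cost
            if nbr not in dist or new_cost < dist[nbr]:
                dist[nbr] = new_cost
                heapq.heappush(heap, (new_cost, nbr, nbr if node == root else first_hop))
    return {d: (dist[d], next_hop[d]) for d in dist if d != root}


def forwarding_path(lsdb, src, dst):
    """Follow a packet hop by hop: each router consults only its own SPF result,
    which is consistent because all routers in the area share the same LSDB."""
    path = [src]
    while path[-1] != dst:
        table = spf(lsdb, path[-1])
        if dst not in table:
            return None                 # destination unreachable from this router
        path.append(table[dst][1])
    return path


if __name__ == "__main__":
    for dest, (cost, hop) in sorted(spf(LSDB, "R1").items()):
        print(f"R1 -> {dest}: cost {cost:2d} via {hop}")
    print("path R1 -> R5:", " -> ".join(forwarding_path(LSDB, "R1", "R5")))
```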

Disadvantages of OSPF:

OSPF is very processor intensive due to the implementation of the SPF algorithm. OSPF maintains multiple copies of routing information, increasing the amount of memory needed. OSPF is a more complex protocol to implement compared to RIP.


OSPF Networking Hierarchy:


As mentioned earlier, OSPF is a hierarchical routing protocol. It enables better administration and smaller routing tables due to segmentation of entire network into smaller areas. OSPF consists of a backbone (Area 0) network that links all other smaller areas within the hierarchy. The following are the important components of an OSPF network:

Areas
Area Border Routers
Backbone Areas
AS Boundary Routers
Stub Areas
Not-So-Stubby Areas
Totally Stubby Areas
Transit Areas

ABR: Area Border Router
ASBR: Autonomous System Boundary Router

Areas: An area consists of routers that have been administratively grouped together. Usually, an area is a collection of contiguous IP subnetted networks. Routers that are totally within an area are called internal routers. All interfaces on internal routers are directly connected to networks within the area. Within an area, all routers have identical topological databases.

Area Border Routers: Routers that belong to more than one area are called area border routers (ABRs). ABRs maintain a separate topological database for each area to which they are connected.


Backbone Area: An OSPF backbone area consists of all routers in area 0, and all area border routers (ABRs). The backbone distributes routing information between different areas.

AS Boundary Routers (ASBRs): Routers that exchange routing information with routers in other Autonomous Systems are called ASBRs. They advertise externally learned routes throughout the AS.

Stub Areas: Stub areas are areas that do not propagate AS external advertisements. By not propagating AS external advertisements, the size of the topological databases is reduced on the internal routers of a stub area. This in turn reduces the processing power and the memory requirements of the internal routers.

Not-So-Stubby Areas (NSSA): An OSPF stub area has no external routes in it. A NSSA allows external routes to be flooded within the area. These routes are then leaked into other areas. This is useful when you have a non-OSPF router connected to an ASBR of a NSSA. The routes are imported, and flooded throughout the area. However, external routes from other areas still do not enter the NSSA.


Totally Stubby Area: Only the default summary route is allowed in a Totally Stubby Area.

Transit Areas: Transit areas are used to pass traffic from an adjacent area to the backbone. The traffic does not originate in, nor is it destined for, the transit area.

Link State Advertisements (LSAs):


It is important to know the different Link State Advertisements (LSAs) offered by the OSPF protocol.

Type 1: Router link advertisements generated by each router for each area it belongs to. Type 1 LSAs are flooded to a single area only.

Type 2: Network link advertisements generated by designated routers (DRs) giving the set of routers attached to a particular network. Type 2 LSAs are flooded to the area that contains the network.

Type 3/4: These are summary link advertisements generated by ABRs describing inter-area routes. Type 3 describes routes to networks and is used for summarization. Type 4 describes routes to the ASBR.

Type 5: Generated by the ASBR and provides links external to the Autonomous System (AS). Type 5 LSAs are flooded to all areas except stub areas and totally stubby areas.

Type 6: Group membership link entry generated by multicast OSPF routers.

Type 7: NSSA external routes generated by an ASBR. Only flooded to the NSSA. The ABR converts LSA type 7 into LSA type 5 before flooding them into the backbone (area 0).

1.2 Internet Routing


One of the more powerful features of packet switched systems is their ability to dynamically route packets. This power also comes with a complexity that can lead to an interesting set of problems. If one could count on a network operating in a static configuration with no failures, the routing problem would be simple; static tables could suffice as the basis for all routing decisions. For each packet destined to a particular destination, the next hop would be identified in the table, and the packet would be forwarded.

However, in the real world, nodes are added to networks, links fail, and topologies change. As networks get larger, administration and management headaches increase. Therefore, automated route management rapidly becomes a necessity. This article takes a look at two of the more significant routing mechanisms that are used in the Internet, the Routing Information Protocol (RIP), and the Open Shortest Path First (OSPF). RIP, implemented in the widely available BSD UNIX daemon routed, has been around for some time and is an example of a vector-distance routing scheme. OSPF is a newer development, and is based on a link-state algorithm. The Open Systems Interconnect (OSI) Intermediate System (IS) to IS protocol is similar in concept to OSPF as it is based on a link-state algorithm and includes many of the same features that can be found in OSPF. The Internet architecture is based on the concept of the interconnection of many "Autonomous Systems." An Autonomous System is characterized by a single management authority along with the use of a consistent routing architecture. Each of these systems is responsible for the maintenance of its own routing, and connects to the network through different routing protocols. The routing algorithms used within the Autonomous System are referred to as Interior Gateway Protocols (IGP), which can be RIP, OSPF, or whatever else is chosen by the network architects. The routing algorithm used to connect the Autonomous System to the Internet is referred to as an Exterior Gateway Protocol. Several exterior gateway protocols are in use today, with the most popular being the Exterior Gateway Protocol (EGP) and the Border Gateway Protocol (BGP). The term "gateway" is somewhat historical, and is the term applied in early Internet architecture efforts. The term "router" is more consistent with the concepts as defined within the OSI standards.


1.2.1 Routing Methodologies


The two major classes of routing algorithms employed within the Internet are the vector-distance (also known as Bellman-Ford) and link-state algorithms. The distinction between these protocols is in the methods used to describe and exchange routing information. The vector-distance algorithms are based on the exchange of distance and reachability information between routers. Link-state algorithms are based on the exchange of more extensive information, including a complete database of how each routing node reaches other nodes in the network, the type of link, and more detailed cost information. With a more complete picture of the state of all links in the target network, each routing node is then able to identify the shortest path to a destination node or network. It is from this concept that the term "Shortest Path First" has been coined.
Feature | RIP | OSPF
Algorithm | vector-distance | link-state
Maximum Hops | 15. 16 hops is considered to be infinity, implying that the destination is unreachable | Limited only by the size of routing tables within routers
Subsystem Segmentation | Treats the autonomous system as a single subsystem | Breaks the autonomous system into one or more areas with two levels of routing algorithms, intra-area and inter-area
Metric | destination/hop | destination/cost/link identifier
Integrity | No authentication in RIP-1; authentication has been added to RIP-2 | Supports authentication. Several authentication algorithms are available, ranging from simple password operations to more complex cryptographic algorithms
Complexity | Relatively simple | More complex. Several more PDUs and exchanges are defined in the protocol. Routing tables in each router are large and include not only destinations, but also a tree representation of the local network
Acceptance | Widely available; BSD routed supports RIP | Newer, published in RFCs
Route Options | Identifies a single route to a destination | Supports multiple routes to a single destination. Facilitates load balancing traffic distribution
Types of Routes | Host, network. RIP-2 adds the ability to transfer subnetwork route entries | Host, network, and subnetwork routes

Table 1.1 - Major Features of RIP, OSPF


While there are significant differences in the techniques applied with each of these algorithms, there are some common features. The ability to reach adjacent nodes cannot generally be derived from the link or IP layers of the network; both RIP and OSPF include features that can detect the failure of an adjacent routing node, or the link to that node. These services are based on periodic transfers between adjacent routing nodes. The lack of traffic from an adjacent node for a prescribed time limit is used to imply a failure to reach that node. Both algorithms result in a set of route tables that define the next hop between the routing node and packet destinations. It's just the way that they calculate the next hops that is different.

Vector-Distance Routing
The basic concept used in vector-distance routing is the regular exchange of reachability information between adjacent routers. This information consists of a list of all nodes that can be reached by the broadcasting node, combined with the number of routing hops required to reach the selected node. For example, in the network configuration shown in Figure 1, with all interconnections and nodes operating properly, the route report from Node D will contain the route metrics shown in Table 2. This report contains all pertinent information that is used by adjacent nodes in making routing decisions. Node D's internal representation includes a third column, which represents the adjacent node used to reach the selected destination host (or network).

Node | A | B | C | E | F | G | H
Hops | 2 | 1 | 1 | 1 | 1 | 2 | 1

Table 1.2 - Normal RIP route report (See Figure 1)

This report reflects the best case routes to each of the nodes E, F, and G. Note that if the direct links between nodes D and E and between D and F were to fail, the route through node C could be selected at a hop count of 2 rather than 1. Nodes A and B will similarly broadcast route reports, which will contain hop counts that node D can ignore while calculating its routing tables. Each node in the network can therefore calculate its hop distance on the basis of reports received from the adjacent routing nodes.


Figure 1.2 - Example Network Architecture

The state of health of adjacent routing nodes is broadcast to all of each node's adjacent routers every 30 seconds. Through repeated transmissions over unreliable UDP services, lost routing information is recovered through subsequent transmissions. The regular transmission of the routing information serves an additional purpose. The lack of a message from an adjacent routing node within 180 seconds is used to identify failed routes. With no link state information available to indicate a routing path failure, this mechanism provides an indication that the path to the indicated node is no longer available. One of the more significant problems with RIP, and with vector-distance protocols in general, is slow convergence. As an example of slow convergence, consider a case in which the link between Node D and Node H in Figure 1 fails. While Node H is no longer reachable, nodes C and B will initially determine that they reach node D through A and E. Taking a look at the interaction between nodes A and B, the following information will be transferred with regard to reaching node H:

1. Node D determines H is no longer directly reachable and sets its hop count to 3, based on the report from nodes B and C.
2. On the next reporting interval, node D advertises this information to nodes B and C.
3. Nodes B and C in turn receive the increased hop count information from node D, and increment their reachability information to H to a hop count of 4 (3 from Node D plus 1 to reach node D).
4. Node D in turn receives the hop count of 4 and assumes that Node H is now 5 hops away.

This pattern continues until the hop count reaches infinity, which is fortunately only 16 within RIP. Once infinite hops (16) have been reached, the routing node determines that the target is no longer reachable. With a reporting interval of 30 seconds, these types of situations can take as much as 8 to 16 minutes to resolve themselves. Strategies to speed up route resolution include "split horizon with poisoned reverse," and "triggered updates." Split horizon involves the reporting of only those routes not sourced by the destination router. Split horizon with poisoned reverse reports the destination dependent routes as having a route metric of infinity. In our example, Node B would report routing information to Node A with Node D being at infinity. This scheme works best when only two stations are involved. More involved loops, such as the one through node A, can result in more involved cases of route deception. For example, Node A is using reachability information from both Nodes B and C. Triggered updates are designed to address more complicated routing loops. They add event-driven behavior to the route reporting algorithms. When implementing the triggered update mechanism, routers immediately report changes in reachability information. By reporting the changes immediately rather than delaying until the next reporting period, convergence still requires several iterations; however, the convergence iteration is performed at the speed of the network transport rather than being paced at the reporting rate. As in the case of "split horizon with poisoned reverse," "triggered updates" are not a fool-proof solution to the RIP slow convergence. Periodic updates continue, and the receipt of a periodic update prior to the triggered transmission can prolong the convergence process.
As can be seen by this discussion on routing, RIP provides the major services required to perform automated route management within an autonomous system, provided that the system complexity is kept small (no greater than 15 logical hops between any two nodes), can afford to risk faulty routing broadcasts, and does not require any form of load balancing. Systems requiring these services should consider either RIP-2, which adds features for logical subnetting and authentication, or consider using the more complex OSPF protocols. OSPF, as a link-state protocol, scales to larger topologies and avoids the slow convergence problems through routers maintaining a more complete map of the network topology.
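The count-to-infinity sequence and the limits of split horizon with poisoned reverse can be reproduced with a small simulation. The following Python is an added example, not part of the original text, and uses a cut-down topology (A-B, A-C, B-D, C-D, D-H) constructed to contain only the nodes the discussion walks through; each round stands for one 30-second reporting interval.

```python
INFINITY = 16   # in RIP a metric of 16 hops means "unreachable"

# Constructed topology: a reduced version of Figure 1, not the figure itself.
LINKS = {
    "A": {"B", "C"}, "B": {"A", "D"}, "C": {"A", "D"},
    "D": {"B", "C", "H"}, "H": {"D"},
}


def compute_table(router, links, received):
    """Bellman-Ford step: best (metric, next_hop) per destination, from the
    router's direct links and the last report cached from each neighbour."""
    table = {}
    for dest in links:
        if dest == router:
            continue
        candidates = []
        if dest in links[router]:
            candidates.append((1, dest))
        for nbr in links[router]:
            report = received[router].get(nbr, {})
            if dest in report:
                candidates.append((min(report[dest] + 1, INFINITY), nbr))
        metric, nxt = min(candidates) if candidates else (INFINITY, None)
        table[dest] = (metric, nxt) if metric < INFINITY else (INFINITY, None)
    return table


def report_to(table, neighbour, poison_reverse):
    """Build the report sent to one neighbour. With split horizon and poisoned
    reverse, routes learned via that neighbour are advertised back as infinity."""
    return {dest: (INFINITY if poison_reverse and nxt == neighbour else metric)
            for dest, (metric, nxt) in table.items()}


def run_round(links, tables, received, poison_reverse):
    """One reporting interval: every router recomputes, then reports."""
    for r in links:
        tables[r] = compute_table(r, links, received)
    for r in links:
        for nbr in links[r]:
            received[nbr][r] = report_to(tables[r], nbr, poison_reverse)


def simulate(poison_reverse, rounds=40):
    """Let the network converge, fail the D-H link, then record D's metric
    to H after each reporting interval."""
    links = {r: set(n) for r, n in LINKS.items()}
    tables = {r: {} for r in links}
    received = {r: {} for r in links}
    for _ in range(len(links)):                 # enough rounds to converge
        run_round(links, tables, received, poison_reverse)
    links["D"].discard("H")                     # the D-H link fails
    links["H"].discard("D")
    history = []
    for _ in range(rounds):
        run_round(links, tables, received, poison_reverse)
        history.append(tables["D"]["H"][0])
    return history


if __name__ == "__main__":
    for poison in (False, True):
        h = simulate(poison)
        print(f"poisoned reverse={poison}: D's metric to H per interval:",
              h[:h.index(INFINITY) + 1] if INFINITY in h else h)
```

Without poisoned reverse D's metric climbs 3, 3, 5, 5, ... exactly as the steps above describe; with it, D drops the route at once but the B-A-C loop re-injects a finite metric a few intervals later, which is the "route deception" the text mentions.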


CHAPTER 2


2.1 Cisco Access Control Lists


Cisco Access Control Lists (ACLs) are used for filtering traffic based on given filtering criteria on a router or switch interface. Based on the conditions supplied by the ACL, a packet is allowed or blocked from further movement. Cisco ACLs are available for several types of routed protocols including IP, IPX, AppleTalk, XNS, DECnet, and others. However, we will be discussing ACLs pertaining to the TCP/IP protocol only. ACLs for TCP/IP traffic filtering are primarily divided into two types:

Standard Access Lists, and Extended Access Lists

Standard Access Control Lists: Standard IP ACLs range from 1 to 99. A Standard Access List allows you to permit or deny traffic FROM specific IP addresses. The destination of the packet and the ports involved can be anything. This is the command syntax format of a standard ACL:

    access-list access-list-number {permit|deny} {host|source source-wildcard|any}

Standard ACL example:

    access-list 10 permit 192.168.2.0 0.0.0.255

This list allows traffic from all addresses in the range 192.168.2.0 to 192.168.2.255. Note that when configuring access lists on a router, you must identify each access list uniquely by assigning either a name or a number to the protocol's access list. There is an implicit deny added to every access list. If you entered the command:

    show access-list 10

the output looks like:

    access-list 10 permit 192.168.2.0 0.0.0.255
    access-list 10 deny any

Extended Access Control Lists: Extended IP ACLs allow you to permit or deny traffic from specific IP addresses to a specific destination IP address and port. They also allow you to have granular control by specifying controls for different types of protocols such as ICMP, TCP, UDP, etc. within the ACL statements. Extended IP ACLs range from 100 to 199. In Cisco IOS Software Release 12.0.1, extended ACLs began to use additional numbers (2000 to 2699).

2.1.1 The syntax for IP Extended ACL is given below:

    access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence]

Note that the above syntax is simplified, and given for general understanding only. Extended ACL example (access-list 110, applied to traffic leaving the office, i.e. outgoing):

    access-list 110 permit tcp 92.128.2.0 0.0.0.255 any eq 80

ACL 110 permits traffic originating from any address on the 92.128.2.0 network. The 'any' statement means that the traffic is allowed to have any destination address, with the limitation of going to port 80. The value 0.0.0.0/255.255.255.255 can be specified as 'any'.

2.1.2 Applying an ACL to a router interface: After the ACL is defined, it must be applied to the interface (inbound or outbound). The syntax for applying an ACL to a router interface is given below:

    interface <interface>
    ip access-group {number|name} {in|out}

An Access List may be specified by a name or a number. "in" applies the ACL to the inbound traffic, and "out" applies the ACL to the outbound traffic. Example: To apply the standard ACL created in the previous example, use the following commands:

    Router(config)#interface serial 0
    Router(config-if)#ip access-group 10 out

2.2 ACCESS CONTROL LIST (ACL)


An access control list (ACL), with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation. For instance, if a file has an ACL that contains (Alice, delete), this would give Alice permission to delete the file.

ACL-BASED SECURITY MODELS
When a subject requests an operation on an object in an ACL-based security model the operating system first checks the ACL for an applicable entry to decide whether the requested operation is authorized. A key issue in the definition of any ACL-based security model is determining how access control lists are edited, namely which users and processes are granted ACL-modification access. ACL models may be applied to collections of objects as well as to individual entities within the system hierarchy.

FILE SYSTEM ACLS


A filesystem ACL is a data structure (usually a table) containing entries that specify individual user or group rights to specific system objects such as programs, processes, or files. These entries are known as access control entries (ACEs) in the Microsoft Windows NT, OpenVMS, Unix-like, and Mac OS X operating systems. Each accessible object contains an identifier to its ACL. The privileges or permissions determine specific access rights, such as whether a user can read from, write to, or execute an object. In some implementations an ACE can control whether or not a user, or group of users, may alter the ACL on an object.

NETWORKING ACLS
On some types of proprietary computer hardware, an Access Control List refers to rules that are applied to port numbers or network daemon names that are available on a host or other layer 3 device, each with a list of hosts and/or networks permitted to use the service. Both individual servers as well as routers can have network ACLs. Access control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls.

NUMBERED STANDARD ACCESS CONTROL LISTS


Numbers between 1 and 99, or any number between 1300 and 1999, can be used in a Standard ACL. The number used in this range doesn't affect how the ACL is processed or which ACL is more important to the router. A standard ACL is concerned with only one factor, the source IP address of the packet. The destination is not considered. The

NAMED STANDARD ACCESS CONTROL LISTS


The difference between Named and Numbered ACLs is the name associated with the ACL rather than the number. Names are easier to remember than numbers. Either way, the identity of an ACL is given as either a name or a number.

Extended ACL
In the standard IP access list example, notice how you had to block the whole subnet from getting to the finance department. What if you wanted them to gain access to only a certain server on the Finance LAN, but not to other network services, for obvious security reasons? With a standard IP access list, you can't allow users to get to one network service and not another. However, extended IP access lists allow you to do this. Extended IP access lists allow you to choose your IP source and destination address as well as the protocol and port number, which identify the upper-layer protocol or application. By using extended IP access lists

2.3 PROBLEM WITH ACCESS CONTROL LIST


I. One of the most common problems associated with access lists is a lack of planning. Before you even begin the process of creating access lists on your router, you must plan exactly what needs to be filtered and where it needs to be filtered.

II. Another troublesome area is the sequential nature in which you must enter the lists into the router. You cannot move individual statements once they are entered. When making changes, you must remove the list, using the no access-list command, and then retype the commands.

III. Finally, many new network administrators find themselves in trouble when they Telnet into a router and begin applying an access list. Access lists begin working the second they are applied to an interface. It is very possible that many new administrators will find themselves inadvertently blocked from the very router on which they are applying an access list.
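An added worked example (not from the original text) that models the ACL semantics of section 2.1 (wildcard masks, first match wins, implicit deny at the end) and the lock-out problem in item III above. The parser accepts the numbered standard and extended ACL lines shown in section 2.1; would_lock_out is a hypothetical helper that tests, before the list is applied, whether an administrator's own Telnet session to the router would be dropped by it. Addresses in the sample packets are constructed.

```python
import ipaddress

# Constructed ACLs in the forms shown in section 2.1.
STANDARD_ACL = ["access-list 10 permit 192.168.2.0 0.0.0.255"]
EXTENDED_ACL = ["access-list 110 permit tcp 92.128.2.0 0.0.0.255 any eq 80"]

PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21}   # a few IOS port keywords
ANY = (0, 0xFFFFFFFF)        # 0.0.0.0 with wildcard 255.255.255.255, i.e. 'any'


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'.
    Returns ((network, wildcard), index of the next token)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    if i + 1 < len(tokens) and tokens[i + 1].count(".") == 3:
        return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2
    return (_ip(tokens[i]), 0), i + 1         # bare address: exact host match


def _matches(addr, spec):
    """Wildcard-mask match: a 0 bit in the wildcard means that bit must match."""
    network, wildcard = spec
    return ((addr ^ network) & (~wildcard & 0xFFFFFFFF)) == 0


def _port(token):
    return PORT_NAMES.get(token) or int(token)


def parse_acl(lines):
    """Turn 'access-list ...' lines into ordered entries. Standard lists
    (1-99, 1300-1999) look only at the source; extended lists add protocol,
    destination and an optional 'eq PORT' on the destination."""
    entries = []
    for line in lines:
        t = line.split()
        if not t or t[0] != "access-list":
            continue                           # blank line or comment
        number, action = int(t[1]), t[2]
        if 1 <= number <= 99 or 1300 <= number <= 1999:
            src, _ = _parse_addr(t, 3)
            entries.append({"action": action, "proto": "ip", "src": src,
                            "dst": ANY, "dport": None})
        else:
            src, i = _parse_addr(t, 4)
            dst, i = _parse_addr(t, i)
            dport = _port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            entries.append({"action": action, "proto": t[3], "src": src,
                            "dst": dst, "dport": dport})
    return entries


def evaluate(entries, packet):
    """Sequential evaluation: the first matching entry decides; a packet that
    matches no entry hits the implicit 'deny any' at the end of every list."""
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != packet["proto"]:
            continue
        if not _matches(_ip(packet["src"]), e["src"]):
            continue
        if not _matches(_ip(packet["dst"]), e["dst"]):
            continue
        if e["dport"] is not None and e["dport"] != packet.get("dport"):
            continue
        return e["action"]
    return "deny"


def would_lock_out(entries, admin_ip, router_ip):
    """Problem III of section 2.3: if this list is applied inbound on the
    interface the administrator's Telnet session arrives on, is that very
    session dropped? (hypothetical pre-apply check)"""
    session = {"proto": "tcp", "src": admin_ip, "dst": router_ip, "dport": 23}
    return evaluate(entries, session) == "deny"
```

Note how the second assertion set below only passes because the telnet-permitting entry is evaluated after the port-80 entry fails to match; order is everything in a sequential list.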


CHAPTER 3


3.1 The Cisco Router User Interface


Cisco Internetwork Operating System (IOS) is the kernel of Cisco routers and most switches. A kernel is the basic, indispensable part of an operating system that allocates resources and manages things such as low-level hardware interfaces and security. Cisco has created something called Cisco Router IOS. The Cisco IOS was created to deliver network services and enable networked applications. It runs on most Cisco routers and on some Cisco Catalyst switches, such as the Catalyst 2950. These are some of the important things the Cisco router IOS software is responsible for:

1. Carrying network protocols and functions
2. Connecting high-speed traffic between devices
3. Adding security to control access and stop unauthorized network use
4. Providing scalability for ease of network growth and redundancy
5. Supplying network reliability for connecting to network resources

You can access the Cisco IOS through the console port of a router, from a modem into the auxiliary (or Aux) port, or even through Telnet. Access to the IOS command line is called an EXEC session.

3.1.1 Connecting to a Cisco Router


You can connect to a Cisco router to configure it, verify its configuration, and check statistics. There are different ways to do this, but most often, the first place you would connect to is the console port. The console port is usually an RJ-45 (8p Modular) connection located at the back of the router; by default, there's no password set.

3.1.1 Bringing Up a Router


When you first bring up a Cisco router, it will run a power-on self-test (POST). If it passes, it will then look for and load the Cisco IOS from flash memory, if an IOS file is present. In case you don't know, flash memory is electronically erasable programmable read-only memory, an EEPROM. The IOS then proceeds to load and looks for a valid configuration, the startup-config, that is stored by default in nonvolatile RAM, or NVRAM.

3.1.2 Versioning
Cisco IOS is versioned using three numbers and some letters, in the general form a.b(c.d)e, where:

a is the major version number.
b is the minor version number.
c is the release number, which begins at one and increments with each new release.
d (omitted from general releases) is the interim build number.
e (zero, one or two letters) is the release train identifier.

Rebuilds - Often a rebuild is compiled to fix a single specific problem or vulnerability for a given IOS version. For example, 12.1(8)E14 is a Rebuild, the 14 denoting the 14th rebuild of 12.1(8)E. Rebuilds are produced either to quickly repair a defect, or to satisfy customers who do not want to upgrade to a later major revision because they may be running critical infrastructure on their devices, and hence prefer to minimise change and risk.

Interim releases - Are usually produced on a weekly basis, and form a roll-up of the current development effort. The Cisco advisory web site may list more than one possible interim to fix an associated issue (the reason for this is unknown to the general public).

Maintenance releases - Rigorously tested releases that are made available and include enhancements and bug fixes. Cisco recommends upgrading to Maintenance releases where possible, over Interim and Rebuild releases.
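The following Python, an added example rather than anything from the report, parses version strings of the a.b(c.d)e form just described and classifies them as maintenance, interim or rebuild releases, which is the first step in checking whether a device runs the rebuild that carries a given fix. The ordering used by at_least is an assumption made for this example and is only applied to two releases on the same train.

```python
import re

# a.b(c.d)e followed by an optional rebuild number, e.g. 12.1(8)E14
VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)"
    r"\((?P<release>\d+)(?:\.(?P<interim>\d+))?\)"
    r"(?P<train>[A-Z]{0,2})(?P<rebuild>\d+)?$"
)


def parse_version(text):
    """Split an IOS version string into its fields and classify the release."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an IOS version string: {text!r}")
    v = {k: (int(x) if x is not None and k != "train" else x)
         for k, x in m.groupdict().items()}
    v["train"] = v["train"] or "mainline"      # no letter means the mainline train
    if v["interim"] is not None:
        v["kind"] = "interim"                  # has the d field: weekly interim build
    elif v["rebuild"] is not None:
        v["kind"] = "rebuild"                  # trailing number: nth rebuild
    else:
        v["kind"] = "maintenance"
    return v


def sort_key(v):
    """Assumed ordering within one train: by major, minor, release, then
    interim build and rebuild number (missing fields count as zero)."""
    return (v["major"], v["minor"], v["release"], v["interim"] or 0, v["rebuild"] or 0)


def at_least(running, fixed):
    """True when `running` is on the same train as `fixed` and at or beyond it.
    Different trains are not comparable, so the check fails closed."""
    return running["train"] == fixed["train"] and sort_key(running) >= sort_key(fixed)


if __name__ == "__main__":
    for s in ("12.1(8)E14", "12.2(33)", "12.0(3.2)T"):
        v = parse_version(s)
        print(f"{s:12s} train={v['train']:8s} kind={v['kind']}")
```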

3.1.3 Trains
Cisco IOS releases are split into several "trains", each containing a different set of features. Trains more or less map onto distinct markets or groups of customers that Cisco is targeting. The mainline train is designed to be the most stable release the company can offer, and its feature set never expands during its lifetime. Updates are released only to address bugs in the product. The previous technology train becomes the source for the current mainline train; for example, the 12.1T train becomes the basis for the 12.2 mainline. Therefore, to determine the features available in a particular mainline release, look at the previous T train release.

The T - Technology train gets new features and bug fixes throughout its life, and is therefore less stable than the mainline. (In releases prior to Cisco IOS Release 12.0, the P train served as the Technology train.) Cisco doesn't recommend usage of the T train in production environments unless there is urgency to implement a certain T train's new IOS feature.

The S - Service Provider train, runs only on the company's core router products and is heavily customized for Service Provider customers.

The E - Enterprise train is customized for implementation in enterprise environments.

The B - Broadband train supports internet-based broadband features.

The X* - The XA, XB ... special functionality trains need to be documented.

There are other trains from time to time, designed for specific needs; for example, the 12.0AA train contained new code required for Cisco's AS5800 product.

3.1.4 Packaging set


Most Cisco products that run IOS also have one or more "feature sets" or "packages", typically eight packages for Cisco routers and five packages for Cisco network switches. For example, Cisco IOS releases meant for use on Catalyst switches are available as "standard" versions (providing only basic IP routing), "enhanced" versions, which provide full IPv4 routing support, and "advanced IP services" versions, which provide the enhanced features as well as IPv6 support. Each individual package corresponds to one service category, such as

IP data
Converged voice and data
Security and VPN

The exact feature set required for a particular function can be determined.

Beginning with the 1900, 2900 and 3900 series of ISR Routers, Cisco have revised the licensing model of IOS. Routers come with IP Base installed, and additional feature pack licenses can be installed as bolt-on additions to expand the feature set of the device. The available feature packs are:

Data adds features like BFD, IP SLAs, IPX, L2TPv3, Mobile IP, MPLS.
Security adds features like VPN, Firewall, IP SLAs, NAC.
Unified Comms adds features like CallManager Express.

3.1.5 Architecture
In all versions of Cisco IOS, packet routing and forwarding (switching) are distinct functions. Routing and other protocols run as Cisco IOS processes and contribute to the Routing Information Base (RIB). The RIB is processed to generate the final IP forwarding table, the Forwarding Information Base (FIB), which is used by the forwarding function of the router. On router platforms with software-only forwarding (e.g., Cisco 7200), most traffic handling, including access control list filtering and forwarding, is done at interrupt level using Cisco Express Forwarding (CEF) or distributed CEF (dCEF). This means IOS does not have to do a process context switch to forward a packet. Routing functions such as OSPF or BGP run at the process level. In routers with hardware-based forwarding, such as the Cisco 12000 series, IOS computes the FIB in software and loads it into the forwarding hardware (such as an ASIC or network processor), which performs the actual packet forwarding.

Cisco IOS has a "monolithic" architecture, which means that it runs as a single image and all processes share the same memory space. There is no memory protection between processes, so a bug in IOS code can potentially corrupt data used by other processes. It also has a run-to-completion scheduler: the kernel does not pre-empt a running process, and the process must make a kernel call before other processes get a chance to run. For Cisco products that required very high availability, such as the Cisco CRS-1, these limitations were not acceptable. In addition, competing router operating systems that emerged 10-20 years after IOS, such as Juniper's JUNOS, were designed not to have these limitations.[2] Cisco's response was to develop a new version of Cisco IOS called IOS XR, which offered modularity and memory protection between processes, lightweight threads, pre-emptive scheduling and the ability to independently restart failed processes. IOS XR uses a third-party real-time operating system microkernel (QNX), and a large part of the current IOS code was rewritten to take advantage of the features offered by the new kernel, a massive undertaking. The microkernel architecture removes from the kernel all processes that are not absolutely required to run there and executes them as processes similar to application processes. Through this method, IOS XR is able to achieve the high availability desired for the new router platform. Thus IOS and IOS XR are very different code bases, though related in functionality and design. In 2005, Cisco introduced IOS XR on the Cisco 12000 series platform, extending the microkernel architecture from the CRS-1 to Cisco's widely deployed core router. In 2006, Cisco made available IOS Software Modularity, which extends the QNX microkernel into a more traditional IOS environment while still providing the software upgrade capabilities that customers are demanding. It is currently available on the Catalyst 6500 enterprise switch.
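The RIB-to-FIB step described above, as an added Python model that is not the report's or Cisco's own code (the routes, the next hops and the administrative distances for the named sources are constructed here; IOS uses the same default distances):

```python
"""Build a forwarding table (FIB) from a routing information base (RIB).

Added example, not code from the report or from Cisco IOS. Protocols contribute
candidate routes to the RIB, the best one per prefix is installed in the FIB, and
forwarding does longest-prefix match on the installed entries only. Administrative
distances are the IOS defaults for these sources; every route is constructed.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Optional

ADMIN_DISTANCE = {"connected": 0, "static": 1, "ospf": 110, "rip": 120}

class Route(NamedTuple):
    prefix: str    # e.g. "10.1.0.0/16"
    source: str    # protocol that learned the route (key of ADMIN_DISTANCE)
    metric: int    # protocol-specific cost, only comparable within one source
    next_hop: str

def build_fib(rib: List[Route]) -> Dict[str, Route]:
    """Install one route per prefix: lowest administrative distance, then lowest metric."""
    fib: Dict[str, Route] = {}
    for route in rib:
        best = fib.get(route.prefix)
        key = (ADMIN_DISTANCE[route.source], route.metric)
        if best is None or key < (ADMIN_DISTANCE[best.source], best.metric):
            fib[route.prefix] = route
    return fib

def lookup(fib: Dict[str, Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over the FIB; None means no route, so the packet is dropped."""
    addr = ipaddress.IPv4Address(dst)
    match, match_len = None, -1
    for prefix, route in fib.items():
        net = ipaddress.IPv4Network(prefix)
        if addr in net and net.prefixlen > match_len:
            match, match_len = route, net.prefixlen
    return match

# Constructed RIB: one prefix learned from several sources, a more specific
# static route, and a static default route.
SAMPLE_RIB = [
    Route("10.1.0.0/16", "ospf", 20, "192.0.2.1"),
    Route("10.1.0.0/16", "rip", 2, "192.0.2.2"),     # loses on AD despite the lower metric
    Route("10.1.0.0/16", "ospf", 10, "192.0.2.3"),   # wins: same AD, lower OSPF cost
    Route("10.1.5.0/24", "static", 0, "192.0.2.4"),  # wins for 10.1.5.x on prefix length
    Route("0.0.0.0/0", "static", 0, "192.0.2.254"),
]
```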

3.2 Network Simulator & Router Simulator


The Boson NetSim Network Simulator is an application that simulates Cisco Systems' networking hardware and software and is designed to aid the user in learning Cisco IOS commands. NetSim utilizes Boson's proprietary Network Simulator, Router Simulator and EROUTER software technologies, along with the Boson Virtual Packet Technology engine, to create individual packets. These packets are routed and switched through the simulated network, allowing NetSim to build an appropriate virtual routing table and simulate true networking. Other simulation products on the market do not support this level of functionality. Boson NetSim provides more versatility and support than any other aftermarket software. NetSim software also includes a comprehensive lab menu that contains lessons and labs covering routing protocols, Cisco devices, switching, topological design and much more.

Advantages of Software-Based IT Training


Boson NetSim is a versatile tool and valuable asset, both in a classroom and for corporate use, as well as a self-paced learning tool. For many individuals, the availability of Cisco routers and switches is often limited. The cost and fragility of equipment makes rack rentals impractical at this level. Boson NetSim makes it possible to design and configure a network with 47 different router models and 3 different switch models to choose from, without having to pay a lot of money or worrying about transporting and damaging valuable equipment. NetSim's router, switch and station simulation components contained within the software are the most advanced in the industry. Simulation of routers, switches and PCs is included in a completely customizable drag-and-drop network simulation package. Furthermore, Boson NetSim simulates both switching bridge tables and routing protocol tables, to allow you to go outside of the labs and create your own labs using the Boson Network Designer.

3.2.1 Advanced Features included with Boson NetSim


- Simulates 47 different Cisco devices.
- Simulates network traffic with virtual packet technology.
- Provides two different viewing styles, including window-in-window mode.
- Supports up to 200 devices on one network topology.
- Allows instructors to include their own labs and offer grading for them.
- Create your own simulated networks with the Boson Network Designer.
- Supports SDM.
- Includes tools such as TFTP Server, TACACS+ and Packet Generator.
- Enables keyword and curriculum


CHAPTER 4


4.1 Implementation and evaluation


Table 5.1 indicates the implementation, interoperability and deployment of the major OSPF functions. The number in each column represents the number of responses in the affirmative.

Feature                    Implemented  Interoperated  Deployed
---------------------------------------------------------------
OSPF areas                      10            10           10
Stub areas                      10            10            9
Virtual links                   10             9            8
Equal-cost multipath            10             7            8
NBMA support                     9             8            7
CIDR addressing                  8             5            6
OSPF MIB                         8             5            5
Cryptographic auth.              3             2            1
Point-to-Multipoint ifc.         6             3            4

Table 5.1: Implementation of OSPF features

Table 5.2 indicates the size of the OSPF routing domains that vendors have tested. For each size parameter, the number of responders and the range of responses (minimum, mode, mean and maximum) are listed.

Parameter                   Responses   Min   Mode   Mean    Max
----------------------------------------------------------------
Max routers in domain            7       30    240    460   1600
Max routers in single area       7       20    240    380   1600
Max areas in domain              7        1     10     16     60
Max AS-external-LSAs             9       50    10K    10K    30K

Table 5.2: OSPF domain sizes tested

Table 5.3 indicates the size of the OSPF routing domains that vendors have deployed in real networks. For each size parameter, the number of responders and the range of responses (minimum, mode, mean and maximum) are listed.

Parameter                   Responses   Min   Mode   Mean    Max
----------------------------------------------------------------
Max routers in domain            8       20    350    510   1000
Max routers in single area       8       20    100    160    350
Max areas in domain              7        1     15     23     60
Max AS-external-LSAs             6       50     1K     2K     5K

Table 5.3: OSPF domain sizes deployed

In an attempt to ascertain the extent to which OSPF is currently deployed, vendors were also asked in January 1998 to provide deployment estimates. Four vendors of OSPF routers responded, with a total estimate of 182,000 OSPF routers in service, organized into 4300 separate OSPF routing domains.

SNAPSHOTS

CHAPTER 5


5.1 Future scope of work


5.1.1 Flooding Scope of the Router Information LSA
The flooding scope for a Router Information LSA is determined by the LSA type. For OSPFv2, a type 9 (link-scoped), type 10 (area-scoped), or type 11 (AS-scoped) opaque LSA may be flooded. For OSPFv3, the S1 and S2 bits in the LSA type determine the flooding scope. If AS-wide flooding scope is chosen, the originating router should also advertise area-scoped LSA(s) into any attached Not-So-Stubby Area (NSSA) area(s). An OSPF router MAY advertise different capabilities when both NSSA area-scoped LSA(s) and an AS-scoped LSA are advertised. This allows functional capabilities to be limited in scope. For example, a router may be an area border router but only support traffic engineering (TE) in a subset of its attached areas. The choice of flooding scope is made by the advertising router and is a matter of local policy. The originating router MAY advertise multiple RI LSAs as long as the flooding scopes differ. TLV flooding scope rules will be specified on a per-TLV basis and MUST be specified in the accompanying specifications for new Router Information LSA TLVs.

5.1.2 Router Information LSA Opaque Usage and Applicability
The purpose of the Router Information (RI) LSA is to advertise information relating to the aggregate OSPF router. Normally, this should be confined to TLVs with a single value or very few values. It is not meant to be a generic container to carry any and all information. The intent is both to limit the size of the RI LSA to the point where an OSPF router will always be able to contain the TLVs in a single LSA and to keep the task of determining what has changed between LSA instances reasonably simple. Hence, discretion and sound engineering judgment will need to be applied when deciding whether newly proposed TLV(s) in support of a new application are advertised in the RI LSA or warrant the creation of an application-specific LSA.
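The scope rules above, as an added Python example that is not part of the report or of any OSPF implementation: it decodes the flooding scope from the OSPFv2 opaque LSA type (9/10/11) and from the S2/S1 bits of an OSPFv3 LS type (the encodings from RFC 5250 and RFC 5340), then checks a router's set of RI LSAs against the two rules the section states. The scope names and NSSA inputs are constructed.

```python
"""Decode the flooding scope of an OSPF Router Information (RI) LSA.

Added example, not code from the report. OSPFv2 opaque LSA types come from
RFC 5250 and the OSPFv3 S1/S2 scope bits from RFC 5340; the policy checks
follow the rules quoted in the section above. All inputs are constructed.
"""
from typing import List

# OSPFv2: the opaque LSA type alone fixes the flooding scope.
OSPFV2_OPAQUE_SCOPE = {9: "link", 10: "area", 11: "as"}

# OSPFv3: bits S2 S1 (bits 14 and 13) of the 16-bit LS type fix the scope:
# 00 link-local, 01 area, 10 AS, 11 reserved.
OSPFV3_S_BITS_SCOPE = {0b00: "link", 0b01: "area", 0b10: "as"}


def ospfv2_scope(lsa_type: int) -> str:
    """Flooding scope of an OSPFv2 opaque LSA; rejects non-opaque types."""
    if lsa_type not in OSPFV2_OPAQUE_SCOPE:
        raise ValueError(f"LSA type {lsa_type} is not an opaque LSA type")
    return OSPFV2_OPAQUE_SCOPE[lsa_type]


def ospfv3_scope(ls_type: int) -> str:
    """Flooding scope from the S2/S1 bits of an OSPFv3 LS type (e.g. 0xA00C)."""
    s_bits = (ls_type >> 13) & 0b11
    if s_bits not in OSPFV3_S_BITS_SCOPE:
        raise ValueError(f"LS type {ls_type:#06x} uses the reserved scope bits 11")
    return OSPFV3_S_BITS_SCOPE[s_bits]


def check_ri_advertisements(scopes: List[str], attached_nssas: List[str]) -> List[str]:
    """Return rule violations for the set of RI LSAs one router originates.

    scopes: flooding scope of each RI LSA advertised ("link", "area" or "as").
    attached_nssas: names of the NSSA areas the router is attached to.
    """
    problems = []
    # Several RI LSAs are allowed only when their flooding scopes differ.
    if len(scopes) != len(set(scopes)):
        problems.append("more than one RI LSA with the same flooding scope")
    # AS-scoped opaque LSAs are not flooded into NSSAs, so an AS-wide RI LSA
    # should be paired with area-scoped RI LSA(s) for each attached NSSA.
    if "as" in scopes and attached_nssas and "area" not in scopes:
        problems.append("AS-scoped RI LSA without an area-scoped RI LSA for NSSA(s): "
                        + ", ".join(attached_nssas))
    return problems
```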


CHAPTER 6


6.1 Appendix
6.1.1 Commands
Command                      Description
?                            Gives you a help screen
0.0.0.0 255.255.255.255      A wildcard entry (address 0.0.0.0 with mask 255.255.255.255) that matches any address
access-list                  Creates a list of tests to filter a network (N/W)
enable                       Puts you into privileged mode
enable password              Sets the unencrypted enable password
show ip access-lists         Shows only the IP access lists
show ip ospf                 Summarizes all relevant information, such as OSPF processes, Router ID, area assignments, authentication, and SPF statistics
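The access-list and wildcard entries in the table above, as an added Python example that is not the report's or Cisco's own code: it parses standard numbered access-list lines, applies the wildcard-mask matching rule with first-match semantics and the implicit deny, and runs them over a constructed list whose last entry is the 0.0.0.0 255.255.255.255 wildcard.

```python
"""Evaluate a Cisco-style standard access list that uses wildcard masks.

Added example, not code from the report or from Cisco IOS; the access list
below is constructed. An address matches an entry when every bit the
wildcard mask leaves at 0 is equal in the address and the entry.
"""
import ipaddress
from typing import List, Tuple

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def parse_acl(lines: List[str], number: int) -> List[Tuple[str, int, int]]:
    """Collect 'access-list <n> permit|deny <src> [<wildcard>]' lines for ACL <n>.
    'any' means wildcard 255.255.255.255; 'host X' and a missing wildcard mean 0.0.0.0.
    """
    entries = []  # (action, network, wildcard) with addresses as ints
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[1] != str(number):
            continue
        action, src = parts[2], parts[3]
        if src == "any":
            net, wild = 0, 0xFFFFFFFF
        elif src == "host":
            net, wild = _ip(parts[4]), 0
        else:
            net, wild = _ip(src), (_ip(parts[4]) if len(parts) > 4 else 0)
        entries.append((action, net, wild))
    return entries

def acl_verdict(entries: List[Tuple[str, int, int]], src: str) -> str:
    """First matching entry wins; with no match the implicit deny applies."""
    addr = _ip(src)
    for action, net, wild in entries:
        care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
        if addr & care == net & care:
            return action
    return "deny"  # every IOS access list ends in an implicit deny

# Constructed ACL 10: one management host, a /24 blocked inside a permitted /16
# (entry order matters), then the 0.0.0.0 255.255.255.255 entry from the table above.
SAMPLE_ACL = [
    "access-list 10 permit host 192.168.1.10",
    "access-list 10 deny 10.1.99.0 0.0.0.255",
    "access-list 10 permit 10.1.0.0 0.0.255.255",
    "access-list 10 deny 0.0.0.0 255.255.255.255",
]
```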

6.2 Glossary
ABR (Area Border Router): An OSPF router that is located on the border of one or more OSPF areas. ABRs are used to connect OSPF areas to the OSPF backbone area.
access layer: One of the layers in Cisco's three-layer hierarchical model. The access layer provides users with access to the internetwork.
access link: A link used with switches that is part of only one virtual LAN (VLAN). Trunk links carry information from multiple VLANs.
access list: A set of test conditions kept by routers that determines interesting traffic to and from the router for various services on the network.
access method: The manner in which network devices approach gaining access to the network itself.
access rate: Defines the bandwidth rate of the circuit. For example, the access rate of a T1 circuit is 1.544Mbps. In Frame Relay and other technologies, there may be a fractional T1 connection (256Kbps, for example); however, the access rate and clock rate are still 1.544Mbps.
access server: Also known as a network access server, it is a communications process connecting asynchronous devices to a LAN or WAN through network and terminal emulation software, providing synchronous or asynchronous routing of supported protocols.

address resolution: The process used for resolving differences between computer addressing schemes. Address resolution typically defines a method for tracing Network layer (layer 3) addresses to Data Link layer (layer 2) addresses.
adjacency: The relationship made between defined neighboring routers and end nodes, using a common media segment, to exchange routing information.
administrative distance (AD): A number between 0 and 255 that expresses the level of trustworthiness of a routing information source. The lower the number, the higher the integrity rating.
BGP4 (BGP version 4): Version 4 of the interdomain routing protocol most commonly used on the Internet. BGP4 supports CIDR and uses route-counting mechanisms to decrease the size of routing tables.


CHAPTER 7


7.1 References
[Ref1] Moy, J., "OSPF Version 2", RFC 2178, July 1997.
[Ref2] Hinden, B., "Internet Routing Protocol Standardization Criteria", RFC 1264, October 1991.
[Ref3] Moy, J., "OSPF Version 2", RFC 1583, March 1994.
[Ref4] Baker, F., and R. Coltun, "OSPF Version 2 Management Information Base", RFC 1850, November 1995.
[Ref5] Moy, J., "OSPF Protocol Analysis", RFC 1245, August 1991.
[Ref6] Moy, J., "Experience with the OSPF Protocol", RFC 1246, August 1991.
[Ref7] Varadhan, K., Hares, S., and Y. Rekhter, "BGP4/IDRP for IP--OSPF Interaction", RFC 1745, December 1994.
[Ref8] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April 1998.


CHAPTER 8


PROJECT GUIDE'S REMARKS

MRS. SONIA MALIK
LECTURER, DEPARTMENT OF COMPUTER SCIENCE
