
OSPF: Important details regarding Summarization and Default Routes for exam day, it’s a long but worthwhile read!

OSPF_Base_Topology

OSPF Summarization is done only on ABR and ASBR routers in your OSPF domain, and the two use completely different commands, but what if a router is both an ABR and an ASBR?

For example, did you know that using the command “default-information originate …” you are telling the router to create a Type 5 LSA to be propagated throughout the network, thus turning that router into an ASBR?

Another very interesting fact I did not know – OSPF will not allow you to redistribute a static default route. It cannot be done.

Since I never knew either of these things, and they seem like fairly good questions for exam day, I wanted to give them a run for their money to see if they are true:

R1(config)#ip route 0.0.0.0 0.0.0.0 null0
R1(config)#router ospf 1
R1(config-router)#redistribute static subnets
R1(config-router)#
ASR#2
[Resuming connection 2 to r2 … ]

R2#sh ip route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/65] via 172.12.123.1, 00:00:11, Serial0/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/65] via 172.12.123.3, 00:00:11, Serial0/0
     172.12.0.0/24 is subnetted, 3 subnets
O IA    172.12.15.0 [110/65] via 172.12.123.1, 00:00:11, Serial0/0
C       172.12.23.0 is directly connected, FastEthernet0/0
C       172.12.123.0 is directly connected, Serial0/0
R2#sh ip ospf data

            OSPF Router with ID (2.2.2.2) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.1         1.1.1.1         45          0x80000005 0x00DC9D 1
2.2.2.2         2.2.2.2         1013        0x80000004 0x009AD9 1
3.3.3.3         3.3.3.3         132         0x80000005 0x006008 1

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
172.12.123.1    1.1.1.1         905         0x80000004 0x0023BE

                Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
1.1.1.1         1.1.1.1         1416        0x80000003 0x0043EE
2.2.2.2         2.2.2.2         1013        0x80000003 0x00F633
3.3.3.3         3.3.3.3         321         0x80000001 0x00AE75
172.12.15.0     1.1.1.1         1154        0x80000005 0x0072F9
172.12.23.0     2.2.2.2         696         0x80000001 0x000460
172.12.23.0     3.3.3.3         692         0x80000009 0x00D582

Nothing! I never knew that was the behavior before, so you HAVE to use the default-information originate command to propagate a static default route, even though it still uses a Type 5 LSA just like redistribution would have!!!

Keep that in mind on exam day: if you see redistribution of a static default route in OSPF, that is beyond a red flag.

Now, back to the default-information originate command making a router an ASBR. I don’t really want to assign a default route to the logical trash bin (null0), so I’m just going to add “always” so no static default route is needed:

R1(config)#router ospf 1
R1(config-router)#default-information originate always
R1(config-router)#
ASR#2
[Resuming connection 2 to r2 … ]

R2#sh ip route

Gateway of last resort is 172.12.123.1 to network 0.0.0.0

     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/65] via 172.12.123.1, 00:07:10, Serial0/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/65] via 172.12.123.3, 00:07:10, Serial0/0
     172.12.0.0/24 is subnetted, 3 subnets
O IA    172.12.15.0 [110/65] via 172.12.123.1, 00:07:10, Serial0/0
C       172.12.23.0 is directly connected, FastEthernet0/0
C       172.12.123.0 is directly connected, Serial0/0
O*E2 0.0.0.0/0 [110/1] via 172.12.123.1, 00:00:12, Serial0/0

R2#

There we go, now R2 has a default route, and what appears to be an External Type 5 LSA route, so I am guessing R1 will show as an ASBR when I go back to it:

R1(config-router)#do sh ip ospf
 Routing Process “ospf 1” with ID 1.1.1.1
 Start time: 00:00:18.800, Time elapsed: 01:39:06.588
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 Supports Link-local Signaling (LLS)
 Supports area transit capability
 Event-log enabled, Maximum number of events: 1000, Mode: cyclic
 It is an area border and autonomous system boundary router

 Redistributing External Routes from,
 Router is not originating router-LSAs with maximum metric

The interesting thing here is that I’ve never seen any other protocol leave the “Redistributing External Routes from” field empty, and it sure is both an ABR and an ASBR now.

So can I do both types of Summarization now? Let’s break some stuff and find out! To be clear on how real this is getting:

R1(config-if)#do sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  administratively down down
FastEthernet0/1            172.12.15.1     YES NVRAM  up                    up
Serial0/0/0                172.12.123.1    YES NVRAM  up                    up
Serial0/0/1                100.100.100.1   YES NVRAM  administratively down down
Loopback1                  1.1.1.1         YES NVRAM  up                    up
Loopback8                  172.16.8.1      YES manual up                    up
Loopback9                  172.16.9.1      YES manual up                    up
Loopback10                 172.16.10.1     YES manual up                    up
Loopback11                 172.16.11.1     YES manual up                    up
Loopback101                100.1.0.1       YES manual up                    up
Loopback102                100.2.0.1       YES manual up                    up
Loopback103                100.3.0.1       YES manual up                    up
Loopback104                100.4.0.1       YES manual up                    up
Loopback105                100.5.0.1       YES manual up                    up
Loopback106                100.6.0.1       YES manual up                    up
Loopback107                100.7.0.1       YES manual up                    up

Summary Address = 172.16.8.0 /22
Summary Address = 100.0.0.0  /13
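As an added example (not part of the original post), this Python works out the two summary addresses stated above from the loopback prefixes, the same way you would by hand: widen the first prefix one bit at a time until the whole group fits. It also counts how much address space the summary advertises that no loopback actually covers, which is the part a reviewer should look at before an area range or summary-address goes into production. The loopbacks are assumed to be /32s, as the R2 route table later shows (“100.0.0.0/32 is subnetted, 7 subnets”).

```python
import ipaddress


def summary_for(prefixes):
    """Smallest single IPv4 prefix covering every prefix in `prefixes`.
    Start from the first one and widen it (shorter prefix length) until
    the rest all fall inside; the result is what 'area range' or
    'summary-address' would advertise for this group."""
    nets = [ipaddress.IPv4Network(p, strict=False) for p in prefixes]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()  # drop one prefix bit
    return candidate


def excess_addresses(prefixes):
    """Addresses the summary advertises that no component prefix covers.
    Traffic for them is drawn toward the summarizing router, so a large
    excess is worth knowing about before the range is advertised."""
    summary = summary_for(prefixes)
    covered = sum(ipaddress.IPv4Network(p, strict=False).num_addresses
                  for p in prefixes)
    return summary.num_addresses - covered


# Constructed from the post's R1 loopbacks; /32 each per the R2 route table.
AREA_100_LOOPBACKS = [f"100.{i}.0.1/32" for i in range(1, 8)]
AREA_51_LOOPBACKS = [f"172.16.{i}.1/32" for i in range(8, 12)]

if __name__ == "__main__":
    for label, group in (("area 100", AREA_100_LOOPBACKS),
                         ("area 51", AREA_51_LOOPBACKS)):
        s = summary_for(group)
        print(f"{label}: summary {s} (mask {s.netmask}), "
              f"{excess_addresses(group)} addresses advertised but unused")
```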

Now for the ABR summary: the routes need to be brought into OSPF via the “network” command, since the area range command specifies the Area containing the routes, so they all need to be entered into OSPF in that same Area.

I was actually just cursing while looking at that, for some reason thinking the Loopback # dictated the Area # or something, but I’ve got it now, so let’s give it a go here:

R1(config-if)#router ospf 1
R1(config-router)#network 100.1.0.0 0.0.255.255 area 100
R1(config-router)#network 100.2.0.0 0.0.255.255 area 100
R1(config-router)#network 100.3.0.0 0.0.255.255 area 100
R1(config-router)#network 100.4.0.0 0.0.255.255 area 100
R1(config-router)#network 100.5.0.0 0.0.255.255 area 100
R1(config-router)#network 100.6.0.0 0.0.255.255 area 100
R1(config-router)#network 100.7.0.0 0.0.255.255 area 100
R1(config-router)#area 100 range 100.0.0.0 255.248.0.0 ?
  advertise      Advertise this range (default)
  cost           User specified metric for this range
  not-advertise  DoNotAdvertise this range
  <cr>

R1(config-router)#area 100 range 100.0.0.0 255.248.0.0
R1(config-router)#

Cost can be defined as a modifier to the command, as the “cost” option in that ? output shows; otherwise OSPF will use the best Prefix’s Cost value for the Summary Route, which I think should be left alone unless you have a reason to change it.

So let’s take a look at R2’s OSPF route table to verify we have one type of summarization at work:

R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/65] via 172.12.123.1, 00:43:36, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O IA    100.0.0.0 [110/65] via 172.12.123.1, 00:16:54, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/65] via 172.12.123.3, 00:43:36, Serial0/0
     172.12.0.0/24 is subnetted, 3 subnets
O IA    172.12.15.0 [110/65] via 172.12.123.1, 00:43:36, Serial0/0
O*E2 0.0.0.0/0 [110/1] via 172.12.123.1, 00:16:49, Serial0/0
R2#sh ip ospf data

            OSPF Router with ID (2.2.2.2) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.1         1.1.1.1         750         0x80000006 0x00DA9E 1
2.2.2.2         2.2.2.2         1590        0x80000005 0x0098DA 1
3.3.3.3         3.3.3.3         920         0x80000006 0x005E09 1

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
172.12.123.1    1.1.1.1         1487        0x80000005 0x0021BF

                Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
1.1.1.1         1.1.1.1         1971        0x80000004 0x0041EF
2.2.2.2         2.2.2.2         1590        0x80000004 0x00F434
3.3.3.3         3.3.3.3         920         0x80000002 0x00AC76
100.0.0.0       1.1.1.1         1028        0x80000001 0x00409A
172.12.15.0     1.1.1.1         1730        0x80000006 0x0070FA
172.12.23.0     2.2.2.2         1347        0x80000002 0x000261
172.12.23.0     3.3.3.3         1421        0x8000000A 0x00D383

So it is being advertised as an Inter-Area (Type 3 LSA) route, as can be seen in both the IP route table and the LSDB, as it should be, because this is the ABR way to summarize routes. Ahem.

Also if you want to get granular with how you look at the LSA Database, to see this summary route for example, you can type in as follows:

R2#sh ip ospf data summ 100.0.0.0

            OSPF Router with ID (2.2.2.2) (Process ID 1)

                Summary Net Link States (Area 0)

  Routing Bit Set on this LSA
  LS age: 1347
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 100.0.0.0 (summary Network Number)
  Advertising Router: 1.1.1.1
  LS Seq Number: 80000001
  Checksum: 0x409A
  Length: 28
  Network Mask: /13

        TOS: 0  Metric: 1

Without the network argument, this command gives you a ton of output, like the Database itself but with full details, which makes it incredibly hard to dig through if you have a decent number of Areas it is reporting all these details for.

However, I did want you to see that you can verify whether a route is a Summary from the LSA Database, and that is a good thing to know. You can also look at sections of it with “sh ip ospf data summ” and so on, but I won’t flood the page with all that output.

So all this ABR Summarization is fine and good, you say, but what about ASBR Summarization? I am glad you asked.

I am not sure if it requires the networks to be entered via the “network” command, so I’ll test out whether they need to be added. Let’s take a look:

R1(config-router)#summary-address 172.16.8.0 255.255.252.0
R1(config-router)#
ASR#2
[Resuming connection 2 to r2 … ]

R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/65] via 172.12.123.1, 00:55:55, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O IA    100.0.0.0 [110/65] via 172.12.123.1, 00:29:13, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/65] via 172.12.123.3, 00:55:55, Serial0/0
     172.12.0.0/24 is subnetted, 3 subnets
O IA    172.12.15.0 [110/65] via 172.12.123.1, 00:55:55, Serial0/0
O*E2 0.0.0.0/0 [110/1] via 172.12.123.1, 00:29:08, Serial0/0
R2#

Well that stinks. Let me add the routes via “network” on R1 and try that again:

R1(config-router)#
R1(config-router)#network 172.16.8.0 0.0.0.255 area 51
R1(config-router)#network 172.16.9.0 0.0.0.255 area 51
R1(config-router)#network 172.16.10.0 0.0.0.255 area 51
R1(config-router)#network 172.16.11.0 0.0.0.255 area 51
R1(config-router)#
ASR#2
[Resuming connection 2 to r2 … ]

R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/65] via 172.12.123.1, 00:58:21, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O IA    100.0.0.0 [110/65] via 172.12.123.1, 00:31:40, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/65] via 172.12.123.3, 00:58:21, Serial0/0
     172.12.0.0/24 is subnetted, 3 subnets
O IA    172.12.15.0 [110/65] via 172.12.123.1, 00:58:21, Serial0/0
     172.16.0.0/32 is subnetted, 4 subnets
O IA    172.16.9.1 [110/65] via 172.12.123.1, 00:00:11, Serial0/0
O IA    172.16.8.1 [110/65] via 172.12.123.1, 00:00:21, Serial0/0
O IA    172.16.11.1 [110/65] via 172.12.123.1, 00:00:01, Serial0/0
O IA    172.16.10.1 [110/65] via 172.12.123.1, 00:00:11, Serial0/0
O*E2 0.0.0.0/0 [110/1] via 172.12.123.1, 00:00:06, Serial0/0
R2#

Now things are getting interesting, because if I remove the summarization R1 is doing as an ABR, will the summarization command as an ASBR kick into action? Let’s see:

R1(config-router)#no area 100 range 100.0.0.0 255.248.0.0
R1(config-router)#
ASR#2
[Resuming connection 2 to r2 … ]

R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/65] via 172.12.123.1, 01:01:04, Serial0/0
     100.0.0.0/32 is subnetted, 7 subnets
O IA    100.5.0.1 [110/65] via 172.12.123.1, 00:00:12, Serial0/0
O IA    100.4.0.1 [110/65] via 172.12.123.1, 00:00:12, Serial0/0
O IA    100.7.0.1 [110/65] via 172.12.123.1, 00:00:12, Serial0/0
O IA    100.6.0.1 [110/65] via 172.12.123.1, 00:00:12, Serial0/0
O IA    100.1.0.1 [110/65] via 172.12.123.1, 00:00:12, Serial0/0
O IA    100.3.0.1 [110/65] via 172.12.123.1, 00:00:12, Serial0/0
O IA    100.2.0.1 [110/65] via 172.12.123.1, 00:00:12, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/65] via 172.12.123.3, 01:01:04, Serial0/0
     172.12.0.0/24 is subnetted, 3 subnets
O IA    172.12.15.0 [110/65] via 172.12.123.1, 01:01:04, Serial0/0
     172.16.0.0/32 is subnetted, 4 subnets
O IA    172.16.9.1 [110/65] via 172.12.123.1, 00:02:54, Serial0/0
O IA    172.16.8.1 [110/65] via 172.12.123.1, 00:03:04, Serial0/0
O IA    172.16.11.1 [110/65] via 172.12.123.1, 00:02:45, Serial0/0
O IA    172.16.10.1 [110/65] via 172.12.123.1, 00:02:55, Serial0/0
O*E2 0.0.0.0/0 [110/1] via 172.12.123.1, 00:00:08, Serial0/0
R2#

No it did not, so I am wondering if perhaps order of commands comes into play here, as I configured the summary-address of routes that weren’t in the OSPF config yet.

So after a lot of failure trying to redistribute an actual static route to make it an official “ASBR”, and removing and re-adding commands, I caved and watched the Summarization portion of my training video for summary-address, and I’ll be damned if this can’t ONLY be done by the ASBR, because you redistribute the friggin connected routes! Gah!

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#router ospf 1
R1(config-router)#no network 172.16.8.0 0.0.0.255 area 51
R1(config-router)#no network 172.16.9.0 0.0.0.255 area 51
R1(config-router)#no network 172.16.10.0 0.0.0.255 area 51
R1(config-router)#no network 172.16.11.0 0.0.0.255 area 51
R1(config-router)#redistribute connected subnets
R1(config-router)#area 100 range 100.0.0.0 255.248.0.0
R1(config-router)#summary-address 172.16.8.0 255.255.252.0
R1(config-router)#

Now for the moment of truth (I removed 172.x routes from OSPF):

R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/65] via 172.12.123.1, 01:31:24, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O IA    100.0.0.0 [110/65] via 172.12.123.1, 00:01:19, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/65] via 172.12.123.3, 01:31:24, Serial0/0
     172.12.0.0/24 is subnetted, 3 subnets
O IA    172.12.15.0 [110/65] via 172.12.123.1, 01:31:24, Serial0/0
     172.16.0.0/22 is subnetted, 1 subnets
O E2    172.16.8.0 [110/20] via 172.12.123.1, 00:01:14, Serial0/0
O*E2 0.0.0.0/0 [110/1] via 172.12.123.1, 00:01:14, Serial0/0
R2#

FINALLY!! So that is why summary-address can only be done on the ASBR: you need to redistribute the contiguous routes to be summarized before entering the command to summarize them!

Also we now know that we can issue both commands on R1 as an ABR, and an ASBR with no problems.

HOWEVER WE ARE NOT DONE YET, AS WE HAVEN’T GONE INTO THE SECOND WAY OSPF CAN CREATE A STATIC ROUTE – AND THIS TIME IT AIN’T A TYPE 5 LSA!

The other way is to make an Area a Stub Area. By doing this, the ABR injects a default route into the Stub Area pointing out of it, and Type 5 LSAs are not allowed into the Area at all, so the default route created in this case is a Summary Type 3 LSA.

Let’s look at Area 34 quick to wrap this one up:

R3(config-router)#area 34 stub
R3(config-router)#
ASR#4
[Resuming connection 4 to r4 … ]

R4#
R4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#router ospf 1
R4(config-router)#area 34 stub

That is all there is to the stub command, and the default route can be seen here, but there is still a LOT of clutter from Inter-Area routes:

R4(config-router)#do sh ip route ospf

Gateway of last resort is 172.12.34.3 to network 0.0.0.0

O*IA  0.0.0.0/0 [110/2] via 172.12.34.3, 00:00:15, FastEthernet0/1

      1.0.0.0/32 is subnetted, 1 subnets
O IA     1.1.1.1 [110/66] via 172.12.34.3, 00:00:15, FastEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
O IA     2.2.2.2 [110/66] via 172.12.34.3, 00:00:15, FastEthernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
O IA     3.3.3.3 [110/2] via 172.12.34.3, 00:00:15, FastEthernet0/1
      100.0.0.0/13 is subnetted, 1 subnets
O IA     100.0.0.0 [110/66] via 172.12.34.3, 00:00:15, FastEthernet0/1
      172.12.0.0/16 is variably subnetted, 5 subnets, 2 masks
O IA     172.12.15.0/24 [110/66] via 172.12.34.3, 00:00:15, FastEthernet0/1
O IA     172.12.23.0/24 [110/2] via 172.12.34.3, 00:00:15, FastEthernet0/1
O IA     172.12.123.0/24 [110/65] via 172.12.34.3, 00:00:15, FastEthernet0/1
R4(config-router)#

In the LSDB under the Area 34 Summary Header we can see the route there as well:

 Summary Net Link States (Area 34)

Link ID         ADV Router      Age         Seq#       Checksum
0.0.0.0         3.3.3.3         320         0x80000001 0x0057DA
1.1.1.1         3.3.3.3         320         0x80000001 0x00AB42
2.2.2.2         3.3.3.3         320         0x80000001 0x007D6C
3.3.3.3         3.3.3.3         320         0x80000001 0x00CC59
100.0.0.0       3.3.3.3         320         0x80000001 0x00A4EF
172.12.15.0     3.3.3.3         320         0x80000001 0x00DE4B
172.12.23.0     3.3.3.3         320         0x80000001 0x00045E
172.12.123.0    3.3.3.3         320         0x80000001 0x002C92

Now the thing that kind of amazes me is that the only verification command I could find outside of “show run” to verify this router is a stub router was to do “sh ip ospf” and scroll all the way down under the Area 34 Header to find it:

Area 34
        Number of interfaces in this area is 1
        It is a stub area
        Area has no authentication
        SPF algorithm last executed 00:09:14.524 ago
        SPF algorithm executed 4 times
        Area ranges are
        Number of LSA 11. Checksum Sum 0x0528C8
        Number of opaque link LSA 0. Checksum Sum 0x000000
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0

So to finish this off, let’s make it a total stub and get rid of those Inter-Area routes altogether:

R3(config-router)#no area 34 stub
R3(config-router)#area 34 stub no-summary
R3(config-router)#
ASR#4
[Resuming connection 4 to r4 … ]

*May 19 00:03:42.155: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on FastEthernet0/1 from LOADING to FULL, Loading Done

R4#sh ip route ospf

Gateway of last resort is 172.12.34.3 to network 0.0.0.0

O*IA  0.0.0.0/0 [110/2] via 172.12.34.3, 00:12:49, FastEthernet0/1
R4#

So let’s see if, waaaay across the Topology, R5 can still ping 4.4.4.4:

R5#ping 4.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R5#traceroute 4.4.4.4

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.15.1 0 msec 0 msec 4 msec
  2 172.12.15.1 !H  *  !H
R5#

That was interesting traceroute output. Looking at R1, it does have the network 172.12.34.0 in its Summary Type 3 LSAs, but no Area 34 or Area 4 at all in its LSDB. However, I know what’s going on here: 4.4.4.4 belongs to Area 4, which from Area 34’s point of view would be blocked as an Inter-Area route, so if we do this:

R4(config)#router ospf 1
R4(config-router)#no network 4.4.4.4 0.0.0.0 area 4
R4(config-router)#network 4.4.4.4 0.0.0.0 area 34
R4(config-router)#

Then we should now be able to do this:

R5#ping 4.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/65/69 ms
R5#

There we go, logical thinking isn’t always easy, but it does usually work.

I have one very last thing to add to this and I am done on this topic, seriously.

It has to do with the default-information originate command, because you can actually set it to track a certain route, and if that route goes down OSPF “Poisons” the default route and removes it from route tables / LSDB’s.

Let’s take a look at the configuration:

R1#conf t
R1(config)#int lo99
R1(config-if)#ip add 99.99.99.99 255.255.255.255
R1(config)#access-list 99 permit 99.99.99.99
R1(config)#route-map 99bananas permit 10
R1(config-route-map)#match ip add 99
R1(config-route-map)#route-map 99bananas permit 20
R1(config-route-map)#exit
R1(config)#router ospf 1
R1(config-router)#default-information originate always route-map 99bananas

R1(config-router)#

Adding this route-map will “track” that route, so if that route or interface goes bye bye, so does our default route! Let’s see this in action:

R2#sh ip route

Gateway of last resort is 172.12.123.1 to network 0.0.0.0

     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/65] via 172.12.123.1, 02:13:02, Serial0/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
     100.0.0.0/13 is subnetted, 1 subnets
O IA    100.0.0.0 [110/65] via 172.12.123.1, 00:42:57, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/65] via 172.12.123.3, 02:13:02, Serial0/0
     4.0.0.0/32 is subnetted, 1 subnets
O IA    4.4.4.4 [110/66] via 172.12.123.3, 00:09:41, Serial0/0
     99.0.0.0/32 is subnetted, 1 subnets
O E2    99.99.99.99 [110/20] via 172.12.123.1, 00:05:35, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O IA    172.12.34.0 [110/65] via 172.12.123.3, 00:18:17, Serial0/0
O IA    172.12.15.0 [110/65] via 172.12.123.1, 02:13:06, Serial0/0
C       172.12.23.0 is directly connected, FastEthernet0/0
C       172.12.123.0 is directly connected, Serial0/0
     172.16.0.0/22 is subnetted, 1 subnets
O E2    172.16.8.0 [110/20] via 172.12.123.1, 00:09:38, Serial0/0
O*E2 0.0.0.0/0 [110/1] via 172.12.123.1, 00:01:02, Serial0/0

R2#

Now let’s remove the loopback and see the havoc it wreaks:

R1(config)#no int lo99
R1(config)#
*May 19 01:32:13.539: %LINK-5-CHANGED: Interface Loopback99, changed state to administratively down
*May 19 01:32:14.539: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback99, changed state to down
R1(config)#
ASR#2
[Resuming connection 2 to r2 … ]

R2#sh ip route

Gateway of last resort is not set

So that is something excellent to know for exam day and the real world, that your default routes can have dependencies or be conditional upon other routes being available.

Pretty cool stuff. OK, this post has gone on way too long; that’s it for these topics!

EIGRP: DEEP Dive into Prefix-List configurations, Access-list vs Prefix-list, using Prefix-Lists to Filter EIGRP routes with Distribute-Lists!

EIGRP_New_Topology

Only the NBMA and Ethernet segments will be used for quick demonstrations and clarity, unless R4 or R5 is needed for demonstration.

Now the idea of a Prefix-List in comparison to an Access-List may be hard to follow, but I will try to explain it.

An Access-List at its most specific (Extended) matches only on source and destination networks, and also filters protocols between the two. This is essentially what they should be considered: Protocol Filters.

A Prefix-List uses the Permit and Deny like an access-list, but only uses the actual Network Prefix and how far to match it (ex: 172.12.123.0/27) to Filter Routes only – This should only be considered a Route Filter and should only be used to Filter Routes.

There is no overhead of writing out masks and allowing protocols, just a simple “this is what I need, and how far into the 32-bit Prefix I need it matched” (with a permit or deny).

Now that we understand exactly the difference between those, some fundamentals:

  • Prefix lists generally use names, but can use numbers as well
  • Prefix lists can use subnet masks (not wildcards), or CIDR notation
  • Prefix lists have an implicit deny at the end (discards anything not explicitly permitted, for whatever the list is applied to)
  • Prefix lists use sequence numbers that by default increment by 5, leaving room in case you need to add new lines later
  • Prefix lists are configured at the global level like an access-list
  • Prefix lists are read from the top down looking for a match, until the implicit deny discards the route

Now to understand a prefix-list, you must understand that in its base form of prefix/length, it matches on the EXACT prefix length and no variations of it, for example:

ip prefix-list TEST seq 10 permit 172.12.123.0/24
ip prefix-list TEST seq 15 permit 3.3.3.3/32

Say this simple prefix-list is defined in the Distribute-List (later to be configured), and you get route updates from a neighbor as such:

172.12.123.64/26
172.12.123.32/27
172.12.123.16/30

None of these routes will be learned, because of the way a Prefix-List operates. The top line:

prefix-list TEST 5 permit 172.12.123.0/24

This means it will match on and ONLY allow prefixes matching this exact IP Prefix, meaning both the IP address and the prefix length; it will not allow variations (smaller subnets within the larger network) to be permitted, and those will move down the list and eventually be discarded after not being matched and hitting the implicit deny.

This is a very important detail to understand.

An ACL will match a network / prefix up to the subnet’s boundary and let any traffic within that subnet through, while Prefix-Lists are very exact in how they match IP Prefixes.

So the only match for the example list is the network 172.12.123.0/24, and that’s it. This is also where the power of Prefix-Lists comes in: because they can be so exact, they are the best option for Route Filtering.

There is one more concept, but I am getting bored with typing, so let’s see it live:

Now, because these address spaces overlap with the NBMA network address, I had to bring in R5 with some loopbacks to save the day; however, I am not taking the time to alter the above Topology, as it’s late and my brain is getting exhausted:

R5#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R5(config)#router eigrp 100
R5(config-router)#network 172.12.15.0 0.0.0.255
R5(config-router)#
*Apr  1 00:42:18.301: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 172.12.15.1 (FastEthernet0/1) is up: new adjacency
R5(config-router)#^Z
R5#
*Apr  1 00:42:38.915: %SYS-5-CONFIG_I: Configured from console by console
R5#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R5(config)#int lo10
R5(config-if)#
*Apr  1 00:42:58.243: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10, changed state to up
R5(config-if)#ip add 172.12.123.65 255.255.255.192
R5(config-if)#int lo20
*Apr  1 00:43:36.345: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback20, changed state to up
R5(config-if)#ip add 172.12.123.33 255.255.255.224
R5(config-if)#int lo30
R5(config-if)#
*Apr  1 00:43:51.883: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback30, changed state to up
R5(config-if)#ip add 172.12.123.17 255.255.255.252
R5(config-if)#router eigrp 100
R5(config-router)#network 172.12.123.64 0.0.0.63
R5(config-router)#network 172.12.123.33 0.0.0.31
R5(config-router)#network 172.12.123.16 0.0.0.3
R5(config-router)#

If you are wondering whether that was hard to figure out and get right on the first try for all those discontiguous networks, I assure you, it was.

So now on R1 let’s verify what we are seeing, both in the Topology and Route table:

The Topology Table

R1#sh ip eigrp top
EIGRP-IPv4 Topology Table for AS(100)/ID(1.1.1.1)
Codes: P – Passive, A – Active, U – Update, Q – Query, R – Reply,
       r – reply Status, s – sia Status

P 11.11.11.11/32, 1 successors, FD is 128256
        via Connected, Loopback11
P 172.12.123.0/24, 1 successors, FD is 2169856
        via Connected, Serial0/0/0
P 172.12.15.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet0/1
P 172.12.23.0/24, 2 successors, FD is 2173416
        via 172.12.123.2 (2173416/29160), Serial0/0/0
        via 172.12.123.3 (2173416/29160), Serial0/0/0
P 2.2.2.2/32, 1 successors, FD is 2297856
        via 172.12.123.2 (2297856/128256), Serial0/0/0
        via 172.12.123.3 (2300416/156160), Serial0/0/0
P 172.12.123.16/30, 1 successors, FD is 156160
        via 172.12.15.5 (156160/128256), FastEthernet0/1
P 172.12.123.64/26, 1 successors, FD is 156160
        via 172.12.15.5 (156160/128256), FastEthernet0/1
P 172.12.123.32/27, 1 successors, FD is 156160
        via 172.12.15.5 (156160/128256), FastEthernet0/1
P 3.3.3.3/32, 1 successors, FD is 2297856
        via 172.12.123.3 (2297856/128256), Serial0/0/0
        via 172.12.123.2 (2300416/156160), Serial0/0/0

R1#

The EIGRP IP Route Table

R1#sh ip route eigrp

Gateway of last resort is not set

      2.0.0.0/32 is subnetted, 1 subnets
D        2.2.2.2 [90/2297856] via 172.12.123.2, 00:57:01, Serial0/0/0
      3.0.0.0/32 is subnetted, 1 subnets
D        3.3.3.3 [90/2297856] via 172.12.123.3, 00:56:50, Serial0/0/0
      172.12.0.0/16 is variably subnetted, 8 subnets, 5 masks
D        172.12.23.0/24 [90/2173416] via 172.12.123.3, 00:56:50, Serial0/0/0
                        [90/2173416] via 172.12.123.2, 00:56:50, Serial0/0/0
D        172.12.123.16/30
           [90/156160] via 172.12.15.5, 00:05:33, FastEthernet0/1
D        172.12.123.32/27
           [90/156160] via 172.12.15.5, 00:05:55, FastEthernet0/1
D        172.12.123.64/26
           [90/156160] via 172.12.15.5, 00:06:22, FastEthernet0/1

The IP Route Table

R1#sh ip route

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
C        1.1.1.1 is directly connected, Loopback1
      2.0.0.0/32 is subnetted, 1 subnets
D        2.2.2.2 [90/2297856] via 172.12.123.2, 00:57:58, Serial0/0/0
      3.0.0.0/32 is subnetted, 1 subnets
D        3.3.3.3 [90/2297856] via 172.12.123.3, 00:57:47, Serial0/0/0
      11.0.0.0/32 is subnetted, 1 subnets
C        11.11.11.11 is directly connected, Loopback11
      172.12.0.0/16 is variably subnetted, 8 subnets, 5 masks
C        172.12.15.0/24 is directly connected, FastEthernet0/1
L        172.12.15.1/32 is directly connected, FastEthernet0/1
D        172.12.23.0/24 [90/2173416] via 172.12.123.3, 00:57:47, Serial0/0/0
                        [90/2173416] via 172.12.123.2, 00:57:47, Serial0/0/0
C        172.12.123.0/24 is directly connected, Serial0/0/0
L        172.12.123.1/32 is directly connected, Serial0/0/0
D        172.12.123.16/30
           [90/156160] via 172.12.15.5, 00:06:30, FastEthernet0/1
D        172.12.123.32/27
           [90/156160] via 172.12.15.5, 00:06:52, FastEthernet0/1
D        172.12.123.64/26
           [90/156160] via 172.12.15.5, 00:07:19, FastEthernet0/1
R1#

Now, if we want to keep our 172.12.123.0/x (non-/24) subnets learned by the router, but we don’t want to type in every single prefix, as we’re not sure what may be learned but want to allow a range we know will be sending subnetted Prefixes, we use LE and GE at the end of our prefix-list statements!

For an absolutely clear example, directly from the command line:

R1(config)#ip prefix-list TEST seq 10 permit 172.12.123.0/24 ?
  ge  Minimum prefix length to be matched
  le  Maximum prefix length to be matched

“ge” and “le” mean that the entry will match prefix lengths down to a minimum or up to a maximum variation of the prefix length that is configured (172.12.123.0/24), however neither value CAN be equal to or lower than the prefix length configured in the command. This means that neither value can be 24 or less, because that is an impossible range to configure.

That is a very important detail to watch for.

Now I will configure this command to match the prefix lengths we need, apply it to EIGRP, and see what happens, to try to wrap this explanation up:

R1(config)#ip prefix-list TEST seq 10 permit 172.12.123.0/24 ge 25 le 30
%Insertion failed - seq # exists with different policy: 10
R1(config)#

Oh snap. I couldn’t overwrite an existing prefix-list line, as we see here, so I will just put my new line ahead of it by making it sequence 5 (and this is why you leave yourself space between sequence numbers in route-maps / prefix-lists / everything):

R1(config)#ip prefix-list TEST seq 5 permit 172.12.123.0/24 ge 25 le 30
R1(config)#router eigrp 100
R1(config-router)#exit

Verification of the current prefix-list, looking good:
R1(config)#do sh ip prefix-list
ip prefix-list TEST: 3 entries
   seq 5 permit 172.12.123.0/24 ge 25 le 30
   seq 10 permit 172.12.123.0/24
   seq 15 deny 3.3.3.3/32

Now to configure it in EIGRP, using ?’s to guide the way:
R1(config)#router eigrp 100
R1(config-router)#distribute-list ?

  <1-199>      IP access list number
  <1300-2699>  IP expanded access list number
  WORD         Access-list name
  gateway      Filtering incoming address updates based on gateway
  prefix       Filter prefixes in address updates
  route-map    Filter prefixes based on the route-map

R1(config-router)#distribute-list prefix ?
  WORD  Name of an IP prefix-list

R1(config-router)#distribute-list prefix TEST ?

  gateway  Filtering incoming address updates based on gateway
  in       Filter incoming service updates
  out      Filter outgoing service updates

R1(config-router)#distribute-list prefix TEST in

R1(config-router)#
*May 11 05:35:36.327: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.12.15.5 (FastEthernet0/1) is resync: route configuration changed
*May 11 05:35:36.327: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.12.123.2 (Serial0/0/0) is resync: route configuration changed
*May 11 05:35:36.327: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.12.123.3 (Serial0/0/0) is resync: route configuration changed
R1(config-router)#

I highlighted some commands in red in case they are getting hard to follow, as in my tired state they sure are (the pain hurts so good). However, if there is a Cisco angel watching over me right now, I should see all routes in my topology table EXCEPT for 3.3.3.3/32:

R1(config-router)#do sh ip eigrp top
EIGRP-IPv4 Topology Table for AS(100)/ID(1.1.1.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 11.11.11.11/32, 1 successors, FD is 128256
        via Connected, Loopback11
P 172.12.123.0/24, 1 successors, FD is 2169856
        via Connected, Serial0/0/0
P 172.12.15.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet0/1
P 172.12.123.16/30, 1 successors, FD is 156160
        via 172.12.15.5 (156160/128256), FastEthernet0/1
P 172.12.123.64/26, 1 successors, FD is 156160
        via 172.12.15.5 (156160/128256), FastEthernet0/1
P 172.12.123.32/27, 1 successors, FD is 156160
        via 172.12.15.5 (156160/128256), FastEthernet0/1

R1(config-router)#

Ha! I forgot that the “implicit deny” at the end caught 2.2.2.2/32 as well, another casualty of filtering routing updates in EIGRP. However, the command worked exactly as it should have, and even laughably underscored that implicit deny at the end.

***One last subject to cover, which is default routes in prefix-lists, and how the “ge” and “le” at the ends of them can completely affect how they work***

  • The prefix-list entry “0.0.0.0/0” affects all Prefix/Length matches, or networks
  • The prefix-list entry “0.0.0.0/0 ge 32 le 32” affects all host routes, but NOT Prefix/Length matches aka networks!

So, just looking at the two bullet points above, if you put a deny statement in front of 0.0.0.0/0 you would be blocking any and all networks from being learned by EIGRP, however if you put a permit in front of the second line, that would then allow any and all “host” routes to be learned via EIGRP but would not include network prefixes.
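As an added example (not from the post, and not router code), here is a small Python model of how an IOS prefix-list entry with ge/le decides a match, covering both the 172.12.123.0/24 ge 25 le 30 entry built above and the 0.0.0.0/0 ge 32 le 32 host-route form from the bullets. The prefix-list and the learned prefixes are constructed copies of what R1 showed; the ge/le validation rule it enforces is the one the post describes (neither value may be 24 or less for a /24).

```python
import ipaddress

# Constructed copy of prefix-list TEST exactly as the post left it on R1.
PREFIX_LIST_TEST = [
    (5, "permit 172.12.123.0/24 ge 25 le 30"),
    (10, "permit 172.12.123.0/24"),
    (15, "deny 3.3.3.3/32"),
]

# Constructed sample of the prefixes R1 was learning from its EIGRP neighbours.
LEARNED_PREFIXES = [
    "2.2.2.2/32", "3.3.3.3/32", "172.12.23.0/24",
    "172.12.123.16/30", "172.12.123.32/27", "172.12.123.64/26",
]


def parse_entry(text):
    """Parse 'permit|deny A.B.C.D/len [ge N] [le M]' into (action, network, ge, le).

    Length window, modelled on IOS: no ge/le means an exact length match; ge alone
    means ge..32; le alone means len..le; both mean ge..le.  A ge or le value that
    is not strictly greater than the configured length is rejected, which is why
    the post's /24 entry cannot take a value of 24 or less.
    """
    tokens = text.split()
    action = tokens[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    net = ipaddress.ip_network(tokens[1], strict=False)
    opts = dict(zip(tokens[2::2], (int(v) for v in tokens[3::2])))
    plen = net.prefixlen
    for keyword, value in opts.items():
        if keyword not in ("ge", "le"):
            raise ValueError(f"unknown keyword {keyword!r}")
        if value <= plen:
            raise ValueError(f"{keyword} {value} must be greater than /{plen}")
    ge = opts.get("ge", plen)
    le = opts.get("le", 32 if "ge" in opts else plen)
    if not ge <= le <= 32:
        raise ValueError(f"need ge <= le <= 32, got ge {ge} le {le}")
    return action, net, ge, le


def is_valid_entry(text):
    """True when IOS (as modelled here) would accept the entry."""
    try:
        parse_entry(text)
        return True
    except ValueError:
        return False


def entry_matches(entry, prefix):
    """A route matches when its length falls inside ge..le and its first /len bits
    equal the entry's network; bits beyond the configured length are ignored."""
    _, net, ge, le = entry
    route = ipaddress.ip_network(prefix, strict=False)
    if not ge <= route.prefixlen <= le:
        return False
    return route.supernet(new_prefix=net.prefixlen) == net


def evaluate(prefix_list, prefix):
    """Walk the list in sequence order; first match wins, implicit deny at the end.
    Returns (action, seq), with seq None for the implicit deny."""
    for seq, text in sorted(prefix_list):
        entry = parse_entry(text)
        if entry_matches(entry, prefix):
            return entry[0], seq
    return "deny", None


if __name__ == "__main__":
    for prefix in LEARNED_PREFIXES:
        action, seq = evaluate(PREFIX_LIST_TEST, prefix)
        where = f"seq {seq}" if seq else "implicit deny"
        print(f"{prefix:<20} {action:<6} ({where})")
```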

So that’s it, my brain is toast, I’m going to find a white wall to stare at and let the drool run out of my mouth onto my t-shirt. Until next time!


Time based ACL’s, configuring time-range and differences in types of ranges, using time-based ACL’s to limit telnet access

OSPF_Base_Topology

I was going to wait for the NTP part of the course to go through this, but since it looks like the ACL material finishes with this, I will use the time-range command for now rather than synchronizing the network to an NTP server.

A bit of a refresher from CCNA material, but it can’t hurt to get a refresher on subjects when it comes to Cisco. Time-based ACL’s are exactly what they sound like: ACL’s that are only active during the period of time they are set for. This, however, implies that you have the correct time set on your network device, which is where the “time-range” command comes in.

You can set multiple time ranges on a router, as each time you enter “time-range (word)” it will drop you into time-range configuration mode. I will work just between R5 and R1 to demonstrate how this works, and have removed the ACL’s from the previous lab so we get a fresh start! So we will start on R1 with our time-range setting and explanations:

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#time-range ?
WORD  Time range name

R1(config)#time-range CCNP ?
<cr>

R1(config)#time-range CCNP
R1(config-time-range)#?
Time range configuration commands:
absolute  absolute time and date
default   Set a command to its defaults
exit      Exit from time-range configuration mode
no        Negate a command or set its defaults
periodic  periodic time and date

R1(config-time-range)#

As can be seen, we are now in time-range configuration mode, so I did ? to see what our options are, and there are only two we need to concern ourselves with: absolute and periodic.

Absolute time-ranges are static, starting at one time and ending at another with no recurrence options, which makes them not ideal for most situations, but I’ll demonstrate what one looks like with the ? output to show you the modifiers that go with it:

R1(config-time-range)#absolute ?
  end    ending time and date
  start  starting time and date

R1(config-time-range)#absolute start ?
  hh:mm  Starting time

R1(config-time-range)#absolute start 18:00 ?
  <1-31>  Day of the month

R1(config-time-range)#absolute start 18:00 15 ?
  MONTH  Month of the year [eg: Jan for January, Jun for June]

R1(config-time-range)#absolute start 18:00 15 Mar ?
  <1993-2035>  Year

R1(config-time-range)#absolute start 18:00 15 Mar 2017 ?
  end  ending time and date
  <cr>

R1(config-time-range)#absolute start 18:00 15 Mar 2017 end ?
  hh:mm  Ending time - stays valid until beginning of next minute

R1(config-time-range)#absolute start 18:00 15 Mar 2017 end

A couple of things to note here: after the year 2035, no more timed ACL’s according to IOS, so get ’em while the getting is good. Seriously though, it’s very straightforward, and as can be seen at the end there, you can place the end time on the same command or enter it with “absolute end …”, and do note it does stay active until the next minute!

I am not exactly sure what purpose this would serve, unless you perhaps had a consultant coming in at x time and leaving at y time, and don’t want them to access certain things in that range only and be done with it. Either way, that is not our scenario, so let’s move on to periodic time-ranges:

R1(config-time-range)#periodic ?
  Friday     Friday
  Monday     Monday
  Saturday   Saturday
  Sunday     Sunday
  Thursday   Thursday
  Tuesday    Tuesday
  Wednesday  Wednesday
  daily      Every day of the week
  weekdays   Monday thru Friday
  weekend    Saturday and Sunday

R1(config-time-range)#periodic weekdays ?
  hh:mm  Starting time

R1(config-time-range)#periodic weekdays 08:00 ?
  to  ending day and time

R1(config-time-range)#periodic weekdays 08:00 to 17:00 ?
  <cr>

R1(config-time-range)#periodic weekdays 08:00 to 17:00
R1(config-time-range)#

I love the options, the simplicity of setting the values, and that Cisco was human enough to put “weekdays” and “weekends” as values so you don’t have to add ranges for each separate weekday or weekend day.

So I set mine with that periodic command, so whatever ACL I apply it to is open for business the same time I am, M-F 8am-5pm (though we may need to tweak some times on the routers to demonstrate some reactions and output).

So we now have a time range, and here is how to view it:

R1#sh time-range
time-range entry: CCNP (inactive)
   periodic weekdays 8:00 to 17:00
R1#

If you have more than one it will show all of them, but it will also show which ones are active and inactive, which can be a loose way to tell what time it is or isn’t on a router on exam day, if asked what time of day it is on the router. Speaking of time on routers, and since we are in User Exec mode, which really surprised me is where it gets configured, let’s set the time for R1 and R5 simultaneously, since we are not doing an NTP lab just yet:

R1#clock set ?
  hh:mm:ss  Current Time

R1#clock set 16:04:00 ?
  <1-31>  Day of the month
  MONTH   Month of the year

R1#clock set 16:04:00 15 ?
  MONTH  Month of the year

R1#clock set 16:04:00 15 Mar ?
  <1993-2035>  Year

R1#clock set 16:04:00 15 Mar 2017 ?
  <cr>

R1#clock set 16:04:00 15 Mar 2017
R1#
*Mar 15 16:04:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 23:05:02 UTC Fri Mar 1 2002 to 16:04:00 UTC Wed Mar 15 2017, configured from console by console.
R1#
ASR#5
[Resuming connection 5 to r5 ... ]

R5#clock set 16:04:00 15 Mar 2017
R5#
*Mar 15 16:04:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 23:58:24 UTC Wed Mar 15 2017 to 16:04:00 UTC Wed Mar 15 2017, configured from console by console.
R5#

I am not in the UTC time zone, but I will address changing that in the NTP lab, as I have set up IOS devices to be NTP servers for networks and I don’t want to pile extra stuff onto this lab tonight. However, our routers are about as close as I could get them to the correct time.

ONE MAJOR THING TO NOTE, THE CLOCK IS SET IN USER EXEC MODE, NOT GLOBAL CONFIG MODE WHICH I THOUGHT WAS VERY WEIRD, SO WATCH THAT ON EXAM DAY!

Ok, so we have a time range, clocks are set, and we can verify this with a quick “sh clock”:

R1#sh clock
16:08:04.536 UTC Wed Mar 15 2017
R1#

Now let’s make an access-list using this time range, and I’ll make it for telnet to demonstrate how to limit access to routers when “not needed”, as though such a thing exists in the real world:


R1(config)#access-list 123 deny ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco’s EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco’s GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

R1(config)#access-list 123 deny tcp ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host

R1(config)#access-list 123 deny tcp any ?
  A.B.C.D  Destination address
  any      Any destination host
  eq       Match only packets on a given port number
  gt       Match only packets with a greater port number
  host     A single destination host
  lt       Match only packets with a lower port number
  neq      Match only packets not on a given port number
  range    Match only packets in the range of port numbers

R1(config)#access-list 123 deny tcp any any ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  fragments    Check non-initial fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  urg          Match on the URG bit
  <cr>

R1(config)#access-list 123 deny tcp any any eq ?
  <0-65535>    Port number
  bgp          Border Gateway Protocol (179)
  chargen      Character generator (19)
  cmd          Remote commands (rcmd, 514)
  daytime      Daytime (13)
  discard      Discard (9)
  domain       Domain Name Service (53)
  drip         Dynamic Routing Information Protocol (3949)
  echo         Echo (7)
  exec         Exec (rsh, 512)
  finger       Finger (79)
  ftp          File Transfer Protocol (21)
  ftp-data     FTP data connections (20)
  gopher       Gopher (70)
  hostname     NIC hostname server (101)
  ident        Ident Protocol (113)
  irc          Internet Relay Chat (194)
  klogin       Kerberos login (543)
  kshell       Kerberos shell (544)
  login        Login (rlogin, 513)
  lpd          Printer service (515)
  nntp         Network News Transport Protocol (119)
  pim-auto-rp  PIM Auto-RP (496)
  pop2         Post Office Protocol v2 (109)
  pop3         Post Office Protocol v3 (110)
  smtp         Simple Mail Transport Protocol (25)
  sunrpc       Sun Remote Procedure Call (111)
  syslog       Syslog (514)
  tacacs       TAC Access Control System (49)
  talk         Talk (517)
  telnet       Telnet (23)
  time         Time (37)
  uucp         Unix-to-Unix Copy Program (540)
  whois        Nicname (43)
  www          World Wide Web (HTTP, 80)

R1(config)#access-list 123 deny tcp any any eq 23 ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  established  Match established connections
  fin          Match on the FIN bit
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  urg          Match on the URG bit
  <cr>

R1(config)#access-list 123 deny tcp any any eq 23 time-range ?
  WORD  Time-range entry name

R1(config)#access-list 123 deny tcp any any eq 23 time-range CCNP
R1(config)#

LOTS of output, but I wanted to demonstrate a few things, and I’ve also highlighted in red all the commands that I used to create the ACL along the way.

First, I wanted to demonstrate that since it is telnet, I used “tcp” instead of just “ip” traffic, as we don’t need that general of a statement. Next I used any any, because we will be applying this to our VTY lines for telnet access control, so the source and destination can be any, as the connection might come from anywhere to here, so no need to split hairs when it’s not needed.

Next, and this is a big one: I’m not sure if this still works, but you used to be able to create an ACL and type eq ? at the end to get a list of port #’s to help you along in the test if you forget a certain port #. If you get a simulator or something that allows this, it may be worth doing this once quickly and jotting down some you don’t have committed to memory; moving forward through the test it might just save your ass.

Finally, after eq, I could have put telnet or 23; I personally always use port numbers to keep them fresh in my head, but you can put the service name if listed as well, and that is a valid command. Finally the time-range is added onto the end of the ACL. Now let’s check it out:

R1#sh access-list
Extended IP access list 123
    10 deny tcp any any eq telnet time-range CCNP (active)
R1#sh time-range
time-range entry: CCNP (active)
   periodic weekdays 8:00 to 17:00
   used in: IP ACL entry
R1#sh clock
16:21:50.366 UTC Wed Mar 15 2017
R1#

I was expecting it to say (inactive) there, but I forgot the UTC thing, so let’s go for the final step, which is configuring it for telnet, or more specifically on the VTY line configuration:

R1(config)#line vty 0 4
R1(config-line)#access-group ?
% Unrecognized command
R1(config-line)#access-class ?
  <1-199>      IP access list
  <1300-2699>  IP expanded access list
  WORD         Access-list name

R1(config-line)#access-class 123 ?
  in   Filter incoming connections
  out  Filter outgoing connections

R1(config-line)#access-class 123 in ?
  vrf-also  Same access list is applied for all VRFs
  <cr>

R1(config-line)#access-class 123 in
R1(config-line)#

(Quick note at the end of the access-class command, it can be applied to non-global VRF route tables as well, worth noting while on the subject)

I highlighted what I put in, and what was correct, for a reason, because it’s so easy to mess up like I just did. Access-group is on interfaces, and access-class will always be for VTY line configuration when applying ACL’s. Notice we also had to define in or out; because this router will be receiving the telnet connections, I specified “in” as my modifier option.

So one more time, access-class = applying ACL to vty lines, followed by ACL # and in/out.

Now that we have this all configured and everything seems to be working great, let’s go to R5 and give our newfound access-list a go:

R5#telnet 172.12.15.1
Trying 172.12.15.1 ...
% Connection refused by remote host

R5#

Wow, duh, I put DENY on my ACL. Let me change that and try it again here:

R1(config)#no access-list 123 deny tcp any any eq 23 time-range CCNP
R1(config)#access-list 123 permit tcp any any eq 23 time-range CCNP
R1(config)#
ASR#5
[Resuming connection 5 to r5 ... ]

R5#telnet 172.12.15.1
Trying 172.12.15.1 ... Open

User Access Verification

Password:
R1>en
Password:
R1#

Works much better when you PERMIT telnet access during the hours you want it available, eh? Now let’s throw a wrench into the mix: while telnet’d into R1, I am going to change the router’s time to be outside the time-range and see if that immediately boots me out:

R1#clock set 22:31:45 15 mar 2017
R1#sh time-range
time-range entry: CCNP (inactive)
   periodic weekdays 8:00 to 17:00
   used in: IP ACL entry
R1#sh access-list
Extended IP access list 123
    10 permit tcp any any eq telnet time-range CCNP (inactive) (2 matches)
R1#
R1#
R1#exit

[Connection to 172.12.15.1 closed by foreign host]
R5#telnet 172.12.15.1
Trying 172.12.15.1 ...
% Connection refused by remote host

R5#

There are a couple very important real world lessons here:

  • ACL’s will only block connection attempts after they are set; they will not break current connections, so we would need to manually clear that vty line to kick the user out, so to speak. This goes for basically any connection on any firewall in the real world, so keep this very important concept in mind
  • This brings up the “no exec-t” command that is great for labs, but if the user never gets kicked out after being idle for so long, they have a loophole around that time-range
  • Notice the ACL says (inactive): that is because the time-range is not engaged and using the ACL at the moment!

I have personally, accidentally, deleted ACL’s that showed inactive because I didn’t know that meant they were on a time-range schedule (or what it meant at all), so do not do as I did: an (inactive) ACL is not an unused ACL!
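As an added example (not from the post, and not router code), here is a small Python model of how IOS decides whether a time-range like CCNP is active at a given clock, so the (inactive)/(active)/(inactive) sequence seen in “sh time-range” above can be reproduced offline. It assumes the same-day periodic form the post uses and applies the “stays valid until beginning of next minute” rule from the absolute help text to both kinds; the AUDIT entry is invented purely to exercise an absolute window.

```python
from datetime import datetime, timedelta

# Day keywords as IOS offers them; Python weekday(): Monday=0 .. Sunday=6.
DAY_GROUPS = {
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
    "weekdays": {0, 1, 2, 3, 4}, "weekend": {5, 6}, "daily": set(range(7)),
}

# Constructed time-range blocks: CCNP is the post's; AUDIT is invented to show an
# absolute window with an end time.
TIME_RANGE_CONFIG = {
    "CCNP": ["periodic weekdays 08:00 to 17:00"],
    "AUDIT": ["absolute start 18:00 15 Mar 2017 end 23:59 16 Mar 2017"],
}


def _stamp(tokens):
    """'hh:mm d Mon yyyy' tokens -> datetime."""
    return datetime.strptime(" ".join(tokens), "%H:%M %d %b %Y")


def parse_time_range(lines):
    """Turn the sub-commands of one time-range block into an optional absolute
    (start, end) window plus a list of periodic (days, start, end) statements."""
    spec = {"absolute": (None, None), "periodic": []}
    for line in lines:
        t = line.split()
        if t[0] == "periodic":
            # periodic <day-keyword> hh:mm to hh:mm
            spec["periodic"].append((t[1].lower(), t[2], t[4]))
        elif t[0] == "absolute":
            start = end = None
            i = 1
            while i < len(t):
                if t[i] == "start":
                    start = _stamp(t[i + 1:i + 5])
                elif t[i] == "end":
                    end = _stamp(t[i + 1:i + 5])
                i += 5
            spec["absolute"] = (start, end)
        else:
            raise ValueError(f"unsupported time-range command: {line}")
    return spec


def _minute_of_day(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def periodic_active(period, now):
    days, start, end = period
    if now.weekday() not in DAY_GROUPS[days]:
        return False
    # Ending minute is inclusive: 17:00:59 is still inside '08:00 to 17:00'.
    return _minute_of_day(start) <= now.hour * 60 + now.minute <= _minute_of_day(end)


def absolute_active(window, now):
    start, end = window
    if start is not None and now < start:
        return False
    # As the IOS help text says, the end stays valid until the next minute begins.
    if end is not None and now >= end + timedelta(minutes=1):
        return False
    return True


def time_range_active(spec, now):
    """Active when inside the absolute window (if any) and, when periodic
    statements exist, when at least one of them is active."""
    if not absolute_active(spec["absolute"], now):
        return False
    if not spec["periodic"]:
        return True
    return any(periodic_active(p, now) for p in spec["periodic"])


def show_time_range(name, now):
    """Render the header line the way 'show time-range' prints it."""
    spec = parse_time_range(TIME_RANGE_CONFIG[name])
    state = "active" if time_range_active(spec, now) else "inactive"
    return f"time-range entry: {name} ({state})"


if __name__ == "__main__":
    # The three clock values the post shows on R1, in order.
    for clock in (datetime(2002, 3, 1, 23, 5, 2), datetime(2017, 3, 15, 16, 21, 50),
                  datetime(2017, 3, 15, 22, 31, 45)):
        print(clock.strftime("%H:%M:%S %a %b %d %Y"), "->", show_time_range("CCNP", clock))
```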

That completes this post and I think about wraps up ACL’s, we’ve been using them on other topics so hopefully they’re comfortable with CCNP candidates reading this by now.

Next up is going to be a bit more CCNA type of material, but for thoroughness’ sake you bet your beehive I will write up a quick refresher post on that as well; it’s nice to get a break with basically refresher material right before I hit the BGP section (which I am oddly looking forward to).

If I don’t see ya, good afternoon, good evening, and good night!

Access-List Refresher: Standard, Extended, and Named ACL’s – Very good refresher material, some of this material like best practices I had even forgotten

OSPF_Base_Topology

I was going to just use two routers for this example, after work when I was tired and rushing, but I stopped and decided to be thorough, as I didn’t want to work with loopbacks. So please ignore the Stub things in the topology; those areas are not stubs, however the OSPF information is correct. Also missing is the Ethernet segment off R2 and R3, 172.12.23.0 /24 Area 23; once I get some time I’ll adjust this topology to be correct.

(Topology corrected)

A couple of key points with ACL’s that you might forget if you are rusty:

  • ACL’s use a wildcard mask, so if you see a subnet mask, it is immediately invalid
  • ACL’s must be applied to an interface to work for filtering, and a direction of traffic flow MUST be chosen for the command to go through

First there is one subject that is important to refresh for any CCNP candidate, and that is where to place the different types of ACL’s, so I will just list here the type, where to put it, and why.

Where to put ACL’s and why:

The point of this conversation is that ACL’s should be used so that the least processing on routers and network devices is used while traffic is traversing the network, so there are naturally going to be best places for these different types of ACL’s:

Extended Access-Lists: You should configure these on the router closest to the source of the traffic, really all the time in real life, preferably going “in” the main LAN uplink port, to save the local router some resources rather than filtering them going “out” the WAN port. Either way, best practice dictates that Extended ACL’s be closest to the source they are originating from.

Standard Access-Lists: You should configure these on the routers closest to the source as possible, because they only use the source as criteria for dropping packets.

First let’s look at some access-list configuration output to get an idea of the ranges:

R1(config)#access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
                    IPX SAP access list
                    Extended 48-bit MAC address access list
                    IPX summary address access list
  <1300-1999>       IP standard access list (expanded range)
                    Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
                    DECnet access list
                    Appletalk access list
                    48-bit MAC address access list
                    IPX standard access list
                    IPX extended access list
  dynamic-extended  Extend the dynamic ACL absolute timer
  rate-limit        Simple rate-limit specific access list

R1(config)#access-list

As can be seen we have a lot of ranges here, but there are only 4 which are highlighted in two colors, blue for standard ACL range #’s and red for extended range #’s.

  • Standard ranges are 1-99, 1300-1999
  • Extended ranges 100-199, 2000-2699

Named ACL’s are really extended ACL’s, only they use names instead of numbers for their access-list, which I like, because due to the complete lack of anyone using the Remark statements on ACL’s, people at least sometimes name them intuitively, which is nice (in the real world).

So I used Loopback44 with IP address 44.44.44.1 as R4’s RID, since we will be blocking some traffic to 4.4.4.4, and just got the virtual link to form; this is almost as much work as the ACL configuration (if not more)… and that’s assuming everything goes smoothly.

SO LETS GET TO WORK SO I CAN ENJOY THE REST OF MY NIGHT 😀

First, verify R5 and R4 see each others loopbacks and can ping each other:

R4#sh ip route ospf

Gateway of last resort is not set

      2.0.0.0/32 is subnetted, 1 subnets
O IA     2.2.2.2 [110/66] via 172.12.34.3, 00:06:51, FastEthernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
O IA     3.3.3.3 [110/2] via 172.12.34.3, 00:06:51, FastEthernet0/1
      5.0.0.0/32 is subnetted, 1 subnets
O IA     5.5.5.5 [110/67] via 172.12.34.3, 00:06:51, FastEthernet0/1
      172.12.0.0/16 is variably subnetted, 5 subnets, 2 masks
O IA     172.12.15.0/24 [110/66] via 172.12.34.3, 00:06:51, FastEthernet0/1
O IA     172.12.23.0/24 [110/2] via 172.12.34.3, 00:06:51, FastEthernet0/1
O        172.12.123.0/24 [110/65] via 172.12.34.3, 00:06:51, FastEthernet0/1
R4#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/64/68 ms
R4#
ASR#5
[Resuming connection 5 to r5 ... ]

R5(config-router)#^Z
R5#sh
*Mar 14 04:37:13.827: %SYS-5-CONFIG_I: Configured from console by console
R5#sh ip route ospf

Gateway of last resort is not set

      2.0.0.0/32 is subnetted, 1 subnets
O IA     2.2.2.2 [110/66] via 172.12.15.1, 00:17:03, FastEthernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
O IA     3.3.3.3 [110/66] via 172.12.15.1, 00:13:05, FastEthernet0/1
      4.0.0.0/32 is subnetted, 1 subnets
O IA     4.4.4.4 [110/67] via 172.12.15.1, 00:07:03, FastEthernet0/1
      44.0.0.0/32 is subnetted, 1 subnets
O IA     44.44.44.1 [110/67] via 172.12.15.1, 00:02:46, FastEthernet0/1
      172.12.0.0/16 is variably subnetted, 5 subnets, 2 masks
O IA     172.12.23.0/24 [110/66] via 172.12.15.1, 00:17:03, FastEthernet0/1
O IA     172.12.34.0/24 [110/66] via 172.12.15.1, 00:14:53, FastEthernet0/1
O IA     172.12.123.0/24 [110/65] via 172.12.15.1, 00:17:03, FastEthernet0/1
R5#ping 4.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/64/68 ms
R5#

Beautiful. Now, the first example is a Standard access-list blocking all traffic from reaching 4.4.4.4, but this presents a fun opportunity, because this router also has an interface in an Ethernet segment not yet in the topology, so I will want to get this as close to the source address as I can by applying it to the outbound interface facing the destination network, rather than on “in”coming packets from the WAN:

R3(config-router)#exit
R3(config)#access-list 15 deny 172.12.15.0 0.0.0.255
R3(config)#access-list 15 permit any
R3(config)#int fa0/1
R3(config-if)#ip access-group ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name

R3(config-if)#ip access-group 15

% Incomplete command.

R3(config-if)#ip access-group 15 ?
  in   inbound packets
  out  outbound packets

R3(config-if)#ip access-group 15 out
R3(config-if)#

I left that derp in there to underscore that you really need to remember a direction MUST be chosen, and in this instance it is outbound traffic toward R4, blocking network 172.12.15.0:

R5#ping 4.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
U.U.U

Success rate is 0 percent (0/5)
R5#

Success, but we demand answers about that U.U.U, and the explanation is that, as part of the “security” of the router, it doesn’t just want to drop pings and let a would-be intruder know an ACL is set, so it responds with the same response you get when an upstream router doesn’t have a return route to your network.

Also I picked the Fa0/1 interface and direction going “out” again so it is only impacting that network, and not “in” on the WAN interface possibly interfering with traffic destined for 172.12.23.0/24 network.

So on to Extended ACL’s!

This will be an R3 configuration again, and I actually don’t want R4 to ping 1.1.1.1 on R1, which will again go on R3’s Fa0/1 interface. However, we get to have an ACL going in each direction, so no sweat!

R3(config-if)#exit
R3(config)#access-list 111 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward
  remark   Access list entry comment

R3(config)#access-list 111 deny ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco’s EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco’s GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

R3(config)#access-list 111 deny ip ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host

R3(config)#access-list 111 deny ip any ?
  A.B.C.D  Destination address
  any      Any destination host
  host     A single destination host

R3(config)#access-list 111 deny ip any host 1.1.1.1 ?
  dscp        Match packets with given dscp value
  fragments   Check non-initial fragments
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  precedence  Match packets with given precedence value
  time-range  Specify a time-range
  tos         Match packets with given TOS value

R3(config)#access-list 111 deny ip any host 1.1.1.1
R3(config)#int fa0/1
R3(config-if)#ip access-group 111 in
R3(config-if)#

As can be seen, you always have to state permit / deny / remark with ACL’s, I like the way that has never changed, that your first order of business is always permit or deny.

I completely screwed the pooch on this configuration though; I am not sure if you (the one person reading this post, maybe) caught it: I forgot the permit ip any any statement to allow all other traffic to flow without the implicit deny smacking it down.

In fact, it’s already impacting the network almost immediately, so let’s examine the output that showed me I have killed the OSPF adjacencies with no regard for OSPF life, and then correct the issue:

The adjacencies dying:

R3(config-if)#ip access-group 111 in
R3(config-if)#
*Mar  2 09:59:45.761: %OSPF-5-ADJCHG: Process 1, Nbr 44.44.44.1 on FastEthernet0/1 from FULL to DOWN, Neighbor Down: Dead timer expired
R3(config-if)#
*Mar  2 09:59:51.266: %OSPF-5-ADJCHG: Process 1, Nbr 44.44.44.1 on OSPF_VL0 from FULL to DOWN, Neighbor Down: Interface down or detached

Fixing the adjacencies:

R3(config-if)#exit
R3(config)#access-list 111 permit ip any any
*Mar  2 10:04:55.661: %OSPF-5-ADJCHG: Process 1, Nbr 44.44.44.1 on FastEthernet0/1 from LOADING to FULL, Loading Done
R3(config)#
*Mar  2 10:05:10.690: %OSPF-5-ADJCHG: Process 1, Nbr 44.44.44.1 on OSPF_VL0 from LOADING to FULL, Loading Done

Now let’s test a ping to 1.1.1.1 from R4, and move right along here:

[Resuming connection 4 to r4 ... ]

R4(config)#do ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4(config)#

I found it uses all dots for the reply when working with the ACL below; check it out.
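As an added example (not from the post, and not router code), here is a Python model of numbered standard and extended ACL evaluation with IOS wildcard masks and the implicit deny, run against constructed packets as they would arrive inbound on R3 Fa0/1 from R4’s segment. It reproduces both what happened above: ACL 15 dropping R5’s pings while leaving other sources alone, and ACL 111 silently dropping R4’s OSPF hellos until the permit ip any any line was added; the OSPF source and destination addresses are assumed from the topology.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")
PORT_NAMES = {"telnet": 23, "www": 80, "domain": 53}  # the few names this model needs

# Constructed packets as seen inbound on R3 Fa0/1 (R4 is assumed to be 172.12.34.4;
# OSPF hellos go to the AllSPFRouters multicast group 224.0.0.5).
OSPF_HELLO = {"proto": "ospf", "src": "172.12.34.4", "dst": "224.0.0.5"}
R4_PING_R1 = {"proto": "icmp", "src": "172.12.34.4", "dst": "1.1.1.1"}
R4_PING_R2 = {"proto": "icmp", "src": "172.12.34.4", "dst": "2.2.2.2"}

# The post's ACLs: 15 as configured, 111 before and after the missing permit.
ACL_15 = ["deny 172.12.15.0 0.0.0.255", "permit any"]
ACL_111_BROKEN = ["deny ip any host 1.1.1.1"]
ACL_111_FIXED = ACL_111_BROKEN + ["permit ip any any"]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit means 'must match', a 1 bit means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _address_spec(tokens, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_ace(text, extended):
    """Parse one numbered-ACL statement (the part after 'access-list N')."""
    t = text.split()
    ace = {"action": t[0], "proto": "ip", "src": ANY, "dst": ANY, "dport": None}
    if ace["action"] not in ("permit", "deny"):
        raise ValueError(f"bad action in {text!r}")
    if not extended:
        ace["src"], _ = _address_spec(t, 1)          # standard lists only look at source
        return ace
    ace["proto"] = t[1]
    ace["src"], i = _address_spec(t, 2)
    ace["dst"], i = _address_spec(t, i)
    if i < len(t) and t[i] == "eq":                  # only 'eq <port>' is modelled here
        port = t[i + 1]
        ace["dport"] = int(port) if port.isdigit() else PORT_NAMES[port]
    return ace


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *ace["src"]):
        return False
    if not wildcard_match(pkt["dst"], *ace["dst"]):
        return False
    return ace["dport"] is None or ace["dport"] == pkt.get("dport")


def acl_decision(aces, pkt, extended):
    """Top-down, first match wins.  Returns (action, seq); seq None means the packet
    fell off the end of the list and was dropped by the implicit deny."""
    for position, text in enumerate(aces, start=1):
        ace = parse_ace(text, extended)
        if ace_matches(ace, pkt):
            return ace["action"], position * 10
    return "deny", None


if __name__ == "__main__":
    for label, acl in (("111 as first typed", ACL_111_BROKEN), ("111 fixed", ACL_111_FIXED)):
        print(f"ACL {label}: OSPF hello -> {acl_decision(acl, OSPF_HELLO, True)}")
```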

And Finally, Named ACL’s!

The exact same as an extended ACL, except it uses a name, making it a bit more intuitive. I just learned tonight (or probably re-learned) that you can actually drop into ACL mode with extended ACL #’s to revise it line by line:

R3(config)#ip access-list ?
  extended    Extended Access List
  log-update  Control access list log updates
  logging     Control access list logging
  resequence  Resequence Access List
  standard    Standard Access List

R3(config)#ip access-list extended ?
  <100-199>    Extended IP access-list number
  <2000-2699>  Extended IP access-list number (expanded range)
  WORD         Access-list name

R3(config)#ip access-list extended 111 ?
  <cr>

R3(config)#ip access-list extended 111
R3(config-ext-nacl)#?
Ext Access List configuration commands:
  <1-2147483647>  Sequence Number
  default         Set a command to its defaults
  deny            Specify packets to reject
  dynamic         Specify a DYNAMIC list of PERMITs or DENYs
  evaluate        Evaluate an access list
  exit            Exit from access-list configuration mode
  no              Negate a command or set its defaults
  permit          Specify packets to forward
  remark          Access list entry comment

R3(config-ext-nacl)#do sh access-list 111
Extended IP access list 111
    10 deny ip any host 1.1.1.1  
    20 permit ip any any (118 matches)
R3(config-ext-nacl)#
ASR#4
[Resuming connection 4 to r4 … ]

R4(config)#
R4(config)#do sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      2.0.0.0/32 is subnetted, 1 subnets
O IA     2.2.2.2 [110/66] via 172.12.34.3, 00:11:43, FastEthernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
O IA     3.3.3.3 [110/2] via 172.12.34.3, 00:11:43, FastEthernet0/1
      4.0.0.0/32 is subnetted, 1 subnets
C        4.4.4.4 is directly connected, Loopback4
      5.0.0.0/32 is subnetted, 1 subnets
O IA     5.5.5.5 [110/67] via 172.12.34.3, 00:11:43, FastEthernet0/1
      44.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        44.44.44.0/24 is directly connected, Loopback44
L        44.44.44.1/32 is directly connected, Loopback44

(At this point I have no idea 1.1.1.1 is not in the routing table, my tired mind has once again glossed over a major detail looking for some other information)

R4(config)#
ASR#3
[Resuming connection 3 to r3 … ]

R3(config-ext-nacl)#15 ?
  deny      Specify packets to reject
  dynamic   Specify a DYNAMIC list of PERMITs or DENYs
  evaluate  Evaluate an access list
  exit      Exit from access-list configuration mode
  permit    Specify packets to forward

R3(config-ext-nacl)#15 deny ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

R3(config-ext-nacl)#15 deny ip 172.12.34.0 0.0.0.255 ?
  A.B.C.D  Destination address
  any      Any destination host
  host     A single destination host

R3(config-ext-nacl)#15 deny ip host 172.12.34.4 ?
  A.B.C.D  Destination address
  any      Any destination host
  host     A single destination host

R3(config-ext-nacl)#15 deny ip host 172.12.34.4 host 2.2.2.2
R3(config-ext-nacl)#do sh access-list 111
Extended IP access list 111
    10 deny ip any host 1.1.1.1
    15 deny ip host 172.12.34.4 host 2.2.2.2
    20 permit ip any any (134 matches)
R3(config-ext-nacl)#
ASR#4
[Resuming connection 4 to r4 … ]

R4(config)#do ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

U.U.U

Success rate is 0 percent (0/5)
R4(config)#
ASR#3
[Resuming connection 3 to r3 … ]

R3(config-ext-nacl)#do sh access-list 111
Extended IP access list 111
    10 deny ip any host 1.1.1.1
    15 deny ip host 172.12.34.4 host 2.2.2.2 (11 matches)
    20 permit ip any any (144 matches)
R3(config-ext-nacl)#

I actually did this to fix it before realizing I hadn’t put 1.1.1.1 into OSPF to be advertised:

R3(config-ext-nacl)#no 10
R3(config-ext-nacl)#10 deny ip host 172.12.34.4 host 1.1.1.1
R3(config-ext-nacl)#do sh access-list 111
Extended IP access list 111
    10 deny ip host 172.12.34.4 host 1.1.1.1
    15 deny ip host 172.12.34.4 host 2.2.2.2 (11 matches)
    20 permit ip any any (162 matches)
R3(config-ext-nacl)#

I really did want to post that just to show how easy it is. The reason we got ..... instead of U.U.U was that we didn't have a route to it; let's check now:

R4(config)#do sh ip route ospf | i 1.1.1.1
O IA     1.1.1.1 [110/66] via 172.12.34.3, 00:02:41, FastEthernet0/1
R4(config)#

Minimal output, maximum effort, so let's ping away and see some hits:

R3(config-ext-nacl)#do sh access-list 111
Extended IP access list 111
    10 deny ip host 172.12.34.4 host 1.1.1.1 (11 matches)
    15 deny ip host 172.12.34.4 host 2.2.2.2 (11 matches)
    20 permit ip any any (208 matches)
R3(config-ext-nacl)#

You will notice the permit ip any any entry incrementing for OSPF traffic as well, and I am sure the deny entries would have worked with "any" defined as the source too, because only R4 traffic is coming into that interface, so that is fine.

I won't go into a full configuration of named ACLs: you've seen in the access-group on interfaces that you can use a word instead of a number, and you've seen the ACL (or nacl) configuration mode and a bit of how it works, but I will show you this:

R3(config)#ip access-list extended ?
  <100-199>    Extended IP access-list number
  <2000-2699>  Extended IP access-list number (expanded range)
  WORD         Access-list name

R3(config)#ip access-list extended

Once you type a number from those ranges or a word, it puts you into the nacl config mode to build your ACL.

The only real tricky part is typing ip first when configuring the access-list to get into nacl config mode to remove and insert lines in extended lists; otherwise named ACLs work exactly the same as extended ones, they just swap out numbers for names.
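To make the first-match, implicit-deny behaviour from this lab concrete, here is an added Python model of extended ACL evaluation (my own illustration, not IOS code or output from the post). It replays ACL 111 exactly as built above: R4's OSPF hello (assumed as protocol 89 from 172.12.34.4 to 224.0.0.5) falls through to the implicit deny until permit ip any any exists, and sequence 15 slots in between 10 and 20 with its own hit counter.

```python
import ipaddress
# Constructed model of IOS extended-ACL evaluation: first match wins, each ACE keeps
# a hit counter, unmatched packets fall to the implicit deny. Added illustration only.
PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "ospf": 89}

def parse_addr(tok):
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    kw = tok.pop(0)
    if kw == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if kw == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tok.pop(0))))
    return ipaddress.ip_network(f"{kw}/{mask}", strict=False)  # wildcard = inverted mask

def parse_ace(line):  # "SEQ permit|deny PROTO SRC DST"
    tok = line.split()
    ace = {"seq": int(tok[0]), "action": tok[1], "proto": tok[2], "matches": 0}
    rest = tok[3:]
    ace["src"], ace["dst"] = parse_addr(rest), parse_addr(rest)
    return ace

class ExtendedAcl:
    def __init__(self):
        self.aces, self.implicit_denies = [], 0

    def insert(self, line):  # IOS keeps ACEs ordered by sequence number
        ace = parse_ace(line)
        self.aces = sorted([a for a in self.aces if a["seq"] != ace["seq"]] + [ace],
                           key=lambda a: a["seq"])

    def check(self, proto_num, src, dst):  # first match wins, else implicit deny
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for ace in self.aces:
            if PROTO_NUM[ace["proto"]] in (None, proto_num) and src in ace["src"] and dst in ace["dst"]:
                ace["matches"] += 1
                return ace["action"]
        self.implicit_denies += 1  # the unseen 'deny ip any any' at the end of every ACL
        return "deny"

def lab_walkthrough():  # replay ACL 111 (inbound on R3 Fa0/1) against R4's traffic
    acl = ExtendedAcl()
    acl.insert("10 deny ip any host 1.1.1.1")                # first attempt, nothing else
    hello = acl.check(89, "172.12.34.4", "224.0.0.5")        # OSPF hello hits implicit deny
    acl.insert("20 permit ip any any")                       # the fix from the post
    hello_fixed = acl.check(89, "172.12.34.4", "224.0.0.5")
    acl.insert("15 deny ip host 172.12.34.4 host 2.2.2.2")   # slots between 10 and 20
    ping_r2 = acl.check(1, "172.12.34.4", "2.2.2.2")
    ping_r5 = acl.check(1, "172.12.34.4", "5.5.5.5")
    return hello, hello_fixed, ping_r2, ping_r5, {a["seq"]: a["matches"] for a in acl.aces}
```

The returned hit counts mirror what sh access-list shows on R3: entry 15 matches the ping to 2.2.2.2, while the OSPF hellos and the ping to 5.5.5.5 land on entry 20.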

As much as I want this to be over, here are a couple of commands to quickly verify or check which ACLs are on your router or a given interface:

R3#sh access-list
Standard IP access list 15
    10 deny   172.12.15.0, wildcard bits 0.0.0.255 (8 matches)
    20 permit any
Extended IP access list 111
    10 deny ip host 172.12.34.4 host 1.1.1.1 (11 matches)
    15 deny ip host 172.12.34.4 host 2.2.2.2 (11 matches)
    20 permit ip any any (243 matches)
R3#

It doesn't show you what interfaces they are applied to (or what mechanism on the router is using them), but it shows they are there and their hit counts. To see which ACL is applied to an interface, it's seen under ip access-group in sh run, but because we can't count on that for lab day you can also use "sh ip int ...":

R3#sh ip int fa0/1
FastEthernet0/1 is up, line protocol is up
  Internet address is 172.12.34.3/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.5 224.0.0.6
  Outgoing access list is 15
  Inbound  access list is 111
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is disabled
  BGP Policy Mapping is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
R3#

Alright, and that concludes my middle-of-the-night lab session on ACLs; see you next time with some time-based ACL configurations!