Routing & ACL question
Test PING From User HQ
user@HQ:~$ ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:19:b9:6c:6d:16
inet addr:172.16.22.73 Bcast:172.16.22.255 Mask:255.255.255.0
inet6 addr: fe80::219:b9ff:fe6c:6d16/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:38900 errors:0 dropped:0 overruns:0 frame:0
TX packets:17106 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:16202794 (16.2 MB) TX bytes:2005551 (2.0 MB)
Interrupt:17
Test PING From User HQ to Router 1 - Gi 0/1
user@HQ:~$ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
From 203.121.19.4 icmp_seq=1 Time to live exceeded
From 203.121.19.4 icmp_seq=2 Time to live exceeded
From 203.121.19.4 icmp_seq=3 Time to live exceeded
From 203.121.19.4 icmp_seq=4 Time to live exceeded
^C
--- 192.168.0.1 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3004ms
Test PING From User HQ to Router 2 - Gi 0/1
user@HQ:~$ ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data.
From 203.121.19.4 icmp_seq=1 Time to live exceeded
From 203.121.19.4 icmp_seq=2 Time to live exceeded
From 203.121.19.4 icmp_seq=3 Time to live exceeded
From 203.121.19.4 icmp_seq=4 Time to live exceeded
^C
--- 192.168.0.2 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3004ms
Test PING From User Branch
user@branch:~$ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:24:81:1a:4d:44
inet addr:172.16.32.200 Bcast:172.16.32.255 Mask:255.255.255.0
inet6 addr: fe80::224:81ff:fe1a:4d44/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6471610 errors:0 dropped:0 overruns:0 frame:0
TX packets:775635 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1137491161 (1.1 GB) TX bytes:79145687 (79.1 MB)
Interrupt:19 Memory:f0500000-f0520000
Test PING From User Branch to Router 1 - Gi 0/1
user@branch:~$ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
^C
--- 192.168.0.1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4032ms
Test PING From User Branch to Router 2 - Gi 0/1
user@branch:~$ ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data.
64 bytes from 192.168.0.2: icmp_req=1 ttl=254 time=13.3 ms
64 bytes from 192.168.0.2: icmp_req=2 ttl=254 time=14.9 ms
64 bytes from 192.168.0.2: icmp_req=3 ttl=254 time=15.8 ms
64 bytes from 192.168.0.2: icmp_req=4 ttl=254 time=17.2 ms
64 bytes from 192.168.0.2: icmp_req=5 ttl=254 time=16.8 ms
^C
--- 192.168.0.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 13.379/15.678/17.260/1.393 ms
So using what we now know, let me pose one basic question:
If you put a host 192.168.0.3 on router 1's connected network and a host 192.168.0.3 on router 2's connected network, and then slapped a router between router 1 and 2 and told it to ping 192.168.0.3 off router 2's interface, how would the router know which 192.168.0.3 path to pick?
Remember, routers use subnet masks to choose their paths, but in this case both IP and mask are the same.
Useful Threads
================================
www.firewall.cx/forum/2-basic-concepts/3...e-resource-page.html
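To make that tie concrete, here is an added Python example (not code from the thread or from any firewall.cx author) that models a router's longest-prefix-match lookup over a constructed forwarding table. The interface names and the prefixes are assumptions loosely based on the addresses in the ping tests above. It shows that two routes with an identical prefix and mask leave the lookup with nothing to prefer one by, and that renumbering one copy of the network restores a unique answer.

```python
import ipaddress

# Constructed forwarding table loosely modelled on the thread's topology.
# Interface names and prefixes are assumptions, not a real device config:
# both router 1 and router 2 carry a 192.168.0.0/24 "network 2".
ROUTES_OVERLAP = [
    ("172.16.22.0/24", "Gi0/0 (HQ LAN)"),
    ("192.168.0.0/24", "Gi0/1 (router 1, network 2)"),
    ("192.168.0.0/24", "Gi0/2 -> router 2 (branch, network 2)"),
    ("172.16.32.0/24", "Gi0/2 -> router 2 (branch LAN)"),
    ("0.0.0.0/0", "Gi0/3 -> ISP"),
]

# The same table after renumbering the branch copy of "network 2".
ROUTES_RENUMBERED = [
    ("192.168.1.0/24" if hop == "Gi0/2 -> router 2 (branch, network 2)" else prefix, hop)
    for prefix, hop in ROUTES_OVERLAP
]


def best_matches(routes, dst):
    """Return every route that contains dst and shares the longest prefix length.

    This is the longest-prefix-match rule: a /24 beats the /0 default,
    and a /25 would beat a /24. Two identical /24s cannot be separated.
    """
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), hop) for p, hop in routes
            if addr in ipaddress.ip_network(p)]
    if not hits:
        return []
    longest = max(net.prefixlen for net, _ in hits)
    return [(str(net), hop) for net, hop in hits if net.prefixlen == longest]


def forwarding_decision(routes, dst):
    """Classify the lookup: ('unique', hop), ('ambiguous', [hops]) or ('no-route', None)."""
    cands = best_matches(routes, dst)
    if not cands:
        return ("no-route", None)
    if len(cands) == 1:
        return ("unique", cands[0][1])
    # Identical prefix and mask: the mask gives the router nothing to choose on.
    return ("ambiguous", [hop for _, hop in cands])


if __name__ == "__main__":
    for dst in ("172.16.32.200", "192.168.0.3", "8.8.8.8"):
        print(dst, "overlapping table:", forwarding_decision(ROUTES_OVERLAP, dst))
        print(dst, "renumbered table: ", forwarding_decision(ROUTES_RENUMBERED, dst))
```

Run as a script it prints the decision for three destinations against both tables; 192.168.0.3 comes back ambiguous on the overlapping table and unique once the branch side is renumbered.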
PING From Router 1 To host inside HQ (using network 2) with IP 192.168.0.3
router-1#ping 192.168.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
router-1#traceroute 192.168.0.3
Type escape sequence to abort.
Tracing the route to 192.168.0.3
1 192.168.0.3 0 msec 0 msec *
router-1#
PING From Router 2 To host inside branch (using network 2) with IP 192.168.0.3
router-2#ping 192.168.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
router-2#traceroute 192.168.0.3
Type escape sequence to abort.
Tracing the route to 192.168.0.3
1 192.168.0.3 0 msec 0 msec *
router-2#
We can consider that router 1 and router 2 are different islands... is that right?
But why can fa 0/0/0 at router 1 and router 2 use the same network?
IP: 199.199.199.1
Subnet Mask: 255.255.255.0
And you're trying to contact (ping)
IP:199.199.199.2
Subnet Mask: 255.255.255.0
The very first thing a source host does is compare its IP and mask to the destination's IP and mask to determine if the destination is on the same local area network.
In this case the valid hosts that are within the local LAN are numbered from
199.199.199.1 to 199.199.199.254
and anything between that range with the mask of /24 will be on the same LAN.
Knowing 199.199.199.2/24 is within that network range, your network card decides that 199.199.199.2/24, if it does indeed exist anywhere, will exist on your local segment, so it checks its MAC address table for 199.199.199.2's MAC address so it can make the proper frame for transmission over the 199.199.199.0/24 Ethernet network.
If 199.199.199.1 finds 199.199.199.2 in its MAC address table it will simply encode the frame with its MAC address as the source port and 199.199.199.2's MAC address as the destination port, and encapsulate the packet within the frame. Once the frame is sent out onto the Ethernet only a device with 199.199.199.2's MAC address will accept the packet.
Alternatively, if 199.199.199.2's MAC address is not in 199.199.199.1's MAC address table, 199.199.199.1 will attempt to gather that information by use of an *( ARP REQUEST )*, which only 199.199.199.2 would reply to, returning its MAC address so 199.199.199.1 can forward the intended data, a ping, to 199.199.199.2.
That's great, but what if I want to ping 199.199.200.1/24, which is on a completely different network from 199.199.199.200/25? Well, the logic is much simpler.
Host 199.199.200.1/24 makes the same check against its own IP/mask, finds that 199.199.200.1/25 is in a different subnet, creates a frame with the default gateway MAC address of the router, which encapsulates an IP packet with the source address 199.199.199.1/24 and destination address 199.199.200.2/25, and lets the router deal with it.
Let me summarize why this is important:
When encoding and transmitting a frame a host must make the choice of sending it on the local LAN with the layer 2 address of the destination or the layer 2 address of the router. This choice is made based on whether the destination is local to the LAN segment or not. Meaning, if the destination is in the same network it will simply forward the frame to the intended receiver; otherwise it will attach the MAC address of the default gateway and allow the router to sort it out through IP routing.
Now let's take this logic and apply it to our current situation. If you *are* a host PC on the router 1 attached network 196.186.0.0/24 with an IP address of 196.186.0.5 and you want to contact (ping) the address 196.136.0.6 on the router 2 attached network of 196.186.0.0/24, what will happen when 196.186.0.5/24 tries to transmit a ping to 196.186.0.6/24?
*edit was to clean up image and fix grammar*
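As an added illustration (example code, not part of the post above or of any firewall.cx author's material), the following Python models the same-subnet check described in that post using the standard `ipaddress` module: AND the source and destination with the mask, resolve the destination's MAC on the local segment if the network parts match, otherwise put the gateway's MAC on the frame. The ARP cache contents, the MAC values and the gateway addresses are constructed. Applied to a host on router 1's 196.186.0.0/24 segment pinging 196.186.0.6, which actually lives behind router 2 on an identically numbered network, it shows the host never hands the packet to the router at all.

```python
import ipaddress


def same_subnet(src_ip, mask, dst_ip):
    """The check a host makes before building a frame: AND source and destination
    with the mask and compare the network parts. mask may be dotted or a prefix length."""
    iface = ipaddress.ip_interface(f"{src_ip}/{mask}")
    return ipaddress.ip_address(dst_ip) in iface.network


def frame_destination(src_ip, mask, dst_ip, gateway_ip, arp_cache):
    """Pick the layer-2 address that goes into the frame.

    Returns (mode, l3_target, mac):
      'local'          destination is on this segment and its MAC was resolved
      'arp-unresolved' destination looks local but nobody on the segment
                       answered ARP, so no frame can be built
      'gateway'        destination is remote, frame carries the router's MAC
    """
    if same_subnet(src_ip, mask, dst_ip):
        mac = arp_cache.get(dst_ip)
        if mac is None:
            return ("arp-unresolved", dst_ip, None)
        return ("local", dst_ip, mac)
    return ("gateway", gateway_ip, arp_cache.get(gateway_ip))


# Constructed ARP cache of a host on router 1's 196.186.0.0/24 segment.
# MAC values are made up and router 1's LAN address is an assumption.
# Only stations physically on this segment can answer ARP, so the host
# 196.186.0.6 that lives behind router 2 can never appear in it.
R1_SEGMENT_ARP = {
    "196.186.0.1": "00:00:5e:00:53:01",   # router 1, the default gateway
    "196.186.0.3": "00:00:5e:00:53:03",   # a host that really is local
}


def ping_path(src_ip, mask, dst_ip, gateway_ip, arp_cache):
    """Summarise where the first hop of a ping goes."""
    mode, target, mac = frame_destination(src_ip, mask, dst_ip, gateway_ip, arp_cache)
    if mode == "gateway":
        return f"frame to router {target} ({mac}); router forwards by its routing table"
    if mode == "local":
        return f"frame direct to {target} ({mac}); router never involved"
    return (f"ARP for {target} on the local segment goes unanswered; "
            f"ping fails and the router is never consulted")


if __name__ == "__main__":
    # Same LAN: 199.199.199.1 -> 199.199.199.2 (constructed ARP entry)
    print(ping_path("199.199.199.1", "255.255.255.0", "199.199.199.2",
                    "199.199.199.254", {"199.199.199.2": "00:00:5e:00:53:02"}))
    # Different network: frame goes to the (assumed) gateway 199.199.199.254
    print(ping_path("199.199.199.1", "255.255.255.0", "199.199.200.2",
                    "199.199.199.254", {"199.199.199.254": "00:00:5e:00:53:fe"}))
    # The thread's situation: duplicate 196.186.0.0/24 on both routers
    print(ping_path("196.186.0.5", "255.255.255.0", "196.186.0.6",
                    "196.186.0.1", R1_SEGMENT_ARP))
```

The third call is the one that matters for the thread: because 196.186.0.6 falls inside the host's own /24, the host ARPs for it locally instead of sending to 196.186.0.1, and since that address sits on router 2's segment nothing answers. No routing table anywhere is consulted, which is why giving both sides the same network cannot be fixed on the routers alone.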