
5 - 1
Routing Fundamentals - SANS
©2001
1
Routing Fundamentals
Security Essentials
The SANS Institute
Hello, welcome to Routing Fundamentals. Just like it is important to understand how networks
operate in order to secure them, it is also critical to understand how routers and routing work in order
to have a secure network. What allows people from all over the world to communicate and what
allows the Internet to function is routers. Routers are responsible for determining the path and
sending traffic from source to destination. As you can imagine because they play such a key role, it
is critical that they are properly secured because they are often the target of attacks. If someone can
compromise a router, they can read, modify or delete any traffic that goes through it and this can
cause a variety of problems.
Based on router importance from a functionality and security standpoint, we have devoted a module
to looking into the wonderful world of routers.
Agenda
• Routers
• Cisco IOS
• Routing
• Routing Protocols
• Access Control Lists
• Firewalls
In this module, we are going to cover an overview of routers. We are going to start by looking at
what a router is and how it works. We will then cover the routing operating system or IOS. How
routing actually works and why there are two addresses will also be covered along with several
examples. How routers communicate with each other via routing protocols will be discussed and we
will wrap up the module with a brief look at how routers can filter traffic via access control lists.
It is important to point out that the subject of routers is very complex and there are several week-long
courses on each topic covered in this module. This module is meant to give you a high level
overview and introduce you to several of these topics, not to provide comprehensive coverage of
the material. Also, this module tries to stay general, but in certain cases where we have to discuss the
specifics of a router, we will be using Cisco routers and the Cisco IOS in our examples.
What is a Router?
• Routers connect two networks together.
• Routers determine the path a packet should take from source to destination.
• Uses IP addresses to determine a route.
Since this module is devoted to routers, we should probably cover what a router is. As you will see,
a computer is only capable of communicating with other systems that are on the same network. A
computer does not have the capability to determine the best way to get to another network and how
to send the packet. Therefore, a specialized device is needed to connect different networks together
and to move the traffic between the networks. The device that performs this work is called a router.
A router connects two or more networks together and is responsible for making sure those networks can
communicate with each other. Routers will also determine the path a packet should take to get from
a source to a destination. In order to do all of this work, routers use the source IP address and the
destination IP address located in the layer 3 header to determine this information. This is why
routers are sometimes referred to as layer 3 devices.
Starting a Router
• The following are the basic steps a router performs on startup:
– Check hardware
– Find and locate the IOS
– Find and apply the router configuration
As we have discussed, a router’s primary role is to connect different networks together and to route
traffic from source to destination. In order to determine how to do that, the router needs a
configuration file and other information. Most of this information is loaded when the router is
started. Let’s briefly look at the steps that are performed when a router is turned on.
1) Check the hardware and perform a self test to make sure all of the correct components are present
and that everything is working properly
2) Find, locate, and load the IOS for the router. The IOS is the operating system for the router which
tells it what to do and allows people to interface with it
3) Find and apply the router configuration information to the router. The IOS is generic and the
same for all routers, but the configuration information uniquely identifies a particular router and tells
it what it should do under different circumstances
Accessing the Router
• The router can be accessed via the following:
– Telnet
– Console
– Web browser (HTTP)
• Modes of operation
– User EXEC mode
– Privileged EXEC mode
– ROM Monitor mode
In most cases once the router is configured and installed, it requires minimal user interaction in order
for it to function properly. Even in cases where the router is working perfectly there still might be a
need to periodically verify the configuration and perform maintenance on the router. The two basic
ways to access a router are to telnet to it across a network, or to connect to it directly via a console
cable, where one end of the cable plugs into the router and the other end plugs into a computer.
From an ease of use standpoint, telnetting in is easier because you can access the
router from a variety of places and you do not have to be sitting directly next to it. This, however,
also increases your security risks, because if you can access the router from anywhere so can a
possible attacker. Connecting via the console increases security because the only way you can
change anything is if you have physical access to the router. This increases security but makes it
difficult to remotely monitor routers. Just to touch base on the topic of physical security for routers:
It is critical that routers have proper physical protection. With most routers, if you can get physical
access to the system, you can gain access to the router and bypass any passwords or other security.
In terms of modes of operations, Cisco routers have 7 command modes to access the router. In this
section we will look at the three you will probably use most often. EXEC allows a user to type
commands and have them interpreted by the system. User mode allows someone to run basic
commands to find out information about the system. In order to make changes to the system, you
must be in privileged mode. On most systems there are two passwords, one for user mode and one
for privileged mode. These passwords should be different and hard to guess.
ROM monitor mode allows you to configure a router if the IOS does not exist, and get the router up
and running.
Basic Configuration Commands
• enable
• configure terminal
• hostname <router>
• enable secret <password>
• interface ethernet 0
• ip address <ip address> <mask>
Just to get a better idea of how routers work, let’s look at some basic configuration commands you
might use to configure a router. When you first connect to a router, the router is operating in user
mode which has very limited functionality. By typing “enable,” you will be prompted for a password
and will enter privileged mode. The way that you can tell that you are in privileged mode is the
router prompt will be a #. In order to make changes to the router and to start to configure it, you
have to enter configuration mode by typing “configure terminal.” To give the router a name, you
would type “hostname” followed by the name of the router. To set the privileged-mode password so that
it is stored in the configuration in encrypted form rather than plaintext, you would type “enable secret”
followed by the password. The password will still appear in plaintext on the terminal when you initially
type it in, so make sure no one is shoulder surfing or reading the screen.
Since routers are responsible for routing traffic between different interfaces, you have to go in and
configure each interface on the router so that it knows what its IP address and subnet mask is. To
enter configuration mode for a particular interface, you would type “interface ethernet” followed by
the number of the interface. Then you would type “ip address” followed by the ip address and
subnet mask for that interface.
There are a large number of commands one would use to configure a router, but this just gives you
an idea of some of the key commands you might have to use.
Routing
MAC and IP addresses
Now that we have a general idea of what a router is and how it works, let’s look at how routing
actually takes place on a network.
Two Addresses
• At a minimum, a computer has two addresses:
– MAC address
• 48 bit address (12 hexadecimal digits)
• First half vendor code (e.g., 00-00-0c Cisco or 08-00-20 Sun)
• Usually hard-coded into NIC
• Does not change
– IP address
• 32 bit address
• Part network and part host
• Configured by user
• Changes based on location
In order to understand how routing works, we have to cover the concept that any computer connected to a network has a
minimum of two addresses. Usually there are two addresses per network interface. So, if a server has 4 network interface
cards or NICs, then each interface would have two addresses: A MAC address and an IP address. The reason you need two
addresses goes back to the OSI model and how communication is broken down into multiple layers. Layer 3 is responsible
for routing traffic across a network, and IP operates at layer 3 and needs an address in order to route the traffic. So there is an
IP address that layer 3 uses to determine how to get a packet from source to destination. But as we go down the OSI stack, the
layer 3 information gets encapsulated by layer 2 before it goes out on the wire. So layer 1 and 2 need some way to directly
send information to a given host. This is done via a MAC or Media Access Control address that operates at the lower layers.
Now let’s look at each address in more detail.

A MAC address is a 48-bit address that is usually written as 12 hexadecimal digits grouped in pairs of two. So, a typical
address might look like the following: 00-00-0c-34-15-43. Since a MAC address is usually hard-coded into the NIC card and
does not change, it is the vendor’s responsibility to make sure that every card has a unique MAC address. The way this is
done is the MAC address is broken into two pieces. The first half or 6 hexadecimal digits is assigned to a specific vendor and
the second half is a unique number assigned by that vendor. Now as long as the vendor uses the first half of their code, it is
their responsibility to make sure every card has a unique MAC address and that there are no duplicates. So, by looking at a
MAC address you can tell what vendor the NIC came from. For example, if the first half is 00-00-0c then you know the card
was produced by Cisco and if it starts with 08-00-20 you know it was produced by Sun.
An IP address is a 32 bit address, or 4 bytes, and is usually written with a period between each byte. So a typical IP address
might be 15.5.10.35. An IP address is broken into two pieces, a network piece and a host piece, but where the division falls
depends on the type of address (class A, B, or C) and on whether subnet masks are being used, so you cannot tell where the
division is just by looking at the address. You must also look at the subnet mask to see which piece identifies the network and
which piece identifies the host. The IP address is configured by the user and as the computer moves around or changes location,
the IP address must also change.
Just to summarize the two addresses, let’s look at an example. I travel around the world and check my email from various
locations. Each time I go to a new state or country, I have to reconfigure my machine with a new IP address, but my MAC
address never changes. Actually, for my home network I know my IP address by heart because I change it so often, but I
have no idea what my MAC address is because it never changes and it operates at a layer in the protocol stack that most
people do not get that involved with.
MAC and IP Addresses
• There is no direct relationship between the two addresses
• Given one address, a computer must send out a packet to find out the other address
– ARP (Address Resolution Protocol)
– RARP (Reverse Address Resolution Protocol)
So now we know that there are two addresses: A MAC and an IP address, but how do we tie the two
together? Unfortunately, there is no direct relationship between the two addresses. Looking only at
an IP address, there is no way that you can determine what the MAC address is and the reverse is
also true. If I give you a MAC address of 00-00-0c-45-56-32, there is no way that you can tell me
what the IP address is. You could make a totally random guess, but that would not be a good way to
link the two together. Therefore, given one of the addresses, the only way to find out the address is
to send out a packet saying, “Hey I know one address! Can you let me know what the other address
is?” Actually, there is a protocol that will take care of this for us.
ARP or Address Resolution Protocol, given an IP address will find out what the corresponding MAC
address is.
RARP or Reverse Address Resolution Protocol, given a MAC address will find out what the
corresponding IP address is.
Address Resolution Protocol (ARP)
[Diagram: 172.20.42.1 and 172.20.42.2 on the same segment.]
42.1 broadcasts a packet with 42.2’s IP Address and asks it to respond with its physical address.
ARP packet layout (32-bit rows; the slide marks bit positions 0, 16 and 31):
0                    16                   31
HARDWARE TYPE        | PROTOCOL TYPE
HLEN    | PLEN       | OPERATION
SOURCE MAC (first 4 octets)
SOURCE MAC (last 2)  | SOURCE IP (first 2)
SOURCE IP (last 2)   | TARGET MAC (first 2)
TARGET MAC (last 4 octets)
TARGET IP
Now let’s take a look at ARP and how it works. The internet protocols are specified by standards
documents called Requests For Comments (RFCs). ARP [Address Resolution Protocol] is
specified by RFC 826. It is not an internet protocol per se, because it is not carried in an internet
packet (or an IP packet). It is an Ethernet frame that is sent to all systems on a network segment (this
is what we call a broadcast). If a message is a broadcast message, that means it is sent to all of the
machines on part or all of the network.
The source host sends the ARP request and includes its source MAC and IP address, and then
presumably the destination host will pick it up and reply. Of course, the reply will contain the
destination host’s MAC and IP address. After this is done, the two systems can talk IP to one
another. If you see an ARP, you are probably on the same physical cable segment as the sending
computer, since ARPs will not be passed through a router.
Address Resolution Protocol (2)
[Diagram: hosts 172.20.42.1, 172.20.42.2 and 172.20.35.2.]
Link devices such as routers and switches keep track of these IP/MAC pairs with ARP tables.
Why are MAC addresses so huge? Because I’ll tell you, 48 bits is a LOT of address space! The idea
was that they would be unique for all time and space – and that sounds good if you say it real fast,
but there are always “gotchas.” Further, the manufacturers of network interface cards (NICs) are
supposed to have a prefix so that part of the MAC address allows you to determine which
manufacturer built the card.
And in your notes pages, you see some ways to see your MAC address:
For Windows 9x machines:
From a command prompt, type winipcfg
For Windows NT/2000 machines:
From a command prompt, type ipconfig /all
For Linux/Unix machines:
From a command prompt, type ifconfig -a
Also, as you can imagine it is not very efficient to send all of these ARP requests every time
computers want to communicate. So most computers and devices have something called an ARP
cache. When an ARP request is received back, the IP and MAC address information is kept in cache
so the next time the system needs to know this information it can look it up and does not have to send
out another ARP request. This information probably will not change very quickly, so it can be stored
for a while to reduce the number of broadcasts required to support communications. Also, any hosts
on the network that are listening for broadcasts will see the initial ARP request and can cache the
requestor’s MAC and IP addresses. This will reduce the potential number of ARP requests
(broadcast traffic) that consume bandwidth. So, in most cases, when a computer needs a MAC
address for a given IP address it will first look in the ARP cache and see if there is an entry. If there
is, it will use it; if there is not, then it will send out an ARP request to obtain the information.
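As an added example (not part of the SANS material), the following Python builds and parses the RFC 826 ARP packet laid out on the earlier slide and runs the 42.1/42.2 exchange through a small ARP cache that looks up first, broadcasts only on a miss, learns the sender's pair from any packet it sees on the segment, and records when an existing IP-to-MAC mapping changes. The MAC addresses are constructed, using the Cisco and Sun vendor prefixes quoted in the notes.

```python
import struct
from ipaddress import IPv4Address

# RFC 826 ARP packet for IPv4 over Ethernet (28 bytes), in the field order shown
# on the slide: hardware type, protocol type, HLEN, PLEN, operation,
# source (sender) MAC, source IP, target MAC, target IP.
ARP_FMT = "!HHBBH6s4s6s4s"
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"

# Vendor prefixes quoted in the notes (first half of the MAC address).
VENDOR_PREFIX = {"00:00:0c": "Cisco", "08:00:20": "Sun"}


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def vendor_of(mac):
    """Look up the vendor from the first three octets, or None if unknown."""
    return VENDOR_PREFIX.get(mac.lower().replace("-", ":")[:8])


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                       mac_to_bytes(sender_mac), IPv4Address(sender_ip).packed,
                       mac_to_bytes(target_mac), IPv4Address(target_ip).packed)


def parse_arp(data):
    size = struct.calcsize(ARP_FMT)
    if len(data) < size:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, data[:size])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op,
            "sender_mac": bytes_to_mac(smac), "sender_ip": str(IPv4Address(sip)),
            "target_mac": bytes_to_mac(tmac), "target_ip": str(IPv4Address(tip))}


class ArpHost:
    """A host with an ARP cache: look up first, broadcast a request only on a
    miss, answer requests for its own IP, and learn the sender pair from every
    ARP packet seen on the segment (so the requester gets cached too)."""

    def __init__(self, mac, ip):
        self.mac, self.ip = mac, ip
        self.cache = {}          # ip -> mac
        self.requests_sent = 0
        self.alerts = []         # a mapping that changes is worth logging

    def learn(self, ip, mac):
        old = self.cache.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"{ip} changed from {old} to {mac}")
        self.cache[ip] = mac

    def observe(self, packet):
        """Process one ARP packet from the wire; return a reply if one is due."""
        p = parse_arp(packet)
        self.learn(p["sender_ip"], p["sender_mac"])
        if p["op"] == OP_REQUEST and p["target_ip"] == self.ip:
            return build_arp(OP_REPLY, self.mac, self.ip, p["sender_mac"], p["sender_ip"])
        return None

    def resolve(self, ip):
        """Return (mac, request): mac on a cache hit, else a request to broadcast."""
        if ip in self.cache:
            return self.cache[ip], None
        self.requests_sent += 1
        return None, build_arp(OP_REQUEST, self.mac, self.ip, ZERO_MAC, ip)


def arp_exchange():
    """Constructed run of the slide's exchange between 172.20.42.1 and .42.2."""
    a = ArpHost("00:00:0c:34:15:43", "172.20.42.1")   # constructed MACs
    b = ArpHost("08:00:20:11:22:33", "172.20.42.2")
    mac, request = a.resolve(b.ip)            # miss: 42.1 must broadcast
    reply = b.observe(request)                # 42.2 learns 42.1 and answers
    a.observe(reply)                          # 42.1 caches 42.2's MAC
    mac_again, _ = a.resolve(b.ip)            # hit: no second broadcast
    return a, b, mac, mac_again
```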
Simple Routing
• The following are the steps that are performed when one computer wants to talk with another on the same network
– Using the subnet mask it determines the network portion of the source and destination
– If they are on the same network, then it can directly send it the packet
– The source looks to see if there is an entry in the ARP cache
– If not, then an ARP request is sent out
– Packet sent to MAC address
To better understand how the two addresses interact, let’s look at a simple routing example where the
two hosts that are communicating are on the same network segment. First, if computer A (the source
computer) wants to send a packet to computer B (the destination computer), computer A would take
the two addresses and use the subnet mask to determine if the two computers are on the same
network segment. In this case, since the two computers are on the same network, computer A can
directly send packets to computer B and they do not need to use a router. In order to send a packet to
computer B, computer A needs to know what the MAC address is. So, it would first look up the IP
address in the ARP cache to see if there is an entry and, if so, it would use the MAC address. Since
there was not an entry in this case, it would send out an ARP request asking for the MAC address for
computer B. Once it received the reply, computer A would put an entry in its ARP cache. Now, it
has all of the information it needs so it would send out the packet with the IP address and MAC
address of computer B. Computer B would see the packet, determine that the packet is for that
computer and process the packet.
The important thing to point out with this example is that the IP address was used to determine the
route, but the MAC address was actually used to directly send a packet to a specific computer.
Complex Routing
• Continuing from the simple example
– Computer determines two systems are on different networks
– Source determines default router
• Finds MAC address for default router
• Send packet to default router
– Default router determines next hop based on destination IP
• Finds MAC address for next hop
• Sends packet to MAC address of next hop
– Continues in this fashion
– Note: MAC address changes for each packet but IP address does not
Now let’s look at a more complex example where the two systems are on different networks. Using
the subnet mask, if the source computer determines that the two computers are on different networks,
then the source determines what its default gateway or router is, finds the MAC address by either
using the ARP cache or an ARP request and sends the packet to that router. That packet has the
MAC address of the default router but the IP address of the actual destination computer. The default
router receives the packet and uses the IP address to determine the next hop, finds the MAC address
for the next hop and forwards the packet to the next router. The process continues in this fashion
until the packet gets to the destination computer.
Notice the IP address does not change and is the same for each packet. This is key because this is the
information that each router uses to determine how to get to the next hop and eventually to the
destination. Since the MAC address is used to actually send a packet to a computer, the MAC
address changes each time to point to the next router the packet has to go to.
Now let’s look at a graphical representation of this process.
Routing Example
[Diagram: 172.20.41.1 and 172.20.41.2 on one cable, 172.20.19.212 and 172.20.19.8 on another, joined by a router.]
41.2 wants to talk to 19.8, what has to happen?
- 41.2 builds a packet, puts it on the media
- Router forwards it to 19.8
On your slide, host 172.20.41.2 wants to talk to 172.20.19.8. The big star represents a router. Recall
that a Class B network might expect two octets of address space for the net ID, and two octets of
address space for the host ID. But we can modify that using a netmask.
Assuming a netmask of 255.255.255.0 on this Class B network, the 19 cable is a different
subnetwork than the 41 cable. For these systems to talk, they are going to need to enlist the aid of the
router.
A router is a system that has more than one network interface; we call this multihomed. A router is
something that has the ability to forward packets from one of those interfaces to the other. We call
this IP forwarding.
41.2 is going to assemble the packet that is addressed to 19.8. Because of the netmask, 41.2 knows
19.8 is not on the same network, since the third octet of the two addresses (41 in one case and 19 in
the other), which the netmask marks as part of the network portion, is not the same. So what happens?
There is an IP address called the default router stored in 41.2’s network configuration. 41.2 passes the
packet to the default router and the router sorts out how to deliver it. A default router is sometimes
referred to as a default gateway.
How Routing Works
[Diagram: 172.20.41.2 and 172.20.19.8 with the router between them.]
Router collects packet and substitutes its own MAC address for 41.2’s; this way, when 19.8 replies, it will come back to the router.
So the router has the packet. It knows which of its interfaces are the 41 cable and which are the 19
cable. So, it copies the packet from the 41 cable to the 19 cable. There is one very important
operation though, before letting the packet go.
Remember ARP? A system on the 19 cable isn’t going to have a 41 cable system in its ARP table.
So, before we can send this packet on, the router needs to put its own MAC address in the Ethernet
frame header as the source address. This is done in case the 19.8 host does not have this MAC
address in its ARP cache; it will not have to do a broadcast for the MAC address. This just makes the
process more efficient if the 19.8 host’s default router is the above router. It is possible that the 19.8
host may not use this router as the default router.
Let’s just say that this is the default router for 19.8. The reply from 19.8 will be picked up by the
router and it can then copy the packet onto the 41 cable. Once again, it can place the MAC address
of the router’s 41 subnet interface [into the frame header as the source address] and the packet gets
back to the source host, 41.2.
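The following Python is an added example, not code from the course: it performs the subnet-mask check, the default-router decision and the per-hop MAC rewrite described on the last few slides for the 172.20.41.2 to 172.20.19.8 scenario, with the router's 172.20.41.1 and 172.20.19.212 interfaces and a 255.255.255.0 netmask. The MAC addresses and the pre-filled ARP caches are constructed so the focus stays on forwarding, and the router also accepts static routes so that it can forward beyond its directly connected cables.

```python
from ipaddress import IPv4Address, ip_interface


def same_network(ip_a, ip_b, mask):
    """The check every host makes first: mask both addresses and compare
    the network portions."""
    return ip_interface(f"{ip_a}/{mask}").network == ip_interface(f"{ip_b}/{mask}").network


class Host:
    def __init__(self, ip, mask, mac, gateway=None):
        self.ip, self.mask, self.mac, self.gateway = ip, mask, mac, gateway
        self.arp = {}   # ip -> mac; filled by the caller to stand in for ARP

    def send(self, dst_ip, payload):
        """Build the frame for dst_ip: direct if on the same network, else to
        the default router. The IP header names the real destination either way."""
        if same_network(self.ip, dst_ip, self.mask):
            next_hop = dst_ip
        elif self.gateway is not None:
            next_hop = self.gateway
        else:
            raise ValueError(f"{self.ip}: no route to {dst_ip} and no default router")
        return {"src_mac": self.mac, "dst_mac": self.arp[next_hop],
                "src_ip": self.ip, "dst_ip": dst_ip, "payload": payload}


class Router:
    """Multihomed device doing IP forwarding: pick the egress interface, keep
    the IP header, and rewrite both MAC addresses for the next hop."""

    def __init__(self, interfaces, static_routes=None):
        # interfaces: [(ip, mask, mac)]; static_routes: {"net/prefix": next_hop_ip}
        self.interfaces = [ip_interface(f"{ip}/{mask}") for ip, mask, _ in interfaces]
        self.mac = {str(i.ip): mac for i, (_, _, mac) in zip(self.interfaces, interfaces)}
        self.static_routes = static_routes or {}
        self.arp = {}

    def _egress(self, dst_ip):
        """Return (interface, next_hop_ip) for dst_ip, or None if unroutable."""
        dst = IPv4Address(dst_ip)
        for iface in self.interfaces:                 # directly connected wins
            if dst in iface.network:
                return iface, dst_ip
        for net, next_hop in self.static_routes.items():   # then static routes
            if dst in ip_interface(net).network:
                for iface in self.interfaces:
                    if IPv4Address(next_hop) in iface.network:
                        return iface, next_hop
        return None

    def forward(self, frame):
        route = self._egress(frame["dst_ip"])
        if route is None:
            return None                               # dropped: no route
        iface, next_hop = route
        out = dict(frame)
        out["src_mac"] = self.mac[str(iface.ip)]      # router's own MAC on that cable
        out["dst_mac"] = self.arp[next_hop]           # next hop's MAC; IP untouched
        return out


def slide_scenario():
    """The slide's setup with constructed MACs: 41.2 talks to 19.8 via the
    router whose interfaces are 172.20.41.1 and 172.20.19.212."""
    mask = "255.255.255.0"
    h41 = Host("172.20.41.2", mask, "00:00:0c:00:41:02", gateway="172.20.41.1")
    h19 = Host("172.20.19.8", mask, "08:00:20:00:19:08", gateway="172.20.19.212")
    r = Router([("172.20.41.1", mask, "00:00:0c:00:41:01"),
                ("172.20.19.212", mask, "00:00:0c:00:19:d4")])
    h41.arp["172.20.41.1"] = "00:00:0c:00:41:01"
    h19.arp["172.20.19.212"] = "00:00:0c:00:19:d4"
    r.arp.update({"172.20.19.8": h19.mac, "172.20.41.2": h41.mac})
    request = h41.send(h19.ip, b"hello")        # goes to the router's 41 MAC
    delivered = r.forward(request)              # leaves on the 19 cable
    reply = r.forward(h19.send(h41.ip, b"ok"))  # comes back the same way
    return request, delivered, reply
```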
How Routing Works (2)
[Diagram: site network 128.38.0.0 with subnets 128.38.15.0 and 128.38.20.0, connected to the INTERNET.]
Routing protocols exchange information so that routers on the Internet know the location of a site’s primary point of connection(s).
In our first example, both of the subnetworks were directly connected to a single router. This is of
course a simple case. On the Internet, routing protocols – dynamic routing protocols – are used so
the routers can pass the packet forward until it reaches the router that is the well-known location for a
network address.
As the Internet has continued to grow, provisioning routers with enough memory to hold these very
large and growing tables has been a challenge for a number of organizations.
In the picture shown above, 128.38.0.0 and all it contains can be considered an autonomous system.
Exterior Gateway Protocols are used to communicate between autonomous systems. A well-
known example of this is the Border Gateway Protocol (BGP).
Now let’s look at routing protocols in more detail.
Routing Protocols
• Distance Vector
– RIP
• Link State
– OSPF
• Hybrid
– EIGRP
– BGP
We have seen how routing works and how packets get from source to destination, but how do routers
actually determine the best path a packet should take through the network? The way routers do this
is by communicating information with each other, giving each router information about possible
paths through a network. As with everything, with computers you want things done in a uniform
fashion so protocols are developed. Routing protocols are the rules that routers use to communicate
information with each other. There are two general types of routing protocols: Distance vector and
link state.
Distance Vectors
• Identifies neighbors and figures out distance metrics to each network
• Problems
– Routing loops
• Solutions
– Defining a maximum
– Split Horizon
– Poison Reverse
– Hold down timers
Distance vector protocols work by each router identifying all of its neighbors or routers that it has a direct
connection to. Any router that it is directly connected to has a distance of 0. Then, by using the information it
receives from its neighbors, it builds a routing table based on metrics to determine how many hops it would take
to get to a destination network. They iterate on the number of hops to find the shortest-path spanning tree. To
get the information they need, routers typically share their entire routing table with each of their neighbors. These
algorithms tend to be simpler than link state algorithms, but sending the entire table not only consumes
additional bandwidth but can also be slow to converge, which leaves the routing table open to having
routing loops develop.
With distance vector routing protocols, slow convergence on a new configuration can cause inconsistent
entries to exist which cause a routing loop to be created. An example of a routing loop is: Router A sends all of
its traffic to router B and router B sends all of its traffic to router C, and router C sends all of its traffic to router
A. Now all the traffic is caught in an endless loop. This could be caused by the convergence problem. Let’s
say that router A has a direct connection to a network and router B has an indirect connection through many
hops to the same network. At this point, both router C and B will send their traffic through router A. Let’s say
router A’s direct link to that network has gone down. Well, router A knows that there is a slower connection
through router B so it sends its traffic to router B. Router C is slow in processing the information, so it still thinks that it can get to the
network via router A. So it tells router B, that it can get to the network in a small number of hops. Router B,
knowing that the link for router A is down, thinks this is a better link and sends its traffic to router C; little does
it know that router C is still sending it to router A. So now A sends its traffic to B, B sends it to C, and C sends
it back to A. See how quickly a routing loop can be created?
There are many different ways that routing loops can be avoided and we will briefly go over them now.
Defining a maximum hop count will limit the extent of the routing loop. Split horizon also works very well and
what it says is that you should never send information about a route back in the direction from which the
information originally came from. Poison reverse is a variation of split horizon, where router entries are not
modified so that they stay consistent with other routers until all routers have had a chance to make the update.
Hold-down timers are used with poison reverse and tell routers to hold any changes that might impact routes for
a period of time.
Now that we understand some of the issues with distance vector protocols, let’s look at one of the most
common distance vector protocols, RIP.
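An added simulation (not from the course) of the routing-loop story above: routers A, B and C form a triangle, only A reaches network N, every router advertises its whole table to every neighbor with no split horizon, and when A's link fails the loop counts up hop by hop until the defined maximum (16 in RIP) declares N unreachable everywhere. The `infinity` parameter shows how the chosen maximum bounds how long the loop lasts; the synchronous round model is an assumption made to keep the run deterministic.

```python
def dv_round(metrics, direct, neighbors, infinity):
    """One synchronous exchange for a single destination network.

    Every router advertises its current hop count to every neighbor (no split
    horizon) and keeps the best of (advertised + 1), capped at infinity. A
    router directly attached to the destination keeps metric 1.
    metrics and the result are {router: (metric, next_hop)}.
    """
    new = {}
    for router, nbrs in neighbors.items():
        if router in direct:
            new[router] = (1, "direct")
            continue
        best, via = infinity, None
        for n in nbrs:
            candidate = min(metrics[n][0] + 1, infinity)
            if candidate < best:
                best, via = candidate, n
        new[router] = (best, via)
    return new


def run_until_stable(metrics, direct, neighbors, infinity=16, max_rounds=500):
    """Iterate until no entry changes; return (rounds_that_changed, final_state)."""
    current = metrics
    for rounds in range(max_rounds):
        nxt = dv_round(current, direct, neighbors, infinity)
        if nxt == current:
            return rounds, current
        current = nxt
    return max_rounds, current


# Constructed from the notes' story: A, B and C form a triangle and only A is
# directly connected to network N.
TRIANGLE = {"A": ["B", "C"], "B": ["A", "C"], "C": ["A", "B"]}


def converge_then_fail(infinity=16):
    """Converge with A's link up, then take it down and watch the loop count
    up until the maximum hop count declares N unreachable on every router.

    Returns (steady_state, first_round_after_failure, rounds_to_settle, final).
    """
    start = {r: (infinity, None) for r in TRIANGLE}
    _, steady = run_until_stable(start, {"A"}, TRIANGLE, infinity)
    # A's link to N fails: A flushes the route, B and C still believe A has it.
    after_failure = dict(steady, A=(infinity, None))
    first = dv_round(after_failure, set(), TRIANGLE, infinity)
    rounds, final = run_until_stable(after_failure, set(), TRIANGLE, infinity)
    return steady, first, rounds, final
```

In the first round after the failure A believes B has the network, B believes C has it and C believes B has it, which is the loop the notes describe; each later round adds one hop until every router reaches the maximum.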
RIP
• Distance vector protocol
• Hop count is used as the metric
• Maximum hop count is 15
• Routing updates every 30 seconds
• Can load balance over multiple paths
RIP or Routing Information Protocol is a basic protocol used for routers to exchange routing
information and the details of RIP are specified in RFC 1058. Let’s look at some of the key
characteristics of RIP. RIP is a distance vector protocol and uses hop count as the metric. This is an
important limitation of RIP: the only thing it uses to determine the shortest path is the number of
hops, or the number of routers a packet has to go through. It does not take into consideration
bandwidth. So, if I have one route that goes through 2 routers that are connected via 56k lines and
another route that goes through 3 routers that are all connected via T3’s, RIP will only look at hop
count and say 2 is less than 3 and send the data over the 56k connection. Also, the maximum hop
count for RIP is 15; a hop count of 16 is considered unreachable. So with large networks where
there are more than 15 routers or 15 possible hops a packet can go through, RIP will not work. RIP
works by sending routing updates to all of a router’s neighbors every 30 seconds and can also load
balance over multiple paths if they are equal in terms of metrics.
As you can see, RIP is not a complicated protocol but also has limitations based on its simplicity.
Link State
• SPF – shortest path first algorithm
• Maintains topology information
• Has full knowledge of all routers and how they connect
• All routers have similar picture of the entire network
We discussed distance vector protocols and looked at an example of RIP. As we have seen, they are
fairly basic but are also very limited. The second type of routing protocol is link state; these
protocols overcome the limitations of distance vector protocols but also add complexity. Link state uses
SPF or the shortest path first algorithm. The way it works is that each router maintains a database
that has topology information about the entire network. Each router not only knows about its
neighbors, but knows about all routers that are on the network and how they are connected. Since all
routers maintain full knowledge, each router should have a similar picture of the network and
therefore similar information.
Now let’s look at another widely used routing protocol, BGP.
BGP – Border Gateway Protocol
• Specifies routing between autonomous systems or networks that are very large
• Is an exterior gateway protocol (EGP)
• Performs 3 types of routing:
– inter-autonomous system routing
– intra-autonomous system routing
– pass-through autonomous system routing
BGP or border gateway protocol is an exterior gateway protocol which determines how routing
should be performed between autonomous systems. An autonomous system is a network or group of
networks that are under the control of a single entity. The Internet is composed of a large number of
autonomous systems that are interconnected. BGP performs 3 general types of routing:
inter-autonomous system routing
intra-autonomous system routing
pass-through autonomous system routing
Inter-autonomous system routing occurs between two or more BGP routers in different autonomous
systems. Peer routers in these systems use BGP to maintain a consistent view of the internetwork
topology. BGP neighbors communicating between autonomous systems must reside on the same
physical network.
Intra-autonomous system routing occurs between two or more BGP routers located within the same
autonomous system. Peer routers within the same autonomous system use BGP to maintain a
consistent view of the system topology. BGP also is used to determine which router will serve as the
connection point for specific external autonomous systems.
Pass-through autonomous system routing occurs between two or more BGP peer routers that
exchange traffic across an autonomous system that does not run BGP. In a pass-through autonomous
system environment, the BGP traffic did not originate within the autonomous system in question and
is not destined for a node in the autonomous system.
Distance Vector vs. Link State
• Distance Vector
– Only has information on neighbors
– Simple metric such as hop count
– Frequent updates
– Slow convergence
• Link State
– View of entire network
– Calculates shortest path to each router
– Event triggered updates
– Fast convergence
Now that we have covered both distance vector and link state protocols, let’s summarize this section
by taking a brief comparison of the two. From a simplicity standpoint distance vector is simpler but
it also does not scale as well to larger networks. Distance vector only has information about each of
its neighbors, while link state protocols have a view of the entire network. Distance vector uses a
simple metric such as hop count and does not include critical elements like bandwidth. Link state
calculates the shortest path to each router and looks at various elements like bandwidth and
congestion. Distance vector protocols automatically send updates at frequent intervals whether there is a
change or not, which results in slow convergence. Link state only updates the routing tables when
certain events occur and therefore can converge much more quickly.
Let’s finish our study of routers by looking at access control lists and how routers can filter out
certain traffic.
Access Control Lists
Adding security filtering to routers
Let’s finish up this module on routers and look at access control lists or ACLs. ACLs give routers
filtering capabilities, so a router can act as a packet filtering firewall.
Access Control Lists (ACLs)
• Access lists control what traffic can pass through a router
– In-bound
– Out-bound
• Two main types
– Standard
– Extended
A router is a device that routes traffic between different networks. Therefore, when a network
connects to another network such as the Internet, the way they connect is via a router. This means
that all traffic must pass through the router to enter or leave the network. Therefore, to provide
access control and to limit who can access what, a router is an ideal place to perform filtering of
traffic. Because a router is reviewing traffic, it can perform what we call packet filtering, which
means based on the information in the headers of a packet it will determine whether it should allow
or deny specific traffic. It can do this for traffic coming into the router, traffic leaving the router, or
both.
There are two general types of access lists that we will cover: Standard and extended ACLs.
Standard ACLs
• ID 1-99
• Check source address of packets
• Denies or allows IP based on address
A standard access control list performs very limited filtering of packets. With standard ACLs you
can deny or allow traffic based on the source IP address of packets. In Cisco IOS every ACL must
have an ID, and the ID number can tell you the type of access list you are working with. If the ID is
between 1 through 99, then it is a standard ACL.
For more advanced filtering, let’s look at extended access control lists.
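As an added example (not from the course), this Python evaluates standard ACLs the way the slide describes them: the ID must be 1-99, only the source address is checked, rules are tried in order with the first match deciding, and a packet matching nothing is dropped by the implicit deny that ends every Cisco access list. The sample access list and the addresses run through it are constructed; the wildcard-mask matching follows the Cisco convention where a 0 bit must match and a 1 bit is ignored.

```python
import re
from ipaddress import IPv4Address

RULE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+?)\s*$")


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care


def parse_standard_acl(lines):
    """Parse 'access-list <1-99> permit|deny <source>' lines into {id: rules}.

    <source> may be 'any', 'host A.B.C.D', 'A.B.C.D' (same as host) or
    'A.B.C.D W.W.W.W'. Order is preserved because the first match wins.
    """
    acls = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("!"):        # blank or IOS comment
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        acl_id, action, source = int(m.group(1)), m.group(2), m.group(3).split()
        if not 1 <= acl_id <= 99:
            raise ValueError(f"ACL {acl_id} is not a standard ACL (IDs 1-99)")
        if source == ["any"]:
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif source[0] == "host":
            base, wildcard = source[1], "0.0.0.0"
        elif len(source) == 1:
            base, wildcard = source[0], "0.0.0.0"
        else:
            base, wildcard = source[0], source[1]
        acls.setdefault(acl_id, []).append((action, base, wildcard))
    return acls


def evaluate(rules, src_ip):
    """First matching rule decides; an unmatched packet hits the implicit deny.
    Returns (action, index_of_matching_rule_or_None)."""
    for index, (action, base, wildcard) in enumerate(rules):
        if wildcard_match(src_ip, base, wildcard):
            return action, index
    return "deny", None


# Constructed example list, not from the course: permit the 41 subnet, block
# one host on the 19 subnet, permit the rest of 172.20.0.0/16.
SAMPLE_ACL = """
! standard ACL 10, applied to the inside interface
access-list 10 permit 172.20.41.0 0.0.0.255
access-list 10 deny host 172.20.19.212
access-list 10 permit 172.20.0.0 0.0.255.255
"""


def filter_by_source(acl_text, acl_id, src_ips):
    """Apply one standard ACL to a list of source addresses; return {ip: decision}."""
    rules = parse_standard_acl(acl_text.splitlines())[acl_id]
    return {ip: evaluate(rules, ip) for ip in src_ips}
```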
