
Router-B#show ip route
......
D    10.10.12.0 [90/409600] via 192.168.10.1, Serial0/0
C    10.10.13.0 is directly connected, Loopback0
C    10.10.14.0 is directly connected, Loopback1
C    10.10.15.0 is directly connected, FastEthernet0/0
Router-B#

Router A is advertising only the 10.10.12.0 network to Router B; thus the only route Router B learns from Router A is 10.10.12.0 (the remaining entries are Router B's own connected networks). Now Router B must be configured so that Router A learns only the 10.10.15.0 network. Listing 1.27 displays the configuration that is needed on Router B.

Listing 1.27: Router B configured with an outbound route filter.

interface Serial0/0
 ip address 192.168.10.2 255.255.255.252
!
router eigrp 50
 network 10.0.0.0
 network 192.168.10.0
 distribute-list 4 out Serial0/0
 no auto-summary
!
access-list 4 permit 10.10.15.0

Router B is configured with access list 4, which permits only the 10.10.15.0 network; the list is referenced by an outbound distribute-list on Serial0/0 under the EIGRP routing process. Because a standard access list entry with no wildcard mask matches only that exact network address, and every access list ends with an implicit deny, Router B's other networks (10.10.13.0 and 10.10.14.0) are dropped from the update. The number in the distribute-list command must match the access-list number: a distribute-list that points at a list with no entries filters nothing, since IOS treats an undefined access list as permit any. The next step is to check the route table of Router A to determine whether the required results have been met. Listing 1.28 displays the route table of Router A.

Listing 1.28: Route table of Router A after applying an outbound route filter on Router B.

Router-A#sh ip route
......
C    10.10.10.0 is directly connected, Loopback0
C    10.10.11.0 is directly connected, Loopback1
C    10.10.12.0 is directly connected, Ethernet0/0
D    10.10.15.0 [90/409600] via 192.168.10.2, Serial0/0
Router-A#

After viewing the route table of Router A, you can determine that Router B is advertising only the 10.10.15.0 network to Router A; thus, Router A only knows about the 10.10.15.0 network.
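The following Python model is an added example and is not code from the book: it reproduces how an IOS outbound distribute-list with a standard access list decides which prefixes a router advertises, including the wildcard-mask match, the implicit deny at the end of every list, and the case where the distribute-list references a list number that has no entries. The route list, the access-list contents and the list numbers are constructed to mirror the Router A / Router B scenario above; list 5 and the "undefined list 3" case are assumptions added for illustration.

```python
# Added example (not from the book): models how an IOS outbound
# distribute-list with a standard access list decides which prefixes
# a router advertises. Routes and access lists below are constructed
# to mirror the Router A / Router B scenario in the text.
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    address: str                # network address as typed on the CLI
    wildcard: str = "0.0.0.0"   # IOS default when no wildcard mask is typed


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def entry_matches(entry: AclEntry, prefix_addr: str) -> bool:
    """Standard ACL match: every bit where the wildcard is 0 must be equal."""
    care = ~_to_int(entry.wildcard) & 0xFFFFFFFF
    return (_to_int(entry.address) & care) == (_to_int(prefix_addr) & care)


def acl_permits(entries: list, prefix_addr: str) -> bool:
    """First matching entry wins; every list ends with an implicit deny."""
    for entry in entries:
        if entry_matches(entry, prefix_addr):
            return entry.action == "permit"
    return False


def outbound_filter(routes: list, acls: dict, list_number: int) -> list:
    """
    Apply 'distribute-list <list_number> out' to the routes a router would
    otherwise advertise. A list number with no entries (for example a typo
    such as 'distribute-list 3' when only access-list 4 is defined) is
    treated as permit any, as IOS does for an undefined access list, so
    the filter silently does nothing.
    """
    entries = acls.get(list_number, [])
    if not entries:
        return list(routes)
    return [r for r in routes if acl_permits(entries, r.split("/")[0])]


# Constructed data: Router B's connected networks and two candidate lists.
ROUTER_B_ROUTES = ["10.10.13.0/24", "10.10.14.0/24", "10.10.15.0/24"]
ACLS = {
    4: [AclEntry("permit", "10.10.15.0")],                  # Listing 1.27
    5: [AclEntry("deny", "10.10.13.0"),                      # assumed list:
        AclEntry("permit", "10.0.0.0", "0.255.255.255")],    # block one, allow rest of 10/8
}

if __name__ == "__main__":
    print(outbound_filter(ROUTER_B_ROUTES, ACLS, 4))   # only 10.10.15.0/24
    print(outbound_filter(ROUTER_B_ROUTES, ACLS, 5))   # 10.10.13.0/24 dropped
    print(outbound_filter(ROUTER_B_ROUTES, ACLS, 3))   # list 3 undefined: everything advertised
```

Running the block prints the three cases; the third one is the check worth keeping in mind when a filter "does not work": confirm with show access-lists that the number in the distribute-list actually has entries.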

Suppressing Route Advertisements

To prevent other routers on a network from learning routes dynamically, you can stop routing update messages from being sent out a router interface. To accomplish this, use the passive-interface <interface> routing process configuration command. This command can be used with all IP-based routing protocols except the Exterior Gateway Protocol (EGP) and Border Gateway Protocol (BGP). When an interface is placed in the passive state, the router stops sending routing protocol advertisements out of that interface. For RIP and IGRP the interface still listens for and accepts any route advertisement it receives, so the router becomes a silent host on the specified interfaces. EIGRP and OSPF behave differently: passive-interface also suppresses hello packets, so no neighbor adjacency forms on that interface and no routes are sent or received over it. A passive interface should therefore face only networks where the router has no routing neighbors, such as a LAN of end hosts; making a serial link to another router passive (as is done with Serial0/0 in the example below) tears down the EIGRP adjacency across it. To configure an interface as passive, use the passive-interface <interface> command under routing protocol configuration mode; this command is all that is needed to stop an interface from advertising networks.

Here is an example of configuring an interface as passive:

interface FastEthernet0/0
 ip address 10.10.15.1 255.255.255.0
!
interface Serial0/0
 ip address 192.168.10.2 255.255.255.252
!
router eigrp 50
 passive-interface FastEthernet0/0
 passive-interface Serial0/0
!

Configuring HTTP Access

Cisco routers include an HTTP server, which makes configuration and administration easier, especially for someone who does not have much experience with the command-line interface. The HTTP server is disabled by default on most platforms and must be enabled manually; because a few platforms and IOS releases ship with it enabled, confirm its state with show running-config and disable it with no ip http server wherever it is not needed. Follow these steps to enable HTTP server functionality (only the first step is mandatory):

1. To enable the HTTP server, use the ip http server global configuration command.

2. To specify how the router authenticates users who connect to the server, use the following global configuration command. The default, enable, checks the enable password, which is shared by every administrator; local or aaa is preferable because it identifies individual users:

ip http authentication {aaa|enable|local|tacacs}

3. To control which hosts can reach the HTTP server, use this global configuration command. Without it, any host with IP reachability to the router can attempt a login:

ip http access-class {access-list-number|access-list-name}

4. By default, the HTTP server listens for connection attempts on port 80. This can be changed with the ip http port <number> global configuration command. Moving the port only hides the server from casual scanning; it is not an access control.

Figure 1.6 displays a host named Jeff at IP address 192.168.10.100 who uses his Web browser to administer the router. Jeff accesses the HTTP server on the router on port 8080 and uses the local method of authentication. The following example configuration displays the HTTP server configuration that is needed so that Jeff can access the router.


Figure 1.6: User Jeff needs HTTP access to the router.

SecureRouter#show running-config
......
username Jeff privilege 10 password 0 NewUser
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
!
ip http server
ip http port 8080
ip http access-class 20
ip http authentication local
!
access-list 20 permit 192.168.10.100
!

Warning: If the HTTP server is enabled and local authentication is used, it is possible, under some circumstances, to bypass the authentication and execute any command on the device. For further information, please see the following Web page: http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html. Note also that the username line in the example stores Jeff's password in clear text (password 0); on releases that support it, use username Jeff privilege 10 secret <password> instead, and if the HTTP server is not required at all, leave it disabled.
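The checks in this section, expressed as a configuration audit, are shown below as an added example; this is not code from the book or from Cisco. It parses the HTTP-related lines of an IOS running-config and reports the weak settings discussed above (the default enable authentication, a missing access-class) plus two checks a practitioner would add: a username stored with password 0, and an access-class that points at a list with no entries. The three sample configurations are constructed (the first follows the SecureRouter listing above), and the finding names are invented for this example.

```python
# Added example (not from the book): audits the HTTP server settings in an
# IOS running-config. Covers the checks in the text (access-class and
# authentication method) plus two practitioner checks: cleartext
# 'password 0' usernames and an access-class with no matching entries.
# All configurations below are constructed samples.
import re


def parse_http_config(config_text: str) -> dict:
    """Pull the HTTP-related lines out of a running-config."""
    cfg = {"server": False, "auth": "enable",    # IOS default: enable password
           "access_class": None, "port": 80,
           "acl_entries": {}, "cleartext_users": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "ip http server":
            cfg["server"] = True
        elif line == "no ip http server":
            cfg["server"] = False
        elif (m := re.fullmatch(r"ip http authentication (\S+)", line)):
            cfg["auth"] = m.group(1)
        elif (m := re.fullmatch(r"ip http access-class (\S+)", line)):
            cfg["access_class"] = m.group(1)
        elif (m := re.fullmatch(r"ip http port (\d+)", line)):
            cfg["port"] = int(m.group(1))
        elif (m := re.match(r"access-list (\S+) (permit|deny) ", line)):
            cfg["acl_entries"].setdefault(m.group(1), []).append(line)
        elif (m := re.match(r"username (\S+) .*\bpassword 0 ", line)):
            cfg["cleartext_users"].append(m.group(1))
    return cfg


def audit_http(config_text: str) -> list:
    """Return finding strings; an empty list means nothing was flagged."""
    cfg = parse_http_config(config_text)
    findings = []
    for user in cfg["cleartext_users"]:
        findings.append(f"cleartext-password: username {user} is stored with 'password 0'")
    if not cfg["server"]:
        return findings           # nothing listening, nothing more to check
    if cfg["auth"] == "enable":
        findings.append("http-auth-enable: HTTP logins use the shared enable password; use local or aaa")
    if cfg["access_class"] is None:
        findings.append("http-no-access-class: every host that can reach the router can reach the HTTP server")
    elif cfg["access_class"] not in cfg["acl_entries"]:
        findings.append(f"http-acl-undefined: access-class {cfg['access_class']} has no entries, so it permits everyone")
    return findings


# Constructed sample 1: the SecureRouter listing from the text.
BOOK_STYLE = """\
username Jeff privilege 10 password 0 NewUser
!
ip http server
ip http port 8080
ip http access-class 20
ip http authentication local
!
access-list 20 permit 192.168.10.100
"""

# Constructed sample 2: server on, authentication left at its default,
# access-class refers to list 30 but only list 20 is defined.
WEAK = """\
ip http server
ip http access-class 30
!
access-list 20 permit 192.168.10.100
"""

# Constructed sample 3: the same listing with the password stored as a secret.
HARDENED = """\
username Jeff privilege 10 secret NewUser
!
ip http server
ip http access-class 20
ip http authentication local
!
access-list 20 permit 192.168.10.100
"""

if __name__ == "__main__":
    for name, cfg in (("book", BOOK_STYLE), ("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_http(cfg) or ["clean"])
```

The audit deliberately stops at what the page configures. On releases that offer it, the stronger fix is no ip http server, or ip http secure-server together with the same access-class, so that credentials do not cross the network in the clear.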
