Facebook Forum - IP Services - NAT,ACL,DHCP,NetFlow

Unanswered Question
Jul 15th, 2011
fbforum_gayathri.JPG
Puzzled  with how to translate ip addresses and ports efficiently ?
Wondering  how to lock down your network only for legitimate users ?
Having  issues with assigning IP addresses dynamically using Cisco router ?
Wondering  how to better manage traffic stats or check a DOS attack in your  network ?


We will be covering all these topics and of course  taking your questions. We will have our Cisco Expert, Gayathri Sundar  who is an engineer in the technical services team and focusing on  routing protocols. She has a CCNA & CCNP in R&S

Event Date : July 20, 2011

Event Time : 9:00 am PDT

Location : http://www.facebook.com/CiscoSupportCommunity

What is a Facebook Forum?

Facebook forum are online conversations, held at a pre-arranged time in a Facebook community.


How Do I Participate?

On the day of the event, go to http://www.facebook.com/CiscoSupportCommunity. Once you go to our Facebook fan page, be sure and click "Like" to become  a member of our Facebook community!
I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
morao Wed, 07/27/2011 - 14:19

Here's a condensed summary from the event converted into a Q & A.

ACL

Why would someone need to use ACL?

ACL can be used for two main purposes.

Filtering - Here we can manage IP traffic by filtering packets passing through router.

  • We Permit or deny traffic moving through the router
  • We permit or deny vty access to or from the router

Classification – Here we can identify traffic for special handling.

  • Identify the type of traffic to be encrypted across VPN
  • Identify the routes that are to redistributed from one Routing protocol to another
  • Use with Route filtering to identify which routes are to be included in routing updates between routers
  • Used with PBR to identify the type of traffic that is to be routed across a designated link
  • Used with NAT to identify which addresses are to be translated

What is the difference between Inbound and outbound ACL's?

Though we can effectively achieve the same filtering by configuring an inbound or an outbound ACL (once we make sure we define the right source and destination) , the basic difference between the two are as follows,

In an Inbound ACL, Incoming packets are processed before they are routed to an outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet will be discarded after it is denied by the filtering tests. if the packet is permitted by the test, it is then processed for routing

In an Outbound ACL, Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.

What are the different Types of ACL?

Standard ACL, which checks the source address and generally permits or denies and the entire protocol suite and the extended ACL that checks both source and destination and generally permits or denies specific protocols and applications

We can also have named ACL, where we need to define it either a standard or extended ACL.

Example:-

ip access-list standard

ip access-list extended

I am unsure when to choose one over the other (Inbound vs Outbound). Can you help me understand?

We can effectively achieve the same filtering by configuring an inbound or an outbound acl (once we make sure we define the right source and destination) , the basic difference between the two are as follows.

In an Inbound ACL, Incoming packets are processed before they are routed to an outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet will be discarded after it is denied by the filtering tests. if the packet is permitted by the test, it is then processed for routing

How do we link ACL to ipsec(VPN) protocol?

It is used to match interesting traffic, which controls what goes through the VPN tunnel and what does not.

Why do we use sequence number in numbered ACL when we can’t configure it manually?

We do have sequence number in numbered ACL. It can be configured manually.

DHCP

How can we exclude a range of ip addresses from a scope of a defined pool in Cisco IOS DHCP server?

We can configure the following command on a cisco IOS

ip dhcp exluded-address

Can we configure one certain Host such that it always obtains the same IP from the Cisco IOS DHCP server?

We can create something called a manual entry in the DHCP configurations. This configuration would make sure only the IP address mapped to the Client id would be handed out when this particular host requests for an IP. Here are some examples and commands.

Step 1

Router(config)# ip dhcp pool name

Creates a name for the a DHCP Server address pool and places you in DHCP pool configuration mode—identified by the (dhcp-config)# prompt.

Step 2

Router(dhcp-config)# host address [mask | /prefix-length]

Specifies the IP address and subnet mask of the client.

The prefix length specifies the number of bits that comprise the address prefix. The prefix is an alternative way of specifying the network mask of the client. The prefix length must be preceded by a forward slash (/).

Step 3

Router(dhcp-config)# client-identifier unique-identifier

Specifies the unique identifier for DHCP clients. This command is used for DHCP requests.

DHCP clients require client identifiers. The unique identification of the client is specified in dotted hexadecimal notation, for example, 01b7.0813.8811.66, where 01 represents the Ethernet media type.

What is the benefit of adding 01 or 10 as prefix of MAC in binding table?

It represents media type. For instance 01 represents the Ethernet media type.

Why do we need to create multiple pools and what is the preference order if any?

We can configure different pools for different subnets or router interfaces as you can say it. If we have multiple interfaces which mean multiple different L3 networks, each L3 domain would need to have its own pool. There is no order of pref, rather the server decides from which domain the request is coming from and gives an ip , to be precise, the source int on which the request is received.

Can’t we configure NAT without having ACL? Is there any alternative to configuring dynamic NAT (Pool) w/o creating ACL?

If we are configuring one to one NAT, we would not require an ACL. However in most cases we require acL to match the source traffic or we would match a route-map which would in turn be matching an ACL.

If we are getting rto on remote server frequently what do we need to do? Assume everything is fine at the ISPs end.

In that case we need to find where exactly the packets are dropped, we need to find out if connectivity ( L3 and L 2 ) is fine. Next step is to see if there is an ACL or a FW on the server that blocks these packets. Finally take a packet capture to get the exact picture.

NAT

What are the different ways to configure NAT ?

NAT has many forms and can work in the following way

1. Static NAT : Maps an unregistered IPv4 address to a registered IPv4 address (one to one). Static NAT is particularly useful when a device must be accessible from outside the network.

2. Dynamic NAT: maps an unregistered IPv4 address to a registered IPv4 address from a group of registered IPv4 addresses.

3. NAT overloading: - Maps multiple unregistered IPv4 addresses to a single registered IPv4 address (many to one) by using different ports. Overloading is also known as PAT, and is a form of Dynamic NAT.

Can you elaborate on route maps?

Route-map is extremely helpful when you want to match more than one criterion for a certain defined traffic pattern.

Route-maps have many features in common with widely known access control lists (ACLs).

  • They are an ordered sequence of individual statements, each has a permit or deny result. Evaluation of ACL or route-maps consists of a list scan, in a predetermined order, and an evaluation of the criteria of each statement that matches. A list scan is aborted once the first statement match is found and an action associated with the statement match is performed.
  • They are generic mechanisms—criteria matches and match interpretation are dictated by the way they are applied. The same route-map applied to different tasks might be interpreted differently.
  • Route-map clauses are numbered. Sequence numbers allow you to do these actions:  
    • Easily delete one specific clause but not affect other parts of the route-map.
    • Insert a new clause between two existing clauses.

Cisco recommends that you number clauses in intervals of 10, to reserve numbering space in case you need to insert clauses in the future.

  • Route-maps can have permit and deny clauses. These rules apply:  
    • If you use an ACL in a route-map permit clause, routes that are permitted by the ACL are redistributed.
    • If you use an ACL in a route-map deny clause, routes that are permitted by the ACL are not redistributed.
    • If you use an ACL in a route-map permit or deny clause, and the ACL denies a route, then the route-map clause match is not found and the next route-map clause is evaluated.
  • Each route-map clause has two types of commands:  
    • match—Selects routes to which this clause should be applied.
    • set—Modifies information which will be redistributed into the target protocol.

For each route that is being redistributed, the router first evaluates the match command of a clause in the route-map. If the match criteria succeeds, then the route is redistributed or rejected as dictated by the permit or deny clause, and some of its attributes might be modified by set commands. If the match criteria fails, then this clause is not applicable to the route, and Cisco IOS software proceeds to evaluate the route against the next clause in the route-map. Scan of the route-map continues until a clause is found whose match command(s) match the route or until the end of the route-map is reached.

  • A match or set command in each clause can be missed or repeated several times, if one of these conditions exist:  
    • If several match commands are present in a clause, all must succeed for a given route in order for that route to match the clause (in other words, the logical AND algorithm is applied for multiple match commands).
    • If a match command refers to several objects in one command, either of them should match (the logical OR algorithm is applied). For example, in the match ip address 101 121 command, a route is permitted if it is permitted by access list 101 or access list 121.
    • If a match command is not present, all routes match the clause.
    • If a set command is not present in a route-map permit clause then the route is redistributed without modification of its current attributes.

Do not configure a set command in a deny route-map clause because the deny clause prohibits route redistribution—there is no information to modify.

A route-map clause without a match or set command performs an action. An empty permit clause allows a redistribution of the remaining routes without modification. An empty deny clause does not allows a redistribution of other routes (this is the default action if a route-map is completely scanned but no explicit match is found).

What is the difference between inside NAT & outside NAT?

It differentiates in which direction traffic is hitting the router. Outside NAT will create a NAT entry only when traffic is initiated from outside and hits the router in OUT to IN direction while it’s the other way for inside NAT.

Netflow

What is Netflow?

NetFlow is the defacto standard for acquiring IP operational data. It provides network and security monitoring, network planning, traffic analysis, and IP accounting.

How does Netflow work?

To understand how Netflow works we need to first understand what a flow is.

Each packet that is forwarded within a router is examined for a set of IP packet attribute to determine if the packet is unique or similar to other packets.

Traditionally, an IP Flow is defined by a set of 7 unique keys.

Source IP address

Destination IP address

Source port

Destination port

Layer 3 protocol

TOS byte (DSCP)

Input interface

All packets with the same source/destination IP address, source/destination ports, protocol, input interface and type of service are grouped into a flow and then packets and bytes are collected. This way of determining a flow is scalable because a large amount of network information is condensed into a database of NetFlow information called the NetFlow cache.

This information can be exported to a netflow analyser , which will act as a collector, which would be a server in your network that runs a collector

The NetFlow collector has the job of assembling and understanding the exported flows and combining or aggregating them to produce valuable reports used for traffic and security analysis on a real time basis. NetFlow export, pushes information periodically to the NetFlow reporting collector. The flows that have terminated or expired are exported to the NetFlow collector server.

Flows are terminated when the network communication has ended, (ie: when a certain flow has completed, a packet contains the TCP FIN flag or the timer has expired). The following steps are used to implement NetFlow data reporting:

NetFlow is configured to capture flows to the NetFlow cache

NetFlow export is configured to send flows to the collector

The NetFlow cache is searched for flows that have terminated/expired and these are exported to the NetFlow collector server

Flows are bundled together and typically transported in UDP format to the NetFlow collector server

The NetFlow collector software creates real-time or historical reports from the data collected.

Facebook forum dicsussion : http://www.facebook.com/CiscoSupportCommunity#!/CiscoSupportCommunity/posts/10150316114566412

Archive on Facebook notes:

http://www.facebook.com/notes/cisco-online-support-community-netpro/facebook-forum-summary-ip-services-nat-acl-netflow-dhcp/229027667135844

Actions

Login or Register to take actions

This Discussion

Posted July 15, 2011 at 5:46 PM
Stats:
Replies:1 Avg. Rating:
Views:4176 Votes:0
Shares:0

Related Content

Discussions Leaderboard