07-15-2011 05:46 PM - edited 03-04-2019 01:00 PM
Event Date : July 20, 2011
Event Time : 9:00 am PDT
Location : http://www.facebook.com/CiscoSupportCommunity
What is a Facebook Forum?
A Facebook forum is an online conversation, held at a pre-arranged time in a Facebook community.
How Do I Participate?
07-27-2011 02:19 PM
Here's a condensed summary from the event converted into a Q & A.
ACLs can be used for two main purposes.
Filtering - Here we can manage IP traffic by filtering packets passing through the router.
Classification - Here we can identify traffic for special handling.
Though we can effectively achieve the same filtering by configuring either an inbound or an outbound ACL (once we make sure we define the right source and destination), the basic differences between the two are as follows:
In an inbound ACL, incoming packets are processed before they are routed to an outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet will be discarded after it is denied by the filtering tests. If the packet is permitted by the tests, it is then processed for routing.
In an outbound ACL, incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.
A standard ACL checks the source address and generally permits or denies the entire protocol suite; an extended ACL checks both source and destination and generally permits or denies specific protocols and applications.
We can also have a named ACL, which we need to define as either a standard or an extended ACL.
Example:
ip access-list standard name
ip access-list extended name
It is used to match interesting traffic, which controls what goes through the VPN tunnel and what does not.
We do have sequence numbers in a numbered ACL. They can be configured manually.
We can configure the following command on Cisco IOS:
ip dhcp excluded-address low-address [high-address]
We can create something called a manual entry in the DHCP configuration. This configuration would make sure only the IP address mapped to the client ID is handed out when this particular host requests an IP. Here are some examples and commands.
Step 1
Router(config)# ip dhcp pool name
Creates a name for a DHCP server address pool and places you in DHCP pool configuration mode, identified by the (dhcp-config)# prompt.
Step 2
Router(dhcp-config)# host address [mask | /prefix-length]
Specifies the IP address and subnet mask of the client.
The prefix length specifies the number of bits that comprise the address prefix. The prefix is an alternative way of specifying the network mask of the client. The prefix length must be preceded by a forward slash (/).
Step 3
Router(dhcp-config)# client-identifier unique-identifier
Specifies the unique identifier for DHCP clients. This command is used for DHCP requests.
DHCP clients require client identifiers. The unique identification of the client is specified in dotted hexadecimal notation, for example, 01b7.0813.8811.66, where 01 represents the Ethernet media type.
It represents the media type; for instance, 01 represents the Ethernet media type.
We can configure different pools for different subnets, or router interfaces as you might say. If we have multiple interfaces, which means multiple different L3 networks, each L3 domain would need its own pool. There is no order of preference; rather, the server decides which domain the request is coming from and gives an IP accordingly. To be precise, it uses the source interface on which the request is received.
If we are configuring one-to-one NAT, we would not require an ACL. However, in most cases we require an ACL to match the source traffic, or we would match a route-map, which would in turn match an ACL.
In that case we need to find out where exactly the packets are dropped. First, we need to find out if connectivity (L2 and L3) is fine. The next step is to see if there is an ACL or a firewall on the server that blocks these packets. Finally, take a packet capture to get the exact picture.
NAT has many forms and can work in the following ways:
1. Static NAT : Maps an unregistered IPv4 address to a registered IPv4 address (one to one). Static NAT is particularly useful when a device must be accessible from outside the network.
2. Dynamic NAT: maps an unregistered IPv4 address to a registered IPv4 address from a group of registered IPv4 addresses.
3. NAT overloading: Maps multiple unregistered IPv4 addresses to a single registered IPv4 address (many to one) by using different ports. Overloading is also known as PAT, and is a form of dynamic NAT.
A route-map is extremely helpful when you want to match more than one criterion for a certain defined traffic pattern.
Route-maps have many features in common with widely known access control lists (ACLs).
Cisco recommends that you number clauses in intervals of 10, to reserve numbering space in case you need to insert clauses in the future.
For each route that is being redistributed, the router first evaluates the match command of a clause in the route-map. If the match criteria succeed, then the route is redistributed or rejected as dictated by the permit or deny clause, and some of its attributes might be modified by set commands. If the match criteria fail, then this clause is not applicable to the route, and Cisco IOS software proceeds to evaluate the route against the next clause in the route-map. The scan of the route-map continues until a clause is found whose match command(s) match the route or until the end of the route-map is reached.
Do not configure a set command in a deny route-map clause because the deny clause prohibits route redistribution—there is no information to modify.
A route-map clause without a match or set command still performs an action. An empty permit clause allows redistribution of the remaining routes without modification. An empty deny clause does not allow redistribution of the other routes (this is the default action if a route-map is completely scanned but no explicit match is found).
It differentiates the direction in which traffic is hitting the router. Outside NAT will create a NAT entry only when traffic is initiated from outside and hits the router in the outside-to-inside direction, while it is the other way around for inside NAT.
NetFlow is the de facto standard for acquiring IP operational data. It provides network and security monitoring, network planning, traffic analysis, and IP accounting.
To understand how NetFlow works we need to first understand what a flow is.
Each packet that is forwarded within a router is examined for a set of IP packet attributes to determine whether the packet is unique or similar to other packets.
Traditionally, an IP flow is defined by a set of seven key fields:
Source IP address
Destination IP address
Source port
Destination port
Layer 3 protocol
TOS byte (DSCP)
Input interface
All packets with the same source/destination IP address, source/destination ports, protocol, input interface and type of service are grouped into a flow and then packets and bytes are collected. This way of determining a flow is scalable because a large amount of network information is condensed into a database of NetFlow information called the NetFlow cache.
This information can be exported to a NetFlow analyser, which acts as the collector: a server in your network that runs the collector software.
The NetFlow collector has the job of assembling and understanding the exported flows and combining or aggregating them to produce valuable reports used for traffic and security analysis in real time. NetFlow export pushes information periodically to the NetFlow reporting collector. The flows that have terminated or expired are exported to the NetFlow collector server.
Flows are terminated when the network communication has ended (i.e. when a certain flow has completed, a packet contains the TCP FIN flag, or the timer has expired). The following steps are used to implement NetFlow data reporting:
NetFlow is configured to capture flows to the NetFlow cache
NetFlow export is configured to send flows to the collector
The NetFlow cache is searched for flows that have terminated/expired and these are exported to the NetFlow collector server
Flows are bundled together and typically transported in UDP format to the NetFlow collector server
The NetFlow collector software creates real-time or historical reports from the data collected.
Facebook forum discussion : http://www.facebook.com/CiscoSupportCommunity#!/CiscoSupportCommunity/posts/10150316114566412
Archive on Facebook notes:
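The route-map scan described in the summary above (clauses kept in sequence-number order, first match wins, deny clauses that drop the route and ignore any set command, an empty permit clause that matches everything, and the implicit deny when the scan reaches the end) is modelled below in Python. This is an added example, not code from the original post or from Cisco; the route attribute names ("prefix", "metric", "tag") and the two match helpers are assumptions standing in for real match statements such as "match ip address prefix-list" and "match tag".

```python
"""Model of how IOS scans a route-map at redistribution time.

Added illustration, not code from the original post or from Cisco. Route
attributes ("prefix", "metric", "tag") and the match helpers are assumptions
chosen for the example; real route-maps match on ACLs, prefix-lists, tags,
and more.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Route = Dict[str, object]
Match = Callable[[Route], bool]


@dataclass
class Clause:
    seq: int                                                # scanned in ascending order
    permit: bool                                            # permit or deny clause
    matches: List[Match] = field(default_factory=list)      # all must succeed (AND)
    sets: Dict[str, object] = field(default_factory=dict)   # applied on permit only


class RouteMap:
    def __init__(self, name: str):
        self.name = name
        self.clauses: List[Clause] = []

    def add(self, clause: Clause) -> None:
        # Clauses are kept in sequence order regardless of the order they were
        # entered, which is why numbering in steps of 10 leaves room to insert.
        self.clauses.append(clause)
        self.clauses.sort(key=lambda c: c.seq)

    def evaluate(self, route: Route) -> Tuple[bool, Route]:
        """Return (redistributed, route as it would be redistributed).

        The first clause whose match statements all succeed decides. A clause
        with no match statements matches every route. A deny clause drops the
        route and ignores set commands. If the scan reaches the end without a
        match, the route is denied (the implicit deny at the end of the map).
        """
        for clause in self.clauses:
            if all(m(route) for m in clause.matches):
                if not clause.permit:
                    return False, dict(route)
                out = dict(route)
                out.update(clause.sets)
                return True, out
        return False, dict(route)


def match_prefix_within(network: str) -> Match:
    """Stand-in for 'match ip address prefix-list' with one 'le 32' entry."""
    net = ipaddress.ip_network(network)
    return lambda r: ipaddress.ip_network(r["prefix"]).subnet_of(net)


def match_tag(tag: int) -> Match:
    """Stand-in for 'match tag'."""
    return lambda r: r.get("tag") == tag


# Constructed sample routes for the example (not from the original post).
SAMPLE_ROUTES: List[Route] = [
    {"prefix": "10.1.0.0/16", "metric": 20, "tag": 0},
    {"prefix": "10.2.0.0/16", "metric": 20, "tag": 666},
    {"prefix": "192.168.5.0/24", "metric": 20, "tag": 0},
]


def build_map(catch_all: bool) -> RouteMap:
    """Route-map with clauses entered out of order; optionally an empty permit."""
    rm = RouteMap("OSPF-TO-BGP")
    rm.add(Clause(20, True, [match_prefix_within("10.0.0.0/8")], {"metric": 50}))
    rm.add(Clause(10, False, [match_tag(666)]))   # sorts ahead of 20 despite entry order
    if catch_all:
        rm.add(Clause(30, True))                  # empty permit: everything else, unmodified
    return rm


def redistribute(catch_all: bool) -> List[Tuple[bool, Route]]:
    rm = build_map(catch_all)
    return [rm.evaluate(r) for r in SAMPLE_ROUTES]


if __name__ == "__main__":
    for catch_all in (False, True):
        print(f"catch-all clause present: {catch_all}")
        for ok, r in redistribute(catch_all):
            print("  ", "permit" if ok else "deny  ", r)
```

Without clause 30, 192.168.5.0/24 never matches a clause and falls to the implicit deny; with the empty permit clause it is redistributed untouched. The tagged 10.2.0.0/16 route is denied by clause 10 even though clause 20 would also have matched it, which is exactly why clause ordering matters.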
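The flow definition and expiry behaviour in the NetFlow section above, as an added Python example that is not part of the original post or of any Cisco software: a flow cache keyed on the seven fields listed, counting packets and bytes per flow, and exporting a record when a TCP FIN (or RST) is seen or when a timeout fires. The packet trace, the timeout values and the field names are constructed for the example.

```python
"""Minimal model of a NetFlow flow cache: flows keyed on the seven fields the
post lists, per-flow packet/byte counters, and export when a flow ends (TCP
FIN/RST) or times out. Added illustration, not code from the original post or
from Cisco; packets, timeouts and field names below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

TCP, UDP = 6, 17
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class FlowKey:
    """The traditional seven-tuple. Flows are unidirectional, so each
    direction of a TCP session is a separate key, and the same 5-tuple seen
    on a different input interface is a separate flow as well."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int
    tos: int
    in_ifindex: int


@dataclass
class FlowRecord:
    key: FlowKey
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


@dataclass
class Packet:
    ts: float
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int
    tos: int
    in_ifindex: int
    length: int
    tcp_flags: int = 0


class FlowCache:
    def __init__(self, inactive_timeout: float = 15.0, active_timeout: float = 1800.0):
        self.active: Dict[FlowKey, FlowRecord] = {}
        self.exported: List[FlowRecord] = []   # records that would go to the collector
        self.inactive_timeout = inactive_timeout
        self.active_timeout = active_timeout

    def observe(self, pkt: Packet) -> None:
        self.expire(pkt.ts)
        key = FlowKey(pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port,
                      pkt.proto, pkt.tos, pkt.in_ifindex)
        rec = self.active.get(key)
        if rec is None:
            rec = FlowRecord(key, first_seen=pkt.ts, last_seen=pkt.ts)
            self.active[key] = rec
        rec.packets += 1
        rec.octets += pkt.length
        rec.last_seen = pkt.ts
        # A FIN or RST ends the conversation: export the flow immediately.
        if pkt.proto == TCP and pkt.tcp_flags & (FIN | RST):
            self._export(key)

    def expire(self, now: float) -> None:
        """Export flows idle longer than the inactive timeout, or open longer
        than the active timeout (long-lived flows are reported in slices)."""
        for key, rec in list(self.active.items()):
            if (now - rec.last_seen >= self.inactive_timeout
                    or now - rec.first_seen >= self.active_timeout):
                self._export(key)

    def _export(self, key: FlowKey) -> None:
        self.exported.append(self.active.pop(key))


# Constructed trace: one HTTPS session, one DNS lookup, then a stray ACK later.
SAMPLE_PACKETS = [
    Packet(0.0, "10.1.1.5", "203.0.113.10", 51234, 443, TCP, 0, 1, 60, SYN),
    Packet(0.1, "203.0.113.10", "10.1.1.5", 443, 51234, TCP, 0, 2, 60, SYN | ACK),
    Packet(0.2, "10.1.1.5", "203.0.113.10", 51234, 443, TCP, 0, 1, 1400, ACK),
    Packet(0.3, "10.1.1.5", "192.0.2.53", 40000, 53, UDP, 0, 1, 70),
    Packet(0.4, "192.0.2.53", "10.1.1.5", 53, 40000, UDP, 0, 2, 120),
    Packet(1.0, "10.1.1.5", "203.0.113.10", 51234, 443, TCP, 0, 1, 52, FIN | ACK),
    Packet(1.1, "203.0.113.10", "10.1.1.5", 443, 51234, TCP, 0, 2, 52, FIN | ACK),
    Packet(30.0, "10.1.1.5", "203.0.113.10", 51234, 443, TCP, 0, 1, 52, ACK),
]


def run_trace(packets: Optional[List[Packet]] = None) -> FlowCache:
    cache = FlowCache(inactive_timeout=15.0)
    for pkt in (SAMPLE_PACKETS if packets is None else packets):
        cache.observe(pkt)
    return cache


if __name__ == "__main__":
    cache = run_trace()
    for rec in cache.exported:
        k = rec.key
        print(f"{k.src_ip}:{k.src_port} -> {k.dst_ip}:{k.dst_port} proto={k.proto} "
              f"ifindex={k.in_ifindex} pkts={rec.packets} bytes={rec.octets}")
    print("still active:", len(cache.active))
```

Running the trace exports four records: the two TCP directions as soon as their FINs arrive, and the two UDP directions only when the stray packet at t=30 triggers the inactive-timeout sweep. The late ACK then opens a fresh record under the same key, which is how a collector can see two records for what an analyst would call one session; the collector's job of "combining or aggregating" flows covers exactly that.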