Cisco Basics: Access Lists
Access lists let you describe traffic by its IP addresses, protocols and ports, and then act on any packet that matches that description. They are most commonly used to permit or deny traffic entering or leaving an interface, but the same lists are reused for many other purposes on IOS (restricting which hosts may log in to the vty lines, filtering routes in a distribute list, or selecting which addresses NAT is allowed to translate).
Cisco IOS routers and switches have two types of access control list:
- Standard
  Can only filter on the source IP address. Numbered standard ACLs use the ranges 1-99 and 1300-1999.
- Extended
  Can filter on source and destination IP address, on the Layer-4 protocol (TCP, UDP, ICMP and others) and, for TCP and UDP, on source and destination ports. Numbered extended ACLs use the ranges 100-199 and 2000-2699.
Access control lists (ACLs) can be configured as either numbered or named. A numbered ACL entered with the classic "access-list" command cannot be edited line by line: new entries are always appended to the end, and removing a single entry with "no access-list N ..." deletes the entire list, so the traditional way to alter one is to remove it and re-create it. Named ACLs can be modified after creation, and on IOS 12.3 and later the "ip access-list standard|extended" configuration mode also accepts a number, so individual entries of a numbered ACL can be inserted or removed by sequence number. In both cases entries are evaluated top down, the first match wins, and any packet that matches no entry is dropped by the implicit "deny any" at the end of every list.
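A worked configuration of the two list types, added here as an example and not taken from the original post. The addressing is assumed: the LAN is 192.168.1.0/24 on FastEthernet0/1, 192.168.1.50 is a management workstation and 10.0.0.5 is an internal web server.

```cisco
! Standard numbered ACL: only the source address is checked. Used here
! to restrict who may telnet/SSH to the router itself. Anything not
! listed hits the implicit "deny any" at the end.
access-list 10 remark Management hosts allowed to reach the vty lines
access-list 10 permit host 192.168.1.50
line vty 0 4
 access-class 10 in

! Extended named ACL: source, destination, protocol and port can all be
! matched. Order matters - the first matching entry wins, so the
! specific permits come before the broad deny.
ip access-list extended LAN-IN
 10 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq 443
 20 permit udp 192.168.1.0 0.0.0.255 any eq 53
 30 deny   ip  192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 40 permit ip  192.168.1.0 0.0.0.255 any
! Apply it to traffic entering the router from the LAN.
interface FastEthernet0/1
 ip access-group LAN-IN in

! Editing by sequence number (IOS 12.3 and later): insert an entry
! between 10 and 20 without rebuilding the list. The same configuration
! mode works for a numbered list, e.g. "ip access-list standard 10".
ip access-list extended LAN-IN
 15 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq 80
```

Check the result from privileged EXEC with "show access-lists": each entry carries a match counter, so an entry that never increments while the traffic you expect to hit it is flowing usually means an earlier line is matching first. Note that the 10.0.0.0/8 deny at sequence 30 only works because 443 and 80 to the server were permitted above it; reordering those lines would silently block the server.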
Cisco Basics: NAT and PAT
Address translation, commonly referred to as NAT or PAT, is the process of rewriting the addresses in traffic as it passes through a router so that it appears to come from a different address. It exists mainly because of the limited supply of IPv4 addresses: a network can use a large number of internal-only (private) addresses behind a much smaller number, usually one, of public internet addresses.
The translation is performed by a router that normally sits on the edge of the network, facing the internet service provider. In an ordinary routed network only the source and destination MAC addresses change as a packet passes through each router; with address translation the source IP address (and, for PAT, the source port) is rewritten as well, and the router keeps a translation table so that it can apply the reverse rewrite to the destination of the return traffic.
Generally speaking, there are two types of address translation:
- NAT
  Network Address Translation rewrites the source address to one taken from a pool of public addresses, one to one. The downside is that each internal host that is communicating at the same time needs its own public address, so the pool limits how many hosts can be online at once.
- PAT
  Port Address Translation usually has a single outside IP address and rewrites the source port as well as the source address when traffic leaves the router. The (address, port) pair is what lets the reply be mapped back to the right internal host, which is why thousands of hosts can share one public address.
Cisco has a few different NAT configurations depending on the scenario, I’ll cover them in more detail below. Before we get started, let’s assume we have the following configuration:
```
! Internal interface representing a LAN
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
! Outside interface representing the internet
interface FastEthernet0/2
 ip address 1.1.1.1 255.255.255.0
```
The first thing we need to do is specify which interface is inside our network and which is outside:
```
Router(config)# int Fa0/1
Router(config-if)# ip nat inside
Router(config-if)# int Fa0/2
Router(config-if)# ip nat outside
```
When executing the "ip nat inside" and "ip nat outside" commands the router may hang for a second; this is normal behaviour. It doesn't usually happen in Packet Tracer but may on production devices.
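The remaining pieces needed to turn the interface configuration above into a working PAT setup, added here as an example rather than taken from the original post. The interface addresses are the ones assumed above; the internal server 192.168.1.10, its public address 1.1.1.10, the spare pool 1.1.1.2-1.1.1.5 and the next hop 1.1.1.254 are assumptions.

```cisco
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface FastEthernet0/2
 ip address 1.1.1.1 255.255.255.0
 ip nat outside

! Which inside source addresses may be translated. Keep this tight: a
! "permit any" here will happily translate traffic you never intended,
! including spoofed sources arriving on the inside interface.
access-list 1 permit 192.168.1.0 0.0.0.255

! PAT ("overload"): every permitted inside host shares the address of
! the outside interface; the router rewrites the source port so that
! replies can be mapped back to the right host.
ip nat inside source list 1 interface FastEthernet0/2 overload

! Dynamic NAT would be the one-to-one alternative: hosts borrow an
! address from a pool, so only as many hosts as there are pool addresses
! can be online at once. Use this INSTEAD of the overload line above.
! ip nat pool PUBLIC 1.1.1.2 1.1.1.5 netmask 255.255.255.0
! ip nat inside source list 1 pool PUBLIC

! Static NAT for a server that must be reachable from the outside. This
! creates a permanent inbound path to 192.168.1.10 for every port, so
! pair it with an inbound ACL on FastEthernet0/2 that allows only the
! services the server is meant to expose.
ip nat inside source static 192.168.1.10 1.1.1.10

! Translated traffic still needs a route to the internet.
ip route 0.0.0.0 0.0.0.0 1.1.1.254
```

Verify from privileged EXEC with "show ip nat translations" (the static entry appears immediately; PAT entries appear only once an inside host sends traffic, and show the rewritten "inside global" address and port) and "show ip nat statistics", which reports the hit and miss counters and which interfaces are marked inside and outside. A translation that never appears usually means the source address is not matched by access-list 1 or that the packet did not enter on an interface marked "ip nat inside".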
Cisco Basics: Port Security
Port Security is a feature of Cisco Catalyst switches that restricts which, and how many, source MAC addresses are allowed on a switch port. The intention is to stop users plugging in unmanaged switches or hubs to extend the network from a single port. It is not a perfect solution, since MAC addresses can be spoofed by anyone who knows a permitted one, but it deters the average user and also blocks MAC flooding attacks against the switch's CAM table.
When a frame arrives on a protected port the switch records its source MAC address as a secure address. With the default settings (a maximum of one address and the "shutdown" violation mode) a frame from a second source MAC address is a violation: the switch puts the port into the err-disabled state, which drops all traffic until an administrator issues "shutdown" followed by "no shutdown" on the interface, or until errdisable recovery is configured to re-enable it. The other violation modes, "restrict" and "protect", keep the port up and only drop the offending frames; "restrict" also counts the violation and sends a syslog message and SNMP trap, "protect" does so silently.
Port security is enabled on a per-port basis, usually on all access ports. The port must be a static access (or trunk) port first; on the default "dynamic auto" mode the command is rejected. Enabling port security with the default options takes a single command:
```
Switch(config)# int fa0/1
Switch(config-if)# switchport port-security
```
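A fuller port-security configuration, added here as an example and not taken from the original post. The interface names, the MAC address 0011.2233.4455 and the recovery interval are assumptions.

```cisco
! A user port that carries a PC behind an IP phone, so two addresses
! are legitimate. Violations are logged but the port stays up.
interface FastEthernet0/1
 ! port security is only accepted on a static access (or trunk) port
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 ! "sticky": the first addresses seen are learned and written into the
 ! running config, so they survive a link flap. Save the config
 ! ("write memory") or they are lost on reboot.
 switchport port-security mac-address sticky
 ! restrict: drop frames from unknown MACs, count the violation and send
 ! a syslog/SNMP trap, but keep the port up. The default is shutdown,
 ! which err-disables the port instead.
 switchport port-security violation restrict

! A port hard-coded to one known device, using the default shutdown
! action so that any other device on this port takes the port down.
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0011.2233.4455

! Recover err-disabled ports automatically after 5 minutes instead of
! requiring a manual "shutdown" / "no shutdown" on the interface.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

Check the state with "show port-security interface fa0/1", which reports the port status (Secure-up, Secure-down or Secure-shutdown), the configured and current address counts, the violation mode and the violation counter; "show port-security address" lists every secure MAC and the port it is bound to. Sticky addresses also show up in "show running-config" as "switchport port-security mac-address sticky <mac>" lines under the interface.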
