Professional Documents
Culture Documents
NOTE
Task Example
Limit network traffic to • A corporate policy prohibits video traffic on the network to reduce
increase network the network load.
performance • A policy can be enforced using ACLs to block video traffic.
• A corporate policy requires that routing protocol traffic be limited to
Provide traffic flow certain links only.
control • A policy can be implemented using ACLs to restrict the delivery of
routing updates to only those that come from a known source.
• Corporate policy demands that access to the human resources
Provide a basic level
network be restricted to authorized users only.
of security for network
• A policy can be enforced using ACLs to limit access to specified
access
networks.
Filter traffic based on • Corporate policy requires that email traffic be permitted into a
traffic type network but that Telnet access be denied.
Packet Filtering
Packet filtering controls access to a network by analysing the incoming
and/or outgoing packets and forwarding them or discarding them based on given
criteria. Packet filtering can occur at Layer 3 or Layer 4.
• Inbound ACL - filters packets before they are routed to the outbound
interface. An inbound ACL is efficient because it saves the overhead of
routing lookups if the packet is discarded. If a packet is permitted by the ACL,
it is processed for routing. Inbound ACLs are best used to filter packets when
the network attached to an inbound interface is the only source of packets
that need to be examined.
• Outbound ACL – filters packets after they are routed, regardless of the
inbound interface. Incoming packets are routed to the outbound interface,
and they are then processed through the outbound ACL. Outbound ACLs are
best used when the same filter will be applied to packets coming from multiple
inbound interfaces before exiting the same outbound interface.
Wildcard masks use the following rules to match binary 1s and 0s:
• Wildcard mask bit 0: Match the corresponding bit value in the address.
• Wildcard mask bit 1: Ignore the corresponding bit value in the address.
Decimal Binary
IPv4 address 192.168.1.1 11000000.10101000.00000001.00000001
Wildcard mask 0.0.0.255 00000000.00000000.00000000.11111111
Permitted
IPv4 address 192.168.1.0/24 11000000.10101000.00000001.00000000
Example 1
Say that you wanted an ACE in ACL 10 to permit access to all users in the
192.168.3.0/24 network. To calculate the wildcard mask, subtract the subnet mask
(that is, 255.255.255.0) from 255.255.255.255.
The solution produces the wildcard mask 0.0.0.255. Therefore, the ACE
would be access-list 10 permit 192.168.3.0 0.0.0.255.
Example 2
In the command output, two ACLs are configured. The ACL 10 ACE permits
only the 192.168.10.10 host, and the ACL 11 ACE permits all hosts.
Numbered ACLs
ACLs 1 to 99 and 1300 to 1999 are standard ACLs, while ACLs 100 to 199
and 2000 to 2699 are extended ACLs.
Named ACLs
Using named ACLs is the preferred method when configuring ACLs. You can
name standard and extended ACLs to provide information about the purpose of
each ACL.
The following are the general rules to follow for named ACLs:
1. Assign a name to identify the purpose of the ACL.
2. Names can contain alphanumeric characters.
3. Names cannot contain spaces or punctuation.
4. It is suggested that a name be written in CAPITAL LETTERS.
5. Entries can be added or deleted within an ACL.
Factors
Influencing ACL Explanation
Placement
The extent of • Placement of the ACL can depend on whether the organization
organizational has control of both the source and destination networks.
control
• It may be desirable to filter unwanted traffic at the source to
Bandwidth of the
prevent transmission of bandwidth-consuming traffic.
networks involved
Prior to lease expiration, the client begins a two-step process to renew the lease
with the DHCPv4 server, as shown in the figure:
1. DHCP Request (DHCPREQUEST). Before the lease expires, the client
sends a DHCPREQUEST message directly to the DHCPv4 server that
originally offered the IPv4 address. If a DHCPACK is not received within a
specified amount of time, the client broadcasts another DHCPREQUEST so
that one of the other DHCPv4 servers can extend the lease.
2. DHCP Acknowledgment (DHCPACK). On receiving the DHCPREQUEST
message, the server verifies the lease information by returning a DHCPACK.
Step 3. Configure the DHCPv4 pool. The address pool and default gateway router
must be configured. Use the network statement to define the range of available
addresses. Use the default-router command to define the default gateway
router. These commands and other optional commands are shown in the table.
DHCPv4 Relay
• In a complex hierarchical network, enterprise servers are usually located
centrally. These servers may provide DHCP, DNS, TFTP, and FTP services
for the network. Network clients are not typically on the same subnet as those
FN-WK-16-17 IT122 – NETWORKING TECHNOLOGY 2 12
servers. In order to locate the servers and receive services, clients often use
broadcast messages.
• In the figure, PC1 is attempting to acquire an IPv4 address from a DHCPv4
server using a broadcast message. In this scenario, R1 is not configured as
a DHCPv4 server and does not forward the broadcast. Because the DHCPv4
server is located on a different network, PC1 cannot receive an IP address
using DHCP. R1 must be configured to relay DHCPv4 messages to the
DHCPv4 server.
• Configure R1 with the ip helper-address address interface configuration
command. This will cause R1 to relay DHCPv4 broadcasts to the DHCPv4
server. As shown in the example, the interface on R1 receiving the broadcast
from PC1 is configured to relay DHCPv4 address to the DHCPv4 server at
192.168.11.6.
• When R1 has been configured as a DHCPv4 relay agent, it accepts
broadcast requests for the DHCPv4 service and then forwards those
requests as a unicast to the IPv4 address 192.168.11.6. The network
administrator can use the show ip interface command to verify the
configuration.
REFERENCES
Cisco Press, Copyright 2017 Cisco System, Inc. Routing and Switching Essentials
V6: Companion Guide 9781587134289 By Cisco Networking Academy