ITP4111
Open Standards Networking
[Figure: packet forwarding through a router with an ACL applied (inbound interface, route process, forwarding process, outbound interface). Example packets: DA=3.3.3.3 SA=1.1.1.1; DA=3.3.3.1 SA=1.1.1.1, TCP DP=80 SP=2032.]
• Apply the ACL on the router as near to the source as possible, so that unwanted traffic is dropped before it is forwarded unnecessarily.
• Advanced ACL
Deploy the advanced ACL on the interface nearest the source to be filtered, so that the unwanted traffic is stopped at the first hop.
• Basic ACL
A basic ACL matches only on source address, so deploying it too near a source to be denied may also block that source's legitimate access to other networks.
Deploy the basic ACL as near to the source as possible while guaranteeing that the source's legitimate accesses are not affected.
Public Addresses
Private Addresses
[Figure: Regional Internet Registries world map, from commons.wikimedia.org/wiki/File:Regional_Internet_Registries_world_map.svg]
[Figure: NAT (no-pat). HostA 10.0.0.1 and HostB 10.0.0.2 sit behind the NAT device (inside interface 10.0.0.254/24, outside interface 198.76.28.1/24); the server 198.76.29.4/24 is on the Internet. Address pool: 198.76.28.11 ~ 20.]
NAT table
Inside Address    Global Address
10.0.0.1          198.76.28.11
10.0.0.2          198.76.28.12
[Figure: the same topology with RTA as the NAT device. The reply from the server arrives at RTA with D=198.76.28.11, S=198.76.29.4 (step 4) and is translated back to D=10.0.0.1, S=198.76.29.4 (step 6).]
3. Associate the address pool with ACL 2000 and enable NAT in the outbound direction of the interface
[RTA]interface Ethernet0/1
[RTA-Ethernet0/1]nat outbound 2000 address-group 1 no-pat

3. Configuring NAT
Command syntax: nat outbound acl-number address-group group-number no-pat
[RTA]acl number
[RTA-acl-basic-2000]rule 0 permit source
[RTA]nat address-group
[RTA]interface
[RTA-Ethernet0/1]nat outbound address-group no-pat
[Figure: NAPT, several inside hosts sharing one pool address. Same topology as above (RTA inside 10.0.0.254/24, outside 198.76.28.1/24, server 198.76.29.4/24, address pool 198.76.28.11 ~ 20).]
NAT table
Inside Address:Port    Global Address:Port
10.0.0.1:1024          198.76.28.11:2001
10.0.0.2:1024          198.76.28.11:3001
[The reply from the server, D=198.76.28.11 P=2001, S=198.76.29.4 P=80 (step 4), is translated to D=10.0.0.1 P=1024, S=198.76.29.4 P=80 (step 6).]
[Figure: NAT outbound without an address pool (the address of the outbound interface is used). Server 10.0.0.1 behind RTA (inside interface 10.0.0.254/24, Eth0/1 198.76.28.1/24 towards the Internet); external host 198.76.29.4/24.]
2. Associate the address pool with ACL 2000 and enable NAT in the outbound direction of the interface
[RTA]interface Ethernet0/1
[RTA-Ethernet0/1] nat outbound 2000
[Figure: NAT server (static mapping). Internal host 10.0.0.1 (inside) is published as 198.76.28.11 (global) through RTA Eth0/1 (198.76.28.1/24); RTA's inside interface is E0/0; external host HostC 198.76.29.4/24 is on the Internet.]
[RTA]interface Ethernet0/1
#Map the private address and port to the public address and port for the internal server
[RTA-Ethernet0/1] nat server protocol tcp global 198.76.28.11 telnet inside 10.0.0.1 telnet
[Figure: NAPT for an FTP session. Same topology (RTA inside 10.0.0.254/24, outside 198.76.28.1/24, FTP server 198.76.29.4/24, address pool 198.76.28.11 ~ 20).]
NAT table
Inside Address:Port    Global Address:Port
10.0.0.1:1024          198.76.28.11:2001
10.0.0.1:5001          198.76.28.11:2002
[The reply from the FTP server, D=198.76.28.11 P=2002, S=198.76.29.4 P=21 (step 4), is translated to D=10.0.0.1 P=5001, S=198.76.29.4 P=21 (step 6).]
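The three translation behaviours shown in the NAT figures above (no-pat address mapping, NAPT port multiplexing, and the static nat server entry), as an added model that is not part of the course slides. It reuses the slide addresses (pool 198.76.28.11 ~ 20, server 198.76.29.4) and assumes sequential global port allocation starting at 2001; `Packet` and `NatDevice` are illustrative names.

```python
from dataclasses import dataclass, replace

POOL = ["198.76.28.%d" % i for i in range(11, 21)]   # address pool 198.76.28.11 ~ 20 from the slides

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatDevice:
    """Toy model of RTA. Mode 'no-pat' gives each inside host its own pool address and
    keeps the port; mode 'napt' shares POOL[0] and rewrites the source port instead."""

    def __init__(self, mode):
        self.mode = mode
        self.table = {}          # inside (ip, port-or-None) -> global (ip, port-or-None)
        self.free = list(POOL)   # pool addresses not yet handed out (no-pat)
        self.next_port = 2001    # next global port to allocate (napt; sequential by assumption)
        self.static = {}         # nat server entries: global (ip, port) -> inside (ip, port)

    def add_server(self, global_ip, global_port, inside_ip, inside_port):
        self.static[(global_ip, global_port)] = (inside_ip, inside_port)

    def outbound(self, pkt):
        """Translate a packet leaving through the outside interface; None means dropped."""
        if self.mode == "napt":
            key = (pkt.src, pkt.sport)
            if key not in self.table:
                self.table[key] = (POOL[0], self.next_port)
                self.next_port += 1
            gip, gport = self.table[key]
            return replace(pkt, src=gip, sport=gport)
        key = (pkt.src, None)
        if key not in self.table:
            if not self.free:
                return None                      # pool exhausted
            self.table[key] = (self.free.pop(0), None)
        return replace(pkt, src=self.table[key][0])  # source port is untouched

    def inbound(self, pkt):
        """Reverse-translate a packet from the Internet; None means no entry, dropped."""
        if (pkt.dst, pkt.dport) in self.static:  # static server mapping: reachable unsolicited
            iip, iport = self.static[(pkt.dst, pkt.dport)]
            return replace(pkt, dst=iip, dport=iport)
        for (iip, iport), (gip, gport) in self.table.items():
            if gip == pkt.dst and gport in (None, pkt.dport):
                return replace(pkt, dst=iip, dport=pkt.dport if iport is None else iport)
        return None
```

Unsolicited packets from the Internet only get through where a static nat server entry exists; dynamic entries are created by outbound traffic and a pool exhaustion in no-pat mode silently drops new hosts, which is the filtering property the figures rely on.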
[Figure: 802.1X/EAP authentication chain. The EAP peer talks to the authenticator (Network Access Server, NAS) over 802.1X/EAP or PPP; the authenticator relays to the authentication server (RADIUS server, e.g. Microsoft NPS) over RADIUS; the authentication server consults a directory service (e.g. AD). The TLS exchange runs between the EAP peer and the authentication server.]
Originally defined in RFC 2716 and updated in RFC 5216, EAP-TLS is widely supported and offers excellent security. The downside of EAP-TLS is the client-side certificate requirement, which makes deployment more labor intensive, especially on a large scale.
© VTC 2013 ILO 5 69
Protected Extensible Authentication Protocol (PEAP)
SW2950(config)#interface FastEthernet0/1
SW2950(config-if)#switchport mode access
SW2950(config-if)#dot1x port-control auto
SW2950(config-if)#spanning-tree portfast
SW2950(config-if)#end
• Informs are traps that include a request for confirmation of receipt from
the SNMP manager.
interface Vlan1
ip address 192.168.19.1 255.255.255.0
no shut
!
snmp-server community public RO
[switch]snmp-agent
[switch]snmp sys ver v1
[switch]snmp community write private
[switch]snmp community read public
[switch]snmp trap enable
[switch]snmp target-host trap address udp-domain 192.168.1.201 params securityname public
//192.168.1.201 is the SNMP management server's IP address
Router(config)#snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list]
The first example (below) shows how to define a user John belonging to the group johngroup. Authentication uses the password john2passwd and no privacy (no encryption) is applied. The second example shows how user Bill, belonging to the group billgroup, is defined using the password bill3passwd, with privacy (encryption) applied.
PR1(config)#snmp-server user John johngroup v3 auth md5 john2passwd
PR1(config)#snmp-server user Bill billgroup v3 auth md5 bill3passwd des56 password2
PR1(config)#snmp-server group johngroup v3 auth
PR1(config)#snmp-server group billgroup v3 auth
PR1(config)#snmp-server group billgroup v3 priv
SNMP-Server Engine ID
Walked_device(config)#snmp-server group snmpgroup v3 auth
Walked_device(config)#snmp-server group snmpgroup v3 priv
Walked_device(config)#snmp-server user snmpuser snmpgroup v3 auth md5 authpassword priv des encryptpassword
The SNMP engine ID is a unique string used to identify the device for administration purposes. The local engine ID is generated automatically once an SNMP user is created, but both the local and the remote engine ID may be configured explicitly with the snmp-server engineID global configuration command.
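A configuration audit for the snmp-server lines in the SNMP sections above, as an added example that is not part of the course slides. It flags the v1/v2c community strings (cleartext, default names) and the v3 security levels and algorithms (noauth/auth/priv, MD5, DES), including the older `des56` user syntax shown on the slides; `SAMPLE_CONFIG` is constructed from the slide's lines plus one hardened user, and `audit_snmp` and `worst_severity` are illustrative names.

```python
import re

# Constructed sample: the slide's own lines plus one hardened SNMPv3 user for contrast.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server group johngroup v3 auth
snmp-server group billgroup v3 priv
snmp-server group opsgroup v3 noauth
snmp-server user John johngroup v3 auth md5 john2passwd
snmp-server user Bill billgroup v3 auth md5 bill3passwd des56 password2
snmp-server user Ops opsgroup v3 auth sha Auth-Example-1 priv aes 128 Priv-Example-1
"""

DEFAULT_COMMUNITIES = {"public", "private"}

def audit_snmp(config):
    """Return (severity, line, reason) findings for IOS-style snmp-server lines."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"snmp-server community (\S+)", line):
            # v1/v2c: the community string is the only credential and travels in cleartext
            findings.append(("high", line, "v1/v2c community string is sent in cleartext"))
            if m.group(1).lower() in DEFAULT_COMMUNITIES:
                findings.append(("high", line, "default community name %r" % m.group(1)))
        elif m := re.match(r"snmp-server group \S+ (v1|v2c)\b", line):
            findings.append(("high", line, "group uses %s: no auth, no encryption" % m.group(1)))
        elif m := re.match(r"snmp-server group \S+ v3 (noauth|auth|priv)\b", line):
            if m.group(1) == "noauth":
                findings.append(("high", line, "v3 group without authentication"))
            elif m.group(1) == "auth":
                findings.append(("medium", line, "v3 group without privacy (no encryption)"))
        elif m := re.match(r"snmp-server user \S+ \S+ v3 .*\bauth (md5|sha)\b", line):
            if m.group(1) == "md5":
                findings.append(("low", line, "MD5 authentication; prefer SHA"))
            if not re.search(r"\b(priv|des56|3des|aes)\b", line):   # des56 form has no 'priv' keyword
                findings.append(("medium", line, "v3 user without a privacy key"))
            elif re.search(r"\b(des|des56|3des)\b", line):
                findings.append(("low", line, "DES privacy; prefer AES"))
    return findings

def worst_severity(findings):
    """Highest severity present, so a CI check can fail on 'high'."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((f[0] for f in findings), key=order.get, default=None)
```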