1/28/2013
Inspect context-based access control (CBAC)
TCP intercept
Encryption

Here's the order of operations for the outside-to-inside list:

1. If IPSec, then check input access list
2. Decryption for CET or IPSec
3. Check input access list
4. Check input rate limits
5. Input accounting
6. NAT outside to inside (global to local translation)
7. Policy routing
8. Routing
9. Redirect to Web cache
10. Crypto (check map and mark for encryption)
11. Check output access list
12. Inspect CBAC
13. TCP intercept
14. Encryption

Let's say that you have an IP packet coming in on an outside-to-inside interface. When translating that packet, you want to use an access control list to block traffic from certain IP addresses. Which IP address should you put in the ACL: the IP address before the packet's translation (i.e., the public IP address), or the IP address after the packet's translation (i.e., the private address)? By checking the order of operations, you can determine that the "NAT outside to inside" operation occurs after the "Check input access list" task. Therefore, you would use the public IP address in the ACL, because the packet hasn't gone through NAT yet when the input access list is checked. On the other hand, what if you want to create a static route for traffic going through NAT? Should you use the public (outside) or private (inside) IP address? In this case, you would use the private (inside) IP address, because the traffic has already gone through NAT by the time it reaches the "Routing" operation.
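To make the two answers above concrete, here is an added Python model of the three stages the argument turns on (input access list, NAT outside to inside, routing), applied in the order the list gives; it is example code written for this page, not from the column or from Cisco. The addresses, the static NAT entry and the route are constructed for illustration, and the ACL is matched against both source and destination so the destination-translation case is covered as well.

```python
import ipaddress

# Constructed static NAT entry: global (public) address -> local (private) address.
NAT_OUTSIDE_TO_INSIDE = {"203.0.113.10": "10.1.1.10"}

def check_input_acl(pkt, deny_hosts):
    """Stage 'Check input access list'. It runs before NAT, so it only ever sees
    the untranslated (public) addresses. Returns True if the packet is permitted."""
    return pkt["src"] not in deny_hosts and pkt["dst"] not in deny_hosts

def nat_outside_to_inside(pkt):
    """Stage 'NAT outside to inside': global-to-local translation of the destination."""
    local = NAT_OUTSIDE_TO_INSIDE.get(pkt["dst"])
    return dict(pkt, dst=local) if local else pkt

def route(pkt, static_routes):
    """Stage 'Routing': longest-prefix match on the destination as it is NOW,
    i.e. after NAT, so static routes must name the private address space."""
    dst = ipaddress.ip_address(pkt["dst"])
    best = None
    for prefix, next_hop in static_routes.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def forward_outside_to_inside(pkt, deny_hosts, static_routes):
    """Apply the three modelled stages in the order the column lists them."""
    if not check_input_acl(pkt, deny_hosts):
        return "dropped by input ACL"
    pkt = nat_outside_to_inside(pkt)
    next_hop = route(pkt, static_routes)
    return f"routed to {next_hop} for {pkt['dst']}" if next_hop else "no route"

# Constructed inbound packet from an Internet host to the server's public address.
INBOUND = {"src": "198.51.100.5", "dst": "203.0.113.10"}
ROUTES = {"10.1.1.0/24": "10.1.1.1"}  # route written against the INSIDE prefix

if __name__ == "__main__":
    # Filtering on the private address never matches inbound: the ACL runs pre-NAT.
    print(forward_outside_to_inside(INBOUND, {"10.1.1.10"}, ROUTES))
    # Filtering on the public address (or the outside source) does match.
    print(forward_outside_to_inside(INBOUND, {"203.0.113.10"}, ROUTES))
    # A route for the public prefix is never used: routing runs post-NAT.
    print(forward_outside_to_inside(INBOUND, set(), {"203.0.113.0/24": "192.0.2.1"}))
```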
Input policing (through a class-based policer or CAR)
IPSec
Cisco Express Forwarding (CEF) or Fast Switching

Here's the order of operations for outbound traffic from the router:

1. CEF or Fast Switching
2. Output common classification
3. Output ACLs
4. Output marking
5. Output policing (through a class-based policer or CAR)
6. Queueing (Class-Based Weighted Fair Queueing (CBWFQ) and Low Latency Queueing (LLQ)) and Weighted Random Early Detection (WRED)

Being familiar with the order of operations is vital when it comes to understanding how traffic flows within a router and how to control that traffic. In my experience, the NAT order of operations matters most when you're using any combination of NAT, crypto, ACLs, routing, or other features on the list. Without a proper understanding of the order of operations, you can spend an entire week troubleshooting a basic NAT and ACL combination without any luck. Knowing the order of operations can really make a difference.
David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.
techrepublic.com/article//6055946