www.saigonlab.vn
ACL Overview
ACL Applications
Types of ACLs
ACL Operations
ACL Statement Processing
Wildcard Masking Process
ACL Applications
Types of ACLs
Standard ACL
Checks source address
Generally permits or denies entire protocol suite
Extended ACL
Checks source and destination address
Generally permits or denies specific protocols
Figure: inbound ACL processing. A packet arriving on an interface is tested against the ACL and is either forwarded or sent to the discard bucket, with a notification to the sender.
Figure: outbound ACL processing. A packet routed to the destination interface(s) in the access group is tested against the ACL and is either forwarded out that interface or sent to the discard bucket.
Bringing a True-long Stand Vocation
Implementing ACLs
Configuring Standard IP ACLs
Configuring Extended IP ACLs
Using Named ACLs
Configuring vty ACLs
Guidelines for Placing ACLs
Verifying the ACL Configuration
ACL Command
Router(config)#access-list access-list-number {permit | deny} {test conditions}
Router(config-if)#{protocol} access-group access-list-number {in | out}
Standard IP lists (1-99)
Extended IP lists (100-199)
Router(config)#access-list access-list-number {permit | deny | remark} source [mask]
Router(config-if)#ip access-group access-list-number {in | out}
Wildcard mask examples: 0.0.255.255 (check the first two octets), 0.0.0.0 (check all 32 bits), 255.255.255.255 (ignore all 32 bits), 0.0.0.255 (check the first three octets)
Router(config)#access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
Router(config-if)#ip access-group access-list-number {in | out}
Figure: ACL statement processing. Three Router(config)# access-list statements are tested in order, ending with the implicit deny all (diagram label, truncated: access-list 1 deny 0.0.0.0).
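The statement-processing and wildcard-masking rules above, implemented in Python as an added example (not code from the original slides): statements are tested top-down, the first match decides, and a packet matching no statement hits the implicit deny all. The function names and the SAMPLE_ACL lines are my own constructions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

@dataclass
class AclEntry:
    action: str     # "permit" or "deny"
    source: str     # dotted-quad source address to test against
    wildcard: str   # wildcard mask: 0 bit = must match, 1 bit = not compared

def wildcard_match(addr: str, source: str, wildcard: str) -> bool:
    """Cisco wildcard test: every bit that is 0 in the wildcard must be equal
    in addr and source; bits that are 1 in the wildcard are not compared."""
    a = int(ipaddress.IPv4Address(addr))
    s = int(ipaddress.IPv4Address(source))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (s & care)

def parse_standard_acl(lines: List[str]) -> List[AclEntry]:
    """Parse 'access-list N {permit|deny} source [wildcard]' lines; 'remark'
    lines add no test condition, and a missing wildcard means 0.0.0.0 (host)."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            continue
        if parts[3] == "any":                        # IOS shorthand for 0.0.0.0 255.255.255.255
            src, wc = "0.0.0.0", "255.255.255.255"
        elif parts[3] == "host" and len(parts) > 4:  # IOS shorthand for <addr> 0.0.0.0
            src, wc = parts[4], "0.0.0.0"
        else:
            src = parts[3]
            wc = parts[4] if len(parts) > 4 else "0.0.0.0"
        entries.append(AclEntry(parts[2], src, wc))
    return entries

def evaluate(acl: List[AclEntry], src_addr: str) -> str:
    """Statements are tested top-down; the first match decides. A packet that
    matches no statement falls through to the implicit deny all."""
    for entry in acl:
        if wildcard_match(src_addr, entry.source, entry.wildcard):
            return entry.action
    return "deny"   # implicit deny all at the end of every ACL

# Constructed sample ACL (not from the slides): block one host, then permit its /16.
SAMPLE_ACL = [
    "access-list 1 remark constructed example for statement ordering",
    "access-list 1 deny 172.16.4.13 0.0.0.0",
    "access-list 1 permit 172.16.0.0 0.0.255.255",
]
```

Evaluating the reversed SAMPLE_ACL permits 172.16.4.13, which is why the ordering of statements matters as much as their content.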
vty Commands
interface s0
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
!
interface e0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source static 10.1.1.2 192.168.1.2
Figure: NAT example topology. Host C 10.1.1.1, Host A 192.168.1.100, Host B 192.168.1.101, Host D 172.168.1.1; router interfaces E0 192.168.1.94 and S0 171.69.232.182.
Configuring Overloading
Router(config)#access-list access-list-number permit source source-wildcard
Figure: NAT overloading topology. Router interfaces E0, S0 and E1; addresses 192.168.4.1, 192.168.3.1 and 172.17.38.1.
NAT translation table: Inside local 10.10.10.1; Outside local ---; Outside global ---.
Figure: NAT topology with Host A 192.168.1.2, Host B 192.168.2.2, and the addresses 10.1.1.2/24 and 192.168.2.1.
Verify that:
The configuration is correct
There are not any inbound ACLs denying the packets entry to the NAT router
The ACL referenced by the NAT command is permitting all necessary networks
There are enough addresses in the NAT pool
The router interfaces are appropriately defined as NAT inside or NAT outside
VPN Technology
What
Wide-Area Network
Business Partners
Thousands of Remote Workers
Remote Office
Regional Office
Home Offices
Mobile Workers
Area
Ownership
LANs
WAN Devices
WAN: Multiple LANs
End-User Device
DTE
CSU/DSU
DCE
Multiplexing Technologies
Multiplexer
Dedicated
Switched
Circuit-Switched
Communication Links
Public Switched Telephone Network
Integrated Services Digital Network
Packet-Switched Communication Links
X.25
Frame Relay
Asynchronous Transfer Mode and Cell Switching
DSL
Cable
Global Internet: the Largest WAN
Circuit Switching
PSTN
Local Exchange
PSTN Considerations
Advantages
Simplicity
Availability
Cost
Disadvantages
Low data rates
Relatively long connection setup time
ISDN
ISDN Considerations
Advantages
Speed
Always-on availability
Disadvantages
Limited geographic availability
Cost
Packet Switching
Figure: packet switching; both router links are labelled Synchronous Serial.
Frame Relay
DCE or Frame Relay Switch
ATM Switch
Cells
DSL
Figure: DSL downstream (Down) and upstream (Up) directions.
DSL Considerations
Advantages
Speed
Simultaneous voice and data transmission
Incremental additions
Always-on availability
Backward compatibility with analog phones
Disadvantages
Limited availability
Local phone company requirements
Security risks
Cable-Based WANs
Cable Modem
Cable
Headend
Figure: cable distribution plant. Components: coaxial cable (coax), pad, amplifier, splitter, tap; subscriber homes labelled Leonard, Einstein, Rosie, Jimmy, Mom, Grandpa and Junior.
HDLC
Encapsulation Configuration
PPP Layered Architecture
PPP Configuration
PPP Session Establishment
PPP Authentication Protocols
PPP Authentication Configuration
Serial Encapsulation Configuration Verification
PPP Authentication Configuration Troubleshooting
An Overview of PPP
Multiple Protocol Encapsulations
Using NCPs in PPP
PPP can carry packets from several protocol suites using NCP
PPP controls the setup of several link options using LCP
PAP
Two-Way Handshake
Central-Site Router (HQ)
santacruz boardwalk
Hash values, not actual passwords, are sent across the link
The local router or external server is in control of attempts
Configuring PPP
Router(config-if)#encapsulation ppp
Router(config-if)#ppp authentication {chap | chap pap | pap chap | pap}
Frame Relay Overview
Frame Relay Stack Layered Support
Frame Relay Terminology
Frame Relay Topologies
Reachability Issues in Frame Relay
Reachability Issue Resolution
Frame Relay Address Mapping
Frame Relay Signaling
How Service Providers Map Frame Relay DLCIs
Service Provider Frame Relay-to-ATM Interworking
Frame Relay in the OSI stack:
Application, Presentation, Session, Transport
Network: IP/IPX/AppleTalk, etc.
Data Link: Frame Relay
Physical: EIA/TIA-232, EIA/TIA-449, V.35, X.21, EIA/TIA-530
Figure: Router B with DLCI 100 and DLCI 400; local access loops of T1 and 64 kbps.
Problem:
Broadcast traffic must be replicated for each active connection
Split horizon rule prevents routing updates received on an interface from being forwarded out the same interface
Use LMI to get locally significant DLCI from the Frame Relay switch
Use Inverse ARP to map the local DLCI to the remote router network layer address
Configuring Subinterfaces
Point-to-point
Subinterfaces act like leased lines
Each point-to-point subinterface requires its own subnet
Point-to-point is applicable to hub-and-spoke topologies
Multipoint
Subinterfaces act like NBMA networks, so they do not resolve the split horizon issues
Multipoint can save address space because it uses a single subnet
Multipoint is applicable to partial mesh and full mesh topologies
Figure: subinterface addressing example: S2.2=10.17.0.1/24, S2.1=10.17.0.3/24, S2.1=10.17.0.4/24.
VPN
Definition
Remote Access VPNs
Site-to-Site VPNs
Tunneling Protocols GRE
Tunneling Protocols IPSec
Tunneling Protocols L2F and L2TP
VPN Definition
Site-to-Site VPNs