
Wednesday, 13 November 2019

What is Frame Relay & Its Benefits

This chapter covers what Frame Relay is and what its benefits are. Frame Relay is a cheaper alternative to dedicated WAN leased lines. It is a high-performance WAN protocol that operates at the physical and data link layers of the OSI reference model. Although more modern services such as broadband and metropolitan Ethernet have reduced the need for Frame Relay in many locations, it remains a viable option at many sites around the world.

FRAME RELAY TECHNOLOGY

Leased lines provide permanent dedicated capacity and are widely used to build WAN networks. They are the traditional connection of choice, but they have a number of disadvantages.
One disadvantage is that customers pay for leased lines with a fixed capacity. However, WAN traffic usually varies, so some of the capacity remains unused. In addition, each end point needs its own physical interface on the router, which increases equipment costs. In general, any change to a leased line requires that service provider staff visit the site.
Frame Relay is a high-performance WAN protocol that operates at the physical and data link layers of the OSI reference model. Unlike leased lines, Frame Relay requires only a single access circuit to the Frame Relay service provider in order to communicate with other sites connected to the same provider. The capacity between any two sites can vary.
Eric Scace, a Sprint International engineer, invented Frame Relay as a simpler version of the X.25 protocol for use over Integrated Services Digital Network (ISDN) interfaces. Today it is also used on other types of network interfaces. When Sprint implemented Frame Relay in its public network, it used StrataCom switches. Cisco's acquisition of StrataCom in 1996 marked its entry into the service provider market.

FRAME RELAY USES

Network service providers implement Frame Relay to carry voice and data traffic between LANs across a WAN. Each end user gets a private line, or leased line, to a Frame Relay node.
The Frame Relay network handles transmission over a frequently changing path that is transparent to all end users. As shown in the image, Frame Relay allows communication between several sites through a single access circuit to the provider.

Historically, Frame Relay was widely used as a WAN protocol because it was economical compared with dedicated leased lines. In addition, configuring the user equipment in a Frame Relay network is very simple.
Frame Relay connections are created by configuring the routers or other devices of the customer premises equipment (CPE) so that they communicate with a service provider's Frame Relay switch. The service provider configures the Frame Relay switch, which minimizes the configuration tasks left to the end user.

BENEFITS OF FRAME RELAY WAN TECHNOLOGY

With the advent of broadband services such as DSL and cable modem, Ethernet WAN, VPN and Multiprotocol Label Switching (MPLS), Frame Relay has become a less suitable solution for WAN access. However, there are still sites around the world that rely on Frame Relay for WAN connectivity.
Frame Relay provides more bandwidth, reliability and resilience than private or leased lines.
An example of a large business network helps illustrate the benefits of a Frame Relay WAN. In the example shown in the image, the SPAN Engineering company has five campuses across North America. Like most organizations, SPAN has varying bandwidth requirements.

The first thing to consider is the bandwidth requirement of each site. Starting with the head office, the Chicago to New York connection requires a maximum speed of 256 kb/s. Three other sites need a maximum speed of 48 kb/s to connect to the central office, while the connection between the New York and Dallas branches requires only 12 kb/s.

REQUIREMENTS OF THE DEDICATED LINE

With leased lines, each SPAN site is connected through a switch at the local telephone company's central office (CO) via the local loop, and then across the entire network.
The Chicago and New York sites use a dedicated T1 line (equivalent to 24 DS0 channels) to connect to the switch, while the other sites use ISDN connections (56 kb/s), as shown in Image 3.

Because the Dallas site connects to both New York and Chicago, it has two locally leased lines. The network service providers provide SPAN with one DS0 between the respective COs, except for the largest pipe, which connects Chicago and New York and has four DS0s.
DS0s are priced differently by region and are generally offered at a fixed price. These lines are truly dedicated, since the network service provider reserves them for SPAN's exclusive use. There is no sharing, and SPAN pays for the end-to-end circuit regardless of how much bandwidth it uses.

DISADVANTAGES OF DEDICATED LINES

A dedicated line provides few practical opportunities to establish a one-to-many connection without obtaining more lines from the network service provider. In the example, almost all communication must flow through the company's headquarters, simply to reduce the cost of additional lines.

After a more detailed analysis of the bandwidth requirements of each site, the following inefficiencies become apparent:

  • Of the 24 DS0 channels available on the T1 connection, the Chicago site uses only seven. Some service providers offer fractional T1 connections in increments of 64 kb/s, but this requires a specialized device called a multiplexer at the customer end to channelize the signals. In this case, SPAN opted for the full T1 service.
  • Similarly, the New York site uses only five of its 24 available DS0s.
  • Because Dallas must connect to both Chicago and New York, two lines connect to each of those sites through the CO.

The leased line design also limits flexibility. Unless the circuits are already installed, connecting new sites usually requires new circuit installations, which take a long time to implement. From the point of view of network reliability, consider the additional cost and complexity of adding redundant backup circuits.

COST-EFFECTIVENESS AND FLEXIBILITY OF FRAME RELAY

The SPAN Frame Relay network uses permanent virtual circuits (PVCs), as shown in the following image.

A PVC is the logical path from a source Frame Relay link, through the network, and along a terminating Frame Relay link to its final destination. Compare this with the physical path that a dedicated connection uses.
In a network accessed through Frame Relay, a PVC uniquely defines the route between two end points. The concept of virtual circuits (VCs) is discussed in more detail later in this section.
SPAN's Frame Relay solution provides both flexibility and cost savings.

FRAME RELAY COST-EFFECTIVENESS

Frame Relay is the more cost-effective option for two reasons.

  • First, with dedicated lines, customers pay for an end-to-end connection that includes the local loop and the network link. With Frame Relay, customers pay only for the local loop and for the bandwidth they purchase from the network service provider. The distance between nodes is not important. In the dedicated line model, customers use circuits provided in increments of 64 kb/s, whereas Frame Relay customers can define their virtual circuit needs with much greater granularity, often in increments as small as 4 kb/s.

  • Second, Frame Relay shares bandwidth across a larger customer base. Typically, a network service provider can serve 40 or more 56 kb/s customers over a single T1 circuit. Dedicated lines would require more CSU/DSUs (one per line) as well as more complex routing and switching. Network service providers save because there is less equipment to acquire and maintain.

THE FLEXIBILITY OF FRAME RELAY

A virtual circuit provides considerable flexibility in network design. Looking at the illustration, you can see that all SPAN offices connect to the Frame Relay cloud through their respective local loops. For the moment, what happens inside the cloud is not of interest.
All that matters is that when any SPAN office wants to communicate with any other SPAN office, it simply connects to a virtual circuit that leads to the other office.
In Frame Relay, each end of a connection has a number that identifies it, called a data link connection identifier (DLCI). Any station can reach any other simply by specifying that station's address and the DLCI number of the line to use.
In a later section you will learn that, when Frame Relay is configured, data from all configured DLCIs flows through the same router port. Imagine achieving the same flexibility with dedicated lines: it is not only difficult, it also requires much more equipment.

Sunday, 27 October 2019

OSPF Authentication Types, Configuration & Verification

This article covers OSPF authentication types, configuration and verification. OSPF supports three types of authentication: null, simple password authentication and MD5 authentication. OSPF MD5 authentication can be configured globally or per interface. OSPF authentication exists to protect routing updates; the different types are described below.

OSPF Authentication Types 

When neighbor authentication is configured on a router, the router authenticates the source of each routing update packet it receives. This is achieved with an authentication key (sometimes called a "password") that is known to both the router that sends the packet and the router that receives it.
To exchange routing update information securely, OSPF authentication must be enabled. OSPF authentication can be null (none), simple, or Message Digest 5 (MD5).
OSPF supports three types of authentication:

  • Null: This is the default method and means that no authentication is used for OSPF.
  • Simple password authentication: Also known as plain text authentication, because the password in the update is sent as plain text over the network.
  • MD5 authentication: This is the most secure and recommended authentication method. MD5 authentication provides greater security because the password is never exchanged between peers. Instead, a hash is calculated with the MD5 algorithm, and matching results authenticate the sender.


OSPF MD5 Authentication

The following example shows how MD5 authentication is used to authenticate two neighboring OSPF routers.
In Image 1, R1 combines the routing message with the pre-shared secret key and calculates the signature with the MD5 algorithm. The signature is also known as the hash value.

In Image 2, R1 appends the signature to the routing message and sends it to R2.

MD5 does not encrypt the message; therefore, its content can still be read easily.
In Image 3, R2 receives the packet, combines the routing message with the pre-shared secret key and calculates the signature with the MD5 algorithm.


  • If the signatures match, R2 accepts the routing update.
  • If the signatures do not match, R2 discards the update.
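The three steps above, worked through in code as an added example (not code from this post or from any Cisco device): it follows the OSPFv2 cryptographic authentication procedure of RFC 2328 Appendix D, where the MD5 digest is computed over the packet followed by the zero-padded key and appended to the packet. The Router ID, key name CISCO-123 and the Hello body are constructed sample values.

```python
import hashlib
import hmac
import struct

# RFC 2328 (OSPFv2) constants. AuType 2 is "message-digest" on the IOS CLI.
OSPF_VERSION = 2
OSPF_TYPE_HELLO = 1
AUTH_TYPE_CRYPTOGRAPHIC = 2
HEADER_LEN = 24
DIGEST_LEN = 16


def ip_to_bytes(dotted):
    """Pack a dotted-quad Router ID or Area ID into 4 bytes."""
    return bytes(int(octet) for octet in dotted.split("."))


def pad_key(key):
    """Keys shorter than 16 bytes are zero-padded; longer keys are invalid."""
    raw = key.encode()
    if len(raw) > DIGEST_LEN:
        raise ValueError("OSPF MD5 key must be at most 16 bytes")
    return raw.ljust(DIGEST_LEN, b"\x00")


def build_packet(router_id, area_id, body, key_id, seq):
    """OSPFv2 packet whose header announces cryptographic authentication.

    With AuType 2 the checksum field is left at 0 and the 8-byte
    authentication field carries: 0 (2 bytes), key ID, auth data
    length (16) and the cryptographic sequence number.
    """
    length = HEADER_LEN + len(body)
    header = struct.pack("!BBH4s4sHH", OSPF_VERSION, OSPF_TYPE_HELLO, length,
                         ip_to_bytes(router_id), ip_to_bytes(area_id),
                         0, AUTH_TYPE_CRYPTOGRAPHIC)
    auth_field = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    return header + auth_field + body


def sign(packet, key):
    """Images 1 and 2: MD5 over (packet || padded key), digest appended."""
    digest = hashlib.md5(packet + pad_key(key)).digest()
    return packet + digest


def verify(wire, key):
    """Image 3: recompute the digest with the receiver's key and compare."""
    if len(wire) < HEADER_LEN + DIGEST_LEN:
        return False
    length = struct.unpack("!H", wire[2:4])[0]
    packet, received = wire[:length], wire[length:length + DIGEST_LEN]
    if len(received) != DIGEST_LEN:
        return False
    expected = hashlib.md5(packet + pad_key(key)).digest()
    return hmac.compare_digest(expected, received)


# Constructed sample: R1 (Router ID 1.1.1.1) sends a Hello in area 0.
# Hello body: network mask, hello interval, options, priority, dead
# interval, DR, BDR.
HELLO_BODY = struct.pack("!4sHBBI4s4s", ip_to_bytes("255.255.255.0"),
                         10, 0x02, 1, 40, bytes(4), bytes(4))
PACKET = build_packet("1.1.1.1", "0.0.0.0", HELLO_BODY, key_id=1, seq=1)
WIRE = sign(PACKET, "CISCO-123")


def demo():
    """Outcomes the text describes: matching key accepted, anything else dropped."""
    # Same header and digest, but the body has been altered in transit.
    tampered = WIRE[:HEADER_LEN] + bytes(len(HELLO_BODY)) + WIRE[-DIGEST_LEN:]
    return {
        "same_key": verify(WIRE, "CISCO-123"),
        "wrong_key": verify(WIRE, "CISCO-124"),   # neighbor not yet configured
        "tampered": verify(tampered, "CISCO-123"),
        "body_readable": HELLO_BODY in WIRE,      # MD5 authenticates, it does not encrypt
    }


if __name__ == "__main__":
    print(demo())
```

The wrong-key case is exactly why the adjacencies in the configuration example below drop to Down until every neighbor shares the same key.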

OSPFv3 (OSPF for IPv6) does not include any authentication capabilities of its own. Instead, it relies entirely on IPsec to protect communications between neighbors, enabled with the ipv6 ospf authentication ipsec spi command in interface configuration mode. This is beneficial because it simplifies the OSPFv3 protocol and standardizes its authentication mechanism.

OSPF MD5 Authentication Configuration

OSPF supports authentication of routing protocols using MD5. MD5 authentication can be enabled globally for all interfaces or for each desired interface.

To enable OSPF MD5 authentication globally, configure the following:
Interface configuration mode command:
ip ospf message-digest-key key md5 password
Router configuration mode command:
area area-id authentication message-digest
This method forces authentication on all OSPF-enabled interfaces. If an interface is not configured with the ip ospf message-digest-key command, it cannot establish adjacencies with other OSPF neighbors.
To provide more flexibility, per-interface authentication is now supported. To enable MD5 authentication per interface, configure the following:
Interface configuration mode command:
ip ospf message-digest-key key md5 password
Interface configuration mode command:
ip ospf authentication message-digest
Global and per-interface OSPF MD5 authentication can be used on the same router; however, the per-interface configuration overrides the global configuration. MD5 authentication passwords do not have to be the same throughout an area, but they do have to be the same between neighbors.
For example, suppose that all routers in the illustration converged using OSPF and that routing works correctly. OSPF authentication will be implemented on all routers.

OSPF MD5 Authentication example

The example in Image 4 shows how to configure R1 to enable OSPF MD5 authentication on all interfaces.

Note that the informational messages indicate that the OSPF neighbor adjacencies with R2 and R3 changed to the Down state, because R2 and R3 have not yet been configured to support MD5 authentication.
As an alternative to enabling MD5 authentication globally, the example in Image 5 shows how to configure R1 to enable OSPF MD5 authentication per interface. Note that, in this case too, the OSPF neighbor adjacencies changed to the Down state.

Next, OSPF MD5 authentication is enabled globally on R2 and per interface on R3.
R2(config)# router ospf 10
R2(config-router)# area 0 authentication message-digest
R2(config-router)# interface GigabitEthernet 0/0
R2(config-if)# ip ospf message-digest-key 1 md5 CISCO-123
R2(config-if)# interface Serial 0/0/0
R2(config-if)# ip ospf message-digest-key 1 md5 CISCO-123
R2(config-if)# interface Serial 0/0/1
R2(config-if)# ip ospf message-digest-key 1 md5 CISCO-123
R2(config-if)# end
R2(config)#
*Apr 8 10:26:46.783: %OSPF-5-ADJCHG: Process 10, Nbr 1.1.1.1 on Serial0/0/0 from LOADING to FULL, Loading Done
R2(config)#
*Apr 8 10:27:16.435: %OSPF-5-ADJCHG: Process 10, Nbr 3.3.3.3 on Serial0/0/1 from FULL to DOWN, Neighbor Down: Dead timer expired
R2#
Informational messages appear here as well. The first message shows that the neighbor adjacency with R1 was re-established. However, the adjacency with R3 changed to the Down state, because R3 has not yet been configured.
R3(config)# interface GigabitEthernet 0/0
R3(config-if)# ip ospf message-digest-key 1 md5 CISCO-123
R3(config-if)# ip ospf authentication message-digest
R3(config-if)# interface Serial 0/0/0
R3(config-if)# ip ospf message-digest-key 1 md5 CISCO-123
R3(config-if)# ip ospf authentication message-digest
R3(config-if)# interface Serial 0/0/1
R3(config-if)# ip ospf message-digest-key 1 md5 CISCO-123
R3(config-if)# ip ospf authentication message-digest
R3(config-if)# end
R3#
*Apr 8 10:29:21.859: %OSPF-5-ADJCHG: Process 10, Nbr 2.2.2.2 on Serial0/0/1 from LOADING to FULL, Loading Done
R3(config)#
*Apr 8 10:29:27.315: %OSPF-5-ADJCHG: Process 10, Nbr 1.1.1.1 on Serial0/0/0 from LOADING to FULL, Loading Done
R3#
After R3 is configured, all neighbor adjacencies are re-established.

Verification of the OSPF MD5 Authentication

To verify that OSPF MD5 authentication is enabled, use the show ip ospf interface command in privileged EXEC mode. By verifying that the routing table is complete, it can be confirmed that the authentication was successful.
In Image, the verification of OSPF MD5 authentication is shown on serial interface 0/0/0 on R1.

In following Image, it is confirmed that the authentication was successful.

Monday, 21 October 2019

Cisco Discovery Protocol CDP vs LLDP

Cisco Discovery Protocol (CDP) is a Cisco proprietary protocol for network discovery at the data link layer. It can share information such as device names and IOS versions with other physically connected Cisco devices. LLDP is a vendor-neutral data link layer protocol for network discovery. Network devices advertise information, such as their identity and capabilities, to their neighbors.

Device Discovery with CDP

Cisco Discovery Protocol (CDP) is a Cisco proprietary Layer 2 protocol used to gather information about Cisco devices that share the same data link. CDP is media- and protocol-independent and runs on all Cisco devices, such as routers, switches and access servers.
The device sends periodic CDP advertisements to connected devices, as shown in Image 1. These messages share information about the type of device being discovered, the device's name, and the number and type of its interfaces.

Because most network devices are connected to other devices, CDP can help with design decisions, troubleshooting and equipment changes. CDP can be used as a network analysis tool to learn about neighboring devices. The information collected with CDP can help build a logical topology of a network when documentation or details are missing.

CDP CONFIGURATION

On Cisco devices, CDP is enabled by default. For security reasons, it may be desirable to disable CDP on a network device globally or per interface. With CDP, an attacker can collect valuable information about the network design, such as IP addresses, IOS versions and device types.
To verify the status of CDP and display information about it, enter the show cdp command, as follows:
Router# show cdp
Global CDP information:
 Sending CDP packets every 60 seconds
 Sending a holdtime value of 180 seconds
 Sending CDPv2 advertisements is enabled
To enable CDP globally on all supported interfaces of the device, enter cdp run in global configuration mode. CDP can be disabled on all interfaces of the device with the no cdp run command in global configuration mode.
To disable CDP on a specific interface, such as the one facing an ISP, enter no cdp enable in interface configuration mode. CDP remains enabled on the device; however, no more CDP messages are sent on that interface. To re-enable CDP on a specific interface, enter cdp enable, as shown:
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# cdp enable
Below, CDP is disabled globally with the no cdp run command and re-enabled with the cdp run command.
Router(config)# no cdp run
Router(config)# exit
Router# show cdp
% CDP is not enabled
Router# conf t
Router(config)# cdp run

CDP VERIFICATION

To verify the status of CDP and display a list of its neighbors, use the show cdp neighbors command in privileged EXEC mode. The show cdp neighbors command shows important information about CDP neighbors. At this point the device has no neighbors, because it is not physically connected to any other device:
Router# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Use the show cdp interface command to display the interfaces on which CDP is enabled. The status of each interface is also shown. The following output shows that five interfaces on the router are enabled for CDP, with only one active connection to another device.

Router# show cdp interface
Embedded-Service-Engine0/0 is administratively down, line protocol is down
 Encapsulation ARPA
 Sending CDP packets every 60 seconds
 Holdtime is 180 seconds
GigabitEthernet0/0 is administratively down, line protocol is down
 Encapsulation ARPA
 Sending CDP packets every 60 seconds
 Holdtime is 180 seconds
GigabitEthernet0/1 is up, line protocol is up
 Encapsulation ARPA
 Sending CDP packets every 60 seconds
 Holdtime is 180 seconds
Serial0/0/0 is administratively down, line protocol is down
 Encapsulation HDLC
 Sending CDP packets every 60 seconds
 Holdtime is 180 seconds
Serial0/0/1 is administratively down, line protocol is down
 Encapsulation HDLC
 Sending CDP packets every 60 seconds
 Holdtime is 180 seconds
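An added example (not from this post or from Cisco) of how a defender can audit the listing above: it parses show cdp interface output into records and produces the per-interface no cdp enable commands for interfaces that face an untrusted party, so CDP stays on for internal links only. The sample output is constructed from the listing above, with Serial0/0/0 marked up so there is an active WAN-facing interface to flag; the set of untrusted interfaces is an assumed input.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the "show cdp interface" output above;
# Serial0/0/0 is up here (it is down on the post's router) so the audit
# has an active ISP-facing interface to report.
SHOW_CDP_INTERFACE = """\
Embedded-Service-Engine0/0 is administratively down, line protocol is down
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
GigabitEthernet0/0 is administratively down, line protocol is down
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
GigabitEthernet0/1 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
Serial0/0/0 is up, line protocol is up
  Encapsulation HDLC
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
"""

HEADER_RE = re.compile(r"^(\S+) is (.+?), line protocol is (\w+)$")
TIMER_RE = re.compile(r"Sending CDP packets every (\d+) seconds")
HOLD_RE = re.compile(r"Holdtime is (\d+) seconds")


@dataclass
class CdpInterface:
    name: str
    admin_up: bool
    line_up: bool
    interval: int = 0
    holdtime: int = 0


def parse_show_cdp_interface(text):
    """One record per interface listed, i.e. per interface still sending CDP."""
    records = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            name, admin_state, line_state = m.groups()
            current = CdpInterface(name, admin_state != "administratively down",
                                   line_state == "up")
            records.append(current)
            continue
        if current is None:
            continue
        m = TIMER_RE.search(line)
        if m:
            current.interval = int(m.group(1))
            continue
        m = HOLD_RE.search(line)
        if m:
            current.holdtime = int(m.group(1))
    return records


def cdp_exposure(records, untrusted):
    """Interfaces that still advertise CDP although they face an untrusted peer."""
    return [r.name for r in records if r.name in untrusted]


def remediation(records, untrusted):
    """IOS commands from the post: 'no cdp enable' on each exposed interface only."""
    cmds = []
    for name in cdp_exposure(records, untrusted):
        cmds += ["interface " + name, " no cdp enable"]
    return cmds


if __name__ == "__main__":
    recs = parse_show_cdp_interface(SHOW_CDP_INTERFACE)
    for r in recs:
        print(r)
    print("\n".join(remediation(recs, {"Serial0/0/0"})))
```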

DEVICE DISCOVERY WITH CDP

With CDP enabled on the network, the show cdp neighbors command can be used to work out the design of the network.

For example, consider the undocumented topology in Image 2. No information is available about the rest of the network.
R1# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay
The show cdp neighbors command provides useful information about each CDP neighbor, such as the following:

  • Device identifiers - The host name of the neighboring device (S1).
  • Port identifier - The names of the local and remote ports (Gig 0/1 and Fas 0/5, respectively).
  • Capability list - Indicates whether the device is a router or a switch (S for switch; I for IGMP is beyond the scope of this course).
  • Platform - The hardware platform of the device (WS-C2960 for the Cisco 2960 switch).

VIEW DETAILED INFORMATION ABOUT CDP

If more information is needed, the show cdp neighbors detail command can also provide details such as the IOS version and IPv4 addresses of neighbors, as follows:
R1# show cdp neighbors detail
-------------------------
Device ID: S1
Entry address(es):
 IP address: 192.168.1.2
Platform: cisco WS-C2960-24TT-L, Capabilities: Switch IGMP
Interface: GigabitEthernet0/1, Port ID (outgoing port): FastEthernet0/5
Holdtime: 136 sec

Version:
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE7,
RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Thu 23-Oct-14 14:49 by prod_rel_team

advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27,
value=00000000FFFFFFFF010221FF000000000000002291210380FF0000
VTP Management Domain: ''
Native VLAN: 1
Duplex: full
Management address(es):
 IP address: 192.168.1.2

Total cdp entries displayed: 1

S2 DISCOVERY

By accessing S1, either remotely via SSH or physically through the console port, a network administrator can determine which other devices are connected to S1, as shown in the show cdp neighbors output.

S1# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
S2               Fas 0/4           158        S I         WS-C2960- Fas 0/4
R1               Fas 0/5           136        R B S I     CISCO1941 Gig 0/1

TOPOLOGY COMPLETION

Another switch, S2, is revealed in the output. The network administrator then accesses S2 and displays its CDP neighbors, as shown in Image 5. The only device connected to S2 is S1; therefore, there are no more devices to discover in the topology. The network administrator can now update the documentation to reflect the discovered devices.

S2# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
S1               Fas 0/4           173        S I         WS-C2960- Fas 0/4

DEVICE DISCOVERY WITH LLDP

Cisco devices also support the Link Layer Discovery Protocol (LLDP), a vendor-neutral neighbor discovery protocol similar to CDP. LLDP works with network devices such as routers, switches and wireless LAN access points. A device advertises its identity and capabilities to other devices and receives the same information from physically connected Layer 2 devices.

LLDP CONFIGURATION

On some devices, LLDP may be enabled by default. To enable LLDP globally on a Cisco network device, enter the lldp run command in global configuration mode. To disable LLDP, enter the no lldp run command in global configuration mode.
Like CDP, LLDP can be configured on specific interfaces. However, LLDP must be configured separately to transmit and to receive LLDP packets, as shown:

Switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# lldp run
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# lldp transmit
Switch(config-if)# lldp receive
Switch# show lldp

Global LLDP Information:
 Status: ACTIVE
 LLDP advertisements are sent every 30 seconds
 LLDP hold time advertised is 120 seconds
 LLDP interface reinitialisation delay is 2 seconds

LLDP VERIFICATION

To verify that LLDP has been enabled on the device, enter the show lldp command in privileged EXEC mode.
Display the status of LLDP on R1:
R1# show lldp
% LLDP is not enabled
R1#
Enter global configuration mode and configure the following:

  • Enable LLDP globally on R1.
  • Disable LLDP on the S0/0/0 interface.
  • Use the end command to exit global configuration mode.

R1# configure terminal
R1(config)# lldp run
R1(config)# interface s0/0/0
R1(config-if)# no lldp run
R1(config-if)# end
R1#
Display the list of LLDP neighbors on S1:
S1# show lldp neighbors
Capability codes:
 (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
 (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID        Local Intf     Hold-time  Capability  Port ID
R1               Fa0/5          99         R           Gi0/1

Display detailed information about the LLDP neighbors of S1 (the neighbor shown is R1):
S1# show lldp neighbors detail

------------------------------------------------
Chassis id: c471.fe45.73a0
Port id: Gi0/1
Port Description: GigabitEthernet0/1
System Name: R1

System Description:
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.4(3)M2,
RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Fri 06-Feb-15 17:01 by prod_rel_team

Time remaining: 106 seconds
System Capabilities: B,R
Enabled Capabilities: R
Management Addresses - not advertised
Auto Negotiation - not supported
Physical media capabilities - not advertised
Media Attachment Unit type - not advertised
Vlan ID: - not advertised

Total entries displayed: 1

DEVICE DISCOVERY WITH LLDP

With LLDP enabled, the device's neighbors can be discovered with the show lldp neighbors command. For example, consider the undocumented topology in Image 7. The network administrator only knows that S1 is connected to two devices. Using the show lldp neighbors command, the network administrator discovers that S1 has a router and a switch as neighbors.

S1# show lldp neighbors
Capability codes:
 (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
 (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID        Local Intf     Hold-time  Capability  Port ID
R1               Fa0/5          99         R           Gi0/1
S2               Fa0/4          120        B           Fa0/4

Total entries displayed: 2
From the show lldp neighbors output, the topology around switch S1 can be constructed as illustrated in Image 8. When more detail about neighbors is needed, the show lldp neighbors detail command can provide information such as the IOS version, IP address and capabilities of neighboring devices.


S1# show lldp neighbors detail
------------------------------------------------
Chassis id: fc99.4775.c3e0
Port id: Gi0/1
Port Description: GigabitEthernet0/1
System Name: R1

System Description:
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.4(3)M2,
RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Fri 06-Feb-15 17:01 by prod_rel_team

Time remaining: 101 seconds
System Capabilities: B,R
Enabled Capabilities: R
Management Addresses:
    IP: 192.168.1.1
Auto Negotiation - not supported
Physical media capabilities - not advertised
Media Attachment Unit type - not advertised
Vlan ID: - not advertised

------------------------------------------------
Chassis id: 0cd9.96d2.3f80
Port id: Fa0/4
Port Description: FastEthernet0/4
System Name: S2
<output omitted>

Configuring NAT with IPv6 on Cisco Router

This article explains how NAT relates to IPv6 on a Cisco router. The depletion of the IPv4 address space has been a priority for the IETF since the early 1990s. The combination of the private IPv4 addresses defined in RFC 1918 and NAT has played a decisive role in delaying this exhaustion. NAT has considerable disadvantages, and in January 2011 IANA allocated its last IPv4 addresses to the RIRs.
One unintended benefit of NAT for IPv4 is that it hides the private network from the public Internet. NAT offers a considerable level of security by denying computers on the Internet direct access to internal hosts. However, it should not be considered a substitute for proper network security, such as that provided by a firewall.

Is NAT possible with IPv6?

In RFC 5902, the Internet Architecture Board (IAB) included the following statement on IPv6 network address translation:

"It is commonly perceived that a NAT box provides one level of protection because external hosts cannot directly initiate communication with hosts behind a NAT. However, NAT boxes should not be confused with firewalls. As discussed in RFC 4864, Section 2.2, the act of translation itself does not provide security. The stateful filtering function can provide the same level of protection without requiring a translation function."

With its 128-bit address, IPv6 provides 340 undecillion addresses. Therefore, address space is not a problem. IPv6 was developed with the intention that NAT for IPv4, with its translation between public and private IPv4 addresses, would be unnecessary. However, IPv6 does implement a form of NAT. IPv6 has its own private address space and its own form of NAT, and both are implemented differently than they are for IPv4.

UNIQUE LOCAL IPv6 ADDRESSES

Unique local IPv6 addresses (ULAs) resemble the private IPv4 addresses defined in RFC 1918, but there are also considerable differences. The purpose of ULAs is to provide IPv6 address space for communication within a local site; they are not intended to provide additional IPv6 address space or a level of security.

As shown in the illustration, ULAs have the prefix FC00::/7, which yields a first hextet in the range FC00 to FDFF. The next bit (the L bit) is set to 1 if the prefix is locally assigned; it may be possible to set it to 0 in the future. The next 40 bits are a global ID, followed by a 16-bit subnet ID. Together these first 64 bits form the ULA prefix, leaving the remaining 64 bits for the interface ID or, in IPv4 terms, the host portion of the address.
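The address layout just described, built and taken apart in code as an added example (not from this post or from Cisco): the global ID is derived the way RFC 4193 section 3.2.2 specifies (low 40 bits of a SHA-1 over an NTP-format timestamp and an EUI-64), the /64 prefix is assembled with L=1, and an address is decomposed back into its L bit, global ID, subnet ID and interface ID. The EUI-64 and timestamp are constructed sample values.

```python
import hashlib
import ipaddress
import time

ULA_BLOCK = ipaddress.ip_network("fc00::/7")
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01


def generate_global_id(eui64, when=None):
    """RFC 4193 section 3.2.2: low 40 bits of SHA-1(NTP 64-bit time || EUI-64)."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    if when is None:
        when = time.time()
    secs = int(when) + NTP_EPOCH_OFFSET
    frac = int((when - int(when)) * (1 << 32))
    ntp_time = secs.to_bytes(4, "big") + frac.to_bytes(4, "big")
    return hashlib.sha1(ntp_time + eui64).digest()[-5:]


def build_ula_prefix(global_id, subnet_id):
    """FC00::/7 with L=1 (so FD00::/8) + 40-bit global ID + 16-bit subnet ID -> /64."""
    if len(global_id) != 5:
        raise ValueError("global ID must be 40 bits")
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet ID must fit in 16 bits")
    raw = bytes([0xFD]) + global_id + subnet_id.to_bytes(2, "big") + bytes(8)
    return ipaddress.IPv6Network((int.from_bytes(raw, "big"), 64))


def decompose_ula(address):
    """Split a ULA into the fields of the illustration; reject non-ULA addresses."""
    addr = ipaddress.IPv6Address(address)
    if addr not in ULA_BLOCK:
        raise ValueError("%s is not in FC00::/7" % address)
    raw = addr.packed
    return {
        "L": raw[0] & 0x01,                            # 1 = locally assigned
        "global_id": raw[1:6].hex(),                   # 40 bits
        "subnet_id": int.from_bytes(raw[6:8], "big"),  # 16 bits
        "interface_id": raw[8:].hex(),                 # 64 bits, the "host" part
    }


if __name__ == "__main__":
    # Constructed EUI-64 (locally administered bit set) and a fixed timestamp.
    sample_eui64 = bytes.fromhex("02005efffe005301")
    gid = generate_global_id(sample_eui64, when=1.0)
    prefix = build_ula_prefix(gid, subnet_id=1)
    print(prefix)
    print(decompose_ula(str(prefix.network_address + 1)))
```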

ULA FEATURES

Unique local addresses are defined in RFC 4193. ULAs are also known as "local IPv6 addresses" (not to be confused with link-local IPv6 addresses) and have several features, including the following:

  • They allow sites to be combined or interconnected privately, without generating conflicts between addresses and without re-numbering the interfaces that use these prefixes.
  • They are independent of any ISP and can be used for communications within a site without having Internet connectivity.
  • They are not routable across the Internet; however, if they are accidentally leaked by routing or DNS, there is no conflict with other addresses.

ULAs are not as simple as the addresses defined in RFC 1918. Unlike private IPv4 addresses, the IETF did not intend for a form of NAT to translate between unique local addresses and global unicast IPv6 addresses; a host that needs Internet reachability is given a global unicast address alongside its ULA.
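The prefix layout described above can be checked by building one. The following Python is an added example written for this page, not code from the original post or from any vendor: it implements the RFC 4193 global ID algorithm (low 40 bits of SHA-1 over an NTP timestamp and an EUI-64), assembles a /64 ULA prefix from the FD byte, global ID and subnet ID, and classifies addresses into the types discussed in the text (ULA with the L bit set, the reserved FC00::/8 half, link-local and global unicast). The MAC address used in the docstring and the function names are assumptions for the example.

```python
import hashlib
import ipaddress
import struct
import time
from typing import Optional

ULA_RANGE = ipaddress.IPv6Network("fc00::/7")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe in the middle and flip the U/L bit.
    Example (assumed MAC): "00:1b:21:aa:bb:cc" -> 02 1b 21 ff fe aa bb cc."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def make_global_id(eui64: bytes, ntp_timestamp: Optional[int] = None) -> int:
    """RFC 4193 section 3.2.2: the 40-bit global ID is the low-order 40 bits of
    SHA-1(64-bit NTP timestamp || EUI-64). It is pseudo-random, which is what makes
    two independently numbered sites unlikely to collide when they are merged."""
    if ntp_timestamp is None:
        # 64-bit NTP format: seconds since 1900 in the high 32 bits, fraction in the low 32
        ntp_timestamp = (int(time.time()) + 2208988800) << 32
    digest = hashlib.sha1(struct.pack(">Q", ntp_timestamp) + eui64).digest()
    return int.from_bytes(digest[-5:], "big")


def build_ula_prefix(global_id: int, subnet_id: int) -> ipaddress.IPv6Network:
    """Assemble FD (FC00::/7 with L=1) | global ID (40 bits) | subnet ID (16 bits) into a /64."""
    if not 0 <= global_id < 2 ** 40:
        raise ValueError("global ID must fit in 40 bits")
    if not 0 <= subnet_id < 2 ** 16:
        raise ValueError("subnet ID must fit in 16 bits")
    prefix_int = (0xFD << 120) | (global_id << 80) | (subnet_id << 64)
    return ipaddress.IPv6Network((prefix_int, 64))


def classify(address: str) -> str:
    """Name the address type the way the text distinguishes them."""
    addr = ipaddress.IPv6Address(address)
    if addr.is_link_local:
        return "link-local (fe80::/10)"
    if addr in ULA_RANGE:
        l_bit = (int(addr) >> 120) & 1  # bit 8 of the address is the L flag
        return "ULA, locally assigned (fd00::/8)" if l_bit else "ULA, L=0 reserved (fc00::/8)"
    if addr in GLOBAL_UNICAST:
        return "global unicast (2000::/3)"
    return "other"
```

A site that numbers itself from a global ID it generated this way, rather than from an easy-to-remember value such as fd00::/8 or fd00:1::/64, is the one that avoids conflicts when it later connects to a partner site.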

IPV6 AND NAT

NAT for IPv6 is used in a very different context than NAT for IPv4. The NAT varieties for IPv6 provide transparent access between IPv6-only networks and IPv4-only networks. NAT is not used as a form of translation from private IPv6 to global IPv6.
Ideally, IPv6 should be run natively wherever possible, that is, IPv6 devices communicating with each other over IPv6 networks. However, to assist the move from IPv4 to IPv6, the IETF developed several transition techniques that cover a variety of IPv4-to-IPv6 situations: dual-stack, tunneling and translation.

Dual-stack means that devices run the protocols associated with both IPv4 and IPv6. Tunneling for IPv6 is the process of encapsulating an IPv6 packet inside an IPv4 packet, which allows the IPv6 packet to be transmitted across an IPv4-only network.
NAT for IPv6 should not be used as a long-term strategy, but as a temporary mechanism to support the migration from IPv4 to IPv6. Over the years there have been several types of NAT for IPv6, including Network Address Translation / Protocol Translation (NAT-PT), which the IETF deprecated in RFC 4966; its successor is NAT64 (RFC 6146), used together with DNS64.

Configure Cisco Port Forwarding with Cisco IOS Router

In this article you will learn what port forwarding is and how to configure it on a Cisco IOS router.
Port forwarding forwards traffic addressed to a specific network port from one network node to another. It allows an external user to reach a port on a private IPv4 address (inside the LAN) from the outside, through a router with NAT enabled.
Peer-to-peer file-sharing programs and key services such as web serving and outbound FTP typically require router ports to be forwarded or opened for those applications to work, as shown in Image 1. Because NAT hides internal addresses, peer-to-peer communication only works from the inside out, where NAT can map outgoing requests to the incoming responses.

The problem is that NAT does not allow requests initiated from the outside. This can be resolved manually: port forwarding identifies specific ports whose traffic is forwarded to internal hosts.

What is Port Forwarding ?

Remember that Internet software applications interact with user ports that need to be open or available to those applications. Different applications use different ports, which lets applications and routers identify network services predictably. For example, HTTP uses the well-known port 80. When someone enters the address http://cisco.com, the browser displays the Cisco Systems, Inc. website. Note that it is not necessary to specify the HTTP port number in the page request, because the application assumes port 80.
In Image 2, the owner of a small business that uses a point of sale (PoS) server is shown to track sales and inventories in the store. The server can be accessed from the store but, because it has a private IPv4 address, it is not possible to access it publicly from the Internet. Enabling the local router for port forwarding would allow the owner to access the point of sale server anywhere from the Internet. Port forwarding on the router is configured with the destination port number and the private IPv4 address of the point of sale server. To access the server, the client software would use the public IPv4 address of the router and the destination port of the server.

EXAMPLE OF WIRELESS ROUTER

Image 3 shows the Single Port Forwarding configuration window of a Packet Tracer wireless router. By default, port forwarding is not enabled on the router.

By specifying the internal local address to which requests should be forwarded, port forwarding can be enabled for an application. In the figure, HTTP requests arriving at the wireless router are forwarded to the web server at internal local address 192.168.1.254. If the external (WAN) IPv4 address of the wireless router is 209.165.200.225, a user can enter http://www.example.com and the wireless router redirects the HTTP request to the internal web server at 192.168.1.254, using the default port number 80.
A port other than the default port 80 can be specified; however, the external user would then have to know the specific port number to use. To specify a different port, modify the value of the External Port field in the Single Port Forwarding window.

Configure Port Forwarding with Cisco IOS

The Cisco IOS commands used to implement port forwarding are similar to those used to configure static NAT . Basically, port forwarding is a static NAT translation with a specific TCP or UDP port number.

The static NAT command used to configure port forwarding with IOS is shown below:

ip nat inside source static {tcp | udp} local-ip local-port global-ip global-port [extendable]

  • tcp | udp: Indicates whether this is a TCP or UDP port number.
  • local-ip: The IPv4 address assigned to the host on the inside network, generally from the private address space defined in RFC 1918.
  • local-port: The local TCP/UDP port, in the range 1 to 65535. This is the port on which the server listens.
  • global-ip: The globally unique IPv4 address of the inside host as seen from outside. This is the address external clients use to reach the internal server.
  • global-port: The global TCP/UDP port, in the range 1 to 65535. This is the port number external clients use to reach the internal server.
  • extendable: The extendable keyword allows several ambiguous static translations, that is, translations that share the same local or global address; it lets the router extend the translation to more than one port where necessary. IOS applies the option automatically when such entries are configured.
Command parameters for port forwarding with IOS.

Port Forwarding CONFIGURATION EXAMPLE

The following figure shows an example of port forwarding configured with IOS commands on router R2.

Set the static translation between an inside local address and local port and an inside global address and global port:
R2(config)# ip nat inside source static tcp 192.168.10.254 80 209.165.200.225 8080
Identify Serial0/0/0 as the NAT inside interface:
R2(config)# interface Serial0/0/0
R2(config-if)# ip nat inside
Identify Serial0/1/0 as the NAT outside interface:
R2(config)# interface Serial0/1/0
R2(config-if)# ip nat outside
The address 192.168.10.254 is the inside local IPv4 address of the web server listening on port 80. Users reach this internal web server through the inside global IPv4 address 209.165.200.225, a globally unique public IPv4 address; in this case it is the address of interface Serial0/1/0 of R2. The global port is configured as 8080. This is the destination port that external clients use together with the global IPv4 address 209.165.200.225 to reach the internal web server. Note the following command parameters in the NAT configuration:

  • local-ip = 192.168.10.254
  • local-port = 80
  • global-ip = 209.165.200.225
  • global-port = 8080

When a well-known port number is not used, the client must specify the application's port number.
Like other types of NAT, port forwarding requires that internal and external NAT interfaces be configured.

VERIFICATION OF PORT FORWARDING

As in the case of static NAT, the show ip nat translations command can be used to verify port forwarding:

R2# show ip nat translations
Pro  Inside global          Inside local          Outside local            Outside global
tcp  209.165.200.225:8080   192.168.10.254:80     209.165.200.254:46088    209.165.200.254:46088
tcp  209.165.200.225:8080   192.168.10.254:80     ---                      ---
R2#
In the example, when the router receives a packet with destination inside global IPv4 address 209.165.200.225 and destination TCP port 8080, it searches the NAT table using the destination IPv4 address and destination port as keys. It then translates the destination to the inside local address of host 192.168.10.254 and destination port 80 and forwards the packet to the web server. For return packets from the web server to the client, the process is reversed.
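The lookup just described, and the two rows of the translation table above, can be modeled in a few lines. The following Python is an added example for this page, not IOS code or Cisco tooling: it models a static port-forwarding entry, translates an inbound request by (protocol, global address, global port), reverses the translation for the server's reply, drops inbound packets for which no mapping exists, and renders the same rows that show ip nat translations printed above. The class and method names are invented; the addresses and ports are those of the R2 example, and the packets fed to it are constructed for the example. It deliberately does not model dynamic PAT for other inside hosts.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Socket = Tuple[str, str, int]  # (protocol, ip address, port)


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortForwardingNat:
    """Models 'ip nat inside source static {tcp|udp} local-ip local-port global-ip global-port'."""

    def __init__(self) -> None:
        self._global_to_local: Dict[Socket, Socket] = {}
        self._local_to_global: Dict[Socket, Socket] = {}
        # Active sessions keyed by (inside local, outside); these are the populated rows
        # of 'show ip nat translations', the static entry is the row with '---'
        self._sessions: Dict[Tuple[Socket, Socket], Socket] = {}

    def add_static(self, proto: str, local_ip: str, local_port: int,
                   global_ip: str, global_port: int) -> None:
        glob = (proto, global_ip, global_port)
        local = (proto, local_ip, local_port)
        if glob in self._global_to_local:
            raise ValueError(f"{proto} {global_ip}:{global_port} is already translated")
        self._global_to_local[glob] = local
        self._local_to_global[local] = glob

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside. Lookup key: destination (global ip, global port).
        Returns the translated packet, or None when there is no mapping and the
        router drops the unsolicited packet."""
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port)
        local = self._global_to_local.get(key)
        if local is None:
            return None
        outside = (pkt.proto, pkt.src_ip, pkt.src_port)
        self._sessions[(local, outside)] = key
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, local[1], local[2])

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside. The server's reply has its source rewritten from
        inside local to inside global, so the client sees the socket it connected to."""
        local = (pkt.proto, pkt.src_ip, pkt.src_port)
        glob = self._local_to_global.get(local)
        if glob is None:
            return None  # no static entry for this inside socket (dynamic PAT not modeled)
        return Packet(pkt.proto, glob[1], glob[2], pkt.dst_ip, pkt.dst_port)

    def translations(self) -> List[Tuple[str, str, str, str, str]]:
        """Rows shaped like 'show ip nat translations':
        (Pro, Inside global, Inside local, Outside local, Outside global)."""
        rows = []
        for (local, outside), glob in self._sessions.items():
            out = f"{outside[1]}:{outside[2]}"
            rows.append((glob[0], f"{glob[1]}:{glob[2]}", f"{local[1]}:{local[2]}", out, out))
        for glob, local in self._global_to_local.items():
            rows.append((glob[0], f"{glob[1]}:{glob[2]}", f"{local[1]}:{local[2]}", "---", "---"))
        return rows
```

Note what the model makes visible: the translation is keyed only on destination socket, so once the entry exists any source on the Internet reaches 192.168.10.254:80. As the RFC 4864 quotation at the top of this page says, the translation itself is not a filter; an ACL on the outside interface is what limits who may use the forwarded port.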

Friday, 18 October 2019

Access Control List ACL Configuration on Cisco Router

This post explains Access Control List (ACL) configuration on a Cisco router. If you want to learn what an Access Control List is, see the previous post.
To use standard numbered ACLs on a Cisco router, you must first create the standard ACL and then activate it on an interface.
The global configuration command access-list defines a standard ACL with a number between 1 and 99. Cisco IOS Software Release 12.0.1 extended that range to also allow numbers from 1300 to 1999 for standard ACLs, for a total of 799 possible standard numbered ACLs. These additional numbers are referred to as expanded IPv4 ACLs.
List of Contents For ACL Configuration
1. Commands to configure ACL
2. Modify IPv4 ACLs
3. VTY Port Protection with Standard IPv4 ACL

Commands to configure ACL

You configure a standard numbered ACL on a Cisco router with the following command syntax:
Router(config)# access-list access-list-number {deny | permit | remark} source [source-wildcard] [log]
The parameters of the standard ACL syntax are explained below.
  • access-list-number: Number of the ACL. A decimal number from 1 to 99 or from 1300 to 1999 (for standard ACLs).
  • deny: Deny access if the conditions match.
  • permit: Permit access if the conditions match.
  • remark: Add a comment about the entries in the IP access list to make the list easier to understand and review.
  • source: Number of the network or host from which the packet is sent. There are two ways to specify the source: a 32-bit quantity in four-part dotted-decimal format, or the keyword any as an abbreviation for source 0.0.0.0 with source-wildcard 255.255.255.255.
  • source-wildcard: (Optional) 32-bit wildcard mask applied to the source. Place ones in the bit positions you want to ignore.
  • log: (Optional) Generate an informational log message for packets that match the entry.
Standard ACL access-list command syntax
ACEs can permit or deny a single host or a range of host addresses. To create a host statement in ACL 10 that permits the specific host with IPv4 address 192.168.10.10, enter the following:
R1(config)# access-list 10 permit host 192.168.10.10

ACL REMOVAL

To create a statement that permits a range of IPv4 addresses, in this case all addresses on the 192.168.10.0/24 network, in ACL 10, enter the following:
R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255
To remove the ACL, use the global configuration command no access-list. Running the show access-lists command confirms that access list 10 was deleted.

R1# show access-lists
Standard IP access list 10
 10 permit 192.168.10.0, wildcard bits 0.0.0.255
R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# no access-list 10
R1(config)# exit
R1# show access-lists
R1#

Usually, when an administrator creates an ACL, he or she knows and understands the purpose of each statement. However, to ensure that the administrator and others remember the purpose of the statements, remarks should be included. The remark keyword documents the list and makes access lists much easier to understand. Each remark is limited to 100 characters. The simple ACL below is used as an example. When the ACL is checked with the show running-config command, the remark is displayed as well.

R1(config)# access-list 10 remark Permit hosts from the 192.168.10.0 LAN
R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255
R1(config)# exit
R1# show running-config | include access-list 10
access-list 10 remark Permit hosts from the 192.168.10.0 LAN
access-list 10 permit 192.168.10.0 0.0.0.255
R1#

APPLICATION OF STANDARD IPV4 ACLS TO INTERFACES

After a standard IPv4 ACL is configured, it is linked to an interface using the ip access-group command in interface configuration mode:
Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}
To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL.
The steps and syntax for configuring and applying a standard numbered ACL on a router are listed below.

1: Use the global configuration command access-list to create an entry in a standard IPv4 ACL.
R1(config)# access-list 1 permit 192.168.10.0 0.0.0.255
2: Use the interface configuration command to select an interface to which to apply the ACL.
R1(config)# interface serial 0/0/0
3: Use the ip access-group interface configuration command to activate the ACL on the interface.
R1(config-if)# ip access-group 1 out

EXAMPLE OF AN ACL DESIGNED TO ALLOW A SINGLE NETWORK.


This ACL only permits traffic from source network 192.168.10.0 to be forwarded out the S0/0/0 interface. Traffic from networks other than 192.168.10.0 is blocked.
R1(config)# access-list 1 permit 192.168.10.0 0.0.0.255
R1(config)# interface s0/0/0
R1(config-if)# ip access-group 1 out
The first line identifies the ACL as access list 1 and permits traffic that matches the selected parameters. In this case, the IPv4 address and wildcard mask identifying the source network are 192.168.10.0 0.0.0.255. Remember that there is an implicit deny all at the end of every ACL, equivalent to adding the line access-list 1 deny 0.0.0.0 255.255.255.255 or access-list 1 deny any.
The ip access-group 1 out interface configuration command links ACL 1 to Serial0/0/0 as an outbound filter.
Therefore, ACL 1 only permits hosts on the 192.168.10.0/24 network to exit router R1 through that interface. All other networks are denied, including 192.168.11.0.

EXAMPLES OF STANDARD ACLS NUMBERED IPV4

Continuing with the example of the previous image, consider the following commands (deny a specific host and permit a specific subnet):
R1(config)# no access-list 1
R1(config)# access-list 1 deny host 192.168.10.10
R1(config)# access-list 1 permit 192.168.10.0 0.0.0.255
R1(config)# interface s0/0/0
R1(config-if)# ip access-group 1 out
The first command removes the previous version of ACL 1. The next ACL statement denies the PC1 host located at 192.168.10.10. All other hosts on the 192.168.10.0/24 network are then permitted. The implicit deny statement matches every other network.
The ACL is reapplied to the S0/0/0 interface in the outbound direction.
The next example shows an ACL that denies a specific host and replaces the previous example. PC1's traffic is still blocked, but all other traffic is permitted.
R1(config)# no access-list 1
R1(config)# access-list 1 deny host 192.168.10.10
R1(config)# access-list 1 permit any
R1(config)# interface g0/0
R1(config-if)# ip access-group 1 in
The first two commands are the same as in the previous example: the first removes the previous version of ACL 1, and the next ACL statement denies host PC1 at 192.168.10.10.
The third line is new and permits all other hosts. This means all hosts on the 192.168.10.0/24 network are permitted except PC1, which was denied by the previous statement.
This ACL is applied to the G0/0 interface in the inbound direction. Because the filter only affects the 192.168.10.0/24 LAN on G0/0, it is more efficient to apply the ACL inbound there. The ACL could be applied outbound on S0/0/0, but then R1 would have to examine packets from all networks, including 192.168.11.0/24.

ACL SYNTAX WITH IPV4 STANDARD NAME

Naming ACLs makes it easier to understand their function. When the ACL is identified with a name instead of a number, the configuration mode and command syntax are subtly different.
Below are the steps necessary to create a standard named ACL.

  • Step 1: In global configuration mode, use the ip access-list command to create a named ACL. ACL names are alphanumeric, case sensitive and must be unique. The ip access-list standard name command creates a standard named ACL. After entering the command, the router is in standard named ACL configuration mode, as indicated by the (config-std-nacl) prompt:
Router(config)# ip access-list [standard | extended] name
Router(config-std-nacl)# [permit | deny | remark] {source [source-wildcard]} [log]
Note: Numbered ACLs use the global configuration command access-list, while named IPv4 ACLs use the ip access-list command.
  • Step 2: In named ACL configuration mode, use permit or deny statements to specify one or more conditions that determine whether a packet is forwarded or discarded. Use remark to add a comment to the ACL.
  • Step 3: Apply the ACL to an interface with the ip access-group name command. Specify whether the ACL applies to packets entering the interface (in) or leaving it (out).
Router(config-if)# ip access-group name [in | out]
The following are the commands used to configure a standard ACL with name on router R1, in which the G0 / 0 interface denies host 192.168.11.10 access to the 192.168.10.0 network. The ACL is called NO_ACCESS.
R1(config)# ip access-list standard NO_ACCESS
R1(config-std-nacl)# deny host 192.168.11.10
R1(config-std-nacl)# permit any
R1(config-std-nacl)# exit
R1(config)# interface g0/0
R1(config-if)# ip access-group NO_ACCESS out
It is not necessary for ACL names to begin with a capital letter, but this makes them stand out when the result of show running-config is observed. It also makes it less likely that you accidentally create two different ACLs with the same name but with different capitalization.

MODIFY IPV4 ACLS

METHOD 1: USE A TEXT EDITOR

After becoming familiar with creating and editing ACLs, it may be easier to build the ACL in a text editor such as Microsoft Notepad. This lets you create or edit the ACL and then paste it into the router CLI. For an existing ACL, use the show running-config command to display it, copy and paste it into the text editor, make the necessary changes, and paste it back into the router CLI.
Assume, for example, that the following IPv4 host address was entered incorrectly. Instead of host 192.168.10.99, it should be host 192.168.10.10. The steps to edit and correct ACL 1 are as follows:
R1(config)# access-list 1 deny host 192.168.10.99
R1(config)# access-list 1 permit 192.168.0.0 0.0.255.255
  • Step 1: Display the ACL using the show running-config command. In the example, the include keyword is used to show only the ACEs.
R1# show running-config | include access-list 1
access-list 1 deny host 192.168.10.99
access-list 1 permit 192.168.0.0 0.0.255.255

  • Step 2: Select the ACL, copy it, and paste it into Microsoft Notepad. Edit the list as needed. Once the ACL is correct in Notepad, select it and copy it.
<Text editor>
access-list 1 deny host 192.168.10.10
access-list 1 permit 192.168.0.0 0.0.255.255

  • Step 3: In global configuration mode, delete the access list with the no access-list 1 command. Otherwise, the new statements would be appended to the existing ACL. Then paste the new ACL into the router configuration.
R1# config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# no access-list 1
R1(config)# access-list 1 deny host 192.168.10.10
R1(config)# access-list 1 permit 192.168.0.0 0.0.255.255
  • Step 4: Verify the changes using the show running-config command.
R1# show running-config | include access-list 1
access-list 1 deny host 192.168.10.10
access-list 1 permit 192.168.0.0 0.0.255.255
Remember that different IOS software versions behave differently when the no access-list command is used. If the removed ACL is still applied to an interface, some IOS versions act as if no ACL protects the network, while others deny all traffic. For this reason, it is advisable to remove the access list reference from the interface before modifying the list. If there is an error in the new list, disable it and fix the problem; during the correction, the network has no ACL in place.

METHOD 2: USE SEQUENCE NUMBERS

R1(config)# access-list 1 deny host 192.168.10.99
R1(config)# access-list 1 permit 192.168.0.0 0.0.255.255
As shown above, a host statement for host 192.168.10.99 was included in the initial configuration of ACL 1. That was a mistake: host 192.168.10.10 should have been configured. To edit the ACL with sequence numbers, follow these steps:
  • Step 1: Display the current ACL using the show access-lists 1 command. The output of this command is analyzed in more detail later in this section. The sequence number is shown at the beginning of each statement; it was assigned automatically when the access list statement was entered. Note that the misconfigured statement has sequence number 10.
R1# show access-lists 1
Standard IP access list 1
 10 deny 192.168.10.99
 20 permit 192.168.0.0, wildcard bits 0.0.255.255
R1#
  • Step 2: Enter the ip access-list standard command, which is normally used to configure named ACLs; the ACL number, 1, is used as the name. First remove the misconfigured statement with the no 10 command, where 10 refers to the sequence number. Then add a new statement with sequence number 10 using the command 10 deny host 192.168.10.10.
R1# conf t
R1(config)# ip access-list standard 1
R1(config-std-nacl)# no 10
R1(config-std-nacl)# 10 deny host 192.168.10.10
R1(config-std-nacl)# end
R1#
Note: A statement cannot be overwritten using the same sequence number as an existing statement. The current statement must be deleted first, and then the new one can be added.

  • Step 3: Verify the changes using the show access-lists command.
R1# show access-lists
Standard IP access list 1
 10 deny 192.168.10.10
 20 permit 192.168.0.0, wildcard bits 0.0.255.255
R1#
Cisco IOS applies internal logic to standard access lists: host ACEs are stored in a hash table, so the order in which standard ACEs are entered is not necessarily the order in which they are stored, displayed or processed by the router, while range (wildcard) entries keep their relative order after the host entries. The show access-lists command shows ACEs with their sequence numbers.

STANDARD ACL EDITION WITH NAME

In the earlier example, sequence numbers were used to edit a standard numbered IPv4 ACL. By referring to a statement's sequence number, individual statements can easily be inserted or deleted. The same method can be used to edit standard named ACLs.
In the following scheme, an example of inserting a line in a named ACL is shown.
R1# show access-lists
Standard IP access list NO_ACCESS
 10 deny 192.168.11.10
 20 permit 192.168.11.0, wildcard bits 0.0.0.255
R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# ip access-list standard NO_ACCESS
R1(config-std-nacl)# 15 deny host 192.168.11.11
R1(config-std-nacl)# end
R1# show access-lists
Standard IP access list NO_ACCESS
 10 deny 192.168.11.10
 15 deny 192.168.11.11
 20 permit 192.168.11.0, wildcard bits 0.0.0.255
R1#
In the first show output, the ACL named NO_ACCESS has two numbered lines: sequence 10 denies the workstation with IPv4 address 192.168.11.10 and sequence 20 permits the rest of the 192.168.11.0/24 network.
Statements can be inserted or deleted from named access list configuration mode.
To deny another workstation, a numbered line is inserted between the existing ones. In the example, the workstation with IPv4 address 192.168.11.11 is added with the new sequence number 15.
The last show output verifies that the new workstation is now denied.
Note: In named access list configuration mode, enter the no sequence-number command to quickly remove individual statements.

VERIFY Access Control List on Cisco

As shown below, the show ip interface command is used to verify the ACL on an interface. The output includes the number or name of the access list and the direction in which it was applied. It shows that access list 1 is applied outbound on interface S0/0/0 of router R1 and that access list NO_ACCESS is applied to interface G0/0, also outbound.
R1# show ip interface s0/0/0
Serial0/0/0 is up, line protocol is up
 Internet address is 10.1.1.1/30
<output omitted>
 Outgoing access list is 1
 Inbound access list is not set
<output omitted>
R1# show ip interface g0/0
GigabitEthernet0/0 is up, line protocol is up
 Internet address is 192.168.10.1/24
<output omitted>
 Outgoing access list is NO_ACCESS
 Inbound access list is not set
<output omitted>
The output of show access-lists on router R1 is shown below. To view a single access list, use show access-lists followed by the number or name of the list. The NO_ACCESS statements may look strange: sequence number 15 is displayed before sequence number 10. This is due to the way IOS internally orders host entries, as noted earlier.
R1# show access-lists
Standard IP access list 1
 10 deny 192.168.10.10
 20 permit 192.168.0.0, wildcard bits 0.0.255.255
Standard IP access list NO_ACCESS
 15 deny 192.168.11.11
 10 deny 192.168.11.10
 20 permit 192.168.11.0, wildcard bits 0.0.0.255
R1#

Access Control List STATISTICS

Once the ACL has been applied to an interface and some tests have been run, the show access-lists command shows statistics for each statement that has matched. In the output below, notice that matches were recorded for some of the statements.
R1# show access-lists
Standard IP access list 1
 10 deny 192.168.10.10 (4 matches)
 20 permit 192.168.0.0, wildcard bits 0.0.255.255
Standard IP access list NO_ACCESS
 15 deny 192.168.11.11
 10 deny 192.168.11.10 (4 matches)
 20 permit 192.168.11.0, wildcard bits 0.0.0.255
R1#
When traffic that matches an ACL statement is generated, the match count shown by show access-lists should increase. For example, in this case, if you ping from PC1 to PC3 or PC4, the output shows an increase in matches for the deny statement of ACL 1.
R1# show access-lists
Standard IP access list 1
 10 deny 192.168.10.10 (8 matches)
 20 permit 192.168.0.0, wildcard bits 0.0.255.255
Standard IP access list NO_ACCESS
 15 deny 192.168.11.11
 10 deny 192.168.11.10 (4 matches)
 20 permit 192.168.11.0, wildcard bits 0.0.0.255
R1#
Both permit and deny statements keep match statistics; however, remember that every ACL has an implicit deny any as its last statement. That statement does not appear in the show access-lists output, so no statistics are displayed for it. To see statistics for the implicit deny any, configure the statement explicitly and it will appear in the output.
While testing an ACL, the counters can be cleared with the clear access-list counters command. This command can be used alone or with the number or name of a specific ACL. As shown below, it clears the statistics counters for that ACL.
R1# show access-lists
Standard IP access list 1
 10 deny 192.168.10.10 (4 matches)
 20 permit 192.168.0.0, wildcard bits 0.0.255.255
Standard IP access list NO_ACCESS
 15 deny 192.168.11.11
 10 deny 192.168.11.10 (4 matches)
 20 permit 192.168.11.0, wildcard bits 0.0.0.255
R1# clear access-list counters 1
R1#
R1# show access-lists
Standard IP access list 1
 10 deny 192.168.10.10
 20 permit 192.168.0.0, wildcard bits 0.0.255.255
Standard IP access list NO_ACCESS
 15 deny 192.168.11.11
 10 deny 192.168.11.10 (4 matches)
 20 permit 192.168.11.0, wildcard bits 0.0.0.255
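The rules this section has relied on (wildcard-mask matching, first-match ordering, the implicit deny, sequence-number insertion and deletion, and the per-ACE match counters and clear command just shown) can be exercised in a small model. The following Python is an added example written for this page, not IOS code or Cisco tooling: the class and function names are invented, the addresses are the ones used in the examples above, and the packets it evaluates are constructed. It evaluates ACEs in sequence order; real IOS may store and display host entries in hash order, which the model does not reproduce.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


def wildcard_match(address: str, source: str, wildcard: str) -> bool:
    """Standard-ACL source match. A 0 bit in the wildcard means 'must match' and a
    1 bit means 'ignore', so non-contiguous masks such as 0.0.0.254 are legal."""
    a = int(ipaddress.IPv4Address(address))
    s = int(ipaddress.IPv4Address(source))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (s & care)


@dataclass
class Ace:
    seq: int
    action: str  # "permit" or "deny"
    source: str
    wildcard: str
    matches: int = 0

    def render(self) -> str:
        """One line in the shape of 'show access-lists'."""
        if self.wildcard == "255.255.255.255":
            text = f" {self.seq} {self.action} any"
        elif self.wildcard == "0.0.0.0":
            text = f" {self.seq} {self.action} {self.source}"
        else:
            text = f" {self.seq} {self.action} {self.source}, wildcard bits {self.wildcard}"
        if self.matches:
            text += f" ({self.matches} match{'es' if self.matches != 1 else ''})"
        return text


class StandardAcl:
    """Ordered list of ACEs with first-match semantics and an implicit deny at the end."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.aces: Dict[int, Ace] = {}
        self.implicit_deny_matches = 0  # IOS shows no counter for this; kept here for teaching

    def add(self, action: str, source_spec: str, seq: Optional[int] = None) -> int:
        """source_spec as typed on the CLI: 'host A.B.C.D', 'any', 'A.B.C.D' or 'A.B.C.D W.W.W.W'."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        tokens = source_spec.split()
        if tokens[0] == "host":
            source, wildcard = tokens[1], "0.0.0.0"
        elif tokens[0] == "any":
            source, wildcard = "0.0.0.0", "255.255.255.255"
        elif len(tokens) == 1:
            source, wildcard = tokens[0], "0.0.0.0"
        else:
            source, wildcard = tokens[0], tokens[1]
        if seq is None:
            seq = max(self.aces) + 10 if self.aces else 10  # IOS default numbering
        if seq in self.aces:
            # IOS refuses to overwrite an existing sequence number; remove it first
            raise ValueError(f"sequence number {seq} already in use")
        self.aces[seq] = Ace(seq, action, source, wildcard)
        return seq

    def remove(self, seq: int) -> None:
        del self.aces[seq]  # equivalent to 'no <seq>' in named-ACL configuration mode

    def evaluate(self, src_ip: str) -> str:
        """Return 'permit' or 'deny' for a packet with this source, updating the counters."""
        for seq in sorted(self.aces):
            ace = self.aces[seq]
            if wildcard_match(src_ip, ace.source, ace.wildcard):
                ace.matches += 1
                return ace.action
        self.implicit_deny_matches += 1  # nothing matched: the implicit 'deny any' applies
        return "deny"

    def clear_counters(self) -> None:
        """Equivalent to 'clear access-list counters <name>'."""
        for ace in self.aces.values():
            ace.matches = 0
        self.implicit_deny_matches = 0

    def show(self) -> List[str]:
        return [f"Standard IP access list {self.name}"] + [self.aces[s].render() for s in sorted(self.aces)]
```

The wildcard_match function is the part worth reading twice: a mask such as 0.0.0.254 selects only even host addresses, which is why a mistyped wildcard silently permits or denies a different set of hosts than intended, and why the match counters are the quickest way to confirm which ACE a test packet actually hit.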

VTY Port Protection with Standard IPv4 ACL

You can improve the security of administrative lines by restricting access to VTY. VTY access restriction is a technique that allows you to define the IP addresses that are allowed to remotely access the router's EXEC process. You can control which IP addresses can access the router remotely by configuring an ACL and an access-class instruction on VTY lines. Use this technique with SSH to further improve administrative access security.
The access-class command, configured in line configuration mode, restricts incoming and outgoing connections between a given VTY (on a Cisco device) and the addresses in an access list.
The syntax of the access-class command is as follows:
Router(config-line)# access-class acl-number {in [vrf-also] | out}
The in parameter restricts incoming connections between the addresses in the access list and the Cisco device, while the out parameter restricts outgoing connections initiated from the Cisco device to the addresses in the access list.
In Image 2, an example is shown in which a range of addresses is allowed to access the VTY lines from 0 to 4. The ACL in the illustration was configured to allow the 192.168.10.0 network to access the VTY lines of 0 to 4, but to deny the other networks.
To configure access lists in VTY, the following must be taken into account:
  • Numbered and named access lists can be applied to VTYs.
  • Identical restrictions must be established on all VTYs, because a user can try to connect to any of them.
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# access-class 21 in
R1(config-line)# exit
R1(config)# access-list 21 permit 192.168.10.0 0.0.0.255
R1(config)# access-list 21 deny any
Note : Access lists apply to packets that are transported through a router, they are not designed to block packets that originate from the router. By default, outbound ACLs do not prevent remote access connections that are initiated from the router.

VTY PORT SECURITY VERIFICATION

After configuring the ACL to restrict access to VTY lines, it is important to verify that it works correctly. The following illustration shows two devices that try to connect to R1 via SSH. Access list 21 was configured on VTY lines on R1. PC1 manages to connect, while PC2 cannot establish an SSH connection. This is the expected behavior, since the configured access list allows access to VTY from the 192.168.10.0/24 network and denies the rest of the devices.

PC1> ssh 192.168.10.1
Login as: admin
Password: *****
R1>
PC2> ssh 192.168.11.1
ssh: connect to host 192.168.11.1 port 22: Connection refused
PC2>
The output below shows show access-lists on R1 after PC1 and PC2 attempt to connect using SSH.
R1# show access-lists
Standard IP access list 21
 10 permit 192.168.10.0, wildcard bits 0.0.0.255 (2 matches)
 20 deny any (1 match)
R1#
The matches on the permit line are the product of PC1's successful SSH connection. The match on the deny statement is due to the failed attempt of PC2, a device on the 192.168.11.0/24 network, to establish an SSH connection.