
Controlling Traffic with Route Maps

From the document IP NETWORKS CISCO QoS (pages 66-72)

The ability to manipulate traffic in a number of ways with route maps appeals to network administrators. A route map can combine the granularity of several extended Access Control Lists with the outgoing interface, or even the next-hop address, and the route map is then bound to a NAT statement to decide which pool (if any) translates the traffic. A multitude of combinations is possible, so you can express exactly the control you want.

Configuration Example

Consider the following configuration on the router designated as NAT in Figure 1.10. This portion of the configuration defines the NAT pool and binds it to the route map MAP-110.

Router1(config)#ip nat pool pool-110 120.110.187.1 120.110.187.254 prefix-length 24

Router1(config)#ip nat inside source route-map MAP-110 pool pool-110

Once the pool has been defined, NAT is enabled on an inside interface and an outside interface, as seen in the next example. Note that, as printed, the address given to ethernet 1 (10.10.2.1 255.255.0.0) lies in the same 10.10.0.0/16 network as ethernet 0; IOS rejects an address that overlaps another interface, and Figure 1.10 places E1 on the 10.20.0.0 network, so in practice the outside interface needs an address from that network.

Router1(config)#interface ethernet 0

Router1(config-if)#ip address 10.10.1.1 255.255.0.0

Router1(config-if)#ip nat inside

Router1(config-if)#interface ethernet 1

Router1(config-if)#ip address 10.10.2.1 255.255.0.0

Router1(config-if)#ip nat outside

Router1(config-if)#^Z

After the pool has been established and NAT has been assigned to the interfaces, an access list defines which traffic is eligible for translation. Only packets the access list permits will be translated; anything else passes untranslated.

Router1(config)#access-list 110 permit ip 10.10.0.0 0.0.255.255 120.21.187.0 0.0.0.255

When these steps have been completed, the actual route map criteria are configured using the match command. The permit sequence below translates whatever ACL 110 permits; a deny sequence, or a packet that matches no sequence, is left untranslated.

Router1(config)#route-map MAP-110 permit 10

Router1(config-route-map)#match ip address 110

www.syngress.com

Figure 1.10 NAT Implementing Route Maps

[Diagram: Host A and Host C sit on the 10.10.0.0 network behind the NAT router's E0 interface (.1); the router's E1 interface (.1) faces the 10.20.0.0 network, whose far side (.2) leads to Host B on the 120.110.187.0/24 and 120.111.187.0/24 networks.]

In this example, when Host A sends traffic to Host B, the router evaluates the packet against MAP-110 and, because ACL 110 permits it, installs an extended translation entry (route-map-based NAT records protocol and port information in the entry, not just the address pair). The packet is translated as it passes from the inside interface to the outside interface, and the reply is matched against the same entry on the way back.
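The page's own configuration uses a single match ip address clause. As an added example (not code from the book), here is a small Python model of how IOS evaluates an ip nat inside source route-map ... pool ... statement: it parses the access-list, route-map, match and NAT lines from the page, plus a hypothetical second pool (pool-111, ACLs 20, 111 and 112, and MAP-111) that is selected by outgoing interface and next hop, and a deny sequence that exempts one inside host from translation. The config text, the packet addresses, and the assumption that multiple ip nat inside source statements are tried in configuration order are constructions for this illustration.

```python
"""Model of Cisco IOS route-map-based NAT pool selection (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'do not care', a 0 bit means 'must match'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a ^ b) & care == 0


def _addr(tok, i):
    """Parse 'any', 'host X', or 'X [wildcard]' at tok[i]; returns (base, wildcard, next_i)."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(tok):          # explicit wildcard follows
        return tok[i], tok[i + 1], i + 2
    return tok[i], "0.0.0.0", i + 1   # standard ACL: omitted wildcard means exact host


@dataclass
class Ace:
    permit: bool
    src: tuple                 # (base, wildcard)
    dst: Optional[tuple]       # None for a standard (source-only) ACL


@dataclass
class Seq:
    permit: bool
    number: int
    acls: list = field(default_factory=list)           # match ip address
    interfaces: list = field(default_factory=list)     # match interface
    next_hop_acls: list = field(default_factory=list)  # match ip next-hop


@dataclass
class Packet:
    src: str
    dst: str
    out_if: str = ""
    next_hop: str = ""


def parse_ios(text):
    """Parse the subset of IOS lines used on the page (ACL options like 'log' are unsupported)."""
    acls, maps, nat, seq = {}, {}, [], None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "access-list":
            permit = tok[2] == "permit"
            if tok[3] == "ip":                            # extended: ip src wild dst wild
                sb, sw, i = _addr(tok, 4)
                db, dw, _ = _addr(tok, i)
                ace = Ace(permit, (sb, sw), (db, dw))
            else:                                         # standard: addr [wild]
                b, w, _ = _addr(tok, 3)
                ace = Ace(permit, (b, w), None)
            acls.setdefault(tok[1], []).append(ace)
        elif tok[0] == "route-map":
            seq = Seq(tok[2] == "permit", int(tok[3]))
            maps.setdefault(tok[1], []).append(seq)
            maps[tok[1]].sort(key=lambda s: s.number)
        elif tok[0] == "match" and seq is not None:
            if tok[1:3] == ["ip", "address"]:
                seq.acls += tok[3:]
            elif tok[1:3] == ["ip", "next-hop"]:
                seq.next_hop_acls += tok[3:]
            elif tok[1] == "interface":
                seq.interfaces += [t.lower() for t in tok[2:]]
        elif tok[:4] == ["ip", "nat", "inside", "source"] and tok[4] == "route-map":
            nat.append((tok[5], tok[7]))                  # (route-map name, pool name)
    return acls, maps, nat


def acl_permits(aces, src, dst=None):
    """First matching entry wins; falling off the end is the implicit deny."""
    for ace in aces:
        dst_ok = ace.dst is None or (dst is not None and wildcard_match(dst, *ace.dst))
        if wildcard_match(src, *ace.src) and dst_ok:
            return ace.permit
    return False


def route_map_verdict(acls, seqs, pkt):
    """Sequences are tried in order; different match types in one sequence are ANDed,
    the values of a single match clause are ORed, and a sequence with no match
    clauses matches everything. No matching sequence means deny (no translation)."""
    for s in seqs:
        if s.acls and not any(acl_permits(acls.get(n, []), pkt.src, pkt.dst) for n in s.acls):
            continue
        if s.interfaces and pkt.out_if.lower() not in s.interfaces:
            continue
        if s.next_hop_acls and not any(acl_permits(acls.get(n, []), pkt.next_hop) for n in s.next_hop_acls):
            continue
        return s.permit
    return False


def select_pool(config_text, pkt):
    """Pool an inside-to-outside packet is translated from, or None if left untranslated.
    Assumption: multiple 'ip nat inside source route-map' statements are tried in config order."""
    acls, maps, nat = parse_ios(config_text)
    for map_name, pool in nat:
        if route_map_verdict(acls, maps.get(map_name, []), pkt):
            return pool
    return None


# Constructed config: the page's pool-110 / ACL 110 / MAP-110, plus a hypothetical
# pool-111 chosen by outgoing interface and next hop, and deny sequences that
# exempt inside host 10.10.0.9 from translation altogether.
CONFIG = """
ip nat pool pool-110 120.110.187.1 120.110.187.254 prefix-length 24
ip nat pool pool-111 120.111.187.1 120.111.187.254 prefix-length 24
access-list 20 permit 10.20.1.2
access-list 110 permit ip 10.10.0.0 0.0.255.255 120.21.187.0 0.0.0.255
access-list 111 permit ip 10.10.0.0 0.0.255.255 any
access-list 112 permit ip host 10.10.0.9 any
route-map MAP-110 deny 5
 match ip address 112
route-map MAP-110 permit 10
 match ip address 110
route-map MAP-111 deny 5
 match ip address 112
route-map MAP-111 permit 10
 match ip address 111
 match interface Ethernet1
 match ip next-hop 20
ip nat inside source route-map MAP-110 pool pool-110
ip nat inside source route-map MAP-111 pool pool-111
"""

if __name__ == "__main__":
    for p in (Packet("10.10.0.2", "120.21.187.5", "Ethernet1", "10.20.1.2"),
              Packet("10.10.0.2", "198.51.100.7", "Ethernet1", "10.20.1.2"),
              Packet("10.10.0.9", "120.21.187.5", "Ethernet1", "10.20.1.2")):
        print(p, "->", select_pool(CONFIG, p))
```

The deny sequences show the check a practitioner usually wants: a host that must never be translated (or must never reach the outside) is excluded explicitly with a low sequence number, rather than relying on it failing every permit clause. Because route-map matching is first-match, the order of the sequence numbers, not the order in which you typed them, decides the outcome.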

Summary

In this chapter, we examined fundamental network skills, such as binary to decimal conversion, and explored concepts that you may not yet have had to implement, such as using route maps to meet Network Address Translation requirements.

As networks continue to grow, TCP/IP subnet manipulation will become increasingly important. Classful TCP/IP addressing has three classes of unicast address, namely Classes A, B, and C. The first octet of the address defines its class, and the class defines the default subnet mask. Under a classful scheme all subnets within a network must use the same subnet mask, and when the network is advertised to another network, only the default (classful) mask is assumed by the receiver.

Class D and E ranges are reserved for special purposes.The Class E range is reserved for experimental and developmental purposes.The Class D range is reserved for multicasting. Unlike broadcasting, in multicasts, hosts do not have to process each packet.The only computers that process multicasts are computers that are actually participating in the multicast group.This technology dramatically saves bandwidth as well as nonmember computer processor cycles.

Classful protocols, such as RIPv1 and IGRP, do not include subnet masks with routing table updates.

RIPv1 bases its routing decisions solely on hop count, which is not always the best measure, since it ignores link bandwidth, congestion, and reliability. Like all distance vector protocols, RIPv1 receives routing updates only from direct neighbors, and it sends and receives updates only at regular time intervals.

In order to make IGRP a more robust protocol than RIPv1, Cisco based IGRP's routing decisions on more network variables, thus making the protocol more "intelligent." The factors that IGRP takes into account when making its routing decisions are bandwidth, delay, load, and reliability. IGRP updates its routing table the same way as RIPv1, that is, by updating at regular time intervals and getting updates only from direct neighbors.

Variable-length subnet mask gives administrators the ability to break down addresses into more efficient and manageable pieces.This gives more control over the size of subnets and reduces the number of unused host addresses.

Access Control Lists enable you to shape your network traffic to make better use of the existing bandwidth. Standard ACLs allow you to control the network traffic based on the source of the network packets. Standard ACLs do not always isolate traffic enough to properly manage it, in which case extended ACLs may be more appropriate. Extended ACLs have a wide range of flexibility, which usually gives you all the control that you need to manage network traffic in most environments.

Network Address Translation is used to hide private addresses behind a public address. NAT conceals your internal addressing from the outside (although it is not a substitute for filtering with ACLs or a firewall) and, at the same time, minimizes public address needs, which lessens costs and contributes to the conservation of public TCP/IP addresses.

NAT's use of ACLs gives administrators the ability to isolate the traffic that is to be translated to public addresses. You can also use route maps with Network Address Translation to combine access lists, the output interface, and the next-hop TCP/IP address in order to determine which NAT pool to use.

As you continue to explore Cisco’s Quality of Service, you will become more familiar with its tools and how they will help you control the data flow in your network.

FAQs

Visit www.syngress.com/solutions to have your questions about this chapter answered by the author.

Q: Should I implement a classful or a classless TCP/IP address scheme?

A: Most private networks implement a classless TCP/IP address scheme because VLSM enables you not only to conserve addresses but also to break networks down into more manageable pieces. If there is an existing network, you need to consider the routing protocol that is currently in place. If the protocol is a classful protocol, you need to either implement a classful address scheme or migrate to a classless routing protocol.

Q: You are a consultant to a small company that is implementing a network consisting of eight routers. The company's engineers would like to use either RIPv1 or IGRP. Which protocol should be used?

A: You first need to consider what types of routers are being used. If all of the routers are Cisco, then you should use IGRP since it is a more robust protocol. If the network consists of a mix of vendors, or perhaps has no Cisco routers at all, you would use RIPv1 because it is an open standard and most router manufacturers support this protocol.

Q: You have a requirement to filter traffic by source address. What type of Access Control List would you use?

A: If you are controlling only by source addresses, the preferred ACL would be a standard Access Control List. Standard ACLs are well suited to this type of traffic and do not require more detailed configuration. If you need more granular control, such as filtering based on source address, destination address, or type of traffic, then your preference would be extended Access Control Lists. These types of ACLs require more configuration, but they enable an administrator to gain more thorough control over the network.

Q: A company that you work for has obtained ten registered TCP/IP addresses for Internet connectivity. You want to allow a portion of your one hundred users to access the Internet with these addresses. What would you need to use in order to make this possible?

A: Network Address Translation enables you to hide private addressing from the network behind actual registered addresses. You would first configure an address pool consisting of the ten registered addresses. You then need to select which users you want to use the NAT by using an Access Control List. Finally, you would apply the NAT to the desired interfaces.

EIGRP A Detailed
