HCIA Domain 4

12. ACL Principles and Configuration

1. ACL Overview
An ACL (Access Control List) is an ordered list of rules used to permit or deny traffic.
The rules are processed sequentially, and the ACL classifies packets according to the conditions defined in each rule (for example source or destination address, protocol, or port number).
Note that an ACL by itself only classifies packets. What actually happens to a matched or unmatched packet depends on the feature that references the ACL (traffic filtering, NAT, routing policy, and so on).

Applications of ACLs:
Traffic filtering: control which traffic is allowed or denied through the network.
NAT (Network Address Translation): identify which traffic is subject to address translation.
Routing policies: influence route selection or control routing behaviour.
Firewall policies: block or allow traffic based on security policies.
QoS (Quality of Service): classify traffic so that it can be prioritized.
Others: ACLs can also be applied in various other network functions such as VPNs and load balancing.

2. ACL Composition
An ACL consists of permit or deny statements, which are the rules within the ACL. Each rule defines an action (permit or deny) and a set of match conditions (such as IP addresses or port numbers).

Rule ID and step:
Each rule in an ACL has a rule ID. If no ID is specified manually, the system allocates one automatically using the configured step value (5 by default).
The step leaves gaps between rule IDs so that an administrator can later insert a new rule between two existing ones without renumbering the ACL.
For example, with a step of 5 the first automatically numbered rule gets ID 5, the next ID 10, and so on. A rule that must be evaluated between them can be given ID 7, and a rule that must be evaluated before all of them can be given a lower ID such as 2.

3. Wildcard Masks
A wildcard mask is a 32-bit value that specifies which bits of an IP address must match exactly and which bits may vary.
It has the same format as a subnet mask but works differently: in a wildcard mask a 0 bit means the corresponding address bit must match exactly, and a 1 bit means the address bit can be either 0 or 1 (don't care). Unlike a subnet mask, the 1 bits of a wildcard mask do not have to be contiguous.
Example: to match only the odd addresses in the network segment 192.168.1.0/24 (192.168.1.1, 192.168.1.3, and so on), use the base address 192.168.1.1 with the wildcard 0.0.0.254. The first 24 bits and the lowest bit must match (so the lowest bit is fixed at 1), while the remaining seven bits of the last octet are don't care.

4. ACL Classification and Identification

4.1 ACL Classification Based on Rule Definition Methods
Basic ACL (2000-2999): rules are based on source IPv4 addresses, fragmentation information, and time ranges.
Advanced ACL (3000-3999): rules are based on source and destination IPv4 addresses, protocol types (TCP/UDP), ICMP types, port numbers, and time ranges.
Layer 2 ACL (4000-4999): rules are based on Layer 2 (Ethernet) information such as MAC addresses and protocol types.
User-defined ACL (5000-5999): allows matching based on packet headers, offsets, character strings, and other user-defined criteria.
User ACL (6000-6999): similar to advanced ACLs, but additionally matches user control list (UCL) groups for both source and destination addresses.

4.2 ACL Classification Based on Identification Methods
Numbered ACL: the traditional method, where an ACL is identified by a number from the ranges above.
Named ACL: a more flexible approach where an ACL is identified by a descriptive name instead of (or in addition to) a number, which makes its purpose easier to recognise.

5. ACL Matching Order and Result
By default the system evaluates ACL rules in ascending order of rule ID (configuration order): the rule with the smallest ID is checked first. An ACL can alternatively be set to automatic ordering, where more specific rules are evaluated before less specific ones regardless of their IDs.
Evaluation continues until a rule matches. When a rule matches, its action (permit or deny) is taken and the remaining rules are ignored for that packet. A specific exception therefore must have a lower ID than the broader rule it is meant to override, otherwise it is never reached.
If no rule matches, the ACL returns no result, and the treatment of the packet is decided by the feature that references the ACL (for example, interface traffic filtering forwards such packets by default, while a firewall security policy usually denies them).
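The following Python model, added here as an illustration and not taken from the notes or from any vendor code, ties together rule numbering with a step (section 2), wildcard-mask matching (section 3) and first-match evaluation (section 5). The ACL number, addresses and the step of 5 are constructed for the demo; the treatment of packets that match no rule is passed in as a parameter because the notes leave it to the referencing feature.

```python
"""Added example: a small model of ACL rule IDs, wildcard masks and
first-match evaluation. Not vendor code; step behaviour follows the notes
(default step 5, first auto-numbered rule gets ID 5)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match the base exactly; a 1 bit is don't care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


@dataclass
class Rule:
    rule_id: int
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0"             # base address; any address by default
    src_wc: str = "255.255.255.255"  # all bits don't care
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    proto: Optional[str] = None      # "tcp", "udp", "icmp" or None for any
    dport: Optional[int] = None      # destination port, None for any

    def matches(self, pkt: dict) -> bool:
        return (wildcard_match(pkt["src"], self.src, self.src_wc)
                and wildcard_match(pkt["dst"], self.dst, self.dst_wc)
                and (self.proto is None or pkt.get("proto") == self.proto)
                and (self.dport is None or pkt.get("dport") == self.dport))


@dataclass
class Acl:
    number: int
    step: int = 5
    rules: List[Rule] = field(default_factory=list)

    def add_rule(self, action: str, rule_id: Optional[int] = None, **match) -> int:
        """Add a rule. Without an explicit ID, allocate the next multiple of
        `step` above the highest existing ID (first rule gets 5, then 10, ...)."""
        if rule_id is None:
            highest = max((r.rule_id for r in self.rules), default=0)
            rule_id = (highest // self.step + 1) * self.step
        if any(r.rule_id == rule_id for r in self.rules):
            raise ValueError(f"rule {rule_id} already exists in ACL {self.number}")
        self.rules.append(Rule(rule_id, action, **match))
        self.rules.sort(key=lambda r: r.rule_id)   # evaluation order = ascending ID
        return rule_id

    def rule_ids(self) -> List[int]:
        return [r.rule_id for r in self.rules]

    def evaluate(self, pkt: dict, default: str = "permit") -> Tuple[str, Optional[int]]:
        """First match wins: the lowest-ID matching rule decides and later rules
        are ignored. `default` models the feature-specific handling of packets
        that match no rule (e.g. traffic-filter permits, firewall policy denies)."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, rule.rule_id
        return default, None


def demo() -> dict:
    """Constructed scenario: deny Telnet from odd-numbered hosts of
    192.168.1.0/24, permit the rest of the subnet, then add an exception."""
    acl = Acl(3000)
    # base 192.168.1.1 with wildcard 0.0.0.254 fixes the low bit at 1: odd hosts only
    acl.add_rule("deny", src="192.168.1.1", src_wc="0.0.0.254", proto="tcp", dport=23)
    acl.add_rule("permit", src="192.168.1.0", src_wc="0.0.0.255")
    telnet_33 = {"src": "192.168.1.33", "dst": "10.0.0.5", "proto": "tcp", "dport": 23}
    before = acl.evaluate(telnet_33)                  # ("deny", 5)
    # The exception for host .33 must precede rule 5; as rule 7 it would never be reached.
    acl.add_rule("permit", rule_id=2, src="192.168.1.33", src_wc="0.0.0.0",
                 proto="tcp", dport=23)
    after = acl.evaluate(telnet_33)                   # ("permit", 2)
    return {"ids": acl.rule_ids(), "before": before, "after": after, "acl": acl}
```

Run demo() and compare the two evaluations: the same packet is denied by rule 5 until the exception is inserted with a lower ID, which is exactly the gap the step value exists to leave open.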

6. Inbound and Outbound Directions
Inbound ACL: applied to traffic arriving on an interface, before the router or switch forwards it. This filters traffic before it is routed or switched any further.
Outbound ACL: applied to traffic leaving an interface, after the forwarding decision has been made but before the traffic exits the device.
Using both directions gives granular control over incoming and outgoing traffic at different points in the network.


13. AAA Principles and Configuration
1. Overview of AAA
Authentication: determines whether a user is who they claim to be. It validates user identities before granting access to the network.
Authorization: defines which services or resources an authenticated user is allowed to access.
Accounting: monitors and records user activities and resource usage for auditing and billing purposes.

2. Common AAA Architecture
The architecture consists of the user, the Network Access Server (NAS), and the AAA server.
The NAS acts as the access gateway that collects and manages user access requests centrally.
The AAA server (for example a RADIUS or TACACS+ server) processes these requests according to the AAA schemes configured for each domain.
Domains: the NAS manages users by domain, and each domain is associated with its own authentication, authorization, and accounting schemes.
For example, a username in the form user1@domain1 indicates that user1 belongs to domain1.
Users whose name carries no domain are assigned to the default domain.

3. Authentication
AAA supports several authentication modes:
Non-authentication: users are trusted without any verification of their identity. This mode is rarely used because it provides no security.
Local authentication: the NAS itself stores and verifies the user information (for example username and password). This mode is fast and cost-effective, but limited by the storage capacity of the device. It is often used for login users (for example Telnet or FTP users).
Remote authentication: user information is stored on an external authentication server (for example RADIUS or TACACS+). The NAS acts as a client that communicates with the remote server to authenticate users. This mode is more scalable and more secure.

4. Authorization
Authorization defines what authenticated users can access:
Non-authorization: users have unrestricted access rights after authentication.
Local authorization: the NAS manages permissions locally, based on the domain configuration.
Remote authorization: the RADIUS or TACACS+ server provides the authorization details.
In RADIUS, authentication and authorization are integrated, so authorization cannot be performed without authentication.
In TACACS+, authorization is a separate step that the server can perform after authentication.
If both the NAS and the authorization server provide authorization information, the server's information takes priority.


5. Accounting
Accounting tracks and records user activity and network resource usage:
Non-accounting: no records are kept; users access services without their activity being logged.
Remote accounting: the RADIUS or TACACS+ server records user activity such as session duration, data usage, or services accessed.

6. AAA Implementation Protocol - RADIUS
RADIUS (Remote Authentication Dial-In User Service) is the most commonly used protocol for implementing AAA.
It uses a client/server architecture:
The NAS acts as the RADIUS client and sends authentication and accounting requests to the RADIUS server.
The RADIUS server processes these requests, verifies the user's credentials, and responds with an accept or reject message.
RADIUS uses UDP as its transport protocol:
UDP port 1812 for authentication (older deployments also use 1645).
UDP port 1813 for accounting (older deployments also use 1646).
Because it runs over UDP, RADIUS implements its own retransmission and supports standby servers for reliability, while keeping real-time performance high. The client and server share a secret that is used to obfuscate the user password and to authenticate the server's responses; the security of the exchange depends entirely on that secret.

Message exchange process:
1. The user initiates a connection and sends a username and password to the NAS (the RADIUS client).
2. The NAS sends an Access-Request to the RADIUS server containing the username and the obfuscated password.
3. The server checks the credentials and replies with Access-Accept (together with authorization attributes) or Access-Reject.
4. If accounting is configured, the NAS then sends Accounting-Request messages (start and stop) to the server, which acknowledges them.
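To make the exchange concrete, here is an added Python model of the Access-Request / Access-Accept dialogue with both sides implemented in-process. It is not part of the original notes and contacts no real server; the packet layout, the User-Password obfuscation and the Response Authenticator follow the RADIUS standard, while the shared secret, NAS address, user and password are constructed values.

```python
"""Added example: RADIUS Access-Request / Access-Accept between a NAS (client)
and a server, built by hand on the RFC 2865 wire format. Not vendor code;
secret, user, password and NAS address are constructed for the demo."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes the 2-byte header."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """User-Password hiding: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator.
    Anyone holding the shared secret can reverse it; it is not encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # demo passwords contain no NUL bytes


def nas_build_request(ident: int, user: bytes, password: bytes, secret: bytes,
                      nas_ip: bytes = b"\x0a\x00\x00\x01") -> tuple:
    req_auth = os.urandom(16)   # fresh random Request Authenticator per request
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + attr(NAS_IP_ADDRESS, nas_ip))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: recover the password, decide, and sign the reply."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    req_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user, hidden = attrs.get(USER_NAME, b""), attrs.get(USER_PASSWORD, b"")
    pwd = reveal_password(hidden, secret, req_auth)
    code = ACCESS_ACCEPT if users.get(user) == pwd else ACCESS_REJECT
    resp_attrs = b""   # a real Access-Accept would carry authorization attributes here
    head = struct.pack("!BBH", code, ident, 20 + len(resp_attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(head + req_auth + resp_attrs + secret).digest()
    return head + resp_auth + resp_attrs


def nas_verify_response(response: bytes, req_auth: bytes, secret: bytes) -> int:
    """NAS side: recompute the Response Authenticator; a reply from a party
    without the secret (or a tampered reply) is rejected."""
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("bad Response Authenticator: reply not from our server")
    return head[0]


def authenticate(user: bytes, password: bytes, secret: bytes, users: dict) -> int:
    """Full round trip; returns the response code (2 = Accept, 3 = Reject)."""
    request, req_auth = nas_build_request(7, user, password, secret)
    response = server_handle(request, secret, users)
    return nas_verify_response(response, req_auth, secret)
```

The code shows why the shared secret matters so much: the password is only XOR-masked with an MD5 stream derived from the secret, and the server's reply is authenticated with nothing stronger than an MD5 over the packet and the secret. Accounting uses the same packet format with its own codes and a zero-based Request Authenticator, so the same builder can be extended for it. In production, use a long random secret per NAS and protect the UDP exchange with IPsec or RADIUS over TLS (RadSec) rather than relying on the obfuscation alone.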

7. Common AAA Application Scenarios
AAA for Internet access users through RADIUS: ISPs use RADIUS to authenticate users (for example broadband subscribers) before granting Internet access, and to record user activity for billing or usage tracking.
Local authentication and authorization for administrative users: the NAS uses local authentication and authorization for administrator access, for example to manage the login credentials of Telnet or FTP users.


14. NAT

1. Motivation Behind NAT
With the growing number of Internet users, public IPv4 addresses have become scarce, and the uneven distribution of those addresses has made the shortage worse in some regions.
NAT mitigates this shortage by allowing many devices on a private network to share a small number of public IP addresses.

2. Private IP Addresses
Public IP addresses: allocated by dedicated registries (IANA and the regional registries) and routable directly on the Internet.
Private IP addresses: used inside private networks (for example corporate or home networks) and not routable on the public Internet.
Reserved private address ranges (RFC 1918):
Class A: 10.0.0.0 - 10.255.255.255
Class B: 172.16.0.0 - 172.31.255.255
Class C: 192.168.0.0 - 192.168.255.255
Hosts using these private addresses need NAT to reach external networks.

3. NAT Implementation
NAT translates the IP addresses in packets as they move between the private and the public network. It is typically deployed on egress devices such as routers or firewalls.

Typical scenario:
Internal devices use private IP addresses.
When these devices access external networks, the NAT device at the egress translates their private source addresses to public addresses.
For the returning traffic, the NAT device translates the public destination address back to the corresponding private address.

4. Static NAT Implementation
Static NAT creates a fixed one-to-one mapping between a private IP address and a public IP address.
Bidirectional access: internal hosts with private addresses can reach the Internet, and external hosts can also reach the internal hosts through their mapped public addresses.
Example: if an internal server must be reachable from the Internet, a static NAT entry ensures that requests sent to a specific public IP address are forwarded to the server's private IP address.

5. Dynamic NAT Implementation
Dynamic NAT uses a pool of public IP addresses instead of mapping each internal host to a fixed public address.
When an internal host initiates communication with an external network, an available address from the NAT pool is temporarily assigned to it.
When the host stops communicating, the address is returned to the pool for reuse.
This avoids wasting public addresses, because an address is consumed only while a host actually needs it.

6. NAPT (Network Address and Port Translation) Implementation
NAPT extends dynamic NAT by translating not only IP addresses but also port numbers, which allows many private IP addresses to share a single public IP address.

Mapping:
Unlike dynamic NAT, where each private address maps to one public address (1:1), NAPT maps many private addresses to one public address (N:1) and tells the flows apart by the translated port numbers.
This greatly improves the utilization of public addresses and is widely used in home and small business networks.

7. Easy IP
Easy IP is a variant of NAPT in which the NAT device uses the IP address of its own public interface instead of an address from a pool.
It applies where the public address is assigned dynamically, for example through DHCP or PPPoE.
Because no address pool is required, it suits small networks with dynamically obtained public addresses.

8. NAT Server
NAT Server is used when an internal server must provide services to external clients.
It creates a static one-to-one mapping between a [public IP address:port number] and a [private IP address:port number].
External hosts can then reach the internal server by using the public IP address and port number.
For example, if a web server runs inside the private network, a NAT Server rule can allow external users to reach it through a designated public IP address and port (for example HTTP on port 80). Because this deliberately exposes an internal host, publish only the ports the service needs and keep the rest of the private network reachable only through NAPT entries created by outbound traffic.
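The following Python model, added here and not taken from the notes, puts sections 3 to 8 together: an Easy IP style NAT device that uses its single public interface address for NAPT (outbound flows share the address and are told apart by port) and carries a static NAT Server mapping for an internal web server. Addresses, ports and the starting dynamic port are constructed for the demo; entry timeouts are left out.

```python
"""Added example: a NAT egress device combining NAPT for outbound flows with a
static NAT Server mapping. Not vendor code; all addresses and ports are
constructed. Flows are keyed by private source only (no timeouts)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

FlowKey = Tuple[str, int, str]   # (private ip, private port, proto)
PubKey = Tuple[int, str]         # (public port, proto)


@dataclass
class NatDevice:
    public_ip: str                # Easy IP style: the public interface address
    next_port: int = 10240        # first dynamic port handed out by NAPT
    outbound: Dict[FlowKey, int] = field(default_factory=dict)
    # NAPT reverse table: public port -> (private ip, private port, remote ip, remote port)
    inbound: Dict[PubKey, Tuple[str, int, str, int]] = field(default_factory=dict)
    # NAT Server: fixed public port -> (private ip, private port)
    servers: Dict[PubKey, Tuple[str, int]] = field(default_factory=dict)

    def add_nat_server(self, proto: str, public_port: int,
                       private_ip: str, private_port: int) -> None:
        """Static [public ip:port] -> [private ip:port] mapping, e.g. TCP 80 -> web server."""
        self.servers[(public_port, proto)] = (private_ip, private_port)

    def translate_outbound(self, pkt: dict) -> dict:
        """Private -> public: rewrite the source to the public address plus a
        unique public port; an existing flow keeps the port it was given."""
        key = (pkt["src"], pkt["sport"], pkt["proto"])
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, pkt["proto"])] = (pkt["src"], pkt["sport"],
                                                  pkt["dst"], pkt["dport"])
        return dict(pkt, src=self.public_ip, sport=self.outbound[key])

    def translate_inbound(self, pkt: dict) -> Optional[dict]:
        """Public -> private. A packet to the public address is delivered only
        if a NAT Server rule covers its port, or an outbound flow created a
        NAPT entry and the packet comes from that flow's remote peer. Anything
        else is unsolicited and dropped (None)."""
        if pkt["dst"] != self.public_ip:
            return None
        key = (pkt["dport"], pkt["proto"])
        if key in self.servers:
            ip, port = self.servers[key]
            return dict(pkt, dst=ip, dport=port)
        entry = self.inbound.get(key)
        if entry is None or (pkt["src"], pkt["sport"]) != (entry[2], entry[3]):
            return None
        return dict(pkt, dst=entry[0], dport=entry[1])


def demo() -> NatDevice:
    """Constructed scenario: two hosts using the same source port reach the
    same HTTPS server; an internal web server is published on TCP 80."""
    nat = NatDevice("203.0.113.10")
    nat.add_nat_server("tcp", 80, "192.168.1.20", 8080)
    for host in ("192.168.1.11", "192.168.1.12"):
        nat.translate_outbound({"src": host, "sport": 40000, "dst": "198.51.100.5",
                                "dport": 443, "proto": "tcp"})
    return nat
```

After demo(), both hosts appear as 203.0.113.10 with ports 10240 and 10241; the reply for port 10241 is delivered to 192.168.1.12 only if it really comes from 198.51.100.5:443, a packet to public port 80 is steered to the web server on 8080, and a probe of any other port is dropped. The source check on NAPT replies is what keeps the shared public address from becoming a way into arbitrary internal hosts.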
