All Cisco-Network Study Notes: 12/28/08

Configuring Cisco Wireless Using the SDM/HTTP 220

Configuring Cisco Wireless

Using the SDM/HTTP

Configuring through the SDM is absolutely the easiest way to go for wireless configurations.

Basically, all you charge to do to accompany up an admission point is to aloof about-face it on. But if you do have

a wireless agenda in your router, you’ll charge to configure it aloof as I showed you in the previous

section.

This is my router assuming that I can configure the wireless agenda I accept installed in aperture 3:

There absolutely isn’t too abundant you can do from aural SDM itself, but if I were to bang the Edit

Interface/Connection tab and again bang Summary, I could accredit and attenuate the interface, as well

as bang the Edit button, which would acquiesce me to add NAT, admission lists, and so on, to the interface:

From either the Create Connection awning apparent beforehand or the awning that appears back you click

the Edit button of the additional screen, you can bang Launch Wireless Application. This will accessible a

new HTTP awning that your wireless accessory is configured from alleged the Express Set-up screen.

This is the aforementioned awning you would see if you aloof typed HTTP into an admission point—one like

my 1242AP. The SDM will be acclimated with wireless interfaces for monitoring, for accouterment statistics,

and for accepting admission into the wireless agreement approach on a router that has wireless

interfaces. This is so we don’t accept to use the CLI for the adamantine configurations.

Again, you can configure alone some basal advice from here. But from the abutting screen,

Wireless Express Security, you can configure the wireless AP in either bridging approach or routing

mode—a absolutely air-conditioned feature!

The abutting awning shows the wireless interfaces and the basal settings:

This is the additional allotment of the Wireless Interfaces screen:

Under the Wireless Aegis branch is absolutely area HTTP administration shines! You can

configure encryption, add SSIDs, and configure your RADIUS server settings.

Now, if you were to aloof HTTP in to the 1242AG AP, you’ll see this screen:

This looks amazingly like the APs you’ll acquisition in your ISR routers, and you can configure the

same accessories and aegis too.

AP Configuration

AP Configuration
Configuring the AP is a bit different because it’s an access point (again, think hub), not a
router. I’ll configure this device from the CLI, but you can use an HTTP interface as well. But
you can’t use SDM. The HTTP interface will be easier to use when you start adding security
and when you get into some more complex configurations.
Check out the output:
ap>en
Password:
ap#config t
ap(config)#hostname 1242AP
1242AP(config)#enable secret todd
242AP(config)#int dot11Radio 0
1242AP(config-if)#description CORPWLAN
1242AP(config-if)#no shutdown
1242AP(config-if)#ssid CORPWLAN
1242AP(config-if-ssid)#guest-mode
1242AP(config-if-ssid)#authentication open
1242AP(config-if-ssid)#infrastructure-ssid
1242AP(config-if-ssid)#exit
1242AP(config-if)#exit
1242AP(config)#line con 0
1242AP(config-line)#password console
1242AP(config-line)#login
1242AP(config-line)#logging synchronous
1242AP(config-line)#exec-timeout 0 0
1242AP(config-line)#exit
1242AP(config)#line vty 0 ?
<1-15> Last Line number

1242AP(config)#line vty 0 15
1242AP(config-line)#password telnet
1242AP(config-line)#login
1242AP(config-line)#int bvi 1
1242AP(config-if)#ip address 10.1.1.2 255.255.255.0
1242AP(config-if)#no shut
1242AP(config-if)#exit
1242AP(config)#ip default-gateway 10.1.1.1
1242AP(config)#ip dhcp pool CORPWLAN
1242AP(dhcp-config)#network 10.1.1.0 255.255.255.0
1242AP(dhcp-config)#default-router 10.1.1.1
1242AP(dhcp-config)#exit
1242AP(config)#ip dhcp excluded-address 10.1.1.1
1242AP(config)#ip dhcp excluded-address 10.1.1.2
1242AP(config)#no ip domain-lookup
1242AP(config)#^Z
1242AP#copy run start
Destination filename [startup-config]?[enter]
Building configuration...
[OK]
1242AP#
Even though the SSID configuration is the same as it is for the R2 routed radio interface,
notice there’s no IP address under the Dot11radio 0 interface. Why? It’s not a routed port, so
the IP address is instead placed under the bridge virtual interface (BVI). I also set a default gateway
so this device can be managed from outside the LAN.
You need to know that, just as with a switch, you don’t need to add an IP address to the
AP for it to function. I could just as easily have added the DHCP pool to the Corp router for
the wireless LAN and not added an IP address or pool to the AP at all, and it still would have
worked just the same.

Configuring Cisco Wireless Using the IOS

Configuring Cisco Wireless
Using the IOS
I’ll configure two types of devices in this section using the CLI:

A Cisco router with a routed wireless radio

A basic Cisco wireless access point
The router and the AP configuration through the CLI are not much different. Here, in Table
9.3, are some of the minimum commands needed for configuring a wireless card in a router:
TABLE 9 . 3
Command and Meaning
Command Meaning
hostname
Sets the name for the device
interface
interface
Takes you to interface mode
ip address
Sets an IP address on an interface
no shutdown
Enables an interface
ssid
ssid
Sets an SSID on a radio
guest-mode
Broadcasts the SSID on the BSS
authentication-open
Sets the authentication to open
infrastructuire-ssid
Tells the BSS clients that the wired network can be
reached through this SSID
line con 0
Chooses the console line
password
password
Sets a password on a line
logging synchronous
Stops the console messages from overwriting what you
are typing
line vty
first_line_number
last_line _number
Chooses the Telnet or SSH line numbers
ip dhcp pool pool_name Creates a DHCP pool
network network mask Creates a pool of addresses used by the DHCP pool
default-router Sets the default gateway for the DHCP service to advertise
ip dhcp excluded-address
ip_address
Lists addresses that the DHCP will not hand out to DHCP
clients
copy running-config
startup-config
Saves the running-config to NVRAM
I’ll start by showing how to configure an 871W router with an 802.11b/g radio:
Router>en
Router#config t
Router(config)#hostname 871W
871W(config)#int vlan 1
871W(config-if)#ip address 10.1.11.2 255.255.255.0
871W(config-if)#no shut
871W(config-if)#int dot11radio 0
871W(config-if)#ip address 10.1.12.1 255.255.255.0
871W(config-if)#no shut
871W(config-if)#ssid R3WLAN
871W(config-if-ssid)#guest-mode
871W(config-if-ssid)#authentication open
871W(config-if-ssid)#infrastructure-ssid
871W(config-if-ssid)#line con 0
871W(config-line)#password console
871W(config-line)#login
871W(config-line)#logging sync
871W(config-line)#exec-timeout 0 0
871W(config-line)#exit
871W(config)#line vty 0 ?
<1-4> Last Line number

871W(config)#line vty 0 4
871W(config-line)#password telnet
871W(config-line)#login
871W(config-line)#ip dhcp pool R3WLAN
871W(dhcp-config)#network 10.1.12.0 255.255.255.0
871W(dhcp-config)#default-router 10.1.12.1
871W(dhcp-config)#exit
871W(config)#ip dhcp excluded-address 10.1.12.1
871W(config)#exit
871W#copy run start
Destination filename [startup-config]?[enter]
Building configuration...
[OK]
871W#
The 871W I configured has a four-port switch, which means you have to place the IP
address under the management VLAN interface. You just can’t get away with simply putting
IP addresses on layer-2 switch interfaces.
To be honest, I think this was a faster configuration than using SDM. But I guess, in production,
the SDM with HTTPS would really be a more secure way to administer the router.

WPA or WPA 2 Pre-Shared Key

Now we’re accepting somewhere. Although this is addition anatomy of basal aegis that’s absolutely just

an add-on to the specifications, WPA or WPA2 Pre-Shared Key (PSK) is a bigger anatomy of wireless

security than any added basal wireless aegis adjustment mentioned so far. I did say “basic.”

The PSK verifies users via a countersign or anecdotic cipher (also alleged a

passphrase

) on both

the applicant apparatus and the admission point. A applicant assets admission to the arrangement alone if its password

matches the admission point’s password. The PSK additionally provides keying actual that TKIP

or AES uses to accomplish an encryption key for anniversary packet of transmitted data. Although more

secure than changeless WEP, PSK still has a lot in accepted with changeless WEP in that the PSK is stored

on the applicant base and can be compromised if the applicant base is absent or stolen, alike though

finding this key isn’t all that accessible to do. It’s a audible advocacy to use a able PSK

passphrase that includes a admixture of letters, numbers, and nonalphanumeric characters.

WPA is adopted over changeless WEP because the ethics of WPA keys can change

dynamically while the arrangement is used.

Wi-Fi Protected Access

(WPA) is a accepted developed in 2003 by the Wi-Fi Alliance, formerly

known as WECA. WPA provides a accepted for the affidavit and encryption of

WLANs that’s advised to break accepted aegis problems absolute up to and including the

year 2003. This takes into annual the well-publicized AirSnort and man-in-the-middle

WLAN attacks.

WPA is a footfall against the IEEE 802.11i accepted and uses abounding of the aforementioned components,

with the barring of encryption—802.11i uses AES encryption. WPA’s mechanisms are

designed to be implementable by accepted accouterments vendors, acceptation that users should be able

to apparatus WPA on their systems with alone a firmware/software modification.

The IEEE 802.11i accepted replaced WEP with a specific approach of the Advanced Encryption

Standard (AES) accepted as the

Counter Approach Cipher Block Chaining-Message Authentication

Code (CBC-MAC) Protocol

(CCMP). This allows AES-CCMP to accommodate both abstracts confidentiality

(encryption) and abstracts integrity.

Unlike WEP, which uses a distinct key for unicast abstracts encryption and can use a abstracted key

for multicast and advertisement abstracts encryption, WPA2 uses four keys for anniversary wireless client/

wireless AP pair. The keys are accepted as the

pairwise banausic keys

. It additionally uses two different

keys—one for multicast and one for advertisement traffic.

OK, let’s configure some wireless accessories now!

Open Access

All WiFi-certified wireless LAN articles are alien in “open-access” mode, with their security

features angry off. Although accessible admission or no aegis may be adapted and acceptable

for accessible hot spots such as coffee shops, academy campuses, and maybe airports, it’s

definitely not an advantage for an action organization, and it’s acceptable not alike able for

your clandestine home network.

Security needs to be enabled on wireless accessories during their accession in action environments.

It may appear as absolutely a shock, but some companies absolutely don’t accredit any

WLAN aegis features. Obviously, the companies that do this are advertisement their networks

to amazing risk!

The acumen that the articles are alien with accessible admission is so that any being who knows

absolutely annihilation about computers can aloof buy an admission point, bung it into their cable

or DSL modem, and

voilà

—they’re up and running. It’s marketing, apparent and simple, and

simplicity sells.

SSIDs, WEP, and MAC Abode Authentication

What the aboriginal designers of 802.11 did to actualize basal aegis was accommodate the use of SSIDs,

open or shared-key authentication, changeless Wired Equivalency Protocol (WEP), and optional

Media Admission Control (MAC) authentication. It sounds like a lot, but none of these really

offers any blazon of austere aegis solution—all they may be abutting to able for is use on a

common home network. But I’ll awning them anyway….

SSID is a accepted arrangement name for the accessories in a WLAN arrangement that actualize the wireless

LAN. An SSID prevents admission by any applicant accessory that doesn’t accept the SSID. The affair is,

by default, an admission point broadcasts its SSID in its alarm abounding times a second. And even

if SSID broadcasting is angry off, a bad guy can ascertain the SSID by ecology the network

and aloof cat-and-mouse for a applicant acknowledgment to the admission point. Why? Well, accept it or not, that

information, as adapted in the aboriginal 802.11 specifications, charge be beatific in the clear—how

secure!

If the SSID advertisement from an AP (also called

guest mode

) is disabled, clients

can still affix to the AP by ambience the SSID amount on the applicant software to

the SSID configured on the AP.

The IEEE 802.11 board authentic two types of authentication: accessible and shared-key

authentication. Accessible affidavit involves little added than bartering the actual SSID, but

it’s the best accepted adjustment in use today. With shared-key authentication, the admission point

sends the applicant accessory a challenge-text packet that the applicant charge again encrypt with the correct

WEP key and acknowledgment to the admission point. After the actual key, affidavit will fail, and

the applicant won’t be accustomed to accessory with the admission point. But shared-key authentication

is still not advised defended because all an burglar has to do to get about this is ascertain both

the clear-text claiming and the aforementioned claiming encrypted with a WEP key and again analyze the

WEP key. Surprise—shared key isn’t acclimated in today’s WLANs because of the clear-text challenge.

With accessible authentication, alike if a applicant can complete affidavit and accessory with

an admission point, application WEP prevents the applicant from sending and accepting abstracts from the access

point unless the applicant has the actual WEP key. A WEP key is composed of either 40 or 128 bits

and, in its basal form, is usually statically authentic by the arrangement ambassador on the access

point and all audience that acquaint with that admission point. When changeless WEP keys are used,

a arrangement ambassador charge accomplish the time-consuming assignment of entering the aforementioned keys on

every accessory in the WLAN. Obviously, we now accept fixes for this because this would be

administratively absurd in today’s huge accumulated wireless networks!

Last, applicant MAC addresses can be statically typed into anniversary admission point, and any of them

that appearance up after that MAC abode in the clarify table would be denied access. That sounds

good, but of advance all MAC band advice charge be beatific in the clear—anyone equipped

with a chargeless wireless adenoids can aloof apprehend the applicant packets beatific to the admission point and spoof

their MAC address.

WEP can absolutely assignment if administered correctly. But basal changeless WEP keys are no longer

a applicable advantage in today’s accumulated networks after some of the proprietary fixes that run

on top of WEP. So, I’ll allocution about some of these now.

You can set some basal aegis for an AP by alteration the absence amount on

an AP (Cisco’s absence is tsunami) as able-bodied as configuring a new administrator

password on the AP.

ESS

ESS
Mobile wireless clients can roam around within the same network if you set all your access
points to the same SSID. Doing this creates an ESS. Figure 9.6 shows four APs configured with
the same SSID in an office thereby creating the ESS network.
For users to be able to roam throughout the wireless network—from AP to AP without losing
their connection to the network—all APs must overlap by at least 10 percent or more, and the
channels on each AP shouldn’t be set the same either. And remember, in an 802.11b/g network,
there are only three nonoverlapping channels (1, 6, 11), so design is really important here!

Wireless Security

Wireless Security
A good place to start is by discussing the standard basic security that was added to the original
802.11 standards and why those standards are way too flimsy and incomplete to enable you
to create a secure wireless network relevant to today’s challenges.

BSS/IBSS

A BSS involves alone a distinct admission point. You actualize a BSS by bringing up an AP and creating

a name for the SSID. Users can again affix to and use this SSID to admission the wireless network,

which provides connectivity to the active resources. Back the AP connects to a wired

network, it again becomes accepted as an

infrastructure basal account set

(IBSS). Keep in mind

that if you accept a BSS/IBSS, users won’t be able to advance arrangement connectivity back roaming

from AP to AP because anniversary AP is configured with a altered SSID name.

BSS wireless networks are additionally absolutely accessible if you appear to accept a brace hosts that need

to authorize wireless advice anon amid aloof them. You can additionally accomplish this happen

through article we call

ad hoc networking

, but if you accept an AP amid the hosts,

it’s aloof alleged a BSS.

Figure 9.5 shows a basal account set application one SSID

Service Sets

You can about actualize two types of wireless networks with active networks:

Basic account set (BSS)

Extended account set (ESS)

Both types of networks ascertain what we alarm a

service set ID

(SSID) that’s acclimated to advertise

your wireless arrangement so hosts can affix to the AP. And you can accept assorted SSIDs configured

on an admission point for aegis reasons. For example, you can baptize that one SSID

is accessible admission for a accessible hot spot, while addition SSID can use WEP or WPA2 for the employees

who assignment at this accessible hot spot. The SSID name is advertisement out the AP by absence so the

clients can acquisition the AP and affix to the wireless network, and of advance you can about-face this

feature off for aegis reasons.

5GHz (802.11a)

5GHz (802.11a)
The IEEE ratified the 802.11a standard in 1999, but the first 802.11a products didn’t begin
appearing on the market until late 2001—and, boy, were they pricey! The 802.11a standard
delivers a maximum data rate of 54Mbps with 12 nonoverlapping frequency channels.
Figure 9.4 shows the UNII bands.
FIGURE 9 . 4
The UNII 5GHz band has 12 nonoverlapping channels (in the United States).
1 2 3 4 5 6 7 8 9 10 11 12 13 14
2.483GHz
Channels
2.402GHz 22MHz
161
5.15
Lower band
5.15–5.25
indoor
Upper band
5.725–5.825
outdoor
Middle band
5.25–5.35
indoor and outdoor 5.825
Channel center
frequencies
5.180 5.200 5.220 5.240 5.260 5.280 5.300 5.320 5.745 5.765 5.785 5.805
Operating
channels
36 40 44 48 52 56 60 64 149 153 157

Operating in the 5GHz radio band, 802.11a is also immune to interference from devices
that operate in the 2.4GHz band, such as microwave ovens, cordless phones, and Bluetooth
devices. 802.11a isn’t backward compatible with 802.11b because they are different frequencies,
so you don’t get to just “upgrade” part of your network and expect everything to work
together in perfect harmony. But no worries—plenty of dual-radio devices will work in both
types of networks. A definite plus for 802.11a is that it can work in the same physical environment
without interference from 802.11b users.
Similar to the 802.11b radios, all 802.11a products also have the ability to data-rate shift
while moving. The 802.11a products allow the person operating at 54Mbps to shift to
48Mbps, 36Mbps, 24Mbps, 18Mbps, 12Mbps, and 9Mbps and finally still communicate farthest
from the AP at 6Mbps. Roaming capabilities are also supported as long as all access
points are configured with the same SSID.

2.4GHz (802.11g)

2.4GHz (802.11g)
The 802.11g standard was ratified in June 2003 and is backward compatible with 802.11b. The
802.11g standard delivers the same 54Mbps maximum data rate as 802.11a but runs in
the 2.4GHz range—the same as 802.11b.
Because 802.11b/g operates in the same 2.4GHz unlicensed band, migrating to 802.11g is
an affordable choice for organizations with existing 802.11b wireless infrastructures. Just
keep in mind that 802.11b products can’t be “software upgraded” to 802.11g. This limitation
is because 802.11g radios use a different chipset in order to deliver the higher data rate.
But still, much like Ethernet and Fast Ethernet, 802.11g products can be commingled with
802.11b products in the same network. Yet, for example, completely unlike Ethernet, if you
have four users running 802.11g cards and one user starts using an 802.11b card, everyone
connected to the same access point is then forced to run the 802.11b CSMA/CA method—an
ugly fact that really makes throughput suffer. So to optimize performance, it’s recommended
that you disable the 802.11b-only modes on all your access points.
To explain this further, 802.11b uses a modulation technique called
Direct Sequence
Spread Spectrum
(DSSS) that’s just not as robust as the Orthogonal Frequency DivisionMultiplexing
(OFDM) modulation used by both 802.11g and 802.11a. 802.11g clients using
OFDM enjoy much better performance at the same ranges as 802.11b clients do, but—and
remember this—when 802.11g clients are operating at the 802.11b rates (11Mbps, 5.5Mbps,
2Mbps, and 1Mbps), they’re actually using the same modulation 802.11b does.
Figure 9.3 shows the 14 different channels (each 22MHz wide) that the FCC released in the
2.4GHz range.
FIGURE 9 . 3
ISM 2.4GHz channels
In the United States, only 11 channels are configurable, with channels 1, 6, and 11 being
nonoverlapping. This allows you to have three access points in the same area without experiencing
interference.
Some potential issues with the 2.4GHz (802.11b/g) range include interference from microwave
ovens and cordless phones—even metal file cabinets if you’re in a small office! The type
of antenna and direction also matters, and if things aren’t all good with both, you can experience
slow performance and even network drops.

2.4GHz (802.11b)

2.4GHz (802.11b)
The 802.11b standard was at one time the most widely deployed wireless standard, and it
operates in the 2.4GHz unlicensed radio band that delivers a maximum data rate of 11Mbps.
The 802.11b standard has been widely adopted by both vendors and customers who found
that its 11Mbps data rate worked pretty well for most applications. But now that 802.11b has
a big brother (802.11g), no one goes out and buys an 802.11b card or access point anymore,
because why would you buy a 10Mbps Ethernet card when you can score a 10/100 Ethernet
card for the same price?
An interesting feature of all Cisco 802.11 WLAN products is that they have the ability to
data-rate shift while moving. This allows the person operating at 11Mbps to shift to 5.5Mbps
and to 2Mbps and finally still communicate farthest from the access point at 1Mbps. And
furthermore, this rate shifting happens without losing connection and with no interaction
from the user. Rate shifting also occurs on a transmission-by-transmission basis. This is
important because it means the access point can support multiple clients at varying speeds
depending upon the location of each client.
The problem with 802.11b lies in how the Data Link layer is dealt with. To solve problems
in the RF spectrum, a type of Ethernet collision detection was created called
Carrier
Sense
Multiple Access with Collision Avoidance
(CSMA/CA), as shown in Figure 9.2.
FIGURE 9 . 2
802.11b CSMA/CA
CSMA/CA is also called a Request to Send, Clear to Send (RTS/CTS) because of the way
that hosts must communicate to the access point (AP). For every packet sent, an RTS/CTS and
acknowledgment must be received, and because of this rather cumbersome process, it’s kind
of hard to believe it all actually works!

802.11 Committees and Subcommittees

802.11 Committees and Subcommittees
Committee Purpose
IEEE 802.11a 54Mbps, 5GHz standard
IEEE 802.11b Enhancements to 802.11 to support 5.5Mbps and 11Mbps
IEEE 802.11c Bridge operation procedures; included in the IEEE 802.1D standard
IEEE 802.11d International roaming extensions
IEEE 802.11e Quality of service
802.11 Committees and Subcommittees
(continued)
Committee Purpose
IEEE 802.11F Inter-Access Point Protocol
IEEE 802.11g 54Mbps, 2.4GHz standard (backward compatible with 802.11b)
IEEE 802.11h Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC)
at 5GHz
IEEE 802.11i Enhanced security
IEEE 802.11j Extensions for Japan and U.S. public safety
IEEE 802.11k Radio resource measurement enhancements
IEEE 802.11m Maintenance of the standard; odds and ends
IEEE 802.11n Higher throughput improvements using multiple input, multiple output
(MIMO) antennas
IEEE 802.11p Wireless Access for the Vehicular Environment (WAVE)
IEEE 802.11r Fast roaming
IEEE 802.11s Extended service set mesh networking
IEEE 802.11T Wireless Performance Prediction (WPP)
IEEE 802.11u Internetworking with non-802 networks (cellular, for example)
IEEE 802.11v Wireless network management
IEEE 802.11w Protected management frames
IEEE 802.11y 3650–3700 operation in the United States

The 802.11 Standards

The 802.11 Standards
Wireless networking has its own 802 standards group—remember, Ethernet’s committee is
802.3. Wireless starts with 802.11, and there are various other up-and-coming standards
groups as well, such as for 802.16 and 802.20. And there’s no doubt that cellular networks
will become huge players in our wireless future. But for now, I’ll concentrate on the 802.11
standards committee and subcommittees.
IEEE 802.11 was the first, original standardized WLAN at 1Mbps and 2Mbps. It runs in
the 2.4GHz radio frequency and was ratified in 1997 even though we didn’t see many products
pop up until around 1999 when 802.11b was introduced. All the committees listed in
Table 9.2 are amendments to the original 802.11 standard except for 802.11F and 802.11T,
which are both stand-alone documents.

Wireless Agencies and Standards Agency Purpose Website

Wireless Agencies and Standards
Agency Purpose Website
Institute of Electrical and Electronics
Engineers (IEEE)
Creates and maintains operational
standards
www.ieee.org
Federal Communications
Commission (FCC)
Regulates the use of wireless devices
in the United States
www.fcc.gov
European Telecommunications
Standards Institute (ETSI)
Produces common standards in
Europe
www.etsi.org
Wi-Fi Alliance Promotes and tests for WLAN interoperability
www.wi-fi.com
WLAN Association (WLANA) Educates and raises consumer awareness
regarding WLANs
Because WLANs transmit over radio frequencies, they’re regulated by the same types of
laws used to govern devices such as AM/FM radios. The Federal Communications Commission
(FCC) regulates the use of wireless LAN devices, and the Institute of Electrical and Electronics
Engineers (IEEE) takes it from there and creates standards based on what frequencies the FCC
releases for public use.
The FCC has released three unlicensed bands for public use: 900MHz, 2.4GHz, and 5.7GHz.
The 900MHz and 2.4GHz bands are referred to as the
Industrial, Scientific, and Medical
(ISM)
bands, and the 5GHz band is known as the
Unlicensed National Information Infrastructure
(UNII) band. Figure 9.1 shows where the unlicensed bands sit within the RF spectrum.
So it follows that if you opt to deploy wireless in a range outside of the three public bands
shown in Figure 9.1, you need to get a specific license from the FCC to do so. Once the FCC
opened the three frequency ranges for public use, many manufacturers were able to start offering
myriad products that flooded the market, with 802.11b/g being the most widely used wireless
network today.
The Wi-Fi Alliance grants certification for interoperability among 802.11 products offered
by various vendors. This certification provides a sort of comfort zone for users purchasing
many types of products, but in my experience, it’s just a whole lot easier if you buy all your
access points from the same manufacturer!
Unlicensed frequencies
In the current U.S. wireless LAN market, there are several accepted operational standards
and drafts created and maintained by the IEEE. I’ll cover these standards next and then talk
about how the most commonly used standards work.

Introducing Wireless Technology

Introducing Wireless Technology
Transmitting a signal using the typical 802.11 specifications works a lot like it does with a
basic Ethernet hub: they’re both two-way forms of communication, and they both use the
same frequency to both transmit and receive, often referred to as
half-duplex
(mentioned earlier).
WLANs use radio frequencies (RFs) that are radiated into the air from an antenna that
creates radio waves. These waves can be absorbed, refracted, or reflected by walls, water, and
metal surfaces, resulting in low signal strength. Because of this innate vulnerability to surrounding
environmental factors, it’s pretty apparent that wireless will never offer us the same
robustness as wired networks can, but that still doesn’t mean we’re not going to run wireless.
Believe me, we definitely will!
We can increase the transmitting power and gain a greater transmitting distance, but doing
so can create some nasty distortion, so it has to be done carefully. By using higher frequencies,
we can attain higher data rates, but this is, unfortunately, at the cost of decreased transmitting
distances. And if we use lower frequencies, we get to transmit greater distances but at lower
data rates. This should make it pretty clear to you that understanding all the various types of
WLANs you can implement is imperative to creating the LAN solution that best meets the specific
requirements of your unique situation.
Also important to note is that the 802.11 specifications were developed so that there would
be no licensing required in most countries—to give the user the freedom to install and operate
without any licensing or operating fees. This means any manufacturer can create products and
sell them at a local computer store or wherever. It also means that all our computers should
be able to communicate wirelessly without configuring much, if anything at all.
Various agencies have been around for a long time to help govern the use of wireless devices,
frequencies, standards, and how the frequency spectrums are used. Table 9.1 shows the current
agencies that help create, maintain, and even enforce wireless standards worldwide.

Cisco’s Wireless Technologies

Cisco’s Wireless
Technologies

If you appetite to accept the basal wireless LANs (WLANs)

that are best frequently acclimated today, aloof anticipate 10BaseT Ethernet

with hubs. What this agency is that WLANs about run

half-duplex communication—everyone is administration the aforementioned bandwidth, and alone one user is

communicating at a time. This isn’t necessarily bad; it’s aloof not acceptable enough. Because most

people await aloft wireless networks today, it’s analytical that they advance faster than greased

lightening to accumulate up with our rapidly ascent needs. The acceptable account is that this is actually

happening—Cisco has reacted by advancing up with an acknowledgment alleged the

Cisco Unified Wireless

Solution

that works with all types of wireless connections. And it works deeply too!

In this chapter, I will awning basal wireless LAN technologies and committees, as able-bodied as

wireless security. For the accepted CCNA objectives, there are actual few commands you must

remember, so I’ll absolutely awning added technology—wireless technology you charge know—than

I will commands in this chapter.

Configuring NAT Using SDM

Configuring NAT Application SDM

Configuring NAT application the SDM is absolutely abundant easier than anyone would think—let’s booty a

look a the simple wizards Cisco created aural the SDM:

If you accept not been alien to SDM, amuse jump avant-garde to Chapter 12,

and again arch aback actuality to apprehend this section.

Basic NAT Astrologer Use this astrologer if you accept some basal PCs/hosts on your trusted network

that charge admission to the Internet. This astrologer will adviser you through the action of creating a

basic NAT configuration.

Advanced NAT Astrologer If you accept a DMZ, or servers on your central arrangement that users from

the alfresco charge to access, you absolutely appetite to opt for the avant-garde NAT configuration.

The aboriginal awning is the Actualize NAT Agreement screen.

From here, I’ll artlessly affix and actualize a basal NAT. After that, I bang Launch the Selected

Task and go to the abutting screen, which tells me what the Basal NAT Astrologer is activity to do.

As you ability guess, it rocks—all I accept to do is to bang Abutting to get to a awning from which

I’m able to baddest all my central and alfresco addresses.

After allotment my central and alfresco interfaces, I bang Next. A NAT basin is created, and

all my interfaces are assigned central or alfresco configurations, aloof like that!

Finally, I bang Finish. Let’s see what accomplishing that did to my router. Actuality are the interfaces it

configured:

interface FastEthernet0/0

ip abode 1.1.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

interface FastEthernet0/1

description Connection to 1242 AP

ip abode 10.1.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

[output cut]

interface Serial0/2/0

description Connection to R3$FW_OUTSIDE$

ip abode 64.1.1.5 255.255.255.252

ip access-group 103 in

ip verify unicast reverse-path

ip nat outside

ip audit SDM_LOW out

ip virtual-reassembly

clock amount 2000000

[output cut]

Here is the ip nat central antecedent account it created:

ip nat central antecedent account 2 interface Serial0/2/0 overload

[output cut]

And last, actuality is the admission account created for anniversary interface I chose as in central network:

access-list 2 acknowledgment SDM_ACL Category=2

access-list 2 admittance 1.1.1.0 0.0.0.255

access-list 2 admittance 10.1.4.0 0.0.0.255

access-list 2 admittance 10.1.1.0 0.0.0.255

access-list 2 admittance 10.1.2.0 0.0.0.255

access-list 2 admittance 10.1.3.0 0.0.0.255

I apperceive I’ve said this over and over in the book, but SDM absolutely is an abundantly advantageous tool

for creating avant-garde configurations such as ACLs, VPNs, and NAT. This is one affair I think

I’ve nailed bottomward for you, and the aftermost two capacity accept absolutely accurate that!

Simple Verification of NAT

Simple Verification of NAT
Table 8.6 is a list of commands you can use to verify NAT on your router:
Once you have configured the type of NAT you are going to use, typically Overload (PAT),
you need to be able to verify the configuration.
To see basic IP address translation information, use the following command:
Router#
show ip nat translation
TABLE 8 . 6
NAT Verification Commands
Command Meaning
show ip nat translation
Shows the basic translation table. This is probably one of the
most important NAT command for verification.
debug ip nat Shows the sending address, the translation, and the destination
address on each debug line.
show ip nat statistics Shows a summary of your configuration, your active translations,
and the inside and outside interfaces that are being used.
When looking at the IP NAT translations, you may see many translations from the same
host to the same host at the destination. This is typical of many connections to the Web. Here
is an example:
Router#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
icmp 64.1.1.5:271 10.1.9.2:271 64.1.1.10:271 64.1.1.10:271
tcp 64.1.1.5:11000 10.1.9.2:11000 64.1.1.10:23 64.1.1.10:23
Corp#
In addition, you can verify your NAT configuration with the debug ip nat command.
This output will show the sending address, the translation, and the destination address on each
debug line:
Router#debug ip nat
*May 9 22:57:47.679: NAT*: TCP s=11000->1024, d=23
*May 9 22:57:47.679: NAT*: s=10.1.6.2->64.1.1.5, d=64.1.1.10 [0]
*May 9 22:57:47.683: NAT*: TCP s=23, d=1024->11000
*May 9 22:57:47.683: NAT*: s=64.1.1.10, d=64.1.1.5->10.1.6.2 [0]
*May 9 22:57:47.699: NAT*: TCP s=11000->1024, d=23
*May 9 22:57:47.699: NAT*: s=10.1.6.2->64.1.1.5, d=64.1.1.10 [1]
*May 9 22:57:47.703: NAT*: TCP s=23, d=1024->11000
*May 9 22:57:47.703: NAT*: s=64.1.1.10, d=64.1.1.5->10.1.6.2 [1]
*May 9 22:57:47.707: NAT*: TCP s=11000->1024, d=23
*May 9 22:57:47.707: NAT*: s=10.1.6.2->64.1.1.5, d=64.1.1.10 [2]
*May 9 22:57:47.711: NAT*: TCP s=11000->1024, d=23
*May 9 22:57:47.711: NAT*: s=10.1.6.2->64.1.1.5, d=64.1.1.10 [3]
*May 9 22:57:47.719: NAT*: TCP s=23, d=1024->11000
*May 9 22:57:47.719: NAT*: s=64.1.1.10, d=64.1.1.5->10.1.6.2 [2]
*May 9 22:57:47.723: NAT*: TCP s=23, d=1024->11000
*May 9 22:57:47.723: NAT*: s=64.1.1.10, d=64.1.1.5->10.1.6.2 [3]
*May 9 22:57:47.723: NAT*: TCP s=11000->1024, d=23
*May 9 22:57:47.723: NAT*: s=10.1.6.2->64.1.1.5, d=64.1.1.10 [4]
*May 9 22:57:47.731: NAT*: TCP s=11000->1024, d=23
*May 9 22:57:47.731: NAT*: s=10.1.6.2->64.1.1.5, d=64.1.1.10 [5]
*May 9 22:57:47.735: NAT*: TCP s=23, d=1024->11000
*May 9 22:57:47.735: NAT*: s=64.1.1.10, d=64.1.1.5->10.1.6.2 [4]
*May 9 22:57:47.735: NAT*: TCP s=11000->1024, d=23
*May 9 22:57:47.735: NAT*: s=10.1.6.2->64.1.1.5, d=64.1.1.10 [6]
*May 9 22:57:47.747: NAT*: TCP s=11000->1024, d=23
*May 9 22:57:47.747: NAT*: s=10.1.6.2->64.1.1.5, d=64.1.1.10 [7]
*May 9 22:57:47.951: NAT*: TCP s=11000->1024, d=23
*May 9 22:57:47.951: NAT*: s=10.1.6.2->64.1.1.5, d=64.1.1.10 [8]
*May 9 22:57:48.103: NAT*: TCP s=23, d=1024->11000
*May 9 22:57:48.103: NAT*: s=64.1.1.10, d=64.1.1.5->10.1.6.2 [5]
Corp#
Now, let’s use the command show ip nat statistics on the router:
Corp#sh ip nat stat
Total active translations: 2 (0 static, 2 dynamic; 2 extended)
Outside interfaces:
Serial0/2/0
Inside interfaces:
FastEthernet0/1, Serial0/0/0, Serial0/0/1, Serial0/1/0
Hits: 269 Misses: 13
CEF Translated packets: 227, CEF Punted packets: 0
Expired translations: 27
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 pool Todd refcount 2
pool Todd: netmask 255.255.255.252
start 64.1.1.5 end 64.1.1.5
type generic, total addresses 1, allocated 1 (100%), misses 0
Queued Packets: 0
Corp#
What you can see here is a summary of the configuration, the two active translations, and the
inside and outside interfaces that are being used. The pool is listed right there toward the bottom
of the output. And it all looks good, so it’s time to move on to configuring NAT using SDM.

PAT (Overloading) Configuration

PAT (Overloading) Configuration
As you’ll see in Table 8.5, the commands used for PAT are similar to what we used for
dynamic NAT:
This example shows how to configure inside global address overloading. This is the typical
NAT you would use today. It is rare you would use static or dynamic NAT unless you were
statically mapping an internal server, for example.
Here is a sample output of a PAT configuration:
ip nat pool globalnet 170.168.2.1 170.168.2.1
netmask 255.255.255.0
TABLE 8 . 5
PAT Commands
Command Meaning
ip nat pool
pool_name starting_ address
ending_address
mask
Creates a pool of inside global addresses for
the inside local hosts to use
ip nat inside source list
list_number
pool
pool_name
overload
Sets the inside local hosts that match the
access-list number to use the pool of
addresses configured by the
ip nat pool
command. The Overload command configures
PAT.
ip nat inside
Sets the inside local interface
ip nat ouside
Sets the inside global interface
access-list
list_number
permit network
inverse_mask
Creates an access list that permits the inside
local hosts to use the global pool of
addresses
ip nat inside source list 1 pool globalnet overload
!
interface Ethernet0/0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0/0
ip address 170.168.2.1 255.255.255.0
ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255
The nice feature of PAT is that the only differences between this configuration and the
previous dynamic NAT configuration is that the pool of addresses has shrunk to only one
IP address and at the end of the
ip nat inside source
command I included the
overload
command.
Notice in the example that the one IP address that is in the pool for you to use is the IP
address of the outside interface. This is perfect if you are configuring NAT Overload for yourself
at home or for a small office that has only one IP from your ISP. You could, however, use
an additional address such as 170.168.2.2 if you had the address available to you. This could
be helpful in a large implementation where you may have so many internal users that you need
more than one overloaded IP address on the outside.

Network Abode Translation (NAT) Dynamic NAT Configuration

Network Abode Translation (NAT)

Dynamic NAT Configuration

Table 8.4 lists the commands you’ll charge to actualize activating NAT:

Dynamic NAT agency we accept a basin of addresses that we will use to accommodate absolute IP

addresses to a accumulation of users on the inside. We do not use anchorage numbers, so we charge to have

real IP addresses for every user aggravating to get alfresco the bounded network.

Here is a sample achievement of a activating NAT configuration:

ip nat basin todd 170.168.2.2 170.168.2.254

netmask 255.255.255.0

ip nat central antecedent account 1 basin todd

interface Ethernet0

ip abode 10.1.1.10 255.255.255.0

ip nat inside

interface Serial0

ip abode 170.168.2.1 255.255.255.0

ip nat outside

access-list 1 admittance 10.1.1.0 0.0.0.255

TABLE 8 . 4

Dynamic NAT Commands

Command Meaning

ip nat pool

pool_name starting_ address

ending_address mask

Creates a basin of central all-around addresses for

the central bounded hosts to use

ip nat central antecedent list

list_number

pool

pool_name

Sets the central bounded hosts that bout the

access-list cardinal to use the basin of

addresses configured by the

ip nat pool

command

ip nat inside

Sets the central bounded interface

ip nat ouside

Sets the central all-around interface

access-list

list_number

permit

network

inverse_mask

Creates an admission account that permits the inside

local hosts to use the all-around basin of addresses

The
ip nat inside source list 1 pool todd
command tells the router to translate
IP addresses that match
access-list 1
to an address found in the IP NAT pool named
todd
.
The access list in this case is not being used to permit or deny traffic as we would use it for security
reasons to filter traffic. It is being used in this case to select or designate what we often call
“interesting” traffic. When interesting traffic has been matched with the access list, it is pulled
into the NAT process to be translated. This is a common use for access lists; they don’t always
have the dull job of just blocking traffic at an interface.
The
ip nat pool todd 170.168.2.2 192.168.2.254
command creates a pool of
addresses that will be distributed to those hosts that require NAT.

Static NAT Configuration

Static NAT Configuration
OK, let’s start looking at some actual commands (see Table 8.3) used with NAT:
Let’s take a look at a simple basic static NAT configuration:
ip nat inside source static 10.1.1.1 170.46.2.2
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0
ip address 170.46.2.1 255.255.255.0
ip nat outside
!
In the preceding router output, the
ip nat inside source
command identifies which IP
addresses will be translated. In this configuration example, the ip nat inside source
command
configures a static
translation between the inside local IP address 10.1.1.1 to the outside global
IP address 170.46.2.2.
If you look further down in the configuration, you can see an
ip nat
command under each
interface. The
ip nat inside
command identifies that interface as the inside interface. The
ip nat outside
command identifies that interface as the outside interface. When you look
back at the ip nat inside source command, you see that the command is referencing the inside
interface as the source or starting point of the translation. The command could also be used
like this—ip nat outside source—which is referencing the interface you designated as the outside
interface to be the source or starting point for the translation.
TABLE 8 . 3
Basic NAT Commands
Command Meaning
ip nat inside source static
inside_local inside_global
Statically maps a host with a private IP address to a
global Internet address
ip nat inside
Sets the interface as an inside interface
ip nat outside
Sets the interface as an outside interface

NAT Names

NAT Names
The names we use to describe the addresses used with NAT are pretty simple. Addresses used
after NAT translations are called
global
addresses. These are usually the public addresses
used on the Internet, but remember, you don’t need public addresses if you aren’t going on the
Internet.
Local
addresses are the ones we use before NAT translation. So, the inside local address is
actually the private address of the sending host that’s trying to get to the Internet, while the
outside local address is the address of the destination host. The latter is usually a public
address (web address, mail server, and so on) and is how the packet begins its journey.
After translation, the inside local address is then called the
inside global address
, and the
outside global address becomes the name of the destination host. Check out Table 8.2, which
lists all this terminology, for a clear picture of the various names used with NAT.
TABLE 8 . 2
NAT Terms
Names Meaning
Inside local Name of inside source address before translation
Outside local Name of destination host before translation
Inside global Name of inside host after translation
Outside global Name of outside destination host after translation

Types of Network Address Translation-Dynamic NAT-Overloading

Types of Network Address Translation
In this section, I’ll go over the three types of NAT with you:
Static NAT
This type of NAT is designed to allow one-to-one mapping between local and
global addresses. Keep in mind that the static version requires you to have one real Internet IP
address for every host on your network.

Dynamic NAT
This version gives you the ability to map an unregistered IP address to a registered
IP address from out of a pool of registered IP addresses. You don’t have to statically
configure your router to map an inside to an outside address as you would using static NAT,
but you do need to have enough real, bona fide IP addresses for everyone who is going to be
sending packets to and receiving them from the Internet.
Overloading
This is the most popular type of NAT configuration. Understand that overloading
really is a form of dynamic NAT that maps multiple unregistered IP addresses to a single
registered IP address—many-to-one—by using different ports. Now, why is this so special? Well,
it’s also known as Port Address Translation (PAT). And by using PAT (NAT Overload), you get
to have thousands of users connect to the Internet using only one real global IP address—pretty
slick, yeah? Seriously, NAT Overload is the real reason we haven’t run out of valid IP address
on the Internet. Really, I’m not joking.

When Do We Use NAT?

When Do We Use NAT?
Similar to Classless Inter-Domain Routing (CIDR), the original intention for NAT was to slow
the depletion of available IP address space by allowing many private IP addresses to be represented
by some smaller number of public IP addresses.
Since then, it has been discovered that NAT is also a useful tool for network migrations and
mergers, server load sharing, and virtual server creation. So in this chapter, I’ll describe the
basics of NAT functionality and the terminology common to NAT.
At times, NAT really decreases the overwhelming amount of public IP addresses required
in your networking environment. And NAT really comes in handy when two companies that
have duplicate internal addressing schemes merge. NAT is also great to have around when an
organization changes its Internet service provider (ISP) and the networking manager doesn’t
want the hassle of changing the internal address scheme.
Here are some situations when it’s best to have NAT on your side:

You need to connect to the Internet, and your hosts don’t have globally unique IP
addresses.

You change to a new ISP that requires you to renumber your network.

You need to merge two intranets with duplicate addresses.
You typically use NAT on a border router. For an illustration of this, see Figure 8.1.

Now you may be thinking, “NAT’s totally cool. It’s the grooviest, greatest network gadget,
and I just gotta have it.” Well, hang on a minute. There are truly some serious snags related
to NAT use. Oh, don’t get me wrong—it really can save you sometimes, but it has a dark side
you need to know about, too. For some of the pros and cons linked to using NAT, check out
Table 8.1.

Advantages and Disadvantages of Implementing NAT Advantages Disadvantages

Advantages and Disadvantages of Implementing NAT

Advantages Disadvantages

Conserves accurately registered addresses. Translation introduces switching aisle delays.

Reduces abode overlap occurrence. Loss of end-to-end IP traceability.

Increases adaptability back abutting to

Internet.

Certain applications will not action with

NAT enabled.

Eliminates abode renumbering as network

changes.

Network Address Translation (NAT)

Network Address
Translation (NAT)

In this chapter, I’ll give you the skinny on Network Address
Translation (NAT); Dynamic NAT; and Port Address Translation
(PAT), which is also known as NAT Overload. Of course,
I’ll demonstrate NAT, and then I’ll finish this chapter by using SDM so you can see how you
can configure NAT the easy way.
It will be helpful for you to read Chapter 7 before reading this chapter since you need to use
access lists in your NAT configurations.

Access Account Verification Commands Command Meaning

Access Account Verification Commands

Command Meaning

show access-list Displays all admission lists and their ambit configured on the

router. This command does not appearance you which interface the

list is set on.

show access-list 110 Shows alone the ambit for the admission account 110. This command

does not appearance you the interface the account is set on.

show ip access-list Shows alone the IP admission lists configured on the router.

show ip interface Shows which interfaces accept admission lists set.

show running-config Shows the admission lists and which interfaces accept admission lists set.

show mac access-group Displays MAC admission lists activated to all layer-2 interfaces or the

specified layer-2 interface (used on layer-2 switches only).

Monitoring Access Lists

Monitoring Access Lists
Again, it’s always good to be able to verify a router’s configuration. Table 7.12 lists the
commands you can use:
You’ve already seen how to use the show running-config command to verify that a
named access list was in the router as well as a MAC access list on a layer-2 switch. So now
I’ll show the output from some of the other commands.
The show access-list command will list all access lists on the router, whether they’re
applied to an interface:
Lab_A#show access-list
Standard IP access list 10
deny 172.16.40.0, wildcard bits 0.0.0.255
permit any
Standard IP access list BlockSales
deny 172.16.40.0, wildcard bits 0.0.0.255
permit any
Extended IP access list 110
deny tcp any host 172.16.30.5 eq ftp
deny tcp any host 172.16.30.5 eq telnet
permit ip any any
Lab_A#
First, notice that both access list 10 and the named access list appear on this list. Second,
notice that even though I entered actual numbers for TCP ports in access list 110, the show
command gives you the protocol names rather than TCP ports for readability (hey, not everyone
has them all memorized!).
Here’s the output of the show ip interface command:
Lab_A#show ip interface e1
Ethernet1 is up, line protocol is up
Internet address is 172.16.30.1/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is BlockSales
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP fast switching on the same interface is disabled
IP Null turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
Web Cache Redirect is disabled
BGP Policy Mapping is disabled
Lab_A#
Be sure to notice the bold line indicating that the outgoing list on this interface is Block-
Sales, but the inbound access list isn’t set.
As I’ve already mentioned, you can use the show running-config command to see all
access lists. However, on a layer-2 switch, you can verify your interface configurations with
the show mac access-group command:
S1#sh mac access-group
Interface FastEthernet0/1:
Inbound access-list is not set
Outbound access-list is not set
Interface FastEthernet0/2:
Inbound access-list is not set
Outbound access-list is not set
S1#
Depending on how many interfaces you set your MAC access lists on, you can use the interface
command to view individual interfaces:
S1#sh mac access-group interface f0/6
Interface FastEthernet0/6:
Inbound access-list is Todd_MAC_List
Outbound access-list is not set

Switch Anchorage ACLs

You can administer anchorage ACLs to alone layer-2 interfaces on your switches. Why? They’re supported

only on concrete interfaces, that’s why. Another acceptable affair to accumulate in apperception is that you can

apply them alone as entering lists on your interfaces as well.

Port ACLs ascendancy IP cartage via IP admission lists. Any non-IP cartage is filtered through the use

of MAC addresses. And alike admitting you can administer both types of clarify to a distinct interface,

you get to administer alone one of each. If you try a put an added ACL of either blazon on an interface

that already has them in place, the new one will override the one you had there before.

So, it’s a acceptable abstraction to be accurate here—look afore you leap.

Let’s analysis out the admission account in Table 7.8 that we can use on a about-face port:

Table 7.9 lists the options:

Here’s an archetype of this command:

S1#config t

S1(config)#mac access-list ?

extended Continued Admission List

S1(config)#mac access-list continued ?

WORD access-list name

S1(config)#mac access-list continued Todd_MAC_List

S1(config-ext-macl)#deny ?

TABLE 7 . 8 About-face Admission Account Commands

Command Meaning

mac access-list Configures a MAC access-list statement

mac access-group Places a MAC admission account on a device’s concrete interface

Timed Access List Options Option Meaning

Timed Access List Options
Option Meaning

Periodic Specifies how the time range will act or be created, allowing
specific time values to be set
hh:mm Specifies time values for when the range will start and stop on
specific days

Here is an example of the time-based ACL’s:
Corp#config t
Corp(config)#time-range no-http
Corp(config-time-range)#periodic we?
Wednesday weekdays weekend
Corp(config-time-range)#periodic weekend ?
hh:mm Starting time
Corp(config-time-range)#periodic weekend 06:00 to 12:00
Corp(config-time-range)#exit
Corp(config)#time-range tcp-yes
Corp(config-time-range)#periodic weekend 06:00 to 12:00
Corp(config-time-range)#exit
Corp(config)#ip access-list extended Time
Corp(config-ext-nacl)#deny tcp any any eq www time-range no-http
Corp(config-ext-nacl)#permit tcp any any time-range tcp-yes
Corp(config-ext-nacl)#interface f0/0
Corp(config-if)#ip access-group Time in
Corp(config-if)#do show time-range
time-range entry: no-http (inactive)
periodic weekdays 8:00 to 15:00
used in: IP ACL entry
time-range entry: tcp-yes (inactive)
periodic weekend 8:00 to 13:00
used in: IP ACL entry
Corp(config-if)#
The time-range command is pretty flexible and will drive users crazy if you deny them
access to basic network access or the Internet during off-hours. Be careful with the previous
commands; make sure you test your list on a nonproduction network before you implement
the lists on your production network.

Time-Based ACLs

Time-Based ACLs
Time-based ACLs work a lot like extended ACLs do, but their type of access control is totally
time-oriented. Basically, you specify a certain time of day and week and then identify that particular
period by giving it a name referenced by a task. So, by necessity, the reference function
will fall under whatever time constraints you’ve dictated. The time period is based upon the
router’s clock, but I highly recommend using it in conjunction with Network Time Protocol
(NTP) synchronization.
Here’s an example of the command in Table 7.10:
and the options (see Table 7.11):
TABLE 7 . 1 0 Timed Access List Commands
Command Meaning
time-range Configures a time range value to be added to an access list as
an option to control traffic and access by time
TABLE 7 . 1 1 Timed Access List Options
Option Meaning
Identifies the time range by name for use in an access-list statement

Switch Access List Options Option Meaning

Switch Access List Options
Option Meaning
name Identifies an access list by name. Also allows the creation and
separation of multiple access lists.
permit or deny Specifies the effect of the access-list statement as allowing or
blocking the traffic specified.
h.h.h mac address Specifies the device by MAC address that will be acted upon in
the access-list statement.
Host Specifies a single specific host for the statement
Any Specifies that regardless of the host or device IP, it will match
the statement.
Here’s an example of this command:
S1#config t
S1(config)#mac access-list ?
extended Extended Access List
S1(config)#mac access-list extended ?
WORD access-list name
S1(config)#mac access-list extended Todd_MAC_List
S1(config-ext-macl)#deny ?
H.H.H 48-bit source MAC address
any any source MAC address
host A single source host
S1(config-ext-macl)#deny any ?
H.H.H 48-bit destination MAC address
any any destination MAC address
host A single destination host
S1(config-ext-macl)#deny any host ?
H.H.H 48-bit destination MAC address
S1(config-ext-macl)#deny any host 000d.29bd.4b85
S1(config-ext-macl)#permit ?
H.H.H 48-bit source MAC address
any any source MAC address
host A single source host
S1(config-ext-macl)#permit any any
S1(config-ext-macl)#do show access-list
Extended MAC access list Todd_MAC_List
deny any host 000d.29bd.4b85
permit any any
S1(config-ext-macl)#
You can see that you can create only an extended named access list. You have no other
options. And don’t forget to add the permit any any at the end!
Here is how you would apply the list to a switch port:
S1(config-ext-macl)#int f0/6
S1(config-if)#mac access-group Todd_MAC_List in
This is pretty much the same as it is with an IP list, except you start with the command mac.
Although it’s true there are special circumstances where you would deny based on MAC
address, there is another option, and I think it’s usually the better one: just deny access based
on the ether-type field in the Ethernet frame header instead. Take a look:
S1(config-ext-macl)#deny any any ?
<0-65535> An arbitrary EtherType in decimal, hex, or octal
aarp EtherType: AppleTalk ARP
amber EtherType: DEC-Amber
appletalk EtherType: AppleTalk/EtherTalk
cos CoS value
dec-spanning EtherType: DEC-Spanning-Tree
decnet-iv EtherType: DECnet Phase IV
diagnostic EtherType: DEC-Diagnostic
dsm EtherType: DEC-DSM
etype-6000 EtherType: 0x6000
etype-8042 EtherType: 0x8042
lat EtherType: DEC-LAT
lavc-sca EtherType: DEC-LAVC-SCA
lsap LSAP value
mop-console EtherType: DEC-MOP Remote Console
mop-dump EtherType: DEC-MOP Dump
msdos EtherType: DEC-MSDOS
mumps EtherType: DEC-MUMPS
netbios EtherType: DEC-NETBIOS
vines-echo EtherType: VINES Echo
vines-ip EtherType: VINES IP
xns-idp EtherType: XNS IDP