
Network+ Preparation Series: NAT, PAT and ACL

Almost every router on the market today can block packets based on their port number or IP address, but these are basic measures meant to safeguard an internal network. What if you need to limit the amount of bandwidth used by certain devices or applications? In such circumstances, quality of service (QoS) policies are required to prioritise traffic according to predetermined rules. These rules determine how much bandwidth a protocol, a computer, a user, a VLAN, or an IP address may use.

QoS may be implemented on many modern routers and switches through bandwidth management techniques such as traffic shaping, which lets you regulate the flow of packets into and out of the network based on the kind of packet or other constraints.

Traffic shaping is critical when you need to guarantee a device or application a set amount of bandwidth and/or a bounded delay, as with VoIP or video. It is particularly common in places like schools, where IT staff need to manage user activity, for example by limiting HTTP consumption or blocking specific harmful apps such as peer-to-peer file sharing.

When discussing quality of service, we must consider the notion of differentiated services (DiffServ). DiffServ is the underlying architecture that allows all of the QoS functionality to work. Two fields carried in every IP header are the cornerstones of DiffServ: ECN and DSCP. DSCP stands for differentiated services code point, while ECN stands for explicit congestion notification. Together these two make up the differentiated services (DS) field.

QoS-aware devices may send a “congestion encountered” signal to other QoS-aware devices using the ECN field, which is two bits wide. The field can hold the following four values:

00 Not QoS aware (default)
01 QoS aware, no congestion
10 QoS aware, no congestion
11 QoS aware, congestion encountered

The remaining six bits are the DSCP field, which gives a total of eight service classifications. A class of service (CoS) is just a value that you may apply to services, ports, or whatever your QoS device uses to group traffic (think of it as a group).
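As an added example (not code from the original post), here is a small Python parser that splits the DS byte of an IPv4 header into its DSCP and ECN parts and labels the ECN bits with the four values from the table above; the header builder, the DSCP value 46 and the sample addresses are constructed here for illustration.

```python
import socket
import struct

# ECN code point labels as given in the table above (constructed lookup for this example).
ECN_LABELS = {
    0b00: "Not QoS aware (default)",
    0b01: "QoS aware, no congestion",
    0b10: "QoS aware, no congestion",
    0b11: "QoS aware, congestion encountered",
}


def build_ipv4_header(dscp: int, ecn: int, src: str, dst: str) -> bytes:
    """Constructed 20-byte IPv4 header (no options, checksum left 0) carrying the given DS bits."""
    if not 0 <= dscp < 64 or not 0 <= ecn < 4:
        raise ValueError("DSCP is 6 bits and ECN is 2 bits")
    ds_byte = (dscp << 2) | ecn          # DSCP occupies the high 6 bits, ECN the low 2
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                            # version 4, IHL 5 (20 bytes)
        ds_byte,
        20, 0, 0,                        # total length, identification, flags/fragment offset
        64, 17, 0,                       # TTL, protocol (UDP), header checksum (not computed here)
        socket.inet_aton(src), socket.inet_aton(dst),
    )


def parse_ds_field(ipv4_header: bytes) -> dict:
    """Split the DS byte (second byte of the IPv4 header) into DSCP and ECN and label the ECN value."""
    if len(ipv4_header) < 20:
        raise ValueError("IPv4 header must be at least 20 bytes")
    if ipv4_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ds_byte = ipv4_header[1]
    dscp = ds_byte >> 2
    ecn = ds_byte & 0b11
    return {
        "dscp": dscp,
        "class_selector": dscp >> 3,     # top 3 bits of DSCP select one of the eight classes
        "ecn": ecn,
        "ecn_meaning": ECN_LABELS[ecn],
    }


if __name__ == "__main__":
    # DSCP 46 (EF, commonly used for VoIP) with ECN 11 set by a congested hop
    header = build_ipv4_header(46, 0b11, "192.168.1.10", "208.190.121.12")
    print(parse_ds_field(header))
```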

NAT/PAT

Many parts of the globe have already run out of IPv4 addresses, and the end is near for the rest of the world.

For many years, NAT (Network Address Translation) has prolonged the usable life of IPv4 addressing on the Internet. Because NAT is so popular and widely used, understanding how it works is crucial. It’s worth noting that many routers have NAT as a function in addition to routing. NAT is a different technique from routing.

Here’s what’s going on. You have a LAN with five machines that need an Internet connection. With traditional TCP/IP and routing, several things must happen. First, you must get a block of legitimate, unique, and expensive public IP addresses from an Internet service provider (ISP). You might acquire a network ID from an ISP, such as 1.2.3.136/29. Second, you assign an IP address to each machine as well as to the router’s LAN connection. Third, you give the local router’s WAN connection the ISP’s router’s IP address, such as 1.2.4.1. Once everything has been set up, all clients on the network share the same default gateway (1.2.3.137).

For the first 20 years or so, this network design mirrored how computers in LANs throughout the globe connected to the Internet, but the core problem of a limited supply of IP addresses grew as more computers joined.

Of course, today’s internal networks do not give every machine its own public address. Instead, the hosts inside the network use a block of private IP addresses, and they share a single public IP address to connect to the Internet.

Port Address Translation (PAT), the most prevalent kind of NAT and the one that handles this one-to-many connection, uses port numbers to map traffic from particular computers in the network. To make the process clear, let’s take a basic example. Bob has a network at his workplace that uses the 192.168.1.0/24 private IP addressing space. A single NAT router with the global IP address 208.190.121.12/24 connects all of the machines in the private network to the Internet.

An IP address and a port number are combined to form a socket.

When the packet is returned, the receiving system swaps the source and destination IP addresses (at Layer 3) and ports (at Layer 4). The router compares the incoming packet’s destination port and source IP address against the entries in the NAT translation table to determine which internal IP address (and possibly port) to translate back to. The packet is then sent to the relevant machine on the network.

This mapping of an internal IP address and port number to a translated IP address and port number allows packets to be traced accurately, both outbound and inbound. Because the TCP/IP port number space is large, with values ranging from 1 to 65535, PAT can serve many internal machines with a single public IP address. Some of those port numbers are used by standard protocols, but tens of thousands remain for NAT to use.

It’s a no-brainer to set up NAT on residential routers since they almost always have it switched on by default.

The router’s default setting is Gateway, which is Linksys jargon meaning “NAT is enabled.”

The obvious disadvantage of relying only on NAT for network address translation is that it only works for outgoing traffic, not for incoming traffic. Other techniques are required for traffic coming from outside the network to reach an internal computer, such as a Web server located inside your network.

Port forwarding lets you define a particular local address for different network services. Computers outside the network request a service using the router’s public IP address and the port number of the requested service. The port-forwarding router inspects the packet, checks its list of services mapped to local addresses, and forwards the packet to the appropriate internal computer.

By changing the default port number for a service hosted inside your network, you can use port forwarding to conceal it. For example, to hide an internal Web server, you might change the request port number to something other than port 80, the default for HTTP traffic.

To reach that internal Web site from outside your local network, you would have to add the port number to the URL you enter in the Web browser.

When using a nondefault port number, most browsers require you to type in the whole URL, including HTTP://.
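To tie the PAT walkthrough and the port-forwarding discussion together, here is an added Python model (not code from the original post) of a router that shares Bob’s public address 208.190.121.12 among 192.168.1.0/24 hosts, reverses the translation for replies by checking the destination port and source IP against its table, drops unsolicited inbound traffic, and honours a static port forward to an internal Web server; the internal hosts, outside addresses (documentation ranges) and the starting translated port 49152 are constructed for this example.

```python
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    """Minimal PAT model: one public IP shared by the private LAN, plus static port forwards."""

    def __init__(self, public_ip: str, first_port: int = 49152):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)   # translated ports handed out in order
        self.table = {}     # public_port -> (internal_ip, internal_port, remote_ip)
        self.reverse = {}   # (internal_ip, internal_port, remote_ip) -> public_port
        self.forwards = {}  # static port forwards: public_port -> (internal_ip, internal_port)

    def add_forward(self, public_port: int, internal_ip: str, internal_port: int) -> None:
        self.forwards[public_port] = (internal_ip, internal_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: source becomes public_ip:<translated port>; the mapping is recorded."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip)
        if key not in self.reverse:
            port = next(self._ports)
            self.reverse[key] = port
            self.table[port] = key
        return Packet(self.public_ip, self.reverse[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Outside -> inside: reverse the mapping, or use a static forward; None means dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get(pkt.dst_port)
        if entry is not None:
            internal_ip, internal_port, remote_ip = entry
            # the reply must come from the host the internal machine actually talked to
            if pkt.src_ip == remote_ip:
                return Packet(pkt.src_ip, pkt.src_port, internal_ip, internal_port)
            return None
        if pkt.dst_port in self.forwards:
            internal_ip, internal_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, internal_ip, internal_port)
        return None   # unsolicited traffic with no table entry or forward is discarded
```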

Access Control Lists

Modern firewalls have a plethora of functions, and configuring them can be a difficult undertaking for any network administrator. But at its most basic level, configuring a firewall is all about determining which traffic is allowed to pass and which is not. This decision is usually implemented in the form of an access control list (ACL). An ACL is a set of statements that may be applied to an interface to permit or deny traffic. Standard ACLs filter traffic by source IP address, which might be a host’s 32-bit address, a subnet ID, or a major classful network. Extended ACLs can filter by source IP address, destination IP address, protocol, and port.

An ACL is similar to a stateless packet filter firewall. Many of the first firewalls were just ACLs on routers.

Now that we know what an ACL is, let’s look at one you might find on a Cisco router:

access-list 10 deny 10.11.12.0 0.0.0.255

access-list 10 permit any

At first sight it looks obscure, yet it accomplishes a fairly basic task. The start of each line, access-list 10, tells Cisco IOS that we are adding an entry to the ACL numbered 10 (IOS supports named ACLs as well as numbered ones); both entries carry the same number, which is what places them in the same list. The actual rule we want the firewall to enforce is at the end of the first line, deny 10.11.12.0 0.0.0.255: deny all traffic from the 10.11.12.0/24 network.

That’s fine; any traffic originating from the 10.11.12.0/24 network will be discarded like a bad habit. But what’s the deal with access-list 10 permit any on the second line? That’s because of an essential feature of ACLs: every list ends with an implicit or automatic deny any, which rejects any packet that doesn’t match a rule. So if we stopped after the first line, no traffic would be allowed to pass, since we don’t have a rule that expressly allows it! For our ACL to function as a firewall rather than a brick wall, the final rule in the list permits any traffic that was not blocked by the first rule.
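The matching behaviour described above, as an added Python example that is not part of the original post: it parses IOS-style standard ACL lines (including the any and host forms), applies the wildcard mask so that 1 bits mean “don’t care”, stops at the first match, and falls through to the implicit deny any, so evaluating only the first line of the sample list blocks every source. The sample ACL text and the test addresses are constructed here.

```python
import ipaddress

# Constructed sample: the two-line ACL discussed above.
SAMPLE_ACL = """
access-list 10 deny 10.11.12.0 0.0.0.255
access-list 10 permit any
"""


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_acl(text: str) -> dict:
    """Parse IOS-style standard ACL lines into {number: [(action, address, wildcard), ...]}."""
    acls = {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] != "access-list":
            continue
        number, action = int(parts[1]), parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {raw}")
        if parts[3] == "any":
            address, wildcard = 0, 0xFFFFFFFF
        elif parts[3] == "host":
            address, wildcard = _addr(parts[4]), 0
        else:
            # explicit wildcard mask; a missing mask means a single host (0.0.0.0)
            address = _addr(parts[3])
            wildcard = _addr(parts[4]) if len(parts) > 4 else 0
        acls.setdefault(number, []).append((action, address, wildcard))
    return acls


def evaluate(entries, src_ip: str) -> str:
    """First matching entry wins; a list with no match ends in the implicit deny any."""
    src = _addr(src_ip)
    for action, address, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFF   # wildcard bits set to 1 are "don't care"
        if src & care == address & care:
            return action
    return "deny"
```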

To be of any use, the ACL must be assigned to an interface and a direction after it has been constructed. Direction is always defined from the router’s point of view, not the network’s. Local traffic entering a default gateway’s interface is outgoing as far as the network is concerned, but inbound as far as the router is concerned. Traffic meant for local hosts exiting a default gateway’s interface is inbound as far as the network is concerned, but outbound as far as the router is concerned.
