1
00:00:00,000 --> 00:00:00,750

2
00:00:00,750 --> 00:00:03,600
When dealing with other people, we like to be treated fairly.

3
00:00:03,600 --> 00:00:05,970
Well, in computer networks, we don't always

4
00:00:05,970 --> 00:00:07,617
want to be fair to our traffic.

5
00:00:07,617 --> 00:00:09,450
So in this Nugget, I'd like to chat with you

6
00:00:09,450 --> 00:00:12,030
about a mechanism we can use to identify traffic

7
00:00:12,030 --> 00:00:13,290
for special treatment.

8
00:00:13,290 --> 00:00:17,790
And that is in the form of an access control list, or ACL.

9
00:00:17,790 --> 00:00:19,590
Access control lists are usually

10
00:00:19,590 --> 00:00:21,690
used as part of a 1-2 punch.

11
00:00:21,690 --> 00:00:23,670
The first part of the 1-2 punch is

12
00:00:23,670 --> 00:00:26,250
to identify specific types of traffic,

13
00:00:26,250 --> 00:00:29,850
either looking at information at layer 2 in the layer 2 header

14
00:00:29,850 --> 00:00:32,750
or looking at information in the layer 3 header and sometimes even

15
00:00:32,750 --> 00:00:34,590
in layer 4 at the transport layer.

16
00:00:34,590 --> 00:00:36,870
And then based on that, give it special treatment

17
00:00:36,870 --> 00:00:39,030
or give those packets, or segments, or frames

18
00:00:39,030 --> 00:00:41,310
special treatment as they go through the network.

19
00:00:41,310 --> 00:00:44,460
And a logical question might be-- well, if I'm a packet,

20
00:00:44,460 --> 00:00:46,130
and I want special treatment, what

21
00:00:46,130 --> 00:00:47,894
could that special treatment look like?

22
00:00:47,894 --> 00:00:49,560
Well, one element would be whether we're

23
00:00:49,560 --> 00:00:52,720
going to permit or deny that traffic on the network.

24
00:00:52,720 --> 00:00:55,150
Maybe we don't want some specific type of traffic.

25
00:00:55,150 --> 00:00:58,110
Let's say we have it out for computer 1 here.

26
00:00:58,110 --> 00:01:01,587
So computer 1 is at address 10.1.0.11.
27
00:01:01,587 --> 00:01:04,170
And we see that that computer's been going out to the internet

28
00:01:04,170 --> 00:01:09,420
to a specific server at 67.83.0.2,

29
00:01:09,420 --> 00:01:12,150
and as it communicates to that host, it's choosing, at the transport

30
00:01:12,150 --> 00:01:14,349
layer, UDP, User Datagram Protocol.

31
00:01:14,349 --> 00:01:16,890
And if we did not want to allow that, we could, first of all,

32
00:01:16,890 --> 00:01:20,460
create an access control list that identifies that traffic

33
00:01:20,460 --> 00:01:23,010
between these two specific IP addresses

34
00:01:23,010 --> 00:01:25,650
and at layer 4, including the fact that it's UDP.

35
00:01:25,650 --> 00:01:28,140
And we could simply say we want to deny that traffic

36
00:01:28,140 --> 00:01:32,470
and then apply that access list to the router interface.

37
00:01:32,470 --> 00:01:35,160
Another example of where an access control list can be used

38
00:01:35,160 --> 00:01:38,557
is to identify traffic that should be translated.

39
00:01:38,557 --> 00:01:40,140
From an earlier Nugget, we took a look

40
00:01:40,140 --> 00:01:42,320
at network address and port address translation,

41
00:01:42,320 --> 00:01:45,360
where we translated the source IP address of computer 1

42
00:01:45,360 --> 00:01:46,980
before it went out to the internet.

43
00:01:46,980 --> 00:01:50,220
Well, we can be very granular with exactly who

44
00:01:50,220 --> 00:01:51,450
gets to be translated.

45
00:01:51,450 --> 00:01:53,910
And we can do that also by creating an access control

46
00:01:53,910 --> 00:01:57,480
list that identifies the source IP addresses that we're

47
00:01:57,480 --> 00:01:59,730
willing to translate and then combining

48
00:01:59,730 --> 00:02:02,190
that with the translation rules on our NAT device or PAT

49
00:02:02,190 --> 00:02:02,970
device.
50
00:02:02,970 --> 00:02:05,650
Only those devices that match that access control list

51
00:02:05,650 --> 00:02:08,130
will actually get the benefit of the translation

52
00:02:08,130 --> 00:02:09,739
as they go through that NAT router.

53
00:02:09,739 --> 00:02:11,280
Another variation of that is maybe we

54
00:02:11,280 --> 00:02:13,860
have two servers-- one is a web server on port 80,

55
00:02:13,860 --> 00:02:18,180
and one's a web server with security on TCP port 443.

56
00:02:18,180 --> 00:02:20,700
However, if we only have one IP address that's globally

57
00:02:20,700 --> 00:02:24,620
reachable-- let's say we have 23.1.1.50

58
00:02:24,620 --> 00:02:27,546
as our only reachable IP address from the internet,

59
00:02:27,546 --> 00:02:28,920
we could set up an access control

60
00:02:28,920 --> 00:02:32,100
list that says specifically, if the traffic is coming

61
00:02:32,100 --> 00:02:34,087
in to that IP address on port 80,

62
00:02:34,087 --> 00:02:36,420
then we're going to translate to this server right here.

63
00:02:36,420 --> 00:02:39,330
We'll call it server B. And if the incoming request

64
00:02:39,330 --> 00:02:43,230
is destined for TCP 443, based on the access control

65
00:02:43,230 --> 00:02:45,089
list and the translation statement,

66
00:02:45,089 --> 00:02:47,130
then we'll go ahead and forward that traffic over

67
00:02:47,130 --> 00:02:51,120
to server A, who's listening for those incoming requests

68
00:02:51,120 --> 00:02:52,445
on port 443.

69
00:02:52,445 --> 00:02:55,560
And when we're doing translation on a specific port like that,

70
00:02:55,560 --> 00:02:58,752
that's commonly referred to as port forwarding

71
00:02:58,752 --> 00:03:00,210
because we're basing the forwarding

72
00:03:00,210 --> 00:03:03,999
decisions specifically on the port that is being requested.
73
00:03:03,999 --> 00:03:06,540
Another great example of where we could use an access control

74
00:03:06,540 --> 00:03:08,190
list is to identify traffic that we

75
00:03:08,190 --> 00:03:10,620
want to give preferential or different treatment

76
00:03:10,620 --> 00:03:14,040
to as that traffic crosses our various network devices.

77
00:03:14,040 --> 00:03:17,460
An example could be traffic that is crossing this wide area network

78
00:03:17,460 --> 00:03:19,800
link that's connecting our corporate headquarters over

79
00:03:19,800 --> 00:03:23,220
here on the left to this branch office over here on the right.

80
00:03:23,220 --> 00:03:24,660
And wide-area network connectivity

81
00:03:24,660 --> 00:03:28,260
is going to be relatively slower than our high-speed Ethernet

82
00:03:28,260 --> 00:03:30,330
connectivity up here, generally speaking.

83
00:03:30,330 --> 00:03:32,370
And if it is, we may have traffic

84
00:03:32,370 --> 00:03:35,070
that needs to be sent back and forth over this link.

85
00:03:35,070 --> 00:03:37,260
And there may not be enough bandwidth to send

86
00:03:37,260 --> 00:03:40,260
all that traffic the moment it shows up at the router.

87
00:03:40,260 --> 00:03:44,430
And the concept of traffic shaping is to help the routers

88
00:03:44,430 --> 00:03:46,380
not just drop all the traffic, but rather

89
00:03:46,380 --> 00:03:49,830
to queue it up and make sure that the data can be sent even

90
00:03:49,830 --> 00:03:52,080
if there is a temporary burst where we have more traffic

91
00:03:52,080 --> 00:03:54,350
than we can send instantaneously.

92
00:03:54,350 --> 00:03:56,070
Another performance-related concept

93
00:03:56,070 --> 00:03:58,650
that can be used in conjunction with access control lists

94
00:03:58,650 --> 00:04:03,660
is QoS, which is an acronym that stands for Quality of Service.
95
00:04:03,660 --> 00:04:05,530
And as packets go into the network,

96
00:04:05,530 --> 00:04:08,010
depending on what device they come from and what device

97
00:04:08,010 --> 00:04:10,950
they're going into, we can do special manipulation--

98
00:04:10,950 --> 00:04:13,500
or they call it marking of the packets--

99
00:04:13,500 --> 00:04:14,574
in the IP header.

100
00:04:14,574 --> 00:04:15,990
And then, we can train our routers

101
00:04:15,990 --> 00:04:17,970
to pay attention to those markings.

102
00:04:17,970 --> 00:04:20,040
So if we have a user like Bob--

103
00:04:20,040 --> 00:04:23,460
actually, a better example, if we had an application like voice

104
00:04:23,460 --> 00:04:26,604
over IP, which is very sensitive to delays.

105
00:04:26,604 --> 00:04:28,020
If we want to have a conversation,

106
00:04:28,020 --> 00:04:30,060
and it's going over a voice over IP network,

107
00:04:30,060 --> 00:04:33,330
we can't tolerate large amounts of variation or delay.

108
00:04:33,330 --> 00:04:35,970
So with quality of service, we could mark all that voice

109
00:04:35,970 --> 00:04:39,240
over IP traffic with specific markings in the IP header.

110
00:04:39,240 --> 00:04:40,740
And then, we could train the routers

111
00:04:40,740 --> 00:04:42,330
that when they see that traffic, they

112
00:04:42,330 --> 00:04:44,610
should give that traffic priority treatment

113
00:04:44,610 --> 00:04:47,100
with the intent of making sure that our voice over IP

114
00:04:47,100 --> 00:04:48,940
communications are working--

115
00:04:48,940 --> 00:04:50,580
or at least working well enough so

116
00:04:50,580 --> 00:04:52,064
that the users have functionality.

117
00:04:52,064 --> 00:04:53,730
And when we're doing quality of service,

118
00:04:53,730 --> 00:04:55,800
we're marking packets and treating various packets

119
00:04:55,800 --> 00:04:57,633
differently at routers, and that can be referred

120
00:04:57,633 --> 00:04:59,650
to as differentiated services.
121
00:04:59,650 --> 00:05:02,640
We're differentiating between one protocol or one set

122
00:05:02,640 --> 00:05:04,320
of markings and another.

123
00:05:04,320 --> 00:05:07,080
Differentiated services is what that's implying.

124
00:05:07,080 --> 00:05:09,930
We can also do marking of traffic and prioritization

125
00:05:09,930 --> 00:05:12,174
of traffic at layer 2 in switching.

126
00:05:12,174 --> 00:05:13,590
And when that's done, that's often

127
00:05:13,590 --> 00:05:16,530
referred to as paying attention to or working with CoS,

128
00:05:16,530 --> 00:05:18,250
which is class of service.

129
00:05:18,250 --> 00:05:20,430
So if we see someone referring to class of service,

130
00:05:20,430 --> 00:05:22,305
we can think to ourselves, OK, that's dealing

131
00:05:22,305 --> 00:05:24,620
with the preferential treatment based on layer 2 frame

132
00:05:24,620 --> 00:05:25,530
markings.

133
00:05:25,530 --> 00:05:27,946
And if we hear of the concept of DiffServ or QoS,

134
00:05:27,946 --> 00:05:30,570
quality of service, that's going to be higher up in the protocol

135
00:05:30,570 --> 00:05:34,200
stack, primarily focused on markings in the IP header

136
00:05:34,200 --> 00:05:36,150
at layer 3.

137
00:05:36,150 --> 00:05:38,340
I hope this has been informative for you.

138
00:05:38,340 --> 00:05:41,678
And I'd like to thank you for viewing.

139
00:05:41,678 --> 00:05:42,178