[CyberSecurityLearning 19] NAT and dynamic routing protocol RIP

table of Contents

NAT

NAT experiment demonstration:

Overview of dynamic routing

Dynamic routing protocol

Dynamic routing protocol classification

The working principle of RIP routing protocol

Formation of the routing table​

RIP measurement value and update time

Routing loop

Split horizon

RIP configuration and verification

Small experiment:

Comprehensive experimental topology diagram​

---

NAT

No company can get online without it! High status

1. Network Address Translations

2. The IPv4 address is seriously insufficient.
      xxxx x: 0-255
      A B C can be used in three categories. D Multicast E. The purpose of scientific research
and NAT is to solve the problem of insufficient addresses.

3. IP addresses are divided into public IP and private IP (public IP and private IP).
     Public IP can only be used on the public network.
     Private IP can only be used on the internal network.
     Private IP addresses are not allowed on the public network! ! ! ! ! ! (The public network is China Unicom, China Telecom, China Mobile...) The
     private network IP can be used repeatedly in the internal network.
     192.168.1.1 is a private IP address

Private IP address range:
select a small part from the ABC three categories as private IP addresses
1) 10.0.0.0/8 ( starting with 10 , only the first eight digits are checked, that is, the first decimal digit is a private address as long as 10 is What is the subnet mask?
2) 172.16.0.0/16 — 172.31.0.0/16 ( starting with 172.16 and ending with 172.31 )
3) 192.168.0.0/16 ( starting with 192.168 )
routing table on the public network router Private IP will not appear in the file, otherwise it will be killed

As long as these three ranges are not all public IPs (provided they are within the ABC three categories)
   

Every public IP is very valuable! (Maybe most of the money for broadband is the money for renting public IP addresses, and a small part is the money for bandwidth)

4. NAT mainly realizes the conversion of public and private IP addresses , which is usually done on a router or firewall. It is not recommended to configure it on a Layer 3 switch!
I hope that the private IP address of the internal network can go to the Internet through the public IP address

5. There are 3 categories of NAT:
    1) Static NAT: 1 to 1 mapping, ( static PAT , port mapping technology)

    2) Dynamic NAT (obsolete) The
   NAT address translation table does not exist, that is, the address translation table is Dynamically generated, not written by the engineer

    3) PAT (Port Address Translations) is best!
          PAT is also called port multiplexing technology ( overload multiplexing ) dynamic PAT

Port number range: 0-65535

6. NAT command:
   1) Define the internal network port:
        int f0/0
            ip nat inside
            exit
   2) Define the external network port:
        int f0/1
            ip nat outside
            exit
   3) Configure PAT: ( for multiple employees, use one public Internet IP Internet access, many-to-one ) Define the internal address pool for Internet access from the inside to the outside
: (Define who I allow to do address translation, usually the owner of the company)
acc 1 permit 192.168.0.0 0.0.255.255 (acl is in This is for the role of the container, not for traffic filtering)
Do dynamic PAT mapping:
conf t
ip nat inside source list 1 int f0/1 overload (make a nat for the IP address, I will treat you if it comes from the intranet As long as the source IP meets the list1 table, I will allow you to use the public network interface f0/1 for address conversion and reuse) The
acl table can only be used for filtering when it is applied to the interface, and it is used in other knowledge points. (In the NAT command), not for traffic filtering, just for matching

  4) Configure static port conversion: (each command is used to map a server) external to internal
conf t
ip nat inside source static  tcp   192.168.1.3 80 100.1.1.2  80 (mapped to a certain port of this server) (I want to map the port 80 of the server 192.168.1.3 to 80 on 100.1.1.2)
When the external network accesses the 80 of 100.1.1.2, it is the 80 of the internal network 192.168.1.3 address.

NAT experiment demonstration:

The router on the public network cannot be equipped with a route to a private IP address

1. Configure IP for router and PC (step omitted)

2. Define internal and external network interfaces for the company router

R1(config)#int f0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#int f0/1
R1(config-if)#ip nat outside
R1(config-if)#exit

3. Match PAT to the company router

R1(config)#access-list 1 permit any
R1(config)#ip nat inside source list 1 int f0/1 overload

4. Verify that all company owners can access the Internet at the same time:

sh ip nat translations (see nat address translation table)

clear ip nat translation * (clear the nat address translation table, don’t just type this command)

 

5. Turn on the server

Netizens on the Internet (200.1.1.1) want to access our company’s web server

Now suppose that our company also bought the public IP of 100.1.1.3, and now we want to map this server address to 100.1.1.3.
Note that the f0/1 interface does not need to be configured. This interface is 100.1.1.1.

R1(config)#ip nat inside source static tcp 192.168.1.222 80 100.1.1.3 80
我们要发布192.168.1.222地址的80，映射到公司买的100.1.1.3这个公网IP的80

Open the Internet user’s computer browser:

Just enter the 100.1.1.3 purchased by the company and you can access the web server of the company's intranet (obviously you are accessing the address of the public network but you see the server of the private network---successful mapping)

Frames are routed from the internal network to the external network, and then do the NAT address translation (do it on the external network port). When the
frame enters the internal network from the external network, the router first decapsulates, first performs address translation, and then performs routing

Address translation is always done on the external network port

Summary: Employees on the internal network (many-to-one) use the IP of the external network interface of the company router to access the Internet (with PAT). When the
          external network wants to come in actively, they can only use static conversion (static port mapping, access to the server) )

What does PAT use to distinguish different people on the intranet? Through the port number, the port number is generated by the router

Overview of dynamic routing

 

Dynamic routing protocol

It can be simply understood as the agreement is the "brain" and also a kind of language

19.2Kb/s is the bandwidth

The metric value is a criterion for choosing a path

When all routers have learned all routing entries, it is called convergence completion. The sooner the better

 

Dynamic routing protocol classification

The biggest difference between these two protocols is that their metric values ​​are different. The
distance vector routing protocol only recognizes distance and direction, and does not consider comprehensive factors (using the number of hops as the metric value) RIP, IGRP, etc.
Link state routing protocols OSPF, IS-IS, etc.

The working principle of RIP routing protocol

Once the rip routing protocol is enabled on this router, with this "brain" installed, it will chat with the router next to it every once in a while (updated every
30s by default) 30s through broadcast to all routers to update my routing table, let you know me Which routes do you know, do you want to learn

 

Routing table formation

Metric is the meaning of the metric value. If it is the RIP routing protocol, the metric value is the number of hops. Writing 0 means 0 hops.
R means RIP protocol.

RIP measurement value and update time

Routing loop

Split horizon

Split horizon is enabled as soon as the RIP router is turned on, no additional configuration is required

 

RIP configuration and verification

Start the RIP process
Router(config)# router rip
announces the main network number
Router(config-router)# network network-number
View the routing table
Router# show ip route
View the configuration of the routing protocol
Router# show ip protocols

Small experiment:

Interoperability across the entire network is required

1. Configure IP (omitted)
2. Configure router

R1(config)#router rip              启用RIP协议
R1(config-router)#version 2        版本1或2都行
R1(config-router)#network 10.0.0.0 把f0/0端口激活
R1(config-router)#network 20.0.0.0 把f0/1端口激活  不是写你真正的网段，只要写开头就行

R2(config)#router rip
R2(config-router)#version 2
R2(config-router)#network 20.0.0.0     激活f0/1接口
R2(config-router)#network 30.0.0.0     激活f0/0接口

R3(config)#router rip
R3(config-router)#version 2
R3(config-router)#network 30.0.0.0
R3(config-router)#network 40.0.0.0
R3(config-router)#exit

Just activate the interface, don’t care about the next hop

3. Check the R1 routing table: do sh ip route

The router does not carry the subnet mask when updating the routing table

[120/1] Yes [Management distance value/hop count]
via is the next hop

4. Ping

 

to sum up:

RIP v1:
Router  rip
   version  1
   network   10.0.0.0
   network   20.0.0.0
   exit

RIP v2:
Router  rip
   version  2
   no  auto-summary
   network   10.0.0.0
   network   20.0.0.0
   exit

 

Comprehensive experimental topology