
IOS DHCP Server

www.ine.com
DHCP
» Dynamic Host Configuration Protocol
» Operates in application layer
» Provides a dynamic method of leasing an IP address to a host
» Uses UDP ports 67 and 68
» Can be useful for small networks where a dedicated DHCP server is not available
Copyright © www.INE.com
Configuration
» Configuring DHCP
• Router(config)# service dhcp
• Router(config)# ip dhcp pool <pool-name>
• Router(config-dhcp)# network <network-id> <mask>
• Router(config-dhcp)# default-router <default gateway>
• Router(config-dhcp)# dns-server <dns-server address>
• Router(config-dhcp)# lease <duration>
• Router(config-dhcp)# end

Configuration
» Configuring exclude list
• Router(config)# ip dhcp excluded-address <start-ip> <end-ip>
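The following is an added example, written for this page in Python and not part of the INE slides, that models how the pool, network, default-router, lease and excluded-address commands above interact: addresses are offered in ascending order, excluded ranges and the network/broadcast addresses are skipped, an existing client renews rather than taking a second address, and expired leases return to the pool. The pool 192.168.10.0/24, the gateway 192.168.10.1, the exclusion range and the MAC addresses are constructed sample values; the class and function names (DhcpPool, Lease, build_sample_pool, run_demo) are my own.

```python
"""Toy model of an IOS DHCP pool with an exclude list.

Added example, not INE's code. It mirrors the slide's commands:
    ip dhcp excluded-address <start-ip> <end-ip>
    ip dhcp pool <name> / network <network-id> <mask> / default-router <gw> / lease <days>
Addresses are offered in ascending order, skipping the network and broadcast
addresses, every excluded range and every address already bound. Leases expire
after `lease_days`; expired bindings return to the pool. All addresses and MACs
below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Lease:
    ip: str
    mac: str
    expires: datetime


@dataclass
class DhcpPool:
    name: str
    network: ipaddress.IPv4Network
    default_router: str
    lease_days: int = 1
    excluded: List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = field(default_factory=list)
    bindings: Dict[str, Lease] = field(default_factory=dict)  # ip -> Lease, like `show ip dhcp binding`

    def exclude(self, start: str, end: Optional[str] = None) -> None:
        """`ip dhcp excluded-address start [end]`; a single address when end is omitted."""
        s = ipaddress.IPv4Address(start)
        e = ipaddress.IPv4Address(end) if end else s
        self.excluded.append((s, e))

    def is_excluded(self, ip: ipaddress.IPv4Address) -> bool:
        return any(s <= ip <= e for s, e in self.excluded)

    def gateway_protected(self) -> bool:
        """True when the default-router address can never be leased to a client.
        Forgetting this exclusion is the classic cause of a duplicate-IP outage."""
        return self.is_excluded(ipaddress.IPv4Address(self.default_router))

    def offer(self, mac: str, now: datetime) -> Optional[str]:
        """Return the address offered to `mac`, or None when the pool is exhausted."""
        # Reap expired leases first so their addresses are reusable.
        for ip in [ip for ip, lease in self.bindings.items() if lease.expires <= now]:
            del self.bindings[ip]
        # A client that already holds a lease renews it instead of taking a new address.
        for ip, lease in self.bindings.items():
            if lease.mac == mac:
                lease.expires = now + timedelta(days=self.lease_days)
                return ip
        for host in self.network.hosts():  # hosts() skips the network and broadcast addresses
            if self.is_excluded(host) or str(host) in self.bindings:
                continue
            self.bindings[str(host)] = Lease(str(host), mac, now + timedelta(days=self.lease_days))
            return str(host)
        return None

    def show_binding(self) -> List[str]:
        """Rows in the spirit of `show ip dhcp binding`: IP, MAC, expiry."""
        return [f"{l.ip:<16}{l.mac:<20}{l.expires:%b %d %Y %I:%M %p}" for l in self.bindings.values()]


def build_sample_pool() -> DhcpPool:
    """Constructed sample: 192.168.10.0/24 with the gateway and nine reserved addresses excluded."""
    pool = DhcpPool("LAN", ipaddress.IPv4Network("192.168.10.0/24"), "192.168.10.1", lease_days=1)
    pool.exclude("192.168.10.1", "192.168.10.10")
    return pool


def run_demo() -> List[Optional[str]]:
    """Four offers against the sample pool: two new clients, a renewal, a client after expiry."""
    pool = build_sample_pool()
    t0 = datetime(2015, 2, 28, 7, 1, 30)  # constructed timestamp
    return [
        pool.offer("0011.2233.4455", t0),                          # first non-excluded host: .11
        pool.offer("0011.2233.4466", t0),                          # next free host: .12
        pool.offer("0011.2233.4455", t0 + timedelta(hours=12)),    # renewal keeps .11
        pool.offer("0011.2233.4477", t0 + timedelta(days=3)),      # both leases expired: .11 again
    ]


if __name__ == "__main__":
    print(run_demo())
    print("\n".join(build_sample_pool().show_binding()))
```

The gateway_protected check is the one worth keeping in mind when copying the slide's commands: the pool starts handing out addresses from the first usable host, so a default-router that is not inside an excluded-address range will eventually be offered to a client.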

Verifying DHCP
» Verification commands
• Router# show ip dhcp binding

Domain Name Service

DNS, What Problem is Solved?
» Remembering IPv4/IPv6 addresses for devices, websites, services, etc., is cumbersome.
» Easier to remember human-readable names.
» These names must be resolved to IP addresses for network connectivity.
» DNS is designed to do just that.

DNS Operation
» DNS Server IP typically learned via DHCP
» Client-Server Operation
» DNS Queries and Replies
• Use UDP Port 53
• “A” Record Lookup = IPv4
• “AAAA” Record Lookup = IPv6
» DNS Updates (copying of name-resolution tables between DNS Servers)
• Uses TCP Port 53
DNS for URL lookups
» Most common application of DNS is to resolve websites to IP addresses.

Ensure accurate time-stamping of logging messages

Why do we need to keep track of time?
» Cisco devices (routers and switches) can utilize time for several purposes:
• Logging output
• Debugging output
• User “show” commands
• Network Management/Reporting tools
» Having an accurate timestamp on the above features can be critical.
Where do we get the clock?
» All routers/switches have an internal “system clock”.
» Most are battery-driven and maintain the time/date across reloads.
» Devices with battery-driven system clocks can also distribute this information to remote devices via NTP.
Sources of time
» The System Clock can obtain its information via:
• Manual Configuration
• NTP (network time protocol)
• SNTP (simple network time protocol)
• VINES Time Service (Virtual Integrated Network Service)
» In this section we’ll be concentrating on NTP.
NTP
» Network Time Protocol
» IETF Standard: RFC 1305 (version-3) and RFC 5905 (version-4)
» Uses UDP port 123 (source and destination)
» NTP Nodes obtain time from an authoritative source:
• Atomic Clock
• GPS
• Radio Clock
• Other network devices

NTP Clients and Servers
» NTP Client = Device that periodically polls a server for time/calendar information.
» NTP Server = Provides that information to the Client.
» An NTP Server is also considered an “authoritative source” of time based on its Stratum Level.
• Stratum 1 = Device directly connected to a radio or atomic clock source.
• Stratum 2 = Time Server that is one hop away from a Stratum-1 device.
NTP Master/Client Configuration
» NTP Server Configuration
• Router# clock set 07:01:30 28 Feb 2015
• Router(config)# ntp master [stratum]

» NTP Client Configuration
• Router(config)# ntp server x.x.x.x

NTP Verification
» Router# show ntp status
» Router# show ntp associations

Access-Lists
(Overview)

Access-List Overview
» Packet identification mechanism
» Can identify packets on the basis of Layer 3 and Layer 4 headers
» Each Access-List (ACL) is composed of one-or-more Access-Control Entries (ACEs).
• Each ACE assigned a sequence number.
• ACEs processed in sequential order until a match is found.
» Should have at least one permit statement (ACE)
What can be matched by ACLs?
» Each ACE within an ACL can match one-or-more fields in L3 and/or L4 headers.

[Figure: IP header fields (TOS, Protocol, Src Addr, Dest Addr) and TCP header fields (Src Port, Dest Port, Flags); each field is marked either “Partial Match Supported” or “Entire Match Required”.]

» Some fields must be matched entirely…bit-for-bit.
» Other fields can optionally be partially matched.
What is “Wildcarding”?
» Ability to tell a router/switch, “I don’t care about all the bits in this field. THESE are the bits I want you to look at.”
» A Wildcard Mask is the tool to accomplish this.
» A Wildcard Mask is compared against the value to be inspected.

Types of IPv4 ACLs
» Standard ACL
» Extended ACL
» Named ACL
• Standard Named
• Extended Named

Standard ACLs

Standard ACL
» Identifies traffic based on Layer-3 header
» Source IP address is checked
» ACL numbers range from 1 through 99
» Should be applied nearest to destination
» No method to check the destination address or port numbers

Where can a Standard ACL Look?

IPv4 header (a Standard ACL inspects only the Source IP Address field):
  Ver | IHL | Type of Service | Total Length
  Identification | Flags | Fragment Offset
  Time To Live | Protocol | Header Checksum
  Source IP Address
  Destination IP Address
  IP Options (if any)
  Payload

Configuring and Verifying Standard ACL
» Configuration command
• Router(config)# access-list <#> <permit | deny> <source address> <wildcard mask>
» Verification commands
• Router# show ip access-list
• Router# show run | inc access-list

Pairing ACLs with IP Access-Groups
» IP Access-Group
• Interface-level Security feature
• Like a Primitive Firewall (forward traffic or drop traffic)
• Directional (must specify inbound or outbound traffic)
• References Access-Lists for classification/identification
» Configuration command
• Router(config-if)# ip access-group <ACL id> <in | out>

Extended ACLs

Extended ACL
» Filters traffic based on Layer-3 and 4 header
» Source and destination IP, and port numbers can be checked
• Ideally, implemented closest to the source of the traffic to be matched.
» ACL numbers range from 100 through 199
» Capable of transport header inspection

Where can an Extended ACL Look?
IPv4 header:
  Ver | IHL | Type of Service | Total Length
  Identification | Flags | Fragment Offset
  Time To Live | Protocol | Header Checksum
  Source IP Address
  Destination IP Address
  IP Options (if any)
TCP header:
  TCP Source Port Number | TCP Destination Port Number
  Sequence Number
  Acknowledgment Number
  Hdr Length | Resvd | Control Flags | Window Size
  TCP Checksum | Urgent Pointer
  TCP Options (if any)
  Payload
UDP header:
  UDP Source Port Number | UDP Destination Port Number
  Length (UDP Hdr + Data) | UDP Checksum
  Payload
Configuring and Verifying Extended ACL
» Configuration command
• Router(config)# access-list <ACL no> <permit | deny> <protocol> <source address> <wildcard mask> <destination address> <wildcard mask> <port numbers>
» Verification commands
• Router# show ip access-list
• Router# show run | inc access-list
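To make the matching rules concrete, here is an added example in Python (not INE's code) that covers both the Standard ACL syntax from the earlier slide and the Extended ACL syntax above. It parses numbered ACEs, including the host and any shorthands, assigns sequence numbers in entry order, evaluates constructed sample packets first-match and returns the implicit deny when nothing matches. Only a destination port with eq is modelled; the ACL contents, packets and names (parse_acl, evaluate, Ace, Packet) are my own.

```python
"""First-match evaluation of IOS standard and extended ACLs.

Added example, not INE's code. It parses the numbered ACL syntax from the slides,
plus the `host` and `any` shorthands, and evaluates constructed sample packets
the way the router does: ACEs in order, first match wins, and a packet that
matches nothing hits the implicit deny at the end of every ACL.
    access-list <1-99>    permit|deny <src> [wildcard]
    access-list <100-199> permit|deny <protocol> <src> <wc> <dst> <wc> [eq <port>]
Only a destination port (`eq`) is modelled; source ports and other operators are left out.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")


def _match(ip: str, base: str, wildcard: str) -> bool:
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _addr(t: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume one address spec at t[i]; return ((address, wildcard), index after it)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 >= len(t):                  # standard ACL with the wildcard omitted: exact host
        return (t[i], "0.0.0.0"), i + 1
    return (t[i], t[i + 1]), i + 2


@dataclass
class Ace:
    seq: int
    action: str
    protocol: str                        # "ip" for a standard ACL (protocol is not checked)
    src: Tuple[str, str]
    dst: Tuple[str, str]
    dst_port: Optional[int]


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    dst_port: Optional[int] = None


def parse_acl(lines: List[str]) -> List[Ace]:
    """Sequence numbers 10, 20, 30 ... are assigned in the order the lines were entered."""
    aces: List[Ace] = []
    for line in lines:
        t = line.split()
        if t[0] != "access-list":
            raise ValueError(f"not an access-list line: {line}")
        number, action = int(t[1]), t[2]
        seq = 10 * (len(aces) + 1)
        if 1 <= number <= 99:                          # standard: source address only
            src, _ = _addr(t, 3)
            aces.append(Ace(seq, action, "ip", src, ANY, None))
        elif 100 <= number <= 199:                     # extended: protocol, src, dst, optional port
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            aces.append(Ace(seq, action, t[3], src, dst, port))
        else:
            raise ValueError(f"ACL number {number} is outside the standard/extended ranges")
    return aces


def evaluate(aces: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, matching sequence number); ("deny", None) is the implicit deny."""
    for ace in aces:
        if ace.protocol != "ip" and ace.protocol != pkt.protocol:
            continue
        if not _match(pkt.src, *ace.src) or not _match(pkt.dst, *ace.dst):
            continue
        if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
            continue
        return ace.action, ace.seq
    return "deny", None


# Constructed sample ACLs.
STANDARD_10 = [
    "access-list 10 deny host 192.168.1.50",
    "access-list 10 permit 192.168.1.0 0.0.0.255",
]
EXTENDED_110 = [
    "access-list 110 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.10 eq 443",
    "access-list 110 deny tcp any host 10.0.0.10 eq 23",
    "access-list 110 permit udp any any eq 53",
]

if __name__ == "__main__":
    acl = parse_acl(EXTENDED_110)
    for p in (Packet("192.168.1.7", "10.0.0.10", "tcp", 443), Packet("192.168.1.7", "10.0.0.10", "tcp", 22)):
        print(p, "->", evaluate(acl, p))
```

The ordering in STANDARD_10 shows why the slide says a deny for one host must precede the permit for its subnet: swap the two lines and the host-specific deny is never reached.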

Named ACL

Named ACL
» Individual statements can be edited, unlike numbered ACLs
» Can be used with a naming convention
» Use of a name instead of a number makes management easier
» More flexible than numbered ACLs

Configuring Standard Named ACL
» Configuration command
• Router(config)# ip access-list standard <name>
• Router(config-std-acl)# <permit | deny> <source address>
» Applying configuration
• Router(config-if)# ip access-group <name> <in | out>

Configuring Extended Named ACL
» Configuration commands
• Router(config)# ip access-list extended <name>
• Router(config-ext-acl)# <permit | deny> <protocol> <source-address> <wildcard mask> <destination-address> <wildcard mask>
» Applying configuration
• Router(config-if)# ip access-group <name> <in | out>

Network Address Translation

Introduction to NAT
» Separates LAN from WAN and provides accessibility to the outside world
» Translates RFC1918 space addresses into public addresses
» Provides security
» Helps reduce public IP address consumption
» Hides private addresses from outsiders
Public & Private Addresses
» Private addresses cannot go outside the network
» At least one public address is required for a private host to communicate with the Internet
» Public IP addresses are globally routable

Types of NAT
» Static NAT
» Dynamic NAT
» PAT (Port Address Translation)

Static NAT

Static NAT
» One to one mapping
» One private host requires a public IP address
» Usually deployed at server end

Configuring Static NAT
» Configuration commands
• Router(config-if)# ip nat inside
• Router(config-if)# ip nat outside
• Router(config)# ip nat inside source static <private address> <public address>

Verifying Static NAT
» Verification commands
• Router# show ip nat translation

Dynamic NAT

Dynamic NAT
» Many to many mapping
» One private host requires a public IP address obtained from a pool of available addresses.
» Usually deployed for hosts utilizing DHCP.
» Easier from the perspective of scalability

Configuring Dynamic NAT
» Configuration commands
• Router(config-if)# ip nat inside
• Router(config-if)# ip nat outside
• Router(config)# access-list <acl no> <permit | deny> <source-address> <wildcard mask>
• Router(config)# ip nat pool <name> <start-ip> <end-ip> netmask <subnet mask>
• Router(config)# ip nat inside source list <acl no> pool <name>
Verifying Dynamic NAT
» Verification commands
• Router# show ip nat translation

Port Address Translation (PAT)

PAT
» Port Address Translation
» One to many mapping
» One public address can provide multiple host connections
» Usually deployed at client end
» Easier from the perspective of scalability

Configuring PAT
» Configuration commands
• Router(config-if)# ip nat inside
• Router(config-if)# ip nat outside
• Router(config)# access-list <acl no> <permit | deny> <source-address> <wildcard mask>
• Router(config)# ip nat inside source list <acl no> interface <type/number> overload
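The following is an added example in Python, not INE's code, that models the translation table the overload command above builds: each permitted inside host's flow is rewritten to the single outside-interface address with its own source port, the table maps replies back to the right inside host, and a packet arriving from outside with no matching entry is dropped, which is the concrete basis for the “hides private addresses” claim earlier in the section. The public address 203.0.113.1, the inside hosts, the destination and the lambda standing in for the ACL are constructed sample values; PatTable, Entry and build_sample_table are my own names.

```python
"""Toy PAT (NAT overload) translation table.

Added example, not INE's code. It models what
    ip nat inside source list <acl no> interface <type/number> overload
does on the router: every permitted inside host's flow is rewritten to the single
outside-interface address with its own source port, and the table maps the reply
back to the right inside host. The public address 203.0.113.1, the inside hosts
and the stand-in for the ACL are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]   # (ip, port)


@dataclass(frozen=True)
class Entry:
    proto: str
    inside_local: Endpoint     # real address of the host on the LAN
    inside_global: Endpoint    # what the Internet sees: shared public address + unique port
    outside: Endpoint          # outside local == outside global here (destination is not translated)


class PatTable:
    def __init__(self, public_ip: str, permitted: Callable[[str], bool]):
        self.public_ip = public_ip
        self.permitted = permitted          # stands in for the `ip nat inside source list` ACL
        self.by_inside: Dict[Tuple[str, Endpoint, Endpoint], Entry] = {}
        self.by_global: Dict[Tuple[str, Endpoint, Endpoint], Entry] = {}
        self.used_ports: Dict[str, Set[int]] = {}
        self.next_port = 1024

    def _free_port(self, proto: str, wanted: int) -> int:
        """Keep the original source port when it is free; pick another on collision."""
        used = self.used_ports.setdefault(proto, set())
        port = wanted
        while port in used:
            port, self.next_port = self.next_port, self.next_port + 1
        used.add(port)
        return port

    def outbound(self, proto: str, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Inside -> outside. Returns the source endpoint to write into the packet."""
        if not self.permitted(src[0]):
            return src                      # ACL does not match: forwarded untranslated, no entry
        key = (proto, src, dst)
        if key not in self.by_inside:
            entry = Entry(proto, src, (self.public_ip, self._free_port(proto, src[1])), dst)
            self.by_inside[key] = entry
            self.by_global[(proto, entry.inside_global, dst)] = entry
        return self.by_inside[key].inside_global

    def inbound(self, proto: str, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Outside -> inside. Returns the inside host to deliver to, or None when no
        translation exists, which is why unsolicited connections die at the router."""
        entry = self.by_global.get((proto, dst, src))
        return entry.inside_local if entry else None

    def show(self) -> List[str]:
        """Rows in the layout of `show ip nat translation`."""
        rows = ["Pro Inside global        Inside local          Outside local         Outside global"]
        for e in self.by_inside.values():
            ig, il, o = (f"{ip}:{p}" for ip, p in (e.inside_global, e.inside_local, e.outside))
            rows.append(f"{e.proto:<4}{ig:<21}{il:<22}{o:<22}{o}")
        return rows


def build_sample_table() -> PatTable:
    """Constructed sample: one public address, inside hosts limited to 192.168.1.0/24
    (what `access-list 1 permit 192.168.1.0 0.0.0.255` would select)."""
    lan = ipaddress.IPv4Network("192.168.1.0/24")
    return PatTable("203.0.113.1", lambda ip: ipaddress.IPv4Address(ip) in lan)


if __name__ == "__main__":
    nat = build_sample_table()
    nat.outbound("tcp", ("192.168.1.10", 40000), ("198.51.100.5", 443))
    nat.outbound("tcp", ("192.168.1.11", 40000), ("198.51.100.5", 443))   # port clash: gets 1024
    print("\n".join(nat.show()))
```

From an operations standpoint the by_inside table is the evidence that `show ip nat translation` gives you: when a public address shows up in an external report, the inside-global port is the only thing that tells which LAN host was responsible, so the table (or its logging) needs to be retained.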

Verifying PAT
» Verification commands
• Router# show ip nat translation

