www.ine.com
DHCP
» Dynamic Host Configuration Protocol
» Operates in application layer
» Provides dynamic method of leasing an IP
address to a host
» Uses UDP ports 67 and 68
» Can be useful for small networks where a
dedicated DHCP server is not available
Copyright © www.INE.com
Configuration
» Configuring DHCP
• Router(config)# service dhcp
• Router(config)# ip dhcp pool <pool-name>
• Router(config-dhcp)# network <network-id>
• Router(config-dhcp)# default-router <default gateway>
• Router(config-dhcp)# dns-server <dns-server address>
• Router(config-dhcp)# lease <duration>
• Router(config-dhcp)# end
Configuration
» Configuring exclude list
• Router(config)# ip dhcp excluded-address <start-ip> <end-ip>
Verifying DHCP
» Verification commands
• Router# show ip dhcp binding
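The following is an added example, not INE's or Cisco's code: a small Python model of an IOS-style DHCP pool that ties the commands above together (network, default-router, lease, excluded-address, and the bindings that show ip dhcp binding would list). The network 192.0.2.0/24, the excluded range and the client IDs are constructed values; skipping the default-router address even when it is not excluded is a modelling choice of this example, not documented IOS behaviour.

```python
# Added example (not INE's code): a model of an IOS-style DHCP pool with an
# "excluded-address" range, so the effect of the commands above can be seen
# without a router. Addresses come from the documentation range 192.0.2.0/24
# and client IDs are constructed values.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Binding:
    """One lease, the equivalent of a row in 'show ip dhcp binding'."""
    ip: ipaddress.IPv4Address
    client_id: str
    expires_at: int  # simulated clock, seconds


class DhcpPool:
    def __init__(self, network: str, default_router: str, lease_seconds: int):
        self.network = ipaddress.ip_network(network)                 # 'network'
        self.default_router = ipaddress.ip_address(default_router)   # 'default-router'
        self.lease_seconds = lease_seconds                           # 'lease'
        self.excluded = set()
        self.bindings = {}  # client_id -> Binding

    def exclude(self, start: str, end: str) -> None:
        """'ip dhcp excluded-address <start-ip> <end-ip>' (inclusive range)."""
        first = int(ipaddress.ip_address(start))
        last = int(ipaddress.ip_address(end))
        self.excluded.update(ipaddress.ip_address(n) for n in range(first, last + 1))

    def _expire(self, now: int) -> None:
        # Reclaim addresses whose lease has run out so they can be reissued.
        for cid in [c for c, b in self.bindings.items() if b.expires_at <= now]:
            del self.bindings[cid]

    def lease(self, client_id: str, now: int) -> Optional[ipaddress.IPv4Address]:
        """Issue (or renew) a lease; returns None when the pool is exhausted."""
        self._expire(now)
        if client_id in self.bindings:  # a renewal keeps the same address
            binding = self.bindings[client_id]
            binding.expires_at = now + self.lease_seconds
            return binding.ip
        in_use = {b.ip for b in self.bindings.values()}
        for host in self.network.hosts():
            # Modelling choice (assumption, not documented IOS behaviour): the
            # gateway address is skipped even if the operator forgot to exclude it.
            if host in self.excluded or host in in_use or host == self.default_router:
                continue
            self.bindings[client_id] = Binding(host, client_id, now + self.lease_seconds)
            return host
        return None

    def show_binding(self) -> list:
        """Rows of (ip, client-id, expiry), sorted like 'show ip dhcp binding'."""
        return sorted((str(b.ip), b.client_id, b.expires_at) for b in self.bindings.values())


if __name__ == "__main__":
    pool = DhcpPool("192.0.2.0/24", "192.0.2.1", lease_seconds=86400)  # lease 1 (day)
    pool.exclude("192.0.2.1", "192.0.2.10")  # keep gateway and servers out of the pool
    print(pool.lease("0100.aabb.cc00.01", now=0))  # 192.0.2.11, first address past the exclusion
    print(pool.lease("0100.aabb.cc00.02", now=0))  # 192.0.2.12
    print(pool.show_binding())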
Domain Name Service
DNS, What Problem is Solved?
» Remembering IPv4/IPv6 addresses for devices,
websites, services, etc., is cumbersome.
» Easier to remember human-readable names.
» These names must be resolved to IP addresses for
network connectivity.
» DNS is designed to do just that.
DNS Operation
» DNS Server IP typically learned via DHCP
» Client-Server Operation
» DNS Queries and Replies
• Use UDP Port 53
• “A” Record Lookup = IPv4
• “AAAA” Record Lookup = IPv6
» DNS Updates (zone transfers: copying of name-resolution
tables between DNS Servers)
• Use TCP Port 53
DNS for URL lookups
» Most common application of DNS is to resolve websites to IP addresses.
Ensure accurate timestamping of logging messages
Why do we need to keep track of time?
» Cisco devices (routers and switches) can
utilize time for several purposes:
• Logging output
• Debugging output
• User “show” commands
• Network Management/Reporting tools
» Having an accurate timestamp on the above
features can be critical.
Where do we get the clock?
» All routers/switches have an internal “system
clock”.
» Most are battery-driven and maintain the
time/date across reloads.
» Devices with battery-driven system clocks
can also distribute this information to remote
devices via NTP.
Sources of time
» The System Clock can obtain its information
via:
• Manual Configuration
• NTP (network time protocol)
• SNTP (simple network time protocol)
• VINES Time Service (Virtual Integrated Network Service)
» In this section we’ll be concentrating on NTP.
NTP
» Network Time Protocol
» IETF Standard: RFC 1305 (version-3) and RFC 5905 (version-4)
» Uses UDP port 123 (source and destination)
» NTP Nodes obtain time from an authoritative source:
• Atomic Clock
• GPS
• Radio Clock
• Other network devices
NTP Clients and Servers
» NTP Client = Device that periodically polls a server
for time/calendar information.
» NTP Server = Provides that information to Client.
» NTP Server also considered an “authoritative
source” of time based on its Stratum Level.
• Stratum 1 = Device directly connected to a radio or
atomic clock source.
• Stratum 2 = Time Server that is one hop away from
Stratum-1 device.
NTP Master/Client Configuration
» NTP Server Configuration
• Router# clock set 07:01:30 28 Feb 2015
• Router(config)#ntp master [stratum]
NTP Verification
» Verification command
• Router# show ntp status
Access-Lists
(Overview)
Access-List Overview
» Packet identification mechanism
» Can identify packets on the basis of Layer 3 and
Layer 4 header
» Each Access-List (ACL) is composed of one-or-more
Access-Control Entries (ACEs).
• Each ACE assigned a sequence number.
• ACEs processed in sequential order until a match is found.
» Should have at least one permit statement (ACE), since every ACL ends with an implicit deny
What can be matched by ACLs?
» Each ACE within an ACL can match one-or-more
fields in L3 and/or L4 headers.
» IP Header fields: TOS, Protocol, Src Addr, Dest Addr
» TCP Header fields: Src Port, Dest Port, Flags
Types of IPv4 ACLs
» Standard ACL
» Extended ACL
» Named ACL
• Standard Named
• Extended Named
Standard ACLs
Standard ACL
» Identifies traffic based on Layer-3 header
» Source IP address is checked
» ACL numbers range from 1 through 99
» Should be applied nearest to destination
» No method to check destination address or port
numbers
Where can a Standard ACL Look?
Configuring and Verifying Standard ACL
» Configuration command
• Router(config)# access-list <#> <permit | deny> <source
address> <wild card mask>
» Verification commands
• Router# show ip access-list
• Router# show run | inc access-list
Pairing ACLs with IP Access-Groups
» IP Access-Group
• Interface-level Security feature
• Like a Primitive Firewall (forward traffic or drop traffic)
• Directional (must specify inbound or outbound traffic)
• References Access-Lists for classification/identification
» Configuration command
• Router(config-if)# ip access-group <ACL id> <in | out>
Extended ACLs
Extended ACL
» Filters traffic based on Layer-3 and 4 header
» Source and destination IP, and port numbers can
be checked
• Ideally, implemented closest to source of traffic to be
matched.
» ACL numbers range from 100 through 199
» Capable of transport header inspection
Where can an Extended ACL Look?
» IP Header fields:
• Ver, IHL, Type of Service, Total Length
• Identification, Flags, Fragment Offset
• Time To Live, Protocol, Header Checksum
• Source IP Address
• Destination IP Address
• IP Options (if any)
» TCP Header fields:
• TCP Source Port Number, TCP Destination Port Number
Named ACL
Named ACL
» Individual statements can be edited, unlike
numbered ACLs
» Names can follow a naming convention
» Use of name instead of number makes
management easier
» More flexible than numbered ACLs
Configuring Standard Named ACL
» Configuration command
• Router(config)# ip access-list standard <name>
• Router(config-std-acl)# <permit | deny> <source address> [wildcard mask]
» Applying configuration
• Router(config-if)# ip access-group <name> <in | out>
Configuring Extended Named ACL
» Configuration commands
• Router(config)# ip access-list extended <name>
• Router(config-ext-acl)# <permit | deny> <protocol>
<source-address> <wildcard mask> <destination-address>
<wildcard mask>
» Applying configuration
• Router(config-if)# ip access-group <name> <in | out>
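The following is an added example, not INE's or Cisco's code: a Python model of how an IOS ACL is evaluated, serving both the standard ACL slides (source address with a wildcard mask, numbered list 1-99) and the extended/named ACL slides (protocol, destination, port). It demonstrates wildcard-mask matching, sequence-number ordering, first-match semantics and the implicit deny at the end, plus the ordering mistake a reviewer looks for: a broad permit placed before a specific deny, which makes the deny unreachable. The ACL names, addresses and packets are constructed for the example.

```python
# Added example (not INE's or Cisco's code): a model of IOS ACL evaluation.
# Addresses are constructed from documentation ranges.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")  # what the IOS keyword 'any' expands to


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard mask means 'ignore this bit'; a 0 bit means 'must match'."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(base)) & care)


@dataclass
class ACE:
    seq: int
    action: str                     # "permit" or "deny"
    src: str
    src_wc: str
    protocol: str = "ip"            # a standard ACE only looks at the source
    dst: Optional[str] = None
    dst_wc: str = "0.0.0.0"         # default: exact host match
    dst_port: Optional[int] = None  # 'eq <port>' on an extended ACE

    def matches(self, pkt: dict) -> bool:
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if self.protocol != "ip" and pkt["proto"] != self.protocol:
            return False
        if self.dst is not None and not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return True


@dataclass
class AccessList:
    name: str
    entries: list = field(default_factory=list)

    def add(self, ace: ACE) -> None:
        self.entries.append(ace)
        self.entries.sort(key=lambda e: e.seq)  # ACEs are kept in sequence order

    def evaluate(self, pkt: dict) -> tuple:
        """Return (action, matching sequence number); the first matching ACE wins."""
        for ace in self.entries:
            if ace.matches(pkt):
                return ace.action, ace.seq
        return "deny", None  # the implicit 'deny any' that closes every ACL


def standard_acl_10() -> AccessList:
    # access-list 10 permit 10.1.1.0 0.0.0.255
    acl = AccessList("10")
    acl.add(ACE(10, "permit", "10.1.1.0", "0.0.0.255"))
    return acl


def extended_acl_web_in() -> AccessList:
    # ip access-list extended WEB_IN
    #   10 permit tcp any host 192.0.2.10 eq 80
    #   20 deny ip any any
    acl = AccessList("WEB_IN")
    acl.add(ACE(10, "permit", *ANY, protocol="tcp", dst="192.0.2.10", dst_port=80))
    acl.add(ACE(20, "deny", *ANY))
    return acl


def shadowed_acl() -> AccessList:
    # A 'permit any' placed first makes the later deny unreachable: ordering matters.
    acl = AccessList("SHADOWED")
    acl.add(ACE(10, "permit", *ANY))
    acl.add(ACE(20, "deny", "10.1.1.0", "0.0.0.255"))
    return acl


if __name__ == "__main__":
    web = {"src": "198.51.100.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 80}
    print(standard_acl_10().evaluate({"src": "10.1.1.7", "dst": "192.0.2.10", "proto": "tcp"}))
    print(extended_acl_web_in().evaluate(web))
    print(extended_acl_web_in().evaluate(dict(web, proto="udp")))
    print(shadowed_acl().evaluate({"src": "10.1.1.7", "dst": "192.0.2.10", "proto": "tcp"}))
```

The evaluate method returns the sequence number of the ACE that matched; on a router the equivalent evidence is the per-ACE hit counter in show ip access-list, which is the quickest way to spot an entry that never matches because an earlier one shadows it.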
Network Address Translation
Introduction to NAT
» Separates LAN from WAN and provides
accessibility to the outside world
» Translates RFC 1918 private addresses into public
addresses
» Provides some security by hiding the internal address plan (not a substitute for filtering)
» Helps reduce public IP address consumption
» Hides private addresses from outsiders
Public & Private Addresses
» Private addresses are not routable outside the local
network
» At least one public address is required for a
private host to communicate to the Internet
» Public IP addresses are globally routable
Types of NAT
» Static NAT
» Dynamic NAT
» PAT (Port Address Translation)
Static NAT
Static NAT
» One to one mapping
» Each private host requires its own public IP address
» Usually deployed for servers that must be reachable from outside
Configuring Static NAT
» Configuration commands
• Router(config-if)# ip nat inside
• Router(config-if)# ip nat outside
• Router(config)# ip nat inside source static <private
address> <public address>
Verifying Static NAT
» Verification commands
• Router# show ip nat translation
Dynamic NAT
Dynamic NAT
» Many to many mapping
» One private host requires a public IP address
obtained from a pool of available addresses.
» Usually deployed for hosts utilizing DHCP.
» Easier from the perspective of scalability
Configuring Dynamic NAT
» Configuration commands
• Router(config-if)# ip nat inside
• Router(config-if)# ip nat outside
• Router(config)# access-list <acl no> <permit | deny>
<source-address> <wildcard mask>
• Router(config)# ip nat pool <name> <start-ip> <end-ip>
netmask <subnet mask>
• Router(config)# ip nat inside source list <acl no> pool
<name>
Verifying Dynamic NAT
» Verification commands
• Router# show ip nat translation
Port Address Translation (PAT)
PAT
» Port Address Translation
» One to many mapping
» One public address can provide multiple host
connections
» Usually deployed at client end
» Easier from the perspective of scalability
Configuring PAT
» Configuration commands
• Router(config-if)# ip nat inside
• Router(config-if)# ip nat outside
• Router(config)# access-list <acl no> <permit | deny>
<source-address> <wildcard mask>
• Router(config)# ip nat inside source list <acl no> interface
<type/number> overload
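The following is an added example, not INE's or Cisco's code: a Python model of the translation table that ip nat inside source list ... interface ... overload builds. It shows one public address carrying several inside hosts (distinguished by the translated source port), how a reply is mapped back to the right inside host, and why an unsolicited inbound packet goes nowhere: it matches no table entry. The access-list is modelled as a list of permitted prefixes, ports are allocated sequentially from 1024 (a simplification of this example, not documented IOS behaviour), and all addresses are constructed from the documentation ranges.

```python
# Added example (not INE's or Cisco's code): a model of a PAT (overload)
# translation table. Addresses are constructed from documentation ranges.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatTranslator:
    def __init__(self, inside_list: list, outside_ip: str, first_port: int = 1024):
        self.inside_list = [ipaddress.ip_network(n) for n in inside_list]  # the 'source list' ACL
        self.outside_ip = outside_ip   # address of the 'interface ... overload' interface
        self.next_port = first_port    # simplification: sequential port allocation
        self.table = {}                # (proto, inside-global port) -> inside-local Flow

    def _eligible(self, src_ip: str) -> bool:
        return any(ipaddress.ip_address(src_ip) in net for net in self.inside_list)

    def outbound(self, flow: Flow) -> Optional[Flow]:
        """Inside -> outside: rewrite the source to <outside_ip>:<allocated port>.
        Returns None when the source is not matched by the access-list."""
        if not self._eligible(flow.src_ip):
            return None
        for (proto, gport), local in self.table.items():
            if local == flow:  # an existing translation is reused
                return Flow(proto, self.outside_ip, gport, flow.dst_ip, flow.dst_port)
        gport = self.next_port
        self.next_port += 1
        self.table[(flow.proto, gport)] = flow
        return Flow(flow.proto, self.outside_ip, gport, flow.dst_ip, flow.dst_port)

    def inbound(self, flow: Flow) -> Optional[Flow]:
        """Outside -> inside: only a packet matching an existing entry (same peer
        and port) is translated back; anything else has no inside destination."""
        local = self.table.get((flow.proto, flow.dst_port))
        if local is None or local.dst_ip != flow.src_ip or local.dst_port != flow.src_port:
            return None
        return Flow(flow.proto, flow.src_ip, flow.src_port, local.src_ip, local.src_port)

    def show_translations(self) -> list:
        """Rows shaped like 'show ip nat translation':
        (proto, inside global, inside local, outside global)."""
        return sorted(
            (proto, f"{self.outside_ip}:{gport}", f"{l.src_ip}:{l.src_port}", f"{l.dst_ip}:{l.dst_port}")
            for (proto, gport), l in self.table.items()
        )


if __name__ == "__main__":
    nat = PatTranslator(["10.0.0.0/24"], "198.51.100.1")
    print(nat.outbound(Flow("tcp", "10.0.0.5", 40000, "203.0.113.9", 443)))  # -> 198.51.100.1:1024
    print(nat.outbound(Flow("tcp", "10.0.0.6", 40000, "203.0.113.9", 443)))  # -> 198.51.100.1:1025
    print(nat.inbound(Flow("tcp", "203.0.113.9", 443, "198.51.100.1", 1025)))  # back to 10.0.0.6:40000
    print(nat.inbound(Flow("tcp", "203.0.113.9", 443, "198.51.100.1", 2000)))  # None: no entry
    print(nat.show_translations())
```

The inbound check is the whole of the "security" that PAT provides on the slides above: a packet is only forwarded inward if an inside host already opened a matching entry, which is why an unsolicited connection to the public address is dropped by default, and why that behaviour disappears as soon as a static entry or port forward is added.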
Verifying PAT
» Verification commands
• Router# show ip nat translation