Infrastructure Services
Describe DNS lookup operation
There are really only a couple of reasons that DNS resolution would not work from the client's perspective:
o The DNS Server IP address is wrong in the client's Network Configuration Settings
o The DNS Server is unreachable from the client. Either the client can't route to it properly or the DNS Server is down.
On a Windows client, open the Command Prompt and use ipconfig /all to help troubleshoot.
Find the DNS Server IP. In this case, the DNS Server IP is a private address and it is different from the Default Gateway address. That is most likely the issue, since on a private network the Default Gateway would realistically be the same device as the DHCP Server and DNS Server. Change 192.168.100.1 to 192.168.0.1 and that fixes issue #1, where the DNS Server IP is wrong. If you don't have access to change the setting on the router, you could statically set the DNS Server IP on the client machine to the IP address of the Default Gateway or to a known public DNS Server IP. Then test it using the same ping command to verify.
ipconfig /all
C:\Users\Joe>ping google.com
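The two failure causes listed above (wrong resolver IP, or a resolver that cannot be reached) are easier to tell apart if the client talks to the configured server directly rather than through the OS resolver. The following script is an added example, not part of the original slides: it builds a DNS A query in RFC 1035 wire format, sends it straight to a chosen server on UDP/53, parses the reply (including name compression pointers) and reports either "unreachable" (no reply within the timeout) or what the server actually answered. The server address 192.168.0.1, the name example.com and the reply bytes in SAMPLE_RESPONSE are constructed for the demonstration; the address 192.0.2.1 is from the RFC 5737 documentation range.

```python
"""Minimal DNS A-record lookup and diagnosis over UDP (RFC 1035 wire format)."""
import random
import socket
import struct


def build_query(name, qid=None):
    """Return the bytes of a standard recursive A query for `name`."""
    qid = random.randrange(65536) if qid is None else qid
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(buf, off):
    """Decode a possibly compressed domain name; return (name, next offset)."""
    labels = []
    while True:
        length = buf[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer (11xxxxxx)
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            tail, _ = _read_name(buf, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(buf[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_response(buf, expected_id):
    """Return (rcode, [A-record addresses]); reject replies for another ID."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", buf[:12])
    if qid != expected_id:
        raise ValueError("response ID does not match query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qdcount):          # skip the echoed question section
        _, off = _read_name(buf, off)
        off += 4                       # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _, off = _read_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record: four-byte IPv4 address
            addrs.append(".".join(str(b) for b in rdata))
    return flags & 0x000F, addrs


def diagnose(name, server, timeout=2.0):
    """Query `server` directly and map the outcome onto the two failure causes:
    no reply at all (unreachable / wrong IP / server down) versus a reply."""
    qid = random.randrange(65536)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return "unreachable: no reply from %s within %.1fs" % (server, timeout)
    except OSError as exc:
        return "unreachable: %s" % exc
    finally:
        sock.close()
    rcode, addrs = parse_response(data, qid)
    if rcode != 0:
        return "server answered with RCODE %d" % rcode
    return "ok: %s -> %s" % (name, ", ".join(addrs))


# Constructed sample reply (not captured traffic): ID 0x1234, flags QR/RD/RA,
# question example.com A IN, one answer example.com A 192.0.2.1 TTL 300.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE, 0x1234))
    # Live check against the resolver the client is configured with, e.g.:
    # print(diagnose("example.com", "192.168.0.1"))
```

Run it against the address shown by ipconfig /all first, then against the gateway or a public resolver: a timeout from the configured address and a normal answer from the other confirms the slide's first cause (wrong resolver IP), while timeouts from every server point at routing or a dead server.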
Configure and verify DHCP on a router – Relay
A DHCP relay agent is any host that forwards DHCP packets between clients and servers.
Relay agents are used to forward requests and replies between clients and servers when they are not on the same physical subnet.
Relay agent forwarding is distinct from the normal forwarding of an IP router, where IP datagrams are switched between networks somewhat transparently.
Relay agents receive DHCP messages and then generate a new DHCP message to send out on another interface.
The Cisco IOS DHCP relay agent supports the use of unnumbered interfaces.
The DHCP relay agent automatically adds a static host route specifying the unnumbered interface as the outbound interface.
Configure and verify DHCP on a router – Client
The Cisco IOS DHCP client enables a device to obtain an IP address from a DHCP Server dynamically using the DHCP protocol.
The Cisco IOS DHCP client enables a device to obtain an IP address
from a DHCP Server dynamically using the DHCP protocol as
specified in RFC 2131.
In Cisco IOS Release 12.2, only Ethernet interfaces are supported;
work is in progress to support all interface types.
The Cisco IOS DHCP client offers the following benefits:
o Reduces time to configure and deploy
o Reduces the number of configuration errors
o Enables customers to centrally control the IP address assigned to a Cisco IOS router
Configure and verify DHCP on a router – TFTP, DNS and gateway options
Priority
Assigning a priority allows you to select the active and standby routers
Priority is a required configuration setting
The range is 1 to 255
The default priority is 100
The highest number represents the highest priority
Preemption
Preemption is an optional configuration setting
If preemption is enabled, the router with the highest priority becomes the active router
If priorities are equal, the current active router does not change
The priority of the device can change dynamically if an interface is configured with the "standby track" command and another interface on the router goes down
Version
HSRPv1—Version 1 of the HSRP (the default) comes with these features:
o Version 1 is the default HSRP version
o The HSRP group number can be from 0 to 255
o HSRPv1 uses the multicast address 224.0.0.2 to send hello packets
o HSRPv1 and CGMP could conflict with each other so only one of the protocols can be enabled. They are mutually exclusive
HSRPv2—Version 2 of the HSRP has these features:
o HSRPv2 can use a group number from 0 to 4095 and a MAC address from 0000.0C9F.F000 to 0000.0C9F.FFFF
o Recommended to match the HSRP group number to the VLAN ID of a subinterface
o HSRPv2 uses the multicast address 224.0.0.102 to send hello packets
o HSRPv2 has a different packet format than HSRPv1
o HSRPv2 and CGMP leave processing are no longer mutually exclusive, and both can be enabled at the same time
A switch running HSRPv1 cannot identify the physical router that
sent a hello packet because the source MAC address of the router is
the virtual MAC address.
HSRPv2 has a different packet format than HSRPv1. A HSRPv2 packet
uses the type-length-value (TLV) format and has a 6-byte identifier
field with the MAC address of the physical router that sent the
packet.
If an interface running HSRPv1 gets an HSRPv2 packet, the type field
is ignored.
The version of an HSRP group can be changed from HSRPv2 to
HSRPv1 only if the group number is less than 256.
If you change the HSRP version on an interface, each HSRP group
resets because it now has a new virtual MAC address.
Configure, verify, and troubleshoot inside source NAT
Inside source Network Address Translation (NAT) is used to map private IP addresses on a LAN to public IP address(es) on the outside interface of the router
The interface of the router connecting to the LAN network is the inside
The interface of the router connecting to the WAN is the outside
Different methods of NAT are used depending on the desired outcome: Static, Pool and PAT
Assign inside and outside NAT interfaces
Static
One-to-one mapping
Translates a specific inside IP address to a specific outside IP address
Translations are statically configured and placed in the translation table whether there is traffic or not
This is mostly useful for hosts that provide application services like mail, web, FTP, etc.
Pool
A form of Dynamic NAT
Many-to-many mappings
Translates multiple inside IP addresses to multiple outside IP addresses
Most useful when there are fewer addresses available (the pool) than actual hosts to be translated
Entries in the translation table are created when hosts initiate connections
One-to-one mappings are created, but it's said to be many-to-many because the mappings can vary and are dependent on the available IPs in the pool at the time of the request
NAT entries are removed from the translation table and the IP address is returned to the NAT pool after a specified and configurable amount of time during which the host does not communicate
Steps to configure NAT
o Create a pool of addresses. This pool consists of 100 private addresses from .100 to .199 even though the netmask covers all 256 addresses
Router(config)#ip nat pool MYNATPOOL 192.168.1.100 192.168.1.199 netmask 255.255.255.0
o Associate the access-list 100 that is selecting the internal network 192.168.1.0 0.0.0.255 to be natted to the pool MYNATPOOL and then overload the addresses
Router(config)#ip nat inside source list 100 pool MYNATPOOL overload
PAT: Port-address translation
An extension to NAT that permits multiple IP addresses on a LAN to be mapped to a single public IP address
The goal of PAT is to conserve IP addresses
A PAT device transparently modifies IP packets as they pass through it. The modifications make all the packets which it sends to the public network from the multiple hosts on the private network appear to originate from a single host - the PAT device - on the public network.
PAT is a translation method that allows the user to conserve addresses in the global address pool by allowing source ports in TCP and UDP to be translated.
Different local addresses map to the same global address and the port translation provides the necessary uniqueness.
When translation is required, the new port number is picked out of the same range as the original, following the convention of the Berkeley Software Distribution (BSD).
This prevents end stations from seeing connection requests with source ports apparently corresponding to the Telnet, HTTP, or FTP daemon, for example.
As a result, Cisco IOS PAT supports about 4000 local addresses that can be mapped
to the same global address.
To configure PAT/NAT correctly the first time, you need to understand the Cisco
NAT terminology and how your IP networks/addresses map to each of the entities
listed below:
o Inside Local—This is the local IP address of a private host on your network (e.g.,
a workstation's IP address).
o Inside Global—This is the public IP address that the outside network sees as the
IP address of your local host.
o Outside Local—This is the local IP address from the private network, which your
local host sees as the IP address of the remote host.
o Outside Global—This is the public IP address of the remote host (e.g., the IP
address of the remote Web server that a workstation is connecting to).
The overload command is essential to force the router to use PAT
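To make the PAT behaviour described in the last two sections concrete, here is an added example (not from the original slides, and not how Cisco IOS is implemented internally) that simulates an overload translation table: every inside-local address:port pair is mapped to the single inside-global address, the translated source port is reused when free and otherwise picked from the same range as the original (1-511, 512-1023, 1024-65535, the BSD convention the text refers to), and return traffic is mapped back through the reverse table. The inside-global address 203.0.113.5 (RFC 5737 documentation range) and the 192.168.1.x hosts are constructed sample values; the "first free port in the range" allocation rule and the explicit expire() call standing in for the idle timeout are simplifications of this example, not the router's algorithm.

```python
"""Simulation of PAT (NAT overload): many inside-local address:port pairs share
one inside-global address; port translation supplies the uniqueness."""

# Port ranges that a translated source port must stay inside (BSD convention):
# well-known 1-511, 512-1023, and the unprivileged range above 1023.
PORT_RANGES = [(1, 511), (512, 1023), (1024, 65535)]


class PatTable:
    def __init__(self, inside_global):
        self.inside_global = inside_global   # the one public address shared by all hosts
        self.outbound = {}   # (inside_local, local_port) -> global_port
        self.inbound = {}    # global_port -> (inside_local, local_port)

    @staticmethod
    def _range_for(port):
        for low, high in PORT_RANGES:
            if low <= port <= high:
                return low, high
        raise ValueError("invalid port %d" % port)

    def _allocate(self, port):
        """Keep the original port if it is unused on the global side; otherwise
        take the first free port in the same range (simplified allocation)."""
        if port not in self.inbound:
            return port
        low, high = self._range_for(port)
        for candidate in range(low, high + 1):
            if candidate not in self.inbound:
                return candidate
        raise RuntimeError("port range %d-%d exhausted" % (low, high))

    def translate_out(self, inside_local, local_port):
        """Outbound packet: return the (inside_global, global_port) it leaves with."""
        key = (inside_local, local_port)
        if key not in self.outbound:          # new flow: create the table entry
            global_port = self._allocate(local_port)
            self.outbound[key] = global_port
            self.inbound[global_port] = key
        return self.inside_global, self.outbound[key]

    def translate_in(self, global_port):
        """Return traffic: which inside host and port own this global port?
        None means no entry exists and the packet has nowhere to go."""
        return self.inbound.get(global_port)

    def expire(self, inside_local, local_port):
        """Remove an idle entry (what the router does after the idle timeout)."""
        global_port = self.outbound.pop((inside_local, local_port), None)
        if global_port is not None:
            del self.inbound[global_port]
        return global_port


def demo():
    """Three inside hosts behind one global address; constructed sample values."""
    table = PatTable("203.0.113.5")
    results = [
        table.translate_out("192.168.1.10", 50000),  # keeps port 50000
        table.translate_out("192.168.1.11", 50000),  # collision: new port >= 1024
        table.translate_out("192.168.1.12", 80),     # keeps port 80
        table.translate_out("192.168.1.13", 80),     # collision: new port in 1-511
    ]
    return table, results


if __name__ == "__main__":
    table, results = demo()
    for r in results:
        print("%s:%d" % r)
    print(table.translate_in(results[1][1]))   # maps back to 192.168.1.11:50000
```

The reverse lookup is the security-relevant half: an inbound packet whose destination port has no entry in the table is dropped, which is why hosts behind PAT are not reachable from outside unless a static translation is configured for them.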
Configure and verify NTP operating in a client/server mode
The Network Time Protocol (NTP) synchronizes the time of day among a set of distributed time servers and clients
NTP synchronizes time across devices so you can correlate system logs and other time-specific events from multiple network devices
NTP uses UDP as its transport protocol
An NTP server normally receives its time from an authoritative clock and distributes it across the network
NTP is very efficient. 1 packet per second is all that is needed to synchronize a client within a millisecond of the server
Stratum is used in NTP to describe the distance between a device and the time source
o Stratum 1 = time source is directly attached
o Stratum 2 = time is received from a Stratum 1 source via NTP
Before synchronizing, NTP compares the time reported by several network devices and does not synchronize with one that is significantly different, even if it is a stratum 1.
Public NTP servers are available for use via the internet
The time kept on a device is a critical resource. Use access list-based restrictions and an encrypted authentication mechanism to avoid the accidental or malicious setting of incorrect time.
NTP server configuration:
Router#clock set 09:25:00 11 Dec 2018
Router#config t
Router(config)#ntp master 2
NTP client configuration:
Router#config t
Router(config)#ntp server 10.0.0.2
Router(config)#ntp logging
Optional - peers, access-lists, authentication...
Router(config)#ntp peer 192.168.0.10
Router(config)#ntp access-group peer peer-acl
Router(config)#ntp access-group serve server-ac
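The client/server exchange configured above is a single request and reply. The following is an added example, not part of the original slides and not Cisco code: it builds the 48-byte client request (RFC 5905 layout), constructs the reply a stratum 2 server would send, and then validates and parses that reply the way a careful client should, checking that the mode is "server", that the Originate timestamp echoes the client's own transmit time (so a stale or injected reply is rejected), and that the stratum is usable, before computing the clock offset and round-trip delay. The timestamps T1..T4 in the test values, the server address 10.0.0.2 used as the reference ID (taken from the configuration above) and the make_server_reply() helper are constructed for the demonstration; query_server() performs a live query if you point it at a real server.

```python
"""Client side of an NTP client/server exchange (RFC 5905 packet layout)."""
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800  # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)


def to_ntp_ts(seconds):
    """Float seconds in the NTP era -> 8-byte timestamp (32-bit secs, 32-bit frac)."""
    whole = int(seconds)
    frac = int(round((seconds - whole) * 2**32))
    return struct.pack("!II", whole & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def from_ntp_ts(raw):
    whole, frac = struct.unpack("!II", raw)
    return whole + frac / 2**32


def build_request(t1):
    """Client packet: LI=0, VN=4, Mode=3 (client). T1 is sent in the Transmit field
    so the server can echo it back in its Originate field."""
    first = (0 << 6) | (4 << 3) | 3
    header = struct.pack("!BBbb", first, 0, 0, 0)      # stratum, poll, precision unused
    return header + bytes(12) + bytes(24) + to_ntp_ts(t1)


def make_server_reply(t1, t2, t3, stratum=2):
    """Constructed reply (Mode=4) for the worked example, not captured traffic:
    Originate=T1 (echoed), Receive=T2, Transmit=T3, reference ID = upstream 10.0.0.2."""
    first = (0 << 6) | (4 << 3) | 4
    header = struct.pack("!BBbb", first, stratum, 6, -20)
    header += struct.pack("!II", 0, 0) + bytes([10, 0, 0, 2])  # root delay/disp, ref id
    return header + to_ntp_ts(t2) + to_ntp_ts(t1) + to_ntp_ts(t2) + to_ntp_ts(t3)


def parse_reply(pkt, t1, t4):
    """Validate a server reply and return stratum, offset and delay in seconds."""
    if len(pkt) < 48:
        raise ValueError("short packet (%d bytes)" % len(pkt))
    mode, stratum = pkt[0] & 0x07, pkt[1]
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if pkt[24:32] != to_ntp_ts(t1):
        # The reply must echo our transmit time; otherwise it is not the
        # answer to our request (stale, replayed or injected).
        raise ValueError("originate timestamp does not match our request")
    if stratum == 0 or stratum > 15:
        raise ValueError("unusable stratum %d (kiss-o'-death or unsynchronized)" % stratum)
    t2 = from_ntp_ts(pkt[32:40])
    t3 = from_ntp_ts(pkt[40:48])
    offset = ((t2 - t1) + (t3 - t4)) / 2      # how far our clock is behind the server
    delay = (t4 - t1) - (t3 - t2)             # network round trip, server time excluded
    return {"stratum": stratum, "offset": offset, "delay": delay}


def query_server(host, timeout=2.0):
    """Live exchange with a real server over UDP/123 (assumes network access)."""
    t1 = time.time() + NTP_EPOCH_DELTA
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_request(t1), (host, 123))
        data, _ = sock.recvfrom(48)
    finally:
        sock.close()
    t4 = time.time() + NTP_EPOCH_DELTA
    return parse_reply(data, t1, t4)


if __name__ == "__main__":
    # Constructed timestamps: client sends at T1, server receives at T2 and
    # replies at T3, client receives at T4 (all in NTP-era seconds).
    t1, t2, t3, t4 = 1000.0, 1010.0, 1010.5, 1001.0
    print(parse_reply(make_server_reply(t1, t2, t3), t1, t4))
    # print(query_server("10.0.0.2"))   # live, against the server configured above
```

The originate-timestamp check is the reason the slide's advice to restrict and authenticate NTP matters: without it any host that can reach the client could push a reply with an arbitrary Transmit time, and the access-group and authentication commands above limit who the router will accept time from in the first place.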