
Chapter 1

Infrastructure Services

Dr. Hashim Mokhtar
Describe DNS lookup operation

A DNS lookup is the process by which a host queries a domain name and a DNS server returns an IP address.
Types of DNS lookups
 There are two types of DNS lookups:
o Forward lookup - the host asks about a domain name and an IP address is returned (an A record for IPv4)
o Reverse lookup - the host asks about an IP address and a domain name is returned (a PTR record in the in-addr.arpa zone)
The DNS lookup operation
o A host requests a domain name: www.example.com
o The host first checks its own hosts file and its local resolver cache to see if it already has an IP address for that name
o If it does not, the host sends the query to its local DNS server, as configured in the host's network settings (usually handed out by DHCP)
o The local DNS server is typically configured as a recursive server, which means it handles the remaining queries for this request until an A Resource Record is received. The A Resource Record contains the hostname-to-IP address mapping
o If the local DNS server has no cached A Resource Record for www.example.com, it first sends a request to a Root DNS server. There are 13 Root DNS server names (a through m), each of which is served by many anycast instances worldwide
o The Root DNS server does not know www.example.com itself; it responds to the local DNS server with a referral: an NS Resource Record naming the .com top-level domain (TLD) DNS server, plus a glue A record giving that nameserver's IP address
o The local DNS server then sends the same request to the .com TLD DNS server
o The .com TLD DNS server responds with another referral: an NS Resource Record (and glue A record) for the nameserver of example.com. Let's say that nameserver is called authority.example.com
o The local DNS server then asks authority.example.com to resolve www.example.com
o authority.example.com is authoritative for the example.com zone and answers with the A Resource Record for www.example.com, i.e. the IP address of the web server. (If www is an alias for another host, say server.example.com, the answer is a CNAME record followed by that host's A record)
o The local DNS server caches the answer for the record's TTL and returns the IP address to the host. The host can now connect to that IP address and view the webpage
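The walk from root server to TLD server to authoritative server described above, as an added example that is not part of the original slides: a small Python simulation of what the local recursive server does, following each referral (NS record plus glue A record) until an A record comes back, and following a CNAME by starting over for the alias target. The servers, zone data and every IP address (198.41.0.4, 192.5.6.30, 203.0.113.x, a.gtld-servers.net.) are constructed for illustration, not live DNS data, so the code runs offline.

```python
"""Iterative DNS resolution, simulated: a local recursive server walks from
a root server to the .com TLD server to the authoritative server, following
referrals (NS record plus glue A record) until an A record is returned.
Added example, not from the slides; the zone data and every IP address are
constructed for illustration."""

ROOT_SERVER = "198.41.0.4"   # illustrative root server address (constructed)

# What each simulated server knows. A referral is an NS record for the
# delegated zone plus the glue A record giving that nameserver's address.
SERVERS = {
    ROOT_SERVER: {                          # root: only TLD delegations
        "com.": [("NS", "a.gtld-servers.net.")],
        "a.gtld-servers.net.": [("A", "192.5.6.30")],
    },
    "192.5.6.30": {                         # .com TLD server
        "example.com.": [("NS", "authority.example.com.")],
        "authority.example.com.": [("A", "203.0.113.53")],
    },
    "203.0.113.53": {                       # authoritative for example.com
        "www.example.com.": [("CNAME", "server.example.com.")],
        "server.example.com.": [("A", "203.0.113.80")],
    },
}


def query(server_ip, qname):
    """Ask one server about qname (fully qualified, trailing dot).
    Returns ("ANSWER", records) when the server holds the exact name,
    ("REFERRAL", ns_name, glue_ip) when it only knows a delegation that
    covers the name, or ("NXDOMAIN", None) when it knows neither."""
    zone = SERVERS[server_ip]
    if qname in zone:
        return ("ANSWER", zone[qname])
    labels = qname.split(".")
    # Climb the name: www.example.com. -> example.com. -> com.
    for i in range(1, len(labels) - 1):
        parent = ".".join(labels[i:])
        for rtype, rdata in zone.get(parent, []):
            if rtype == "NS":
                glue = [r for t, r in zone.get(rdata, []) if t == "A"]
                return ("REFERRAL", rdata, glue[0] if glue else None)
    return ("NXDOMAIN", None)


def resolve(qname, max_hops=16):
    """What the local recursive server does for the client: start at the
    root, follow every referral, and follow a CNAME by starting over for
    the alias target. Returns (ipv4, chain); chain records each query as
    (server asked, name asked, kind of reply). The hop limit guards against
    referral or CNAME loops, which a real resolver must also bound."""
    chain = []
    server, target = ROOT_SERVER, qname
    for _ in range(max_hops):
        kind, *data = query(server, target)
        chain.append((server, target, kind))
        if kind == "REFERRAL":
            ns_name, glue_ip = data
            if glue_ip is None:
                raise LookupError(f"referral to {ns_name} without glue")
            server = glue_ip
        elif kind == "ANSWER":
            records = data[0]
            a_records = [r for t, r in records if t == "A"]
            if a_records:
                return a_records[0], chain
            cnames = [r for t, r in records if t == "CNAME"]
            if not cnames:
                raise LookupError(f"{target}: no A or CNAME record")
            server, target = ROOT_SERVER, cnames[0]
        else:
            raise LookupError(f"{target}: NXDOMAIN from {server}")
    raise LookupError(f"{qname}: too many hops (referral or CNAME loop?)")


if __name__ == "__main__":
    ip, chain = resolve("www.example.com.")
    for server, name, kind in chain:
        print(f"{server:>14}  {name:<24} {kind}")
    print("www.example.com. ->", ip)
```

Running it prints the six queries a cold recursive server makes here (three referral hops for www.example.com, then three more for the CNAME target) before the client is handed 203.0.113.80; a real resolver would cache the .com and example.com referrals, so the second walk would be much shorter.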
Troubleshoot client connectivity issues involving DNS

Troubleshooting client connectivity issues involving DNS typically comes down to whether or not a client can resolve a domain name to an IP address.
 What does it look like when DNS resolution is not working on a client? If you ping a domain name and DNS isn't working, you'll see something like this:
 C:\Users\Joe>ping www.google.com
 Ping request could not find host www.google.com. Please check the name and try again.

 From the client's perspective there are really only a few reasons that DNS resolution would not work:
o The DNS Server IP address is wrong in the client's Network Configuration Settings
o The DNS Server is unreachable from the client. Either the client can't route to it properly or the DNS Server is down
o The DNS Server is reachable but its DNS service is not answering or cannot resolve the name (see the last troubleshooting step)
 On a Windows client, open the Command Prompt and use ipconfig /all to help troubleshoot
 Find the DNS Server IP. In this case, the DNS Server IP is a private address on a different subnet (192.168.100.1) than the client and its Default Gateway (192.168.0.1). That is most likely the issue: on a small private network the router that is the Default Gateway is realistically also the DHCP Server and the DNS Server, and the lease shown below did come from 192.168.0.1. Changing the DNS server address the router hands out from 192.168.100.1 to 192.168.0.1 fixes issue #1, where the DNS Server IP is wrong. If you don't have access to change the setting on the router, you could statically set the DNS Server IP on the client machine to the IP address of the Default Gateway or to a known public DNS Server IP. Then test it using the same ping command to verify
 A DNS server address you did not configure and cannot explain deserves a second look before you simply overwrite it: a lease from a rogue DHCP server or a tampered router setting looks exactly like this in ipconfig output
ipconfig /all

Wireless LAN adapter Wi-Fi:

Connection-specific DNS Suffix . : myrouter.home
Description . . . . . . . . . . . : My awesome Wireless Network Adapter
Physical Address. . . . . . . . . : 93-B3-BC-5F-2A-5D
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.0.10(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, October 10, 2018 1:49:59 AM
Lease Expires . . . . . . . . . . : Saturday, November 3, 2018 7:28:23 PM
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.100.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Connection-specific DNS Suffix Search List : myrouter.home
 In the second case, the client cannot reach the DNS Server IP.
 The DNS Server IP address in our example is now set correctly to 192.168.0.1. Simply ping that IP address from the client to verify connectivity.
ping 192.168.0.1

C:\Users\Joe>ping 192.168.0.1

Pinging 192.168.0.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.0.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
 This is a Layer 3 connectivity issue between the client and the Default Gateway (which is also the DNS server here); no amount of DNS troubleshooting helps until the client can reach the gateway.
 If the pings respond when pinging the DNS Server IP address, but not when pinging a domain name, the DNS service itself is probably not working properly on the Default Gateway. nslookup, which can be pointed at a specific server, confirms this directly.
 On the client, statically change the DNS Server IP to another DNS Server IP address, most likely a public DNS Server IP, and use ping and tracert (the Windows traceroute) to the IP address and to the domain name to determine whether it's a networking or service issue.
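The triage steps above, as an added example that is not part of the original slides: a Python script that parses the relevant fields out of `ipconfig /all` text, applies the two consistency checks the slides reason through (is the DNS server on the client's own subnet, and does it match the router that handed out the lease), and maps the results of the ping tests onto a diagnosis. SAMPLE_IPCONFIG reproduces the slide's own output; the parser assumes the English-language field labels Windows prints and takes the first DNS server listed.

```python
"""Triage of a Windows client's DNS settings and the slide's ping tests.
Added example, not from the slides. SAMPLE_IPCONFIG reproduces the slide's
own `ipconfig /all` excerpt (label spacing as Windows prints it); the
parser assumes the English field labels and takes the first DNS server."""
import ipaddress
import re

SAMPLE_IPCONFIG = """\
Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : myrouter.home
   Description . . . . . . . . . . . : My awesome Wireless Network Adapter
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.100.1
"""

FIELDS = {"ip": "IPv4 Address", "mask": "Subnet Mask",
          "gateway": "Default Gateway", "dhcp": "DHCP Server",
          "dns": "DNS Servers"}


def parse_ipconfig(text):
    """Extract the IPv4 fields needed for DNS triage. The dotted filler
    between label and colon varies in length, so match label, filler,
    colon, then the first dotted quad (which also drops "(Preferred)")."""
    cfg = {}
    for key, label in FIELDS.items():
        m = re.search(re.escape(label) + r"[ .]*:\s*(\d+(?:\.\d+){3})", text)
        if m is None:
            raise ValueError(f"{label!r} not found in ipconfig output")
        cfg[key] = m.group(1)
    return cfg


def dns_settings_findings(cfg):
    """The slide's reasoning as checks: a DNS server that is off the
    client's subnet and different from the router that handed out the
    lease is suspect. Returns a list of findings; [] means consistent."""
    findings = []
    net = ipaddress.IPv4Network(f"{cfg['ip']}/{cfg['mask']}", strict=False)
    dns = ipaddress.IPv4Address(cfg["dns"])
    if dns not in net:
        findings.append(f"DNS server {dns} is not on the local subnet {net}")
    if cfg["dns"] != cfg["gateway"] and cfg["gateway"] == cfg["dhcp"]:
        findings.append(f"DNS server {dns} differs from the router "
                        f"{cfg['gateway']} that serves DHCP and routing")
    return findings


def classify(ping_dns_ip_ok, ping_name_ok, public_dns_name_ok=None):
    """Map the slide's ping results to a diagnosis. public_dns_name_ok is
    the result after statically pointing the client at a public resolver
    (None if that retest has not been done yet)."""
    if not ping_dns_ip_ok:
        return "layer3"                  # cannot reach the DNS server IP at all
    if ping_name_ok:
        return "ok"
    if public_dns_name_ok is None:
        return "retest-with-public-dns"  # need one more test to tell the cases apart
    if public_dns_name_ok:
        return "dns-service"             # network is fine, the local DNS service is not
    return "upstream-network"            # not even a public resolver is reachable


if __name__ == "__main__":
    cfg = parse_ipconfig(SAMPLE_IPCONFIG)
    print(cfg)
    for finding in dns_settings_findings(cfg):
        print("finding:", finding)
    print(classify(ping_dns_ip_ok=True, ping_name_ok=False, public_dns_name_ok=True))
```

On the slide's output the script reports both findings (off-subnet DNS server, DNS server differs from the DHCP/gateway router); with the DNS server corrected to 192.168.0.1 it reports none, which is the point at which the ping tests, rather than the settings, decide the diagnosis.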
Configure and verify DHCP
on a router – Server
The Cisco IOS DHCP Server feature is a
full DHCP Server implementation that
assigns and manages IP addresses from
specified address pools within the router
to DHCP clients.
 The client sends a DHCPDISCOVER broadcast message to locate a Cisco IOS DHCP Server
 The DHCP Server responds with a DHCPOFFER message (unicast to the client's MAC address, or broadcast if the client set the broadcast flag) containing
o an IP address and subnet mask
o default gateway, DNS server and domain name options
o the lease time
 The client returns a formal request for the offered IP address to the DHCP Server in a DHCPREQUEST broadcast message (broadcast so that any other servers that made offers learn their offer was declined)
 The DHCP Server confirms the IP address has been allocated to the client with a DHCPACK message; if the client then finds the address already in use (ARP probe), it sends a DHCPDECLINE and the server logs a conflict
Configure and verify
DHCP on a router – Relay
A DHCP relay agent is any
host that forwards DHCP
packets between clients and
servers.
 Relay agents are used to forward requests and replies between clients and servers when they are not on the same physical subnet (a DHCPDISCOVER is a broadcast, and routers do not forward broadcasts)
 Relay agent forwarding is distinct from the normal forwarding of an IP router, where IP datagrams are switched between networks somewhat transparently
 Relay agents receive DHCP messages and then generate a new DHCP message to send out on another interface: the client's broadcast is rewritten as a unicast to the server (the address configured with ip helper-address), with the relay's own interface address in the gateway address (giaddr) field so that the server knows which pool to allocate from
 The Cisco IOS DHCP relay agent supports the use of unnumbered interfaces
 The DHCP relay agent automatically adds a static host route specifying the unnumbered interface as the outbound interface
Configure and verify DHCP on a router – Client

The Cisco IOS DHCP client enables a device to obtain an IP address from a DHCP Server dynamically using the DHCP protocol as specified in RFC 2131.
 In Cisco IOS Release 12.2, only Ethernet interfaces were supported; work was in progress at that time to support all interface types
 The Cisco IOS DHCP client offers the following benefits:
o Reduces time to configure and deploy
o Reduces the number of configuration errors
o Enables customers to centrally control the IP address assigned to a Cisco IOS router
Configure and verify DHCP on a router – TFTP, DNS and gateway options

The Cisco IOS DHCP feature can be configured with a few optional, but recommended, commands including TFTP server, DNS server and Default Gateway IP address.
 The TFTP option 150 hands clients (typically Cisco IP phones) the address of the TFTP server they load their configuration from. It is not where the router stores its own DHCP bindings database; that is a separate setting (ip dhcp database), which can point at an external TFTP or FTP server so that bindings survive a reload
 The DNS setting is used to identify the IP address of the DNS server on the network
 The gateway option is used to define a default gateway for the clients
Configure and verify DHCP on a router
Dynamic Host Configuration Protocol (DHCP) provides configuration parameters to hosts.
 The DHCP protocol configures hosts with network settings
 The DHCP server on the router provides other configurable parameters including
o conflict logging - a conflict occurs when two hosts use the same IP address (detected when the server pings an address before offering it, or when a client declines an offered address)
o excluded addresses - range of IPs to exclude from the DHCP pool (statically addressed routers, servers, printers)
o default router
o domain name for the client
o lease time (days hours minutes) - default is 1 day
o DNS server IP
o WINS IP
 Useful show commands include
o show ip dhcp pool
o show ip dhcp binding
o show ip dhcp conflict

Configure and verify DHCP on a router (excluding static reservations)
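The DHCP behaviour described across the server, relay and options slides above, as one added example that is not part of the original slides: a Python simulation of an IOS-style DHCP server with address pools, excluded addresses, the default one-day lease, lease expiry, conflict logging, the DISCOVER/OFFER/REQUEST/ACK exchange, and a relay agent that sets giaddr so that the server selects the pool for the remote subnet. Pool names, subnets, MAC addresses and the `now` timestamps are constructed; the server selects pools by subnet as IOS does, but the message dictionaries stand in for real DHCP packets.

```python
"""Simulated IOS-style DHCP server: address pools, excluded addresses,
lease expiry, conflict logging, the DISCOVER/OFFER/REQUEST/ACK exchange,
and a relay agent that sets giaddr so the server picks the right pool.
Added example, not from the slides; names, addresses, MACs and 'now' are constructed."""
import ipaddress


class DhcpPool:
    def __init__(self, name, network, default_router, dns_server,
                 lease_seconds=86400):          # IOS default lease: 1 day
        self.name = name
        self.network = ipaddress.IPv4Network(network)
        self.default_router = default_router
        self.dns_server = dns_server
        self.lease_seconds = lease_seconds


class DhcpServer:
    def __init__(self, pools):
        self.pools = list(pools)
        self.excluded = set()   # ip dhcp excluded-address <first> <last>
        self.bindings = {}      # ip -> (mac, expiry)   (show ip dhcp binding)
        self.conflicts = {}     # ip -> reason          (show ip dhcp conflict)

    def exclude(self, first, last):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.excluded.update(str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1))

    def select_pool(self, key_ip):
        """Pool whose subnet contains key_ip: giaddr for a relayed request,
        otherwise the address of the interface the broadcast arrived on."""
        addr = ipaddress.IPv4Address(key_ip)
        return next((p for p in self.pools if addr in p.network), None)

    def _free_address(self, pool, now):
        for host in pool.network.hosts():
            ip = str(host)
            if ip in self.excluded or ip in self.conflicts:
                continue
            bound = self.bindings.get(ip)
            if bound is None or bound[1] <= now:   # never used, or lease expired
                return ip
        return None

    def discover(self, mac, receiving_if_ip, giaddr="0.0.0.0", now=0):
        """DHCPDISCOVER in, DHCPOFFER out; None if no pool matches or it is
        exhausted. A client still holding a valid lease is offered the same IP."""
        pool = self.select_pool(giaddr if giaddr != "0.0.0.0" else receiving_if_ip)
        if pool is None:
            return None
        offered = next((ip for ip, (m, exp) in self.bindings.items()
                        if m == mac and exp > now
                        and ipaddress.IPv4Address(ip) in pool.network), None)
        if offered is None:
            offered = self._free_address(pool, now)
        if offered is None:
            return None
        return {"type": "DHCPOFFER", "yiaddr": offered,
                "mask": str(pool.network.netmask), "router": pool.default_router,
                "dns": pool.dns_server, "lease": pool.lease_seconds, "pool": pool.name}

    def request(self, mac, offer, now=0):
        """DHCPREQUEST in, DHCPACK out; the binding is recorded with its expiry."""
        self.bindings[offer["yiaddr"]] = (mac, now + offer["lease"])
        return {"type": "DHCPACK", "yiaddr": offer["yiaddr"], "lease": offer["lease"]}

    def log_conflict(self, ip, reason="ping"):
        """The address answered a ping/ARP, so someone already uses it: log it
        and keep it out of the pool until an administrator clears the conflict."""
        self.conflicts[ip] = reason
        self.bindings.pop(ip, None)


def relay(server, mac, relay_if_ip, server_if_ip, now=0):
    """Relay agent (ip helper-address): rebuilds the client's broadcast as a
    unicast to the server with giaddr set to its own interface address."""
    return server.discover(mac, server_if_ip, giaddr=relay_if_ip, now=now)


def demo():
    srv = DhcpServer([
        DhcpPool("LAN", "192.168.0.0/24", "192.168.0.1", "192.168.0.1"),
        DhcpPool("REMOTE", "10.1.1.0/24", "10.1.1.1", "192.168.0.1"),
    ])
    srv.exclude("192.168.0.1", "192.168.0.9")   # router, servers, printers
    srv.exclude("10.1.1.1", "10.1.1.1")          # remote-site router
    offer = srv.discover("aa:bb:cc:00:00:01", "192.168.0.1")
    ack = srv.request("aa:bb:cc:00:00:01", offer)
    r_offer = relay(srv, "aa:bb:cc:00:00:02", "10.1.1.1", "192.168.0.1")  # via relay
    srv.request("aa:bb:cc:00:00:02", r_offer)
    srv.log_conflict("192.168.0.11")   # next free LAN address answered a ping
    third = srv.discover("aa:bb:cc:00:00:03", "192.168.0.1")
    return ack["yiaddr"], r_offer["yiaddr"], third["yiaddr"], sorted(srv.conflicts)


if __name__ == "__main__":
    print(demo())   # ('192.168.0.10', '10.1.1.2', '192.168.0.12', ['192.168.0.11'])
```

The demo shows the three things the troubleshooting slide asks about: the relayed client lands in the REMOTE pool because giaddr, not the server's own interface, selects the pool; the conflicting address is skipped for every later client until it is cleared; and a request that arrives from a subnet with no matching pool simply gets no offer, which on a real network looks like "the client is not getting an address".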


Troubleshoot client- and router-based DHCP connectivity issues
Client- and router-based DHCP connectivity issues can be the result of any number of issues, but most often they are due to a misconfiguration.
 Client- and router-based DHCP connectivity issues are typically the result of misconfigurations.
 Has the DHCP lease expired?
o If the lease has expired and another client is assigned the IP, there could be duplicate IPs on the network causing a conflict. Use the show ip dhcp conflict command to detect.
o When DHCP conflicts are detected, the address is removed from the pool until an administrator resolves the issue (clear ip dhcp conflict).
 Can the client get to the DHCP server?
o Troubleshoot networking issues. Check VLANs, switchports, cabling and configurations.
o Set a static IP on the client and test by pinging the DHCP server (the router). If the client can't ping the DHCP server, troubleshoot the networking more. If the client can ping the DHCP server, the issue is most likely with the DHCP server.
 Is the issue with the DHCP server?
o In this case, the DHCP server is running on the router.
o If the client can ping the DHCP server, verify the DHCP configuration on the router is correct (pool network, excluded addresses, and that the pool is not exhausted: show ip dhcp pool).
 Is the issue with the DHCP relay?
o Remove the relay from the equation by setting up the client on the same subnet as the DHCP server. If it gets assigned an address on the directly connected subnet, then the issue points to the relay agent (missing or wrong ip helper-address, or no pool matching the relay interface's subnet).
Configure, verify, and troubleshoot basic HSRP
Hot Standby Router Protocol (HSRP) enables high availability by providing multiple default gateways with the same virtual IP address to hosts on a LAN.
 HSRP is a Cisco proprietary protocol
 HSRP routes IP traffic without relying on the availability of any single router on the LAN
 Multiple router interfaces work together to present a single virtual IP address as the default gateway to LAN hosts
 Those routers share a virtual MAC address and virtual IP address
 The virtual IP can be used by all routers in the HSRP group
 One of the routers is selected as the active router and another as the standby
 The standby router will assume control of the virtual MAC and virtual IP when the active router fails
 When the active router fails and the standby takes over, a new standby is selected from the remaining routers in the group (if any)
 Devices running HSRP send and receive multicast UDP-based hello packets (UDP port 1985) to detect router failure and designate active and standby routers
 It is possible for switches to run HSRP. To do so, they would need to be configured with some form of Layer 3 interface (routed port, SVI, port-channel)
Priority
 Assigning a priority allows you to select the active and standby routers
 Priority is an optional configuration setting; if you do not set it, the default is used
 The range is 1 to 255
 The default priority is 100
 The highest number represents the highest priority; if priorities tie, the router with the highest interface IP address wins
Preemption
 Preemption is an optional configuration setting (off by default)
 If preemption is enabled, the router with the highest priority becomes the active router even if another router is already active; without it, a router that comes up (or recovers) with a higher priority waits as standby until the current active router fails
 If priorities are equal, the current active router does not change
 The priority of the device can change dynamically if an interface is configured with the "standby track" command and another interface on the router goes down (the priority is decremented, by 10 unless another value is configured); this only causes a failover if the other router is configured to preempt
Version
 HSRPv1—Version 1 of the HSRP (the default) comes with these features:
o Version 1 is the default HSRP version
o The HSRP group number can be from 0 to 255
o HSRPv1 uses the multicast address 224.0.0.2 to send hello packets
o HSRPv1 and CGMP leave processing could conflict with each other, so only one of the two can be enabled. They are mutually exclusive
 HSRPv2—Version 2 of the HSRP has these features:
o HSRPv2 can use a group number from 0 to 4095 and a MAC address from 0000.0C9F.F000 to 0000.0C9F.FFFF
o It is recommended to match the HSRP group number to the VLAN ID of a subinterface
o HSRPv2 uses the multicast address 224.0.0.102 to send hello packets
o HSRPv2 has a different packet format than HSRPv1
o HSRPv2 and CGMP leave processing are no longer mutually exclusive, and both can be enabled at the same time
 A switch running HSRPv1 cannot identify the physical router that
sent a hello packet because the source MAC address of the router is
the virtual MAC address.
 HSRPv2 has a different packet format than HSRPv1. A HSRPv2 packet
uses the type-length-value (TLV) format and has a 6-byte identifier
field with the MAC address of the physical router that sent the
packet.
 If an interface running HSRPv1 gets an HSRPv2 packet, the type field
is ignored.
 The version of an HSRP group can be changed from HSRPv2 to
HSRPv1 only if the group number is less than 256.
 If you change the HSRP version on an interface, each HSRP group
resets because it now has a new virtual MAC address.
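The election rules from the priority, preemption and version slides above, as an added example that is not part of the original slides: a Python model of an HSRP group that derives the virtual MAC for a group number under v1 and v2, ranks routers by effective priority (with the tracking decrement applied), and re-runs the election on interface tracking changes and router failures. Router names and addresses are constructed. Two facts the slides do not state are used: ties are broken by the highest interface IP address, and the HSRPv1 virtual MAC prefix is 0000.0C07.AC.

```python
"""HSRP election: priority, preemption, interface tracking and the virtual
MAC for a group under version 1 and version 2. Added example, not from the
slides; router names and addresses are constructed. Tie-break on highest
interface IP and the HSRPv1 virtual MAC prefix 0000.0C07.AC are protocol
facts not stated on the slides."""
from dataclasses import dataclass


def virtual_mac(group, version=1):
    """v1: 0000.0C07.ACxx, group 0-255. v2: 0000.0C9F.Fxxx, group 0-4095
    (the 0000.0C9F.F000-FFFF range the slides quote)."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRPv1 group must be 0-255")
        return f"0000.0c07.ac{group:02x}"
    if not 0 <= group <= 4095:
        raise ValueError("HSRPv2 group must be 0-4095")
    return f"0000.0c9f.f{group:03x}"


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = 100          # default when 'standby priority' is not set
    preempt: bool = False        # 'standby preempt' is optional
    track_decrement: int = 10    # 'standby track <if> [decrement]', default 10
    tracked_up: bool = True      # state of the tracked interface
    up: bool = True              # this router itself alive (hellos still seen)

    def effective_priority(self):
        return self.priority - (0 if self.tracked_up else self.track_decrement)


def rank(r):
    """Highest effective priority wins; ties go to the highest IP address."""
    return (r.effective_priority(), tuple(int(o) for o in r.ip.split(".")))


class HsrpGroup:
    def __init__(self, group, routers, version=1):
        self.group, self.version = group, version
        self.vmac = virtual_mac(group, version)
        self.routers = {r.name: r for r in routers}
        self.active = self.standby = None
        self.elect()

    def elect(self):
        """Without preemption a healthy active router keeps the role even when
        a higher-priority router appears; with preemption on the challenger the
        best-ranked router takes over. A failed active router is always replaced."""
        live = sorted((r for r in self.routers.values() if r.up), key=rank, reverse=True)
        if not live:
            self.active = self.standby = None
            return
        best = live[0]
        cur = self.routers.get(self.active)
        if cur is None or not cur.up:
            self.active = best.name
        elif best is not cur and best.preempt and rank(best) > rank(cur):
            self.active = best.name
        others = [r.name for r in live if r.name != self.active]
        self.standby = others[0] if others else None

    def set_router(self, name, up):
        self.routers[name].up = up
        self.elect()

    def set_tracked(self, name, up):
        self.routers[name].tracked_up = up
        self.elect()


def demo():
    """Two routers, both preempting; R1 tracks its uplink with decrement 20."""
    r1 = HsrpRouter("R1", "192.168.0.2", priority=110, preempt=True, track_decrement=20)
    r2 = HsrpRouter("R2", "192.168.0.3", preempt=True)    # default priority 100
    g = HsrpGroup(1, [r1, r2])
    states = [(g.active, g.standby)]                      # R1 active: 110 > 100
    g.set_tracked("R1", False)                            # uplink down: 110 - 20 = 90
    states.append((g.active, g.standby))                  # R2 (100) preempts
    g.set_tracked("R1", True)                             # uplink back: R1 is 110 again
    states.append((g.active, g.standby))                  # R1 preempts
    g.set_router("R1", False)                             # R1 stops sending hellos
    states.append((g.active, g.standby))                  # R2 active, no standby left
    g.set_router("R1", True)                              # R1 returns
    states.append((g.active, g.standby))                  # and preempts again
    return states


if __name__ == "__main__":
    print(virtual_mac(1), virtual_mac(1, version=2))
    for state in demo():
        print(state)
```

The interesting case is the one the preemption slide hints at: tracking lowers R1's priority, but R2 only takes over because it is configured to preempt; with preempt off on R2 the group would keep forwarding through R1 even after its uplink failed, which is the classic HSRP misconfiguration.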
Configure, verify, and
troubleshoot inside source NAT
Inside source Network Address
Translation (NAT) is used to map
private IP addresses on a LAN to
a public IP address(es) on the
outside interface of the router
 The interface of the router connecting to the LAN network is the inside
 The interface of the router connecting to the WAN is the outside
 Different methods of NAT are used depending on the desired outcome: Static, Pool and PAT
 Assign the inside and outside NAT interfaces with ip nat inside and ip nat outside on the respective interfaces; until both are set, nothing is translated
Static
 One-to-one mapping
 Translates a specific inside IP address to a specific
outside IP address
 Translations are statically configured and placed in
the translation table whether there is traffic or not
 This is mostly useful for hosts that provide
application services like mail, web, FTP, etc
Pool
 A form of Dynamic NAT
 Many-to-many mappings
 Translates multiple inside IP addresses to multiple outside IP addresses
 Most useful when there are fewer addresses available (the pool) than actual hosts to be translated, provided not all hosts need to communicate at once
 Entries in the translation table are created when hosts initiate connections
 One-to-one mappings are created, but it's said to be many-to-many because the mappings can vary and are dependent on the available IPs in the pool at the time of the request
 NAT entries are removed from the translation table and the IP address is returned to the NAT pool after a specified and configurable amount of time where the host does not communicate
 If the pool is exhausted, new inside hosts cannot be translated and their packets are dropped until an entry times out
Steps to configure NAT
o Create a pool of addresses. This pool consists of 100 addresses from .100 to .199 even though the netmask covers all 256 addresses. In a real deployment the pool holds the inside global (public) addresses routed to the outside interface; this example reuses a private range, and indeed the inside network itself, purely for illustration
Router(config)#ip nat pool MYNATPOOL 192.168.1.100 192.168.1.199 netmask 255.255.255.0

o Create an access-list that selects the inside (local) addresses to be translated
Router(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 any

o Associate access-list 100, which selects the internal network 192.168.1.0 0.0.0.255, with the pool MYNATPOOL and overload the addresses. With the overload keyword this is PAT rather than pure pool NAT: many inside hosts share one pool address and are told apart by port
Router(config)#ip nat inside source list 100 pool MYNATPOOL overload

o Mark the interfaces with ip nat inside and ip nat outside, then verify with show ip nat translations
PAT: Port Address Translation
 An extension to NAT that permits multiple IP addresses on a LAN to be mapped to a single public IP address
 The goal of PAT is to conserve IP addresses
 A PAT device transparently modifies IP packets as they pass through it. The modifications make all the packets which it sends to the public network from the multiple hosts on the private network appear to originate from a single host - the PAT device - on the public network
 PAT is a translation method that allows the user to conserve addresses in the global address pool by allowing source ports in TCP and UDP to be translated
 Different local addresses map to the same global address and the port translation provides the necessary uniqueness
 When translation is required, the new port number is picked out of the same range as the original, following the convention of the Berkeley Software Distribution (BSD): a well-known source port below 1024 is translated to another port below 1024, and an ephemeral port to another ephemeral port
 This prevents end stations from seeing connection requests with source ports apparently corresponding to the Telnet, HTTP, or FTP daemon, for example
 As a result, Cisco IOS PAT supports about 4000 local addresses that can be mapped to the same global address
 To configure PAT/NAT correctly the first time, you need to understand the Cisco NAT terminology and how your IP networks/addresses map to each of the entities listed below:
o Inside Local—This is the local IP address of a private host on your network (e.g., a workstation's IP address)
o Inside Global—This is the public IP address that the outside network sees as the IP address of your local host
o Outside Local—This is the local IP address from the private network, which your local host sees as the IP address of the remote host
o Outside Global—This is the public IP address of the remote host (e.g., the IP address of the remote Web server that a workstation is connecting to)
 The overload keyword on the ip nat inside source command is essential to make the router use PAT; without it each inside host consumes a whole pool address
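The three translation methods above (static, pool and PAT with overload), as one added example that is not part of the original slides: a Python model of the inside source NAT translation table that builds entries for outbound packets, exhausts a dynamic pool, shares one inside global address under PAT with the source port translated within the same range as the original, and maps return traffic back to the inside local host. Every address is constructed (the public side uses the 203.0.113.0/24 documentation range), and the single 1024 boundary is a simplification of the BSD-style port ranges the slides describe.

```python
"""Inside source NAT translation table: static one-to-one, dynamic pool
and PAT (overload) with source-port translation kept in the same range as
the original port. Added example, not from the slides; every address is
constructed and the public side uses the 203.0.113.0/24 documentation
range. The single 1024 boundary is a simplification of the BSD-style
port ranges the slides describe."""
import ipaddress


class InsideSourceNat:
    WELL_KNOWN = 1024   # translated port stays below 1024 if the original was

    def __init__(self, pool=(), overload=False):
        self.pool = [str(a) for a in pool]   # inside global addresses available
        self.overload = overload
        self.static = {}       # inside local -> inside global, always in the table
        self.dynamic = {}      # inside local -> inside global handed out from the pool
        self.table = {}        # (inside local, local port) -> (inside global, global port)
        self.used_ports = {}   # inside global -> ports already handed out (PAT)

    def add_static(self, inside_local, inside_global):
        self.static[inside_local] = inside_global
        self.table[(inside_local, None)] = (inside_global, None)  # there with or without traffic

    def translate(self, inside_local, src_port=None):
        """Outbound packet on the inside interface: returns the (inside global,
        source port) to write into the packet, or None if it must be dropped."""
        if inside_local in self.static:
            return self.static[inside_local], src_port
        if (inside_local, src_port) in self.table:
            return self.table[(inside_local, src_port)]
        if not self.pool:
            return None
        if not self.overload:
            # Dynamic pool: one whole pool address per inside host while it talks.
            g = self.dynamic.get(inside_local)
            if g is None:
                free = [a for a in self.pool if a not in self.dynamic.values()]
                if not free:
                    return None                # pool exhausted: host cannot get out
                g = self.dynamic[inside_local] = free[0]
                self.table[(inside_local, None)] = (g, None)
            return g, src_port
        # PAT: every host shares the pool address; the port provides uniqueness.
        if src_port is None:
            raise ValueError("PAT needs a TCP/UDP source port")
        g = self.pool[0]
        used = self.used_ports.setdefault(g, set())
        port = src_port
        if port in used:
            lo, hi = ((1, self.WELL_KNOWN - 1) if src_port < self.WELL_KNOWN
                      else (self.WELL_KNOWN, 65535))
            port = next((p for p in range(lo, hi + 1) if p not in used), None)
            if port is None:
                return None                    # every port on the address is busy
        used.add(port)
        self.table[(inside_local, src_port)] = (g, port)
        return g, port

    def untranslate(self, inside_global, dst_port):
        """Return traffic on the outside interface: map (inside global, port)
        back to the inside host, or None (no entry means the packet is dropped)."""
        for (il, lp), (ig, gp) in self.table.items():
            if ig != inside_global:
                continue
            if gp is None:                     # one-to-one entry covers every port
                return il, dst_port
            if gp == dst_port:
                return il, lp
        return None


def demo():
    pool = ipaddress.IPv4Network("203.0.113.0/30").hosts()   # 203.0.113.1 and .2
    pat = InsideSourceNat(pool, overload=True)
    pat.add_static("192.168.1.10", "203.0.113.10")           # web server, one-to-one
    out = [
        pat.translate("192.168.1.20", 51000),   # ('203.0.113.1', 51000)
        pat.translate("192.168.1.21", 51000),   # port taken -> ('203.0.113.1', 1024)
        pat.translate("192.168.1.22", 53),      # ('203.0.113.1', 53)
        pat.translate("192.168.1.23", 53),      # taken; stays below 1024 -> ('203.0.113.1', 1)
        pat.translate("192.168.1.10", 8080),    # static -> ('203.0.113.10', 8080)
    ]
    back = pat.untranslate("203.0.113.1", 1024)  # ('192.168.1.21', 51000)
    return out, back


if __name__ == "__main__":
    out, back = demo()
    for entry in out:
        print(entry)
    print(back)
```

Two things worth noticing when you run it: unsolicited inbound packets to the PAT address find no table entry and are dropped, which is the incidental firewalling effect of PAT, while the static entry for the web server answers on every port whether or not the host has sent anything, exactly as the Static slide says.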
Configure and verify NTP
operating in a client/server mode
The Network Time Protocol (NTP)
synchronizes the time of day
among a set of distributed time
servers and clients
 NTP synchronizes time across devices so you can correlate system logs and other time-specific events from multiple network devices
 NTP uses UDP as its transport protocol (port 123)
 An NTP server normally receives its time from an authoritative clock and distributes it across the network
 NTP is very efficient: one packet exchange per minute is all that is needed to synchronize a client to within a millisecond of the server
 Stratum is used in NTP to describe the distance between a device and the time source
o Stratum 1 = an authoritative time source (GPS or atomic clock) is directly attached
o Stratum 2 = time is received from a Stratum 1 source via NTP, and so on down the hierarchy
 Before synchronizing, NTP compares the time reported by several network devices and does not synchronize with one that is significantly different, even if it is a stratum 1
 Public NTP servers are available for use via the internet
 The time kept on a device is a critical resource (log correlation, certificate validity, authentication tokens all depend on it). Use access-list based restrictions and an authentication mechanism (shared-key message digests) to avoid the accidental or malicious setting of incorrect time
 NTP server configuration (ntp master makes the router an authoritative source at the given stratum, here 2, using its own clock; use it only where no upstream server is available, and set the clock first):
Router#clock set 09:25:00 11 Dec 2018
Router#config t
Router(config)#ntp master 2
 NTP client configuration:
Router#config t
Router(config)#ntp server 10.0.0.2
Router(config)#ntp logging
 Optional - peers, access-lists, authentication...
Router(config)#ntp peer 192.168.0.10
Router(config)#ntp access-group peer peer-acl
Router(config)#ntp access-group serve server-ac
 Verify with show ntp status (synchronized? stratum?) and show ntp associations
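The client/server exchange the NTP slides describe, as an added example that is not part of the original slides: a Python script that builds and parses the 48-byte NTP header, carries a client's clock error through the four-timestamp offset and delay arithmetic, and verifies the symmetric-key MD5 authenticator (RFC 5905 style: key id plus MD5 over key and header) that a keyed configuration such as IOS `ntp authentication-key ... md5` relies on. The clocks, the one-way delay and the key are constructed; the server answers as stratum 2, matching `ntp master 2` above.

```python
"""NTP client/server exchange: build and parse the 48-byte NTP header,
compute the client's clock offset and round-trip delay from the four
timestamps, and check a symmetric-key MD5 authenticator of the kind IOS
'ntp authentication-key ... md5' uses (RFC 5905 key id + digest). Added
example, not from the slides; the clocks, delay and key are constructed."""
import hashlib
import hmac
import struct

NTP_EPOCH_DELTA = 2208988800     # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
HEADER = "!BBBbIIIQQQQ"          # LI/VN/mode, stratum, poll, precision, root delay,
                                 # root dispersion, ref id, ref/origin/receive/transmit


def to_ntp(unix_seconds):
    """Unix seconds (float) -> 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_DELTA) << 32) | frac


def from_ntp(ts):
    return (ts >> 32) - NTP_EPOCH_DELTA + (ts & 0xFFFFFFFF) / (1 << 32)


def build_packet(mode, stratum, origin=0, receive=0, transmit=0, reference=0):
    """mode 3 = client request, 4 = server reply; stratum 0 means unspecified."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode       # leap indicator 0, version 4
    return struct.pack(HEADER, li_vn_mode, stratum, 6, -20, 0, 0, 0,
                       reference, origin, receive, transmit)


def parse_packet(data):
    f = struct.unpack(HEADER, data[:48])
    return {"version": (f[0] >> 3) & 7, "mode": f[0] & 7, "stratum": f[1],
            "reference": f[7], "origin": f[8], "receive": f[9], "transmit": f[10]}


def offset_and_delay(t1, t2, t3, t4):
    """t1 client sent, t2 server received, t3 server sent, t4 client received.
    offset: how far the client clock is ahead (+) or behind (-) the server."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def sign(packet, key_id, key):
    """Authenticator = key id (4 bytes) + MD5(key || header) (16 bytes)."""
    return packet + struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()


def verify(data, keys):
    """Accept only if the key id is trusted and the digest matches; a reply
    without a valid authenticator must never be allowed to set the clock."""
    if len(data) != 48 + 20:
        return False
    (key_id,) = struct.unpack("!I", data[48:52])
    key = keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + data[:48]).digest()
    return hmac.compare_digest(expected, data[52:])


def exchange(client_clock, server_clock, keys, key_id=1, one_way_delay=0.020):
    """One request/reply. The client clock is wrong by (client_clock -
    server_clock); the server is stratum 2 (as after 'ntp master 2').
    Returns (offset, delay, server stratum, authenticated?) as the client sees it."""
    t1 = client_clock
    request = build_packet(3, 0, transmit=to_ntp(t1))
    # Server side: receives after the one-way delay, replies 1 ms later, and
    # copies the client's transmit timestamp into the origin field.
    t2 = server_clock + one_way_delay
    t3 = t2 + 0.001
    reply = sign(build_packet(4, 2, origin=parse_packet(request)["transmit"],
                              receive=to_ntp(t2), transmit=to_ntp(t3),
                              reference=to_ntp(server_clock - 30)), key_id, keys[key_id])
    # Client side: the reply lands after another one-way delay, read on its own clock.
    t4 = client_clock + 2 * one_way_delay + 0.001
    if not verify(reply, keys):
        return None, None, None, False
    r = parse_packet(reply)
    offset, delay = offset_and_delay(from_ntp(r["origin"]), from_ntp(r["receive"]),
                                     from_ntp(r["transmit"]), t4)
    return round(offset, 3), round(delay, 3), r["stratum"], True


if __name__ == "__main__":
    # Client 5 s fast against a server reached over a 20 ms one-way path.
    print(exchange(1_700_000_005.0, 1_700_000_000.0, {1: b"example-key"}))
```

The arithmetic is why one exchange per minute is enough: a symmetric path cancels out of the offset entirely (the 40 ms round trip shows up only in the delay), so the client learns its 5 s error to well under a millisecond from a single reply. The verify step is the part that makes `ntp authenticate` worth configuring: a forged or replayed reply with the wrong key id, or a reply whose stratum field was edited to look more authoritative, is rejected before the offset is even computed.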