
TCP/IP Advanced Fundamentals & Routed Protocol Features

DHCP Services
• DHCP is used to provide dynamic IP address allocation to TCP/IP hosts and
Cisco Systems devices. It uses a client/server model, and the DHCP server can
be a Windows server, a UNIX-based server, or a Cisco IOS device.

• Configuring Cisco IOS devices as DHCP servers, DHCP relay agents, and DHCP
clients gives a network administrator more DHCP options and lets different
levels of DHCP service be implemented for a more robust and efficient network
solution.

• DHCP is built on the Bootstrap Protocol (BOOTP) server and the BOOTP
well-known ports in User Datagram Protocol (UDP). Before DHCP, IP addresses
were administered manually on IP hosts, which was a tedious, error-prone, and
labor-intensive process. DHCP allows IP addresses to be assigned to DHCP
clients automatically. The DHCP service can be implemented with a server or
with a Cisco IOS device.

Understanding the Function of DHCP

- DHCP is an application that uses UDP ports 67 (server messages) and 68
(client messages).
The figure shows the steps that occur when a DHCP client requests an IP
address from a DHCP server.
1. The host sends a DHCPDISCOVER broadcast message to locate a DHCP server.
2. A DHCP server offers configuration parameters such as an IP address, the
MAC address of the DHCP server, a domain name, a default gateway, and a lease
for the IP address to the client in a DHCPOFFER unicast message.
3. The client returns a formal request for the offered IP address to the DHCP
server in a DHCPREQUEST broadcast message.
4. The DHCP server confirms that the IP address has been allocated to the
client by returning a DHCPACK unicast message to the client.
A DHCP client may receive offers from multiple DHCP servers and can accept any
one of them; however, the client usually accepts the first offer that it
receives. Also, an offer from a DHCP server is not a guarantee that the IP
address will be allocated to the client: the server usually reserves the
address only until the client has had a chance to formally accept it.
DHCP supports three possible address allocation mechanisms:
- Manual: The network administrator assigns the IP address to a specific MAC
address, and DHCP is used to deliver the assigned address to the host.
- Automatic: The IP address is permanently assigned to a host.
- Dynamic: The IP address is assigned to a host for a limited time or until the
host explicitly releases the address. This mechanism supports automatic address
reuse when the host to which the address has been assigned no longer needs it.
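The four-step exchange and the allocation mechanisms above, as an added example that is not code from the original notes: a small Python simulation in which two servers answer one client, the client takes the first offer, and the losing server gets its reserved address back when it sees the broadcast DHCPREQUEST. The message names, UDP ports and the "first offer wins" rule come from the text; the server and client classes, the helper names and the sample addresses are constructed for this illustration.

```python
# Added example (not code from the original notes): a minimal simulation of
# the DISCOVER / OFFER / REQUEST / ACK exchange and of the manual and dynamic
# allocation mechanisms described above.  Message names, UDP ports and the
# "first offer wins" rule come from the text; the server/client classes and
# the sample addresses are constructed for this illustration.
from dataclasses import dataclass, field

DHCP_SERVER_PORT = 67   # server listens here (UDP)
DHCP_CLIENT_PORT = 68   # client listens here (UDP)


@dataclass
class DhcpMessage:
    kind: str            # DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK
    client_mac: str
    server_id: str = ""  # 'server identifier' option (the server's own IP)
    yiaddr: str = ""     # "your IP address": the address offered/assigned
    options: dict = field(default_factory=dict)


class DhcpServer:
    """One DHCP server with a small dynamic pool and an optional manual
    (MAC-to-IP) reservation table."""

    def __init__(self, server_ip, pool, manual=None, gateway="", lease_secs=86400):
        self.server_ip = server_ip
        self.free = list(pool)       # dynamic addresses still available
        self.manual = manual or {}   # mac -> fixed ip (manual allocation)
        self.reserved = {}           # mac -> ip offered but not yet acknowledged
        self.bound = {}              # mac -> ip (the server's binding table)
        self.gateway = gateway
        self.lease_secs = lease_secs

    def handle(self, msg):
        """Return the server's reply to one client message, or None."""
        if msg.kind == "DHCPDISCOVER":
            ip = self.manual.get(msg.client_mac)
            if ip is None:
                if not self.free:
                    return None      # pool exhausted: no offer
                ip = self.free.pop(0)
            # an offer is not a guarantee: the address is only reserved until
            # the client formally accepts it with DHCPREQUEST
            self.reserved[msg.client_mac] = ip
            return DhcpMessage("DHCPOFFER", msg.client_mac, self.server_ip, ip,
                               {"router": self.gateway, "lease": self.lease_secs})
        if msg.kind == "DHCPREQUEST":
            ip = self.reserved.pop(msg.client_mac, None)
            if msg.server_id != self.server_ip:
                # the client chose another server: give our reservation back
                if ip is not None and ip not in self.manual.values():
                    self.free.append(ip)
                return None
            if ip is None or ip != msg.yiaddr:
                return DhcpMessage("DHCPNAK", msg.client_mac, self.server_ip)
            self.bound[msg.client_mac] = ip
            return DhcpMessage("DHCPACK", msg.client_mac, self.server_ip, ip,
                               {"lease": self.lease_secs})
        return None


def dhcp_exchange(client_mac, servers):
    """Run one client's exchange against every server in the broadcast domain.
    Returns (assigned ip, chosen server id, list of message types seen)."""
    transcript = ["DHCPDISCOVER"]
    discover = DhcpMessage("DHCPDISCOVER", client_mac)
    # the broadcast reaches every server; the client collects all offers
    offers = [o for o in (s.handle(discover) for s in servers) if o]
    transcript += [o.kind for o in offers]
    if not offers:
        return None, None, transcript
    chosen = offers[0]               # the text: usually the first offer wins
    request = DhcpMessage("DHCPREQUEST", client_mac, chosen.server_id, chosen.yiaddr)
    transcript.append(request.kind)
    # DHCPREQUEST is broadcast too, so the other servers learn they lost
    replies = [r for r in (s.handle(request) for s in servers) if r]
    transcript += [r.kind for r in replies]
    ack = next((r for r in replies if r.kind == "DHCPACK"), None)
    if ack is None:
        return None, None, transcript
    return ack.yiaddr, ack.server_id, transcript


def demo():
    # constructed topology: two servers on one VLAN answer the same client
    s1 = DhcpServer("10.0.0.1", ["10.0.0.10", "10.0.0.11"], gateway="10.0.0.1")
    s2 = DhcpServer("10.0.0.2", ["10.0.0.50"], gateway="10.0.0.2")
    ip, server, transcript = dhcp_exchange("aa:bb:cc:00:00:01", [s1, s2])
    return ip, server, transcript, s2.free   # s2 gets 10.0.0.50 back


if __name__ == "__main__":
    print(demo())
```

The point worth noticing is the second server: it handed out an offer, never received a matching DHCPREQUEST, and only frees the address because the request was broadcast. A real server uses a timer for the same purpose, which is why the text says the offer is not a guarantee.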

Configuring a DHCP Server

Router(config)#service dhcp
• Enables DHCP features on the router; it is on by default.
Router(config)#ip dhcp pool [pool name]
• Creates a DHCP pool for use by hosts and enters DHCP pool configuration mode.
Router(config-dhcp)#network [network address] [subnet mask]
• Specifies the network and subnet mask of the pool.
Router(config-dhcp)#default-router [host address]
• Specifies the default router for the pool to use.
Router(config)#ip dhcp excluded-address [low address] [high address]
• Specifies an IP address, or a range of addresses, that the DHCP server
should not assign to DHCP clients.
Router(config-dhcp)#dns-server [address] [address2...address8]
• Specifies the IP address of a Domain Name System (DNS) server that is
available to a DHCP client. One is required, but up to eight can be specified.
Router(config-dhcp)#lease {days [hours] [minutes] | infinite}
• Specifies the duration of the lease. The default is a one-day lease.
Router(config-if)#ip address dhcp
• Specifies that the router should obtain the IP address for this interface
from a DHCP server.
Configuration Example

The following is an example of the partial command syntax for this feature:
• Central Router
ip dhcp excluded-address 10.0.0.1 10.0.0.5
ip dhcp pool central
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
 domain-name central.com
 dns-server 10.0.0.2
interface fastethernet0/0
 ip address 10.0.0.1 255.255.255.0

• Remote Router
ip dhcp excluded-address 20.0.0.2
ip dhcp pool client
 network 20.0.0.0 255.255.255.0
 default-router 20.0.0.2
 import all
interface fastethernet0/0
 ip address dhcp

Router# show ip dhcp binding
Displays the bindings between IP addresses and MAC addresses on a DHCP server.
IP helper address:
- A host cannot reach a DHCP server on another subnet by broadcast, because
the router will not forward the broadcast.

- Solution: the router converts the broadcast into a unicast to the DHCP server.

(config)# int e0/0
(config-if)# ip helper-address <ip address>
The interface that receives the broadcasts for UDP services translates the
local broadcast destination address in the packet to the specified address.
That address can be a unicast address or a directed broadcast address; in the
directed broadcast case the following command must also be enabled:
(config-if)#ip directed-broadcast
By default, ip helper-address forwards the following services:
• Trivial File Transfer Protocol (TFTP, port 69)
• Domain Name System (DNS, port 53)
• NetBIOS Name Server (port 137)
• NetBIOS Datagram Server (port 138)
• Time service (port 37)
• Bootstrap Protocol (BootP) / DHCP client and server datagrams (ports 67 and 68)
• TACACS service via the login host protocol (port 49)
• IEN-116 Name Service (port 42, obsolete)
To filter or add protocols (global configuration command):
(config)# [no] ip forward-protocol udp <protocol name or number>
Example: Multiple Servers, Remote Networks

Ports can be removed from the forwarding service; the following is an example:
interface fastethernet0/0
 ip address 144.253.1.100 255.255.255.0
 ip helper-address 144.253.2.255
!
no ip forward-protocol udp 137
no ip forward-protocol udp 138
no ip forward-protocol udp 37
ip forward-protocol udp 8000

This configuration stops the time and NetBIOS ports from being forwarded and
adds UDP port 8000 to the forwarded list.
DHCP Spoofing:
A device spoofs itself as a DHCP server:
• Attacker activates a DHCP server on the VLAN.
• Attacker replies to valid client DHCP requests.
• Attacker assigns IP configuration information that establishes the rogue
device as the client's default gateway.
• Attacker establishes a "man-in-the-middle" attack.

As stated in RFC 2131:

"The client collects DHCPOFFER messages over a period of time,
selects one DHCPOFFER message from the (possibly many) incoming
DHCPOFFER messages (for example, the first DHCPOFFER message
or the DHCPOFFER message from the previously used server) and
extracts the server address from the `server identifier' option in the
DHCPOFFER message. The time over which the client collects
messages and the mechanism used to select one DHCPOFFER are
implementation dependent."
Mitigating DHCP Spoofing:
DHCP Snooping
A solution that can be used to mitigate various ARP-based network exploits is
DHCP snooping. DHCP snooping provides security by filtering trusted DHCP
messages and then using these messages to build and maintain a DHCP snooping
binding table. DHCP snooping treats DHCP messages originating from any
user-facing port that is not a DHCP server port or an uplink to a DHCP server
as untrusted. From a DHCP snooping perspective these untrusted, user-facing
ports should not send DHCP server-type responses such as DHCPOFFER, DHCPACK,
or DHCPNAK.
DHCP snooping acts like a firewall between untrusted hosts and DHCP servers.
It also gives the administrator a way to differentiate between untrusted
interfaces connected to end users and trusted interfaces connected to the DHCP
server or to another switch.
• DHCP snooping allows ports to be configured as trusted or untrusted.
• Untrusted ports cannot process DHCP replies.
• Configure DHCP snooping trust on uplinks to a DHCP server.
• Do not configure DHCP snooping trust on client ports.

• DHCP Snooping Configuration Guidelines

These are the configuration guidelines for DHCP snooping.
- DHCP snooping must be enabled globally on the switch.
- DHCP snooping is not active until it is enabled on a VLAN.
- Before configuring the DHCP information option on the switch, make sure the
device that is acting as the DHCP server is configured: for example, the IP
addresses that the DHCP server can assign or must exclude, and any DHCP
options for devices, must already be configured.
- The steps to configure DHCP snooping are shown in Figure .
Switch# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP Snooping is configured on the following VLANs:
10 30-40 100 200-220
Insertion of option 82 information is enabled.
Interface          Trusted    Rate limit (pps)
---------          -------    ----------------
FastEthernet2/1    yes        none
FastEthernet2/2    yes        none
FastEthernet3/1    no         20

• The DHCP Snooping Binding Table

The DHCP snooping binding table contains the MAC address, IP address, lease
time, binding type, VLAN number, and interface information corresponding to the
local untrusted interfaces of a switch. The table does not have information
about hosts connected through a trusted port, because each interconnected
switch has its own DHCP snooping binding table.
• An untrusted interface is an interface configured to receive messages from
outside the network or firewall. A trusted interface is an interface that is
configured to receive only messages from within the network. The DHCP snooping
binding table can contain both dynamic and static MAC address to IP address
bindings.
• The show ip dhcp snooping binding command displays the DHCP snooping binding
entries for a switch, as shown in Figure .
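The trust filter, the per-port rate limit from the show output and the binding table described above, as an added example that is not code from the original notes: a Python model of a snooping switch that drops server replies arriving on untrusted ports, logs why, and learns a binding only from a DHCPACK that comes in on a trusted port for a client it has already seen. The switch class, port names, VLAN numbers and sample frames are constructed.

```python
# Added example (not code from the original notes): a simulation of the
# DHCP snooping filter and binding table described above.  The trust rule
# (server replies are dropped on untrusted ports), the per-port rate limit and
# the binding-table fields come from the text; the switch class, port names,
# VLAN numbers and sample frames are constructed.
from dataclasses import dataclass

SERVER_REPLIES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


@dataclass
class DhcpFrame:
    kind: str
    ingress_port: str
    vlan: int
    client_mac: str
    yiaddr: str = ""     # address carried in OFFER/ACK
    lease: int = 0       # lease seconds carried in ACK


class SnoopingSwitch:
    def __init__(self, snooping_vlans, trusted_ports, rate_limit=None):
        self.vlans = set(snooping_vlans)      # 'ip dhcp snooping vlan ...'
        self.trusted = set(trusted_ports)     # 'ip dhcp snooping trust'
        self.rate_limit = rate_limit or {}    # port -> max DHCP frames (untrusted)
        self.seen = {}                        # port -> DHCP frames counted
        self.client_port = {}                 # (mac, vlan) -> untrusted port
        self.bindings = {}                    # (mac, vlan) -> binding entry
        self.dropped = []                     # (reason, port, kind) audit log

    def receive(self, f):
        """Return True if the frame is forwarded, False if snooping drops it."""
        if f.vlan not in self.vlans:
            return True                       # snooping not active on this VLAN
        key = (f.client_mac, f.vlan)
        if f.ingress_port not in self.trusted:
            n = self.seen[f.ingress_port] = self.seen.get(f.ingress_port, 0) + 1
            limit = self.rate_limit.get(f.ingress_port)
            if limit is not None and n > limit:
                self.dropped.append(("rate-limit", f.ingress_port, f.kind))
                return False
            if f.kind in SERVER_REPLIES:
                # a rogue server: client-facing ports must never send replies
                self.dropped.append(("server-reply-on-untrusted", f.ingress_port, f.kind))
                return False
            self.client_port[key] = f.ingress_port
            if f.kind == "DHCPRELEASE":
                self.bindings.pop(key, None)
            return True
        # trusted port: legitimate server replies build the binding table
        if f.kind == "DHCPACK" and key in self.client_port:
            self.bindings[key] = {"mac": f.client_mac, "ip": f.yiaddr,
                                  "lease": f.lease, "type": "dhcp-snooping",
                                  "vlan": f.vlan, "interface": self.client_port[key]}
        elif f.kind == "DHCPNAK":
            self.bindings.pop(key, None)
        return True


def demo():
    # constructed: Fa2/1 is the uplink to the real server, Fa3/x face clients
    sw = SnoopingSwitch(snooping_vlans=[10], trusted_ports={"Fa2/1"},
                        rate_limit={"Fa3/1": 20, "Fa3/2": 20})
    mac = "00:11:22:33:44:55"
    frames = [
        DhcpFrame("DHCPDISCOVER", "Fa3/1", 10, mac),
        DhcpFrame("DHCPOFFER", "Fa3/2", 10, mac, "10.1.1.200"),   # rogue offer
        DhcpFrame("DHCPOFFER", "Fa2/1", 10, mac, "10.1.1.20"),    # real offer
        DhcpFrame("DHCPREQUEST", "Fa3/1", 10, mac),
        DhcpFrame("DHCPACK", "Fa2/1", 10, mac, "10.1.1.20", 86400),
    ]
    forwarded = [sw.receive(f) for f in frames]
    return forwarded, sw.dropped, sw.bindings


if __name__ == "__main__":
    print(demo())
```

The `dropped` list is the part a defender cares about: a "server-reply-on-untrusted" entry naming a client port is exactly the signal a rogue DHCP server leaves behind, and the binding table records which physical port each (MAC, IP, VLAN) tuple was learned on.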

NTP (Network Time Protocol)
NTP is an application that uses UDP port 123 for dynamic time adjustment and
synchronization; the latest version is 4.
Imagine that you are reviewing device logs collected in a router’s buffer and are
attempting to correlate the events in the device logs with an issue that you are
troubleshooting. To make that correlation, the logged events need to have
accurate timestamps.

Although you could individually set the clock on each of your routers, those
clocks might drift over time and not agree. You might have heard the saying that
a man with one watch always knows what time it is, but a man with two watches
is never quite sure. This implies that devices need to have a common point of
reference for their time. Such a reference point is made possible by Network
Time Protocol (NTP), which allows routers to point to a device acting as an NTP
server. Because devices in different time zones might reference the same NTP
server, each device has its own time zone configuration, which indicates how
many hours its time zone differs from Greenwich Mean Time (GMT).

NTP uses a value, called a stratum value, to indicate the believability of a time
source. Valid stratum values are in the range 0–15, with a value of 16 being used
to indicate that a device does not have its time synchronized. However, Cisco
IOS only permits you to set stratum values in the range 1–15.
Lower stratum values are considered more authoritative than higher stratum
values, with a stratum value of 0 being the most authoritative. Stratum
calculations work much like a hop count.
For example, an Internet-based time source using a cesium clock might have a
stratum value of 0. If one of your routers learns time from this stratum 0 time
source, your router will have a stratum level of 1.
If other devices (for example, servers, switches, and other routers) in your
network get their time from your stratum 1 router, they will each have a stratum
level of 2.

NTP synchronization modes:

- Clients listen to NTP server broadcasts to synchronize and adjust their clocks.
- Clients poll the NTP server for time.
Ahmed Nabil
NTP server configuration steps:
Step 1. Enter the ntp authentication-key key-id md5 key command
to specify both the secret key and a key ID, which can be used to reference the
secret key.
Step 2. Enter the ntp authenticate command to instruct the router to authenticate
time sources.
Step 3. Enter the ntp trusted-key key-id command to indicate which previously
configured key should be trusted for NTP authentication.
Step 4. (Optional) If the router is not receiving time from an external time source,
enter the ntp master stratum-number command to tell a router to use its local
clock as its time source and to specify the stratum level of the router.

NTP client configuration steps:
Step 1. Enter the ntp authentication-key key-id md5 key command to specify
both the secret key and a key ID, which can be used to reference the secret key.
Step 2. Enter the ntp authenticate command to instruct the router to authenticate
time sources.
Step 3. Enter the ntp trusted-key key-id command to indicate which previously
configured key should be trusted for NTP authentication.
Step 4. Enter the ntp server ip-address-of-ntp-server key key-id command to tell
the router to receive time from an NTP server at the specified IP address and to
use the specified key ID for authentication.

For NTP to synchronize time, there are two methods:
Method 1:
- Clients listen to NTP server broadcasts to synchronize and adjust their
clocks.

Server(config)#ntp master 3
Server(config)#int fa0
Server(config-if)#ntp broadcast .... allows the server to send broadcast
packets containing the time on this interface.

Client(config)#int fa1
Client(config-if)#ntp broadcast client .... allows the NTP client to receive
NTP broadcasts on that interface.

Method 2:
- Clients poll (request and wait for a reply from) the NTP server for time.
Server(config)#ntp master 3

Client(config)#ntp server <ip of server>

ROUTER R1 (Server) CONFIGURATION for authentication:

R1# conf term
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# ntp authentication-key 1 md5 $3cretKEY
R1(config)# ntp authenticate
R1(config)# ntp trusted-key 1
R1(config)# ntp master 1 ...defines the router as stratum 1
ROUTER R2 (client) CONFIGURATION for authentication:
R2# conf term
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# ntp authentication-key 1 md5 $3cretKEY
R2(config)# ntp authenticate
R2(config)# ntp trusted-key 1
R2(config)# ntp server 172.16.0.1 key 1
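What the three commands ntp authentication-key, ntp authenticate and ntp trusted-key actually check on the wire, as an added example that is not code from the original notes or from Cisco: a Python routine that builds a minimal NTP header, appends the symmetric-key MAC (a 32-bit key ID followed by MD5 over the key concatenated with the header, the layout given in RFC 5905 section 7.3), and verifies it the way R2 would, rejecting a key ID that is not trusted, a digest made with the wrong key, a packet altered after signing, and a packet with no MAC. The packet field values, the key strings and the helper names are constructed for this illustration.

```python
# Added example (not code from the original notes): how the symmetric-key
# authentication configured above with "ntp authentication-key ... md5" and
# "ntp trusted-key" protects an NTP packet.  The MAC layout (a 32-bit key ID
# followed by MD5 over key || 48-byte header) is the one given in RFC 5905
# section 7.3; the packet contents, key values and helper names are
# constructed for this illustration.
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01
HEADER_LEN = 48
MAC_LEN = 4 + 16                # key ID + MD5 digest


def ntp_header(stratum, unix_time, li=0, vn=4, mode=4):
    """Build a minimal 48-byte NTP v4 header (server mode); only the fields
    needed here are filled in, everything else is zero."""
    first = (li << 6) | (vn << 3) | mode
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    # li/vn/mode, stratum, poll, precision, root delay, root dispersion, ref id
    fixed = struct.pack("!BBbbIII", first, stratum, 6, -20, 0, 0, 0)
    # reference, origin, receive and transmit timestamps (all the same here)
    return fixed + struct.pack("!II", secs, frac) * 4


def sign_packet(key_id, key, header):
    """Append the MAC: key ID, then MD5(key || header) (RFC 5905 layout)."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_packet(packet, keys, trusted_ids):
    """Client-side check that mirrors 'ntp authenticate' + 'ntp trusted-key'.
    keys: key_id -> key bytes (ntp authentication-key); trusted_ids: the key
    IDs named with ntp trusted-key.  Returns (ok, reason)."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False, "missing or malformed MAC"
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in trusted_ids:
        return False, "key id %d is not trusted" % key_id
    key = keys.get(key_id)
    if key is None:
        return False, "no key configured for id %d" % key_id
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "digest mismatch: wrong key or altered packet"
    return True, "authenticated with key %d" % key_id


def demo():
    # constructed: R1 (stratum 1) signs with key 1; R2 trusts key 1 only
    keys = {1: b"$3cretKEY", 2: b"otherkey"}
    header = ntp_header(stratum=1, unix_time=1700000000.25)
    good = sign_packet(1, keys[1], header)
    untrusted_id = sign_packet(2, keys[2], header)    # known key, not trusted
    wrong_key = sign_packet(1, b"wrongkey", header)   # forged with a bad key
    tampered = bytearray(good)
    tampered[1] = 15                                  # stratum changed after signing
    unsigned = header                                 # no MAC at all
    return [verify_packet(p, keys, {1})[0]
            for p in (good, untrusted_id, wrong_key, bytes(tampered), unsigned)]


if __name__ == "__main__":
    print(demo())
```

Two details matter operationally: a key that is configured but not listed with ntp trusted-key is rejected even though the digest would verify, and the digest covers the whole header, so a change to the stratum or the timestamps after signing fails the check.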
TCP & UDP
(Transmission Control Protocol & User Datagram Protocol):
TCP is a connection-oriented protocol; UDP is a connectionless protocol that
mostly deals with small segments that do not need to be fragmented.

Three-Way Handshake
The process of setting up a TCP session involves a three-way
handshake, as listed in the following steps and as illustrated.
Step 1. The session initiator sends a Synchronization (SYN)
message to the target host.
Step 2. The target host acknowledges receipt of the SYN
message with an Acknowledgment (ACK) message and also
sends a SYN message of its own.
Step 3. The session initiator receives the SYN message from the target host
and acknowledges receipt by sending an ACK message.

The TCP Maximum Segment Size (MSS) is the amount of data that can be contained
in a single TCP segment. The value is dependent on the current TCP window size.
For example, if the window size is 14,600 bytes and the MSS is 1460 bytes, the
maximum number of segments in a window is 10.
Note
The term Maximum Segment Size (MSS) seems to imply the size of the entire
Layer 4 segment (that is, including Layer 2, Layer 3, and Layer 4 headers).
However, MSS only refers to the amount of data in a segment.
TCP Sliding Window
TCP communication uses windowing, meaning that one or more
segments are sent at one time, and a receiver can acknowledge
the receipt of all the segments in a window with a single
acknowledgment.
In some cases, as illustrated in Figure , TCP uses a sliding
window, where the window size begins with one segment. If there
is a successful acknowledgment of that one segment (that is, the
receiver sends an ACK asking for the next segment), the window
size doubles to two segments. Upon successful receipt of those
two segments, the next window contains four segments. This
exponential increase in window size continues until the receiver
does not acknowledge successful receipt of all segments within a
certain time period (known as the round-trip time [RTT], which is
sometimes called real transfer time), or until a configured
maximum window size is reached.

If a single TCP flow drops a packet, that flow might experience
TCP slow start, meaning that the window size is reduced to one
segment. The window size then grows exponentially until it
reaches one-half of its congestion window size (that is, the
window size when congestion was previously experienced). At
that point, the window size begins to grow linearly instead of
exponentially.
If a router interface‘s output queue fills to capacity, all TCP flows
can simultaneously start to drop packets, causing all TCP flows to
experience slow start. This condition, called global
synchronization or TCP synchronization, results in a very
inefficient use of bandwidth, because of all TCP flows having
reduced window sizes and therefore spending more time
waiting for acknowledgments.
The same effect can occur if you add UDP traffic to your network in the same
class of service as the existing TCP traffic: TCP again suffers global
synchronization, a case that is also called UDP dominance. Mixing TCP and UDP
on a network with no QoS leads to:
- Starvation
- Lower throughput
- Latency

Note
To prevent global synchronization, a feature called Weighted Random Early
Detection (WRED) can randomly drop packets from flows based on the number of
packets currently in a queue and the quality of service (QoS) markings on the
packets. By dropping packets before the queue fills to capacity, the global
synchronization issue is avoided.
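The window behaviour described in the last three sections (slow start doubling, fall back to one segment on loss, linear growth once half the previous window is reached) and the global synchronization that tail drop causes, as an added example that is not code from the original notes: a per-RTT Python simulation of one flow against a fixed queue, then of several flows sharing one queue under tail drop and under a simplified early random drop. The window rules follow the text; the queue size, the WRED thresholds and the drop curve are assumptions made for this illustration.

```python
# Added example (not code from the original notes): a per-RTT simulation of
# the window behaviour described above (slow start doubling, fall back to one
# segment on loss, linear growth once half the old window is reached) and of
# the global synchronization that tail drop causes when several flows share
# one queue.  The window rules follow the text; the queue size, the WRED
# thresholds and the drop curve are simplified assumptions.
import random


class TcpFlow:
    """Congestion window in segments, updated once per round-trip time."""

    def __init__(self):
        self.cwnd = 1
        self.ssthresh = None     # unknown until the first loss

    def on_rtt(self, lost):
        if lost:
            # text: back to one segment; remember half the window size at
            # which congestion was experienced
            self.ssthresh = max(self.cwnd // 2, 1)
            self.cwnd = 1
        elif self.ssthresh is None or self.cwnd < self.ssthresh:
            self.cwnd *= 2       # slow start: exponential growth
        else:
            self.cwnd += 1       # congestion avoidance: linear growth
        return self.cwnd


def single_flow_trace(queue_capacity, rtts):
    """cwnd after each RTT for one flow whose only limit is the queue size
    (a window larger than the queue loses a segment that RTT)."""
    flow, trace = TcpFlow(), []
    for _ in range(rtts):
        trace.append(flow.on_rtt(lost=flow.cwnd > queue_capacity))
    return trace


def shared_queue(flows, capacity, rtts, mode, min_th=None, max_p=0.2, seed=1):
    """Several flows share one output queue.  Returns (total offered load per
    RTT, number of flows sent back to slow start per RTT).
    mode 'taildrop': every flow loses when the queue overflows, so all of
    them restart together (global synchronization).
    mode 'wred': once the queue passes min_th, flows are dropped at random
    with a probability that grows towards max_p as the queue fills."""
    rng = random.Random(seed)           # seeded so the run is reproducible
    group = [TcpFlow() for _ in range(flows)]
    min_th = capacity // 2 if min_th is None else min_th
    totals, resets = [], []
    for _ in range(rtts):
        offered = sum(f.cwnd for f in group)
        if mode == "taildrop" or offered <= min_th:
            lost = [offered > capacity] * flows
        else:
            p = min(1.0, max_p * (offered - min_th) / (capacity - min_th))
            lost = [offered > capacity or rng.random() < p for _ in group]
        for flow, lost_flag in zip(group, lost):
            flow.on_rtt(lost_flag)
        totals.append(offered)
        resets.append(sum(lost))
    return totals, resets


if __name__ == "__main__":
    print("single flow:", single_flow_trace(20, 16))
    print("tail drop:  ", shared_queue(8, 64, 12, "taildrop"))
    print("wred:       ", shared_queue(8, 64, 12, "wred"))
```

In the tail-drop run every flow is reset in the same RTT (the resets list shows all flows at once and the offered load collapses together); in the WRED run the random early drops spread the resets over several RTTs, which is the behaviour the note above describes.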

TCP now has many modern options, discussed below.

TCP window scaling option:

Window scaling extends the 16-bit window field (up to 65,536 bytes) to an
effective 32-bit value (up to 4,294,967,296 bytes), using an optional field in
the TCP header.

This feature is now available in most current operating systems on end
devices; where it is not on by default, window scaling has to be set manually
on the remote hosts using command-line tools. On a router the window size can
be adjusted with:
(config)#ip tcp window-size <number of bytes>
This command is used to increase or decrease the window size.

TCP Selective Acknowledgement (SACK) option:

TCP may experience poor performance when multiple packets are lost from one
window of data. SACK is a strategy that corrects this behaviour in the face of
multiple dropped segments. With selective acknowledgement the data receiver can
inform the sender about all the segments that have arrived, so the remaining
segments can be assumed dropped and retransmitted.

This feature is considered an enhancement for TCP.

Other features that help to enhance TCP are:

- TCP keepalive timer (helps to identify dead sessions)
- TCP ECN (Early Congestion Notification): helps an end device notify the other
end about congestion it is causing.
- TCP timestamps: used to better measure the round-trip delay, which helps to
determine the correct window size between end points (the window size equation
depends on bandwidth and round-trip delay).
Routed Protocol Features
• IPv4:
- It is a 32-bit address, assigned by IANA.
- Current challenges for IP addressing:
A) IP address exhaustion (shortage).
B) Routing table growth and manageability.

A) Solutions for extending IP addressing:

1- Private addresses (RFC 1918):

Class A: 10.0.0.0 - 10.255.255.255

Class B: 172.16.0.0 - 172.31.255.255

Class C: 192.168.0.0 - 192.168.255.255

APIPA (Automatic Private IP Addressing), non-routable:

169.254.0.0/16

2- NAT and PAT:
- Network Address Translation is used to translate the inside local address to
an inside global address.
- Port Address Translation uses the IP address and port numbers to translate
many local IPs to one global IP address.
- After writing the configuration for each type of NAT, NAT has to be
activated on the interfaces. On newer IOS use
(config-if)#ip nat enable
which creates an NVI (NAT Virtual Interface) to activate NAT, instead of the
old commands (ip nat inside and ip nat outside on the physical interfaces).
a) Static NAT
- Fixed one local to one global address translation; this type is mainly used
with servers.
(config)#ip nat inside source static <private ip> <public ip>

b) Dynamic NAT
- Each local address can be translated to one global address picked by the
NAT device from a NAT pool of addresses.
(config)#ip nat inside source list <ACL number or name> pool <pool name>

(config)#ip nat pool <pool name> <start ip> <end ip> netmask <mask>
or
(config)#ip nat pool <pool name> <start ip> <end ip> prefix-length <length>

c) Dynamic NAT with Overload (PAT), also called NAPT (Network Address and Port
Translation)
- Many local devices can use one global address by translating port numbers
(translating the socket number).
- If you have many global addresses, you need a NAT pool.

(config)#ip nat inside source list <ACL number or name> pool <pool name> overload
(config)#ip nat pool <pool name> <start ip> <end ip> netmask <mask>
or
We can use the IP of an interface for PAT instead of a pool:
(config)#ip nat inside source list <ACL number or name> interface <interface>
overload

d) Static PAT (Port Forwarding)

We can also map specific static ports to internal private IPs.
(config)#ip nat inside source static tcp <private ip> <port> <public ip> <port>
Ex:
(config)#ip nat inside source static tcp 192.168.1.51 80 41.1.1.1 8001
(config)#ip nat inside source static tcp 192.168.1.52 80 41.1.1.1 8002
Note:
NAT configuration cannot be modified while the NAT table holds translations,
so a NAT command cannot be deleted or added until the NAT table is cleared
with:
#clear ip nat translation *
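The four translation types above (static NAT, dynamic NAT from a pool, PAT on one global address, static PAT for port forwarding) and the effect of clearing the table, as an added example that is not code from the original notes: a Python model of a NAT device that keeps the translation table, allocates ports for overload, refuses to translate an address the ACL does not match, drops a packet when the dynamic pool is exhausted, and answers the reverse lookup a reply or a forwarded port needs. The class, the helper names, the sample inside and outside addresses and the port range are assumptions.

```python
# Added example (not code from the original notes): a simulation of the
# translations described above: static NAT, dynamic NAT from a pool, PAT
# (overload) on one global address, static PAT (port forwarding) and the
# effect of clearing the translation table.  The behaviour follows the text;
# the class, the sample addresses and the port range are assumptions.
import ipaddress


class NatDevice:
    def __init__(self, pool=(), overload_ip=None, inside_acl=None):
        self.pool_all = list(pool)          # 'ip nat pool ...'
        self.pool_free = list(pool)
        self.overload_ip = overload_ip      # PAT: the single global address
        self.inside_acl = inside_acl        # ip_network matched by the ACL
        self.static = {}                    # inside local -> inside global
        self.static_pat = {}                # (proto, global ip, port) -> (local ip, port)
        self.table = {}                     # (proto, local ip, port) -> (global ip, port)
        self.next_port = 1024

    def add_static(self, local_ip, global_ip):
        self.static[local_ip] = global_ip

    def add_static_pat(self, proto, local_ip, local_port, global_ip, global_port):
        self.static_pat[(proto, global_ip, global_port)] = (local_ip, local_port)

    def _alloc_port(self):
        used = {gport for _, gport in self.table.values()}
        while self.next_port in used:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def translate_outbound(self, proto, src_ip, src_port):
        """Inside -> outside: return (global ip, global port), or None when
        the packet is not translated (ACL miss or exhausted pool)."""
        key = (proto, src_ip, src_port)
        if key in self.table:
            return self.table[key]
        for (p, gip, gport), (lip, lport) in self.static_pat.items():
            if (p, lip, lport) == key:          # port-forwarding entries are two-way
                self.table[key] = (gip, gport)
                return self.table[key]
        if src_ip in self.static:
            entry = (self.static[src_ip], src_port)
        elif self.inside_acl is not None and ipaddress.ip_address(src_ip) not in self.inside_acl:
            return None                         # ACL does not match: not translated
        elif self.overload_ip:
            entry = (self.overload_ip, self._alloc_port())
        elif self.pool_free:
            entry = (self.pool_free.pop(0), src_port)
        else:
            return None                         # dynamic pool exhausted
        self.table[key] = entry
        return entry

    def translate_inbound(self, proto, dst_ip, dst_port):
        """Outside -> inside: reverse lookup for replies and forwarded ports."""
        if (proto, dst_ip, dst_port) in self.static_pat:
            return self.static_pat[(proto, dst_ip, dst_port)]
        for (p, lip, lport), (gip, gport) in self.table.items():
            if (p, gip, gport) == (proto, dst_ip, dst_port):
                return (lip, lport)
        return None

    def clear_translations(self):
        """Like 'clear ip nat translation *': drop dynamic entries and
        return pool addresses, so the configuration can be changed."""
        self.table.clear()
        self.pool_free = list(self.pool_all)


def demo():
    inside = ipaddress.ip_network("192.168.1.0/24")      # the ACL's network
    nat = NatDevice(pool=["203.0.113.10", "203.0.113.11"], inside_acl=inside)
    nat.add_static("192.168.1.5", "203.0.113.5")
    pat = NatDevice(overload_ip="203.0.113.1", inside_acl=inside)
    pat.add_static_pat("tcp", "192.168.1.51", 80, "203.0.113.1", 8001)
    return {
        "static": nat.translate_outbound("tcp", "192.168.1.5", 40000),
        "dyn1": nat.translate_outbound("tcp", "192.168.1.20", 40000),
        "dyn2": nat.translate_outbound("tcp", "192.168.1.21", 40000),
        "dyn3": nat.translate_outbound("tcp", "192.168.1.22", 40000),   # pool empty
        "acl_miss": nat.translate_outbound("tcp", "10.9.9.9", 40000),
        "pat1": pat.translate_outbound("tcp", "192.168.1.20", 40000),
        "pat2": pat.translate_outbound("tcp", "192.168.1.21", 40000),
        "forward": pat.translate_inbound("tcp", "203.0.113.1", 8001),
        "reply": pat.translate_inbound("tcp", "203.0.113.1", 1025),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two of the cases are the ones that cause tickets in practice: a dynamic pool that is exhausted silently stops translating new hosts, and a source that the ACL does not match is routed untranslated, which is why the ACL is part of the NAT statement.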
3- Using subnetting:
- Divide the major network into subnets.
4- Using VLSM:
- Further subnetting of the subnets of the same major network.
Ex: 192.168.1.0/24

192.168.1.0/26   192.168.1.64/26   192.168.1.128/26   192.168.1.192/26

192.168.1.192/30   .1.196/30   .1.200/30   .1.204/30

Subnet mask:

/x gives number of IPs = 2^(32-x)

/32 gives 2^0 IP = 1
/26 gives 2^6 IPs = 64
/24 gives 2^8 IPs = 256
/23 gives 2^9 IPs = 512
/0 gives 2^32 IPs = 4,294,967,296
Example on VLSM

Solution

192.168.49.160/30
192.168.49.164/30
192.168.49.168/30
192.168.49.172/30
192.168.49.176/30
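The /x rule, the even split of 192.168.1.0/24 and the VLSM carving shown above, as an added example that is not code from the original notes: a Python allocator built on the standard ipaddress module that gives each requirement the smallest subnet holding it, largest requirement first, and reports what space is left. Run on three 60-host LANs and four point-to-point links (constructed requirements) it produces the same /26 and /30 subnets as the text, and on 192.168.49.160/27 with five links it produces the five /30 subnets of the solution above. The function names and the host-count inputs are assumptions.

```python
# Added example (not code from the original notes): the /x -> 2^(32-x) rule,
# the even split of 192.168.1.0/24 shown above and a VLSM allocator that
# produces the same /26 and /30 subnets, using Python's ipaddress module.
# The example networks are the ones in the text; the function names and the
# host-count requirements in the demo are constructed.
import ipaddress


def addresses_in(prefix_len):
    """Number of addresses in a /prefix_len block (network and broadcast included)."""
    return 2 ** (32 - prefix_len)


def split_evenly(network, new_prefix):
    """Classic subnetting: cut a network into equal /new_prefix pieces."""
    return [str(n) for n in ipaddress.ip_network(network).subnets(new_prefix=new_prefix)]


def vlsm_allocate(network, host_counts):
    """VLSM: give every requirement the smallest subnet that holds it, largest
    requirement first, carving from whatever space is still free.
    Returns ([(hosts needed, subnet), ...], [free blocks left])."""
    free = [ipaddress.ip_network(network)]
    plan = []
    for need in sorted(host_counts, reverse=True):
        plen = 32
        # longest prefix that still leaves room for need hosts + network + broadcast
        while addresses_in(plen) - 2 < need:
            plen -= 1
        # smallest free block first, lowest address first: limits fragmentation
        free.sort(key=lambda n: (-n.prefixlen, int(n.network_address)))
        for i, block in enumerate(free):
            if block.prefixlen <= plen:
                free.pop(i)
                chosen = next(block.subnets(new_prefix=plen))
                free.extend(block.address_exclude(chosen))   # keep the remainder
                plan.append((need, str(chosen)))
                break
        else:
            raise ValueError("no free block large enough for %d hosts" % need)
    return plan, sorted(str(n) for n in free)


if __name__ == "__main__":
    print(split_evenly("192.168.1.0/24", 26))
    # three LANs of 60 hosts plus four point-to-point links (constructed needs)
    print(vlsm_allocate("192.168.1.0/24", [60, 60, 60, 2, 2, 2, 2]))
    print(vlsm_allocate("192.168.49.160/27", [2, 2, 2, 2, 2]))
```

Allocating the largest requirement first is what keeps the /30 links from landing in the middle of the block and splitting a /26 candidate in two; the leftover list shows the space still available for later growth.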

5- IP unnumbered:
Any Layer 3 interface needs an IP address to be active (live and kicking in
the IP world).
In some cases we may need to activate an interface without wasting IPs; in
that case IP unnumbered is the solution, where you deceive the interface by
giving it a null IP of its own and letting it borrow another interface's
address.

On the router:
(config)# int s0/0
(config-if)# ip unnumbered <int. name>

- If int. name is e0/0, for example, then s0/0 will inherit the IP of e0/0.

- Mostly we inherit the IP of a loopback interface, as the most common
solution in most cases.

- This is the only case in which the two routers see each other while the two
serial interfaces are not in the same subnet.

- Mostly static routing will be used in that case, because most dynamic
routing protocols will ignore updates from a peer not on the same subnet.

6- Route summarization:
- Grouping a set of subnets and advertising them as one summary address.
Ex1: Summarize the networks from 172.16.12.0/24 to 172.16.15.0/24

Ex2: Summarize the networks from 172.16.11.0/24 to 172.16.16.0/24

These networks must be advertised as 3 entries.
7- CIDR:
- Classless Inter-Domain Routing (supernetting).
- Grouping a set of major networks and advertising them as one super network
(CIDR block).

Ex: What is the CIDR block for the major networks from 192.168.8.0/24 to
192.168.15.0/24?
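Route summarization (Ex1 and Ex2 above) and the CIDR block question, as an added example that is not code from the original notes: a Python routine that lists the consecutive networks and collapses them with the standard ipaddress module, plus a second function showing the manual method (count the leading bits the first and last network share) and flagging when that single prefix would cover more networks than were asked for, which is exactly why Ex2 needs three entries. The ranges are the ones from the text; the helper names are assumptions.

```python
# Added example (not code from the original notes): route summarization for
# Ex1 and Ex2 above and the CIDR block for the 192.168.8.0-15.0 range, using
# Python's ipaddress module.  The ranges are the ones from the text; the
# helper names are assumptions.  common_supernet() shows the manual method
# (count the leading bits the first and last network share) and flags when
# that single prefix would cover more networks than were asked for.
import ipaddress


def common_prefix_length(first, last):
    """Number of leading bits shared by two IPv4 addresses."""
    x = int(ipaddress.ip_address(first)) ^ int(ipaddress.ip_address(last))
    return 32 - x.bit_length()


def common_supernet(first, last, prefixlen=24):
    """The single prefix built from the shared leading bits, plus whether it
    covers exactly the requested /prefixlen networks (True) or more (False)."""
    plen = common_prefix_length(first, last)
    net = ipaddress.ip_network((first, plen), strict=False)
    block = 2 ** (32 - prefixlen)
    wanted = (int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first))) // block + 1
    return str(net), net.num_addresses // block == wanted


def summarize(first, last, prefixlen=24):
    """Fewest summary prefixes that cover exactly the consecutive /prefixlen
    networks from first to last (ipaddress.collapse_addresses does the work)."""
    start = ipaddress.ip_network((first, prefixlen))
    end = ipaddress.ip_network((last, prefixlen))
    if end < start:
        raise ValueError("last network precedes first")
    nets, n = [], start
    while True:
        nets.append(n)
        if n == end:
            break
        n = ipaddress.ip_network((str(n.broadcast_address + 1), prefixlen))
    return [str(s) for s in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    print("Ex1:", summarize("172.16.12.0", "172.16.15.0"), common_supernet("172.16.12.0", "172.16.15.0"))
    print("Ex2:", summarize("172.16.11.0", "172.16.16.0"), common_supernet("172.16.11.0", "172.16.16.0"))
    print("CIDR:", summarize("192.168.8.0", "192.168.15.0"), common_supernet("192.168.8.0", "192.168.15.0"))
```

For Ex2 the shared-bits method yields 172.16.0.0/19, which would advertise 32 networks instead of 6 and attract traffic for address space the router does not own; the exact cover is 172.16.11.0/24, 172.16.12.0/22 and 172.16.16.0/24, the three entries the text asks for.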

