Chapter 7

IP ADDESSING SERVICES

To cope with the depletion of IP addresses, several short-term solutions were developed. Two short-

term solutions are private addresses and Network Address Translation (NAT).

NAT enables inside network hosts to borrow a legitimate Internet IP address while accessing Internet

resources. When the requested traffic returns, the legitimate IP address is repurposed and available for

the next Internet request by an inside host. Using NAT, network administrators only need one or a few

IP addresses for the router to provide to the hosts, instead of one unique IP address for every client

joining the network.

The main feature of IPv6 that is driving adoption today is the larger address space: addresses in IPv6 are

128 bits long versus 32 bits in IPv4.

DHCP Operation

Providing IP addresses to clients is the most fundamental task performed by a DHCP server. DHCP

includes three different address allocation mechanisms to provide flexibility when assigning IP

addresses:

Manual Allocation: The administrator assigns a pre-allocated IP address to the client and DHCP

only communicates the IP address to the device.

Automatic Allocation: DHCP automatically assigns a static IP address permanently to a device,

selecting it from a pool of available addresses. There is no lease and the address is permanently

assigned to a device.

Dynamic Allocation: DHCP automatically dynamically assigns, or leases, an IP address from a

pool of addresses for a limited period of time chosen by the server, or until the client tells the

DHCP server that it no longer needs the address.

This section focuses on dynamic allocation. When the client boots or otherwise wants to join a network,

it completes four (4) steps in obtaining a lease:

1. In the first step, the client broadcasts a 1) DHCPDISCOVER message. The DHCPDISCOVER

message finds DHCP servers on the network. Because the host has no valid IP information at

bootup, it uses L2 and L3 broadcast addresses to communicate with the server.

2. When the DHCP server receives a DHCDISCOVER message, it finds an available IP address to

lease, creates an ARP entry consisting of the MAC address of the requesting host and the leased

IP address, and transmits a binding offer with a 2) DHCPOFFER message. The DHCPOFFER

message is sent as a unicast, using the L2 MAC address of the server as the source address and

the L2 address of the client as the destination.

Section 7 Page 1 of 62

3. When the client receives the DHCPOFFER from the server, it sends back a 3) DHCPREQUEST

message. This message has two purposes: lease origination and lease renewal and verification.

When used for lease origination, the DHCPREQUEST of the client is requesting that the IP

information be verified just after it has been assigned. The DHCPREQUEST also serves as a

binding acceptance notice to the selected server and an implicit decline to any other servers

that may have provided the host a binding offer.

4. On receiving the DHCPREQUEST message, the server verifies the lease information, creates a

new ARP entry for the client lease, and replies with a unicast 4) DHCPACK message. The

DHCPACK message is a duplicate of the DHCPOFFER, except for a change in the message type

field. When the client receives the DHCPACK message, it logs the configuration information and

performs an ARP lookup for the assigned address. If it does not receive a reply, it knows that the

IP address is valid and starts using it as its own.

BOOTP and DHCP

The Bootstrap Protocol (BOOTP), defined in RFC 951, is the predecessor of DHCP and shares some

operational characteristics. BOOTP is a way to download address and boot configurations for diskless

workstations. A diskless workstation does not have a hard drive or an operating system. For example,

many automated cash register systems at your local super market are examples of diskless workstations.

Both DHCP and BOOTP are client/server based and use UDP ports 67 and 68.

DHCP and BOOTP have two components. The server is a host with a static IP address that allocates,

distributes, and manages IP and configuration data assignments. Each allocation (IP and configuration

data) is stored on the server in a data set called a binding.

DHCP: Dynamic mappings - Lease - Supports over 20 configuration parameters

BOOTP: Static mappings - Permanent assignment - Only support four configuration parameters

There are three primary differences between DHCP and BOOTP:

1. The main difference is that BOOTP was designed for manual pre-configuration of the host

information in a server database, while DHCP allows for dynamic allocation of network

addresses and configurations to newly attached hosts. When a BOOTP client requests an IP

address, the BOOTP server searches a predefined table for an entry that matches the MAC

address for the client. If an entry exists, the corresponding IP address for that entry is returned

to the client. This means that the binding between the MAC address and the IP address must

have already been configured in the BOOTP server.

2. DHCP allows for recovery and reallocation of network addresses through a leasing mechanism.

Specifically, DHCP defines mechanisms through which clients can be assigned an IP address for a

finite lease period. This lease period allows for reassignment of the IP address to another client


later, or for the client to get another assignment if the client moves to another subnet. Clients

may also renew leases and keep the same IP address. BOOTP does not use leases. Its clients

have reserved IP address which cannot be assigned to any other host.

3. BOOTP provides a limited amount of information to a host. DHCP provides additional IP

configuration parameters, such as WINS and domain name.

DHCP Message Format

The developers of DHCP needed to maintain compatibility with BOOTP and consequently used the same

BOOTP message format. However, because DHCP has more functionality than BOOTP, the DHCP options

field was added. When communicating with older BOOTP clients, the DHCP options field is ignored.

The fields are as follows:

Operation Code (OP) - Specifies the general type of message. A value of 1 indicates a request

message; a value of 2 is a reply message.

Hardware Type - Identifies the type of hardware used in the network. For example, 1 is

Ethernet, 15' is Frame Relay, and 20 is a serial line. These are the same codes used in ARP

messages.

Hardware Address length - 8 bits to specify the length of the address.

Hops - Set to 0 by a client before transmitting a request and used by relay agents to control the

forwarding of DHCP messages.

Transaction Identifier - 32-bit identification generated by the client to allow it to match up the

request with replies received from DHCP servers.

Seconds - Number of seconds elapsed since a client began attempting to acquire or renew a

lease. Busy DHCP servers use this number to prioritize replies when multiple client requests are

outstanding.

Flags - Only one of the 16 bits is used, which is the broadcast flag. A client that does not know its

IP address when it sends a request, sets the flag to 1. This value tells the DHCP server or relay

agent receiving the request that it should send the reply back as a broadcast.

Client IP Address - The client puts its own IP address in this field if and only if it has a valid IP

address while in the bound state; otherwise, it sets the field to 0. The client can only use this

field when its address is actually valid and usable, not during the process of acquiring an

address.

Your IP Address - IP address that the server assigns to the client.

Server IP Address - Address of the server that the client should use for the next step in the

bootstrap process, which may or may not be the server sending this reply. The sending server

always includes its own IP address in a special field called the Server Identifier DHCP option.

Gateway IP Address - Routes DHCP messages when DHCP relay agents are involved. The

gateway address facilitates communications of DHCP requests and replies between the client

and a server that are on different subnets or networks.


DHCP Discovery and Offer Methods

These figures provide some detail of the packet content of the DHCP discover and offer messages. The

Client IP Address = CIADDR & Default Gateway Address = GIADDR are fields that appear in the

DHCPDISCOVER

Configuring a DHCP Server

Cisco routers running Cisco IOS software provide full support for a router to act as a DHCP server. The

Cisco IOS DHCP server assigns and manages IP addresses from specified address pools within the router

to DHCP clients.

The steps to configure a router as a DHCP server are as follows:

Step 1. Define a range of addresses that DHCP is not to allocate. These are usually static addresses

reserved for the router interface, switch management IP address, servers, and local network printers.

Step 2. Create the DHCP pool using the ip dhcp pool command.

The ip dhcp pool command creates a pool with the specified name and puts the router in DHCP

configuration mode, which is identified by the Router(dhcp-config)# prompt.

Step 3. Configure the specifics of the pool.

Use the network statement to define the range of available addresses. You should also define the

default gateway or router for the clients to use with the default-router command.

Note: A best practice is to configure excluded addresses in global configuration mode before creating

the DHCP pool. This ensures that DHCP does not assign reserved addresses accidentally. To exclude

specific addresses, use the ip dhcp excluded-address command.

The next DHCP pool commands are considered optional:

- You can configure the IP address of the DNS server that is available to a DHCP client using the

dns-server command. When configured, one address is required, but up to eight addresses can

be listed.

- Other parameters include configuring the duration of the DHCP lease. The default setting is one

day, but you can change this by using the lease command. You can also configure a NetBIOS

WINS server that is available to a Microsoft DHCP client. Usually, this would be configured in an

environment that supports pre-Windows 2000 clients.

Note: To disable the service, use the no service dhcp command. Use the service dhcp global

configuration command to re-enable the DHCP server process. Enabling the service has no effect if the

parameters are not configured.


Sample DHCP Configuration:

ip dhcp excluded-address 192.168.10.1 192.168.10.9

ip dhcp excluded-address 192.168.10.254

ip dhcp pool LAN-POOL-1

network 192.168.10.0 255.255.255.0

default-router 192.168.10.1

domain-name span.com

Note: To verify the operation of DHCP, use the show ip dhcp binding command. This command displays

a list of all IP address to MAC address bindings that have been provided by the DHCP service. To view

the statistics of DHCP use the show ip dhcp server statistics. Another useful command to view multiple

pools is the show ip dhcp pool command.

Configuring a DHCP Client

Typically, small broadband routers for home use, such as Linksys routers, can be configured to connect

to an ISP using a DSL or cable modem. In most cases, small home routers are set to acquire an IP address

automatically from their ISPs.

To configure an Ethernet interface as a DHCP client, the ip address dhcp command must be configured.

What is DHCP Relay?

In a complex hierarchical network, enterprise servers are usually contained in a server farm. These

servers may provide DHCP, DNS, TFTP, and FTP services for the clients. The problem is that the network

clients typically are not on the same subnet as those servers. Therefore, the clients must locate the

servers to receive services and often these services are located using broadcast messages.

Certain Windows clients have a feature called Automatic Private IP Addressing (APIPA). With this

feature, a Windows computer can automatically assign itself an IP address in the 169.254.x.x range in

the event that a DHCP server is n To make matters worse, DHCP is not the only critical service that uses

broadcasts. For example, Cisco routers and other devices may use broadcasts to locate TFTP servers or

to locate an authentication server such as a TACACS server.

As a solution to this problem, an administrator could add DHCP servers on all the subnets. However,

running these services on several computers creates both cost and administrative overhead.

A simpler solution is to configure the Cisco IOS helper address feature on intervening routers and

switches. This solution enables routers to forward DHCP broadcasts to the DHCP servers. When a router

forwards address assignment/parameter requests, it is acting as a DHCP relay agent.

Note: To configure router R1 as a DHCP relay agent, you need to configure the nearest interface to the

client with the ip helper-address interface configuration command. This command relays broadcast


requests for key services to a configured address. Configure the IP helper address on the interface

receiving the broadcast.

DHCP is not the only service that the router can be configured to relay. By default, the ip helper-address

command forwards the following eight UDP services:

Port 37: Time

Port 49: TACACS

Port 53: DNS

Port 67: DHCP/BOOTP client

Port 68: DHCP/BOOTP server

Port 69: TFTP

Port 137: NetBIOS name service

Port 138: NetBIOS datagram service

To specify additional ports, use the ip forward-protocol command to specify exactly which types of

broadcast packets to forward.

Troubleshooting DHCP Configuration

DHCP problems can arise for a multitude of reasons, such as software defects in operating systems, NIC

drivers, or DHCP/BOOTP relay agents, but the most common are configuration issues. Because of the

number of potentially problematic areas, a systematic approach to troubleshooting is required.

Troubleshooting Task 1: Resolve IP Address Conflicts

An IP address lease can expire on a client still connected to a network. If the client does not renew the

lease, the DHCP server can reassign that IP address to another client. When the client reboots, it

requests an IP address. If the DHCP server does not respond quickly, the client uses the last IP address.

The situation then arises that two clients are using the same IP address, creating a conflict.

The show ip dhcp conflict command displays all address conflicts recorded by the DHCP server. The

server uses the ping command to detect conflicts. The client uses Address Resolution Protocol (ARP) to

detect clients. If an address conflict is detected, the address is removed from the pool and not assigned

until an administrator resolves the conflict.

Troubleshooting Task 2: Verify Physical Connectivity

First, use the show interface command to confirm that the router interface acting as the default

gateway for the client is operational.


Troubleshooting Task 3: Test Network Connectivity by Configuring a Client Workstation with a Static

IP Address

When troubleshooting any DHCP issue, verify network connectivity by configuring a static IP address on

a client workstation. If the workstation is unable to reach network resources with a statically configured

IP address, the root cause of the problem is not DHCP

Troubleshooting Task 4: Verify Switch Port Configuration (STP PortFast and Other Commands)

If the DHCP client is unable to obtain an IP address from the DHCP server on startup, attempt to obtain

an IP address from the DHCP server by manually forcing the client to send a DHCP request.

Note: If there is a switch between the client and the DHCP server, verify that the port has STP PortFast

enabled and trunking/channeling disabled. The default configuration is PortFast disabled and

trunking/channeling auto, if applicable. These configuration changes resolve the most common DHCP

client issues that occur with an initial installation of a Catalyst switch. A review of CCNA Exploration: LAN

Switching and Wireless assists in solving this issue.

Troubleshooting Task 5: Distinguishing Whether DHCP Clients Obtain IP Address on the Same Subnet

or VLAN as DHCP Server

It is important to distinguish whether DHCP is functioning correctly when the client is on the same

subnet or VLAN as the DHCP server. If the DHCP is working correctly, the problem may be the

DHCP/BOOTP relay agent. If the problem persists even with testing DHCP on the same subnet or VLAN

as the DHCP server, the problem may actually be with the DHCP server.

Verify Router DHCP/BOOTP Relay Configuration

Step 1. Verify that the ip helper-address command is configured on the correct interface. It must be

present on the inbound interface of the LAN containing the DHCP client workstations and must be

directed to the correct DHCP server. In the figure, the output of the show running-config command

verifies that the DHCP relay IP address is referencing the DHCP server address at 192.168.11.5.

Step 2. Verify that the global configuration command no service dhcp has not been configured. This

command disables all DHCP server and relay functionality on the router. The command service dhcp

does not appear in the configuration, because it is the default configuration.

Verify that the Router Is Receiving DHCP Requests Using debug Commands.

On routers configured as DHCP servers, the DHCP process fails if the router is not receiving requests

from the client. As a troubleshooting task, verify that the router is receiving the DHCP request from the

client. This troubleshooting step involves configuring an access control list for debugging output. The

debug access control list is not intrusive to the router.


In global configuration mode, create the following access control list:

access-list 100 permit ip host 0.0.0.0 host 255.255.255.255

Start debugging by using ACL 100 as the defining parameter. In exec mode, enter the following debug

command:

debug ip packet detail 100

The output in the figure shows that the router is receiving the DHCP requests from the client. The source

IP address is 0.0.0.0 because the client does not yet have an IP address. The destination is

255.255.255.255 because the DHCP discovery message from the client is a broadcast. The UDP source

and destination ports, 68 and 67, are the typical ports used for DHCP.

Verify that the Router Is Receiving and Forwarding DHCP Request Using debug ip dhcp server packet

Command

A useful command for troubleshooting DHCP operation is the debug ip dhcp server events command.

This command reports server events, like address assignments and database updates. It is also used for

decoding DHCP receptions and transmissions.

Public & Private Addressing

For a more in-depth look at the development of the RIR system, see the Cisco Internet Protocol Journal

article at http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_4-

4/regional_internet_registries.html.

NAT Terminology:

Inside local address - Usually not an IP address assigned by a RIR or service provider and is most

likely an RFC 1918 private address. In the figure, the IP address 192.168.10.10 is assigned to the

host PC1 on the inside network.

Inside global address - Valid public address that the inside host is given when it exits the NAT

router. When traffic from PC1 is destined for the web server at 209.165.201.1, router R2 must

translate the address. In this case, IP address 209.165.200.226 is used as the inside global

address for PC1.

Outside global address - Reachable IP address assigned to a host on the Internet. For example,

the web server is reachable at IP address 209.165.201.1.

Outside local address - The local IP address assigned to a host on the outside network. In most

situations, this address will be identical to the outside global address of that outside device.

Note: The "inside" of a NAT configuration is not synonymous with private addresses as defined by RFC

1918. What we call "non-routable" addresses are not always unroutable. An administrator can configure

any router to pass traffic over private subnets. However, if they try to pass a packet to the ISP for any

private address, the ISP drops it. Non-routable means not routable on the Internet.


http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_4-4/regional_internet_registries.html

http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_4-4/regional_internet_registries.html

Dynamic Mapping and Static Mapping

There are two types of NAT translation: dynamic and static.

Dynamic NAT uses a pool of public addresses and assigns them on a first-come, first-served basis. When

a host with a private IP address requests access to the Internet, dynamic NAT chooses an IP address

from the pool that is not already in use by another host. This is the mapping described so far.

Static NAT uses a one-to-one mapping of local and global addresses, and these mappings remain

constant. Static NAT is particularly useful for web servers or hosts that must have a consistent address

that is accessible from the Internet. These internal hosts may be enterprise servers or networking

devices.

Both static and dynamic NAT require that enough public addresses are available to satisfy the total

number of simultaneous user sessions.

Note: For another look at how dynamic NAT works, go to http://www.cisco.com/warp/public /

556/nat.swf.

NAT Overload

NAT overloading (sometimes called Port Address Translation or PAT) maps multiple private IP addresses

to a single public IP address or a few addresses. With NAT overloading, multiple addresses can be

mapped to one or to a few addresses because each private address is also tracked by a port number.

When a client opens a TCP/IP session, the NAT router assigns a port number to its source address. NAT

overload ensures that clients use a different TCP port number for each client session with a server on

the Internet. When a response comes back from the server, the source port number, which becomes the

destination port number on the return trip, determines to which client the router routes the packets. It

also validates that the incoming packets were requested, thus adding a degree of security to the session.

Using Next Available Port: NAT overload attempts to preserve the original source port. However, if this

source port is already used, NAT overload assigns the first available port number starting from the

beginning of the appropriate port group 0-511, 512-1023, or 1024-65535. When there are no more ports

available and there is more than one external IP address configured, NAT overload moves to the next IP

address to try to allocate the original source port again. This process continues until it runs out of

available ports and external IP addresses.

Differences Between NAT and NAT Overload

Summarizing the differences between NAT and NAT overload will help your understanding. NAT

generally only translates IP addresses on a 1:1 correspondence between publicly exposed IP addresses

and privately held IP addresses. NAT overload modifies both the private IP address and port number of

the sender. NAT overload chooses the port numbers seen by hosts on the public network.


http://www.cisco.com/warp/public%20/%20556/nat.swf

http://www.cisco.com/warp/public%20/%20556/nat.swf

NAT routes incoming packets to their inside destination by referring to the incoming source IP address

given by the host on the public network. With NAT overload, there is generally only one or a very few

publicly exposed IP addresses. Incoming packets from the public network are routed to their

destinations on the private network by referring to a table in the NAT overload device that tracks public

and private port pairs. This is called connection tracking.

NAT Benefits:

Conserves the legally registered addressing scheme

Increases the flexibility of connections to the public network

Provides consistency for internal network addressing schemes.

Provides network security

NAT conserves the legally registered addressing scheme by allowing the privatization of intranets. NAT

conserves addresses through application port-level multiplexing. With NAT overload, internal hosts can

share a single public IP address for all external communications. In this type of configuration, very few

external addresses are required to support many internal hosts.

NAT increases the flexibility of connections to the public network. Multiple pools, backup pools, and

load-balancing pools can be implemented to ensure reliable public network connections.

NAT provides consistency for internal network addressing schemes. On a network without private IP

addresses and NAT, changing public IP addresses requires the renumbering of all hosts on the existing

network. The costs of renumbering hosts can be significant. NAT allows the existing scheme to remain

while supporting a new public addressing scheme. This means an organization could change ISPs and not

need to change any of its inside clients.

NAT provides network security. Because private networks do not advertise their addresses or internal

topology, they remain reasonably secure when used in conjunction with NAT to gain controlled external

access. However, NAT does not replace firewalls.

NAT Drawbacks:

Performance is degraded

End-to-end functionality is degraded

End-to-end IP traceability is lost

Tunneling is more complicated

Initiating TCP connections can be disrupted

Architectures need to be rebuilt to accommodate changes

The first disadvantage affects performance. NAT increases switching delays because the translation of

each IP address within the packet headers takes time. The first packet is process-switched, meaning it

always goes through the slower path. The router must look at every packet to decide whether it needs

translation. The router needs to alter the IP header, and possibly alter the TCP or UDP header.


Remaining packets go through the fast-switched path if a cache entry exists; otherwise, they too are

delayed.

Many Internet protocols and applications depend on end-to-end functionality, with unmodified packets

forwarded from the source to the destination. By changing end-to-end addresses, NAT prevents some

applications that use IP addressing. For example, some security applications, such as digital signatures,

fail because the source IP address changes. Applications that use physical addresses instead of a

qualified domain name do not reach destinations that are translated across the NAT router. Sometimes,

this problem can be avoided by implementing static NAT mappings.

End-to-end IP traceability is also lost. It becomes much more difficult to trace packets that undergo

numerous packet address changes over multiple NAT hops, making troubleshooting challenging. On the

other hand, hackers who want to determine the source of a packet find it difficult to trace or obtain the

original source or destination address.

Using NAT also complicates tunneling protocols, such as IPsec, because NAT modifies values in the

headers that interfere with the integrity checks done by IPsec and other tunneling protocols.

Services that require the initiation of TCP connections from the outside network, or stateless protocols

such as those using UDP, can be disrupted. Unless the NAT router makes a specific effort to support such

protocols, incoming packets cannot reach their destination. Some protocols can accommodate one

instance of NAT between participating hosts (passive mode FTP, for example), but fail when both

systems are separated from the Internet by NAT.

Static NAT

Remember that static NAT is a one-to-one mapping between an inside address and an outside address.

Static NAT allows connections initiated by external devices to inside devices. For instance, you may want

to map an inside global address to a specific inside local address that is assigned to your web server.

Configuring static NAT translations is a simple task. You need to define the addresses to translate and

then configure NAT on the appropriate interfaces. Packets arriving on an inside interface from the

identified IP address are subject to translation. Packets arriving on an outside interface addressed to the

identified IP address are subject to translation.

Configuring Dynamic NAT

To configure dynamic NAT, you need an ACL to permit only those addresses that are to be translated.

When developing your ACL, remember there is an implicit "deny all" at the end of each ACL. An ACL that

is too permissive can lead to unpredictable results. Cisco advises against configuring access contol lists

referenced by NAT commands with the permit any command. Using permit any can result in NAT

consuming too many router resources, which can cause network problems.


Steps:

1. Define a pool of global addresses to be allocated as needed.

Router(config)#ip nat pool name start-ip end-ip {netmask netmask|prefix-length prefix-length}

2. Define a standard access list permitting those addresses that are to be translated.

Router(config)#access-list access-list-number permit source [source-wildcard]

3. Establish dynamic source translation, specifying the access list defined in the prior step.

Router(config)#ip nat inside source list access-list-number pool name

4. Specify the inside interface.

Router(config)#interface type number

5. Mark the interface as connected to the inside.

Router(config-if)#ip nat inside

6. Specify the outside interface.


7. Mark the interface as connected to the outside.

Router(config-if)#ip nat outside

Configuration TIPs:

Enter the global command no ip nat pool name to remove the pool of global addresses before configuring NAT

Enter the global command no access-list access-list-number to remove the access list before configuring NAT

Configuring NAT Overload for a Single Public IP Address

Steps:


Router(config)#access-list acl-number permit source [source-wildcard]

2. Establish dynamic source translation, specifying the access list defined in the prior step.

Router(config)#ip nat inside source list acl-number interface interface overload





Router(config-if)#interface type number



Configuration TIPs:

Enter the global command no access-list access-list-number to remove the access list.

Enter the global command no ip nat inside source to remove the dynamic source

translation. The overload keyword enables PAT.

The configuration is similar to dynamic NAT, except that instead of a pool of addresses, the interface keyword is used to identify the outside IP address. Therefore, no NAT pool is defined. The overload keyword enables the addition of the port number to the translation.

Configuring NAT Overload for a Pool of Public IP Addresses

Steps:


Router(config)#access-list acl-number permit source [source-wildcard]

2. Specify the global address, as a pool, to be used for overloading.

Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}.

3. Establish overload translation.

Router {config}#ip nat inside source list acl-number pool name overload.





Router(config-if)#interface type number


Port Forwarding

Port forwarding (sometimes referred to as tunneling) is the act of forwarding a network port from one network node to another. This technique can allow an external user to reach a port on a private IP address (inside a LAN) from the outside through a NAT-enabled router.

Typically, peer-to-peer file-sharing programs and key operations, such as web serving and outgoing FTP, require that router ports be forwarded or opened to allow these applications to work. Because NAT hides internal addresses, peer-to-peer only works from the inside out where NAT can map register outgoing requests against incoming replies. The problem is that NAT does not allow requests initiated from the outside. This situation can be resolved with manual intervention. Port forwarding allows you to identify specific ports that can be forwarded to inside hosts.

Configuring Port Forwarding

Port forwarding allows users on the Internet to access internal servers by using the WAN port address and the matched external port number.


When users send these types of requests to your WAN port IP address via the Internet, the router forwards those requests to the appropriate servers on your LAN. For security reasons, broadband routers do not by default permit any external network request to be forwarded to an inside host.

The approach you take to configure port forwarding depends on the brand and model of the broadband router in the network. However, there are some generic steps to follow. If the instructions supplied by your ISP or that came with the router do not provide adequate guidance, the website www.portforward.com provides guides for several broadband routers. You can follow the instructions to add or delete ports as required to meet the needs of any applications you want to allow or deny.

Verifying NAT and NAT Overload

It is important to verify NAT operation. There are several useful router commands to view and clear NAT translations:

1. show ip nat translations - Before using the show commands to verify NAT, you must clear any dynamic translation entries that might still be present, because by default, dynamic address translations time out from the NAT translation table after a period of non-use.

2. show ip nat translations verbose - This command displays the details of NAT assignments. Adding verbose to the command displays additional information about each translation, including how long ago the entry was created and used.

3. show ip nat statistics - This command displays information about the total number of active translations, NAT configuration parameters, how many addresses are in the pool, and how many have been allocated.

4. show run - Use this command and look for NAT, access command list, interface, or pool commands with the required values. Examine these carefully and correct any errors you discover.

5. ip nat translation timeout timeout_ second - By default, translation entries time out after 24 hours, unless the timers have been reconfigured with this command (global command).

6. To clear dynamic entries before the timeout has expired, use the clear ip nat translation global command.

Troubleshooting NAT and NAT Overload Configuration When you have IP connectivity problems in a NAT environment, it is often difficult to determine the cause of the problem. The first step in solving your problem is to rule out NAT as the cause. Follow these steps to verify that NAT is operating as expected:

Step 1. Based on the configuration, clearly define what NAT is supposed to achieve. This may reveal a problem with the configuration.

Step 2. Verify that correct translations exist in the translation table using the show ip nat translations command.

Step 3. Use the clear and debug commands to verify that NAT is operating as expected. Check to see if dynamic entries are recreated after they are cleared.

Step 4. Review in detail what is happening to the packet, and verify that routers have the correct routing information to move the packet.

Use the debug ip nat command to verify the operation of the NAT feature by displaying information about every packet that is translated by the router. The debug ip nat detailed command generates a


description of each packet considered for translation. This command also outputs information about certain errors or exception conditions, such as the failure to allocate a global address.

When decoding the debug output, note what the following symbols and values indicate:

* - The asterisk next to NAT indicates that the translation is occurring in the fast-switched path. The first packet in a conversation is always process-switched, which is slower. The remaining packets go through the fast-switched path if a cache entry exists.

s = - Refers to the source IP address.

a.b.c.d--->w.x.y.z - Indicates that source address a.b.c.d is translated to w.x.y.z.

d= - Refers to the destination IP address.

[xxxx] - The value in brackets is the IP identification number. This information may be useful for debugging in that it enables correlation with other packet traces from protocol analyzers.

You can view the following demonstrations about verifying and troubleshooting NAT at these sites:

Flash Animation Case Study: Can Ping Host, but Cannot Telnet: This is a seven-minute Flash animation on why a device can ping the host, but cannot telnet: http://www.cisco.com/warp/public/556/index.swf.

Flash Animation Case Study: Cannot Ping Beyond NAT: This is a ten-minute Flash animation on why a device cannot ping beyond NAT: http://www.cisco.com/ warp/public/ 556/ TS_NATcase2/Index.swf.

Reasons for Using IPv6

Enhanced IP addressing:

Global reachability and flexibility

Aggregation

Multihoming

Autoconfiguration

Plug-and-play

End-to-end without NAT

Renumbering

Mobility and security:

Mobile IP RFC-compliant

IPsec mandatory (or native) for IPv6

Simple header:

Routing efficiency

Performance and forwarding rate scalability

No broadcasts


http://www.cisco.com/

No checksums

Extension headers

Flow labels

Transition richness:

Dual-stack

6to4 and manual tunnels

Translation

Transition Richness

IPv4 will not disappear overnight. Rather, it will coexist with and then gradually be replaced by IPv6. For this reason, IPv6 was delivered with migration techniques to cover every conceivable IPv4 upgrade case. However, many were ultimately rejected by the technology community.

Currently, there are three main approaches:

1. Dual stack 2. 6to4 tunneling 3. NAT-PT, ISATAP tunneling, and Teredo tunneling (last resort methods)

Note: The current advice for transitioning to IPv6 is "Dual stack where you can, tunnel where you must!"

The figure shows the address 2031:0000:130F:0000:0000:09C0:876A:130B. IPv6 does not require explicit address string notation. The figure shows how to shorten the address by applying the following guidelines:

Leading zeros in a field are optional. For example, the field 09C0 equals 9C0, and the field 0000 equals 0. So 2031:0000:130F:0000:0000:09C0:876A:130B can be written as 2031:0:130F:0000:0000:9C0:876A:130B.

Successive fields of zeros can be represented as two colons "::". However, this shorthand method can only be used once in an address. For example 2031:0:130F:0000:0000:9C0:876A:130B can be written as 2031:0:130F::9C0:876A:130B.

An unspecified address is written as "::" because it contains only zeros.

IPv6 Global Unicast Address

IPv6 has an address format that enables aggregation upward eventually to the ISP. Global unicast addresses typically consists of a 48-bit global routing prefix and a 16-bit subnet ID. Individual organizations can use a 16-bit subnet field to create their own local addressing hierarchy. This field allows an organization to use up to 65,535 individual subnets.

Note: Private addresses have a first octet value of "FE" in hexadecimal notation, with the next hexadecimal digit being a value from 8 to F.

These addresses are further divided into two types, based upon their scope:

Site-local addresses: are addresses similar to the RFC 1918 Address Allocation for Private Internets in IPv4 today. However, the use of site-local addresses is problematic and is being


deprecated as of 2003 by RFC 3879. In hexadecimal, site-local addresses begin with "FE" and then "C" to "F" for the third hexadecimal digit. So, these addresses begin with "FEC", "FED", "FEE", or "FEF".

Link-local addresses: are new to the concept of addressing with IP in the Network layer. These addresses have a smaller scope than site-local addresses; they refer only to a particular physical link (physical network). Routers do not forward datagrams using link-local addresses at all, not even within the organization; they are only for local communication on a particular physical network segment.

The IPv6 is broken down by bits and represents different Entities involved with a slash number similar to CIDR:

/23 = Represents the Registry, that assigned the IP Block, Prefix

/32 = The ISP Prefix

/48 = The Site Prefix

/64 = The Subnet Prefix

Loopback Address

Just as in IPv4, a provision has been made for a special loopback IPv6 address for testing; datagrams sent to this address "loop back" to the sending device. However, in IPv6 there is just one address, not a whole block, for this function. The loopback address is 0:0:0:0:0:0:0:1, which is normally expressed using zero compression as "::1".

Unspecified Address

In IPv4, an IP address of all zeroes has a special meaning; it refers to the host itself, and is used when a device does not know its own address.

IPv6 Address Management

IPv6 addresses use interface identifiers to identify interfaces on a link. Think of them as the host portion of an IPv6 address. Interface identifiers are required to be unique on a specific link. Interface identifiers are always 64 bits and can be dynamically derived from a Layer 2 address (MAC).

You can assign an IPv6 address ID statically or dynamically:

Static assignment using a manual interface ID

Static assignment using an EUI-64 interface ID

Stateless auto-configuration Dynamic

DHCP for IPv6 (DHCPv6) Dynamic

To configure an IPv6 address on a Cisco router interface, use the ipv6 address ipv6-address/prefix-length command in interface configuration mode. The following example shows the assignment of an IPv6 address to the interface of a Cisco router:

Router(config-if)#ipv6 address 2001:DB8:2222:7272::72/64

EUI-64 Interface ID Assignment

Another way to assign an IPv6 address is to configure the prefix (network) portion of the IPv6 address


and derive the interface ID (host) portion from the Layer 2 MAC address of the device, which is known as the EUI-64 interface ID.

DHCPv6 (Stateful)

DHCPv6 enables DHCP servers to pass configuration parameters, such as IPv6 network addresses, to IPv6 nodes. It offers the capability of automatic allocation of reusable network addresses and additional configuration flexibility.

IPv6 Transition Strategies

The transition from IPv4 does not require upgrades on all nodes at the same time. Many transition mechanisms enable smooth integration of IPv4 and IPv6.

Recall the advice: "Dual stack where you can, tunnel where you must." These two methods are the most common techniques to transition from IPv4 to IPv6.

Dual Stacking

Dual stacking is an integration method in which a node has implementation and connectivity to both an IPv4 and IPv6 network. This is the recommended option and involves running IPv4 and IPv6 at the same time. Router and switches are configured to support both protocols, with IPv6 being the preferred protocol.

Tunneling

The second major transition technique is tunneling. There are several tunneling techniques available, including:

Manual IPv6-over-IPv4 tunneling - An IPv6 packet is encapsulated within the IPv4 protocol. This method requires dual-stack routers.

Dynamic 6to4 tunneling - Automatically establishes the connection of IPv6 islands through an IPv4 network, typically the Internet. It dynamically applies a valid, unique IPv6 prefix to each IPv6 island, which enables the fast deployment of IPv6 in a corporate network without address retrieval from the ISPs or registries.

NAT-Protocol Translation (NAT-PT)

Cisco IOS Release 12.3(2)T and later (with the appropriate feature set) also include NAT-PT between IPv6 and IPv4. This translation allows direct communication between hosts that use different versions of the IP protocol. These translations are more complex than IPv4 NAT. At this time, this translation technique is the least favorable option and should be used as a last resort.

Cisco IOS Dual Stack

Dual stacking is an integration method that allows a node to have connectivity to an IPv4 and IPv6 network simultaneously. Each node has two protocol stacks with the configuration on the same interface or on multiple interfaces.

A new application programming interface (API) has been defined to support IPv4 and IPv6 addresses and DNS requests. An API facilitates the exchange of messages or data between two or more different software applications. An example of an API is the virtual interface between two software functions,


such as a word processor and a spreadsheet. The API is built into software applications to translate IPv4 into IPv6, and vice versa using the IP conversion mechanism. New applications can use both IPv4 and IPv6.

Cisco IOS Release 12.2(2)T and later (with the appropriate feature set) are IPv6-ready. As soon as you configure basic IPv4 and IPv6 on the interface, the interface is dual-stacked and forwards IPv4 and IPv6 traffic on that interface. Note that an IPv4 and an IPv6 address have been configured.

Using IPv6 on a Cisco IOS router requires that you use the global configuration command ipv6 unicast-routing. This command enables the forwarding of IPv6 datagrams.

You must configure all interfaces that forward IPv6 traffic with an IPv6 address using the ipv6 addressIPv6-address [/prefix length] interface command.

IPv6 Tunneling

Tunneling is an integration method where an IPv6 packet is encapsulated within another protocol, such as IPv4. This method enables the connection of IPv6 islands without needing to convert the intermediary networks to IPv6. When IPv4 is used to encapsulate the IPv6 packet, a protocol type of 41 is specified in the IPv4 header, and the packet includes a 20-byte IPv4 header with no options and an IPv6 header and payload. It also requires dual-stack routers.

Tunneling presents these two issues.

The maximum transmission unit (MTU) is effectively decreased by 20 octets if the IPv4 header does not contain any optional fields.

In addition, a tunneled network is often difficult to troubleshoot.

Note: Tunneling is an intermediate integration and transition technique and should not be considered as a final solution. A native IPv6 architecture should be the ultimate goal.

Manually Configured IPv6 Tunnel

Administrators manually configure a static IPv6 address on a tunnel interface, and assign manually configured static IPv4 addresses to the tunnel source and the tunnel destination. The host or router at each end of a configured tunnel must support both the IPv4 and IPv6 protocol stacks. Manually configured tunnels can be configured between border routers or between a border router and a host.

Routing Configurations with IPv6

Like IPv4 classless interdomain routing (CIDR), IPv6 uses longest prefix match routing. IPv6 uses modified versions of most of the common routing protocols to handle longer IPv6 addresses and different header structures.

A brief review of how a router functions in a network helps illustrate how IPv6 affects routing. Conceptually, a router has three functional areas:

The control plane handles the interaction of the router with the other network elements, providing the information needed to make decisions and control the overall router operation.


This plane runs processes such as routing protocols and network management. These functions are generally complex.

The data plane handles packet forwarding from one physical or logical interface to another. It involves different switching mechanisms such as process switching and Cisco Express Forwarding (CEF) on Cisco IOS software routers.

Enhanced services include advanced features applied when forwarding data, such as packet filtering, quality of service (QoS), encryption, translation, and accounting.

IPv6 Control Plane

Enabling IPv6 on a router starts its CONTROL PLANE operating processes specifically for IPv6. Protocol characteristics shape the performance of these processes and the amount of resources necessary to operate them:

IPv6 address size - Address size affects the information-processing functions of a router. Systems using a 64-bit CPU, bus, or memory structure can pass both the IPv4 source and destination address in a single processing cycle. For IPv6, the source and destination addresses require two cycles each-four cycles to process source and destination address information. As a result, routers relying exclusively on software processing are likely to perform slower than when in an IPv4 environment.

Multiple IPv6 node addresses - Because IPv6 nodes can use several IPv6 unicast addresses, memory consumption of the Neighbor Discovery cache may be affected.

IPv6 routing protocols - IPv6 routing protocols are similar to their IPv4 counterparts, but since an IPv6 prefix is four times larger than an IPv4 prefix, routing updates have to carry more information.

Routing table Size -Increased IPv6 address space leads to larger networks and a much larger Internet. This implies larger routing tables and higher memory requirements to support them.

IPv6 Data Plane

The DATA PLANE forwards IP packets based on the decisions made by the control plane. The forwarding engine parses the relevant IP packet information and does a lookup to match the parsed information against the forwarding policies defined by the control plane. IPv6 affects the performance of parsing and lookup functions:

Parsing IPv6 extension headers - Applications, including mobile IPv6, often use IPv6 address information in extension headers, thus increasing their size. These additional fields require additional processing. For example, a router using ACLs to filter Layer 4 information needs to apply the ACLs to packets with extension headers as well as those without. If the length of the extension header exceeds the fixed length of the hardware register of the router, hardware switching fails, and packets may be punted to software switching or dropped. This severely affects the forwarding performance of the router.

IPv6 address lookup - IPv6 performs a lookup on packets entering the router to find the correct output interface. In IPv4, the forwarding decision process parses a 32-bit destination address. In IPv6, the forwarding decision could conceivably require parsing a 128-bit address. Most routers today perform lookups using an application-specific integrated circuit (ASIC) with a fixed configuration that performs the functions for which it was originally designed - IPv4. Again, this could result in punting packets into slower software processing, or dropping them all together.


RIPNg Routing Protocol IPv6 routes use the same protocols and techniques as IPv4. Although the addresses are longer, the protocols used in routing IPv6 are simply logical extensions of the protocols used in IPv4. RFC 2080 defines Routing Information Protocol next generation (RIPng) as a simple routing protocol based on RIP. RIPng is no more or less powerful than RIP, however, it provides a simple way to bring up an IPv6 network without having to build a new routing protocol. RIPng is a distance vector routing protocol with a limit of 15 hops that uses split horizon and poison reverse updates to prevent routing loops. Its simplicity comes from the fact that it does not require any global knowledge of the network. Only neighboring routers exchange local messages. RIPng includes the following features:

Based on IPv4 RIP version 2 (RIPv2) and is similar to RIPv2

Uses IPv6 for transport

Includes the IPv6 prefix and next-hop IPv6 address

Uses the multicast group FF02::9 as the destination address for RIP updates (this is similar to the broadcast function performed by RIP in IPv4)

Sends updates on UDP port 521

Is supported by Cisco IOS Release 12.2(2)T and later

Note: In dual-stacked deployments, both RIP and RIPng are required.

Enabling IPv6 on Cisco Routers

To activate it between interfaces, you must configure the global command ipv6 unicast-routing.

The ipv6 address command can configure a global IPv6 address. The link-local address is automatically configured when an address is assigned to the interface. You must specify the entire 128-bit IPv6 address or specify to use the 64-bit prefix by using the eui-64 option.

RouterX(config)#ipv6 unicast-routing - Enables IPv6 on Cisco Routers RouterX(config-if)#ipv6 address ipv6prefix/prefix-length eui-64 - Configures the interface IPv6

addresses

Note: You can completely specify the IPv6 address or compute the host identifier (rightmost 64 bits) from the EUI-64 identifier of the interface.

Configure RIPng with IPv6

When configuring supported routing protocols in IPv6, you must create the routing process, enable the routing process on interfaces, and customize the routing protocol for your particular network.

To enable RIPng routing on the router, use the ipv6 router rip name global configuration command. The name parameter identifies the RIP process. This process name is used later when configuring RIPng on participating interfaces.


For RIPng, instead of using the network command to identify which interfaces should run RIPng, you use the command ipv6 rip name enable in interface configuration mode to enable RIPng on an interface. The name parameter must match the name parameter in the ipv6 router rip comman

Cisco IOS IPv6 Name Resolution

There are two ways to perform name resolution from the Cisco IOS software process:

1. Define a static name for an IPv6 address using the ipv6 host name [port] ipv6-address1 [ipv6-address2...ipv6-address4] command. You can define up to four IPv6 addresses for one hostname. The port option refers to the Telnet port to be used for the associated host. Configuration Commands:

RouterX(config)#ipv6 host name [port] ipv6addr [{ipv6addr} ...] - Define a static name for IPv6 addresses

RouterX(config)#ipv6 host router1 3ffe:b00:ffff:b::1 - Define a static name for IPv6

2. Specify the DNS server used by the router with the ip name-server address command. The address can be an IPv4 or IPv6 address. You can specify up to six DNS servers with this command. Configuration Commands:

RouterX(config)#ip name-server address - Configure a DNS server or servers to query

RouterX(config)#ip name-server 3ffe:b00:ffff:1::10 - Configure a DNS server or servers to query

Verifying Troubleshooting RIPng for IPv6

Look up commands on the internet


All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 17

Todd Hamilton CIS-143(4365), NetLab

Lab 7.4.1: Basic DHCP and NAT Configuration

Topology Diagram

Addressing Table

Device Interface IP Address Subnet Mask

R1

S0/0/0 10.1.1.1 255.255.255.252

Fa0/0 192.168.10.1 255.255.255.0

Fa0/1 192.168.11.1 255.255.255.0

R2

S0/0/0 10.1.1.2 255.255.255.252

S0/0/1 209.165.200.225 255.255.255.252

Fa0/0 192.168.20.254 255.255.255.0

ISP S0/0/1 209.165.200.226 255.255.255.252

Learning Objectives

Upon completion of this lab, you will be able to:

Prepare the network.

Perform basic router configurations.

Configure a Cisco IOS DHCP server.


CCNA Exploration Accessing the WAN: IP Addressing Services Lab 7.4.1: Basic DHCP and NAT Configuration


Configure static and default routing.

Configure static NAT.

Configure dynamic NAT with a pool of addresses.

Configure NAT overload.

Scenario

In this lab, you will configure the DHCP and NAT IP services. One router is the DHCP server. The other router forwards DHCP requests to the server. You will also configure both static and dynamic NAT configurations, including NAT overload. When you have completed the configurations, verify the connectivity between the inside and outside addresses.

Task 1: Prepare the Network

Step 1: Cable a network that is similar to the one in the topology diagram.

You can use any current router in your lab as long as it has the required interfaces shown in the topology.

Note: If you use a 1700, 2500, or 2600 series router, the router outputs and interface descriptions may look different. On older routers some commands may be different, or not exist.

Step 2: Clear all existing configurations on the routers.

Task 2: Perform Basic Router Configurations

Configure the R1, R2, and ISP routers according to the following guidelines:

Configure the device hostname.

Disable DNS lookup.

Configure a privileged EXEC mode password.

Configure a message-of-the-day banner.

Configure a password for the console connections.

Configure a password for all vty connections.

Configure IP addresses on all routers. The PCs receive IP addressing from DHCP later in the lab.

Enable OSPF with process ID 1 on R1 and R2. Do not advertise the 209.165.200.224/27 network.

Note: Instead of attaching a server to R2, you can configure a loopback interface on R2 to use the IP address 192.168.20.254/24. If you do this, you do not need to configure the Fast Ethernet interface.

Task 3: Configure PC1 and PC2 to receive an IP address through DHCP

On a Windows PC go to Start -> Control Panel -> Network Connections -> Local Area Connection. Right mouse click on the Local Area Connection and select Properties.




Scroll down and highlight Internet Protocol (TCP/IP). Click on the Properties button.

Make sure the button is selected that says Obtain an IP address automatically.




Once this has been done on both PC1 and PC2, they are ready to receive an IP address from a DHCP server.

Task 4: Configure a Cisco IOS DHCP Server

Cisco IOS software supports a DHCP server configuration called Easy IP. The goal for this lab is to have devices on the networks 192.168.10.0/24 and 192.168.11.0/24 request IP addresses via DHCP from R2.

Step 1: Exclude statically assigned addresses.

The DHCP server assumes that all IP addresses in a DHCP address pool subnet are available for assigning to DHCP clients. You must specify the IP addresses that the DHCP server should not assign to clients. These IP addresses are usually static addresses reserved for the router interface, switch management IP address, servers, and local network printer. The ip dhcp excluded-address command prevents the router from assigning IP addresses within the configured range. The following commands exclude the first 10 IP addresses from each pool for the LANs attached to R1. These addresses will not be assigned to any DHCP clients.

R2(config)#ip dhcp excluded-address 192.168.10.1 192.168.10.10

R2(config)#ip dhcp excluded-address 192.168.11.1 192.168.11.10

Step 2: Configure the pool.

Create the DHCP pool using the ip dhcp pool command and name it R1Fa0.

R2(config)#ip dhcp pool R1Fa0

Specify the subnet to use when assigning IP addresses. DHCP pools automatically associate with an interface based on the network statement. The router now acts as a DHCP server, handing out addresses in the 192.168.10.0/24 subnet starting with 192.168.10.1.

R2(dhcp-config)#network 192.168.10.0 255.255.255.0

Configure the default router and domain name server for the network. Clients receive these settings via DHCP, along with an IP address.

R2(dhcp-config)#dns-server 192.168.11.5

R2(dhcp-config)#default-router 192.168.10.1

Note: There is not a DNS server at 192.168.11.5. You are configuring the command for practice only.

Because devices from the network 192.168.11.0/24 also request addresses from R2, a separate pool must be created to serve devices on that network. The commands are similar to the commands shown above:

R2(config)#ip dhcp pool R1Fa1

R2(dhcp-config)#network 192.168.11.0 255.255.255.0

R2(dhcp-config)#dns-server 192.168.11.5

R2(dhcp-config)#default-router 192.168.11.1

Step 3: Test DHCP

On PC1 and PC2 test whether each has received an IP address automatically. On each PC go to Start -> Run -> cmd -> ipconfig

What are the results of your test? There are no IP addresses configured on either PC1 or PC2.




Why are these the results? These are the results because DHCP requests are not routable and therefore they aren’t sent to the router R2.

Step 4: Configure a helper address.

Network services such as DHCP rely on Layer 2 broadcasts to function. When the devices providing these services exist on a different subnet than the clients, they cannot receive the broadcast packets. Because the DHCP server and the DHCP clients are not on the same subnet, configure R1 to forward DHCP broadcasts to R2, which is the DHCP server, using the ip helper-address interface configuration command.

Notice that ip helper-address must be configured on each interface involved.

R1(config)#interface fa0/0

R1(config-if)#ip helper-address 10.1.1.2

R1(config)#interface fa0/1

R1(config-if)#ip helper-address 10.1.1.2

Step 5: Release and Renew the IP addresses on PC1 and PC2

Depending upon whether your PCs have been used in a different lab, or connected to the internet, they may already have learned an IP address automatically from a different DHCP server. We need to clear this IP address using the ipconfig /release and ipconfig /renew commands.

Step 6: Verify the DHCP configuration.

You can verify the DHCP server configuration in several different ways. Issue the command ipconfig on PC1 and PC2 to verify that they have now received an IP address dynamically. You can then issue commands on the router to get more information. The show ip dhcp binding command provides information on all currently assigned DHCP addresses. For instance, the following output shows that the IP address 192.168.10.11 has been assigned to MAC address 3031.632e.3537.6563. The IP lease expires on September 14, 2007 at 7:33 p.m.

R1#show ip dhcp binding

Bindings from all pools not associated with VRF:

IP address Client-ID/ Lease expiration Type

Hardware address/

User name

192.168.10.11 0063.6973.636f.2d30. Sep 14 2007 07:33 PM Automatic

3031.632e.3537.6563.




2e30.3634.302d.566c.

31

The show ip dhcp pool command displays information on all currently configured DHCP pools on the router. In this output, the pool R1Fa0 is configured on R1. One address has been leased from this pool. The next client to request an address will receive 192.168.10.12.

R2#show ip dhcp pool

Pool R1Fa0 :

Utilization mark (high/low) : 100 / 0

Subnet size (first/next) : 0 / 0

Total addresses : 254

Leased addresses : 1

Pending event : none

1 subnet is currently in the pool :

Current index IP address range Leased addresses

192.168.10.12 192.168.10.1 - 192.168.10.254 1

The debug ip dhcp server events command can be extremely useful when troubleshooting DHCP leases with a Cisco IOS DHCP server. The following is the debug output on R1 after connecting a host. Notice that the highlighted portion shows DHCP giving the client an address of 192.168.10.12 and mask of 255.255.255.0

*Sep 13 21:04:18.072: DHCPD: Sending notification of DISCOVER:

*Sep 13 21:04:18.072: DHCPD: htype 1 chaddr 001c.57ec.0640

*Sep 13 21:04:18.072: DHCPD: remote id 020a0000c0a80b01010000000000

*Sep 13 21:04:18.072: DHCPD: circuit id 00000000

*Sep 13 21:04:18.072: DHCPD: Seeing if there is an internally specified pool

class:


*Sep 13 21:04:18.072: DHCPD: remote id 020a0000c0a80b01010000000000


*Sep 13 21:04:18.072: DHCPD: there is no address pool for 192.168.11.1.

*Sep 13 21:04:18.072: DHCPD: Sending notification of DISCOVER:

R1#


*Sep 13 21:04:18.072: DHCPD: remote id 020a0000c0a80a01000000000000


*Sep 13 21:04:18.072: DHCPD: Seeing if there is an internally specified pool

class:


*Sep 13 21:04:18.072: DHCPD: remote id 020a0000c0a80a01000000000000


R1#

*Sep 13 21:04:20.072: DHCPD: Adding binding to radix tree (192.168.10.12)

*Sep 13 21:04:20.072: DHCPD: Adding binding to hash tree

*Sep 13 21:04:20.072: DHCPD: assigned IP address 192.168.10.12 to client

0063.6973.636f.2d30.3031.632e.3537.6563.2e30.3634.302d.566c.31.

*Sep 13 21:04:20.072: DHCPD: Sending notification of ASSIGNMENT:

*Sep 13 21:04:20.072: DHCPD: address 192.168.10.12 mask 255.255.255.0


*Sep 13 21:04:20.072: DHCPD: lease time remaining (secs) = 86400

*Sep 13 21:04:20.076: DHCPD: Sending notification of ASSIGNMENT:

*Sep 13 21:04:20.076: DHCPD: address 192.168.10.12 mask 255.255.255.0

R1#


*Sep 13 21:04:20.076: DHCPD: lease time remaining (secs) = 86400




Task 5: Configure Static and Default Routing

ISP uses static routing to reach all networks beyond R2. However, R2 translates private addresses into public addresses before sending traffic to ISP. Therefore, ISP must be configured with the public addresses that are part of the NAT configuration on R2. Enter the following static route on ISP:

ISP(config)#ip route 209.165.200.240 255.255.255.240 serial 0/0/1

This static route includes all addresses assigned to R2 for public use.

Configure a default route on R2 and propagate the route in OSPF.

R2(config)#ip route 0.0.0.0 0.0.0.0 209.165.200.226

R2(config)#router ospf 1

R2(config-router)#default-information originate

Allow a few seconds for R1 to learn the default route from R2 and then check the R1 routing table. Alternatively, you can clear the routing table with the clear ip route * command. A default route pointing to R2 should appear in the R1 routing table. Note that the static route that is configured on the ISP only routes to the public addresses that the R1 hosts will use after NAT is configured on R2. Until NAT is configured, the static route will lead to an unknown network, causing the pings from R1 to fail.

Task 6: Configure Static NAT

Step 1: Statically map a public IP address to a private IP address.

The inside server attached to R2 is accessible by outside hosts beyond ISP. Statically assign the public IP address 209.165.200.254 as the address for NAT to use to map packets to the private IP address of the inside server at 192.168.20.254.

R2(config)#ip nat inside source static 192.168.20.254 209.165.200.254

Step 2: Specify inside and outside NAT interfaces.

Before NAT can work, you must specify which interfaces are inside and which interfaces are outside.

R2(config)#interface serial 0/0/1

R2(config-if)#ip nat outside

R2(config-if)#interface fa0/0

R2(config-if)#ip nat inside

Note: If using a simulated inside server, assign the ip nat inside command to the loopback interface.

Step 3: Verify the static NAT configuration.

From ISP, ping the public IP address 209.165.200.254.

Task 7: Configure Dynamic NAT with a Pool of Addresses

While static NAT provides a permanent mapping between an internal address and a specific public address, dynamic NAT maps private IP addresses to public addresses. These public IP addresses come from a NAT pool.

Step 1: Define a pool of global addresses.

Create a pool of addresses to which matched source addresses are translated. The following command creates a pool named MY-NAT-POOL that translates matched addresses to an available IP address in the 209.165.200.241–209.165.200.246 range.

R2(config)#ip nat pool MY-NAT-POOL 209.165.200.241 209.165.200.246 netmask

255.255.255.248




Step 2: Create an extended access control list to identify which inside addresses are translated.

R2(config)#ip access-list extended NAT

R2(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 any

R2(config-ext-nacl)#permit ip 192.168.11.0 0.0.0.255 any

Step 3: Establish dynamic source translation by binding the pool with the access control list.

A router can have more than one NAT pool and more than one ACL. The following command tells the router which address pool to use to translate hosts that are allowed by the ACL.

R2(config)#ip nat inside source list NAT pool MY-NAT-POOL


You have already specified the inside and outside interfaces for your static NAT configuration. Now add the serial interface linked to R1 as an inside interface.

R2(config)#interface serial 0/0/0

R2(config-if)#ip nat inside

Step 5: Verify the configuration.

Ping ISP from PC1 or the Fast Ethernet interface on R1 using extended ping. Then use the show ip nat translations and show ip nat statistics commands on R2 to verify NAT.

R2#show ip nat translations

Pro Inside global Inside local Outside local Outside global

icmp 209.165.200.241:4 192.168.10.1:4 209.165.200.226:4 209.165.200.226:4

--- 209.165.200.241 192.168.10.1 --- ---

--- 209.165.200.254 192.168.20.254 --- ---

R2#show ip nat statistics

Total active translations: 2 (1 static, 1 dynamic; 0 extended)

Outside interfaces:

Serial0/0/1

Inside interfaces:

Serial0/0/0, Loopback0

Hits: 23 Misses: 3

CEF Translated packets: 18, CEF Punted packets: 0

Expired translations: 3

Dynamic mappings:

-- Inside Source

[Id: 1] access-list NAT pool MY-NAT-POOL refcount 1

pool MY-NAT-POOL: netmask 255.255.255.248

start 209.165.200.241 end 209.165.200.246

type generic, total addresses 6, allocated 1 (16%), misses 0

Queued Packets: 0

To troubleshoot issues with NAT, you can use the debug ip nat command. Turn on NAT debugging and repeat the ping from PC1.

R2#debug ip nat

IP NAT debugging is on

R2#

*Sep 13 21:15:02.215: NAT*: s=192.168.10.11->209.165.200.241, d=209.165.200.226 [25]

*Sep 13 21:15:02.231: NAT*: s=209.165.200.226, d=209.165.200.241->192.168.10.11 [25]

*Sep 13 21:15:02.247: NAT*: s=192.168.10.11->209.165.200.241, d=209.165.200.226 [26]

*Sep 13 21:15:02.263: NAT*: s=209.165.200.226, d=209.165.200.241->192.168.10.11 [26]




*Sep 13 21:15:02.275: NAT*: s=192.168.10.11->209.165.200.241, d=209.165.200.226 [27]

*Sep 13 21:15:02.291: NAT*: s=209.165.200.226, d=209.165.200.241->192.168.10.11 [27]

*Sep 13 21:15:02.307: NAT*: s=192.168.10.11->209.165.200.241, d=209.165.200.226 [28]

*Sep 13 21:15:02.323: NAT*: s=209.165.200.226, d=209.165.200.241->192.168.10.11 [28]

*Sep 13 21:15:02.335: NAT*: s=192.168.10.11->209.165.200.241, d=209.165.200.226 [29]

*Sep 13 21:15:02.351: NAT*: s=209.165.200.226, d=209.165.200.241->192.168.10.11 [29]

R2#

Task 8: Configure NAT Overload

In the previous example, what would happen if you needed more than the six public IP addresses that the pool allows?

Then one of the packets would have been dropped.

By tracking port numbers, NAT overloading allows multiple inside users to reuse a public IP address.

In this task, you will remove the pool and mapping statement configured in the previous task. Then you will configure NAT overload on R2 so that all internal IP addresses are translated to the R2 S0/0/1 address when connecting to any outside device.

Step 1: Remove the NAT pool and mapping statement.

Use the following commands to remove the NAT pool and the map to the NAT ACL.

R2(config)#no ip nat inside source list NAT pool MY-NAT-POOL

R2(config)#no ip nat pool MY-NAT-POOL 209.165.200.241 209.165.200.246 netmask

255.255.255.248

If you receive the following message, clear your NAT translations.

%Pool MY-NAT-POOL in use, cannot destroy

R2#clear ip nat translation *

Step 2: Configure PAT on R2 using the serial 0/0/1 interface public IP address.

The configuration is similar to dynamic NAT, except that instead of a pool of addresses, the interface keyword is used to identify the outside IP address. Therefore, no NAT pool is defined. The overload keyword enables the addition of the port number to the translation.

Because you already configured an ACL to identify which inside IP addresses to translate as well as which interfaces are inside and outside, you only need to configure the following:

R2(config)#ip nat inside source list NAT interface S0/0/1 overload


Ping ISP from PC1 or the Fast Ethernet interface on R1 using extended ping. Then use the show ip nat translations and show ip nat statistics commands on R2 to verify NAT.

R2#show ip nat translations

Pro Inside global Inside local Outside local Outside global

icmp 209.165.200.225:6 192.168.10.11:6 209.165.200.226:6 209.165.200.226:6

--- 209.165.200.254 192.168.20.254 --- ---

R2#show ip nat statistics

Total active translations: 2 (1 static, 1 dynamic; 1 extended)

Outside interfaces:

Serial0/0/1

Inside interfaces:




Serial0/0/0, Loopback0

Hits: 48 Misses: 6

CEF Translated packets: 46, CEF Punted packets: 0

Expired translations: 5

Dynamic mappings:

-- Inside Source

[Id: 2] access-list NAT interface Serial0/0/1 refcount 1

Queued Packets: 0

Note: In the previous task, you could have added the keyword overload to the ip nat inside source list NAT pool MY-NAT-POOL command to allow for more than six concurrent users.

Task 9: Document the Network

On each router, issue the show run command and capture the configurations.

R1#show run

Building configuration...

Current configuration : 1278 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R1

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$PzEf$MYu9t.hPh8SZAbga8fG9K0

!

no aaa new-model

ip cef

!

!

!

!

no ip domain lookup

!

!

!




!

!

!

interface FastEthernet0/0

ip address 192.168.10.1 255.255.255.0

ip helper-address 10.1.1.2

duplex auto

speed auto

!


ip address 192.168.11.1 255.255.255.0


duplex auto

speed auto

!

interface Serial0/0/0

ip address 10.1.1.1 255.255.255.252

clock rate 64000

!


no ip address

shutdown

!

router ospf 1

log-adjacency-changes

passive-interface FastEthernet0/0


network 10.1.1.0 0.0.0.3 area 0

network 192.168.10.0 0.0.0.255 area 0

network 192.168.11.0 0.0.0.255 area 0

!

ip forward-protocol nd

!

no ip http server

no ip http secure-server

!

!




control-plane

!

banner motd ^C

Unauthorized user access strictly prohibited and will be prosecuted to the full extent of the law.

^C

!

line con 0

exec-timeout 15 0

password cisco

logging synchronous

login

line aux 0

line vty 0 4

exec-timeout 15 0

password cisco

logging synchronous

login

!

scheduler allocate 20000 1000

end R2#show run



!

version 12.4




!

hostname R2

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$pN7A$/3oC/Q/AdtMExeVgYYzCL1




!

no aaa new-model

ip cef

!

!

no ip dhcp use vrf connected



!

ip dhcp pool R1Fa0

network 192.168.10.0 255.255.255.0

dns-server 192.168.11.5


!

ip dhcp pool R1Fa1

network 192.168.11.0 255.255.255.0

dns-server 192.168.11.5


!

!

no ip domain lookup

!

!

!

!

!

!


ip address 192.168.20.1 255.255.255.0

ip nat inside

duplex auto

speed auto

!


no ip address

shutdown

duplex auto




speed auto

!


ip address 10.1.1.2 255.255.255.252

ip nat inside

!


ip address 209.165.200.225 255.255.255.252

ip nat outside

clock rate 64000

!

router ospf 1



network 10.1.1.0 0.0.0.3 area 0

network 192.168.20.0 0.0.0.255 area 0

default-information originate

!


ip route 0.0.0.0 0.0.0.0 209.165.200.226

!

no ip http server


ip nat inside source list NAT interface Serial0/0/1 overload

ip nat inside source static 192.168.20.254 209.165.200.254

!

ip access-list extended NAT

permit ip 192.168.10.0 0.0.0.255 any

permit ip 192.168.11.0 0.0.0.255 any

!

!

control-plane

!

banner motd ^C

Unauthorized user access is strictly prohibited and will be prosecuted to the full extent of the law.

^C

!




line con 0

exec-timeout 15 0

password cisco

logging synchronous

login

line aux 0

line vty 0 4

exec-timeout 15 0

password cisco

logging synchronous

login

!


end ISP#show run



!

version 12.4




!

hostname ISP

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$cUk4$Na3InL6ZTGUHREbUSz3fE.

!

no aaa new-model

ip cef

!

!




!

!

no ip domain lookup

!

!

!

!

!

!


no ip address

shutdown

duplex auto

speed auto

!


no ip address

shutdown

duplex auto

speed auto

!


no ip address

shutdown

clock rate 125000

!


ip address 209.165.200.226 255.255.255.252

!


no ip address

shutdown

clock rate 2000000

!


no ip address

shutdown




clock rate 2000000

!


ip route 209.165.200.240 255.255.255.240 Serial0/0/1

!

no ip http server


!

!

control-plane

!

banner motd ^C


^C

!

line con 0

exec-timeout 15 0

password cisco

logging synchronous

login

line aux 0

line vty 0 4

exec-timeout 15 0

password cisco

logging synchronous

login

!


end

Task 10: Clean Up

Erase the configurations and reload the routers. Disconnect and store the cabling. For PC hosts that are normally connected to other networks, such as the school LAN or the Internet, reconnect the appropriate cabling and restore the TCP/IP settings.



Todd Hamilton CIS-143(4365)

Lab 7.4.2: Challenge DHCP and NAT Configuration

Topology Diagram

Addressing Table


R1

S0/0/0 172.16.0.1 255.255.255.252

Fa0/0 172.16.10.1 255.255.255.0

Fa0/1 172.16.11.1 255.255.255.0

R2

S0/0/0 172.16.0.2 255.255.255.252

S0/0/1 209.165.201.1 255.255.255.252

Fa0/0 172.16.20.1 255.255.255.0

ISP S0/0/1 209.165.201.2 255.255.255.252

Learning Objectives



Perform basic router configurations.

Configure a Cisco IOS DHCP server.


CCNA Exploration Accessing the WAN: IP Addressing Services Lab 7.4.2: Challenge DHCP and NAT Configuration


Configure static and default routing.

Configure static NAT.

Configure dynamic NAT with a pool of addresses.

Configure NAT overload.

Scenario

In this lab, configure the IP address services using the network shown in the topology diagram. If you need assistance, refer back to the basic DHCP and NAT configuration lab. However, try to do as much on your own as possible.



You can use any current router in your lab as long as it has the required interfaces shown in the topology.

Note: If you use a 1700, 2500, or 2600 series router, the router outputs and interface descriptions may look different.


Task 2: Perform Basic Router Configurations

Configure the R1, R2, and ISP routers according to the following guidelines:

Configure the device hostname.

Disable DNS lookup.

Configure a privileged EXEC mode password.

Configure a message-of-the-day banner.

Configure a password for the console connections.

Configure a password for all vty connections.

Configure IP addresses on all routers. The PCs receive IP addressing from DHCP later in the lab.

Enable OSPF with process ID 1 on R1 and R2. Do not advertise the 209.165.200.224/27 network.

Note: Instead of attaching a server to R2, you can configure a loopback interface on R2 to use the IP address 192.168.20.254/24. If you do this, you do not need to configure the Fast Ethernet interface.

Task 3: Configure a Cisco IOS DHCP Server

Configure R2 as the DHCP server for the two R1 LANs.

Step 1: Exclude statically assigned addresses.

Exclude the first three addresses from each pool.

Step 2: Configure the DHCP pool.

Create two DHCP pools. Name one of them R1_LAN10 for the 172.16.10.0/24 network, and name the other R1_LAN11 for the 172.16.11.0/24 network.

Configure each pool with a default gateway and a simulated DNS at 172.16.20.254.




Step 3: Configure a helper address.

Configure helper addresses so that broadcasts from client broadcasts are forwarded to the DHCP server.

Step 4: Verify the DHCP configuration.

Task 4: Configure Static and Default Routing

Configure ISP with a static route for the 209.165.201.0/27 network. Use the exit interface as an argument.

Configure a default route on R2 and propagate the route in OSPF. Use the next-hop IP address as an argument.

Task 5: Configure Static NAT

Step 1: Statically map a public IP address to a private IP address.

Statically map the inside server IP address to the public address 209.165.201.30.


Step 3: Verify the static NAT configuration.

Task 6: Configure Dynamic NAT with a Pool of Addresses

Step 1: Define a pool of global addresses.

Create a pool named NAT_POOL for the IP addresses 209.165.201.9 through 209.165.201.14 using a /29 subnet mask.

Step 2: Create a standard named access control list to identify which inside addresses are translated.

Use the name NAT_ACL and allow all hosts attached to the two LANs on R1.

Step 3: Establish dynamic source translation.

Bind the NAT pool to the ACL and allow NAT overloading.

Step 4: Specify the inside and outside NAT interfaces.

Verify that the inside and outside interfaces are all correctly specified.


Task 7: Document the Network


R1#show run



!




version 12.3

no service timestamps log datetime msec

no service timestamps debug datetime msec


!

hostname R1

!

!

!

enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1

!

!

!

!

!

!

!

!

!

!

no ip domain-lookup

!

!

!

!

!

!


ip address 172.16.10.1 255.255.255.0


duplex auto

speed auto

!


ip address 172.16.11.1 255.255.255.0


duplex auto




speed auto

!


ip address 172.16.0.1 255.255.255.252

clock rate 64000

!


no ip address

shutdown

!

interface Vlan1

no ip address

shutdown

!

router ospf 1




network 172.16.11.0 0.0.0.255 area 0

network 172.16.10.0 0.0.0.255 area 0

network 172.16.0.0 0.0.0.3 area 0

!

ip classless

!

!

!

no cdp run

!

banner motd ^C


^C

!

!

!

!

line con 0

exec-timeout 15 0




password cisco

logging synchronous

login

line vty 0 4

exec-timeout 15 0

password cisco

logging synchronous

login

line vty 5 15

login

!

!

!

end

R2#show run



!

version 12.3




!

hostname R2

!

!

!


!

!



!

ip dhcp pool R1_LAN10

network 172.16.10.0 255.255.255.0





dns-server 172.16.20.254


network 172.16.11.0 255.255.255.0


dns-server 172.16.20.254

!

!

!

!

!

!

!

no ip domain-lookup

!

!

!

!

!

!


ip address 172.16.20.1 255.255.255.0

ip nat inside

duplex auto

speed auto

!


no ip address

duplex auto

speed auto

shutdown

!


ip address 172.16.0.2 255.255.255.252

ip nat inside

!





ip address 209.165.201.1 255.255.255.252

ip nat outside

clock rate 64000

!

interface Vlan1

no ip address

shutdown

!

router ospf 1



network 172.16.20.0 0.0.0.255 area 0

network 172.16.0.0 0.0.0.3 area 0


!

ip nat pool NAT_POOL 209.165.201.9 209.165.201.14 netmask 255.255.255.248

ip nat inside source list NAT pool NAT_POOL


ip classless

ip route 0.0.0.0 0.0.0.0 209.165.201.2

!

!

ip access-list standard NAT

permit 172.16.10.0 0.0.0.255

permit 172.16.11.0 0.0.0.255

!

no cdp run

!

banner motd ^C


^C

!

!

!

!

line con 0

exec-timeout 15 0




password cisco

logging synchronous

login

line vty 0 4

exec-timeout 15 0

password cisco

logging synchronous

login

!

!

!

end

ISP#show run



!

version 12.3




!

hostname ISP

!

!

!


!

!

!

!

!

!

!

!




!

!

no ip domain-lookup

!

!

!

!

!

!


no ip address

duplex auto

speed auto

shutdown

!


no ip address

duplex auto

speed auto

shutdown

!


no ip address

shutdown

!


ip address 209.165.201.2 255.255.255.252

!

interface Vlan1

no ip address

shutdown

!

ip classless

ip route 209.165.201.0 255.255.255.224 Serial0/0/1

!

!

!




no cdp run

!

banner motd ^C


^C

!

!

!

!

line con 0

exec-timeout 15 0

password cisco

logging synchronous

login

line vty 0 4

exec-timeout 15 0

password cisco

logging synchronous

login

!

!

!

end

Task 8: Clean Up

Erase the configurations and reload the routers. Disconnect and store the cabling. For PC hosts that are normally connected to other networks, such as the school LAN or the Internet, reconnect the appropriate cabling and restore the TCP/IP settings.



Todd Hamilton CIS-143(4365)

Lab 7.4.3: Troubleshooting DHCP and NAT

Topology Diagram

Addressing Table


R1

S0/0/0 172.16.0.1 255.255.255.252

Fa0/0 172.16.10.1 255.255.255.0

Fa0/1 172.16.11.1 255.255.255.0

R2

S0/0/0 172.16.0.2 255.255.255.252

S0/0/1 209.165.201.1 255.255.255.252

Fa0/0 172.16.20.1 255.255.255.0

ISP S0/0/1 209.165.201.2 255.255.255.252

Learning Objectives



Load routers with scripts.

Find and correct network errors.


CCNA Exploration Accessing the WAN: IP Addressing Services Lab 7.4.3: Troubleshooting DHCP and NAT


Document the corrected network.

Scenario

The routers, R1 and R2, at your company were configured by an inexperienced network engineer. Several errors in the configuration have resulted in connectivity issues. Your boss has asked you to troubleshoot and correct the configuration errors and document your work. Using your knowledge of DHCP, NAT, and standard testing methods, find and correct the errors. Make sure all clients have full connectivity. The ISP has been configured correctly.

Ensure that the network supports the following:

1. The router R2 should serve as the DHCP server for the 172.16.10.0/24 and 172.16.11.0/24 networks connected to R1.

2. All PCs connected to R1 should receive an IP address in the correct network via DHCP.

3. Traffic from the R1 LANs entering the Serial 0/0/0 interface on R2 and exiting the Serial 0/0/1 interface on R2 should receive NAT translation with a pool of addresses provided by the ISP.

4. The Inside Server should be reachable from outside networks using IP address 209.165.201.30, and to inside networks using IP address 172.16.20.254




Step 3: Import the configurations below.

R1

hostname R1

!

enable secret class

!

no ip domain lookup

!


ip address 172.16.10.1 255.255.255.0


no shutdown

!


ip address 172.16.11.1 255.255.255.0

no shutdown

!


ip address 172.16.0.1 255.255.255.252

clock rate 125000

no shutdown

!

router rip

version 2

network 172.16.0.0

no auto-summary




!

banner motd $AUTHORIZED ACCESS ONLY$

!

line con 0

password cisco

logging synchronous

login

line vty 0 4

password cisco

logging synchronous

login

!

end

R2

hostname R2

!

enable secret class

!



!


network 172.16.10.0 255.255.255.0

dns-server 172.16.20.254

!


network 172.16.11.0 255.255.255.0

dns-server 172.16.20.254

!

no ip domain lookup

!


ip address 172.16.20.1 255.255.255.0

ip nat inside

no shutdown

!


ip address 172.16.0.2 255.255.255.252

no shutdown

!


ip address 209.165.201.1 255.255.255.252

ip nat outside

clock rate 125000

no shutdown

!

router rip

version 2

network 172.16.0.0


no auto-summary

!

ip route 0.0.0.0 0.0.0.0 209.165.201.2

!





ip nat inside source list NAT_ACL pool NATPOOL overload

!

ip access-list standard NAT_ACL

permit 172.16.10.0 0.0.0.255

!


!

line con 0

password cisco

logging synchronous

login

line vty 0 4

password cisco

logging synchronous

login

!

end

ISP

hostname ISP

!

enable secret class

!


ip address 209.165.201.2 255.255.255.252

no shutdown

!

ip route 0.0.0.0 0.0.0.0 Serial0/0/1

!


!

line con 0

password cisco

logging synchronous

login

line vty 0 4

password cisco

logging synchronous

login

!

end

Task 2: Find and Correct Network Errors

When the network is configured correctly:

PC1 and PC2 should be able to receive IP addresses from the correct DHCP pool as evidenced

by an ipconfig on the PCs. Additionally; a show ip dhcp bindings on R2 should show that

both PCs have received IP addresses.

Test pings from PC1 and PC2 to the ISP should receive NAT overload translation as evidenced

by a show ip nat translations on R2.

Test pings from the Inside Server to ISP should receive the static NAT translation indicated on

the topology. Use the show ip nat translations command to verify this.




A ping from the ISP to the global address of the Inside Server should be successful.

Test pings from ISP to R1 should not receive NAT translation as evidenced by a show ip nat

translations or a debug ip nat on R2.

Task 3: Document the Router Configurations


R1#copy run start

Destination filename [startup-config]?


[OK]

R1#

%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up

R1#show run



!

version 12.3




!

hostname R1

!

!

!


!

!

!

!

!

!

!




!

!

!

ip ssh version 1

no ip domain-lookup

!

!

!

!

!

!


ip address 172.16.10.1 255.255.255.0


duplex auto

speed auto

!


ip address 172.16.11.1 255.255.255.0


duplex auto

speed auto

!


ip address 172.16.0.1 255.255.255.252

clock rate 125000

!


no ip address

shutdown

!

interface Vlan1

no ip address

shutdown

!

router rip

version 2






network 172.16.0.0

no auto-summary

!

ip classless

!

!

!

banner motd ^CAUTHORIZED ACCESS ONLY^C

!

!

!

!

line con 0

exec-timeout 15 0

password cisco

logging synchronous

login

line vty 0 4

exec-timeout 15 0

password cisco

logging synchronous

login

!

!

!

end

R2#show run



!

version 12.3







!

hostname R2

!

!

!


!

!



!


network 172.16.10.0 255.255.255.0


dns-server 172.16.20.254


network 172.16.11.0 255.255.255.0


dns-server 172.16.20.254

!

!

!

!

!

!

!

ip ssh version 1

no ip domain-lookup

!

!

!

!

!

!


ip address 172.16.20.1 255.255.255.0




ip nat inside

duplex auto

speed auto

!


no ip address

duplex auto

speed auto

shutdown

!


ip address 172.16.0.2 255.255.255.252

ip nat inside

!


ip address 209.165.201.1 255.255.255.252

ip nat outside

clock rate 125000

!

interface Vlan1

no ip address

shutdown

!

router rip

version 2


network 172.16.0.0


no auto-summary

!


ip nat inside source list NAT_ACL pool NAT_POOL overload


ip classless

ip route 0.0.0.0 0.0.0.0 209.165.201.2

!

!




ip access-list standard NAT_ACL

permit 172.16.10.0 0.0.0.255

permit 172.16.11.0 0.0.0.255

!

no cdp run

!


!

!

!

!

line con 0

exec-timeout 15 0

password cisco

logging synchronous

login

line vty 0 4

exec-timeout 15 0

password cisco

logging synchronous

login

!

!

!

end

ISP#show run



!

version 12.3




!

hostname ISP




!

!

!


!

!

!

!

!

!

!

!

!

!

ip ssh version 1

!

!

!

!

!

!


no ip address

duplex auto

speed auto

shutdown

!


no ip address

duplex auto

speed auto

shutdown

!


no ip address

shutdown

!





ip address 209.165.201.2 255.255.255.252

!

interface Vlan1

no ip address

shutdown

!

ip classless

ip route 209.165.201.0 255.255.255.224 Serial0/0/1

!

!

!


!

!

!

!

line con 0

exec-timeout 15 0

password cisco

logging synchronous

login

line vty 0 4

exec-timeout 15 0

password cisco

logging synchronous

login

!

!

!

end

Task 4: Clean Up

Erase the configurations and reload the routers. Disconnect and store the cabling. For PC hosts that are normally connected to other networks, such as the school LAN or to the Internet, reconnect the appropriate cabling and restore the TCP/IP settings.


Date post:	22-Nov-2014
Category:	Documents
Upload:	todd-hamilton
View:	99 times
Download:	3 times

Chapter 7

Documents