Network Administration - Chapter 7: Implementing IP Addressing Services


Chapter 7 - Implementing IP Addressing Services
CCNA Exploration 4.0
Bach Khoa Network Academy (Học viện mạng Bach Khoa) - Website: www.bkacad.com

Slide 2 - Introduction

Slide 3 - DHCP

Slide 4 - Introducing DHCP
• DHCP assigns IP addresses and other important network configuration information dynamically.

Slide 5 - DHCP Operation
• Manual Allocation: The administrator assigns a pre-allocated IP address to the client, and DHCP only communicates the IP address to the device.
• Automatic Allocation: DHCP automatically assigns a static IP address permanently to a device, selecting it from a pool of available addresses. There is no lease; the address is permanently assigned to the device.
• Dynamic Allocation: DHCP automatically assigns, or leases, an IP address from a pool of addresses for a limited period of time chosen by the server, or until the client tells the DHCP server that it no longer needs the address.

Slide 6 - BOOTP and DHCP
• Both DHCP and BOOTP are client/server based and use UDP ports 67 and 68. Those ports are still known as BOOTP ports.

Slide 7 - DHCP Message Format

Slide 8 - DHCP Discover

Slide 9 - DHCP Offer

Slide 10 - Configuring a DHCP Server

Slide 11 - Configuring a DHCP Server Example
  ip dhcp excluded-address 192.168.1.1 192.168.1.10
  ip dhcp pool Net1
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8
   lease 3 4 5
  ip dhcp excluded-address 192.168.2.1 192.168.2.10
  ip dhcp pool Net2
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
   dns-server 8.8.8.8
   lease 3 4 5

Slide 12
  ip dhcp excluded-address 172.16.1.1 172.16.1.10
  ip dhcp pool LAN172
   network 172.16.1.0 255.255.255.0
   default-router 172.16.1.1
   dns-server 8.8.8.8

Slide 13
  R1(config)#int f0/0
  R1(config-if)#ip helper-address 192.168.4.252

Slide 14

Slide 15 - Verifying DHCP
  PC1: ipconfig /all

Slide 16 - Verifying DHCP
  PC2: ipconfig /all

Slide 17 - Verifying DHCP

Slide 18 - Configuring a DHCP Client

Slide 19 - Configuring a DHCP Client

Slide 20 - DHCP Relay Host Problem

Slide 21 - DHCP Relay Host Renew

Slide 22 - DHCP Relay
• Helper address configuration that relays broadcasts to all servers on the segment.
  RTA(config)#interface e0
  RTA(config-if)#ip helper-address 172.24.1.255
• But will RTA forward the broadcast?
[Figure labels: Broadcast, Unicast]

Slide 23 - DHCP Relay
• Notice that the RTA interface e3, which connects to the server farm, is not configured with helper addresses.
• However, the output shows that for this interface, directed broadcast forwarding is disabled. This means that the router will not convert the logical broadcast 172.24.1.255 into a physical broadcast with a Layer 2 address of FF-FF-FF-FF-FF-FF.
• To allow all the nodes in the server farm to receive the broadcasts at Layer 2, e3 will need to be configured to forward directed broadcasts with the following command:
  RTA(config)#interface e3
  RTA(config-if)#ip directed-broadcast

Slide 24 - DHCP Relay
  RTA(config)#interface e0
  RTA(config-if)#ip helper-address 172.24.1.255
  RTA(config)#interface e3
  RTA(config-if)#ip directed-broadcast
[Figure labels: L3 Broadcast, L2 Broadcast]

Slide 25 - Using helper addresses
• By default, the ip helper-address command forwards eight UDP services.
• Cisco IOS provides the global configuration command ip forward-protocol to allow an administrator to forward any UDP port in addition to the default eight.

Slide 26 - Configuring a DHCP Server Using SDM

Slide 27 - Configuring a DHCP Server Using SDM

Slide 28 - Verifying and Troubleshooting DHCP

Slide 29 - Verifying and Troubleshooting DHCP

Slide 30 - Scaling Networks with NAT

Slide 31 - Private and Public IP Addressing

Slide 32 - What is NAT?
Slide 33 - NAT Terminology
• Inside local address - Usually not an IP address assigned by a RIR or service provider; most likely an RFC 1918 private address.
• Inside global address - Valid public address that the inside host is given when it exits the NAT router.
  – When traffic from PC1 is destined for the web server at 209.165.201.1, router R2 must translate the address. In this case, IP address 209.165.200.226 is used as the inside global address for PC1.
• Outside global address - Reachable IP address assigned to a host on the Internet.
  – For example, the web server is reachable at IP address 209.165.201.1.
• Outside local address - The local IP address assigned to a host on the outside network. In most situations, this address will be identical to the outside global address of that outside device.

Slide 34 - The Forms of NAT
• Static NAT – Mapping an unregistered IP address to a registered IP address on a one-to-one basis. Particularly useful when a device needs to be accessible from outside the network.

Slide 35 - The Forms of NAT
• Dynamic NAT – Maps an unregistered IP address to a registered IP address from a group of registered IP addresses. Dynamic NAT also establishes a one-to-one mapping between an unregistered and a registered IP address, but the mapping can vary depending on which registered address is available in the pool at the time of communication.

Slide 36 - The Forms of NAT
• Overloading – A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address (many-to-one) by using different ports. Also known as PAT (Port Address Translation), single-address NAT or port-level multiplexed NAT.

Slide 37 - NAT Example
• Inside local address – The IP address assigned to a host on the inside network. This address is likely to be an RFC 1918 private address.
• Inside global address – A legitimate (Internet-routable or public) IP address assigned by the service provider that represents one or more inside local IP addresses to the outside world.
• Outside local address – The IP address of an outside host as it is known to the hosts on the inside network.
• Outside global address – The IP address assigned to a host on the outside network. The owner of the host assigns this address.

Slide 38

Slide 39 - NAT Example
[Figure: IP header of packet (1) before translation: SA 10.0.0.3, DA 128.23.2.2; packet (2) after translation: SA 179.9.8.80, DA 128.23.2.2]

Slide 40 - NAT overload

Slide 41 - Next Available Port

Slide 42 - Benefits and Drawbacks of Using NAT

Slide 43 - Configure Static NAT on a Cisco Router

Slide 44 - Example
  ip nat inside source static 192.168.1.254 100.0.0.3
  !
  interface FastEthernet0/1
   description DMZ
   ip nat inside
  !
  interface Serial0/0/0
   description INTERNET
   ip nat outside

Slide 45

Slide 46 - Configure Dynamic NAT on a Cisco Router

Slide 47 - Configure Dynamic NAT on a Cisco Router

Slide 48 - Example
[Figure label: Translate to these outside addresses]

Slide 49 - Configuring NAT Overload for a Single Public IP Address

Slide 50 - Configuring NAT Overload for a Single Public IP Address
  access-list 1 permit 172.16.1.0 0.0.0.255
  !
  ip nat inside source list 1 interface Serial0/0/0 overload
  interface Serial0/0/0
   ip nat outside
  !
  interface FastEthernet0/0
   ip nat inside

Slide 51

Slide 52 - Configuring NAT Overload for a Pool of Public IP Addresses

Slide 53 - Configuring NAT Overload for a Pool of Public IP Addresses

Slide 54 - Port Forwarding
• Port forwarding (sometimes referred to as tunneling) is the act of forwarding a network port from one network node to another.
• This technique can allow an external user to reach a port on a private IP address (inside a LAN) from the outside through a NAT-enabled router.

Slide 55 - Port Forwarding
  R1(config)#ip nat inside source static tcp 192.168.1.253 21 100.0.0.1 21
  R1(config)#ip nat inside source static tcp 192.168.1.254 80 100.0.0.1 80

Slide 56

Slide 57 - Verifying NAT and NAT Overload

Slide 58 - Verifying NAT and NAT Overload

Slide 59 - Troubleshooting NAT and NAT Overload Configuration
• Step 1. Based on the configuration, clearly define what NAT is supposed to achieve. This may reveal a problem with the configuration.
• Step 2. Verify that correct translations exist in the translation table using the show ip nat translations command.
• Step 3. Use the clear and debug commands to verify that NAT is operating as expected. Check to see if dynamic entries are recreated after they are cleared.
• Step 4. Review in detail what is happening to the packet, and verify that routers have the correct routing information to move the packet.

Slide 60 - IPv6

Slide 61 - Reason for using IPv6
• The pool of numbers is shrinking for the following reasons:
  1. Population growth
  2. Mobile users
  3. Transportation
  4. Consumer electronics

Slide 62

Slide 63 - Address space

Slide 64 - IPv6 Features

Slide 65 - Comparing IPv4 and IPv6 Headers

Slide 66 - Extension header

Slide 67 - Extension header

Slide 68 - IPv6 Extension Headers
• Hop-by-hop options header: When used for the router alert (Resource Reservation Protocol [RSVP] and Multicast Listener Discovery version 1 [MLDv1]) and the jumbogram, this header (value = 0) is processed by all hops in the path of a packet.
• Destination options header (when the routing header is used)
• Routing header: Used for source routing and mobile IPv6 (value = 43).
• Fragment header: Used when a source must fragment a packet that is larger than the MTU for the path between itself and a destination device.
• Authentication Header and Encapsulating Security Payload header: Used within IPsec to provide authentication, integrity, and confidentiality of a packet.
  – The Authentication Header (value = 51)
  – The ESP header (value = 50)
• Upper-layer header: Typical headers used inside a packet to transport the data. The two main transport protocols are TCP (value = 6) and UDP (value = 17).

Slide 69 - Defining Address Representation

Slide 70 - Defining Address Representation

Slide 71 - Defining Address Representation

Slide 72 - IPv6 Address Types

Slide 73 - IPv6 Address Types
1. Unicast address
  – Link local (FE80::/10): Scope is limited to a single link. The address is unique only on this link, and it is not routable off the link (similar to the 169.254.x.x private address range).
  – Site local (FEC0::/10): similar to a private address.
  – Global: Globally unique, so it can be routed globally with no modification. A global address has an unlimited scope on the worldwide Internet. Packets with global source and destination addresses are routed to their target destination by the routers on the Internet.

Slide 74 - IPv6 Address Types
2. Multicast address (FF00::/8):
  • IPv6 does not have broadcast addresses.
  • The range of multicast addresses in IPv6 is larger than in IPv4. For the foreseeable future, allocation of multicast groups is not being limited.
3. Anycast address:
  • An anycast address identifies a list of devices or nodes; therefore, an anycast address identifies multiple interfaces.
  • A packet sent to an anycast address is delivered to the closest interface, as defined by the routing protocols in use.
Slide 75 - Addressing Model

Slide 76 - Special Address

Slide 77 - IPv6 Global Unicast and Anycast address; Hierarchical Addressing and Aggregation

Slide 78 - Hierarchical Addressing and Aggregation

Slide 79

Slide 80 - Assign IPv6 address

Slide 81 - Stateless Autoconfiguration
1. Phase 1: MAC 00-0C-29-C2-52-FF -> 02-0C-29-FF-FE-C2-52-FF
2. Phase 2: the well-known link-local prefix fe80::/64 is added -> fe80::20c:29ff:fec2:52ff
3. Phase 3: Verify the address's uniqueness on the link, called duplicate address detection (DAD). Send ICMPv6.
4. Phase 4: Assigned

Slide 82 - IPv6 to IPv4 Transition Mechanism

Slide 83 - IPv6 to IPv4 Transition Mechanism
• The 2 most common techniques to transition from IPv4 to IPv6 are as follows:
  1. Dual stack
  2. IPv6-over-IPv4 (6to4) tunnels
• For communication between IPv4 and IPv6 networks, IPv4 addresses can be encapsulated in IPv6 addresses.

Slide 84 - Cisco IOS Dual Stack
• Dual stacking is an integration method in which a node has an implementation of, and connectivity to, both an IPv4 and an IPv6 network. This is the recommended option and involves running IPv4 and IPv6 at the same time.
• Using IPv6 on a Cisco IOS router requires that you use the global configuration command ipv6 unicast-routing. This command enables the forwarding of IPv6 datagrams.

Slide 85 - IPv6 Tunneling
• Tunneling is an integration method where an IPv6 packet is encapsulated within another protocol, such as IPv4. This method enables the connection of IPv6 islands without needing to convert the intermediary networks to IPv6.
• When IPv4 is used to encapsulate the IPv6 packet, a protocol type of 41 is specified in the IPv4 header, and the packet includes a 20-byte IPv4 header with no options and an IPv6 header and payload. It also requires dual-stack routers.
• Tunneling presents these issues:
  – The MTU is decreased by 20 octets (if the IPv4 header does not contain any optional field).
  – Difficult to troubleshoot.

Slide 86 - IPv6 Tunneling

Slide 87 - Routing consideration with IPv6
• Like IPv4 classless interdomain routing (CIDR), IPv6 uses longest prefix match routing.
• IPv6 uses modified versions of most of the common routing protocols to handle longer IPv6 addresses and different header structures.

Slide 88 - Routing consideration with IPv6
1. The control plane handles the interaction of the router with the other network elements, providing the information needed to make decisions and control the overall router operation. This plane runs processes such as routing protocols and network management. These functions are generally complex.
2. The data plane handles packet forwarding from one physical or logical interface to another. It involves different switching mechanisms such as process switching and Cisco Express Forwarding (CEF) on Cisco IOS software routers.
3. Enhanced services include advanced features applied when forwarding data, such as packet filtering, quality of service (QoS), encryption, translation, and accounting.
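The following Python example is added here and is not part of the slides: it carries out phases 1 and 2 of the stateless autoconfiguration from slide 81 (MAC to modified EUI-64 interface ID, then prefix plus interface ID) for any MAC and any /64 prefix, and also shows the reverse step, which is why an EUI-64 address discloses the host's hardware address and why privacy addresses (RFC 4941) are preferred where that matters. The MAC and the fe80:: result are the slide's; 2fff::/64 is the lab prefix from slide 97.

```python
import ipaddress
import re
from typing import Optional

# Added example (not from the slides): phases 1 and 2 of IPv6 stateless
# autoconfiguration (slide 81). Phases 3 and 4 (DAD over ICMPv6 and the
# final assignment) need a live link and are not modelled here.

def parse_mac(mac: str) -> bytes:
    """Accept 00-0C-29-C2-52-FF, 00:0c:29:c2:52:ff or 000c.29c2.52ff."""
    digits = re.sub(r"[-:.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes.fromhex(digits)

def modified_eui64(mac: str) -> bytes:
    """Phase 1: insert FF-FE between the OUI and the device part, then invert
    the universal/local bit (bit 0x02 of the first octet, RFC 4291 App. A)."""
    m = parse_mac(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02
    return bytes(iid)

def eui64_text(iid: bytes) -> str:
    """Render the 64-bit interface ID in the slide's dashed notation."""
    return "-".join(f"{b:02X}" for b in iid)

def autoconf_address(mac: str, prefix: str = "fe80::/64") -> ipaddress.IPv6Address:
    """Phase 2: place the interface ID in the low 64 bits of a /64 prefix.
    The default prefix is the well-known link-local fe80::/64."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def mac_from_address(addr: str) -> Optional[str]:
    """Reverse check: recover the MAC from an EUI-64 interface ID. Returns None
    when the IID was not derived from a MAC (no FF-FE in the middle)."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return "-".join(f"{b:02X}" for b in iid[:3] + iid[5:])

if __name__ == "__main__":
    mac = "00-0C-29-C2-52-FF"                    # the MAC used on slide 81
    print(eui64_text(modified_eui64(mac)))      # 02-0C-29-FF-FE-C2-52-FF
    print(autoconf_address(mac))                # fe80::20c:29ff:fec2:52ff
    print(autoconf_address(mac, "2fff::/64"))   # same IID under the lab prefix
    print(mac_from_address("fe80::20c:29ff:fec2:52ff"))
```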
Slide 89 - RIPng routing protocol
• Based on IPv4 RIP version 2 (RIPv2) and similar to RIPv2: distance vector, split horizon, max hop 15, poison reverse
• Uses IPv6 for transport
• IPv6 prefix, next-hop IPv6 address
• Uses the multicast group FF02::9, the all-RIP-routers multicast group, as the destination address for RIP updates
• Updates sent on UDP port 521
• Supported by Cisco IOS Release 12.2(2)T and later

Slide 90 - Enabling IPv6 on Cisco Routers
• There are two basic steps to activate IPv6 on a router.
  – First, you must activate IPv6 traffic forwarding on the router,
  – and then you must configure each interface that requires IPv6.
• By default, IPv6 traffic forwarding is disabled on a Cisco router. To activate it between interfaces, you must configure the global command ipv6 unicast-routing.

Slide 91 - IPv6 Address Configuration Example

Slide 92 - Cisco IOS IPv6 Name Resolution

Slide 93 - Configure RIPng with IPv6
• To enable RIPng routing on the router, use the ipv6 router rip name global configuration command.
  – The name parameter identifies the RIP process.
  – This process name is used later when configuring RIPng on participating interfaces.
• For RIPng, instead of using the network command to identify which interfaces should run RIPng, you use the command ipv6 rip name enable in interface configuration mode to enable RIPng on an interface. The name parameter must match the name parameter in the ipv6 router rip command.

Slide 94 - Configure RIPng with IPv6

Slide 95 - Troubleshooting

Slide 96 - Troubleshooting

Slide 97 - LAB – IPv6 RIP
[Topology: R1 (Lo0 2003::1/64, F0/0 2fff::1/64, S1/0 2004::1/64) --- R2 (S1/1 2004::2/64, Lo0 2005::2/64); PC on the F0/0 LAN at 2fff::2/64]

R1:
  ipv6 unicast-routing
  ipv6 router rip bkacad
  interface lo0
   ipv6 address 2003::1/64
   ipv6 rip bkacad enable
  interface f0/0
   ipv6 address 2fff::1/64
   ipv6 rip bkacad enable
  interface s1/0
   ipv6 address 2004::1/64
   ipv6 rip bkacad enable

R2:
  ipv6 unicast-routing
  ipv6 router rip bkacad
  ipv6 route ::/0 lo0
  interface lo0
   ipv6 address 2005::2/64
   ipv6 rip bkacad enable
  interface s1/1
   ipv6 address 2004::2/64
   ipv6 rip bkacad enable
  ipv6 router rip bkacad
   redistribute static

PC (Windows):
  ipv6 install
  netsh interface ipv6 add address "Local Area Connection" 2fff::2

Slide 98 - Labs

Slide 99 - Summary Example

Slide 100 - Static NAT
• Publish the HTTP server1 (outside users can access server1)
• 1. Use the IP address 200.0.0.3/29
  R1(config)#ip nat inside source static 192.168.1.254 200.0.0.3
  R1(config)#int f0/0
  R1(config-if)#ip nat inside
  R1(config-if)#int s0/0/0
  R1(config-if)#ip nat outside

Slide 101 - Static NAT
• Publish the HTTP server1 (outside users can access server1)
• 2. Port Forwarding
  R1(config)#ip nat inside source static tcp 192.168.1.254 80 200.0.0.1 80
  R1(config)#int f0/0
  R1(config-if)#ip nat inside
  R1(config-if)#int s0/0/0
  R1(config-if)#ip nat outside
• R1#show ip nat translations

Slide 102 - Dynamic NAT
• R1
  ip nat pool POOL200 200.0.0.3 200.0.0.6 netmask 255.255.255.248
  ip nat inside source list 1 pool POOL200
  access-list 1 permit 10.0.0.0 0.0.0.255
  int f0/1
   ip nat inside
  int s0/0/0
   ip nat outside

Slide 103 - PAT (NAT Overload) for a single public IP address
• 1. Use the IP address of the outside interface
  access-list 1 permit 10.0.0.0 0.0.0.255
  ip nat inside source list 1 interface Serial0/0/0 overload
  int f0/1
   ip nat inside
  int s0/0/0
   ip nat outside

Slide 104 - PAT (NAT Overload) for a single public IP address
• 2. Use a pool with one IP address
  access-list 1 permit 10.0.0.0 0.0.0.255
  ip nat pool POOL1 200.0.0.3 200.0.0.3 netmask 255.255.255.255
  ip nat inside source list 1 pool POOL1 overload
  int f0/1
   ip nat inside
  int s0/0/0
   ip nat outside

Slide 105 - PAT (NAT Overload) for a pool of public IP addresses
  access-list 1 permit 10.0.0.0 0.0.0.255
  ip nat pool POOL200 200.0.0.3 200.0.0.6 netmask 255.255.255.248
  ip nat inside source list 1 pool POOL200 overload
  int f0/1
   ip nat inside
  int s0/0/0
   ip nat outside

Slide 106

Slide 107
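The following Python example is added here and is not part of the slides: it models the translation table that the slide 105 configuration (access-list 1, POOL200, overload) builds, showing how the "Next Available Port" rule of slide 41 lets several inside hosts share one inside global address, how a reply is matched back to its inside local host, and why an inbound packet with no matching entry is dropped. The hosts 10.0.0.11, 10.0.0.12 and 198.51.100.7 are constructed; 209.165.201.1 is the web server from slide 33; the port-selection policy (keep the source port when free, else the next free port) is a simplified assumption, not an exact description of IOS.

```python
import ipaddress
from typing import Dict, Optional, Set, Tuple

# Added example, not from the slides: a model of the PAT translation table built
# by the slide 105 configuration (access-list 1 permit 10.0.0.0 0.0.0.255,
# ip nat pool POOL200 200.0.0.3 200.0.0.6, overload). Simulation only; the port
# selection policy is a simplified assumption, not IOS's exact algorithm.

Flow = Tuple[str, int, str, int]   # (src addr, src port, dst addr, dst port)

def acl_permits(src: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask semantics: a 1 bit in the mask means 'don't care'."""
    s, n, w = (int(ipaddress.IPv4Address(x)) for x in (src, network, wildcard))
    return (s | w) == (n | w)

class PatRouter:
    def __init__(self, acl: Tuple[str, str], pool_start: str, pool_end: str):
        self.acl = acl
        lo, hi = int(ipaddress.IPv4Address(pool_start)), int(ipaddress.IPv4Address(pool_end))
        self.pool = [str(ipaddress.IPv4Address(a)) for a in range(lo, hi + 1)]
        self.used: Set[Tuple[str, int]] = set()        # (inside global, port) allocated
        self.out_table: Dict[Flow, Tuple[str, int]] = {}   # inside flow -> (global, port)
        self.in_table: Dict[Flow, Tuple[str, int]] = {}    # reverse index for replies

    def _next_available(self, want: int) -> Tuple[str, int]:
        """Keep the original source port when free; otherwise the next free port on
        the same inside global address; use the next pool address only when exhausted."""
        for g in self.pool:
            port = want
            for _ in range(64512):                       # 1024..65535 candidates
                if (g, port) not in self.used:
                    return g, port
                port = port + 1 if port < 65535 else 1024
        raise RuntimeError("POOL200 exhausted")

    def translate_out(self, src: str, sport: int, dst: str, dport: int) -> Optional[Flow]:
        """Inside -> outside. None means the source is not in access-list 1, so NAT
        leaves the packet alone (a private source is then dropped upstream)."""
        if not acl_permits(src, *self.acl):
            return None
        flow = (src, sport, dst, dport)
        if flow not in self.out_table:
            g, gport = self._next_available(sport)
            self.used.add((g, gport))
            self.out_table[flow] = (g, gport)
            self.in_table[(dst, dport, g, gport)] = (src, sport)
        g, gport = self.out_table[flow]
        return g, gport, dst, dport

    def translate_in(self, src: str, sport: int, dst: str, dport: int) -> Optional[Flow]:
        """Outside -> inside. Only a reply matching an existing entry (same outside
        host and port, same inside global port) is rewritten; anything else returns
        None and is dropped, which is the implicit inbound filter PAT gives a LAN."""
        local = self.in_table.get((src, sport, dst, dport))
        if local is None:
            return None
        return src, sport, local[0], local[1]

def demo() -> Dict[str, Optional[Flow]]:
    """Constructed traffic through the slide 105 router."""
    r = PatRouter(("10.0.0.0", "0.0.0.255"), "200.0.0.3", "200.0.0.6")
    return {
        "pc1": r.translate_out("10.0.0.11", 1025, "209.165.201.1", 80),   # keeps 1025
        "pc2": r.translate_out("10.0.0.12", 1025, "209.165.201.1", 80),   # collides -> 1026
        "reply_pc2": r.translate_in("209.165.201.1", 80, "200.0.0.3", 1026),
        "unsolicited": r.translate_in("198.51.100.7", 4444, "200.0.0.3", 23),
        "not_in_acl": r.translate_out("10.0.1.5", 1025, "209.165.201.1", 80),
    }
```

The "unsolicited" case is also the reason the static entries of slides 100 and 101 are needed to publish server1: without a translation entry, PAT has nowhere to deliver an inbound packet.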
