
Cisco CNR 6.2 Training
Instructor: Bob Elliott

CNR Training 6.2

2005 Cisco Systems, Inc. All rights reserved.

Course Introduction


Instructor Introduction


Student Introduction
Please give the class:
Your name
Your company, position and responsibilities
Experience in networking and DNS and DHCP
Your experience with Cisco Network Registrar
Your objectives for attending this class


Administrivia
Class Rules
Start/Stop Times
Breaks/Breakroom
Restrooms
Telephones
Lunch


Class Structure
Lecture
Demo/Lab
Break


Course Objectives
By the end of the course you should be able to:
Describe the feature set and functions of the local cluster and regional cluster components of Cisco Network Registrar (CNR)
Configure CNR to provide DHCP and DNS services, including Dynamic DNS, HA DNS, DHCP failover and Class of Service
Debug and troubleshoot various scenarios of DNS and DHCP problems

Course Agenda Day One


Course Introduction
Introduction to CNR
DNS Protocol Overview
Fundamental DNS Configuration
High Availability DNS
Troubleshooting CNR DNS


Course Agenda Day Two


DHCP Protocol Overview
Fundamental DHCP Configuration
Configuring Client-Class and Clients
DHCP Failover
Troubleshooting CNR DHCP

Course Agenda Day Three


Introduction to the Regional Cluster
Address Space Management
Centralized DNS Management
Configuring DHCP Failover at the Regional Cluster
Managing Administrators, Groups, and Roles
Server and Database Maintenance
Configuring DHCPv6


Local Cluster Advanced Features


Regional Cluster Advanced Features



Introduction to Cisco Network Registrar 6.2


Section Objectives
Identify the key features of CNR 6.2
Identify the advanced features of CNR 6.2
Understand and identify the components of the CNR architecture and the supported hardware platforms
Identify the user interfaces available in CNR 6.2
Install, start and troubleshoot CNR 6.2

Introduction


Challenges of Managing an IP Network


Automating processes
Managing infrastructure data
Adding value to the network


Why are They So Challenging?


Manual configuration of network devices is labor-intensive and error-prone
IP address assignment, user data and other network-related information is typically scattered across many different systems and databases
System Administrators need to show the value added to the business by the network and their systems


Solving the Challenges of Network Management


Reduce the costs by automating IP address assignment and configurations.
Enable policy-based IP address and parameter assignment to ensure appropriate network access (i.e. guest vs. employee access).
Dynamically map IP and name assignments.
Give administrators greater control and visibility of their networks.


Automating Processes (diagram; labels only): Manual Processes; Public Domain Software; Scalable DNS and DHCP Services; Automated Network Addressing; Policies Based on IP Addresses; User-Based Policy Networking; Intelligent Network User Provisioning; Applications

Base Functions of CNR


IP address management and provisioning
Dynamic Host Configuration Protocol (DHCP) Server
Domain Name System (DNS) Server
Trivial File Transfer Protocol (TFTP) Server


CNR DNS Functionality


Normal DNS name server functions
primary, secondary and/or caching server

Incremental Zone Transfer (IXFR)


Notification (NOTIFY)
Dynamic DNS
TSIG Security
DNSv6
High-Availability DNS
BIND Interoperability

CNR DHCP Functionality


DHCP Protocol Services
BOOTP Service
DHCP Failover and Load Balancing
LDAP Interoperability
DHCPv6
Client-Class


Additional Features of CNR


Extensions and Expressions
CNR SDK
Centralized Management with granular administrative controls
Multithreaded software design


Network Registrar Components and Architecture


Major Components of CNR

CNR Regional Cluster
CNR Local Cluster

(Diagram: one Regional Cluster managing several Local Clusters)

CNR Components and Interfaces (diagram; labels only)

Regional CNR Cluster: Server Agent; Tomcat (HTTP/HTTPS); CLI; CCM Server; CCM DB; Replica; Subnet Util; IP Lease History; RIC Server; MCD DB
Local CNR Clusters: Server Agent; Tomcat (HTTP/HTTPS); CLI (Telnet/SSH); CCM Server; CCM DB; DHCP (DHCP DB); DNS (DNS DBs); TFTP
Regional-to-local communication: SCP
Platforms: Solaris, Linux, Windows
Legend: Legacy Interface; External Interface; Internal SCP Interface; Embedded Database

Underlying Processes
CNR Server Agent:
Auto restart capability
Independent of user interface

Embedded Data Manager:
Reliable storage of configuration parameters
Minimizes admin overhead
Provides speed and reliability

Not based on BIND or ISC implementations


Supported Standards and RFCs


Implements DNS standards
RFCs 974, 1034, 1035, 2181, 2308
RFC 1995 (incremental zone transfer)
RFC 1996 (notify)
RFC 2136 (DNS update)
RFC 2782 (SRV records)
RFC 2845 (TSIG; DNS updates only)

Fully interoperable with BIND
Zone transfers: CNR primary to BIND secondary or vice versa
Import/export BIND configuration files


Supported Standards and RFCs (Cont.)


Implements DHCP standards.
DHCP RFCs 2131, 2132
BOOTP RFCs 951, 1497
DNS dynamic update RFCs 2136, 2845
DHCP safe failover (draft rev 3)
Dynamic DNS update for DHCP and BOOTP
Class of service
Expressions
Directory integration (LDAP)
Extension points

Supported Platforms
Windows XP or 2003
Solaris 8 or 9
Linux: Red Hat Enterprise Server 3.0


CNR Regional Cluster Architecture (diagram; labels only)

Regional Cluster (Management System for Local Clusters): Server Agent (SA); Core Services Thread Manager; HTTP Server; Tomcat Web Server; Servlet Engine; Central Configuration Manager (CCM) Server; Router Interface Configuration (RIC) Server; Integrated Databases; SCP to the local clusters; HTTP/HTTPS to browsers; uBR Router
CNR Local Cluster: DNS; DHCP; TFTP; HTTP Server; CCM Server; Core Services Thread Manager; Integrated Databases; CLI over Telnet/SSH; CNR SDK over SCP
Platforms: Solaris, Linux, Windows

Regional Cluster
Aggregate management system for up to 100 local clusters.
Regional Cluster Components:
Server Agent
Tomcat Web Server
Servlet Engine
Central Configuration Management (CCM) Server
Router Interface Configuration (RIC) Server


Installing CNR 6.2 Prerequisites


Sample Deployment Scenario (diagram; labels only): DHCP client; Regional Server (Central Management); DHCP servers in a DHCP Failover pair; Primary DNS 10.10.10.2; Secondary DNS 10.10.10.3; flows shown: DHCP Lease, DNS Updates, Zone Transfers

Installation Pre-Requisites
JRE 1.4.2
Compatible Web Browser: Microsoft Internet Explorer 6.0 (Service Pack 2), Netscape 7.0, or Firefox 1.0.
Windows: an account in the Administrators group.
Solaris and Linux: root or superuser privileges on the server system.
The appropriate license keys for your installation.


Installation Facts
Installation Modes:
Solaris: pkgadd
Windows: InstallShield
Linux: install_cnr wrapper script for rpm

Local and Regional versions must be installed separately but can be installed on the same machine


Installing CNR on Windows


Java Installation on Windows

Security Warning is posted to begin the installation.


Java Installation on Windows (Cont.)


Follow the prompts to install Java


Java Installation on Windows (Cont.)


Install all the Java components

Be sure to install the IE Plugin


Java Installation on Windows (Cont.)


Java Installation on Windows (Cont.)


The Java installation is complete


Generate Local Certificates


CNR 6.2 Windows Installation


Un-Zip Archived File


CNR 6.2 Windows Installation (Cont.)


Splash Screen and Install Setup


CNR 6.2 Windows Installation (Cont.)


Pre-Installation


Local or Regional Installation


Local

Regional

CNR 6.2 Windows Installation (Cont.)


Local

Regional

CNR 6.2 Windows Installation (Cont.)


Local

Regional

CNR 6.2 Windows Installation (Cont.)


Local

Regional

CNR 6.2 Windows Installation (Cont.)


Local

Regional

CNR 6.2 Windows Installation (Cont.)


Local

Regional

CNR 6.2 Windows Installation (Cont.)


Local
Install the Server and client


CNR 6.2 Windows Installation (Cont.)


Local

Regional

CNR 6.2 Windows Installation (Cont.)


Select the Java installation for the Local or Regional Cluster to use


CNR 6.2 Windows Installation (Cont.)


Choose whether to install the secure Web UI


CNR 6.2 Windows Installation (Cont.)


Local

Regional

CNR 6.2 Windows Installation (Cont.)


Select the Java installation for the Local or Regional Cluster Secure Web UI (SSL) to use


CNR 6.2 Windows Installation (Cont.)


Select the location of the keyfile for the Local or Regional Cluster to use


CNR 6.2 Windows Installation (Cont.)


Local

Regional

CNR 6.2 Windows Installation (Cont.)


Local

Regional

CNR 6.2 Windows Installation (Cont.)


Restart your system after the installation is complete


Verifying Status of Processes


Windows:
Service Manager Application
Network Registrar Local Server Agent - Started
Network Registrar Regional Server Agent - Started
View the Windows Task Manager
Processes Tab
Look for cnrservagt.exe


Verifying CNR Status: Local


Status from Windows Service Manager: Local


Verifying Status of Processes Local


Check whether Network Registrar processes are
running:
Windows:
View the Windows Task Manager
Processes Tab
Look for cnrservagt.exe


Verifying CNR Status: Regional


Status from Windows Service Manager: Regional


Verifying Status of Processes Regional


Windows:
View the Windows Task Manager
Processes Tab
Look for cnrservagt.exe


Installing CNR on Solaris


Solaris Java Installation


From the CLI type:
bash-2.05# sh ./j2sdk-1_4_2_10-solaris-sparc.sh
The standard Sun output displays:
Sun Microsystems, Inc.
Binary Code License Agreement
for the
JAVA(TM) 2 SOFTWARE DEVELOPMENT KIT (J2SDK), STANDARD EDITION,
VERSION 1.4.2_X
Note: Output deleted for brevity.
Do you agree to the above license terms? [yes or no]
yes


Generate Local Certificates


bash-2.05# /usr/java/bin/keytool -genkey -alias tomcat -keyalg RSA -validity 365 -keystore /etc/local.keys
Enter keystore password: cisco1
What is your first and last name?
  [Unknown]: CNR User
What is the name of your organizational unit?
  [Unknown]: CNR Organization
What is the name of your organization?
  [Unknown]: Cisco Systems
What is the name of your City or Locality?
  [Unknown]: San Jose
What is the name of your State or Province?
  [Unknown]: CA
What is the two-letter country code for this unit?
  [Unknown]: US
Is CN=CNR User, OU=CNR Organization, O=Cisco Systems, L=San Jose, ST=CA, C=US correct?
  [no]:
Enter key password for <tomcat>
  (RETURN if same as keystore password):


Solaris CNR Local Cluster Installation


bash-2.05# pkgadd -d ./solaris
The following packages are available:
  1  nwreg2     Network Registrar
                (sparc) 6.2

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: 1
Processing package instance <nwreg2> from </var/tmp/cnr_6_2/solaris>
Network Registrar
(sparc) 6.2
Copyright (C) 1994-2005 by Cisco Systems, Inc.
This program contains proprietary and confidential information.
All rights reserved except as may be permitted by prior written consent.


Solaris Local Installation (Cont.)


Specify the mode for this Network Registrar installation:
  1. Local mode (default)
  2. Regional mode
Select the Network Registrar mode [1,2]: 1
Where do you want to install the Network Registrar Local Server Agent executable files? [/opt/nwreg2/local]
Where do you want to put the Network Registrar Local Server Agent data files? [/var/nwreg2/local/data]
Where do you want to put the Network Registrar Local Server Agent log files? [/var/nwreg2/local/logs]
Where do you want to put the Network Registrar Local Server Agent temporary files? [/var/nwreg2/local/temp]


Solaris Local Installation (Cont.)


License file '/opt/nwreg2/local/conf/product.licenses' does not exist
The installer did not locate a valid Network Registrar Local
Server Agent license key. Administration of the cluster will
not be possible without a valid license key.
Please enter your Network Registrar Local Server Agent license
key, or press the Return key to continue the installation
without entering a valid license key at this point:
Administration of the cluster will not be possible without a
valid license key. Are you sure you wish to continue? [n]
[y,n,?,q] y


Solaris Local Installation (Cont.)


If upgrading, Cisco Systems recommends that you archive the existing Network Registrar Local Server Agent binaries and database to recover in the event that the current installation is unsuccessful.
Would you like to save an archive of your current Network Registrar Local Server Agent database files? [y]
[y,n,?,q] n
Specify whether you would like to perform a complete installation of Network Registrar or whether you only want the client utilities.
  1. Both server and client (default)
  2. Client only
Select your installation type [1,2]: 1


Solaris Local Installation (Cont.)


Network Registrar uses the CCM management SCP port for internal
communications between servers.
Enter the CCM SCP port number [1234]:
Network Registrar Local Server Agent 6.2 requires Java version
1.4.2 (or later) to run.
Where is your Java software installed? [/usr/java]
Specify whether you would like to configure security for the browser connection to the Network Registrar web server using a pre-configured JSSE installation.
  1. Non-secure/HTTP (default)
  2. Secure/HTTPS (requires JSSE)
  3. Both HTTP and HTTPS
Select your installation type [1-3]: 3


Solaris Local Installation (Cont.)


Network Registrar uses the Web UI port to provide the Web user interface service to clients. The product default port number is 8080.
Enter the Web UI port number [8080]:
Network Registrar Local Server Agent 6.2 requires JSSE version 1.0.2 or Java 1.4.2 (or greater) to provide HTTPS support.
Where is your JSSE (or Java 1.4.2+) software installed? [/usr/java]
Provide the fully qualified path to the keystore file that contains the certificate(s) to be used for the secure connection to the Network Registrar web server. Do not remove this file or Network Registrar HTTPS connection requests will fail.


Solaris Local Installation (Cont.)


Where is your keystore file located? /etc/cnrlocal.keys
Network Registrar requires the password that was provided when creating the JSSE keystore file to provide the secure Web user interface service to clients. The default password is changeit.
What is your keystore password? cisco1
Network Registrar uses the secure Web UI port to provide the Web user interface service to clients. The product default secure port number is 8443.
Enter the secure Web UI port number [8443]:


Solaris Local Installation (Cont.)


## Executing checkinstall script.
The selected base directory </opt/nwreg2/local> must exist
before installation is attempted.
Do you want this directory created now [y,n,?,q] y
Using </opt/nwreg2/local> as the package base directory.
## Processing package information.
## Processing system information.


Solaris Local Installation (Cont.)


## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.
This package contains scripts which will be executed with super-user permission during the process of installing this package.
Do you want to continue with the installation of <nwreg2> [y,n,?] y
Installing Network Registrar as <nwreg2>
## Installing part 1 of 1.
/opt/nwreg2/local/aiclockmgr
/opt/nwreg2/local/cnrImage.tar.gz
/opt/nwreg2/local/cnrdb_recover3
...OUTPUT DELETED FOR BREVITY...


Solaris Local Installation (Cont.)


/opt/nwreg2/local/aiclockmgr
Network Registrar local mode installation completed
successfully.
Installation of <nwreg2> was successful.
The following packages are available:
  1  nwreg2     Network Registrar
                (sparc) 6.2

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: q
bash-2.05#


Solaris Regional Installation


bash-2.05# pkgadd -d ./solaris/
The following packages are available:
  1  nwreg2     Network Registrar
                (sparc) 6.2

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: 1
Processing package instance <nwreg2> from
</var/tmp/cnr_6_2/solaris>
Network Registrar
(sparc) 6.2
Copyright (C) 1994-2005 by Cisco Systems, Inc.
This program contains proprietary and confidential information.
All rights reserved except as may be permitted by prior written
consent.


Solaris Regional Installation (Cont.)


Specify the mode for this Network Registrar installation:
  1. Local mode (default)
  2. Regional mode
Select the Network Registrar mode [1,2]: 2


Where do you want to install the Network Registrar Regional
Server Agent executable files? [/opt/nwreg2/regional]
Where do you want to put the Network Registrar Regional Server
Agent data files? [/var/nwreg2/regional/data]
Where do you want to put the Network Registrar Regional Server
Agent log files? [/var/nwreg2/regional/logs]
Where do you want to put the Network Registrar Regional Server
Agent temporary files? [/var/nwreg2/regional/temp]


Solaris Regional Installation (Cont.)


License file '/opt/nwreg2/regional/conf/product.licenses' does not exist
The installer did not locate a valid Network Registrar Regional
Server Agent license key. Administration of the cluster will
not be possible without a valid license key.
Please enter your Network Registrar Regional Server Agent
license key, or press the Return key to continue the
installation without entering a valid license key at this
point:
Administration of the cluster will not be possible without a
valid license key. Are you sure you wish to continue? [n]
[y,n,?,q] y


Solaris Regional Installation (Cont.)


If upgrading, Cisco Systems recommends that you archive the
existing Network Registrar Regional Server Agent binaries and
database to recover in the event that the current
installation is unsuccessful.
Would you like to save an archive of your current Network Registrar Regional Server Agent database files? [y]
[y,n,?,q] n

Network Registrar uses the CCM management SCP port for internal
communications between servers.
Enter the CCM SCP port number [1244]:
Network Registrar Regional Server Agent 6.2 requires Java
version 1.4.2 (or later) to run.
Where is your Java software installed? [/usr/java]


Solaris Regional Installation (Cont.)


Specify whether you would like to configure security for the
browser connection to the Network Registrar web server using
a pre-configured JSSE installation.
  1. Non-secure/HTTP (default)
  2. Secure/HTTPS (requires JSSE)
  3. Both HTTP and HTTPS
Select your installation type [1-3]: 3
Network Registrar uses the Web UI port to provide the Web user interface service to clients. The product default port number is 8090.
Enter the Web UI port number [8090]:


Solaris Regional Installation (Cont.)


Network Registrar Regional Server Agent 6.2 requires JSSE
version 1.0.2 or Java 1.4.2 (or greater) to provide HTTPS
support.
Where is your JSSE (or Java 1.4.2+) software installed?
[/usr/java]
Provide the fully qualified path to the keystore file that contains the certificate(s) to be used for the secure connection to the Network Registrar web server. Do not remove this file or Network Registrar HTTPS connection requests will fail.


Solaris Regional Installation (Cont.)


Where is your keystore file located? /etc/cnrregional.keys
Network Registrar requires the password that was provided when creating the JSSE keystore file to provide the secure Web user interface service to clients. The default password is changeit.
What is your keystore password? Cisco1
Network Registrar uses the secure Web UI port to provide the Web user interface service to clients. The product default secure port number is 8453.
Enter the secure Web UI port number [8453]:


Solaris Regional Installation (Cont.)


## Executing checkinstall script.
The selected base directory </opt/nwreg2/regional> must exist before installation is attempted.
Do you want this directory created now [y,n,?,q] y
Using </opt/nwreg2/regional> as the package base directory.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.


Solaris Regional Installation (Cont.)


This package contains scripts which will be executed with super-user permission during the process of installing this package.
Do you want to continue with the installation of <nwreg2> [y,n,?] y
Installing Network Registrar as <nwreg2>
## Installing part 1 of 1.
/opt/nwreg2/regional/aiclockmgr
/opt/nwreg2/regional/cnrImage.tar.gz
...OUTPUT DELETED FOR BREVITY...


Solaris Regional Installation (Cont.)


/opt/nwreg2/regional/aiclockmgr
Network Registrar regional mode installation completed
successfully.
Installation of <nwreg2> was successful.
The following packages are available:
  1  nwreg2     Network Registrar
                (sparc) 6.2

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: q
bash-2.05#


Verifying Status of Processes


Check whether Network Registrar processes are
running:
Solaris and Linux:
# /opt/nwreg2/local/usrbin/cnr_status
# /opt/nwreg2/regional/usrbin/cnr_status
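As an added example (not Cisco code and not part of the course), the following Python script parses the answers recorded in an installer session like the Solaris transcripts above and reports what a defender reviews right after installation: whether a plaintext HTTP Web UI listener was enabled, whether the keystore still uses the JSSE default password, and whether the cluster was installed without a license key. The transcript it reads is constructed here to mirror the slides; the prompt strings are the installer's own.

```python
"""Audit the answers recorded in a CNR 6.2 installer session.

Added example for this course page, not Cisco code.  It reads a transcript
like the ones on the Solaris installation slides, recovers the answer given
to each installer prompt (an empty answer means the bracketed default was
accepted) and reports the settings a defender reviews after installation.
"""
import re

# Constructed transcript modelled on the "Solaris Local Installation" slides:
# local mode, no license key, both HTTP and HTTPS, default ports, and the
# JSSE default keystore password left in place.
SAMPLE_TRANSCRIPT = """\
Select the Network Registrar mode [1,2]: 1
Please enter your Network Registrar Local Server Agent license
key, or press the Return key to continue the installation
without entering a valid license key at this point:
Administration of the cluster will not be possible without a
valid license key. Are you sure you wish to continue? [n]
[y,n,?,q] y
Enter the CCM SCP port number [1234]:
Select your installation type [1,2]: 1
Select your installation type [1-3]: 3
Enter the Web UI port number [8080]:
Where is your keystore file located? /etc/cnrlocal.keys
What is your keystore password? changeit
Enter the secure Web UI port number [8443]:
"""

# Installer prompt text (as on the slides) -> setting name.  The two
# "Select your installation type" prompts differ only by their choice list.
PROMPTS = {
    "Select the Network Registrar mode [1,2]": "mode",
    "Select your installation type [1,2]": "install_scope",
    "Select your installation type [1-3]": "webui_type",
    "Enter the CCM SCP port number": "scp_port",
    "Enter the Web UI port number": "http_port",
    "Enter the secure Web UI port number": "https_port",
    "Where is your keystore file located?": "keystore",
    "What is your keystore password?": "keystore_password",
}
# What follows a prompt: optional "[default]", optional ":", then the answer.
ANSWER_RE = re.compile(r"\s*(?:\[(?P<default>[^\]]*)\])?\s*:?\s*(?P<answer>.*)$")
WEBUI_TYPES = {"1": "Non-secure/HTTP", "2": "Secure/HTTPS", "3": "Both HTTP and HTTPS"}
JSSE_DEFAULT_PASSWORD = "changeit"  # the default the installer prompt names


def parse_answer(rest):
    """Return the typed answer, or the bracketed default when Return was pressed."""
    m = ANSWER_RE.match(rest)
    answer = m.group("answer").strip()
    return answer or m.group("default")


def parse_transcript(text):
    """Map setting names to the values the installer ended up with."""
    settings = {}
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        for prompt, key in PROMPTS.items():
            if line.startswith(prompt):
                settings[key] = parse_answer(line[len(prompt):])
                break
        # Only asked when no license key was typed; the y/n answer may sit on
        # the next line after the "[y,n,?,q]" choice list.
        if "Are you sure you wish to continue?" in line:
            tail = line.split("]")[-1].strip()
            if not tail and i + 1 < len(lines):
                tail = lines[i + 1].split("]")[-1].strip()
            settings["license_skipped"] = tail.lower().startswith("y")
    return settings


def audit(settings):
    """Findings a defender would raise about the recorded installation."""
    findings = []
    webui = settings.get("webui_type", "1")  # installer default is HTTP only
    if webui in ("1", "3"):
        findings.append("Web UI mode '%s': admin logins reachable over plaintext HTTP on port %s"
                        % (WEBUI_TYPES[webui], settings.get("http_port", "8080")))
    if webui == "1":
        findings.append("No HTTPS listener: the secure Web UI (JSSE) was not enabled")
    if settings.get("keystore_password") == JSSE_DEFAULT_PASSWORD:
        findings.append("Keystore %s still uses the JSSE default password"
                        % settings.get("keystore", "(unknown)"))
    if settings.get("license_skipped"):
        findings.append("Installed without a license key; the cluster cannot be "
                        "administered until one is added via the Web UI or CLI")
    return findings


if __name__ == "__main__":
    parsed = parse_transcript(SAMPLE_TRANSCRIPT)
    for key, value in sorted(parsed.items()):
        print("%-18s %s" % (key, value))
    for finding in audit(parsed):
        print("FINDING:", finding)
```

Pipe a saved `script(1)` capture of the pkgadd session into `parse_transcript` to audit a real installation instead of the constructed sample.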


CNR 6.2 Product Licensing


Each Network Registrar software license key addresses a separate functional area. You enter these license keys during installation or in the Web-based user interface (Web UI) or CLI.
During an upgrade, you are prompted for a license key only if no valid license keys are found in the existing license file.


Licensing CNR 6.2 (Cont.)


Upgrading from a release before 6.0: you must add a new license key. License keys that were valid before 6.0 do not work.
DHCPv6 functionality requires a new ipv6 license key.
The router license can now be applied to the local cluster.


Product Licensing Local


Local


Viewing Licensing Local


Product Licensing Regional


Regional


Viewing Licensing Regional


Regional


The CNR 6.2 User Interface


Cisco Network Registrar User Interfaces


Web User Interface (Web UI)
for access to Regional Cluster
for access to Local Clusters

Command Line Interface (CLI) for Regional and Local Clusters
CNR API to interface with other applications


Log In to Web Interface


Accept the self-signed certificate when accessing
the secure Web UI


Local Login
Log in to the Web UI; the default login and password are admin/changeme.


Local Main Menu


Local Cluster Web UI


Provides concurrent access to Network Registrar user and protocol server administration and configuration.
It provides granular administration across servers with permissions you can set on a per element or feature basis.
Administration - Used to manage licenses, administrators, administrator groups and roles, encryption keys and access control lists, owners and regions, and to view the datastore change logs.
Servers - Used to manage protocol servers on this cluster.
Clusters - Used to manage remote clusters.
Routers - Used to add and manage routers.


Local Cluster Web UI (cont.)


DHCP - Used to manage the Network Registrar DHCP server. This includes managing scopes and associated ranges, reservations and leases, policies and associated options, and client and client-class entries.
DNS - Used to manage the lists of zones, reverse zones and secondary zones, and their resource records. Also manage zone templates, secondary servers, and zone distribution.
Host - Used to manage hosts, assigning them a DNS name and one or more IP addresses.
Address Space - Used to view the unified address space tree, and to manage address blocks, subnets and static IP ranges.


Regional Main Menu


Regional Cluster Web UI


The regional cluster Web UI provides concurrent access to Network Registrar regional and central administration tasks.
Like the local cluster Web UI, it provides granular administration across servers with permissions you can set on a per element or feature basis.
The regional cluster consists of:
Central Configuration Management (CCM) server
Router Interface Configuration (RIC) server
Tomcat web server, servlet engine, and server agent


Regional Cluster Web UI (Cont.)


Administration - Used to manage licenses,
administrators, administrator groups and roles,
encryption keys and access control lists, owners and
regions, and to view the datastore change logs.
Servers - Used to manage protocol servers on this
cluster.
Clusters - Used to manage remote clusters.
Routers - Used to manage routers and router
interfaces.
Replica Data - Used to manage replica data of local
clusters.

Regional Cluster Web UI (Cont.)

DHCP - Used to manage virtual private networks (VPNs), DHCP
scope templates, policies, client-classes, networks, dynamic
DNS, and failover server pairs.
DNS - Used to manage DNS zone templates, forward and reverse
zones, update policies, ACLs, keys, HA pairs, update maps, and
zone distributions.
Address Space - Used to manage the address space, address
blocks, subnets, address types, address destinations; and to
check subnet utilization, lease history, and consistency rules.
Reports - Used to create the required ARIN utilization and SWIP
reports.

Navigating the CNR 6.2 Web UI


Connect Between Regional and Local Cluster


Warning!
Use the CNR Screen Navigation
Controls and not the Web browser
controls:


The CNR Command Line Interface (CLI)

You can use the Network Registrar Command Line Interface
(nrcmd CLI) from either the local or regional server to:
Configure and manage the DNS, DHCP, and TFTP servers
Write scripts to automate tasks.


Windows CNR Command Line Interface (CLI)

By default, the nrcmd command is located in:
C:\Program Files\Network Registrar\Local(Regional)\bin

From the Windows Start Menu:
Start > Programs > Network Registrar 6.2 > Network Registrar 6.2 CLI

From the Command Prompt:
nrcmd [general-options] [command] [options]


Solaris and Linux CNR Command Line Interface (CLI)

Start by using the following syntax:
nrcmd [general options] [command] [options]


General Options to nrcmd Command

-C cluster - Cluster (cluster is the name of the machine on which
the Network Registrar servers are running). If not specified, the
cluster name defaults to localhost.
-N user - Network Registrar user name (user).
-P password - Network Registrar user password (password).
-h - Prints help text.
-L - Accesses the local cluster CLI.
-R - Accesses the regional cluster CLI.
-b < file.txt - Batch file (file.txt is the file of nrcmd commands that
run in batch mode, read a line at a time and with a new line printed
after the prompt).


CNR 6.2 CLI Examples

The next examples show how to stop/start the DHCP server:
nrcmd> dhcp stop
nrcmd> dhcp start

Display lease info:
nrcmd> lease list                  (show all leases)
nrcmd> lease [IP address] show     (show properties)

This example specifies the list of IP addresses for zone
transfers for a zone:
nrcmd> zone example.com. set auth-servers=192.168.50.1,10.0.0.1
100 Ok
auth-servers=192.168.50.1,10.0.0.1

For a comprehensive list of commands see the CNR 6.2
Command Line Reference Guide.


Exercise
Getting Started with CNR


Exercise


Review and Q&A



Introduction to the Domain Name Service


DNS Objectives
Upon completion of this section, you should understand:
What is DNS and its Purpose?
Key DNS Terms
How DNS is Organized
Zones, Subzones, Domains and Subdomains
What Do Name Servers Do?
Types of Name Servers
Resource Records
Forward and Reverse Zones
How is a DNS Query Completed?
IPv6 and CNR DNS

What is DNS and its Purpose?


Where Would You Like to Go Today?

I'd like to go to Cisco's Web page

What is the Domain Name System (DNS)?


DNS is a distributed database of mappings between Internet
names and their corresponding IP Addresses.
In other words DNS:
Translates Internet domain names into IP numbers.
Translates IP Addresses into Internet Domain Names.
A DNS server performs this kind of translation.


What is the Domain Name System (DNS)?

The Internet really works with IP Addresses:
Example: The phone book in your cell phone
You select Fred's name on the display, but the phone
actually dials Fred's telephone number.

When a Client wishes to connect to a Web Server:
The browser sends the URL to the local DNS server to
resolve the FQDN and retrieve an IP Address.
If the local DNS server does not have the answer, it asks
the next DNS server in line for the answer.


How DNS Works

[Figure: John at Work asks the DNS Server for www.cisco.com and
receives 198.133.219.25, then reaches the Web Server (www.cisco.com)
across the Internet]

Key DNS Terms


DNS Terms
Name Server:
Heart of the Domain Name System
Each DNS server maintains a list of Root Name Servers
Internal resolvers know to query that list to resolve names


DNS Terms (Cont.)

Domain - A branch of the DNS naming hierarchy tree that refers to
general groupings of networks based on organization type or
geography
Subdomain - Also called a Child Domain, it is a domain that
is part of a larger domain name in the DNS hierarchy
Zone - Administrative delegation point in the DNS tree hierarchy
that contains all the names from a certain point downward, except
for those names that were delegated to other zones
Subzone - A partition of a delegated domain, represented as
a child of the parent node


How DNS is Organized


How DNS is Organized


The Hierarchy
Domains and Subdomains
Zones and Subzones
The Root Domain and Root Zone


The Hierarchy
DNS is a hierarchical database, meaning the data is structured
in a tree, much like the directory structure of a UNIX or
Windows file system.
The root domain, ".", is at the top, and various subdomains
branch out from the root (much like an upside down tree).


The Domain Name System

DNS is hierarchical, similar to UNIX/DOS file systems
[Figure: the Domain Name Space drawn beside a Unix directory tree]

Zones, Subzones, Domains, and Subdomains

Domains and Subdomains


A domain is a section of the DNS naming hierarchy
A subdomain is contained within a domain
Example: www.sales.cisco.com.
www is the host name label
sales is the subdomain label
cisco is the second-level domain label
com is the top-level domain label
. is the root-level domain


What is a Zone?
A Delegation Point in the DNS tree hierarchy that
contains all the names from a certain point downward:
except those names that were delegated to other zones
It defines the contents of a contiguous section of the
domain space, usually bounded by administrative
boundaries.
Each zone has configuration data composed of entries
called Resource Records (RR).
A zone can map exactly to a single domain, but it can
also include only part of a domain, with the remainder
delegated to another subzone.

Zones and Subzones

Zones:
Define the contents of a contiguous section of the domain
space
Contain configuration data composed of entries called
Resource Records (RR)

Subzones:
Are partitions of delegated domains
Always end with the name of their parent


Zone versus Domain


The Root Domain and Root Zone

The zone '.' is shorthand for the root domain
dot '.' translates to any domain not defined as
either a master or slave and is at the top of the
hierarchy

The DNS is arranged as a hierarchy:
From the perspective of the structure of the names
maintained within the DNS
In terms of the delegation of naming authorities

The root domain '.' is administered by the Internet
Assigned Numbers Authority (IANA)
IANA has the authority to allocate domains beneath the root

What Do Name Servers Do?


What is a Name Server?

A name server is a program that resides on a
specified server:
Maintains zone databases that contain specified
information about its branch of the tree in the form of
Resource Records (RR)

What is a Name Server?


Name Server Distribution Example

[Figure: an Administrator maintains USA-West (Primary); USA-East,
Asia and Europe are Secondary servers; a Client queries them]

Types of Name Servers


Types of Name Servers


Root Name Servers
Caching Servers
Forwarding Servers
Primary and Secondary Servers
Master and Slave Servers
Authoritative versus Non-Authoritative Servers


Root Name Servers


Heart of the Domain Name System
Each DNS server maintains a list of Root Name Servers
Internal resolvers query these lists to resolve names


Caching Servers
A type of DNS server that:
Caches information learned from other name servers
Answers requests quickly because information is local
Does not have to query other servers for each transaction


Example: Caching

[Figure: 1. the Resolver queries the Local Name Server for
www.sales.cisco.com.; 2. the local name server already has data for
cisco.com. cached from a previous query, so it skips the Root Name
Server and com. and queries cisco.com. and sales.cisco.com. directly;
7. the answer for www.sales.cisco.com. is returned to the Resolver]

Forwarding Servers

DNS servers designated to handle all offsite queries
Relieves other DNS servers from having to send
packets offsite
Reduces the amount of bandwidth used for offsite
DNS queries

Primary and Secondary Servers

Primary (Master)
DNS server that contains the master database for a zone.
Authoritative DNS name server that transfers zone data to
secondary servers through zone transfers.

Secondary (Slave)
DNS name server that gets its zone data from another name
server (the primary server).
DNS server that always forwards queries it cannot answer from
its cache to a fixed list of forwarding servers instead of querying
the root name servers for answers.
When a secondary server starts up, it contacts the
primary server to retrieve the most current zone data.


Types of DNS Servers

Master = Primary

Slave = Secondary


Example - Name Server Distribution


Authoritative vs. Non-Authoritative Servers

Authoritative - A DNS name server that possesses
complete information about a zone.
Non-Authoritative - A DNS name server that possesses
incomplete information about a zone.


Resource Records


What is a Resource Record?

Resource Records define data types in the
Domain Name System (DNS)
Stored in binary format internally for use by DNS
software
However, resource records are sent across a network in
text format while they perform zone transfers

Resource Record Structure

Owner Name                 Class  TTL    Type  Data
cisco.com.                 IN     86400  SOA   NS, e-mail, serial number, etc.
cisco.com                  IN            NS    ns.cisco.com
ns.cisco.com.              IN            A     10.100.200.2
student                    IN            A     10.100.200.3
200.100.10.in-addr.arpa.   IN            SOA   NS, e-mail, serial number, etc.
200.100.10.in-addr.arpa.   IN            NS    ns.cisco.com.
                           IN            PTR   ns.cisco.com.

Record Types
SOA - Start of Authority for a Zone *
A - Hostname to IP Address Mapping *
PTR - IP Address to Hostname Mapping *
NS - Name Server for a Zone *
MX - DNS Mail Exchanger *
CNAME - Canonical Name (alias)
HINFO - DNS Host Information
TXT - Text Strings used for descriptive purposes
SRV - Use several servers for a single host domain

Resource Records and Key Types

Start of Authority (SOA) - Designates the start of a
zone
Name Server (NS) - Designates the authoritative
server for a zone
A - DNS Address resource record

Resource Records and Types (Cont.)

Canonical Name (CNAME) - Used for nicknames or
aliases
Host Information (HINFO) - Provides information about
the hardware and software of the host machine
Mail Exchanger (MX) - Specifies where mail for a
domain name should be delivered


Resource Records and Types (Cont.)


Pointer Resource (PTR) - used to enable special
names to point to some other location in the domain
tree
Text Character (TXT) - one or more text character
strings that can contain any type of information
SRV - allows administrators to specify the location of a
specific service type on the network


Start of Authority (SOA)

Designates the start of a Zone
Defines the domain name
Defines necessary parameters for the Zone

cisco.com.   IN  SOA  ns1.cisco.com. root.ns1.cisco.com. (
                      2006010200   ; Serial
                      10800        ; Refresh after 3 hours
                      3600         ; Retry after 1 hour
                      604800       ; Expire after 1 week
                      14400 )      ; Minimum TTL of 4 hours

Name server (NS)

Defines the Name Server ns1 for the Zone
FQDN of the host name must end with a dot .

cisco.com.   IN  NS  ns1.cisco.com.

Address (A)
Maps host names to IP Address for the Zone
Also known as Forward Records

stargate   IN  A  172.16.2.1
matrix     IN  A  172.16.2.2
netprint   IN  A  172.16.2.3
rotor      IN  A  172.16.2.4
ldap       IN  A  172.16.2.5

Pointer (PTR)
Maps IP Addresses to host names for the Zone
Also known as Reverse Records
FQDN of the host name must end with a dot .

1.2   IN  PTR  stargate.cisco.com.
2.2   IN  PTR  matrix.cisco.com.
3.2   IN  PTR  netprint.cisco.com.
4.2   IN  PTR  rotor.cisco.com.
5.2   IN  PTR  ldap.cisco.com.
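The record layout on the preceding slides (owner, optional TTL and class, type, data, with ';' comments and a parenthesised SOA) is easy to parse by hand. The following parser is an added example, not CNR code; the sample zone text it carries is constructed from the slides' SOA, NS, A and PTR records, and the $ORIGIN handling and '@' shorthand are standard zone-file syntax rather than anything the slides show.

```python
"""Zone-file resource record parser, added here as an illustration (not CNR code).
It handles the pieces of the format shown on the slides: $ORIGIN, relative
owner names, optional TTL and class, ';' comments and the parenthesised
multi-line SOA. The sample zone text below is constructed from the slides."""
from typing import Iterator, List, NamedTuple, Optional, Tuple

RR_TYPES = {"SOA", "NS", "A", "AAAA", "PTR", "MX", "CNAME", "HINFO", "TXT", "SRV"}
CLASSES = {"IN", "CH", "HS"}


class RR(NamedTuple):
    owner: str            # always fully qualified, ending in '.'
    ttl: Optional[int]    # None when the record carries no TTL
    rclass: str
    rtype: str
    rdata: List[str]


def _qualify(name: str, origin: str) -> str:
    """'@' is the origin; names without a trailing dot are relative to it."""
    if name == "@" or name.endswith("."):
        return origin if name == "@" else name
    return name + "." if origin == "." else f"{name}.{origin}"


def _logical_lines(text: str) -> Iterator[Tuple[bool, List[str]]]:
    """Yield (owner_is_implicit, tokens); '(' ... ')' groups become one line.
    Only ';' starts a comment: a '#' (the mistake on the HA slides) is kept,
    so such a line fails to parse as a record instead of being ignored."""
    buf, depth, implicit = [], 0, False
    for raw in text.splitlines():
        if not buf:                       # first physical line of a record:
            implicit = raw[:1].isspace()  # leading blank = same owner as before
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            tokens = " ".join(buf).split()
            buf = []
            if tokens:
                yield implicit, tokens
    if depth != 0:
        raise ValueError("unbalanced parentheses in zone data")


def parse_zone(text: str, origin: str = ".") -> List[RR]:
    records, last_owner = [], None
    for implicit, tokens in _logical_lines(text):
        if tokens[0] == "$ORIGIN":
            origin = _qualify(tokens[1], origin)
            continue
        if implicit:
            if last_owner is None:
                raise ValueError("record without an owner name")
            owner, i = last_owner, 0
        else:
            owner, i = _qualify(tokens[0], origin), 1
        ttl, rclass = None, "IN"
        while i < len(tokens) and tokens[i] not in RR_TYPES:  # TTL/class, any order
            if tokens[i].isdigit():
                ttl = int(tokens[i])
            elif tokens[i].upper() in CLASSES:
                rclass = tokens[i].upper()
            else:
                raise ValueError(f"unexpected token {tokens[i]!r} in {' '.join(tokens)}")
            i += 1
        if i >= len(tokens):
            raise ValueError(f"no record type in {' '.join(tokens)}")
        rtype, rdata = tokens[i], tokens[i + 1:]
        if rtype in {"NS", "PTR", "CNAME"}:      # names in rdata are relative too
            rdata = [_qualify(rdata[0], origin)]
        elif rtype == "SOA":
            rdata = [_qualify(rdata[0], origin), _qualify(rdata[1], origin)] + rdata[2:]
        records.append(RR(owner, ttl, rclass, rtype, rdata))
        last_owner = owner
    return records


# Constructed sample data, built from the SOA, NS, A and PTR slide examples.
SAMPLE_FORWARD = """\
$ORIGIN cisco.com.
@           IN  SOA  ns1.cisco.com. root.ns1.cisco.com. (
                     2006010200  ; Serial
                     10800       ; Refresh after 3 hours
                     3600        ; Retry after 1 hour
                     604800      ; Expire after 1 week
                     14400 )     ; Minimum TTL of 4 hours
@           IN  NS   ns1.cisco.com.
stargate    IN  A    172.16.2.1
matrix   86400  IN  A  172.16.2.2
"""
SAMPLE_REVERSE = """\
$ORIGIN 16.172.in-addr.arpa.
1.2   IN  PTR  stargate.cisco.com.
"""
```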

Glue Records

A Record that is created as part of a delegation
If a zone is delegated to a name server whose hostname is a
descendant of that particular zone, then a glue record for
that hostname must be included in the delegation
Pointers to subzone name servers
Specifies the address of the authoritative name
server for a subdomain
Required only for the server delegating a domain
Not required for the domain itself

Forward and Reverse Zones


Forward Zones
Maps the Host Name to the IP Address
They contain:
SOA
NS
A
Possibly MX records


Reverse Zones
Reverse zones allow resolution of IP addresses to
names.
They contain:
SOA
NS
PTR records


in-addr.arpa Domain

[Figure: the in-addr.arpa reverse tree, with www.sales.cisco.com. shown
in the forward tree]

How is a DNS Query Completed?


How DNS Resolution Works

[Figure: the Resolver sends a Query for www.sales.cisco.com. to the
Local name server, which queries the Root Name Server and is referred
to the com. name servers, then to the cisco.com. name servers, then to
the sales.cisco.com. name servers, which return the Answer for
www.sales.cisco.com.; the local name server passes the Answer back to
the Resolver]

Components of a DNS Query


Resolver
Recursive
Iterative


Resolver

Client part of the DNS client/server mechanism that:
Creates queries sent across a network to a name server
Interprets responses, and returns information to the
requesting programs

Recursive

Type of query where the name server asks other
DNS servers for any non-authoritative data not in its
own cache
Recursive queries continue to query all name
servers until receiving an answer or an error

Recursive Query

[Figure: the Resolver sends a Query for www.sales.cisco.com. to the
Local Name Server and receives the Answer from it]

Iterative

Type of query whereby the name server returns the
closest answer to the querying server.

Iterative Queries

[Figure: the Local Name Server sends the Query for www.sales.cisco.com.
to the Root Name Server and gets a Referral to the com. Name Servers,
then a Referral to the cisco.com. Name Servers, then a Referral to the
sales.cisco.com. Name Servers, which return the Answer for
www.sales.cisco.com.]

Total Query Process

[Figure: the Resolver's Query for www.sales.cisco.com. goes to the Local
Name Server, which is referred by the Root Name Server to the com. Name
Servers, by com. to the cisco.com. Name Servers, and by cisco.com. to
the sales.cisco.com. Name Servers, which return the Answer for
www.sales.cisco.com.; the local name server then returns the Answer to
the Resolver. The us. and ma.us. branches are shown alongside.]
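The recursive, iterative and caching slides above describe one process: the local name server takes a recursive query from the resolver, walks the referral chain with iterative queries, and remembers what it learned. The simulation below is an added example, not CNR code; its miniature set of authoritative servers, the name server names ns1.cisco.com. and ns.sales.cisco.com., and the 192.0.2.x documentation addresses are all constructed for the example.

```python
"""Simulation of the query process on the slides, added as an illustration
(not CNR code): the local name server answers the resolver's recursive query
by sending iterative queries, following referrals down from the root, and
caches what it learns so later queries can skip the root and com. servers.
The miniature set of authoritative servers and addresses is constructed."""
from typing import Dict, List, Optional, Set, Tuple

# Each authoritative server knows which child zones it has delegated
# (child zone -> name server) and the A records it holds. Constructed data;
# the addresses are documentation-range placeholders, not real hosts.
AUTH: Dict[str, Dict[str, Dict[str, str]]] = {
    ".":                {"delegations": {"com.": "a.gtld-servers.net."}, "a": {}},
    "com.":             {"delegations": {"cisco.com.": "ns1.cisco.com."}, "a": {}},
    "cisco.com.":       {"delegations": {"sales.cisco.com.": "ns.sales.cisco.com."},
                         "a": {"ns1.cisco.com.": "192.0.2.1"}},
    "sales.cisco.com.": {"delegations": {},
                         "a": {"www.sales.cisco.com.": "192.0.2.80"}},
}


def enclosing_zones(name: str) -> List[str]:
    """'www.sales.cisco.com.' -> [itself, 'sales.cisco.com.', 'cisco.com.', 'com.', '.']."""
    labels = name.rstrip(".").split(".") if name != "." else []
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]


def iterative_query(zone: str, qname: str) -> Tuple[str, str]:
    """One iterative query to the server authoritative for `zone`. The server
    returns the closest answer it has: the record itself, a referral to the
    most specific child zone it delegated, or nxdomain."""
    server = AUTH[zone]
    if qname in server["a"]:
        return "answer", server["a"][qname]
    for child in enclosing_zones(qname):
        if child in server["delegations"]:
            return "referral", child
    return "nxdomain", ""


class LocalNameServer:
    """The caching name server that offers recursion to the site's resolvers."""

    def __init__(self) -> None:
        self.known_zones: Set[str] = set()     # zones we hold a referral for
        self.answers: Dict[str, str] = {}      # completed lookups (the cache)

    def resolve(self, qname: str) -> Tuple[Optional[str], List[str]]:
        """Recursive service: returns (address or None, zones queried in order)."""
        trace: List[str] = []
        if qname in self.answers:               # answered from cache: no queries
            return self.answers[qname], trace
        # Start at the closest enclosing zone we already know (the cached
        # cisco.com. data on the caching slide), else at the root.
        zone = next((z for z in enclosing_zones(qname) if z in self.known_zones), ".")
        while True:
            trace.append(zone)
            kind, data = iterative_query(zone, qname)
            if kind == "answer":
                self.answers[qname] = data
                return data, trace
            if kind == "nxdomain":
                return None, trace
            self.known_zones.add(data)          # remember the referral
            zone = data


if __name__ == "__main__":
    lns = LocalNameServer()
    print(lns.resolve("www.sales.cisco.com."))  # root -> com. -> cisco.com. -> sales.cisco.com.
    print(lns.resolve("ns1.cisco.com."))        # cached referral: asks cisco.com. only
```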

IPv6 and CNR DNS


CNR 6.2 and IPv6 Support

Network Registrar 6.2 provides a DNS server that
supports IPv6
This includes:
Direct queries and updates by IPv6 clients
This support impacts server and zone configuration
attributes, such as for ACLs and update policies,
that use IP addresses to control server behavior

IPv6 Support

Full support of AAAA and PTR RRs for IPv6 addresses,
and the ip6.arpa reverse zone (RFC 3152)
First-hop query support for clients over IPv6 (UDP
and TCP)
Allows IPv6-only clients to use the DNS server to resolve DNS
queries
Update policy and ACL support for IPv6 addresses

IPv6 Support for Forward Records

IPv6 AAAA Records are equivalent to IPv4 A Records
Hostname to IPv4 Address DNS Forward Lookups
A Record Example:
sales.cisco.com   IN  A     192.168.23.18

Hostname to IPv6 Address DNS Forward Lookups
AAAA Record Example:
sales.cisco.com   IN  AAAA  2001:660:3006:1::1:1

IPv6 Support for Reverse Records

IPv6 PTR Records are equivalent to IPv4 PTR Records
IPv4 Address to Hostname DNS Reverse Lookups
PTR Record Example:
$ORIGIN 168.192.in-addr.arpa.
18.23   IN  PTR  sales.cisco.com.

IPv6 Address to Hostname DNS Reverse Lookups
PTR Record Example:
$ORIGIN 0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0   IN  PTR  sales.cisco.com.
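The two PTR examples above are the same rule applied at two granularities: IPv4 reverses the four octets under in-addr.arpa, IPv6 reverses all 32 hex nibbles under ip6.arpa, and the reverse zone's $ORIGIN covers the network prefix while the relative owner carries the host part. The helper below is an added example, not CNR code; it reproduces the slide's split for the /16 and /48 cases and adds the trailing-dot check for PTR targets that the HA slides list as a classic zone-file mistake.

```python
"""Building PTR owner names, added as an illustration (not CNR code). Covers
the IPv4 in-addr.arpa and IPv6 ip6.arpa (RFC 3152) forms on the slides and
splits each name into the reverse zone's $ORIGIN and the relative owner."""
import ipaddress
from typing import List, Tuple


def reverse_labels(addr: str) -> List[str]:
    """Labels of the reverse name, least significant first, without the suffix.
    IPv4 reverses the four decimal octets; IPv6 reverses all 32 hex nibbles."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ip).split(".")[::-1]
    return list(ip.exploded.replace(":", ""))[::-1]


def _suffix(addr: str) -> str:
    return "in-addr.arpa." if ipaddress.ip_address(addr).version == 4 else "ip6.arpa."


def ptr_name(addr: str) -> str:
    """Fully qualified PTR owner name, e.g. 18.23.168.192.in-addr.arpa."""
    return ".".join(reverse_labels(addr)) + "." + _suffix(addr)


def split_origin(addr: str, prefix_len: int) -> Tuple[str, str]:
    """($ORIGIN, relative owner) for the PTR record of addr inside the reverse
    zone covering the /prefix_len network. Only octet (IPv4) or nibble (IPv6)
    boundaries are handled; other prefixes need a classless delegation."""
    bits_per_label = 8 if ipaddress.ip_address(addr).version == 4 else 4
    if prefix_len % bits_per_label:
        raise ValueError(f"/{prefix_len} does not fall on a label boundary")
    labels = reverse_labels(addr)
    split = len(labels) - prefix_len // bits_per_label
    host_part, network_part = labels[:split], labels[split:]
    return ".".join(network_part + [_suffix(addr)]), ".".join(host_part)


def check_ptr_target(name: str) -> str:
    """Reject a PTR target missing its trailing dot: the server would otherwise
    read it as relative to the reverse zone's $ORIGIN (the HA-slide mistake)."""
    if not name.endswith("."):
        raise ValueError(f"PTR target {name!r} is not fully qualified (no trailing dot)")
    return name


if __name__ == "__main__":
    for addr, plen in (("192.168.23.18", 16), ("2001:db8:0:1::1", 48)):
        origin, owner = split_origin(addr, plen)
        print(f"$ORIGIN {origin}\n{owner}   IN  PTR  {check_ptr_target('sales.cisco.com.')}")
```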

IPv6 Non-Supported
Zone transfers over IPv6
However, IXFR requests coming in on IPv6 interfaces, for
example, are replied to on the same interface
Resolving and forwarding queries by contacting
other DNS servers over IPv6 transports

Review and Q&A


Questions and Answers


DNS Configuration


DNS Configuration Objectives

Understand key DNS terms
Create Primary Forward and Reverse zones using the Web UI
Create Secondary Forward and Reverse zones using the Web UI
Add and edit Forward and Reverse zone resource record lists
Understand the difference between Staged and Synchronous mode
Update a remote server with the Secondary zone configuration
Configure Forwarding and Caching DNS servers
Configure CNR Zones to accept Dynamic DNS Updates
Start, Stop, and Reload the DNS Server

Key Terms


Key Terms

Start of Authority (SOA) - a DNS resource record that designates
the start of a zone
Owner - Owners can be created as distinguishing factors for
address blocks, subnets, and zones. In the context of DNS RRs, an
owner is the name of the RR
Region - Regions can be created as distinguishing factors for
address blocks, subnets, and zones. A region is distinct from the
regional cluster
Resource Record - DNS configuration record, such as SOA, NS,
A, CNAME, HINFO, WKS, MX and PTR, that comprises the data
within a DNS zone. Mostly abbreviated as RR

Configuring Primary Zones


Configuring Forward Zone


From the Web UI, click DNS and then Forward
Zones to open the List/Add Zones:


Configuring Forward Zone (Cont.)


Add Zone Page:


Configuring Reverse Zones


From the Web UI, click DNS and then Reverse
Zones to open the List/Add Zones:


Configuring Reverse Zones (Cont.)


Add Zone Page:


Adding Resource Records


Adding Resource Records (RRs)


From the Web UI, click DNS, then Forward Zones to
open the List/Add Zones page:

Type a Name for your Forward Zone into the Name box and click Add Zone



Adding Resource Records (RRs) (Cont.)


Here, we add an HINFO Resource Record
A typical use of an HINFO RR would be to describe the
hardware platform of the associated host


Adding Resource Records (RRs) (Cont.)


Resource Record Added:


Protect/Unprotect RR
Protect (Static):

Unprotected (Dynamic)


Configuring Secondary Zones


Why Add a Secondary Zone?


A secondary server splits the load with the primary
server or handles the total load if the primary server
is unavailable
You can configure a secondary server to be
responsible for a secondary zone which makes the
server a secondary for that zone


Configuring Secondary Forward Zone


From the Web UI, click DNS, then Secondary Zones
to open the List Secondary Zones page:


Configuring Secondary Forward Zone (Cont.)


Configuring Secondary Forward Zone (Cont.)


The Secondary Zone is added to the list:


Configuring Secondary Reverse Zone


From the List Secondary Zones page click Add
Secondary Zone:


Configuring Secondary Reverse Zone (Cont.)


Understanding Staged vs Synchronous

Staged - Changes to zones are written to the CCM
database, but not propagated to the DNS server until
the server is reloaded
Synchronous - Changes to zones are active in the
DNS server immediately after the records are written to
the CCM database


How to Set DNS for Staged or Synchronous Mode


Click Main Menu to open this page to change mode:


What are Dynamic DNS Updates


What are Dynamic DNS Updates?

When you use DHCP with DNS update, a host is configured
automatically for network access whenever it attaches to the
IP network
You can locate and reach the host using its permanent,
unique DNS host name
For example, mobile hosts can move freely without user or
administrator intervention


Configuring DNS to Accept Dynamic Updates


Managing the DNS Server (Start, Stop, and Reload)

Managing the DNS Server

You can manage the DNS server to:
View its health
View statistics and logs
Start
Stop
Reload

Manage Servers from Web UI


From the Web UI, click DNS, then Servers to open
the Manage Servers page:


Zone Delegation


What is Zone Delegation?

Delegation means making someone else responsible
for the subdomain
This delegation property is why DNS is often called a
distributed database
You can delegate administrative authority for subzones:
Can be managed by people within those zones
Served by separate servers


Configuring Zone Delegation

Go to Local Cluster, DNS, click List/Add Zones:


Configuring Zone Delegation (Cont.)


Configuring Zone Delegation (Cont.)


List Add Zones Page:


Configuring Zone Delegation (Cont.)


List/Add DNS Server RRs for Zone Page:


Configuring Zone Delegation (Cont.)

From the menu click Zone Distribution to open the
Synchronize Zone Distribution page:


Configuring Zone Delegation (Cont.)


Configure a DNS Forwarder


Why Use a Forwarder?


DNS server designated to handle all offsite queries
Using forwarders relieves other DNS servers from
having to send packets offsite


Configuring a DNS Forwarder

From the local cluster Web UI Manage Servers page click the
Server Name to open the Edit DNS Server page:


Configuring a DNS Forwarder (Cont.)


Configure a Caching Server


Configuring a Caching Server

When you first install Network Registrar, the DNS server
automatically becomes a non-authoritative, caching-only server
until you configure zones for it
If you keep the DNS server as a caching-only server, you must
have another primary or secondary DNS server somewhere that is
authoritative and to which the caching-only server can refer
The caching-only server should never be listed as an authoritative
server for a zone

Configuring a Caching Server

From the Main Menu click DNS and DNS Servers to
open the DNS Manage Servers page:

Configuring a Caching Server (Cont.)


Exercise Configuring CNR DNS


Exercise -


Review and Q&A


Review Questions and Answers


High Availability DNS


High Availability (HA) DNS Objectives

Be familiar with the Traditional Model of High
Availability DNS
Know the limitations of the traditional model and
how to solve them
Understand CNR 6.2 and HA
Learn how HA DNS Synchronizes Data between
member clusters
See how HA DNS Works in a Failure Scenario
Learn how to design, configure, and check the
status of HA DNS

Traditional Model of DNS High Availability

DNS is Designed to Have


One primary server
Multiple secondaries as authoritative for a zone


Problems with the Traditional Model

There exists a single point of failure in that DNS
updates cannot succeed if the primary goes down
Traditional DNS management required manual
editing of text files called Zone files which were
prone to errors:
Examples:
The administrator used a hash mark # for a
comment marker instead of a semicolon
The administrator forgot to add the PTR record in the
reverse file
The trailing . was missing on an entry in the reverse
file

Solving the Limitations of the Traditional Model

A second primary server can be made available as a hot standby to shadow the main primary server
The server pair is responsible for detecting communication failures
Administration is performed via the CNR Web UI or the CLI, whereby strong error checking is enforced

CNR's High Availability DNS

What is CNR's HA DNS?

Provides High-Availability (HA) DNS main and backup (standby) server configurations
The HA DNS solution introduces a primary DNS standby server that shadows the primary active server
This solution provides failover redundancy for DNS updates if there is a server outage or a disruption in communication
Only one standby server is supported
The local and regional Web UIs support configuring HA DNS pairs, which require a name and the cluster names for the main and backup servers
The CLI provides the ha-dns-pair command
You can manage the HA DNS server relationships from the local and regional clusters

How does HA DNS Synchronize Data between member clusters?

Both the main and backup can traverse the following states:
Startup
Normal
Communication Interrupted
Partner-Down
Synchronization

How does HA DNS Work in a Failure Scenario?

In Normal state both the main and backup primary servers are up and running:
The main server processes all DNS updates from clients and sends all accepted updates to the hot standby backup
The backup server refuses any DNS updates during normal times when the main is running and communicating with the backup
Both servers respond to non-update queries and zone transfers
The main and backup partners exchange heartbeat messages to detect if the other is not available

How does HA DNS Work in a Failure Scenario? (Cont.)

Hot Standby Backup Goes Down:
The main waits a short time, then records the updates that the partner did not acknowledge
When the backup server comes back up, the main sends the recorded updates to the backup
If the backup has been down for an extended period, the main sends its entire zone data to the backup, essentially a full zone transfer

How does HA DNS Work in a Failure Scenario? (Cont.)

Main Goes Down:
The backup waits a short time, then begins servicing the DNS updates from clients that the main would normally service, and records the updates
When the main returns, the backup sends it the updates, and the main synchronizes with the backup any unsent updates it had before it went down
During the short synchronization period, neither server accepts DNS updates
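The two failure scenarios above (backup down, main down) and the state list from the previous slide, stepped through in a small model. This is an added example, not CNR code: the state names come from the slides, while the FULL_SYNC_THRESHOLD constant and the host names are constructed, and the model contains only the rules as the slides state them.

```python
"""Toy model of the CNR 6.2 HA DNS main/backup behaviour described on these slides.
Added illustration, not CNR code: it encodes the stated rules (which server accepts
DNS updates in each state, recording of unacknowledged updates, replay or full zone
copy when the partner returns) so the two failure scenarios can be stepped through."""
from dataclasses import dataclass, field

NORMAL, INTERRUPTED, PARTNER_DOWN, SYNC = (
    "Normal", "Communication Interrupted", "Partner-Down", "Synchronization")
# Constructed stand-in for the slide's "extended period": with more pending updates
# than this, the recovering partner receives the entire zone instead of a replay.
FULL_SYNC_THRESHOLD = 3


@dataclass
class HaDnsServer:
    name: str
    is_main: bool
    up: bool = True
    state: str = NORMAL
    zone: dict = field(default_factory=dict)     # owner name -> rdata
    pending: list = field(default_factory=list)  # updates the partner has not acknowledged
    partner: object = None

    def accepts_updates(self) -> bool:
        """Normal / Communication Interrupted: only the main. Partner-Down: the
        surviving server. Synchronization (or a server that is down): neither."""
        if not self.up or self.state == SYNC:
            return False
        if self.state in (NORMAL, INTERRUPTED):
            return self.is_main
        return True

    def dns_update(self, name: str, rdata: str) -> bool:
        """Process a client DNS update; False means this server refused it."""
        if not self.accepts_updates():
            return False
        self.zone[name] = rdata
        if self.partner.up and self.partner.state == NORMAL:
            self.partner.zone[name] = rdata      # forwarded and acknowledged at once
        else:
            self.pending.append((name, rdata))   # recorded for replay after recovery
        return True


def new_pair():
    main = HaDnsServer("dns-main", is_main=True)
    backup = HaDnsServer("dns-backup", is_main=False)
    main.partner, backup.partner = backup, main
    return main, backup


def heartbeat_lost(server):        # partner's heartbeats stop: the short wait begins
    server.state = INTERRUPTED


def declare_partner_down(server):  # short wait elapsed without contact: take over
    server.state = PARTNER_DOWN


def partner_returns(main, backup) -> bool:
    """Both servers enter Synchronization, exchange what the other missed and go
    back to Normal. Returns True when a full zone copy was needed."""
    for s in (main, backup):
        s.up, s.state = True, SYNC
    full_copy = False
    for src, dst in ((main, backup), (backup, main)):
        if len(src.pending) > FULL_SYNC_THRESHOLD:
            dst.zone.update(src.zone)            # essentially a full zone transfer
            full_copy = True
        else:
            for name, rdata in src.pending:
                dst.zone[name] = rdata
        src.pending.clear()
    for s in (main, backup):
        s.state = NORMAL
    return full_copy


def scenario_main_goes_down():
    """Slide 'Main Goes Down': the backup refuses updates until Partner-Down."""
    main, backup = new_pair()
    results = [main.dns_update("host1.example.com.", "10.0.0.1"),    # accepted, forwarded
               backup.dns_update("host2.example.com.", "10.0.0.2")]  # refused in Normal
    main.up = False
    heartbeat_lost(backup)
    results.append(backup.dns_update("host2.example.com.", "10.0.0.2"))  # still refused
    declare_partner_down(backup)
    results.append(backup.dns_update("host2.example.com.", "10.0.0.2"))  # accepted, recorded
    full_copy = partner_returns(main, backup)
    return results, main.zone, backup.zone, full_copy


def scenario_backup_down_long():
    """Slide 'Hot Standby Backup Goes Down', extended outage: full zone copy."""
    main, backup = new_pair()
    backup.up = False
    heartbeat_lost(main)                         # the main keeps accepting and recording
    for i in range(FULL_SYNC_THRESHOLD + 1):
        main.dns_update("host%d.example.com." % i, "10.0.1.%d" % i)
    recorded = len(main.pending)
    return recorded, partner_returns(main, backup), backup.zone == main.zone
```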

Designing a HA DNS Pair

Attributes Needed:
ha-dns - Enabled or disabled. The default is disabled, so this attribute must be set explicitly
ha-dns-main-server - IP address of the main primary DNS server
ha-dns-backup-server - IP address of the backup primary DNS server

Designing a HA DNS Pair (Cont.)

simulate-zone-top-dynupdate - Enabled or disabled (the default)
Enable this only for Windows 2000 Domain Controller compatibility
update-relax-zone-name - Enabled or disabled (the default)
Enable this only if you want DNS Updates to specify any zone name in the authoritative zone rather than the exact zone name

Configuring HA DNS

From the Regional Web UI, click DNS, then HA Pairs to open the List HA DNS Server Pair page:

Configuring HA DNS (Cont.)


Checking the Status of HA DNS From Web UI

From either local cluster, click the Statistics icon on the Manage DNS Server page to open the DNS Server Statistics page:

Checking the Status of HA DNS From CLI

From the CLI, you can use:
dns getStats ha [total]
to view the HA DNS total counters statistics
dns getStats ha sample
to view the sampled counters statistics

Exercise - Configure HA DNS


Review Q&A


Review Questions and Answers


Troubleshooting CNR DNS


Troubleshooting CNR DNS Objectives

Find DNS server status and statistics
Use and search the DNS server log files to find potential problems
Configure debug settings on the DNS server
Identify and understand the most common errors
Use nslookup and dig to test DNS operations

DNS Server Status Monitoring


DNS Server Status Monitoring

Involves checking its:
State
Health
Statistics
Log messages
Related servers (DNS)

Server States
Loaded - First step after the server agent starts the server
(transitional).
Initialized - Server was stopped or fails to configure.
Unconfigured - Server is not operational because of a
configuration failure (transitional).
Stopped - Server was administratively stopped and is not running
(transitional).
Running - Server is running successfully.


Items to Monitor for a Server's Health

The following items can decrement the server's health, so you should monitor their status periodically:
DNS server (local cluster)
Configuration errors
Memory
Disk space usage
Inability to contact its root servers

How to Display the Server's Health from CLI

From the CLI, use the [server type] getHealth command:
The number 10 indicates the highest level of health.
0 indicates that the server is not running.

To see whether your local cluster servers are running on Solaris and Linux, run the cnr_status command in the install-path/usrbin/ directory:
bash-2.05# ./cnr_status
DNS server running (pid: 195)
DHCP server running (pid: 196)
Server Agent running (pid: 135)
MCD lock manager running (pid: 161)
CCM Server running (pid: 159)
WEB Server running (pid: 199)
CNRSNMP server running (pid: 201)

Monitor Server Health from the Web UI

From both the local and regional cluster Web UIs:
1. Click Administration, then Servers.
2. Check the Manage Servers page for the state and health of each server.

Web UI Administration

Click the Statistics icon to view statistics for the server.
Click the Log icon in the View Log column to view the log messages for the server.
Click the Start icon to start the server.
Click the Stop icon to stop the server.
Click the Reload icon to reload the server.

Web UI Administration (Cont.)

Regional administrators can check the state and health of the:
Regional CCM server
Server Agent
Router Interface Configuration (RIC) server

Using the CLI Statistics Command

nrcmd> dns getStats
100 Ok
{Cisco Systems, Inc. DNS Server, Release 6.2 build #6.2.0512141343, Dec 14 2005 13:57:57} 3 1211296 1211275 4 0 0 0 0 0 0 0 0 0 0 0

Displays the DNS server statistics generated by the total counters since the last server restart.
Full syntax:
dns getStats [all | {[performance] [query] [security] [errors] [maxcounters]} [sample]]

Using the CLI Statistics Command (Cont.)

You can request four categories of statistics, with one qualifying keyword:
All - Displays all statistics available for all DNS servers. Cannot be used with any other category.
Performance - Displays performance statistics available for the DNS server. Can be combined with the other categories.
Query - Displays query statistics available for the DNS server. Can be combined with the other categories.
Security - Displays security statistics for the DNS server. Can be combined with the other categories.

Using the CLI Statistics Command (Cont.)

Errors - Displays error statistics for the DNS server. Can be combined with the other categories.
Maxcounters - Displays the maximum counter statistics for the DNS server. Can be combined with the other categories.
Sample - If this keyword is used with one or more categories, displays the last snapshot taken of the counter values.

CNR SNMP

The Network Registrar Simple Network Management Protocol (SNMP) notification support allows you to:
Be warned of error conditions and possible problems with the DNS servers.
Monitor threshold conditions that may indicate failure or impending failure conditions.

Network Registrar implements SNMP Trap Protocol Data Units (PDUs) according to the SNMPv1 standard.

CNR SNMP (Cont.)

Each trap PDU contains:
Generic-notification code, if enterprise-specific.
Specific-notification field that contains a code indicating the event or threshold crossing that has occurred.
Variable-bindings field that contains additional information about certain events.

DNS Server Logs


DNS Server Logs

Log Files
Log Settings
Viewing and Searching the Logs from the Web UI
Viewing and Searching the Logs from the CLI
Log Messages:
syslog
Windows Event Viewer

Log Files

When you start Network Registrar, it automatically starts logging Network Registrar system activity.
Network Registrar maintains all the logs by default in:
Windows: <CNR_ROOT>\logs
Solaris and Linux: <CNR_VAR>/local/logs (local cluster) and <CNR_VAR>/regional/logs (regional server)

To view these logs, use the tail -f command in Unix.
The file name_dns_1_log contains local cluster DNS activity entries.

Log Settings From Web UI

Choosing from the DNS log settings gives you greater control over existing log messages.
From the Web UI, use the Log settings attribute on the Edit DNS Server page.

Log Settings From CLI

When you suspect a problem exists, adjust what is logged with the following command:
dns set log-settings, with one or more keywords or numeric values, separated by commas.
Restart the server if you make any changes to the log settings.

To return to the default state, use:
dns unset log-settings

Log Settings

Logging Server Events:
The DNS, DHCP, and TFTP servers have log settings that can severely restrict what is logged, and thereby improve server performance.
These log settings are available using the dns set log-settings, dhcp set log-settings, and tftp set log-settings commands in the CLI, respectively.
Caution: To avoid filling up the Windows Event Viewer and preventing Network Registrar from running, check the Overwrite Events as Needed box in the Event Log Settings.

Viewing and Searching the Logs from the Web UI

The Web UI provides a convenient way to search for entries in the activity and startup log files.
You can locate:
Specific message text
Log message IDs
Message timestamps (using a regular expression string entry)

Log Message Format Web UI

In the Web UI, you can affect which events to log.
For example, to set the logging for the local cluster DNS server:
1. Click DNS.
2. Click DNS Server to open the Manage DNS Server page.
3. Click the name of the server to open the Edit DNS Server page.
4. Expand the Logging attributes section to view the log settings.
5. Make changes to these settings as desired.
6. Click Modify Server.
7. Reload the server.

How to View and Search the Logs from the Web UI

When you click the Log icon in the View Log or View Startup column on the Manage Servers page (or one of the specific server pages), this opens a Log for Server page:

How to View and Search the Logs from the Web UI (Cont.)

In the text field next to the Search icon at the top of the page, enter the search string in regular expression syntax.
For example, entering Warning searches for all instances of log entries containing a warning.

How to View and Search the Logs from the Web UI (Cont.)

Clicking the Search icon opens a Log Search Result page in a separate browser window.
The page shows the file name, the Match Line Number of the match, and the Log Number.

How to View and Search Logs from the CLI

The "dns" command sets and enables or disables DNS server attributes.
Executing a dns command via nrcmd:
dns getStats [all | {[performance] [query] [security] [errors] [maxcounters]} [sample]]
dns serverLogs show
dns serverLogs nlogs=value logsize=value

How to View and Search Logs from the CLI (Cont.)

To display the server log maximums settings:
Use the [server type] serverLogs show command
View the number (nlogs) and size (logsize) parameters
Change these parameters if necessary:
nrcmd> dns serverLogs show
nrcmd> dns serverLogs nlogs=6 logsize=200000

Viewing Log Messages - Messages

There may be descriptive entries for CNR DNS in the Unix log file messages.
This file is located at:
Solaris: /var/adm/messages
Linux: /var/log/messages

CNR log files for the local cluster: /var/nwreg2/local/logs/
CNR log files for the regional cluster: /var/nwreg2/regional/logs

Viewing Log Messages - Windows Event Viewer

From Start > Settings > Control Panel > Administrative Tools > Event Viewer, select Application to view the logs:

Log Messages


Log Message Categories

Server log entries include the following categories:
Activity - Logs the activity of your servers.
Info - Logs standard operations of the servers, such as starting up and shutting down.
Warning - Logs warnings, such as invalid packets, user miscommunication, or an error in a script while processing a request.
Error - Logs events that prevent the server from operating properly, such as out of memory, unable to acquire resources, or errors in configuration.

Common Log Messages between Windows and Unix

Typical messages in the CNR DNS startup log file:
[root@sunburst logs]# tail dns_startup_log
10/26/2005 11:17:58 dns_startup Info Server 0 02183 DNS information loaded.
10/26/2005 11:17:58 dns_startup Info Server 0 02172 server configuration completed.
10/26/2005 11:17:58 dns_startup Info System 0 02218 Listening for UDP pkts on [127.0.0.1].53
10/26/2005 11:17:58 dns_startup Info System 0 02218 Listening for UDP pkts on [172.16.2.16].53
10/26/2005 11:17:58 dns_startup Info System 0 02927 Query source address is [0.0.0.0].53
10/26/2005 11:17:58 dns_startup Info System 0 20079 Notify source address is [0.0.0.0].53
10/26/2005 11:17:58 dns_startup Info System 0 20082 Transfer source address is [0.0.0.0].53
10/26/2005 11:17:58 dns_startup Info Server 0 02956 timer thread starts...
10/26/2005 11:17:58 dns_startup Info Server 0 02172 server start completed.

Common Log Messages between Windows and Unix (Cont.)

Typical messages in the CNR DNS run-time log file:
[root@sunburst logs]# grep -i warn name_dns_1_log
10/26/2005 11:17:58 name/dns/1 Warning Configuration 0 20588 Zone Blob missing 'NS TTL' for zone "127.in-addr.arpa", assuming default TTL value of 86400.
10/26/2005 11:17:54 name/dns/1 Warning Configuration 0 20633 Config DB directory var/nwreg2/local/data/dns/configdb does not exist. Shall create it.
10/26/2005 11:17:57 name/dns/1 Warning Configuration AX_ENOENT 20321 Could not get version numbers from CCM DB. Assuming out-of-sync. Purging CCMDB for reconfiguration.
10/26/2005 11:17:58 name/dns/1 Warning Configuration 0 20584 Zone Blob missing 'SOA TTL' for zone "127.in-addr.arpa", assuming default TTL value of 86400.
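A parser for the log line format shown on the last two slides, run over the warning lines above. This is an added example, not part of the course or of CNR: the field layout is inferred from these sample lines, and the continuation handling is for message text wrapped across lines as it appears on the slides.

```python
"""Parser for the CNR DNS log line format shown on the two preceding slides.
Added example, not part of the course or of CNR: the field order (date, time,
source, severity, category, result code, five-digit message id, text) is read
off the sample lines above, and wrapped continuation lines are re-joined."""
import re
from collections import Counter
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d{4}) (?P<time>\d\d:\d\d:\d\d) (?P<source>\S+) "
    r"(?P<severity>Activity|Info|Warning|Error) (?P<category>\S+) "
    r"(?P<code>\S+) (?P<msgid>\d{5}) (?P<text>.*)$")
SEVERITY_RANK = {"Activity": 0, "Info": 1, "Warning": 2, "Error": 3}


@dataclass
class LogEntry:
    date: str
    time: str
    source: str
    severity: str
    category: str
    code: str
    msgid: str
    text: str


def parse_log(raw: str) -> list:
    """Parse log text. A line that does not start a new entry (and is not a shell
    prompt) is the wrapped continuation of the previous entry's message."""
    entries = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(LogEntry(**m.groupdict()))
        elif line.strip() and entries and not line.startswith("["):
            entries[-1].text += " " + line.strip()
    return entries


def at_least(entries, severity):
    """Entries at the given severity or worse, e.g. everything Warning and up."""
    rank = SEVERITY_RANK[severity]
    return [e for e in entries if SEVERITY_RANK[e.severity] >= rank]


def search(entries, pattern):
    """Regular-expression search over message text, like the Web UI search box."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [e for e in entries if rx.search(e.text)]


def summarize(entries):
    """Counts per severity and per message id, plus any non-zero result codes."""
    return {
        "by_severity": Counter(e.severity for e in entries),
        "by_msgid": Counter(e.msgid for e in entries),
        "nonzero_codes": sorted({e.code for e in entries if e.code != "0"}),
    }


# Sample input: the warning lines from the slide above, wrapped exactly as shown
# there, plus the final line of the startup log from the slide before it.
SAMPLE = """\
[root@sunburst logs]# grep -i warn name_dns_1_log
10/26/2005 11:17:58 name/dns/1 Warning Configuration 0 20588 Zone Blob
missing 'NS TTL' for zone "127.in-addr.arpa", assuming default TTL value of
86400.
10/26/2005 11:17:54 name/dns/1 Warning Configuration 0 20633 Config DB
directory var/nwreg2/local/data/dns/configdb does not exist. Shall create
it.
10/26/2005 11:17:57 name/dns/1 Warning Configuration AX_ENOENT 20321 Could
not get version numbers from CCM DB. Assuming out-of-sync. Purging CCMDB
for reconfiguration.
10/26/2005 11:17:58 name/dns/1 Warning Configuration 0 20584 Zone Blob
missing 'SOA TTL' for zone "127.in-addr.arpa", assuming default TTL
value of 86400.
10/26/2005 11:17:58 dns_startup Info Server 0 02172 server start completed.
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE)
    for e in at_least(entries, "Warning"):
        print(e.time, e.msgid, e.code, e.text[:60])
    print(summarize(entries))
```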

Common Problems


Common Problems With Data

Inconsistent, missing or bad data.
SOA Records - various timers have been set (far) too low.
Glue (A) - unnecessary glue (A) records in their zone files.
MX Records - nameserver managers enter MX records in their zone files that point to external hosts, without first asking or even informing the systems managers of those external hosts.
Name Extension Surprise - caused by forgetting to terminate a name with a dot: names in zone files that don't end with a dot are always expanded with the name of the current zone (the domain that the zone file stands for or the last $ORIGIN).
Incorrect Hostname - Hostnames should strictly conform to the syntax given in STD 13, RFC.

Problems With Data (Cont.)

Old BIND versions - ("native" 4.8.3 and older versions) showed the problem that wrong glue records could enter secondary servers in a zone transfer.
Mismatched PTR and A Records - Make sure your PTR and A records match.
Serial Numbers - don't forget to change the serial number when the data changes.

Immediate Troubleshooting Actions

When facing a problem, it is crucial not to cause further harm while isolating and fixing the initial problem.
Things to do (or avoid doing) in particular:
Have 512 MB or more of memory and 2.5 GB or more of a data partition.
Do not reboot a cable modem termination system (CMTS).
Enable DHCP failover.
Do not reload, restart, or disrupt Network Registrar with failover resynchronization in progress.

Using nslookup and dig to Troubleshoot DNS

Using DIG to Troubleshoot DNS

Domain Information Groper (dig) is a flexible command line tool which can be used to gather information from Domain Name System servers.
dig has two modes:
Simple interactive mode, which makes a single query
Batch mode, which executes a query for each entry in a list of several query lines
All query options are accessible from the command line.

Using Nslookup to Troubleshoot DNS

Nslookup:
Available on most OS's
To follow the resolution trail
Used in course labs
A simple resolver that sends queries to Internet nameservers

Nslookup Facts to Troubleshoot DNS

Use only fully qualified names with a trailing dot to ensure that the lookup is the intended one.
Begins with a reverse query for the nameserver itself, which may fail if the server cannot resolve this due to its configuration.
Use the server command, or specify the server on the command line, to ensure that you query the proper server.
Use the debug, or better yet the d2, flag to dump the responses and (with d2) the queries being sent.

Exercise - Troubleshooting CNR DNS

Exercise - Troubleshooting with dig and Nslookup

Review and Q&A


DHCP Protocol Review


Section Objectives

Explain the major advantages and limitations of the DHCP protocol
Identify the messages exchanged between the DHCP client and server in the process of DHCP address leasing
Explain the DHCP client states as it acquires and maintains its lease
Explain the factors to consider when determining DHCP lease time

The DHCP Protocol


Requirements for Operation on the IP Network

The host must have the following:
IP Address and Subnet Mask
Gateway (router)
DNS server(s)
Host name
Domain name
Others

Dynamic Host Configuration Protocol Definitions

Client - Host using a protocol to get parameters
Server - Host that returns parameters to clients
Relay Agent - Host or router that passes messages between clients and servers
Lease - Period over which a network address is allocated to a client
Option - Tagged parameter defined by a number which identifies the parameter purpose

What are the Methods to Configure the Device?


Manual Configuration
Automatic Configuration
RARP (Reverse Address Resolution Protocol)
BOOTP (Bootstrap Protocol)
DHCP (Dynamic Host Configuration Protocol)


Manual Configuration

For every device on the network the administrator must do the following:
Choose a legal IP address.
Assign the IP address to the individual workstation.
Define workstation configuration parameters.
Update the DNS database, mapping the workstation name to the IP address.

These activities are time consuming and error prone.

Reverse Address Resolution Protocol (RARP)

Client/Server protocol
Central server has ASCII RARP table
MAC address/IP address pair
Only sends IP address
No other parameter information

Bootstrap Protocol (BOOTP)


Client/Server
IP Address
Default Gateway
Name and address of server holding boot file
Additional configuration in boot file


What is Dynamic Host Configuration Protocol (DHCP)?

Internet standard protocol that allows IP addresses to be pooled and assigned as needed to clients.
Available with many operating systems and automatically issues IP addresses within a specified range to devices on a network.
The device retains the assigned address for a specific lease period.
Computers that receive their configuration this way are said to have a dynamic IP.
It allows the addresses to be re-used when no longer needed.

DHCP: Benefits and Drawbacks

DHCP's benefits
Ease of administration
Efficient allocation of IP address space
Automatic configuration
Dynamic DNS keeps DNS up to date efficiently

DHCP's drawbacks
Security - no authentication
Routing issues
Not the way to assign permanent IP addresses

CNR is designed to address these drawbacks.

DHCP Protocol Operation

Primary standards that govern DHCP's operation:
RFC 2131 (DHCP)
RFC 2132 (DHCP Options and BOOTP Vendor Extensions)
RFCs 951, 1497 (BOOTP)

IP Address Allocation Methods in DHCP

Manual - DHCP is only a communication mechanism used to convey an administratively assigned IP address
Automatic - The DHCP server is allowed to allocate the IP address, but the address is assigned permanently
Dynamic - The DHCP server allocates IP addresses to clients for a temporary period of time.

What is a Lease?

Lease - the period over which a network address is allocated to a client
Lease times are as long or short as desired.
Many factors to consider
Both server and client keep track of the lease once issued:
Leases are renegotiated
Lease can be terminated by client.
Expired leases are re-allocated.

Factors in setting lease times


Frequency of changes to DHCP options and default
values.
Number of available addresses compared to clients
requesting them.
Number of network interface failures.
Frequency at which computers are added to and
removed from the network.
Frequency of subnet changes by users.


DHCP Packet

Layout (each row is 32 bits wide):
op (operation, 1 byte) | hardware type (1 byte) | hardware length (1 byte) | hops (1 byte)
xid (transaction ID, 4 bytes)
secs (seconds, 2 bytes) | flags (2 bytes)
ciaddr (client IP address, 4 bytes)
yiaddr (your IP address (client), 4 bytes)
siaddr (server IP address, 4 bytes)
giaddr (gateway IP address, 4 bytes)
chaddr (client hardware address, 16 bytes)
sname (server name, 64 bytes)
file (boot file name, 128 bytes)
options (variable size) (was Vendor Extensions in BOOTP)

DHCP Messages

DHCPDISCOVER - Client broadcast to locate available servers.
DHCPOFFER - Server's response to a client's DHCPDISCOVER.
DHCPREQUEST - Client message to servers, either:
Requesting offered parameters
Confirming correctness of a previously allocated address
Extending the lease on a particular network address.

DHCP Messages (Cont.)

DHCPACK - Server to client committing requested parameters for use.
DHCPNAK - Server to client indicating the client's network address is incorrect or the client's lease has expired.
DHCPDECLINE - Client to server indicating the network address is already in use.

DHCP Messages (Cont.)

DHCPRELEASE - Client to server relinquishing network address and canceling remaining lease.
DHCPINFORM - Client to server, asking only for local configuration parameters; client already has an externally configured network address.
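The packet layout and the message type list above, as a parser run over a constructed DHCPOFFER. This is an added example, not course material or CNR code: field sizes follow the slide where given and RFC 2131 otherwise, and the addresses, MAC address and transaction ID are constructed sample values.

```python
"""Parser for the DHCP/BOOTP packet layout and message types on the slides above.
Added example, not course material or CNR code: it packs a constructed DHCPOFFER,
then parses the 236-byte fixed header and the options area (magic cookie, then
code/length/value items up to the End option 255), decoding the common options."""
import ipaddress
import struct

# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
FIXED = struct.Struct("!4B I 2H 4s 4s 4s 4s 16s 64s 128s")      # 236 bytes
MAGIC = bytes([99, 130, 83, 99])                                 # start of the options area
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
                 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}
IP_OPTIONS = {1: "subnet_mask", 3: "router", 6: "dns_server", 54: "server_id"}
TIME_OPTIONS = (51, 58, 59)     # lease time, T1 (renewal), T2 (rebinding), in seconds


def ip(text): return ipaddress.IPv4Address(text).packed
def unip(raw): return str(ipaddress.IPv4Address(raw))
def tlv(code, value): return bytes([code, len(value)]) + value


def parse_options(data: bytes) -> dict:
    """Walk code/length/value items; Pad (0) has no length byte, End (255) stops."""
    if data[:4] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(data):
        code = data[i]
        if code == 255:
            return opts
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("option %d has no length byte" % code)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        opts[code] = value
        i += 2 + length
    raise ValueError("options area has no End option")


def decode_option(code: int, value: bytes):
    if code == 53 and len(value) == 1:
        return MESSAGE_TYPES.get(value[0], "unknown(%d)" % value[0])
    if code in IP_OPTIONS and value and len(value) % 4 == 0:
        addrs = [unip(value[j:j + 4]) for j in range(0, len(value), 4)]
        return addrs[0] if len(addrs) == 1 else addrs
    if code in TIME_OPTIONS and len(value) == 4:
        return struct.unpack("!I", value)[0]
    return value                     # unknown or malformed: hand back the raw bytes


def parse_packet(pkt: bytes) -> dict:
    if len(pkt) < FIXED.size + 4:
        raise ValueError("packet shorter than the fixed header plus magic cookie")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
     chaddr, sname, file) = FIXED.unpack_from(pkt)
    if not 1 <= hlen <= 16:
        raise ValueError("bad hardware address length %d" % hlen)
    raw = parse_options(pkt[FIXED.size:])
    return {
        "op": {1: "BOOTREQUEST", 2: "BOOTREPLY"}.get(op, op),
        "htype": htype, "hops": hops, "xid": xid, "secs": secs,
        "broadcast": bool(flags & 0x8000),
        "ciaddr": unip(ciaddr), "yiaddr": unip(yiaddr),
        "siaddr": unip(siaddr), "giaddr": unip(giaddr),
        "chaddr": ":".join("%02x" % b for b in chaddr[:hlen]),
        "sname": sname.split(b"\0", 1)[0].decode(errors="replace"),
        "file": file.split(b"\0", 1)[0].decode(errors="replace"),
        "message_type": decode_option(53, raw[53]) if 53 in raw else None,
        "options": {c: decode_option(c, v) for c, v in raw.items()},
    }


def build_sample_offer() -> bytes:
    """Constructed DHCPOFFER: server 192.168.1.5 offers 192.168.1.10 for one day
    to MAC 00:11:22:33:44:55, with the broadcast flag set."""
    fixed = FIXED.pack(2, 1, 6, 0, 0x3903F326, 0, 0x8000,
                       ip("0.0.0.0"), ip("192.168.1.10"), ip("192.168.1.5"), ip("0.0.0.0"),
                       bytes.fromhex("001122334455").ljust(16, b"\0"), b"", b"")
    options = (MAGIC + tlv(53, bytes([2])) + tlv(1, ip("255.255.255.0"))
               + tlv(3, ip("192.168.1.1")) + tlv(51, struct.pack("!I", 86400))
               + tlv(54, ip("192.168.1.5")) + b"\0" + b"\xff")     # one Pad, then End
    return fixed + options
```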

How Does a Client Acquire a Lease Using DHCP?

(Diagram: Client and DHCP Servers exchanging the numbered messages)
1 DHCPDISCOVER
2 DHCPOFFER
3 DHCPREQUEST
4 DHCPACK or DHCPNAK
5 DHCPDECLINE or DHCPRELEASE

Renewing the Lease

(Diagram: Client and DHCP Servers)
1 DHCPREQUEST (Renewal)
2 DHCPACK (Normal response)
3 DHCPREQUEST (Rebind if no normal response)
4 DHCPACK (From other server)

What Happens When I Reboot?

(Diagram: Client and DHCP Servers)
1 DHCPREQUEST (On reboot, if capable of storing IP address between reboots)
2 DHCPACK (If no change)

What Happens When I Move My Laptop?

(Diagram: Client moved from Subnet 1 to Subnet 2, DHCP Servers)
1 DHCPREQUEST (Broadcast)
2 DHCPNAK
3 DHCPDISCOVER
4 DHCPOFFER

DHCP Client States During Lease

BOUND State - Valid lease, normal condition
RENEWING State - Unicast requests starting at 50% of lease time or renewal time T1.
REBINDING State - Broadcast sent at 87.5% of lease time or rebinding time T2, after an unanswered Request in the RENEWING state.

(Timeline: Bound -> T1 -> Renewing -> T2 -> Rebinding -> Lease Expiration Time)

DHCP Finite State Machine

Init: Send DHCPDISCOVER -> Selecting
Init-Reboot: Send DHCPREQUEST -> Rebooting
Selecting: Receive DHCPOFFER; Select Offer; Send DHCPREQUEST -> Requesting
Requesting: Receive DHCPACK; IP Address Is Free; Start Lease, Set Timers -> Bound
Requesting: Receive DHCPACK; IP Address Is Taken; Send DHCPDECLINE -> Init
Requesting: Receive DHCPNAK -> Init
Rebooting: Receive DHCPACK; IP Address Is Free; Start Lease, Set Timers -> Bound
Rebooting: Receive DHCPACK; IP Address Is Taken; Send DHCPDECLINE -> Init
Rebooting: Receive DHCPNAK -> Init
Bound: T1 Expires; Send DHCPREQUEST To Current Lease Server -> Renewing
Bound: Terminate Lease; Send DHCPRELEASE -> Init
Renewing: Receive DHCPACK; Restart Lease and Timers -> Bound
Renewing: Receive DHCPNAK -> Init
Renewing: T2 Expires; Broadcast DHCPREQUEST -> Rebinding
Rebinding: Receive DHCPACK; Start New Lease and Set Timers -> Bound
Rebinding: Receive DHCPNAK -> Init
Rebinding: Lease Expiration -> Init

(Process labels on the diagram: Allocation Process for Init through Bound, Reallocation Process for Init-Reboot through Bound, Rebinding Process for Renewing and Rebinding)
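The client states, T1/T2 timers and state machine from the last two slides as a small table-driven model. This is an added example, not course material: the transition table is the slide's diagram (with DHCPACK spelled out), T1 and T2 default to the 50% and 87.5% stated on the slide, and the lease length and step size used in the walk are constructed values.

```python
"""DHCP client state machine and lease timers from the two slides above.
Added example, not course material: the transition table is the client state
machine as drawn on the slide; T1 and T2 default to 50% and 87.5% of the lease
time as stated there, unless explicit values (server options 58/59) are given."""

INIT, INIT_REBOOT, SELECTING, REQUESTING, REBOOTING, BOUND, RENEWING, REBINDING = (
    "INIT", "INIT-REBOOT", "SELECTING", "REQUESTING", "REBOOTING",
    "BOUND", "RENEWING", "REBINDING")

# (state, event) -> (next state, action the client performs on the way)
TRANSITIONS = {
    (INIT, "start"): (SELECTING, "send DHCPDISCOVER"),
    (INIT_REBOOT, "start"): (REBOOTING, "send DHCPREQUEST"),
    (SELECTING, "offer"): (REQUESTING, "select offer; send DHCPREQUEST"),
    (REQUESTING, "ack"): (BOUND, "start lease, set timers"),
    (REQUESTING, "ack_taken"): (INIT, "send DHCPDECLINE"),
    (REQUESTING, "nak"): (INIT, None),
    (REBOOTING, "ack"): (BOUND, "start lease, set timers"),
    (REBOOTING, "ack_taken"): (INIT, "send DHCPDECLINE"),
    (REBOOTING, "nak"): (INIT, None),
    (BOUND, "t1"): (RENEWING, "unicast DHCPREQUEST to current lease server"),
    (BOUND, "release"): (INIT, "send DHCPRELEASE"),
    (RENEWING, "ack"): (BOUND, "restart lease and timers"),
    (RENEWING, "nak"): (INIT, None),
    (RENEWING, "t2"): (REBINDING, "broadcast DHCPREQUEST"),
    (REBINDING, "ack"): (BOUND, "start new lease and set timers"),
    (REBINDING, "nak"): (INIT, None),
    (REBINDING, "expire"): (INIT, "lease expired; stop using the address"),
}


def lease_timers(lease, t1=None, t2=None):
    """Return (T1, T2, expiry) in seconds from lease start; defaults per the slide."""
    t1 = lease // 2 if t1 is None else t1
    t2 = int(lease * 0.875) if t2 is None else t2
    if not 0 < t1 < t2 < lease:
        raise ValueError("need 0 < T1 < T2 < lease, got %s %s %s" % (t1, t2, lease))
    return t1, t2, lease


def timer_event(elapsed, lease):
    """Which timer has fired for a client that no server has answered since lease start."""
    t1, t2, end = lease_timers(lease)
    if elapsed >= end:
        return "expire"
    if elapsed >= t2:
        return "t2"
    if elapsed >= t1:
        return "t1"
    return None


class DhcpClient:
    def __init__(self, state=INIT):
        self.state = state
        self.log = []            # (from_state, event, to_state, action)

    def handle(self, event):
        """Apply one event; an event the current state does not accept is an error."""
        try:
            nxt, action = TRANSITIONS[(self.state, event)]
        except KeyError:
            raise ValueError("no transition from %s on %s" % (self.state, event)) from None
        self.log.append((self.state, event, nxt, action))
        self.state = nxt
        return nxt

    def run(self, events):
        return [self.handle(e) for e in events]


def walk_unanswered_lease(lease, step):
    """Drive a BOUND client through T1, T2 and expiry with no server answering;
    returns the final state and the timer events that fired, in order."""
    client, fired = DhcpClient(BOUND), []
    for elapsed in range(0, lease + step, step):
        ev = timer_event(elapsed, lease)
        if ev and (not fired or fired[-1] != ev):
            fired.append(ev)
            client.handle(ev)
    return client.state, fired
```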

What If the DHCP Server Is On a Different Subnet?

(Diagram: a Client on one subnet, a BOOTP relay agent, and the DHCP Servers on another subnet; the numbered message flow 1 to 8a/8b is shown only graphically on the slide.)

DHCP Myths & Realities

1. Myth 1: Server has total control over what IP address a client has.
It's actually the client that chooses the lease
2. Myth 2: DHCP means that IP addresses of network devices must vary over time.
As long as the server is available, the client will renew the lease and maintain the address
Can use reserved leases to ensure address allocation to the same user

VPNs and Subnets


The Role of VPNs and Subnet Allocations

CNR's DHCP server can be configured to support virtual private networks (VPNs) and subnet allocation for on-demand address pools.
Subnet allocation is a way of offering entire subnets (ranges of addresses) to relay agents so that remote access devices can provision IP addresses to DHCP client hosts.

The Role of VPNs and Subnet Allocations (Cont.)

Subnet allocation vastly improves:
IP address provisioning
Aggregation
Characterization
Distribution
by relying on the DHCP infrastructure to dynamically manage subnets.

Note: Subnet allocation through DHCP is currently only supported by Cisco IOS, the newest versions of which incorporate the on-demand address pools feature.


VPN Support

[Diagram: two DHCP servers (DHCP Server 1, DHCP Server 2), a Blue VPN and a Red VPN. Addresses shown: 172.27.181.1, 172.27.181.73, 172.27.180.231; the prefix 192.168.1.0/24 appears twice.]

On-Demand Pools & Subnet Allocation

Conventionally, DHCP allocates addresses one at a time. Subnet allocation is a proposed extension to the RFC standard.
With On-Demand Pools, CNR can allocate a group of addresses at one time. The group is called an Address-Block.
Network Access Servers may request groups of addresses from CNR, then allocate them to clients.
VPN-aware routers may request groups of addresses, then allocate them to clients in a VPN.
Address-blocks must be identified by namespace.


DHCP Review

Advantages:
Ease of administration
User friendly
Adds convenient access
DHCP is tailored to the client
Dynamic DNS keeps DNS up to date

Disadvantages:
Difficult to track
Security: no authentication

CNR addresses these disadvantages.



Review Questions and Answers


Configuring DHCP


Section Objectives

Define: cluster, policy, scope.
Configure DHCP policies.
Configure DHCP scopes.
Identify four limitations of the DHCP protocol.


Key Terms


Key CNR DHCP Definitions

CLUSTER - Physical host machine running Network Registrar.
POLICY - A group of DHCP attributes applied to a single client, scope, or group of scopes.
SCOPE - Administrative grouping of TCP/IP addresses. Leases are managed within a scope.
LEASE - Agreement by a DHCP server to temporarily assign an IP address to a specific client. The client owns the lease for its lifetime.


Configuring a Policy


CNR Configuration Order

Policies - Collection of common options for groups of clients
Scopes - Address space divided up by subnets and ranges
Reservations - Addresses or leases reserved for specific clients, usually identified by their MAC address
Server - Global DHCP server configuration


Why Policies First?

All Scopes require some Policy.
Doing Policies first prevents having to revisit a Scope to add a Policy after it has been defined.
Create a hierarchy of policies according to needs.


Policy Types

Embedded Policy - Embedded in the definition of a Scope.
Named Policy - Explicitly defined objects that can be attached to a Scope. There will usually be a policy called "default" which will be automatically assigned to a scope.
System-Default-Policy - Options defined here are applied to all objects that do not have the option defined in a more specific policy.


Policy Search Order


1. Embedded
2. Named
3. System-default-policy


Adding a Named Policy From the Web UI


From the Web UI Main Menu, click DHCP, and then Policies to
open the List DHCP Policies page:


Adding a Named Policy From the Web UI (Cont.)


Adding a Named Policy From the Web UI (Cont.)


Configuring a Scope


What is a Scope?

SCOPE - Administrative grouping of TCP/IP addresses. Leases are managed within a scope.


Facts About Scopes

Creating scopes is a local cluster function.
Each scope needs to have the following:
Name
Policy that defines the lease times, grace period, and options.
Network address and subnet mask.
Range or ranges of addresses.


Adding a DHCP Scope


From the Web UI Main Menu, click DHCP, and then
Scopes to open the List/Add DHCP Scopes page:


Adding a DHCP Scope (Cont.)


Adding an Embedded Policy


To create the Embedded Policy click the Create New
Embedded Policy button:


Adding an Embedded Policy (Cont.)


Understanding Staged vs Synchronous

Staged - Changes to scopes are written to the CCM database, but are not propagated to the DHCP server until the server is reloaded.
Synchronous - Changes to scopes are active in the DHCP server immediately after the records are written to the CCM database.


How to Set DHCP for Staged or Synchronous Mode

Click Main Menu to open this page to change the mode:


Scope Templates


Scope Templates
Where common scope attributes are pre-defined so
new scopes are easily created.
Common scope attributes:
Name based on expression
Policies
Address ranges
Embedded policy options based on an expression


Creating a Scope Template


Click DHCP and then Scope Templates to open the
List DHCP Scope Templates page:


Creating a Scope Template (Cont.)


Scope Template Expressions


Expressions Section from the Add DHCP Scope
Template page:


Scope Template Expressions (Cont.)

Expressions follow a syntax much like LISP:
(function argument-0 ... argument-n)

Defined as a functional language, emphasizing definition and evaluation of functions.

Expressions consist of the following:
Functions
Variables
Literals


Understanding Scope Template Expressions

Scope expression example using simple addition:

Addition        Functional Language
3+1             (+ 3 1)
3+1+4           (+ (+ 3 1) 4)
3+1+4+10        (+ (+ (+ 3 1) 4) 10)
3*4+1           (+ (* 3 4) 1)
3*(4+1)         (* 3 (+ 4 1))


Understanding Scope Template Expressions (Cont.)

Scope name based on the subnet number and the string "cm-scope-":

(concat "cm-scope-" subnet-addr)

With subnet-addr evaluating to 192.168.1.0:

(concat "cm-scope-" "192.168.1.0") => cm-scope-192.168.1.0


Using Scope Templates


From the Local Cluster click DHCP and then Scopes
to open the List/Add DHCP Scopes page:


Modifying Scope Templates


From the Local Cluster click DHCP and then Scopes
to open the List/Add DHCP Scopes page:


Modifying Scope Templates (Cont.)


Bottom section of the Edit DHCP Scopes page:


Understanding Scope/Address Selection


How does CNR select IP addresses?

[Flowchart; recoverable steps]
1. The client sends DHCPDISCOVER.
2. The server finds the network based on giaddr.
3. The server chooses a scope via round robin.
4. The server selects an IP address.
5. The server builds a DHCPOFFER packet with the selected IP address and sends DHCPOFFER.
6. The client sends DHCPREQUEST; the server replies with DHCPACK.

How does CNR Select Options?

Options are selected from policies in the following order:
Scope Embedded Policy
Scope Named Policy
System-Default-Policy

Once an option is selected, it is NOT modified by a lower-priority policy setting.
CNR then returns the selected options in its reply packet.


Configuring a Reservation


What is a Reservation?

Some clients need a fixed IP address for various reasons:
Printers
Servers
Static BOOTP clients
Clients without a dynamically configurable IP address
Factory floor devices on a switch port, regardless of MAC

You can use reservations for these clients.


Configuring Reservations
From the Web UI Main Menu, click DHCP, and then Scopes to
open the List/Add DHCP page, then click the Scope Name to
edit:


Problems that can be Encountered With Reserved Addresses

[Diagram: a client with MAC 00:01:02:03:04:05 and two DHCP servers, with numbered message arrows 1-5. One server carries the reservation "Reserve 10.2.3.4 for 00:01:02:03:04:05"; the client received 10.2.3.6, not the reserved address!]

Problem: What happens if one DHCP server has reserved addresses and another does not?

Solution: Configure all DHCP servers with the identical list of reserved addresses.

Viewing and Managing Leases


Lease Status

Available - Can be given to a DHCP client.
Unavailable - Can't be given to a DHCP client.
Leased - IP address currently being used by a client.
Offered - Lease has been offered to the client.
Expired - Lease is expired.
Deactivated - Administratively made unavailable.
Pending available - Failover-related.


Why View a Lease?

To find out whether or not a lease has been offered and/or leased to a client by your server:
If a lease has been offered, but not accepted, you would see a full MAC address in the MAC Address field, but the state would be listed as available.
If a lease has been offered and accepted, then the state would be seen as leased.


Viewing Lease List Information from the Web UI


From the Web UI Main Menu, click DHCP, and then
Scopes to open the List/Add DHCP Scopes page:


Viewing Lease List Information from the Web UI (Cont.)

From the List DHCP Leases for Scope page, click the Address link to open the Manage DHCP Lease page:


Managing a DHCP Lease


Configure DHCP for DDNS


Using Dynamic DNS

Allows administrators to always have a live record of what user is assigned to what IP address.
By utilizing Dynamic DNS, the host name will always be unique and will identify the system which is using a particular IP address at any given time.


Configuring DHCP for DNS Update


From the Web UI click DHCP and then DNS to open
the List DNS Update Configuration page


Configuring DHCP for DNS Update (Cont.)


Configuring DHCP for DNS Update (Cont.)


Next, from the Web UI click DHCP, and then
Policies to open the List DHCP Policies page:


Configuring DHCP for DNS Update (Cont.)


Editing Global DNS Update Settings

From the Web UI click DHCP, then DHCP Servers to open the Manage DHCP Server page, then click the DHCP Server name:


Editing Global DNS Update Settings (Cont.)


Click to expand DNS Update to view the Attributes:


Controlling the DHCP Server


DHCP Server Management


From the Web UI click DHCP and then DHCP
Servers to open the Manage DHCP Server page:


Exercise



Review and Q & A


Review Questions and Answers



Configuring Client Class and Clients


Section Objectives

Explain the function and purpose of the client class feature.
Define clients, client classes, scope selection tags, inclusion and exclusion criteria and the default client.
List the steps in the configuration of class of service.
Identify the levels of the policy hierarchy.


Section Objectives (Cont.)

Explain the factors that affect scope, policy, and options selection and how they relate to client class.
Configure clients and client classes.
Configure the DHCP server to use client class to distinguish between different client types.
Understand features using expressions and the relay agent DHCP option 82.


What is Class of Service?


What is Class of Service?

Class of Service (COS) - Mechanism to provide differentiated services to users on a common network.


Examples of Class of Service

Address leases - How long a set of clients should keep its addresses.
IP address ranges - From which lease pool to assign clients' addresses.
DNS server addresses - Where clients should direct their DNS queries.
DNS hostnames - What name to assign clients.
Denial of service - Whether unauthorized clients should be offered leases.


Key Terms for CNR Class of Service

Client - Specific DHCP clients and the defined class they belong to.
Client class - Defines a class that represents a group of clients.
Scope selection tags - Text strings that are used to mark a scope for use by a given class of service.
Selection-criteria - Tags assigned to clients to include scopes with the same scope selection tag in the scope selection process.
Selection-criteria-excluded - Tags assigned to clients to exclude scopes with the same scope selection tag from the scope selection process.




What Does Client-Class Processing Do?


What Does Client-Class-Processing Do?

Adds a database lookup to the leasing process, against the CNR internal database or LDAP.
The database contains attributes of clients.
A client is defined as a known lookup key in the database.


Database Lookup

Client datastore:
Internal CNR Database
External LDAP Database

Lookup-key:
Normally the MAC address, e.g. 1,6,aa:bb:cc:dd:ee:ff
Validate-client-name-as-mac: disabled by default; if enabled and set to false, any name can be used as the key.


Client Properties
Name - lookup key (usually MAC address).
Selection-criteria (selection tag).
Selection-criteria-excluded (exclusion tag).
Name of named-policy.
Embedded-policy.
Client-class-name - often the only attribute that is
defined in the client database entry.
Others (e.g. hostname, domain, etc.).


Client-Class Properties

Name - usually a meaningful name associated with a group of clients.
Selection-criteria (selection tag).
Selection-criteria-excluded (exclusion tag).
Name of named-policy.
Embedded-policy.
Others (e.g. hostname, domain, etc.).


Client-Class Processing Modifies the Scope/Address Selection Process

1. Selection tag(s) are assigned to each scope.
2. Selection criteria are assigned to each client or client class.
3. Database lookup on the MAC address to determine inclusion and exclusion criteria.
4. giaddr is used to find valid scopes based on network topology.
5. Scopes are searched to match the client's selection criteria (tags).
6. IP address is assigned from the selected scope(s).
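The six steps above as an added Python model, not CNR code: the Scope and Client records, the sample scopes and the client database are constructed, and the matching rule (a scope qualifies when it carries every tag in the client's selection-criteria and none in its selection-criteria-excluded) is an assumption about how the tags are applied. It also shows what happens when no "default" client is defined: an unknown device falls back to plain round robin over every scope on its network.

```python
"""Toy model of CNR scope selection when client-class processing is enabled.

Added example, not CNR code.  The Scope/Client records, the sample scopes and
the client database are constructed; the matching rule (a scope qualifies when
it carries every tag in selection-criteria and none in
selection-criteria-excluded) is an assumption about how the tags are applied.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Scope:
    name: str
    network: ipaddress.IPv4Network              # network address and subnet mask
    selection_tags: frozenset = frozenset()     # tags marking the scope for a class of service


@dataclass(frozen=True)
class Client:
    key: str                                                # lookup key, normally the MAC address
    selection_criteria: frozenset = frozenset()             # include scopes carrying these tags
    selection_criteria_excluded: frozenset = frozenset()    # exclude scopes carrying these tags


def scopes_for_giaddr(scopes, giaddr):
    """Step 4: giaddr locates the network the relayed request came from."""
    relay = ipaddress.IPv4Address(giaddr)
    return [s for s in scopes if relay in s.network]


def scopes_matching_client(candidates, client):
    """Step 5: keep only the scopes whose tags satisfy the client's criteria."""
    return [s for s in candidates
            if client.selection_criteria <= s.selection_tags
            and not (client.selection_criteria_excluded & s.selection_tags)]


def lookup_client(client_db, mac):
    """Step 3: database lookup on the MAC address, falling back to the special
    client named 'default' when the MAC is not in the database."""
    return client_db.get(mac) or client_db.get("default")


class RoundRobin:
    """Round-robin chooser; keeps a separate cursor per distinct candidate list."""

    def __init__(self):
        self._next = {}

    def pick(self, candidates):
        key = tuple(s.name for s in candidates)
        n = self._next.get(key, 0)
        self._next[key] = n + 1
        return candidates[n % len(candidates)]


def select_scope(scopes, client_db, rr, giaddr, mac):
    """Name of the scope chosen for a DHCPDISCOVER relayed from giaddr by the
    client with hardware address mac, or None when no offer would be made."""
    candidates = scopes_for_giaddr(scopes, giaddr)
    if not candidates:
        return None                          # no scope covers this network
    client = lookup_client(client_db, mac)
    if client is not None:
        candidates = scopes_matching_client(candidates, client)
        if not candidates:
            return None                      # criteria matched no scope: no offer
    # Known client: round robin over the scopes that passed its criteria.
    # No client entry and no 'default': every scope on the network is eligible,
    # so the device can land in any class-of-service pool.
    return rr.pick(candidates).name


# Constructed sample configuration.
SAMPLE_SCOPES = [
    Scope("voip-scope", ipaddress.IPv4Network("10.1.0.0/24"), frozenset({"voip"})),
    Scope("pc-scope", ipaddress.IPv4Network("10.1.0.0/24"), frozenset({"pc"})),
    Scope("guest-scope", ipaddress.IPv4Network("10.1.0.0/24"), frozenset({"guest"})),
    Scope("branch-pc", ipaddress.IPv4Network("10.2.0.0/24"), frozenset({"pc"})),
]
SAMPLE_CLIENT_DB = {
    # a known IP phone: only scopes tagged "voip" qualify
    "1,6,aa:bb:cc:dd:ee:01": Client("1,6,aa:bb:cc:dd:ee:01", frozenset({"voip"})),
    # everyone else: any scope on the network except the voip one
    "default": Client("default", selection_criteria_excluded=frozenset({"voip"})),
}
```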

Client Class Flow

[Flowchart; recoverable steps]
1. The client sends DHCPDISCOVER.
2. The server finds the network based on giaddr.
3. The server checks the DB of known clients.
4. If the client is found, choose a scope based on its selection criteria; if not, choose a scope via round robin.
5. Select an IP address and send DHCPOFFER.
6. The client sends DHCPREQUEST; the server replies with DHCPACK.

Client-Class Processing Modifies the Option Selection Process

1. Policies are assigned to each client and/or client class.
2. Database lookup on the MAC address retrieves the policy for the client and/or client class.
3. The policy hierarchy is used to choose the DHCP options and attributes to be assigned to the client.


Policy Search Order


1. Client embedded-policy
2. Client named-policy
3. Client-class embedded-policy
4. Client class named-policy
5. Scope embedded-policy
6. Scope named-policy
7. System-default-policy
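The seven-level search order above, and the three-level order given earlier for a server without client-class processing, as an added Python model that is not CNR code; the option names and values are constructed sample data.

```python
"""Toy model of how DHCP options are chosen through CNR's policy hierarchy.

Added example, not CNR code.  SEARCH_ORDER is the seven-level search order
from the slides; the policies and option values below are constructed sample
data, not a real configuration.
"""

# Most specific first.  With client-class processing disabled only the last
# three levels take part, which is the three-level order given earlier.
SEARCH_ORDER = (
    "client-embedded",
    "client-named",
    "client-class-embedded",
    "client-class-named",
    "scope-embedded",
    "scope-named",
    "system-default",
)


def select_options(policies):
    """Walk the hierarchy from most to least specific.

    policies maps a level name to {option: value}; levels that do not apply
    to this client are simply absent.  Once an option has been selected it is
    never modified by a lower-priority policy.  Returns
    (selected_options, level_that_supplied_each_option).
    """
    selected, source = {}, {}
    for level in SEARCH_ORDER:
        for option, value in (policies.get(level) or {}).items():
            if option not in selected:
                selected[option] = value
                source[option] = level
    return selected, source


# Constructed sample policies: the system-default-policy carries the catch-all
# values, the scope's named policy the subnet specifics, and the VoIP
# client-class's embedded policy the class-of-service overrides.
SAMPLE_POLICIES = {
    "system-default": {
        "dhcp-lease-time": 7 * 24 * 3600,
        "domain-name-servers": ["10.0.0.53", "10.0.1.53"],
        "domain-name": "example.test",
    },
    "scope-named": {
        "routers": ["10.1.0.1"],
        "dhcp-lease-time": 24 * 3600,
        "subnet-mask": "255.255.255.0",
    },
    "client-class-embedded": {
        "dhcp-lease-time": 3600,
        "domain-name-servers": ["10.0.9.53"],      # phones use their own resolver
        "tftp-server-name": "tftp.voip.example.test",
    },
}


def reply_options(policies, client_class_processing=True):
    """Options CNR would return in its reply packet for these policies.

    With client-class processing disabled the client and client-class levels
    do not take part, so only the scope and system-default policies are
    consulted.
    """
    if not client_class_processing:
        policies = {lvl: p for lvl, p in policies.items()
                    if lvl.startswith("scope") or lvl == "system-default"}
    return select_options(policies)


if __name__ == "__main__":
    for enabled in (True, False):
        opts, src = reply_options(SAMPLE_POLICIES, enabled)
        print("client-class processing", "on" if enabled else "off")
        for name in sorted(opts):
            print("  %-22s %-32s from %s" % (name, opts[name], src[name]))
```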


Client-Class Processing Enabled: Modified Option Selection

[Flowchart; recoverable steps and decisions]
1. Scope selected based on giaddr and client class, scope selection tag or none.
2. Does the client or a default client exist? Yes:
   Is there a policy associated with the client? Yes: build the DHCPOFFER with options from this policy.
   Is there an associated client class? Yes: is there a policy associated with the client class? Yes: send options from this policy in the DHCPOFFER; do not override options already sent for the client.
3. Are any options left undefined? Yes: send options in the DHCPOFFER from the scope policy that were not previously defined in the client or client class (the diagram also asks here whether there is a scope selection tag).
4. Check System_Default_Policy for remaining options.

The Policy/Option Selection Hierarchy


Look up an arbitrary key in a
database
Create arbitrary classifications
Classify using the selected scope
Classify using a catch-all


Hierarchical Grouping
Items in the center groups have higher
precedence than those in the outer groups.
The By Lookup group has the highest.
The Default group has the lowest.


Mapping the General Concepts to Concrete CNR Configuration Objects


Configuring Client Class


Configuring Client-Class Processing


Enable client class processing on DHCP server
Create and configure client classes
Modify scopes to include selection tags
Assign clients to client classes and individually
configure if needed
Create and configure the default client


Enable Client-Class Processing


From the Web UI click DHCP then DHCP Servers to open the Manage
DHCP Server page to see a list of the DHCP Servers.


Enable Client-Class Processing from the Web UI (Cont.)


Adding a Client-Class
From the Web UI click DHCP and then Client Classes to open
the List DHCP Client-Classes page:


Adding a Client-Class (Cont.)


Editing a Client-Class
Click the Client-Class name to edit:


Editing a Client-Class (Cont.)


Configuring a Client
From the Web UI click DHCP and then Clients to
open the List/Add DHCP Clients page:


Configuring a Client (No Client Class Selected)


Edit Client Embedded Policy


What is the Default Client?

Special client entry to match the MAC addresses that are not specifically defined in the database.
Uses the special name "default" as its name.
Note: the name is case sensitive and must be lower case.


Add a Default Client


From the Web UI click DHCP and then Client to open the
List/Add DHCP Client-Classes page:


Add a Default Client (Cont)


Other Features of Client Class


DHCP Expressions

Can be used to assign a client class without a client entry lookup.
Enabled by defining the DHCP server property client-class-lookup-id (i.e. putting the expression in the box).
Client class processing need not be enabled, which is a significant performance saving.
Expressions are calculated rather than executed:
Read-only: can't modify a packet.
Run in protected memory, which prevents crashes.

Expression Examples

Similar to LISP: lots of parentheses, and everything is a function.
(request option 82 remote-id) - returns the remote-id, or null if no option 82 is present (null is bad).
(try (request option 82 remote-id) "no option 82") - returns the remote-id, or the string if no option 82 is present (a much better expression).
Another expression used in the lab:
(if (starts-with (request get chaddr) "01:02:03") "VoIP" "PC")


Setting Client-Class from an Expression

Assign a client-class on-the-fly:
The result of the expression defines client-class-lookup-id.
No need to set up client lookup or enable client-class processing.

Expression:
A series of IF statements that assign the client-class based on the contents of the packet.
Example:
(try
  (or
    (if (equal (request get option "relay-agent-info" "remote-id")
               (request get "chaddr")) "cm-class")
    (if (equal (substring (request get option "vendor-class-id") 1 6)
               "docsis") "docsis-cm-class")
  )
  null)
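A toy evaluator for the expression syntax, added here and not part of CNR or the slides, serving both the scope-template examples earlier ((+ 3 1), (concat "cm-scope-" subnet-addr)) and the client-class lookup expressions above. The builtin set, the request-packet dictionary layout, the option-number aliases (82, 60), the 1-based substring start and the rule that try falls back on a null result as well as on an error are assumptions chosen so that the slides' own expressions evaluate the way the slides say they do.

```python
"""Toy evaluator for the LISP-like expression syntax CNR uses in scope templates
and in client-class-lookup-id.  Added example, not CNR code: the builtin set, the
request-packet dictionary layout, the option-number aliases and the 1-based
substring start are assumptions chosen so the slides' expressions evaluate as the
slides say they do.  The sample packets at the bottom are constructed, not captured."""
import math
import re

TOKEN = re.compile(r'\s*(\(|\)|"[^"]*"|[^\s()"]+)')
OPTION_NUMBERS = {"82": "relay-agent-info", "60": "vendor-class-id"}

class ExprError(Exception):
    """Syntax error, unknown name, or an operation on a missing (null) value."""

class Symbol(str):
    """Unquoted atom (variable or function name), distinct from a string literal."""

def parse(text):
    """Tokenize and parse one expression into nested Python lists."""
    tokens = [m.group(1) for m in TOKEN.finditer(text)]

    def read():
        if not tokens:
            raise ExprError("unexpected end of expression")
        tok = tokens.pop(0)
        if tok == "(":
            items = []
            while tokens and tokens[0] != ")":
                items.append(read())
            if not tokens:
                raise ExprError("missing )")
            tokens.pop(0)
            return items
        if tok.startswith('"'):
            return tok[1:-1]                          # string literal
        if re.fullmatch(r"-?\d+", tok):
            return int(tok)
        return None if tok == "null" else Symbol(tok)
    return read()

def request_lookup(request, path):
    """(request [get] option NAME|NUMBER [SUBOPTION]) or (request [get] FIELD);
    None when the option or field is absent (the slides' 'null is bad' case)."""
    request = request or {}
    if path and path[0] == "get":
        path = path[1:]
    if path and path[0] == "option":
        value = request.get("options", {}).get(OPTION_NUMBERS.get(path[1], path[1]))
        if len(path) > 2:                             # sub-option, e.g. remote-id of option 82
            value = value.get(path[2]) if isinstance(value, dict) else None
        return value
    return request.get(path[0])

def _substring(s, start, length):
    if s is None:
        raise ExprError("substring of null")
    return s[start - 1:start - 1 + length]           # 1-based: (substring "docsis1.1" 1 6) => "docsis"

BUILTINS = {
    "+": lambda *a: sum(a),
    "*": lambda *a: math.prod(a),
    "concat": lambda *a: "".join(str(x) for x in a),
    "equal": lambda a, b: a == b,
    "starts-with": lambda s, p: s is not None and s.startswith(p),
    "substring": _substring,
}

def evaluate(text, env=None, request=None):
    """env: template variables such as subnet-addr; request: packet for (request ...)."""
    env = env or {}

    def ev(node):
        if isinstance(node, Symbol):
            if node in env:
                return env[node]
            raise ExprError("unknown variable " + node)
        if not isinstance(node, list):
            return node                               # literal: str, int or None
        name, args = str(node[0]), node[1:]
        if name == "if":                              # (if cond then [else]); else defaults to null
            return ev(args[1]) if ev(args[0]) else (ev(args[2]) if len(args) > 2 else None)
        if name == "or":                              # first value that is neither null nor false
            return next((v for v in map(ev, args) if v), None)
        if name == "try":                             # (try expr fallback): fallback on error or null
            try:
                v = ev(args[0])
            except ExprError:
                v = None
            return v if v is not None else ev(args[1])
        if name == "request":
            return request_lookup(request, [str(a) for a in args])
        if name not in BUILTINS:
            raise ExprError("unknown function " + name)
        return BUILTINS[name](*[ev(a) for a in args])
    return ev(parse(text))

CM_REQUEST = {"chaddr": "00:10:95:aa:bb:cc", "options": {
    "relay-agent-info": {"remote-id": "00:10:95:aa:bb:cc"}, "vendor-class-id": "docsis1.1"}}
CPE_REQUEST = {"chaddr": "01:02:03:44:55:66",
               "options": {"relay-agent-info": {"remote-id": "00:10:95:aa:bb:cc"}}}
PLAIN_REQUEST = {"chaddr": "08:00:27:11:22:33", "options": {}}
LOOKUP_EXPR = """(try (or
  (if (equal (request get option "relay-agent-info" "remote-id") (request get "chaddr")) "cm-class")
  (if (equal (substring (request get option "vendor-class-id") 1 6) "docsis") "docsis-cm-class")) null)"""
```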

Expression Lookup

[Flowchart; recoverable decision steps]
1. A DHCPDISCOVER arrives.
2. Is a client-class lookup ID defined?
   Yes: is client class processing enabled?
        No: choose the client class given by the expression.
        Yes: use the client lookup ID as the client key.
   No: is client class processing enabled?
        Yes: use the MAC address as the client key.
3. Was a client entry found for the key?
   Yes: choose the client class from the client entry.
   No: choose the client class from the expression or the default client.

Lease Limitations

Use an expression to define limitation-id in the client-class:
The expression is evaluated from the incoming packet.
Creates a grouping (by limitation ID) of clients whose evaluated expression results in the same answer.

Set limitation-count in the policy:
When limitation-count is set, the count is checked before offering a lease.

Use over-limit-client-class-name in the client-class to catch clients that exceed the limitation count:
The default is simply to drop client requests.
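The limitation check described above as an added Python model, not CNR code: the stand-in for the limitation-id expression is the option-82 remote-id, the request packets are constructed, and the lease store is a plain list.

```python
"""Toy model of CNR lease limitation (limitation-id / limitation-count /
over-limit-client-class-name).

Added example, not CNR code.  The limitation-id here is the option-82
remote-id (the relay-agent port a client sits behind), the request
dictionaries are constructed packets, and the lease store is a plain list.
"""


def limitation_id(request):
    """Stand-in for the limitation-id expression evaluated on the incoming
    packet: all clients reporting the same option-82 remote-id form one group."""
    return (request.get("options", {})
                   .get("relay-agent-info", {})
                   .get("remote-id"))


def check_limit(request, leases, limitation_count, over_limit_class=None):
    """Decide before offering a lease.

    Returns ("offer", lid) when the client may be offered a lease,
    ("over-limit", class_name) when it is re-classified into
    over-limit-client-class-name, or ("drop", lid) when no such class is
    configured (the default: the request is simply dropped).
    """
    lid = limitation_id(request)
    if lid is None or limitation_count is None:
        return ("offer", lid)               # no grouping, or no count in the policy
    # A client renewing its own lease must not count against itself.
    in_use = sum(1 for lease in leases
                 if lease["limitation-id"] == lid
                 and lease["chaddr"] != request["chaddr"])
    if in_use < limitation_count:
        return ("offer", lid)
    if over_limit_class:
        return ("over-limit", over_limit_class)
    return ("drop", lid)


def simulate(requests, limitation_count, over_limit_class=None):
    """Process DISCOVERs in order, recording the lease each offer creates."""
    leases, decisions = [], []
    for req in requests:
        decision = check_limit(req, leases, limitation_count, over_limit_class)
        decisions.append(decision)
        if decision[0] == "offer" and decision[1] is not None:
            # one lease per client per group; a renewal replaces the old record
            leases = [rec for rec in leases if rec["chaddr"] != req["chaddr"]]
            leases.append({"chaddr": req["chaddr"], "limitation-id": decision[1]})
    return decisions


def _req(chaddr, remote_id=None):
    """Build a constructed request packet for the sample run."""
    opts = {"relay-agent-info": {"remote-id": remote_id}} if remote_id else {}
    return {"chaddr": chaddr, "options": opts}


# Constructed sample: three clients behind port-7, one behind port-8, one with
# no option 82 at all, then the first port-7 client renewing.
SAMPLE_REQUESTS = [
    _req("00:11:22:00:00:01", "port-7"),
    _req("00:11:22:00:00:02", "port-7"),
    _req("00:11:22:00:00:03", "port-7"),
    _req("00:11:22:00:00:04", "port-8"),
    _req("00:11:22:00:00:05"),
    _req("00:11:22:00:00:01", "port-7"),
]
```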


Client Class lease limitation settings


Viewing Leases With Limitation IDs


Expression and Limitation IDs: Example Uses

A mechanism to use the Windows 2003 and XP command ipconfig /setclassID to set a client-class or selection tag.
A mechanism to use the information provided by DHCP option 82 to set various variables in CNR:
subscriber-id suboption
radius-attribute suboption
A mechanism to limit the number of clients behind a relay agent using DHCP option 82.
Ability to use expressions to bypass the database lookup.


Exercise Configuring Client Class



Review Q & A


CNR DHCP Extensions


CNR Extensions

Purpose of CNR Extensions:
To affect how Cisco CNS Network Registrar handles and responds to DHCP requests, and to change the behavior of the DHCP server in ways that you cannot normally achieve using the user interfaces.


Difference between Expressions and Extensions

Expressions are commonly used to create client identities or look up clients. Extensions are used to modify request or response packets.
Expressions are self-contained within CNR and can be fully modified within the Web UI or CLI. Extensions are external programs that may require recompiling to make modifications.
Expressions provide limited functionality. Extensions are limited only by the limitations of the language (C++ or TCL) used to write the extension.


Extension Points

What are Extension Points?

Extensions are external programs or scripts that affect how Cisco Network Registrar handles and responds to DHCP requests, and change the behavior of the DHCP server in ways that you cannot normally configure using CNR's user interfaces.

Extension points are points in time during the DHCP transaction. They indicate the point at which extensions are executed.


CNR Extension Points

Extensions are called or executed at a certain point during the DHCP process. These points are called extension points. The ten extension points are (continued on the next slide):
1. init-entry - Extension point that the DHCP server calls when it configures or unconfigures the extension. This occurs when starting, stopping, or reloading the server. This entry point has the same signature as the others for the extension. Dictionaries used: environment only.
2. post-packet-decode - Used to rewrite the input packet. Dictionaries used: request and environment.
3. post-class-lookup - Used to evaluate the result of a client-class-lookup-id operation on the client-class. Dictionaries used: request and environment.
*4. pre-client-lookup - Used to affect the client being looked up, possibly by preventing the lookup or supplying data that overrides the existing data. Dictionaries used: request and environment.
5. post-client-lookup - Used to review the operation of the client-class lookup process, such as examining the internal server data structures filled in from the client-class processing. You can also use it to change any data before the DHCP server does additional processing. Dictionaries used: request and environment.


CNR Extension Points (Cont.)

Extensions are called or executed at a certain point during the DHCP process. These points are called extension points. The ten extension points are (continued):
6. check-lease-acceptable - Used to change the results of the lease acceptability test. Do this only with extreme care. Dictionaries used: request, response, and environment.
7. lease-state-change - Used to determine when the lease state changes. Do this only with extreme care. Dictionaries used: response and environment.
*8. pre-packet-encode - Used to change the data sent back to the DHCP client in the response, or to change the address to which the DHCP response is sent. Dictionaries used: request, response, and environment.
9. pre-dns-add-forward - Used to alter the name used for the DNS forward (A record) request. Dictionaries used: environment only.
10. post-send-packet - Used after sending a packet, for processing that you want to perform outside of the serious time constraints of the DHCP request-response cycle. Dictionaries used: request, response, and environment.


Programming Languages

Extensions can be written in TCL or C/C++.

TCL - Makes it a bit easier and quicker to write an extension. If the extension is short, the interpreted nature of TCL does not have a serious effect on performance. When you write an extension in TCL, you are less likely to introduce a bug that can crash the server.

C/C++ - Provides the maximum possible performance and flexibility, including communicating with external processes. However, the complexity of the C/C++ API is greater, and a bug in the extension crashing the server is more likely than with TCL.


Compiling Dex Extensions

The proper Solaris user environment must be set up prior to compiling Dex extensions:
Use GNU C Compiler version 2.95. Newer versions may appear to compile properly but result in extension failure with an "unable to load library" error message.
The Solaris server compiling the code must have the Developer Solaris installation.


Location of Files

Installation directories:

UNIX:
Tcl: /opt/nwreg2/local/extensions/DHCP/tcl
C or C++: /opt/nwreg2/local/extensions/DHCP/dex

Windows:
Tcl: \program files\Network Registrar\extensions\dhcp\tcl
C or C++: \program files\Network Registrar\extensions\dhcp\dex


Review and Q&A


DHCP Failover


Section Objectives

Identify the purpose, advantages and limitations of DHCP Failover.
Identify, describe and configure the three types of failover configurations.
Understand failover protocol operation and the various transition states of partner servers.
Configure and synchronize failover server pairs.
Configure load-balancing.
Check the status of and troubleshoot failover configurations.
Detect and handle network failures.

CNR Training 6.2

2005 Cisco Systems, Inc. All rights reserved.

463

Introduction to DHCP Failover


The Need for the DHCP Failover Protocol

Diagram: a single DHCP server is a single point of failure. The Main DHCP Server owns the Main Address Pool 172.16.18.101-200; the Backup DHCP Server owns the Backup Address Pool 172.16.18.191-200.


DHCP Redundancy

The generic DHCP specification does not include cooperative redundancy.
Cooperation between DHCP servers has been implemented in CNR under the name Safe Failover.
There is an IETF draft specification that reflects Cisco's implementation.

Requirements for the DHCP Failover Protocol

Requirements and goals:
Compatible with RFC2131 clients.
Client keeps existing address if communicating with either server.
Provide for coordination between servers not located on the same subnet.
Client can get new address from either available server.
No duplicate IP address assignment when one server fails.
Server can recover lost database from other server.

Key Terms for Failover

Main server - the server with responsibility for DHCP service on a network segment; also called primary server in the protocol specification.
Backup server - the server that takes over DHCP service if the main server fails; also called secondary server.
Binding - collection of configuration parameters associated with a DHCP client.
Binding database - the collection of bindings managed by a main and backup DHCP server.

Key Terms for Failover (Cont.)

Subnet address pool - set of IP addresses associated with a network number and subnet mask, including secondary subnets.
Backup pool - range of addresses that the main server assigns to the backup server for use in case of a network communications interruption.
Stable storage - used to hold information concerning IP address bindings so that the information is not lost in the event of a server failure which requires a restart.

Failover Operation


Roles of Servers

MAIN - the server with responsibility for DHCP service on a network segment; also called primary server in the protocol specification.
BACKUP - the server that takes over DHCP service if the main server fails; also called secondary server.

Address Pool Allocation

Need more addresses than needed for one server
Percentage allocated to backup server
Backup pool unavailable to main server
Used by backup server in case of need
Dynamically modified as main pool is used
No standard percentage for all circumstances
Default 10%

Normal (Non-Failure) Operation

Diagram: Client, Main (Address Pool 10.10.10.2-230) and Backup (Backup Pool 231-254). Message sequence:
1. DHCPDISCOVER
2. DHCPOFFER, any address from 2-230
3. DHCPREQUEST
4. DHCPACK, any address from 2-230
5. DHCPBNDUPD (main to backup)
6. DHCPBNDACK (backup to main)

Main Server Failure

Diagram: the Main (Address Pool 10.10.10.2-230) has failed; the Backup (Backup Pool 231-254) is in Communications Interrupted state and polls the main with DHCPPOLL. Message sequence between client and backup:
1. DHCPDISCOVER
2. DHCPOFFER, any address from 231-254
3. DHCPREQUEST
4. DHCPACK

A Potential Problem with Failover

Main server gives a 7 day new lease to a new client.
Main server crashes before updating the backup.
Backup server is placed into Partner Down state, assuming control of the entire address pool.
Backup server unwittingly gives out that same IP address, within the 7 day period of the original lease, to a new/different client.
NOW A DUPLICATE ADDRESS SITUATION EXISTS!!!

Solution - Maximum Client Lead Time

Maximum Client Lead Time (MCLT) - a time value used in a technique to guarantee that the backup database will be out of sync for no more than a known amount of time:
Normally no need to change the default (one hour).
The first time a new client gets a lease, the lease period will be MCLT.
Allows time for the backup partner to obtain existing, unknown active lease information from the clients themselves.
On the first client renew, the configured lease period is used.
After setPartnerDown or the Safe Period expires, the backup waits this long before giving out addresses from the main's allocation.

New Scenario with MCLT

Main server gives a 1 hour new lease to a new client.
Main server crashes before updating the backup.
Client attempts to renew with the main server, which fails.
Client broadcasts a rebind, which the backup server receives.
Backup now realizes that there is a lease it didn't know about, updates its database and renews the client's lease.
THIS PREVENTED A DUPLICATE ADDRESS SITUATION!!!
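The two scenarios above (a 7-day lease with no MCLT, then a one-hour MCLT lease with a client rebind) played through in a small simulation. This is an added example, not CNR code or part of the course; the address ranges, client names and event times are constructed, and the setPartnerDown and rebind timings follow the slides.

```python
from dataclasses import dataclass, field
from typing import Optional

HOUR = 3600
MCLT = 1 * HOUR                    # slide default: one hour
CONFIGURED_LEASE = 7 * 24 * HOUR   # the 7-day lease from the problem slide


@dataclass
class Lease:
    client: str
    expires: int
    acked_by_partner: bool = False   # True once a DHCPBNDACK has confirmed it


@dataclass
class Server:
    name: str
    own_range: list          # this server's own allocation
    partner_range: list      # partner's allocation, usable only in PARTNER-DOWN
    use_mclt: bool
    leases: dict = field(default_factory=dict)        # ip -> Lease
    partner_down_since: Optional[int] = None          # set by setPartnerDown

    def lease_time(self, lease: Lease) -> int:
        # MCLT rule: a binding the partner has not acknowledged is granted for
        # MCLT only; an acknowledged binding gets the configured lease period.
        if self.use_mclt and not lease.acked_by_partner:
            return MCLT
        return CONFIGURED_LEASE

    def free_addresses(self, now: int) -> list:
        pool = list(self.own_range)
        if self.partner_down_since is not None:
            # Even in PARTNER-DOWN the MCLT-aware server waits MCLT before it
            # hands out anything from the partner's allocation.
            if not self.use_mclt or now - self.partner_down_since >= MCLT:
                pool += self.partner_range
        return [ip for ip in pool
                if ip not in self.leases or self.leases[ip].expires <= now]

    def discover(self, client: str, now: int) -> Optional[str]:
        # DHCPDISCOVER/OFFER/REQUEST/ACK collapsed into one allocation step.
        free = self.free_addresses(now)
        if not free:
            return None
        lease = Lease(client, 0)
        lease.expires = now + self.lease_time(lease)
        self.leases[free[0]] = lease
        return free[0]

    def request(self, client: str, ip: str, now: int) -> bool:
        # Renew/rebind of an address the client already holds. A rebind for an
        # address this server has never heard of is how the backup learns the
        # lease the crashed main never reported.
        lease = self.leases.get(ip)
        if lease is None:
            lease = Lease(client, now)
            self.leases[ip] = lease
        elif lease.client != client:
            return False                                  # DHCPNAK
        lease.expires = now + self.lease_time(lease)
        return True


def run_scenario(use_mclt: bool) -> dict:
    main_range = [f"10.10.10.{n}" for n in range(2, 5)]   # constructed tiny pool
    backup_range = ["10.10.10.231"]                       # constructed backup pool
    main = Server("main", main_range, backup_range, use_mclt)
    backup = Server("backup", backup_range, main_range, use_mclt)

    ip_a = main.discover("client-A", 0)   # main grants, then crashes before BNDUPD
    if use_mclt:
        # With a one-hour lease, client A fails to renew with the main at T1 and
        # broadcasts a rebind at T2 (87.5% of the lease), which the backup answers.
        backup.request("client-A", ip_a, int(0.875 * HOUR))
    backup.partner_down_since = 1 * HOUR                 # operator: setPartnerDown
    backup.discover("client-B", 1 * HOUR + 1)            # exhausts the backup pool
    t_c = int(1.5 * HOUR)
    ip_c = backup.discover("client-C", t_c)              # None while MCLT still runs
    if use_mclt:
        backup.request("client-A", ip_a, t_c + 1)        # A now renews with the backup
        t_c = 2 * HOUR
        ip_c = backup.discover("client-C", t_c)          # main's range usable after MCLT
    # Duplicate if C got A's address while A's original lease is still running.
    duplicate = ip_c == ip_a and main.leases[ip_a].expires > t_c
    return {"ip_a": ip_a, "ip_c": ip_c, "duplicate": duplicate}
```

Without MCLT the backup re-issues 10.10.10.2 while client A still holds it; with MCLT the rebind teaches the backup about the lease and client C receives 10.10.10.3 instead.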

Server States and Transitions

STARTUP - Startup state.
NORMAL - Normal state.
COMMUNICATIONS-INTERRUPTED - Servers are unable to communicate (safe).
PARTNER-DOWN - Partner server is known to be down (possibly unsafe).
POTENTIAL-CONFLICT - Servers are synchronizing lease information.
RECOVER - Recovering bindings from partner.
PAUSED - Shutting down for a short time.
SHUTDOWN - Shutting down for an extended time.
RECOVER-DONE - Interlock state prior to NORMAL.


Failover States and IP Pool Use

In COMMUNICATIONS-INTERRUPTED, the possibility exists that both servers are active.
In PARTNER-DOWN, only one server is assumed to be active.
Transition from COMMUNICATIONS-INTERRUPTED state to PARTNER-DOWN state can be done manually or automatically after a configurable time called the Safe Period.

DHCP Load Balancing


DHCP Load Balancing

RFC 3074 method of allocating responsibility for servicing clients.
Hash value between 0 and 255 calculated on the client's identifier option or hardware address.
Each server is allocated 50% of the hash values and available addresses and normally responds to DHCPDISCOVER for its half of the hash values.
When failover occurs, each server responds to all requests using its pool of addresses until PARTNER-DOWN + MCLT.
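The hashing and 50/50 bucket split described above, worked through in an added example that is neither CNR's nor the RFC's code; it also covers the failover case where a surviving server answers every hash. The permutation table is a constructed stand-in for the table RFC 3074 publishes, so hash values differ from a real server's, and the server names, HBA layout and sample MAC addresses are assumptions.

```python
import random

# RFC 3074 drives the hash through a fixed 256-entry permutation table. The table
# here is CONSTRUCTED from a seeded shuffle, not the one published in the RFC, so
# the hash values differ from a real server's; the mechanics are the same.
LOADB_TABLE = list(range(256))
random.Random(3074).shuffle(LOADB_TABLE)


def hash_key(client_id_option: bytes, chaddr: bytes) -> bytes:
    # Slide: the hash is computed on the client identifier option if present,
    # otherwise on the hardware address.
    return client_id_option if client_id_option else chaddr


def loadb_hash(key: bytes) -> int:
    """Pearson-style hash: one table lookup per input byte, result 0..255."""
    h = 0
    for b in key:
        h = LOADB_TABLE[h ^ b]
    return h


def make_hba(buckets) -> bytes:
    """Hash Bucket Assignment: a 256-bit bitmap; bit n set means this server
    serves clients whose hash is n."""
    bits = bytearray(32)
    for n in buckets:
        bits[n // 8] |= 1 << (n % 8)
    return bytes(bits)


def hba_has(hba: bytes, h: int) -> bool:
    return bool(hba[h // 8] & (1 << (h % 8)))


def split_50_50() -> dict:
    """Default load balancing: each server owns half of the hash values."""
    return {"main": make_hba(range(0, 128)), "backup": make_hba(range(128, 256))}


def responders(key: bytes, hbas: dict, state: str = "NORMAL") -> list:
    """Which servers answer a DHCPDISCOVER from this client.

    hbas holds the HBA of every server that is currently up. In NORMAL state
    only the owner of the hash bucket answers; once failover has occurred
    (COMMUNICATIONS-INTERRUPTED or PARTNER-DOWN) each available server
    answers every request from its own pool of addresses.
    """
    h = loadb_hash(key)
    if state == "NORMAL":
        return [name for name, hba in hbas.items() if hba_has(hba, h)]
    return list(hbas)


def distribution(macs, hbas: dict) -> dict:
    """Count how many of the given hardware addresses each server would serve."""
    counts = {name: 0 for name in hbas}
    for mac in macs:
        for name in responders(hash_key(b"", mac), hbas):
            counts[name] += 1
    return counts


if __name__ == "__main__":
    hbas = split_50_50()
    # Constructed sample: 256 adjacent MACs sharing one vendor prefix.
    macs = [bytes([0x00, 0x11, 0x22, 0x33, 0x44, n]) for n in range(256)]
    print(distribution(macs, hbas))
    print(responders(macs[0], {"backup": hbas["backup"]}, "COMMUNICATIONS-INTERRUPTED"))
```

Because the table is a permutation, 256 MACs that differ only in their last byte hit every hash value once, so the split is exactly 128/128; real client populations are only approximately even.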

Failover Configurations


Failover Configurations

In previous versions of CNR there are three basic failover configurations:
Simple
Symmetric
Back Office

Symmetric and Back Office modes are difficult to configure and maintain.
DHCP Load Balancing further reduces the desirability of symmetric or back office modes.

Simple Failover Configuration

Diagram: DHCP Server 1 is main for subnets 172.168.21.0/24, 172.168.22.0/24 and 172.168.23.0/24; DHCP Server 2 is backup for the same three subnets. Both servers reach the subnets across the corporate WAN.

Symmetric Failover Configuration

Diagram: DHCP Server 1 is main for subnets 172.168.21.0/24 and 172.168.22.0/24 and backup for subnet 172.168.23.0/24; DHCP Server 2 is backup for subnets 172.168.21.0/24 and 172.168.22.0/24 and main for subnet 172.168.23.0/24. Both servers reach the subnets across the corporate WAN.

Back Office Failover Configuration

Diagram: DHCP Server 1 is main for subnets 172.168.21.0/24 and 172.168.22.0/24; DHCP Server 2 is main for subnets 172.168.23.0/24 and 172.168.24.0/24; DHCP Server 3 is backup for all four subnets.

Key Points for Failover Configuration

Simple failover with DHCP load balancing is the recommended failover configuration.
Upgrading a previous implementation will not automatically enable the load balancing feature.
Enabling load balancing will override any backup percentage set on an individual server.

Configuring Failover


Configuring Failover

Configure the main server as required for your network.
Use the Failover Configuration page to configure the failover pair and synchronize the configurations.
Automates copying of:
DHCP server properties
Policy properties & DHCP options
Scopes, scope properties and ranges
Reservations
Clients, client-classes & scope selection tags
Extensions

When synchronized and reloaded, the servers will be the same.

Adding a Cluster From the Web UI

From the Web UI click DHCP, then Cluster to open the List Server Clusters page:

Adding a Cluster From the Web UI (Cont.)


Create Failover Pair Break Out

From the Web UI click DHCP, then Failover to open the List DHCP Failover Pairs page:

Create Failover Pair Break Out (Cont.)


Synchronizing Failover Pair Configurations


From the Web UI List DHCP Failover Pairs page, click the Report icon:


Synchronizing Failover Pair Configurations (Cont.)


Synchronizing Failover Pair Configurations (Cont.)


Configuring Failover - Reload Servers


Check List for Failover Configurations

Duplicate on both servers:
Scopes, including ensuring identical scope-selection tags
Policies
IP addresses
Reservations
Clients
Client-classes
Dynamic DNS updates
Dynamic BOOTP
Virtual private networks (VPNs)
DHCP extensions

Configure Load Balancing

From the Web UI click DHCP, then Failover to open the List DHCP Failover Pairs page:

Configure Load Balancing (Cont.)


Monitoring Failover Status

From the Web UI click DHCP, then Failover to open the List DHCP Failover Pairs page:

Monitoring Failover Status (Cont.)


Monitoring Failover

If a server enters Communications Interrupted:
If the condition is understood and expected to clear quickly, continue to monitor status; no other action is needed.
If either server is down and the other is running out of leases in its backup pool, verify that one is really down, then use setPartnerDown on the other so it can use all the leases.
When the server comes back up, it will notify its partner that it's up and enter Recovery. Let Recovery proceed. Monitor with getRelatedServers.

setPartnerDown Command

The backup server does not automatically assume that the other server is down.
setPartnerDown is used to tell a failover partner that the other server is down. It can be done from the Web UI or CLI.
Does NOT cause the other server to shut down.
The server will wait MCLT before actually using the other pool's addresses unless a time is specified.

Safe Period

Normally disabled.
If enabled, the backup will wait this period, then automatically move to the partner down state.
If enabled, duplicate address assignment is possible if the other server is not really down.

Exercise - Configure DHCP Failover

Configure DHCP Failover


Review Q & A



Troubleshooting CNR DHCP


Troubleshooting CNR DHCP Objectives

Find DHCP server status and statistics
Identify the conditions that decrement the health status for the DHCP server
Use and search the DHCP server log files to find potential problems
Understand and configure debug settings on the DHCP server
Identify and understand the most common errors

DHCP Server Status Monitoring


DHCP Server Status Monitoring

Involves checking its:
State
Health
Statistics
Log messages
Related servers (DHCP)

Server States

Loaded - First step after the server agent starts the server (transitional).
Initialized - Server was stopped or fails to configure.
Unconfigured - Server is not operational because of a configuration failure (transitional).
Stopped - Server was administratively stopped and is not running (transitional).
Running - Server is running successfully.

Items to Monitor for a Server's Health

The following items can decrement the server's health, so you should monitor their status periodically:
DHCP server (local cluster)
Configuration errors
Memory
Disk space usage

How to Display the Server's Health from the CLI

From the CLI, use the [server] type getHealth command:
The number 10 indicates the highest level of health.
0 indicates that the server is not running.

To see if your local cluster server is running on Solaris and Linux, run the cnr_status command in the install-path/usrbin/ directory:
bash-2.05# ./cnr_status
DNS server running          (pid: 195)
DHCP server running         (pid: 196)
Server Agent running        (pid: 135)
MCD lock manager running    (pid: 161)
CCM Server running          (pid: 159)
WEB Server running          (pid: 199)
CNRSNMP server running      (pid: 201)

Monitor Server Health from the Web UI

From both the local and regional cluster Web UIs:
1. Click Administration, then Servers.
2. Check the Manage Servers page for the state and health of each server.

Web UI Administration

Click the Statistics icon to view statistics for the server.
Click the Log icon in the View Log column to view the log messages for the server.
Click the Start icon to start the server.
Click the Stop icon to stop the server.
Click the Reload icon to reload the server.

CNR SNMP

The Network Registrar Simple Network Management Protocol (SNMP) notification support allows you to:
Be warned of error conditions and possible problems with the DHCP servers.
Monitor threshold conditions that may indicate address depletion on particular scopes.

Network Registrar implements SNMP Trap Protocol Data Units (PDUs) according to the SNMPv1 standard.

CNR SNMP (Cont.)

Each trap PDU contains:
Generic-notification code, if enterprise-specific.
Specific-notification field that contains a code indicating the event or threshold crossing that has occurred.
Variable-bindings field that contains additional information about certain events.

DHCP Server Logs


DHCP Server Logs

Log Files
Log Settings
Viewing and Searching the Logs from the Web UI
Viewing and Searching the Logs from the CLI
Log Messages:
syslog
Windows Event Viewer

Log Files

When you start Network Registrar, it automatically starts logging Network Registrar system activity.
Network Registrar maintains all the logs by default in:
Windows: <CNR_ROOT>\logs
Solaris and Linux: <CNR_VAR>/local/logs (local cluster) and <CNR_VAR>/regional/logs (regional server)

To view these logs, use the tail -f command in Unix.
The file name_dhcp_1_log contains Local Cluster DHCP activity entries.

Log Settings From Web UI

Choosing from the DHCP log settings gives you greater control over the log messages.
From the Web UI, use the Log settings attribute on the Edit DHCP Server page.

Log Settings From CLI

When you suspect a problem exists, use the following command to control what is logged:
dhcp set log-settings with one or more keywords or numeric values, separated by commas.
Restart the server if you make any changes to the log settings.

To return to the default state, use the following command:
dhcp unset log-settings

Log Settings

Logging Server Events:
The DNS, DHCP, and TFTP servers have log settings that can restrict what is logged, and thereby improve server performance.
These log settings are available using the dns set log-settings, dhcp set log-settings, and tftp set log-settings commands in the CLI, respectively.
Caution: To avoid filling up the Windows Event Viewer and preventing Network Registrar from running, check the Overwrite Events as Needed box in the Event Log Settings.

Viewing and Searching the Logs from the Web UI

The Web UI provides a convenient way to search for entries in the activity and startup log files.
You can locate:
Specific message text
Log message IDs
Message timestamps (using a regular expression string entry).

How to View and Search the Logs from the Web UI

When you click the Log icon in the View Log or View Startup column on the Manage Servers page (or one of the specific server pages), this opens a Log for Server page:

How to View and Search the Logs from the Web UI (Cont.)

In the text field next to the Search icon at the top of the page, enter the search string in regular expression syntax.
For example, entering Warning searches for all instances of log entries containing a warning.

How to View and Search the Logs from the Web UI (Cont.)

Clicking the Search icon opens a Log Search Result page in a separate browser window.
The page shows the file name, the Match Line Number of the match, and the Log Number.

Viewing Log Messages - Messages

There may be descriptive entries for CNR DHCP in the Unix log file messages. This file is located at:
Solaris: /var/adm/messages
Linux: /var/log/messages

CNR log files for the local cluster: /var/nwreg2/local/logs/
CNR log files for the regional cluster: /var/nwreg2/regional/logs

Viewing Log Messages - Windows Event Viewer

From Start > Settings > Control Panel > Administrative Tools > Event Viewer, select Applications to view the logs:

Log Messages


Log Message Categories

Server log entries include the following categories:
Activity - Logs the activity of your servers.
Info - Logs standard operations of the servers, such as starting up and shutting down.
Warning - Logs warnings, such as invalid packets, user miscommunication, or an error in a script while processing a request.
Error - Logs events that prevent the server from operating properly, such as out of memory, unable to acquire resources, or errors in configuration.

Common Log Messages

Typical messages in the CNR DHCP startup log file:
bash-2.05# cat dhcp_startup_log
01/31/2006 14:30:54 dhcp_startup Info Configuration 0 18028 Loading configured dhcp-interfaces ...
01/31/2006 14:30:54 dhcp_startup Info Configuration 0 04496 Configuring Interfaces...
01/31/2006 14:30:54 dhcp_startup Info Configuration 0 04502 Configured IPv4 network interface 10.250.27.20/255.255.255.0, device 'hme0', hostname cnrlocal, ppa 0, DHCP server port 67, DHCP client port 68.
01/31/2006 14:30:54 dhcp_startup Info Configuration 0 04414 Adding Scope: ny-10.1.1.0/24 with network address: 10.1.1.0 and subnet mask: 255.255.255.0 (with computed dns-host-bytes 1) to Network: 10.1.1.0-255.255.255.0.
01/31/2006 14:30:54 dhcp_startup Info Configuration 0 04414 Adding Scope: ScopeA with network address: 10.0.1.0 and subnet mask: 255.255.255.0 (with computed dns-host-bytes 1) to Network: 10.0.1.0-255.255.255.0.
01/31/2006 14:30:54 dhcp_startup Info Configuration 0 04414 Adding Scope: test-scope with network address: 172.16.1.0 and subnet mask: 255.255.255.0 (with computed dns-host-bytes 1) to Network: 172.16.1.0-255.255.255.0.
01/31/2006 14:30:54 dhcp_startup Info Configuration 0 04424 Server successfully configured 3 Scopes containing 11 Leases and 0 Reservations in 1 bulk database read.
01/31/2006 14:30:54 dhcp_startup Info Configuration 0 04557 Configuring Extensions...
01/31/2006 14:30:54 dhcp_startup Info Configuration 0 04560 Configuring Extension Points ...
01/31/2006 14:30:54 dhcp_startup Info Configuration 0 05352 Initiating cache refresh operation.
01/31/2006 14:30:54 dhcp_startup Info Configuration 0 05353 Cache refresh operation complete, 2 v4 leases and 0 v6 leases read .
01/31/2006 14:30:54 dhcp_startup Info Configuration 0 05512 Opening subnet state database.
01/31/2006 14:30:54 dhcp_startup Info Configuration 0 05513 Subnet state database read successfully: 0 subnets read.
01/31/2006 14:30:54 dhcp_startup Info Configuration 0 04568 Current State will be set to State '8'
01/31/2006 14:30:55 dhcp_startup Info Configuration 0 04348 Configuration Complete.
01/31/2006 14:30:55 dhcp_startup Info Server 0 04353 Starting Server

Common Log Messages (Cont.)

Typical messages in the CNR DHCP run-time log file:
bash-2.05# grep Warning name_dhcp_1_log
01/24/2006 10:12:18 name/dhcp/1 Warning Protocol 0 04663 Received DHCPINFORM packet but found no Scopes for source network '10.250.0.5'. Dropping packet.
01/24/2006 10:12:33 name/dhcp/1 Warning Protocol 0 04663 Received DHCPINFORM packet but found no Scopes for source network '10.250.0.5'. Dropping packet.
01/31/2006 14:30:56 name/dhcp/1 Info Failover 0 04220 The startup period for failover is beginning. The DHCP server will be unavailable for DHCP client operations while it attempts to connect with other failover servers.
01/31/2006 14:30:56 name/dhcp/1 Info Failover 0 04140 Failover: example failover pair, as main for 10.250.26.15 (re)established contact with its partner while in communications-interrupted state while the partner was in communications-interrupted state. Performing automatic resynchronization.
01/31/2006 14:30:56 name/dhcp/1 Info Failover 0 04121 Failover: example failover pair, as main for 10.250.26.15: was given a new state. Old state was communications-interrupted, new state is normal.
01/31/2006 14:30:56 name/dhcp/1 Info Failover 0 04249 Failover: example failover pair, as main for 10.250.26.15 allocated 0 IP addresses to backup server: 10.250.26.15 and withdrew 0 IP addresses from that backup server.
01/31/2006 14:30:58 name/dhcp/1 Info Server 0 05279 Accepted a new SCP client connection from client at 127.0.0.1:33355
01/31/2006 14:31:06 name/dhcp/1 Info Failover 0 04221 The startup period for failover is complete where it was not already terminated by communications being restored with a partner server. The DHCP server may be available for DHCP client operations depending on the role of this server (main or backup), its state, and its connection to other failover servers.
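A parser for the log line format shown on the two slides above, with the two checks a troubleshooter would run over it: failover state changes (message 04121) and DHCPINFORMs dropped because no scope matched the source network (message 04663). This is an added example, not part of the course or of CNR; the sample log is copied from the slide, and the field names and functions are my own.

```python
import re
from collections import Counter

# Format of the CNR DHCP log lines shown on the slides:
#   MM/DD/YYYY HH:MM:SS <source> <level> <category> <n> <msgid> <text>
LOG_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<source>\S+) "
    r"(?P<level>Activity|Info|Warning|Error) (?P<category>\S+) (?P<n>\d+) "
    r"(?P<msgid>\d{5}) (?P<text>.*)$")
STATE_CHANGE = re.compile(r"Old state was (\S+), new state is (\S+)\.")
NO_SCOPE = re.compile(r"found no Scopes for source network '([^']+)'")

# Sample input: entries copied from the run-time log slide, with the wrapped
# continuation lines left exactly as the slide shows them.
SAMPLE_LOG = """\
01/24/2006 10:12:18 name/dhcp/1 Warning Protocol 0 04663 Received DHCPINFORM packet but found no Scopes
for source network '10.250.0.5'. Dropping packet.
01/24/2006 10:12:33 name/dhcp/1 Warning Protocol 0 04663 Received DHCPINFORM packet but found no Scopes
for source network '10.250.0.5'. Dropping packet.
01/31/2006 14:30:56 name/dhcp/1 Info Failover 0 04220 The startup period for failover is beginning.
01/31/2006 14:30:56 name/dhcp/1 Info Failover 0 04121 Failover: example failover pair, as main for
10.250.26.15: was given a new state. Old state was communications-interrupted, new state is normal.
01/31/2006 14:30:58 name/dhcp/1 Info Server 0 05279 Accepted a new SCP client connection from client at
127.0.0.1:33355
"""


def parse_log(text: str) -> list:
    """Parse log text into dicts; a line without a timestamp is a wrapped
    continuation of the previous entry and is appended to its text."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOG_LINE.match(line)
        if m:
            entries.append(m.groupdict())
        elif entries:
            entries[-1]["text"] += " " + line
    return entries


def level_counts(entries: list) -> dict:
    """How many Activity/Info/Warning/Error entries the log holds."""
    return dict(Counter(e["level"] for e in entries))


def failover_transitions(entries: list) -> list:
    """(old, new) failover state pairs reported by message 04121."""
    out = []
    for e in entries:
        if e["msgid"] == "04121":
            m = STATE_CHANGE.search(e["text"])
            if m:
                out.append(m.groups())
    return out


def dropped_inform_networks(entries: list) -> dict:
    """Source networks whose DHCPINFORMs were dropped for lack of a matching
    scope (message 04663). Each one points at a missing scope or at a relay
    agent forwarding from a network the server was never configured for."""
    nets = Counter()
    for e in entries:
        if e["msgid"] == "04663":
            m = NO_SCOPE.search(e["text"])
            if m:
                nets[m.group(1)] += 1
    return dict(nets)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(level_counts(parsed))
    print(failover_transitions(parsed))
    print(dropped_inform_networks(parsed))
```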

Common Problems


Routing and Firewall Configurations

CNR host routing
BOOTP relay agent
BOOTP forwarding
IP helper-address in Cisco IOS

Firewall ports to open:
DHCP: ports 67 and 68
DHCP failover: port 647
DNS: port 53
TFTP: port 69

Configuration Errors

Missing Client or Client Class
Missing or Incorrect Scope Selection Tags
Missing or Incorrect Selection-Criteria
Missing or Incorrect Options on Policies or Embedded Policies
Options placed in Wrong Policies (policy search order)

Configuration Errors

Scopes with no ranges assigned
Addresses depleted from scope
Incorrect or Missing Primary-Subnet setting for multi-netted networks
CNR Host missing route to destination network

Solving Problems

Use the log files and additional log-settings!
With correct log-settings, CNR will tell you exactly what is wrong.

Exercise - Troubleshooting DHCP

Exercise -


Review and Q&A



Introduction to the Regional Cluster


Section Objectives

Understand the difference between Local and Regional Cluster
Identify functions performed by the Regional Cluster
Install and configure a Regional Cluster
Configure local clusters and single-sign-on

What is a Regional Cluster?


Regional Cluster

Aggregate management system for up to 100 local clusters.
Does not provide DNS, DHCP or TFTP services to clients.
Does provide management tools for monitoring and managing local clusters, as well as integrated IP address management and router management.

Regional and Local Clusters

Diagram: one CNR Regional Cluster managing several CNR Local Clusters.

CNR Regional Cluster Architecture

Diagram: the regional cluster (Regional Cluster Management System for Local Clusters) runs on Solaris, Linux or Windows and consists of the Server Agent (SA), Core Services (Thread Manager), HTTP Server, Tomcat Web Server with Servlet Engine, Central Configuration Manager (CCM) Server, Router Interface Configuration (RIC) Server and Integrated Databases. It talks to each CNR Local Cluster (DNS, DHCP, TFTP, HTTP Server, CCM Server, Core Services, Integrated Databases; Solaris, Linux or Windows) over SCP and HTTP/HTTPS, to uBR routers over Telnet/SSH, and is reached by the CLI and the CNR SDK over SCP.

Regional Cluster Components

Server Agent
Tomcat Web Server
Servlet Engine
Central Configuration Management (CCM) Server
Router Interface Configuration (RIC) Server

CNR Components and Interfaces

Diagram: the Regional CNR Cluster (Server Agent, CLI, Tomcat, CCM Server with CCM DB and Replica, Subnet Util, IP Lease History, RIC Server; platforms Solaris, Linux, Windows) connects to the Local CNR Clusters (Server Agent, CLI, Tomcat, CCM Server with CCM DB and MCD DB, DHCP with DHCP DB, DNS with DNS DBs, TFTP; platforms Solaris, Linux, Windows) over HTTP/HTTPS and the internal SCP interface, and to routers over Telnet/SSH. Legend: Legacy Interface, External Interface, Internal SCP Interface, Embedded Database.

What is CCM?

CCM = Central Configuration Management
Augments the legacy MCD databases used in earlier versions of CNR
Tracks incremental changes to the various servers and allows replication and logging


RIC Server Architecture

Diagram: in the Regional Cluster, the CCM Server drives the Router Interface Configuration Server, which configures the routers over Telnet/SSH.

Sample Deployment Scenario

Diagram: a Regional Server provides Central Management of a DHCP Failover pair and of the Primary DNS (10.10.10.2) and Secondary DNS (10.10.10.3). DHCP clients obtain a DHCP Lease from the DHCP servers, which send DNS Updates to the Primary DNS; the Primary DNS replicates to the Secondary DNS with Zone Transfers.

Key Functions of a Regional Cluster


Key Regional Server Tasks

DHCP Administration
DNS Administration
User/Group Administration
Failover Pair and DNS Master/Slave Configuration
Configuration and Communications Options
Address Space Management and Utilization
Router Interface Configuration

Regional Cluster Web UI

Provides access to centralized administrative tasks.
Administration privileges can be granular.
Regional cluster consists of:
Central Configuration Management (CCM) server
Router Interface Configuration (RIC) server
Tomcat web server, servlet engine, and server agent

Centralized Address Space Management and Reporting

Used to manage:
Address space
Address blocks
Subnets
Address types
Address destinations

Used to check:
Subnet utilization
Lease history.

Centralized DNS Management and Configuration

Used to manage:
DNS zone templates
Forward and reverse zones

Used to update:
Policies
ACLs
Keys
HA pairs
Update maps
Zone distributions.

Central Management of CNR Administrators


Regional CCM Administrator can:
Create and modify local and regional cluster
administrators, groups, and roles.
Designate specific Administrator accounts to perform
limited functions via use of groups and roles.
Push admins, groups, roles and region information down
to Local Clusters


565

Installing a CNR Regional Cluster


566

Java Installation on Windows

A security warning is displayed before the installation begins.


567

Java Installation on Windows (Cont.)


Follow the prompts to install Java


568

Java Installation on Windows (Cont.)


Install all the Java components

Be sure to install the IE Plugin


569

Java Installation on Windows (Cont.)


570

Java Installation on Windows (Cont.)


The Java installation is complete


571

Generate Local Certificates


572

CNR 6.2 Windows Installation


Un-Zip Archived File


573

CNR 6.2 Windows Installation (Cont.)


Splash Screen and Install Setup


574

CNR 6.2 Windows Installation (Cont.)


Pre-Installation


575

Regional Installation


576

CNR 6.2 Windows Installation (Cont.)


577

CNR 6.2 Windows Installation (Cont.)


578

CNR 6.2 Windows Installation (Cont.)


Select the Java installation for the Regional Cluster
to use


579

CNR 6.2 Windows Installation (Cont.)


Choose whether to install the secure Web UI


580

CNR 6.2 Windows Installation (Cont.)


581

CNR 6.2 Windows Installation (Cont.)


Select the Java installation for the Regional Cluster
Secure Web UI (SSL) to use


582

CNR 6.2 Windows Installation (Cont.)


Select the location of the keyfile for the Regional
Cluster to use


583

CNR 6.2 Windows Installation (Cont.)


584

CNR 6.2 Windows Installation (Cont.)


585

CNR 6.2 Windows Installation (Cont.)


Restart your system after the installation is complete


586

Verifying Status of Processes


Windows:
Service Manager Application
Network Registrar Local Server Agent - Started
Network Registrar Regional Server Agent - Started
View the Windows Task Manager
Processes Tab
Look for cnrservagt.exe


587

Verifying CNR's Status - Regional


Status from Windows Service Manager - Regional


588

Verifying Status of Processes - Regional


Windows:
View the Windows Task Manager
Processes Tab
Look for cnrservagt.exe


589

Installing CNR on Solaris


590

Solaris Java Installation


From the CLI type:
bash-2.05# sh ./j2sdk-1_4_2_10-solaris-sparc.sh
The standard Sun output displays:
Sun Microsystems, Inc.
Binary Code License Agreement
for the
JAVATM 2 SOFTWARE DEVELOPMENT KIT (J2SDK), STANDARD EDITION,
VERSION 1.4.2_X
Note: Output deleted for brevity.
Do you agree to the above license terms? [yes or no]
yes


591

Solaris Regional Installation


bash-2.05# pkgadd -d ./solaris/
The following packages are available:
  1  nwreg2     Network Registrar
                (sparc) 6.2

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: 1
Processing package instance <nwreg2> from
</var/tmp/cnr_6_2/solaris>
Network Registrar
(sparc) 6.2
Copyright (C) 1994-2005 by Cisco Systems, Inc.
This program contains proprietary and confidential information.
All rights reserved except as may be permitted by prior written
consent.


592

Solaris Regional Installation (Cont.)


Specify the mode for this Network Registrar installation:
  1. Local mode (default)
  2. Regional mode
Select the Network Registrar mode [1,2]: 2


Where do you want to install the Network Registrar Regional
Server Agent executable files? [/opt/nwreg2/regional]
Where do you want to put the Network Registrar Regional Server
Agent data files? [/var/nwreg2/regional/data]
Where do you want to put the Network Registrar Regional Server
Agent log files? [/var/nwreg2/regional/logs]
Where do you want to put the Network Registrar Regional Server
Agent temporary files? [/var/nwreg2/regional/temp]


593

Solaris Regional Installation (Cont.)


License file '/opt/nwreg2/regional/conf/product.licenses'
does not exist
The installer did not locate a valid Network Registrar Regional
Server Agent license key. Administration of the cluster will
not be possible without a valid license key.
Please enter your Network Registrar Regional Server Agent
license key, or press the Return key to continue the
installation without entering a valid license key at this
point:
Administration of the cluster will not be possible without a
valid license key. Are you sure you wish to continue? [n]
[y,n,?,q] y


594

Solaris Regional Installation (Cont.)


If upgrading, Cisco Systems recommends that you archive the
existing Network Registrar Regional Server Agent binaries and
database to recover in the event that the current
installation is unsuccessful.
Would you like to save an archive of your current Network
Registrar Regional Server Agent database files? [y]
[y,n,?,q] n

Network Registrar uses the CCM management SCP port for internal
communications between servers.
Enter the CCM SCP port number [1244]:
Network Registrar Regional Server Agent 6.2 requires Java
version 1.4.2 (or later) to run.
Where is your Java software installed? [/usr/java]


595

Solaris Regional Installation (Cont.)


Specify whether you would like to configure security for the
browser connection to the Network Registrar web server using
a pre-configured JSSE installation.
  1. Non-secure/HTTP (default)
  2. Secure/HTTPS (requires JSSE)
  3. Both HTTP and HTTPS
Select your installation type [1-3]: 3

Network Registrar uses the Web UI port to provide the Web user
interface service to clients. The product default port number
is 8090.
Enter the Web UI port number [8090]:


596

Solaris Regional Installation (Cont.)


Network Registrar Regional Server Agent 6.2 requires JSSE
version 1.0.2 or Java 1.4.2 (or greater) to provide HTTPS
support.
Where is your JSSE (or Java 1.4.2+) software installed?
[/usr/java]
Provide the fully qualified path to the keystore file that
contains the certificate(s) to be used for the secure
connection to the Network Registrar web server. Do not remove
this file or Network Registrar HTTPS connection requests will
fail.


597

Solaris Regional Installation (Cont.)


Where is your keystore file located? /etc/cnrreginoal
onal.keys
Network Registrar requires the password that was provided when
creating the JSSE keystore file to provide the secure Web user
interface service to clients. The default password is
changeit.
What is your keystore password? Cisco1

Network Registrar uses the secure Web UI port to provide the
Web user interface service to clients. The product default
secure port number is 8453.
Enter the secure Web UI port number [8453]:


598

Solaris Regional Installation (Cont.)


## Executing checkinstall script.
The selected base directory </opt/nwreg2/regional> must exist before
installation is attempted.
Do you want this directory created now [y,n,?,q] y
Using </opt/nwreg2/regional> as the package base directory.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.


599

Solaris Regional Installation (Cont.)


This package contains scripts which will be executed with super-user
permission during the process of installing this package.
Do you want to continue with the installation of <nwreg2> [y,n,?] y
Installing Network Registrar as <nwreg2>
## Installing part 1 of 1.
/opt/nwreg2/regional/aiclockmgr
/opt/nwreg2/regional/cnrImage.tar.gz
...OUTPUT DELETED FOR BREVITY...


600

Solaris Regional Installation (Cont.)


/opt/nwreg2/regional/aiclockmgr
Network Registrar regional mode installation completed
successfully.
Installation of <nwreg2> was successful.
The following packages are available:
  1  nwreg2     Network Registrar
                (sparc) 6.2

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: q
bash-2.05#


601

Verifying Status of Processes


Check whether Network Registrar processes are
running:
Solaris and Linux:
# /opt/nwreg2/local/usrbin/cnr_status
# /opt/nwreg2/regional/usrbin/cnr_status


602

CNR 6.2 Product Licensing


Each Network Registrar software license key
addresses a separate functional area. You enter
these license keys during installation or in the Web-based
user interface (Web UI) or CLI.
During an upgrade, you are prompted for a license
key only if no valid license keys are found in the
existing license file.


603

Licensing CNR 6.2 (Cont.)


Upgrading from a release before 6.0 - You must add
a new license key. License keys that were valid
before 6.0 do not work.
DHCPv6 functionality requires a new ipv6 license
key.
The router license can now be applied to the local
cluster.


604

Product Licensing - Regional



605

Viewing Licensing - Regional


606

Configuring the Regional CNR Clusters


Administrators are responsible at each cluster for
adding and managing:
Users
Zone data
DHCP data
Address space data
Servers in general.

Management is done from the Regional Web UI:
Changes are pushed to the local clusters.
Then navigate to the local cluster for local operations.

607

View Tree of Clusters


From the Regional Web UI click Clusters, then Cluster
Tree to open the View Tree of Server Clusters page:


608

Adding Local Clusters to the Regional Configuration

From the Regional Web UI click Clusters, then Cluster
List to open the List Server Clusters page:


609

Adding Local Clusters to the Regional Configuration (Cont.)


610

Creating a Regional Working Environment


The Local Cluster needs no knowledge of, and no
initialization for, the Regional Cluster.
Multiple Regional Clusters are possible, and they can
share some of the same Local Clusters.
Create a Regional Cluster by defining the Local
Clusters attached to it.
Upon initial creation on the Regional Cluster,
synchronization with the Local Cluster occurs, which
copies local data to the regional replica database.
The Regional Cluster uses Push and Pull to move data.

611

Push and Pull


Push - When data needs to be transferred from the
Regional Cluster to the Local Cluster, the Regional
Cluster PUSHes the data.
Pull - When data needs to be transferred from the Local
Cluster to the Regional Cluster, the Regional
Cluster PULLs the data.
Note: This allows central management and
replication of Cisco Network Registrar data objects
even in large enterprises.


612

Replicating Local Cluster Data


Replication is copying the configuration data from a
local server to the regional server's replica
database.
Replication must occur before you can pull data
into the regional server's database.


613

CNR Components and Interfaces

(Diagram) Regional CNR Cluster: Server Agent, CLI, Tomcat (HTTP/HTTPS), CCM Server with its CCM DB, the Replica database, Subnet Util and IP Lease History data, and the RIC Server (Telnet/SSH to routers). Local CNR Clusters: Server Agent, CLI, Tomcat (HTTP/HTTPS), CCM Server with CCM DB, DHCP (DHCP DB), DNS (DNS DBs), TFTP, and MCD DB. The regional CCM Server PULLs replica data from the local CCM Servers over SCP. Legend: Legacy Interface, External Interface, Internal SCP Interface, Embedded Database. Platforms: Solaris, Linux, Windows.

614

Replicated Objects
DHCP Scopes
Address Block
Subnets and Policies
Scope Templates
Client-Classes
VPNs
DNS zones
Zone Templates


615

Replication
Replication Occurs:
When you first synchronize the clusters.
At a configured time interval.
When manually initiated.

During synchronization and time interval replication
all objects are replicated.
During a manual replication you can control which
objects are replicated.


616

Notable Points for Replication on a Time Interval

Default is 4 hours.
Can be configured when adding a cluster on the
Add Server Cluster page.
Can be adjusted on the Edit Server Cluster page,
using the poll-replica-interval attribute.
Can be a different value for each cluster.


617

Configuring Single-Sign-On
Single sign-on enables seamless navigation
between the Regional and Local cluster.
Many of the Web UI pages have an icon that allows
you to do this.
If you have single sign-on privileges, the connection takes
you to the related local management page (or a related
page for failover pair configurations).
If you don't have privileges, the connection takes you to
the login page for the local cluster.


618

Using Single Sign-On from the Web UI


619

Exercise - Install and Configure the Regional Cluster


620

Exercise: Install & Configure Regional Cluster


621

Review and Q&A


622

Review Questions and Answers


623

Address Space Management


624

Section Objectives
Define the key terms used in address space
management
Configure and manage address blocks
Delegate address space to local clusters
Configure and manage subnets
Push subnets to local clusters and routers
Configure and run subnet utilization reporting
Configure and run lease history reporting

625

Introduction


626

Key Terms
Address block - An aggregate of IP addresses based
on a power-of-two address space that can be delegated
to an authority.
Child Address block - An address block (shown as a
branch in the address allocation hierarchy) that has
been subdivided from a parent address block.
Subnet - The leaf node of the address space; it
cannot be further subdivided.
Address Range - A range of addresses assigned to a
subnet.


627

Key Terms (Cont.)


Delegation - Address block delegation is the
coordinated action of marking a local cluster
responsible for an address block.
Address Utilization - The number of addresses that
are currently allocated from a given subnet or address
block.
Lease History - Past allocation information for a given
IP address. CNR can keep a database of past
allocation information for a given IP address.


628

Router Interface Configuration


629

RIC Server Architecture

(Diagram) The Router Interface Configuration (RIC) Server runs in the Regional Cluster alongside the CCM Server and connects to each managed Router over Telnet/SSH.

630

Router Interface Management


Router Configuration Hierarchy:
Routers
Router interfaces
Child interfaces

The hierarchy is viewable from the View Tree of
Routers page.
Only available when routers are created in the system
and synchronized.


631

Managed Versus Virtual Routers


Managed Routers:
Updated in the database and physically updated and
synchronized.

Virtual Routers:
Updated in the Network Registrar database only.
Defined by omitting the router type or connection
credentials on the Add Router or Edit Router pages.

You can create, push, and reclaim subnets from
both router types.


632

Adding a Router
From the Web UI, click Routers, then Router List to
open the Add Router page:


633

Adding a Router (Cont.)


634

Resynchronizing a Router


635

Using SSH to Connect to Routers


The RIC server can use SSH to connect to the
routers:


636

Viewing Router Interfaces


From the List Routers page click the Interfaces Icon
to open the List Router Interfaces page:


637

Edit Router Interfaces


From the List Router Interfaces page click the router
name to edit:


638

Address Management Tasks


639

What is Address Space?


A hierarchical tree of address blocks and subnets,
sorted in IP address order.
Address blocks provide an organizational structure
for addresses used across the network.


640

Viewing Address Space from the Web UI


You can choose the level of depth at which to
display the tree.
You can also expand and contract nodes, which
recursively expands or contracts all child nodes.
If you pick a new level, this overrides the previous
expansion or contraction.
This page is available from both the local cluster
and regional cluster.


641

Viewing Address Space from the Web UI (Cont.)

From the Web UI click Address Space and then
Address Space again to open the View Address
Space page:


642

Adding an Address Block

An administrator notes that an address block is
nearing a high threshold.
The administrator submits a request for more address
space and receives a new address block.
The administrator now needs to add the address
block to address space management.

643

Address Blocks and Subnets Example


(Diagram) Address block hierarchy:
192.168.0.0/16 - Address Block
  192.168.0.0/18 - Child Address Block
    192.168.32.0/20 - Child Address Block (can be subdivided)
    192.168.50.0/24 - Subnet (cannot be subdivided; typically delegated to a DHCP server)
  192.168.64.0/18 - Child Address Block
  192.168.128.0/18 - Child Address Block
  192.168.192.0/18 - Child Address Block


644

Adding Address Block from Web UI


From the Web UI click Address Space and then
Address Blocks to open the List/Add Address Space
page:


645

Creating Child Address Blocks


From the List/Add Address Blocks page click the
name of an address block not marked as delegated
to open the Edit Address Block page:


646

Delegating Address Blocks


Delegation - Address block delegation is the
coordinated action of marking a local cluster
responsible for an address block.
To delegate an address block to a local cluster, the
address block cannot have child address blocks or
subnets.
The delegated address block created at the local server must
have the same address size as the one at the regional cluster.

You can delegate only one address block to one
local cluster at a time:
You cannot delegate it to multiple local clusters.
You can also delegate an address block to an owner.
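The address-block hierarchy from the Address Blocks and Subnets slide and the delegation rules above, as an added Python model that is not CNR code: a power-of-two block can be split into child blocks or hold leaf subnets, only a block with no children or subnets may be delegated to one local cluster, the local copy must match the regional block's size, and a subnet reports its utilization. The cluster name, lease addresses and method names are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Subnet:
    """Leaf of the address space: cannot be subdivided; typically delegated to a DHCP server."""
    network: ipaddress.IPv4Network
    allocated: Set[ipaddress.IPv4Address] = field(default_factory=set)

    def allocate(self, address: str) -> None:
        """Record a lease; the address must lie inside this subnet."""
        addr = ipaddress.IPv4Address(address)
        if addr not in self.network:
            raise ValueError(f"{addr} is outside {self.network}")
        self.allocated.add(addr)

    def utilization(self) -> float:
        """Address Utilization: share of this subnet's addresses currently allocated."""
        return len(self.allocated) / self.network.num_addresses


@dataclass
class AddressBlock:
    """Power-of-two aggregate holding child blocks and subnets, or delegated as a whole."""
    network: ipaddress.IPv4Network
    children: List["AddressBlock"] = field(default_factory=list)
    subnets: List[Subnet] = field(default_factory=list)
    delegated_to: Optional[str] = None  # local cluster (or owner) name once delegated

    def _check_editable(self) -> None:
        if self.delegated_to is not None:
            raise ValueError(f"{self.network} is delegated to {self.delegated_to}")

    def _check_fits(self, net: ipaddress.IPv4Network) -> None:
        """A new child or subnet must lie inside this block and overlap nothing already carved."""
        if not net.subnet_of(self.network):
            raise ValueError(f"{net} is not inside {self.network}")
        for existing in [c.network for c in self.children] + [s.network for s in self.subnets]:
            if existing.overlaps(net):
                raise ValueError(f"{net} overlaps {existing}")

    def subdivide(self, new_prefix: int) -> List["AddressBlock"]:
        """Split an empty block into equal child blocks (e.g. a /16 into four /18s)."""
        self._check_editable()
        if self.children or self.subnets:
            raise ValueError(f"{self.network} is already subdivided")
        self.children = [AddressBlock(n) for n in self.network.subnets(new_prefix=new_prefix)]
        return self.children

    def add_child(self, cidr: str) -> "AddressBlock":
        """Carve one child block, which may itself be subdivided later."""
        self._check_editable()
        net = ipaddress.IPv4Network(cidr)
        self._check_fits(net)
        self.children.append(AddressBlock(net))
        return self.children[-1]

    def add_subnet(self, cidr: str) -> Subnet:
        """Carve a leaf subnet; it cannot be subdivided further."""
        self._check_editable()
        net = ipaddress.IPv4Network(cidr)
        self._check_fits(net)
        self.subnets.append(Subnet(net))
        return self.subnets[-1]

    def delegate(self, cluster: str) -> None:
        """Mark one local cluster responsible; only a block with no children or subnets qualifies."""
        self._check_editable()
        if self.children or self.subnets:
            raise ValueError(f"{self.network} has children or subnets and cannot be delegated")
        self.delegated_to = cluster

    def matches_local(self, local_cidr: str) -> bool:
        """The block created at the local cluster must have the same address size as this one."""
        return ipaddress.IPv4Network(local_cidr) == self.network

    def find(self, cidr: str) -> Optional["AddressBlock"]:
        """Locate a block by CIDR at or beneath this node."""
        net = ipaddress.IPv4Network(cidr)
        if net == self.network:
            return self
        for child in self.children:
            if net.subnet_of(child.network):
                return child.find(cidr)
        return None


def build_example() -> AddressBlock:
    """Reproduce the slide's tree: a /16 split into four /18s; the first /18 holds the
    192.168.32.0/20 child block and the 192.168.50.0/24 subnet. Leases and cluster name are constructed."""
    root = AddressBlock(ipaddress.IPv4Network("192.168.0.0/16"))
    first = root.subdivide(18)[0]                # 192.168.0.0/18
    first.add_child("192.168.32.0/20")           # child block: can be subdivided later
    leaf = first.add_subnet("192.168.50.0/24")   # subnet: leaf, cannot be subdivided
    for host in range(1, 65):                    # 64 constructed leases -> 25% utilization
        leaf.allocate(f"192.168.50.{host}")
    first.find("192.168.32.0/20").delegate("local-cluster-a")  # hypothetical cluster name
    return root
```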

647

Pre-requisites for Delegating an Address Block

1. The central configuration administrator needs to
create a local cluster to which to delegate the
address block.
2. The central configuration administrator must
synchronize the regional cluster with the local
cluster.
The local cluster will have address source references to
the regional cluster through the synchronization
process.
3. Delegate the address block to the cluster or an
owner.


648

Delegating from the Web UI


649

Reasons to Create a Subnet for Delegation


Typically you will create a subnet to be delegated to
a Local Cluster or Router in order to create a new
scope.


650

Pushing Subnets to Local Clusters


From the Web UI click Address Space and then
Subnets to open the List/Add Subnets page:


651

Pushing Subnets to Local Clusters (Cont.)


652

Pushing Subnets to Local Clusters (Cont.)


653

Viewing Subnet From Local Cluster


From the Regional Cluster, click DHCP and then
Scopes to open the List/Add DHCP Scopes page:


654

Why Reclaim a Subnet


To renumber the network.
Or to resize the network to handle address
utilization issues.


655

Reclaiming Subnets
From the Web UI click Address Space and then
Subnets to open the List/Add Subnets page:


656

Reclaiming Subnets (Cont.)


657

Reclaiming Subnets (Cont.)


658

Why Pull Address Space Data?


When there is a need to collect configuration
information from a local cluster and view it in the
Regional Cluster.
This is accomplished when you pull address space from
the replica data of the local clusters instead of explicitly
creating them.


659

Pulling Address Space Data


From the Web UI click Address Space and then
Address Space again to open the List/Add Subnets
page:


660

Pulling Address Space Data (Cont.)


661

Pulling Address Space Data (Cont.)


From the Report Pull Replica Address Space page
click Run:


662

Pulling Address Space Data (Cont.)


From the Report Pull Replica Address Space page
click OK:


663

Address Space Utilization Reporting


664

Address Space Reports


Utilization - CNR can collect address utilization data
so that you can determine how much address space is
available or used on your network.
Lease History - Past allocation information for a given
IP address. CNR can keep a database of past
allocation information for a given IP address.


665

Enabling Utilization Reports


1. Enable utilization collection on the local cluster.
2. Enable utilization data aggregation on the regional
cluster.
3. View utilization and run reports.


666

Enabling Subnet Utilization History Collection at
the Local Cluster

From the Local Cluster, click DHCP then DHCP
Server and on the Manage DHCP page click the Local
DHCP server link to open the Edit DHCP Server page:


667

Enabling Subnet Utilization History
Collection at the Local Cluster (Cont.)


668

Enabling Subnet Utilization History Collection at
the Regional Cluster


669

Enabling Subnet Utilization History Collection at
the Regional Cluster (Cont.)


670

Viewing Address Space Utilization


Current address utilization can be viewed from both
the Regional and Local servers for:
Address Blocks
Subnets
Scopes


671

Viewing Address Space Utilization (Cont.)


672

Viewing Address Space Utilization (Cont.)


673

Viewing Address Space Utilization (Cont.)


674

Viewing Utilization History


From the Regional Cluster, click Address Space
then Subnet Utilization to open the Query Subnet
Utilization page:


675

Viewing Utilization History (Cont.)


676

Viewing Utilization History (Cont.)


677

Address Space Reports


American Registry of Internet Numbers (ARIN)
Allocation


678

Running Address Space Reports


From the Regional Cluster, click Reports then
Address Space to open the Select Address Space
Report page:


679

Running Address Space Reports (Cont.)


680

Lease History Reporting


681

Lease History Data Collection


IP Lease history can be extracted to determine past
allocation information for a given IP address.
CNR provides a client to control querying IP history
data.


682

Configuring Lease History Data Collection

Abbreviated section of the Edit DHCP Server page:

683

Configuring Lease History Data Collection

Abbreviated section of the Edit Server Cluster page:

684

Running Lease History Reports


685

Running Lease History Reports (Cont.)


686

Exercise - Address Space Management


687

Exercise -


688

Review and Q&A


689


Centralized DNS Management


691

Centralized DNS Management Objectives

Know about Regional Cluster DNS Management
Features
Be able to configure the Regional Server for DNS
Management
Know how to Add Forward Zones
Know how to Add Reverse Zones
Know how to create Zone Distributions

692

Regional Cluster DNS Management Features


693

Regional Cluster Web UI


The regional cluster Web UI provides concurrent
access to Network Registrar regional and central
administration tasks.
Like the local cluster Web UI, it provides granular
administration across servers with permissions you
can set on a per element or feature basis.
The regional cluster consists of:
Central Configuration Management (CCM) server
Router Interface Configuration (RIC) server
Tomcat web server, servlet engine, and server agent


694

Regional Cluster DNS Management Features


Used to Manage:
DNS Zone Templates
Forward and Reverse Zones

Used to Update:
Policies
ACLs
Keys
Maps and Zone Distributions


695

CNR Regional Cluster Architecture

(Diagram) Regional Cluster Management System for Local Clusters: Server Agent (SA), Core Services / Thread Manager, HTTP Server, Central Configuration Manager (CCM) Server and Router Interface Configuration (RIC) Server, Tomcat Web Server with Servlet Engine, Integrated Databases; platforms Solaris, Linux, Windows. Each CNR Local Cluster runs DNS, DHCP, TFTP, an HTTP Server and a CCM Server with Integrated Databases; SCP is the internal interface and is also used by the CNR SDK and CLI; browsers connect over HTTP/HTTPS; the RIC Server reaches uBR Routers over Telnet/SSH.

696

Major Components of CNR

(Diagram) One CNR Regional Cluster managing several CNR Local Clusters.

697

Configuring the Regional Server for DNS Management


698

Configuring the Regional Server for DNS Management

Create Zones:
Forward
Reverse

Create a Zone Template

Distribute Zones to local clusters

CNR Training 6.2

2005 Cisco Systems, Inc. All rights reserved.

699

Adding Forward Zones


Key Points When Adding Zones


Zone names must be domain names, e.g.:
example.co.abc.net.
1.153.24.in-addr.arpa.
Trailing dots:
Required on all FQDNs (example.co.abc.net.)
Unqualified names always have the zone name appended (within the example.co.abc.net zone, ns.example.co.abc.net becomes ns.example.co.abc.net.example.co.abc.net.)
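The trailing-dot rule above, as an added example (not CNR code): qualify() applies the rule exactly as stated on the slide, and check_record_names() is a hypothetical pre-flight check that flags names an administrator probably meant as FQDNs but typed without the dot.

```python
def qualify(name: str, zone: str) -> str:
    """Return the owner name stored for `name` entered in `zone`.

    A name with a trailing dot is already fully qualified and is kept as-is.
    A name without one is unqualified, so the zone name is appended, even if
    the name already looks fully qualified. That is the pitfall on the slide.
    """
    zone = zone if zone.endswith(".") else zone + "."
    if name in ("", "@"):
        return zone                      # the zone apex itself
    if name.endswith("."):
        return name                      # FQDN: keep exactly as typed
    return f"{name}.{zone}"              # unqualified: zone name appended


def check_record_names(zone: str, names: list) -> list:
    """Flag names that would be doubled up by qualify().

    Heuristic (an assumption of this example): an unqualified name that
    already ends in the zone's own labels was almost certainly meant as an
    FQDN and is missing its trailing dot.
    """
    bare_zone = zone.rstrip(".")
    warnings = []
    for n in names:
        if not n.endswith(".") and (n == bare_zone or n.endswith("." + bare_zone)):
            warnings.append(
                f"'{n}' lacks a trailing dot and will become '{qualify(n, zone)}'"
            )
    return warnings
```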

Forward Zones
Map host names to IP addresses.
They contain:
SOA
NS
A
Possibly MX records.

Configuring Forward Zone


From the Regional Web UI, click DNS and then Forward Zones to open the List/Add Zones page:

Configuring Forward Zone (Cont.)


Configuring Forward Zone (Cont.)


Forward zone added to the List Forward Zones page:

Adding Reverse Zones


Reverse Zones
Map IP addresses to host names.
They contain:
SOA
NS
PTR

in-addr.arpa Domain

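Deriving the in-addr.arpa zone name and a PTR record from an IPv4 network, as an added example that is not part of the course material; it uses the 1.153.24.in-addr.arpa. name from the zone-naming slide and the same trailing-dot rule.

```python
from __future__ import annotations
import ipaddress


def reverse_zone_name(network: str) -> str:
    """Name of the in-addr.arpa zone for a /8, /16 or /24 IPv4 network.

    The network octets are reversed under in-addr.arpa and the trailing dot
    that CNR requires on FQDNs is kept: 24.153.1.0/24 -> 1.153.24.in-addr.arpa.
    """
    net = ipaddress.ip_network(network)          # strict: host bits must be zero
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("an IPv4 network with a /8, /16 or /24 prefix is required")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_record(address: str, zone: str, hostname: str) -> tuple[str, str]:
    """(owner, target) of the PTR record for `address` in reverse zone `zone`.

    owner is the part of the reversed address not covered by the zone name,
    so it stays relative to the zone. target is forced to an FQDN with a
    trailing dot, otherwise the reverse zone name would be appended to it.
    """
    if not zone.endswith("."):
        zone += "."
    full = ipaddress.IPv4Address(address).reverse_pointer + "."   # e.g. 10.1.153.24.in-addr.arpa.
    if not full.endswith("." + zone):
        raise ValueError(f"{address} is not inside {zone}")
    owner = full[: -len("." + zone)]
    target = hostname if hostname.endswith(".") else hostname + "."
    return owner, target
```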

Configuring Reverse Zones


From the Regional Web UI, click DNS and then Reverse Zones to open the List/Add Reverse Zones page:

Configuring Reverse Zones (Cont.)


Understanding Staged vs Synchronous


Staged - Changes to zones are written to the CCM database but are not propagated to the DNS server until the server is reloaded.
Synchronous - Changes to zones are active in the DNS server immediately after the records are written to the CCM database.

How to Set DNS for Staged or Synchronous Mode
Click Main Menu to open this page to change mode:

Zone Templates


Why use Zone Templates?


It's a convenient way to create a boilerplate for primary zones that share many of the same attributes.

Creating a Zone Template


From the Regional Web UI, click DNS and then Zone Templates to open the List Zone Templates page, then click Add Zone Template:

Creating a Zone Template (Cont.)


Pushing Zone Template to Local Clusters


Pushing Zone Template to Local Clusters (Cont.)

Pushing Zone Template to Local Clusters (Cont.)
Using Push all Zone Templates:
See Notes

Pushing Zone Template to Local Clusters (Cont.)

Zone Distributions


Zone Distribution Facts


The distribution must be in a star topology, that is, one primary server and multiple secondary servers.
The authoritative (master) server can only be the local primary server where the zone distribution default is defined.
Zone distributions can be managed:
At the local cluster
Multiple distributions at the regional clusters

Zone Distribution Map Diagram


Creating a Zone Distribution


From the Regional Web UI, click DNS and then Zone Distributions to open the List/Add Zone Distributions page, then click Add Zone Distribution:

Creating a Zone Distribution (Cont.)


Adding Secondary Server


Adding Forward and Reverse Zones


Synchronizing Distributions


Synchronization Modes
Update - Adds new zones, RR sets, and hosts; replaces existing hosts if there are conflicts; and creates new secondary zones.
Complete - Like Ensure mode, except that it always replaces existing RR sets and hosts, and modifies the master server list on existing secondary zones.
Exact - Like Complete mode, except that it deletes extra zones, RR sets, hosts, and secondary zones no longer on the primary.
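The three synchronization modes as a toy model, added here as an example and not taken from CNR itself: the zone dictionaries, the sample primary/target data and the field names are all constructed for this illustration, and the rules follow the three bullets above.

```python
from __future__ import annotations
from copy import deepcopy

MODES = ("update", "complete", "exact")

# Constructed sample data (not from any real cluster). Each zone holds its
# RR sets, its hosts, and the master server list used on a secondary copy.
PRIMARY = {
    "example.net.": {"rrsets": {"www": "10.0.0.5", "mail": "10.0.0.9"},
                     "hosts": {"h1": "10.0.0.21"}, "masters": ["192.0.2.10"]},
    "new.net.": {"rrsets": {"www": "10.0.1.5"}, "hosts": {}, "masters": ["192.0.2.10"]},
}
TARGET = {
    "example.net.": {"rrsets": {"www": "10.0.0.4", "old": "10.0.0.99"},
                     "hosts": {"h1": "10.0.0.20", "h9": "10.0.0.29"}, "masters": ["192.0.2.1"]},
    "stale.net.": {"rrsets": {}, "hosts": {}, "masters": ["192.0.2.1"]},
}


def synchronize(primary: dict, target: dict, mode: str) -> dict:
    """Return a copy of `target` synchronized from `primary` in the given mode."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}; expected one of {MODES}")
    result = deepcopy(target)                          # never mutate the caller's data
    for zname, pzone in primary.items():
        if zname not in result:
            result[zname] = deepcopy(pzone)            # every mode adds missing zones
            continue
        tzone = result[zname]
        tzone["hosts"].update(pzone["hosts"])          # hosts: add, replace on conflict
        if mode == "update":
            for owner, rdata in pzone["rrsets"].items():
                tzone["rrsets"].setdefault(owner, rdata)   # add RR sets only if absent
        else:
            tzone["rrsets"].update(pzone["rrsets"])        # complete/exact: replace RR sets
            tzone["masters"] = list(pzone["masters"])      # and the master server list
        if mode == "exact":
            for owner in [o for o in tzone["rrsets"] if o not in pzone["rrsets"]]:
                del tzone["rrsets"][owner]                 # drop RR sets gone from primary
            for host in [h for h in tzone["hosts"] if h not in pzone["hosts"]]:
                del tzone["hosts"][host]                   # drop hosts gone from primary
    if mode == "exact":
        for zname in [z for z in result if z not in primary]:
            del result[zname]                              # drop zones gone from primary
    return result
```

Running synchronize(PRIMARY, TARGET, m) for each mode shows the progression: Update keeps the target's conflicting www record, Complete overwrites it and the master list, and Exact additionally removes old, h9 and stale.net.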

Synchronizing Distributions (Cont.)


Synchronizing Distributions (Cont.)


Synchronizing Distributions (Cont.)


Exercise: Configuring DNS on the Regional Cluster

Exercise: Configure DNS on the Regional Cluster

Review and Q & A


Review Questions and Answers


Configuring Failover from the Regional Cluster


Section Objectives
Configure local clusters for failover from the regional cluster UI
Check the status of failover from the regional cluster UI

Review of Failover Operation


The Need for the DHCP Failover Protocol


[Diagram: a single Main DHCP Server serving the Main Address Pool 172.16.18.101-200 is a single point of failure; a Backup DHCP Server holds the Backup Address Pool 172.16.18.191-200.]


DHCP Redundancy
The generic DHCP specification does not include cooperative redundancy.
Cooperation between DHCP servers has been implemented in CNR under the name Safe Failover.
There is an IETF draft specification that reflects Cisco's implementation.

Requirements for the DHCP Failover Protocol


Requirements:
Compatible with RFC 2131 clients.
Provide for coordination between servers not located on the same subnet.
No duplicate IP address assignment when one server fails.
Goals:
Client keeps existing address if communicating with either server.
Client can get new address from either available server.
Server can recover lost database from other server.

Roles of Servers
MAIN - the server with responsibility for DHCP service on a network segment; also called the primary server in the protocol specification.
BACKUP - the server that takes over DHCP service if the main server fails; also called the secondary server.

Normal (Non-Failure) Operation

[Diagram: Main server (Address Pool 10.10.10.2-230), Backup server (Backup Pool 231-254) and Client. The main server answers the client with the OFFER and ACK, then exchanges the binding update (steps 5-6) with the backup.]
1. DHCPDISCOVER
2. DHCPOFFER (any address from 2-230)
3. DHCPREQUEST
4. DHCPACK (any address from 2-230)
5. DHCPBNDUPD
6. DHCPBNDACK

Main Server Failure


[Diagram: the main server (Address Pool 10.10.10.2-230) has failed and its DHCPPOLL goes unanswered, so the backup server (Backup Pool 231-254) is in the Communications-Interrupted state and answers the client itself.]
1. DHCPDISCOVER
2. DHCPOFFER (any address from 231-254)
3. DHCPREQUEST
4. DHCPACK
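The two exchanges above (normal operation and main-server failure) as a toy model, added here as an example and not CNR's implementation: the pool split 10.10.10.2-230 / 231-254 is the one on the slides, while the class names, the client identifiers and the message trace are constructed for this illustration.

```python
from __future__ import annotations
from enum import Enum


class State(Enum):
    NORMAL = "NORMAL"
    COMMUNICATIONS_INTERRUPTED = "COMMUNICATIONS-INTERRUPTED"


class FailoverServer:
    """One member of a failover pair, holding its share of the address pool
    and a mirror of the bindings. Toy model of the message flow on the slides."""

    def __init__(self, role: str, host_range: range, subnet: str = "10.10.10."):
        if role not in ("main", "backup"):
            raise ValueError(role)
        self.role = role
        self.free = [subnet + str(h) for h in host_range]   # addresses this server may offer
        self.bindings: dict[str, str] = {}                   # client id -> leased address
        self.state = State.NORMAL
        self.peer: FailoverServer | None = None
        self.log: list[str] = []                             # message trace for the reader

    def handle_discover(self, client: str) -> str | None:
        """Run steps 1-4 (DISCOVER/OFFER/REQUEST/ACK) for `client`.
        Returns the ACKed address, or None when this server must stay silent."""
        if self.role == "backup" and self.state is State.NORMAL:
            return None        # in NORMAL state the main answers; the backup only mirrors
        if client in self.bindings:
            addr = self.bindings[client]   # a known client keeps its existing address
        elif self.free:
            addr = self.free.pop(0)
            self.bindings[client] = addr
        else:
            return None                    # this server's share of the pool is exhausted
        self.log += [f"DHCPDISCOVER from {client}", f"DHCPOFFER {addr}",
                     f"DHCPREQUEST {addr}", f"DHCPACK {addr}"]
        if self.state is State.NORMAL and self.peer is not None:
            self.peer.bindings[client] = addr          # step 5: DHCPBNDUPD to the partner
            self.log += ["DHCPBNDUPD", "DHCPBNDACK"]   # step 6: partner acknowledges
        return addr

    def poll_failed(self) -> State:
        """The partner stopped answering DHCPPOLL: enter COMMUNICATIONS-INTERRUPTED,
        where a backup starts serving new clients from its own (backup) pool."""
        self.state = State.COMMUNICATIONS_INTERRUPTED
        return self.state


def build_pair() -> tuple[FailoverServer, FailoverServer]:
    """Main with 10.10.10.2-230 and backup with 10.10.10.231-254, as on the slides."""
    main = FailoverServer("main", range(2, 231))
    backup = FailoverServer("backup", range(231, 255))
    main.peer, backup.peer = backup, main
    return main, backup
```

Because the backup mirrored the binding in step 5, a client that comes back after the main fails keeps its address (a stated goal of the protocol), while a new client gets one from the backup pool.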

Failover Configurations
In previous versions of CNR there are three basic failover configurations:
Simple
Symmetric
Back Office
Symmetric and Back Office modes are difficult to configure and maintain
DHCP Load Balancing further reduces the desirability of symmetric or back office modes

Simple Failover Configuration

[Diagram: DHCP Server 1 is main for subnets 172.168.21.0/24, 172.168.22.0/24 and 172.168.23.0/24; DHCP Server 2 is backup for the same three subnets, which are reached across the corporate WAN.]

Key Points for Failover Configuration


Simple failover with DHCP load balancing is the recommended failover configuration
Simple Failover is the only failover configuration supported from the Regional Cluster

Viewing Available Clusters at the Regional Cluster
From the Web UI click Cluster then Cluster List to open the List Server Clusters page:

Configure Failover Pairs


Configuring Failover from the Web UI


From the Web UI click DHCP then Failover to open the List DHCP Failover Pairs page:

Configuring Failover from the Web UI (Cont.)


Advanced Settings for Failover


The following can only be configured from the Local Clusters, even if you use the Regional to create the Failover Pair:
Backup percentage
MCLT
Enable Safe Period
Safe Period Duration

Synchronizing the Failover Pairs


From the List DHCP Failover Pairs page click the Report icon to open the Report Synchronize Failover Pair page:

Synchronizing the Failover Pairs (Cont.)


Synchronizing the Failover Pairs (Cont.)


Restarting the Failover Pairs


Confirming Failover from Web UI


Confirming Failover from Web UI (Cont.)


Exercise: Configuring Failover From the Regional Cluster

Exercise -


Review and Q&A


Review and Q&A


Managing Administrators, Groups and Roles


Managing Administrators/Groups/Roles Objectives
Identify administrative roles in CNR
Describe access controls for the web User Interface (UI) and command-line interface (CLI)
Configure administrative users and assign roles
Create constrained administrative roles

Administrators, Groups and Roles


Key Terms
Administrator - A login account that performs functions based on assigned roles.
Group - A grouping of roles.
A group must be assigned at least one role to be usable.
Role - Defines the network objects that an administrator can manage and the functions that an administrator can perform.

Constraints
Constraints are used to limit the functionality of a role.
Examples include:
Limiting a host role to managing the hosts on a single subnet or a single zone
Read-only access to information

Administrators
The types of functions that network administrators can perform in Network Registrar are based on the roles that they are assigned.
The Web UI administrators can define these roles, which lends granularity to the network administration functions.

CNR Groups
Grouping of roles.
An administrator must be associated with one or more groups.
A group must be assigned to one or more roles.
CNR's predefined groups map each role to a unique group.

CNR Roles
Defines the network objects that an administrator can manage.
Defines the functions that an administrator can perform.
Predefined roles are created at installation.
Additional roles can be defined.
Some roles include sub-roles that provide further functional constraints.
Roles typically are limited to read and/or write access.

Superuser vs. Specialized Administrators


Superuser:
Unrestricted access to all features
Uses default login admin
Should be restricted to very few individuals
Specialized Administrators:
Created to fulfill specialized functions (e.g., DHCP scopes)
Must be assigned to an administrator group that defines roles
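The administrator / group / role / constraint model of the preceding slides as an authorization check, added here as an example and not CNR's own access-control code: the Role, Group and Administrator classes, the role names and the sample accounts are constructed, and the rules encoded are the ones stated on the slides (a group needs at least one role, a role is read or read/write, a constraint limits a host role to one zone or subnet, the superuser bypasses all of it).

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Role:
    name: str
    object_type: str                  # e.g. "zone", "scope", "host"
    write: bool = False               # False: read-only role
    constraint: str | None = None     # a zone name or IPv4 subnet; None = unconstrained


@dataclass
class Group:
    name: str
    roles: list

    def __post_init__(self):
        if not self.roles:
            raise ValueError(f"group {self.name!r} must be assigned at least one role")


@dataclass
class Administrator:
    login: str
    groups: list = field(default_factory=list)
    superuser: bool = False


def in_scope(constraint: str | None, obj: str) -> bool:
    """True if `obj` (a name or an IPv4 address) falls under the constraint."""
    if constraint is None:
        return True
    if "/" in constraint:                              # subnet constraint
        try:
            return ipaddress.ip_address(obj) in ipaddress.ip_network(constraint)
        except ValueError:
            return False                               # obj is not an address
    return obj == constraint or obj.endswith("." + constraint)   # zone constraint


def authorize(admin: Administrator, action: str, object_type: str, obj: str) -> bool:
    """action is 'read' or 'write'. Superusers pass; anyone else needs a role,
    reachable through one of their groups, that matches the object type,
    permits the action, and whose constraint covers the object."""
    if action not in ("read", "write"):
        raise ValueError(action)
    if admin.superuser:
        return True
    for group in admin.groups:
        for role in group.roles:
            if role.object_type != object_type:
                continue
            if action == "write" and not role.write:
                continue
            if in_scope(role.constraint, obj):
                return True
    return False


# Constructed sample accounts; the zone name is the one used on the DNS slides.
ZONE_RW = Role("zone-admin", "zone", write=True)
HOST_RO_ZONE = Role("host-reader", "host", write=False, constraint="example.co.abc.net.")
HOST_RW_SUBNET = Role("host-subnet", "host", write=True, constraint="10.1.1.0/24")
ALICE = Administrator("alice", [Group("dns-admin-group", [ZONE_RW])])
BOB = Administrator("bob", [Group("helpdesk", [HOST_RO_ZONE, HOST_RW_SUBNET])])
ROOT = Administrator("admin", superuser=True)
```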

Owners and Regions


Owners and Regions


Owners represent a person or an organization
Associated with address blocks, subnets and zones
Regions represent a logical (typically geographical) service area
Also associated with address blocks, subnets and zones.
Creating an owner involves defining a:
Tag name
Full name
Contact Name

How are they Used?


Delegation of address space management via Owner Tags.
Delegation of geographical locations via Region Tags.
Simplifies identification of subnets and geographical locations.
Required for report generation.

Configuring Administrators, Groups and Roles

Owners
Create owners to associate with:
Address blocks
Subnets
Zones

You can list and add owners on a single page.


Owners (Cont.)
From the Web UI click Administration and then Owners to open the List/Add Owners page:

Regions
Create regions to associate with:
Address blocks
Subnets
Zones

Regions (Cont.)
From the Web UI click Administration and then Regions to open the List/Add Regions page:

Roles
From the Web UI click Administration and then Roles to open the List/Add Roles page:

Groups
From the Web UI click Administration and then Groups to open the List/Add Groups page:

Administrators
Determine:
If the administrator should have full or limited access to the CLI.
If the administrator should have superuser privileges.
Usually assigned on an extremely limited basis.
The group or groups to which the administrator should belong.
These groups should have the appropriate role (and possibly subrole) assignments, thereby setting the proper constraints.

Administrators (Cont.)
From the Web UI click Administration and then Administrators to open the List/Add Administrators page:

Managing Local Cluster Administrators


Managing Local Cluster Administrators from the Web UI
To simplify management, the Regional Cluster is used to control:
Administrators
Groups
Roles
on any number of Local Clusters

Managing Administrators from the Regional Cluster
Regional Administrator can create Administrators with local and/or regional roles
For existing administrators, groups and roles can be pulled from an existing local cluster and replicated across new clusters
New administrators, groups, and roles can be created at the Regional Cluster and pushed to local clusters

Create an Administrator


Pushing Administrators to Local Clusters


Pushing Administrators to Local Clusters


Pushing Administrators to Local Clusters


Pulling Administrators from the Replica Database

Administrative Change Logs


Administrative Change Log


From the Web UI, you can view the change logs and tasks associated with configurations you make.
To view the change log and tasks, you must be assigned the database subrole of the ccm-admin or regional-admin role.

Administrative Change Log (Cont.)


From the Web UI click Administration and then Change Log to open the View Change Log page:

Administrative Change Log


Exercise: Configuring Administrators


Exercise: Configuring Administrators

Review and Q&A


Review and Q&A


CNR Server and Database Maintenance


Section Objectives
Identify and configure mechanisms through which CNR system status can be reported
Identify and configure the methods through which CNR can report problems with system operations
Explain the purpose and use of the CNR TAC Tool
Explain the process by which the CNR database(s) can be backed up and restored

Monitoring CNR Server Status


CNR Server Status


Monitoring the status of a server involves checking its:
State
Health
Statistics
Log messages
Address usage
Related servers (DNS and DHCP)
Leases (DHCP)


Server States
Loaded - First step after the server agent starts the server (transitional).
Initialized - Server was stopped or fails to configure.
Unconfigured - Server is not operational because of a configuration failure (transitional).
Stopped - Server was administratively stopped and is not running (transitional).
Running - Server is running successfully.

Server Status


Server Logs


Server Health/Status from CLI


Server status: cnr_status command
Server health (and stats): nrcmd command
- Health: [server] type getHealth
- Stats: [server] type getStats


Monitoring CNR Server Statistics


Local Server Statistics


Local Server Statistics


Using SNMP to Monitor CNR


Simple Network Management Protocol (SNMP) Background
IETF standards-based (RFCs)
Protocol to address the problem of communication between different types of networks.
SNMP managers use MIBs to understand information collected from agents in the network

CNR Management Information Base (MIB)


CNR has a specific MIB:
CISCO-NETWORK-REGISTRAR-MIB
CNR also requires other MIBs to be compiled on the SNMP management station to operate correctly

SNMP Traps in CNR


Monitor DNS and DHCP servers.
Sends warnings for:
Error conditions
Threshold points
Impending limits
Notification is transmitted to all recipients.
All traps are enabled by default.
No traps are sent until recipients are added.

SNMP Trap Recipients


From the Web UI click Servers and Manage Servers to open the Manage Servers page, then select the SNMP Server link:

SNMP Trap Recipients (Cont.)


Click List Trap Recipients to open the List/Add Trap Recipients page:

SNMP Trap Recipients (Cont.)


Enter the Name and IP Address of the trap recipient and click Add Trap Recipient:

DHCP-Specific Traps
Click Add Trap Configuration to open the Add Trap Configuration page:

SNMP Trap Configuration


On this screen, we change the low-threshold setting to 12% and the high-threshold setting to 20% and click Add Trap Configuration:
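How a low/high threshold pair like the 12% / 20% setting above behaves, as an added example that is not CNR's trap code: the monitor class, the "low"/"high" event labels and the sample series of scope counts are constructed, and the assumed semantics are that a low event fires when free addresses fall below the low threshold and a high (recovery) event only once they climb back to the high threshold.

```python
from __future__ import annotations


class FreeAddressMonitor:
    """Emit 'low' when the free-address percentage drops below low_pct, and
    'high' only once it climbs back to high_pct. The gap between the two
    thresholds stops a scope hovering near the limit from sending a
    notification on every sample."""

    def __init__(self, low_pct: float = 12.0, high_pct: float = 20.0):
        if not 0 <= low_pct < high_pct <= 100:
            raise ValueError("need 0 <= low threshold < high threshold <= 100")
        self.low_pct = low_pct
        self.high_pct = high_pct
        self.low_outstanding = False    # a 'low' was sent and not yet cleared

    @staticmethod
    def free_percent(total: int, leased: int) -> float:
        """Percentage of a scope's addresses that are still free."""
        if total <= 0 or leased < 0 or leased > total:
            raise ValueError("leased must be within 0..total and total > 0")
        return 100.0 * (total - leased) / total

    def observe(self, total: int, leased: int) -> str | None:
        """Feed one sample (addresses in scope, addresses leased) and return
        'low', 'high', or None when no notification should be sent."""
        pct = self.free_percent(total, leased)
        if not self.low_outstanding and pct < self.low_pct:
            self.low_outstanding = True
            return "low"
        if self.low_outstanding and pct >= self.high_pct:
            self.low_outstanding = False
            return "high"
        return None


def run(samples: list, low_pct: float = 12.0, high_pct: float = 20.0) -> list:
    """Apply one monitor to a series of (total, leased) samples."""
    mon = FreeAddressMonitor(low_pct, high_pct)
    return [mon.observe(total, leased) for total, leased in samples]


# Constructed series for a 254-address scope: free count goes 60, 40, 28, 30, 45, 55
SAMPLES = [(254, 194), (254, 214), (254, 226), (254, 224), (254, 209), (254, 199)]
```

With the 12/20 setting, only the third sample (28 free, 11.0%) raises the low event, the bounce to 30 free is silent, and the high event is not sent until the sixth sample (55 free, 21.7%).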

CNR Database Maintenance


CNR Database Structure

CNR uses three distinct databases, located in the data directory:
MCD database (data/db)
CNRDB databases (...data/dhcp/ndb, ...data/dns/ndb, ...data/dns/zchk, data/mcd/ndb, ...data/cnrsnmp/ndb, ...data/leasehist, ...data/subnetutil, and ...data/replica)
CCM database (data/mcd/ndb and data/ccm/ndb)

CNR Database Backups

Backups are performed using specific tools provided with CNR (i.e. mcdshadow) for both Local and Regional clusters.
Daily backups are automatically performed as part of standard installation.
Manual backups can also be performed using mcdshadow from the command line.
Avoid using third-party backups on open database files.

Daily Backups: CNR Local

Daily Backups: CNR Regional

Manual Backups

Use the mcdshadow command to manually initiate a backup whenever necessary on any/all cluster(s)
Note that this will overwrite previous backup versions unless they are renamed.

Database Recovery

Databases are restored individually, not as a group (unlike backups)
There are eight separate databases between CNR Local and CNR Regional.
First attempt to restore the integrity of the existing database before restoring from backup

Database Recovery

Each data recovery option (repair or restoration) follows the same general approach:
1. Stop the CNR server agent.
2. Restore or repair the data.
3. Restart the server agent.
4. Monitor the server for errors.

How to Start and Stop the Servers


To start or stop the CNR server, use:
Solaris:
# /etc/init.d/nwreglocal [start | stop]
Windows (in the Start/Run window):
net start/stop nwreglocal/nwregregion

MCD Database Recovery

The operational database that the mcdshadow utility uses is in .../data/db (the shadow copy is in /data/db.bak)
Use the dbcheck utility to verify MCD database integrity
Use the keybuild utility to repair the database where data is still intact.
Restore files by copying from the .bak locations, then running keybuild and dbcheck.
Always rebuild the CCM database in parallel with MCD, as the data needs to stay in sync

MCD Data Files

mcddb.dbd

mcddb.k01-k03

mcddb.d01-d03

mcdConfig.txt

mcdschema.txt

vista.taf, tcf, tjf


CNRDB Database Files

On all CNR Clusters:
CCM database
On CNR Regional Clusters:
Lease History, Subnet Utilization & Replica databases
On CNR Local Clusters:
DNS, DHCP & SNMP databases (plus MCD, which is NOT the same as the db database!)

CNRDB Database Recovery

Use cnrdb_recover to repair existing database files (use the -v option!)
Use the cnrdb_verify verification utility to confirm the integrity of database files
Use the cnrdb_archive tool from the recovery directory to list all log files (-l option)
Always rebuild the CCM database in parallel with MCD, as the data needs to stay in sync
DO NOT MIX recovered files with files from other sources (e.g., operational or shadow backups!)

Rebuilding CNR Local Cluster

Replica data can be used to rebuild a CNR Local Cluster from scratch:
Give the new server the same IP/hostname as the cluster to be restored
Install CNR Local and apply the license key info
Restore config file data (from backups or manually)
Push replicated data down to the new cluster
The advantage is in being able to replace faulty server hardware, etc. in a failover environment.

Rebuilding CNR Local Cluster


Rebuilding CNR Local Cluster


Using the TAC Tool with CNR


CNR TAC Tool


Used to assemble troubleshooting information to send to the Cisco Technical Assistance Center (TAC)
Run from the bin directory in Windows, or the usrbin directory (UNIX/Linux):
> cnr_tactool -N username -P password [-d output-directory]
Output is a packaged tar file ready to send to Cisco, e.g.: '/var/tmp/cnr_tac-1-30-2006-01.tar'

Exercise


Exercise -


Review and Q&A


Review and Q&A


Introduction to DHCPv6


Section Objectives
Identify and understand key IPv6 terms
Understand the concepts of IPv6 addressing
Understand the operation of the DHCPv6 protocol
Identify the changes in CNR's policy hierarchy for DHCPv6
Configure DHCPv6 operations in CNR

Introduction to IPv6


IPv6 Address Notation


IPv6 addresses are 128 bits long and written as a set of hexadecimal values separated by colons (:)
Ex:
FEDC:BA98:7654:3210:FEDC:BA98:7654:3210
Mixed IPv4 and IPv6 addressing is more conveniently represented as:
0:0:0:0:0:FFFF:129.144.52.38
Writing IPv6 addresses with prefixes uses a notation similar to IPv4 address blocks:
12AB:0:0:CD30::/60
FEDC:BA98:7654:3210:FEDC:BA98:7654:3210/128

IPv6 Address Types


Types are identified by the high-order bits of the address as follows:
Type                 Prefix
Unspecified          ::/128
Loopback             ::1/128
Multicast            FF00::/8
Link-Local unicast   FE80::/10
Site-Local unicast   FEC0::/10
Global unicast       (everything else)

IPv6 Interface Addresses


IPv6 unicast addresses are used to identify interfaces on a link:
They must be unique within a subnet prefix.
They must also be unique over a broader scope.
In some instances an interface's identifier is derived directly from that interface's link-layer address.
The same interface identifier may be used on multiple interfaces on a single node:
As long as they are attached to different subnets.

Methods of Assigning IPv6 Addresses


[Diagram: methods of assigning IPv6 addresses. Stateless: the host sends a Router Solicitation, receives a Router Advertisement from the router, and creates an IPv6 address from the advertised prefix and its interface ID. Stateful: the host sends a Solicit to a DHCP server and receives an assigned address.]

Introduction to DHCPv6


Key Terms for DHCPv6


Link - A communication facility or medium over which nodes can communicate at the link layer
Prefix - The initial bits of an address, or a set of IP addresses that share the same initial bits
DHCP domain - A set of links managed by DHCP and operated by a single administrative entity.
DUID - A DHCP Unique IDentifier for a DHCP participant; each DHCP client and server has exactly one DUID and it is unique to the node
Identity association (IA) - A collection of addresses assigned to a client.

Key Terms for DHCPv6 (Cont.)


Identity association identifier (IAID) - An identifier for an IA; chosen by the client.
Identity association for non-temporary addresses (IA_NA) - An IA that carries assigned addresses that are not temporary addresses.
Identity association for temporary addresses (IA_TA) - An IA that carries temporary addresses.

DHCPv6 Communications
Clients listen for DHCP messages on UDP port 546.
Servers and relay agents listen for DHCP messages
on UDP port 547.


DHCPv6 Message Types


SOLICIT - Sent by a client to locate servers.
ADVERTISE - Sent by a server to indicate that it is available for DHCP service.
REQUEST - Sent by a client to request configuration parameters, including IP addresses, from a specific server.
REPLY - Sent by a server with assigned addresses and configuration parameters in response to a Solicit, Request, Renew, or Rebind message received from a client.


How Does a Client Acquire a Lease Using DHCPv6?

[Figure: message exchange between the Client and the DHCP Servers, numbered 1 to 4.]
1 SOLICIT (client to servers)
2 ADVERTISE (servers to client)
3 REQUEST (client to the chosen server)
4 REPLY (server to client)
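The four-step exchange above, built and parsed on the RFC 3315 wire format, as an added example (this is not CNR code, nor code from the course). It uses the message types and option codes from the slides (SOLICIT/ADVERTISE/REQUEST/REPLY, Client and Server Identifier carrying a DUID, IA_NA with an IAID chosen by the client, IA Address with preferred and valid lifetimes). The MAC addresses, transaction id and the 2001:db8: address are constructed sample values; the check that a REQUEST names this server's DUID before a REPLY is issued is the point a server implementer cares about.

```python
"""DHCPv6 four-message exchange (SOLICIT, ADVERTISE, REQUEST, REPLY) on the
RFC 3315 wire format.  Added example; not CNR code.  MAC addresses, the
transaction id and the 2001:db8: address are constructed sample values."""
import struct
import ipaddress

# Message types and option codes from RFC 3315; UDP ports from the slides.
SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_IAADDR = 1, 2, 3, 5
CLIENT_PORT, SERVER_PORT = 546, 547


def duid_ll(mac: bytes) -> bytes:
    """DUID-LL: DUID type 3, hardware type 1 (Ethernet), then the link-layer address."""
    return struct.pack("!HH", 3, 1) + mac


def option(code: int, data: bytes) -> bytes:
    """Generic option TLV: 2-byte code, 2-byte length, payload."""
    return struct.pack("!HH", code, len(data)) + data


def ia_na(iaid: int, t1: int, t2: int, sub: bytes = b"") -> bytes:
    """IA_NA option: IAID (chosen by the client), T1, T2, then IA sub-options."""
    return option(OPT_IA_NA, struct.pack("!III", iaid, t1, t2) + sub)


def iaaddr(addr: str, preferred: int, valid: int) -> bytes:
    """IA Address sub-option: 16-byte address, preferred and valid lifetimes."""
    return option(OPT_IAADDR, ipaddress.IPv6Address(addr).packed + struct.pack("!II", preferred, valid))


def message(msg_type: int, xid: int, options: bytes) -> bytes:
    """Header is a 1-byte msg-type followed by a 3-byte transaction id."""
    return struct.pack("!I", (msg_type << 24) | (xid & 0xFFFFFF)) + options


def parse_options(buf: bytes) -> list:
    """Split a byte string into (code, payload) pairs; reject truncated options."""
    opts, i = [], 0
    while i + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, i)
        i += 4
        if i + length > len(buf):
            raise ValueError("truncated option %d" % code)
        opts.append((code, buf[i:i + length]))
        i += length
    return opts


def parse_message(buf: bytes) -> dict:
    """Decode the header, Client/Server Identifier and the first IA_NA with its addresses."""
    if len(buf) < 4:
        raise ValueError("short DHCPv6 message")
    head, = struct.unpack_from("!I", buf, 0)
    msg = {"type": head >> 24, "xid": head & 0xFFFFFF,
           "client_id": None, "server_id": None, "iaid": None, "addresses": []}
    for code, data in parse_options(buf[4:]):
        if code == OPT_CLIENTID:
            msg["client_id"] = data
        elif code == OPT_SERVERID:
            msg["server_id"] = data
        elif code == OPT_IA_NA:
            msg["iaid"] = struct.unpack_from("!I", data, 0)[0]
            for sub_code, sub in parse_options(data[12:]):   # skip IAID, T1, T2
                if sub_code == OPT_IAADDR:
                    pref, valid = struct.unpack_from("!II", sub, 16)
                    msg["addresses"].append((str(ipaddress.IPv6Address(sub[:16])), pref, valid))
    return msg


def server_answer(msg_type: int, req: dict, server_duid: bytes,
                  addr: str, preferred: int, valid: int) -> bytes:
    """ADVERTISE or REPLY: echo the client's xid and Client Identifier, add our Server Identifier."""
    opts = (option(OPT_CLIENTID, req["client_id"]) + option(OPT_SERVERID, server_duid)
            + ia_na(req["iaid"], preferred // 2, preferred * 4 // 5, iaaddr(addr, preferred, valid)))
    return message(msg_type, req["xid"], opts)


def run_exchange(client_mac=b"\x00\x11\x22\x33\x44\x55", server_mac=b"\x00\xaa\xbb\xcc\xdd\xee",
                 addr="2001:db8:1::1234", xid=0xABCDEF, iaid=1):
    """Steps 1-4 from the slide; returns the message types seen and the parsed REPLY."""
    client_duid, server_duid = duid_ll(client_mac), duid_ll(server_mac)
    # 1. SOLICIT: the client identifies itself and asks for one IA_NA
    sol = parse_message(message(SOLICIT, xid, option(OPT_CLIENTID, client_duid) + ia_na(iaid, 0, 0)))
    # 2. ADVERTISE: the server offers an address
    adv = parse_message(server_answer(ADVERTISE, sol, server_duid, addr, 3600, 7200))
    # 3. REQUEST: the client picks a server by echoing its Server Identifier
    req = parse_message(message(REQUEST, xid, option(OPT_CLIENTID, client_duid)
                                + option(OPT_SERVERID, adv["server_id"]) + ia_na(iaid, 0, 0)))
    # A server must not answer a REQUEST addressed to a different server or transaction
    if req["server_id"] != server_duid or req["xid"] != xid:
        raise ValueError("REQUEST is not for this server / transaction")
    # 4. REPLY: the lease is assigned
    rep = parse_message(server_answer(REPLY, req, server_duid, addr, 3600, 7200))
    return [sol["type"], adv["type"], req["type"], rep["type"]], rep


if __name__ == "__main__":
    types, reply = run_exchange()
    print(types, reply["addresses"])
```

`run_exchange()` keeps both sides in one process so the bytes can be inspected; on a real network the client sends from UDP port 546 to the All_DHCP_Relay_Agents_and_Servers multicast group on port 547, and the same DUID is what the server later matches against the lease it recorded.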


DHCPv6 Clients and Leases


The DHCPv6 server supports clients and leases similar to those for DHCPv4.
Leases can be for:
Nontemporary addresses
Temporary addresses
Delegated prefixes
Each lease carries a preferred lifetime and a valid lifetime.


DHCPv6 Lease Life Cycle

[Figure: lease state diagram with numbered transitions. States: AVAILABLE, OFFERED, LEASED, EXPIRED, RELEASED, DELETED. Transition labels: Solicit, Advertise, Offer - Timeout, Request, Reply, Renew, Rebind, Release, Lease Expires, Grace Period Expires, Affinity Period Expires.]


Prefix Delegation
Prefix Delegation - Allows a router to request a prefix (/48 - /64) to be assigned to its interface so that it can assign addresses independently of the DHCPv6 server.
Prefix delegation is specified in RFC 3633, RFC 2640, and RFC 3769.


Configuring CNR's DHCPv6


CNR's DHCPv6 Support

Stateless Auto-configuration (RFC 3736): the DHCPv6 server does not assign addresses; instead it provides configuration parameters to clients (for example, DNS server data).
Stateful Auto-configuration (RFC 3315): the DHCPv6 server assigns non-temporary or temporary addresses and provides configuration parameters to clients.
Prefix Delegation (RFC 3633): the DHCPv6 server delegates prefixes to clients (routers).


Limitations of CNR's DHCPv6 Implementation


Supported:

Not Supported

LDAP with DHCPv6 enabled

DHCP Extensions
DNS Updates


Link and Prefix Selection in CNR


1. Finds the source address.
2. Locates the prefix for the source address.
3. Locates the link for the prefix.


Why Create a Link in CNR?


If more than one prefix object with a different IPv6 prefix exists on a link.
When the server loads the configuration, if a prefix has no explicit link, the server searches for or creates an implicit link with the name Link-[vpn.name/]prefix.
All prefix objects with the same IPv6 prefix must either not specify a link or explicitly specify the same link.
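The three selection steps (source address, then prefix, then link) and the two configuration rules on this slide, as an added example that models CNR's prefix and link objects only as far as the slides describe them (this is not CNR code). Prefix names, addresses, the link name "lab" and the VPN name "blue" are constructed; longest-prefix match is an assumption about how overlapping prefixes are resolved.

```python
"""Link and prefix selection for an incoming DHCPv6 packet: find the source
address, find the prefix containing it, find that prefix's link.  Added
example, not CNR code; prefix names, addresses, link and VPN names below are
constructed."""
import ipaddress
from typing import List, Optional, Tuple


class Prefix:
    def __init__(self, name: str, address: str, link: Optional[str] = None, vpn: Optional[str] = None):
        self.name = name
        self.network = ipaddress.IPv6Network(address, strict=False)
        self.link = link      # explicit link name, or None for an implicit link
        self.vpn = vpn        # VPN name if the prefix lives in a VPN, else None

    def link_name(self) -> str:
        """Explicit link if configured, else the implicit name Link-[vpn.name/]prefix."""
        if self.link:
            return self.link
        return "Link-%s%s" % (self.vpn + "/" if self.vpn else "", self.network)


def conflicts(prefixes: List[Prefix]) -> List[str]:
    """Prefix objects with the same IPv6 prefix must all omit the link or all name
    the same link; return the prefixes that break that rule."""
    links_by_prefix = {}
    for p in prefixes:
        links_by_prefix.setdefault((p.vpn, p.network), set()).add(p.link)
    return sorted(str(net) for (vpn, net), links in links_by_prefix.items() if len(links) > 1)


def validate(prefixes: List[Prefix]) -> None:
    bad = conflicts(prefixes)
    if bad:
        raise ValueError("conflicting link settings on prefixes: %s" % ", ".join(bad))


def select(prefixes: List[Prefix], source: str) -> Optional[Tuple[str, str]]:
    """Return (prefix name, link name) for the most specific prefix containing the
    source address, or None when no configured prefix matches (assumption:
    longest match decides between overlapping prefixes)."""
    src = ipaddress.IPv6Address(source)
    matches = [p for p in prefixes if src in p.network]
    if not matches:
        return None
    best = max(matches, key=lambda p: p.network.prefixlen)
    return best.name, best.link_name()


# Constructed configuration: two different prefixes share the explicit link "lab"
# (the case the slide gives for creating a link); the others get implicit links,
# and a /32 catch-all shows that the more specific /64s win.
CONFIG = [
    Prefix("site-wide", "2001:db8::/32", link="site"),
    Prefix("lab-a", "2001:db8:1::/64", link="lab"),
    Prefix("lab-b", "2001:db8:2::/64", link="lab"),
    Prefix("guest", "2001:db8:ffff::/64"),
    Prefix("vpn-blue", "2001:db8:b::/64", vpn="blue"),
]

if __name__ == "__main__":
    validate(CONFIG)
    for src in ("2001:db8:2::abcd", "2001:db8:ffff::1", "2001:db8:b::7", "2001:db8:9::1", "2001:db9::1"):
        print(src, "->", select(CONFIG, src))
```

`validate()` is what the load-time check on the slide would do: a second prefix object for 2001:db8:1::/64 with no link, next to "lab-a" which names "lab", is rejected rather than silently producing two links for one prefix.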


Host Address Selection


IPv6 addresses are 128-bit addresses.
Typically, DHCPv6 servers assign at least 64 bits; consequently, addresses are generated using the client's 64-bit interface identifier (when possible) or through a random number generator.
Using the interface identifier emulates how stateless autoconfiguration assigns addresses to the client, but:
It carries the same privacy concerns as autoconfiguration.
It will not work if the client requests multiple addresses on the same prefix.
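The two generation methods from this slide, as an added example (not CNR code): the interface identifier is derived from the client's MAC in the modified EUI-64 form that stateless autoconfiguration uses (RFC 4291), and the selector falls back to a random 64-bit identifier when the client asks for a second address on the same prefix or when the caller opts out of embedding the MAC for privacy. The MAC, the 2001:db8: prefix and the `rng` injection point are constructed for the example.

```python
"""Host address selection: a 128-bit address from a /64 (or shorter) prefix
plus a 64-bit interface identifier, EUI-64 style when possible and random
otherwise.  Added example, not CNR code; MAC and prefix are constructed."""
import os
import ipaddress
from typing import Callable


def interface_id_from_mac(mac: bytes) -> int:
    """Modified EUI-64 (RFC 4291): flip the U/L bit of the first octet, insert ff:fe."""
    if len(mac) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:6]
    return int.from_bytes(eui, "big")


def address_from_prefix(net: ipaddress.IPv6Network, iid: int) -> str:
    """Place the 64-bit interface identifier in the low half of the prefix."""
    if net.prefixlen > 64:
        raise ValueError("prefix longer than /64 leaves no room for a 64-bit interface id")
    return str(ipaddress.IPv6Address(int(net.network_address) | (iid & ((1 << 64) - 1))))


class AddressSelector:
    """Hands out unique addresses on one prefix.  `rng` is injectable so the
    random path can be exercised deterministically (constructed for the example)."""

    def __init__(self, prefix: str, rng: Callable[[int], bytes] = os.urandom):
        self.net = ipaddress.IPv6Network(prefix, strict=False)
        self.rng = rng
        self.assigned = set()

    def allocate(self, mac: bytes, use_interface_id: bool = True) -> str:
        """use_interface_id=False avoids embedding the MAC in the address (privacy)."""
        if use_interface_id:
            cand = address_from_prefix(self.net, interface_id_from_mac(mac))
            if cand not in self.assigned:
                self.assigned.add(cand)
                return cand
            # The same client asking for another address on the same prefix (or a
            # collision): the interface-id method cannot produce a second address,
            # so fall through to the random generator.
        for _ in range(64):
            iid = int.from_bytes(self.rng(8), "big")
            if iid == 0:
                continue  # never hand out the subnet-router anycast identifier
            cand = address_from_prefix(self.net, iid)
            if cand not in self.assigned:
                self.assigned.add(cand)
                return cand
        raise RuntimeError("no free address found in %s after 64 tries" % self.net)


def in_prefix(addr: str, prefix: str) -> bool:
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(prefix, strict=False)


if __name__ == "__main__":
    sel = AddressSelector("2001:db8:1::/64")
    mac = b"\x00\x11\x22\x33\x44\x55"
    print(sel.allocate(mac))          # EUI-64 derived: the MAC is visible in the address
    print(sel.allocate(mac))          # second address on the same prefix: random
    print(sel.allocate(mac, use_interface_id=False))
```

The first address returned for a MAC reveals that MAC to anyone who sees the address, which is the privacy concern the slide refers to; the random path is what an operator picks when that matters more than the one-to-one mapping to the client's autoconfigured address.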


DHCPv6 Policy Hierarchy


1. Client embedded policy
2. Client named policy
3. Client-class embedded policy
4. Client-class named policy
5. Prefix embedded policy
6. Prefix named policy
7. Link embedded policy
8. Link named policy
9. system_default_policy
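Walking the nine-level hierarchy above to find the value of one option, as an added example (not CNR code): each scope (client, client-class, prefix, link) may carry an embedded policy and may name a policy; they are consulted in the slide's order and the first policy that defines the option wins, with system_default_policy last. The policy names, option names and values are constructed, and the label on an embedded policy is only there to show which level answered (CNR embedded policies have no name of their own).

```python
"""DHCPv6 option resolution through the policy hierarchy on the slide.
Added example, not CNR code; policy names, option names and values are
constructed."""
from typing import Dict, List, Optional, Tuple


class Policy:
    def __init__(self, name: str, **options):
        self.name = name          # for embedded policies: a trace label only
        self.options = options


class Scope:
    """A client, client-class, prefix or link.  Each may carry an embedded
    policy and/or name a policy; either may be absent."""

    def __init__(self, kind: str, embedded: Optional[Policy] = None, named: Optional[str] = None):
        self.kind = kind
        self.embedded = embedded
        self.named = named


def policy_chain(scopes: List[Optional[Scope]], named: Dict[str, Policy]) -> List[Policy]:
    """Evaluation order: for each scope (client, client-class, prefix, link, in
    that order; None = not configured) the embedded policy, then the named
    policy; system_default_policy closes the chain."""
    chain = []
    for scope in scopes:
        if scope is None:
            continue
        if scope.embedded is not None:
            chain.append(scope.embedded)
        if scope.named is not None:
            if scope.named not in named:
                raise KeyError("%s names unknown policy %r" % (scope.kind, scope.named))
            chain.append(named[scope.named])
    chain.append(named["system_default_policy"])
    return chain


def resolve(option: str, scopes: List[Optional[Scope]], named: Dict[str, Policy]) -> Tuple[object, Optional[str]]:
    """Value of `option` and the policy that supplied it; (None, None) if no policy sets it."""
    for pol in policy_chain(scopes, named):
        if option in pol.options:
            return pol.options[option], pol.name
    return None, None


# Constructed policies and scopes.
NAMED = {
    "system_default_policy": Policy("system_default_policy", dns_servers=["2001:db8::53"],
                                    preferred_lifetime=604800, valid_lifetime=1209600),
    "lab-prefix-policy": Policy("lab-prefix-policy", dns_servers=["2001:db8:1::53"]),
    "short-leases": Policy("short-leases", preferred_lifetime=3600, valid_lifetime=7200),
}
CLIENT = Scope("client", embedded=Policy("client-embedded", preferred_lifetime=600))
CLIENT_CLASS = Scope("client-class", named="short-leases")
PREFIX = Scope("prefix", named="lab-prefix-policy")
LINK = Scope("link")                      # no policies at the link level
SCOPES = [CLIENT, CLIENT_CLASS, PREFIX, LINK]

if __name__ == "__main__":
    for opt in ("preferred_lifetime", "valid_lifetime", "dns_servers", "sip_servers"):
        print(opt, "->", resolve(opt, SCOPES, NAMED))
```

`policy_chain()` is the list to look at when a client gets an unexpected option value: the answer is always the first entry in that list that defines the option, so a surprise usually means a higher-precedence embedded policy nobody remembered setting.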

Configuring DHCPv6 Policies in the Web UI


From the Web UI, click DHCP, then Policies, to open the List Policies page.


Configuring DHCPv6 Policies in the Web UI (Cont.)


From the Add DHCP Policy page, click to expand and see the DHCPv6 options.


Configuring DHCPv6 Policies in the Web UI (Cont.)


From the List DHCP Policies page, click the policy that you just added to open the Edit DHCP Policy page.


Configuring DHCPv6 Policies in the Web UI (Cont.)


Create Link in the Web UI


From the Web UI, click DHCP, then Links, to open the List DHCPv6 Links page.


Create Link in the Web UI (Cont.)


Create Prefixes in the Web UI


From the Web UI, click DHCP, then Prefixes, to open the List DHCPv6 Prefixes page.


Create Prefixes in the Web UI (Cont.)


Create Prefixes in the Web UI (Cont.)


Create Prefixes in the Web UI (Cont.)


Configuring Client Classes from the Web UI


From the Web UI, click DHCP, then Client-Classes, to open the List DHCP Client-Class page.


Configuring Client Classes from the Web UI (Cont.)


Configuring Clients from the Web UI


From the Web UI, click DHCP, then Client, to open the List/Add DHCP Clients page.


Configuring Clients from the Web UI (Cont.)


Setting DHCPv6 and Vendor Options from the Web UI

From the Web UI, click DHCP, then DHCP Server, to open the Manage DHCP Server page.


Configuring DHCPv6 Server Attributes from the Web UI

Scroll to the bottom of the page and look for the DHCPv6 section.


Exercise
Configuring DHCPv6


Review and Q&A
