
IP ADDRESSING

SERVICES
DHCP
NAT
IPv6
DHCP
Dynamic Host Configuration Protocol
Automatic assignment of:
IP Address
Subnet mask
Default gateway
DNS servers
Administrators typically prefer that a network server offer DHCP
services, because these solutions are scalable and relatively
easy to manage.
However, in a small branch or SOHO location, a Cisco router
can be configured to provide DHCP services without the need for
an expensive dedicated server.

DHCP
DHCP works in a client/server mode and operates like
any other client/server relationship.
When a PC connects to a DHCP server, the server
assigns or leases an IP address to that PC.
The PC connects to the network with that leased IP
address until the lease expires.
The host must contact the DHCP server periodically to
extend the lease.
This lease mechanism ensures that hosts that move or
power off do not hold onto addresses that they do not
need.

DHCP SERVER ALLOCATION
First step: DHCPDISCOVER

Client broadcasts a DHCPDISCOVER message to find the DHCP
servers on the network.
Because the host has no valid IP information at boot-up, it
uses Layer 2 and Layer 3 broadcast addresses to reach the
server: destination MAC FF:FF:FF:FF:FF:FF and destination IP
255.255.255.255, with source IP 0.0.0.0.

DHCP SERVER ALLOCATION
Second step: DHCPOFFER

When the DHCP server receives a DHCPDISCOVER
message, it picks an available IP address to lease.
Then the server records a binding between the MAC address
of the requesting host and the leased IP address (the Cisco
text calls this an ARP entry).
Finally, it transmits the binding offer in a DHCPOFFER
message.
The DHCPOFFER message is normally sent as a Layer 2 unicast,
using the server's MAC address as the source address and the
client's MAC address as the destination; if the client set the
broadcast flag in its DHCPDISCOVER, the offer is broadcast instead.
Any host on the segment can answer a DHCPDISCOVER, because
nothing authenticates the offer. Switches counter rogue servers
with DHCP snooping, which forwards DHCPOFFER and DHCPACK
messages only from trusted ports.

DHCP SERVER ALLOCATION
Third step: DHCPREQUEST

When the client receives a DHCPOFFER from a server, it
sends back a DHCPREQUEST message.
This message has two purposes: lease origination, and
lease renewal and verification.
When used for lease origination, the DHCPREQUEST names the
offered address (option 50) and the server whose offer was
chosen (option 54) and asks that server to confirm that the
assignment is still valid before the client starts using it.
DHCP SERVER ALLOCATION
The DHCPREQUEST also serves as a binding
acceptance notice to the selected server and as an
implicit decline to any other servers that made the
host a binding offer.

Many enterprise networks use multiple DHCP servers.
The DHCPREQUEST message is therefore sent as a
broadcast, so that the selected server and every other
DHCP server learn which offer was accepted; the other
servers return their offered addresses to their pools.

DHCP SERVER ALLOCATION
Fourth step: DHCPACK

On receiving the DHCPREQUEST message, the server
verifies the lease information, records the lease for the
client, and replies with a DHCPACK message (unicast to the
client's MAC address, or broadcast if the client asked for it).

When the client receives the DHCPACK message, it stores
the configuration information and probes the assigned
address with ARP (an ARP request for the address, sent from
source IP 0.0.0.0). If it does not receive a reply, no other
host is using the address and the client starts using it as its
own. If it does receive a reply, the address is already in use:
the client sends a DHCPDECLINE and starts over with a new
DHCPDISCOVER.
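The four steps above, run end to end in a Python model that is an added example and not part of the original slides: a message builder and parser for the BOOTP header plus DHCP options, a minimal server that offers from a pool and honours the server-identifier in a broadcast REQUEST (releasing its offer when another server was chosen), and a client routine that performs DISCOVER/OFFER/REQUEST/ACK against several servers at once. The class and function names, the server addresses, the pool contents and the client MAC addresses are all assumptions for this example.

```python
import struct
import ipaddress

# In-process model of the four-step DHCP exchange (DISCOVER/OFFER/REQUEST/ACK).
# All names, addresses and pool contents below are assumptions for this example.
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
OPT_REQUESTED_IP, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 51, 53, 54, 255
BROADCAST_FLAG = 0x8000               # client asks for replies to be broadcast
HDR = "!BBBBIHH4s4s4s4s16s64s128s"    # BOOTP fixed header, 236 bytes


def build(op, xid, mac, msg_type, yiaddr="0.0.0.0", flags=0, options=()):
    """Encode a DHCP message: BOOTP header, magic cookie, TLV options, END."""
    zero4 = b"\0" * 4
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, flags,
                      zero4, ipaddress.IPv4Address(yiaddr).packed, zero4, zero4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in options:
        opts += bytes([code, len(value)]) + value
    return hdr + MAGIC_COOKIE + opts + bytes([OPT_END])


def parse(pkt):
    """Decode the header fields and options we need; reject non-DHCP payloads."""
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    f = struct.unpack(HDR, pkt[:236])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "flags": f[6],
            "yiaddr": str(ipaddress.IPv4Address(f[8])), "mac": f[11][:6], "options": opts}


class Server:
    """Minimal DHCP server: offers from a pool, honours the REQUEST's server-id."""

    def __init__(self, server_ip, pool):
        self.ip = ipaddress.IPv4Address(server_ip)
        self.free = [ipaddress.IPv4Address(a) for a in pool]
        self.offers, self.leases = {}, {}      # MAC -> IPv4Address

    def _reply(self, m, msg_type, yiaddr="0.0.0.0"):
        flags = m["flags"] & BROADCAST_FLAG     # broadcast the reply if the client asked
        return build(BOOTREPLY, m["xid"], m["mac"], msg_type, yiaddr, flags,
                     [(OPT_SERVER_ID, self.ip.packed), (OPT_LEASE, struct.pack("!I", 3600))])

    def handle(self, pkt):
        m = parse(pkt)
        kind = m["options"][OPT_MSG_TYPE][0]
        if kind == DISCOVER:
            if m["mac"] not in self.offers:
                if not self.free:
                    return None                 # pool exhausted: stay silent
                self.offers[m["mac"]] = self.free.pop(0)   # binding MAC -> offered IP
            return self._reply(m, OFFER, str(self.offers[m["mac"]]))
        if kind == REQUEST:
            if m["options"].get(OPT_SERVER_ID) != self.ip.packed:
                # Broadcast REQUEST names another server: implicit decline, release our offer.
                ip = self.offers.pop(m["mac"], None)
                if ip is not None:
                    self.free.append(ip)
                return None
            wanted = ipaddress.IPv4Address(m["options"].get(OPT_REQUESTED_IP, b"\0\0\0\0"))
            if self.offers.get(m["mac"]) != wanted:
                return self._reply(m, NAK)      # binding no longer valid
            self.leases[m["mac"]] = self.offers.pop(m["mac"])
            return self._reply(m, ACK, str(wanted))
        return None


def dora(client_mac, servers, xid=0x3903F326):
    """Client side: broadcast DISCOVER, take the first OFFER, broadcast REQUEST,
    return the address from the matching ACK (None if no lease was obtained)."""
    discover = build(BOOTREQUEST, xid, client_mac, DISCOVER, flags=BROADCAST_FLAG)
    offers = [parse(o) for s in servers for o in [s.handle(discover)] if o]
    if not offers:
        return None
    chosen = offers[0]
    request = build(BOOTREQUEST, xid, client_mac, REQUEST, options=[
        (OPT_SERVER_ID, chosen["options"][OPT_SERVER_ID]),
        (OPT_REQUESTED_IP, ipaddress.IPv4Address(chosen["yiaddr"]).packed)])
    replies = [parse(r) for s in servers for r in [s.handle(request)] if r]
    acks = [r for r in replies if r["xid"] == xid and r["options"][OPT_MSG_TYPE][0] == ACK]
    return acks[0]["yiaddr"] if acks else None
```

The broadcast REQUEST is handed to every server: the one named in option 54 answers with an ACK, the others silently put their offered address back into the pool, which is the "implicit decline" the slides describe. A server whose pool is empty never answers the DISCOVER, so the client falls through to whatever other server still has addresses.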



DHCP
DHCP RELAY AGENT

If the DHCP server is not located on the same subnet
(interface) as the client host, the router must relay the
client's broadcasts: configure the Cisco IOS ip helper-address
command with the server's address on the interface that
receives the broadcasts.

The router then forwards broadcast requests for DHCP (and a
few other UDP services) as unicasts to the configured address,
filling in the giaddr field with its own interface address so
the server knows which subnet to allocate from.



NAT






RFC 1918 reserves three address blocks for private, internal
network use only: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
Packets containing these addresses are not routed over
the Internet, so they are called non-routable addresses.

NAT
Therefore, networks need a mechanism at the edge of their
network to translate private addresses into public addresses,
and it has to work in both directions.

Network Address Translation (NAT) provides this
mechanism. Without NAT, a host with only a private address
cannot access the Internet.

NAT
NAT translates non-routable, private, internal addresses
into routable, public addresses.

NAT also hides internal IP addresses from outside networks,
which adds a degree of privacy. That is a side effect, not
access control: unsolicited inbound packets are dropped only
because no translation exists for them, internal addresses
still leak inside application payloads (FTP, SIP), and a
static mapping exposes the inside host completely. A firewall
policy is still needed.

The inside and outside of NAT
When discussing NAT in IOS, there is always an inside
interface and an outside interface.

We define these on the interface with the ip nat inside or
ip nat outside commands.

Generally speaking, the real IP addresses of devices on the
inside of the network are translated to mapped IP
addresses on the outside of the network.
The inside and outside of NAT
Inside Local
Device on the inside network as viewed by the inside
network. This is the actual real IP address assigned to the
device

Inside Global
Device on the inside network as viewed by the outside
network. This is the mapped IP address the device on the
inside is being NATed to on the outside of the network.

The inside and outside of NAT
Outside Local
Device on the outside network as viewed by the inside
network. This is often the real IP address of the device on
the outside Internet that the device on the inside is
communicating with
(public IP address of the web server, FTP server, anything
that we connect to outside the local network).

Outside Global
Device on the outside network as viewed by the outside
network. This is always the real IP address of the device
on the outside, and is usually the same as the outside
local address.
They differ only when the router also translates outside
addresses (ip nat outside source), for example to resolve
overlapping address space between two merged networks.

The inside and outside of NAT
Inside Local 10.10.10.100
Inside Global 12.3.4.100
Outside Local 112.10.10.32
Outside Global 112.10.10.32

Static NAT
Static NAT is a way to make a 1 to 1 mapping between a
real IP address on the inside of our network and a
mapped IP on the outside of the network.
Static NAT works bidirectionally, meaning the inside host
can initiate communication outbound, and hosts on the
outside network can initiate a connection inbound to the
mapped IP address.
This is typically done for things like servers that are
on the inside of the network, but that we want
accessible from a public network like the public
internet.
Static NAT






All we care about is that when 10.10.10.100 sends
something to the internet, it is mapped to 12.3.4.100 and
when something on the internet sends data to 12.3.4.100,
the destination is mapped to 10.10.10.100.
Static NAT would accomplish this.
Static NAT
Note that static NAT entries are ALWAYS in the NAT table.
By their nature, they never time out or go away unless
you remove the static NAT configuration.
That means you always see them in the output of
R1#show ip nat translations
It also means the inside host is permanently reachable from
the outside on every port, so a static mapping should be
paired with an access list on the outside interface.
Dynamic NAT
Dynamic NAT is a many-to-many type of NAT.

The idea is we take a whole RANGE of hosts on the
inside network, and we map them dynamically on an as
needed basis to a public IP address in a pool of public IP
addresses we setup.

When the user on the inside needs to access the internet,
he gets translated dynamically to a public address from
the pool. When the second user accesses the internet,
he is dynamically NATed to another address in the pool,
and so on.
Dynamic NAT
The great thing with dynamic NAT is that the NAT entries only
get added to the NAT table as needed.
After a certain amount of time, the dynamic translation times
out, and the public IP they were using goes back into the pool.
Dynamic NAT is a unidirectional type of NAT.
The inside user can initiate a connection to the outside, but
something on the internet cannot initiate a connection to that
user. Why?
Because the translation from the private to public IP address is
triggered by the inside user.

Dynamic PAT
The translation is dynamic, just like dynamic NAT, but
every inside address is mapped to one outside address
(overloading).

Port numbers are used to tell the flows apart.

Only the inside user can initiate a connection.

The return flow is allowed back based on that dynamic NAT
table entry, but something on the outside cannot just
initiate a flow to the inside device.

Basic firewall! (Only in the sense that an unsolicited
inbound packet matches no table entry; PAT enforces no
policy and does not inspect what the inside host lets in.)
Dynamic PAT
Host 1 at 10.10.10.100 wants to access www.cisco.com which
resolves to the public IP of 192.185.16.166

HTTP utilizes TCP at layer 4 for transport.

10.10.10.100 initiates a connection to 192.185.16.166

The source TCP port is an ephemeral port chosen by the
client's operating system, above 1023 and typically in the
49152-65535 range; let's say port 49150.

The destination TCP port will be 80 (http).
The flow looks like this:

10.10.10.100:49150 > 192.185.16.166:80
Dynamic PAT
The router gets this packet and does a dynamic NAT to the
single public IP we have.

But THIS time, when it writes the entry in the NAT table, it
adds the TCP port information as a sort of ID tag, and it
sends the packet off to the Internet towards 192.185.16.166.
The router keeps the original source port when that port is
not already in use on the public address; if it is, the router
picks a different port and records that one instead.

When the packet leaves our router it looks like this:
12.3.4.254:49150 > 192.185.16.166:80.

Dynamic PAT
The NAT table now looks like this (in the column order of
show ip nat translations):

Pro  Inside global      Inside local         Outside local       Outside global
tcp  12.3.4.254:49150   10.10.10.100:49150   192.185.16.166:80   192.185.16.166:80
Dynamic PAT
The return packets: www.cisco.com has received our packet,
so it sends a reply back to 12.3.4.254.

The flow looks like this 192.185.16.166:80 >
12.3.4.254:49150

Router sees the packet to 12.3.4.254:49150 and looks it up in
the NAT table.
The NAT table reveals that should map back to
10.10.10.100:49150, so that is exactly what the router does.
It translates the destination IP address to 10.10.10.100 and
sends the packet to host 1.
Dynamic PAT

Because there are 65,536 port numbers each for TCP and for
UDP, a single public IP address could in principle carry
roughly 65,000 concurrent TCP flows plus 65,000 UDP flows,
the "over 130,000" figure. The translation entry is actually
keyed on the remote address and port as well, so the port
space is a limit per destination; in practice the device's
memory and configured maximums run out first.

Dynamic PAT is a serious reason why IPv4 on the Internet
has lasted as long as it has with so few available public
addresses.
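The static NAT and dynamic PAT behaviour described above, as an added Python example that is not part of the original slides: a model of the translation table with a static 1:1 mapping that never ages out and is reachable from the outside, and dynamic PAT entries that keep the client's source port when it is free, are matched on the remote peer for return traffic, drop unsolicited inbound packets, and time out. The class and method names, the 300-second timeout, and the addresses other than those on the slides (10.10.10.101, 10.10.10.102, 203.0.113.9) are assumptions.

```python
import time
from dataclasses import dataclass

# Model of an IOS-style NAT table: static 1:1 NAT plus dynamic PAT (overload).
# Names, timeout and the extra addresses used in the tests are assumptions.


@dataclass
class Entry:
    proto: str
    inside_local: tuple      # (ip, port)
    inside_global: tuple     # (public ip, translated port)
    outside: tuple           # (remote ip, remote port)
    last_used: float


class NatDevice:
    """Inside/outside translation with static NAT entries and dynamic PAT entries."""

    def __init__(self, public_ip, timeout=300, clock=time.time):
        self.public_ip, self.timeout, self.clock = public_ip, timeout, clock
        self.static, self.static_rev = {}, {}   # inside local ip <-> inside global ip
        self.dynamic = {}    # (proto, local ip, local port, remote ip, remote port) -> Entry
        self.reverse = {}    # (proto, global port, remote ip, remote port) -> dynamic key
        self.used_ports = set()

    def add_static(self, inside_local, inside_global):
        """Static NAT: permanent, bidirectional, all ports."""
        self.static[inside_local] = inside_global
        self.static_rev[inside_global] = inside_local

    def _expire(self):
        now = self.clock()
        for key, e in list(self.dynamic.items()):
            if now - e.last_used > self.timeout:      # idle entry: free the port again
                del self.dynamic[key]
                del self.reverse[(e.proto, e.inside_global[1]) + e.outside]
                self.used_ports.discard((e.proto, e.inside_global[1]))

    def _allocate_port(self, proto, wanted):
        port = wanted                                 # keep the source port when free
        while (proto, port) in self.used_ports:
            port = port + 1 if port < 65535 else 1024
        self.used_ports.add((proto, port))
        return port

    def outbound(self, proto, src, dst):
        """Inside -> outside packet. Returns the translated source (ip, port)."""
        self._expire()
        if src[0] in self.static:
            return (self.static[src[0]], src[1])
        key = (proto, src[0], src[1], dst[0], dst[1])
        e = self.dynamic.get(key)
        if e is None:                                 # first packet of the flow creates the entry
            port = self._allocate_port(proto, src[1])
            e = Entry(proto, src, (self.public_ip, port), dst, self.clock())
            self.dynamic[key] = e
            self.reverse[(proto, port, dst[0], dst[1])] = key
        e.last_used = self.clock()
        return e.inside_global

    def inbound(self, proto, src, dst):
        """Outside -> inside packet. Returns the translated destination, or None (dropped)."""
        self._expire()
        if dst[0] in self.static_rev:                 # static NAT: always reachable
            return (self.static_rev[dst[0]], dst[1])
        key = None
        if dst[0] == self.public_ip:
            key = self.reverse.get((proto, dst[1], src[0], src[1]))
        if key is None:
            return None                               # no table entry: unsolicited flow dropped
        e = self.dynamic[key]
        e.last_used = self.clock()
        return e.inside_local

    def show(self):
        """Rows in the column order of 'show ip nat translations'."""
        def fmt(a):
            return f"{a[0]}:{a[1]}"
        rows = [("---", g, l, "---", "---") for l, g in self.static.items()]
        for e in self.dynamic.values():
            rows.append((e.proto, fmt(e.inside_global), fmt(e.inside_local),
                         fmt(e.outside), fmt(e.outside)))
        return rows
```

Return traffic is matched on the full outside tuple, so a packet to 12.3.4.254:49150 from any host other than the one the inside client talked to has no entry and is dropped; that is the whole of the "basic firewall" effect, and the static mapping shows its limit, since every port of the statically mapped host is reachable at any time.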

Static PAT
....is actually PORT FORWARDING!
A fixed mapping of one outside address and port to one inside
address and port, for example 12.3.4.254:443 to 10.10.10.100:443,
so outside hosts can initiate connections to that single service.
Like static NAT it never times out; unlike static NAT, only the
forwarded port is exposed.
IPv6
IPv4 addresses are 32-bit, represented as a series of
four 8-bit decimal values, separated by dots.

183.45.22.127

IPv6 addresses are 128-bit, represented as a series of
eight 16-bit hexadecimal values separated by colons

2031:0000:130F:0000:0000:09C0:876A:130B


IPv6

IPv6 addresses, unlike IPv4 addresses, can be abbreviated
or shortened for easier reading:

Leading 0s in a field are optional.
For example, the 0000 fields equal 0,
and 09C0 equals 9C0.

One or more consecutive all-0 fields can be replaced by two
colons ::
(this can be used only once in an address, otherwise the
number of omitted fields would be ambiguous!!!)

The example address above therefore shortens to
2031:0:130F::9C0:876A:130B


IPv6
The IPv4 header has 20 octets (bytes) and 12 basic
header fields, followed by an optional Options field and the
data portion (usually the transport layer segment).

The IPv6 header has 40 octets (bytes) and 8 fields: three
kept from IPv4 (Version, Source Address, Destination Address)
and five new or renamed ones (Traffic Class, Flow Label,
Payload Length, Next Header, Hop Limit).

The IPv6 header is larger but has fewer fields and a fixed
length, so it is easier to process; options moved into
extension headers.
IPv6
Types of IPv6 communication

UNICAST (one-to-one)

MULTICAST (one-to-many)

ANYCAST (one-to-closest)
The same address is configured on several hosts and a packet
is delivered to the nearest one. Anycast does not replace
broadcast; it is used in a way similar to failover protocols
such as HSRP and VRRP.

NO MORE BROADCAST, NO MORE ARP!!!
Broadcasts are replaced by multicast, and ARP by Neighbor
Discovery.
Types of IPv6 addresses
Link Local Scope addresses

always begin with FE80::/10
(first 10 bits are 1111 1110 10; in practice the next 54 bits
are zero, so the addresses fall in FE80::/64)

The remaining 64 bits are the Interface ID, traditionally in
IEEE's 64-bit Extended Unique Identifier (EUI-64) format.
EUI-64 is auto-generated from the 48-bit MAC address by
inserting FFFE in the middle and inverting the 7th bit of
the first byte (the universal/local bit).
Because the MAC address can be read straight out of such an
address, modern hosts usually generate the Interface ID
randomly instead (privacy extensions).

Link Local addresses are similar to APIPA addressing and
the 169.254.X.X range of IPv4 addresses.
They are auto-assigned when an IPv6 host comes online and
are valid only on that link.


Types of IPv6 addresses
Global Unicast Address

Public address; an IP address that is routable across the Internet.

Easily recognized: 2000::/3

Global addresses have the first three bits set to 001.

Therefore, public addresses can be anything that starts with
2XXX:: or 3XXX::

The current global unicast range assigned by the IANA is
one-eighth of the total IPv6 address space.

Types of IPv6 addresses
The next 45 bits are the so-called global routing prefix.
This is the part that is assigned to organizations.
The following 16 bits are for the subnet ID, which you can
use for hierarchical addressing in your network.
The last 64 bits indicate the interface ID, which is the
part that must be unique within a subnet.

Types of IPv6 addresses
IPv6 unique local addresses
have some similarity to the RFC 1918 private addresses of
IPv4.
These addresses are not routable on the global IPv6 Internet.
Unique local addresses are in the range FC00::/7
(FC00:: through FDFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF).
The half actually used is FD00::/8, where the 40 bits after
the prefix are a randomly generated global ID, so that two
organizations' networks are unlikely to collide if they are
later joined.

The original IPv6 specification defined site-local
addresses for a similar purpose, using the prefix range
FEC0::/10.
There were several ambiguities in the specification and
site-local addresses were deprecated by the IETF in favor
of unique local addresses.

Types of IPv6 addresses
Loopback address
The IPv6 loopback address is all-0s except for the last bit,
represented as ::1/128 or just ::1 in the compressed
format.

An unspecified address
is an all-0s address represented in the compressed
format as ::/128 or just :: in the compressed format.
(same as 0.0.0.0 in IPv4)
IPv6 Multicast
There are two types of IPv6 multicast addresses: assigned
multicast addresses and solicited-node multicast addresses.

Common assigned multicast addresses:

FF02::1 multicast group for all nodes on a link; every IPv6
speaking device automatically joins it.

FF02::2 multicast group for all routers on a shared
network; routers automatically join this group when IPv6
routing is enabled - Router(config)#ipv6 unicast-routing


IPv6 Multicast
Solicited-node multicast address

Solicited-node multicast addresses are used in IPv6
during the resolution of an IPv6 address to a MAC
address on a LAN segment (Neighbor Discovery).
The address is formed from the prefix FF02::1:FF00:0/104
followed by the low-order 24 bits of the unicast address
being resolved, so a Neighbor Solicitation reaches only the
few hosts whose addresses end in those bits rather than
every node on the link.

NEIGHBOR DISCOVERY IS A REPLACEMENT FOR ARP.
Like ARP it is unauthenticated, so Neighbor Advertisements
can be spoofed just as ARP replies can; switches counter
this with RA Guard and ND inspection.
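The address rules from the IPv6 slides above (abbreviating an address with :: and dropped leading zeros, the EUI-64 interface ID and the link-local address built from it, the solicited-node multicast address used by Neighbor Discovery with its Ethernet group MAC, and the address types) worked through in Python as an added example that is not from the original slides. Function names and the MAC and sample addresses below are assumptions; the first test address is the one used on the page.

```python
import ipaddress

# Helpers for the IPv6 address rules on this page: text compression, EUI-64
# interface IDs, link-local and solicited-node derivation, and address types.
# Function names and sample addresses are assumptions for this example.


def compress(addr):
    """RFC 5952 text form from an uncompressed address: strip leading zeros,
    replace the first longest run of two or more zero fields with '::'."""
    fields = [f"{int(h, 16):x}" for h in addr.split(":")]
    if len(fields) != 8:
        raise ValueError("expected eight colon-separated fields")
    best, run = (0, 0), None                          # best = (start, length)
    for i, f in enumerate(fields + ["end"]):          # sentinel closes a trailing run
        if f == "0":
            run = i if run is None else run
        else:
            if run is not None and i - run > best[1]:
                best = (run, i - run)
            run = None
    start, length = best
    if length < 2:
        return ":".join(fields)                       # a single 0 field stays as 0
    return ":".join(fields[:start]) + "::" + ":".join(fields[start + length:])


def eui64(mac):
    """Modified EUI-64 interface ID from a 48-bit MAC: insert FF:FE in the
    middle and invert the universal/local bit (bit 7 of the first octet)."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("MAC must be 48 bits")
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]


def link_local(mac):
    """FE80::/64 plus the EUI-64 interface ID, in compressed text form."""
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\0" * 6 + eui64(mac)))


def solicited_node(addr):
    """FF02::1:FF00:0/104 plus the low 24 bits of the unicast address: the group
    a Neighbor Solicitation for addr is sent to."""
    low24 = ipaddress.IPv6Address(addr).packed[-3:]
    return str(ipaddress.IPv6Address(b"\xff\x02" + b"\0" * 9 + b"\x01\xff" + low24))


def multicast_mac(addr):
    """Ethernet destination for an IPv6 multicast group: 33:33 + low 32 bits."""
    low32 = ipaddress.IPv6Address(addr).packed[-4:]
    return "33:33:" + ":".join(f"{b:02x}" for b in low32)


TYPES = [  # checked in order; the first matching prefix wins
    ("::/128", "unspecified"), ("::1/128", "loopback"), ("fe80::/10", "link-local"),
    ("fec0::/10", "site-local (deprecated)"), ("fc00::/7", "unique-local"),
    ("ff00::/8", "multicast"), ("2000::/3", "global-unicast"),
]


def classify(addr):
    """Name the address type as the slides define them."""
    a = ipaddress.IPv6Address(addr)
    for prefix, name in TYPES:
        if a in ipaddress.IPv6Network(prefix):
            return name
    return "other"
```

The EUI-64 path is what makes link-local addresses trivially attributable to a NIC: eui64() is reversible, so anyone who sees the address recovers the MAC, which is why randomly generated interface IDs are the usual default now. Note that a global address and the link-local address built from the same interface ID share the same low 24 bits and therefore the same solicited-node group.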
IPv6 Transition Technologies
Dual Stack

Dual stacking is an integration method in which a node
has implementation and connectivity to both an IPv4 and
IPv6 network.
This is the recommended option and involves running
IPv4 and IPv6 at the same time.
Routers and switches are configured to support both
protocols, with IPv6 being the preferred protocol.

IPv6 Transition Technologies
Tunneling
Manual IPv6-over-IPv4 tunneling:
An IPv6 packet is encapsulated within the IPv4 protocol.
This method requires dual-stack routers.

Dynamic 6to4 tunneling:
Automatically establishes the connection of IPv6 islands
through an IPv4 network, typically the Internet. It
dynamically applies a valid, unique IPv6 prefix (2002::/16
followed by the site's public IPv4 address) to each IPv6
island, which enables the fast deployment of IPv6 in a
corporate network without address retrieval from the ISPs
or registries.

IPv6 Transition Technologies
Other, less popular tunneling techniques that are beyond the
scope of this course include the following:

Intrasite Automatic Tunnel Addressing Protocol (ISATAP)
tunneling:
An automatic overlay tunneling mechanism that uses the
underlying IPv4 network as a link layer for IPv6. ISATAP
tunnels allow individual IPv4/IPv6 dual-stack hosts within a
site to communicate with other such hosts on a virtual link,
creating an IPv6 network using the IPv4 infrastructure.
Teredo tunneling: An IPv6 transition technology that provides
host-to-host automatic tunneling instead of gateway tunneling.
This approach passes unicast IPv6 traffic when dual-stacked
hosts (hosts that are running both IPv6 and IPv4) are located
behind one or multiple IPv4 NATs.

IPv6 Transition Technologies
NAT-Protocol Translation (NAT-PT)
Cisco IOS Software Release 12.3(2)T and later (with the
appropriate feature set) also include NAT-PT between
IPv6 and IPv4.
This translation allows direct communication between
hosts that use different versions of the IP protocol.
These translations are more complex than IPv4 NAT.
At the time of this course, this translation technique was
the least favorable option, to be used as a last resort;
NAT-PT has since been deprecated by the IETF (RFC 4966) in
favor of NAT64 with DNS64.

Network Troubleshooting
To efficiently diagnose and correct network problems, a
network engineer needs to know how a network has been
designed and what the network's expected performance
should be under normal operating conditions.
Network Troubleshooting
Documenting Your Network

Network configuration documentation provides a logical diagram of
the network and detailed information about each component.
Information such as the network's physical and logical topologies,
device configuration, end-system configurations, and various network
baselines should be included.
A hard copy of the documentation should be stored in a central
location.
The information could also be available on a protected intranet
website.



Network Troubleshooting
Network documentation should include these components:
Network topology diagram
graphical representation of a network that illustrates how each device
in the network is connected and its logical architecture.
Network configuration table
contains accurate, up-to-date records of the hardware and software
used in a network.

End-system configuration table
contains baseline records of the hardware and software used in
end-system devices such as servers, network management consoles, and
desktop workstations

Network baseline

Network Troubleshooting
At a minimum, Network topology diagram should
include the following:

Symbols for all devices and how they are connected

Interface types, numbers, IP addresses, and subnet
masks

Primary WAN protocols

Network Troubleshooting
The information in Network Configuration Table may
include but is not limited to the following:

Type of device, model designation
IOS image name
Device network hostname
Location of the device (building, floor, room, rack, panel)
If it is a modular device, include all module types and in
which module slot they are located
Data link layer addresses
Network layer addresses

Network Troubleshooting
End-system network configuration documentation
should contain the following:

Device name (purpose)
Operating system and version
IP address
Subnet mask
Default gateway, DNS server, and WINS server
addresses
Any high-bandwidth network applications that the end
system runs

Network Troubleshooting
Why Is Establishing a Network Baseline Important?

Some network problems are not as easy to identify or
notice. Problems such as suboptimal routing, excessive
traffic, or excessive errors may not cause a network to fail,
but they would definitely be detrimental to its
performance.

Network Troubleshooting
How does the network perform during a normal or average
day?

Where are the underutilized and overutilized areas?

If errors are discovered, where are the most errors occurring?

What alert thresholds should be set for the devices that need to
be monitored?

Can the network deliver the service identified in the Network
Policy document?

Network Troubleshooting
Measuring the initial performance and availability of
critical network devices and links allows a network
administrator to determine the difference between
abnormal behavior and proper network performance as
the network grows or traffic patterns change.

Without a baseline, no standard exists to measure the
optimum nature of network traffic and congestion levels.

Network Troubleshooting
The recommended steps for planning the first baseline
are as follows:

Step 1 - Determine what types of data to collect.
If too many data points are selected, the amount of data
can be overwhelming, making analyzing the collected
data difficult. Generally, some good starting measures are
interface utilization and CPU utilization.

Step 2 - Identify devices and ports of interest
Network device ports that connect to other network
devices, Servers, Key users....


Network Troubleshooting

Step 3 - Determine the baseline duration
It is important that the length of time and the baseline
information being gathered are sufficient to establish a
typical picture of the network. This period should include
several days to capture any daily or weekly trends.
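One way to turn the three planning steps above into a baseline and an alert threshold, as an added example rather than anything from the slides: hourly interface utilization readings from three days are reduced to a mean and standard deviation per hour of the day, the alert threshold for each hour is set at the mean plus three standard deviations (with a floor so that quiet hours do not alert on noise), and a new reading is then judged against the baseline for its hour. The readings are constructed, and the function names, the multiplier and the floor are assumptions.

```python
from statistics import mean, stdev

# Baseline from constructed per-hour utilization samples; names and the
# threshold rule (mean + k*stdev, floor of 5 points) are assumptions.


def constructed_samples():
    """Three days of hourly utilization readings (percent) for one uplink port.
    Constructed data: a business-hours plateau and a quiet night."""
    readings = {}
    for day in range(3):
        for hour in range(24):
            busy = 8 <= hour < 18
            value = (55 + 3 * day) if busy else (6 + day)     # 55/58/61 or 6/7/8
            readings.setdefault(hour, []).append(value)
    return readings


def build_baseline(readings, k=3.0, floor=5.0):
    """Per-hour mean, standard deviation and alert threshold (mean + k*stdev,
    but never closer than `floor` points to the mean)."""
    baseline = {}
    for hour, values in readings.items():
        m, s = mean(values), stdev(values)
        baseline[hour] = {"mean": m, "stdev": s, "threshold": m + max(k * s, floor)}
    return baseline


def evaluate(baseline, hour, value):
    """Compare a fresh reading with the baseline for its hour."""
    return "alert" if value > baseline[hour]["threshold"] else "ok"


def underutilized(baseline, limit=10.0):
    """Hours whose average load stays below `limit` percent."""
    return sorted(h for h, b in baseline.items() if b["mean"] < limit)
```

The point of baselining per hour rather than per interface is visible in the numbers: a 40% reading is unremarkable at 10:00 but far outside the baseline at 03:00, and it is exactly that kind of off-hours deviation (bulk transfers, scanning) that a flat threshold would miss.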

Troubleshooting Methodologies and Tools
Two extreme approaches to troubleshooting almost
always result in disappointment, delay, or failure. At one
extreme is the theorist, or rocket scientist, approach. At
the other extreme is the impractical, or caveman,
approach.

Troubleshooting Methodologies and Tools
The three main methods of troubleshooting networks are

Bottom-up
Top-down
Divide-and-conquer

Troubleshooting Methodologies and Tools
Bottom-up troubleshooting starts at the physical layer and
works up the OSI layers. It is a good approach to use when
the problem is suspected to be a physical one.

Troubleshooting Methodologies and Tools
Top-down troubleshooting starts at the application layer and
works down. Use this approach for simpler problems or when
you think the problem is with a software application.

Troubleshooting Methodologies and Tools
In divide-and-conquer troubleshooting, you start by
collecting the users' experiences with the problem and
documenting the symptoms.
Then, using that information, you decide at which OSI
layer to start your investigation.
After you verify that a layer is functioning properly, you
assume that the layers below it are functioning, and you
work up the OSI layers.
If an OSI layer is not functioning properly, you work your
way down the OSI layer model.

Troubleshooting Methodologies and Tools
For example, if users can't access the web server but
you can ping the server, you know that the problem is
above Layer 3.
If ICMP error messages are generated and you can't ping
the server, you know that the problem is likely at a lower
OSI layer.
