Accessing the WAN – Chapter 7
Sandra Coleman, CCNA, CCAI

Objectives
• Configure DHCP in an enterprise branch network
• Configure NAT on a Cisco router
• Configure new generation RIP (RIPng) to use IPv6

Every device that connects to a network needs an IP address. Network administrators assign static IP addresses to routers, servers, and other network devices whose locations (physical and logical) are not likely to change. Administrators enter static IP addresses manually when they configure devices to join the network. Static addresses also enable administrators to manage those devices remotely.

However, computers in an organization often change locations, physically and logically. Administrators are unable to keep up with having to assign new IP addresses every time an employee moves to a different office or cubicle. Desktop clients do not require a static address. Instead, a workstation can use any address within a range of addresses. This range is typically within an IP subnet.

DHCP assigns IP addresses and other important network configuration information dynamically. Because desktop clients typically make up the bulk of network nodes, DHCP is an extremely useful and timesaving tool for network administrators. RFC 2131 describes DHCP.

Administrators typically prefer a network server to offer DHCP services, because these solutions are scalable and relatively easy to manage. However, in a small branch or SOHO location, a Cisco router can be configured to provide DHCP services without the need for an expensive dedicated server. A Cisco IOS feature set called Easy IP offers an optional, full-featured DHCP server.

Providing IP addresses to clients is the most fundamental task performed by a DHCP server. DHCP includes three different address allocation mechanisms to provide flexibility when assigning IP addresses:
• Manual Allocation: The administrator assigns a pre-allocated IP address to the client and DHCP only communicates the IP address to the device.
• Automatic Allocation: DHCP automatically assigns a static IP address permanently to a device, selecting it from a pool of available addresses. There is no lease and the address is permanently assigned to a device.
• Dynamic Allocation: DHCP automatically and dynamically assigns, or leases, an IP address from a pool of addresses for a limited period of time chosen by the server, or until the client tells the DHCP server that it no longer needs the address.

The Bootstrap Protocol (BOOTP), defined in RFC 951, is the predecessor of DHCP and shares some operational characteristics. BOOTP is a way to download address and boot configurations for diskless workstations. A diskless workstation does not have a hard drive or an operating system.
• For example, many automated cash register systems at your local supermarket are examples of diskless workstations.

Both DHCP and BOOTP are client/server based and use UDP ports 67 and 68. Those ports are still known as BOOTP ports. There are three primary differences between DHCP and BOOTP:
• The main difference is that BOOTP was designed for manual pre-configuration of the host information in a server database, while DHCP allows for dynamic allocation of network addresses and configurations to newly attached hosts.
• DHCP allows for recovery and reallocation of network addresses through a leasing mechanism. Specifically, DHCP defines mechanisms through which clients can be assigned an IP address for a finite lease period. This lease period allows for reassignment of the IP address to another client later, or for the client to get another assignment if the client moves to another subnet. Clients may also renew leases and keep the same IP address. BOOTP does not use leases.
• BOOTP provides a limited amount of information to a host. DHCP provides additional IP configuration parameters, such as WINS and domain name.

Cisco routers running Cisco IOS software provide full support for a router to act as a DHCP server.
The Cisco IOS DHCP server assigns and manages IP addresses from specified address pools within the router to DHCP clients. Addresses excluded from a pool will probably be statically assigned to networking devices, e.g., routers, switches, printers, etc. You must have a default router/gateway assigned or you will NOT have internet connectivity!

To verify the operation of DHCP, use the show ip dhcp binding command. This command displays a list of all IP address to MAC address bindings that have been provided by the DHCP service. To verify that messages are being received or sent by the router, use the show ip dhcp server statistics command. This command displays count information regarding the number of DHCP messages that have been sent and received. The number of DHCPACK messages that shows up is the number of successfully assigned or renewed addresses.

• Typically, small broadband routers for home use, such as Linksys routers, can be configured to connect to an ISP using a DSL or cable modem. In most cases, small home routers are set to acquire an IP address automatically from their ISPs. For example, the figure shows the default WAN setup page for a Linksys WRVS4400N router. Notice that the Internet connection type is set to Automatic Configuration - DHCP. This means that when the router is connected to a cable modem, for example, it is a DHCP client and requests an IP address from the ISP.

Cisco routers in SOHO and branch sites have to be configured in a similar manner. The method used depends on the ISP. However, in its simplest configuration, the Ethernet interface is used to connect to a cable modem. To configure an Ethernet interface as a DHCP client, the ip address dhcp command must be configured.
• In the figure, assume that an ISP has been configured to provide select customers with IP addresses from the 209.165.201.0 /27 range. The output confirms the assigned address.

In a complex hierarchical network, enterprise servers are usually contained in a server farm.
These servers may provide DHCP, DNS, TFTP, and FTP services for the clients. The problem is that the network clients typically are not on the same subnet as those servers. Therefore, the clients must locate the servers to receive services, and often these services are located using broadcast messages.

In the figure, PC1 is attempting to acquire an IP address from the DHCP server located at 192.168.11.5. In this scenario router R1 is not configured as a DHCP server. A simpler solution is to configure the Cisco IOS helper address feature on intervening routers and switches. This solution enables routers to forward DHCP broadcasts to the DHCP servers. When a router forwards address assignment/parameter requests, it is acting as a DHCP relay agent. For example, PC1 would broadcast a request to locate a DHCP server. If router R1 were configured as a DHCP relay agent, it would intercept this request and forward it to the DHCP server located on subnet 192.168.11.0.

To configure router R1 as a DHCP relay agent, you need to configure the nearest interface to the client with the ip helper-address interface configuration command. This command relays broadcast requests for key services to a configured address. Configure the IP helper address on the interface receiving the broadcast. Router R1 is now configured as a DHCP relay agent. It accepts broadcast requests for the DHCP service and then forwards them as a unicast to the IP address 192.168.11.5.

Cisco routers can also be configured as a DHCP server using SDM. In this example, router R1 will be configured as the DHCP server on the Fa0/0 and Fa0/1 interfaces. The DHCP server function is enabled under Additional Tasks in the Configure tab. From the list of tasks, click on the DHCP folder and then select DHCP Pools to add a new pool. Click Add to create the new DHCP pool. The Add DHCP Pool window contains the options you need to configure the DHCP IP address pool.
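Going back to the relay-agent behaviour described above, the following is an added simulation (not course material) of what R1 does with a client's DHCP broadcast when ip helper-address 192.168.11.5 is configured: it rewrites the giaddr field so the server knows which subnet's pool to use, and forwards the request as a unicast. The client-facing interface address 192.168.10.1 and the client MAC are assumptions.

```python
"""DHCP relay agent (ip helper-address) simulation. Added example, not from
the course. Addresses follow the notes' figure: clients on 192.168.10.0/24
behind R1, DHCP server at 192.168.11.5. R1's client-facing interface
address and the client MAC are assumptions."""
import ipaddress
import struct

BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"  # RFC 951 fixed header, 236 bytes
BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"         # marks the start of DHCP options
BROADCAST = "255.255.255.255"
MAX_HOPS = 16                              # RFC 1542: relays discard beyond this
UNSET = b"\0" * 4

HELPER_ADDRESS = "192.168.11.5"    # ip helper-address configured on R1
RELAY_IFACE_ADDR = "192.168.10.1"  # assumed address of R1's client-facing interface


def build_discover(xid: int, mac: bytes) -> bytes:
    """Constructed sample DHCPDISCOVER as a client broadcasts it (ciaddr/giaddr 0)."""
    hdr = struct.pack(BOOTP_HDR, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                      UNSET, UNSET, UNSET, UNSET,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    # option 53 (DHCP message type) = 1 (DISCOVER), then end-of-options marker
    return hdr + MAGIC_COOKIE + b"\x35\x01\x01\xff"


def relay(packet: bytes, src_ip: str, dst_ip: str):
    """Act as R1. Return (next-hop IP, packet to forward), or None to drop."""
    fields = list(struct.unpack(BOOTP_HDR, packet[:236]))
    op, hops, giaddr = fields[0], fields[3], fields[10]
    my_addr = ipaddress.IPv4Address(RELAY_IFACE_ADDR).packed
    if op == BOOTREQUEST and dst_ip == BROADCAST:
        if hops >= MAX_HOPS:
            return None                    # passed through too many relays
        fields[3] = hops + 1
        if giaddr == UNSET:
            # giaddr is what tells the server which pool (subnet) to allocate from
            fields[10] = my_addr
        # the client's broadcast leaves R1 as a unicast to the helper address
        return HELPER_ADDRESS, struct.pack(BOOTP_HDR, *fields) + packet[236:]
    if op == BOOTREPLY and src_ip == HELPER_ADDRESS and giaddr == my_addr:
        # server answered to giaddr; hand the offer back to the client subnet
        return BROADCAST, packet
    return None   # unicast requests and replies from unknown servers are not relayed


if __name__ == "__main__":
    pkt = build_discover(0x3903F326, bytes.fromhex("001122334455"))
    print(relay(pkt, "0.0.0.0", BROADCAST)[0])   # 192.168.11.5
```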
The IP addresses that the DHCP server assigns are drawn from a common pool. To configure the pool, specify the starting and ending IP addresses of the range. This screen provides you with a summary of the pools configured on your router. In this example, there have been two pools configured, one for each of the Fast Ethernet interfaces on the R1 router.

DHCP problems can arise for a multitude of reasons, such as software defects in operating systems, NIC drivers, or DHCP/BOOTP relay agents, but the most common are configuration issues. Because of the number of potentially problematic areas, a systematic approach to troubleshooting is required. The show ip dhcp conflict command lists addresses the server has detected as already in use on the network.

Follow these steps to verify the router configuration:
Step 1. Verify that the ip helper-address command is configured on the correct interface. It must be present on the inbound interface of the LAN containing the DHCP client workstations and must be directed to the correct DHCP server. In the figure, the output of the show running-config command verifies that the DHCP relay IP address is referencing the DHCP server address at 192.168.11.5.
Step 2. Verify that the global configuration command no service dhcp has not been configured. This command disables all DHCP server and relay functionality on the router. The command service dhcp does not appear in the configuration, because it is the default configuration.

All public Internet addresses must be registered with a Regional Internet Registry (RIR). Organizations can lease public addresses from an ISP. Only the registered holder of a public Internet address can assign that address to a network device. You may have noticed that all the examples in this course use a somewhat restricted number of IP addresses. You may also have noticed the similarity between these numbers and numbers you have used in a small network to view the setup web pages of many brands of printers, DSL and cable routers, and other peripherals.
These are reserved private Internet addresses drawn from the three blocks shown in the figure. These addresses are for private, internal network use only. Packets containing these addresses are not routed over the Internet, and are referred to as non-routable addresses. RFC 1918 provides details. Unlike public IP addresses, private IP addresses are a reserved block of numbers that can be used by anyone. That means two networks, or two million networks, can each use the same private addresses. To prevent addressing conflicts, routers must never route private IP addresses. To protect the public Internet address structure, ISPs typically configure the border routers to prevent privately addressed traffic from being forwarded over the Internet.

NAT has many uses, but its key use is to save IP addresses by allowing networks to use private IP addresses. NAT translates non-routable, private, internal addresses into routable, public addresses. NAT has an added benefit of adding a degree of privacy and security to a network because it hides internal IP addresses from outside networks. A NAT-enabled device typically operates at the border of a stub network. In our example, R2 is the border router. A stub network is a network that has a single connection to its neighbor network. As seen from the ISP, R2 forms a stub network.

NAT terminology:
• Inside local address - Usually not an IP address assigned by a RIR or service provider and is most likely an RFC 1918 private address. In the figure, the IP address 192.168.10.10 is assigned to the host PC1 on the inside network.
• Inside global address - Valid public address that the inside host is given when it exits the NAT router. When traffic from PC1 is destined for the web server at 209.165.201.1, router R2 must translate the address. In this case, IP address 209.165.200.226 is used as the inside global address for PC1.
• Outside global address - Valid public IP address assigned to a host on the Internet.
For example, the web server is reachable at IP address 209.165.201.1.
• Outside local address - The local IP address assigned to a host on the outside network. In most situations, this address will be identical to the outside global address of that outside device.

Dynamic Mapping and Static Mapping
There are two types of NAT translation: dynamic and static. Dynamic NAT uses a pool of public addresses and assigns them on a first-come, first-served basis. When a host with a private IP address requests access to the Internet, dynamic NAT chooses an IP address from the pool that is not already in use by another host. This is the mapping described so far. Static NAT uses a one-to-one mapping of local and global addresses, and these mappings remain constant. Static NAT is particularly useful for web servers or hosts that must have a consistent address that is accessible from the Internet. These internal hosts may be enterprise servers or networking devices. Both static and dynamic NAT require that enough public addresses are available to satisfy the total number of simultaneous user sessions.

NAT Overload
NAT overloading (sometimes called Port Address Translation or PAT) maps multiple private IP addresses to a single public IP address or a few addresses. This is what most home routers do. With NAT overloading, multiple addresses can be mapped to one or to a few addresses because each private address is also tracked by a port number. When a client opens a TCP/IP session, the NAT router assigns a port number to its source address. NAT overload ensures that clients use a different TCP port number for each client session with a server on the Internet.

NAT provides many benefits and advantages. However, there are some drawbacks to using NAT, including the lack of support for some types of traffic. Typically the IP header of the sending packet will have the serial interface address of the destination router.

Configuring static NAT translations is a simple task.
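As an added illustration of the NAT overload behaviour and the four address roles described above (not course code), here is a small PAT translation table using the notes' addresses: PC1 at inside local 192.168.10.10 is translated to inside global 209.165.200.226 on its way to the web server at outside global 209.165.201.1. A second inside host, 192.168.10.11, and the clients' source ports are constructed for the example.

```python
"""NAT overload (PAT) translation table. Added example, not from the course.
Inside local 192.168.10.10, inside global 209.165.200.226 and outside global
209.165.201.1 come from the notes; 192.168.10.11 and all ports are constructed."""
from dataclasses import dataclass

INSIDE_GLOBAL = "209.165.200.226"  # the single public address R2 overloads
PORT_POOL = range(1024, 65536)     # assumed range of translated source ports


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PATTable:
    """One binding per client session, as 'show ip nat translations' lists them."""

    def __init__(self, inside_global: str = INSIDE_GLOBAL):
        self.inside_global = inside_global
        self._outbound = {}    # (inside local, port, outside, port) -> global port
        self._inbound = {}     # (global port, outside, port) -> (inside local, port)
        self._used_ports = set()

    def _pick_port(self, wanted: int) -> int:
        # keep the client's own port when it is free; otherwise take the next free one
        if wanted not in self._used_ports:
            return wanted
        return next(p for p in PORT_POOL if p not in self._used_ports)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite inside local:port to inside global:port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self._outbound:
            gport = self._pick_port(pkt.src_port)
            self._used_ports.add(gport)
            self._outbound[key] = gport
            self._inbound[(gport, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.inside_global, self._outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet):
        """Outside -> inside: map the global port back, or None (drop) if unknown."""
        if pkt.dst_ip != self.inside_global:
            return None
        binding = self._inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if binding is None:
            return None    # no session was opened from inside: unsolicited, dropped
        return Packet(pkt.src_ip, pkt.src_port, binding[0], binding[1])

    def show_translations(self) -> list:
        """Rows: inside global, inside local, outside local, outside global."""
        return [(f"{self.inside_global}:{gp}", f"{il}:{lp}", f"{og}:{op}", f"{og}:{op}")
                for (il, lp, og, op), gp in self._outbound.items()]


if __name__ == "__main__":
    table = PATTable()
    table.translate_outbound(Packet("192.168.10.10", 49152, "209.165.201.1", 80))
    table.translate_outbound(Packet("192.168.10.11", 49152, "209.165.201.1", 80))
    for row in table.show_translations():
        print(row)
```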
You need to define the addresses to translate and then configure NAT on the appropriate interfaces. Packets arriving on an inside interface from the identified IP address are subject to translation. Packets arriving on an outside interface addressed to the identified IP address are subject to translation.
• While static NAT provides a permanent mapping between an internal address and a specific public address, dynamic NAT maps private IP addresses to public addresses. These public IP addresses come from a NAT pool.
• There are two possible ways to configure overloading, depending on how the ISP allocates public IP addresses. In the first instance, the ISP allocates one public IP address to the organization, and in the other, it allocates more than one public IP address.

Verifying NAT and NAT Overload
It is important to verify NAT operation. There are several useful router commands to view and clear NAT translations. One of the most useful commands when verifying NAT operation is the show ip nat translations command. Before using the show commands to verify NAT, you must clear any dynamic translation entries that might still be present, because by default, dynamic address translations time out from the NAT translation table after a period of non-use. The show ip nat statistics command displays information about the total number of active translations, NAT configuration parameters, how many addresses are in the pool, and how many have been allocated. In the figure, the hosts have initiated web traffic as well as ICMP traffic.

Follow these steps to verify that NAT is operating as expected:
Step 1. Based on the configuration, clearly define what NAT is supposed to achieve. This may reveal a problem with the configuration.
Step 2. Verify that correct translations exist in the translation table using the show ip nat translations command.
Step 3. Use the clear and debug commands to verify that NAT is operating as expected.
Check to see if dynamic entries are recreated after they are cleared.
Step 4. Review in detail what is happening to the packet, and verify that routers have the correct routing information to move the packet. Use the debug ip nat command to verify the operation of the NAT feature by displaying information about every packet that is translated by the router.

To comprehend the IP addressing issues facing network administrators today, consider that the IPv4 address space provides approximately 4,294,967,296 unique addresses. Of these, only 3.7 billion addresses are assignable because the IPv4 addressing system separates the addresses into classes and reserves addresses for multicasting, testing, and other specific uses. Based on figures as recent as January 2007, about 2.4 billion of the available IPv4 addresses are already assigned to end users or ISPs. That leaves roughly 1.3 billion addresses still available from the IPv4 address space. Despite this seemingly large number, IPv4 address space is running out.

Movement to change from IPv4 to IPv6 has already begun, particularly in Europe, Japan, and the Asia-Pacific region. These areas are exhausting their allotted IPv4 addresses, which makes IPv6 all the more attractive and necessary. Japan officially started the move in 2000 when the Japanese government mandated the incorporation of IPv6 and set a deadline of 2005 to upgrade existing systems in every business and public sector. Korea, China, and Malaysia have launched similar initiatives. In 2002, the European Community IPv6 Task Force forged a strategic alliance to foster IPv6 adoption worldwide. The North American IPv6 Task Force has set out to engage the North American markets to adopt IPv6. The first significant North American advances are coming from the U.S. Department of Defense (DoD).
Looking into the future and knowing the advantages of IP-enabled devices, DoD mandated, as early as 2003, that all new equipment purchased not only be IP-enabled, but also be IPv6-capable. In fact, all U.S. government agencies must start using IPv6 across their core networks by 2008, and the agencies are working to meet that deadline.

IPv6 Address Representation
You know the 32-bit IPv4 address as a series of four 8-bit fields, separated by dots. However, larger 128-bit IPv6 addresses need a different representation because of their size. IPv6 addresses use colons to separate entries in a series of eight 16-bit hexadecimal fields. Using the "::" notation greatly reduces the size of most addresses as shown. An address parser identifies the number of missing zeros by separating any two parts of an address and entering 0s until the 128 bits are complete.

IPv6 has an address format that enables aggregation upward eventually to the ISP. Global unicast addresses typically consist of a 48-bit global routing prefix and a 16-bit subnet ID. Individual organizations can use a 16-bit subnet field to create their own local addressing hierarchy. This field allows an organization to use up to 65,535 individual subnets.

IPv6 addresses use interface identifiers to identify interfaces on a link. Think of them as the host portion of an IPv6 address. Interface identifiers are required to be unique on a specific link. Interface identifiers are always 64 bits and can be dynamically derived from a Layer 2 address (MAC). You can assign an IPv6 address ID statically or dynamically:
• Static assignment using a manual interface ID
• Static assignment using an EUI-64 interface ID
• Stateless autoconfiguration
• DHCP for IPv6 (DHCPv6)

To configure an IPv6 address on a Cisco router interface and enable IPv6 processing using EUI-64 on that interface, use the ipv6 address ipv6-prefix/prefix-length eui-64 command in interface configuration mode. To assign a complete address manually, use the ipv6 address IPv6-address[/prefix-length] interface command.
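The "::" parsing and the EUI-64 derivation just described, worked through as an added example (not course code): the parser fills in the missing zero fields, and the EUI-64 routine splits the MAC, inserts FFFE and flips the universal/local bit, which is what the eui-64 keyword makes the router do. The MAC 00:1B:2C:3D:4E:5F is a constructed sample; the prefix is the one used in the configuration example.

```python
"""IPv6 '::' expansion/compression and EUI-64 interface ID derivation.
Added example, not from the course. The MAC 00:1B:2C:3D:4E:5F is constructed."""
import ipaddress


def expand(addr: str) -> list:
    """Return the eight 16-bit fields, filling the '::' gap with zero fields."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)      # how many zero fields '::' stands for
        if missing < 1:
            raise ValueError("'::' must replace at least one field")
        parts = left + ["0"] * missing + right
    else:
        parts = addr.split(":")
    if len(parts) != 8:
        raise ValueError(f"expected 8 fields, got {len(parts)}")
    fields = [int(p, 16) for p in parts]           # int() rejects empty/non-hex parts
    if any(not 0 <= f <= 0xFFFF for f in fields):
        raise ValueError("each field is at most 4 hex digits")
    return fields


def compress(fields: list) -> str:
    """RFC 5952 text form: longest run of two or more zero fields (leftmost on ties) -> '::'."""
    best, best_len, i = -1, 0, 0
    while i < 8:
        j = i
        while j < 8 and fields[j] == 0:
            j += 1
        if j - i > best_len:
            best, best_len = i, j - i
        i = j + 1 if j == i else j
    hexes = [f"{f:x}" for f in fields]
    if best_len < 2:
        return ":".join(hexes)
    return ":".join(hexes[:best]) + "::" + ":".join(hexes[best + best_len:])


def eui64_interface_id(mac: str) -> list:
    """48-bit MAC -> 64-bit interface ID: split, insert FF:FE, flip the U/L bit."""
    octets = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    octets[0] ^= 0x02                              # universal/local bit of octet 0
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return [int.from_bytes(iid[k:k + 2], "big") for k in range(0, 8, 2)]


def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix as typed in the IOS command with the EUI-64 interface ID."""
    network, _, length = prefix.partition("/")
    if length and int(length) != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return compress(expand(network)[:4] + eui64_interface_id(mac))


def is_valid(addr: str) -> bool:
    try:
        expand(addr)
        return True
    except ValueError:
        return False


def agrees_with_stdlib(addr: str) -> bool:
    """Cross-check the hand parser against the standard library's canonical form."""
    return compress(expand(addr)) == str(ipaddress.IPv6Address(addr))
```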
Example:
RouterX(config-if)#ipv6 address 2001:DB8:2222:7272::/64 eui-64

The transition from IPv4 does not require upgrades on all nodes at the same time. Many transition mechanisms enable smooth integration of IPv4 and IPv6. Other mechanisms that allow IPv4 nodes to communicate with IPv6 nodes are available. Different situations demand different strategies. The figure illustrates the richness of available transition strategies. Recall the advice: "Dual stack where you can, tunnel where you must." These two methods are the most common techniques to transition from IPv4 to IPv6.

Dual Stacking
Dual stacking is an integration method in which a node has implementation and connectivity to both an IPv4 and IPv6 network. This is the recommended option and involves running IPv4 and IPv6 at the same time. Routers and switches are configured to support both protocols, with IPv6 being the preferred protocol.

Tunneling
The second major transition technique is tunneling. There are several tunneling techniques available, including:
• Manual IPv6-over-IPv4 tunneling - An IPv6 packet is encapsulated within the IPv4 protocol. This method requires dual-stack routers.
• Dynamic 6to4 tunneling - Automatically establishes the connection of IPv6 islands through an IPv4 network, typically the Internet. It dynamically applies a valid, unique IPv6 prefix to each IPv6 island, which enables the fast deployment of IPv6 in a corporate network without address retrieval from the ISPs or registries.

Other less popular tunneling techniques that are beyond the scope of this course include:
• Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunneling - Automatic overlay tunneling mechanism that uses the underlying IPv4 network as a link layer for IPv6. ISATAP tunnels allow individual IPv4 or IPv6 dual-stack hosts within a site to communicate with other such hosts on a virtual link, creating an IPv6 network using the IPv4 infrastructure.
• Teredo tunneling - An IPv6 transition technology that provides host-to-host automatic tunneling instead of gateway tunneling. This approach passes unicast IPv6 traffic when dual-stacked hosts (hosts that are running both IPv6 and IPv4) are located behind one or multiple IPv4 NATs.
• NAT-Protocol Translation (NAT-PT) - Cisco IOS Release 12.3(2)T and later (with the appropriate feature set) also include NAT-PT between IPv6 and IPv4. This translation allows direct communication between hosts that use different versions of the IP protocol. These translations are more complex than IPv4 NAT. At this time, this translation technique is the least favorable option and should be used as a last resort.

IPv6 routes use the same protocols and techniques as IPv4. Although the addresses are longer, the protocols used in routing IPv6 are simply logical extensions of the protocols used in IPv4. RFC 2080 defines Routing Information Protocol next generation (RIPng) as a simple routing protocol based on RIP.
RIPng is no more or less powerful than RIP; however, it provides a simple way to bring up an IPv6 network without having to build a new routing protocol. RIPng is a distance vector routing protocol with a limit of 15 hops that uses split horizon and poison reverse updates to prevent routing loops. Its simplicity comes from the fact that it does not require any global knowledge of the network. Only neighboring routers exchange local messages.

There are two basic steps to activate IPv6 on a router. First, you must activate IPv6 traffic forwarding on the router, and then you must configure each interface that requires IPv6.

Summary
• Dynamic Host Configuration Protocol (DHCP)
  – This is a means of assigning IP addresses and other configuration information automatically.
• DHCP operation
  – 3 different allocation methods
    • Manual
    • Automatic
    • Dynamic
  – Steps to configure DHCP
    • Define range of addresses
    • Create DHCP pool
    • Configure DHCP pool specifics
• DHCP Relay
  – Concept of using a router configured to listen for DHCP messages from DHCP clients and then forward those messages to servers on different subnets
• Troubleshooting DHCP
  – Most problems arise due to configuration errors
  – Commands to aid troubleshooting
    • show ip dhcp
    • show run
    • debug
• Private IP addresses
  – Class A = 10.x.x.x
  – Class B = 172.16.x.x – 172.31.x.x
  – Class C = 192.168.x.x
• Network Address Translation (NAT)
  – A means of translating private IP addresses to public IP addresses
  – Types of NAT
    • Static
    • Dynamic
  – Some commands used for troubleshooting
    • show ip nat translations
    • show ip nat statistics
    • debug ip nat
• IPv6
  – A 128-bit address that uses colons to separate entries
  – Normally written as 8 groups of 4 hexadecimal digits
  – /48 to /64 allows organizations to use a 16-bit subnet field to create their own local addressing hierarchy.
• Cisco IOS Dual Stack
  – A way of permitting a node to have connectivity to an IPv4 & IPv6 network simultaneously
• IPv6 Tunneling
  – An IPv6 packet is encapsulated within another protocol
• Configuring RIPng with IPv6
  – 1st: globally enable IPv6
  – 2nd: enable IPv6 on the interfaces on which IPv6 is to be enabled
  – 3rd: enable RIPng using either
    • ipv6 router rip name
    • ipv6 rip name enable

Study guide
• Pg. 224 – Matching
• Pg. 226 – Matching
• Pg. 227-229 – Multiple choice
• Labs:
  • Lab 7-1, pg. 231
• Online test – Take it by midnight Sunday, April 7, 2013
• Test: Tuesday, Thursday, April 11, 2013