Section 5 – Infrastructure Services (CCNA 200-125 Theory)

1. Troubleshoot client connectivity issues involving DNS

The IOS command ip name-server configures the DNS server IP address for a Cisco network device. All DNS queries are sent to that DNS server to resolve a hostname to an IP address. That enables hostname-based Telnet hopping between network devices.

DNS servers resolve a known IP address to an unknown hostname. In addition they can resolve a known hostname to an unknown IP address. Connecting to web servers for instance is based on a domain name.

The following techniques are used to verify the DNS server is reachable and hostname resolution is working properly.

  • ping www.google.com (returns a request timed out error message if unavailable)
  • nslookup www.google.com (verify IP address and domain name)
  • nslookup 127.0.0.0 [dns server ip address] (host loopback to test DNS server)

2. Configure and verify DHCP on a router

DHCP Server Configuration

router(config)# ip dhcp pool [name]
router(dhcp-config)# network [ip address range]
router(dhcp-config)# dns-server [ip address]
router(dhcp-config)# default-router [ip address]

The default lease time for an IP address assigned from a Cisco based DHCP server is 1 day. The router or switch acting as DHCP server renews the IP address after 24 hours when the host sends a renewal request.

The network address and broadcast address should not be included in the DHCP pool for dynamic assignment. Any other address in the pool can be assigned to a host unless it is already statically assigned.

The host IP address renewal is based on the lease time setting. The host will typically keep using the same IP address assigned. The lease renewal request is sent to the DHCP server when the lease time expires. The DHCP server will extend the lease again for the lease time interval setting.

DHCP Relay

The IOS commands configure the DHCP relay agent for hosts on VLAN 10. There is support for assigning physical interfaces as well. The ip helper-address command is configured with the IP address of the DHCP server. All DHCP requests arriving from hosts are forwarded to the DHCP server (172.16.3.1) on a remote subnet. The DHCP relay agent is the router configured with the ip helper-address command.

router> enable
router# configure terminal
router(config)# interface vlan 10
router(config-if)# ip helper-address 172.16.3.1

Verify DHCP Bindings

The DHCP binding table is made up of entries pairing a host IP address with its MAC (hardware) address. That can include any network device or server configured as a DHCP client. Cisco routers and switches can provide DHCP services to enabled hosts. The following IOS command lists the bindings for all DHCP enabled hosts.

router# show ip dhcp binding
IP Address   Hardware Address    Lease Expire          Type
172.16.1.1   0000.000a.aaaa      Aug 16 2017 17:00 PM  Auto

Troubleshooting DHCP

Layer 3 connectivity is verified with a ping of the DHCP server IP address. DHCP address assignment failures are often caused by configuration errors on the DHCP server. Configuring the wrong DHCP relay address will also cause errors.

DHCP uses Ping or Gratuitous ARP to detect IP address conflicts. The DHCP server pings the proposed IP address to confirm it is not assigned. An ICMP echo reply is returned by any network device or host already using that address. The DHCP server logs the conflict error to a Syslog server; that is enabled by default with the ip dhcp conflict logging feature.

Gratuitous ARP (GARP) is also sent by the router to detect IP addresses in use. A network device already using the address replies with an ARP, confirming the IP address is not available. The DHCP server removes a conflicting IP address from the DHCP pool until the conflict is resolved.

router# show ip dhcp conflict
IP Address    Detection Method    Detection Time
172.16.1.32   Ping                July 16 2017 9:30 AM
172.16.1.64   Gratuitous ARP      July 16 2017 10:30 AM

The following command lists the current DHCP pool status on the router. That includes the range of assigned IP addresses, the number of leased addresses and any pending events. A misconfigured DHCP server causes various Layer 3 connectivity issues, including an incorrect host subnet mask, default gateway address or DNS server address.

router# show ip dhcp pool
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 142
Pending event : none
1 subnet is currently in the pool:
Current index   IP address range         Leased addresses
10.10.1.1       10.10.1.1 - 10.10.1.254    142

Verify Host DHCP Settings

The host command to list all IP addressing is ipconfig /all. It provides the current TCP/IP settings including IP address, DHCP server and DNS server address. In addition MAC address and default gateway address can be verified.

The Windows desktop commands ipconfig /release and ipconfig /renew release the current IP address and request a new IP address. The DHCP server assigns an IP address from the pool along with the additional settings.

3. Troubleshoot client and router-based DHCP connectivity issues

The DHCP server is responsible for dynamic configuration of host IP settings. It also manages lease renewals for IP addresses assigned from an address pool. The DHCP address pool is defined on the DHCP server along with the lease time period. The DHCP address pool is a range of IP addresses reserved for dynamic assignment to hosts. The host can receive default gateway and DNS server addresses as well.

Host DHCP Request

The DHCP request for an IP address starts with server discovery. The DHCP server replies with an IP address lease offer. The host replies with an IP lease request for the proposed IP address. The DHCP server confirms the IP address with a lease acknowledgement to the host. The DHCP server will send the lease time and any additional address settings as well. The following are standard DHCP message types.

Step 1: Server Discovery = DHCPDISCOVER
Step 2: IP Lease Offer = DHCPOFFER
Step 3: IP Lease Request = DHCPREQUEST
Step 4: IP Lease Acknowledgement = DHCPACK
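The four-step exchange above as an added Python example (not from the original page): it encodes and decodes minimal DHCP frames with the option 53 message type and walks DISCOVER, OFFER, REQUEST and ACK, with the server acknowledging only the address it offered. The MAC, transaction id, server address and lease settings are constructed sample values.

```python
import socket
import struct

DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5      # DHCP message types carried in option 53 (RFC 2132)
NAMES = {DISCOVER: "DHCPDISCOVER", OFFER: "DHCPOFFER", REQUEST: "DHCPREQUEST", ACK: "DHCPACK"}
MAGIC = b"\x63\x82\x53\x63"                     # cookie separating the fixed BOOTP header from the options
HDR = "!BBBBIHH4s4s4s4s16s64s128s"              # op,htype,hlen,hops,xid,secs,flags,ciaddr,yiaddr,siaddr,giaddr,chaddr,sname,file
ip = socket.inet_aton                           # dotted quad -> 4 raw bytes

def build(msg_type, xid, mac, yiaddr="0.0.0.0", options=()):
    """Encode a minimal DHCP frame: fixed header, cookie, option 53, extra TLV options, end (255)."""
    op = 1 if msg_type in (DISCOVER, REQUEST) else 2        # 1 = BOOTREQUEST (client), 2 = BOOTREPLY (server)
    chaddr = bytes.fromhex(mac.replace(".", "")).ljust(16, b"\0")   # Cisco-style MAC 0000.000a.aaaa
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0, b"\0" * 4, ip(yiaddr), b"\0" * 4, b"\0" * 4,
                      chaddr, b"\0" * 64, b"\0" * 128)
    tlvs = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC + bytes([53, 1, msg_type]) + tlvs + b"\xff"

def parse(frame):
    """Decode a frame into (xid, yiaddr, {option_code: raw value})."""
    fields = struct.unpack_from(HDR, frame)
    body = frame[struct.calcsize(HDR):]
    if not body.startswith(MAGIC):
        raise ValueError("missing DHCP magic cookie")
    i, opts = len(MAGIC), {}
    while body[i] != 0xFF:                                  # walk code/length/value until the end option
        code, length = body[i], body[i + 1]
        opts[code] = body[i + 2:i + 2 + length]
        i += 2 + length
    return fields[4], socket.inet_ntoa(fields[8]), opts

def dora(mac, xid, server, offered, lease_secs, gateway, dns):
    """Run the four-step exchange; returns (message names on the wire, lease settings or None)."""
    settings = [(51, struct.pack("!I", lease_secs)), (3, ip(gateway)), (6, ip(dns)), (54, ip(server))]
    seen = []
    def kind(frame):                                         # option 53 names the message type
        return NAMES[parse(frame)[2][53][0]]
    seen.append(kind(build(DISCOVER, xid, mac)))             # step 1: client broadcasts, no address yet
    offer = build(OFFER, xid, mac, offered, settings)        # step 2: server proposes yiaddr + settings
    seen.append(kind(offer))
    request = build(REQUEST, xid, mac, options=[(50, ip(parse(offer)[1])), (54, ip(server))])  # step 3
    seen.append(kind(request))
    ropts = parse(request)[2]
    if ropts.get(50) != ip(offered) or ropts.get(54) != ip(server):   # server acks only its own offer
        return seen, None
    ack = build(ACK, xid, mac, offered, settings)            # step 4: lease confirmed with lease time, router, DNS
    _, addr, aopts = parse(ack)
    seen.append(kind(ack))
    return seen, {"ip": addr, "lease": struct.unpack("!I", aopts[51])[0],
                  "gateway": socket.inet_ntoa(aopts[3]), "dns": socket.inet_ntoa(aopts[6])}
```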

4. Configure, verify and troubleshoot basic HSRP

HSRP Operation

HSRP advertises a virtual IP address to enable seamless failover to a standby router. The virtual router is based on a shared virtual IP address and MAC address, which provides the redundancy needed for fast failover to the standby router.

The active HSRP router is assigned the virtual IP address and MAC address for packet forwarding. The standby router takes over the virtual addressing when the active router isn’t available. The HSRP virtual IP address is the default gateway for hosts on the common subnet. VRRP is the open standard FHRP equivalent to HSRP.

The virtual IP address assigned to the HSRP group is configured on both router members with the standby 1 ip command. The group number and virtual IP address are assigned to the HSRP routers.

HSRP is not a routing protocol and the virtual IP address is not installed in the routing table. It is a default gateway address to which hosts forward packets for routing.

Hello packets are sent between active and standby router at 3 second intervals by default to detect neighbor state. In addition the hold timer is 10 seconds.

The default HSRP values include the following settings:

Hello timer = 3 seconds
Hold timer = 10 seconds
Standby priority = 100
HSRP version = HSRPv1
Enabled groups = none
Default group = 0

HSRP Groups

The virtual MAC address for version 1 group 1 is 0000.0c07.ac01. The rightmost two hex digits (01) indicate the group number. The default HSRP group 0 would be assigned virtual MAC address 0000.0c07.ac00 for version 1.

A maximum of 255 groups can be assigned per physical interface or VLAN interface. Multiple groups across multiple routers enable load balancing. Each HSRP group is associated with at least two routers.

Priority Setting

The default HSRP priority is 100. The active router is configured with a higher priority than standby router. The router with the highest IP address is elected the active router when all priorities are equal.

HSRP provides a tracking feature that detects when the active HSRP router is not available. That triggers a failover to the standby router. The priority of the active router is decremented by 10 as a default. The standby router then has the higher priority and becomes the active router.

Preemption

The preempt command enables comparison of priority between routers to elect an active HSRP router. It is configured on all HSRP enabled routers so the router with highest priority becomes active. The following command configures a local interface as standby so that it becomes active when the current active router fails.

router(config-if)# standby 1 preempt

Version

The following are virtual MAC addresses based on the HSRP version.

  • HSRPv1 = 0000.0c07.acxx
  • HSRPv2 = 0000.0c9f.fxxx
  • HSRP for IPv6 = 0005.73a0.0000 through 0005.73a0.0fff

HSRP version 2 sends hello messages to multicast 224.0.0.102 address. There are additional features supported with HSRPv2. The number of groups available with HSRPv2 is 4096 (0-4095) and IPv6 addressing is supported as well.
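The Priority Setting, Preemption and Version sections above, as an added Python example (not from the original page): it derives the virtual MAC address for a group under HSRPv1 or HSRPv2, elects the active router by priority with the highest IP address as tie-break, honours preemption, and applies the default tracking decrement of 10. Router names, addresses and priorities are constructed sample values.

```python
import ipaddress

def virtual_mac(version, group):
    """Virtual MAC for an HSRP group: v1 keeps the group in the last 8 bits, v2 in the last 12 bits."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRPv1 supports groups 0-255")
        return "0000.0c07.ac%02x" % group                # 0000.0c07.acxx
    if version == 2:
        if not 0 <= group <= 4095:
            raise ValueError("HSRPv2 supports groups 0-4095")
        raw = "00000c9ff%03x" % group                    # 0000.0c9f.fxxx
        return ".".join(raw[i:i + 4] for i in range(0, 12, 4))
    raise ValueError("unsupported HSRP version %r" % version)

def elect(routers, current_active=None, preempt=False):
    """Active router: highest priority, then highest IP; without preempt a live active router keeps the role."""
    if current_active in routers and not preempt:
        return current_active
    def rank(name):
        return routers[name]["priority"], int(ipaddress.IPv4Address(routers[name]["ip"]))
    return max(routers, key=rank)

def track_down(routers, name, decrement=10):
    """Tracking decrements the router's priority (10 by default) when its tracked interface goes down."""
    routers[name]["priority"] -= decrement
    return routers[name]["priority"]
```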

HSRP Configuration

router-1(config)# interface gigabitethernet0/1
router-1(config-if)# ip address 172.16.1.1 255.255.255.0
router-1(config-if)# standby version 2 (enables HSRPv2)
router-1(config-if)# standby 1 preempt (compare router priorities for group 1)
router-1(config-if)# standby 1 priority 110 (active router)
router-1(config-if)# standby 1 ip 172.16.1.3 (virtual IP address)

Verify HSRP

The following IOS command displays the HSRP operational status for all groups. The status includes active router, standby IP address, virtual addressing and timers.

router# show standby

Troubleshooting HSRP

The virtual IP address must be assigned from the same subnet as the router interfaces. All timers must match between HSRP router peers. The HSRP version must match between routers as well. There are features enabled with HSRPv2 not supported with HSRPv1. The VTP modes for both routers must match. The active router configured as VTP server requires the same VTP mode for standby.

HSRP States

The HSRP states are Init, Learn, Listen, Speak, Standby and Active, described below.

1. Initial (Init): This is the start state, indicating that HSRP isn’t running.
2. Learn: The virtual IP address is unassigned and no hello message has been received from the active router yet.
3. Listen: The virtual IP address and MAC address are known by the router. The active and standby routers are unassigned. It listens for hello messages from HSRP enabled routers.
4. Speak: The router sends hello messages to elect the active and standby router.
5. Standby: The router is in standby mode and monitors hello packets sent from the active router. It becomes active when the active router fails.
6. Active: The router forwards packets for the HSRP group. In addition the active router sends regular hello packets.

5. Configure, verify and troubleshoot inside source NAT

Network Address Translation (NAT) translates private IP addressing to a public routable IP address for outbound internet traffic. The inbound traffic from the internet is translated (mapped) to a private IP address.

The following are the primary advantages of NAT:

  • conceals private IP address assignments from the internet
  • eases management of internet connectivity

The disadvantage to NAT is the IP address renumbering when switching internet service providers (ISP). The public routable (internet) IP address is used to configure translation for any static or dynamic NAT configuration.

Static NAT

The static NAT translation is a 1:1 configured mapping between local and global addresses. The static translation manually assigns a private IP address to a public IP address. For instance, three public routable IP addresses allow three static NAT translations. Static translations are permanent entries in the NAT translation table. They enable a remote host connection from an outside (external) network.

Dynamic Pool

Dynamic NAT pool mapping translates each private IP address to an available public IP address (1:1) in the NAT pool. The dynamic NAT pool of public IP addresses is shared by all internal IP addresses on a first come first served basis. The maximum number of simultaneous internet connections available is limited to the number of public IP addresses in the NAT pool.

Port Address Translation

Port Address Translation (PAT) is an IP address translation technique that translates many internal (private) IP addresses to a single public IP address or to multiple public IP addresses. It is an enhancement to NAT that assigns a unique source port number to each translated IP address. The host IP address for instance could be identified as 200.200.1.1:10 after translation. The 10 is the unique source port that makes the translated IP address unique. The 16 bit source port field allows for translating 65,535 private (internal) IP addresses to a public IP address. There is support for a pool of addresses or a single interface.

192.168.1.1:10 -> 200.200.1.1:10
192.168.1.2:11 -> 200.200.1.1:11
192.168.1.3:12 -> 200.200.1.1:12

The following IOS command enables Port Address Translation. The source list 1 points to ACL 1 that permits a range of internal (private) IP addresses to be translated. The [pool name] refers to a NAT pool that has a single or multiple public routable IP addresses assigned. The overload keyword enables port address translation of multiple internal IP private addresses to a single public IP address.

router(config)# ip nat inside source list 1 pool [pool name] overload

NAT Addressing

Inside Local IP Address (172.16.1.1/24)
Private IP address assigned to a host on the inside network (RFC 1918).

Inside Global IP Address (172.33.1.1/24)
Public internet routable IP address assigned by the ISP.

Outside Global IP Address (200.200.1.2/24)
Public internet routable IP address assigned to outside (remote) host device.

Outside Local IP Address (200.200.1.2/24)
Public internet routable IP address of the outside host as it appears to the inside network.

NAT Configuration

The following configuration creates a NAT pool of 10 public addresses. That pool is assigned for translating a range of private host addresses. In addition the overload feature is enabled for port address translation. The alternative to the netmask keyword is prefix-length 28, which assigns the same /28 subnet mask (255.255.255.240).

1. Assign NAT inside interface

R1(config)# interface fastethernet2/0
R1(config-if)# ip nat inside
R1(config-if)# exit

2. Assign NAT outside interface

R1(config)# interface fastethernet1/0
R1(config-if)# ip nat outside
R1(config-if)# exit

3. Create a NAT pool cisco and assign ten public addresses from the range 172.33.1.1 to 172.33.1.10 (subnetting rules apply here)

R1(config)# ip nat pool cisco 172.33.1.1 172.33.1.10 netmask 255.255.255.240

4. Create access-list 1 to permit private host range 192.168.1.10 to 192.168.1.40 (wildcard mask rules apply here).

R1(config)# access-list 1 permit 192.168.1.9 0.0.0.7

5. Assign access control list 1 to the NAT pool and enable the overload feature.

R1(config)# ip nat inside source list 1 pool cisco overload
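The PAT section and the configuration steps above, as an added Python example (not from the original page or Cisco IOS): it implements the standard ACL wildcard match, reports the address range a base/wildcard pair really covers (the check to run against access-list 1 in step 4), and keeps an overload translation table that maps each inside local address:port to the inside global address with a unique source port and translates return traffic back. The ACL, pool and host addresses are taken from the configuration above; the port numbers are constructed sample values.

```python
import ipaddress

def _int(addr):
    return int(ipaddress.IPv4Address(addr))

def acl_permits(host, base, wildcard):
    """Standard ACL match: wildcard bits set to 1 are ignored, bits set to 0 must equal the base address."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return _int(host) & care == _int(base) & care

def acl_range(base, wildcard):
    """First and last address a base/wildcard pair really covers."""
    first = _int(base) & ~_int(wildcard) & 0xFFFFFFFF
    last = first | _int(wildcard)
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))

class PatRouter:
    """Translation table behind 'ip nat inside source list <acl> pool <pool> overload'."""
    def __init__(self, acl, pool):
        self.acl = acl                  # (base, wildcard) of the source list
        self.pool = pool                # inside global addresses; overload uses the first until ports run out
        self.table = {}                 # (inside local ip, port) -> (inside global ip, port)

    def translate(self, src_ip, src_port):
        """Outbound packet: return the inside global address:port, or None if the ACL does not permit it."""
        if not acl_permits(src_ip, *self.acl):
            return None                 # not permitted by the list: forwarded untranslated
        key = (src_ip, src_port)
        if key not in self.table:
            used = {port for _, port in self.table.values()}
            port = src_port             # keep the original source port when it is still free
            if port in used:            # otherwise allocate the next free port on the global address
                port = next(p for p in range(1024, 65536) if p not in used)
            self.table[key] = (self.pool[0], port)
        return self.table[key]

    def untranslate(self, global_ip, port):
        """Return traffic: map inside global back to inside local using the existing entry, else None."""
        for local, glob in self.table.items():
            if glob == (global_ip, port):
                return local
        return None

    def show_translations(self):
        """Rows in the shape of 'show ip nat translations': inside global, inside local."""
        return ["%s:%d  %s:%d" % (g[0], g[1], l[0], l[1]) for l, g in self.table.items()]
```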

Verify NAT

The following command verifies network address translation is working correctly.

R1# show ip nat translations

6. Configure and verify NTP operating in client/server mode

The following table matches each time source on the left with its description on the right.

Table 1: Cisco Network Device Time Sources

Time source       Description
ntp peer          backup time server
system calendar   initializes software clock after restart
software clock    initially set by hardware clock
ntp server        external time server

The following are all correct statements concerning the NTP protocol:

  • provides time source for logging and time stamp transactions
  • N+1 server redundancy (NTP master + NTP failover server)
  • reference is UTC coordinated universal time
  • DNS is required for resolving time server IP address
  • stratum level is the distance from the NTP authoritative time source

The following statements correctly describe NTP operation:

  • server mode routers provide time source to client mode devices
  • time servers are hierarchical
  • server mode routers poll an external time server

The ntp master command configures a network device as an NTP reference clock source. That is an alternative to an external authoritative time source and not recommended.

Configure NTP

The following IOS command configures an external time server as authoritative time source for a router.

router(config)# ntp server 172.16.1.1

Verify NTP

The following IOS commands are used to verify NTP server synchronization status, time source activities and stratum level for a router.

router# show ntp status
router# show ntp associations
