Section V: Infrastructure Services – Test Online

Hint

The command “show ip dhcp conflict” is used to display address conflicts found by a Cisco IOS DHCP Server when addresses are offered to the client. An example of the output of this command is shown below:

Hint

In the DHCP pool we need to configure a default gateway (via the “default-route …” command) for the DHCP clients to communicate with outside subnets.

Hint

An Authoritative NTP Server can distribute time even when it is not synchronized to an existing time server. To configure a Cisco device as an Authoritative NTP Server, use the ntp master [stratum] command.

Hint

By adding the keyword “overload” at the end of a NAT statement, NAT becomes PAT (Port Address Translation). This is also a kind of dynamic NAT that maps multiple private IP addresses to a single public IP address (many-to-one) by using different ports.

Hint

Both HSRP version 1 & version 2 support preempt command -> Answer D is not correct. In HSRP version 1, group numbers are restricted to the range from 0 to 255. HSRP version 2 expands the group number range from 0 to 4095 -> A is correct.

Hint

The command “show ip dhcp pool” is used to display information about the DHCP address pools. There are some information we can use to check the failure of address assignment. For example we can see how many IP addresses have been leased for a specific pool. If some IP addresses have been assigned from a pool but a client of that pool has not received the assignment then maybe the issue belongs to the client itself. R1#show ip dhcp pool

R1#show ip dhcp pool
Pool SERVER :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0 
 Total addresses                : 1
 Leased addresses               : 1
 Pending event                  : none
 0 subnet is currently in the pool :
 Current index        IP address range                    Leased addresses
 172.16.200.100       172.16.200.100   - 172.16.200.100    1

Hint

From this paragraph: “A set of routers that run HSRP works in concert to present the illusion of a single default gateway router to the hosts on the LAN. This set of routers is known as an HSRP group or standby group. A single router that is elected from the group is responsible for the forwarding of the packets that hosts send to the virtual router. This router is known as the active router. Another router is elected as the standby router. If the active router fails, the standby assumes the packet forwarding duties. Although an arbitrary number of routers may run HSRP, only the active router forwards the packets that are sent to the virtual router IP address. In order to minimize network traffic, only the active and the standby routers send periodic HSRP messages after the protocol has completed the election process. Additional routers in the HSRP group remain in the Listen state. If the active router fails, the standby router takes over as the active router. If the standby router fails or becomes the active router, another router is elected as the standby router.” Reference: https://www.cisco.com/c/en/us/support/docs/ip/hot-standby-router-protocol-hsrp/10583-62.html#anc6 -> There is exactly one active router and one standby router in an HSRP group. Answer A is surely a correct but other answers are not correct. Answers C, D and E are wrong terminologies so they are surely not correct. Therefore answer B is a best choice left (although it is not totally correct).

Hint

Virtual Router Redundancy Protocol (VRRP) is one of the First Hop Redundancy Protocols that is supported by Cisco. Unlike HSRP and GLBP (which are Cisco proprietary protocols), VRRP is an industry standard protocol.

Hint

By not reveal the internal IP addresses, NAT adds some security to the inside network -> A is correct. NAT has to modify the source IP addresses in the packets -> B is not correct. Connection from the outside to a network through “NAT” is more difficult than a normal network because IP addresses of inside hosts are hidden -> C is not correct. In order for IPsec to work with NAT we need to allow additional protocols, including Internet Key Exchange (IKE), Encapsulating Security Payload (ESP) and Authentication Header (AH) -> more complex -> D is not correct. By allocating specific public IP addresses to inside hosts, NAT eliminates the need to re-address the inside hosts -> E is correct. NAT does conserve addresses but not through host MAC-level multiplexing. It conserves addresses by allowing many private IP addresses to use the same public IP address to go to the Internet -> F is not correct.

Hint

An address conflict occurs when two hosts use the same IP address. During address assignment, DHCP checks for conflicts using ping and gratuitous ARP. If a conflict is detected, the address is removed from the pool. The address will not be assigned until the administrator resolves the conflict. (Reference: http://www.cisco.com/en/US/docs/ios/12_1/iproute/configuration/guide/1cddhcp.html)

Hint

HSRP election is based on a priority value (0 to 255) that is configured on each router in the group. By default, the priority is 100. The router with the highest priority value (255 is highest) becomes the active router for the group. If all router priorities are equal or set to the default value, the router with the highest IP address on the HSRP interface becomes the active router. Below is an example of assigning HSRP priority of 200 to R1:

R1(config-if)# standby 1 priority 200

Hint

The “preempt” command enables the HSRP router with the highest priority to immediately become the active router. For example if we have a new router joining an HSRP of 1 and we want this router becomes the active router immediately (provided it had the highest HSRP priority) then we will need this additional command:

New_Router(config-if)#standby 1 preempt

Hint

The following example shows how to configure a DHCP Server on a Cisco router: Note: We checked with both Cisco IOS v12.4 and v15.4 but found no “ip dhcp-server pool” command: Therefore the answer “ip dhcp-server pool …” is not correct.

Hint

Quick review of DHCP Spoofing and DHCP snooping: DHCP spoofing is a type of attack in that the attacker listens for DHCP Requests from clients and answers them with fake DHCP Response before the authorized DHCP Response comes to the clients. The fake DHCP Response often gives its IP address as the client default gateway -> all the traffic sent from the client will go through the attacker computer, the attacker becomes a “man-in-the-middle”. The attacker can have some ways to make sure its fake DHCP Response arrives first. In fact, if the attacker is “closer” than the DHCP Server then he doesn’t need to do anything. Or he can DoS the DHCP Server so that it can’t send the DHCP Response. DHCP snooping can prevent DHCP spoofing attacks. DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted. Only ports that connect to an authorized DHCP server are trusted, and allowed to send all types of DHCP messages. All other ports on the switch are untrusted and can send only DHCP requests. If a DHCP response is seen on an untrusted port, the port is shut down -> Answer D is correct. The fundamental use case for DHCP snooping is to prevent unauthorized (rogue) DHCP servers offering IP addresses to DHCP clients. Rogue DHCP servers are often used in man in the middle or denial of service attacks for malicious purposes -> C is correct.

Hint

An Authoritative NTP Server can distribute time even when it is not synchronized to an existing time server. To configure a Cisco device as an Authoritative NTP Server, use the ntp master [stratum] command.

Hint

When all other routers in the group fail, the local router will not receive any HSRP Hello messages so it will become “active”. Notice that in this case the “preempt” command is not necessary. The “preempt” command is only useful when the local router receives a HSRP Hello message from the active HSRP router with a lower priority (then the local router will decide to take over the active role).

Hint

Hint

Using permit any can result in NAT consuming too many router resources, which can cause network problems. You should only limit the NAT access list to a specific range of IP addresses.

Hint

The DHCP lifecycle consists of the following: Release: The client may decide at any time that it no longer wishes to use the IP address it was assigned, and may terminate the lease, releasing the IP address.

Hint

http://www.aubrett.com/InformationTechnology/RoutingandSwitching/Cisco/CiscoRouters/ DHCPBindings.aspx “Router#show ip dhcp binding Bindings from all pools not associated with VRF: IP address Client-ID/ Lease expiration Type 10.16.173.0 24d9.2141.0ddd Jan 12 2013 03:42 AM Automatic”

Hint

Maybe the “current time sources” here mention about the status of the clock source. In the below output, the “show ntp associations” command reveals the IP address of the clock source (which is 209.65.200.226), the stratum (st) of this reference clock…

R1#show ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
*~10.1.2.1         209.65.200.226    9   509    64  200    32.2   15.44  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

Below is the output of the “show ntp status” command. From this output we learn that R1 has a stratum of 10 and it is getting clock from 10.1.2.1.

R1#show ntp status
Clock is synchronized, stratum 10, reference is 10.1.2.1
nominal freq is 250.0000 Hz, actual freq is 249.9987 Hz, precision is 2**18
reference time is D5E492E9.98ACB4CF (13:00:25.596 CST Wed Sep 18 2013)
clock offset is 15.4356 msec, root delay is 52.17 msec
root dispersion is 67.61 msec, peer dispersion is 28.12 msec

For more information about these two commands, please read at: http://www.cisco.com/c/en/us/support/docs/ip/network-time-protocol-ntp/116161-trouble-ntp-00.html In fact this question is unclear, but other answers are surely not correct.

Hint

By default, each IP address assigned by a DHCP Server comes with a one- day lease, which is the amount of time that the address is valid. To change the lease value for an IP address, use the following command in DHCP pool configuration mode:

Hint

There are two types of NAT translation: dynamic and static. Static NAT: Designed to allow one-to-one mapping between local and global addresses. This flavor requires you to have one real Internet IP address for every host on your network Dynamic NAT: Designed to map an unregistered IP address to a registered IP address from a pool of registered IP addresses. You don’t have to statically configure your router to map an inside to an outside address as in static NAT, but you do have to have enough real IP addresses for everyone who wants to send packets through the Internet. With dynamic NAT, you can configure the NAT router with more IP addresses in the inside local address list than in the inside global address pool. When being defined in the inside global address pool, the router allocates registered public IP addresses from the pool until all are allocated. If all the public IP addresses are already allocated, the router discards the packet that requires a public IP address. In this question we only want to translate a single inside address to a single outside address so static NAT should be used.

Hint

http://www.firewall.cx/networking-topics/network-address-translation-nat/233-nat-overload-part-1.html

Hint

When we specify a NAT “inside” interface (via the “ip nat inside” command under interface mode), we are specifying the source IP addresses. Later in the “ip nat” command under global configuration mode, we will specify the access or route map for these source addresses. For example the command: Router(config)# ip nat inside source list 1 pool PoolforNAT after the keyword “source” we need to specify one of the three keywords: + list: specify access list describing local addresses (but this command does not require an “inside” interface to be configured) + route-map: specify route-map + static: specify static local -> global mapping

Hint

From a Cisco perspective, getting the clock from an Internet time source and/or from a local timing device both require the same command (ntp server). To have a specific network device consider itself as a reference clock source, another command is used (ntp master) For example, the command Router(config)#ntp server 192.168.1.1 configures the local device to use a remote NTP clock source from 192.168.1.1 while the command: Router(config)#ntp master 1 configures the local device as a NTP reference clock source with stratum of 1. Reference: http://www.pearsonitcertification.com/articles/article.aspx?p=2141272

Hint

An address conflict occurs when two hosts use the same IP address. During address assignment, DHCP checks for conflicts using ping and gratuitous ARP. If a conflict is detected, the address is removed from the pool. The address will not be assigned until the administrator resolves the conflict.

Hint

The syntax to create a NAT pool is: Router(config)#ip nat pool pool_name start_ip end_ip { netmask netmask | prefix-length prefix-length } Therefore answer A is surely correct. Answer B is not correct as it creates many addresses (from 12.69 to 12.255 then to 13.74). Answer C and D are not correct as we cannot use prefix-length of 8 (/8) for a class B subnet.

Hint

In this case the printer is statically assigned an IP address so we have to make sure DHCP server does not assign the same IP address to another device. We can configure the DHCP server with the command “ip dhcp excluded-address ” (suppose it is a Cisco device).

Hint

+ The “ntp authenticate” command is used to enable the NTP authentication feature (NTP authentication is disabled by default). + The “ntp trusted-key” command specifies one or more keys that a time source must provide in its NTP packets in order for the device to synchronize to it. This command provides protection against accidentally synchronizing the device to a time source that is not trusted. + The “ntp authentication-key” defines the authentication keys. The device does not synchronize to a time source unless the source has one of these authentication keys and the key number is specified by the “ntp trusted-key number” command.

Hint

DNS spoofing is designed to allow a router to act as a proxy DNS server and “spoof” replies to any DNS queries using either the configured IP address in the ip dns spoofing ip-address command or the IP address of the incoming interface for the query. This feature is useful for devices where the interface toward the Internet service provider (ISP) is not up. Once the interface to the ISP is up, the router forwards DNS queries to the real DNS servers. This feature turns on DNS spoofing and is functional if any of the following conditions are true: The no ip domain lookup command is configured. IP name server addresses are not configured. There are no valid interfaces or routes for sending to the configured name server addresses.

Hint

NAT use four types of addresses: * Inside local address – The IP address assigned to a host on the inside network. The address is usually not an IP address assigned by the Internet Network Information Center (InterNIC) or service provider. This address is likely to be an RFC 1918 private address. * Inside global address – A legitimate IP address assigned by the InterNIC or service provider that represents one or more inside local IP addresses to the outside world. * Outside local address – The IP address of an outside host as it is known to the hosts on the inside network. * Outside global address – The IP address assigned to a host on the outside network. The owner of the host assigns this address.

Hint

The DHCP lifecycle consists of the following: Release: The client may decide at any time that it no longer wishes to use the IP address it was assigned, and may terminate the lease, releasing the IP address.

Hint

The “list 1 refers to the access-list number 1.

Hint

Network or subnetwork IP address (for example 11.0.0.0/8 or 13.1.0.0/16) and broadcast address (for example 23.2.1.255/24) should never be assignable to hosts. When try to assign these addresses to hosts, you will receive an error message saying that they can’t be assignable.

Hint

Static NAT is to map a single outside IP address to a single inside IP address. This is typically done to allow incoming connections from the outside (Internet) to the inside. Since these are static, they are always present in the NAT table even if they are not actively in use

Hint

One disadvantage of HSRP and VRRP is that only one router is in use, other routers must wait for the primary to fail because they can be used. However, Gateway Load Balancing Protocol (GLBP) can use of up to four routers simultaneously. In GLBP, there is still only one virtual IP address but each router has a different virtual MAC address. First a GLBP group must elect an Active Virtual Gateway (AVG). The AVG is responsible for replying ARP requests from hosts/clients. It replies with different virtual MAC addresses that correspond to different routers (known as Active Virtual Forwarders – AVFs) so that clients can send traffic to different routers in that GLBP group (load sharing).

Hint

Object tracking is the process of tracking the state of a configured object and uses that state to determine the priority of the VRRP router in a VRRP group

Hint

http://www.cisco.com/c/en/us/support/docs/ip/hot-standby-router-protocol-hsrp/10583-62.html#topic5 “The active router sources hello packets from its configured IP address and the HSRP virtual MAC address. The standby router sources hellos from its configured IP address and the burned-in MAC address (BIA).” http://www.cisco.com/c/en/us/support/docs/ip/hot-standby-router-protocol-hsrp/10583-62.html#topic14 “By default, these timers are set to 3 and 10 seconds, respectively…” http://www.cisco.com/c/en/us/support/docs/switches catalyst-6000-series-switches/29545-168.html#q1 Load Sharing with HSRP http://www.cisco.com/c/en/us/support/docs/ip/hot-standby-router-protocol-hsrp/13781-7.html#conf “…has a 256 unique HSRP group ID limit.” “…the allowed group ID range (0-255). … MSFC2A (Supervisor Engine 32) can use any number of group IDs from that range.

Hint

Virtual Router Redundancy Protocol (VRRP) is one of the First Hop Redundancy Protocols that is supported by Cisco. Unlike HSRP and GLBP (which are Cisco proprietary protocols), VRRP is an industry standard protocol.

Hint

By adding the keyword “overload” at the end of a NAT statement, NAT becomes PAT (Port Address Translation). This is also a kind of dynamic NAT that maps multiple private IP addresses to a single public IP address (many-to-one) by using different ports.

Hint

HSRP consists of 6 states: Please notice that not all routers in a HSRP group go through all states above. In a HSRP group, only one router reaches active state and one router reaches standby state. Other routers will stop at listen state.

Hint

DHCPv6 Technology Overview IPv6 Internet Address Assignment Overview IPv6 has been developed with Internet Address assignment dynamics in mind. Being aware that IPv6 Internet addresses are 128 bits in length and written in hexadecimals makes automation of address- assignment an important aspect within network design. These attributes make it inconvenient for a user to manually assign IPv6 addresses, as the format is not naturally intuitive to the human eye. To facilitate address assignment with little or no human intervention, several methods and technologies have been developed to automate the process of address and configuration parameter assignment to IPv6 hosts. The various IPv6 address assignment methods are as follows: 1. Manual Assignment An IPv6 address can be statically configured by a human operator. However, manual assignment is quite open to errors and operational overhead due to the 128 bit length and hexadecimal attributes of the addresses, although for router interfaces and static network elements and resources this can be an appropriate solution. 2. Stateless Address Autoconfiguration (RFC2462) Stateless Address Autoconfiguration (SLAAC) is one of the most convenient methods to assign Internet addresses to IPv6 nodes. This method does not require any human intervention at all from an IPv6 user. If one wants to use IPv6 SLAAC on an IPv6 node, it is important that this IPv6 node is connected to a network with at least one IPv6 router connected. This router is configured by the network administrator and sends out Router Advertisement announcements onto the link. These announcements can allow the on-link connected IPv6 nodes to configure themselves with IPv6 address and routing parameters, as specified in RFC2462, without further human intervention. 3. Stateful DHCPv6 The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) has been standardized by the IETF through RFC3315. DHCPv6 enables DHCP servers to pass configuration parameters, such as IPv6 network addresses, to IPv6 nodes. It offers the capability of automatic allocation of reusable network addresses and additional configuration flexibility. This protocol is a stateful counterpart to “IPv6 Stateless Address Autoconfiguration” (RFC 2462), and can be used separately, or in addition to the stateless autoconfiguration to obtain configuration parameters. 4. DHCPv6-PD DHCPv6 Prefix Delegation (DHCPv6-PD) is an extension to DHCPv6, and is specified in RFC3633. Classical DHCPv6 is typically focused upon parameter assignment from a DHCPv6 server to an IPv6 host running a DHCPv6 protocol stack. A practical example would be the stateful address assignment of “2001:db8::1” from a DHCPv6 server to a DHCPv6 client. DHCPv6-PD however is aimed at assigning complete subnets and other network and interface parameters from a DHCPv6-PD server to a DHCPv6-PD client. This means that instead of a single address assignment, DHCPv6-PD will assign a set of IPv6 “subnets”. An example could be the assignment of “2001:db8::/60” from a DHCPv6-PD server to a DHCPv6-PD client. This will allow the DHCPv6-PD client (often a CPE device) to segment the received address IPv6 address space, and assign it dynamically to its IPv6 enabled interfaces. 5. Stateless DHCPv6 Stateless DHCPv6 is a combination of “stateless Address Autoconfiguration” and “Dynamic Host Configuration Protocol for IPv6” and is specified by RFC3736. When using stateless-DHCPv6, a device will use Stateless Address Auto-Configuration (SLAAC) to assign one or more IPv6 addresses to an interface, while it utilizes DHCPv6 to receive “additional parameters” which may not be available through SLAAC. For example, additional parameters could include information such as DNS or NTP server addresses, and are provided in a stateless manner by DHCPv6. Using stateless DHCPv6 means that the DHCPv6 server does not need to keep track of any state of assigned IPv6 addresses, and there is no need for state refreshment as result. On network media supporting a large number of hosts associated to a single DHCPv6 server, this could mean a significant reduction in DHCPv6 messages due to the reduced need for address state refreshments. From Cisco IOS 12.4(15)T onwards the client can also receive timing information, in addition to the “additional parameters” through DHCPv6. This timing information provides an indication to a host when it should refresh its DHCPv6 configuration data. This behavior (RFC4242) is particularly useful in unstable environments where changes are likely to occur.

Hint

The command “show ip dhcp pool” is used to display information about the DHCP address pools. There are some information we can use to check the failure of address assignment. For example we can see how many IP addresses have been leased for a specific pool. If some IP addresses have been assigned from a pool but a client of that pool has not received the assignment then maybe the issue belongs to the client itself.

R1#show ip dhcp pool
Pool SERVER :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0 
 Total addresses                : 1
 Leased addresses               : 1
 Pending event                  : none
 0 subnet is currently in the pool :
 Current index        IP address range                    Leased addresses
 172.16.200.100       172.16.200.100   - 172.16.200.100    1

Hint

In the below output, the “show ntp associations” command reveals the IP address of the clock source (which is 209.65.200.226), the stratum (st) of this reference clock and if a router is synced with the configured time source (in this case R1 is synchronized with 10.1.2.1, presented by a “*”).

R1#show ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
*~10.1.2.1         209.65.200.226    9   509    64  200    32.2   15.44  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

Hint

Frames received from users in the administratively-defined VLANs are classified or tagged for transmission to other devices. Based on rules that you define, a unique identifier (the tag) is inserted in each frame header before it is forwarded. The tag is examined and understood by each device before any broadcasts or transmissions to other switches, routers, or end stations. When the frame reaches the last switch or router, the tag is removed before the frame is sent to the target end station. VLANs that are assigned on trunk or access ports without identification or a tag are called native or untagged frames. For IEEE 802.1Q frames with tag information, the priority value from the header frame is used. For native frames, the default priority of the input port is used. Each port on the switch has a single receive queue buffer (the ingress port) for incoming traffic. When an untagged frame arrives, it is assigned the value of the port as its port default priority. You assign this value by using the CLI or CMS. A tagged frame continues to use its assigned CoS value when it passes through the ingress port.

Hint

With HSRP, two or more devices support a virtual router with a fictitious MAC address and unique IP address. There are two version of HSRP. + With HSRP version 1, the virtual router’s MAC address is 0000.0c07.ACxx , in which xx is the HSRP group. Therefore C is correct. + With HSRP version 2, the virtual MAC address is 0000.0C9F.Fxxx, in which xxx is the HSRP group. Note: Another case is HSRP for IPv6, in which the MAC address range from 0005.73A0.0000 through 0005.73A0.0FFF. (Good resource for HSRP: http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/unicast/configuration/guide/l3_hsrp.html)

Hint

An address binding is a mapping between the IP address and MAC address of a client. The IP address of a client can be assigned manually by an administrator or assigned automatically from a pool by a DHCP server. Manual bindings are IP addresses that have been manually mapped to the MAC addresses of hoststhat are found in the DHCP database. All DHCP clients send a client identifier (DHCP option 61) in the DHCP packet. To configure manual bindings, you must enter the client-identifier DHCP pool configuration command with the appropriate hexadecimal values identifying the DHCP client. For example:

ip dhcp pool SERVER
host 172.16.200.100 255.255.255.0
client-identifier 01aa.bbcc.0003.00
default-router 172.16.200.1 
!

Therefore two requirements for DHCP binding is the IP address and the hardware address (MAC address) of the client. Notice that in the above example “aabb.cc00.0300” is the MAC address of the client while prefix “01” represents the Ethernet media type. Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/ip/configuration/guide/fipr_c/1cfdhcp.html In fact the “DHCP pool” option is also correct but two above choices are better.