
Ex4 Chapter 7 - IP Addressing Services

NAT Terminology
Before translation (the packet as seen on the LAN side of the NAT router):
inside local (SRC as seen from the LAN) -> outside local (DST as seen from the LAN)   [ROUTER-NAT]

After translation (the packet as seen on the WAN side):
inside global (SRC as seen from the WAN) -> outside global (DST as seen from the WAN)


ip nat pool NAT-POOL 11.12.13.0 11.12.13.3 prefix-length N
Effect of the mask / prefix-length:
the mask prevents the pool from handing out any address that would be the network address or the broadcast address of the subnet the pool range falls into.

Example: if the chunk reserved for NAT is
ip nat pool NAT-POOL 1.1.1.7 1.1.1.8 prefix-length 24
then both addresses are handed out, but with prefix-length 29 none is: 1.1.1.7 is the broadcast address of 1.1.1.0/29 and 1.1.1.8 is the network address of 1.1.1.8/29.
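A check for the rule above, written as an added example for these notes (it is not Cisco IOS code): given a pool range and a prefix-length it returns the addresses the pool will actually allocate, skipping every address that is the network or broadcast address of its own subnet. The pool ranges are the ones from the notes; the function name is an assumption.

```python
from ipaddress import IPv4Address, IPv4Network


def usable_pool(start: str, end: str, prefix_len: int) -> list:
    """Addresses in start..end that an 'ip nat pool ... prefix-length prefix_len'
    would hand out. Any address that is the network or broadcast address of the
    /prefix_len subnet it belongs to is skipped, which is the rule the notes describe."""
    lo, hi = IPv4Address(start), IPv4Address(end)
    if lo > hi:
        raise ValueError("pool start must not be above pool end")
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix-length must be 0..32")
    usable = []
    a = lo
    while a <= hi:
        # strict=False lets us pass a host address and get its containing subnet
        subnet = IPv4Network(f"{a}/{prefix_len}", strict=False)
        if a not in (subnet.network_address, subnet.broadcast_address):
            usable.append(str(a))
        a += 1
    return usable


if __name__ == "__main__":
    # The two cases from the notes: /24 gives both addresses, /29 gives nothing.
    print(usable_pool("1.1.1.7", "1.1.1.8", 24))
    print(usable_pool("1.1.1.7", "1.1.1.8", 29))
    # The NAT-POOL example: with /30 only .1 and .2 survive.
    print(usable_pool("11.12.13.0", "11.12.13.3", 30))
```

Run it before committing a pool to a router: a range that looks fine on paper can silently shrink to zero usable addresses, and the only symptom on the box is translations that never appear.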


Key Points

* Configure DHCP in an Enterprise branch network. This includes being able to explain DHCP features and benefits, the differences between BOOTP and DHCP, DHCP operation, and configuring, verifying and troubleshooting DHCP.

* Configure NAT on a Cisco router. This includes explaining key features and operation of NAT and NAT Overload, explaining advantages and disadvantages of NAT, configuring NAT and NAT Overload to conserve IP address space in a network, configuring port forwarding, and verifying and troubleshooting NAT configurations.

* Configure RIP next generation (RIPng) for IPv6. This includes explaining how IPv6 addresses the problem of IPv4 address depletion, explaining how to assign IPv6 addresses, describing transition strategies for implementing IPv6, and configuring, verifying and troubleshooting RIPng for IPv6.

DHCP
DHCP includes three address allocation mechanisms for assigning IP addresses:
 - Manual Allocation: The administrator assigns a pre-allocated IP address to the client and DHCP only communicates the IP address to the device.
 - Automatic Allocation: DHCP automatically assigns a static IP address permanently to a device, selecting it from a pool of available addresses. There is no lease and the address is permanently assigned to a device.
 - Dynamic Allocation: DHCP automatically dynamically assigns, or leases, an IP address from a pool of addresses for a limited period of time chosen by the server, or until the client tells the DHCP server that it no longer needs the address.

DHCP works in client/server mode; the four-message exchange (DORA) is:
 1) Client - DHCPDISCOVER, broadcast at L2 and L3 (src 0.0.0.0:68 -> dst 255.255.255.255:67) -> Server
 2) Server - DHCPOFFER, unicast to the client's MAC (broadcast if the client set the broadcast flag) -> Client
 3) Client - DHCPREQUEST, broadcast for the initial lease (so every server that offered learns which one was chosen) and for rebinding; unicast to the lease's server for a normal renewal -> Server
 4) Server - DHCPACK, unicast -> Client

Both DHCP and BOOTP (predecessor of DHCP) are client/server based and use UDP ports 67 and 68. Those ports are still known as BOOTP ports.
Cisco routers running Cisco IOS software provide full support for a router to act as a DHCP server.
(config)# ip dhcp excluded-address low-address [high-address]
   ( [high-address] - optional - the last IP address in the excluded range; with a single address only that address is excluded. Exclude the router's own interface address and any statically addressed servers or printers before defining the pool. )
(config)# ip dhcp pool poolname
(config-dhcp)# network network-number [mask | /prefix-length]
(config-dhcp)# default-router address [address2...address8]
(config-dhcp)# dns-server address [address2...address8]
(config-dhcp)# domain-name domain
(config-dhcp)# lease {days [hours] [minutes] | infinite}
(config-dhcp)# netbios-name-server address [address2...address8]
Verify:
show ip dhcp binding
show ip dhcp pool
show ip dhcp server statistics
show ip dhcp conflict
DHCP Relay - lets a router forward the client's DHCP broadcasts (as unicast) to a DHCP server on another subnet. When a router forwards address-assignment/parameter requests this way it is acting as a DHCP relay agent: it writes the address of the interface the request arrived on into the giaddr field (which is what the server uses to pick the pool) and increments the hops count.
(config-if)# ip helper-address dhcp-server-ip-address
UDP ports forwarded by default: 37 (Time), 49 (TACACS), 53 (DNS), 67 and 68 (BOOTP/DHCP), 69 (TFTP), 137 and 138 (NetBIOS name and datagram service)
(config)# ip forward-protocol udp [port]   - adds a port; "no ip forward-protocol udp port" removes one. The helper forwards all of the defaults, so prune the list on segments where only DHCP is needed.
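The DORA exchange, the excluded-address rule and the relay agent's giaddr handling above, as one added example constructed for these notes (it is not IOS code and not a production DHCP implementation). The messages are encoded in the real RFC 2131 wire format, but the server, relay and client are plain in-memory objects; pool selection by giaddr is reduced to a single pool, and the addresses, MAC addresses and transaction ID are made up.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# Constructed example: RFC 2131 encoding plus an in-memory server, relay and client.
MAGIC = b"\x63\x82\x53\x63"                      # DHCP option cookie
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
OPT_ROUTER, OPT_DNS, OPT_REQ_IP, OPT_LEASE, OPT_MSG, OPT_SERVER_ID = 3, 6, 50, 51, 53, 54
FIXED = "!BBBBIHH4s4s4s4s16s64s128s"             # BOOTP fixed header, 236 bytes


def build(op, xid, chaddr, options, yiaddr="0.0.0.0", giaddr="0.0.0.0", hops=0):
    """Encode a DHCP message: fixed header, magic cookie, TLV options, end marker."""
    mac = bytes.fromhex(chaddr.replace(":", ""))
    fixed = struct.pack(FIXED, op, 1, 6, hops, xid, 0, 0x8000,   # htype 1 = Ethernet, broadcast flag
                        b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4,
                        IPv4Address(giaddr).packed, mac.ljust(16, b"\0"),
                        b"\0" * 64, b"\0" * 128)
    tlv = b"".join(bytes([t, len(v)]) + v for t, v in options.items())
    return fixed + MAGIC + tlv + b"\xff"


def parse(msg):
    """Decode the fixed fields and the options; rejects anything without the cookie."""
    f = struct.unpack(FIXED, msg[:236])
    if msg[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(msg) and msg[i] != 0xFF:
        if msg[i] == 0:                          # pad option has no length byte
            i += 1
            continue
        t, n = msg[i], msg[i + 1]
        opts[t] = msg[i + 2:i + 2 + n]
        i += 2 + n
    return {"op": f[0], "hops": f[3], "xid": f[4], "yiaddr": str(IPv4Address(f[8])),
            "giaddr": str(IPv4Address(f[10])),
            "chaddr": ":".join(f"{b:02x}" for b in f[11][:6]), "opts": opts}


def relay(raw, relay_if_ip):
    """What 'ip helper-address' does to the packet: bump hops and fill giaddr with the
    receiving interface's address unless an earlier relay already set it."""
    pkt = bytearray(raw)
    pkt[3] += 1                                   # hops
    if pkt[24:28] == b"\0\0\0\0":                 # giaddr
        pkt[24:28] = IPv4Address(relay_if_ip).packed
    return bytes(pkt)


class DhcpServer:
    """One pool, like 'ip dhcp pool' with network/default-router/dns-server/lease
    and 'ip dhcp excluded-address'. Pool selection by giaddr is left out."""
    def __init__(self, server_ip, network, excluded, router, dns, lease=86400):
        self.ip, self.router, self.dns, self.lease = server_ip, router, dns, lease
        ex = [(IPv4Address(lo), IPv4Address(hi)) for lo, hi in excluded]
        self.free = [a for a in IPv4Network(network).hosts()
                     if not any(lo <= a <= hi for lo, hi in ex)]
        self.offered, self.bindings = {}, {}      # chaddr -> IPv4Address

    def _opts(self, mtype):
        return {OPT_MSG: bytes([mtype]), OPT_SERVER_ID: IPv4Address(self.ip).packed,
                OPT_ROUTER: IPv4Address(self.router).packed,
                OPT_DNS: IPv4Address(self.dns).packed, OPT_LEASE: struct.pack("!I", self.lease)}

    def handle(self, raw):
        m = parse(raw)
        mac, mtype, giaddr = m["chaddr"], m["opts"][OPT_MSG][0], m["giaddr"]
        if mtype == DISCOVER:
            if mac in self.bindings:
                addr = self.bindings[mac]
            elif mac in self.offered:
                addr = self.offered[mac]
            elif self.free:
                addr = self.free.pop(0)
            else:
                raise RuntimeError("pool exhausted")
            self.offered[mac] = addr
            return build(2, m["xid"], mac, self._opts(OFFER), yiaddr=str(addr), giaddr=giaddr)
        if mtype == REQUEST:
            addr, wanted = self.offered.pop(mac, None), m["opts"].get(OPT_REQ_IP)
            if addr is None or wanted is None or addr != IPv4Address(wanted):
                return build(2, m["xid"], mac, {OPT_MSG: bytes([NAK]),
                             OPT_SERVER_ID: IPv4Address(self.ip).packed}, giaddr=giaddr)
            self.bindings[mac] = addr
            return build(2, m["xid"], mac, self._opts(ACK), yiaddr=str(addr), giaddr=giaddr)
        raise ValueError(f"unhandled DHCP message type {mtype}")


def dora(server, relay_if_ip, mac, xid=0x3903F326):
    """Client side of the four-step exchange through a relay; returns the ACKed lease."""
    discover = build(1, xid, mac, {OPT_MSG: bytes([DISCOVER])})
    offer = parse(server.handle(relay(discover, relay_if_ip)))
    request = build(1, xid, mac, {OPT_MSG: bytes([REQUEST]),
                                  OPT_REQ_IP: IPv4Address(offer["yiaddr"]).packed,
                                  OPT_SERVER_ID: offer["opts"][OPT_SERVER_ID]})
    ack = parse(server.handle(relay(request, relay_if_ip)))
    if ack["opts"][OPT_MSG][0] != ACK:
        raise RuntimeError("server NAKed the request")
    return {"ip": ack["yiaddr"], "router": str(IPv4Address(ack["opts"][OPT_ROUTER])),
            "dns": str(IPv4Address(ack["opts"][OPT_DNS])),
            "lease": struct.unpack("!I", ack["opts"][OPT_LEASE])[0], "giaddr": ack["giaddr"]}


if __name__ == "__main__":
    srv = DhcpServer("10.0.0.5", "192.168.10.0/24", [("192.168.10.1", "192.168.10.9")],
                     router="192.168.10.1", dns="192.168.10.8")
    print(dora(srv, "192.168.10.1", "00:0c:29:aa:bb:cc"))
```

The first lease comes out as 192.168.10.10 because .1 to .9 are excluded, and the ACK carries giaddr 192.168.10.1, the relay interface, so a real server would route the reply back through the relay rather than to the client directly. A REQUEST for an address the server never offered gets a NAK, which is the check a rogue or confused client trips over.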
Certain Windows clients have a feature called Automatic Private IP Addressing (APIPA). With this feature, a Windows computer can automatically assign itself an IP address in the 169.254.x.x range in the event that a DHCP server is not available or does not exist on the network.

Private and Public IP addressing
All public Internet addresses must be registered with a Regional Internet Registry (RIR):
 - ARIN - North America
 - RIPE NCC - Europe, the Middle East and parts of Central Asia
 - APNIC - Asia and Oceania
 - LACNIC - Latin America
 - AfriNIC - Africa

RFC 1918 specifies that private addresses are not to be routed over the Internet ( "non-routable" ):
- class A 10.0.0.0/8  (10.0.0.0 - 10.255.255.255)
- class B 172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
- class C 192.168.0.0/16 (192.168.0.0 - 192.168.255.255)

Cisco NAT

NAT conserves public IP addresses by letting networks use private IP addresses internally:
 - Inside local address - the address of an inside host as seen on the inside network; usually not an address assigned by a RIR or service provider, most likely an RFC 1918 private address (e.g. 192.168.10.10).
 - Inside global address - the valid public address the inside host is represented by once its traffic leaves the NAT router (e.g. 209.165.200.226).
 - Outside global address - the valid public IP address of a host on the Internet, as seen on the outside network (e.g. 209.165.201.1).
 - Outside local address - the address of that outside host as seen on the inside network. In most situations it is identical to the outside global address of the same device.

When you are trying to figure out the name for an IP address, Inside Local / Inside Global / Outside Local / Outside Global, just keep this in mind :
1:  Local or Global refers to the current location of the packet.
2:  Inside or Outside refers to the location of the device.
https://supportforums.cisco.com/docs/DOC-8526

NAT overloading (also called Port Address Translation, PAT) maps many private IP addresses to a single public IP address (or a few). This is what most home routers do. Each inside address:port pair is tracked by the source port number the router assigns to it.

Plain NAT translates addresses 1:1 between publicly exposed and privately held IP addresses. NAT overload rewrites both the private source IP address and the source port; the NAT router chooses the port number that hosts on the public network see (it keeps the original source port when that port is still free on the inside global address and picks another one otherwise).

NAT Benefits
Conserves the legally registered addressing scheme
Increases the flexibility of connections to the public network
Provides consistency for internal network addressing schemes.
Provides some network security: inside addresses are hidden, and inbound packets that match no translation entry are dropped. This is obscurity plus a side effect of the translation table, not access control; an inbound ACL or stateful firewall is still required, and every static translation or port forward is a permanent hole through it.

NAT Drawbacks
Performance is degraded
End-to-end functionality is degraded
End-to-end IP traceability is lost
Tunneling is more complicated
Initiating TCP connections can be disrupted
Architectures need to be rebuilt to accommodate changes

Configure static NAT:
Router(config)#ip nat inside source static local-ip global-ip
Router(config)#interface type number
Router(config-if)#ip nat inside
Router(config)#interface type number
Router(config-if)#ip nat outside
Configure dynamic NAT:
Router(config)#ip nat pool name start-ip end-ip {netmask netmask|prefix-length prefix-length}
! The netmask or prefix-length keyword indicates which address bits belong to the network and which bits belong to the host for the range of addresses.
Router(config)#access-list access-list-number permit source [source-wildcard]

(defines which addresses can be translated)

Router(config)#ip nat inside source list access-list-number pool name
Router(config)#interface type number
Router(config-if)#ip nat inside
Router(config)#interface type number
Router(config-if)#ip nat outside
Example:
ip nat pool NAT-POOL1 209.165.200.226 209.165.200.240 netmask 255.255.255.224
access-list 1 permit 192.168.0.0 0.0.255.255
ip nat inside source list 1 pool NAT-POOL1
int ser 0/0
  ip nat outside
int fa 0/0
  ip nat inside

Port Forwarding
Sometimes referred to as tunneling, it forwards a network port from one network node to another. This lets an external user reach a port on a private IP address (inside a LAN) from the outside through a NAT-enabled router. www.portforward.com
ip nat inside source static {tcp|udp} local-ip local-port global-ip global-port [extendable]
! extendable keyword - applied automatically; it allows several ambiguous static translations that share the same local or global address (e.g. one public address forwarded to different inside hosts on different ports). Each such entry is reachable from any source on the Internet, so pair it with an inbound ACL on the outside interface.
Example
ip nat inside source static tcp 192.168.10.254 80 209.165.200.225 8080
int ser 0/0
  ip nat outside
int fa 0/0
  ip nat inside

Example config NAT overload
!
ROUTER1(config)#interface fa0/0
ROUTER1(config-if)#ip nat inside
!
ROUTER1(config)#interface s0/0
ROUTER1(config-if)#ip nat outside
!
ROUTER1(config)#access-list 1 permit 192.168.6.64 0.0.0.63
ROUTER1(config)#ip nat pool myip 198.18.32.65 198.18.32.70 netmask 255.255.255.248
ROUTER1(config)#ip nat inside source list 1 pool myip overload
!
ROUTER1(config)#do sh ip nat tran
Pro  Inside global     Inside local       Outside local      Outside global
icmp 198.18.32.65:1    192.168.6.66:1     192.0.2.114:1      192.0.2.114:1
icmp 198.18.32.65:2    192.168.6.66:2     192.0.2.114:2      192.0.2.114:2
icmp 198.18.32.65:3    192.168.6.66:3     192.0.2.114:3      192.0.2.114:3
icmp 198.18.32.65:4    192.168.6.66:4     192.0.2.114:4      192.0.2.114:4
icmp 198.18.32.65:10   192.168.6.67:10    192.0.2.114:10     192.0.2.114:10
icmp 198.18.32.65:11   192.168.6.67:11    192.0.2.114:11     192.0.2.114:11
icmp 198.18.32.65:12   192.168.6.67:12    192.0.2.114:12     192.0.2.114:12
!
ROUTER1(config)#do sh ip nat  statistics
Total translations: 87 (0 static, 87 dynamic, 87 extended)
Outside Interfaces: Serial0/1/0
Inside Interfaces: FastEthernet0/0

Hits: 440  Misses: 440
Expired translations: 353
Dynamic mappings:
-- Inside Source
access-list 1 pool myip refCount 87
 pool myip: netmask 255.255.255.248
       start 198.18.32.65 end 198.18.32.70

       type generic, total addresses 6 , allocated 1 (16%), misses 0
!

Verify NAT commands
show ip nat translations
show ip nat translations verbose
show ip nat statistics
clear ip nat translation *

Other NAT Info
NAT Quick Facts (POSTER)
https://dl-web.dropbox.com/get/Public/CCNA/NAT.pdf?w=AACNJWKeJCTblLn1lVrSUeeH_0N7lPyZ9tJ1_q1Hex38Wg

NAT Lab in Packet Tracer
http://dl.dropbox.com/u/61785248/CCNA/LAB-CCNA-NAT-Sim.zip

The trouble with NAT @ cisco.com
 - http://www.cisco.com/web/about/ac123/ac147/ac174/ac182/about_cisco_ipj_archive_article09186a00800c83ec.html

- http://en.wikipedia.org/wiki/Network_Address_and_Port_Translation

NAT main issue:
- Internet hosts cannot initiate connections to hosts behind the NAT unless a translation entry for them (a static one, or a dynamic one created by earlier outbound traffic) already exists in the NAT table.
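A model of the three behaviours described in this NAT part of the notes (overload tracking each inside host by source port, a static port forward, and inbound packets being dropped when no entry exists), written as an added example for these notes; it is not IOS code and does not claim to reproduce IOS port-selection exactly. The addresses are reused from the overload example above; the class and method names are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One packet's 5-tuple; equality on all fields so translations can be compared."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    """Constructed model of 'ip nat inside source list <acl> pool <pool> overload' with a
    one-address pool, plus 'ip nat inside source static {tcp|udp} ...' port forwarding."""
    def __init__(self, inside_global, inside_prefixes):
        self.inside_global = inside_global
        self.acl = [ip_network(p) for p in inside_prefixes]   # who may be translated
        self.used = set()      # (proto, global port) already in use on inside_global
        self.port_of = {}      # (proto, inside ip, inside port) -> global port
        self.table = {}        # (proto, global port, outside ip, outside port) -> (inside ip, inside port)
        self.static = {}       # (proto, global port) -> (inside ip, inside port)

    def add_port_forward(self, proto, global_port, local_ip, local_port):
        """'ip nat inside source static <proto> local_ip local_port inside_global global_port'."""
        self.static[(proto, global_port)] = (local_ip, local_port)
        self.used.add((proto, global_port))

    def _alloc_port(self, proto, wanted):
        """Keep the inside host's source port when it is free, else take the next free one."""
        if (proto, wanted) not in self.used:
            port = wanted
        else:
            port = next(p for p in range(1024, 65536) if (proto, p) not in self.used)
        self.used.add((proto, port))
        return port

    def outbound(self, f):
        """Inside -> outside: rewrite source ip:port and record an extended entry."""
        if not any(ip_address(f.src_ip) in n for n in self.acl):
            return f                                           # ACL miss: forwarded untranslated
        key = (f.proto, f.src_ip, f.src_port)
        if key not in self.port_of:
            self.port_of[key] = self._alloc_port(f.proto, f.src_port)
        gport = self.port_of[key]
        self.table[(f.proto, gport, f.dst_ip, f.dst_port)] = (f.src_ip, f.src_port)
        return Flow(f.proto, self.inside_global, gport, f.dst_ip, f.dst_port)

    def inbound(self, f):
        """Outside -> inside: None means the packet is dropped (no translation entry)."""
        if f.dst_ip != self.inside_global:
            return None
        if (f.proto, f.dst_port) in self.static:               # port forward: any source may hit it
            lip, lport = self.static[(f.proto, f.dst_port)]
            return Flow(f.proto, f.src_ip, f.src_port, lip, lport)
        entry = self.table.get((f.proto, f.dst_port, f.src_ip, f.src_port))
        if entry is None:
            return None                                        # unsolicited: no entry, dropped
        lip, lport = entry
        return Flow(f.proto, f.src_ip, f.src_port, lip, lport)

    def translations(self):
        """Rows in the column order of 'show ip nat translations'."""
        rows = [(p, f"{self.inside_global}:{gp}", f"{lip}:{lp}", f"{oip}:{op}", f"{oip}:{op}")
                for (p, gp, oip, op), (lip, lp) in self.table.items()]
        rows += [(p, f"{self.inside_global}:{gp}", f"{lip}:{lp}", "---", "---")
                 for (p, gp), (lip, lp) in self.static.items()]
        return rows


if __name__ == "__main__":
    r = PatRouter("198.18.32.65", ["192.168.6.64/26"])
    r.add_port_forward("tcp", 8080, "192.168.6.70", 80)
    r.outbound(Flow("tcp", "192.168.6.66", 51000, "192.0.2.114", 443))
    r.outbound(Flow("tcp", "192.168.6.67", 51000, "192.0.2.114", 443))
    for row in r.translations():
        print(*row, sep="  ")
```

The second inside host asks for the same source port 51000, so it is given a different global port; the reply to the first host is translated back because its extended entry matches, a packet from a stranger to the same global port is dropped, and the port forward on 8080 is reachable from anywhere, which is exactly why a port forward needs an ACL in front of it.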

NAT and FAST PATH:



IPv6

IPv6 basics + testing with Windows7 - http://sclabs.blogspot.com/2011/05/ipv6-basics.html

IPv4 address space provides 2^32 = 4,294,967,296 unique addresses. Of these only about 3.7 billion are assignable, because the IPv4 addressing system separates the addresses into classes and reserves ranges for multicasting, testing and other specific uses.

IPv4: 4 octets
11000000.10101000.00001010.01100101
192.168.10.101
4,294,967,296 (2^32) IP addresses

IPv6: 16 octets
10100101.00100100.01110010.11010011.00101100.10000000.11011101.00000010.00000000.00101001.11101100.01111010.00000000.00101011.11101010.01110011
A524:72D3:2C80:DD02:0029:EC7A:002B:EA73
about 3.4 x 10^38 (2^128) IP addresses


An IPv6 address is a 128-bit binary value, displayed as 32 hexadecimal digits
organized into eight groups (quartets) of 4 hex digits separated by colons ":".

IPv6 prefix - a block of consecutive IPv6 addresses, written address/prefix-length; the prefix-length is the number of leading bits that identify the block (e.g. 2001:DB8::/32).

IPv6 features
Enhanced IP addressing
 - Global reachability and  flexibility
 - Aggregation
 - Multihoming
 - Autoconfiguration
 - Plug-and-play
 - End-to-end without NAT
 - Renumbering

Mobility and security
 - Mobile IP RFC-compliant
 - IPsec support built in (originally mandatory to implement in every IPv6 node; RFC 6434 relaxed that to SHOULD, so do not assume a given stack or peer actually uses it)

Simple header
 - Routing efficiency
 - Performance and forwarding rate scalability
 - No broadcasts (multicast and Neighbor Discovery take their place)
 - No header checksum (the IPv6 header carries none; upper layers still checksum, and the UDP checksum is mandatory in IPv6)
 - Extension headers
 - Flow labels

Transition richness
 - Dual-stack
 - 6to4 and manual tunnels
 - Translation

IPv6 Address Representation
- Leading zeros in a field are optional. For example, the field 09C0 equals 9C0, and the field 0000 equals 0. So 2031:0000:130F:0000:0000:09C0:876A:130B can be written as 2031:0:130F:0000:0000:9C0:876A:130B.
- Successive fields of zeros can be represented as two colons "::". However, this shorthand can be used only once in an address (RFC 5952 applies it to the longest run of zero fields, and never to a single zero field). For example 2031:0:130F:0000:0000:9C0:876A:130B can be written as 2031:0:130F::9C0:876A:130B.
- An unspecified address is written as "::" because it contains only zeros.

IPv6 Global Unicast Address - an IPv6 address that is globally unique and routable
The current global unicast range assigned by IANA is the block whose addresses start with binary 001 (2000::/3), which is 1/8 of the total IPv6 address space and the largest block of assigned addresses.

Reserved Addresses
The IETF reserves a portion of the IPv6 address space for various uses, both present and future. Reserved addresses represent 1/256th of the total IPv6 address space.

Private Addresses - never routed outside of a particular organisation's network:
 1) Site-local addresses are the IPv6 counterpart of RFC 1918 addresses. In hexadecimal they begin with "FE" and then "C" to "F" for the third hexadecimal digit (FEC0::/10). They were deprecated by RFC 3879; unique local addresses (FC00::/7, RFC 4193) replace them.

 2) Link-local addresses have a smaller scope than site-local addresses; they refer only to a particular physical link (network segment). Routers do not forward datagrams sourced from or destined to link-local addresses at all, not even within the organisation; they are only for communication on that segment. They are used for automatic address configuration, neighbor discovery and router discovery, and many IPv6 routing protocols use them as next-hop addresses. Link-local addresses begin with "FE" and then have a value from "8" to "B" for the third hexadecimal digit (FE80::/10).

Loopback Address
- in IPv6 there is just one address ( 0:0:0:0:0:0:0:1 or "::1" ); it lives on the loopback interface only and must never be assigned to a physical interface.
Every IPv6-enabled interface has at least one link-local address (plus whatever global or unique-local addresses it is given).

Unspecified Address - means "no address"; a device uses it as the source address while it does not yet have one (duplicate address detection, the first DHCPv6 message). It is never a valid destination.
(0:0:0:0:0:0:0:0 or "::" )

0:0:0:0:0:0:0:0 (or ::)      unspecified; source address while the host has no address yet (DAD, DHCPv6 solicit); IPv4 equivalent 0.0.0.0
0:0:0:0:0:0:0:1 (or ::1)     loopback / localhost; IPv4 equivalent 127.0.0.1
0:0:0:0:0:0:192.168.0.1      IPv4-compatible IPv6 address for mixed IPv4/IPv6 environments (deprecated by RFC 4291); the IPv4-mapped form ::FFFF:192.168.0.1 is what dual-stack sockets use today
2000::/3                     Global unicast range
FC00::/7                     Unique local unicast range (RFC 4193; replaces site-local FEC0::/10)
FE80::/10                    Link-local unicast range
FF00::/8                     Multicast range
3FFF:FFFF::/32               Examples and documentation
2001:0DB8::/32               Examples and documentation (RFC 3849)
2002::/16                    6to4 transition

IPv6 addresses use interface identifiers to identify interfaces on a link; think of them as the host portion of an IPv6 address. Interface identifiers must be unique on a specific link. They are 64 bits long for all unicast addresses except those that start with binary 000, and can be derived dynamically from a Layer 2 (MAC) address or generated randomly.

You can assign an IPv6 interface ID statically or dynamically:
Static assignment using a manual interface ID
ipv6 address ipv6-address/prefix-length
RouterX(config-if)#ipv6 address 2001:DB8:2222:7272::72/64
Static assignment using an EUI-64 interface ID - configure the prefix (network) portion of the IPv6 address and derive the interface ID (host) portion from the Layer 2 MAC address of the device. The modified EUI-64 (Extended Unique Identifier) interface ID is built by inserting FFFE between the OUI (first 24 bits) and the device-specific part (last 24 bits) of the 48-bit MAC and flipping the universal/local bit (bit 7 of the first byte). Because the MAC is embedded, the host can be recognised across networks; RFC 4941 privacy extensions and RFC 7217 stable opaque IDs exist for that reason.
RouterX(config-if)# ipv6 address ipv6-prefix/prefix-length eui-64
RouterX(config-if)# ipv6 address 2001:DB8:2222:7272::/64 eui-64
Stateless autoconfiguration (SLAAC) - the host learns the /64 prefix from a Router Advertisement and builds the interface ID itself (EUI-64 or a random ID).
Enables plug-and-play networking of devices and reduces administration overhead.
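The EUI-64 derivation above (FFFE insertion and the U/L bit flip), its use for the link-local address, and the reverse step that shows why an EUI-64 address leaks the MAC, as an added example for these notes (not IOS code). The prefix is the one from the notes; the MAC address and function names are made up.

```python
from ipaddress import IPv6Address, IPv6Network


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291 App. A): split the 48-bit MAC into OUI and device part,
    insert FF:FE between them, then flip the universal/local bit (0x02 of byte 0)."""
    m = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(m) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> str:
    """What 'ipv6 address <prefix>/64 eui-64' produces for an interface with this MAC."""
    net = IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a /64 prefix")
    return str(IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac)))


def link_local(mac: str) -> str:
    """The FE80::/64 address every IPv6-enabled interface derives by default."""
    return eui64_address("fe80::/64", mac)


def mac_from_eui64(addr: str):
    """Reverse the derivation. Returns None when the interface ID is not EUI-64 shaped
    (e.g. a manually set ID or an RFC 4941 privacy address), otherwise the MAC: this is
    the tracking property that privacy extensions were introduced to remove."""
    iid = bytearray(IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    mac = "00:0c:29:5c:1a:7e"                     # constructed MAC (VMware OUI)
    print(eui64_address("2001:DB8:2222:7272::/64", mac))
    print(link_local(mac))
    print(mac_from_eui64(link_local(mac)))
```

The global and link-local addresses share the same interface ID, so a host that uses EUI-64 is identifiable by that ID on every network it joins; that is the argument for privacy or stable-opaque IDs on client devices, while EUI-64 remains convenient on infrastructure where a predictable address is wanted.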

DHCP for IPv6 (DHCPv6) - DHCPv6 enables DHCP servers to pass configuration parameters, such as IPv6 network addresses, to IPv6 nodes.

IPv6 Transition Strategies
Dual Stack - node has implementation and connectivity to both an IPv4 and IPv6 network.
Tunneling - an integration method in which an IPv6 packet is encapsulated within another protocol, such as IPv4. With IPv4 encapsulation the tunnel packet is a 20-byte IPv4 header (no options) followed by the IPv6 header and payload.
a) Manual IPv6-over-IPv4 tunneling - An IPv6 packet is encapsulated within the IPv4 protocol. This method requires dual-stack routers.
b) Dynamic 6to4 tunneling - Automatically establishes the connection of IPv6 islands through an IPv4 network, typically the Internet.
c) Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) - Automatic overlay tunneling mechanism that uses the underlying IPv4 network as a link layer for IPv6.
d) Teredo tunneling - An IPv6 transition technology that provides host-to-host automatic tunneling instead of gateway tunneling.
e) NAT-Protocol Translation (NAT-PT) - translates between IPv6 and IPv4 headers (deprecated by RFC 4966; NAT64 is its successor).


Configure IPv6
RouterX(config)#ipv6 unicast-routing
RouterX(config-if)#ipv6 address ipv6prefix/prefix-length eui-64
Cisco IOS IPv6 name resolution:
 - static - define a static name for an IPv6 address
RouterX(config)#ipv6 host name [port] ipv6addr [{ipv6addr} ...]
RouterX(config)#ipv6 host router1 3ffe:b00:ffff:b::1
 - dynamic - specify the DNS server used by the router
RouterX(config)#ip name-server address
RouterX(config)#ip name-server 3ffe:b00:ffff:1::10
Configure RIPng with IPv6
RouterX(config)#ipv6 router rip name
RouterX(config-if)#ipv6 rip name enable

Multicast IPv6 
IPv6 Multicast Address Space Registry link

Node-Local Scope Multicast Addresses
FF01:0:0:0:0:0:0:1    All Nodes Address
FF01:0:0:0:0:0:0:2   All Routers Address

Link-Local Scope Multicast Addresses
FF02:0:0:0:0:0:0:1   All Nodes Address
FF02:0:0:0:0:0:0:2   All Routers Address
FF02:0:0:0:0:0:0:5   OSPFv3 all routers (AllSPFRouters)
FF02:0:0:0:0:0:0:6   OSPFv3 designated routers (AllDRouters)
FF02:0:0:0:0:0:0:8   IS-IS for IPv6
FF02:0:0:0:0:0:0:9   RIPng routers
FF02:0:0:0:0:0:0:A   EIGRP routers

IPv6 Routing Protocols
* RIPng is enabled on each interface separately


Data link layers supported by Cisco IOS for IPv6 include:
- PPP
- Frame Relay PVC