Thursday, February 28, 2013

IP Services Notes.

IP Services.

ARP: IP to MAC.
RARP: MAC to IP.
Proxy ARP: IP to MAC.

ARP messages do not include an IP header, even though they carry source and destination IP addresses. An ARP request lists a destination of 255.255.255.255.

ARP Ethertype is 0x0806.
IP Ethertype is 0x0800.

Proxy ARP uses the same message as ARP, but the ARP request is actually asking for the MAC address of a host that is not on the local subnet.

RARP, BOOTP, DHCP.

All three work following this logic:

-Client broadcast.
-Server Responds.
-Server assigns IP.

RARP uses ARP messages, but the RARP request lists the client's own MAC address as the target hardware address and a target IP address of 0.0.0.0.

A RARP server does a table lookup and assigns the IP address mapped to that MAC address.
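The following Python parser is an added example, not part of the original notes: it classifies constructed Ethernet frames by Ethertype and decodes the ARP and RARP request shapes described above. It assumes the RARP Ethertype 0x8035 (RFC 903), which the notes do not mention; the MAC and IP addresses in the sample frames are constructed.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_IP = 0x0800    # from the notes above
ETHERTYPE_ARP = 0x0806   # from the notes above
ETHERTYPE_RARP = 0x8035  # RFC 903; assumed, not listed in the notes
ARP_OPCODES = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(body):
    """Decode the 28-byte Ethernet/IPv4 ARP body (RARP uses the same layout).
    The IP addresses live inside the ARP body: there is no IP header."""
    if len(body) < 28:
        raise ValueError("ARP body too short")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", body[:8])
    if htype != 1 or ptype != ETHERTYPE_IP or hlen != 6 or plen != 4:
        raise ValueError("unsupported ARP hardware/protocol types")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", body[8:28])
    return {
        "opcode": oper,
        "kind": ARP_OPCODES.get(oper, "unknown ARP opcode"),
        "sender_mac": mac_str(sha), "sender_ip": str(IPv4Address(spa)),
        "target_mac": mac_str(tha), "target_ip": str(IPv4Address(tpa)),
    }


def parse_frame(frame):
    """Classify an Ethernet II frame by its Ethertype and decode ARP/RARP bodies."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": etype}
    if etype == ETHERTYPE_IP:
        info["kind"] = "IPv4"            # an IP header follows; not decoded here
    elif etype in (ETHERTYPE_ARP, ETHERTYPE_RARP):
        info.update(parse_arp(frame[14:]))
    else:
        info["kind"] = "other"
    return info


def is_rarp_self_request(info):
    """The RARP request shape from the notes: the client names its own MAC as the
    target hardware address and 0.0.0.0 as the target IP."""
    return (info.get("opcode") == 3
            and info["sender_mac"] == info["target_mac"]
            and info["target_ip"] == "0.0.0.0")


def build_frame(dst, src, etype, oper, sha, spa, tha, tpa):
    """Build a constructed ARP/RARP frame for the demonstration below."""
    body = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IP, 6, 4, oper,
                       sha, IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)
    return struct.pack("!6s6sH", dst, src, etype) + body


# Constructed sample frames (addresses are made up for the example).
HOST_MAC = bytes.fromhex("001122334455")
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6
ARP_REQUEST = build_frame(BROADCAST, HOST_MAC, ETHERTYPE_ARP, 1,
                          HOST_MAC, "10.1.1.10", ZERO_MAC, "10.1.1.1")
RARP_REQUEST = build_frame(BROADCAST, HOST_MAC, ETHERTYPE_RARP, 3,
                           HOST_MAC, "0.0.0.0", HOST_MAC, "0.0.0.0")

if __name__ == "__main__":
    for frame in (ARP_REQUEST, RARP_REQUEST):
        info = parse_frame(frame)
        print(f"{info['kind']}: {info['sender_ip']} -> {info['target_ip']}",
              "(client asking for its own IP)" if is_rarp_self_request(info) else "")
```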

BOOTP uses different messages, encapsulated in IP and UDP headers.

BOOTP also assigns:

-Subnet mask.
-Default gateway.
-DNS addresses.

Note: BOOTP requires static definitions on Server.

DHCP is dynamic.

[ip helper-address 10.1.2.202] is used to forward DHCP messages across different subnets.

Steps for configuring a Cisco router as DHCP server:

-Configure a DHCP pool.
-Configure the router to exclude its own IP address from the pool.
-Disable conflict logging or configure a DHCP database agent.

DHCP pool includes:

-Subnet.
-Default Gateway.
-Lease time.
-DNS domain.
-DHCP options.

The command [ip dhcp excluded-address] is used to exclude addresses from the pool.

[no ip dhcp conflict-logging] is used to disable conflict logging.

[ip dhcp database] is used to configure a DHCP database agent.

Sample DHCP configuration.

int f0/0
ip add 10.1.1.1 255.255.255.0
ip helper-address 10.1.2.202 -----> UDP broadcasts will be forwarded as unicast to 10.1.2.202; the source will be changed to 10.1.1.255.
!
ip dhcp excluded-address 10.1.1.0 10.1.1.20
!
ip dhcp pool subnet1
network 10.1.1.0 255.255.255.0
dns-server 10.1.2.203
default-router 10.1.1.1
lease 0 0 20

NAT.

Defined in RFC 1631.

Translates private IP addresses (RFC 1918) to public IP addresses (Internet-routable addresses).

Inside local: private ranges (the inside enterprise addressing scheme).
Inside global: public IP addresses, mapped to the inside local addresses.

Static NAT sample:

int f0/0
ip add 10.1.1.3 255.255.255.0 -----> Inside local.
ip nat inside
!
int s0/0
ip add 200.1.1.251 255.255.255.0 -----> Inside global.
ip nat outside
!
ip nat inside source static 10.1.1.2 200.1.1.2
ip nat inside source static 10.1.1.1 200.1.1.1

The router examines each packet coming in through the LAN interface and translates it accordingly. It also examines packets coming in through int s0/0.

When static outside addresses are used, the router also looks at the destination IP address (from inside to outside), and at the source address (from outside to inside).

Dynamic NAT.

Creates one-to-one mappings between inside local and inside global addresses, using a pool of defined addresses.

Dynamic NAT (Overloading/PAT).

PAT works by making large numbers of TCP and UDP flows from many inside local hosts appear to be the same number of flows from one host's inside global address. With PAT, port numbers are also translated. Because the port number field is 16 bits long, about 65,000 concurrent TCP/UDP flows can be supported.

Commands used to configure and verify dynamic NAT and dynamic NAT with PAT:

ip nat pool POOL1 200.1.1.1 200.1.1.2 netmask 255.255.255.252
ip nat inside source list 1 pool POOL1
access-list 1 permit 10.1.1.0 0.0.0.255
ip nat inside source list 1 pool POOL1 overload

Verification commands.

-[show ip nat statistics].
-[show ip nat translations].
-[clear ip nat translations *].
-[debug ip nat].


HSRP, VRRP, GLBP.

HSRP allows multiple routers to share a virtual IP and MAC address.

HSRP features.

-Virtual IP (must be on the same subnet as the router's LAN interface) and virtual MAC (active on the active router).
-The standby router listens to hello messages from the active router (3-second hello, 10-second dead interval by default).
-The highest priority determines the active router, with preemption disabled by default (IOS default priority 100, range 1-255).
-Supports object tracking.
-255 HSRP groups per interface.
-Virtual MAC of 0000.0C07.ACxx (xx is the HSRP group number in hex).
-Clear-text and MD5 authentication (via a key chain).

Sample HSRP config.

track 13 interface s0/0.1 line-protocol
!
int f0/0
ip add 10.1.1.2 255.255.255.0
standby 21 ip 10.1.1.21 -----> (Virtual IP, group 21).
standby 21 priority 105 -----> (Priority for group 21).
standby 21 preempt -----> (Enabling preemption).
standby 21 track 13 -----> (Group 21 association to track object 13).
standby 22 ip 10.1.1.22 -----> (Virtual IP, group 22).
standby 22 track 13 -----> (Group 22 association to track object 13).

Second Router:

track 23 interface s0/0.1 line-protocol
!
int f0/0
ip add 10.1.1.1 255.255.255.0
standby 21 ip 10.1.1.21
standby 21 track 23
standby 22 ip 10.1.1.22
standby 22 priority 105
standby 22 track 23 decrement 9 -----> (Group 22 association to track object 23, decrementing the priority by 9 when the condition is met).

Verification commands.

[show standby f0/0].
[debug standby].

MHSRP (Multiple HSRP).

Two or more groups are configured on each HSRP LAN interface, where the configured priority determines which router will be active for each HSRP group.

VRRP (RFC 3768).

Cisco VRRP implementation features:

-VRRP uses a multicast virtual MAC (0000.5E00.01xx, where xx is the VRRP group number in hex).
-VRRP supports object tracking (IOS mechanism).
-VRRP defaults to using preemption.
-The VRRP master is the equivalent of the HSRP active router.
-The VRRP group IP address is the interface IP address of one of the VRRP routers.

GLBP.

-Cisco proprietary.
-Hosts point to a single default gateway IP address, but GLBP causes different hosts to send their traffic to one of up to four routers in a GLBP group.
-The AVG (Active Virtual Gateway) assigns each router in the group a unique virtual MAC address with the format 0007.B400.XXYY (XX is the GLBP group number, YY is a different number for each router: 01, 02, 03, 04).
-When a client ARPs for the (virtual) IP of its default gateway, the GLBP AVG replies with one of the four possible virtual MACs.
-1024 GLBP groups, four routers per GLBP group.


NTP (RFC 1305).

Cisco routers and switches can be configured for the following modes:

-NTP client.
-NTP server.
-NTP symmetric active mode (the router/switch mutually syncs with another NTP host).

Sample four-router NTP config.

-R1: NTP server.
-R2: NTP static client.
-R3: NTP broadcast.
-R4: NTP symmetric active mode.

R1:
int f0/0
ntp broadcast -----> (Broadcast NTP updates on that interface).
ntp authentication-key 1 md5 1514190900 7
ntp authenticate
ntp trusted-key 1
ntp master 7

Note: this is show run output.

R2:
ntp authentication-key 1 md5 1545626723 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17208144 -----> (Added automatically as part of the sync process; it should never be entered manually).
ntp server 10.1.1.1

R3:
ntp broadcast client -----> (Broadcast client).

R4:
ntp authentication-key 1 md5 000201300 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 1708233
ntp peer 10.1.1.1 -----> (This command implies symmetric active mode).

Verification commands:

-[show ntp associations].
-[show ntp status].

SNMP

SNMP Concepts.

-SNMP agent
-SNMP manager
-MIB

SNMP Versions.

SNMPv1.
 -SMIv1.
 -Simple authentication with communities.
 -MIB-I originally.

SNMPv2.
 -SMIv2.
 -Removed the requirement for communities.
 -Added GetBulk and Inform messages.
 -Began with MIB-II.

SNMPv2c (RFC 1905).
 -Allowed SNMPv1-style communities with SNMPv2.
 -Otherwise equivalent to SNMPv2.

SNMPv3.
 -Better security.
 -Supports communities.
 -Uses MIB-II.

SNMP protocol messages:

SNMPv1 and SNMPv2 protocol messages define how a manager and an agent, or two managers, communicate information.

SNMP uses UDP. The Response message (sent by the agent) is used both to acknowledge receipt and to supply information.


Get.
 -Response message: Response.
 -Sent by: Manager.
 -Purpose: Request a single variable's value.

GetNext.
 -Response message: Response.
 -Sent by: Manager.
 -Purpose: Request the next single MIB leaf in the MIB tree.

GetBulk.
 -Response message: Response.
 -Sent by: Manager.
 -Purpose: Request multiple consecutive MIB variables with one request.

Response.
 -Response message: None.
 -Sent by: Agent.
 -Purpose: Responds to Get and Set requests.

Set.
 -Response message: Response.
 -Sent by: Manager.
 -Purpose: Tells an agent to set a variable to a certain value.

Trap.
 -Response message: None.
 -Sent by: Agent.
 -Purpose: Sends unsolicited information.

Inform.
 -Response message: Response.
 -Sent by: Manager.
 -Purpose: Used between SNMP managers to allow MIB data to be exchanged.

MIB walk: refers to the process of discovering an agent's entire MIB structure.

MIBs.

-MIB-I (RFC 1156).
-MIB-II (RFC 1213).

SNMPv3 security features.

-MD5 and SHA for authentication.
-DES for encryption.

Sample SNMP config.

-Send traps to 192.168.1.100.
-Send traps for a variety of events to the SNMP manager.
-Set optional information (router chassis ID, contact info and location).
-RW access from 192.168.1.0/24.

access-list 33 permit 192.168.1.0 0.0.0.255
snmp-server community public rw 33
snmp-server location b1
snmp-server contact root.mike13@company.com
snmp-server chassis-id 2511_access_server
snmp-server enable traps snmp
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps bgp
snmp-server enable traps rsvp
snmp-server enable traps frame-relay
snmp-server enable traps rtr
snmp-server host 192.168.1.100 public


Syslog (RFC 5424).

Sends messages (the event log) to a syslog server. Uses UDP port 514 by default. By default it sends all events that enter the event log. It uses clear-text messages.

Steps to configure syslog on a Cisco router:

-Install a syslog server with a fixed IP address.
-Configure the logging process on the router using the [logging host] command.
-Configure severity levels (0-7) using the [logging trap] command.

Web Cache Communication Protocol (WCCP).

-Hosts have no knowledge that the content engine is involved.

-WCCP allows edge routers to communicate with the content engine and permits the router to redirect traffic to the content engine as appropriate.

-WCCP uses UDP port 2048.

-Up to 32 content engines can communicate with a router using WCCPv1.
-When more than one content engine is present, the one with the lowest IP address is elected as the lead engine.

-In WCCPv1 only one router redirects traffic to a content engine (or cluster).
-In WCCPv2, multiple routers and multiple content engines can be configured as a WCCP service group.

-WCCPv1 only supports HTTP traffic (TCP 80).

WCCPv2 features.

-TCP/UDP traffic.
-TCP 80.
-FTP caching.
-FTP proxy.
-RealAudio.
-Video.
-Telephony.
-Permits segmenting caching services.
-Supports multicast.
-Up to 32 routers per cluster.
-MD5 security for WCCP communication.
-Load distribution.

[ip wccp password] is used to configure authentication.
The default version on Cisco routers is WCCPv2.

Sample WCCP config.

[ip wccp web-cache group-address 239.128.1.100 password cisco] -----> Global config.
!
int f0/0
ip wccp web-cache redirect out -----> (Traffic redirection).
int f0/0
ip wccp redirect exclude in -----> (Excluding redirect).

WCCP filtering.

[ip wccp web-cache redirect-list <access-list>] -----> (Global; filters which clients' traffic is redirected).

[ip wccp web-cache group-list <access-list>] -----> (Defines which redirect traffic the router should accept from content engines).

IOS IP SLA.

IP SLA is based on the concept of generating traffic at specified intervals, with specific options, and then measuring the results. It uses a source-responder model.

IP SLA measures the following:

-Delay (one-way and round-trip).
-Jitter (directional).
-Packet loss (directional).
-Packet sequencing.
-Path (hop by hop).
-Connectivity (UDP echo, ICMP echo, ICMP path echo, TCP connect).
-Server/website download time.
-Voice-quality metrics (MOS).

IP SLA implementation steps.

-Configure the SLA operation type.
-Configure threshold conditions.
-Configure the responder.
-Schedule/start/monitor the operation.
-Review results (CLI or SNMP).

IP SLA basic config sample.

conf t
ip sla monitor 1
type udpEcho dest-ipaddr 200.1.200.9 dest-port 1330
frequency 5
exit
!
ip sla monitor schedule 1 life 86400 start-time now

The command [ip sla key-chain] is used to configure MD5 authentication.

Verification commands.

-[show ip sla monitor statistics].
-[show ip sla monitor configuration].

Cisco Netflow.

Netflow components.

-Records (source IP address, destination IP address, source port).
-Flow monitors (applied to an interface).
-Flow Exporters.
-Flow Samplers.

Sample netflow config:

flow exporter ipv4flowexport
destination 192.168.1.110
dscp 8
transport udp 1333
!
flow monitor ipv4flow
description monitors all ipv4 traffic
record netflow ipv4 original-input
cache timeout inactive 600
cache timeout entries 5000
statistics packet protocol
!
int f0/0
ip add 192.168.39.9 255.255.255.0
ip flow monitor ipv4flow input

Verification commands.

-[show flow record].
-[show flow monitor].
-[show flow exporter].
-[show flow interface].

RITE (Router IP Traffic Export).

RITE exports IP packets to a VLAN or LAN interface for analysis. RITE does this only for traffic received on multiple WAN or LAN interfaces simultaneously (DoS attacks).

When RITE is enabled, you configure it to direct the copied packets to the MAC address of the IDS host or protocol analyzer.

You can filter inbound (default), outbound, or both.
You can limit the number of packets forwarded.
Filtering is performed with ACLs.

Sample RITE config:

conf t
ip traffic-export profile export-this
!
int f0/0
bidirectional -----> (Bidirectional RITE).
mac-address 0018.0fad.df30 -----> (IDS MAC address).
incoming sample one-in-every 20
outgoing sample one-in-every 100
exit
!
int f0/0
ip traffic-export apply export-this
end

EEM.

EEM config sample:

event manager applet CLI-CP-NON-ST
event cli pattern "wr" sync yes
action 1.0 syslog msg "$_cli_msg command executed"
action 2.0 set _exit_status 1
end

RMON.

RMON sample config

[rmon event 1 log trap public description fa0.0RisingErrors owner config]

RMON verification commands.

-[show rmon alarms].
-[show rmon events].

FTP.

Commands.

-[ip ftp].
-[ip ftp username].
-[ip ftp password].
-[ip ftp source-interface].

Sample FTP config (sending an exception dump).

ip ftp username joeadmin
ip ftp password cisco
!
exception protocol ftp
exception region-size 65536
exception dump 172.30.19.63

The command [ip ftp passive] sets FTP connections to passive mode.

TFTP server on cisco router.

Sample: 

[tftp-server flash:c1700-advipservicesk9-mz.124-24.bin alias supersecretfile.bin 11]

Secure Copy.

-Is enabled as a service.
-SCP uses SSL (TCP 443).
-SCP requires AAA.
-AAA authorization should be configured with the [exec] option.
-[ip scp server enable] turns on the SCP server.

HTTP/HTTPS access.

-The [ip http server] global config command is used to enable HTTP access.

-HTTP access defaults to TCP port 80.

-The command [ip http port] is used to change the port.

-[ip http access-class] is used to restrict HTTP access.

-The [ip http client username] and [ip http client password] commands are used to set a unique user/password combination.

-Different authentication methods can be configured with [ip http authentication aaa | local | enable | tacacs].

-[ip http secure-server] is used to enable HTTPS.

SSH

Steps to configure ssh:

-Configure a hostname.
-Configure a domain name using [ip domain-name <name>].
-Generate RSA keys using [crypto key generate rsa].
-Configure the terminal lines to permit SSH access using the [transport input ssh] command.

OER and PfR.

PfR is also called Protocol-Independent Routing Optimization (PIRO).

OER extends a router's capabilities to route traffic more optimally.

OER takes into account:

-Packet loss
-Response time
-Path availability
-Traffic load distribution

OER five-phase operation mode:

-Profile: learns the traffic flows that have high latency or high throughput.

-Measure: passively/actively collects traffic performance metrics.

-Apply policy: creates low/high thresholds to define in-policy and out-of-policy (OOP) traffic.

-Control: influences traffic by manipulating routing, or by routing in conjunction with PBR.

-Verify: measures OOP performance and adjusts the policy to bring performance back in-policy.

PfR learns about network performance using the IP SLA and NetFlow features.

PfR device roles.

-MC (Master Controller): decision maker for a cluster of PfR routers.
 -Configured using the [oer master] command.

-BR (Border Router): subordinate to the MC.
 -Configured using the [oer border] command.

A router can be configured as both.

BR and MC routers maintain communication using keepalives.

PfR traffic classes are defined by:

-IP address.
-Protocol.
-Port number.
-DSCP.

Active and passive mode.

Active mode: PfR uses the IP SLA feature. BRs source probes for the MC to measure delay, jitter, reachability, or MOS (mean opinion score).

MOS: calculated using voice-like packets generated by IP SLA to measure jitter, latency, and packet loss.

Passive mode: PfR uses NetFlow information on traffic classes to make decisions.


IP Addressing and IP Forwarding Notes.


IP addressing Core Facts:


-32-bit binary number (/32).
-Dotted decimal notation (10.1.1.2).
-Addresses are assigned to network interfaces.
-A computer with an IP address is an IP host.
-IP hosts not separated by a router are in the same grouping (same network).
-Groupings are called networks, subnets, or prefixes.

Network Classes.

Class | Network/Host bits | Range   | Default mask  | Identifying bits
A     | 8/24              | 1-126   | 255.0.0.0     | 0
B     | 16/16             | 128-191 | 255.255.0.0   | 10
C     | 24/8              | 192-223 | 255.255.255.0 | 110
D     | N/A               | 224-239 | N/A           | 1110
E     | N/A               | 240-255 | N/A           | 1111

Classless IP addressing.

Classless IP addressing ignores the class A, B, and C rules. Each address is viewed as a two-part address: the prefix and the host part.

Zero Subnet and Broadcast Subnet

The following subnets are recommended NOT to be used:

-Zero Subnet.
-Broadcast Subnet.

By default Cisco routers allow using both; to disable this behaviour, use the global command [no ip subnet-zero].

Note: the zero subnet only causes trouble when classful routing protocols are used.

Classless Interdomain Routing.

CIDR is defined in RFCs 1517 through 1520.

CIDR itself refers to the administrative assignment of large address blocks, and the related summarized routes, for the purpose of reducing the size of the Internet routing tables.

Private Addressing.

RFC 1918:
-A: 10.0.0.0 to 10.255.255.255 (1 network).
-B: 172.16.0.0 to 172.31.255.255 (16 networks).
-C: 192.168.0.0 to 192.168.255.255 (256 networks).

These are non-Internet-routable IP addresses (private ranges).

IP Forwarding.

IP Header fields.

-Version -----> (v4, v6).
-Header Length -----> (IP header only).
-DS field -----> (Used for QoS).
-Packet length -----> (Total length, including data).
-Identification -----> (Fragmentation related).
-Flags -----> (3 bits, used in the fragmentation process).
-Fragment offset -----> (Fragmentation related).
-TTL -----> (Time to Live).
-Protocol -----> (Identifies the protocol carried in the data portion of the packet).
-Header Checksum -----> (FCS).
-Source IP address -----> (10.1.1.1).
-Destination IP address -----> (10.1.1.100).
-Optional header fields and padding -----> (Optional).

IP protocol field values.

-ICMP = 1
-TCP = 6
-UDP = 17
-EIGRP = 88
-OSPF = 89
-PIM = 103

IP forwarding (IP routing) is simply the process of receiving an IP packet, deciding where to send the packet next, and then forwarding the packet.
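An added Python example (not from the notes) that parses the header fields listed above, maps the protocol number using the values from the list, and verifies the header checksum; the constructed sample packet uses the 10.1.1.1 and 10.1.1.100 addresses from the list, and the TTL helper assumes a header without options.

```python
import struct
from ipaddress import IPv4Address

# Protocol numbers as listed in the notes above.
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 88: "EIGRP", 89: "OSPF", 103: "PIM"}
HEADER_FMT = "!BBHHHBBH4s4s"     # the 20 fixed bytes of an IPv4 header


def header_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words, returned complemented.
    A header whose checksum field is correct sums to 0 under this function."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                               # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(packet):
    """Split out every field the notes list and verify the header checksum."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, ds, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack(HEADER_FMT, packet[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4                       # header length in bytes
    if version != 4 or ihl < 20 or len(packet) < ihl or total_len < ihl:
        raise ValueError("not a valid IPv4 header")
    header = packet[:ihl]
    return {
        "version": version,
        "header_length": ihl,
        "ds": ds,
        "packet_length": total_len,
        "identification": ident,
        "flags": flags_frag >> 13,                   # 3 bits: reserved, DF, MF
        "fragment_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": IP_PROTOCOLS.get(proto, "other"),
        "header_checksum": csum,
        "checksum_ok": header_checksum(header) == 0,
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "options": header[20:],
    }


def build_ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0x1234, df=True):
    """Constructed header with a correct checksum (no options), for the demo."""
    flags_frag = (0b010 << 13) if df else 0
    fields = [0x45, 0, 20 + payload_len, ident, flags_frag, ttl, proto, 0,
              IPv4Address(src).packed, IPv4Address(dst).packed]
    fields[7] = header_checksum(struct.pack(HEADER_FMT, *fields))
    return struct.pack(HEADER_FMT, *fields)


def decrement_ttl(packet):
    """What each router hop must do: lower the TTL and recompute the checksum.
    Assumes a 20-byte header without options."""
    fields = list(struct.unpack(HEADER_FMT, packet[:20]))
    if fields[5] <= 1:
        raise ValueError("TTL exhausted; packet would be dropped")
    fields[5] -= 1
    fields[7] = 0
    fields[7] = header_checksum(struct.pack(HEADER_FMT, *fields))
    return struct.pack(HEADER_FMT, *fields) + packet[20:]


# Constructed sample: UDP from 10.1.1.1 to 10.1.1.100 (the addresses used in the notes).
SAMPLE = build_ipv4_header("10.1.1.1", "10.1.1.100", 17, 8) + b"\x00" * 8
# Same packet with the TTL lowered but the checksum left stale (a common bug).
STALE = SAMPLE[:8] + bytes([SAMPLE[8] - 1]) + SAMPLE[9:]

if __name__ == "__main__":
    for name, pkt in (("sample", SAMPLE), ("stale", STALE), ("hop", decrement_ttl(SAMPLE))):
        h = parse_ipv4_header(pkt)
        print(name, h["src"], "->", h["dst"], h["protocol_name"], "ttl", h["ttl"],
              "checksum ok" if h["checksum_ok"] else "CHECKSUM BAD")
```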

Fast Switching and CEF.

Cisco's two optimization methods for the forwarding process are fast switching and CEF.

With fast switching the first packet to a destination is process switched. The router then adds an entry to the fast-switching cache (route cache). The route cache contains the destination IP address, next-hop information and the data-link header information. Future packets to the same destination match the cache entry, so it takes the router less time to process and forward them.

Drawbacks of fast switching.

-The first packet must be process switched.
-Cache entries are timed out relatively quickly.
-Load balancing only occurs per destination.

CEF (Cisco Express forwarding).

CEF uses a FIB (Forwarding information base). The FIB contains information about all the known routes in the routing table.

CEF loads FIB entries as routes are added and removed from the routing table.

CEF compared with fast switching.

-CEF loads FIB entries as routes are added to and removed from the routing table.
-CEF does not time out entries.
-CEF does not process-switch the first packet to a destination.
-CEF load balances over equal-cost routes.

When a new packet arrives, the router first searches the FIB.

The CEF FIB structure is a special kind of tree called an mtrie. The matching FIB entry points to an entry in the CEF adjacency table.

The adjacency table lists the following:

-Outgoing interface.
-Information needed to build the data link header and trailer.

Switching methods review.

Process switching.
 -Table that holds forwarding information: routing table.
 -Load balancing method: per packet.

Fast switching.
 -Table that holds forwarding information: fast-switching cache.
 -Load balancing method: per destination IP address.

CEF.
 -Table that holds forwarding information: FIB and adjacency table.
 -Load balancing method: per hash of the packet source and destination, or per packet.

Commands used to enable and disable CEF.

[ip cef] global command enables CEF for all interfaces on a cisco router.

[no ip route-cache cef] interface command is used to selectively disable CEF on an interface.

Classless and Classful routing.

Classless and classful routing relate to the logic used to match the routing table (especially when the default route is used).

Statements about classless and classful routing.

Classless routing: when a default route exists and no specific match is found when comparing the destination of the packet with the routing table, the default route is used.

Classful routing: when a default route exists and the class A, B, or C network for the destination IP address does not exist at all in the routing table, the default route is used. If any part of that classful network exists in the routing table, but the packet does not match any of the existing subnets of that classful network, the router does not use the default route and discards the packet.

[ip classless] global command is used to enable classless routing.
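An added Python example (not from the notes) that models both lookups over a constructed routing table, so the difference between [ip classless] and classful behaviour can be seen on concrete destinations; the class boundaries follow the network-class table earlier on this page.

```python
from ipaddress import IPv4Address, IPv4Network

DEFAULT_ROUTE = IPv4Network("0.0.0.0/0")


def classful_network(addr):
    """Return the class A/B/C network containing addr, or None for class D/E.
    Ranges follow the network-class table above (by first octet)."""
    addr = IPv4Address(addr)
    first = int(addr) >> 24
    if first < 128:
        bits = 8
    elif first < 192:
        bits = 16
    elif first < 224:
        bits = 24
    else:
        return None
    return IPv4Network(f"{addr}/{bits}", strict=False)


def longest_match(table, dst, include_default=True):
    """Longest-prefix match over a list of (network, next_hop) pairs."""
    best = None
    for net, next_hop in table:
        if net == DEFAULT_ROUTE and not include_default:
            continue
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def route(table, dst, classless=True):
    """Return the next hop for dst, or None when the packet would be discarded.
    classless=True models [ip classless]; False models classful routing."""
    dst = IPv4Address(dst)
    specific = longest_match(table, dst, include_default=False)
    if specific:
        return specific[1]                        # a real subnet matched
    default = longest_match(table, dst)           # only the default can remain
    if default is None:
        return None                               # no route at all
    if classless:
        return default[1]
    # Classful: the default route is used only when no part of the destination's
    # class A/B/C network appears in the table; otherwise the packet is dropped.
    cls = classful_network(dst)
    if cls is not None and any(net != DEFAULT_ROUTE and net.subnet_of(cls)
                               for net, _ in table):
        return None
    return default[1]


# Constructed routing table: two subnets of 10.0.0.0/8 plus a default route.
TABLE = [
    (IPv4Network("10.1.1.0/24"), "f0/0"),
    (IPv4Network("10.1.2.0/24"), "f0/1"),
    (DEFAULT_ROUTE, "s0/0"),
]
NO_DEFAULT_TABLE = TABLE[:2]      # same subnets, no default route

if __name__ == "__main__":
    for dst in ("10.1.1.50", "10.1.3.7", "172.16.5.1"):
        print(dst, "classless ->", route(TABLE, dst, classless=True),
              "classful ->", route(TABLE, dst, classless=False))
```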

Multilayer Switching.

MLS steps to forward (route) a packet.

-The MLS routing table entry lists an outgoing interface and next-hop IP address (adjacency information, as in CEF).
-L2 logic decides to which physical interface to forward the packet.

Routed ports and port-channels.

A routed port is a switchport configured to work as a L3 port.

Routed port characteristics:

-The interface is not in any VLAN (not even VLAN 1).
-The switch does not add any L2 switching table information for the interface.
-L3 settings are configured under the physical interface.
-The adjacency table lists the outgoing interface/port-channel, which means that L2 switching logic is not required.
-The [no switchport] command is used to turn a switchport into a routed port.
-For port-channels the physical interfaces must also be configured with the [no switchport] command; port-channel load balancing should also be based on L3 addresses.

MLS L3 interface types.

VLAN interface:
 -Forwarding to adjacent device: uses L2 logic and the L2 MAC address table.
 -Config requirements: create the VLAN interface; the VLAN must exist.

Physical routed interface:
 -Forwarding to adjacent device: forwards out the physical interface.
 -Config requirements: use the [no switchport] command to create a routed interface.

Port-channel (switched interface):
 -Forwarding to adjacent device: not applicable, just another L2 path.
 -Config requirements: none.

Port-channel (routed interface):
 -Forwarding to adjacent device: balances across the links in the port-channel.
 -Config requirements: [no switchport] command.

Policy Routing.

Policy routing allows the router to make routing decisions based on information other than the destination IP address.

The [ip policy] command tells IOS to process incoming packets with different logic before normal forwarding takes place.

IOS compares the received packet using the route-map referenced in the [ip policy] command. Route maps must match either by referring to an ACL or based on packet length.

The routing instructions are specified using a set command.

Policy routing set commands.

-set ip next-hop -----> must be in a connected subnet.
-set ip default next-hop -----> same as set ip next-hop, but uses routing table logic.
-set interface.
-set default interface -----> do not use a LAN or point-to-multipoint Frame Relay interface.
-set ip precedence.
-set ip tos.

IP policy verification commands.

-show ip policy.
-debug ip policy.


Wednesday, February 13, 2013

DHCP Configuration Snippets and Notes.


Here are some configuration snippets and commands related to the most common DHCP features. This is a way for me to have a reference for configuration commands and scenarios.

Configuration Snippets and Commands.
-DHCP Server.
-DHCP Client.
-DHCP Relay.
-DHCP Host Pool.
-DHCP On-Demand Pool.
-DHCP Proxy.
-DHCP Information Option.
-DHCP Authorized ARP.

DHCP Server Configuration Commands:
Example:
{
ip dhcp excluded-address 10.1.1.100 10.1.1.254
ip dhcp pool TEST_POOL
network 10.1.1.0 /24
default-router 10.1.1.4 10.1.1.3
dns-server 10.1.1.6 10.1.1.7
lease 0 12
ip dhcp database flash:/bindings
}
DHCP Server Verification Commands:
Verify DHCP pool configuration: show ip dhcp pool
Verify the DHCP database: show ip dhcp database
Example:
{
MinasTirith#show ip dhcp pool
Pool Voice-VLAN :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 1022
Leased addresses : 195
Excluded addresses : 33
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased/Excluded/Total
10.0.2.78 10.0.0.1 - 10.0.3.254 195 / 33 / 1022
Pool Users :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 1022
Leased addresses : 340
Excluded addresses : 77
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased/Excluded/Total
172.20.0.182 172.20.0.1 - 172.20.3.254 340 / 77 / 1022
}
{
Arnor#show ip dhcp database
URL : nvram:dhcp_data.txt
Read : Feb 06 2013 04:05 PM
Written : Feb 13 2013 01:15 PM
Status : Last write succeeded. Agent information is up-to-date.
Delay : 300 seconds
Timeout : 300 seconds
Failures : 0
Successes: 21
}
DHCP Client Configuration Commands:
Configuring a router interface to obtain an IP address from a DHCP server:
ip address dhcp
Configuring an interface to use the BIA of a specific interface as the client-id:
ip address dhcp client-id <interface>
DHCP Client Verification Commands:
Verifying a DHCP binding:
show ip dhcp binding
Example:
MinasTirith#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
10.0.0.102            0100.21a0.2d46.7f     Feb 20 2013 06:35 PM  Automatic
10.0.0.127            0100.09e8.b4a9.fa     Feb 21 2013 10:33 AM  Automatic
10.0.0.208            0100.0ab7.c6b4.8c    Feb 21 2013 04:43 PM  Automatic
10.0.0.242            0100.0ab7.b145.bc    Feb 21 2013 09:46 AM  Automatic
10.0.0.252            0100.0a8a.5c66.ff      Feb 21 2013 12:39 PM  Automatic
10.0.1.63              0100.0a8a.5cc6.69    Feb 19 2013 11:28 AM  Automatic
10.0.1.64              0100.0a8a.5ccc.20    Feb 21 2013 09:46 AM  Automatic
10.0.1.73              0100.1da2.19fb.40    Feb 23 2013 12:02 PM  Automatic
10.0.1.86              0100.0ab7.ed8e.7f    Feb 23 2013 12:25 PM  Automatic
DHCP Relay.
To configure a router as a relay agent: ip helper-address <IP address of the DHCP server>
DHCP on-demand Pool:
Sample Config:
{
ODAP_POOL router
int s0/0
encapsulation ppp
ip address negotiated -----> Request an IP address via IPCP.
ppp ipcp mask request -----> Request a subnet mask via IPCP.
ppp ipcp dns request -----> Request DNS server addresses via IPCP.
no peer neighbor-route
ip dhcp pool On_Demand_Pool
import all -----> Import command.
origin ipcp -----> Where the DHCP pool imports from (IPCP).
}
{
Peer
int s1/1
encapsulation ppp
ip add 10.1.13.1 255.255.255.0
peer default ip add 10.1.13.3 -----> Defining the peer IP address.
ppp ipcp mask 255.255.255.0 -----> Subnet mask to be sent via IPCP.
ppp ipcp dns 10.1.13.4 10.1.13.6 -----> DNS IPs to be sent via IPCP.
no peer neighbor-route
}
Verification Commands:
show ip dhcp import
Sample:
{
R1#show ip dhcp import
Address Pool Name: On_Demand_Pool
Domain Name Server(s): 10.1.13.4 10.1.13.6
}
DHCP Proxy
Sample Configuration:
In this scenario R2 requests an IP address via IPCP and R3 relays the request to another router (R6).
{
R2:
int s0/1
encapsulation ppp
ip address negotiated
no peer neighbor-route
R3:
int s1/3
encapsulation ppp
ip address 10.1.23.3 255.255.255.0
peer default ip address dhcp -----> Defines that the address must be obtained via DHCP.
no peer neighbor-route
ip address-pool dhcp-proxy-client -----> Specifying the DHCP proxy feature.
ip dhcp-server 10.1.26.6 -----> DHCP server IP address.
R6:
ip dhcp pool R2_Serial
network 10.1.23.0 /24
!
ip dhcp excluded-address 10.1.23.1
ip dhcp excluded-address 10.1.23.3 10.1.23.254
}
DHCP Information Option.
Sample Config:
{
ip dhcp relay information option
!
int f0/0
ip dhcp relay information option subscriber-id vlan58
}
{
ip dhcp class TEST
relay agent information
relay-information hex
020c020a00009b013a05000000000606564c414e3538
!
ip dhcp pool VLAN58
class TEST
address range 10.1.58.8 10.1.58.8
}
DHCP Authorized ARP.
Sample Config:
{
R6:
ip dhcp pool VLAN146
update arp
!
ip dhcp pool R1_HOST
update arp
!
int f0/0.146
arp authorize
R6:
arp 10.1.146.4 0008.0e9c.dac2 arpa
}

DHCP Overview.


DHCP Overview Notes.

-Introduction.
-Format of a DHCP Message.
-DHCP Components.
-DHCP allocation Mechanisms and Allocation Process.
-Further Reading.

Introduction.

DHCP is an address allocation protocol: it is used to assign devices an IP address and some other information. DHCP uses UDP as its transport protocol. It uses a set of messages as the mechanism to request and assign addresses between client and server.

DHCP messages from a client to a server are sent to the DHCP server port 67, and DHCP messages from a server to a client are sent to the DHCP Client Port 68.

Format of a DHCP Message.

DHCP Message Fields.

op: Message op code (1 = BOOTREQUEST, 2 = BOOTREPLY).

htype: Hardware address type (normally this refers to Ethernet).

hlen: Hardware address length (in the case of Ethernet this is 6, referring to the 6-byte Ethernet MAC address).

hops: Optionally used by relay agents when booting via a relay agent.

xid: Transaction ID.

secs: Filled in by the client; seconds elapsed since the client began the address acquisition or renewal process.

flags: Flags (used as a workaround for clients that cannot accept unicast datagrams before the TCP/IP stack is configured on the host).

ciaddr: Client IP address (only filled in if the client is in the BOUND, RENEW or REBINDING state).

yiaddr: Client IP address, filled in by the DHCP server in the address allocation process.

siaddr: IP address of the next server to use in the allocation process.

giaddr: Relay agent IP address.

chaddr: Client hardware address (MAC).

sname: Optional server host name.

file: Boot file name.

options: Options field.


DHCP Components.

DHCP Client: the host trying to obtain an IP address.

DHCP Server: the server that responds to the client's requests.

DHCP Relay Agent: a host or router that passes DHCP messages between different subnets/networks.

Binding: a collection of configuration parameters, including at least an IP address, associated with a DHCP client.

DHCP Messages.

DHCPDISCOVER: Sent by clients to locate available DHCP servers.

DHCPOFFER: Sent by the server to the client in response to a DHCPDISCOVER; it includes the configuration parameters offered to the client.

DHCPREQUEST: Sent by the client to request the parameters offered by the server in the DHCPOFFER message.

DHCPACK: Sent by the server to the client with the configuration parameters.

DHCPNAK: Sent by the server to the client, indicating that the information requested by the client cannot be satisfied.

DHCPDECLINE: Sent by the client to the server, indicating that the network address is already in use.

DHCPRELEASE: Sent by the client to the server to release the current address assigned by DHCP, cancelling the remaining lease.

DHCPINFORM: Sent by the client to the server asking for local configuration parameters; the client already has an address configured.
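An added Python example (not from the notes) that decodes the fixed DHCP message fields listed above, plus the message type, server identifier and other options, from a constructed DHCPOFFER built the way a server would send it. The magic cookie and option codes are RFC 2131/2132 values that the notes do not list; the addresses and client MAC are constructed.

```python
import struct
from ipaddress import IPv4Address

HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"     # op .. file, in the order listed above
HEADER_LEN = struct.calcsize(HEADER_FMT)      # 236 bytes
MAGIC_COOKIE = b"\x63\x82\x53\x63"            # RFC 2131 options cookie (assumed; not in the notes)
OP_NAMES = {1: "BOOTREQUEST", 2: "BOOTREPLY"}
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
                 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}
# Option codes used below (RFC 2132 values; assumed, not listed in the notes).
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID = 1, 3, 6, 51, 53, 54
OPT_PAD, OPT_END = 0, 255


def parse_options(data):
    """Decode the TLV options that follow the magic cookie; stops at END."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def parse_dhcp(msg):
    """Split a DHCP message into the fixed fields described above plus its options."""
    if len(msg) < HEADER_LEN + 4 or msg[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    f = struct.unpack(HEADER_FMT, msg[:HEADER_LEN])
    hlen = f[2]
    opts = parse_options(msg[HEADER_LEN + 4:])
    mtype = opts[OPT_MSG_TYPE][0] if OPT_MSG_TYPE in opts else 0
    return {
        "op": OP_NAMES.get(f[0], "unknown"),
        "htype": f[1], "hlen": hlen, "hops": f[3], "xid": f[4], "secs": f[5],
        "broadcast": bool(f[6] & 0x8000),           # the flags workaround bit
        "ciaddr": str(IPv4Address(f[7])), "yiaddr": str(IPv4Address(f[8])),
        "siaddr": str(IPv4Address(f[9])), "giaddr": str(IPv4Address(f[10])),
        "chaddr": f[11][:hlen].hex(":"),
        "sname": f[12].split(b"\x00", 1)[0].decode(errors="replace"),
        "file": f[13].split(b"\x00", 1)[0].decode(errors="replace"),
        "message_type": MESSAGE_TYPES.get(mtype, "unknown"),
        "server_id": str(IPv4Address(opts[OPT_SERVER_ID])) if OPT_SERVER_ID in opts else None,
        "options": opts,
    }


def build_offer(xid, client_mac, yiaddr, server_ip, mask, router, dns, lease_secs):
    """Constructed DHCPOFFER as a server would send it (for the demonstration)."""
    header = struct.pack(HEADER_FMT, 2, 1, 6, 0, xid, 0, 0x8000,
                         b"\x00" * 4, IPv4Address(yiaddr).packed, b"\x00" * 4, b"\x00" * 4,
                         client_mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    options = b"".join([
        bytes([OPT_MSG_TYPE, 1, 2]),
        bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed,
        bytes([OPT_SUBNET_MASK, 4]) + IPv4Address(mask).packed,
        bytes([OPT_ROUTER, 4]) + IPv4Address(router).packed,
        bytes([OPT_DNS, 4]) + IPv4Address(dns).packed,
        bytes([OPT_LEASE, 4]) + struct.pack("!I", lease_secs),
        bytes([OPT_END]),
    ])
    return header + MAGIC_COOKIE + options


# Constructed sample offer (values are made up for the example).
CLIENT_MAC = bytes.fromhex("0021a02d467f")
OFFER = build_offer(0x3903F326, CLIENT_MAC, "10.1.1.50", "10.1.2.202",
                    "255.255.255.0", "10.1.1.1", "10.1.2.203", 1200)

if __name__ == "__main__":
    msg = parse_dhcp(OFFER)
    print(msg["op"], msg["message_type"], "yiaddr", msg["yiaddr"],
          "from server", msg["server_id"], "for", msg["chaddr"])
```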

DHCP Allocation Mechanisms/Allocation Process.

Here is the process by which DHCP assigns network information to a client.

1 - The client broadcasts a DHCPDISCOVER message on its local subnet.

2 - Each server responds with a DHCPOFFER message; this includes the offered IP address (in the yiaddr field) and any other configured parameters (options).

3 - The client broadcasts a DHCPREQUEST message that includes the server identifier of the selected DHCP server.

4 - The server responds with a DHCPACK containing the configuration requested by the client in the DHCPREQUEST message.
 4a - If the server cannot assign the requested IP address (because it has already been assigned), it responds with a DHCPNAK.
 4b - If the client receives a DHCPNAK, it restarts the process.

5 - The client verifies that the information in the DHCPACK message is valid, through the use of ARP.
 5a - If the IP address is already in use, the client sends a DHCPDECLINE message.


Further Reading.

RFC 2131: http://www.ietf.org/rfc/rfc2131.txt

DHCP Messages: http://technet.microsoft.com/en-us/library/cc977584.aspx

DHCP Options: http://technet.microsoft.com/en-us/library/cc977343.aspx

DHCP Pcap: http://wiki.wireshark.org/DHCP

DHCP Option 82: http://blog.ine.com/2009/07/22/understanding-dhcp-option-82/

DHCP Import Statement: http://blog.ine.com/2009/05/03/using-the-dhcp-import-statement/