10 nat_dhcp_v1.0
TRANSCRIPT
-
8/16/2019 10 NAT_DHCP_V1.0
1/39
TNE20002 / TNE70003
IP Addressing Services – DHCP and NAT
V1.0
-
8/16/2019 10 NAT_DHCP_V1.0
2/39
Dynamic Host Configuration Protocol (DHCP)
Almost every device that connects to a network needs an IP address.
Network administrators assign static IP addresses to routers,servers, and other network devices whose locations (physical and
logical) are not likely to change.
User computers in an organization often change locations, physically
and logically.
Desktop clients do not require a static address.
A workstation can use any address within a range of addresses.
This range is within an IP subnet.
2
-
8/16/2019 10 NAT_DHCP_V1.0
3/39
Configure DHCP in an Enterprise Branch Network
3
-
8/16/2019 10 NAT_DHCP_V1.0
4/39
DHCP Operation
Address Allocation Methods:
Manual:
The IP address for the client is pre-allocated by the administrator
and DHCP conveys the address to the client.
Automatic:
DHCP automatically assigns a permanent IP address to a client
with no lease period.
Dynamic:
DHCP assigns, or leases, an IP address to the client for a limitedperiod of time.
4
-
8/16/2019 10 NAT_DHCP_V1.0
5/39
5
DHCP Operation Overview
Server Port
Client Port
Broadcast
DHCP
DHCP
Client and Server on same Subnet
5
-
8/16/2019 10 NAT_DHCP_V1.0
6/39
6
Major DHCP features
DHCP Request
DHCP Reply
6
-
8/16/2019 10 NAT_DHCP_V1.0
7/397
DHCP Operation Detail
7
-
8/16/2019 10 NAT_DHCP_V1.0
8/398
DHCP Operation Detail - Two Servers
8
-
8/16/2019 10 NAT_DHCP_V1.0
9/399
Configuring DHCP
The network statement enables DHCP on any router interfaces belonging
to that network. The router will act as a DHCP server on that interface.
It is also the pool of addresses that the DHCP server will use.
Pool NaMe (vs nAmE) case sensitive
9
-
8/16/2019 10 NAT_DHCP_V1.0
10/3910
Configuring DHCP
The ip dhcp excluded-address command configures the router to exclude anindividual address or
range of addresses when assigning addresses to clients.
IP configuration values such as the default gateway can be set.
10
-
8/16/2019 10 NAT_DHCP_V1.0
11/39
Configuring a Cisco Router as a DHCP Server
The Enabling the DHCP service:
To enable the service:
Router(config)#service dhcp
To disable the service:
Router(config)#no service dhcp
11
-
8/16/2019 10 NAT_DHCP_V1.0
12/3912
Configuring DHCP - Options
12
-
8/16/2019 10 NAT_DHCP_V1.0
13/3913
Verifying and Troubleshooting DHCP
13
-
8/16/2019 10 NAT_DHCP_V1.0
14/39
DHCP Relay – DHCP Server in a different subnet
14
-
8/16/2019 10 NAT_DHCP_V1.0
15/39
DHCP Relay – DHCP Server in a different subnet
15
-
8/16/2019 10 NAT_DHCP_V1.0
16/39
16
DHCP Relay
DHCP clients use IP broadcasts to find the DHCP server on the subnet.
What happens when the server and the client are not on the same subnet ?
Routers do not forward these broadcasts.
Use the ip helper-address command to relay broadcast requests for these key UDPservices.
Fa0/0
Fa0/1
Fa0/2
DNS
16
-
8/16/2019 10 NAT_DHCP_V1.0
17/39
17
Using Helper Address
Fa0/0
Fa0/1
Fa0/2
DNS
17
-
8/16/2019 10 NAT_DHCP_V1.0
18/39
18
Configuring IP Helper Unicast Address
To configure RTA Fa0/0, the interface that receives the Host A broadcasts, to relay DHCPbroadcasts as a unicast to the DHCP server:
RTA(config)#interface e0
RTA(config-if)#ip helper-address 172.24.1.9
Broadcast Unicast
Specify the DHCP Server
Fa0/0
Fa0/0
Fa0/1
Fa0/2
DNS
18
-
8/16/2019 10 NAT_DHCP_V1.0
19/39
19
Configuring IP helper Directed Broadcast address
Helper address configuration that relays broadcast to all servers on the segment.
RTA(config)#interface e0
RTA(config-if)#ip helper-address 172.24.1.255
Will RTA forward the directed broadcast ?
Broadcast Directed broadcast
Fa0/0
Fa0/0
Fa0/1
Fa0/2
DNS
19
Di t d B d t
-
8/16/2019 10 NAT_DHCP_V1.0
20/39
20
Directed Broadcast
Fa0/0
Fa0/2
20
Di t d B d t
-
8/16/2019 10 NAT_DHCP_V1.0
21/39
21
Directed Broadcast
The RTA interface Fa 0/2, which connects to the server farm, is not configured with helperaddresses.
However, the output shows that for this interface, directed broadcast forwarding isdisabled.
This means that the router will not convert the logical broadcast 172.24.1.255 into a
physical broadcast with a Layer 2 address of FF-FF-FF-FF-FF-FF.
To allow all the nodes in the server farm to receive the broadcasts at Layer 2,Fa 0/2 will need to be configured to forward directed broadcasts:
RTA(config)#interface fa 0/2
RTA(config-if)#ip directed-broadcast
21
-
8/16/2019 10 NAT_DHCP_V1.0
22/39
22
Configuring IP helper Directed Broadcast ddress
Helper address configuration that relays broadcasts to all servers on the subnet.
RTA(config)#interface Fa 0/0RTA(config-if)#ip helper-address 172.24.1.255
RTA(config)#interface Fa 0/2
RTA(config-if)#ip directed-broadcast
DNS
Fa0/2Fa0/0
Fa0/1
22
-
8/16/2019 10 NAT_DHCP_V1.0
23/39
23
Network Address Translation
NAT (defined by RFC 1631) is designed to conserve IP addresses and
enable networks to use private IP addresses on internal networks.
These private, internal addresses are translated to routable, public
addresses for accessing the Internet.
NAT translations can occur dynamically or statically.
NAT (PAT) port address translation allows multiple inside addresses to
map to the same global address.
23
-
8/16/2019 10 NAT_DHCP_V1.0
24/39
24
Private addressing – Internal Networks
24
-
8/16/2019 10 NAT_DHCP_V1.0
25/39
25
NAT Example
Inside Local IP address – The IP private address assigned to a host on the inside
network.
Inside Global IP address –
A public IP address that represents one or more inside
local IP addresses to the outside world.
Outside Global IP address – The public IP address assigned to a destination host
on the outside network.
Private Public
NAT
Destination
-
8/16/2019 10 NAT_DHCP_V1.0
26/39
26
NAT Example – Private source to Public source
128.23.2.2 10.0.0.3 .... Data
DA SA
IP Header
128.23.2.2 179.9.8.80 .... Data
DA SA
IP Header
The translation from Private source IP address to Public source IP address.
1 2
1 2
NAT E l P bli d i i P i d i i
-
8/16/2019 10 NAT_DHCP_V1.0
27/39
27
NAT Example - Public destination to Private destination
Translation back, from Public destination IP address to Private destination IP address.
179.9.8.80 128.23.2.2 .... Data
DA SA
IP Header
10.0.0.3 128.23.2.2 .... Data
DA SA
IP Header
34
34
.79
-
8/16/2019 10 NAT_DHCP_V1.0
28/39
28
PAT – Port Address Translation
Allows you to use a single Public IP address and assign it up to 40000 inside hosts
Multiple private IP addresses can be translated by a single public address (many-to-one translation).
Tracks and translates SA, DA and SP (which uniquely identifies each connection) for each stream oftraffic.
10.0.0.3:1555
PAT E l
-
8/16/2019 10 NAT_DHCP_V1.0
29/39
29
PAT Example
128.23.2.2 10.0.0.3 80 1331 Data
DA SA
IP Header
DP SP
TCP/UDP
Header
128.23.2.2 10.0.0.2 80 1555 Data
DA SA
IP Header
DP SP
TCP/UDP
Header
128.23.2.2 179.9.8.80 80 3333 Data
DA SA
IP Header
DP SP
TCP/UDP
Header
128.23.2.2 179.9.8.80 80 2222 Data
DA SA
IP Header
DP SP
TCP/UDP
Header
NAT/PAT table maintains
translation of:
DA, SA, SP
1 2
1331
1555
PAT E l
-
8/16/2019 10 NAT_DHCP_V1.0
30/39
30
PAT Example
179.9.8.80 128.23.2.2 3333 80 Data
DA SA
IP Header
DP SP
TCP/UDPHeader
179.9.8.80 128.23.2.2 2222 80 Data
DA SA
IP Header
DP SP
TCP/UDP
Header
10.0.0.3 128.23.2.2 1331 80 Data
DA SA
IP Header
DP SP
TCP/UDPHeader
10.0.0.2 128.23.2.2 1555 80 Data
DA SA
IP Header
DP SP
TCP/UDP
Header
4 3
NAT/PAT table maintains
translation of:
SA (DA), DA (SA), DP (SP)
1331
1555
C fi i St ti NAT
-
8/16/2019 10 NAT_DHCP_V1.0
31/39
31
Configuring Static NAT
S0/0/0 outsideInside Fa0/0
Fa0/0
192.168.1.2
192.168.1.2
S0/0/0
C fi i D i NAT
-
8/16/2019 10 NAT_DHCP_V1.0
32/39
32
Configuring Dynamic NAT
Translate to these range of
outside addresses
Source subnet IP address
must match here
Binding to ACL
Inside Fa0/0 S0/0/0 outside
Fa0/0
S0/0/0
C fi i PAT O l d
-
8/16/2019 10 NAT_DHCP_V1.0
33/39
33
Configuring PAT – Overload
In this example a pool of Public IP addresses is used, using PAT, source ports, to
differentiate between connection streams.
Inside Fa0/0 S0/0/0 outside
C fi i PAT O l d
-
8/16/2019 10 NAT_DHCP_V1.0
34/39
34
Configuring PAT – Overload
This is a different
example, using the IP
address of the outside
interface instead of
specifying a pool of IP
addresses
NAT Cl C d
-
8/16/2019 10 NAT_DHCP_V1.0
35/39
35
NAT Clear Commands
V if i NAT
-
8/16/2019 10 NAT_DHCP_V1.0
36/39
36
Verifying NAT
T bl h ti NAT/PAT
-
8/16/2019 10 NAT_DHCP_V1.0
37/39
37
Troubleshooting NAT/PAT
Watch the NAT translations
Issues with NAT/PAT
-
8/16/2019 10 NAT_DHCP_V1.0
38/39
38
Issues with NAT/PAT
NAT also forces some applications that use IP addressing to stopfunctioning because it hides end-to-end IP addresses. .
Sometimes, this problem can be avoided by implementing static NATmappings.
-
8/16/2019 10 NAT_DHCP_V1.0
39/39
THE END