Author Archives: ccnablog

Distance Learning and The Increased Importance of Home Labs

As we all work together through COVID-19, schools slowly start to reopen and progress is made to get things back to being as close to normal as possible, the classroom environments will unquestionably be adapting as well.  Some institutions are setting distance learning in place until we can all safely come directly back to the classroom, at full capacity.  This poses a unique challenge for CCNA and all Cisco Certification candidates who greatly benefit from the real world, hands-on approach in their classrooms.  We already know that having a home lab is the best thing you can do to give yourself the best learning experience; now, more than ever before, a home lab will be an extremely beneficial and necessary component of your progression as a network engineer.

  1. Watching lectures through Zoom meetings or other virtual classrooms works just great and covers the theory end of the curriculum. However, this does not work when it comes time for the configuration and hands-on component (the most important part) of your Cisco training.  The configuration end of the certification is what sets Cisco Certifications apart.  This element PROVES that you know what you are doing and that you can do it!   Watching a demo simply does not make the mental connection necessary to actually learn and repeat a successful configuration.  Can you learn to play the guitar by watching YouTube videos and strumming your air guitar?  You might look really cool while air jamming out to Bohemian Rhapsody and wearing a Wayne’s World baseball cap, but you would look a lot cooler if you were masterfully playing a real guitar when it comes time for the show.
  2. Virtual environments such as Packet Tracer have never been able to fully simulate or encompass a real networking environment. These may work ok for the most basic foundation of networking, but your exam will be much more complex than this and your learning tools should match that.  Clicking the “auto-connect” button just doesn’t make you think through cabling a network or recreate any of those “happy mistakes” that you would see in the field.  Another problem here is that there are major limitations and capability issues.  Running a virtualized ASA, if you can even battle through the frustration of getting it to virtualize in the first place, is still a complete nightmare scenario.  Don’t even get us started on voice.  We have already had professors calling us with their stories of the impossibility of effectively teaching a voice class from a distance.  In short, these virtualizations have always been and always will be half-recreations of what is really involved and happens in a physical network.
  3. For schools looking for remote options for their students, we also offer many options of NetLabs compatible kits! This is one of our favorite ways to encourage a hands-on solution inside the classroom while still maintaining social distancing guidelines.  Please reach out to us and we can absolutely help with that!
  4. Many students are dependent on outside-of-class lab time to crank down on topics they need more time with or to complete labs that couldn’t be done within the lab time during a class period. If a class offers additional lab hours, they were already usually limited and will likely be even more limited than they were before (or entirely unavailable).  This all becomes doubly or triply important when your exam is scheduled and that last-minute cram session time becomes crucial.   The other issue here is that every time you leave a classroom or those extra lab hours, once you are done for the day or out of time, your configuration gets erased so the next student can work.  That lab you spent 3 hours on and didn’t finish may have to be started all over from the beginning.  With a home lab you can work on what you want, when you want and at your leisure.  Many of our customers, even when not in a class, subscribe to the “Lab Everyday” ideology.  With your home lab only a mouse click away, even if you only have an hour at the end of the night, you can always keep your skills sharp or explore a new topic.
  5. Just because distance learning will be a new obstacle in the learning environment, doesn’t mean that the physical networks of the real world have also turned into a distance model.  The real world still runs on physical hardware, still has data centers and companies still demand that you have hands-on experience with these devices.  Trust us, HR representatives are screening to make sure you have hands-on experience and may even ask you what your home lab looks like.
  6. We encourage the idea that the purchase of a home lab kit is an investment that will benefit you through your certification and for many, many years past that as you grow and learn in the field.  Our lab kits are built with the student in mind all the way up to the experienced professional.  Our recommended kits are built with the best equipment, matched at various price points across the board to make affordable solutions for anyone.  We did all the work for you!  We are also the only company out there that offers a generous trade-up program that ensures that you will always have the option to upgrade as you want more capability, options or even if you simply want to stay current.  Everything is fully tested to the port level by Cisco Certified Engineers, guaranteed to work and fully backed by our awesome warranty!
  7. Our fully rounded training package that has guided 1000s of CCNA candidates to success comes with every kit that we sell. We have been offering only the best study materials on the market for nearly 25 years and counting.  This includes our famous lab workbook, about 450 pages of user-friendly, easy-to-understand labs that you can’t get anywhere else!  What is even better is that all of the primary content is now in digital form and fully mobile and tablet compatible!
  8. If you do not see a home lab that looks like a perfect match for you, our team of qualified representatives is here to help practically around the clock! Just shoot us an email at Sales@CertificationKits.com and we will be more than happy to walk you through any questions you may have or even build you a custom kit!
  9. The last bit we want to mention here is that once we all do get back to normal, we know that the demand for Certified Network Engineers will be greater than ever before. One of the biggest things that has held us all together through all of the distancing is the internet and the networks that build it.  Network Engineers are the backbone that keeps us able to communicate, no matter what happens and no matter the distance. If this doesn’t reinforce their necessity and importance and increase their demand, we don’t know what does.
  10. Stay safe and healthy everyone!

Do I Need a CCENT or CCNA Lab for Cisco Certification?

A common question many students have as they start their Cisco journey is whether or not they need to have a home lab.  This is actually a great question and if you ask 10 different people you will probably get 10 different answers.  But I will try to give you my perspective on it as a veteran of the IT field and also as a hiring manager at a Fortune 500 company.

First, you can never go wrong in investing in yourself and your career.  Second, if you really want to be proficient at routing and switching, you are going to have to get your hands dirty actually doing what you are learning through reading your CCNA Study Guide or watching CCENT or CCNA based CBT videos.  So, to answer the question “should you have your own Cisco home lab for your certification studies?”: Absolutely!

CCNA Lab in a Rack

Cisco CCENT & CCNA STP Exam Question

As you prepare for your CCNA certification exam, you will be called upon to merge multiple concepts you learned into one exam question.  This is one of the things that really sets the CCENT (Cisco Certified Entry Networking Technician) and CCNA (Cisco Certified Network Administrator) certifications a step above A+, Net+ or Microsoft certifications which are a dime a dozen.

Refer to the exhibit. A problem with network connectivity has been observed. It is suspected that the cable connected to switch port Fa0/1 on SwitchD is disconnected. What would be an effect of this cable being disconnected?

CCENT CCNA STP Exam Question

In the sample question above, you have to really understand how switching works, the impacts that one switch can have on another and what happens when an entire network reconverges in a sense after a Fast Ethernet link bounces between switches.  This is where an understanding of STP (Spanning Tree Protocol) comes into play.  Furthermore, Cisco loves to give you really complex topologies like the one we created above to just overwhelm you on the exam.  This is where taking a systematic approach to the switching question will help you ace your certification exam.  So let’s take a minute to review the possible answers and then dig through the theory to determine the correct answer.

  1. PC 1 would not be able to access the server in VLAN 30 until the cable is reconnected.
  2. Communication between VLAN30 and the other VLANs would be disabled.
  3. For less than a minute, PC 3 would not be able to access the server in VLAN30. Then normal network function would resume.
  4. The transfer of files from PC 2 to the server in VLAN 20 would be significantly slower.

EXPLANATION

Spanning Tree Protocol (STP) is a loop-prevention mechanism for a redundant switched network: it ensures that there is only one logical path between all destinations on the network by intentionally blocking redundant paths that could cause a loop. The switch sends BPDUs (Bridge Protocol Data Units) out every active port once every 2 seconds in order to find redundant links; a redundant link is detected when the switch receives its own BPDU. When a switch discovers that a link is down, a redundant (blocked) link that is available to that network is unblocked and traffic resumes as normal.

In this scenario, STP would unblock redundant links and the affected VLANs would resume normal functionality.

Answer A is incorrect, as there are redundant paths for PC 1 to reach VLAN 30, most likely the direct connection from DS A to Switch D.  So this answer is incorrect because, even in the worst case, an alternate path can be realized.

Answer B is incorrect as, again, there are multiple paths that can be used from VLAN 30 to the other VLANs, so this answer does not really make any sense.

Answer D is incorrect: the speed would not be reduced, and there is nothing in the exhibit that could definitively support that claim.

So that leaves us with the correct answer being C.  PC 3’s most direct path is from Switch C to Switch D.  If that link were to go down, an alternate path would be realized in about a minute while convergence happened, and then network communication between PC 3 and the server in VLAN30 would resume.
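To make the reconvergence argument concrete, here is an added Python model (not code from the original post; the exam exhibit is not reproduced on the page, so the four-switch topology, priorities and link costs below are constructed). It computes which redundant links STP blocks, removes the Switch C to Switch D link, and shows that a previously blocked link takes over and the path between the switches survives.

```python
from collections import defaultdict
import heapq

# Constructed topology standing in for the exam exhibit (not reproduced on
# the page): bridge priorities (lower wins the root election) and the
# redundant links as (switch, switch, path cost); 19 = Fast Ethernet,
# 100 = a slower 10 Mb/s link.
PRIORITIES = {"DS-A": 4096, "SwitchB": 32768, "SwitchC": 32768, "SwitchD": 32768}
LINKS = [
    ("DS-A", "SwitchB", 19),
    ("DS-A", "SwitchC", 19),
    ("SwitchB", "SwitchC", 19),
    ("SwitchC", "SwitchD", 19),   # the SwitchD Fa0/1 link from the question
    ("DS-A", "SwitchD", 100),
]

def bridge_id(switch):
    # A real bridge ID is priority + MAC; the name stands in for the MAC here.
    return (PRIORITIES[switch], switch)

def root_bridge(links):
    return min({sw for link in links for sw in link[:2]}, key=bridge_id)

def spanning_tree(links):
    """Forwarding links: the least-cost path from the root to every switch,
    ties broken by the lowest upstream bridge ID, as STP's root-port
    election does. Every other link ends up blocked."""
    root = root_bridge(links)
    adj = defaultdict(list)
    for a, b, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    best = {root: (0, bridge_id(root))}
    parent = {}
    heap = [(0, bridge_id(root), root)]
    while heap:
        cost, _, sw = heapq.heappop(heap)
        if cost > best[sw][0]:
            continue  # stale heap entry
        for nbr, link_cost in adj[sw]:
            candidate = (cost + link_cost, bridge_id(sw))
            if nbr not in best or candidate < best[nbr]:
                best[nbr] = candidate
                parent[nbr] = sw
                heapq.heappush(heap, (candidate[0], candidate[1], nbr))
    return {frozenset((child, up)) for child, up in parent.items()}

def blocked_links(links):
    tree = spanning_tree(links)
    return {frozenset(l[:2]) for l in links if frozenset(l[:2]) not in tree}

def forwarding_path(links, src, dst):
    """The path frames actually take: a walk over the tree, not the graph."""
    adj = defaultdict(set)
    for link in spanning_tree(links):
        a, b = tuple(link)
        adj[a].add(b)
        adj[b].add(a)
    stack, seen = [(src, [src])], set()
    while stack:
        sw, path = stack.pop()
        if sw == dst:
            return path
        seen.add(sw)
        stack.extend((n, path + [n]) for n in adj[sw] if n not in seen)
    return None

def without_link(links, a, b):
    """Topology after the cable between a and b is disconnected."""
    return [l for l in links if frozenset(l[:2]) != frozenset((a, b))]

def stp_convergence_seconds(max_age=20, forward_delay=15):
    """Classic 802.1D worst case after a failure: Max Age expiry, then
    Listening and Learning (one Forward Delay each) before Forwarding."""
    return max_age + 2 * forward_delay

if __name__ == "__main__":
    print("blocked before:", blocked_links(LINKS))
    print("C->D before:", forwarding_path(LINKS, "SwitchC", "SwitchD"))
    after = without_link(LINKS, "SwitchC", "SwitchD")
    print("blocked after:", blocked_links(after))
    print("C->D after:", forwarding_path(after, "SwitchC", "SwitchD"))
    print("worst-case convergence:", stp_convergence_seconds(), "s")
```

The 50-second worst case is why answer C says "less than a minute"; when the switch sees the link go down directly, Max Age does not have to expire and convergence is faster still.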

So is this a bit confusing, and do you think you could really understand this better with your own CCENT/CCNA lab?   Check out some of the CCNA Lab Kits that are here so you can really see how this works by recreating topologies like this in your very own home lab!

CertificationKits CCENT & CCNA Lab Certification Kits

CCENT & CCNA Lab Kits

Cisco CCENT & CCNA Subnetting Exam Question!

As you prepare for your Cisco CCENT (Cisco Certified Entry Networking Technician) or CCNA (Cisco Certified Network Administrator) exam you will definitely hear time and time again that you have to know subnetting inside and out to be able to pass the exam.  Not only do you need to be able to answer the straightforward questions like how many hosts you can have with a mask of /26 on a subnet; you have to be able to do that and marry up your subnetting skills with your Cisco routing and switching knowledge to figure out what subnet a particular host will reside on and what the default gateway address will be for that host.  That is because Cisco is going to ask you scenario-based questions that make it much harder than just understanding the basics of subnetting.  They want you to be able to put together two concepts and sharpen your network troubleshooting skills for the real world.  There are many different types of scenario questions that you may see on the exam.  Below you will see one in which you have to use your CCNA subnetting skills to pick the most efficient subnet masks to conserve IP addresses.  So let’s take a look at the exam question below.

Company D is redesigning the network that connects its three locations. The administrator gave the networking team 10.10.1.0/24 to use for addressing the entire network. After subnetting the address, the team is ready to assign the addresses. As a member of the networking team, you must address the network and at the same time conserve unused addresses for future growth. With those goals in mind, drag the host addresses on the left to the correct router interface.

CCNA Subnetting

So let’s take a minute to walk through the way to solve this question on your exam.  In this question, the main subnet is 10.10.1.0/24. The table below shows the subnets in this IP address range.

CCNA Subnet Chart

However, not all the IP addresses can be used. In this question, 10.10.1.2/26 is correct and fits the subnet that needs 44 hosts; 10.10.1.129/29 is used on the subnet requiring 4 hosts; 10.10.1.137/30 is used on the serial interface between R2 and R3; 10.10.1.66/27 is used for the link requiring 26 hosts on router R3; and 10.10.1.114/28 is used on R4, which requires 13 hosts.

10.10.1.14/25 and 10.10.1.20/24 would waste too many host IP addresses.

10.10.1.63/27 is not a valid host address in this subnet.

So the correct answer for this question would be as follows:

R1 FA0/1 – 10.10.1.2/26

R2 FA0/1 – 10.10.1.129/29

R3 S0/0/0 – 10.10.1.137/30

R4 FA0/0 – 10.10.1.66/27

R5 FA1/1 – 10.10.1.114/28
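The same reasoning, written out as an added Python check (not part of the original post) using the standard library ipaddress module: the host counts per interface are taken from the answer key above, the candidate addresses are the drag-and-drop items, and the code picks the tightest non-overlapping mask for each segment and explains why the leftover candidates are rejected.

```python
import ipaddress
import math

# Host count each router interface must support, taken from the question
# (the R2-R3 serial link needs only two addresses).
REQUIREMENTS = {
    "R1 FA0/1": 44,
    "R2 FA0/1": 4,
    "R3 S0/0/0": 2,
    "R4 FA0/0": 26,
    "R5 FA1/1": 13,
}

# The candidate host addresses offered by the question.
CANDIDATES = [
    "10.10.1.2/26", "10.10.1.129/29", "10.10.1.137/30", "10.10.1.66/27",
    "10.10.1.114/28", "10.10.1.14/25", "10.10.1.20/24", "10.10.1.63/27",
]

def smallest_prefix(hosts: int) -> int:
    """Longest prefix (tightest mask) that still leaves room for `hosts`
    usable addresses: the host bits must cover hosts + network + broadcast."""
    host_bits = math.ceil(math.log2(hosts + 2))
    return 32 - host_bits

def usable_hosts(prefix: int) -> int:
    return 2 ** (32 - prefix) - 2

def is_valid_host(candidate: str) -> bool:
    """A host address must be neither the network nor the broadcast address."""
    iface = ipaddress.ip_interface(candidate)
    net = iface.network
    return iface.ip not in (net.network_address, net.broadcast_address)

def fits(candidate: str, hosts: int) -> bool:
    """Valid host whose mask is exactly the tightest one for `hosts`."""
    prefix = ipaddress.ip_interface(candidate).network.prefixlen
    return is_valid_host(candidate) and prefix == smallest_prefix(hosts)

def reject_reason(candidate: str, hosts: int) -> str:
    """Explain why a candidate is wrong for a segment of `hosts` hosts,
    or return 'ok' when it fits."""
    iface = ipaddress.ip_interface(candidate)
    prefix = iface.network.prefixlen
    if not is_valid_host(candidate):
        kind = "network" if iface.ip == iface.network.network_address else "broadcast"
        return f"{candidate} is the {kind} address of {iface.network}, not a host"
    need = smallest_prefix(hosts)
    if prefix < need:
        return (f"/{prefix} wastes addresses: {usable_hosts(prefix)} usable "
                f"where /{need} ({usable_hosts(need)} usable) covers {hosts} hosts")
    if prefix > need:
        return f"/{prefix} gives only {usable_hosts(prefix)} usable hosts, fewer than {hosts}"
    return "ok"

def assign(requirements: dict, candidates: list) -> dict:
    """Map each interface to the one candidate that fits its host count and
    does not overlap a subnet already handed out (largest segments first,
    as in VLSM)."""
    result, used = {}, []
    for name, hosts in sorted(requirements.items(), key=lambda kv: -kv[1]):
        for cand in candidates:
            net = ipaddress.ip_interface(cand).network
            if fits(cand, hosts) and not any(net.overlaps(u) for u in used):
                result[name] = cand
                used.append(net)
                break
    return result

if __name__ == "__main__":
    for name, cand in assign(REQUIREMENTS, CANDIDATES).items():
        print(f"{name} - {cand}")
    for cand in ("10.10.1.14/25", "10.10.1.20/24", "10.10.1.63/27"):
        print(cand, "->", reject_reason(cand, 26 if cand.endswith("/27") else 44))
```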

For more information refer to the topic on subnetting here.

Are you interested in really getting your hands dirty with real Cisco routers and real Cisco switches like those you will see in the real world?  Do you want to be able to replicate a topology like the one above and really see if your subnetting skills are tight and routing will really work?  If so, check out some of the CCNA lab kits that are available here! www.CertificationKits.com

IPv6 (Internet Protocol version 6)

Overview

IPv6 is one of the fastest-emerging technologies in networking. IPv4 addresses are almost exhausted, and as such there is a need for a new and better solution. In this chapter on IPv6, which is the last chapter of this CCNA training course, we will look at the concepts behind this protocol and learn why there is a need for IPv6; this will be followed by configuration of IPv6 addresses based on the network requirements. We will finish off by looking at IPv6 routing using OSPF and see how it differs from OSPFv2.

What is IPv6 and why is it important

In the chapter on NAT, we discussed the use of IPv4 and we said that the IPv4 address space provides approximately 4,294,967,296 unique addresses. Of these, only 3.7 billion addresses are assignable because the IPv4 addressing system separates the addresses into classes and reserves addresses for multicasting, testing, and other specific uses.

IPv4 addresses are almost exhausted, and this has been driven by the increase in internet use: many kinds of devices now access the internet, including smartphones, tablets and laptops. Even with NAT, the rapid growth of the internet is leading to the depletion of IPv4 addresses.

The world is now moving to IPv6 addresses. The figure below shows the difference in the number of IP addresses.

Advantages of IPv6

As you can see from the table below, the use of IPv6 brings so many features and possibilities that were previously not available in IPv4.

IPv6 addressing

IPv6 Address Representation

Throughout this course, we have seen that an IPv4 address is made up of 32 bits, which are divided into four groups of 8 bits each and separated by dots. With IPv6 addresses, the 128 bits are too many to be divided into octets; therefore, IPv6 uses hexadecimal to represent the bits, which are grouped into 8 groups of 16 bits each.

The figure below shows how you can represent an IPv6 address, as well as how to shorten it using the rules shown below it.

When the router gets an IPv6 address with the double colon “::”, it can calculate the number of missing 0’s by filling the address with 0’s until it is a complete 128 bits. However, if you were to put the double colon in twice, the router would not be able to know how many 0’s belong in which group.

IPv6 Global Unicast Address

These addresses are assigned by ISPs; the first 48 bits of such an address are usually a global routing prefix. An organization can then use the 16-bit subnet field it has been assigned to address the hosts in its networks.

Link-local addresses

These addresses are used only on a particular link. Routers do not route packets with link-local addresses, even internally; they are used to communicate within a particular network segment. Link-local addresses take the place of broadcast addresses.

IPv6 Address Management

With IPv6, hosts do not need to be configured with the entire address; they only need to be given the network portion and can then use their MAC address to derive the full IPv6 address.

With IPv6, you can assign addresses in either of the following ways:


Manual assignment

With manual assignment, you configure an interface with an IPv6 address much as you would an IPv4 address. However, with IPv6 we use the “slash” notation to specify the prefix length that denotes the network. The command used in interface configuration mode to manually assign an IPv6 address is:

An example of this is:


NOTE: one major difference between IPv6 and IPv4 addresses is that the subnet mask (prefix length) is entered in slash (/) notation.

EUI-64 Interface ID Assignment

In this type of configuration, the network administrator assigns an interface the network portion of the IPv6 address and tells the interface to derive the rest of the address from its MAC address.

The command needed to configure this type of IPv6 address assignment is:


An example of this is:


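As an added example (not from the original course, whose command examples are shown only as images), the following Python implements the shortening rules described under IPv6 Address Representation, including the rule that “::” may appear only once, together with the EUI-64 derivation just described. The prefix and MAC address used are constructed sample values.

```python
import re

def expand(addr: str) -> str:
    """Expand an IPv6 address into eight zero-padded 4-digit hex groups.

    Only one '::' is allowed: it is filled with as many zero groups as are
    needed to reach 128 bits, which is ambiguous if it appears twice.
    """
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(re.fullmatch(r"[0-9a-fA-F]{1,4}", g) for g in groups):
        raise ValueError(f"not a valid IPv6 address: {addr}")
    return ":".join(g.lower().zfill(4) for g in groups)

def is_valid(addr: str) -> bool:
    """True when expand() accepts the address (one '::' at most, 8 groups)."""
    try:
        expand(addr)
        return True
    except ValueError:
        return False

def compress(addr: str) -> str:
    """Apply the two shortening rules: drop leading zeros in every group, then
    replace the longest run of two or more all-zero groups with '::'."""
    groups = [g.lstrip("0") or "0" for g in expand(addr).split(":")]
    best_start, best_len = -1, 1          # a single zero group is left alone
    run_start = None
    for i, g in enumerate(groups + ["end"]):   # sentinel closes the last run
        if g == "0":
            run_start = i if run_start is None else run_start
            continue
        if run_start is not None and i - run_start > best_len:
            best_start, best_len = run_start, i - run_start
        run_start = None
    if best_start < 0:
        return ":".join(groups)
    head = ":".join(groups[:best_start])
    tail = ":".join(groups[best_start + best_len:])
    return f"{head}::{tail}"

def eui64_interface_id(mac: str) -> str:
    """Modified EUI-64: split the 48-bit MAC in half, insert FFFE, and flip
    the universal/local bit (bit 7 of the first byte)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    first_byte = int(digits[:2], 16) ^ 0x02
    iid = f"{first_byte:02x}{digits[2:6]}fffe{digits[6:]}".lower()
    return ":".join(iid[i:i + 4] for i in range(0, 16, 4))

def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 interface ID, which is what the
    router does when an interface is told to derive its host part from its MAC."""
    network, plen = prefix.split("/")
    if int(plen) != 64:
        raise ValueError("EUI-64 addressing needs a 64-bit prefix")
    net_groups = expand(network).split(":")[:4]
    return compress(":".join(net_groups) + ":" + eui64_interface_id(mac)) + "/64"

if __name__ == "__main__":
    # Constructed sample values; the MAC is not a real device's address.
    print(compress("2001:0db8:0000:0000:0000:ff00:0042:8329"))
    print(expand("2001:db8::1"))
    print(is_valid("2001::1::2"))        # two '::' are ambiguous
    print(eui64_address("2001:db8:1:1::/64", "00:1a:2b:3c:4d:5e"))
```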
Stateless Autoconfiguration

With this type of configuration, the router assumes that the user nodes need access to the network and therefore allows these devices to derive an IPv6 address automatically from the router, without additional configuration.

DHCPv6 (Stateful)

With this configuration, we assign IPv6 addressing information from a configured pool of addresses as we would with DHCP for IPv4.

IPv6 Transition Strategies

When an organization wants to move from IPv4 to IPv6, there are several ways it can do this without replacing old equipment or changing the operation of the network drastically. Some of the ways this can be achieved are shown below:

Dual Stacking

With dual stack, you can use both IPv4 and IPv6; this involves activating both protocols on the network devices. In this mode, however, IPv6 will always be preferred over IPv4.

Tunneling

With tunneling, we encapsulate an IPv6 packet inside an IPv4 packet so that the IPv6 packet can traverse a network that may still be using IPv4. This is shown below.

There are several ways that tunneling can be done:

In manual tunneling, an IPv6 packet is encapsulated inside an IPv4 packet.

With dynamic 6to4 tunneling, the router establishes connections to IPv6 islands located on an IPv4 network. For this method to work, the organization must be assigned an IPv6 address space.

IPv6 transition mechanisms


NOTE: the IPv6 transition mechanisms are often asked about in the CCNA exams; therefore you should know these mechanisms as well as how they work. Teredo and ISATAP are beyond the scope of this course.

In the next section, we will look at IPv6 routing using OSPFv3. We will also do IPv6 configurations, including dual stack.

IPv6 routing (OSPFv3)

In this first part, we are going to configure IPv6 in dual stack mode and also configure static routes. The topology shown below will be our Lab for this section.

In this lab the IPv4 addresses have been assigned as well as static routing in IPv4, our task is to configure IPv6.

Dual stack

Step 1. Assign IPv6 addresses to the gigabit and serial interfaces.

The command we will use in this case is:

The following are the commands that have been used to assign IPv6 addresses to the interfaces in the network.

Now that we have assigned IPv6 addresses to the interfaces, we can verify that they are operational. For this we will use the show ipv6 interface brief and ping ipv6 <ipv6address> commands; the output for R1 is shown below.

As you can see from the output above, the “show ipv6 interface brief” command is slightly different from the show ip interface brief command we use for IPv4; however, the output shows the status of the various interfaces as well as their IPv6 address information.

NOTE: we have two IPv6 addresses for each link. One is the link-local address and the other is the global address that we assigned to the interface. The link-local address is highlighted in red while the global address is highlighted in yellow.

The ping ipv6 command output is shown below.

As you can see from the output, the pings are successful.

NOTE: when using dual stack, IPv6 addresses will be preferred over IPv4 addresses.

In the next section, we will configure static routes.

Static routing in IPv6

To configure static routes and default static routes in IPv6, the command structure is the same as that for IPv4.

For example, to configure a static route for the two LANs, the commands we use are:

The static default route is probably the easiest route you can configure: the command used is:

To verify these routes, we can use the “show ipv6 route” command, as shown in the output below for R1.

As you can see from the output above, the output is slightly different from that of the IPv4 show ip route command. However, the routes are shown as either statically configured, local or connected.

OSPFv3

OSPFv3 is the implementation of OSPF for IPv6. In this section, we will configure both single-area and multi-area OSPFv3.

OSPFv3 single area

In this topology, we have 3 routers, and four hosts. There are 6 networks and the network between R2 and R3 is a shared Ethernet link. We will be configuring OSPFv3 in this topology.

Step 1. Configure IPv6 addresses according to the network diagram above.

The table below shows the IPv6 addressing commands on all the routers in the diagram.

Now that we have assigned IPv6 addresses on all the devices, including the hosts, we can configure OSPFv3.

Step 2

The first command we will use is the command to activate IPv6 routing.

REMEMBER: IPv6 routing is not enabled on Cisco routers by default; therefore we have to issue the command “ipv6 unicast-routing” in global configuration mode to enable IPv6 routing.

The second command which we will issue in the global configuration mode is “ipv6 router ospf <process_ID>”

In OSPFv3, link-local addresses are used to carry OSPF messages. OSPF runs on the interfaces, and we do not configure network statements.

In OSPFv3, we still use an IPv4-format router ID, which we configure in the router ospf configuration mode.

Router(config-rtr)#router-id <ipv4_router_ID>

NOTE: for OSPFv3 to work, this series of commands must be configured first.

The commands we have just discussed are shown below for the three routers.

Step 3

The third step is to enable OSPFv3 on the interfaces.

Unlike OSPFv2 (OSPF for IPv4), where networks are advertised with network statements under the router process, in OSPFv3 we enable the protocol directly on each interface. This is an important new feature; in essence, we no longer need passive interfaces.

To advertise networks in OSPFv3, we need to go into the interface configuration mode and enter this command.

Router(config-if)#ipv6 ospf <process_ID> area <area_ID>

In this case, this is the only command we need to advertise networks in OSPFv3. The commands we use in our scenario are shown below.

With this we have configured OSPFv3 in a single area. This we can verify using the show command shown below.

show ipv6 ospf neighbor

This command can be used to view the neighbor relationships in OSPFv3. As shown above, R1 has formed two neighbor adjacencies, as expected.

show ipv6 ospf database

This command will show the “map” that OSPF has and all the routes that it knows.

The last command we will look at is the show ipv6 route command.

show ipv6 route

As in IPv4 this command will show us all the routes that a router knows of.

As you can see from the output below for R3, all the OSPF routes are marked as well as all other routes on this router.

In the next section we will configure OSPFv3 in a multi-area scenario.

OSPFv3 multi-area

In this scenario, we are going to configure multi-area OSPFv3 according to the topology diagram shown above.

In this scenario, the configuration is almost identical to that of single-area OSPFv3; the only difference is that we will be advertising the interfaces in different areas. This is shown in the table below for the three routers.

REMEMBER: when implementing OSPF multi-area at least 1 router must have an interface in Area 0.

To verify the routes, we will use the show ipv6 route command on R3 as shown below.

As you can see from the output above, the OSPF routes are in the routing table, including the inter-area routes marked “OI”.

With the configuration of OSPFv3, we have come to the end of this chapter on IPv6.

Summary

In this chapter, we have looked at IPv6 concepts. We started by discussing why we need IPv6, then looked at IPv6 addressing concepts, then configured dual stack and saw that it means running both IPv4 and IPv6. Next we configured IPv6 static routes and a static default route. This was followed by configuring OSPFv3, which is the IPv6 version of OSPF.

In this course, we have looked at all the areas that you as a CCNA should know. This course is meant to help you in your journey towards gaining the CCNA certification. To be better prepared, study this material repeatedly, follow along as I do the lab configurations, and where you go wrong, take a moment to review what may have gone wrong.

Along with this course material, you will be provided with labs on all the chapters in the CCNA curriculum. Good luck.

IP Services

Overview

In the previous chapter, we learnt how NAT is important in helping devices in a network access the internet; we also looked at DHCP and how it helps in automatic IP configuration on hosts, as well as the use of ACLs in filtering traffic in our networks. In this chapter, we will look at other IP services that you need to know as a CCNA. We will look at high availability using HSRP, VRRP and GLBP, then NTP and syslog, and finally we will look at CDP and how it can be used in a network.

High availability (HSRP, VRRP, GLBP)

Introduction

First hop redundancy protocols (FHRPs) will be the first IP service that we discuss in this chapter. We will discuss and configure HSRP (Hot Standby Routing Protocol), which will help us learn about the two other FHRPs, VRRP and GLBP.

Picture the scenario shown below. In this network topology, PC A has been connected to the switch. There are two routers that access the internet. In this case, the PC has been configured with a default gateway that helps it access the WAN, which is the LAN interface on R1. The problem is: what if the interface on R1 goes down? Does this mean that this PC will not be able to access the internet?

FHRPs are the solution to these problems. These protocols allow PC A to switch over to the other gateway when a gateway goes down. There are several questions that can be asked when it comes to redundancy as shown below.

  • The speed at which this can happen
  • How do clients respond to this
  • Any ARP issues

The list below shows the characteristics of the three protocols.

HSRP

This was the first gateway redundancy protocol and it is Cisco proprietary. HSRP has two timers: a hello timer (hellos are sent out every 3 seconds by default) and a hold timer of 10 seconds.

VRRP

This protocol was introduced in 1999 by the IETF and is the industry standard. VRRP has improved timers: 1 second for the hello timer and three seconds for the hold timer.

GLBP

In 2005, Cisco introduced GLBP; in addition to faster timers, it improved on HSRP by allowing load balancing across up to 4 gateway routers.

In the next section we will discuss and configure each of the three protocols using the topology we had as our example.

HSRP

When using HSRP, the routers’ interfaces in this scenario are configured with different IP addresses, as shown in the diagram.

The HSRP configuration involves putting the two gateways into a standby group; once this is done, a virtual IP address and MAC address can be created.

The virtual IP address and MAC address are then what PC A’s interface uses to reach its gateway.

In this case, the virtual IP address and MAC address will be used by both routers. This means that if R1 is the active gateway, PC A will send data to the virtual IP address and R1 will forward it. If R1 goes down, the administrator does not have to change the configuration on PC A by changing its gateway; rather, the routers will change the active router from R1 to R2 and the virtual IP and MAC address will still be in use.

Configuring HSRP

In this section we will configure HSRP and verify whether redundancy will occur when a router goes down.

The first step is to assign IP addresses to the routers’ Fast Ethernet interfaces that are connected to the switch. This is done using the ip address command, as shown below.

On the PC, we have used the IP address 192.168.1.100/24 with the default gateway 192.168.1.1.

NOTE: the default gateway is not yet active, and therefore we cannot ping devices on remote networks.

The second step is to define the virtual router options.

Virtual router

A virtual router in an HSRP group has a virtual IP address and a virtual MAC address.

The HSRP MAC address has only one variable piece in it. The first 24 bits still identify the vendor who manufactured the device (the organizationally unique identifier, or OUI). The next 16 bits in the address tell us that the MAC address is a well-known HSRP MAC address. Finally, the last 8 bits of the address are the hexadecimal representation of the HSRP group number.

The figure below shows these values:

0000.0c07.ac01

To configure HSRP, we use the command “standby” in the interface configuration mode. The command structure is shown below:


In this case, we will use the IP address 192.168.1.1 as the gateway IP, and this is the one we will include in the standby configuration, as shown below for R1 and R2.

These are all the commands that are needed to configure HSRP. To verify it, we will use the extended ping command on PC A as well as the various show commands on the two routers.

The extended ping command on a PC should show how many pings are missed when you disconnect one of the interfaces.

That is, to verify HSRP operation using extended ping, take the following steps.

1. Run the command “ping <ip address> -t” on a Windows™ PC; this will show ping statistics continuously.

2. Disconnect the interface on R1 that is connected to the switch.

3. Observe how many pings are missed between this time.

The command “show standby” (or the shorter “show standby brief”) is used to verify the operation of HSRP. As you can see from the output below, it shows the interface running HSRP, the group number, the local router's state (Active, Standby, Listen and so on), the number of state changes, the virtual IP address, the virtual MAC address, the timers and other HSRP statistics.

NOTE: there are many other commands that can be used to configure and modify HSRP; these are covered at CCNP level.
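A complete worked configuration for R1 and R2, added here as an example; it is not the page's own configuration. HSRP group 1 and the virtual address 192.168.1.1 come from the text above, while the physical addresses 192.168.1.2 and 192.168.1.3, the FastEthernet0/0 interface name, the priority value and the key string are assumptions. HSRP is unauthenticated by default, so any device on the same segment that sends hellos with a higher priority becomes the active router and receives the hosts' traffic; the example therefore enables MD5 authentication on both routers.

```cisco
! R1 - intended active router (priority 110 beats R2's default of 100)
! Physical address 192.168.1.2 is an assumption; 192.168.1.1 is the HSRP virtual IP
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 standby 1 ip 192.168.1.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-string Hsrp-Lab-Key1
 no shutdown

! R2 - standby router (default priority 100); same group, same virtual IP, same key
! Physical address 192.168.1.3 is an assumption
interface FastEthernet0/0
 ip address 192.168.1.3 255.255.255.0
 standby 1 ip 192.168.1.1
 standby 1 preempt
 standby 1 authentication md5 key-string Hsrp-Lab-Key1
 no shutdown

! Verification (run on both routers)
! "show standby brief" gives one line per interface: group, priority, state
! (Active/Standby), active and standby router addresses and the virtual IP
show standby brief
! "show standby" adds the virtual MAC (0000.0c07.ac01 for group 1), the timers,
! the authentication mode and the number of state changes
show standby FastEthernet0/0
```

Pull the cable from R1's FastEthernet0/0 while the continuous ping is running: R2 moves from Standby to Active once the hold time expires, and because both routers are configured with preempt, R1 takes the Active role back as soon as its interface returns. If the two routers do not agree on the key string they never see each other's hellos and both become Active, which shows up as duplicate-address symptoms on the LAN, so check the authentication line in “show standby” first whenever the states look wrong.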

VRRP

VRRP (Virtual Router Redundancy Protocol) is the open IETF standard equivalent of HSRP, first published as RFC 2338 in 1998 (the current version, VRRPv3, is RFC 5798). It uses a master/backup model and a default advertisement interval of 1 second, which gives faster failover than HSRP's default 3 second hello.

In this course we will not configure VRRP, since it is discussed in more detail in the CCNP level.

GLBP

Cisco designed a proprietary load-balancing protocol, Gateway Load Balancing Protocol (GLBP), to allow automatic selection and simultaneous use of multiple available gateways, as well as automatic failover between those gateways.

NOTE: Configuring GLBP is not in the scope of CCNA and it is covered extensively in CCNP, however, you need to understand how it works for real world situations and as such you are advised to read more on GLBP.

NTP

NTP (Network Time Protocol) synchronizes the clocks of your network devices with a reference time source.

Correct, consistent time across the network is important:

  • Correct time allows events in the network to be placed in the right order.
  • Clock synchronization is critical for the correct interpretation and correlation of syslog data from different devices.
  • Clock synchronization is critical for digital certificates, which are only valid between a start and an end time.

To make sure all devices are synchronized with the same time information, we’ll configure our devices to receive the accurate time information from a centralized server.

NTP configuration

In CCNA, you are only expected to configure NTP in client mode. To do this, we specify the address of the NTP server, as shown below for our scenario.

There is only one command needed to configure an NTP client. We specify the IP address of the NTP server using the command:

The show clock command on R1 before and after we configure this command is shown below.

To verify that we are receiving the correct time, we use the command: show ntp status as shown below.
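An added example of the client-side configuration and its verification; these are not the page's own commands. The server address 192.168.1.50 and the key string are assumptions. The authentication lines go beyond what CCNA requires, but without them the router accepts any reply that appears to come from the server's address, so they are shown as the default a practitioner would apply.

```cisco
! NTP client on R1. Server address and key string are assumptions.
! Keep the clock in UTC so timestamps from different sites compare directly
clock timezone UTC 0
! Authenticate the time source (optional for CCNA, recommended in practice)
ntp authenticate
ntp authentication-key 1 md5 Ntp-Lab-Key1
ntp trusted-key 1
! The one command CCNA requires; "key 1" ties the server to the trusted key above
ntp server 192.168.1.50 key 1
! Put synchronised timestamps on syslog and debug output
service timestamps log datetime msec show-timezone
service timestamps debug datetime msec show-timezone

! Verification
show clock
! Expect "Clock is synchronized, stratum N, reference is 192.168.1.50";
! "Clock is unsynchronized" means no valid reply has been accepted yet
show ntp status
! The selected server is flagged with * (sys.peer); ~ marks a configured server
show ntp associations
```

Synchronisation is not instant: the client needs several exchanges before “show ntp status” reports a synchronized clock, so wait a few minutes before concluding that the server is unreachable. If the status stays unsynchronized with authentication enabled, check that both ends use the same key number and string; an authentication mismatch fails silently.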

SYSLOG

You may have noticed messages that appear in the CLI after executing certain commands. An example is shown below.

These are syslog messages. Syslog allows you to view, save, search and filter these messages, which helps when troubleshooting.

The system message format can be broken down in this way:

The severity of the message ranges from 0 to 7 and the table below shows the meaning of each number.

NOTE: the importance or severity decreases, i.e. 0 is the most severe while 7 is the least severe. You must understand these codes for not only your CCNA certification exams but also when troubleshooting in real world scenarios.

In this course, we will configure the syslog trap option.

The trap level filters the messages that the router sends to a remote syslog server (configured with the “logging host” command). The level we configure is the least severe level that will be sent: messages at that level and at every more severe level are forwarded, and everything less severe is dropped.

To configure the trap level, we use the command “logging trap <severity>” in global configuration mode. This is shown below.


In this example, when we configure the trap level as errors (3), the syslog server will receive only error messages and more severe messages, i.e. emergency, alert, critical and error messages.
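An added example that shows the trap level alongside the other logging destinations it is often confused with; it is not the page's configuration. The syslog host 192.168.1.50 and the source interface are assumptions.

```cisco
! Timestamps and sequence numbers make messages from several devices correlatable
service timestamps log datetime msec show-timezone
service sequence-numbers
! Local buffer: 64 KB, informational (6) and more severe
logging buffered 65536 informational
! Remote syslog host (assumed address), always sourced from the same interface so
! the collector can key on a stable address
logging host 192.168.1.50
logging source-interface FastEthernet0/0
! Trap level: only errors (3) and more severe reach the syslog host
logging trap errors
! Console: warnings (4) and above, so a flapping interface does not flood the terminal
logging console warnings
! Review which level is in force per destination and what the buffer has collected
show logging
```

The trap, console and buffer levels are independent, which is why a message can be visible in “show logging” yet never arrive at the collector. Messages to the syslog host are sent over UDP port 514 in clear text by default, so place the collector on a management network rather than on a user segment, and confirm with “show logging” that the Trap logging line reports level errors.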

CDP

The final protocol we will look at is CDP.

CDP (Cisco Discovery Protocol) is a Cisco proprietary protocol that is enabled by default on Cisco devices and is used to discover other directly connected Cisco devices in the network.

With CDP, you can get information about the neighbour's hostname, hardware platform, software version, capabilities, addresses and the interfaces at both ends of the link, all of which is useful in troubleshooting.

CDP works at layer 2, so the only thing needed for CDP to work is an enabled interface on a Cisco device; no IP configuration is required. Because the same information is handed to anyone who plugs into a CDP-enabled interface, CDP is normally disabled on interfaces that face untrusted networks or end users who do not need it.

In the figure shown below, we will use CDP to identify the various devices in the network as well as their capabilities and ports. From this information, we will be able to draw the network topology.

To demonstrate CDP, we will mainly use the “show cdp neighbors” command. Its output tells us, for each neighbour, which local port it is connected to, what type of device it is and which of its ports is used at the far end.

show cdp neighbors

The “show cdp neighbors” command can be used to verify various things on a Cisco device. As shown in the output below, it lists

  • the device ID, i.e. the hostname of the connected device
  • the local interface, i.e. the interface on this device that the neighbour is connected to
  • the capability, i.e. the device type at the other end; R is router and S is switch
  • the platform, i.e. the hardware model of the remote device
  • the port ID, i.e. the interface at the other end of the link.

The first device we will check is R1. The show cdp neighbors output on this device is shown below.

Based on this output, this is what we can gather:

  1. R1 is connected to R2 via its serial interface 0/2/2; R2 is a C2800 series router and uses serial 0/0/0 to connect to R1
  2. R1 is connected to R4 via its serial interface 0/2/0; R4 is a C2900 series router and uses serial 0/3/0 to connect to R1
  3. R1 is connected to R3 via its gigabit interface 0/0; R3 is a C1841 series router and uses fast Ethernet 0/0 to connect to R1

Next we can view the output on R2

From this, we can tell that:

R1 is a C2900 router.

We also know that S5 connects to fa0/0 on this router and that S5 is a 3560 switch.

The output on R3 shows the following.

From this output, we know that this router also connects to R1 and S5: to S5 using port fa0/1 and to R1 using port fa0/0.

Based on these commands, we now know the platforms of all four routers as well as the ports that interconnect them. This is shown in the table below.

From this information we can begin visualizing the connections and draw them out. This is shown below.

We can now continue this process on the switches.

First we use this command on S5.

From the output, we can tell that:

  • S5 is connected to R2 using fa0/1 to R2’s fa0/0
  • S5 is connected to R3 using fa0/2 to R3’s fa0/1
  • S5 is connected to a 2950 switch (S4) on its fa0/3 interface; on S4 the interface connecting to S5 is fa0/1
  • S5 is connected to a 2960 switch (S2) on its fa0/24 interface; on S2 the interface connecting to S5 is gig1/1
  • S5 is connected to a 2960 switch (S3) on its gig0/1 interface; on S3 the interface connecting to S5 is gig1/1

We next view the output of show cdp neighbors on S1

From this output, we can tell:

  • S1 is connected to S4 via fa0/2 to S4’s fa0/2
  • S1 is connected to S3 via fa0/3 to S3’s fa0/1

The output on S2 shows:

From this output, we can tell:

  • S2 is connected to S5 via gig1/1 to S5’s fa0/24
  • S2 is connected to S3 via fa0/1 to S3’s fa0/2

The output on S3 shows:

From this output, we can tell:

  • S3 is connected to S5 via gig1/1 to S5’s gig0/1
  • S3 is connected to S1 via fa0/1 to S1’s fa0/3
  • S3 is connected to S2 via fa0/2 to S2’s fa0/1

The output on S4 shows:

From this output, we can tell:

  • S4 is connected to S5 via fa0/1 to S5’s fa0/3
  • S4 is connected to S1 via fa0/2 to S1’s fa0/2

Now that we have the full picture, we know the following.

Based on this information we can now complete our topology as shown in the diagram below.

The lab we just finished shows how we can use CDP to learn about the devices that are directly connected to ours.

REMEMBER: CDP is Cisco proprietary and it is on by default. You only need to enable the interfaces with the “no shutdown” command.

NOTE: CDP is a very important protocol. In the CCNA exams you may be asked to identify the devices in a topology from the output of this command, so be sure to understand how it works and how to interpret the show cdp neighbors output.
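An added example, not the page's own lab commands, that pairs the discovery command with the hardening a practitioner applies afterwards. The interface name FastEthernet0/5 is an assumption.

```cisco
! Discovery: one line per neighbour (Device ID, Local Intrfce, Holdtme,
! Capability, Platform, Port ID)
show cdp neighbors
! Detail adds the neighbour's management IP address and full IOS version string
show cdp neighbors detail

! That detail is also handed to anyone who plugs into a CDP-enabled port, so turn
! CDP off on ports facing users or untrusted networks (interface is an assumption).
! Leave it on inter-switch and router links, where it is useful for troubleshooting,
! and on access ports that carry Cisco IP phones, which rely on it for the voice VLAN.
interface FastEthernet0/5
 no cdp enable

! Check where CDP is still active
show cdp interface
! If CDP is not needed anywhere on the device, disable it globally instead
! no cdp run
```

Run “show cdp neighbors” on both ends of every link when drawing a topology: each device only sees its directly connected neighbours, so the table for the whole network is the union of the per-device outputs, as the walk through R1 to S4 above shows.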

Summary

In this chapter, we have looked at other IP services and IOS protocols that we can use in our networks. We looked at first hop redundancy and discussed how HSRP, VRRP and GLBP give our hosts gateway redundancy, we then looked at NTP and syslog, and finally we learnt how to use CDP to identify the Cisco devices in our networks.

In the next chapter, we will look at IPv6.

NAT (Network Address Translation)

Overview

In the previous chapter, we saw how DHCP is useful in assigning IP addresses to hosts in a network. In this chapter, we will look at another important IP service that helps hosts access the internet. We will learn how NAT operates with IPv4, and then configure and troubleshoot NAT.

NAT in today’s networks

In previous topics, we learnt about IPv4 addressing and how to address network devices. We also learnt that there are different types of IPv4 addresses, such as the private addresses defined in RFC 1918.

There are 2^32 IPv4 addresses, which is 4 294 967 296 (about four billion). However, many of these are reserved for special purposes, and the pool of unallocated public IPv4 addresses has been effectively exhausted.

The ranges of private addresses defined by RFC 1918 are:

  • 10.0.0.0 – 10.255.255.255 (10.0.0.0/8)
  • 172.16.0.0 – 172.31.255.255 (172.16.0.0/12)
  • 192.168.0.0 – 192.168.255.255 (192.168.0.0/16)

These IPv4 addresses are reserved for private networks and are not routed on the public internet.

The need to connect to the internet presents us with a problem. We cannot use private IPv4 addresses on the internet, and at the same time the number of public IPv4 addresses is limited. Therefore, we need a way for hosts in our network that have been assigned private IPv4 addresses to access the internet.

NAT (Network Address Translation) is our solution to this problem. With NAT, an enterprise can use a small number of public IPv4 addresses to access the internet even if it has many hosts with private IPv4 addresses.

What is NAT?

Take the analogy of an office receptionist. In company ABC, there are 10 employees, including the receptionist. Each employee has a desk and a phone used for internal communication between employees; this phone system is routed through a PBX. The receptionist has an outside line that is used to communicate with people externally.

When an employee wants to call a client or a partner organization, the call is routed through the receptionist’s desk and forwarded over the outside line. It is unlikely that all the employees will want to make external calls at the same time, so this solution is efficient and saves the company money.

NAT, works like the receptionist. The figure below shows NAT operation.

In this scenario, there are two networks that are connected by the stub router.

The network in which PC 1 sits is a stub network: devices in it can reach outside resources only through the stub router.

When PC 1 wants to access a website (red arrow), it sends the packet to the stub router. When the router receives the packet, NAT rewrites its source address into one that can be routed on the internet (magenta arrow), and the packet is forwarded.

When the reply comes back, NAT on the stub router looks up the translation it created for the outgoing packet, rewrites the destination address back to PC 1’s private address and forwards the packet to PC 1.

NOTE: NAT works by translating the RFC 1918 private IPv4 addresses we use in our internal networks into public IPv4 addresses that can be routed over the internet. As a side effect, hosts behind dynamic NAT cannot be reached from the internet unless a translation already exists, which hides the internal addressing. This is not a replacement for a firewall: NAT makes no decision about which traffic should be permitted.

NAT terminology

The figure shown below demonstrates the terminology used when we configure NAT. In this scenario, R1 is configured for NAT; this means that it holds public IPv4 addresses that it uses on behalf of PC1 and the other inside hosts when they access the internet.

Inside local address – the private (RFC 1918) IPv4 address configured on a host in the internal network, as seen from the inside.

Inside global address – the public IPv4 address that represents an inside host on the internet. In our scenario, PC1 appears on the internet as 14.132.1.3.

Outside global address – the public IPv4 address of a host on the internet, as seen from the outside. In this scenario, the address configured on the web server is an outside global address.

Outside local address – the address of an outside host as it appears to the inside network. Unless outside addresses are also translated, which is unusual, it is identical to the outside global address.

Dynamic Mapping and Static Mapping

There are two types of NAT translation: dynamic and static.

  • In dynamic NAT, the router is configured with a pool of public IPv4 addresses. When an inside host sends traffic towards the internet, the router takes an available address from the pool, creates a translation for that host and releases the address back to the pool when the translation times out.
  • Static NAT maps one inside local address to one public IPv4 address permanently. It is typically used for servers that must be reachable from the outside at a fixed address, such as a web server.

NAT Overload

NAT overloading, also known as PAT (Port Address Translation), maps many private IPv4 addresses to significantly fewer public IPv4 addresses. We may have 100 private IPv4 addresses mapped to 2 public IPv4 addresses, or even to a single one.

In NAT overload, the router tracks each TCP or UDP session by its source address and source port. When addresses are translated, all inside hosts are given the same public IPv4 address, and the router keeps the original source port or, if that port is already in use by another translation, rewrites it, so that every session has a unique inside global address and port pair. When the router gets the reply from the internet, it uses the destination port to match the packet to the correct inside host and session.

The diagram below shows how this works.

From the figure, PC 1 and PC 2 both want to use the internet. PC 1 sends an HTTP request to 100.89.33.61, while PC 2 sends a request to the HTTPS server at 32.156.1.3. When the router receives these packets, NAT records each packet’s source address and port in its translation table, rewrites the source address to the single inside global address and, if the two hosts happened to choose the same source port, rewrites one of the ports so that the two streams remain distinguishable.

When the HTTP and HTTPS servers reply, they send to the inside global address and to the (possibly translated) port. When R1 receives each reply, it looks the destination port up in the translation table, finds the inside local address and original port, and forwards the packet to the right PC.

Benefits and drawbacks

Some of the benefits of NAT include:

  • NAT has slowed the exhaustion of IPv4 addresses: organizations use private addressing internally and need only a few public IPv4 addresses to reach the internet.
  • NAT gives flexibility in addressing internal networks, because the same RFC 1918 ranges can be used in any organization independently of the public addresses its ISP assigns.
  • NAT hides internal addressing. Hosts behind dynamic NAT or PAT are not directly reachable from the internet, because inbound packets without a matching translation entry are dropped. This is a side effect rather than an access-control mechanism, so it does not remove the need for a firewall.

Although NAT is beneficial and is largely responsible for the survival of IPv4, it does have some drawbacks.

  • NAT adds processing to every packet: the router must rewrite addresses (and, for PAT, ports) in the headers and recompute the IP and TCP/UDP checksums, which adds latency and load compared with plain forwarding.
  • NAT breaks end-to-end addressing. Applications that embed IP addresses inside the payload, or that need a host on the internet to initiate the connection to an inside host, do not work without extra configuration such as static mappings or application-level gateways.
  • The use of some VPN protocols is made difficult because NAT modifies values they protect. IPsec AH, for example, authenticates the IP header including the addresses and therefore fails through NAT, and ESP needs NAT traversal (UDP encapsulation) to work reliably.

NAT configuration

Static

With static NAT, external devices can initiate communication to an inside local address. For example, if you have a web server in your internal network, static NAT lets hosts on the internet reach it by permanently mapping the server’s internal IPv4 address to a public IPv4 address.

In the scenario shown below, the web server is located in our local network. Users in external networks want to access websites on this web server, so static NAT is used.

The configuration of static NAT is not complicated. The network administrator specifies the inside local address that should be translated and maps it to an inside global (public) IPv4 address, then marks the inside interface and the outside interface.

The commands needed to accomplish this are shown below.

Step 1. Mapping of the inside IPv4 address to the public IPv4 address:


In this scenario:


Step 2. Identify the inside interface and the outside interface with the command “ip nat <inside|outside>” on the appropriate interfaces. The inside interface in this case is the fa0/0 interface connected to the HTTP server, while the outside interface is s0/0/0 on R1.

This is shown below.


In this scenario, the router will translate packets from the private address 192.168.1.2 into the public address 14.100.12.1. Hosts on the internet send their web requests to the public address, never to the private one; the router rewrites the destination to 192.168.1.2 and forwards the traffic to the web server.

The commands “show ip nat statistics” and “show ip nat translations” show the NAT statistics and the translations that have occurred for the configured mapping. The output of these two commands is shown below.

As you can see from the output above, the total number of translations is shown as 5, and the individual translations are listed by “show ip nat translations”. We will discuss this command in more detail at a later stage.
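A complete configuration for the static NAT scenario above, added as an example; these are not the page's own commands. The addresses 192.168.1.2 and 14.100.12.1 and the interface roles come from the text, while the interface IP addresses are assumptions (14.100.12.0/24 is treated as the outside segment, as the text does). It also shows the port-level mapping a practitioner prefers for a server that only needs one service exposed.

```cisco
! Interfaces and their NAT roles. Interface addresses are assumptions.
interface FastEthernet0/0
 description Inside LAN with web server 192.168.1.2
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no shutdown
interface Serial0/0/0
 description Outside link towards the internet
 ip address 14.100.12.254 255.255.255.0
 ip nat outside
 no shutdown

! Step 1 as in the text: whole-host static mapping. Every port on 192.168.1.2
! becomes reachable from the internet via 14.100.12.1.
ip nat inside source static 192.168.1.2 14.100.12.1

! Tighter alternative: expose only the web service. Remove the whole-host entry
! first, because the two mappings overlap.
no ip nat inside source static 192.168.1.2 14.100.12.1
ip nat inside source static tcp 192.168.1.2 80 14.100.12.1 80

! Verification. A static entry is listed even before any traffic flows, and the
! statistics output counts it under "Total active translations" as static.
show ip nat translations
show ip nat statistics
```

The port-level form still needs a firewall or ACL in front of it, but it shrinks what the internet can reach from every service on the server to a single TCP port, and any other port on 14.100.12.1 simply has no translation and is dropped.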

Dynamic NAT

With static NAT, we map one inside local address to one inside global address so that hosts on public networks can reach a device in the internal network. With dynamic NAT, inside local addresses are translated on demand to inside global addresses taken from a pool, so that internal hosts can access resources on the internet; the mapping exists only while the host is communicating.

In dynamic NAT, we need to specify which IP addresses should be translated using an ACL. In the scenario shown below, we are supposed to translate only the network A connected to PC 1 and ignore network B.

The steps involved in dynamic NAT configuration include:

  1. Create a pool of public ip addresses that we will map private ip addresses to.
  2. Create an access list to permit the ip addresses that we want to be translated
  3. Bind the nat pool to the access list
  4. Apply the NAT configuration to the interfaces.

Step 1. Create a pool

The NAT pool is created with the command “ip nat pool”. The structure of this command is shown below, followed by the command used on our internet gateway router.



Step 2. Access list

This access list will specify the ip addresses in the internal networks that should be translated by NAT.


Step 3. Bind the access list to NAT

This command is used to bind the access list that we just created to the NAT pool. The command structure is shown below.

On our router this is shown below.


Step 4. Apply NAT to the inside and outside interfaces.

These commands are used to specify the inside and outside interfaces.

NOTE: configuring NAT is one of the most important aspects of the CCNA simulation exams as well as of real world networks, so you should practice NAT often in order to understand it fully. It is wise to have an internet connection in the lab and to use real devices.

NAT overload

In the above scenario, we used a NAT pool consisting of many IP addresses. However, the ISP will not always give you a range of addresses; often you get a single one. In that case you need to configure NAT overload.

The commands needed to configure NAT overload are almost the same, so we only show the commands that differ.

The NAT pool may contain just a few IP addresses or even one. Note that the netmask (or prefix-length) keyword is still required in the “ip nat pool” command and cannot be left out. If the only public address you have is the one on the outside interface, you can skip the pool altogether and overload that interface’s address directly. The pool form is shown below.

The above example shows a NAT pool named NAT_OVERLOAD that has only 4 public IP addresses.

The final step in configuring NAT overload is binding the access list to the NAT pool; in this scenario you add the “overload” keyword at the end of the command, as shown below.
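A worked configuration that serves both the dynamic NAT steps above and the overload variant, added as an example; these are not the page's own commands. The pool name NAT_OVERLOAD and its four addresses follow the text, while the specific range 14.100.12.10 to 14.100.12.13, the inside networks 192.168.1.0/24 (network A) and 192.168.2.0/24 (network B) and the interface names are assumptions.

```cisco
! Step 4 of the dynamic NAT procedure: mark inside and outside interfaces.
! Both LANs are inside; the access list decides which of them is translated.
interface FastEthernet0/0
 description Network A - translated
 ip nat inside
interface FastEthernet0/1
 description Network B - not translated
 ip nat inside
interface Serial0/0/0
 description Outside link towards the internet
 ip nat outside

! Step 1: the pool. netmask (or prefix-length) is required even for one address.
ip nat pool NAT_OVERLOAD 14.100.12.10 14.100.12.13 netmask 255.255.255.0

! Step 2: a standard ACL listing only the inside local addresses to translate.
! Network A matches; 192.168.2.0/24 falls to the implicit deny and is left alone.
! Never use "permit any" here, or every source will be translated.
ip access-list standard NAT_INSIDE
 permit 192.168.1.0 0.0.0.255

! Step 3: bind the ACL to the pool. Without "overload" this is plain dynamic NAT:
! only four hosts can hold translations at once and the fifth is dropped until an
! entry times out. With "overload" many hosts share the four addresses via ports.
ip nat inside source list NAT_INSIDE pool NAT_OVERLOAD overload

! Single public address on the outside interface: no pool needed at all
! ip nat inside source list NAT_INSIDE interface Serial0/0/0 overload

! Verification
show ip nat translations
show ip nat statistics
```

The only difference between the dynamic NAT lab and the overload lab is the final keyword on the bind command, so when testing, remove it and generate traffic from more hosts than the pool has addresses to see the difference: without overload the statistics output shows misses climbing while the extra hosts get no connectivity.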


NOTE: You should be very careful when configuring NAT overload. And following this guide as well as more labs will help.

Verifying and troubleshooting NAT

It is important to verify NAT operation. There are several useful router commands to view and clear NAT translations.

show ip nat translations

In the output shown below, the NAT translations are listed. In our scenario, NAT has translated four inside local addresses to inside global addresses. This command verifies that NAT is actually mapping private IPv4 addresses to public IPv4 addresses.

As you can see from the output above, the inside local addresses are being translated to inside global addresses that can traverse the internet.

This command is useful when you want to verify that the NAT configuration is working and that inside local IP addresses are being translated.

Show ip nat statistics

This command shows the number of translations NAT has carried out, the inside and outside interfaces, the pool and access list in use, the number of addresses in the pool and how many of them are allocated, and counters such as hits, misses and expired translations. As you can see from the output above, only one IPv4 address from the NAT pool has been allocated to an inside host.

Troubleshooting NAT using debug

In some cases, hosts in the internal network cannot reach the internet, and NAT is a common cause. Troubleshooting NAT is therefore critical to restoring internet connectivity, either by fixing the translation or by ruling NAT out as the cause. The steps below are used to troubleshoot and verify NAT operation.

Step 1. Identify and define the purpose of NAT in your network, and review whether the configuration (inside and outside interfaces, access list, pool or static mappings) matches that purpose.

Step 2. Verify the translations with “show ip nat translations” to check that the correct inside local addresses are being translated into inside global addresses.

Step 3. Clear the dynamic translation table so that stale entries do not mask the problem, then generate new traffic from an inside host.

Step 4. Watch the translations as they are created with the “debug ip nat” command.

In the second and third lines of the output (highlighted in red), you can see that the host with inside local address 192.168.1.2 sent traffic to a host on the internet with the public IPv4 address 14.100.12.2, and that its source address was translated to 14.100.12.3. The host 14.100.12.2 replied to 14.100.12.3, which was translated back to 192.168.1.2. This shows a successful NAT translation.

The meaning of the various status messages and values is shown below.


NOTE: troubleshooting NAT is an important part of finding out why an internet connection is not working, and following these steps will help you verify and troubleshoot it. Always turn off debugging when you are done, since debug output consumes CPU on the router and, on a busy router, can itself cause an outage.
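The four steps as they are typed on the router, added as an example; this is not output from the page's lab. The inside host 192.168.1.2 and the outside host 14.100.12.2 are the addresses the text uses above.

```cisco
! Step 2: what is being translated right now?
show ip nat translations
show ip nat statistics

! Step 3: drop all dynamic entries so stale translations cannot mask the fault.
! Static mappings are not affected by this command.
clear ip nat translation *

! Step 4: watch new translations being created. On a vty (telnet/SSH) session
! "terminal monitor" is required to see debug output at all.
terminal monitor
debug ip nat
! Now generate traffic from the inside host, e.g. ping 14.100.12.2 from 192.168.1.2.
! Outbound packets log as  NAT: s=192.168.1.2->14.100.12.3, d=14.100.12.2
! and the replies as       NAT*: s=14.100.12.2, d=14.100.12.3->192.168.1.2
! (the asterisk marks a packet handled in the fast path).
! Stop debugging as soon as the question is answered
undebug all

! If nothing at all is translated, check the building blocks
show ip interface brief
show running-config | include ip nat
show access-lists
```

If “debug ip nat” stays silent while the host sends traffic, the packet is not entering a NAT-enabled interface or is not matched by the access list; the last three commands show which. A translation that is created but never answered points away from NAT and towards routing or the far end.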

Summary

In this chapter, we have looked at the role of NAT in the network. We discussed private and public IPv4 addresses and saw that private IPv4 addresses cannot be used on the internet. Then we discussed what NAT is and looked at the terminology. We then looked at the ways we can implement NAT and configured static and dynamic NAT, and finished with the verification and troubleshooting of NAT.

In the next chapter, we will look at other IP services and Cisco IOS features that are important in the network. We will consider first hop redundancy for hosts by discussing HSRP, VRRP and GLBP, and then look at syslog, NTP and CDP.

DHCP (Dynamic Host Configuration Protocol)

Overview

IP addressing is an important job that network administrators have to accomplish. Configuring IP addresses on routers and other devices can be a challenge, especially when there are many devices. In this chapter, we will discuss DHCP, a solution for the IP addressing of hosts. We will look at DHCP concepts such as its operation, and then configure and troubleshoot DHCP.

DHCP

In our networks, all end user devices need an IP address to access the network. Static IP addresses are usually assigned to routers, management interfaces on switches, servers and other devices in the network which do not change location either physically or logically. Static IP addresses are also used to access and manage these devices remotely.

On the other hand, user devices such as computers, smartphones, IP phones and others are likely to change their locations either physically or logically. This means that assigning them static IP addresses would be an unviable solution.

DHCP is a protocol that was invented to address these problems. With DHCP, we can assign IP address information to user nodes automatically which saves on the administrative overhead that would be involved in assigning IP addressing information to clients statically.

Consider the network topology shown below.

In this network, there are two routers, 2 LANs and 100 user PCs in each network. Configuring IP addresses for the router interfaces would not be a daunting task, but can you imagine what it would be like to configure static IP addresses on each of the PCs. This would definitely be a daunting task.

The enormity of configuring all these IP addresses is increased by the possibility that these users could be in different locations. DHCP is a solution to these problems.

DHCP Operation

Assigning IP addressing information to user devices is one of the most important tasks performed by the DHCP servers in our networks. A server can allocate addresses in one of three ways:

  • Manual allocation – the network administrator reserves a specific IP address for a specific client (identified by its MAC address or client identifier) on the DHCP server, and the server always hands that address to that client.
  • Automatic allocation – the DHCP server picks a free address from its pool the first time a client asks and assigns it to that client permanently; it does not change unless the administrator reconfigures it.
  • Dynamic allocation – the administrator configures a pool of addresses that can be assigned to clients. A client requests IP addressing information from the server and is given an address and the other parameters for a limited time, the lease. When the lease expires and is not renewed, the address returns to the pool and the client has to request a new one.

In the CCNA course, we will learn about dynamic allocation of ip addresses, you will learn more on the other ways DHCP can assign ip addresses in more advanced courses.

When a PC is connected to a DHCP server, the DHCP server usually gives it IP addressing information. The PC can use the IP addressing information it has been assigned until the specified lease period expires.

The figure below demonstrates the DHCP process between a client and a DHCP server.

  1. DHCPDISCOVER

When the client boots up, it first sends a broadcast to discover whether there are any DHCP servers. Because the client does not have an IP address yet, it sends from 0.0.0.0 to the limited broadcast address 255.255.255.255.

  2. DHCPOFFER

When a DHCP server receives the discover message, it picks an IP address from its pool that it can lease to the client and records a tentative binding of that address to the client’s MAC address. It then offers this address, the lease time and the other parameters to the client in a DHCPOFFER message. The server addresses the offer to the client’s MAC address as a unicast, or broadcasts it if the client asked for that with the broadcast flag in its discover message. Several servers may answer, in which case the client receives several offers.

  3. DHCPREQUEST

The client picks one offer and sends a DHCPREQUEST. This message is a broadcast so that every server that made an offer learns which one was accepted; the chosen server sees that its offer was taken, and the others release the addresses they had offered. The request names the offered address and asks the server to confirm the lease.

  4. DHCPACK

When the chosen DHCP server receives the DHCPREQUEST, it confirms the lease, records the binding of the IP address to the client’s MAC address in its binding table and sends a DHCPACK to the client containing the final addressing information.

When the client receives the DHCPACK, it configures its interface with the addressing information. Before using the address, a client normally checks that no other host is already using it, for example with a gratuitous ARP, and sends a DHCPDECLINE to the server if it detects a conflict.

When configuring DHCP, there are four parameters that clients need before they can communicate fully on the network. These are the IP address, the subnet mask, the default gateway and the DNS server address.

The DHCP server usually assigns all this information to the client for a specific period of time.

In the next section, we will configure a DHCP server using a CISCO router and a few client PCs.

Configuring DHCP

In this configuration lab, we will configure a DHCP server using a CISCO router and see how it assigns addresses to clients as we discussed in the previous section.

The router’s interfaces as well as the HTTP server will be configured with static ip addresses. The HTTP server is also acting as the DNS server.

The topology shown below, consists of a single router, a switch, and a couple of host devices. In this lab, we will have 5 hosts which are PCs and a web server.

NOTE: in case you do not have all the devices that are needed, you may do with one or two hosts, or you may simulate this lab in a program such as packet tracer.

Configuration tasks

Step 1. Write down a range of IP addresses that should not be allocated by the DHCP server. In most cases these are the statically assigned IP addresses that have been configured.

Step 2. Create a pool of assignable IP addresses using the command “ip dhcp pool” in the global configuration mode.

Step 3. Configure the information that is needed in the pool, such as the default gateway, subnet mask, domain name.

In this lab, the ip addresses that have been statically assigned are shown in the table below. The router and the web server have also been configured with all other options and our task is to configure the tasks shown above.

The server is connected to the FastEthernet 0/1 interface on the switch and it has been configured with an ip address as shown above.

The first thing we need to do is verify whether the hosts have ip addresses and can ping the server. To verify ip address configuration, we use the command “ipconfig” on the PCs and as you can see from the output below, PC 1 does not have an ip address, subnet mask or default gateway.

This means that pings to the server will be unsuccessful as shown in the output below.

Step 1. Exclude ip addresses configured on the router’s interfaces, switch management interface and server from DHCP.

The devices we will exclude from participation in DHCP have been configured with static ip addresses. It is highly unlikely that these devices will be moved any time soon and also statically configured ip addresses on these devices helps in troubleshooting when there is a problem.

When configuring the DHCP pool, we need to specify the addresses that should not be leased out to clients in the network. These are the addresses that have been statically assigned to network devices such as router interfaces, switch management interfaces and servers. To exclude the statically configured IP addresses, we use the command shown below.

In this case:


This will ensure that the ip addresses shown above will not be in the DHCP pool.

NOTE: when excluding IP addresses, we should also account for expansion in the future.

Step 2. Create the DHCP pool

The DHCP pool contains all the addresses that can be assigned to hosts. In this case, we use the command:

When this command is executed, the prompt changes to the DHCP configuration mode which is denoted by the prompt shown below. In this mode, we can configure the DHCP parameters that we need:

In our scenario, this is shown below:

In this mode, we can configure more DHCP options such as defining the pool ip addresses, lease time and other options.

Step 3. Configure the specifics of the pool

The tasks we will configure in this lab are:


DHCP pool

The DHCP pool is the range of IP addresses that the hosts in the network can request. The command needed to configure the DHCP pool IP addresses is shown below.

In our scenario, this command is shown below.


Default gateway/default routers

The default gateway is used by hosts to deliver packets to remote networks; in this case the default gateway is the IP address that is configured on the router’s LAN interface. The command needed to configure the default routers in DHCP is:

In our lab this will be:


DNS server

The DNS server is used to resolve IP addresses to hostnames. The command needed to configure the DNS server is:

In our scenario, we have used the web server as the DNS server and the command we use is:

Lease time

The lease time specifies how long a client can have an ip address before it has to make a new request. The lease time is configured using the command:


In our scenario, this command will be as shown below.

This specifies that the clients will have to renew the DHCP configuration once every three days.

The commands we will use in our scenario to configure DHCP are shown below.
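The three-step procedure above (exclude the static addresses, create the pool, set its options and lease time), modelled as an added Python example rather than the lab's IOS commands; the 192.168.1.0/24 LAN, the excluded range 192.168.1.1 to 192.168.1.10 and the MAC addresses are constructed for the example.

```python
"""Added Python model of the lab's three DHCP steps; not the IOS commands of the
original lab. All addresses and MACs below are constructed for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Lease:
    ip: IPv4Address
    mac: str
    expires: datetime


@dataclass
class DhcpPool:
    """One 'ip dhcp pool' together with the options configured inside it."""
    name: str
    network: IPv4Network
    default_router: IPv4Address
    dns_server: IPv4Address
    lease: timedelta = timedelta(days=3)          # the lab uses a three-day lease
    excluded: list = field(default_factory=list)  # (low, high) inclusive ranges
    bindings: dict = field(default_factory=dict)  # mac -> Lease

    def exclude(self, low, high=None):
        """Step 1: the equivalent of 'ip dhcp excluded-address low [high]'."""
        low = IPv4Address(low)
        high = IPv4Address(high) if high else low
        self.excluded.append((low, high))

    def is_assignable(self, ip):
        """An address may be leased unless it falls in an excluded range."""
        return not any(lo <= ip <= hi for lo, hi in self.excluded)

    def expire(self, now):
        """Drop bindings whose lease time has run out without a renewal."""
        self.bindings = {m: l for m, l in self.bindings.items() if l.expires > now}

    def request(self, mac, now):
        """Handle a client request: renew its existing binding, or hand out the
        lowest free, non-excluded address. Returns the options the client gets."""
        self.expire(now)
        if mac in self.bindings:
            lease = self.bindings[mac]
            lease.expires = now + self.lease
        else:
            in_use = {l.ip for l in self.bindings.values()}
            for candidate in self.network.hosts():   # skips network/broadcast
                if self.is_assignable(candidate) and candidate not in in_use:
                    lease = Lease(candidate, mac, now + self.lease)
                    self.bindings[mac] = lease
                    break
            else:
                return None                          # pool exhausted
        return {"ip": str(lease.ip), "mask": str(self.network.netmask),
                "router": str(self.default_router), "dns": str(self.dns_server),
                "lease_seconds": int(self.lease.total_seconds())}

    def show_binding(self):
        """What 'show ip dhcp binding' would list: IP, MAC and lease expiry."""
        return sorted((str(l.ip), l.mac, l.expires.isoformat())
                      for l in self.bindings.values())


def run_lab():
    """Constructed scenario: LAN 192.168.1.0/24 with the router at .1, the switch
    management interface at .2 and the web/DNS server at .10, so everything up to
    .10 is excluded in step 1 (leaving room for a few more static devices)."""
    now = datetime(2020, 9, 1, 8, 0, 0)
    pool = DhcpPool("LAN", IPv4Network("192.168.1.0/24"),
                    default_router=IPv4Address("192.168.1.1"),
                    dns_server=IPv4Address("192.168.1.10"))
    pool.exclude("192.168.1.1", "192.168.1.10")
    pc1 = pool.request("0001.4211.aa01", now)                         # gets .11
    pc2 = pool.request("0001.4211.aa02", now)                         # gets .12
    pc1_renew = pool.request("0001.4211.aa01", now + timedelta(days=1))
    # Four days later neither client has renewed, both leases have lapsed and
    # the first free address is handed out again.
    pc3 = pool.request("0001.4211.aa03", now + timedelta(days=4))     # gets .11
    return pc1, pc2, pc1_renew, pc3, pool.show_binding()


if __name__ == "__main__":
    for offer in run_lab()[:4]:
        print(offer)
```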

Configuring DHCP on a client

On a DHCP client, we need to specify that the IP configuration will be obtained using DHCP. This is accomplished in the interface configuration on the client. This is the default behaviour of many PCs; however, you may need to verify it.

Verifying DHCP configuration

To verify the operation of DHCP on a router, use the “show ip dhcp binding” command. This command displays a list of all IP address to MAC address bindings that have been provided by the DHCP service as shown below.

To verify that messages are being received or sent by the router, use the “show ip dhcp server statistics” command. This command displays count information regarding the number of DHCP messages that have been sent and received. The output of this command on our router is shown below.

The command “show ip dhcp pool” will show the configured DHCP pools on the router as shown below.

Another good way to verify DHCP operation is by checking whether the clients in the network have obtained ip addresses and other configuration options in DHCP. The output of the “ipconfig” on PC 1 which did not have any ip address at the start of this lab is shown below.

As you can see from the output above, PC 1 now has ip configuration information. On windows PCs, using the command “ipconfig/all” will show the other configuration items.

DHCP relay

In many enterprises, the DHCP server will most likely not be the router; it will be located in a server farm. This is a problem for clients that need to obtain IP addresses, because DHCP discovery messages are broadcasts and routers do not forward broadcasts by default.

An IP helper address is a solution that enables routers in the network to forward DHCP broadcast messages from the local network to a DHCP server that may be in a different network. In this situation, the router usually relays requests to the DHCP server which then can communicate IP addressing information to the user devices.

The commands needed to configure the router as a DHCP relay are shown below.

In this case, the interface that the command is used in is the interface connected to the LAN.

Troubleshooting DHCP operation

To troubleshoot DHCP, a number of steps should be followed.

Verify the running configuration

This should be done so as to make sure that the DHCP pool configuration is correct as it was designed. All commands should be checked.

Verify physical connectivity

This can be overlooked; verifying that the client’s interface as well as the router’s LAN interface are operational helps determine where the problem is.

Configure static ip on client

When the client is not receiving ip address configuration from the DHCP server, you may want to configure it with a static ip address and then try to ping the DHCP server. This would establish whether the client or the server has the problem.

You may also want to renew the DHCP on the client so as to see whether it will receive ip addressing information from the server.

NOTE: configuring DHCP is a very important task that network administrators should know how to do. Careful configuration leads to correctly assigned IP addresses on clients.

Summary

In this chapter, we have discussed the role of DHCP in the network. We have seen that it eases configuration on the clients and reduces the administrative overhead. We configured and verified DHCP in the lab and learnt how to go about troubleshooting DHCP. In the next chapter, we will look at another IP addressing service, NAT.

ACLs – Part II

Overview

In part one of this chapter, we looked at ACL concepts, discussed how they work and finished with the configuration of standard ACLs. In part 2, we will discuss extended ACLs and other ACL concepts; we will then configure extended ACLs and finish off with troubleshooting ACLs.

Extended ACLs

With standard ACLs, we cannot filter traffic with great precision because the only criterion is the source address. For more control and flexibility, the use of extended access control lists is ideal. As we mentioned earlier, extended ACLs look at more than the source IP address. Some of the configuration options we can have include:

In part 1 we said that the standard access lists range from 1 – 99, with extended ACLs ranging from 100 – 199.

The command syntax for configuring extended ACLs is shown below.

The operator is a keyword that compares source and destination address. The operators include:


NOTE: the operator keyword can only be used on certain protocols such as when UDP or TCP is used.

The statement below shows an example of an extended ACL.

As we mentioned in part 1 of this chapter, extended ACLs are most effective when they are applied as close as possible to the source network.

In the next section, we will configure extended ACLs using the topology we had in part 1 but with different instructions.

Configuring extended ACLs


The IP addressing scheme is shown in the table below for all the devices in the network.

Scenario

Unlike in part 1, where the configuration was limited to the source IP address, in this configuration we will include other parameters; however, the basic configuration steps are the same as before.

In this scenario, you have been asked to configure ACLs based on the items on the security policy as listed below.

  1. Users on 192.168.1.0/26 network should not be able to access PC E.
  2. Users on the 172.16.2.128/25 network should only be able to access the HTTP server.
  3. PC A should not have access to secure web services.
  4. PC A can use telnet while PC B cannot use telnet.
  5. Users on network 192.168.30.0/24 should not be able to ping the HTTP and HTTPS servers but they should be able to access websites.

Task 1. Users on 192.168.1.0/26 network should not be able to access PC E.

This access list should block traffic to PC E only, while allowing all other traffic from users on this network. The commands needed to accomplish this are:

This access list denies any ip traffic from network 192.168.1.0/26 that is destined to PC D.

This command allows any other traffic to traverse the network.

Extended ACLs should be applied closest to the source network so that the router does not need to process packets that will be dropped. Thus, we will apply this ACL to the interface connected to 192.168.1.0/26 LAN in an inbound direction. This will ensure R1 drops any packets it receives with a destination ip address of PC D, while allowing all other traffic.

The command needed to apply this ACL to interface FastEthernet 0/0 inwards is shown below.


Task 2. Users on the 172.16.2.128/25 network should only be able to access the HTTP server.

This task can be easily accomplished by only allowing network 172.16.2.128/25 access to the HTTP server on R2. All other traffic should be dropped.

The command shown above permits access to the HTTP server by users in network 172.16.2.128/25. Since this scenario does not restrict the users to HTTP traffic only, we allow all IP traffic to the HTTP server.

The command above applies this ACL inbound on the interface connected to the 172.16.2.128/25 network. In the second task, we have used only one ACL statement. Traffic to destinations other than the HTTP server will be blocked because of the implicit deny statement.

Task 3. PC A should not have access to secure web services.

This task shows how we can filter traffic based on ports. Web services are accessed using port 80 for HTTP and port 443 for secure HTTP (HTTPS). This task dictates that we block only secure web services; therefore, we will block only port 443 for PC A. This will be configured on R1, using the commands shown below.

This ACL will be applied inbound on R1’s fastEthernet 0/0 interface as shown below.

Task 4. PC A can use telnet while PC B cannot use telnet.

This task requires us to control telnet traffic from these two PCs: PC B must be blocked from using telnet (port 23), while PC A remains able to use it. The command shown below is meant to accomplish this:

Applying the ACL to the interface:

Task 5. Users on network 192.168.30.0/24 should not be able to ping the HTTP and HTTPS servers but they should be able to access websites.

This task is very tricky and it tests understanding of protocols. The protocol that makes pings possible is ICMP. In this task, we should block ICMP traffic from getting to the HTTP and HTTPS servers, while allowing all other traffic. The commands needed to accomplish this on R3 are:

The first two commands block the specified traffic, which in this case is ICMP; the third command allows traffic from other protocols and ports to go through the network. The command shown below applies this ACL to the interface that is closest to network 192.168.30.0/24.


NOTE: in this lab, we have taught you how to configure the various types of ACLs. However, you should be careful when configuring and applying ACLs. As mentioned earlier, writing down the configuration commands in an application such as Notepad is a good way to ensure that you have the correct commands. When you are given a scenario, you should write all the configuration commands before you execute them, since ACLs do not allow for modification after they have been configured.

Named ACLs

There are other types of ACLs that you can configure. Using numbers is not descriptive of what the ACL has been configured to do, and as such named ACLs are a better way to keep track of the configuration. Both standard and extended ACLs can be named. The commands shown below show the structure that is used to configure named ACLs.

After executing the command above, the ACL configuration mode is enabled and from here you can configure your permit and deny statements as shown below:

Applying these ACLs is the same as for numbered standard ACLs, the only difference being that the access-group number is replaced with the ACL name, as shown below.


NOTE: these rules are the same for extended ACLs, although the keyword in the first command changes from standard to extended.

Complex ACLs

Complex ACLs are usually a way to enhance the functionality of either standard or extended ACLs. Some of the complex ACLs include the following.

  • Dynamic ACLs – they are used to authenticate users who send packets through the router by requiring them to connect to the router using telnet.
  • Time-based ACLs – these ACLs control traffic based on time parameters that may be set. For example, you may want to limit access to the internet on a particular day of the week.


Verifying and troubleshooting ACLs

ACL configuration can be a complex task, and there are several commands that can be used to verify the operation of ACLs. In this chapter, however, we will focus on two commands and then mention other ways that can be used.

Show access-lists and show ip access-lists

These commands show the configured access lists and filtering that each ACL configured has performed. In the output below, the access lists that have been configured are shown using both show commands. As you can see from the output, when traffic is filtered, the router shows the number of matches at the end of the statement.

The “show running-config” command is also vital in verifying ACL configuration. Verification and troubleshooting of ACLs can also be done from the various hosts. When an ACL is configured to block certain types of traffic, correct configuration is verified when the operation is as expected. For example, if I configure an ACL that blocks web traffic from host A but allows web traffic from host B, correct configuration would be verified if A cannot view websites but B can.

NOTE: successful verification and troubleshooting of ACLs depends on careful configuration. When all the principles discussed in this chapter are considered, you should not have errors; also make sure you write down the configuration commands in an application such as Notepad so as to make sure that all the commands are correct.

Summary

In this chapter, we have discussed ACLs in detail. In part 1, we learnt the concepts behind ACL operation and then configured standard ACLs. In part 2, we have discussed extended ACLs and how they allow for greater control and flexibility in managing traffic. We have also learnt how to configure and troubleshoot ACLs. In the next chapter, we will look at DHCP and discuss its role in the network.


ACLs (Access Control Lists) Part I

Overview

In the last chapter, we discussed network security and saw its importance in our networks. In this chapter, we will delve into the world of ACLs. In part 1, we will look at ACL concepts as well as the configuration of standard ACLs. In part 2 of this chapter, we will continue with configuration, but we will focus on extended ACLs, other concepts, and troubleshooting ACLs.

Definition of an ACL

An ACL (Access Control List) is a list of statements that are meant to either permit or deny the movement of data from the network layer and above. They are used to filter traffic in our networks as required by the security policy.

The use of ACLs is crucial to network security and in this chapter, we will discuss how we can implement them so as to enhance network security.

Packet filtering

Packet filtering is a way of checking incoming and outgoing packets against set criteria so as to determine whether they should be forwarded or dropped. This is usually accomplished by a router.

In previous chapters, we said that routers forward packets based on the layer 3 information. When we apply filters, the router examines this information and decides whether the packet can traverse the network. If a packet passes the set criteria, it is forwarded, if not, it is dropped.

The criteria used by the router to determine whether packets can traverse the network are defined by configuring ACLs. With access control lists, we can filter traffic based on the destination and source layer 3 address, the destination and source port number, as well as the protocol in use.

ACL concepts

The ACL is usually a script that is executed in the router to check the packets based on the specified criteria.

The Access Control Lists configured on the router inspect packets against the rules that the administrator has set to determine whether the packet should be forwarded or dropped. The packets are inspected against the ACL criteria from the first to last configuration parameter in the ACL.

Below are some guidelines that may be useful in configuring ACLs.

ACL configuration guidelines

  • ACLs should be ideally configured on the routers that act as firewalls in your network.
  • ACLs should be configured on the routers in your network to control access to sensitive information in a particular subnet. For example, an ACL may be configured to allow authorized access to the finance department network.
  • ACLs should be configured on the edge of your network, for example, to separate traffic from the Headquarters to other branches.
  • ACLs should be configured to control traffic from the various protocols that you may have configured in your network. They may be used to filter traffic that is entering or leaving the router.

The three rules of configuring ACLs

There are three cardinal rules that should always be observed when configuring ACLs. These rules determine how traffic on a network will flow and therefore they should not be ignored.

  • 1 ACL per protocol – this is to control each of the protocols that you may have configured on your router.
  • 1 ACL per direction – there are two directions in this case; inbound traffic is the traffic that is coming into the router whilst outbound traffic is traffic that is leaving the router.
  • 1 ACL per interface – this is meant to control traffic leaving the router through a specified interface.

NOTE: these rules are crucial to understanding how ACLs work as well as configuring them in not only labs and the CCNA exams but also in real world situations.

What ACLs do

The ACLs work by doing the following:

  • Blocking specified traffic so as to enhance the performance of the network
  • Providing security by blocking packets destined to sensitive areas in your network
  • Determining the type of traffic to forward based on the protocols
  • Denying certain users access to the internet while allowing others

As you will see in this chapter, the ACLs can be configured to perform a variety of functions that are critical to the security policies of the organization.

How ACLs work

The operation of ACLs is governed by rules that are set by the administrator. When the packets come into the router, the header is inspected for certain information that determines whether the traffic is forwarded or dropped. The routers only check the traffic that is sent through them and not traffic that is originated by the routers themselves.

There are two directions in which ACLs can be configured.

Inbound ACLs – with this type of ACL, the router checks the traffic that it receives on an interface against the configured ACL before it decides whether to route the traffic. This type of ACL is efficient since the router does not waste CPU cycles processing packets that would eventually be dropped.

The figure above shows the operation of an inbound ACL. When packets are received on the router’s interface, they are inspected against the ACL: the packet header is checked to see if it matches the set criteria, and if it matches none of them, it is assumed that the router should not forward the packet and it is dropped. For every criterion, a decision is made whether to forward or deny. Each packet that is permitted is processed by the router and forwarded towards the outbound interface.

Outbound ACLs – with this type of ACL, the packets are first processed and then handed to the outbound ACL for filtering. The router first checks its routing table to see if it has a route to the packet’s destination; if the destination is not in the routing table, the packet is dropped. The second thing the router inspects is whether the outbound interface has an ACL; if the interface does not have an ACL for the packet, it is forwarded. Finally, packets leaving through an interface that has an ACL bound outbound are inspected by the ACL statements to see if they match any criteria. If they match a statement, the router forwards or drops the packet accordingly. If they do not match any statement, they are dropped.

The figure shown below demonstrates how this is done.

The implicit deny all statement

When configuring ACLs, it is important to note that at the end of the ACL, the router makes a decision. If the packet has been checked against all the ACL statements and it has not matched any criteria, the router will drop it. This is because the router assumes that the only traffic that should be allowed is traffic that matches one of the statements in the ACL. To avoid filtering traffic that does not match any of the ACL statements, the command “permit any” should be used to allow traffic that does not match any statement but should traverse the router.

NOTE: these concepts are crucial to understanding configuration of ACLs.

Types of ACLs

There are several types of ACLs, however, in this course, we will focus on two types; standard ACLs and Extended ACLs.

Standard ACLs

With this type of ACL, an administrator can permit or deny packets based on their source IP address ONLY. These ACLs do not check the packets for any other criteria and therefore the destination is not checked.

Extended ACLs

Extended Access Control Lists check the traffic against several criteria that have been set by the administrator. With these ACLs, you have more control over the traffic that you want to filter. Some of the criteria may include:

Where to apply ACLs

When configuring ACLs, we need to activate them by applying them on the appropriate interfaces. With this in mind, there are a few guidelines that can help to make the use of ACLs more effective.

For the extended type of ACLs, you should place them closest to the source of the traffic. Since they can filter traffic based on different types of criteria, it would be effective to place them on a router closest to the source of the traffic that is being filtered since this way other routers in the domain do not have to process undesired traffic.

Standard ACLs do not look at the destination address, therefore, you should place them closest to the destination network that you are filtering packets to. For example, if you want to filter traffic from network A to network B, standard ACLs should be as close as possible to network B.

When routers check packets against the configured ACL, they do so in sequential order, from top to bottom. For this reason, when configuring ACLs, the statement that matches the most traffic should be placed at the top, with the least used statement at the end of the ACL. In any ACL, there should be at least one permit statement, or else all the traffic will be denied.

REMEMBER: the end of ACLs is usually an implicit deny all statement which means that if no traffic is matched against the ACLs, then it is automatically dropped.

The figure above demonstrates how standard and extended access lists can be applied to control traffic.

In the network diagram, there are three LANs: network 192.168.1.0/26, network 192.168.30.0/24 and network 172.16.2.0/24. The network administrator has been asked to configure access lists based on several criteria.

The first scenario dictates that standard access lists be used to block traffic from 192.168.1.0/26 from reaching network 192.168.30.0/24. By the rule we mentioned earlier, standard access lists should be as close to the destination as possible, so an access list on R1 would not be effective, since blocking network 192.168.1.0/26 there would also block its access to the networks behind R2. Therefore, the access list needs to be as close as possible to the destination network.

In this case, to block network 192.168.1.0/26 from reaching network 192.168.30.0/24, we would apply an access list on the inbound interface of R3 which is s0/3. This is shown in the figure by the red X on this interface.

Scenario 2 is slightly different: the network administrator only has control of network 192.168.1.0/26, and he needs to deny FTP and TELNET traffic from reaching R2’s 172.16.2.0/24 network.

Using a standard access list would not work since it would block all the traffic; therefore, we need an extended access list that blocks FTP and TELNET traffic from R1 from reaching R2’s LAN, while all other traffic is allowed.

Extended access lists are most effective near the source network; therefore, the access list would be applied on the outbound interface of R1, and it should include the ports that should be blocked.

NOTE: the placement of ACLs is very crucial and it forms a major part of the CCNA exams especially in simulation scenarios, therefore, you should understand every aspect of this.

Configuring ACLs

In this section, we will learn how to configure both standard and extended ACLs. The topology diagram shown below, shows the lab we will be using in our configuration. Part 1 of this section will focus on standard access lists and part 2 will focus on extended ACLs.

In the topology shown below, there are three routers and 6 LANs. The task is to configure ACLs according to the requirements and security policies in the organization.


The IP addressing scheme is shown in the table below for all the devices in the network.

In this scenario, we are supposed to use both standard and extended ACLs. But first, we need to refresh other concepts that we have learnt in this course, therefore, the configuration items in this lab are:

Ensure that all devices can communicate on the network before we proceed.

Standard ACL configuration

The first scenario requires that we configure standard ACLs to limit traffic based on the following policies.

  1. Hosts on network 192.168.1.0/26 should not be able to access the HTTPS server located on network 192.168.3.0/30 but they can access all other networks.
  2. Only hosts on network 192.168.30.0/24 should be able to access network 172.16.2.128/25.
  3. Hosts on 192.168.1.128/26 should only be able to access the 192.168.1.0/26 network.
  4. PC D located on network 172.16.2.131/25 should not be able to access PC E.

Configuration commands

The “access-list” global configuration command defines a standard ACL with a number in the range of 1 to 99.

  1. The full syntax of the standard ACL command is as follows:


  2. The full syntax of the standard ACL command to filter a specific host is as follows:


Or


  3. The command to permit all addresses is:


  4. The fourth command is used to apply the access lists to the appropriate interfaces.

As we mentioned earlier, there are two places we can apply ACLs, either inbound or outbound. This command is issued in the interface configuration mode as shown below.


Task 1. Hosts on network 192.168.1.0/26 should not be able to access the HTTPS server located on network 192.168.3.0/30 but they can access all other networks.

The standard ACL should block traffic from this network to 192.168.3.0 only; all other traffic should be allowed. Taking into consideration the rules of configuring ACLs, we will configure this ACL as close to the HTTPS server as possible. This means that the ACL will be applied on the outbound interface towards the HTTPS server, which is fa0/0 on R3.

The first command will block the traffic from 192.168.1.0/26 from accessing the HTTPS server and it will be configured on R3, this is shown below.

The second command is supposed to allow all other networks to access this network, since applying this ACL without a permit access-list would block all traffic due to the implicit deny all.


The third and final step of task 1 is to apply this access list to the outbound interface, which is Fa0/0 on R3, in the outbound direction as shown below.

When this command is executed, traffic from network 192.168.1.0/26 will not be able to access the HTTPS server on 192.168.3.0/30 network but all other hosts in the network will be able to.

Task 2. Only hosts on network 192.168.30.0/24 should be able to access network 172.16.2.128/25.

The standard ACL should allow traffic from 192.168.30.0/24 only to access the 172.16.2.128/25 network.

The only command needed is a permit statement to allow the specified traffic to access the 172.16.2.128/25 network; this should be configured on R2 and applied outbound on the fa0/1 interface. The implicit deny all will deny all other traffic from accessing this network. The commands needed to achieve this are shown below.

When these commands are executed, traffic from 192.168.30.0/24 will be allowed to access the 172.16.2.128/25 network, while all other traffic will be blocked.

Task 3. Hosts on 192.168.1.128/26 should only be able to access the 192.168.1.0/26 network.

This task means that traffic on the 192.168.1.128/26 network should be restricted to R1, which means blocking this traffic from going past this router.

We can use a deny statement to stop this traffic from accessing other networks, along with a permit statement for all other traffic. This ACL should be applied to the outbound serial interfaces on R1 only.

The commands needed to accomplish this are shown below:

Deny traffic from 192.168.1.128/25 from accessing networks beyond R1.

Permit all other traffic to networks beyond R1.

Apply the configuration to the serial interfaces on R1.

This will limit access of users on 192.168.1.128/25 to 192.168.1.0/26 only; users in the 192.168.1.0/26 network will be able to access networks that are beyond R1.

Task 4. PC D located on network 172.16.2.128/25 should not be able to access PC E .

This configuration is aimed at limiting access of only one host. To do this, we need to apply this access list on R3; we will block PC D, with the IP address 172.16.2.131, from accessing PC A, 192.168.30.2. In doing so, we should not break any configuration policy, i.e. we should follow the intentions of task 2.

To accomplish this, we will use a deny statement for this host’s access to PC E, while allowing PC C; these commands will be executed on R3 as shown below.

Deny PC D from accessing PC E

Allow all other hosts on network 172.16.2.128/25 to access network 192.168.30.0/24 while making sure that no policy is broken.

Applying the access list to the interface.

NOTE: to be effective at configuring ACLs, you should make it a habit to write down the commands that will be used in a sequential order on a program such as notepad before executing them on the routers. This is to ensure that the commands you have used are correct.

The use of the wildcard mask is essential in ACLs and a MUST. If you have forgotten this concept, review the chapters that discuss the use of wildcard masks.

Summary

In part 1 on ACLs, we have discussed the role of ACLs in the network. We learnt what they are as well as how they are used. We finished off part 1 with the configuration of standard ACLs. In part 2, we will look at extended ACLs and other ACL concepts, and finally we will finish off with the configuration of extended ACLs and troubleshooting of ACLs.