Provider-Assigned IPv4 Addresses

  • What is DDNS?
    • Dynamic DNS, which dynamically updates a DNS record to reflect the host's current IP address.
  • How do you configure a DHCP client interface?
    • ip address dhcp
  • What is the AD of a DHCP learned default route? Why is it different?
    • AD = 254
    • It behaves like a floating static route: it is only used if no other default route with a smaller AD is learned (e.g. from a routing protocol).

DHCP

  • What are the states of DHCP negotiation?
    • DORA: Discover (broadcast), Offer (unicast), Request (broadcast), ACK (unicast)
  • What if multiple DHCP servers exist in the LAN?
    • The client will accept the first offer.
  • Other DHCP messages:
    • Decline: address already in use
    • Release: client informs the server that it is giving up its lease
    • Inform: client informs the server that it already has an IP address but needs additional configuration information (e.g. DNS servers)
  • What if there are two DHCP pools configured? Which one will the system use?
    • The router chooses the pool based on the interface the DHCP request was received on (the pool whose network matches that interface's subnet).
  • How do you configure DHCP client/server?
    • !Client
      interface Fa0/0
        ip address dhcp

      !Server
      ip dhcp pool MyPool
        network 10.0.0.0 255.255.255.0
        default-router 10.0.0.1
        ! lease time in days
        lease 2
      ! addresses the server must never hand out (router, static hosts)
      ip dhcp excluded-address 10.0.0.1 10.0.0.100
  • How do you configure DHCP Relay Agent?
    • interface Fa0/0
        ip helper-address 10.0.0.1 
  • What other UDP broadcasts does ip helper-address forward?
    • time, port 37
    • tacacs, port 49
    • dns, port 53
    • bootp (DHCP server), port 67
    • bootp (DHCP client), port 68
    • tftp, port 69
    • You can add or remove forwarded protocols with the "ip forward-protocol udp [port]" global command (use "no ip forward-protocol udp [port]" to remove one).
  • What other option exists for forwarding DHCP messages?
    • ip dhcp relay enable
      ip dhcp relay server 10.0.0.1

NAT

  • Define Inside Local/Global and Outside Local/Global!
    • Inside Local = A private IP address in your network, like 192.168.88.1
    • Inside Global = A public IP address that belongs to your network (how an inside host appears to the outside).
    • Outside Global = A public IP address in the destination network.
    • Outside Local = A private IP address referencing an outside device (seen when NAT is also used at the destination location).
  • What is DNAT?
    • Dynamic NAT: When inside local addresses are assigned to an inside global address from a pool of available addresses.
  • What is SNAT?
    • Static NAT: You statically map one inside global address to one inside local address (e.g. a server that must be reachable from the outside on a fixed IP).
  • What is PAT?
    • Port Address Translation: It allows multiple inside local IP addresses to share a single inside global IP address by distinguishing sessions by port number.
  • How do you configure DNAT?
    • interface Fa0/0
         ip address 10.1.1.100 255.255.255.0
         ip nat inside
      
      interface Fa0/1
         ip address 198.51.100.1 255.255.255.240
         ip nat outside
      
      ip nat pool ISP-Pool 198.51.100.3 198.51.100.14 netmask 255.255.255.240
      ip nat inside source list 66 pool ISP-Pool
      access-list 66 permit 10.1.1.0  0.0.0.255
    • Specify an ACL for the inside local IP addresses (acl 66)
    • Specify the NAT pool for the inside global IP addresses (ISP-Pool)
    • Specify inside and outside interfaces
    • Associate the ACL with the NAT pool (ip nat inside source list 66 pool ISP-Pool)
  • How do you configure SNAT?
    • interface Fa0/0
         ip address 10.1.1.100 255.255.255.0
         ip nat inside
      
      interface Fa0/1
         ip address 198.51.100.1 255.255.255.240
         ip nat outside
      
      ! each inside local address maps to exactly one inside global address
      ip nat inside source static 10.1.1.100 198.51.100.3
      ip nat inside source static 10.1.1.101 198.51.100.4
    • Create one or more inside local to inside global address mappings
    • Specify inside and outside interface
  • How do you configure PAT?
    • interface Fa0/0
         ip address 10.1.1.100 255.255.255.0
         ip nat inside
      
      interface Fa0/1
         ip address 198.51.100.1 255.255.255.240
         ip nat outside
      
      ip nat inside source list 66 interface Fa0/1 overload
      access-list 66 permit 10.1.1.0 0.0.0.255
    • Create ACL to match the inside local addresses to be translated
    • Specify inside and outside interfaces
    • Associate the ACL with the router's outside interface and enable overloading
  • How do you verify NAT?
    • show ip nat translations
  • How do you clear NAT translations?
    • clear ip nat translations *
  • What are the limitations of NAT?
    • Applications that rely on end-to-end connectivity might fail.
    • NAT can break IPsec, because IPsec's integrity check detects the rewritten addresses.
    • A digital signature or certificate check that covers the original IP address could fail.
  • What is NVI?
    • NAT Virtual Interface: This configuration doesn't need an explicit inside or outside interface. Only "ip nat enable" is needed under each interface.

Netflow

  • How does netflow work?
    • When traffic passes through the interfaces of a Netflow enabled device, relevant information about the IP conversation is captured and stored in the Netflow cache.
    • Netflow data is exported from the specific interfaces (Netflow Exporter) to a centralized Netflow Collector.
  • What is NetFlow version 5?
    • All flows are accounted for inbound (on ingress); outbound traffic of one interface is only seen as inbound traffic on the interface it arrived on.
    • It is therefore generally advised to enable NetFlow v5 on all interfaces of the device.
  • What is NetFlow version 9?
    • It uses flow-record format (Flexible Netflow technology).
    • It is able to monitor a wide range of IP packet information that is not available in v5.
  • How do you configure NetFlow v5?
    • interface Fa0/0
        ip route-cache flow
      !
      ! the export destination needs the collector's UDP port
      ip flow-export destination 10.0.0.1 2055
      ip flow-export source Gi0/0
      ip flow-export version 5
  • How do you configure NetFlow v9?
    • This consists of three components:
      • Flow Record
      • Flow Exporter
      • Flow Monitor
    • flow record NTArecord
        match ipv4 source address
        match ipv4 destination address
        match ipv4 protocol
        match transport source-port
        ...
      
      flow exporter NTAexport
        destination 10.0.0.1
        source Gi0/0
        transport udp 2055
        template data timeout 60
      
      flow monitor NTAmonitor 
        record NTArecord
        exporter NTAexport
        cache timeout active 60
        cache timeout inactive 15
      
      interface Fa0/0
        ip flow monitor NTAmonitor input
  • How do you verify netflow?
    • v5: show ip flow export (displays status and statistics)
    • v9: show flow exporter exporter-name (displays exporter status)
  • How can you access NetFlow data?
    • from CLI with show commands
    • through NetFlow collector