7 IP Addressing Services

7.0 Chapter Introduction

7.0.1 Introduction

Page 1:
The Internet and IP-related technologies have experienced rapid growth. One reason for the growth has been due in part to the flexibility of the original design. However, that design did not anticipate the Internet's popularity and the resulting demand for IP addresses. For example, every host and device on the Internet requires a unique IP version 4 (IPv4) address. Because of the dramatic growth, the number of available IP addresses is quickly running out.

To cope with the depletion of IP addresses, several short-term solutions were developed. Two short-term solutions are private addresses and Network Address Translation (NAT).

An inside host typically receives its IP address, subnet mask, default gateway IP address, DNS server IP address, and other information from a Dynamic Host Configuration Protocol (DHCP) server. Instead of providing inside hosts with valid Internet IP addresses, the DHCP server usually provides IP addresses from a private pool of addresses. The problem is that these hosts may still require valid IP addresses to access Internet resources. This is where NAT comes in.

NAT enables inside network hosts to borrow a legitimate Internet IP address while accessing Internet resources. When the requested traffic returns, the legitimate IP address is repurposed and available for the next Internet request by an inside host. Using NAT, network administrators only need one or a few IP addresses for the router to provide to the hosts, instead of one unique IP address for every client joining the network. Although it sounds inefficient, the process is actually very efficient, because host traffic occurs very quickly.

Although private addresses with DHCP and NAT have helped reduce the need for IP addresses, it is estimated that we will run out of unique IPv4 addresses by 2010. For this reason, in the mid-1990s, the IETF requested proposals for a new IP addressing scheme. The IP Next Generation (IPng) working group responded. By 1996, the IETF started releasing a number of RFCs defining IPv6.

The main feature of IPv6 that is driving adoption today is the larger address space: addresses in IPv6 are 128 bits long versus 32 bits in IPv4.

This chapter describes how to implement DHCP, NAT, and IPv6 on enterprise networks.


7.0.1 - Chapter Introduction
The diagram depicts the chapter objectives:
- Configure DHCP in an enterprise branch network. This includes being able to explain DHCP features and benefits, the differences between BOOTP and DHCP, DHCP operation, and configuring, verifying, and troubleshooting DHCP.

- Configure NAT on a Cisco router. This includes explaining key features and operation of NAT and NAT Overload, explaining advantages and disadvantages of NAT, configuring NAT and NAT Overload to conserve IP address space in a network, configuring port forwarding, and verifying and troubleshooting NAT configurations.

- Configure next generation RIP (RIPng) to use IPv6. This includes explaining how IPv6 solves IP address depletion, assigning IPv6 addresses, describing transition strategies for implementing IPv6, and configuring, verifying, and troubleshooting RIPng for IPv6.


7.1 DHCP

7.1.1 Introducing DHCP

Page 1:
What is DHCP?

Every device that connects to a network needs an IP address. Network administrators assign static IP addresses to routers, servers, and other network devices whose locations (physical and logical) are not likely to change. Administrators enter static IP addresses manually when they configure devices to join the network. Static addresses also enable administrators to manage those devices remotely.

However, computers in an organization often change locations, physically and logically. Administrators are unable to keep up with having to assign new IP addresses every time an employee moves to a different office or cubicle. Desktop clients do not require a static address. Instead, a workstation can use any address within a range of addresses. This range is typically within an IP subnet. A workstation within a specific subnet can be assigned any address within a specified range. Other items such as the subnet mask, default gateway, and Domain Name System (DNS) server are assigned a value which is common either to that subnet or to the entire administered network. For example, all hosts within the same subnet receive different host IP addresses, but the same subnet mask and default gateway IP address.

Recall from CCNA Exploration: Network Fundamentals that DHCP makes the process of assigning new IP addresses almost transparent. DHCP assigns IP addresses and other important network configuration information dynamically. Because desktop clients typically make up the bulk of network nodes, DHCP is an extremely useful and timesaving tool for network administrators. RFC 2131 describes DHCP.

Administrators typically prefer a network server to offer DHCP services, because these solutions are scalable and relatively easy to manage. However, in a small branch or SOHO location, a Cisco router can be configured to provide DHCP services without the need for an expensive dedicated server. A Cisco IOS feature set called Easy IP offers an optional, full-featured DHCP server.


7.1.1 - Introducing DHCP
The diagram depicts manual and dynamic DHCP configuration and the devices that typically use each method.

Manual Configuration:
Device icons for a switch, router, and server are shown. Network devices that remain in the same place logically and physically are assigned static IP addresses.

Dynamic Configuration:
Device icons for a desktop PC, laptop PC, and IP phone are shown. Network devices that are added, moved, or changed physically or logically need new addresses. Manual configuration is unwieldy.


7.1.2 DHCP Operation

Page 1:
DHCP Operation

Providing IP addresses to clients is the most fundamental task performed by a DHCP server. DHCP includes three different address allocation mechanisms to provide flexibility when assigning IP addresses:

  • Manual Allocation: The administrator assigns a pre-allocated IP address to the client and DHCP only communicates the IP address to the device.
  • Automatic Allocation: DHCP automatically assigns a static IP address permanently to a device, selecting it from a pool of available addresses. There is no lease and the address is permanently assigned to a device.
  • Dynamic Allocation: DHCP dynamically assigns, or leases, an IP address from a pool of addresses for a limited period of time chosen by the server, or until the client tells the DHCP server that it no longer needs the address.

This section focuses on dynamic allocation.

DHCP works in a client/server mode and operates like any other client/server relationship. When a PC connects to a DHCP server, the server assigns or leases an IP address to that PC. The PC connects to the network with that leased IP address until the lease expires. The host must contact the DHCP server periodically to extend the lease. This lease mechanism ensures that hosts that move or power off do not hold onto addresses that they do not need. The DHCP server returns these addresses to the address pool and reallocates them as necessary.

Click the Discover button in the figure.

When the client boots or otherwise wants to join a network, it completes four steps in obtaining a lease. In the first step, the client broadcasts a DHCPDISCOVER message. The DHCPDISCOVER message finds DHCP servers on the network. Because the host has no valid IP information at bootup, it uses L2 and L3 broadcast addresses to communicate with the server.

Click the Offer button in the figure.

When the DHCP server receives a DHCPDISCOVER message, it finds an available IP address to lease, creates an ARP entry consisting of the MAC address of the requesting host and the leased IP address, and transmits a binding offer with a DHCPOFFER message. The DHCPOFFER message is sent as a unicast, using the L2 MAC address of the server as the source address and the L2 address of the client as the destination.

Note: Under certain circumstances, the DHCP message exchange from the server may be broadcasted and not unicasted.

Click the Request button in the figure.

When the client receives the DHCPOFFER from the server, it sends back a DHCPREQUEST message. This message has two purposes: lease origination and lease renewal and verification. When used for lease origination, the DHCPREQUEST of the client is requesting that the IP information be verified just after it has been assigned. The message provides error checking to ensure that the assignment is still valid. The DHCPREQUEST also serves as a binding acceptance notice to the selected server and an implicit decline to any other servers that may have provided the host a binding offer.

Many enterprise networks use multiple DHCP servers. The DHCPREQUEST message is sent in the form of a broadcast to inform this DHCP server and any other DHCP servers about the accepted offer.

Click the Acknowledge button in the figure.

On receiving the DHCPREQUEST message, the server verifies the lease information, creates a new ARP entry for the client lease, and replies with a unicast DHCPACK message. The DHCPACK message is a duplicate of the DHCPOFFER, except for a change in the message type field. When the client receives the DHCPACK message, it logs the configuration information and performs an ARP lookup for the assigned address. If it does not receive a reply, it knows that the IP address is valid and starts using it as its own.

Clients lease the information from the server for an administratively defined period. Administrators configure DHCP servers to set the leases to time out at different intervals. Most ISPs and large networks use default lease durations of up to three days. When the lease expires, the client must ask for another address, although the client is typically reassigned the same address.

The DHCPREQUEST message also addresses the dynamic DHCP process. The IP information sent in the DHCPOFFER might have been offered to another client during the dynamic allocation. Each DHCP server creates pools of IP addresses and associated parameters. Pools are dedicated to individual, logical IP subnets. The pools allow multiple DHCP servers to respond and IP clients to be mobile. If multiple servers respond, a client can choose only one of the offers.


7.1.2 - DHCP Operation
The diagram depicts DHCP operation and the client-server processes that occur. A client PC is shown connected to a DHCP server through a switch.

Client / Server DHCP process:
Step 1. Discover: Client broadcasts a DHCP DISCOVER message.
Step 2. Offer: DHCP server sends a DHCP OFFER message as a unicast.
Step 3. Request: Client broadcasts a DHCP REQUEST message and says: "I have looked your offer over, and I accept it."
Step 4. Acknowledge: DHCP server sends a DHCP ACK message as a unicast and says: "We are good to go! Here is your configuration."

Client configuration received from DHCP Server:
IP address: 192.168.10.15
Subnet mask: 255.255.255.0
Default gateway: 192.168.10.1
DNS Servers:
Lease time: 3 days


7.1.3 BOOTP and DHCP

Page 1:
BOOTP and DHCP

The Bootstrap Protocol (BOOTP), defined in RFC 951, is the predecessor of DHCP and shares some operational characteristics. BOOTP is a way to download address and boot configurations for diskless workstations. A diskless workstation does not have a hard drive or an operating system. Many automated cash register systems at your local supermarket, for example, are diskless workstations. Both DHCP and BOOTP are client/server based and use UDP ports 67 and 68. Those ports are still known as BOOTP ports.

DHCP and BOOTP have two components, as shown in the figure. The server is a host with a static IP address that allocates, distributes, and manages IP and configuration data assignments. Each allocation (IP and configuration data) is stored on the server in a data set called a binding. The client is any device using DHCP as a method for obtaining IP addressing or supporting configuration information.

To understand the functional differences between BOOTP and DHCP, consider the four basic IP parameters needed to join a network:

  • IP address
  • Gateway address
  • Subnet mask
  • DNS server address

There are three primary differences between DHCP and BOOTP:

  • The main difference is that BOOTP was designed for manual pre-configuration of the host information in a server database, while DHCP allows for dynamic allocation of network addresses and configurations to newly attached hosts. When a BOOTP client requests an IP address, the BOOTP server searches a predefined table for an entry that matches the MAC address for the client. If an entry exists, the corresponding IP address for that entry is returned to the client. This means that the binding between the MAC address and the IP address must have already been configured in the BOOTP server.
  • DHCP allows for recovery and reallocation of network addresses through a leasing mechanism. Specifically, DHCP defines mechanisms through which clients can be assigned an IP address for a finite lease period. This lease period allows for reassignment of the IP address to another client later, or for the client to get another assignment if the client moves to another subnet. Clients may also renew leases and keep the same IP address. BOOTP does not use leases. Its clients have reserved IP addresses, which cannot be assigned to any other host.
  • BOOTP provides a limited amount of information to a host. DHCP provides additional IP configuration parameters, such as WINS and domain name.


7.1.3 - BOOTP and DHCP
The diagram depicts a comparison between BOOTP and DHCP. A client PC is shown connected to a DHCP server through a switch.

BOOTP:
- Static mappings
- Permanent assignment
- Only supports four configuration parameters

DHCP:
- Dynamic mappings
- Lease
- Supports over 20 configuration parameters


Page 2:
DHCP Message Format

The developers of DHCP needed to maintain compatibility with BOOTP and consequently used the same BOOTP message format. However, because DHCP has more functionality than BOOTP, the DHCP options field was added. When communicating with older BOOTP clients, the DHCP options field is ignored.

The figure shows the format of a DHCP message. The fields are as follows:

  • Operation Code (OP) - Specifies the general type of message. A value of 1 indicates a request message; a value of 2 is a reply message.
  • Hardware Type - Identifies the type of hardware used in the network. For example, 1 is Ethernet, 15 is Frame Relay, and 20 is a serial line. These are the same codes used in ARP messages.
  • Hardware Address length - 8 bits to specify the length of the address.
  • Hops - Set to 0 by a client before transmitting a request and used by relay agents to control the forwarding of DHCP messages.
  • Transaction Identifier - 32-bit identification generated by the client to allow it to match up the request with replies received from DHCP servers.
  • Seconds - Number of seconds elapsed since a client began attempting to acquire or renew a lease. Busy DHCP servers use this number to prioritize replies when multiple client requests are outstanding.
  • Flags - Only one of the 16 bits is used, which is the broadcast flag. A client that does not know its IP address when it sends a request, sets the flag to 1. This value tells the DHCP server or relay agent receiving the request that it should send the reply back as a broadcast.
  • Client IP Address - The client puts its own IP address in this field if and only if it has a valid IP address while in the bound state; otherwise, it sets the field to 0. The client can only use this field when its address is actually valid and usable, not during the process of acquiring an address.
  • Your IP Address - IP address that the server assigns to the client.
  • Server IP Address - Address of the server that the client should use for the next step in the bootstrap process, which may or may not be the server sending this reply. The sending server always includes its own IP address in a special field called the Server Identifier DHCP option.
  • Gateway IP Address - Routes DHCP messages when DHCP relay agents are involved. The gateway address facilitates communications of DHCP requests and replies between the client and a server that are on different subnets or networks.
  • Client Hardware Address - Specifies the Physical layer of the client.
  • Server Name - The server sending a DHCPOFFER or DHCPACK message may optionally put its name in this field. This can be a simple text nickname or a DNS domain name, such as dhcpserver.netacad.net.
  • Boot Filename - Optionally used by a client to request a particular type of boot file in a DHCPDISCOVER message. Used by a server in a DHCPOFFER to fully specify a boot file directory and filename.
  • Options - Holds DHCP options, including several parameters required for basic DHCP operation. This field is variable in length. Both client and server may use this field.


7.1.3 - BOOTP and DHCP
The diagram depicts the DHCP message format. The fields are present in the following order and the number of bytes for each one is shown.

OP Code - 1 byte
Hardware type - 1 byte
Hardware address length - 1 byte
Hops - 1 byte
Transaction Identifier - 4 bytes
Seconds - 2 bytes
Flags - 2 bytes
Client IP Address (CIADDR) - 4 bytes
Your IP Address (YIADDR) - 4 bytes
Server IP Address (SIADDR) - 4 bytes
Gateway IP Address (GIADDR) - 4 bytes
Client Hardware Address (CHADDR) - 16 bytes
Server name (SNAME) - 64 bytes
Filename - 128 bytes
DHCP Options - variable


Page 3:
DHCP Discovery and Offer Methods

These figures provide some detail of the packet content of the DHCP discover and offer messages.

When a client wants to join the network, it requests addressing values from the network DHCP server. If a client is configured to receive its IP settings dynamically, it transmits a DHCPDISCOVER message on its local physical subnet when it boots or senses an active network connection. Because the client has no way of knowing the subnet to which it belongs, the DHCPDISCOVER is an IP broadcast (destination IP address of 255.255.255.255). The client does not have a configured IP address, so the source IP address of 0.0.0.0 is used. As you see in the figure, the client IP address (CIADDR), default gateway address (GIADDR), and subnetwork mask are all marked with question marks.

Click the DHCP Offer button in the figure.

The DHCP server manages the allocation of the IP addresses and answers configuration requests from clients.

When the DHCP server receives the DHCPDISCOVER message, it responds with a DHCPOFFER message. This message contains initial configuration information for the client, including the MAC address of the client, followed by the IP address that the server is offering, the subnet mask, the lease duration, and the IP address of the DHCP server making the offer. The subnet mask and default gateway are carried in the options field, in the subnet mask option and the router option, respectively. The DHCPOFFER message can be configured to include other information, such as the lease renewal time, domain name server, and NetBIOS Name Service (Microsoft Windows Internet Name Service [Microsoft WINS]).

The server determines the configuration, based on the hardware address of the client as specified in the CHADDR field.

As shown in the diagram, the DHCP server has responded to the DHCPDISCOVER by assigning values to the CIADDR and subnetwork mask.

Administrators set up DHCP servers to assign addresses from predefined pools. Most DHCP servers also allow the administrator to define specifically which client MAC addresses can be serviced and automatically assign them the same IP address each time.

DHCP uses User Datagram Protocol (UDP) as its transport protocol. The client sends messages to the server on port 67. The server sends messages to the client on port 68.

The client and server acknowledge messages, and the process is complete. The client sets the CIADDR only when a host is in a bound state, which means that the client has confirmed and is using the IP address.

For more information on DHCP, see "Cisco IOS DHCP Server" at: http://www.cisco.com/en/US/docs/ios/12_0t/12_ot1/feature/guide/Easyip2.html.


7.1.3 - BOOTP and DHCP
The diagram depicts DHCP discovery and offer methods. PC Client A, without an IP address, is shown connected to a DHCP server, with IP address 192.168.1.254/24. An Ethernet frame, IP packet, and UDP segment are shown encapsulating a DHCP DISCOVER message.

DHCP Discover:
The DHCP client sends a local IP broadcast with a DHCP discover packet. In the simplest case, a DHCP server on the same segment will pick up this request. The server notes that the gateway IP address (GIADDR) field is blank, so the client is on the same segment. The server also notes the hardware address of the client in the request packet.

Ethernet frame:
SOURCE MAC: MAC A
DESTINATION MAC: FF:FF:FF:FF:FF:FF

IP packet:
IP SOURCE: 0.0.0.0
IP DESTINATION: 255.255.255.255

UDP segment:
UDP 67

DHCP DISCOVER message:
Client IP Address: ?
Mask: ?
Gateway IP Address: ?
Client Hardware Address: MAC A

Legend for DHCP DISCOVER message:
MAC: Media Access Control Address
CIADDR: Client IP Address
GIADDR: Gateway IP Address
CHADDR: Client Hardware Address

DHCP Offer:
The DHCP server sends a DHCP OFFER message as a unicast. The DHCP server picks an IP address from the available pool for that segment, as well as the other segment and global parameters. It puts them into the appropriate fields of the DHCP packet. It then uses the hardware address of Client A to construct an appropriate frame to send back to the client.

Ethernet frame:
SOURCE MAC: MAC Server
DESTINATION MAC: MAC Client A

IP packet:
IP SOURCE: 192.168.1.254
IP DESTINATION: 192.168.1.10

UDP segment:
UDP 68

DHCP OFFER message:
Client IP Address: 192.168.1.10
Mask: 255.255.255.0
Gateway IP Address: ?
Client Hardware Address: MAC A

Legend for DHCP OFFER message:
MAC: Media Access Control Address
CIADDR: Client IP Address
GIADDR: Gateway IP Address
CHADDR: Client Hardware Address
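The message layout from the previous page and the Discover/Offer exchange in this figure, as an added example that is not part of the course: a small Python encoder/parser for the 236-byte BOOTP header plus DHCP options, run over a constructed DHCPDISCOVER and DHCPOFFER. The offered address 192.168.1.10, mask 255.255.255.0, server address 192.168.1.254 and 3-day lease come from the figures; the client MAC 00:11:22:33:44:55, the transaction ID and the router option value (assumed to equal the server address) are assumptions.

```python
import ipaddress
import struct

# Fixed-length BOOTP header in the field order of the figure: op, htype, hlen, hops,
# xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr (16), sname (64),
# file (128): 236 bytes. DHCP options follow a 4-byte "magic cookie" (RFC 2132).
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BROADCAST_FLAG = 0x8000                       # the only Flags bit in use
OPT_SUBNET_MASK, OPT_ROUTER, OPT_LEASE_TIME = 1, 3, 51
OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK"}

def _ip(addr):
    return ipaddress.IPv4Address(addr).packed

def build_message(op, xid, mac, flags=0, yiaddr="0.0.0.0", siaddr="0.0.0.0", options=()):
    """Encode a DHCP message; options is a list of (code, raw value bytes)."""
    header = HEADER.pack(op, 1, 6, 0, xid, 0, flags, _ip("0.0.0.0"), _ip(yiaddr),
                         _ip(siaddr), _ip("0.0.0.0"), mac.ljust(16, b"\x00"),
                         b"\x00" * 64, b"\x00" * 128)
    body = bytearray(MAGIC_COOKIE)
    for code, value in options:
        body += bytes([code, len(value)]) + value
    body.append(OPT_END)
    return header + bytes(body)

def parse_message(data):
    """Decode a DHCP message into a dict; raise ValueError on malformed input."""
    if len(data) < HEADER.size + len(MAGIC_COOKIE):
        raise ValueError("shorter than the 236-byte BOOTP header plus magic cookie")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
     chaddr, sname, _file) = HEADER.unpack_from(data)
    if hlen > 16:
        raise ValueError("hlen %d exceeds the 16-byte CHADDR field" % hlen)
    body = data[HEADER.size:]
    if body[:4] != MAGIC_COOKIE:
        raise ValueError("no magic cookie: BOOTP message without DHCP options")
    options, i = {}, 4
    while i < len(body) and body[i] != OPT_END:
        if body[i] == 0:                      # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(body):
            raise ValueError("truncated option header")
        code, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:              # length byte points past the buffer
            raise ValueError("option %d runs past the end of the message" % code)
        options[code] = value
        i += 2 + length
    msg = {"op": op, "htype": htype, "hops": hops, "xid": xid, "secs": secs,
           "broadcast": bool(flags & BROADCAST_FLAG), "chaddr": chaddr[:hlen].hex(":"),
           "sname": sname.split(b"\x00", 1)[0].decode("ascii", "replace"),
           "options": options}
    for name, raw in (("ciaddr", ciaddr), ("yiaddr", yiaddr), ("siaddr", siaddr), ("giaddr", giaddr)):
        msg[name] = str(ipaddress.IPv4Address(raw))
    return msg

def summarize(msg):
    """Extract the values a client acts on: type, offered address, mask, gateway, lease."""
    o = msg["options"]
    addr = lambda code: str(ipaddress.IPv4Address(o[code])) if code in o else None
    mtype = MESSAGE_TYPES.get(o[OPT_MESSAGE_TYPE][0]) if OPT_MESSAGE_TYPE in o else None
    lease = struct.unpack("!I", o[OPT_LEASE_TIME])[0] if OPT_LEASE_TIME in o else None
    return {"type": mtype, "xid": msg["xid"], "client_mac": msg["chaddr"],
            "offered_ip": msg["yiaddr"], "subnet_mask": addr(OPT_SUBNET_MASK),
            "router": addr(OPT_ROUTER), "server_id": addr(OPT_SERVER_ID),
            "lease_seconds": lease}

def reply_destination(msg, offered_ip):
    """(L2, L3) destination of the server's reply: broadcast when the client set the
    broadcast flag, otherwise unicast to the client MAC and the offered address."""
    if msg["broadcast"]:
        return ("ff:ff:ff:ff:ff:ff", "255.255.255.255")
    return (msg["chaddr"], offered_ip)

# Constructed sample exchange mirroring the figure. Client MAC and xid are assumed;
# the router option is assumed to be the server's own address.
CLIENT_MAC = bytes.fromhex("001122334455")
SERVER_IP = "192.168.1.254"
XID = 0x3903F326

def sample_discover():
    return build_message(1, XID, CLIENT_MAC, flags=BROADCAST_FLAG,
                         options=[(OPT_MESSAGE_TYPE, b"\x01")])

def sample_offer():
    return build_message(2, XID, CLIENT_MAC, yiaddr="192.168.1.10", siaddr=SERVER_IP,
                         options=[(OPT_MESSAGE_TYPE, b"\x02"),
                                  (OPT_SUBNET_MASK, _ip("255.255.255.0")),
                                  (OPT_ROUTER, _ip(SERVER_IP)),
                                  (OPT_LEASE_TIME, struct.pack("!I", 3 * 24 * 3600)),
                                  (OPT_SERVER_ID, _ip(SERVER_IP))])

if __name__ == "__main__":
    discover = parse_message(sample_discover())
    print(summarize(discover), reply_destination(discover, "192.168.1.10"))
    print(summarize(parse_message(sample_offer())))
```

The option loop checks each length byte against the remaining buffer, so a malformed option is rejected instead of being read past the end of the message.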


7.1.4 Configuring a DHCP Server

Page 1:
Configuring a DHCP Server

Cisco routers running Cisco IOS software provide full support for a router to act as a DHCP server. The Cisco IOS DHCP server assigns and manages IP addresses from specified address pools within the router to DHCP clients.

The steps to configure a router as a DHCP server are as follows:

Step 1. Define a range of addresses that DHCP is not to allocate. These are usually static addresses reserved for the router interface, switch management IP address, servers, and local network printers.

Step 2. Create the DHCP pool using the ip dhcp pool command.

Step 3. Configure the specifics of the pool.

You should specify the IP addresses that the DHCP server should not assign to clients. Typically, some IP addresses belong to static network devices, such as servers or printers. DHCP should not assign these IP addresses to other devices. A best practice is to configure excluded addresses in global configuration mode before creating the DHCP pool. This ensures that DHCP does not assign reserved addresses accidentally. To exclude specific addresses, use the ip dhcp excluded-address command.

Click the DHCP Pool button in the figure.

Configuring a DHCP server involves defining a pool of addresses to assign. The ip dhcp pool command creates a pool with the specified name and puts the router in DHCP configuration mode, which is identified by the Router(dhcp-config)# prompt.

Click the DHCP Tasks button in the figure.

This figure lists the tasks to complete the DHCP pool configuration. Some of these are optional, while others must be configured.

You must configure the available addresses and specify the subnet network number and mask of the DHCP address pool. Use the network statement to define the range of available addresses.

You should also define the default gateway or router for the clients to use with the default-router command. Typically, the gateway is the LAN interface of the router. One address is required, but you can list up to eight addresses.

The next DHCP pool commands are considered optional. For example, you can configure the IP address of the DNS server that is available to a DHCP client using the dns-server command. When configured, one address is required, but up to eight addresses can be listed.

Other parameters include configuring the duration of the DHCP lease. The default setting is one day, but you can change this by using the lease command. You can also configure a NetBIOS WINS server that is available to a Microsoft DHCP client. Usually, this would be configured in an environment that supports pre-Windows 2000 clients. Because most installations now have clients with newer Windows operating systems, this parameter is usually not required.

Click the DHCP Example button in the figure.

This figure displays a sample configuration with basic DHCP parameters configured on router R1.

Disabling DHCP

The DHCP service is enabled by default on versions of Cisco IOS software that support it. To disable the service, use the no service dhcp command. Use the service dhcp global configuration command to re-enable the DHCP server process. Enabling the service has no effect if the parameters are not configured.


7.1.4 - Configuring a DHCP Server
The diagram depicts the steps for configuring a DHCP server. These include excluded addresses and DHCP pool configuration. A configuration example is provided.

Step 1: Exclude IP Addresses.
R1(config)#ip dhcp excluded-address low-address [high-address]

Example:
R1(config)#ip dhcp excluded-address 192.168.10.1 192.168.10.9
R1(config)#ip dhcp excluded-address 192.168.10.254

Step 2. Configure a DHCP pool.
R1(config)#ip dhcp pool pool-name

Example:
R1(config)#ip dhcp pool LAN-POOL-1
R1(dhcp-config)#

Step 3. Configure specifics of the pool.
Required Tasks
Task: Define the address pool.
Command: network network-number [mask | /prefix-length]

Task: Define the default router or gateway.
Command: default-router address [address2...address8]

Optional Tasks
Task: Define a DNS server.
Command: dns-server address [address2...address8]

Task: Define the domain name.
Command: domain-name domain

Task: Define the duration of the DHCP lease.
Command: lease {days [hours] [minutes] | infinite}

Task: Define the NetBIOS WINS server.
Command: netbios-name-server address [address2...address8]

DHCP Configuration Example
R1(config)#ip dhcp excluded-address 192.168.10.1 192.168.10.9
R1(config)#ip dhcp excluded-address 192.168.10.254
R1(config)#ip dhcp pool LAN-POOL-1
R1(dhcp-config)#network 192.168.10.0 255.255.255.0
R1(dhcp-config)#default-router 192.168.10.1
R1(dhcp-config)#domain-name span.com
R1(dhcp-config)#end
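An added check for the configuration steps above (not part of the course and not a Cisco IOS feature): it reads the R1 commands exactly as shown, computes the addresses LAN-POOL-1 can actually lease, and flags a default router that was not excluded. Only the commands used on this page are recognised; a second constructed configuration with the exclusions left out shows the finding.

```python
import ipaddress

def parse_dhcp_config(text):
    """Return (excluded_ranges, pools) from the IOS DHCP commands used on this page."""
    excluded = []                       # list of (low, high) IPv4Address pairs
    pools = {}                          # pool name -> parsed sub-commands
    current = None
    for raw in text.splitlines():
        words = raw.strip().split()
        if not words or words[0] == "!":
            continue
        if words[:3] == ["ip", "dhcp", "excluded-address"]:
            low = ipaddress.IPv4Address(words[3])
            high = ipaddress.IPv4Address(words[4]) if len(words) > 4 else low
            excluded.append((low, high))
            current = None                  # back in global configuration mode
        elif words[:3] == ["ip", "dhcp", "pool"]:
            current = pools.setdefault(words[3], {"default_router": [], "dns_server": []})
        elif current is None:
            continue
        elif words[0] == "network":
            # network 192.168.10.0 255.255.255.0   or   network 192.168.10.0 /24
            mask = words[2].lstrip("/") if len(words) > 2 else "32"
            mask = int(mask) if mask.isdigit() else mask
            current["network"] = ipaddress.IPv4Network((words[1], mask), strict=False)
        elif words[0] in ("default-router", "dns-server"):
            current[words[0].replace("-", "_")] = [ipaddress.IPv4Address(a) for a in words[1:]]
        elif words[0] in ("domain-name", "lease"):
            current[words[0].replace("-", "_")] = " ".join(words[1:])
    return excluded, pools

def is_excluded(addr, excluded):
    return any(low <= addr <= high for low, high in excluded)

def assignable(pool, excluded):
    """Addresses the router may lease: usable hosts of the network minus exclusions."""
    return [a for a in pool["network"].hosts() if not is_excluded(a, excluded)]

def audit(text):
    """Per pool: first/last leasable address, how many, and configuration findings."""
    excluded, pools = parse_dhcp_config(text)
    report = {}
    for name, pool in pools.items():
        findings = []
        if "network" not in pool:
            report[name] = {"first": None, "last": None, "count": 0,
                            "findings": ["no network statement: pool cannot allocate"]}
            continue
        if not pool["default_router"]:
            findings.append("no default-router: clients receive no gateway")
        for gw in pool["default_router"]:
            if gw not in pool["network"]:
                findings.append("default-router %s is outside %s" % (gw, pool["network"]))
            elif not is_excluded(gw, excluded):
                findings.append("default-router %s is leasable; add 'ip dhcp excluded-address %s'"
                                % (gw, gw))
        free = assignable(pool, excluded)
        report[name] = {"first": str(free[0]) if free else None,
                        "last": str(free[-1]) if free else None,
                        "count": len(free), "findings": findings}
    return report

# Constructed input 1: the R1 commands shown on this page.
PAGE_CONFIG = """
ip dhcp excluded-address 192.168.10.1 192.168.10.9
ip dhcp excluded-address 192.168.10.254
ip dhcp pool LAN-POOL-1
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 domain-name span.com
"""

# Constructed input 2: the same pool with the exclusions forgotten.
NO_EXCLUSIONS = """
ip dhcp pool LAN-POOL-1
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
"""

if __name__ == "__main__":
    for label, cfg in (("page config", PAGE_CONFIG), ("no exclusions", NO_EXCLUSIONS)):
        for name, result in audit(cfg).items():
            print(label, name, result)
```

For the page configuration the first leasable address is 192.168.10.10, which is the address the verification page shows bound to PC1.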


Page 2:
Verifying DHCP

To illustrate how a Cisco router can be configured to provide DHCP services, refer to the figure. PC1 has not been powered up and therefore does not have an IP address.

Router R1 has been configured with the following commands:

ip dhcp excluded-address 192.168.10.1 192.168.10.9
ip dhcp excluded-address 192.168.10.254
ip dhcp pool LAN-POOL-1
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
domain-name span.com


To verify the operation of DHCP, use the show ip dhcp binding command. This command displays a list of all IP address to MAC address bindings that have been provided by the DHCP service.

To verify that messages are being received or sent by the router, use the show ip dhcp server statistics command. This command displays count information regarding the number of DHCP messages that have been sent and received.

Click the DHCP-1 button in the figure.

As you can see in the figure, currently there are no bindings or statistics being displayed.

Now, assume that PC1 has been powered and completed its booting process.

Click the DHCP-2 button on the figure.

Notice that the binding information now displays that the IP address of 192.168.10.10 has been bound to a MAC address. The statistics are also displaying DHCPDISCOVER, DHCPREQUEST, DHCPOFFER, and DHCPACK activity.

Click the DHCP Client button in the figure.

The ipconfig /all command displays the TCP/IP configured parameters on PC1. Because PC1 was connected to the network segment 192.168.10.0 /24, it automatically received an IP address, DNS suffix, and default gateway from that pool. There is no DHCP interface configuration required. If a PC is connected to a network segment that has a DHCP pool available, it can obtain an IP address automatically.

So how does PC2 receive an IP address? Router R1 would have to be configured to provide a 192.168.11.0 /24 DHCP pool as follows:

ip dhcp excluded-address 192.168.11.1 192.168.11.9
ip dhcp excluded-address 192.168.11.254
ip dhcp pool LAN-POOL-2
network 192.168.11.0 255.255.255.0
default-router 192.168.11.1
domain-name span.com


When PC2 has completed its booting process, it is provided with an IP address for the network segment to which it is connected.

Click the Verifying DHCP-3 button in the figure.

Notice that the DHCP bindings now indicate that two hosts have been provided with IP addresses. The DHCP statistics are also reflecting the exchange of DHCP messages.

Another useful command to view multiple pools is the show ip dhcp pool command.

Click the DHCP Pools button in the figure.

This command summarizes the DHCP pool information.


7.1.4 - Configuring a DHCP Server
The diagram depicts methods for verifying DHCP on the server and client.

Network Topology:
Two LANs, with network addresses 192.168.10.0/24 and 192.168.11.0/24, are connected by router R1. PC1 in LAN 1 is connected to switch S1, which is connected to R1 interface FA0/0. PC2 in LAN 2 is connected to switch S2, which is connected to R1 interface FA0/1.

PC1 IP address: 192.168.10.10/24
Switch S1 IP address: 192.168.10.2/24
Router R1 FA0/0 IP address: 192.168.10.1/24

PC2 IP address: 192.168.11.10/24
Switch S2 IP address: 192.168.11.2/24
Router R1 FA0/1 IP address: 192.168.11.1/24


DHCP-1 Button:
The show ip dhcp binding command displays a list of all IP address to MAC address bindings that have been provided by the DHCP service. The show ip dhcp server statistics command displays count information regarding the number of DHCP messages that have been sent and received. Because PC1 has not yet been powered up, no bindings or statistics are currently displayed in the output.

DHCP-2 Button
PC1 is powered up, and the show ip dhcp binding and show ip dhcp server statistics commands are used again. The binding information now displays that the IP address of 192.168.10.10 has been bound to a MAC address. The statistics are also displaying DHCP DISCOVER, DHCP REQUEST, DHCP OFFER, and DHCP ACK activity.

DHCP Client Button
The ipconfig /all command issued in the command window on PC1 displays the TCP/IP configured parameters on the DHCP client. Because PC1 was connected to the network segment 192.168.10.0/24, it automatically received an IP address, DNS suffix, and default gateway from that pool.

DHCP-3 Button
After configuring router R1 to provide IP addresses for clients on the 192.168.11.0 LAN, the show ip dhcp binding and show ip dhcp server statistics commands are used again. The binding information now indicates that two hosts have been provided with IP addresses. The PC1 MAC address is bound to IP address 192.168.10.10, and the PC2 MAC address is bound to IP address 192.168.11.10. The DHCP statistics also reflect the exchange of DHCP messages.

DHCP Pools Button
The show ip dhcp pool command summarizes the DHCP pool information for LAN-POOL-1 and LAN-POOL-2. The LAN-POOL-1 address range is 192.168.10.1 to 192.168.10.254. The LAN-POOL-2 address range is 192.168.11.1 to 192.168.11.254. Each pool shows one IP address leased at this time.


7.1.5 Configuring a DHCP Client

Page 1:
Configuring a DHCP Client

Typically, small broadband routers for home use, such as Linksys routers, can be configured to connect to an ISP using a DSL or cable modem. In most cases, small home routers are set to acquire an IP address automatically from their ISPs. For example, the figure shows the default WAN setup page for a Linksys WRVS4400N router. Notice that the Internet connection type is set to Automatic Configuration - DHCP. This means that when the router is connected to a cable modem, for example, it is a DHCP client and requests an IP address from the ISP.

Sometimes, Cisco routers in SOHO and branch sites have to be configured in a similar manner. The method used depends on the ISP. However, in its simplest configuration, the Ethernet interface is used to connect to a cable modem. To configure an Ethernet interface as a DHCP client, the ip address dhcp command must be configured.

Click the DHCP Client button in the figure.

In the figure, assume that an ISP has been configured to provide select customers with IP addresses from the 209.165.201.0/27 range. The output confirms the assigned address.


7.1.5 - Configuring a DHCP Client
The diagram depicts the steps for configuring a router as a DHCP client. These include using the GUI for a Linksys router and the CLI for a Cisco IOS-based router.

Linksys Router:
The diagram shows the default WAN setup page for a Linksys WRVS4400N router. The Internet connection type is set to Automatic Configuration - DHCP.

DHCP Client:
The diagram shows a SOHO router with interface FA0/0 connected to a modem that connects to an ISP router, which provides access to a DHCP server. Cisco IOS CLI commands are used to configure the SOHO DHCP client. The show ip int fa0/0 command verifies that IP address 209.165.201.12/27 was obtained from the ISP.

Configuration Commands:
SOHO(config)#interface fa0/0
SOHO(config-if)#ip address dhcp
SOHO(config-if)#no shut


7.1.6 DHCP Relay

Page 1:
What is DHCP Relay?

In a complex hierarchical network, enterprise servers are usually contained in a server farm. These servers may provide DHCP, DNS, TFTP, and FTP services for the clients. The problem is that the network clients typically are not on the same subnet as those servers. Therefore, the clients must locate the servers to receive services, and these services are often located using broadcast messages.

In the figure, PC1 is attempting to acquire an IP address from the DHCP server located at 192.168.11.5. In this scenario router R1 is not configured as a DHCP server.

Click the Host Problem button in the figure.

In the figure, PC1 is attempting to renew its IP address. To do so, the ipconfig /release command is issued. Notice that the IP address is released and the current address is now 0.0.0.0. Next, the ipconfig /renew command is issued. This initiates the host to broadcast a DHCPDISCOVER message. However, PC1 is unable to locate the DHCP server. What happens when the server and the client are separated by a router and therefore are not on the same network segment? Remember, routers do not forward broadcasts.

Note: Certain Windows clients have a feature called Automatic Private IP Addressing (APIPA). With this feature, a Windows computer can automatically assign itself an IP address in the 169.254.x.x range in the event that a DHCP server is not available or does not exist on the network.

To make matters worse, DHCP is not the only critical service that uses broadcasts. For example, Cisco routers and other devices may use broadcasts to locate TFTP servers or to locate an authentication server such as a TACACS server.

As a solution to this problem, an administrator could add DHCP servers on all the subnets. However, running these services on several computers creates both cost and administrative overhead.

A simpler solution is to configure the Cisco IOS helper address feature on intervening routers and switches. This solution enables routers to forward DHCP broadcasts to the DHCP servers. When a router forwards address assignment/parameter requests, it is acting as a DHCP relay agent.

For example, PC1 would broadcast a request to locate a DHCP server. If router R1 were configured as a DHCP relay agent, it would intercept this request and forward it to the DHCP server located on subnet 192.168.11.0.

To configure router R1 as a DHCP relay agent, you need to configure the nearest interface to the client with the ip helper-address interface configuration command. This command relays broadcast requests for key services to a configured address. Configure the IP helper address on the interface receiving the broadcast.

Click the Relay Config button in the figure.

Router R1 is now configured as a DHCP relay agent. It accepts broadcast requests for the DHCP service and then forwards them as a unicast to the IP address 192.168.11.5.

Click the Host Renew button in the figure.

As you can see, PC1 is now able to acquire an IP address from the DHCP server.

DHCP is not the only service that the router can be configured to relay. By default, the ip helper-address command forwards the following eight UDP services:

  • Port 37: Time
  • Port 49: TACACS
  • Port 53: DNS
  • Port 67: DHCP/BOOTP server
  • Port 68: DHCP/BOOTP client
  • Port 69: TFTP
  • Port 137: NetBIOS name service
  • Port 138: NetBIOS datagram service

To specify additional ports, use the ip forward-protocol command to specify exactly which types of broadcast packets to forward.
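The relay step described above, modelled as an added Python example that is not part of the course material: it builds the DHCPDISCOVER a client broadcasts from 0.0.0.0:68 to 255.255.255.255:67, then applies the helper-address decision R1 makes on FA0/0 (192.168.10.1, helper 192.168.11.5 as in the figure). The client MAC address, the relay's use of the giaddr and hops header fields, and the hop limit are assumptions of this model, not details from the page.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# The eight UDP services that ip helper-address forwards by default (listed above).
DEFAULT_HELPER_PORTS = {37, 49, 53, 67, 68, 69, 137, 138}

RELAY_INTERFACE_IP = "192.168.10.1"  # R1 FA0/0, the interface that receives the broadcast
HELPER_ADDRESS = "192.168.11.5"      # configured with: ip helper-address 192.168.11.5

# BOOTP/DHCP fixed header: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr,
# siaddr, giaddr, chaddr(16), sname(64), file(128), followed by the DHCP magic cookie.
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s4s"
BOOTP_HDR_LEN = struct.calcsize(BOOTP_HDR)  # 240 bytes
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST = 1
DHCPDISCOVER = 1
MAX_HOPS = 16  # assumption: a relay discards requests whose hops field already exceeds this


@dataclass
class UdpDatagram:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def build_discover(mac: str, xid: int) -> UdpDatagram:
    """A client with no address broadcasts DHCPDISCOVER from 0.0.0.0:68 to 255.255.255.255:67."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    zero4 = b"\x00" * 4
    header = struct.pack(BOOTP_HDR, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                         zero4, zero4, zero4, zero4, chaddr,
                         b"\x00" * 64, b"\x00" * 128, MAGIC_COOKIE)
    options = bytes([53, 1, DHCPDISCOVER, 255])  # option 53 = message type; 255 = end
    return UdpDatagram("0.0.0.0", "255.255.255.255", 68, 67, header + options)


def giaddr_of(dgram: UdpDatagram) -> str:
    """Relay agent address recorded in the header; the server sends its reply there."""
    fields = struct.unpack(BOOTP_HDR, dgram.payload[:BOOTP_HDR_LEN])
    return str(ipaddress.ip_address(fields[10]))


def relay(dgram: UdpDatagram) -> Optional[UdpDatagram]:
    """Model the helper-address decision for one broadcast arriving on FA0/0.

    Returns the datagram as it would leave toward the helper, or None when the
    router drops it (routers do not forward broadcasts on their own).
    """
    if dgram.dst_ip != "255.255.255.255" or dgram.dst_port not in DEFAULT_HELPER_PORTS:
        return None
    if dgram.dst_port != 67:
        # A non-DHCP helper service (TFTP, DNS, ...) is simply re-addressed to the helper.
        return UdpDatagram(RELAY_INTERFACE_IP, HELPER_ADDRESS,
                           dgram.src_port, dgram.dst_port, dgram.payload)
    fields = list(struct.unpack(BOOTP_HDR, dgram.payload[:BOOTP_HDR_LEN]))
    if fields[0] != BOOTREQUEST or fields[3] > MAX_HOPS:
        return None
    fields[3] += 1  # hops: one more relay on the path
    if fields[10] == b"\x00" * 4:
        # giaddr tells the server which subnet to allocate from and where to reply.
        fields[10] = ipaddress.ip_address(RELAY_INTERFACE_IP).packed
    rebuilt = struct.pack(BOOTP_HDR, *fields) + dgram.payload[BOOTP_HDR_LEN:]
    # The relayed copy is a unicast from the relay interface to the helper address.
    return UdpDatagram(RELAY_INTERFACE_IP, HELPER_ADDRESS, 67, 67, rebuilt)


if __name__ == "__main__":
    discover = build_discover("00:11:22:33:44:55", xid=0x3903F326)  # constructed client MAC
    forwarded = relay(discover)
    print(f"{forwarded.src_ip}:{forwarded.src_port} -> {forwarded.dst_ip}:{forwarded.dst_port}",
          "giaddr", giaddr_of(forwarded))
```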


7.1.6 - DHCP Relay
The diagram depicts using DHCP relay to solve a DHCP problem: a client cannot obtain its IP configuration because the DHCP server is on another network segment and separated by a router.

Network Topology:
Two LANs, 192.168.10.0/24 and 192.168.11.0/24, are connected by router R1. PC1 in LAN 1 is connected to switch S1, which is connected to R1 interface FA0/0. PC2 in LAN 2 is connected to switch S2, which is connected to R1 interface FA0/1. A DHCP server is also connected to switch S2.

PC1 IP address: DHCP client - no IP address initially
Switch S1 IP address: 192.168.10.2/24
Router R1 FA0/0 IP address: 192.168.10.1/24

PC2 IP address: 192.168.11.10/24
Switch S2 IP address: 192.168.11.2/24
Router R1 FA0/1 IP address: 192.168.11.1/24
DHCP Server IP address: 192.168.11.1/24

DHCP problem:
Client PC1 is attempting to acquire an IP address by broadcasting a DHCP request to locate a DHCP server. Router R1 is not configured as a DHCP server. The DHCP server is connected to switch S2 on another network segment. A text bubble for R1 says: "Sorry, I can't forward any broadcasts outside of your network subnet."

Host problem:
A command window shows PC1 attempting to renew its IP address from the DHCP server. First, the ipconfig /release command is used. The IP address is released. The current address is now 0.0.0.0, and the subnet mask is 0.0.0.0. Next, the ipconfig /renew command is issued. This causes PC1 to broadcast a DHCPDISCOVER message. However, PC1 is unable to contact a DHCP server, and an error message is displayed indicating this.

Relay Config:
Router R1 is configured as a DHCP relay agent. It accepts broadcast requests for the DHCP service and then forwards them as a unicast to the DHCP server at IP address 192.168.11.5.

Configuration Commands:
R1(config)#interface FA0/0
R1(config-if)#ip helper-address 192.168.11.5
R1(config-if)#end

Host Renew:
A command window shows PC1 attempting to renew its IP address from the DHCP server. First, the ipconfig /release command is used. The IP address is released. The current address is now 0.0.0.0, and the subnet mask is 0.0.0.0. Next, the ipconfig /renew command is issued. The display shows that PC1 is now able to acquire IP address 192.168.10.11/24 from the DHCP server, with a default gateway of 192.168.10.1.


7.1.7 Configuring a DHCP Server Using SDM

Page 1:
Configuring a DHCP Server Using SDM

Cisco routers can also be configured as a DHCP server using SDM. In this example, router R1 will be configured as the DHCP server on the Fa0/0 and Fa0/1 interfaces.

Click the DHCP Tasks button in the figure.

The DHCP server function is enabled under Additional Tasks in the Configure tab. From the list of tasks, click on the DHCP folder and then select DHCP Pools to add a new pool. Click Add to create the new DHCP pool.

Click the Add Pool button in the figure.

The Add DHCP Pool window contains the options you need to configure the DHCP IP address pool. The IP addresses that the DHCP server assigns are drawn from a common pool. To configure the pool, specify the starting and ending IP addresses of the range.

Cisco SDM configures the router to automatically exclude the LAN interface IP address in the pool. You must not use the network or subnetwork IP address or broadcast address on the network in the range of addresses that you specify.

If you need to exclude other IP addresses in the range, you can do so by adjusting the starting and ending IP addresses. For instance, if you needed to exclude IP addresses 192.168.10.1 through 192.168.10.9, you would set the Starting IP address to 192.168.10.10. This allows the router to begin address assignment with 192.168.10.10.

The other options that are available are:

  • DNS Server1 and DNS Server2 - The DNS server is typically a server that maps a known device name with its IP address. If you have a DNS server configured for your network, enter the IP address for the server here. If there is an additional DNS server on the network, you can enter the IP address for that server in this field.
  • WINS Server1 and WINS Server2 - Recall that WINS configuration is typically in environments that support pre-Windows 2000 clients.
  • Import All DHCP Options into the DHCP Server Database - Allows the DHCP options to be imported from a higher-level server, and is typically used in conjunction with an Internet DHCP server. This option allows you to pull higher-level information without having to configure it for this pool.

Click the DHCP Pools button in the figure.

This screen provides you with a summary of the pools configured on your router. In this example, there have been two pools configured, one for each of the Fast Ethernet interfaces on the R1 router.


7.1.7 - Configuring a DHCP Server Using SDM
The diagram depicts configuring a Cisco router as a DHCP server using SDM. The topology and the SDM screens necessary to complete the configuration are shown.

Network Topology:
Two LANs, 192.168.10.0/24 and 192.168.11.0/24, are connected by router R1. PC1 in LAN 1 is connected to switch S1, which is connected to R1 interface FA0/0. PC2 in LAN 2 is connected to switch S2, which is connected to R1 interface FA0/1.

PC1 IP address: 192.168.10.10
Switch S1 IP address: 192.168.10.2/24
Router R1 FA0/0 IP address: 192.168.10.1/24

PC2 IP address: 192.168.11.10/24
Switch S2 IP address: 192.168.11.2/24
Router R1 FA0/1 IP address: 192.168.11.1/24

DHCP Tasks:
The SDM screen shows the DHCP server function being enabled under Additional Tasks in the Configure tab. From the list of tasks, the DHCP folder is clicked, and DHCP Pools is selected to add a new pool by clicking Add.

Add Pool:
The Add DHCP Pool window contains the options to configure the DHCP IP address pool.

Basic Parameters configured include:
- DHCP Pool Name: LAN-POOL-1
- DHCP Pool Network: 192.168.10.0
- Subnet Mask: 255.255.255.0
- Starting IP: 192.168.10.10
- Ending IP: 192.168.10.200
- Lease Length: Two days.

DHCP Options configured:
- Domain Name: span.com
- Default Router: 192.168.10.1

Other options include (no entries):
- DNS Server1 and DNS Server2
- WINS Server1 and WINS Server2
- Import All DHCP Options into the DHCP Server Database

DHCP Pools:
The SDM screen shows the DHCP folder clicked and DHCP Pools selected to display the two new pools defined:

Pool Name: LAN-POOL-2
Interface: FastEthernet0/1

Pool Name: LAN-POOL-1
Interface: FastEthernet0/0


7.1.8 Troubleshooting DHCP

Page 1:
Troubleshooting DHCP Configuration

DHCP problems can arise for a multitude of reasons, such as software defects in operating systems, NIC drivers, or DHCP/BOOTP relay agents, but the most common are configuration issues. Because of the number of potentially problematic areas, a systematic approach to troubleshooting is required.

Troubleshooting Task 1: Resolve IP Address Conflicts

An IP address lease can expire on a client still connected to a network. If the client does not renew the lease, the DHCP server can reassign that IP address to another client. When the client reboots, it requests an IP address. If the DHCP server does not respond quickly, the client uses the last IP address. The situation then arises that two clients are using the same IP address, creating a conflict.

The show ip dhcp conflict command displays all address conflicts recorded by the DHCP server. The server uses the ping command to detect conflicts. The client uses Address Resolution Protocol (ARP) to detect conflicts. If an address conflict is detected, the address is removed from the pool and not assigned until an administrator resolves the conflict.

This example displays the detection method and detection time for all IP addresses that the DHCP server has offered that have conflicts with other devices.

R2# show ip dhcp conflict
IP address      Detection Method   Detection time
192.168.1.32    Ping               Feb 16 2007 12:28 PM
192.168.1.64    Gratuitous ARP     Feb 23 2007 08:12 AM

Troubleshooting Task 2: Verify Physical Connectivity

First, use the show interface command, followed by the interface name, to confirm that the router interface acting as the default gateway for the client is operational. If the state of the interface is anything other than up, the port does not pass traffic, including DHCP client requests.

Troubleshooting Task 3: Test Network Connectivity by Configuring a Client Workstation with a Static IP Address

When troubleshooting any DHCP issue, verify network connectivity by configuring a static IP address on a client workstation. If the workstation is unable to reach network resources with a statically configured IP address, the root cause of the problem is not DHCP. At this point, network connectivity troubleshooting is required.

Troubleshooting Task 4: Verify Switch Port Configuration (STP Portfast and Other Commands)

If the DHCP client is unable to obtain an IP address from the DHCP server on startup, attempt to obtain an IP address from the DHCP server by manually forcing the client to send a DHCP request.

If there is a switch between the client and the DHCP server, verify that the port has STP PortFast enabled and trunking/channeling disabled. The default configuration is PortFast disabled and trunking/channeling auto, if applicable. These configuration changes resolve the most common DHCP client issues that occur with an initial installation of a Catalyst switch. A review of CCNA Exploration: LAN Switching and Wireless assists in solving this issue.

Troubleshooting Task 5: Distinguishing Whether DHCP Clients Obtain IP Address on the Same Subnet or VLAN as DHCP Server

It is important to distinguish whether DHCP is functioning correctly when the client is on the same subnet or VLAN as the DHCP server. If DHCP is working correctly there, the problem may be the DHCP/BOOTP relay agent. If the problem persists even when testing DHCP on the same subnet or VLAN as the DHCP server, the problem may actually be with the DHCP server.


7.1.8 - Troubleshooting DHCP
The diagram depicts troubleshooting DHCP configuration tasks.

Task 1. Resolving IP address conflicts.

Task 2. Verifying physical connectivity.

Task 3. Testing network connectivity by configuring the client workstation with a static IP address.

Task 4. Verifying the switch port configuration (STP PortFast and other commands).

Task 5. Distinguishing whether DHCP clients obtain an IP address on the same subnet or VLAN as the DHCP server.


Page 2:
Verify Router DHCP/BOOTP Relay Configuration

When the DHCP server is located on a separate LAN from the client, the router interface facing the client must be configured to relay DHCP requests. This is accomplished by configuring the IP helper address. If the IP helper address is not configured properly, client DHCP requests are not forwarded to the DHCP server.

Follow these steps to verify the router configuration:

Step 1. Verify that the ip helper-address command is configured on the correct interface. It must be present on the inbound interface of the LAN containing the DHCP client workstations and must be directed to the correct DHCP server. In the figure, the output of the show running-config command verifies that the DHCP relay IP address is referencing the DHCP server address at 192.168.11.5.

Step 2. Verify that the global configuration command no service dhcp has not been configured. This command disables all DHCP server and relay functionality on the router. The command service dhcp does not appear in the configuration, because it is the default configuration.


7.1.8 - Troubleshooting DHCP
The diagram depicts verifying the router DHCP relay configuration. The terminal window displays partial output from the show running-config command on a router. The output verifies that the DHCP relay IP address is referencing the DHCP server address at 192.168.11.5 and is applied to the correct router interface.

R1#show running-config
<Output omitted>
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.11.5
 duplex auto
 speed auto
<Output omitted>


Page 3:
Verify that the Router Is Receiving DHCP Requests Using debug Commands.

On routers configured as DHCP servers, the DHCP process fails if the router is not receiving requests from the client. As a troubleshooting task, verify that the router is receiving the DHCP request from the client. This troubleshooting step involves configuring an access control list for debugging output. The debug access control list is not intrusive to the router.

In global configuration mode, create the following access control list:

access-list 100 permit ip host 0.0.0.0 host 255.255.255.255

Start debugging by using ACL 100 as the defining parameter. In exec mode, enter the following debug command:

debug ip packet detail 100

The output in the figure shows that the router is receiving the DHCP requests from the client. The source IP address is 0.0.0.0 because the client does not yet have an IP address. The destination is 255.255.255.255 because the DHCP discovery message from the client is a broadcast. The UDP source and destination ports, 68 and 67, are the typical ports used for DHCP.

This output only shows a summary of the packet and not the packet itself. Therefore, it is not possible to determine if the packet is correct. Nevertheless, the router did receive a broadcast packet with the source and destination IP and UDP ports that are correct for DHCP.
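As an added example (not from the course), a small parser that performs the check just described over the debug ip packet detail output: it pairs each IP line with the UDP line that follows it and counts only records from 0.0.0.0 to 255.255.255.255 on UDP 68 to 67. The sample output is constructed here, copying the two records shown in the figure and adding one made-up broadcast on a non-DHCP port that ACL 100 would also match.

```python
import re
from typing import List, Tuple

# The two-line records that "debug ip packet detail <acl>" prints: an IP line, then a UDP line.
IP_LINE = re.compile(
    r"IP: s-(?P<src>[\d.]+) \((?P<ifc>[^)]+)\), d-(?P<dst>[\d.]+), len (?P<len>\d+), rcvd")
UDP_LINE = re.compile(r"UDP src-(?P<sport>\d+), dst-(?P<dport>\d+)")

# Constructed sample: the two records shown in the figure plus one made-up broadcast on a
# non-DHCP port, which ACL 100 also matches but which is not a DHCP client request.
SAMPLE_DEBUG = """\
00:16:46: IP: s-0.0.0.0 (Ethernet4/0), d-255.255.255.255, len 604, rcvd 2
00:16:46: UDP src-68, dst-67
00:16:46: IP: s-0.0.0.0 (Ethernet4/0), d-255.255.255.255, len 604, rcvd 2
00:16:46: UDP src-68, dst-67
00:16:47: IP: s-0.0.0.0 (Ethernet4/0), d-255.255.255.255, len 120, rcvd 2
00:16:47: UDP src-5000, dst-5000
"""


def dhcp_requests_seen(debug_output: str) -> List[Tuple[str, str, str, int]]:
    """Return (interface, source, destination, length) for each client DHCP request received.

    A record counts only when the IP line is 0.0.0.0 -> 255.255.255.255 and the UDP line
    right after it is client port 68 -> server port 67, as the text above describes.
    """
    lines = debug_output.splitlines()
    seen = []
    for ip_text, udp_text in zip(lines, lines[1:]):
        ip, udp = IP_LINE.search(ip_text), UDP_LINE.search(udp_text)
        if not ip or not udp:
            continue  # not an IP line followed by its UDP detail line
        if (ip["src"], ip["dst"]) != ("0.0.0.0", "255.255.255.255"):
            continue
        if (udp["sport"], udp["dport"]) != ("68", "67"):
            continue
        seen.append((ip["ifc"], ip["src"], ip["dst"], int(ip["len"])))
    return seen


if __name__ == "__main__":
    for rec in dhcp_requests_seen(SAMPLE_DEBUG):
        print("DHCP request received on", *rec)
```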

Verify that the Router Is Receiving and Forwarding DHCP Requests Using the debug ip dhcp server packet Command

A useful command for troubleshooting DHCP operation is the debug ip dhcp server events command. This command reports server events, like address assignments and database updates. It is also used for decoding DHCP receptions and transmissions.


7.1.8 - Troubleshooting DHCP
The diagram depicts debugging DHCP using router debug commands and an access list. This provides verification that the router is receiving DHCP requests.

R2#access-list 100 permit ip host 0.0.0.0 host 255.255.255.255
R2#debug ip packet detail 100
IP packet debugging is on (detailed) for access list 100
R2#
00:16:46: IP: s-0.0.0.0 (Ethernet4/0), d-255.255.255.255, len 604, rcvd 2
00:16:46: UDP src-68, dst-67
00:16:46: IP: s-0.0.0.0 (Ethernet4/0), d-255.255.255.255, len 604, rcvd 2
00:16:46: UDP src-68, dst-67


Page 4:
DHCP assigns IP addresses and other important network configuration information dynamically. Cisco routers can use the Cisco IOS feature set, Easy IP, as an optional, full-featured DHCP server. Easy IP leases configurations for 24 hours by default. In this activity, you will configure DHCP services on two routers and test your configuration.

Detailed instructions are provided within the activity as well as in the PDF link below.

Activity Instructions (PDF)

Click the Packet Tracer icon for more details.


7.1.8 - Troubleshooting DHCP
Link to Packet Tracer Exploration: Configuring DHCP Using Easy IP


7.2 Scaling Networks with NAT

7.2.1 Private and Public IP Addressing

Page 1:
All public Internet addresses must be registered with a Regional Internet Registry (RIR). Organizations can lease public addresses from an ISP. Only the registered holder of a public Internet address can assign that address to a network device.

You may have noticed that all the examples in this course use a somewhat restricted number of IP addresses. You may also have noticed the similarity between these numbers and numbers you have used in a small network to view the setup web pages of many brands of printers, DSL and cable routers, and other peripherals. These are reserved private Internet addresses drawn from the three blocks shown in the figure. These addresses are for private, internal network use only. RFC 1918 specifies that private addresses are not to be routed over the Internet, which is why private addresses are sometimes described as "non-routable". However, packets with private addresses can be routed within private internetworks.

Unlike public IP addresses, private IP addresses are a reserved block of numbers that can be used by anyone. That means two networks, or two million networks, can each use the same private addresses. To protect the public Internet address structure, ISPs typically configure the border routers to prevent privately addressed traffic from being forwarded over the Internet.

By providing more address space than most organizations could obtain through a RIR, private addressing gives enterprises considerable flexibility in network design. This enables operationally and administratively convenient addressing schemes as well as easier growth.

However, because you cannot route private addresses over the Internet, and there are not enough public addresses to allow organizations to provide one to every one of their hosts, networks need a mechanism to translate private addresses to public addresses at the edge of their network that works in both directions. Without a translation system, private hosts behind a router in the network of one organization cannot connect with private hosts behind a router in other organizations over the Internet.

Network Address Translation (NAT) provides this mechanism. Before NAT, a host with a private address could not access the Internet. Using NAT, individual companies can address some or all of their hosts with private addresses and use NAT to provide access to the Internet.

For a more in-depth look at the development of the RIR system, see the Cisco Internet Protocol Journal article at http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_4-4/regional_internet_registries.html.


7.2.1 - Introducing DHCP
The diagram depicts public and private Internet addresses.

Public Internet addresses are regulated by five regional Internet registries (RIRs). A world map is shown with the approximate area covered by each RIR:
- ARIN - United States and Canada
- RIPE - Europe and Northern Asia
- APNIC - Southern Asia and Australia
- LACNIC - Latin America and South America
- AfriNIC - Africa

Private Internet addresses are defined in RFC 1918:
Class: A
Address Range: 10.0.0.0 to 10.255.255.255
CIDR Prefix: 10.0.0.0/8

Class: B
Address Range: 172.16.0.0 to 172.31.255.255
CIDR Prefix: 172.16.0.0/12

Class: C
Address Range: 192.168.0.0 to 192.168.255.255
CIDR Prefix: 192.168.0.0/16


7.2.2 What is NAT?

Page 1:
What is NAT?

NAT is like the receptionist in a large office. Assume you have left instructions with the receptionist not to forward any calls to you unless you request it. Later on, you call a potential client and leave a message for them to call you back. You tell the receptionist that you are expecting a call from this client, and you ask the receptionist to put them through to your telephone.

The client calls the main number to your office, which is the only number the client knows. When the client tells the receptionist who they are looking for, the receptionist checks a lookup table that matches your name to your extension. The receptionist knows that you requested this call; therefore, the receptionist forwards the caller to your extension.

So while the DHCP server assigns dynamic IP addresses to devices inside the network, NAT-enabled routers retain one or many valid Internet IP addresses outside of the network. When the client sends packets out of the network, NAT translates the internal IP address of the client to an external address. To outside users, all traffic coming to and going from the network has the same IP address or is from the same pool of addresses.

NAT has many uses, but its key use is to save IP addresses by allowing networks to use private IP addresses. NAT translates private, internal addresses into public, external addresses. NAT has an added benefit of adding a degree of privacy and security to a network because it hides internal IP addresses from outside networks.

A NAT-enabled device typically operates at the border of a stub network. In our example, R2 is the border router. A stub network is a network that has a single connection to its neighbor network. As seen from the ISP, R2 forms a stub network.

When a host inside the stub network, say PC1, PC2, or PC3, wants to transmit to a host on the outside, the packet is forwarded to R2, the border gateway router. R2 performs the NAT process, translating the internal private address of the host to a public, outside, routable address.

In NAT terminology, the inside network is the set of networks that are subject to translation. The outside network refers to all other addresses. IP addresses have different designations based on whether they are on the private network or on the public network (Internet) and whether the traffic is incoming or outgoing.

Click the Terminology button in the figure.

The figure shows how to refer to the interfaces when configuring NAT. Assume that router R2 has been configured to provide NAT features. It has a pool of publicly available addresses to lend to inside hosts. This section uses the following terms when discussing NAT:

  • Inside local address - Usually not an IP address assigned by a RIR or service provider and is most likely an RFC 1918 private address. In the figure, the IP address 192.168.10.10 is assigned to the host PC1 on the inside network.
  • Inside global address - Valid public address that the inside host is given when it exits the NAT router. When traffic from PC1 is destined for the web server at 209.165.201.1, router R2 must translate the address. In this case, IP address 209.165.200.226 is used as the inside global address for PC1.
  • Outside global address - Valid public IP address assigned to a host on the Internet. For example, the web server is reachable at IP address 209.165.201.1.
  • Outside local address - The local IP address assigned to a host on the outside network. In most situations, this address will be identical to the outside global address of that outside device.

Note: In this course, we will be referencing the inside local address, inside global address, and the outside global address. The use of the outside local address is outside the scope of this course.

The "inside" of a NAT configuration is not synonymous with private addresses as defined by RFC 1918. Although "inside" addresses are usually private addresses, NAT can translate between "outside" and "inside" public addresses.


7.2.2 - What Is NAT?
The diagram depicts using NAT to translate private addresses to public addresses and identifies related NAT terminology.

Network Topology:
Three LANs, 192.168.10.0/24, 192.168.11.0/24, and 192.168.30.0/24, are connected by three routers, R1, R2, and R3 in a corporate stub network with only one exit to the outside. The corporate stub network devices use only private address space internally. Router R2 is a NAT-enabled border router that connects to the ISP.

PC1 in LAN 1 is connected to switch S1, which is connected to R1 interface FA0/0.
PC2 in LAN 2 is connected to switch S2, which is connected to R1 interface FA0/1.
PC3 in LAN 3 is connected to switch S3, which is connected to R3 interface FA0/1.

Router R1 interface S0/0/0 is connected to R2 interface S0/0/0.
Router R3 interface S0/0/1 is connected to R2 interface S0/0/1.
Router R2 interface S0/1/0 is connected to the ISP.

PC1 IP address: 192.168.10.10/24
PC2 IP address: 192.168.11.10/24
PC3 IP address: 192.168.30.10/24

Switch S1 IP address: 192.168.10.2/24
Switch S2 IP address: 192.168.11.2/24
Switch S3 IP address: 192.168.30.2/24

Router R1 FA0/0 IP address: 192.168.10.1/24
Router R1 FA0/1 IP address: 192.168.11.1/24
Router R1 S0/0/0 IP address: 10.1.1.1/30

Router R2 S0/0/0 IP address: 10.1.1.2/30
Router R2 S0/0/1 IP address: 10.2.2.1/30
Router R2 S0/1/0 IP address: 209.165.200.225/27

Router R3 FA0/1 IP address: 192.168.30.1/24
Router R3 S0/0/1 IP address: 10.2.2.2/30

NAT Terminology:
The diagram shows PC1 connected to an inside network cloud, which is connected to router R2. R2 is connected to the ISP router in a cloud. A Web server is connected to the ISP cloud. A bubble from R2 says: "NAT-enabled router. NAT Pool 209.165.200.226 to 230."

PC1 IP address: 192.168.10.10
Router R2 S0/1/0 NAT Pool IP address: 209.165.200.226 to 230
ISP Web Server IP address: 209.165.201.1

A NAT table contains the following entries.
Inside Local Address: 192.168.10.10 (Arrow points to PC1)
Inside Global Address: 209.165.200.226 (Arrow points to packet with source address (S A) at the R2 external interface)
Outside Global Address: 209.165.201.1 (Arrow points to ISP Web Server)


Page 2:
How Does NAT Work?

In this example, an inside host (192.168.10.10) wants to communicate with an outside web server (209.165.201.1). It sends a packet to R2, the NAT-configured border gateway for the network.

Use the controls on the figure to start the animation.

R2 reads the source IP address of the packet and checks if the packet matches the criteria specified for translation. R2 has an ACL that identifies the inside network as valid hosts for translation. Therefore, it translates an inside local IP address to an inside global IP address, which in this case is 209.165.200.226. It stores this mapping of the local to global address in the NAT table.

The router then sends the packet to its destination. When the web server responds, the packet comes back to the global address of R2 (209.165.200.226).

R2 refers to its NAT table and sees that this was a previously translated IP address. Therefore, it translates the inside global address to the inside local address, and the packet is forwarded to PC1 at IP address 192.168.10.10. If it does not find a mapping, the packet is dropped.

Dynamic Mapping and Static Mapping

There are two types of NAT translation: dynamic and static.

Dynamic NAT uses a pool of public addresses and assigns them on a first-come, first-served basis. When a host with a private IP address requests access to the Internet, dynamic NAT chooses an IP address from the pool that is not already in use by another host. This is the mapping described so far.

Static NAT uses a one-to-one mapping of local and global addresses, and these mappings remain constant. Static NAT is particularly useful for web servers or hosts that must have a consistent address that is accessible from the Internet. These internal hosts may be enterprise servers or networking devices.

Both static and dynamic NAT require that enough public addresses are available to satisfy the total number of simultaneous user sessions.

For another look at how dynamic NAT works, go to http://www.cisco.com/warp/public/556/nat.swf.


7.2.2 - What Is NAT?
The animation depicts how NAT works.

The diagram shows PC1 connected to router R1, which is connected to router R2. R2 is connected to the ISP router in a cloud. A Web server is connected to the ISP cloud.

PC1 IP address: 192.168.10.10
ISP Web Server: 209.165.201.1

A NAT table contains the following entries.
Inside Local Address: 192.168.10.10
Inside Global Address: 209.165.200.226
Outside Global Address: 209.165.201.1

As the animation progresses:
Step 1. PC1 sends a packet to router R1 with source address 192.168.10.10.
Step 2. The packet is forwarded by R1 to R2, which translates the inside local IP address (192.168.10.10) to an inside global IP address (209.165.200.226). The source address of the packet is now 209.165.200.226, and it is passed through the ISP router and on to the Web server.
Step 3. The web server sends return packets to destination address 209.165.200.226, and the packet travels back to router R2.
Step 4. R2 translates the inside global IP address 209.165.200.226 to the inside local IP address 192.168.10.10 and forwards it to R1, which delivers it to PC1.


Page 3:
NAT Overload

NAT overloading (sometimes called Port Address Translation or PAT) maps multiple private IP addresses to a single public IP address or a few addresses. This is what most home routers do. Your ISP assigns one address to your router, yet several members of your family can simultaneously surf the Internet.

With NAT overloading, multiple addresses can be mapped to one or to a few addresses because each private address is also tracked by a port number. When a client opens a TCP/IP session, the NAT router assigns a port number to its source address. NAT overload ensures that clients use a different TCP port number for each client session with a server on the Internet. When a response comes back from the server, the source port number, which becomes the destination port number on the return trip, determines to which client the router routes the packets. It also validates that the incoming packets were requested, thus adding a degree of security to the session.

Click the controls to start and pause the animation.

The animation illustrates the process. NAT overload uses unique source port numbers on the inside global IP address to distinguish between translations. As NAT processes each packet, it uses a port number (1331 and 1555 in this example) to identify the client from which the packet originated. The source address (SA) is the inside local IP address with the TCP/IP assigned port number attached. The destination address (DA) is the outside local IP address with the service port number attached, in this case port 80: HTTP.

At the border gateway router (R2), NAT overload changes the SA to the inside global IP address of the client, again with the port number attached. The DA is the same address, but is now referred to as the outside global IP address. When the web server replies, the same path is followed but in reverse.

Port numbers are encoded in 16 bits. The total number of internal addresses that can be translated to one external address could theoretically be as high as 65,536 per IP address. However, realistically, the number of internal addresses that can be assigned a single IP address is around 4,000.

Click the Next Available Port button in the figure.

In the previous example, the client port numbers in the two SAs, 1331 and 1555, do not change at the border gateway. This is not a very likely scenario because there is a good chance that these numbers may have already been attached to other ongoing sessions.

NAT overload attempts to preserve the original source port. However, if this source port is already used, NAT overload assigns the first available port number starting from the beginning of the appropriate port group 0-511, 512-1023, or 1024-65535. When there are no more ports available and there is more than one external IP address configured, NAT overload moves to the next IP address to try to allocate the original source port again. This process continues until it runs out of available ports and external IP addresses.

In the figure, both hosts have somehow chosen the same port number 1444. This is acceptable for the inside address, because they both have unique private IP addresses. However, at the border gateway, the port numbers need to be changed; otherwise, two packets from two hosts would leave R2 with the same source address. NAT overload has given the second address the first available port number, which in this case happens to be 1445.

Differences Between NAT and NAT Overload

Summarizing the differences between NAT and NAT overload will help your understanding. NAT generally only translates IP addresses on a 1:1 correspondence between publicly exposed IP addresses and privately held IP addresses. NAT overload modifies both the private IP address and port number of the sender. NAT overload chooses the port numbers seen by hosts on the public network.

NAT routes incoming packets to their inside destination by referring to the incoming source IP address given by the host on the public network. With NAT overload, there is generally only one or a very few publicly exposed IP addresses. Incoming packets from the public network are routed to their destinations on the private network by referring to a table in the NAT overload device that tracks public and private port pairs. This is called connection tracking.


7.2.2 - What Is NAT?
The animation depicts how NAT Overloading (sometimes called Port Address Translation or PAT) works and how the next available port is selected.

NAT Process:
The diagram shows two PCs connected to router R2, which is connected to the Internet cloud. Two servers are connected to the ISP cloud.

Inside Network:
PC1 IP address: 192.168.10.10
PC2 IP address: 192.168.10.11
Both PC1 and PC2 are connected to a FastEthernet interface on router R2.

Outside Network:
Server1 IP address: 209.165.201.1
Server2 IP address: 209.165.202.129
Both Server1 and Server2 are connected to a serial interface on router R2.

As the animation progresses:
Step 1. PC1 sends a packet to router R2 with source address 192.168.10.10 and source port 1555. The destination is Server1 with address 209.165.201.1 and port 80.

Step 2. PC2 sends a packet to router R2 with source address 192.168.10.11 and source port 1331. The destination is Server2 with address 209.165.202.129 and port 80.

Step 3. The PC1 packet is received by R2, which translates the PC1 inside local IP address 192.168.10.10 to an inside global IP address 209.165.200.226 and port number 1555.

Step 4. The PC2 packet is received by R2, which translates the PC2 inside local IP address 192.168.10.11 to the same inside global IP address 209.165.200.226 but with port number 1331.

Step 5. Router R2 creates NAT Overload table entries as follows:

NAT Table entries for PC1:
Inside Local IP Address: 192.168.10.10:1555
Inside Global IP Address: 209.165.200.226:1555
Outside Global IP Address: 209.165.201.1:80
Outside Local IP Address: 209.165.201.1:80

NAT Table entries for PC2:
Inside Local IP Address: 192.168.10.11:1331
Inside Global IP Address: 209.165.200.226:1331
Outside Global IP Address: 209.165.202.129:80
Outside Local IP Address: 209.165.202.129:80

Step 6. The packets from PC1 and PC2 reach the destination servers.

Next Available Port:
The diagram shows three PCs connected to router R2, which is connected to the Internet cloud.

Inside Network:
PC1 IP address: 192.168.10.10
PC2 IP address: 192.168.10.11
PC3 IP address: 192.168.10.12
PC1, PC2, and PC3 are connected to a FastEthernet interface on router R2.

Outside Network:
Router R2 Serial interface

As the animation progresses:
Step 1. PC2 sends a packet to router R2 with source address 192.168.10.11 and source port 1444.

Step 2. The PC2 packet is received by R2, which translates the PC2 inside local IP address 192.168.10.11 using port 1444 to an inside global IP address 209.165.200.226 using port 1444. Note that when the address is translated or changed, the source port number of 1444 does not change.

Step 3. PC3 sends a packet to router R2 with source address 192.168.10.12 and source port 1444.

Step 4. The PC3 packet is received by R2, which translates the PC3 inside local IP address 192.168.10.12 to an inside global IP address 209.165.200.226 but uses the next available port number 1445, because port 1444 was already in use by the PC2 translation.

Router R2 creates NAT Overload table entries as follows:

NAT Table entries for PC2:
Inside Local IP Address: 192.168.10.11:1444
Inside Global IP Address: 209.165.200.226:1444

NAT Table entries for PC3:
Inside Local IP Address: 192.168.10.12:1444
Inside Global IP Address: 209.165.200.226:1445
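To make the port-selection rules concrete, here is an added Python model (not Cisco's code and not part of the course) of a NAT overload table that serves both the prose on the next available port and the animation steps above: it keeps a client's original source port when it is free, otherwise takes the next free port in the same group (0-511, 512-1023, 1024-65535), moves to the next inside global address when a group is exhausted, and drops inbound packets that match no entry. The search order inside a group (upward from the original port, wrapping to the group start) is an assumption of this model chosen to reproduce the figure's 1444 to 1445 outcome; the exact allocator order in IOS is not stated on this page.

```python
"""Model of NAT overload (PAT) port selection and connection tracking.

Constructed example; it follows the behaviour described in the section, not
Cisco's implementation.
"""
from dataclasses import dataclass

# Port groups named on the page: a replacement port stays inside the group
# of the original source port.
PORT_GROUPS = ((0, 511), (512, 1023), (1024, 65535))


def port_group(port: int) -> tuple[int, int]:
    """Return the (low, high) bounds of the group a port belongs to."""
    for low, high in PORT_GROUPS:
        if low <= port <= high:
            return low, high
    raise ValueError(f"port out of range: {port}")


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int

    def __str__(self) -> str:
        return f"{self.ip}:{self.port}"


class PatTable:
    """Translation table keyed by inside local ip:port (the page's 'connection tracking')."""

    def __init__(self, inside_global_ips: list[str]) -> None:
        self.inside_global_ips = list(inside_global_ips)
        self.used_ports = {ip: set() for ip in inside_global_ips}
        self.outbound_map: dict[Endpoint, Endpoint] = {}  # inside local -> inside global
        self.inbound_map: dict[Endpoint, Endpoint] = {}   # inside global -> inside local

    def _pick_port(self, used: set, wanted: int):
        """Original port if free, else the next free port in its group, wrapping to
        the group's start (assumed search order, see lead-in). None if the group is full."""
        if wanted not in used:
            return wanted
        low, high = port_group(wanted)
        size = high - low + 1
        for offset in range(1, size):
            candidate = low + (wanted - low + offset) % size
            if candidate not in used:
                return candidate
        return None

    def translate_outbound(self, inside_local: Endpoint) -> Endpoint:
        """Translate an outgoing packet's source; an existing entry is reused."""
        if inside_local in self.outbound_map:
            return self.outbound_map[inside_local]
        for global_ip in self.inside_global_ips:
            used = self.used_ports[global_ip]
            port = self._pick_port(used, inside_local.port)
            if port is None:
                continue  # group exhausted here: try the next inside global address
            used.add(port)
            inside_global = Endpoint(global_ip, port)
            self.outbound_map[inside_local] = inside_global
            self.inbound_map[inside_global] = inside_local
            return inside_global
        raise RuntimeError("no free port on any inside global address")

    def translate_inbound(self, inside_global: Endpoint):
        """Map a returning packet's destination back to the inside host, or None
        (drop) when no inside host requested it."""
        return self.inbound_map.get(inside_global)


def figure_scenario():
    """The 'Next Available Port' figure: PC2 and PC3 both pick source port 1444."""
    nat = PatTable(["209.165.200.226"])
    pc2 = nat.translate_outbound(Endpoint("192.168.10.11", 1444))
    pc3 = nat.translate_outbound(Endpoint("192.168.10.12", 1444))
    reply_to_pc3 = nat.translate_inbound(Endpoint("209.165.200.226", 1445))
    unsolicited = nat.translate_inbound(Endpoint("209.165.200.226", 2000))
    return str(pc2), str(pc3), str(reply_to_pc3), unsolicited


if __name__ == "__main__":
    print(figure_scenario())
```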


7.2.3 Benefits and Drawbacks of Using NAT

Page 1:
Benefits and Drawbacks of Using NAT

NAT provides many benefits and advantages. However, there are some drawbacks to using NAT, including the lack of support for some types of traffic.

The benefits of using NAT include the following:

  • NAT conserves the legally registered addressing scheme by allowing the privatization of intranets. NAT conserves addresses through application port-level multiplexing. With NAT overload, internal hosts can share a single public IP address for all external communications. In this type of configuration, very few external addresses are required to support many internal hosts.
  • NAT increases the flexibility of connections to the public network. Multiple pools, backup pools, and load-balancing pools can be implemented to ensure reliable public network connections.
  • NAT provides consistency for internal network addressing schemes. On a network without private IP addresses and NAT, changing public IP addresses requires the renumbering of all hosts on the existing network. The costs of renumbering hosts can be significant. NAT allows the existing scheme to remain while supporting a new public addressing scheme. This means an organization could change ISPs and not need to change any of its inside clients.
  • NAT provides network security. Because private networks do not advertise their addresses or internal topology, they remain reasonably secure when used in conjunction with NAT to gain controlled external access. However, NAT does not replace firewalls.

However, NAT does have some drawbacks. The fact that hosts on the Internet appear to communicate directly with the NAT device, rather than with the actual host inside the private network, creates a number of issues. In theory, a single globally unique IP address can represent many privately addressed hosts. This has advantages from a privacy and security point of view, but in practice, there are drawbacks.

The first disadvantage affects performance. NAT increases switching delays because the translation of each IP address within the packet headers takes time. The first packet is process-switched, meaning it always goes through the slower path. The router must look at every packet to decide whether it needs translation. The router needs to alter the IP header, and possibly alter the TCP or UDP header. Remaining packets go through the fast-switched path if a cache entry exists; otherwise, they too are delayed.

Many Internet protocols and applications depend on end-to-end functionality, with unmodified packets forwarded from the source to the destination. By changing end-to-end addresses, NAT prevents some applications that use IP addressing. For example, some security applications, such as digital signatures, fail because the source IP address changes. Applications that use physical addresses instead of a qualified domain name do not reach destinations that are translated across the NAT router. Sometimes, this problem can be avoided by implementing static NAT mappings.

End-to-end IP traceability is also lost. It becomes much more difficult to trace packets that undergo numerous packet address changes over multiple NAT hops, making troubleshooting challenging. On the other hand, hackers who want to determine the source of a packet find it difficult to trace or obtain the original source or destination address.

Using NAT also complicates tunneling protocols, such as IPsec, because NAT modifies values in the headers that interfere with the integrity checks done by IPsec and other tunneling protocols.

Services that require the initiation of TCP connections from the outside network, or stateless protocols such as those using UDP, can be disrupted. Unless the NAT router makes a specific effort to support such protocols, incoming packets cannot reach their destination. Some protocols can accommodate one instance of NAT between participating hosts (passive mode FTP, for example), but fail when both systems are separated from the Internet by NAT.


7.2.3 - Benefits and Drawbacks of Using NAT
The diagram depicts the benefits and drawbacks of using NAT.

NAT Benefits:
- Conserves the legally registered addressing scheme.
- Increases the flexibility of connections to the public network.
- Provides consistency for internal network addressing schemes.
- Provides network security.

NAT Drawbacks:
- Performance is degraded.
- End-to-end functionality is degraded.
- End-to-end IP traceability is lost.
- Tunneling is more complicated.
- Initiating TCP connections can be disrupted.
- Architectures need to be rebuilt to accommodate changes.


7.2.4 Configuring Static NAT

Page 1:
Static NAT

Remember that static NAT is a one-to-one mapping between an inside address and an outside address. Static NAT allows connections initiated by external devices to inside devices. For instance, you may want to map an inside global address to a specific inside local address that is assigned to your web server.

Configuring static NAT translations is a simple task. You need to define the addresses to translate and then configure NAT on the appropriate interfaces. Packets arriving on an inside interface from the identified IP address are subject to translation. Packets arriving on an outside interface addressed to the identified IP address are subject to translation.

The figure explains the commands for the steps. You enter static translations directly into the configuration. Unlike dynamic translations, these translations are always in the NAT table.

Click the Example button in the figure.

The figure is a simple static NAT configuration applied to both interfaces. The router always translates packets from the host inside the network with the private address of 192.168.10.254 into an outside address of 209.165.200.254. The host on the Internet directs web requests to the public IP address 209.165.200.254, and router R2 always forwards that traffic to the server at 192.168.10.254.


7.2.4 - Configuring Static NAT
The diagram depicts the steps and command syntax involved in configuring static NAT. An example configuration is provided.

Commands:

Step 1.
Action: Establish static translation between an inside local address and an inside global address.
Command: Router(config)#ip nat inside source static local-ip global-ip
Notes: Enter the global command no ip nat inside source static to remove the static source translation.

Step 2.
Action: Specify the inside interface.
Command: Router(config)#interface type number
Notes: Enter the interface command. The CLI prompt changes from (config)# to (config-if)#.

Step 3.
Action: Mark the interface as connected to the inside.
Command: Router(config-if)#ip nat inside

Step 4.
Action: Exit interface configuration mode.
Command: Router(config-if)#exit

Step 5.
Action: Specify the outside interface.
Command: Router(config)#interface type number

Step 6.
Action: Mark the interface as connected to the outside.
Command: Router(config-if)#ip nat outside

Example:
ip nat inside source static 192.168.10.254 209.165.200.254
Establishes static translation between an inside local address and an inside global address.
interface serial0/0/0
ip nat inside
Identifies serial0/0/0 as an inside NAT interface.
interface serial0/1/0
ip nat outside
Identifies serial0/1/0 as an outside NAT interface.

With this configuration, 192.168.10.254 always translates to 209.165.200.254.


7.2.5 Configuring Dynamic NAT

Page 1:
Configuring Dynamic NAT

While static NAT provides a permanent mapping between an internal address and a specific public address, dynamic NAT maps private IP addresses to public addresses. These public IP addresses come from a NAT pool. Dynamic NAT configuration differs from static NAT, but it also has some similarities. Like static NAT, it requires the configuration to identify each interface as an inside or outside interface. However, rather than creating a static map to a single IP address, a pool of inside global addresses is used.

Click the Commands button in the figure for the steps to configure dynamic NAT.

To configure dynamic NAT, you need an ACL to permit only those addresses that are to be translated. When developing your ACL, remember there is an implicit "deny all" at the end of each ACL. An ACL that is too permissive can lead to unpredictable results. Cisco advises against configuring access control lists referenced by NAT commands with the permit any command. Using permit any can result in NAT consuming too many router resources, which can cause network problems.

Click the Example button in the figure.

This configuration allows translation for all hosts on the 192.168.10.0 and 192.168.11.0 networks when they generate traffic that enters S0/0/0 and exits S0/1/0. These hosts are translated to an available address in the 209.165.200.226 - 209.165.200.240 range.


7.2.5 - Configuring Dynamic NAT
The diagram depicts the steps and command syntax involved in configuring dynamic NAT. An example configuration is provided.

Commands:
Step 1.
Action: Define a pool of global addresses to be allocated as needed.
Command: Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
Notes: Enter the global command no ip nat pool name to remove the pool of global addresses.

Step 2.
Action: Define a standard access list permitting those addresses that are to be translated.
Command: Router(config)#access-list access-list-number permit source [source-wildcard]
Notes: Enter the global command no access-list access-list-number to remove the access list.

Step 3.
Action: Establish dynamic source translation, specifying the access list defined in the prior step.
Command: Router(config)#ip nat inside source list access-list-number pool name
Notes: Enter the global command no ip nat inside source to remove the dynamic source translation.

Step 4.
Action: Specify the inside interface
Command: Router(config)#interface type number
Notes: Enter the interface command. The CLI prompt changes from (config)# to (config-if)#.

Step 5.
Action: Mark the interface as connected to the inside.
Command: Router(config-if)#ip nat inside

Step 6.
Action: Specify the outside interface.
Command: Router(config)#interface type number

Step 7.
Action: Mark the interface as connected to the outside.
Command: Router(config-if)#ip nat outside

Step 8.
Action: Exit interface configuration mode.
Command: Router(config-if)#exit

Example:
The diagram shows two PCs connected to the inside network cloud, which is connected to router R2. Router R2 is connected to the Internet cloud.

Inside Network:
PC1 IP address: 192.168.10.10
PC2 IP address: 192.168.10.11
Router R2 S0/0/0 interface IP address: 10.1.1.2

Outside Network:
Router R2 S0/1/0 interface IP address: 209.165.200.225

Router Output Configuration Commands:
ip nat pool NAT-POOL1 209.165.200.226 209.165.200.240 netmask 255.255.255.224
Defines a pool of public IP addresses under the pool name NAT-POOL1.
access-list 1 permit 192.168.0.0 0.0.255.255
Defines which addresses are eligible to be translated.
ip nat inside source list 1 pool NAT-POOL1
Binds the NAT pool with ACL 1.
interface serial0/0/0
ip nat inside
Identifies interface serial0/0/0 as an inside NAT interface.
interface serial0/1/0
ip nat outside
Identifies interface serial0/1/0 as an outside NAT interface.
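As an added example (not Cisco's code and not the course's own), the following Python reads the static and dynamic NAT commands shown in 7.2.4 and 7.2.5 and applies them to outgoing packets: the wildcard-mask ACL match with its implicit deny, first-come first-served allocation from NAT-POOL1, and what happens when the fifteen addresses 209.165.200.226 - 209.165.200.240 run out. Treating a packet as dropped when its pool is exhausted, and forwarding an ACL-denied packet untranslated, are assumptions of this model.

```python
"""Model of static and dynamic NAT as configured in 7.2.4 and 7.2.5.

Constructed example, not Cisco's code. It parses the configuration lines the
page shows and applies them to packets leaving the inside network.
"""
import ipaddress
import re
from typing import Optional

# The page's 7.2.5 dynamic NAT example plus the 7.2.4 static entry (page values).
PAGE_CONFIG = """
ip nat pool NAT-POOL1 209.165.200.226 209.165.200.240 netmask 255.255.255.224
access-list 1 permit 192.168.0.0 0.0.255.255
ip nat inside source list 1 pool NAT-POOL1
ip nat inside source static 192.168.10.254 209.165.200.254
interface serial0/0/0
ip nat inside
interface serial0/1/0
ip nat outside
"""


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care'. addr matches when it
    agrees with base in every bit position the wildcard leaves as 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


class NatRouter:
    """Holds the parsed NAT policy and the translation table it builds."""

    def __init__(self, config_text: str) -> None:
        self.static: dict[str, str] = {}                  # inside local -> inside global
        self.pools: dict[str, list[str]] = {}             # pool name -> free addresses
        self.acls: dict[str, list[tuple[str, str]]] = {}  # acl -> (base, wildcard) permits
        self.rules: list[tuple[str, str]] = []            # (acl number, pool name)
        self.table: dict[str, str] = {}                   # dynamic inside local -> inside global
        for line in config_text.splitlines():
            self._apply(line.strip())

    def _apply(self, line: str) -> None:
        if m := re.fullmatch(r"ip nat inside source static (\S+) (\S+)", line):
            self.static[m[1]] = m[2]
        elif m := re.fullmatch(
                r"ip nat pool (\S+) (\S+) (\S+)(?: netmask \S+| prefix-length \d+)?", line):
            first = int(ipaddress.IPv4Address(m[2]))
            last = int(ipaddress.IPv4Address(m[3]))
            self.pools[m[1]] = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        elif m := re.fullmatch(r"access-list (\d+) permit (\S+)(?: (\S+))?", line):
            if m[2] == "any":  # the 'permit any' the page advises against: every source matches
                entry = ("0.0.0.0", "255.255.255.255")
            else:
                entry = (m[2], m[3] or "0.0.0.0")  # no wildcard given means a single host
            self.acls.setdefault(m[1], []).append(entry)
        elif m := re.fullmatch(r"ip nat inside source list (\d+) pool (\S+)", line):
            self.rules.append((m[1], m[2]))
        # interface and ip nat inside/outside lines only mark interfaces; nothing to store here

    def permitted(self, acl: str, src: str) -> bool:
        """Standard ACL: any permit entry matches, otherwise the implicit deny all applies."""
        return any(wildcard_match(src, base, wc) for base, wc in self.acls.get(acl, []))

    def translate_source(self, src: str) -> Optional[str]:
        """Inside global address used for a packet from src. Returns src itself when the
        address is not subject to translation, and None when it should be translated
        but the pool is exhausted (treated as dropped in this model)."""
        if src in self.static:
            return self.static[src]        # static entries are always in the table
        if src in self.table:
            return self.table[src]         # an existing dynamic entry is reused
        for acl, pool_name in self.rules:
            if not self.permitted(acl, src):
                continue
            free = self.pools.get(pool_name, [])
            if not free:
                return None
            self.table[src] = free.pop(0)  # first-come, first-served from the pool
            return self.table[src]
        return src


def exhaust_pool(router: NatRouter, prefix: str, count: int) -> list:
    """Send one packet from each of `count` distinct hosts and return the results in order."""
    return [router.translate_source(f"{prefix}.{i}") for i in range(1, count + 1)]


if __name__ == "__main__":
    r = NatRouter(PAGE_CONFIG)
    print(r.translate_source("192.168.10.254"), r.translate_source("192.168.10.10"))
    print(exhaust_pool(r, "192.168.20", 16)[-2:])  # last two hosts find the pool empty
```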


7.2.6 Configuring NAT Overload

Page 1:
Configuring NAT Overload for a Single Public IP Address

There are two possible ways to configure overloading, depending on how the ISP allocates public IP addresses. In the first instance, the ISP allocates one public IP address to the organization, and in the other, it allocates more than one public IP address.

The figure shows the steps to follow to configure NAT overload with a single IP address. With only one public IP address, the overload configuration typically assigns that public address to the outside interface that connects to the ISP. All inside addresses are translated to the single IP address when leaving the outside interface.

Click the Commands button in the figure for the steps to configure NAT overload.

The configuration is similar to dynamic NAT, except that instead of a pool of addresses, the interface keyword is used to identify the outside IP address. Therefore, no NAT pool is defined. The overload keyword enables the addition of the port number to the translation.

Click the Example button in the figure.

This example shows how NAT overload is configured. In the example, all hosts from network 192.168.0.0 /16 (matching ACL 1) sending traffic through router R2 to the Internet are translated to IP address 209.165.200.225 (interface S0/1/0 IP address). The traffic flows are identified by port numbers, because the overload keyword was used.


7.2.6 - Configuring NAT Overload
The diagram depicts the steps and command syntax involved in configuring NAT Overload for a single public IP address. An example configuration is provided.

Commands:

Step 1.
Action: Define a standard access list permitting those addresses that are to be translated.
Command: Router(config)#access-list ACL-number permit source [source-wildcard]
Notes: Enter the global command no access-list access-list-number to remove the access list.

Step 2.
Action: Establish dynamic source translation, specifying the access list defined in the prior step.
Command: Router(config)#ip nat inside source list ACL-number interface interface overload
Notes: Enter the global command no ip nat inside source to remove the dynamic source translation. The overload keyword enables PAT.

Step 3.
Action: Specify the inside interface.
Commands:
Router(config)#interface type number
Router(config-if)#ip nat inside
Notes: Enter the interface command. The CLI prompt changes from (config)# to (config-if)#.

Step 4.
Action: Specify the outside interface.
Commands:
Router(config-if)#interface type number
Router(config-if)#ip nat outside

Example:
The diagram is the same as the 7.2.5 example topology.

Router Output Configuration Commands:
access-list 1 permit 192.168.0.0 0.0.255.255
Defines which addresses are eligible to be translated.
ip nat inside source list 1 interface serial0/1/0 overload
Identifies the outside interface serial0/1/0 as the inside global address to be overloaded.
interface serial0/0/0
ip nat inside
Identifies serial0/0/0 as an inside NAT interface.
interface serial0/1/0
ip nat outside
Identifies serial0/1/0 as an outside NAT interface.


Page 2:
Configuring NAT Overload for a Pool of Public IP Addresses

In the scenario where the ISP has provided more than one public IP address, NAT overload is configured to use a pool. The primary difference between this configuration and the configuration for dynamic, one-to-one NAT is that the overload keyword is used. Remember that the overload keyword enables port address translation.

Click the Commands button in the figure for the steps to configure NAT overload using a pool of addresses.

Click the Example button in the figure.

In this example, the configuration establishes overload translation for NAT pool NAT-POOL2. The NAT pool contains addresses 209.165.200.226 - 209.165.200.240 and is translated using PAT. Hosts in the 192.168.0.0 /16 network are subject to translation. Finally, the inside and outside interfaces are identified.


7.2.6 - Configuring NAT Overload
The diagram depicts the steps and command syntax involved in configuring NAT Overload for a pool of public IP addresses. An example configuration is provided.

Commands:

Step 1.
Action: Define a standard access list permitting those addresses that are to be translated.
Command: Router(config)#access-list ACL-number permit source [source-wildcard]
Notes: Enter the global command no access-list access-list-number to remove the access list.

Step 2.
Action: Specify the global address to be used for overloading as a pool.
Command: Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

Step 3.
Action: Establish overload translation.
Command: Router(config)#ip nat inside source list ACL-number pool name overload

Step 4.
Action: Specify the inside interface.
Commands:
Router(config)#interface type number
Router(config-if)#ip nat inside
Notes: Enter the interface command. The CLI prompt changes from (config)# to (config-if)#.

Step 5.
Action: Specify the outside interface.
Commands:
Router(config-if)#interface type number
Router(config-if)#ip nat outside


Example:
The diagram is the same as the 7.2.5 example topology.

Router Output Configuration Commands:
access-list 1 permit 192.168.0.0 0.0.255.255
Defines which addresses are eligible to be translated.
ip nat pool NAT-POOL2 209.165.200.226 209.165.200.240
Defines a pool of addresses named NAT-POOL2 to be used in NAT translation.
ip nat inside source list 1 pool NAT-POOL2 overload
Binds the NAT pool with ACL 1.
interface serial0/0/0
ip nat inside
Identifies interface serial0/0/0 as an inside NAT interface.
interface serial0/1/0
ip nat outside
Identifies interface serial0/1/0 as an outside NAT interface.


7.2.7 Configuring Port Forwarding

Page 1:
Port Forwarding

Port forwarding (sometimes referred to as tunneling) is the act of forwarding a network port from one network node to another. This technique can allow an external user to reach a port on a private IP address (inside a LAN) from the outside through a NAT-enabled router.

Typically, peer-to-peer file-sharing programs and key operations, such as web serving and outgoing FTP, require that router ports be forwarded or opened to allow these applications to work. Because NAT hides internal addresses, peer-to-peer only works from the inside out, where NAT can register outgoing requests and map them against incoming replies.

The problem is that NAT does not allow requests initiated from the outside. This situation can be resolved with manual intervention. Port forwarding allows you to identify specific ports that can be forwarded to inside hosts.

Recall that Internet software applications interact with user ports that need to be open or available to those applications. Different applications use different ports. For example, Telnet uses port 23, FTP uses ports 20 and 21, HTTP port 80, and SMTP uses port 25. This makes it predictable for applications and routers to identify network services. For example, HTTP operates through the well-known port 80. When you enter the address http://cisco.com, the browser displays the Cisco Systems, Inc. website. Notice that we do not have to specify the HTTP port number for the page requests because the application assumes port 80.

Configuring Port Forwarding

Port forwarding allows users on the Internet to access internal servers by using the WAN port address and the matched external port number. When users send these types of requests to your WAN port IP address via the Internet, the router forwards those requests to the appropriate servers on your LAN. For security reasons, broadband routers do not by default permit any external network request to be forwarded to an inside host.

For instance, the figure is displaying the Single Port Forwarding window of a Linksys WRVS4400N business-class SOHO router. Currently, port forwarding is not configured.

Click the Port Forwarding Example button in the figure.

You can enable port forwarding for applications and specify the inside local address to forward the request to. For example, in the figure, HTTP service requests coming into this Linksys router are now forwarded to the web server with the inside local address of 192.168.1.254. If the external WAN IP address of the SOHO router is 209.165.200.158, the external user could enter http://209.165.200.158 and the Linksys router would redirect the HTTP request to the internal web server at IP address 192.168.1.254, using the default port number 80.

We could specify a port different from the default port 80. However, the external user would have to know the specific port number to use.

The approach you take to configure port forwarding depends on the brand and model of the broadband router in the network. However, there are some generic steps to follow. If the instructions supplied by your ISP or that came with the router do not provide adequate guidance, the website www.portforward.com provides guides for several broadband routers. You can follow the instructions to add or delete ports as required to meet the needs of any applications you want to allow or deny.


7.2.7 - Configuring Port Forwarding
The diagram depicts configuring port forwarding on a Linksys ISR using the GUI.

Port Forwarding:
The Linksys ISR GUI screenshot shows the Single Port Forwarding option under the Firewall tab. Application HTTP port 80 is highlighted.

Port Forwarding Example:
The Linksys GUI screenshot shows the Single Port Forwarding option under the Firewall tab. A specific IP address has been entered (192.168.1.254) to which application HTTP port 80 requests will be forwarded. The Enabled box is also checked.


7.2.8 Verifying and Troubleshooting NAT Configurations

Page 1:
Verifying NAT and NAT Overload

It is important to verify NAT operation. There are several useful router commands to view and clear NAT translations. This topic explains how to verify NAT operation using tools available on Cisco routers.

One of the most useful commands when verifying NAT operation is the show ip nat translations command. Before using the show commands to verify NAT, you must clear any dynamic translation entries that might still be present, because by default, dynamic address translations time out from the NAT translation table after a period of non-use.

In the figure, router R2 has been configured to provide NAT overload to the 192.168.0.0 /16 clients. When the internal hosts exit router R2 to the Internet, they are translated to the IP address of the serial interface with a unique source port number.

Assume that the two hosts in the internal network have been accessing web services from the Internet.

Click on the NAT Translations button in the figure.

Notice that the output of the show ip nat translations command displays the details of the two NAT assignments. Adding verbose to the command displays additional information about each translation, including how long ago the entry was created and used.

The command displays all static translations that have been configured as well as any dynamic translations that have been created by traffic. Each translation is identified by protocol as well as inside and outside local and global addresses.

Click on the NAT Statistics button in the figure.

The show ip nat statistics command displays information about the total number of active translations, NAT configuration parameters, how many addresses are in the pool, and how many have been allocated.

In the figure, the hosts have initiated web traffic as well as ICMP traffic.

Alternatively, use the show run command and look for NAT, access command list, interface, or pool commands with the required values. Examine these carefully and correct any errors you discover.

By default, translation entries time out after 24 hours, unless the timers have been reconfigured with the ip nat translation timeout timeout-seconds command in global configuration mode.

Click the Cleared NAT button in the figure.

It is sometimes useful to clear the dynamic entries sooner than the default. This is especially true when testing the NAT configuration. To clear dynamic entries before the timeout has expired, use the clear ip nat translation global command.

The table in the figure shows the various ways to clear NAT translations. You can be very specific about which translation to clear, or you can clear all translations from the table using the clear ip nat translation * global command, as shown in the example.

Only the dynamic translations are cleared from the table. Static translations cannot be cleared from the translation table.


7.2.8 - Verifying and Troubleshooting NAT Configurations
The diagram depicts verifying NAT and NAT Overload with various examples, including NAT Overload, NAT translations, NAT statistics, and cleared NAT.

NAT Overload:
The diagram shows two PC's connected to the inside network cloud, which is connected to router R2. Router R2 is connected to the Internet cloud.

Inside Network:
PC1 IP address: 192.168.10.10
PC2 IP address: 192.168.10.11
Router R2 S0/0/0 interface IP address: 10.1.1.2

Outside Network:
Router R2 S0/1/0 interface IP address: 209.165.200.225

Router Configuration Commands:
access-list 1 permit 192.168.0.0 0.0.255.255
ip nat inside source list 1 interface serial0/1/0 overload
interface serial0/0/0
ip nat inside
interface serial0/1/0
ip nat outside

NAT Translations:
Output from the show ip nat translations and show ip nat translations verbose commands is displayed.

Below is a sample of the information presented in the show ip nat translations output for NAT overload. The verbose option provides additional details on entries.

Pro  Inside global           Inside local            Outside local          Outside global
tcp  209.165.200.225:16642   192.168.10.10:16642     209.165.200.254:80     209.165.200.254:80
tcp  209.165.200.225:62452   192.168.11.10:62452     209.165.200.254:80     209.165.200.254:80
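A small parser for this translation table, as an added example that is not part of the course material: it reads the columns IOS prints, checks the two invariants an overload (PAT) table must satisfy, and maps an externally observed inside-global socket back to the inside host, which is the question an abuse report or an IDS alert raises. The rows are constructed to match the figure; the icmp row and the outside interface address 209.165.200.225 are assumptions.

```python
"""Parse `show ip nat translations` output and sanity-check a NAT overload table."""
from collections import namedtuple

Translation = namedtuple(
    "Translation", "proto inside_global inside_local outside_local outside_global")

# Constructed sample in the column layout IOS uses; the two tcp rows mirror the
# figure, the icmp row is added to show a second protocol.
SAMPLE_TABLE = """\
Pro  Inside global           Inside local            Outside local          Outside global
tcp  209.165.200.225:16642   192.168.10.10:16642     209.165.200.254:80     209.165.200.254:80
tcp  209.165.200.225:62452   192.168.11.10:62452     209.165.200.254:80     209.165.200.254:80
icmp 209.165.200.225:512     192.168.10.10:512       209.165.200.254:512    209.165.200.254:512
"""


def split_socket(field):
    """'a.b.c.d:port' -> (ip, port); a bare address -> (ip, None); '---' -> (None, None)."""
    if field == "---":
        return None, None
    if ":" in field:
        ip, port = field.rsplit(":", 1)
        return ip, int(port)
    return field, None


def parse_translations(text):
    """Return one Translation per data row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto = None if parts[0] == "---" else parts[0]   # '---' marks a simple (static) entry
        rows.append(Translation(proto, *(split_socket(p) for p in parts[1:])))
    return rows


def check_overload(rows, outside_if_ip):
    """List problems for an overload (PAT) configuration on outside_if_ip.

    Every entry must use the outside interface address as its inside global
    address, and (proto, inside global socket, outside global socket) must
    identify exactly one inside host; a clash would let return traffic reach
    the wrong host.
    """
    problems = []
    owner = {}
    for r in rows:
        ig_ip, _ = r.inside_global
        if ig_ip != outside_if_ip:
            problems.append(f"{r.inside_local[0]} translated to {ig_ip}, not {outside_if_ip}")
        key = (r.proto, r.inside_global, r.outside_global)
        if owner.setdefault(key, r.inside_local) != r.inside_local:
            problems.append(f"ambiguous entry {key}: {owner[key]} and {r.inside_local}")
    return problems


def attribute(rows, proto, global_ip, global_port):
    """Map an externally observed inside-global socket back to the inside host, or None."""
    for r in rows:
        if r.proto == proto and r.inside_global == (global_ip, global_port):
            return r.inside_local[0]
    return None


if __name__ == "__main__":
    table = parse_translations(SAMPLE_TABLE)
    print(attribute(table, "tcp", "209.165.200.225", 62452))   # 192.168.11.10
    print(check_overload(table, "209.165.200.225"))             # []
```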

NAT Statistics:
Output from the show ip nat translations and show ip nat statistics commands is displayed.

Below is a sample of the information presented in the show ip nat statistics output for NAT overload.
R2#show ip nat statistics
Total active translations: 3 (0 static, 3 dynamic; 3 extended)
Outside interfaces:
Serial0/1/0
Inside interfaces:
Serial0/0/0, Serial0/0/1
Hits: 173 Misses: 9
CEF Translated packets: 182, CEF Punted packets: 0
Expired translations: 6
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface Serial0/1/0 ref count 3
Queued Packets: 0
R2#

Cleared NAT:
The clear ip nat translation * command clears the NAT table of entries. The show ip nat translations command now displays no output.

Syntax for the clear ip nat translation command:
Command: clear ip nat translation *
Description: Clears all dynamic address translation entries from the NAT translation table.

Command: clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]
Description: Clears a simple dynamic translation entry containing an inside translation or both inside and outside translations.

Command: clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]
Description: Clears an extended dynamic translation entry.


Page 2:
Troubleshooting NAT and NAT Overload Configuration

When you have IP connectivity problems in a NAT environment, it is often difficult to determine the cause of the problem. The first step in solving your problem is to rule out NAT as the cause. Follow these steps to verify that NAT is operating as expected:

Step 1. Based on the configuration, clearly define what NAT is supposed to achieve. This may reveal a problem with the configuration.

Step 2. Verify that correct translations exist in the translation table using the show ip nat translations command.

Step 3. Use the clear and debug commands to verify that NAT is operating as expected. Check to see if dynamic entries are recreated after they are cleared.

Step 4. Review in detail what is happening to the packet, and verify that routers have the correct routing information to move the packet.

Use the debug ip nat command to verify the operation of the NAT feature by displaying information about every packet that is translated by the router. The debug ip nat detailed command generates a description of each packet considered for translation. This command also outputs information about certain errors or exception conditions, such as the failure to allocate a global address.

The figure shows a sample debug ip nat output. In the output you can see that inside host 192.168.10.10 initiated traffic to outside host 209.165.200.254 and has been translated to address 209.165.200.225.

When decoding the debug output, note what the following symbols and values indicate:

  • * - The asterisk next to NAT indicates that the translation is occurring in the fast-switched path. The first packet in a conversation is always process-switched, which is slower. The remaining packets go through the fast-switched path if a cache entry exists.
  • s= - Refers to the source IP address.
  • a.b.c.d--->w.x.y.z - Indicates that source address a.b.c.d is translated to w.x.y.z.
  • d= - Refers to the destination IP address.
  • [xxxx] - The value in brackets is the IP identification number. This information may be useful for debugging in that it enables correlation with other packet traces from protocol analyzers.
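The decoding rules above, applied in code: an added example (not course material) that turns debug ip nat lines into structured records, using the NAT*/NAT marker for fast- versus process-switched packets, the s=/d= fields and the ---> arrow to work out which side was rewritten, and the bracketed IP ID. The three sample lines are constructed to resemble the figure; the first, process-switched line is an assumption.

```python
"""Decode `debug ip nat` lines into structured records and summarise them per inside host."""
import re
from collections import defaultdict

# NAT*: fast-switched, NAT: process-switched; s=/d= carry the addresses and an
# optional ->translated form; the bracketed number is the IP identification field.
DEBUG_RE = re.compile(
    r"NAT(?P<fast>\*?):\s+"
    r"s=(?P<src>[\d.]+)(?:->(?P<src_xlat>[\d.]+))?,\s+"
    r"d=(?P<dst>[\d.]+)(?:->(?P<dst_xlat>[\d.]+))?\s+"
    r"\[(?P<ipid>\d+)\]"
)

# Constructed lines modelled on the figure: the first packet of the conversation is
# process-switched (no '*'), the next is fast-switched, then the reply comes back.
SAMPLE_DEBUG = """\
R2#debug ip nat
IP NAT debugging is on
*Oct 6 19:55:31.575: NAT: s=192.168.10.10->209.165.200.225, d=209.165.200.254 [14433]
*Oct 6 19:55:31.579: NAT*: s=192.168.10.10->209.165.200.225, d=209.165.200.254 [14434]
*Oct 6 19:55:31.579: NAT*: s=209.165.200.254, d=209.165.200.225->192.168.10.10 [6334]
"""


def decode(line):
    """Return a dict describing one translated packet, or None for lines that are not NAT records."""
    m = DEBUG_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    if g["src_xlat"]:            # inside -> outside: the source address was rewritten
        direction, inside, glob, outside = "outbound", g["src"], g["src_xlat"], g["dst"]
    elif g["dst_xlat"]:          # outside -> inside: the destination address was rewritten
        direction, inside, glob, outside = "inbound", g["dst_xlat"], g["dst"], g["src"]
    else:
        return None              # matched the shape but nothing was translated
    return {"direction": direction, "inside": inside, "global": glob,
            "outside": outside, "fast_switched": g["fast"] == "*",
            "ip_id": int(g["ipid"])}


def summarize(text):
    """Per inside host: packets by direction, process-switched count, outside peers, global addresses."""
    summary = defaultdict(lambda: {"outbound": 0, "inbound": 0, "process_switched": 0,
                                   "peers": set(), "global": set()})
    for line in text.splitlines():
        rec = decode(line)
        if rec is None:
            continue
        s = summary[rec["inside"]]
        s[rec["direction"]] += 1
        if not rec["fast_switched"]:
            s["process_switched"] += 1
        s["peers"].add(rec["outside"])
        s["global"].add(rec["global"])
    return dict(summary)


if __name__ == "__main__":
    for host, stats in summarize(SAMPLE_DEBUG).items():
        print(host, stats)
```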

You can view the following demonstrations about verifying and troubleshooting NAT at these sites:

Flash Animation Case Study: Can Ping Host, but Cannot Telnet: This is a seven-minute Flash animation on why a device can ping the host, but cannot telnet: http://www.cisco.com/warp/public/556/index.swf.

Flash Animation Case Study: Cannot Ping Beyond NAT: This is a ten-minute Flash animation on why a device cannot ping beyond NAT: http://www.cisco.com/warp/public/556/TS_NATcase2/index.swf.


7.2.8 - Verifying and Troubleshooting NAT Configurations
The diagram depicts troubleshooting NAT and NAT Overload configurations using the debug ip nat command. Time-stamped entries with the source address, translated address, and destination address are shown.

R2#debug ip nat
IP NAT debugging is on.
Output omitted
Output depicts sample entries:
R2#
*Oct 6 19:55:31.579 NAT*: s=192.168.10.10 -> 209.165.200.225, d=209.165.200.254 [14434]
*Oct 6 19:55:31.579 NAT*: s=209.165.200.254, d=209.165.200.225 -> 192.168.10.10 [6334]


Page 3:
NAT translates non-routable private, internal addresses into routable, public addresses. NAT has an added benefit of providing a degree of privacy and security to a network because it hides internal IP addresses from outside networks. In this activity, you will configure dynamic and static NAT.

Detailed instructions are provided within the activity as well as in the PDF link below.

Activity Instructions (PDF)

Click the Packet Tracer icon for more details.


7.2.8 - Verifying and Troubleshooting NAT Configurations
Link to Packet Tracer Exploration: Scaling Networks with NAT


7.3 IPv6

7.3.1 Reasons for Using IPv6

Page 1:
Why We Need More Address Space

To comprehend the IP addressing issues facing network administrators today, consider that the IPv4 address space provides approximately 4,294,967,296 unique addresses. Of these, only 3.7 billion addresses are assignable because the IPv4 addressing system separates the addresses into classes and reserves addresses for multicasting, testing, and other specific uses.

Based on figures as recent as January 2007, about 2.4 billion of the available IPv4 addresses are already assigned to end users or ISPs. That leaves roughly 1.3 billion addresses still available from the IPv4 address space. Despite this seemingly large number, IPv4 address space is running out.

Click the Play button in the figure to see just how fast this has happened over the past 14 years.

Over the past decade, the Internet community has analyzed IPv4 address exhaustion and published mountains of reports. Some reports predict IPv4 address exhaustion by 2010, and others say it will not happen until 2013.

Click the Shrinking button in the figure to see how the available address space is shrinking.

The growth of the Internet, matched by increasing computing power, has extended the reach of IP-based applications.

Click the Why IPv6 button in the figure and consider what is forcing a change to IPv6.

The pool of numbers is shrinking for the following reasons:

  • Population growth - The Internet population is growing. In November 2005, Cisco estimated that there were approximately 973 million users. This number has doubled since then. In addition, users stay on longer, reserving IP addresses for longer periods and are contacting more and more peers daily.
  • Mobile users - Industry has delivered more than one billion mobile phones. More than 20 million IP-enabled mobile devices, including personal digital assistants (PDAs), pen tablets, notepads, and barcode readers, have been delivered. More and more IP-enabled mobile devices are coming online every day. Old mobile phones did not need IP addresses, but new ones do.
  • Transportation - There will be more than one billion automobiles by 2008. Newer models are IP-enabled to allow remote monitoring to provide timely maintenance and support. Lufthansa already provides Internet connectivity on their flights. More carriers, including ships at sea, will provide similar services.
  • Consumer electronics - The newest home appliances allow remote monitoring using IP technology. Digital Video Recorders (DVRs) that download and update program guides from the Internet are an example. Home networking can connect these appliances.


7.3.1 - Reasons for Using IPv6
The diagram depicts the depletion of IPv4 address space and why we need more address space.

Blocks:
A matrix is shown with blocks of IP addresses identified as allocated, unavailable, and available, starting with year 1993. As the animation progresses through years 2000 and 2007, the number of allocated blocks increases significantly to where there are very few blocks available.

Shrinking:
A bar chart view of the information in the previous matrix shows the allocated, unavailable, and available blocks of IP addresses for the years 1993, 2000, and 2007. The number of allocated blocks increases significantly while the available blocks decrease significantly. The number of unavailable blocks stays constant.

Why IPv6:
A global collage of IP devices, labeled Global Addressing Realm, is shown with the question "Why do we need a larger address space?"

Only compelling reason: more IP addresses!
- For billions of new users and new consumer devices in Asia, Europe, and America and mobile phones, cars, PDA's, and home and industrial appliances
- For always-on access (cable, xDSL, wireless, Ethernet-to-the-home)
- For applications that are difficult, expensive, or impossible to operate through NAT (IP telephony, IP fax, peer-to-peer gaming, home servers)


Page 2:
Reasons for Using IPv6

Movement to change from IPv4 to IPv6 has already begun, particularly in Europe, Japan, and the Asia-Pacific region. These areas are exhausting their allotted IPv4 addresses, which makes IPv6 all the more attractive and necessary. Japan officially started the move in 2000 when the Japanese government mandated the incorporation of IPv6 and set a deadline of 2005 to upgrade existing systems in every business and public sector. Korea, China, and Malaysia have launched similar initiatives.

In 2002, the European Community IPv6 Task Force forged a strategic alliance to foster IPv6 adoption worldwide. The North American IPv6 Task Force has set out to engage the North American markets to adopt IPv6. The first significant North American advances are coming from the U.S. Department of Defense (DoD). Looking into the future and knowing the advantages of IP-enabled devices, DoD mandated, as early as 2003, that all new equipment purchased not only be IP-enabled, but also be IPv6-capable. In fact, all U.S. government agencies must start using IPv6 across their core networks by 2008, and the agencies are working to meet that deadline.

The ability to scale networks for future demands requires a limitless supply of IP addresses and improved mobility that DHCP and NAT alone cannot meet. IPv6 satisfies the increasingly complex requirements of hierarchical addressing that IPv4 does not provide.

Given the huge installed base of IPv4 in the world, it is not difficult to appreciate that transitioning to IPv6 from IPv4 deployments is a challenge. There are, however, a variety of techniques, including an auto-configuration option, to make the transition easier. The transition mechanism you use depends on the needs of your network.

The figure compares the binary and alphanumeric representations of IPv4 and IPv6 addresses. An IPv6 address is a 128-bit binary value, which can be displayed as 32 hexadecimal digits. IPv6 should provide sufficient addresses for future Internet growth needs for many years to come. There are enough IPv6 addresses to allocate more than the entire IPv4 Internet address space to everyone on the planet.

Click the Perspective button in the figure.

So what happened to IPv5? IPv5 was used to define an experimental real-time streaming protocol. To avoid any confusion, it was decided to not use IPv5 and name the new IP protocol IPv6.


7.3.1 - Reasons for Using IPv6
The diagram compares IPv4 and IPv6 addresses and provides some perspective on how many addresses IPv6 offers.

Address Structure:
IPv4 Addresses:
Number of octets: Four
Binary example: 11000000.10101000.00001010.01100101
Decimal example: 192.168.10.101
Number of IP addresses: 4,294,467,295 (2 to the power of 32)

IPv6 Addresses:
Number of octets: Sixteen
Binary example: 11010001.11011100.11001001.01110001.11011100.11001100.01110001.11010001.11011100.11001001.11010001.11011100.11001001.01110001.00000010.11011110
Hexadecimal example: A524:72D3:2C80:DD02:0029:EC7A:002B:EA73
Number of addresses: 3.4 x 10 to the power of 38

Perspective:
Number of addresses: 340,282,366,920,938,463,463,374,607,431,768,211,456
- There are so many IPv6 addresses available that many trillions of addresses could be assigned to every human being on the planet.
- There are approximately 665,570,793,348,866,943,898,599 addresses per square meter of the surface of the planet Earth!


Page 3:
IPv6 would not exist were it not for the recognized depletion of available IPv4 addresses. However, beyond the increased IP address space, the development of IPv6 has presented opportunities to apply lessons learned from the limitations of IPv4 to create a protocol with new and improved features.

A simplified header architecture and protocol operation translates into reduced operational expenses. Built-in security features mean easier security practices that are sorely lacking in many current networks. However, perhaps the most significant improvement offered by IPv6 is the address autoconfiguration features it has.

The Internet is rapidly evolving from a collection of stationary devices to a fluid network of mobile devices. IPv6 allows mobile devices to quickly acquire and transition between addresses as they move among foreign networks, with no need for a foreign agent. (A foreign agent is a router that can function as the point of attachment for a mobile device when it roams from its home network to a foreign network.)

Address autoconfiguration also means more robust plug-and-play network connectivity. Autoconfiguration supports consumers who can have any combination of computers, printers, digital cameras, digital radios, IP phones, Internet-enabled household appliances, and robotic toys connected to their home networks. Many manufacturers already integrate IPv6 into their products.

Many of the enhancements that IPv6 offers are explained in this section, including:

  • Enhanced IP addressing
  • Simplified header
  • Mobility and security
  • Transition richness

Enhanced IP Addressing

A larger address space offers several enhancements, including:

  • Improved global reachability and flexibility.
  • Better aggregation of IP prefixes announced in routing tables.
  • Multihomed hosts. Multihoming is a technique to increase the reliability of the Internet connection of an IP network. With IPv6, a host can have multiple IP addresses over one physical upstream link. For example, a host can connect to several ISPs.
  • Autoconfiguration that can include Data Link layer addresses in the address space.
  • More plug-and-play options for more devices.
  • Public-to-private, end-to-end readdressing without address translation. This makes peer-to-peer (P2P) networking more functional and easier to deploy.
  • Simplified mechanisms for address renumbering and modification.

Click the Simple Header button in the figure.

The figure compares the simplified IPv6 header structure to the IPv4 header. The IPv4 header has 20 octets and 12 basic header fields, followed by an options field and a data portion (usually the Transport layer segment). The IPv6 header has 40 octets, three IPv4 basic header fields, and five additional header fields.

The IPv6 simplified header offers several advantages over IPv4:

  • Better routing efficiency for performance and forwarding-rate scalability
  • No broadcasts and thus no potential threat of broadcast storms
  • No requirement for processing checksums
  • Simplified and more efficient extension header mechanisms
  • Flow labels for per-flow processing with no need to open the transport inner packet to identify the various traffic flows

Enhanced Mobility and Security

The mobility and security features ensure compliance with the Mobile IP and IP Security (IPsec) standards. Mobility enables people with mobile network devices, many with wireless connectivity, to move around in networks.

  • The IETF Mobile IP standard is available for both IPv4 and IPv6. The standard enables mobile devices to move without breaks in established network connections. Mobile devices use a home address and a care-of address to achieve this mobility. With IPv4, these addresses are manually configured. With IPv6, the configurations are dynamic, giving IPv6-enabled devices built-in mobility.
  • IPsec is available for both IPv4 and IPv6. Although the functionalities are essentially identical in both environments, IPsec is mandatory in IPv6, making the IPv6 Internet more secure.

Transition Richness

IPv4 will not disappear overnight. Rather, it will coexist with and then gradually be replaced by IPv6. For this reason, IPv6 was delivered with migration techniques to cover every conceivable IPv4 upgrade case. However, many were ultimately rejected by the technology community.

Currently, there are three main approaches (listed in the figure under Transition richness):

  • Dual stack
  • 6to4 and manual tunnels
  • Translation

Some of these approaches are discussed in more detail later in the chapter.

The current advice for transitioning to IPv6 is "Dual stack where you can, tunnel where you must!"


7.3.1 - Reasons for Using IPv6
The diagram lists IPv6 advanced features and compares the IPv4 header and the simple IPv6 header.

Advanced Features:
Enhanced IP addressing:
- Global reachability and flexibility
- Aggregation
- Multihoming
- Autoconfiguration
- Plug-and-play
- End-to-end without NAT
- Renumbering

Mobility and security:
- Mobile IP RFC-compliant
- IPSec mandatory (or native) for IPv6

Simple header:
- Routing efficiency
- Performance and forwarding rate scalability
- No broadcasts
- No checksums
- Extension headers
- Flow labels

Transition richness:
- Dual stack
- 6 to 4 and manual tunnels
- Translation

Simple IPv6 header:
The diagram shows the IPv4 header and the simple IPv6 header. A legend is provided indicating the field names kept from IPv4 to IPv6, fields not kept in IPv6, name and position changes in IPv6, and new fields in IPv6.

Field names kept from IPv4 to IPv6:
- Version
- Source Address
- Destination Address

IPv4 fields not kept in IPv6:
- IHL
- Identification
- Flags
- Fragment Offset
- Header Checksum
- Options
- Padding

Field name and position changes from IPv4 to IPv6:
- IPv6 Traffic Class field replaces the IPv4 Type of Service field.
- IPv6 Payload Length field replaces the IPv4 Total Length field.
- IPv6 Hop Limit field replaces the IPv4 Time to Live field.
- IPv6 Next Header field replaces the IPv4 Protocol field.

New fields in IPv6
- Flow Label


7.3.2 IPv6 Addressing

Page 1:
IPv6 Address Representation

You know the 32-bit IPv4 address as a series of four 8-bit fields, separated by dots. However, larger 128-bit IPv6 addresses need a different representation because of their size. IPv6 addresses are written as a series of eight 16-bit hexadecimal fields, separated by colons.

Click the Representation button in the figure.

The figure shows the address 2031:0000:130F:0000:0000:09C0:876A:130B. IPv6 does not require every hexadecimal digit of an address to be written out. The figure shows how to shorten the address by applying the following guidelines:

  • Leading zeros in a field are optional. For example, the field 09C0 equals 9C0, and the field 0000 equals 0. So 2031:0000:130F:0000:0000:09C0:876A:130B can be written as 2031:0:130F:0000:0000:9C0:876A:130B.
  • Successive fields of zeros can be represented as two colons "::". However, this shorthand method can only be used once in an address. For example 2031:0:130F:0000:0000:9C0:876A:130B can be written as 2031:0:130F::9C0:876A:130B.
  • An unspecified address is written as "::" because it contains only zeros.

Using the "::" notation greatly reduces the size of most addresses, as shown. An address parser determines how many zero fields the "::" stands for by counting the fields on either side of it and inserting zeros until the address is 128 bits long.

Click the Examples button in the figure for some additional examples.


7.3.2 - IPv6 Addressing
The diagram depicts the IPv6 address structure including formats, representation, and examples.

IPv6 Format:
- x:x:x:x:x:x:x:x, where x is a 16-bit hexadecimal field.
- Case-insensitive for hexadecimal A, B, C, D, E, and F.
- Leading zeros in a field are optional.
- Successive fields of zeros can be represented as :: only once per address.

Examples:
- 2031:0000:130F:0000:0000:09C0:876A:130B
- Can be represented as 2031:0:130f::9c0:876a:130b
- Cannot be represented as 2031::130f::9c0:876a:130b
- FF01:0:0:0:0:0:0:1 FF01::1
- 0:0:0:0:0:0:0:1 ::1
- 0:0:0:0:0:0:0:0 ::


Representation:
- 2031:0000:130F:0000:0000:09C0:876A:130B
- Can be represented as 2031:0:130f::9c0:876a:130b
- Cannot be represented as 2031::130f::9c0:876a:130b

The diagram is based on the previous example and shows:
- The second 16-bit hex field of 0000 can be abbreviated as 0.
- The fourth and fifth 16-bit hex fields of 0000:0000 can be abbreviated as 0:0 or compressed to simply ::.
- The sixth 16-bit hex field of 09C0 can be abbreviated as 9C0 by dropping the leading zero.

Examples:
- FF01:0:0:0:0:0:0:1 becomes FF01::1
- 0:0:0:0:0:0:0:1 becomes ::1
- 0:0:0:0:0:0:0:0 becomes ::
- FF01:0000:0000:0000:0000:0000:0000:1 becomes FF01:0:0:0:0:0:0:1 becomes FF01::1
- E3D7:0000:0000:0000:51F4:00C8:C0A8:6420 becomes E3D7::51F4:C8:C0A8:6420
- 3FFE:0501:0008:0000:0260:97FF:FE40:EFAB becomes 3FFE:501:8:0:260:97FF:FE40:EFAB becomes 3FFE:501:8::260:97FF:FE40:EFAB


Page 2:
IPv6 Global Unicast Address

IPv6 has an address format that enables aggregation upward, eventually to the ISP. Global unicast addresses typically consist of a 48-bit global routing prefix and a 16-bit subnet ID. Individual organizations can use the 16-bit subnet field to create their own local addressing hierarchy. This field allows an organization to use up to 65,535 individual subnets.

At the top of the figure, it can be seen how additional hierarchy is added to the 48-bit global routing prefix with the registry prefix, ISP Prefix, and site prefix.

The global unicast address range currently assigned by the IANA is the range of addresses that start with the binary value 001 (2000::/3), which is 1/8 of the total IPv6 address space and is the largest block of assigned addresses. The IANA is allocating the IPv6 address space in the range 2001::/16 to the five Regional Internet Registries (ARIN, RIPE NCC, APNIC, LACNIC, and AfriNIC).

For more information, refer to RFC 3587, IPv6 Global Unicast Address Format, which replaces RFC 2374.

Reserved Addresses

The IETF reserves a portion of the IPv6 address space for various uses, both present and future. Reserved addresses represent 1/256th of the total IPv6 address space. Some of the other types of IPv6 addresses come from this block.

Private Addresses

A block of IPv6 addresses is set aside for private addresses, just as is done in IPv4. These private addresses are local only to a particular link or site, and are therefore never routed outside of a particular company network. Private addresses have a first octet value of "FE" in hexadecimal notation, with the next hexadecimal digit being a value from 8 to F.

These addresses are further divided into two types, based upon their scope.

  • Site-local addresses are similar to the RFC 1918 Address Allocation for Private Internets in IPv4 today. The scope of these addresses is an entire site or organization. However, the use of site-local addresses is problematic and has been deprecated since 2003 by RFC 3879. In hexadecimal, site-local addresses begin with "FE" and then "C" to "F" for the third hexadecimal digit.
  • Link-local addresses are new to the concept of addressing with IP in the Network layer. These addresses have a smaller scope than site-local addresses; they refer only to a particular physical link (physical network). Routers do not forward datagrams using link-local addresses at all, not even within the organization; they are only for local communication on a particular physical network segment. They are used for link communications such as automatic address configuration, neighbor discovery, and router discovery. Many IPv6 routing protocols also use link-local addresses. Link-local addresses begin with "FE" and then have a value from "8" to "B" for the third hexadecimal digit.

Loopback Address

Just as in IPv4, a provision has been made for a special loopback IPv6 address for testing; datagrams sent to this address "loop back" to the sending device. However, in IPv6 there is just one address, not a whole block, for this function. The loopback address is 0:0:0:0:0:0:0:1, which is normally expressed using zero compression as "::1".

Unspecified Address

In IPv4, an IP address of all zeroes has a special meaning; it refers to the host itself, and is used when a device does not know its own address. In IPv6, this concept has been formalized, and the all-zeroes address (0:0:0:0:0:0:0:0) is named the "unspecified" address. It is typically used in the source field of a datagram that is sent by a device that seeks to have its IP address configured. You can apply address compression to this address; because the address is all zeroes, the address becomes just "::".


7.3.2 - IPv6 Addressing
The diagram depicts the IPv6 global unicast address format. The 128-bit address is initially divided into two 64-bit sections. The first section is assigned by the Internet Assigned Numbers Authority (IANA) and contains the registry portion, the first 23 bits (/23), and other potential prefixes. The remaining bits of the first 64 can be subdivided into:
- ISP Prefix (/32)
- Site Prefix (/48)
- Subnet Prefix (/64)

The second 64-bit section is the device interface ID.


Page 3:
IPv6 Address Management

IPv6 addresses use interface identifiers to identify interfaces on a link. Think of them as the host portion of an IPv6 address. Interface identifiers are required to be unique on a specific link. Interface identifiers are always 64 bits and can be dynamically derived from a Layer 2 address (MAC).

You can assign an IPv6 address ID statically or dynamically:

  • Static assignment using a manual interface ID
  • Static assignment using an EUI-64 interface ID
  • Stateless autoconfiguration
  • DHCP for IPv6 (DHCPv6)

Manual Interface ID Assignment

One way to statically assign an IPv6 address to a device is to manually assign both the prefix (network) and interface ID (host) portion of the IPv6 address. To configure an IPv6 address on a Cisco router interface, use the ipv6 address ipv6-address/prefix-length command in interface configuration mode. The following example shows the assignment of an IPv6 address to the interface of a Cisco router:

RouterX(config-if)#ipv6 address 2001:DB8:2222:7272::72/64

EUI-64 Interface ID Assignment

Another way to assign an IPv6 address is to configure the prefix (network) portion of the IPv6 address and derive the interface ID (host) portion from the Layer 2 MAC address of the device, which is known as the EUI-64 interface ID.

Click the EUI-64 button in the figure.

The EUI-64 standard explains how to stretch IEEE 802 MAC addresses from 48 to 64 bits by inserting the 16-bit 0xFFFE in the middle at the 24th bit of the MAC address to create a 64-bit, unique interface identifier.

To configure an IPv6 address on a Cisco router interface and enable IPv6 processing using EUI-64 on that interface, use the ipv6 address ipv6-prefix/prefix-length eui-64 command in interface configuration mode. The following example shows the assignment of an EUI-64 address to the interface of a Cisco router:

RouterX(config-if)#ipv6 address 2001:DB8:2222:7272::/64 eui-64
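What the router does for that eui-64 command, as an added example (not course or Cisco code): the MAC is split after its 24-bit OUI, FFFE is inserted, and, a step the text above does not spell out, the universal/local bit (bit 7 of the first octet) is inverted as RFC 4291 requires, which is why IOS shows an interface ID starting 02.. for a 00.. MAC. The reverse function recovers the MAC from such an address, which is the privacy trade-off of EUI-64 addressing: anyone who sees the address learns the hardware identity. The prefix is the one in the command above; the MAC addresses are constructed.

```python
"""Derive a modified EUI-64 interface ID from a MAC address and build the /64 address."""
import ipaddress
import re


def mac_to_bytes(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., or Cisco aabb.ccdd.eeff and return 6 bytes."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    return bytes.fromhex(hexdigits)


def eui64_interface_id(mac):
    """Return the 8-byte modified EUI-64 interface identifier for a MAC (RFC 4291, App. A)."""
    m = mac_to_bytes(mac)
    # Step 1: split the 24-bit OUI from the 24-bit device part and insert 0xFFFE.
    eui = m[:3] + b"\xff\xfe" + m[3:]
    # Step 2: invert the universal/local bit (0x02 of the first octet). A globally
    # unique MAC has it clear, so the interface ID of 00:1A:... starts with 02.
    return bytes([eui[0] ^ 0x02]) + eui[1:]


def eui64_address(prefix, mac):
    """Combine a /64 prefix with the EUI-64 interface ID, as `ipv6 address <prefix> eui-64` does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError(f"EUI-64 needs a /64 prefix, got /{net.prefixlen}")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_eui64(addr):
    """Recover the MAC behind an EUI-64 address, or None if the interface ID is not EUI-64 shaped."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":          # no FFFE in the middle: manual, random or DHCPv6 ID
        return None
    first = iid[0] ^ 0x02                # undo the universal/local bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    addr = eui64_address("2001:DB8:2222:7272::/64", "00:1A:2B:3C:4D:5E")  # constructed MAC
    print(addr)                     # 2001:db8:2222:7272:21a:2bff:fe3c:4d5e
    print(mac_from_eui64(addr))     # 00:1a:2b:3c:4d:5e
```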

Stateless Autoconfiguration

Autoconfiguration automatically configures the IPv6 address. In IPv6, it is assumed that non-PC devices, as well as computer terminals, will be connected to the network. The autoconfiguration mechanism was introduced to enable plug-and-play networking of these devices to help reduce administration overhead.

DHCPv6 (Stateful)

DHCPv6 enables DHCP servers to pass configuration parameters, such as IPv6 network addresses, to IPv6 nodes. It offers the capability of automatic allocation of reusable network addresses and additional configuration flexibility. This protocol is a stateful counterpart to IPv6 stateless address autoconfiguration (RFC 2462), and can be used separately or concurrently with IPv6 stateless address autoconfiguration to obtain configuration parameters.

For more information on IPv6 address assignment visit the following: http://www.netbsd.org/docs/network/ipv6/.


7.3.2 - IPv6 Addressing
The diagram depicts IPv6 address assignment methods, which include static assignment and dynamic assignment.

Assigning IPv6 Addresses
Static Assignment:
- Manual interface ID assignment
- EUI-64 interface ID assignment

Dynamic Assignment:
- Stateless autoconfiguration
- DHCPv6 (stateful)

Extended Universal Identifier (EUI-64):
The diagram shows how EUI inserts the 16-bit hex value FFFE in the middle at the 24th bit of the MAC address to create a 64-bit, unique interface identifier.


7.3.3 IPv6 Transition Strategies

Page 1:
IPv6 Transition Strategies

The transition from IPv4 does not require upgrades on all nodes at the same time. Many transition mechanisms enable smooth integration of IPv4 and IPv6. Other mechanisms that allow IPv4 nodes to communicate with IPv6 nodes are available. Different situations demand different strategies. The figure illustrates the richness of available transition strategies.

Recall the advice: "Dual stack where you can, tunnel where you must." These two methods are the most common techniques to transition from IPv4 to IPv6.

Dual Stacking

Dual stacking is an integration method in which a node has an implementation of, and connectivity to, both an IPv4 and an IPv6 network. This is the recommended option and involves running IPv4 and IPv6 at the same time. Routers and switches are configured to support both protocols, with IPv6 being the preferred protocol.

Tunneling

The second major transition technique is tunneling. There are several tunneling techniques available, including:

  • Manual IPv6-over-IPv4 tunneling - An IPv6 packet is encapsulated within the IPv4 protocol. This method requires dual-stack routers.
  • Dynamic 6to4 tunneling - Automatically establishes the connection of IPv6 islands through an IPv4 network, typically the Internet. It dynamically applies a valid, unique IPv6 prefix to each IPv6 island, which enables the fast deployment of IPv6 in a corporate network without address retrieval from the ISPs or registries.

Other less popular tunneling techniques that are beyond the scope of this course include:

  • Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunneling - Automatic overlay tunneling mechanism that uses the underlying IPv4 network as a link layer for IPv6. ISATAP tunnels allow individual IPv4 or IPv6 dual-stack hosts within a site to communicate with other such hosts on a virtual link, creating an IPv6 network using the IPv4 infrastructure.
  • Teredo tunneling - An IPv6 transition technology that provides host-to-host automatic tunneling instead of gateway tunneling. This approach passes unicast IPv6 traffic when dual-stacked hosts (hosts that are running both IPv6 and IPv4) are located behind one or multiple IPv4 NATs.

NAT-Protocol Translation (NAT-PT)

Cisco IOS Release 12.3(2)T and later (with the appropriate feature set) also include NAT-PT between IPv6 and IPv4. This translation allows direct communication between hosts that use different versions of the IP protocol. These translations are more complex than IPv4 NAT. At this time, this translation technique is the least favorable option and should be used as a last resort.


7.3.3 - IPv6 Transition Strategies
The diagram depicts IPv6 transition strategies.

Network Topology:
Two IPv6 network clouds are interconnected by an IPv4 network cloud, such as the Internet.

IPv6 Host1 is connected to IPv6 Network Cloud1, which is connected to R1, a 6-to-4 router. R1 is connected to the IPv4 network cloud. IPv6 Host2 is connected to IPv6 Network Cloud2, which is connected to R2, a 6-to-4 router. R2 is also connected to the IPv4 network cloud. The two 6-to-4 routers allow IPv6 traffic to travel between them over the IPv4 network.

Different transition mechanisms:
- Dual stack
- Manual tunnel
- 6-to-4 tunnel
- ISATAP tunnel
- Teredo tunnel

Different compatibility mechanisms:
- Proxying and translation (NAT-PT)


7.3.4 Cisco IOS Dual Stack

Page 1:
Cisco IOS Dual Stack

Dual stacking is an integration method that allows a node to have connectivity to an IPv4 and IPv6 network simultaneously. Each node has two protocol stacks with the configuration on the same interface or on multiple interfaces.

The dual-stack approach to IPv6 integration, in which nodes have both IPv4 and IPv6 stacks, will be one of the most commonly used integration methods. A dual-stack node chooses which stack to use based on the destination address of the packet. A dual-stack node should prefer IPv6 when it is available. Old IPv4-only applications continue to work as before. New and modified applications take advantage of both IP layers.

A new application programming interface (API) has been defined to support IPv4 and IPv6 addresses and DNS requests. An API facilitates the exchange of messages or data between two or more different software applications. An example of an API is the virtual interface between two software functions, such as a word processor and a spreadsheet. The API is built into software applications to translate IPv4 into IPv6, and vice versa using the IP conversion mechanism. New applications can use both IPv4 and IPv6.

Experience in porting IPv4 applications to IPv6 suggests that for most applications, there is a minimal change in some localized places inside the source code. This technique is well known and has been applied in the past for other protocol transitions. It enables gradual application upgrades, one by one, to IPv6.

Click the Configuring IPv6 Interface button in the figure.

Cisco IOS Release 12.2(2)T and later (with the appropriate feature set) are IPv6-ready. As soon as you configure basic IPv4 and IPv6 on the interface, the interface is dual-stacked and forwards IPv4 and IPv6 traffic on that interface. Note that an IPv4 and an IPv6 address have been configured.

Using IPv6 on a Cisco IOS router requires that you use the global configuration command ipv6 unicast-routing. This command enables the forwarding of IPv6 datagrams.

You must configure all interfaces that forward IPv6 traffic with an IPv6 address using the ipv6 address IPv6-address [/prefix-length] interface command.


7.3.4 - Cisco IOS Dual Stack
The diagram depicts using the Cisco IOS dual-stack transition mechanism.

Dual Stack:
Network Topology:
An IPv6 network cloud and an IPv4 network cloud are connected to a router running Cisco IOS dual stack with IPv4 and IPv6. IPv6 Host1 and IPv4 Host2 are on the same network segment and are also connected to router R1. A protocol stack is expanded from R1 as follows:

Layer 5 - Application (upper layers)
Layer 4 - TCP/UDP
Layer 3 - IPv4 and IPv6
Layer 2 - Driver
Layer 1 - Physical (not shown)

Dual stack is an integration method in which a node has implementation and connectivity to both an IPv4 and IPv6 network.

Configuring an IPv6 Interface:
The diagram shows an IPv4 and IPv6 network connected to router A on its Ethernet 0 interface. Router A interface Ethernet 0 has the IPv4 address 192.168.99.1/24 and IPv6 address 3ffe:b00:800:1::3/127. When both IPv4 and IPv6 are configured on an interface, the interface is considered dual-stacked.

Configuration Commands:
RouterA#conf t
RouterA(config)#ipv6 unicast-routing
RouterA(config)#interface ethernet0
RouterA(config-if)#ip address 192.168.99.1 255.255.255.0
RouterA(config-if)#ipv6 address 3ffe:b00:800:1::3/127


7.3.5 IPv6 Tunneling

Page 1:
IPv6 Tunneling

Tunneling is an integration method where an IPv6 packet is encapsulated within another protocol, such as IPv4. This method enables the connection of IPv6 islands without needing to convert the intermediary networks to IPv6. When IPv4 is used to encapsulate the IPv6 packet, a protocol type of 41 is specified in the IPv4 header, and the packet includes a 20-byte IPv4 header with no options and an IPv6 header and payload. It also requires dual-stack routers.

Tunneling presents these two issues. The maximum transmission unit (MTU) is effectively decreased by 20 octets if the IPv4 header does not contain any optional fields. In addition, a tunneled network is often difficult to troubleshoot.

Tunneling is an intermediate integration and transition technique and should not be considered as a final solution. A native IPv6 architecture should be the ultimate goal.


7.3.5 - IPv6 Tunneling
The diagram depicts IPv6 tunneling as a transition mechanism.

Network Topology:
Two IPv6 network clouds are interconnected by an IPv4 network cloud, such as the Internet. IPv6 Host1 is connected to IPv6 Network Cloud1, which is connected to R1, a dual-stacked router. R1 is connected to the IPv4 network cloud. IPv6 Host2 is connected to IPv6 Network Cloud2, which is connected to R2, a dual-stacked router. R2 is also connected to the IPv4 network cloud.

Tunneling is an integration method in which an IPv6 packet is encapsulated within another protocol, such as IPv4. When IPv4 is the encapsulating protocol, the method:
- Includes a 20-byte IPv4 header with no options, and an IPv6 header and payload.
- Requires dual-stack routers.

The two dual-stacked routers, R1 and R2, provide a tunnel for IPv6 over IPv4 packets. The IPv6 data is encapsulated in an IPv6 header, and the entire IPv6 data and IPv6 header combined are encapsulated in an IPv4 header.
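The encapsulation described above, as an added example (not code from the course): a 20-byte IPv4 header with protocol 41 wrapped around a complete IPv6 packet, the reverse check a dual-stack router or packet analyzer applies before trusting the inner packet, and the 20-octet MTU reduction. The tunnel endpoints 192.168.99.1 and 192.168.30.1 and the IPv6 addresses 3ffe:b00:c18:1::3 and 3ffe:b00:c18:2::2 are taken from the manually configured tunnel diagram in this section; the payload is constructed.

```python
import struct
import ipaddress

IPPROTO_IPV6 = 41        # protocol value in the outer IPv4 header for IPv6-in-IPv4
IPV4_HEADER_LEN = 20     # outer header without options, as the text assumes
IPV6_HEADER_LEN = 40


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; returns 0 when run over a header
    whose checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6_packet(src: str, dst: str, payload: bytes, next_header: int = 59) -> bytes:
    """Minimal IPv6 header followed by payload (59 = No Next Header, for the demo)."""
    header = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return header + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def encapsulate_6in4(tunnel_src: str, tunnel_dst: str, ipv6_packet: bytes, ident: int = 0) -> bytes:
    """Wrap an IPv6 packet in a 20-byte IPv4 header with protocol 41 (DF set)."""
    total_len = IPV4_HEADER_LEN + len(ipv6_packet)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, ident, 0x4000, 64, IPPROTO_IPV6, 0,
                         ipaddress.IPv4Address(tunnel_src).packed,
                         ipaddress.IPv4Address(tunnel_dst).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + ipv6_packet


def decapsulate_6in4(packet: bytes):
    """Validate the outer header and return (outer_src, outer_dst, inner_src, inner_dst, ipv6_packet).
    Anything that is not well-formed protocol-41 traffic raises ValueError."""
    if len(packet) < IPV4_HEADER_LEN:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != IPPROTO_IPV6:
        raise ValueError(f"protocol {proto} is not IPv6-in-IPv4")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    inner = packet[ihl:total_len]
    if len(inner) < IPV6_HEADER_LEN or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            str(ipaddress.IPv6Address(inner[8:24])), str(ipaddress.IPv6Address(inner[24:40])), inner)


def is_6in4(packet: bytes) -> bool:
    """Triage predicate: True only for a well-formed IPv6-in-IPv4 packet."""
    try:
        decapsulate_6in4(packet)
        return True
    except ValueError:
        return False


def tunnel_ipv6_mtu(link_mtu: int, ipv4_options_len: int = 0) -> int:
    """IPv6 MTU inside the tunnel: the link MTU minus the outer IPv4 header (20 octets without options)."""
    return link_mtu - IPV4_HEADER_LEN - ipv4_options_len
```

The decapsulation checks are the ones worth keeping in mind when troubleshooting: an IPv4-only filter sees protocol 41 rather than the inner IPv6 addresses, so ACLs on the IPv4 path must be written with the tunnel in mind, and the 1480-byte inner MTU on a 1500-byte link explains fragmentation or path-MTU problems that appear only for tunneled traffic.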


Page 2:
Manually Configured IPv6 Tunnel

A manually configured tunnel is equivalent to a permanent link between two IPv6 domains over an IPv4 backbone. The primary use is for stable connections that require regular secure communication between two edge routers or between an end system and an edge router, or for connection to remote IPv6 networks. The end routers must be dual stacked, and the configuration cannot change dynamically as network and routing needs change.

Administrators manually configure a static IPv6 address on a tunnel interface, and assign manually configured static IPv4 addresses to the tunnel source and the tunnel destination. The host or router at each end of a configured tunnel must support both the IPv4 and IPv6 protocol stacks. Manually configured tunnels can be configured between border routers or between a border router and a host.


7.3.5 - IPv6 Tunneling
The diagram depicts a manually configured IPv6 tunnel.

Network Topology:
Two IPv6 network clouds are interconnected by an IPv4 network cloud, such as the Internet.

IPv6 Network Cloud1 is connected to R1, a dual-stacked router. R1 is connected to the IPv4 network cloud. IPv6 Network Cloud2 is connected to R2, a dual-stacked router. R2 is also connected to the IPv4 network cloud.

Configured tunnels require:
- Dual-stack endpoints.
- IPv4 and IPv6 addresses configured at each end.

Router R1's tunnel interface has IPv4 address 192.168.99.1 and IPv6 address 3ffe:b00:c18:1::3. Router R2's tunnel interface has IPv4 address 192.168.30.1 and IPv6 address 3ffe:b00:c18:2::2.


7.3.6 Routing Considerations with IPv6

Page 1:
Routing Configurations with IPv6

Like IPv4 classless interdomain routing (CIDR), IPv6 uses longest prefix match routing. IPv6 uses modified versions of most of the common routing protocols to handle longer IPv6 addresses and different header structures.

Larger address spaces make room for large address allocations to ISPs and organizations. An ISP aggregates all of the prefixes of its customers into a single prefix and announces the single prefix to the IPv6 Internet. The increased address space is sufficient to allow organizations to define a single prefix for their entire network.

But how does this affect router performance? A brief review of how a router functions in a network helps illustrate how IPv6 affects routing. Conceptually, a router has three functional areas:

  • The control plane handles the interaction of the router with the other network elements, providing the information needed to make decisions and control the overall router operation. This plane runs processes such as routing protocols and network management. These functions are generally complex.
  • The data plane handles packet forwarding from one physical or logical interface to another. It involves different switching mechanisms such as process switching and Cisco Express Forwarding (CEF) on Cisco IOS software routers.
  • Enhanced services include advanced features applied when forwarding data, such as packet filtering, quality of service (QoS), encryption, translation, and accounting.

IPv6 presents each of these functions with specific new challenges.

IPv6 Control Plane

Enabling IPv6 on a router starts its control plane operating processes specifically for IPv6. Protocol characteristics shape the performance of these processes and the amount of resources necessary to operate them:

  • IPv6 address size - Address size affects the information-processing functions of a router. Systems using a 64-bit CPU, bus, or memory structure can pass both the IPv4 source and destination address in a single processing cycle. For IPv6, the source and destination addresses require two cycles each, so four cycles in total to process the source and destination address information. As a result, routers relying exclusively on software processing are likely to perform slower than in an IPv4 environment.
  • Multiple IPv6 node addresses - Because IPv6 nodes can use several IPv6 unicast addresses, memory consumption of the Neighbor Discovery cache may be affected.
  • IPv6 routing protocols - IPv6 routing protocols are similar to their IPv4 counterparts, but since an IPv6 prefix is four times larger than an IPv4 prefix, routing updates have to carry more information.
  • Routing table size - Increased IPv6 address space leads to larger networks and a much larger Internet. This implies larger routing tables and higher memory requirements to support them.

IPv6 Data Plane

The data plane forwards IP packets based on the decisions made by the control plane. The forwarding engine parses the relevant IP packet information and does a lookup to match the parsed information against the forwarding policies defined by the control plane. IPv6 affects the performance of parsing and lookup functions:

  • Parsing IPv6 extension headers - Applications, including mobile IPv6, often use IPv6 address information in extension headers, thus increasing their size. These additional fields require additional processing. For example, a router using ACLs to filter Layer 4 information needs to apply the ACLs to packets with extension headers as well as those without. If the length of the extension header exceeds the fixed length of the hardware register of the router, hardware switching fails, and packets may be punted to software switching or dropped. This severely affects the forwarding performance of the router.
  • IPv6 address lookup - IPv6 performs a lookup on packets entering the router to find the correct output interface. In IPv4, the forwarding decision process parses a 32-bit destination address. In IPv6, the forwarding decision could conceivably require parsing a 128-bit address. Most routers today perform lookups using an application-specific integrated circuit (ASIC) with a fixed configuration that performs the functions for which it was originally designed, namely IPv4. Again, this could result in punting packets into slower software processing, or dropping them altogether.


7.3.6 - Routing Configurations with IPv6
The diagram depicts IPv6 routing considerations. A router is shown with an upper level plane through it labeled Control Plane and a lower level plane labeled Data Plane. Above the Control Plane are the terms ACL, QoS, and so on.

On the Control Plane is a cloud labeled "View of Network Topology" and text bubbles pointing to it labeled Routing Table, Neighbor Information, and Network Management.

On the Data Plane is a packet being forwarded and the labels "Forwarding Mechanisms" and "Cisco Express Forwarding". An arrow labeled "Decision" comes down from the Control Plane to the Data Plane.

Control Plane Considerations:
- IPv6 Address Size
- Multiple IPv6 Node Addresses
- IPv6 Routing Protocols
- Routing Table Size

Forwarding Data Plane Considerations:
- Parsing IPv6 Extension Headers
- IPv6 Address Lookup


Page 2:
RIPNg Routing Protocol

IPv6 routes use the same protocols and techniques as IPv4. Although the addresses are longer, the protocols used in routing IPv6 are simply logical extensions of the protocols used in IPv4.

RFC 2080 defines Routing Information Protocol next generation (RIPng) as a simple routing protocol based on RIP. RIPng is no more or less powerful than RIP; however, it provides a simple way to bring up an IPv6 network without having to build a new routing protocol.

RIPng is a distance vector routing protocol with a limit of 15 hops that uses split horizon and poison reverse updates to prevent routing loops. Its simplicity comes from the fact that it does not require any global knowledge of the network. Only neighboring routers exchange local messages.

RIPng includes the following features:

  • Based on IPv4 RIP version 2 (RIPv2) and is similar to RIPv2
  • Uses IPv6 for transport
  • Includes the IPv6 prefix and next-hop IPv6 address
  • Uses the multicast group FF02::9 as the destination address for RIP updates (this is similar to the broadcast function performed by RIP in IPv4)
  • Sends updates on UDP port 521
  • Is supported by Cisco IOS Release 12.2(2)T and later

In dual-stacked deployments, both RIP and RIPng are required.


7.3.6 - Routing Configurations with IPv6
The diagram depicts the RIPng routing protocol.

Similar IPv4 features:
- Distance vector, radius of 15 hops, split horizon, and poison reverse.
- Based on RIPv2.

Updated features for IPv6:
- IPv6 prefix, next-hop IPv6 address.
- Uses the multicast group FF02::9, the all-rip-routers multicast group, as the destination address for RIP updates.
- Uses IPv6 for transport.
- Named RIPng.


7.3.7 Configuring IPv6 Addresses

Page 1:
Enabling IPv6 on Cisco Routers

There are two basic steps to activate IPv6 on a router. First, you must activate IPv6 traffic-forwarding on the router, and then you must configure each interface that requires IPv6.

By default, IPv6 traffic-forwarding is disabled on a Cisco router. To activate it between interfaces, you must configure the global command ipv6 unicast-routing.

The ipv6 address command can configure a global IPv6 address. The link-local address is automatically configured when an address is assigned to the interface. You must specify the entire 128-bit IPv6 address or specify to use the 64-bit prefix by using the eui-64 option.


7.3.7 - Configuring IPv6 Addresses
The diagram depicts the command syntax for enabling IPv6 on Cisco routers.

Command: RouterX(config)#ipv6 unicast-routing
Purpose: Enables IPv6 traffic forwarding.

Command: RouterX(config-if)#ipv6 address ipv6prefix/prefix-length eui-64
Purpose: Configures the interface IPv6 addresses.


Page 2:
IPv6 Address Configuration Example

You can completely specify the IPv6 address or compute the host identifier (rightmost 64 bits) from the EUI-64 identifier of the interface. In the example, the IPv6 address of the interface is configured using the EUI-64 format.

Alternatively, you can completely specify the entire IPv6 address to assign a router interface an address using the ipv6 address ipv6-address/prefix-length command in interface configuration mode.

Configuring an IPv6 address on an interface automatically configures the link-local address for that interface.


7.3.7 - Configuring IPv6 Addresses
The diagram depicts an IPv6 address configuration example. A router is shown connected to an IPv6 LAN with a subnet prefix of 2001:db8:c18:1::/64. The following commands are issued on the router to activate IPv6 routing and configure the router Ethernet 0 interface. The EUI-64 option is used to create the 64-bit interface identifier from the MAC address.

RouterX(config)#ipv6 unicast-routing
RouterX(config)#interface Ethernet 0
RouterX(config-if)#ipv6 address 2001:db8:c18:1::/64 eui-64

The MAC address of the interface is 0260.3e47.1530. In the output from the show ipv6 interface Ethernet 0 command, the MAC address is displayed as part of the IPv6 address with the hex characters FFFE (16 bits) embedded in the middle, which expands the 48-bit MAC address into the 64-bit interface identifier used in the IPv6 link-local address.

RouterX#show ipv6 interface Ethernet 0
Ethernet0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::260:3EFF:FE47:1530
Global unicast addresses:
2001:DB8:C18:1:260:3EFF:FE47:1530, subnet is 2001:DB8:C18:1::/64
Joined group addresses:
FF02::1:FF47:1530
FF02::1
FF02::2
MTU is 1500 bytes
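A worked computation of the interface identifier used in the EUI-64 diagram (7.3.2) and in the show output above, added here as an example and not part of the course text. Inverting the universal/local bit (bit 1 of the first octet) turns a leading 02 into 00, so a burned-in address of 0260.3e47.1530 yields an identifier of 60:3eff:fe47:1530; the 260:3eff:fe47:1530 shown in the output is what 0060.3e47.1530 produces, and the example computes both. The reverse function is included because the MAC address stays recoverable from any EUI-64 derived address, which matters when deciding how hosts are exposed. The prefix 2001:db8:c18:1::/64 is the one from the example; nothing else is assumed.

```python
import ipaddress
import re
from typing import Optional


def mac_to_bytes(mac: str) -> bytes:
    """Accept Cisco dotted (0260.3e47.1530), colon or hyphen notation."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def modified_eui64(mac: str) -> bytes:
    """64-bit interface identifier: split the MAC into two 24-bit halves,
    insert FFFE between them, and invert the universal/local bit."""
    m = mac_to_bytes(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the interface identifier, as
    'ipv6 address <prefix>/64 eui-64' does on the router."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a 64-bit prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + modified_eui64(mac))


def link_local(mac: str) -> ipaddress.IPv6Address:
    """The FE80::/64 address the interface configures automatically."""
    return eui64_address("fe80::/64", mac)


def solicited_node(addr) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx with the low 24 bits of the unicast address; this is the
    first 'Joined group addresses' entry in the show output."""
    a = ipaddress.IPv6Address(addr)
    base = ipaddress.IPv6Address("ff02::1:ff00:0").packed
    return ipaddress.IPv6Address(base[:13] + a.packed[13:])


def mac_from_address(addr) -> Optional[str]:
    """Recover the MAC in Cisco notation when the identifier is modified EUI-64
    (FFFE in the middle); None for any other kind of interface identifier."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return bytes(iid[:3] + iid[5:]).hex(".", 2)
```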


Page 3:
Cisco IOS IPv6 Name Resolution

There are two ways to perform name resolution from the Cisco IOS software process:

  • Define a static name for an IPv6 address using the ipv6 host name [port] ipv6-address1 [ipv6-address2...ipv6-address4] command. You can define up to four IPv6 addresses for one hostname. The port option refers to the Telnet port to be used for the associated host.
  • Specify the DNS server used by the router with the ip name-server address command. The address can be an IPv4 or IPv6 address. You can specify up to six DNS servers with this command.


7.3.7 - Configuring IPv6 Addresses
The diagram depicts Cisco IOS IPv6 name resolution. There are two ways to perform name resolution from the Cisco IOS software process:

Command syntax: RouterX(config)#ipv6 host name [port] ipv6address [{ipv6address} ...]
Example: RouterX(config)#ipv6 host router1 3ffe:b00:ffff:b::1
Purpose: Define a static name for IPv6 addresses.

Command syntax: RouterX(config)#ip name-server address
Example: RouterX(config)#ip name-server 3ffe:b00:ffff:1::10
Purpose: Configure a DNS server or servers to query.


7.3.8 Configuring RIPng with IPv6

Page 1:
Configure RIPng with IPv6

When configuring supported routing protocols in IPv6, you must create the routing process, enable the routing process on interfaces, and customize the routing protocol for your particular network.

Before configuring the router to run IPv6 RIP, globally enable IPv6 using the ipv6 unicast-routing global configuration command, and enable IPv6 on any interfaces on which IPv6 RIP is to be enabled.

To enable RIPng routing on the router, use the ipv6 router rip name global configuration command. The name parameter identifies the RIP process. This process name is used later when configuring RIPng on participating interfaces.

For RIPng, instead of using the network command to identify which interfaces should run RIPng, you use the command ipv6 rip name enable in interface configuration mode to enable RIPng on an interface. The name parameter must match the name parameter in the ipv6 router rip command.

Enabling RIP on an interface dynamically creates a "router rip" process if necessary.


7.3.8 - Configuring RIPng with IPv6
The diagram depicts configuration commands for RIPng with IPv6.

Command: RouterX(config)#ipv6 router rip name
Purpose: Creates and enters RIP router configuration mode.

Command: RouterX(config-if)#ipv6 rip name enable
Purpose: Configures RIP on an interface.


Page 2:
Example: RIPng for IPv6 Configuration

The example shows a network of two routers. Router R1 is connected to the default network. On both router R2 and router R1, the name RT0 identifies the RIPng process. RIPng is enabled on the first Ethernet interface of router R1 using the ipv6 rip RT0 enable command. Router R2 shows that RIPng is enabled on both Ethernet interfaces using the ipv6 rip RT0 enable command.

This configuration allows Ethernet 1 on router R2 and the Ethernet 0 interfaces of both routers to exchange RIPng routing information.


7.3.8 - Configuring RIPng with IPv6
The diagram depicts RIPng with an IPv6 configuration. Router R1 interface Ethernet0 is connected to LAN1, 2001:db8:1:1::/64. Router R2 interface Ethernet0 is also connected to LAN1, 2001:db8:1:1::/64. Router R2 interface Ethernet1 is connected to LAN2, 2001:db8:1:2::/64.

Commands to configure RIPng for IPv6 are as follows:

Router R1 config:
ipv6 unicast-routing
ipv6 router rip RT0

interface Ethernet0
ipv6 address 2001:db8:1:1::/64 eui-64
ipv6 rip RT0 enable

Router R2 config:
ipv6 unicast-routing
ipv6 router rip RT0

interface Ethernet0
ipv6 address 2001:db8:1:1::/64 eui-64
ipv6 rip RT0 enable

interface Ethernet1
ipv6 address 2001:db8:1:2::/64 eui-64
ipv6 rip RT0 enable
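The RIPng message format and the checks a receiving router applies, as an added example that is not part of the course material; it serves both the RIPng description in 7.3.6 (UDP port 521, the FF02::9 group, the 15-hop limit, prefix and next-hop entries) and the R1/R2 configuration above. The 20-byte route table entry layout and the receive checks follow RFC 2080, which the text cites. The sample update is constructed: R2 advertises both of its LANs, and the link-local address fe80::2 for R2 is an assumed value.

```python
import struct
import ipaddress

RIPNG_PORT = 521                                 # UDP port on both ends (RFC 2080)
RIPNG_GROUP = ipaddress.IPv6Address("ff02::9")   # all-rip-routers multicast group
RIPNG_VERSION = 1
CMD_REQUEST, CMD_RESPONSE = 1, 2
INFINITY = 16                                    # 15 hops maximum; 16 means unreachable
NEXT_HOP_METRIC = 0xFF                           # marks a next-hop RTE instead of a route


def build_rte(prefix: str, metric: int, tag: int = 0) -> bytes:
    """Route table entry: 16-byte prefix, 2-byte route tag, prefix length, metric."""
    net = ipaddress.IPv6Network(prefix)
    return struct.pack("!16sHBB", net.network_address.packed, tag, net.prefixlen, metric)


def build_next_hop_rte(next_hop: str) -> bytes:
    """Next-hop RTE; it applies to the route RTEs that follow it in the same message."""
    return struct.pack("!16sHBB", ipaddress.IPv6Address(next_hop).packed, 0, 0, NEXT_HOP_METRIC)


def build_response(rtes) -> bytes:
    """4-byte header (command, version, must-be-zero) followed by the RTEs."""
    return struct.pack("!BBH", CMD_RESPONSE, RIPNG_VERSION, 0) + b"".join(rtes)


def parse_ripng(payload: bytes) -> dict:
    """Decode a RIPng message. A route's next_hop of None means 'the sender of the
    message', which is the default when no next-hop RTE precedes it."""
    if len(payload) < 4 or (len(payload) - 4) % 20:
        raise ValueError("RIPng message length must be 4 + n*20 bytes")
    command, version, _mbz = struct.unpack("!BBH", payload[:4])
    if version != RIPNG_VERSION or command not in (CMD_REQUEST, CMD_RESPONSE):
        raise ValueError(f"unsupported RIPng version {version} / command {command}")
    routes, next_hop = [], None
    for off in range(4, len(payload), 20):
        addr, tag, plen, metric = struct.unpack("!16sHBB", payload[off:off + 20])
        if metric == NEXT_HOP_METRIC:
            nh = ipaddress.IPv6Address(addr)
            next_hop = None if nh == ipaddress.IPv6Address("::") else str(nh)
            continue
        if plen > 128 or not 1 <= metric <= INFINITY:
            raise ValueError(f"invalid RTE: prefix length {plen}, metric {metric}")
        net = ipaddress.IPv6Network((ipaddress.IPv6Address(addr), plen), strict=False)
        routes.append({"prefix": str(net), "metric": metric, "tag": tag, "next_hop": next_hop})
    return {"command": command, "routes": routes}


def accept_response(src: str, src_port: int, dst_port: int, payload: bytes, cost: int = 1) -> list:
    """Receive-side checks from RFC 2080 section 2.5.1: the source must be a link-local
    neighbour and both UDP ports must be 521. Metrics are increased by the link cost and
    routes that reach 16 are dropped as unreachable (poison reverse relies on this)."""
    if not ipaddress.IPv6Address(src).is_link_local:
        raise ValueError("RIPng responses must come from a link-local source address")
    if src_port != RIPNG_PORT or dst_port != RIPNG_PORT:
        raise ValueError("RIPng uses UDP port 521 on both ends")
    msg = parse_ripng(payload)
    if msg["command"] != CMD_RESPONSE:
        raise ValueError("not a response message")
    learned = []
    for r in msg["routes"]:
        metric = min(r["metric"] + cost, INFINITY)
        if metric >= INFINITY:
            continue
        learned.append({**r, "metric": metric, "next_hop": r["next_hop"] or src})
    return learned


def r1_learns_from_r2() -> list:
    """Constructed sample: R2 from the configuration above sends its periodic update to
    FF02::9 on LAN1 and R1 processes it. fe80::2 is an assumed link-local address for R2."""
    update = build_response([build_rte("2001:db8:1:1::/64", 1), build_rte("2001:db8:1:2::/64", 1)])
    return accept_response("fe80::2", RIPNG_PORT, RIPNG_PORT, update)
```

The link-local source check is the one a defender should not drop: a RIPng speaker that accepts responses from global addresses can be fed routes from off-link, which RFC 2080 forbids. R1 ends up with 2001:db8:1:2::/64 at metric 2 via fe80::2, which is what show ipv6 route would list for that LAN.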


7.3.9 Verifying and Troubleshooting RIPng

Page 1:
Verifying and Troubleshooting RIPng for IPv6

After configuring RIPng, verification is required. The figure lists the various show commands you can use.

Click the Troubleshooting button in the figure.

If you discover during verification that RIPng is not working properly, you need to troubleshoot.

The figure lists the commands used to troubleshoot RIPng problems.


7.3.9 - Verifying and Troubleshooting RIPng
The diagram depicts Cisco IOS commands for verifying and troubleshooting RIPng for IPv6.

Verifying:
Command: show ipv6 interface
Purpose: Displays the status of interfaces configured for IPv6.

Command: show ipv6 interface brief
Purpose: Displays a summarized status of interfaces configured for IPv6.

Command: show ipv6 neighbors
Purpose: Displays IPv6 neighbor discovery cache information.

Command: show ipv6 protocols
Purpose: Displays the parameters and current state of the active IPv6 routing protocol processes.

Command: show ipv6 rip
Purpose: Displays information about current IPv6 RIP processes.

Command: show ipv6 route
Purpose: Displays the current IPv6 routing table.

Command: show ipv6 route summary
Purpose: Displays a summarized form of the current IPv6 routing table.

Command: show ipv6 routers
Purpose: Displays IPv6 router advertisement information received from other routers.

Command: show ipv6 static
Purpose: Displays only static IPv6 routes installed in the routing table.

Command: show ipv6 static 2001:db8:5555:0/16
Purpose: Displays only static route information about the specific address given.

Command: show ipv6 static interface serial0/0
Purpose: Displays only static route information with the specified interface as the outgoing interface.

Command: show ipv6 static detail
Purpose: Displays a more detailed entry for IPv6 static routes.

Command: show ipv6 traffic
Purpose: Displays statistics about IPv6 traffic.

Troubleshooting:

Command: clear ipv6 rip
Purpose: Deletes routes from the IPv6 RIP routing table and, if installed, routes in the IPv6 routing table.

Command: clear ipv6 route *
Purpose: Deletes all routes from the IPv6 routing table.
NOTE: Clearing all routes from the routing table causes high CPU use rates as the routing table is rebuilt.

Command: clear ipv6 route 2001:db8:c18:3::/64
Purpose: Clears this specific route from the IPv6 routing table.

Command: clear ipv6 traffic
Purpose: Resets IPv6 traffic counters.

Command: debug ipv6 packet
Purpose: Displays debug messages for IPv6 packets.

Command: debug ipv6 rip
Purpose: Displays debug messages for IPv6 RIP routing transactions.

Command: debug ipv6 routing
Purpose: Displays debug messages for IPv6 routing table updates and route cache updates.


Page 2:


7.3.9 - Verifying and Troubleshooting RIPng
The diagram depicts an activity where you implement IPv6.

Note: You may want to contact your instructor for assistance with this activity.

A network is being transitioned from IPv4 to IPv6. Your task is to complete the IPv6 configuration on all routers using the following information. Enter the commands necessary to complete the following on each router:
- Enable IPv6 traffic forwarding.
- Configure and enable specified interfaces with the IPv6 addresses.
- Configure IPv6 RIP using the process name cisco.
- Enable the IPv6 routing process named cisco on the required interfaces.

Network Topology
There are three routers. Router R1 S0/0/0 is connected to R2 S0/0/0. Router R2 S0/0/1 is connected to R3 S0/0/1.

Router configuration information:
Hostname: R1
Interface s0/0/0: 2001:410:1:10::/65 eui-64
Interface s0/0/1: not connected

What configuration commands should be used for R1?


Hostname: R2
Interface s0/0/0: 2001:410:1:10::/65 eui-64
Interface s0/0/1: 2001:410:2:10::/65 eui-64

What configuration commands should be used for R2?


Hostname: R3
Interface s0/0/0: not connected
Interface s0/0/1: 2001:410:2:10::/65 eui-64

What configuration commands should be used for R3?


7.4 Chapter Labs

7.4.1 Basic DHCP and NAT Configuration

Page 1:
In this lab, you will configure the DHCP and NAT IP services. One router is the DHCP server. The other router forwards DHCP requests to the server. You will also configure both static and dynamic NAT configurations, including NAT overload. When you have completed the configurations, verify the connectivity between the inside and outside addresses.


7.4.1 - Basic DHCP and NAT Configuration
Link to Hands-on Lab: Basic DHCP and NAT Configuration


Page 2:
This activity is a variation of Lab 7.4.1. Packet Tracer may not support all the tasks specified in the hands-on lab. This activity should not be considered equivalent to completing the hands-on lab. Packet Tracer is not a substitute for a hands-on lab experience with real equipment.

Detailed instructions are provided within the activity as well as in the PDF link below.

Activity Instructions (PDF)

Click the Packet Tracer icon for more details.


7.4.1 - Basic DHCP and NAT Configuration
Link to Packet Tracer Exploration: Basic DHCP and NAT Configuration


7.4.2 Challenge DHCP and NAT Configuration

Page 1:
In this lab, configure the IP address services using the network shown in the topology diagram. If you need assistance, refer back to the basic DHCP and NAT configuration lab. However, try to do as much on your own as possible.


7.4.2 - Challenge DHCP and NAT Configuration
Link to Hands-on Lab: Challenge DHCP and NAT Configuration


Page 2:
This activity is a variation of Lab 7.4.2. Packet Tracer may not support all the tasks specified in the hands-on lab. This activity should not be considered equivalent to completing the hands-on lab. Packet Tracer is not a substitute for a hands-on lab experience with real equipment.

Detailed instructions are provided within the activity as well as in the PDF link below.

Activity Instructions (PDF)

Click the Packet Tracer icon for more details.


7.4.2 - Challenge DHCP and NAT Configuration
Link to Packet Tracer Exploration: Challenge DHCP and NAT Configuration


7.4.3 Troubleshooting DHCP and NAT

Page 1:
The routers at your company were configured by an inexperienced network engineer. Several errors in the configuration have resulted in connectivity issues. Your boss has asked you to troubleshoot and correct the configuration errors and document your work. Using your knowledge of DHCP, NAT, and standard testing methods, find and correct the errors. Make sure all clients have full connectivity.


7.4.3 - Troubleshooting DHCP and NAT
Link to Hands-on Lab: Troubleshooting DHCP and NAT


Page 2:
This activity is a variation of Lab 7.4.3. Packet Tracer may not support all the tasks specified in the hands-on lab. This activity should not be considered equivalent to completing the hands-on lab. Packet Tracer is not a substitute for a hands-on lab experience with real equipment.

Detailed instructions are provided within the activity as well as in the PDF link below.

Activity Instructions (PDF)

Click the Packet Tracer icon for more details.


7.4.3 - Troubleshooting DHCP and NAT
Link to Packet Tracer Exploration: Troubleshooting DHCP and NAT


7.5 Chapter Summary

7.5.1 Summary

Page 1:
This chapter has dealt with the key solutions to the problem of diminishing Internet address space. You have learned how to use DHCP to assign private IP addresses inside your network. This conserves public address space and saves considerable administrative overhead in managing adds, moves, and changes. You learned how to implement NAT and NAT overload to conserve public address space and build private, secure intranets without affecting your ISP connection. However, NAT has drawbacks in terms of its negative effects on device performance, security, mobility, and end-to-end connectivity.

Overall, the ability to scale networks for future demands requires a limitless supply of IP addresses and improved mobility that DHCP and NAT alone cannot meet. IPv6 satisfies the increasingly complex requirements of hierarchical addressing that IPv4 does not provide. The emergence of IPv6 not only deals with the depletion of IPv4 addresses and shortcomings of NAT, it provides new and improved features. In the brief introduction to IPv6 in this lesson, you learned how IPv6 addresses are structured, how they will enhance network security and mobility, and how the IPv4 world will transition to IPv6.


7.5.1 - Summary and Review
In this chapter, you have learned to:
- Configure DHCP in an enterprise branch network. This includes being able to explain DHCP features and benefits, the differences between BOOTP and DHCP, DHCP operation, and configuring, verifying, and troubleshooting DHCP.

- Configure NAT on a Cisco router. This includes explaining key features and operation of NAT and NAT Overload, explaining advantages and disadvantages of NAT, configuring NAT and NAT Overload to conserve IP address space in a network, configuring port forwarding, and verifying and troubleshooting NAT configurations.

- Configure RIP next generation (RIPng) for IPv6. This includes explaining how IPv6 solves IPv4 address depletion, assigning IPv6 addresses, describing transition strategies for implementing IPv6, and configuring, verifying, and troubleshooting RIPng.


Page 2:


7.5.1 - Summary and Review
This is a review and is not a quiz. Questions and answers are provided.
Question One. Describe the four DHCP discovery and offer messages in sequence of operation and function.
Answer:
DHCP DISCOVER message:
- Broadcast sent by a client that has no address yet (source 0.0.0.0, destination 255.255.255.255) to locate a DHCP server.
- Sent from UDP port 68 to the DHCP/BOOTP server port, UDP 67.
DHCP OFFER message:
- When the DHCP DISCOVER reaches the DHCP server, the server responds with a DHCP OFFER addressed to the client's MAC address (broadcast instead if the client set the broadcast flag). It contains the offered IP address and mask, the default gateway, the lease duration, and the IP address of the offering server.
- Delivered to the DHCP/BOOTP client port, UDP 68.
DHCP REQUEST message:
- Used for two purposes: first, to accept one offer and negotiate the initial lease, and second, to renew the lease, by default once half of the lease time has elapsed.
- The initial DHCP REQUEST is broadcast to UDP port 67 and names the chosen server, so every server that made an offer learns which one was selected; a renewal is unicast to the server that holds the lease.
DHCP ACK message:
- Nearly identical to the original DHCP OFFER, sent to the client on UDP port 68 to confirm that it may now use the address. A DHCP NAK is sent instead if the requested address is no longer valid.
Nothing in this exchange authenticates the server: the client accepts the first acceptable DHCP OFFER it receives, whichever host on the segment sent it.

Question Two. Refer to the topology diagram description below to answer the question.

Network Topology:
Two LANs, with network addresses 192.168.10.0/24 and 192.168.11.0/24, are connected by router R1. PC1 in LAN 1 is connected to switch S1, which is connected to R1 interface FA0/0. PC2 in LAN 2 is connected to switch S2, which is connected to R1 interface FA0/1.

PC1 IP address: 192.168.10.10/24
Switch S1 IP address: 192.168.10.2/24
Router R1 FA0/0 IP address: 192.168.10.1/24

PC2 IP address: No IP address obtained
Switch S2 IP address: 192.168.11.2/24
Router R1 FA0/1 IP address: 192.168.11.1/24

Question:
Router R1 has been configured to provide DHCP service to the hosts on network 192.168.11.0/24, excluding the first nine IP addresses from the pool. However, after releasing and renewing its IP address, host PC2 still cannot acquire an IP address automatically. Which changes in the configuration would help this problem?

Commands used to configure R1:
hostname R1
ip dhcp excluded-address 192.168.11.1 192.168.11.254
ip dhcp pool LAN-POOL-2
network 192.168.10.0 255.255.255.0
default-router 192.168.11.2
domain-name span.com

Answer: On router R1
- The exclusion covers the entire pool. The command should be ip dhcp excluded-address 192.168.11.1 192.168.11.9.
- The network statement allocates the wrong subnet. The command should be network 192.168.11.0 255.255.255.0.
- The default router IP address points to the switch. The command should be default-router 192.168.11.1.
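The three mistakes above are mechanical enough to catch before a client ever complains. The following is an added example, not part of the course and not Cisco IOS code: a small Python lint that parses the relevant lines of an IOS configuration and reports a pool whose excluded range leaves nothing to lease, a default-router that lies outside the pool's network or is not one of the router's own addresses, and an excluded range that overlaps no pool. The sample configuration is constructed from the question; R1's interface addresses are taken from the topology description, and the finding codes are this example's own.

```python
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


def parse_config(text):
    """Pull interface addresses, DHCP pools and excluded ranges out of an IOS config."""
    ifaces, pools, excluded, ctx = {}, {}, [], None
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            continue
        if w[0] == "interface":
            ctx = ("if", w[1])
        elif w[:3] == ["ip", "dhcp", "pool"]:
            ctx = ("pool", w[3])
            pools[w[3]] = {}
        elif w[:3] == ["ip", "dhcp", "excluded-address"]:       # global; single address or range
            lo = IPv4Address(w[3])
            excluded.append((lo, IPv4Address(w[4]) if len(w) > 4 else lo))
        elif ctx and ctx[0] == "if" and w[:2] == ["ip", "address"]:
            ifaces[ctx[1]] = IPv4Interface(f"{w[2]}/{w[3]}")       # dotted mask is accepted
        elif ctx and ctx[0] == "pool" and w[0] == "network":
            pools[ctx[1]]["network"] = IPv4Network(f"{w[1]}/{w[2]}")
        elif ctx and ctx[0] == "pool" and w[0] == "default-router":
            pools[ctx[1]]["router"] = IPv4Address(w[1])
    return ifaces, pools, excluded


def lint_dhcp(text):
    """Return (code, detail) findings; an empty list means the pools look usable."""
    ifaces, pools, excluded = parse_config(text)
    own_addrs = {i.ip for i in ifaces.values()}
    connected = [i.network for i in ifaces.values()]
    pool_nets = [p["network"] for p in pools.values() if "network" in p]
    findings = []
    for name, pool in pools.items():
        net, gw = pool.get("network"), pool.get("router")
        if net is None:
            findings.append(("POOL_NO_NETWORK", name))
            continue
        if net not in connected:
            findings.append(("POOL_NOT_CONNECTED", f"{name}: {net} is on no interface; only relayed clients could use it"))
        if not [h for h in net.hosts() if not any(lo <= h <= hi for lo, hi in excluded)]:
            findings.append(("POOL_FULLY_EXCLUDED", f"{name}: every address in {net} is excluded"))
        if gw is None:
            findings.append(("POOL_NO_GATEWAY", name))
        elif gw not in net:
            hint = next((str(n) for n in connected if gw in n), "no connected subnet")
            findings.append(("GATEWAY_OUTSIDE_POOL", f"{name}: default-router {gw} is in {hint}, not in {net}"))
        elif gw not in own_addrs:
            findings.append(("GATEWAY_NOT_ROUTER", f"{name}: default-router {gw} is not one of this router's addresses"))
    for lo, hi in excluded:                                  # an exclusion that protects nothing is a typo
        if not any(lo <= n.broadcast_address and hi >= n.network_address for n in pool_nets):
            findings.append(("EXCLUSION_OUTSIDE_POOLS", f"{lo}-{hi} overlaps no pool"))
    return findings


# Constructed from review question two; the interface lines come from the topology description.
BROKEN = """\
hostname R1
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
interface FastEthernet0/1
 ip address 192.168.11.1 255.255.255.0
ip dhcp excluded-address 192.168.11.1 192.168.11.254
ip dhcp pool LAN-POOL-2
 network 192.168.10.0 255.255.255.0
 default-router 192.168.11.2
 domain-name span.com
"""
# The three corrections from the answer applied in turn.
STEP1 = BROKEN.replace("network 192.168.10.0", "network 192.168.11.0")
FIXED = STEP1.replace("192.168.11.254", "192.168.11.9").replace("default-router 192.168.11.2",
                                                                "default-router 192.168.11.1")

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("network fixed", STEP1), ("all fixed", FIXED)):
        print(label, lint_dhcp(cfg))
```

Running it on the original configuration reports only the gateway and the stray exclusion, because the wrong network statement hides the fact that the exclusion swallows the whole pool; fixing the network statement alone then surfaces the other two problems, which is exactly the order in which a troubleshooter usually finds them.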

Question Three.
Refer to the topology diagram description below to answer the question.

Network Topology:
Two LANs, with network addresses 192.168.10.0/24 and 192.168.11.0/24, are connected by router R1. PC1 in LAN 1 is connected to switch S1, which is connected to R1 interface FA0/0. PC2 in LAN 2 is connected to switch S2, which is connected to R1 interface FA0/1.

PC1 IP address: 192.168.10.10/24
Switch S1 IP address: 192.168.10.2/24
Router R1 FA0/0 IP address: 192.168.10.1/24

PC2 IP address: 192.168.11.10/24
Switch S2 IP address: 192.168.11.2/24
Router R1 FA0/1 IP address: 192.168.11.1/24
DHCP Server IP address: 192.168.11.5/24

Question:
The DHCP server located at IP address 192.168.11.5 has been configured to provide IP addresses to the hosts on network 192.168.10.0/24. However, the hosts report that their DHCP request has timed out and that the DHCP server is unreachable. Which configuration command would correct this problem?

Answer: On router R1, configure the DHCP relay feature on interface FastEthernet 0/0, the interface facing the clients, using the following commands:

interface FastEthernet0/0
ip helper-address 192.168.11.5

The clients' DHCP DISCOVER is a broadcast to 255.255.255.255, which R1 does not forward. With the helper address configured, R1 rewrites the broadcast as a unicast to 192.168.11.5 and sets the gateway address field (giaddr) to 192.168.10.1, so the server knows to allocate from the 192.168.10.0/24 pool and where to send its reply. Note that ip helper-address forwards several other UDP broadcast types by default (DNS, TFTP and NetBIOS name service among them); use no ip forward-protocol udp <port> to restrict relaying to what is actually required.
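To make the relay step concrete, here is an added Python model of the four-message exchange from question one and the relay behaviour from question three; it is example code, not the course's material and not what IOS runs. It encodes and decodes the real RFC 2131 message layout (fixed BOOTP header, magic cookie, TLV options), a server that chooses its pool from giaddr as RFC 2131 specifies, and a relay that does what ip helper-address does. The addresses are those of the question-three topology; the excluded-range size (first nine hosts, as in question two), the .1 gateway, the one-day lease and the transaction ID are assumptions of this example.

```python
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5            # option 53 message types
OPT_MASK, OPT_ROUTER, OPT_REQ_IP, OPT_LEASE, OPT_TYPE, OPT_SERVER_ID = 1, 3, 50, 51, 53, 54
MAGIC = b"\x63\x82\x53\x63"
HDR = "!BBBBIHH4s4s4s4s16s64s128s"                    # the fixed 236-byte BOOTP header
IP = ipaddress.IPv4Address


def build(op, xid, chaddr, options, yiaddr="0.0.0.0", giaddr="0.0.0.0", hops=0):
    """Encode one DHCP message: header (htype Ethernet, broadcast flag set), cookie, TLV options."""
    hdr = struct.pack(HDR, op, 1, 6, hops, xid, 0, 0x8000, b"\0" * 4, IP(yiaddr).packed,
                      b"\0" * 4, IP(giaddr).packed, chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + b"".join(bytes([c, len(v)]) + v for c, v in options) + b"\xff"


def parse(raw):
    """Decode a DHCP message into a dict; options become {code: value_bytes}."""
    f = struct.unpack(HDR, raw[:236])
    if raw[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    msg = {"op": f[0], "hops": f[3], "xid": f[4], "yiaddr": IP(f[8]), "giaddr": IP(f[10]),
           "chaddr": f[11][:6], "options": {}}
    i = 240
    while i < len(raw) and raw[i] != 0xFF:              # 255 = end option
        if raw[i] == 0:                                   # 0 = pad
            i += 1
            continue
        code, length = raw[i], raw[i + 1]
        msg["options"][code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return msg


class DhcpServer:
    """One pool per subnet; `skip` low addresses are held back like `ip dhcp excluded-address`.
    The pool is chosen from giaddr when a relay filled it in, else from the server's own subnet."""

    def __init__(self, addr, pools):
        self.addr = IP(addr)
        self.pools = {ipaddress.IPv4Network(n): list(ipaddress.IPv4Network(n).hosts())[skip:]
                      for n, skip in pools.items()}
        self.leases = {}                                  # chaddr -> IPv4Address

    def handle(self, raw):
        msg = parse(raw)
        if msg["op"] != BOOTREQUEST:
            return None
        key = msg["giaddr"] if int(msg["giaddr"]) else self.addr
        net = next(n for n in self.pools if key in n)
        kind = msg["options"][OPT_TYPE][0]
        if kind == DISCOVER:
            if msg["chaddr"] not in self.leases:
                self.leases[msg["chaddr"]] = self.pools[net].pop(0)
            reply = OFFER
        elif kind == REQUEST:                             # ACK only our own offer, chosen by the client
            if (msg["options"].get(OPT_SERVER_ID) != self.addr.packed
                    or IP(msg["options"][OPT_REQ_IP]) != self.leases.get(msg["chaddr"])):
                return None                               # a real server answers DHCP NAK here
            reply = ACK
        else:
            return None
        opts = [(OPT_TYPE, bytes([reply])), (OPT_SERVER_ID, self.addr.packed),
                (OPT_MASK, net.netmask.packed), (OPT_ROUTER, (net.network_address + 1).packed),
                (OPT_LEASE, struct.pack("!I", 86400))]   # assumed: gateway is .1, lease is one day
        return build(BOOTREPLY, msg["xid"], msg["chaddr"], opts,
                     yiaddr=str(self.leases[msg["chaddr"]]), giaddr=str(msg["giaddr"]), hops=msg["hops"])


def relay(raw, ingress_addr, helper):
    """`ip helper-address`: set giaddr to the ingress interface (if unset), bump hops, unicast to helper."""
    msg = parse(raw)
    giaddr = str(msg["giaddr"]) if int(msg["giaddr"]) else ingress_addr
    return helper, build(BOOTREQUEST, msg["xid"], msg["chaddr"], list(msg["options"].items()),
                         giaddr=giaddr, hops=msg["hops"] + 1)


def exchange(mac, client_net, server, relay_addr=None):
    """Run DISCOVER/OFFER/REQUEST/ACK for a client on `client_net` (an 'a.b.c.d/n' string).
    Returns the leased address, or None when the client's broadcast never reaches the server."""
    net, xid = ipaddress.IPv4Network(client_net), 0x3903F326   # xid is an assumed constant

    def deliver(raw):                                     # the client's broadcast on its own LAN
        if relay_addr is not None:
            return server.handle(relay(raw, relay_addr, str(server.addr))[1])
        return server.handle(raw) if server.addr in net else None   # routers do not forward it

    offer_raw = deliver(build(BOOTREQUEST, xid, mac, [(OPT_TYPE, bytes([DISCOVER]))]))
    if offer_raw is None:
        return None                                       # the "DHCP server unreachable" timeout
    offer = parse(offer_raw)
    assert offer["options"][OPT_TYPE][0] == OFFER and offer["yiaddr"] in net
    ack = parse(deliver(build(BOOTREQUEST, xid, mac, [(OPT_TYPE, bytes([REQUEST])),
                                                      (OPT_REQ_IP, offer["yiaddr"].packed),
                                                      (OPT_SERVER_ID, offer["options"][OPT_SERVER_ID])])))
    assert ack["options"][OPT_TYPE][0] == ACK
    return str(ack["yiaddr"])
```

With a server at 192.168.11.5 holding pools for both LANs, a client on 192.168.10.0/24 gets nothing until the exchange is run with relay_addr="192.168.10.1"; then the relayed giaddr selects the 192.168.10.0/24 pool and the first unexcluded host, 192.168.10.10, is leased. The server-side check in handle also shows why a DHCP REQUEST names a server: without it, a second server that also offered would ACK an address it never handed out.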

Question Four. Describe the differences between dynamic NAT, static NAT, and NAT overload.
Answer:
Dynamic NAT:
- Dynamic NAT uses a pool of public addresses and assigns them on a first-come, first-served basis.
- When a host requests access to the Internet, dynamic NAT chooses an IP address from the public pool and temporarily binds it with the internal local address.
Static NAT:
- Static NAT uses a one-to-one mapping of local and global addresses and these mappings remain constant.
- Static NAT is particularly useful for web servers or in general hosts that must have a consistent address that is accessible from the Internet.
NAT Overload:
- NAT overloading (also called Port Address Translation, or PAT) maps each inside local address and source port to a single inside global address and a unique port number.
- When a response returns to the NAT router, the router looks up the destination port (the port it assigned on the way out) in its translation table and forwards the packet to the originating inside local address and port.
- Because an inbound packet is forwarded only if it matches an existing translation entry, unsolicited traffic from the outside is dropped. This adds a degree of protection to the session, but it is a side effect of address translation, not a substitute for a stateful firewall or access control lists.

Question Five.
Router R2 has been configured to provide NAT service. On the basis of the information provided, comment on the NAT translations.

Refer to the command output to answer the question.
R2#show ip nat translations
Pro: tcp
Inside Global: 209.165.200.225:16642
Inside Local: 192.168.10.10:16642
Outside Local: 209.165.200.254:80
Outside Global: 209.165.200.254:80

Pro: tcp
Inside Global: 209.165.200.225:62452
Inside Local: 192.168.11.10:62452
Outside Local: 209.165.200.254:80
Outside Global: 209.165.200.254:80


Answer: Router R2 was configured to provide NAT overload translation to hosts on the 192.168.10.0 and 192.168.11.0 networks. Both entries share the single inside global address 209.165.200.225 and differ only in port number, which is what identifies overload rather than dynamic or static NAT.

- The host with the inside local IP address 192.168.10.10 was translated to the overloaded inside global IP address 209.165.200.225 using the unique port number 16642 when accessing the web server located at 209.165.200.254.
- The host with the inside local IP address 192.168.11.10 was translated to the overloaded inside global IP address 209.165.200.225 using the unique port number 62452 when accessing the same web server.
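An added example (not course material and not IOS code) that models the overload behaviour described in questions four and five: a Python PatRouter that assigns a unique inside global port per outbound session, reuses the client's own source port when it is free, resolves the collision when two inside hosts pick the same source port, returns inbound packets to the originating inside local address, drops inbound packets that match no entry, and accepts unsolicited inbound sessions only where a static port-forwarding entry exists. Timeouts use Cisco's PAT defaults (24 hours for TCP, 5 minutes for UDP); the one-port-per-session rule and the 1024 to 65535 allocation range are simplifications of this example. Hosts and ports come from the question-five exhibit; the 192.168.14.5 web server is borrowed from the chapter quiz, and 198.51.100.9 is a constructed outside address.

```python
import itertools


class PatRouter:
    """NAT overload (PAT): every inside host shares the one inside global address and is
    told apart by the port the router assigns. Simplified model: one global port per
    session, extended entries that record the outside host, Cisco PAT idle timeouts."""

    def __init__(self, inside_global, tcp_timeout=86400, udp_timeout=300):
        self.inside_global = inside_global
        self.timeouts = {"tcp": tcp_timeout, "udp": udp_timeout}
        self.dynamic = {}   # (proto, global_port) -> session entry
        self.static = {}    # (proto, global_port) -> (inside_local, local_port), i.e. port forwarding

    def _free_port(self, proto, wanted):
        """Keep the client's own source port when it is free (as IOS tries to), else pick another."""
        used = {p for pr, p in itertools.chain(self.dynamic, self.static) if pr == proto}
        if wanted not in used:
            return wanted
        return next(p for p in range(1024, 65536) if p not in used)

    def outbound(self, proto, src, sport, dst, dport, now):
        """Inside -> outside. Returns the 5-tuple as it appears on the outside interface."""
        for (pr, gport), e in self.dynamic.items():
            if pr == proto and (e["src"], e["sport"], e["dst"], e["dport"]) == (src, sport, dst, dport):
                e["seen"] = now                                   # existing session, refresh timer
                return (proto, self.inside_global, gport, dst, dport)
        gport = self._free_port(proto, sport)
        self.dynamic[(proto, gport)] = {"src": src, "sport": sport, "dst": dst, "dport": dport, "seen": now}
        return (proto, self.inside_global, gport, dst, dport)

    def inbound(self, proto, src, sport, dst, dport, now):
        """Outside -> inside. Returns the untranslated 5-tuple, or None when the packet is dropped."""
        if dst != self.inside_global:
            return None
        if (proto, dport) in self.static:                         # port forwarding: unsolicited allowed
            local, lport = self.static[(proto, dport)]
            return (proto, src, sport, local, lport)
        e = self.dynamic.get((proto, dport))
        # an extended entry also records whom the inside host talked to; anyone else is dropped
        if e is None or (e["dst"], e["dport"]) != (src, sport):
            return None
        e["seen"] = now
        return (proto, src, sport, e["src"], e["sport"])

    def add_port_forward(self, proto, global_port, inside_local, local_port):
        """Equivalent of `ip nat inside source static <proto> <local> <lport> <global> <gport>`."""
        self.static[(proto, global_port)] = (inside_local, local_port)

    def expire(self, now):
        """Drop entries idle longer than their protocol's timeout; returns how many were removed."""
        stale = [k for k, e in self.dynamic.items() if now - e["seen"] > self.timeouts[k[0]]]
        for k in stale:
            del self.dynamic[k]
        return len(stale)

    def translations(self):
        """Rows in the column order of `show ip nat translations`."""
        rows = [(pr, f"{self.inside_global}:{gp}", f"{e['src']}:{e['sport']}",
                 f"{e['dst']}:{e['dport']}", f"{e['dst']}:{e['dport']}")
                for (pr, gp), e in self.dynamic.items()]
        rows += [(pr, f"{self.inside_global}:{gp}", f"{loc}:{lp}", "---", "---")
                 for (pr, gp), (loc, lp) in self.static.items()]
        return rows


if __name__ == "__main__":
    r2 = PatRouter("209.165.200.225")
    r2.outbound("tcp", "192.168.10.10", 16642, "209.165.200.254", 80, now=0)
    r2.outbound("tcp", "192.168.11.10", 62452, "209.165.200.254", 80, now=0)
    for row in r2.translations():
        print(*row, sep="  ")
```

The two outbound calls reproduce the question-five table exactly. A third inside host that happens to choose source port 16642 is given a different global port, so the table stays unambiguous, and an inbound packet from any outside host other than 209.165.200.254:80 to 209.165.200.225:16642 is discarded even though that port has an entry.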

Question Six. Refer to the following IPv6 host address. Abbreviate the IPv6 address to its shortest allowable form.
Address: 2031:0000:130F:0000:0000:09C0:876A:130B

Answer: The shortest form is 2031:0:130F::9C0:876A:130B. The double colon replaces the longest run of all-zero groups (the two consecutive zero groups), while the single zero group after 2031 is written as 0 because :: may appear only once in an address. Hexadecimal case does not change the address; RFC 5952 recommends lowercase, 2031:0:130f::9c0:876a:130b, as the canonical text form.

Question Seven. Refer to following statement and fill in the blanks. Describe the two main IPv4-to-IPv6 transition options and complete the IPv6 transition sentence in the exhibit.

Statement:
"BLANK" where you can, "BLANK" where you must!"

Answer:
"Dual-stack where you can, tunnel where you must!"

Dual-stack method:
- Is an integration method in which a node has implementation and connectivity to both an IPv4 and IPv6 network.
- This is the recommended option and involves running IPv4 and IPv6 at the same time.
- Routers and switches are configured to support both protocols, with IPv6 being the preferred protocol.

6to4 tunneling method:
- Is an integration method in which an IPv6 packet is encapsulated in an IPv4 packet (IP protocol 41) so that it can cross an IPv4-only network.
- However, this method also requires dual-stack routers at both tunnel endpoints.
- The dynamic 6to4 tunneling method automatically establishes connectivity between IPv6 islands across an IPv4 network, deriving each island's 2002::/16 prefix from its endpoint's public IPv4 address.
Other transition methods:
- Other mechanisms include NAT-PT (a protocol translator between IPv6 and IPv4 rather than a tunnel), ISATAP tunneling, and Teredo tunneling.
- These mechanisms are complex and are considered methods of last resort; NAT-PT in particular has since been moved to historic status by the IETF (RFC 4966).


Page 3:
In this culminating activity, you will configure PPP, OSPF, DHCP, NAT and default routing to ISP. You will then verify your configuration.

Detailed instructions are provided within the activity as well as in the PDF link below.

Activity Instructions (PDF)

Click the Packet Tracer icon for more details.


7.5.1 - Summary and Review
Link to Packet Tracer Exploration: Packet Tracer Skills Integration Challenge


7.6 Chapter Quiz

7.6.1 Chapter Quiz

Page 1:


7.6.1 - Chapter Quiz
1.Which two statements are true about the DHCP server functions? (Choose two.)
A.When a client requests an IP address, the DHCP server searches the binding table for an entry that matches the MAC address for the client. If an entry exists, the corresponding IP address for that entry is returned to the client.
B.Clients can be assigned an IP address from a predefined DHCP pool for a finite lease period.
C.DHCP services must be installed on a dedicated network server to define the pool of IP addresses available to the clients.
D.The DHCP server can answer requests and assign IP addresses for a particular subnet only.
E.Each subnet in the network requires a dedicated DHCP server to assign IP addresses to the hosts on the subnet.
F.The DHCP server provides clients with an IP address, subnet mask, default gateway, and domain name.

2.Refer to the following command to answer the question.

Router(config)#ip dhcp pool 10.10.10.0

What does the string 10.10.10.0 used after the ip dhcp pool command specify?
A.Name of the DHCP pool.
B.Pool of IP addresses available for lease.
C.Range of excluded IP addresses.
D.IP subnet where the DHCP server resides.

3.Which three statements about DHCP are true? (Choose three.)
A.DHCP uses UDP.
B.The DHCP OFFER message is sent by the DHCP server after receiving a DHCP DISCOVER message from a client.
C.DHCP uses ports 67 and 68.
D.The DHCP REQUEST message is sent by a DHCP client to locate a DHCP server.
E.The DHCP ACK message is sent by the DHCP server to provide the DHCP client with the DHCP server MAC address for further communication.
F.All DHCP communications are broadcast.

4.Refer to the following topology description and partial show run output to answer the question.

Network Topology:
Host A is connected to switch SW1, which is connected to router R1 interface FA0/0/0. Router R1 interface S0/0/0 is connected to router R2 interface S0/0/1, with IP address 10.10.1.254.

R1 show run output:
R1#show run

interface FastEthernet0/0/0
ip helper-address 10.10.1.254

output omitted

Router R2 is configured as a DHCP server. What would happen when host A sends a DHCP request to the DHCP server?
A.The request is dropped by router R1.
B.The request is forwarded to the DHCP server.
C.The request is forwarded to the DHCP server, but the DHCP server does not respond with an IP address.
D.Router R1 responds with an IP address.

5.Refer to the following command output to answer the question.

Router#debug ip dhcp server events
DHCPD: DHCP DISCOVER received from client 0b07.1134.a029.
DHCPD: Assigned IP address 10.1.0.3 to client 0b07.1134.a029.
DHCPD: Sending DHCP OFFER to client 0b07.1134.a029 (10.1.0.4)
DHCPD: DHCP REQUEST received from client 0b07.1134.a029.
DHCPD: Sending DHCP NACK to client 0b07.1134.a029 (10.1.0.3).
output omitted

Router#show ip dhcp conflict
IP address: 10.1.0.3
Detection method: ping
Detection time: Jan 01 1999 00:00 AM

Based on the output, which statement is true regarding this DHCP exchange?
A.The client was successfully configured with the address 10.1.0.3.
B.The DHCP server offered the address 10.1.0.3 to the client.
C.The client requested 10.1.0.3 from the server.
D.The DHCP server could not ping 10.1.0.3.

6.Refer to the following command output to answer the question.

NAT1#show ip nat translations (output reformatted)
Pro: udp
Inside global: 198.18.24.211:123
Inside local: 192.168.254.7:123
Outside local: 192.2.182.4:123
Outside global: 192.2.182.4:123

Pro: tcp
Inside global: 198.18.24.211:4509
Inside local: 192.168.254.66:4509
Outside local: 192.0.2.184:80
Outside global: 192.0.2.184:80

Pro: tcp
Inside global: 198.18.24.211:4643
Inside local: 192.168.254.2:4643
Outside local: 192.0.2.71:5190
Outside global: 192.0.2.71:5190

Pro: tcp
Inside global: 198.18.24.211:4630
Inside local: 192.168.254.7:4630
Outside local: 192.0.2.71:5190
Outside global: 192.0.2.71:5190

Pro: udp
Inside global: 198.18.24.211:1026
Inside local: 192.168.254.9:1026
Outside local: 198.18.24.4:53
Outside global: 198.18.24.4:53

Based on the output, which statement is correct concerning the NAT configuration?
A.Static NAT is configured.
B.Dynamic NAT is configured.
C.PAT is configured.
D.NAT is incorrectly configured.

7.If an administrator chooses to avoid using NAT overload, what is the default timeout value for NAT translations?
A.1 hour
B.1 day
C.1 week
D.Indefinite

8.Match each characteristic to the corresponding NAT technique.
Characteristics:
A. Provides one-to-one fixed mappings of local and global addresses.
B. Assigns the translated addresses of IP hosts from a pool of public addresses.
C. Can map multiple addresses to a single address of the external interface.
D. Assigns the unique source port number of an inside global address on a session-by-session basis.
E. Allows external hosts to establish a session with an internal host.
F. Defines translations on a host-to-host basis.

NAT Techniques:
One. Dynamic NAT
Two. NAT with Overload
Three. Static NAT

9.Refer to the following command output to answer the question.

Router1(config)#ip nat inside source static 192.168.0.100 209.165.200.2
Router1(config)#interface serial0/0/0
Router1(config-if)#ip nat inside
Router1(config-if)#no shut
Router1(config-if)#ip address 10.1.1.2 255.255.255.0
Router1(config)#interface serial 0/0/2
Router1(config-if)#ip address 209.165.200.2 255.255.255.0
Router1(config-if)#ip nat outside
Router1(config-if)#no shut

Which host or hosts will have their addresses translated by NAT?
A.10.1.1.2
B.192.168.0.100
C.209.165.200.2
D.All hosts on the 10.1.1.0 network
E.All hosts on the 192.168.0.0 network

10.Refer to the following command output to answer the question.

R1(config)#ip nat pool nat-pool1 209.165.200.255 209.165.200.240 netmask 255.255.255.0
R1(config)#ip nat inside source list 1 pool nat-pool1
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 10.1.1.2 255.255.0.0
R1(config-if)#ip nat inside
R1(config)#interface serial 0/0/2
R1(config-if)#ip address 209.165.200.1 255.255.255.0
R1(config-if)#ip nat outside
R1(config)#access-list 1 permit 192.168.0.0 0.0.0.255

Which addresses will be translated by NAT?
A.10.1.1.2 to 10.1.1.255
B.192.168.0.0 to 192.168.0.255
C.209.165.200.240 to 209.165.200.255
D.Only host 10.1.1.2
E.Only host 209.165.200.255

11.Refer to the following topology description to answer the question.

Network Topology:
Web Server 1 and several hosts are connected to Switch1, which is connected to the Router1 Ethernet interface. Router1 is connected to the Internet.

Web Server 1 is assigned a single IP address of 192.168.14.5/24. For hosts from the Internet to access Web Server 1, which type of NAT configuration is required on Router1?

A.Static NAT
B.Dynamic NAT
C.NAT overload
D.Port forwarding

12.Which NAT solution allows external users to access an internal FTP server on a private network?
A.Dynamic NAT
B.NAT with overload
C.Port forwarding
D.Static NAT

13.Refer to the following command output to answer the question.
Given the debug output from a Cisco router, what kind of address is 24.74.237.203?

s=10.10.10.3 to 24.74.237.203, d=64.102.252.3 [29854]
s=10.10.10.3 to 24.74.237.203, d=64.102.252.3 [29855]
s=10.10.10.3 to 24.74.237.203, d=64.102.252.3 [29856]
s=64.102.252.3 d=24.74.237.203 to 10.10.10.3 [9935]
s=64.102.252.3 d=24.74.237.203 to 10.10.10.3 [9937]
s=10.10.10.3 to 24.74.237.203, d=64.102.252.3 [29857]
s=64.102.252.3 d=24.74.237.203 to 10.10.10.3 [9969]
s=64.102.252.3 d=24.74.237.203 to 10.10.10.3 [9972]
s=10.10.10.3 to 24.74.237.203, d=64.102.252.3 [29858]


A.Inside local
B.Inside global
C.Outside local
D.Outside global

14.Which two statements accurately describe the RIPng routing protocol? (Choose two.)
A.RIPng has a limit of 15 hops.
B.RIPng is a link-state routing protocol.
C.RIPng uses UDP port 238 for updates.
D.RIPng uses poison reverse.
E.RIPng forwards IPv6 broadcasts.

15.Which two methods of assigning an IPv6 address to an interface are automatic and can be used in conjunction with each other? (Choose two.)
A.DHCPv6
B.Stateless auto-configuration
C.EUI-64
D.Static assignment
E.DNS

16.Match the IPv6 command to the appropriate description.
Commands:
A. ipv6 unicast-routing
B. ipv6 address
C. ip name-server
D. ipv6 host name
E. ipv6 router rip name

Descriptions:
One. Specifies the DNS server used by the router.
Two. Defines a static hostname-to-address mapping.
Three. Configures a global IPv6 address.
Four. Enables IPv6 traffic forwarding between interfaces on the router.
Five. Enables RIPng routing on the router and identifies the RIP process.

17.Refer to this IPv6 address:

2031:0000:0300:0000:0000:00C0:8000:130B

Which three items are equivalent representations of the full IPv6 address? (Choose three.)
A.2031:300::C0:8:130B
B.2031:0:300::C0:8000:130B
C.2031:1:0:3::C0:8000:130B
D.2031:0:0300:0:0:C0:8000:130B
E.2031::300:0:0:0C0:8000:130B
F.2031::0300::C0:8::130B
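Question six of the review and item 17 above reduce to one operation: expand every spelling to its eight 16-bit groups and compare. The block below is an added Python example, not the course's own material, implementing that expansion, RFC 5952 canonical compression (lowercase, leading zeros dropped, :: for the longest zero run, leftmost on a tie, never for a single zero group), a cross-check against the standard library, and a classifier that labels each candidate as the same address, a different address, or not a legal literal at all (the repeated :: in option F). Normalising this way before comparing addresses in access lists, allowlists or logs matters in practice, because a naive string comparison treats 2031:0:300::c0:8000:130b and 2031::300:0:0:0C0:8000:130B as different hosts.

```python
import ipaddress
import re

GROUP = re.compile(r"[0-9A-Fa-f]{1,4}")


def expand(addr):
    """Return the eight 16-bit groups of an IPv6 literal, resolving a single '::'."""
    if addr.count("::") > 1:
        raise ValueError(f"{addr}: '::' may appear only once")
    head, sep, tail = addr.partition("::")
    groups = head.split(":") if head else []
    right = tail.split(":") if tail else []
    if sep:
        missing = 8 - len(groups) - len(right)            # groups the '::' stands for
        if missing < 1:
            raise ValueError(f"{addr}: '::' must stand for at least one group")
        groups = groups + ["0"] * missing + right
    if len(groups) != 8 or not all(GROUP.fullmatch(g) for g in groups):
        raise ValueError(f"{addr}: expected eight hexadecimal groups")
    return [int(g, 16) for g in groups]


def compress(addr):
    """RFC 5952 text form: lowercase, no leading zeros, '::' for the longest run of
    zero groups (leftmost wins a tie), and no '::' for a run of just one group."""
    g = expand(addr)
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if g[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and g[j] == 0:
            j += 1
        if j - i > best_len:                               # strictly greater keeps the leftmost run
            best_start, best_len = i, j - i
        i = j
    hexs = [f"{x:x}" for x in g]
    if best_len < 2:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])


def same_address(a, b):
    """True when two literals name the same 128-bit address, however they are written."""
    return expand(a) == expand(b)


def matches_stdlib(addr):
    """Cross-check: the standard library applies the same RFC 5952 rules."""
    return compress(addr) == str(ipaddress.IPv6Address(addr))


def classify(full, candidates):
    """Map each candidate to True (same address), False (different) or 'invalid'."""
    out = {}
    for c in candidates:
        try:
            out[c] = same_address(full, c)
        except ValueError:
            out[c] = "invalid"
    return out


# The six candidates of quiz item 17, in order.
QUIZ17_FULL = "2031:0000:0300:0000:0000:00C0:8000:130B"
QUIZ17 = ["2031:300::C0:8:130B", "2031:0:300::C0:8000:130B", "2031:1:0:3::C0:8000:130B",
          "2031:0:0300:0:0:C0:8000:130B", "2031::300:0:0:0C0:8000:130B", "2031::0300::C0:8::130B"]

if __name__ == "__main__":
    print(compress("2031:0000:130F:0000:0000:09C0:876A:130B"))
    for cand, verdict in classify(QUIZ17_FULL, QUIZ17).items():
        print(f"{cand:32} {verdict}")
```

The classifier returns True only for options B, D and E; A and C are different addresses, and F is rejected outright because a second :: would make the number of elided groups ambiguous.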
