Module Overview
32.1 Scaling Networks with NAT and PAT
32.1.1 Private addressing
32.1.2 Introducing NAT and PAT
32.1.3 Major NAT and PAT features
32.1.4 Configuring NAT and PAT
32.1.5 Verifying PAT configuration
32.1.6 Troubleshooting NAT and PAT configuration
32.1.7 Issues with NAT
32.2 DHCP
32.2.1 Introducing DHCP
32.2.2 BOOTP and DHCP differences
32.2.3 Major DHCP features
32.2.4 DHCP operation
32.2.5 Configuring DHCP
32.2.6 Verifying DHCP operation
32.2.7 Troubleshooting DHCP
32.2.8 DHCP Relay
Module: Summary
Overview
The rapid growth
of the Internet has astonished most observers. One reason that the Internet has
grown so quickly is due to the flexibility of the original design. Without
developing new methodologies of IP address assignment, this rapid growth of the
Internet would have exhausted the current supply of IP addresses. In order to
cope with a shortage of IP addresses, several solutions were developed. One
widely implemented solution is Network Address Translation (NAT).
NAT is a
mechanism for conserving registered IP addresses in large networks and
simplifying IP addressing management tasks. As a packet is routed through a
network device, usually a firewall or border router, the source IP address is
translated from a private internal network address to a routable public IP
address. This allows the packet to be transported over public external
networks, such as the Internet. The public address in the reply is then
translated back to the private internal address for delivery within the
internal network. A variation of NAT, called Port Address Translation (PAT),
allows many internal private addresses to be translated using a single external
public address.
Routers, servers,
and other key devices on the network usually require a static IP configuration,
which is entered manually. However, desktop clients do not require a specific
address but rather any one in a range of addresses. This range is typically
within an IP subnet. A workstation within a specific subnet can be assigned any
address within a range while other values are static, including the subnet
mask, default gateway, and DNS server.
The Dynamic Host
Configuration Protocol (DHCP) was designed to assign IP addresses and other
important network configuration information dynamically. Because desktop
clients typically make up the bulk of network nodes, DHCP is an extremely
useful timesaving tool for network administrators.
Students
completing this module should be able to:
- Identify private IP addresses
as described in RFC 1918
- Discuss characteristics of NAT
and PAT
- Explain the benefits of NAT
- Explain how to configure NAT
and PAT, including static translation, dynamic translation, and
overloading
- Identify the commands used to
verify NAT and PAT configuration
- List the steps used to
troubleshoot NAT and PAT configuration
- Discuss the advantages and
disadvantages of NAT
- Describe the characteristics of
DHCP
- Explain the differences between
BOOTP and DHCP
- Explain the DHCP client
configuration process
- Configure a DHCP server
- Verify DHCP operation
- Troubleshoot a DHCP
configuration
- Explain DHCP relay requests
32.1 Scaling Networks with NAT and PAT
32.1.1 Private addressing
RFC 1918 sets aside the following three blocks of private IP addresses:
- 1 Class A network block (10.0.0.0/8)
- 16 Class B network blocks (172.16.0.0/12)
- 256 Class C network blocks (192.168.0.0/16)
These addresses
are for private, internal network use only. Packets containing these addresses
are not routed over the Internet.
Public Internet
addresses must be registered by a company with an Internet authority, for
example, American Registry for Internet Numbers (ARIN) or Réseaux IP Européens
(RIPE), the Regional Internet Registry responsible for Europe and North Africa.
These public Internet addresses can also be leased from an ISP. Private IP
addresses are reserved and can be used by anyone. That means two networks, or
two million networks, can each use the same private address. A router should
never route RFC 1918 addresses. ISPs typically configure the border routers to
prevent privately addressed traffic from being forwarded.
NAT provides
great benefits to individual companies and the Internet. Before NAT, a host
with a private address could not access the Internet. Using NAT, individual
companies can address some or all of their hosts with private addresses and use
NAT to provide access to the Internet.
32.1 Scaling Networks with NAT and PAT
32.1.2 Introducing NAT and PAT
NAT is designed to conserve IP
addresses and enable networks to use private IP addresses on internal networks.
These private, internal addresses are translated to routable, public addresses.
This is accomplished by internetwork devices running specialized NAT software
which can increase network privacy by hiding internal IP addresses.
A NAT enabled
device typically operates at the border of a stub network. A stub network is a
network that has a single connection to its neighbor network. When a host inside the stub network wants to
transmit to a host on the outside, it forwards the packet to the border gateway
router. The border gateway router performs the NAT process, translating the
internal private address of a host to a public, external routable address. In NAT terminology, the internal network is
the set of networks that are subject to translation. The external network
refers to all other addresses.
Cisco defines the
following NAT terms:
- Inside local address
– The IP address assigned to a host on the inside network. The address is
usually not an IP address assigned by the Internet Network Information
Center (InterNIC) or service provider. This address is likely to be an RFC
1918 private address.
- Inside global address
– A legitimate IP address assigned by the InterNIC or service provider
that represents one or more inside local IP addresses to the outside
world.
- Outside local address
– The IP address of an outside host as it is known to the hosts on the
inside network.
- Outside global address
– The IP address assigned to a host on the outside network. The owner of
the host assigns this address.
32.1 Scaling Networks with NAT and PAT
32.1.3 Major NAT and PAT features
NAT translations
can be used for a variety of purposes and can be either dynamically or
statically assigned. Static NAT is designed to allow one-to-one mapping of
local and global addresses. This is particularly useful for hosts which must
have a consistent address that is accessible from the Internet. These internal
hosts may be enterprise servers or networking devices.
Dynamic NAT is
designed to map a private IP address to a public address. Any IP address from a
pool of public IP addresses is assigned to a network host. Overloading, or Port
Address Translation (PAT), maps multiple private IP addresses to a single
public IP address. Multiple addresses can be mapped to a single address because
each private address is tracked by a port number.
PAT uses unique
source port numbers on the inside global IP address to distinguish between
translations. The port number is encoded
in 16 bits. The total number of internal addresses that can be translated to
one external address could theoretically be as high as 65,536 per IP address.
Realistically, the number of ports that can be assigned a single IP address is
around 4000. PAT will attempt to preserve the original source port. If this
source port is already used, PAT will assign the first available port number
starting from the beginning of the appropriate port group 0-511, 512-1023, or
1024-65535. When there are no more ports available and there is more than one
external IP address configured, PAT moves to the next IP address to try to
allocate the original source port again. This process continues until it runs
out of available ports and external IP addresses.
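The port-allocation rule just described, as an added simulation in Python (not Cisco code; the table layout, the pool 179.9.8.80-81 and the inside hosts are constructed): preserve the source port when free, otherwise take the first free port from the start of the port's group, and move to the next inside global address only when the group is exhausted on the current one.

```python
from dataclasses import dataclass, field
from typing import Iterator, Optional

# Port groups named in the text: a source port that cannot be preserved is
# replaced by the first free port counted from the start of its own group.
PORT_GROUPS = ((0, 511), (512, 1023), (1024, 65535))

Socket = tuple[str, int]  # (IP address, port)


def candidate_ports(port: int) -> Iterator[int]:
    """Yield the original port first, then the rest of its group in order."""
    for lo, hi in PORT_GROUPS:
        if lo <= port <= hi:
            yield port
            yield from (p for p in range(lo, hi + 1) if p != port)
            return
    raise ValueError(f"port {port} outside 0-65535")


@dataclass
class PatTable:
    """Translation table of one NAT device. `global_addrs` is the inside global
    pool in the order PAT tries it (assumed model, not Cisco's data structure)."""
    global_addrs: list[str]
    out_to_in: dict[Socket, Socket] = field(default_factory=dict)  # global -> local
    in_to_out: dict[Socket, Socket] = field(default_factory=dict)  # local -> global

    def translate(self, local: Socket) -> Optional[Socket]:
        """Outbound packet: return the inside global socket, allocating one for a
        new flow. None means every port of the group is used on every global
        address, the exhaustion case the text describes."""
        if local in self.in_to_out:            # existing flow keeps its mapping
            return self.in_to_out[local]
        for gaddr in self.global_addrs:
            # try to preserve the source port, else first free port of the group
            for port in candidate_ports(local[1]):
                if (gaddr, port) not in self.out_to_in:
                    self.out_to_in[(gaddr, port)] = local
                    self.in_to_out[local] = (gaddr, port)
                    return gaddr, port
            # group exhausted on this address: move on to the next global address
        return None

    def untranslate(self, glob: Socket) -> Optional[Socket]:
        """Inbound reply: map the inside global socket back to the inside local
        one. None means no entry exists and the packet cannot be delivered."""
        return self.out_to_in.get(glob)

    def release(self, local: Socket) -> None:
        """Drop a flow, as the idle timeout or `clear ip nat translation` does."""
        glob = self.in_to_out.pop(local, None)
        if glob is not None:
            del self.out_to_in[glob]


if __name__ == "__main__":
    # Constructed scenario: two inside hosts both use source port 1030 behind a
    # pool of two inside global addresses.
    pat = PatTable(["179.9.8.80", "179.9.8.81"])
    print(pat.translate(("10.1.0.10", 1030)))     # ('179.9.8.80', 1030)
    print(pat.translate(("10.1.0.11", 1030)))     # ('179.9.8.80', 1024)
    print(pat.untranslate(("179.9.8.80", 1024)))  # ('10.1.0.11', 1030)
```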
NAT offers the
following benefits:
- Eliminates reassigning each
host a new IP address when changing to a new ISP. NAT eliminates the need
to readdress all hosts that require external access, saving time and
money.
- Conserves addresses through
application port-level multiplexing. With PAT, internal hosts can share a
single public IP address for all external communications. In this type of
configuration, very few external addresses are required to support many
internal hosts, thereby conserving IP addresses.
- Protects network security. Because private networks do not advertise their addresses or internal topology, they remain reasonably secure when used in conjunction with NAT to gain controlled external access.
32.1 Scaling Networks with NAT and PAT
32.1.4 Configuring NAT and PAT
Static Translation
To configure
static inside source address translation, perform the tasks in Figures and .
Figure shows the use of static NAT translation. The
router will translate packets from host 10.1.1.2 to a source address of 192.168.1.2.
Dynamic Translation
To configure
dynamic inside source address translation, perform the tasks in Figure .
The access list
must permit only those addresses that are to be translated. Remember that there
is an implicit “deny all” at the end of each access list. An access list that
is too permissive can lead to unpredictable results. Cisco advises against
configuring access lists referenced by NAT commands with the permit any
command. Using permit any can result in NAT consuming too many router
resources, which can cause network problems.
Figure translates all source addresses passing access list 1, which have a source address in 10.1.0.0/24, to an address from the pool named nat-pool1. The pool contains addresses from 179.9.8.80/24 to 179.9.8.95/24.
NOTE:
NAT will not
translate the host 10.1.1.2, as it is not permitted for translation by the
access list.
Overloading
Overloading is
configured in two ways depending on how public IP addresses have been
allocated. An ISP can allocate a network only one public IP address, and this
is typically assigned to the outside interface which connects to the ISP.
Figure shows how to configure
overloading in this situation.
Another way of
configuring overload is if the ISP has given one or more public IP addresses
for use as a NAT pool. This pool can be overloaded as shown in the
configuration in Figure .
Figure shows an example configuration of PAT.
32.1 Scaling Networks with NAT and PAT
32.1.5 Verifying PAT configuration
Once NAT is
configured, use the clear and show commands to verify that it is operating as
expected.
By default, dynamic address translations will time out from the NAT translation table after a period of non-use. When port translation is not configured, translation entries time out after 24 hours, unless the timers are reconfigured with the ip nat translation timeout timeout_seconds command from global configuration mode. Clear the entries before the timeout by using one of the commands in Figure .
Translation information may be displayed by performing one of the tasks in EXEC mode.
Alternatively, use the show run
command and look for NAT, access list, interface, or pool commands with the
required values.
32.1 Scaling Networks with NAT and PAT
32.1.6 Troubleshooting NAT and PAT configuration
When IP
connectivity problems in a NAT environment exist, it is often difficult to
determine the cause of the problem. Many times NAT is mistakenly blamed, when
in reality there is an underlying problem.
When trying to
determine the cause of an IP connectivity problem, it helps to rule out NAT.
Use the following steps to determine whether NAT is operating as expected:
- Based on the configuration,
clearly define what NAT is supposed to achieve.
- Verify that correct translations
exist in the translation table.
- Verify the translation is
occurring by using show and debug commands.
- Review in detail what is
happening to the packet and verify that routers have the correct routing
information to move the packet along.
Use the debug ip nat command to verify the operation of the NAT feature by displaying information about every packet that is translated by the router. The debug ip nat detailed command generates a description of each packet considered for translation. This command also outputs information about certain errors or exception conditions, such as the failure to allocate a global address.
Figure shows a sample debug ip nat output. In this
example, the first two lines of the debugging output show that a Domain Name System
(DNS) request and reply were produced. The remaining lines show the debugging
output of a Telnet connection from a host on the inside of the network to a
host on the outside of the network.
Decode the debug
output by using the following key points:
- The asterisk next to NAT
indicates that the translation is occurring in the fast-switched path. The
first packet in a conversation will always go through the slow path, which
means this first packet is process-switched. The remaining packets will go
through the fast-switched path if a cache entry exists.
- s = a.b.c.d is the source
address.
- Source address a.b.c.d is
translated to w.x.y.z.
- d = e.f.g.h is the destination
address.
- The value in brackets is the IP
identification number. This information may be useful for debugging. This
is useful, for example, because it enables correlation with other packet
traces from protocol analyzers.
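A decoder for the debug ip nat line format using exactly the key points listed above, written here as an added Python example (not from the course or Cisco); the sample output is constructed, not the missing figure, and reuses the static mapping 10.1.1.2 -> 192.168.1.2 from 32.1.4.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Shape of a `debug ip nat` line as decoded in the text: NAT or NAT* (fast path),
# s=<source>[-><translated>], d=<destination>[-><translated>] [<IP id>].
# Using search() rather than match() tolerates an IOS timestamp in front.
LINE_RE = re.compile(
    r"\bNAT(?P<fast>\*?): s=(?P<s>[\d.]+)(?:->(?P<s_xl>[\d.]+))?,"
    r" d=(?P<d>[\d.]+)(?:->(?P<d_xl>[\d.]+))? \[(?P<ip_id>\d+)\]"
)


@dataclass(frozen=True)
class NatEvent:
    fast_path: bool     # '*' present: translated in the fast-switched path
    direction: str      # "outbound" (source rewritten) or "inbound" (destination rewritten)
    inside_local: str
    inside_global: str
    outside: str
    ip_id: int          # IP identification field, for correlating with captures


def parse_line(line: str) -> Optional[NatEvent]:
    """Decode one debug line; None for lines that are not translation events."""
    m = LINE_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    fast, ip_id = bool(g["fast"]), int(g["ip_id"])
    if g["s_xl"]:   # source rewritten: inside host sending out
        return NatEvent(fast, "outbound", g["s"], g["s_xl"], g["d"], ip_id)
    if g["d_xl"]:   # destination rewritten: reply coming back in
        return NatEvent(fast, "inbound", g["d_xl"], g["d"], g["s"], ip_id)
    return None


def summarize(lines: Iterable[str]) -> dict:
    """Count slow- and fast-path events and collect the inside local -> inside
    global bindings the trace shows, so they can be compared with what the
    configuration is supposed to achieve (the first two troubleshooting steps)."""
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    bindings: dict[str, set[str]] = {}
    for ev in events:
        bindings.setdefault(ev.inside_local, set()).add(ev.inside_global)
    return {
        "events": len(events),
        "slow_path": sum(not ev.fast_path for ev in events),
        "fast_path": sum(ev.fast_path for ev in events),
        "bindings": {k: sorted(v) for k, v in bindings.items()},
    }


# Constructed sample output (not the course figure): one DNS exchange through the
# slow path, then a Telnet session whose later packets hit the fast path.
SAMPLE_DEBUG = """\
NAT: s=10.1.1.2->192.168.1.2, d=172.16.2.2 [6825]
NAT: s=172.16.2.2, d=192.168.1.2->10.1.1.2 [21852]
NAT*: s=10.1.1.2->192.168.1.2, d=172.16.2.3 [6826]
NAT*: s=172.16.2.3, d=192.168.1.2->10.1.1.2 [34001]
NAT*: s=10.1.1.2->192.168.1.2, d=172.16.2.3 [6827]
%SYS-5-CONFIG_I: Configured from console by console
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_DEBUG.splitlines()))
```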
32.1 Scaling Networks with NAT and PAT
32.1.7 Issues with NAT
NAT has several
advantages, including:
- Conserves the legally
registered addressing scheme by allowing the privatization of intranets.
- Increases the flexibility of
connections to the public network. Multiple pools, backup pools, and load
balancing pools can be implemented to assure reliable public network
connections.
- Consistency of the internal
network addressing scheme. On a network without private IP addresses and
NAT, changing public IP addresses requires the renumbering of all hosts on
the existing network. The costs of renumbering hosts can be significant.
NAT allows the existing scheme to remain while supporting a new public
addressing scheme.
NAT is not
without drawbacks. Enabling address translation will cause a loss of
functionality, particularly with any protocol or application that involves
sending IP address information inside the IP payload. This requires additional
support by the NAT device.
NAT increases
delay. Switching path delays are introduced because of the translation of each
IP address within the packet headers. The first packet will always go through
the slow path, which means this first packet is process-switched. The remaining
packets will go through the fast-switched path if a cache entry exists.
Performance may
be a consideration because NAT is currently accomplished by using process
switching. The CPU must look at every packet to decide whether it must be
translated. The CPU must alter the IP header, and possibly alter the TCP or UDP
header.
One significant
disadvantage when implementing and using NAT is the loss of end-to-end IP
traceability. It becomes much more difficult to trace packets that undergo
numerous packet address changes over multiple NAT hops. Hackers who want to
determine the source of a packet will find it difficult to trace or obtain the
original source or destination address.
NAT also forces some applications that use IP addressing to stop functioning because it hides end-to-end IP addresses. Applications that address a destination by its IP address instead of a fully qualified domain name will not reach destinations that are translated across the NAT router. Sometimes, this problem can be avoided by implementing static NAT mappings.
Cisco IOS NAT
supports the following traffic types:
- ICMP
- File Transfer Protocol (FTP),
including PORT and PASV commands
- NetBIOS over TCP/IP, datagram,
name, and session services
- RealNetworks' RealAudio
- White Pines' CUSeeMe
- Xing Technologies' StreamWorks
- DNS "A" and
"PTR" queries
- H.323/Microsoft NetMeeting, IOS
versions 12.0(1)/12.0(1)T and later
- VDOnet's VDOLive, IOS versions 11.3(4)/11.3(4)T and later
- VXtreme's Web Theater, IOS versions 11.3(4)/11.3(4)T and later
- IP Multicast, IOS version
12.0(1)T with source address translation only
Cisco IOS NAT
does not support the following traffic types:
- Routing table updates
- DNS zone transfers
- BOOTP
- talk and ntalk protocols
- Simple Network Management
Protocol (SNMP)
32.2 DHCP
32.2.1 Introducing DHCP
Dynamic Host
Configuration Protocol (DHCP) works in a client/server mode. DHCP enables DHCP
clients on an IP network to obtain their configurations from a DHCP server.
Less work is involved in managing an IP network when DHCP is used. The most
significant configuration option the client receives from the server is its IP
address. The DHCP protocol is described in RFC 2131.
A DHCP client is included in most modern operating systems, including the various Windows operating systems, Novell NetWare, Sun Solaris, Linux, and Mac OS. The client requests addressing values from the network DHCP server. This server manages the allocation of the IP addresses and will answer configuration requests from clients. The DHCP server can answer requests for many subnets. DHCP is not intended for configuring routers, switches, and servers. These types of hosts need to have static IP addresses.
DHCP works by
providing a process for a server to allocate IP information to clients. Clients
lease the information from the server for an administratively defined period.
When the lease expires the client must ask for another address, although the
client is typically reassigned the same address.
Administrators
typically prefer a network server to offer DHCP services because these
solutions are scalable and relatively easy to manage. Cisco routers can use a
Cisco IOS feature set, Easy IP, to offer an optional, full-featured DHCP
server. Easy IP leases configurations for 24 hours by default. This is useful
in small offices and home offices where the home user can take advantage of
DHCP and NAT without having an NT or UNIX server.
Administrators
set up DHCP servers to assign addresses from predefined pools. DHCP servers can
also offer other information, such as DNS server addresses, WINS server
addresses, and domain names. Most DHCP servers also allow the administrator to
define specifically what client MAC addresses can be serviced and automatically
assign them the same IP address each time.
DHCP uses User
Datagram Protocol (UDP) as its transport protocol. The client sends messages to
the server on port 67. The server sends messages to the client on port 68.
32.2 DHCP
32.2.2 BOOTP and DHCP differences
The Internet
community first developed the BOOTP protocol to enable configuration of
diskless workstations. BOOTP was originally defined in RFC 951 in 1985. As the
predecessor of DHCP, BOOTP shares some operational characteristics. Both
protocols are client/server based and use UDP ports 67 and 68. Those ports are
still known as BOOTP ports.
The four basic IP
parameters include:
- IP address
- Gateway address
- Subnet mask
- DNS server address
BOOTP does not
dynamically allocate IP addresses to a host. When a client requests an IP
address, the BOOTP server searches a predefined table for an entry that matches
the MAC address for the client. If an entry exists, then the corresponding IP
address for that entry is returned to the client. This means that the binding
between the MAC address and the IP address must have already been configured in
the BOOTP server.
There are two
primary differences between DHCP and BOOTP:
- DHCP defines mechanisms through
which clients can be assigned an IP address for a finite lease period.
This lease period allows for reassignment of the IP address to another
client later, or for the client to get another assignment, if the client
moves to another subnet. Clients may also renew leases and keep the same
IP address.
- DHCP provides the mechanism for
a client to gather other IP configuration parameters, such as WINS and
domain name.
32.2 DHCP
32.2.3 Major DHCP features
There are three
mechanisms used to assign an IP address to the client:
- Automatic allocation
– DHCP assigns a permanent IP address to a client.
- Manual allocation
– The IP address for the client is assigned by the administrator. DHCP
conveys the address to the client.
- Dynamic allocation
– DHCP assigns, or leases, an IP address to the client for a limited
period of time.
The focus of this
section is the dynamic allocation mechanism. Some of the configuration
parameters available are listed in IETF RFC 1533:
- Subnet mask
- Router
- Domain Name
- Domain Name Server(s)
- WINS Server(s)
The DHCP server creates pools
of IP addresses and associated parameters.
Pools are dedicated to an individual logical IP subnet. This allows
multiple DHCP servers to respond and IP clients to be mobile. If multiple servers
respond, a client can choose only one of the offers.
32.2 DHCP
32.2.4 DHCP operation
The DHCP client
configuration process uses the following steps:
- A client must have DHCP
configured when starting the network membership process. The client sends
a request to a server requesting an IP configuration. Sometimes the client
may suggest the IP address it wants, such as when requesting an extension
to a DHCP lease. The client locates a DHCP server by sending a broadcast
called a DHCPDISCOVER.
- When the server receives the
broadcast, it determines whether it can service the request from its own
database. If it cannot, the server may forward the request on to another
DHCP server. If it can, the DHCP server offers the client IP configuration
information in the form of a unicast DHCPOFFER. The DHCPOFFER is a
proposed configuration that may include IP address, DNS server address,
and lease time.
- If the client finds the offer
agreeable, it will send another broadcast, a DHCPREQUEST, specifically requesting
those particular IP parameters. Why does the client broadcast the request
instead of unicasting it to the server? A broadcast is used because the
first message, the DHCPDISCOVER, may have reached more than one DHCP
server. If more than one server makes an offer, the broadcasted
DHCPREQUEST allows the other servers to know which offer was accepted. The
offer accepted is usually the first offer received.
- The server that receives the
DHCPREQUEST makes the configuration official by sending a unicast acknowledgment,
the DHCPACK. It is possible, but highly unlikely, that the server will not
send the DHCPACK. This may happen because the server may have leased that
information to another client in the interim. Receipt of the DHCPACK
message enables the client to begin using the assigned address
immediately.
- If the client detects that the address is already in use on the local segment, it will send a DHCPDECLINE message and the process starts again. If the client receives a DHCPNAK from the server after sending the DHCPREQUEST, it will restart the process.
- If the client no longer needs
the IP address, the client sends a DHCPRELEASE message to the server.
Depending on an organization's policies, it may be possible for an end user or an administrator to statically assign a host an IP address that belongs in the DHCP server's address pool. Just in case, the Cisco IOS DHCP server always checks to make sure that an address is not in use before the server offers it to a client. The server will issue an ICMP echo request, or ping, to a pool address before sending the DHCPOFFER to a client. Although configurable, the default number of pings used to check for a potential IP address conflict is two.
32.2 DHCP
32.2.5 Configuring DHCP
Like NAT, a DHCP
server requires that the administrator define a pool of addresses. The ip dhcp
pool command defines which addresses will be assigned to hosts.
The first
command, ip dhcp pool, creates a pool with the specified name and puts the
router in a specialized DHCP configuration mode. In this mode, use the network
statement to define the range of addresses to be leased. If specific addresses on the network are to
be excluded, return to global configuration mode.
The ip dhcp
excluded-address command configures the router to exclude an individual address
or range of addresses when assigning addresses to clients. The ip dhcp
excluded-address command may be used to reserve addresses that are statically
assigned to key hosts, for instance, the interface address on the router.
Typically, a DHCP
server will be configured to assign much more than an IP address. Other IP
configuration values such as the default gateway can be set from the DHCP
configuration mode. Using the default-router command sets the default gateway.
The address of the DNS server, dns-server, and WINS server,
netbios-name-server, can also be configured here. The IOS DHCP server can
configure clients with virtually any TCP/IP information.
A list of the key IOS DHCP server commands entered in the DHCP pool configuration mode is shown in Figure .
The DHCP service
is enabled by default on versions of Cisco IOS that support it. To disable the
service, use the no service dhcp command. Use the service dhcp global
configuration command to re-enable the DHCP server process.
32.2 DHCP
32.2.6 Verifying DHCP operation
To verify the
operation of DHCP, the command show ip dhcp binding can be used. This displays
a list of all bindings created by the DHCP service.
To verify that
messages are being received or sent by the router, use the command show ip dhcp
server statistics. This will display count information regarding the number of
DHCP messages that have been sent and received.
32.2 DHCP
32.2.7 Troubleshooting DHCP
To troubleshoot
the operation of the DHCP server, the command debug ip dhcp server events can
be used. This command will show that the server periodically checks to see if
any leases have expired. Also displayed are the processes of addresses being
returned and addresses being allocated.
32.2 DHCP
32.2.8 DHCP Relay
DHCP clients use
IP broadcasts to find the DHCP server on the segment. What happens when the
server and the client are not on the same segment and are separated by a
router? Routers do not forward these broadcasts.
DHCP is not the
only critical service that uses broadcasts. Cisco routers and other devices may
use broadcasts to locate TFTP servers. Some clients may need to broadcast to
locate a TACACS server. A TACACS server is a security server. Typically, in a
complex hierarchical network, clients do not reside on the same subnet as key
servers. Such remote clients will broadcast to locate these servers. However,
routers, by default, will not forward client broadcasts beyond their subnet.
Because some
clients are useless without services such as DHCP, one of two choices must be
implemented. The administrator will need to place servers on all subnets or use
the Cisco IOS helper address feature. Running services such as DHCP or DNS on
several computers creates overhead and administrative difficulties making the
first option inefficient. When possible, administrators should use the ip
helper-address command to relay broadcast requests for these key UDP services.
By using the
helper address feature, a router can be configured to accept a broadcast
request for a UDP service and then forward it as a unicast to a specific IP
address. By default, the ip helper-address command forwards the following eight
UDP services:
- Time
- TACACS
- DNS
- BOOTP/DHCP Server
- BOOTP/DHCP Client
- TFTP
- NetBIOS Name Service
- NetBIOS datagram Service
In the particular
case of DHCP, a client broadcasts a DHCPDISCOVER packet on its local
segment. This packet is picked up by the
gateway. If a helper-address is configured, the DHCP packet is forwarded to the
specified address. Before forwarding the packet, the router fills in the GIADDR
field of the packet with the IP address of the router for that segment. This
address will then be the gateway address for the DHCP client, when it gets the
IP address.
The DHCP server
receives the discover packet. The server uses the GIADDR field to index into
the list of address pools in order to find one which has the gateway address
set to the value in GIADDR. This pool is then used to supply the client with
its IP address.
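The relayed exchange of 32.2.4 and 32.2.8 as an added Python simulation (not Cisco IOS code, which is configured with the commands named above): the relay fills GIADDR with its segment address, the server indexes its pools by GIADDR, skips addresses that are already in use (standing in for the pre-offer ping check) and answers a DHCPREQUEST with DHCPACK or DHCPNAK. Field names follow RFC 2131; the pool layout, MAC addresses and IP addresses are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network
from typing import Callable, Optional

DISCOVER, OFFER, REQUEST, ACK, NAK = "DHCPDISCOVER", "DHCPOFFER", "DHCPREQUEST", "DHCPACK", "DHCPNAK"
LEASE_SECONDS = 86400  # 24 hours, the Easy IP default mentioned in 32.2.1


@dataclass
class DhcpMsg:
    kind: str
    chaddr: str                   # client hardware (MAC) address
    giaddr: str = "0.0.0.0"       # relay agent address, zero until a router relays it
    yiaddr: str = "0.0.0.0"       # address offered or assigned to the client
    options: dict = field(default_factory=dict)


@dataclass
class Pool:
    """One address pool: subnet, default router, DNS server and excluded addresses."""
    network: IPv4Network
    default_router: str
    dns_server: str
    excluded: set = field(default_factory=set)
    bindings: dict = field(default_factory=dict)   # chaddr -> leased address


class DhcpServer:
    def __init__(self, pools: list[Pool], in_use: Callable[[str], bool] = lambda a: False):
        self.pools = pools
        self.in_use = in_use   # stands in for the ping check made before an offer

    def pool_for(self, giaddr: str) -> Optional[Pool]:
        """GIADDR indexes the pools: the one whose gateway address equals it is used."""
        return next((p for p in self.pools if p.default_router == giaddr), None)

    def free_address(self, pool: Pool) -> Optional[str]:
        taken = set(pool.bindings.values()) | pool.excluded | {pool.default_router}
        for host in pool.network.hosts():
            addr = str(host)
            if addr not in taken and not self.in_use(addr):
                return addr
        return None   # pool exhausted

    def handle(self, msg: DhcpMsg) -> Optional[DhcpMsg]:
        pool = self.pool_for(msg.giaddr)
        if pool is None:
            return None    # no pool for that segment (or GIADDR still zero): dropped
        opts = {"router": pool.default_router, "dns": pool.dns_server, "lease": LEASE_SECONDS}
        if msg.kind == DISCOVER:
            addr = pool.bindings.get(msg.chaddr) or self.free_address(pool)
            if addr is None:
                return None
            pool.bindings[msg.chaddr] = addr   # a returning client gets its old address
            return DhcpMsg(OFFER, msg.chaddr, msg.giaddr, addr, opts)
        if msg.kind == REQUEST:
            wanted = msg.options.get("requested_addr")
            if pool.bindings.get(msg.chaddr) == wanted:
                return DhcpMsg(ACK, msg.chaddr, msg.giaddr, wanted, opts)
            return DhcpMsg(NAK, msg.chaddr, msg.giaddr)   # not the address we offered
        return None


class RelayRouter:
    """Router interface on the client segment with `ip helper-address` set; the
    server object stands in for the unicast sent to that helper address."""
    def __init__(self, interface_addr: str, helper: DhcpServer):
        self.interface_addr = interface_addr
        self.helper = helper

    def relay(self, broadcast: DhcpMsg) -> Optional[DhcpMsg]:
        if broadcast.giaddr == "0.0.0.0":        # first relay hop fills in GIADDR
            broadcast.giaddr = self.interface_addr
        return self.helper.handle(broadcast)     # reply returns through the relay


def obtain_lease(relay: RelayRouter, mac: str) -> Optional[DhcpMsg]:
    """Client side: broadcast DISCOVER, accept the OFFER, REQUEST it, return the ACK
    (None when the server stays silent or answers with a NAK)."""
    offer = relay.relay(DhcpMsg(DISCOVER, mac))
    if offer is None or offer.kind != OFFER:
        return None
    ack = relay.relay(DhcpMsg(REQUEST, mac, options={"requested_addr": offer.yiaddr}))
    return ack if ack is not None and ack.kind == ACK else None
```

With a pool for 10.2.0.0/24 whose gateway is 10.2.0.1 and 10.2.0.2-10 excluded, `obtain_lease(RelayRouter("10.2.0.1", DhcpServer([pool])), mac)` returns a DHCPACK with yiaddr 10.2.0.11, router option 10.2.0.1 and GIADDR 10.2.0.1, while a relay on a segment with no matching pool gets no answer at all.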
Summary
An understanding
of the following key points should have been achieved:
- Private addresses are for
private, internal use and should never be routed by a public Internet
router.
- NAT alters the IP header of a
packet so that the destination address, the source address, or both
addresses are replaced with different addresses.
- PAT uses unique source port
numbers on the inside global IP address to distinguish between
translations.
- NAT translations can occur dynamically
or statically and can be used for a variety of uses.
- NAT and PAT may be configured
for static translation, dynamic translation, and overloading.
- The process for verifying NAT and PAT configuration includes the clear and show commands.
- The debug ip nat command is
used for troubleshooting NAT and PAT configuration.
- NAT has advantages and
disadvantages.
- DHCP works in a client/server
mode, enabling clients to obtain IP configurations from a DHCP server.
- BOOTP is the predecessor of
DHCP and shares some operational characteristics with DHCP, but BOOTP is
not dynamic.
- A DHCP server manages pools of
IP addresses and associated parameters. Each pool is dedicated to an
individual logical IP subnet.
- The DHCP client configuration
process has four steps.
- Usually, a DHCP server is configured to assign more than IP addresses.
- The show ip dhcp binding
command is used to verify DHCP operation.
- The debug ip dhcp server events
command is used for troubleshooting DHCP.
- When a DHCP server and a client are not on the same segment and are separated by a router, the ip helper-address command is used to relay broadcast requests.