
Rick Graziani
graziani@cabrillo.edu
BOOTP and DHCP differences
There are two primary differences between DHCP and BOOTP:

1. DHCP defines mechanisms through which clients can be assigned an IP
address for a finite lease period. This lease period allows the IP address
to be reassigned to another client later, or lets the client obtain another
assignment if it moves to another subnet. Clients may also renew leases and
keep the same IP address.
2. DHCP provides the mechanism for a client to gather other IP configuration
parameters, such as the WINS server and domain name.

Major DHCP features

Dynamic Host Configuration Protocol
(DHCP)
DHCP Relay
DHCP clients use IP broadcasts to find the DHCP server on the
segment.
What happens when the server and the client are not on the same
segment and are separated by a router?
Routers do not forward these broadcasts.
When possible, administrators should use the ip helper-address
command to relay broadcast requests for these key UDP services.
Using helper addresses
Configuring IP helper addresses
To configure RTA e0, the interface that receives the Host A broadcasts, to
relay DHCP broadcasts as a unicast to the DHCP server, use the
following commands:
RTA(config)#interface e0
RTA(config-if)#ip helper-address 172.24.1.9
Configuring IP helper addresses
Helper address configuration that relays broadcasts to all servers on the
segment.
RTA(config)#interface e0
RTA(config-if)#ip helper-address 172.24.1.255
But will RTA forward the broadcast?
RTA(config)#interface e0
RTA(config-if)#ip helper-address 172.24.1.255
RTA(config)#interface e3
RTA(config-if)#ip directed-broadcast
Configuring IP helper addresses
By default, the ip helper-address command forwards eight UDP services.
Directed Broadcast
Notice that the RTA interface e3, which connects to the server farm, is not
configured with helper addresses.
However, the interface output shows that directed broadcast forwarding is
disabled on e3.
This means that the router will not convert the logical (Layer 3) broadcast
172.24.1.255 into a physical (Layer 2) broadcast with a destination MAC address
of FF-FF-FF-FF-FF-FF.
Directed-broadcast forwarding is disabled by default because it lets a single
packet from outside the segment reach every node on it, so enable it only on
the server-farm interface that needs it and prefer unicast helper addresses
where possible.
To allow all the nodes in the server farm to receive the broadcasts at Layer 2,
e3 must be configured to forward directed broadcasts with the following
command:
RTA(config)#interface e3
RTA(config-if)#ip directed-broadcast
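The relay step described above, as an added Python example that is not part of the slides: a client DHCPDISCOVER is decoded using the BOOTP/DHCP fixed header from RFC 2131, the relay records its receiving interface address in giaddr (the field the server uses to pick the right subnet pool), increments hops, and forwards the packet as a unicast to the helper address. RTA's e0 address is not given in the slides, so 10.0.0.1 is a placeholder; the sample client MAC is constructed and the 16-hop limit is the one RFC 1542 specifies.

```python
# Added example (not from the slides): what a DHCP relay agent does to a client
# broadcast before unicasting it to the ip helper-address. Layout is the fixed
# BOOTP/DHCP header of RFC 2131; options after the magic cookie are passed through.
import struct

# op,htype,hlen,hops,xid,secs,flags,ciaddr,yiaddr,siaddr,giaddr,chaddr,sname,file
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"          # 236 bytes
DHCP_COOKIE = b"\x63\x82\x53\x63"

def ip2b(s): return bytes(int(o) for o in s.split("."))
def b2ip(b): return ".".join(str(x) for x in b)

def build_discover(xid, mac):
    """Constructed sample DHCPDISCOVER as Host A broadcasts it (option 53 = 1)."""
    zero = ip2b("0.0.0.0")
    hdr = struct.pack(BOOTP_HDR, 1, 1, 6, 0, xid, 0, 0x8000,   # op=BOOTREQUEST, flags=broadcast
                      zero, zero, zero, zero, mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + DHCP_COOKIE + bytes([53, 1, 1, 255])

def header(frame):
    """Decode the fields a relay cares about from the fixed header."""
    f = struct.unpack(BOOTP_HDR, frame[:236])
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "giaddr": b2ip(f[10]), "chaddr": f[11][:f[2]].hex()}

def relay(frame, relay_if_ip, helper_ip, max_hops=16):
    """Return (unicast destination, rewritten packet), or None if the relay drops it."""
    fields = list(struct.unpack(BOOTP_HDR, frame[:236]))
    if fields[0] != 1 or fields[3] >= max_hops:   # only client requests, and no loops
        return None
    if fields[10] == ip2b("0.0.0.0"):             # first relay on the path records itself;
        fields[10] = ip2b(relay_if_ip)            # later relays keep the original giaddr
    fields[3] += 1                                # hops
    return helper_ip, struct.pack(BOOTP_HDR, *fields) + frame[236:]
```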
ACCESS CONTROL LISTS
Standard ACL                          Extended ACL
Range: 1-99                           Range: 100-199
General                               Specific
Filters on source address only        Filters on source and destination address
Applied close to the destination      Applied close to the source
Filters the complete protocol suite   Can filter one protocol out of the complete protocol suite
C(config)# access-list 10 deny 2.1.1.1 0.0.0.0
C(config)# access-list 10 permit any

C(config)# interface serial 1/0
C(config-if)# ip access-group 10 in
B(config)# access-list 101 deny tcp 200.100.100.1 0.0.0.0 200.100.150.100 0.0.0.0 eq telnet
B(config)# access-list 101 permit ip any any

B(config)# interface serial 1/0
B(config-if)# ip access-group 101 out
Create a Named Standard ACL on R2 that should deny packets sourced by host 1.1.1.1
and apply the list to fa 0/0
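As an added example that is not part of the slides, this Python model evaluates access-list 10 and access-list 101 above the way IOS does (entries tested top-down, first match wins, implicit deny at the end), so the effect of a wildcard mask can be checked before a list is applied to an interface. The Ace class and the packet dictionary format are constructed for the example.

```python
# Added example (not from the slides): a small model of IOS ACL evaluation.
# Wildcard-mask bits set to 1 are ignored, entries are tested in order and the
# first match wins, and anything matching no entry hits the implicit "deny any".
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # address/wildcard pair meaning "any"

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Compare only the bits where the wildcard is 0 (0.0.0.0 = exact host match)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

@dataclass
class Ace:
    action: str                        # "permit" or "deny"
    proto: str = "ip"                  # "ip" matches any protocol; "tcp"/"udp" are specific
    src: Tuple[str, str] = ANY         # (address, wildcard) of the source
    dst: Tuple[str, str] = ANY         # (address, wildcard) of the destination
    dport: Optional[int] = None        # "eq <port>" on the destination, if present

def evaluate(acl, pkt) -> str:
    """Return the action of the first matching entry, or the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *ace.src):
            continue
        if not wildcard_match(pkt["dst"], *ace.dst):
            continue
        if ace.dport is not None and pkt.get("dport") != ace.dport:
            continue
        return ace.action
    return "deny"   # implicit deny any at the end of every IOS ACL

# access-list 10 deny 2.1.1.1 0.0.0.0 / access-list 10 permit any
ACL_10 = [Ace("deny", src=("2.1.1.1", "0.0.0.0")), Ace("permit")]
# access-list 101 deny tcp 200.100.100.1 0.0.0.0 200.100.150.100 0.0.0.0 eq telnet
# access-list 101 permit ip any any
ACL_101 = [Ace("deny", "tcp", ("200.100.100.1", "0.0.0.0"),
               ("200.100.150.100", "0.0.0.0"), 23),
           Ace("permit")]
```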






STATIC NAT
R1(config)# interface serial 1/0
R1(config-if)# ip nat outside
R1(config)# interface fastethernet 0/0
R1(config-if)# ip nat inside
R1(config)# ip nat inside source static 192.168.1.5 12.1.1.3




DYNAMIC NAT (ADDRESS POOL)
R1(config)# access-list 10 permit host 192.168.1.5
R1(config)# access-list 10 permit host 192.168.1.6
R1(config)# access-list 10 permit host 192.168.1.7
R1(config)# access-list 10 permit host 192.168.1.8
R1(config)# ip nat pool ABC 12.1.1.3 12.1.1.5 netmask 255.0.0.0
R1(config)# ip nat inside source list 10 pool ABC
R1(config)# interface serial 1/0
R1(config-if)# ip nat outside
R1(config)# interface fastethernet 0/0
R1(config-if)# ip nat inside
R1(config)# interface fastethernet 0/0
R1(config-if)# ip address 192.168.1.6 255.255.255.0 secondary
R1(config-if)# ip address 192.168.1.7 255.255.255.0 secondary
R1(config-if)# ip address 192.168.1.8 255.255.255.0 secondary

PORT ADDRESS TRANSLATION (PAT)
OVERLOADING
R1(config)# access-list 10 permit host 192.168.1.5
R1(config)# access-list 10 permit host 192.168.1.6
R1(config)# access-list 10 permit host 192.168.1.7
R1(config)# access-list 10 permit host 192.168.1.8
R1(config)# ip nat pool ABC 12.1.1.3 12.1.1.3 netmask 255.0.0.0
R1(config)# ip nat inside source list 10 pool ABC overload
R1(config)# interface serial 1/0
R1(config-if)# ip nat outside
R1(config)# interface fastethernet 0/0
R1(config-if)# ip nat inside
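Added example, not from the slides: a simplified Python model of the two translations configured above, the dynamic pool 12.1.1.3-12.1.1.5 without overload and PAT overload onto the single address 12.1.1.3. It shows why the fourth host permitted by access-list 10 gets no translation from a three-address pool while PAT serves all four from one address by varying the source port. The port allocator and the source port 40000 used by the sample hosts are constructed; IOS translation timers and source-port preservation are left out.

```python
# Added example (not from the slides): dynamic NAT pool vs. PAT overload.
# Hosts not permitted by access-list 10 get no translation entry at all.
from ipaddress import IPv4Address

INSIDE_LIST_10 = {"192.168.1.5", "192.168.1.6", "192.168.1.7", "192.168.1.8"}

class NatPool:
    def __init__(self, first, last, overload=False):
        lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
        self.free = [str(IPv4Address(n)) for n in range(lo, hi + 1)]  # unused pool addresses
        self.overload = overload
        self.host_map = {}      # dynamic NAT: inside local ip -> inside global ip
        self.table = {}         # PAT: (inside ip, port) -> (inside global ip, global port)
        self.next_port = 1024   # constructed, simplified port allocator for PAT

    def translate(self, inside_ip, inside_port):
        """Return the (inside global ip, port) an outbound flow is rewritten to, or None."""
        if inside_ip not in INSIDE_LIST_10:
            return None                          # not matched by access-list 10: no entry built
        if self.overload:
            # PAT: every host shares the single pool address; the port keeps flows distinct
            key = (inside_ip, inside_port)
            if key not in self.table:
                self.table[key] = (self.free[0], self.next_port)
                self.next_port += 1
            return self.table[key]
        # Dynamic NAT: one pool address per inside host, source port left unchanged
        if inside_ip not in self.host_map:
            if not self.free:
                return None                      # pool exhausted: this host cannot get out
            self.host_map[inside_ip] = self.free.pop(0)
        return (self.host_map[inside_ip], inside_port)

def demo():
    """Run the four inside hosts through both configurations from the slides."""
    pool = NatPool("12.1.1.3", "12.1.1.5")               # ip nat pool ABC 12.1.1.3 12.1.1.5
    pat = NatPool("12.1.1.3", "12.1.1.3", overload=True) # ip nat pool ABC 12.1.1.3 12.1.1.3 + overload
    hosts = sorted(INSIDE_LIST_10)
    return ([pool.translate(h, 40000) for h in hosts],
            [pat.translate(h, 40000) for h in hosts])
```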



Network Management Tools
Syslog, SNMP & Netflow


Syslog is a standard for logging program messages. It sends messages to a
Syslog server over UDP or TCP port 514 (UDP is the default). It separates the
software that generates messages from the system that stores them and from the
software that reports on and analyzes them. It also gives devices that would
otherwise have no way to communicate a means to notify administrators of
problems or performance issues.
SNMP is a set of protocols for managing complex networks. It uses UDP as its
transport. SNMP-capable devices store information about themselves in
Management Information Bases (MIBs) and return the stored data to SNMP
requesters.

Router Logging
Configure the router to send log messages to:
Console: Console logging is used when modifying or
testing the router while it is connected to the console.
Messages sent to the console are not stored by the
router and, therefore, are not very valuable as security
events.
Terminal lines: Configure enabled EXEC sessions to
receive log messages on any terminal lines. Similar to
console logging, this type of logging is not stored by the
router and, therefore, is only valuable to the user on that
line.
Buffered logging: Store log messages in router
memory. Log messages are stored for a time, but events
are cleared whenever the router is rebooted.
Syslog: Configure routers to forward log messages to an
external syslog service. This service can reside on any
number of servers, including Microsoft Windows and
UNIX-based systems, or the Cisco Security MARS
appliance.
Syslog - Mechanism
Syslog servers: Known as log hosts, these systems
accept and process log messages from syslog clients.
Syslog clients: Routers or other types of equipment that
generate and forward log messages to syslog servers.
[Figure: syslog topology. R3 (Syslog Client) has interfaces e0/0 10.2.1.1,
e0/1 10.2.2.1 and e0/2 10.2.3.1. DMZ LAN 10.2.2.0/24: Public Web Server
10.2.2.3, Mail Server 10.2.2.4, Administrator Server 10.2.2.5. Protected LAN
10.2.3.0/24: User 10.2.3.3, Syslog Server 10.2.3.2.]


Configuring System Logging
R3(config)# logging 10.2.2.6
R3(config)# logging trap informational
R3(config)# logging source-interface loopback 0
R3(config)# logging on
1. Set the destination logging host
2. Set the log severity (trap) level
3. Set the source interface
4. Enable logging
Turn logging on and off using the logging buffered, logging monitor, and
logging commands.

SNMP ARCHITECTURE





Capturing Running-Configurations &
comparing using Ultra-Edit Software


SNMP vs. NetFlow
Both gather statistics from network devices.
Data collected: SNMP gathers device statistics (e.g. CPU usage, memory usage,
interface errors); its primary focus is collecting statistics from components
within network devices. NetFlow gathers traffic statistics (information about
IP traffic flowing through the device) and only traffic statistics.
Model: SNMP uses a pull-based model, the NMS queries SNMP agents. NetFlow uses
a push-based model, devices send data to the collector.
Granularity: SNMP is less granular; NetFlow is more granular.
Availability: SNMP is available on all enterprise network devices; NetFlow is
available on routers and high-end switches.
