CCNA (200-301) Topics: NAT, NTP, & DHCP

Captions
Hey, welcome back to the channel, everybody. This is Kevin. You might remember earlier this year that I got together with a couple of good friends, Charles Judd and Anthony Sequeira, and over the period of three days we taught you topics from the CCNA, the ENCOR and the ENARSI exams. I thought for this week's video it might be fun to show you a segment from the Cert Summit, and in this segment I'm going to be teaching you three topics from the CCNA exam blueprint. Specifically, in this video we'll be covering Network Address Translation, or NAT; Network Time Protocol, NTP; and we'll be talking about the Dynamic Host Configuration Protocol, or DHCP. This video is longer than normal, I think it's over an hour long, so get comfortable, get some snacks, and do me a favor: if you enjoy this video, please give me a like down below and subscribe so you don't miss any of our weekly content. Now join me for this segment from the Cert Summit.

Welcome back, everybody, to our final session. Can you believe it? Session number six of six. It's the part two session of day three of the Cert Summit, and in this session we're going to be talking about three different IP services that you need to know about on the CCNA exam. This also kind of bleeds over to the ENCOR exam as well; we're definitely going to be talking about some ENCOR content in this session.

Now, we want to start off with Network Address Translation, or NAT. There are a few different versions of NAT, and we're going to be demonstrating several of those different versions, but let's think about what the purpose in life is for NAT. For one thing, we know that we're out of IPv4 addresses. NAT has allowed us to continue putting up new networks running IPv4 addressing without overlapping one another's addresses and causing problems. The way that works is we can have private IP addressing inside of our network, remember those RFC 1918 addresses that are not routable on the public internet. We could use
those inside our organization, and then we could have one or a few publicly routable addresses that our internet service provider gives us or sells us, and we can translate between those private addresses that are not routable on the public internet out to those internet-routable addresses.

Now let's take a look at how this can work here on this topology on screen. I want to make my camera just a little bit smaller; I know I was overlapping some stuff in the last session, so I'm going to be just a little thumbnail up here. Hopefully that will make things a little bit better. There we go. But let's take a look at this topology. We've got a couple of clients on the inside of our network, clients 1 and 2, and we want to get out to this web server that's on the internet. The way this is going to work is we've got a private IP address of 10.1.1.1 on client 1, and it wants to go out to the internet. Well, that's not going to work, is it? That cannot be routable on the public internet. But R1 is a NAT-enabled router, so what's going to happen is the packet comes into R1, it's destined for 203.113.100, and we're going to translate it.

Now, before we get into this, there's some terminology we need to understand. We need to understand the inside versus the outside. That's going to be an important term in a few moments, because when you're configuring NAT, how does the router know? It doesn't know what you consider to be the inside of the network and the outside of the network, so we've got to tell it. There's going to be a command we're going to enter here in a few moments that says this interface is connected to the inside of our network. So in this case everything to the left of R1 is the inside, everything to the right of R1 is the outside. Client 1 sends this packet to R1; notice the source and destination IP addresses. The source is obviously client 1, the destination is that publicly routable IP address of the server. Well, the NAT-enabled router is going to take that private
address, that 10.1.1.1, and it's going to convert it into a publicly routable address. It's going to pick, in this case, from a pool of publicly routable addresses. This particular network has the luxury, the uncommon luxury, of having more than one publicly routable address, and they'll just pick a publicly routable address from that pool. Perhaps they choose 192.0.2. When client 2 wants to go out to the very same server, we could give it a different address that can be routed on the public internet.

I wanted to define some terms for you; please take some notes on this. This is one of the more confusing parts of NAT, because if you want to make a little table, we have four different kinds of NAT addresses: we have inside local, inside global, outside local and outside global. Wow, what does all that mean? Well, the first word tells us the device we're talking about. So if I'm talking about client 1 or client 2, it's going to be some kind of inside address, maybe inside local, maybe inside global, but "inside" says we're talking about a device on the inside of the network. If the first word is "outside", then we're talking about a device on the outside of the network, which in this case would be our web server. Okay, what's the difference then between inside local and inside global? Well, let's consider this, and you might want to put this in your notes: "local" is only going to be locally significant. It's not routable on the public internet; it can only be routed locally. A "global" address is globally routable, as the name suggests. So these addresses that are talking about client 1 and client 2 are inside devices that are on the inside of our network. If they have a local address, it's only routable locally, it's in the 10-dot address space; those are inside local addresses. What happens is those addresses get translated and go out to the internet. Well, here's where a lot of people get tripped up. They think we're outside the network now, so we must be some sort of an
outside address. No, no. What device is it talking about? Even after R1 translates 10.1.1.1, even after it translates it into 192.0.2.101, it's still talking about a device on the inside of our network. It's still talking about client 1, so it's still an inside address, but now it happens to be a globally routable address. That makes it an inside global address. That is a key point that trips up so many people; please get that. Then we're talking to the web server, and where does that live? It lives on the outside of our network. Is that a publicly routable address? Yes, it is. So that means the web server's address of 203.0.13.100 is an outside global address.

Our router R1 is making a NAT routing table, and it's keeping track of this. It knows that 10.1.1.1 gets translated into an inside global address of 192.0.2.101. That way, when the return traffic comes back in, if that return traffic has a destination address of 192.0.2.101, the router says, "Oh, I know who that's for." It's going to look at its table and see that if the address equals this, then the real inside local address is 10.1.1.1, and it's going to change it and send it into the inside network.

Now you might be thinking I left one out. I talked about inside local and inside global and outside global; I didn't talk about an outside local. Is that a thing? Kind of. I doubt that you will ever see one. Here's the idea. Let's say that you've got a couple of corporate sites, site A and site B, and the internet is in between. At each of these sites you're using private IP addressing. If you want to go from a private IP address at one site to a private IP address at another site over the public internet, where does that device live? It lives outside of your NAT router, but it's a locally significant address; it can only be routed locally. So that would be an outside local address. That is a pain to set up, I'll tell you. You have to get into a bunch of DNS stuff;
you have to have a DNS mapping to translate it into this and that. You don't want to do it that way; there are easier ways to do that. We talked about one yesterday, didn't we? We saw how VXLANs would allow us to route between private IP addresses over a routed network. Or the first thing that comes to mind here: we could just have a tunnel. We could have a GRE tunnel, we could have an IPsec tunnel interconnecting those two sites. It could look local to us. That's a way that we could get to a local address that happens to live at a remote site.

But in this case we had that luxury I mentioned, the luxury of a big pool of addresses we could pick from. We're kind of out of IPv4 addresses, though, so what do we normally get from our service provider? I don't know about you, but my service provider gave me a whopping one publicly routable IP address for my internet router, but I've got literally dozens of devices inside my home that need to get out to the internet and talk to one another. For those devices I'm using private address space, but they're all sharing that single publicly routable address. How does that work? Because it seems like all the return traffic coming back into my network is all going to be going to that one address. Once the router gets it, how does it know who to send it to? They're all destined for the same address. The answer is, in addition to keeping track of the source and destination IP addresses, there's a variant of NAT called Port Address Translation, or PAT. It keeps track of port numbers. Remember, when we're setting up a session, let's say with the web server, we've got a well-known address of 80 or 443 for HTTP or HTTPS, and we're going to be going to that destination address of 80 or 443. Well, we've also got to have a source address, don't we? That source address is a randomly selected number, sort of in the higher end; sometimes we call it an ephemeral port number or a dynamic port number. But in this case,
take a look at this example. Client 1 is picking one of those ephemeral port numbers and just happens to pick 41025, and it's going to this web server on the well-known port of 80. When the NAT router gets that, it says, "Let me make a note of not only the IP address that just came in; I'm going to make a note of the port number, its ephemeral port number, so when I see return traffic coming back in, I'm going to know where to send it." Now, in this case I wanted to show you kind of an edge case here. Notice that when we're sending it out to the internet, the NATting router has actually changed the source port ID; it changed it to 42025. That can happen, but let me make this very clear: usually it doesn't. Usually the port number that we had on the inside of the network is just carried on to the outside of the network. But think about this: if I've got a bunch of devices inside of my network, when they're setting up their sessions, like I said, they're just kind of randomly picking one of those ephemeral port numbers. What if they pick the same one? Well, if they pick the same one, the NATting router is going to prevent that overlap; it's going to make sure they're unique. So I'm showing you in this graphic that it doesn't have to be the same as the original ephemeral port number that our client selected, but it usually is. Those overlaps don't happen that often.

When client 2 wants to go out to this web server, we're all being translated into that one and only publicly routable IP address we have, which looks like it's 192.0.2.100, but we're keeping track of port number information, and we see that now in the NAT table. So when the return traffic comes back, if it comes back to 192.0.2.100 with a port number of 42025, we know to send it to client 1; if it comes back in with 42050, we know to send it to client 2.

Another variant of NAT kind of goes in the opposite direction, but technically you set it
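The translation behaviour described above, including the rare case where two inside hosts pick the same ephemeral port, as an added Python example that is not code from the video or from Cisco IOS. The router, the host addresses, the ports and the web server are constructed sample values (10.1.1.0/24 on the inside, 192.0.2.100 as the single inside global address, 203.0.113.100 as the outside server), and the table it returns is laid out with the four NAT address terms from the lesson.

```python
"""Toy NAT/PAT translation table: an added illustration, not code from the
video or from Cisco IOS. It models what a NAT-enabled router keeps in its
table: inside local (the private address of the inside host), inside global
(the routable address it was translated to), outside global (the server on
the internet) and, for PAT, the port numbers that let many inside hosts share
one inside global address. All hosts, addresses and ports are constructed
sample values from the RFC 1918 and RFC 5737 ranges."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Flow:
    inside_local_ip: str
    inside_local_port: int
    outside_global_ip: str
    outside_global_port: int


class PatRouter:
    """Port Address Translation (NAT overload): every inside host shares the
    single inside global address; the inside global port identifies the flow."""

    def __init__(self, inside_global: str, ephemeral=(1024, 65535)):
        self.inside_global = inside_global
        self.ephemeral = ephemeral
        self.by_local: dict = {}   # (inside local ip, port) -> inside global port
        self.by_global: dict = {}  # inside global port -> Flow

    def _allocate_port(self, wanted: int) -> int:
        # The client's own ephemeral port is normally carried through unchanged.
        # Only when another inside host already holds it does the router pick
        # the next unused port, so return traffic can never be ambiguous.
        if wanted not in self.by_global:
            return wanted
        lo, hi = self.ephemeral
        size = hi - lo + 1
        for offset in range(1, size):
            candidate = lo + (wanted - lo + offset) % size
            if candidate not in self.by_global:
                return candidate
        raise RuntimeError("no free inside global port")

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source to the inside global address/port."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.by_local:
            port = self._allocate_port(pkt.src_port)
            self.by_local[key] = port
            self.by_global[port] = Flow(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.inside_global, self.by_local[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: the destination port selects the inside host.
        A packet for a port nobody on the inside opened is dropped (None)."""
        flow = self.by_global.get(pkt.dst_port)
        if pkt.dst_ip != self.inside_global or flow is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, flow.inside_local_ip, flow.inside_local_port)

    def translation_table(self) -> list:
        """Rows in the layout of `show ip nat translations`; with no separate
        outside local address the column repeats outside global, as in the video."""
        rows = []
        for port, f in sorted(self.by_global.items()):
            outside = f"{f.outside_global_ip}:{f.outside_global_port}"
            rows.append({
                "inside_global": f"{self.inside_global}:{port}",
                "inside_local": f"{f.inside_local_ip}:{f.inside_local_port}",
                "outside_local": outside,
                "outside_global": outside,
            })
        return rows


def demo():
    """Two inside clients happen to pick the same ephemeral port, the collision
    case described above; the second flow gets a rewritten inside global port."""
    router = PatRouter("192.0.2.100")
    c1 = router.translate_outbound(Packet("10.1.1.1", 41025, "203.0.113.100", 80))
    c2 = router.translate_outbound(Packet("10.1.1.2", 41025, "203.0.113.100", 80))
    reply_to_c2 = router.translate_inbound(
        Packet("203.0.113.100", 80, "192.0.2.100", c2.src_port))
    # Unsolicited traffic to a port with no table entry has nowhere to go.
    stray = router.translate_inbound(Packet("203.0.113.100", 80, "192.0.2.100", 5555))
    return c1, c2, reply_to_c2, stray, router.translation_table()


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running `demo()` shows client 1 keeping its port 41025 while client 2, which chose the same port, leaves the router as 192.0.2.100:41026; the reply addressed to that port is handed back to 10.1.1.2 on its original port, and a packet for a port nobody opened is dropped, which is why a PAT router also acts as a basic stateful filter for inbound traffic.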
up like that. It's called port mapping. Now, a lot of gamers do this. If you've got some sort of a gaming system and your instructions say you need to open up a certain port so that you can receive incoming connections from the internet, well, those port numbers can be mapped to your gaming console. Let's see, the last time I set this up was for the church I was telling you about. They have an accounting server there at the church, and the outside accountants come in and do work on that accounting server, and they use Remote Desktop Protocol to do that. I had to set up a mapping to say, when traffic is coming in on the Remote Desktop Protocol port, then I'm going to direct it, using the same port, to this specific inside local address of the accounting computer, the accounting server. So that's a variant of NAT called port mapping that many gamers are very familiar with.

Now let's take a look at how to set this up. I want to set up both static NAT, where we say here's an inside local address and I always, always, always want it mapped to this inside global address, so it's always going to be the same; and, more commonly, a dynamic NAT configuration, where we have an access control list that matches all of our inside IP addresses, so we don't have to do them one at a time, and this group of addresses matched by the access control list will go pick an available IP address out of this pool that we're going to define. And if we don't have a pool, we'll take a look not just at NAT, we'll take a look at PAT, where we can have everybody sharing the same inside global address.

So let's go. Let me take my picture off the screen; I certainly don't want to block any of the topology or the output. Let's take a look at this basic configuration. We've got a PC at the top, a router R1, and we're going to this internet router at the bottom, and obviously we're going to be setting up NAT, Network Address Translation. We're
going to be setting that up on router R1. So let's go over to router R1, and remember earlier I said that the router itself has no clue what we consider to be the inside of the network and what we consider to be the outside of the network, so we need to tell it. If you look at this topology, you can see that Gig 0/1, which connects us to the PC, is inside of our network. So what I'm going to do is go into global configuration mode and into interface configuration mode for Gig 0/1, and I'm just going to say, "Hey, you're the inside." To do that we use the command ip nat inside. By the way, this happens all the time with VIRL: apparently what I just did was incredibly processor intensive, and VIRL fusses just a little bit. I love the terminology they use here, that was a "CPU hog." That always happens when I set up NAT, but it's calmed down now, so it's all right. Now I'm going to say what the outside is. I'll go into interface gigabit 0/2 and I'll say ip nat outside.

Now let's set up this static mapping. In this case, what is our inside local address? Well, it's the address of the PC; it's 192.168.1.100. We're going to be mapping it into, and I don't even show you this on screen, but we were saying that we've got an available address that we can map it into of 172.16.1.100. We're assuming that we've got that big pool of addresses. So here's the command, one simple command. I'll say ip nat inside source static. So, in other words, who is my inside address, my inside local address? Well, it's the PC, it's 192.168.1.100. What am I converting that into? I'm converting it into the inside global address of 172.16.1.100.
And we're done. Let's see if it works. Let's go over to our PC and see if I can ping the, quote unquote, internet. I've got a loopback interface on the internet router, and we'll see if we can ping it. Can I ping 1.1.1.1? Yes, I can. Don't be concerned about that first timeout; that was an ARP timeout. The PC said, "I have no clue what my next hop's MAC address is," so it sent out an ARP broadcast. Any subsequent pings are going to work just fine. Okay, that worked. Let's go take a look at the NAT table that should have been constructed during that. We'll do a show ip nat translations command. Look at that: the ICMP, by the way, that's our ping, and we see our inside global, that's what we translated into, that's 172.16.1.100. It translated our inside local address into that; that was the address of the PC. The outside global address, the address we were pinging, was all ones. Now, outside local, this is a little bit misleading. We didn't really have an outside local address in this case, and because we didn't, it just uses the same as the outside global address. So I give zero meaning to this column in nine out of nine cases, pretty much. But that shows our translation.

That's not scalable, though, to say this maps to this and this maps to this. If we do have the luxury of having this big pool of addresses, let's do it dynamically, where I don't have to do them one at a time. So, staying here live, let's remove our existing configuration. I'm going to bring up my previous configuration and negate it by putting a "no" in front of it. Oh, you know what, I'm just going to leave the ip nat inside and the ip nat outside commands, because they apply to all of these configurations that we're going to be doing; you've always got to say who's the inside and who's the outside. Now let's define who's on the inside of our network. We're going to use an access control list to do that. Remember, back on day one we talked
about how an access control list could be used not just to say yes or no, you can be transmitted or you're going to be dropped; we could also use an access control list to match traffic. Well, now we're going to be matching all of the inside traffic. I'll say access-list 1, and all we need, we're just identifying the source, and that's what a standard access list can do for us, so I'll just use that. I'll say permit, and I'm going to permit the entire inside network, which is 192.168.1.0, and it's a /24 subnet mask. We talked earlier about how we create a wildcard mask, and that's going to give us a wildcard mask of 0.0.0.255. So that access list is matching the inside network.

Now I need to create a pool of addresses that we can pull from as we're translating these addresses. So I'm going to create a pool, and I'll say ip nat pool, and I'm going to give it the oh-so-creative name of POOL. Well, at least I did it in uppercase. Normally, when I'm coming up with something that I'm naming in Cisco IOS, I use uppercase; that way, when I'm looking through a config, I can say, "Oh, POOL, that's something that I typed in, that's not some sort of an IOS keyword." I'm going to start the addresses that I have at 172.16.1.100, and let's say that I've got 100 publicly routable IP addresses, wouldn't that be nice, and I'm going to go through the range of 172.16.
Oh, by the way, yes, I realize that is a private IP address. When I use this, I just stuck with private IP addresses, so squint and pretend this is an outside address if you would, an outside global or a publicly routable IP address. I'm just trying to show you how we do the configuration. So that's my pool. Oh, that's not all; I need to say what the subnet mask is. I'll say netmask 255.255.25, and if I could spell that, it would be incredibly helpful. Netmask, there we go.

So to review, we've done two things, well, we've done three things. Step one, we said who's the inside, who's the outside. Step two, I created an access control list to identify my inside local addresses. Step three, I created a pool to identify my inside global addresses. Now here comes the connective tissue that ties it all together. I'm going to say ip nat inside source list 1, so, in other words, my inside local addresses are going to be something that matches access control list 1, and we're going to translate those into a member of the pool that was named POOL. And we're done.

Let's test it again. I'll go to the PC. Can I ping the internet? Yes, I can. Let's go back and look at our NAT table; let's do another show ip nat translations. ICMP, yep, that's our ping, and it looks pretty much like it did before, doesn't it? Oh, by the way, there's another command that I kind of like: show ip nat statistics. This gives you more information about your NAT configuration. For example, if you're maybe on a customer router and you're not sure which they say the inside and outside interfaces are, well, this tells us. We can see how many times we've actually done a translation, how many of those translations have timed out, we can see the pool that we're going to be translating into, and we can see the access control list that we're using to identify the inside local addresses.

All right, all that to build up to what I think is probably going to be the most common NAT configuration, and that's PAT, Port Address Translation. This is for the very
common scenario where our internet service provider gives us a measly single publicly routable IP address, and we've got to get all the devices on the inside of our network to share that IP address. Here's how we do it. First of all, let me get rid of our dynamic NAT configuration. I'll go up to our pool command; oh yeah, let me get rid of this one first, I really want to get rid of that, I'll say yes. Let's get rid of the pool I created, and let's get rid of the access list that I created. Okay, I think we're good now; I think we're back to the way we started.

Let's now set up Port Address Translation. Actually, I could have left that access control list, because we're still going to need an access control list to match all of our inside local addresses, so I'm just going to create it again, it's quick. I'll say access-list, we'll give it a number of 1, and I'm going to permit, not meaning allow but meaning match, 192.168.1.0, and the wildcard mask is 0.0.0.255. Now check this out. Here's how I say you take all of those inside local addresses and translate them into a single inside global address: ip nat inside source. The command starts out just like we've been seeing, but this time I'm going to say list 1 is where my inside local addresses are, and I'm going to translate those into whatever IP address happens to be assigned to interface gigabit 0/2. And there's one more thing. If I just left it like this, the first translation would work and the second one would fail, because we already used that address that was assigned to interface gigabit 0/2. If we want to share that among multiple inside local addresses, we've got to give one other keyword, and that other keyword is overload. In fact, if you want to make a note of this, Port Address Translation is commonly called NAT overloading because we're giving this overload keyword.

Let's set up a few different connections here. Let's go back over to our PC, and I'm going to connect
via HTTP. I've got that enabled on this internet router. I'll say telnet to 1.1.1.1 but on port 80, so that's like opening up a web connection, and it's successful; it says open. Break out of that, disconnect. Let's try just a regular telnet now. I didn't have it set up to log in, but at least the translation happened. I actually don't know if I've got this set up for secure HTTP or not; let's try port 443. Does that work? No, it didn't. But let's take a look at our NAT translations; let's do show ip nat translations. Look at this: we see those three sessions I just set up. The inside local addresses were all the PC, 192.168.1.100, but notice this time we're keeping track of those dynamically chosen ephemeral port numbers. They're all different for our different flows. One was destined for HTTP, one was destined for telnet, one was destined for HTTPS; that was our outside local address, and that was obviously stored here in our NAT translation table. We were going to an outside global address of 1.1.1.1 on all these different ports. Now, let's say the web server, the HTTP server, sends return traffic back saying, "Okay, here's your web page." It's sending it back to, what did we say the inside global was, 172.16.1.1 on port 16386, and our router is going to look at that and say, "Oh, that maps to 192.168.1.100 on port 16386," so it knows which flow, it knows which inside device to send it to. That is a much more common implementation of NAT, and that's a look at Network Address Translation.

Let's take a quick break right now and see if we have any questions on that. We covered a lot of terminology and a lot of configuration. If you have questions, remember to prepend them with some question marks so I know it's a question for me, and we'll take some quick questions before we go on to our next topic, which is Network Address, excuse me, Network Time Protocol.

Can you please explain identity NAT or NAT exemption to me? I'm
having a bit of trouble understanding the use case for it. Identity NAT, let's see. Do we need NAT in IP version 6? Let's see, RFC 1900. Okay, wow, lots of questions coming in. What is the maximum number of inside local addresses that can be translated? Wow, okay, let's pick a few of these questions to answer. I don't know that there's a maximum number of addresses that we can do this with; as long as we can keep coming up with unique port numbers, and there are tens of thousands of those, that should work fine. When do we use ip nat outside? We stick that on the outside interface. We'll take one other question here. Oh yeah, here's a good one: do we need to use NAT for IP version 6? Because, after all, we're not running out of IPv6 addresses anytime soon, so is there a purpose for that? Actually, there is. There's actually a NAT version 6; well, it's not version 6, it's called NAT64. What you can use that for is to help merge together a section of your network that's running IPv4 and a section of your network that's running IPv6. What it will do is translate an IPv6 address into a corresponding IPv4 address and vice versa. That's primarily where you see that used with IP version 6.
Great questions. I didn't answer all of them; there was a flood of them coming in, but I tried to pick out some of the really relevant ones.

Let's take a look at our next service, which is Network Time Protocol. I started to say one of my favorite sayings about time; I've got two favorite quotes about time. The first one is "the reason time exists is so that everything doesn't happen at once." I love that one. But more relevant to our discussion of Network Time Protocol is the saying "a man with one watch always knows what time it is; a man with two watches is never quite sure." Think about that one. We want our network to have one watch, one believable time source. We don't want our different devices to have different clocks. Let's think about why that's important and how we can use something called Network Time Protocol in order to assure that.

Why does it matter that time be consistent on our network devices? Well, for one reason, if we're doing logging of events, and maybe we're doing some troubleshooting, and we're sending this information maybe to a syslog server, and we're trying to troubleshoot something that happened at 2 a.m. last night, we might see that this device fired off a syslog alert at 1:58, this other one fired something off at 1:59, and this other thing happened at two o'clock in the morning. Because those times were so close together, we might be able to do what is called event correlation and see if these very different systems that are sending these alerts at roughly the same time can give us a clue as to what was going on. Another reason that it's important to have accurate time is digital certificates. These digital certificates that we use for secure connections have an expiration date and time on them, and if we don't have our clock set and we think it's some other year than it really is, then we might think that a certificate that's valid is really invalid, or vice versa, we
might think an invalid certificate is valid. Oh, I'll give you another one. I do a lot with IP telephony in the Cisco world, and the time that shows up on your Cisco IP phones is learned via NTP, usually from our Cisco Communications Manager server. It can learn its time via NTP, and then it hands it out to the phone, so we want those times to be correct. Those are just a few examples.

So how do we all coordinate exact time? Well, Cisco routers do have internal clocks. They're not known for being like Swiss watch timekeepers; they drift a little bit, they're not great. But if we keep updating them to the correct time, great, they're good. If we can update them every so often and they keep up, that's going to help keep them with the correct time. But who does everybody look to as an authoritative time source? Well, this varies in different countries, but in the United States it's the Naval Observatory that is the keeper of the official time. They've got a site in Washington, DC, and they've got another site in Colorado Springs, Colorado, and at these sites they have atomic clocks. Now, an atomic clock is considered to be the most accurate time source that we can build. Maybe a pulsar is an accurate time source out in the universe, but the thing we can build is an atomic clock. The reason we say it's atomic is that it uses the element cesium-133, and cesium-133 has this property where, I forget the exact number, but it's a little bit over 9 billion oscillations of that element that equals one second. I mean, that is very, very accurate. If you're measuring something based on nine-plus billion oscillations and we say, "Okay, there, that's one second," that's where the true authoritative time comes from. Now, we don't have the ability, from our PC in our home, to say, "Well, let me point to one of those clocks and I'll get my time from the best time source there is." No, we don't have that option, but we can point to an internet-based
time source. I mean, Google has some. You can just do a web search for NTP time sources; many of them are publicly available, and I typically use some of the ones from Google when I'm setting up a router. But think about this: you could have your router at your site, the main router going out to the internet, or really any router at your site. It could be the device at your site that's responsible for going out and getting time from one of those internet-based time sources, which get their time maybe from one of those atomic clocks. We're not going to be able to speak to those atomic clocks directly, but we can get our time from somebody that gets their time from the atomic clock. Now that we've got this device inside of our network that's getting time from the official source, then we can take the time that we have and we can be the time source for our network and spread it out through our network.

Now, when I do that, does it seem like we might be losing a little bit of accuracy every time we do that? I can see that. I mean, it's like before digital, when people used to try to make copies of VHS tapes or cassettes. You would record one cassette to another, and then you would record that copy and make another copy, and with every copy you lost a little bit. Well, I guess technically with time, every time you go from one time source to another you lose a little fractional bit of accuracy. So there's a measurement of how believable, how authoritative a time source is, and, kind of like administrative distance when it comes to routing protocols, we have something called a stratum value. The lower the value, the more believable a time source. You can configure your router if you want it to be your time source and not get it from somebody else, I wouldn't recommend that, but maybe in an isolated lab environment you could. You can go in and you can set your time
source to a stratum value of one. That's as low as you can go on a Cisco router, but it actually can go as low as zero; that's what those atomic clocks have, a stratum value of zero. A device on the internet that learns time from one of those stratum zero clocks has a stratum one value. You see, every time we go one hop we're incrementing the stratum value. So here we've got the internet clock; we go to router R1, and R1 has a stratum of one, and if we go out to our devices and we're the time source for our company, well, we have a stratum value of two. For every hop there is, we increase the stratum value by one, and it only goes as high as 15. It's kind of like the RIP routing protocol. Remember, with RIP, if you're 16 hop counts away you're considered to be unreachable. Well, if your stratum value ever reaches 16, you're considered to be unbelievable; you're too far removed from the original time source for anyone to give any reliability to you. So it only goes as high as 15. Now, the NTP protocol: I made a note here on screen that it uses port 123. In fact it's UDP port 123, not TCP. And here's a memory aid for you in case you need to know this in a certification environment. This reminds me of the old Jackson 5 song; remember "ABC, easy as 123"? Well, think of it, and I'll try not to sing it, it's hard not to, think of "NTP, easy as 123," because that's the port number being used by NTP: UDP port 123.
Now let's take a look at how we can set up NTP. Let's go back out to our live interface; I'll take my face off the PC there so it doesn't get in the way, and let's go to our Internet router first of all. We're just using the same topology we used with NAT, and I want to show you how we can configure this router to be the time source that's not learning from anybody else. Again, this is not a recommendation, but I'm in an isolated lab environment, so I need to say somebody's the time source. Normally you would want to learn from somebody on the internet that's eventually learning from one of those atomic clocks, but here's what we could do on a Cisco router. First of all, let's actually set the time. Actually, I don't even need to be in global configuration mode to do this; I'm going to say clock set. Let's get some context-sensitive help; it says OK, what is the current time? Let's pretend that this router on the internet is not in my time zone; let's pretend it's actually at UTC time, GMT zero, it's in Greenwich, England. So let's see, I'm in Eastern, and I'm trying to do the math in my head. I'm four hours behind UTC; it's currently 2:30, almost 2:39, so that'll be 6:39, and in military time that would be... I did that math really quickly so I could be totally wrong here, but I'm going to say it's about 18:39. That's the time, but I've got to set the date, and the date is April 2nd, 2020.
So I've set the date on this internet clock that we're pretending lives over in England somewhere, and now I need to say what time zone I live in. Let's go into global configuration mode, and I'll say my clock is in a time zone that is offset from Universal Time Coordinated, UTC, by zero; I'll say UTC, the offset is zero, I'm actually at UTC. And I'll say here, and again, the command I'm about to give is a command you would not normally give if you're learning time from the internet, which you probably should be, I'm going to say ntp master and give myself a stratum value. Now, I'm not going to have delusions of grandeur and say I have a stratum value of 1, and if I use context-sensitive help, notice we cannot even set ourselves to 0, but I'll set myself to a stratum value of 3. That'll work. So our Internet router is now providing time down to R1, once we configure R1. To configure R1, let's go into global configuration mode. Oh well, let's just verify something first. I'm going to ping one of the IP addresses on that Internet router; it's 1.1.1.1. I'm proving to us now that it's reachable, because when I give all the correct commands here in a moment, it's going to look like I messed up, it's going to look like it didn't work, and I'll explain why, and it will work before the class is over. But right now I'm just proving that I can get to the internet time source; I don't want you to start troubleshooting before there's a need to. Let's go into global configuration mode, and I'll say my ntp server is 1.1.1.1; that's the Internet router I just proved I could get to. Now, what's my time zone? Well, I'll say clock timezone. I'm in Eastern time, and currently we're in Eastern Daylight Time, but I need to say what it is when we're not doing daylight saving. So without doing any adjustments, I'm in Eastern Standard Time, and that's UTC minus five. However, we do observe daylight saving time where I live,
so I'll say in the summertime we're called EDT, for Eastern Daylight Time, and you can go in and say when it changes. I always get that mixed up; I know it's sometime in March and sometime in November where we spring forward and fall back. I don't try to keep up with that; I just use the keyword recurring, and if you're using a Cisco IOS that's been made in the last five years or so, it's going to know exactly when to spring forward and fall back. At this time, I promise you I've configured everything correctly, but did it work? Let's do a show clock. It looks to be a few minutes off, doesn't it? That's just the time it was before I started doing anything. It looks like NTP isn't doing a great job, so let's do a show ntp status. This does not look good: it says the clock is unsynchronized, the stratum value is 16, which we said was unbelievable, and look at this, even though I just configured it a second ago, it says I have no reference clock. What's up with that? Well, oddly enough, this is normal behavior for NTP, specifically Cisco IOS routers. They're running NTP version 4 and they don't jump to conclusions, I guess we should say. In fact, I could do a debug ntp events, and occasionally we'll see what we'll see. Yeah, that'll work: debug ntp events. Every minute or so we'll see that there is an exchange, periodic communication between my router and the Internet router, but it's going to make sure over a period of time that the clock is not drifting. It's also trying to measure how much offset there is between ourselves and that clock, and it's going to take, no kidding, about 15 minutes to actually synchronize. In that time we will probably have moved on to the DHCP configuration, and in case I forget it, let me just do a debug ntp packets; maybe we'll get something there. If I forget, somebody please remind me in about 15 minutes or so. In fact, I'm going to set a timer: set timer for 15 minutes.
OK, 15 minutes and counting. That will remind me to come back and see if we have synchronized. As of right now, I'm not going to stick around long enough to see the debug packets pop up, so I'll just do a "u all", but right now if I say show ntp status, it looks not good: we're unsynchronized, our stratum is 16, I have no reference clock. All right, we're not going to touch that right now, but we're going to come back. I wanted to show you one other thing with NTP, but I wanted to be synchronized first. I wanted to show you NTP security, which is something you might want to know if you're taking the ENCOR exam. So I'll tell you what, when we come back and verify that the time is correct, then I'll show you how to set up NTP security. For now, though, let's move on to our next service, and our next service is going to be DHCP. Now, we're not leaving NTP, we're coming back, we've just got to give it 15 minutes, and I want to show you how to secure it. But in the meantime, let's talk about our other service, which is DHCP, the Dynamic Host Configuration Protocol. We love DHCP, because can you imagine having to go around and statically configure IP addresses on all of your devices? That's administratively intense. Fortunately, DHCP comes to the rescue by allowing us to set up a server that will hand out IP addresses to our devices, and it's going to work much like this: it's going to go through a four-step process that I'd love for you to put in your notes. I don't know about you, but, I guess I'm showing my age again, when my daughters were really young they used to watch the Nickelodeon show Dora the Explorer. Anybody watch that? In fact, recently there's a movie out, Dora and the Lost City of Gold or something like that. I've not seen that; it looks like it'll be funny, but there's a live-action Dora movie now. I always think of Dora the Explorer when I'm thinking about DHCP, because the acronym DORA explains
the four-step process of the Dynamic Host Configuration Protocol. Let's say, for example, that laptop A just boots up and it needs to get some IP address information, so it's going to send a broadcast out on the network, because it doesn't know where a DHCP server lives. It's going to send a broadcast out on the network to say, hey, are there any DHCP servers out there? We've got one, and it's going to respond to that broadcast. So watch this with me. Remember, it's a broadcast, so when it gets to the switch, what's the switch going to do with the broadcast? It floods the broadcast out of all ports other than the port the packet was received on, which means the switch is going to send it to the server and the switch is going to send it to the router. Does the broadcast cross a router? It does not, so you'll notice it doesn't make it through the router, but it will get to the DHCP server. That first message is the D in DORA: it's the Discover message. We're trying to discover a DHCP server by broadcasting out, are there any DHCP servers out there? In this case there is one, and it's going to respond with the O in DORA: it's going to respond with an Offer, saying yes, I'm a DHCP server, I would like to offer my services, and here's my IP address. Awesome, now the laptop knows a destination IP address where it can say, OK, can you please give me some IP address information? So we're going to send a packet directly to the DHCP server; it's no longer a broadcast. That's the R in DORA, that's the Request. Now you might be wondering how that packet is possible. Yeah, we now know the destination address, but the laptop, and that's the whole point of this, the laptop doesn't have an address. What was the source IP address in that packet? It was all zeros, 0.0.0.0. That's what it temporarily uses as its source IP address as it's going out and requesting its actual IP address information. So far we've got Discover, is there a DHCP server out there; one responds with an Offer
saying yes, and here's my IP address; then we send a Request saying OK, give me some IP address information; and finally the A in DORA, the Acknowledgement. That's where we do the big download; that's where the DHCP server says all right, here you go, here is your IP address information. That's the A in DORA, the Acknowledgement, and that's the way laptop A got its address. It has an address now of 192.168.1.100. However, take a look at laptop B down at the bottom. It has a router separating it from the DHCP server. What's going to happen when we send out that Discover broadcast? A broadcast does not cross a router. What happens to that Discover broadcast? Poof, it gets dropped. Do we have to go install a DHCP server on our subnet? No. What we can do is make that router into a DHCP relay agent, or some people call it an IP helper configuration, because that's the command that we're going to be using. If we configure this with the ip helper-address command, as I'm going to do for you live here in just a few moments, we're telling the router to make an exception for specific types of broadcasts. In fact, there are nine types of broadcasts that it applies to: there's BOOTP, there's DHCP, and I don't remember what the other seven are, but DHCP is one of them. It's going to say, if you receive a DHCP broadcast, then forward it to this destination, and we can specify the DHCP server as that destination. We can say go to 192.168.1.2,
or we could just say go to this network; we can give a directed broadcast address to go to everybody throughout another subnet, and maybe we have one or two DHCP servers on that subnet. But here I'm just going to set it up in our example where we point to the IP address of the server. Once we've got that configured, then the packet makes it through, the Offer comes back, and the whole DORA process continues on once we have each other's IP addresses. The way we got that initial Discover broadcast through that pesky router is that we configured it as a DHCP relay agent, and now, at long last, laptop B has its IP address. That's the way it works, but let's dig a little bit deeper. Let's talk about some of the different options for DHCP, some of the different things that we can set up, because it's got a lot of options. For example, if we always want the same device to have the same address, we can set up a mapping; we can set up MAC address reservations, where this MAC address always, always, always is going to be mapped to a specific IP address. So, for example, I'm giving you an example on screen where one MAC address can always be mapped to 192.168.1.125. And we can set up multiple pools of addresses, maybe a different pool for different subnets. By the way, if you work with Microsoft Windows Server, if you work with their DHCP server, they typically use the term scope to refer to this pool of IP addresses, so we can use those terms interchangeably: a pool or a scope. Notice I've got a couple of pools here. I've got a pool of 192.168.1.100, and that fourth octet can go from 100 all the way through 199, and you see I've got another pool of addresses as well. We can set up different pools for different subnets, and you might wonder, when this Discover broadcast comes in, how do we know which pool to give it an IP address from? Well, we can know the interface that was the ingress interface, we know what its network was, and we know it needs
to be part of that network. And if we want to, we can exclude some IP addresses. Maybe there are some IP addresses we don't want to hand out: we've got some statically configured IP addresses, maybe like the router interface as an example, maybe we've got servers, maybe we've got printers that we're pointing to by their IP address. We don't want those to be handed out to somebody else, so we can say don't hand out these specific IP addresses. For example, we can set up a range. Notice in the example on the right-hand side of the screen I say I want to exclude 192.168.1.1 all the way through 99; then I can start at 100, but I want to stop after 199, so I'll follow that up with another exclusion command that says exclude 192.168.1.200 through 254. What's left in between is that 100 through 199, so we've allocated 100 addresses that we can hand out as part of that pool. And when we're handing out IP addresses, it's not just here's an IP address and your subnet mask; there's a lot of information that a DHCP server can give us. For example, it's going to give us our default gateway, it's probably going to give us our DNS server, it can even give us a time-to-live value for our packets, and the reason I included another option, option 150, is that's the address of a TFTP server. We use that a lot in the IP telephony world, because when a Cisco IP phone boots up it doesn't have a configuration; it needs to go download its configuration file from a TFTP server. How does it know where that TFTP server lives? Well, when it sends out its DHCP request, the DHCP server sends back here's your IP address, subnet mask, default gateway, and option 150, which is the IP address of a TFTP server. The phone then goes out and downloads its configuration file from that TFTP server. Oh, remember yesterday Charles was telling us about Cisco DNA Center, and he was talking about the different things
that Cisco DNA Center could do for us, like provisioning. What we can do with Cisco DNA Center is, if I'm going to be sending a router out to some remote site somewhere, and the network administrator there is not a CCIE, we'll say, we don't want them to have to do the configuration. We can set everything up ahead of time; we can provision it, we can configure it before it's even shipped out to the destination. Then when they plug in their device and plug it into the network, it will go out to a DHCP server, which is going to give it the address of a DNS server and maybe a TFTP server, and it can go out and download its configuration from a server as well. So DHCP can be used for a lot more than just handing out a single IP address and default gateway, and those are a few of the options you see here. Now let's talk about lease timers. A lot of people will assume that, OK, I got a DHCP address assigned to me, it's good until I turn my machine off. No, a DHCP address that you're given is actually a lease. It's like when you're leasing an apartment: you get it for a certain period of time. Now, most people, when they lease an apartment, are not going to wait till their lease runs out and then run over to the office and say, all right, I'd like to renew my lease, it's expired. No, they want to renew ahead of time; they don't want to be out on the street, they don't want to have any interruption in service. So what they will do is, well in advance of their lease expiration, they'll go to the management and say, hey, I'd like to renew my lease for another year or whatever. Well, that's what DHCP does. Let's say that we've got a lease period of, let's make it easy math, eight days. You can set that on your server; you can say what the lease period is. But let's say that we've been given a lease period of eight days. Well, at one half of that
time, after four days, we're going to go back to that DHCP server and say, hey, can you renew my lease? I'll keep the same IP address, but can you just renew me for another eight days? And hopefully, if it's there, if it's available, it'll say sure, and you're renewed for another eight days. But if that doesn't happen, maybe that DHCP server is having issues, it's down for maintenance, it's not reachable for whatever reason, well, at least we've still got an IP address for four more days. So we're going to wait a little longer; we'll wait until we hit seven days, in other words seven-eighths of the lease period. At seven-eighths of the lease period, which is seven days in our case, we're going to try again to renew our lease, and hopefully then the DHCP server is going to be active. So we're not going to wait to the end to try to renew our lease. And finally, notice I put on screen that we've got something called DHCP version 6. You can have DHCPv6 servers for IP version 6 networks, but they can be used in a couple of different ways. Let's think about how an IPv4 client gets its IP address information. Well, it goes out to the DHCP server and the server says here's your IP address, here's your subnet mask, here's your default gateway, maybe some extra information like here's your DNS server. It all comes from the DHCP server. Now, with DHCP version 6 we can still do that; we can have an IPv6 client get all of its information from the DHCP server. If we're doing that, that's called stateful DHCPv6.
Stateful means we're getting everything from that server, but IPv6 has some bells and whistles that we do not have with IPv4. For example, with IP version 6 we can learn what network we're on and how long the prefix length is. The prefix length is actually what it's called: the prefix is like the network address, and the length is how many bits it is. We can go out to the router and say, what's my prefix length, or in other words, what network am I on? Oh, our 15 minutes are up, so as soon as I finish this... well, let me finish my DHCP discussion, then we'll jump back. But just real quick, let's see if it's working now. I said we'd check after 15 minutes. I'm on the wrong router. Oh, I'm sorry, I need to do show ntp status; that's what I meant to do. Oh, look at this: we've got a stratum of four, it knows our reference clock, it says it's unsynchronized, more on that later, but at least if I do a show clock, yeah, it's now synchronized, it is now accurate. So we'll come back later and I'll talk about why it says unsynchronized. I don't want to get away from our DHCP discussion, but I did want to prove to you that after 15 minutes it worked, and it did. Notice it had a stratum value of four, and that's because it learned time from the router that we set up with a stratum value of three, so it got incremented by one. But back to our DHCP discussion. If we're doing stateful DHCP version 6 we get all the information, but I could use something called a neighbor solicitation, or router solicitation, from an IPv6 client to go out and request information from my router to say, what is my prefix and length? Basically, what network am I on, how many bits are making up the network? It might say we've got a 64-bit network, and here it is, and we've got a 128-bit IPv6 address, so we know the network but we don't know our address on the network; we don't know the host portion of that
address, those extra 64 bits. Well, that client can generate that on its own using something called EUI-64. EUI-64 takes the 48-bit MAC address that's burned into the network interface card, splits it in half, inserts four hexadecimal digits, and flips the seventh bit. I'm not trying to get you to remember this; I'm just showing you that there are some manipulations that go on, and we end up with a 64-bit address that we can use for the host. We just stick those together and we've got our address. We don't need to learn our IP address from our DHCP server; we learned all that by self-generating and getting the network information from the router. We could still use the DHCP server to give us supplementary information, though, like a DNS server or a TFTP server; it could still tell us that. But if we're using that DHCPv6 server for just partial information, in that case it's called stateless DHCPv6. So stateful DHCPv6 gives us everything from the server; stateless gives us maybe some things from the server and other things we generate locally. All right, that's the theory of DHCP. Let's take a look at a demo, and then we'll go back and talk NTP for a moment. But let's take a look at this DHCP demo. I'm going to go back out to our live interface. I've got a slightly different topology that we're going to use here; I've got some different routers that we're using. Excuse me. But here in this topology we've got a DHCP server down at the bottom, we've got router R1, and we've got our PC. Now let's go to the PC; in fact, we're at the PC right now. Let me show you how we can tell... by the way, yes, this PC is not a PC, it's a Cisco router acting as a PC. I'm not running a routing protocol on it, for example; we could just statically set a default gateway, but it's not really acting as a router. It's going to learn all that information via DHCP. I just wanted to show you how you can tell a router
interface to learn its IP address via DHCP, because this is what you would do if you're pointing out to your internet service provider. Here it is: instead of saying ip address and then giving an address, I have GigabitEthernet 0/1 pointing out to router R1, and I said ip address dhcp. Let's see if we have an address. Let's do a show ip interface brief command for interface GigabitEthernet 0/1, and it says it's unassigned. Now, the method is DHCP; we know that we're supposed to be getting it via DHCP, but currently it's unassigned. Everything's up at Layer 1 and Layer 2, but we don't have an address yet. Well, no wonder: we've not yet configured a DHCP server. Let's go do that over on our DHCP server. I want to show you how to make a Cisco router into a DHCP server. Let's go into global configuration mode, and remember we talked about excluding addresses. As kind of a best practice, I like to exclude addresses before I set up the pools. My fear is somebody's going to come online and request an IP address, and I'm going to give them one, and it might be one of those that I'm about to exclude but haven't excluded yet. So I always like to do my exclusions first. I'm going to say ip dhcp excluded-address and give a range: I want to exclude the addresses in the range of 192.168.1.1 all the way through 192.168.1.99. So I'm going to start at 192.168.1.100; that's going to be the first address I can hand out, and I want to stop after I get to 199. So I'm going to say exclude 192.168.1.200 all the way through 192.168.1.254. Everything in between, those are valid addresses to hand out. I can hand out 192.168.1.100 all the way through 199.
Now let's create a pool of addresses to hand out to the PC. I'll say ip dhcp pool and give it a name of PC. Here I'm going to say what network I'm going to be handing out addresses from to these clients. I'll say the network is 192.168.1.0 with a 24-bit subnet mask, so that's the network we're going to be handing out an address from, avoiding the excluded addresses, of course. And I need to say what its next-hop gateway is, its default router, which is going to be R1, and I'll say that the default-router is 192.168.1.1. Awesome. I don't have a DNS server in this topology, but just for fun let's pretend, and I'll say dns-server, and let's pretend it's 172.16.1.2. So that's the information I'm going to be handing out to this PC. Let's do a copy run start. Let's go back to the PC. Do you think I have an IP address at this point? Let's try; let's do show ip interface brief again. Huh, I still don't have an IP address. Can anybody help me out with that in the chat? Can you chat in to me and tell me what you think is wrong? Did I misconfigure something, or is something else going on? Why has this PC not been able to obtain an IP address? I'm pretty sure that I configured the DHCP server correctly. Oh, somebody says I need to bounce the interface. I think that's a great idea, because that will shake things up a lot; it'll make it go out and request again. So let's go into interface GigabitEthernet 0/1. Yeah, I actually do that quite a bit, and I'll do a bounce: a shutdown and a no shutdown. Let's do a show ip interface brief. Ah, still no joy. Anybody else? Ah, Big Eric is saying I need a relay to get to the other network. Yeah, notice we've got router R1 sitting smack dab in the middle of our topology. When that D in DORA goes out, the Discover, it's going to say, nope, this is a broadcast, I'm not going to forward that, and our Discover broadcast is being dropped by
R1. It never has an opportunity to get to our DHCP server. Let's fix that. Let's go back over to R1 and go into interface GigabitEthernet 0/1; that's the interface that's going to be receiving the broadcast. We need to be careful and do this on the right interface. I'm going to configure an IP helper address: I'll say ip helper-address and specify the address of my DHCP server, 172.16.1.2. In other words, when I receive one of nine different kinds of broadcasts, including a Discover broadcast, I'm going to forward it as a unicast to 172.16.1.2. Let's go back to the PC and see if things are better now. Still not yet, but let's use that earlier recommendation of bouncing the interface. I'm going to do a shutdown. Oh, I need to go into interface GigabitEthernet 0/1. Let's do a shutdown. Oh, I was too impatient; look at that, it got an IP address right before I shut it down. Great, now I'm going to have to do it again. I'll do a no shutdown, but you see right here it said it was assigned an IP address. Hopefully we'll get another one, or the same one back. Let's do a show ip interface brief. Yeah, we've got one now. Look at that: we've been assigned 192.168.1.101 via DHCP. So that is a look at how we can configure a Cisco router as a DHCP server. We saw how to make a router act as a DHCP client and request IP address information, and we saw how we could set up a router sitting in the middle to act as a DHCP relay agent. Now, while we're still out in the live interface, let's hop real quick back over to our router where we were trying to get time, and if I do a show ntp status, remember things were a lot better earlier. We said we had a stratum value of four, we do have a reference clock, and in fact I did a show clock and it was correct, but notice it says clock is unsynchronized. Is that a problem? Did we do something wrong? Actually, no.
The reason that it's doing that is because we're running this in Cisco VIRL; we're running it in an emulator, and in this emulator this root dispersion value gets too big. I forget exactly what the threshold is, I think it might be 100 milliseconds, but the root dispersion value gets too large. In other words, the time that we calculate between us and our neighbor is a little too much for us to think it's really synchronized, so if we exceed that threshold, it says it's unsynchronized. But we set things up correctly, so I want to set your mind at ease: it's because this root dispersion value is too high because we're running Cisco VIRL, but everything was configured correctly. Hey, I hope you enjoyed that replay from the Cert Summit, and if you'd like to get the entire Cert Summit replay, I want to offer you a 30% discount. Just click on the link below and you'll be taken to the order page to get a 30% discount on the Cert Summit and see all the different topics that we cover. Thanks a lot for joining us; we'll see you next time.
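The talk explains stratum (0 at the atomic clock, +1 per hop, 16 meaning unsynchronized), UDP port 123, and why a large root dispersion makes IOS report "unsynchronized" even when the clock is right. The block below is an added example written for this page, not code from the video or from Cisco: it parses an NTPv4 server reply as laid out in RFC 5905, pulls out the leap indicator, version, mode, stratum and the 16.16 fixed-point root dispersion, computes the classic offset/delay from the four timestamps, and applies the acceptance checks a client should make before trusting a reply. The origin-timestamp check matters for security: a reply whose origin field does not match what you sent is stray or spoofed and must be ignored. The 1.0-second dispersion limit is a constructed local policy, not the IOS threshold the speaker tries to recall; the 1.1.1.1 reference ID and the sample timestamps are constructed to match the lab in the talk.

```python
"""NTPv4 (RFC 5905) reply parsing and acceptance checks.
Added example for this page; not from the video. Sample values are constructed."""
import struct
from dataclasses import dataclass
from typing import Tuple

NTP_PORT = 123                 # UDP, as the talk notes
MAX_USABLE_STRATUM = 15        # 16 on the wire means "unsynchronized"
NTP_TO_UNIX = 2208988800       # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
# Assumed local policy (seconds). Not an IOS constant; the talk only recalls
# IOS's own threshold vaguely, so this is a stand-in for the same idea.
ROOT_DISPERSION_LIMIT = 1.0


def _ts(raw: bytes) -> float:
    """64-bit NTP timestamp (32-bit seconds, 32-bit fraction) -> float seconds."""
    secs, frac = struct.unpack("!II", raw)
    return secs + frac / 2 ** 32


def _short(raw: bytes) -> float:
    """32-bit NTP short format (16.16 fixed point) -> float seconds."""
    whole, frac = struct.unpack("!HH", raw)
    return whole + frac / 2 ** 16


def _pack_ts(t: float) -> bytes:
    secs = int(t)
    return struct.pack("!II", secs, int((t - secs) * 2 ** 32))


def _pack_short(t: float) -> bytes:
    whole = int(t)
    return struct.pack("!HH", whole, int((t - whole) * 2 ** 16))


@dataclass
class NtpReply:
    leap: int
    version: int
    mode: int
    stratum: int
    root_delay: float
    root_dispersion: float
    ref_id: bytes
    t1: float   # origin: our own transmit time, echoed back by the server
    t2: float   # server receive time
    t3: float   # server transmit time


def parse_reply(pkt: bytes) -> NtpReply:
    if len(pkt) < 48:
        raise ValueError("NTP packet shorter than the 48-byte header")
    first = pkt[0]                      # LI(2) | VN(3) | Mode(3)
    return NtpReply(
        leap=first >> 6, version=(first >> 3) & 0x7, mode=first & 0x7,
        stratum=pkt[1],
        root_delay=_short(pkt[4:8]), root_dispersion=_short(pkt[8:12]),
        ref_id=pkt[12:16],
        t1=_ts(pkt[24:32]), t2=_ts(pkt[32:40]), t3=_ts(pkt[40:48]),
    )


def offset_and_delay(r: NtpReply, t4: float) -> Tuple[float, float]:
    """Standard client calculation; t4 is our own receive time (NTP epoch seconds)."""
    offset = ((r.t2 - r.t1) + (r.t3 - t4)) / 2
    delay = (t4 - r.t1) - (r.t3 - r.t2)
    return offset, delay


def usable(r: NtpReply, sent_t1: float,
           limit: float = ROOT_DISPERSION_LIMIT) -> Tuple[bool, str]:
    """Decide whether to trust this reply; the same kinds of checks make IOS say 'unsynchronized'."""
    if r.mode != 4:
        return False, "mode %d is not a server reply" % r.mode
    if r.t1 != sent_t1:
        return False, "origin timestamp does not match what we sent (stray or spoofed reply)"
    if r.stratum == 0:
        return False, "stratum 0: unspecified / kiss-o'-death"
    if r.stratum > MAX_USABLE_STRATUM:
        return False, "stratum %d: peer is unsynchronized" % r.stratum
    if r.leap == 3:
        return False, "leap indicator 3: peer clock not synchronized"
    if r.root_dispersion > limit:
        return False, "root dispersion %.3fs exceeds %.3fs" % (r.root_dispersion, limit)
    return True, "stratum %d reply accepted" % r.stratum


def build_reply(stratum: int, root_disp: float, t1: float, t2: float, t3: float,
                ref_id: bytes = b"\x01\x01\x01\x01", leap: int = 0) -> bytes:
    """Constructed server reply (VN=4, mode=4) for offline testing; ref_id 1.1.1.1 as in the lab."""
    first = (leap << 6) | (4 << 3) | 4
    return (bytes([first, stratum, 6, 0xEC])            # poll=6 (64 s), precision=-20
            + _pack_short(0.0) + _pack_short(root_disp) + ref_id
            + _pack_ts(t2 - 64) + _pack_ts(t1) + _pack_ts(t2) + _pack_ts(t3))
```

In a real client you would record t1 when sending a mode-3 request to UDP/123, record t4 on receipt, and feed both into the functions above; the offset is what the router slowly measures over the roughly 15 minutes the speaker waits before IOS commits to a reference clock.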
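The DORA walkthrough, the relay-agent demo and the lease-timer discussion above can be seen on the wire with a small RFC 2131 encoder/decoder. The block below is an added example written for this page, not code from the video or from Cisco: it builds the Discover a client broadcasts from 0.0.0.0 (broadcast flag set, asking for mask, router, DNS and option 150), parses an Offer while rejecting replies whose transaction ID does not match (a cheap defence against stray or rogue offers), and derives the renew and rebind timers at 1/2 and 7/8 of the lease. The addresses follow the demo topology (192.168.1.101 offered, 172.16.1.2 as DHCP and DNS server, 192.168.1.1 as R1, an eight-day lease); the TFTP address 172.16.1.3 and the MAC address are constructed. A non-zero giaddr is how the relay tells the server which subnet the Discover came from.

```python
"""DHCP (RFC 2131): build a Discover, parse an Offer, derive renew/rebind timers.
Added example for this page; not from the video. Sample values are constructed."""
import struct
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_LEASE = 1, 3, 6, 51
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PARAM_REQ, OPT_TFTP, OPT_END = 53, 54, 55, 150, 255


def _ip(s: str) -> bytes:
    return ipaddress.IPv4Address(s).packed


def _ips(raw: bytes) -> List[str]:
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


def _header(op: int, xid: int, mac: bytes, yiaddr: str = "0.0.0.0",
            giaddr: str = "0.0.0.0", flags: int = 0x8000) -> bytes:
    """236-byte fixed BOOTP header; ciaddr and siaddr left at 0.0.0.0."""
    return (struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, flags)
            + _ip("0.0.0.0") + _ip(yiaddr) + _ip("0.0.0.0") + _ip(giaddr)
            + mac.ljust(16, b"\x00") + bytes(64) + bytes(128))


def build_discover(xid: int, mac: bytes) -> bytes:
    """The D in DORA: broadcast flag set, sent from 0.0.0.0, requesting options 1, 3, 6, 150."""
    opts = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER,
                  OPT_PARAM_REQ, 4, OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_TFTP,
                  OPT_END])
    return _header(BOOTREQUEST, xid, mac) + MAGIC_COOKIE + opts


def parse_options(raw: bytes) -> Dict[int, bytes]:
    """TLV options after the magic cookie; stops at END, skips PAD, refuses truncation."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


@dataclass
class Offer:
    xid: int
    yiaddr: str          # the address being offered
    server_id: str
    giaddr: str          # relay agent address; non-zero when an ip helper-address forwarded the Discover
    subnet_mask: str
    routers: List[str]
    dns: List[str]
    tftp: List[str]
    lease_seconds: int


def parse_offer(pkt: bytes, expected_xid: int) -> Offer:
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, _, _, _, xid, _, _ = struct.unpack("!BBBBIHH", pkt[:12])
    if op != BOOTREPLY:
        raise ValueError("not a BOOTREPLY")
    if xid != expected_xid:
        raise ValueError("xid mismatch: reply is not for our Discover")
    opts = parse_options(pkt[240:])
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        raise ValueError("not a DHCPOFFER")
    return Offer(xid=xid, yiaddr=_ips(pkt[16:20])[0], server_id=_ips(opts[OPT_SERVER_ID])[0],
                 giaddr=_ips(pkt[24:28])[0], subnet_mask=_ips(opts[OPT_SUBNET])[0],
                 routers=_ips(opts.get(OPT_ROUTER, b"")), dns=_ips(opts.get(OPT_DNS, b"")),
                 tftp=_ips(opts.get(OPT_TFTP, b"")),
                 lease_seconds=struct.unpack("!I", opts[OPT_LEASE])[0])


def lease_timers(lease_seconds: int) -> Tuple[int, int]:
    """T1 (renew) at 1/2 of the lease, T2 (rebind) at 7/8, as described in the talk."""
    return lease_seconds // 2, lease_seconds * 7 // 8


def build_offer(xid: int, mac: bytes, yiaddr: str, server: str, relay: str,
                lease: int, tftp: str) -> bytes:
    """Constructed server reply for offline testing (what the relay would unicast back)."""
    opts = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
            + bytes([OPT_SERVER_ID, 4]) + _ip(server)
            + bytes([OPT_LEASE, 4]) + struct.pack("!I", lease)
            + bytes([OPT_SUBNET, 4]) + _ip("255.255.255.0")
            + bytes([OPT_ROUTER, 4]) + _ip(relay)       # R1 is both relay and default gateway here
            + bytes([OPT_DNS, 4]) + _ip(server)
            + bytes([OPT_TFTP, 4]) + _ip(tftp)
            + bytes([OPT_END]))
    return _header(BOOTREPLY, xid, mac, yiaddr=yiaddr, giaddr=relay) + MAGIC_COOKIE + opts
```

With an eight-day lease the timers come out to four days and seven days, which is exactly the renew-then-rebind schedule the speaker describes; the xid check and the option-length check are the two places a parser like this most often gets fooled by malformed or unsolicited replies.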
Info
Channel: Kevin Wallace Training, LLC
Views: 9,524
Keywords: ccna, ccnp, ccie, nat, ntp, dhcp, 200-301, cisco, cisco cert, CCNA cert, #kwtrain
Id: _MS2sG03Q-E
Length: 73min 6sec (4386 seconds)
Published: Thu Oct 22 2020