10 Sections left and then it is a week of labbing, Cert Prep video, and prep tests!!  Let’s just keep it going!

 

Section 29: NAT – Network Address Translation

  • NAT was developed to deal with the exhaustion of the IPv4 address range; it allows private address ranges to be used internally while consuming only a single or a few public IP addresses.
  • NAT Types 
    • Static NAT
      • One-to-one mapping
      • Usually used for server hosting
      • A single static NAT rule translates both incoming and outgoing traffic.
      • Commands
        • Route 
          • Outside 
            • (config)#int [interface1]
            • (config-if)#ip nat outside
          • Inside
            • (config)#int [interface2]
            • (config-if)#ip nat inside
          • Route
            • (config)#ip nat inside source static [inside local IP] [inside global IP]
        • Verification
          • #show ip nat translation
      • For one-way NAT, the Outside Local and Outside Global addresses will be reported as being the same.
    • Dynamic NAT
      • Public IP addresses are handed out from a pool on a first-come, first-served basis
      • Usually for users who connect out to the Internet but do not accept incoming connections
      • With standard dynamic NAT you need a public IP address for each host that is communicating out through the router
      • If no IP address is available, a device wanting to communicate has to wait for an existing translation to be torn down and its address released back into the pool
      • Commands
        • Route 
          • Outside 
            • (config)#int [interface1]
            • (config-if)#ip nat outside
          • Inside
            • (config)#int [interface2]
            • (config-if)#ip nat inside
          • Configure a pool of global addresses
            • (config)#ip nat pool [pool name] [start IP of range] [end IP of range] netmask [subnet mask]
          • Create an access list, for example
            • (config)#access-list 1 permit 10.0.2.0 0.0.0.255
          • Associate the access list with the NAT pool
            • (config)#ip nat inside source list 1 pool [pool name]
        • Verification
          • #show ip nat translation
          • #show ip nat statistics
        • Clear NAT translations
          • #clear ip nat translation
        • Clear all dynamic translations
          • #clear ip nat translation *
    • Port Address Translation
      • Allows the same public IP address to be reused by many inside hosts
        • Different ports being directed to different locations
      • The device keeps track of the client’s port number
        • Tracks translations by IP and Layer 4 port
      • Commands
        • Configuration with static IP address(es)
          • Use the same configuration as standard dynamic NAT, except when associating the access list with the NAT pool use the “overload” keyword
            • (config)#ip nat inside source list [list number] pool [name] overload
        • Configuration with the dynamic outside IP address
          • Interfaces
            • (config)#int [interface1 outside]
            • (config-if)#ip address dhcp
            • (config-if)#ip nat outside
            • (config)#int [interface2 inside]
            • (config-if)#ip nat inside
          • Access list
            • (config)#access-list 1 permit 10.0.2.0 0.0.0.255
          • Associate access list to an interface
            • (config)#ip nat inside source list 1 interface [interface1 outside] overload
        • Verification
          • #show ip nat translation
  • NAT Translation
    • Inside Local Address
      • The IP address actually configured in the inside host’s OS
        • Example: Internal IP address on the server hosting a website.
    • Inside Global Address
      • The NAT’d address of an inside host, which outside sources use to reach that inside host.
        • Example: External IP address that an external DNS record would point to for a web server.
    • Outside Local Address
      • The address that the outside would see if the internal server sent traffic to an outside destination.
    • Outside Global
      • The IP address assigned to the host outside the network by that host’s owner
      • This becomes important if the router is hosting the same IP address range as the one it is routing to. It has to present a different address to the other router that is hosting the same range.
        • For example, if two routers are both hosting 10.10.10.0, the first router could present its range as 10.10.20.0 and the second as 10.10.30.0, and those ranges would be translated to the outside local address of 10.10.10.0.
          • Router 1 would know Router 2’s 10.10.10.0 range as 10.10.30.0
          • Router 2 would know Router 1’s 10.10.10.0 range as 10.10.20.0
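To see what the dynamic NAT pool, the “overload” keyword and the inside local/global terms above mean in practice, here is an added Python model of a router's translation table (my own example, not from the course or from Cisco IOS). It hands out a constructed pool of 203.0.113.x inside-global addresses to the 10.0.2.0/24 hosts from the access list, returns None when a dynamic NAT pool is exhausted, and under PAT reuses one address with a distinct translated port per flow; the starting port 1024 is an assumption.

```python
class NatRouter:
    """Translation table keyed the way the router tracks it: inside-local IP plus L4 port."""

    def __init__(self, pool, overload=False):
        self.pool = list(pool)      # inside-global addresses (the `ip nat pool` range)
        self.overload = overload    # True models the `overload` keyword (PAT)
        self.table = {}             # (inside_local, port) -> (inside_global, port)
        self.next_port = 1024       # constructed starting port for PAT (an assumption)

    def translate(self, inside_local, src_port):
        """Return (inside_global, translated_port), or None when the pool is exhausted."""
        key = (inside_local, src_port)
        if key in self.table:
            return self.table[key]
        if self.overload:
            # PAT: every host shares pool[0]; a unique translated port keeps flows apart.
            entry = (self.pool[0], self.next_port)
            self.next_port += 1
        else:
            # Dynamic NAT is per host: reuse the address already given to this inside host.
            glob = next((g for (loc, _), (g, _) in self.table.items()
                         if loc == inside_local), None)
            if glob is None:
                in_use = {g for g, _ in self.table.values()}
                free = [g for g in self.pool if g not in in_use]
                if not free:
                    return None   # pool exhausted: wait for a translation to be torn down
                glob = free[0]    # first come, first served
            entry = (glob, src_port)  # dynamic NAT leaves the L4 port untouched
        self.table[key] = entry
        return entry

    def clear(self, inside_local=None):
        """`clear ip nat translation *` with no host given, else only that host's entries."""
        self.table = {k: v for k, v in self.table.items()
                      if inside_local is not None and k[0] != inside_local}


def demo():
    pool = ["203.0.113.10", "203.0.113.11"]     # constructed inside-global pool of two
    dyn = NatRouter(pool)
    dyn.translate("10.0.2.5", 40000)
    dyn.translate("10.0.2.6", 40001)
    waiting = dyn.translate("10.0.2.7", 40002)  # None: both pool addresses are in use
    dyn.clear("10.0.2.5")                       # teardown releases 203.0.113.10
    freed = dyn.translate("10.0.2.7", 40002)
    pat = NatRouter(pool[:1], overload=True)    # one public address, overloaded
    a = pat.translate("10.0.2.5", 40000)
    b = pat.translate("10.0.2.6", 40000)        # same inside port, distinct global port
    return waiting, freed, a, b
```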

 

 

Section 30: IPv6

  • IPv4 and IPv6 do not have to be an ‘either-or’ decision when using a ‘dual-stack’ solution
    • A ‘dual-stack’ implementation can have both IPv4 and IPv6 addresses assigned to interfaces.
      • Communication can use either protocol
      • Long-term support for both protocols, and a good transition strategy
  • IPv6 Addressing Format
    • 128-bit address
    • Uses eight 16-bit hexadecimal fields to specify the address; each segment is known as a hexadectet, AKA a hextet, piece, or quartet.
      • example: fe80:0000:0000:0000:d60a:a9ff:fee1:bc51
    • Addressing shortening
      • When a hextet contains all zeros it can be replaced by a single zero
        • fe80:0:0:0:d60a:a9ff:fee1:bc51
      • Leading zeros can be removed from a hextet, and a hextet that is all zeros can be replaced with a single zero
        • Full address example: 2001:0DB9:0000:0001:0000:0000:0000:0001
        • Zero shortening: 2001:DB9:0:1:0:0:0:1
      • If there are several consecutive hextets that contain all zeros they can be replaced by two colons
        • fe80::d60a:a9ff:fee1:bc51
        • This can only be done once in an address: if it were done twice, the system parsing it would not know how many zero hextets each double colon stands for.
          • Example of a bad address:
            • Full address with zero shortening: 2001:DB9:0:1:0:0:0:1
            • Incorrect format: 0DB9::0001::0001
              • Only 3 hextets are represented; the system needs to place 5 additional hextets but does not know how to split them between the two double colons
            • Correct format: 2001:DB9:0:1::1
              • 5 hextets are present, and since there is only a single place where the all-zero hextets can go, the parsing system fills hextets 5-7 with zeros.
            • Also correct: 2001:DB9::1:0:0:0:1
              • Not as efficient, as we are only replacing a single hextet.
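As an added example (my own code, not from the notes), the Python below implements the shortening rules just described: expand() reverses them and rejects an address with a second “::” for exactly the reason given above, and compress() produces the most efficient form by replacing only the longest run of all-zero hextets.

```python
HEX_DIGITS = set("0123456789abcdefABCDEF")

def expand(addr):
    """Expand a shortened IPv6 address to eight 4-digit hextets, rejecting a second '::'."""
    if addr.count("::") > 1:
        # The parser cannot tell how many zero hextets each '::' hides (the notes' bad case).
        raise ValueError(f"'::' may appear only once: {addr}")
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError(f"'::' must stand for at least one hextet: {addr}")
        hextets = left + ["0"] * missing + right
    else:
        hextets = addr.split(":")
    if len(hextets) != 8 or not all(1 <= len(h) <= 4 and set(h) <= HEX_DIGITS for h in hextets):
        raise ValueError(f"expected 8 hextets of 1-4 hex digits: {addr}")
    return ":".join(h.lower().zfill(4) for h in hextets)

def compress(addr):
    """Shorten: drop leading zeros, then replace only the longest run of zero hextets with '::'."""
    hextets = [h.lstrip("0") or "0" for h in expand(addr).split(":")]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if hextets[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and hextets[j] == "0":
            j += 1
        if j - i > best_len:            # strict '>' keeps the first run on a tie
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:                    # a lone zero hextet stays as a single 0
        return ":".join(hextets)
    return ":".join(hextets[:best_start]) + "::" + ":".join(hextets[best_start + best_len:])

def is_valid(addr):
    """True when the address parses under the rules above (one '::' at most)."""
    try:
        expand(addr)
        return True
    except ValueError:
        return False
```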
  • IPv6 Global Unicast Address
    • IPv6 does not support broadcast traffic but does support multicast using ff02::1
    • Global Unicast
      • Assigned to an individual host and has global reachability
      • Range 2000::/3
        • Internet authorities assign blocks from this range to organisations
        • The common assignment is a /48 block
          • Example 2001:10:10::/48
        • The size can be adjusted larger or smaller based on the size of the company
      • The IPv6 standard states that addresses assigned to individual hosts should use a /64 mask
        • Network X:X:X:X:|X:X:X:X Host
      • Commands
        • Enable IPv6 routing and address the interfaces
          • (config)#ipv6 unicast-routing
          • (config)#int f0/0
          • (config-if)#ipv6 address [ipv6 address]/[prefix length]
          • (config-if)#int f2/0
          • (config-if)#ipv6 address [ipv6 address]/[prefix length]
    • Unique Local
      • Similar to IPv4 private addresses, RFC 1918 (example 10.0.0.0)
      • Not publicly reachable
      • Range FC00::/7
      • Should use the /64 addressing schema
    • Link Local
      • Valid only for communication on that link; will not be forwarded by a router
      • Used for things like routing protocol hello packets
      • Mandatory on IPv6-enabled Cisco router interfaces
      • Range FE80::/10-FEB0::/10
      • Should use the /64 addressing schema
      • Addresses are auto-generated as EUI-64 addresses on IPv6-enabled Cisco router interfaces
        • Addresses can be overridden with manual configuration
      • Command
        • Manual link local config
          • (config)#int f0/0
          • (config-if)#ipv6 address [link local address] link-local
    • EUI-64 Addresses
      • A Cisco router can auto-generate a full IPv6 address for itself when given the interface and the /64 network to use
      • The host portion of the address is derived from the interface’s MAC address
        • A MAC is only 48 bits, compared to the 64 bits of the IPv6 host portion
        • FF:FE is injected in the middle of the 48-bit MAC address to make 64 bits, and the 7th bit is inverted.
          • Inverting the 7th bit (the universal/local bit) flips it from local to global, or global to local, making the address non-Internet routable.
      • The router will borrow the MAC address from the first Ethernet port for non-Ethernet interfaces such as serial ports
      • Not recommended to use EUI-64 on router interfaces.
      • Command
        • Assign eui-64
          • (config)#int [interface]
          • (config-if)#ipv6 address 2001:db8:0:0::/64 eui-64
        • Verification
          • Check MAC
            • #sho int [interface]
              • You will see “Hardware is [type], address is [MAC address]”
            • #show ipv6 interface brief
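As an added example (my own code, not the notes' or Cisco's), the Python below performs the EUI-64 derivation just described: inject ff:fe into the MAC, invert the 7th bit, and append the result to a /64 prefix. The MAC d4:0a:a9:e1:bc:51 is worked backwards from the fe80::d60a:a9ff:fee1:bc51 address used earlier in these notes, and the last function recovers the MAC from an address, which is the privacy concern that leads modern OSes to randomize the host portion.

```python
import ipaddress

def _mac_bytes(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, or Cisco-style aabb.ccdd.eeff."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError(f"MAC must be 48 bits: {mac}")
    return octets

def eui64_interface_id(mac):
    """Host portion: split the MAC, inject ff:fe, and invert the 7th bit (U/L bit) of byte 0."""
    m = _mac_bytes(mac)
    eui = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    return ":".join(f"{eui[i]:02x}{eui[i + 1]:02x}" for i in range(0, 8, 2))

def eui64_address(prefix, mac):
    """What `ipv6 address PREFIX/64 eui-64` yields: the /64 prefix plus the EUI-64 id."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 needs a /64 prefix")
    net_part = ":".join(net.network_address.exploded.split(":")[:4])
    return ipaddress.IPv6Address(f"{net_part}:{eui64_interface_id(mac)}").compressed

def mac_from_address(addr):
    """Reverse the derivation; None if the host portion is not EUI-64 shaped (e.g. randomized)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    m = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in m)
```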
    • Multiple IP Addresses
      • IPv4 (not sure why this was not covered in the IPv4 section)
        • You can only have a max of two IPv4 addresses on an interface.
        • If you enter an IPv4 address without the secondary keyword it will overwrite the previous address
        • Command using the “secondary” keyword
          • (config-if)#ip address [ipv4 address] [subnet mask] secondary
      • IPv6
        • You can have multiple IPv6 addresses on an interface; you use the same command to add another IPv6 address, and unlike IPv4, which overwrites the previous address, it appends the requested address.
    • SLAAC – Stateless Address Autoconfiguration
      • Clients can be assigned IPv6 addresses through static configuration, DHCPv6 or SLAAC
        • DHCP tracks MAC address to IP address assignments, which is stateful addressing
      • Clients with SLAAC
        • Learn the /64 prefix from their local router and generate their own EUI-64 IPv6 address
          • Modern OSes randomize the host portion of the address for privacy reasons
        • The router does not track which IP address each host uses, so this is stateless
      • When IPv6 addresses are configured, the router advertises the network prefix by default
        • These ICMP messages are sent by multicast from the router’s link-local address to all nodes.
        • Hosts can also send a ‘Router Solicitation’ message to request subnet info.
        • The router also tells the host to use it as the default gateway
      • Current SLAAC does not pass other information such as DNS
        • If DHCP passes only DNS and not an IP address, it is still considered “stateless”
    • Unknown address
      • ::/0 in IPv6 is equivalent to IPv4 0.0.0.0 0.0.0.0 when routing
        • :: is used as the source address when an interface is trying to obtain an address.
    • Neighbor Discovery
      • IPv6’s equivalent of ARP
      • Uses ICMP Neighbor Solicitations and Neighbor Advertisements instead of ARP requests
      • Uses a Solicited-Node multicast address to reach all hosts
      • Verification command
        • #show ipv6 neighbors
          • Returns link-layer addresses
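Added example (my own code, not from the notes) of how the Solicited-Node multicast address used by Neighbor Solicitation is formed from a unicast address, plus the 33:33 Ethernet multicast MAC it maps to; handy when reading captures of Neighbor Discovery traffic, and it also shows that a host's link-local and global addresses with the same host portion share one group.

```python
import ipaddress

def solicited_node(addr):
    """Solicited-node group: ff02::1:ff00:0/104 plus the low 24 bits of the unicast address."""
    low24 = ipaddress.IPv6Address(addr).packed[-3:]
    group = b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24
    return ipaddress.IPv6Address(group).compressed

def multicast_mac(group):
    """Ethernet destination MAC for an IPv6 multicast group: 33:33 + the group's low 32 bits."""
    low32 = ipaddress.IPv6Address(group).packed[-4:]
    return ":".join(f"{b:02x}" for b in b"\x33\x33" + low32)

def same_solicited_group(addr_a, addr_b):
    """True when two unicast addresses share a solicited-node group (same low 24 bits)."""
    return solicited_node(addr_a) == solicited_node(addr_b)
```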
    • IPv6 Static Routes
      • IPv4 and IPv6 use separate routing tables
        • These routing tables are created the same way
      • IPv6 routing has to be enabled with ‘(config)#ipv6 unicast-routing’
        • IPv6 addresses can be assigned without enabling routing, but traffic will not be forwarded to other segments