200-301 IP Services

IP Services Detailed Explanation

The IP Services section introduces essential networking functions that enhance IP-based communication.

Part 1: DHCP (Dynamic Host Configuration Protocol)

4.1 What is DHCP?

DHCP is a protocol that automates the assignment of network configurations such as:

• IP Address: Unique identifier for each device on the network.
• Subnet Mask: Defines the range of IPs within the network.
• Default Gateway: The router that connects the local network to other networks or the internet.
• DNS Server: Translates domain names (e.g., www.google.com) into IP addresses.

4.1.1 Why is DHCP Important?

Without DHCP:

• You would need to manually configure these settings for each device, which is time-consuming and error-prone.
• Misconfigurations could lead to IP conflicts, where two devices are assigned the same IP.

With DHCP:

• The process is automated, ensuring no conflicts and efficient management.
• Devices can quickly join a network and obtain an IP address.

4.1.2 The DHCP Process (DORA)

The DHCP process consists of four key steps, often remembered as DORA:

1. Discover:

   • A client device broadcasts a request to find a DHCP server.
   • Message: "Is there a DHCP server available?"

2. Offer:

   • The DHCP server replies with an available IP address and configuration.
   • Message: "I have an IP address for you: 192.168.1.10."

3. Request:

   • The client requests the offered IP address.
   • Message: "I’d like to use 192.168.1.10."

4. Acknowledge:

   • The DHCP server confirms and assigns the IP address to the client.
   • Message: "You’re now assigned 192.168.1.10."

4.1.3 DHCP Configuration on Cisco Devices

Let’s walk through a DHCP configuration example on a Cisco router.

Scenario:

• You want to assign IPs from the range 192.168.1.11 - 192.168.1.254.
• The default gateway is 192.168.1.1.
• DNS server is 8.8.8.8.

Configuration Steps:

1. Exclude Certain IPs:

   • Reserve specific IPs (e.g., for the router or servers):

     ip dhcp excluded-address 192.168.1.1 192.168.1.10
     

2. Create a DHCP Pool:

   • Define the range of assignable IP addresses:

     ip dhcp pool MY_POOL
     network 192.168.1.0 255.255.255.0
     

3. Set the Default Gateway:

   • Specify the router’s IP as the gateway:

     default-router 192.168.1.1
     

4. Specify the DNS Server:

   • Provide a DNS server for name resolution:

     dns-server 8.8.8.8
     

5. Verify the DHCP Configuration:

   • Check active leases:

     show ip dhcp binding
     

   • Display DHCP statistics:

     show ip dhcp pool
     

4.1.4 Advanced DHCP Scenarios

1. Setting Lease Time:

   • Configure how long a device can keep its assigned IP:

     lease 1 12
     

     • 1 12: 1 day and 12 hours.

2. DHCP Relay:

   • Used when the DHCP server is on a different subnet.

   • Enable DHCP relay on the router:

     interface GigabitEthernet0/1
     ip helper-address 192.168.2.1
     

     • 192.168.2.1: The IP of the DHCP server.

Part 2: NAT (Network Address Translation)

4.2 What is NAT?

NAT translates private IP addresses (used within a local network) into public IP addresses (used for internet communication). It’s essential for conserving public IP addresses and hiding internal network details.

4.2.1 Why Use NAT?

1. Private IPs Are Not Routable:

   • Devices with private IPs (e.g., 192.168.x.x) cannot directly communicate with the internet.

2. Public IP Conservation:

   • NAT allows multiple devices to share a single public IP.

3. Enhanced Security:

   • NAT hides internal IP addresses from external networks.

4.2.2 Types of NAT

1. Static NAT:

   • One-to-one mapping between private and public IP addresses.
   • Example:
     • Internal: 192.168.1.10 → Public: 203.0.113.10.

2. Dynamic NAT:

   • A pool of public IPs is used for translation.
   • Example:
     • Pool: 203.0.113.10 - 203.0.113.20.

3. PAT (Port Address Translation):

   • Maps multiple private IPs to a single public IP using unique port numbers.
   • Example:
     • 192.168.1.10:12345 → 203.0.113.10:54321.

4.2.3 NAT Configuration Examples

Static NAT:

1. Map a private IP to a public IP:

   ip nat inside source static 192.168.1.10 203.0.113.10
   

Dynamic NAT:

1. Define a pool of public IPs:

   ip nat pool MY_POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
   

2. Specify which private IPs can use the pool:

   access-list 1 permit 192.168.1.0 0.0.0.255
   ip nat inside source list 1 pool MY_POOL
   

PAT:

1. Configure PAT to use a single public IP:

   ip nat inside source list 1 interface GigabitEthernet0/1 overload
   

4.2.4 Verifying NAT

• Show active translations:

  show ip nat translations
  

• Display NAT statistics:

  show ip nat statistics
  

Part 3: Access Control Lists (ACLs)

4.3 What is an ACL?

An Access Control List (ACL) is a set of rules applied to a network interface to allow or deny specific traffic. These rules filter traffic based on criteria such as:

• Source IP Address
• Destination IP Address
• Port Number
• Protocol (e.g., TCP, UDP)

4.3.1 Why Use ACLs?

1. Improve Security:
   • Prevent unauthorized access to sensitive resources.
2. Control Traffic Flow:
   • Limit bandwidth usage or block specific types of traffic.
3. Network Segmentation:
   • Control communication between subnets or VLANs.

4.3.2 Types of ACLs

1. Standard ACLs:

   • Filter traffic based only on the source IP address.
   • Best Practice: Place as close to the destination as possible to avoid unnecessary filtering.

2. Extended ACLs:

   • Filter traffic based on source and destination IPs, port numbers, and protocols.
   • Best Practice: Place as close to the source as possible to prevent unwanted traffic from traversing the network.

4.3.3 ACL Configuration Examples

Standard ACL Example:

1. Permit traffic from 192.168.1.0/24:

   access-list 10 permit 192.168.1.0 0.0.0.255
   

2. Apply the ACL to an interface:

   interface GigabitEthernet0/0
   ip access-group 10 in
   

   • Direction:
     • In: Filters traffic entering the interface.
     • Out: Filters traffic leaving the interface.

Extended ACL Example:

1. Permit HTTP traffic from 192.168.1.0/24 to 192.168.2.0/24:

   access-list 100 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 80
   

2. Apply the ACL:

   interface GigabitEthernet0/1
   ip access-group 100 in
   

Named ACLs:

1. Create a named ACL for better manageability:

   ip access-list extended WEB_FILTER
   permit tcp 192.168.1.0 0.0.0.255 any eq 80
   deny tcp any any
   

2. Apply the named ACL:

   interface GigabitEthernet0/2
   ip access-group WEB_FILTER in
   

4.3.4 Verifying ACLs

• Display all configured ACLs:

  show access-lists
  

• Check which ACL is applied to an interface:

  show running-config | include access-group
  

Part 4: Quality of Service (QoS)

4.4 What is QoS?

QoS manages network bandwidth by prioritizing traffic to ensure critical services (e.g., voice, video) receive sufficient resources. This prevents issues like jitter, latency, and packet loss in real-time applications.

4.4.1 Why Use QoS?

1. Prioritize Critical Traffic:
   • Voice-over-IP (VoIP) and video conferencing require low latency.
2. Avoid Congestion:
   • Prevent data-intensive tasks (e.g., file downloads) from degrading performance for critical services.
3. Ensure Reliability:
   • Provides a consistent experience for end users.

4.4.2 Key QoS Mechanisms

1. Classification:

   • Identifies traffic types (e.g., VoIP, web browsing) using attributes like IP addresses, port numbers, or protocols.

2. Marking:

   • Marks packets with priority levels using DSCP (Differentiated Services Code Point) or CoS (Class of Service) values.

3. Queueing and Scheduling:

   • Organizes traffic into queues and prioritizes packets based on their class.
   • Example: Prioritize voice traffic over file downloads.

4. Traffic Shaping and Policing:

   • Shaping: Delays excess packets to smooth traffic flow.
   • Policing: Drops packets that exceed the configured rate.

4.4.3 QoS Configuration Examples

Classification and Marking:

1. Identify and mark VoIP traffic:

   class-map VOIP
   match protocol rtp
   policy-map VOIP_POLICY
   class VOIP
   set dscp ef
   

Queueing and Scheduling:

1. Prioritize voice traffic:

   policy-map PRIORITY_POLICY
   class VOIP
   priority 1000
   

2. Apply the policy to an interface:

   interface GigabitEthernet0/0
   service-policy output PRIORITY_POLICY
   

Traffic Shaping:

1. Limit traffic to 1 Mbps:

   policy-map SHAPE_POLICY
   class WEB
   shape average 1000000
   

Traffic Policing:

1. Drop packets exceeding 500 Kbps:

   policy-map POLICE_POLICY
   class WEB
   police 500000 conform-action transmit exceed-action drop
   

4.4.4 Verifying QoS

• Check QoS policies applied to an interface:

  show policy-map interface GigabitEthernet0/0
  

• View DSCP markings:

  show running-config | include dscp
  

Summary of IP Services

Feature	Purpose	Key Concepts	Configuration Example
DHCP	Automates IP assignment for devices.	- DORA process: Discover, Offer, Request, Acknowledge.- Assigns IP, subnet mask, gateway, DNS server.	plaintext<br>ip dhcp pool MY_POOL<br>network 192.168.1.0 255.255.255.0<br>default-router 192.168.1.1<br>dns-server 8.8.8.8
NAT (Network Address Translation)	Translates private IPs to public IPs for internet access.	- Types: Static NAT, Dynamic NAT, PAT.- Conserves public IPs, adds security.	plaintext<br>ip nat inside source static 192.168.1.10 203.0.113.10<br>ip nat inside source list 1 pool MY_POOL
ACLs (Access Control Lists)	Filters traffic based on IP, port, or protocol.	- Types: Standard ACLs (source IP), Extended ACLs (source/destination IP, port, protocol).	plaintext<br>access-list 10 permit 192.168.1.0 0.0.0.255<br>ip access-group 10 in
QoS (Quality of Service)	Prioritizes important traffic to ensure smooth performance.	- Mechanisms: Classification, Marking (DSCP), Queueing, Shaping, Policing.- Ensures voice/video priority.	plaintext<br>policy-map PRIORITY_POLICY<br>class VOICE<br>priority 1000<br>service-policy output PRIORITY_POLICY

IP Services (Additional Content)

1. DHCP (Dynamic Host Configuration Protocol) – Advanced Concepts

1.1 DHCP Snooping

DHCP Snooping is a Layer 2 security feature that protects the network from rogue DHCP servers distributing unauthorized IP addresses.

Key Features:

• Differentiates between trusted (e.g., uplinks to legitimate DHCP servers) and untrusted ports (e.g., user ports).

• Drops DHCP responses from untrusted sources.

• Maintains a DHCP binding table that records MAC, IP, lease time, and interface.

Configuration Example:

ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/1
 ip dhcp snooping trust

1.2 DHCP Lease Renewal: T1 and T2 Timers

The DHCP lease process includes two key renewal stages:

• T1 Timer (50% of lease time): Client attempts renewal with original DHCP server.

• T2 Timer (87.5% of lease time): If T1 fails, client broadcasts to any DHCP server.

Use Case in Exams: Identify when a client will attempt to contact other servers after initial renewal fails.

1.3 DHCP Security Threats and Countermeasures

• DHCP Starvation Attack: Flooding the DHCP server with fake requests to exhaust IP addresses.

• MAC/IP Spoofing: Pretending to be another device to get a specific lease or access control.

Countermeasures:

• DHCP Snooping + Port Security (limit MAC addresses per port)

• Rate limiting on untrusted interfaces

1.4 DHCPv6 Overview

In IPv6, DHCP has two modes:

• Stateful DHCPv6: Similar to IPv4; server assigns full address and info.

• Stateless DHCPv6: Devices generate their own IPs using SLAAC, and DHCP only provides extra info (e.g., DNS).

Router Advertisement controls which mode is used.

2. NAT (Network Address Translation) – Expanded Coverage

2.1 Inside/Outside Interface Role

When configuring NAT, you must define traffic direction:

interface GigabitEthernet0/0
 ip nat inside

interface GigabitEthernet0/1
 ip nat outside

This tells the router which interface faces the private and which faces the public network.

2.2 PAT vs. Overloading

PAT (Port Address Translation) = NAT Overload

• Allows multiple private IPs to share a single public IP.

• Distinguishes sessions using port numbers.

Example:

ip nat inside source list 1 interface GigabitEthernet0/1 overload

2.3 NAT and VPN Conflicts

NAT modifies IP headers, which may break IPsec VPN tunnels by altering authenticated data.

Solution: Use NAT Traversal (NAT-T), which encapsulates IPsec in UDP packets to preserve integrity.

2.4 Port Forwarding (Static NAT with Port Mapping)

Exposes an internal service (e.g., web server) to the internet.

Example:

ip nat inside source static tcp 192.168.1.100 80 interface GigabitEthernet0/1 8080

This maps external port 8080 to internal server at 192.168.1.100:80.

3. ACLs (Access Control Lists) – Critical Concepts

3.1 Implicit Deny All

All ACLs end with an invisible deny all rule, meaning:

deny ip any any

If no permit rule matches, traffic is denied by default — a common exam trick.

3.2 Encrypted Traffic Limitations

ACLs cannot inspect encrypted payloads (e.g., VPN or SSL/TLS content), as they match on IPs, ports, and protocols — not application data.

3.3 ACL Placement Rules

• Standard ACLs: Place close to the destination (filters only by source IP).

• Extended ACLs: Place close to the source (filters by source, destination, and port).

Example:

To block HTTP from 192.168.1.0/24 to 10.0.0.0/24:

access-list 100 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq 80

Apply inbound on a source-facing interface to avoid wasting bandwidth.

3.4 access-class for Management Plane

Restrict Telnet/SSH access to specific hosts:

line vty 0 4
 access-class 10 in

4. QoS (Quality of Service) – Advanced Features

4.1 Priority vs. Bandwidth Commands

• priority:

  • Assigns strict priority queue

  • Ideal for voice (VoIP)

  • Risk: starving other queues

• bandwidth:

  • Allocates guaranteed bandwidth

  • Used for less time-sensitive traffic

Example Use:

class-map VOICE
 match ip dscp ef

policy-map QOS_POLICY
 class VOICE
  priority 1000
 class OTHER
  bandwidth 2000

4.2 Common DSCP Values

• EF (Expedited Forwarding): dscp ef – Used for VoIP (High priority)

• AF (Assured Forwarding): e.g., af31 – Used for video or business-critical data

• BE (Best Effort): Default traffic with no priority

4.3 Multi-Class QoS Example

Handling mixed traffic types in a single policy:

class-map VOICE
 match ip dscp ef

class-map WEB
 match protocol http

policy-map ENTERPRISE_POLICY
 class VOICE
  priority 1000
 class WEB
  bandwidth 500
 class class-default
  fair-queue

This shows how different traffic is classified and shaped — typical on exams.

4.4 Verifying QoS: Output Interpretation

Command:

show policy-map interface GigabitEthernet0/0

Key Fields:

• Matched Packets/Bytes: Indicates traffic volume

• Drops: Congestion or policing effects

• Rate: Current bandwidth usage

Summary of Key Additions

• DHCP Snooping secures DHCP from rogue servers

• PAT = NAT Overload, mapping multiple devices to one public IP

• ACLs obey "implicit deny all" — crucial to remember

• QoS uses priority for VoIP, bandwidth for general traffic

• DSCP values must be matched correctly to traffic types

• access-class restricts management access, not just data plane