5 ip services dhcp acls nat snmp syslog
Post on 21-Jul-2016
Rick Graziani graziani@cabrillo.edu
BOOTP and DHCP differences
There are two primary differences between DHCP and BOOTP:
• DHCP defines mechanisms through which clients can be assigned an IP address for a finite lease period.
  – This lease period allows for reassignment of the IP address to another client later, or for the client to get another assignment if the client moves to another subnet.
  – Clients may also renew leases and keep the same IP address.
• DHCP provides the mechanism for a client to gather other IP configuration parameters, such as WINS and domain name.
Major DHCP features
Dynamic Host Configuration Protocol (DHCP)
DHCP Relay
• DHCP clients use IP broadcasts to find the DHCP server on the segment.
• What happens when the server and the client are not on the same segment and are separated by a router?
  – Routers do not forward these broadcasts.
• When possible, administrators should use the ip helper-address command to relay broadcast requests for these key UDP services.
Using helper addresses
Configuring IP helper addresses
To configure RTA e0, the interface that receives the Host A broadcasts, to relay DHCP broadcasts as a unicast to the DHCP server, use the following commands:
RTA(config)#interface e0
RTA(config-if)#ip helper-address 172.24.1.9
Configuring IP helper addresses
Helper address configuration that relays broadcasts to all servers on the segment:
RTA(config)#interface e0
RTA(config-if)#ip helper-address 172.24.1.255
But will RTA forward the broadcast? Only if e3, the interface on the server-farm segment, is allowed to turn the directed broadcast 172.24.1.255 into a Layer 2 broadcast:
RTA(config)#interface e3
RTA(config-if)#ip directed-broadcast
Configuring IP helper addresses
By default, the ip helper-address command forwards eight UDP services: Time (37), TACACS (49), DNS (53), BOOTP/DHCP server (67), BOOTP/DHCP client (68), TFTP (69), NetBIOS name service (137) and NetBIOS datagram service (138). Further UDP ports are relayed with the global command ip forward-protocol udp <port>, and ports that are not needed are removed with no ip forward-protocol udp <port>. Relay only the services the servers actually provide: every relayed port turns a local broadcast into traffic aimed at the server segment.
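The relay behaviour described above, modelled as an added example (this is not code from the slides): a DHCPDISCOVER broadcast arrives on RTA e0, and the router forwards one unicast copy per helper address, setting giaddr to the receiving interface's address and incrementing hops as an RFC 1542 relay agent does, while broadcasts to ports outside the default set are dropped. The packet layout is the fixed RFC 2131 header; the e0 address 172.24.2.1, the client MAC and the transaction ID are constructed assumptions.

```python
"""Model of what a router does with a DHCP client broadcast once
ip helper-address is configured on the receiving interface.

Added example, not code from the original slides. Packet layout: fixed
BOOTP/DHCP header of RFC 2131. Relay behaviour: RFC 1542 (giaddr set to the
receiving interface if still zero, hops incremented, hop limit 16). The port
set is the IOS default forwarded by ip helper-address. The interface address
172.24.2.1, client MAC and xid used in the usage below are constructed.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# UDP ports relayed by default once ip helper-address is configured (IOS default set)
DEFAULT_FORWARDED_UDP_PORTS = {37, 49, 53, 67, 68, 69, 137, 138}
BROADCAST = "255.255.255.255"
MAX_HOPS = 16                      # RFC 1542: discard requests whose hops field exceeds 16

# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
DHCP_FIXED_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"
HEADER_LEN = struct.calcsize(DHCP_FIXED_HEADER)   # 236 bytes
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HOPS, GIADDR = 3, 10               # indexes of the fields the relay rewrites


@dataclass
class Datagram:
    """The parts of a UDP/IP datagram the relay decision depends on."""
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


def build_discover(xid: int, client_mac: bytes) -> bytes:
    """Minimal DHCPDISCOVER: BOOTREQUEST, Ethernet hardware address, all address
    fields zero, broadcast flag set, option 53 = 1 (DISCOVER), then END."""
    header = struct.pack(
        DHCP_FIXED_HEADER,
        1, 1, 6, 0, xid, 0, 0x8000,
        bytes(4), bytes(4), bytes(4), bytes(4),
        client_mac.ljust(16, b"\x00"), bytes(64), bytes(128),
    )
    return header + MAGIC_COOKIE + bytes([53, 1, 1, 255])


def hops_of(payload: bytes) -> int:
    return struct.unpack(DHCP_FIXED_HEADER, payload[:HEADER_LEN])[HOPS]


def giaddr_of(payload: bytes) -> str:
    return str(IPv4Address(struct.unpack(DHCP_FIXED_HEADER, payload[:HEADER_LEN])[GIADDR]))


def relay(dgram: Datagram, in_iface_ip: str, helpers: list) -> list:
    """Return the unicast copies the router sends towards each helper address,
    or [] when the datagram is not a broadcast to one of the forwarded ports
    (or the DHCP hop limit is exceeded), i.e. the router drops it."""
    if dgram.dst_ip != BROADCAST or dgram.dst_port not in DEFAULT_FORWARDED_UDP_PORTS:
        return []
    payload = dgram.payload
    if dgram.dst_port in (67, 68) and len(payload) >= HEADER_LEN:
        fields = list(struct.unpack(DHCP_FIXED_HEADER, payload[:HEADER_LEN]))
        if fields[HOPS] > MAX_HOPS:
            return []
        fields[HOPS] += 1
        if fields[GIADDR] == bytes(4):         # first relay: record the client's subnet
            fields[GIADDR] = IPv4Address(in_iface_ip).packed
        payload = struct.pack(DHCP_FIXED_HEADER, *fields) + payload[HEADER_LEN:]
    # One unicast copy per helper, sourced from the receiving interface so the
    # server's reply comes back to this router and then to the client's segment.
    return [Datagram(in_iface_ip, helper, dgram.dst_port, payload) for helper in helpers]


if __name__ == "__main__":
    disc = build_discover(0x3903F326, bytes.fromhex("001122334455"))   # constructed client
    for copy in relay(Datagram("0.0.0.0", BROADCAST, 67, disc), "172.24.2.1", ["172.24.1.9"]):
        print(copy.src_ip, "->", copy.dst_ip, "giaddr", giaddr_of(copy.payload), "hops", hops_of(copy.payload))
```

The giaddr value is what lets the DHCP server pick a scope for the client's subnet, so a relay that forwards from the wrong interface hands out addresses from the wrong pool; the port check is why a helper address does not also relay arbitrary UDP broadcasts.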
Directed Broadcast
• Notice that the RTA interface e3, which connects to the server farm, is not configured with helper addresses.
• However, the output shows that for this interface, directed broadcast forwarding is disabled.
• This means that the router will not convert the logical broadcast 172.24.1.255 into a physical broadcast with a Layer 2 address of FF-FF-FF-FF-FF-FF.
• To allow all the nodes in the server farm to receive the broadcasts at Layer 2, e3 will need to be configured to forward directed broadcasts with the following command:
RTA(config)#interface e3
RTA(config-if)#ip directed-broadcast
• Directed broadcast forwarding is off by default (since IOS 12.0) because a router that expands directed broadcasts into Layer 2 broadcasts can be used as an amplifier in Smurf-style floods. Enable it only on the interface that needs it, and limit it with the optional access-list argument (ip directed-broadcast <acl>) so that only the relayed helper traffic is expanded. Pointing the helper at a single server address, as with 172.24.1.9 above, avoids the need altogether.
ACCESS CONTROL LISTs
                     Standard ACL                          Extended ACL
Range                1-99 (expanded range 1300-1999)       100-199 (expanded range 2000-2699)
Scope                General                               Specific
Matches on           Source address only                   Source and destination address (plus protocol and ports)
Placement            Applied close to the destination      Applied close to the source
Protocol filtering   Filters the complete protocol suite   Can filter one protocol out of the complete protocol suite
Both kinds are evaluated top to bottom, the first matching entry decides, and every list ends in an implicit deny any.
C(config)#access-list 10 deny 2.1.1.1 0.0.0.0
C(config)#access-list 10 permit any
C(config)#interface serial 1/0
C(config-if)#ip access-group 10 in

B(config)#access-list 101 deny tcp 200.100.100.1 0.0.0.0 200.100.150.100 0.0.0.0 eq telnet
B(config)#access-list 101 permit ip any any
B(config)#interface serial 1/0
B(config-if)#ip access-group 101 out
Exercise: create a named standard ACL on R2 that denies packets sourced by host 1.1.1.1 and apply the list to fa 0/0.
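To make the first-match and implicit-deny rules of the table above concrete, here is an added example (not code from the slides) that parses the numbered standard and extended syntax used on this page, plus the named-list form of the exercise (ip access-list standard NAME / deny host ...), and evaluates constructed packets against it. It handles only the protocol keywords ip/tcp/udp/icmp and the eq port operator; the port-name table and the packets are assumptions for the example.

```python
"""IOS access-list semantics in Python: entries are tried top to bottom, the
first match decides, a wildcard-mask bit of 0 means "must match", and a packet
that reaches the end of the list hits the implicit deny.

Added example, not code from the original slides. Supports 'access-list N ...'
lines and named lists; only ip/tcp/udp/icmp and 'eq' ports are handled, and
the packets below are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53, "ftp": 21}
ANY = (0, 0xFFFFFFFF)                       # 0.0.0.0 with wildcard 255.255.255.255


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"                       # ip, tcp, udp or icmp
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str                             # permit or deny
    proto: str
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    sport: Optional[int]
    dport: Optional[int]


def _is_ip(token: str) -> bool:
    try:
        IPv4Address(token)
        return True
    except ValueError:
        return False


def _addr(tokens: List[str], wildcard_required: bool):
    """Consume 'any' | 'host A' | 'A W' | 'A' (the last only in standard lists,
    where a missing wildcard means 0.0.0.0). Returns (addr, wildcard, rest)."""
    if tokens[0] == "any":
        return ANY[0], ANY[1], tokens[1:]
    if tokens[0] == "host":
        return int(IPv4Address(tokens[1])), 0, tokens[2:]
    addr, rest = int(IPv4Address(tokens[0])), tokens[1:]
    if rest and _is_ip(rest[0]):
        return addr, int(IPv4Address(rest[0])), rest[1:]
    if wildcard_required:
        raise ValueError(f"wildcard mask required after {tokens[0]}")
    return addr, 0, rest


def _port(tokens: List[str]):
    """Consume an optional 'eq <port|name>'. Returns (port or None, rest)."""
    if tokens[:1] == ["eq"]:
        return PORT_NAMES.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return None, tokens


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse numbered or named ACL lines; remarks and the header are skipped."""
    entries = []
    for line in lines:
        tok = line.split()
        if not tok or tok[0] == "remark" or tok[:2] == ["ip", "access-list"]:
            continue
        if tok[0] == "access-list":
            tok = tok[2:]                   # drop 'access-list <number>'
        if tok[0].isdigit():
            tok = tok[1:]                   # drop a sequence number in a named list
        action, tok = tok[0], tok[1:]
        if tok[0] in ("ip", "tcp", "udp", "icmp"):        # extended entry
            proto, tok = tok[0], tok[1:]
            src, sw, tok = _addr(tok, wildcard_required=True)
            sport, tok = _port(tok)
            dst, dw, tok = _addr(tok, wildcard_required=True)
            dport, tok = _port(tok)
        else:                                              # standard entry: source only
            proto = "ip"
            src, sw, tok = _addr(tok, wildcard_required=False)
            dst, dw, sport, dport = ANY[0], ANY[1], None, None
        entries.append(Entry(action, proto, src, sw, dst, dw, sport, dport))
    return entries


def _matches(addr: int, entry_addr: int, wild: int) -> bool:
    """Wildcard compare: only the bits where the mask is 0 are significant."""
    care = ~wild & 0xFFFFFFFF
    return addr & care == entry_addr & care


def evaluate(entries: List[Entry], pkt: Packet) -> str:
    """Return 'permit' or 'deny'; no matching entry means the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not _matches(int(IPv4Address(pkt.src)), e.src, e.src_wild):
            continue
        if not _matches(int(IPv4Address(pkt.dst)), e.dst, e.dst_wild):
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"
```

Swapping the two lines of ACL 10 (permit any first) silently hides the deny, and a list that contains only permits still drops everything else because of the implicit deny; both are common misconfigurations that the evaluator reproduces.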
Static NAT
R1(config)#interface serial 1/0
R1(config-if)#ip nat outside
R1(config)#interface fastethernet 0/0
R1(config-if)#ip nat inside
R1(config)#ip nat inside source static 192.168.1.5 12.1.1.3
NAT is not a packet filter: a static translation makes 192.168.1.5 reachable from the outside at 12.1.1.3 for any unsolicited inbound traffic, so the outside interface still needs an access list. Verify the entries with show ip nat translations.
Dynamic NAT
R1(config)#access-list 10 permit host 192.168.1.5
R1(config)#access-list 10 permit host 192.168.1.6
R1(config)#access-list 10 permit host 192.168.1.7
R1(config)#access-list 10 permit host 192.168.1.8
R1(config)#ip nat pool ABC 12.1.1.3 12.1.1.5 netmask 255.0.0.0
R1(config)#ip nat inside source list 10 pool ABC
R1(config)#interface serial 1/0
R1(config-if)#ip nat outside
R1(config)#interface fastethernet 0/0
R1(config-if)#ip nat inside
The pool holds three addresses for four permitted hosts: the fourth host to send traffic gets no translation, and its packets are dropped, until one of the dynamic entries times out.
Secondary addresses configured on fa 0/0:
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 192.168.1.6 255.255.255.0 secondary
R1(config-if)#ip address 192.168.1.7 255.255.255.0 secondary
R1(config-if)#ip address 192.168.1.8 255.255.255.0 secondary
PORT ADDRESS TRANSLATION (PAT) OVERLOADING
R1(config)#access-list 10 permit host 192.168.1.5
R1(config)#access-list 10 permit host 192.168.1.6
R1(config)#access-list 10 permit host 192.168.1.7
R1(config)#access-list 10 permit host 192.168.1.8
R1(config)#ip nat pool ABC 12.1.1.3 12.1.1.3 netmask 255.0.0.0
R1(config)#ip nat inside source list 10 pool ABC overload
R1(config)#interface serial 1/0
R1(config-if)#ip nat outside
R1(config)#interface fastethernet 0/0
R1(config-if)#ip nat inside
With overload, the single pool address 12.1.1.3 is shared by all four hosts; the translated source port tells their flows apart. The pool can be dropped entirely by overloading the outside interface's own address: ip nat inside source list 10 interface serial 1/0 overload.
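The three NAT configurations above (static, dynamic pool, pool with overload) as an added example in Python, not code from the slides: a translation table that answers the questions a practitioner checks with show ip nat translations, namely what a fourth host gets from a three-address pool, how two inside hosts using the same source port share one PAT address, and which inbound packets have no translation and are dropped. The inside hosts, ports and flows are constructed, and port allocation is simplified (the original port is kept if free on the outside address, otherwise the next free port from 1024).

```python
"""Inside-source NAT as configured on the slides, modelled as a translation
table: a static 1:1 entry, a dynamic pool handing one outside address to each
inside host until the pool runs out, and the same pool with "overload" (PAT),
where one outside address is shared by rewriting source ports.

Added example, not code from the original slides. Hosts, ports and flows are
constructed; port allocation is simplified (keep the original port if it is
free on the outside address, otherwise the next free one from 1024 upwards).
"""
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int]   # (ip address, port)


class InsideSourceNat:
    def __init__(self, pool: List[str], overload: bool = False,
                 static: Optional[Dict[str, str]] = None):
        self.pool = list(pool)
        self.overload = overload
        self.static = dict(static or {})              # inside ip -> outside ip, never ages out
        self.addr_map: Dict[str, str] = {}            # dynamic: inside ip -> outside ip
        self.port_map: Dict[Flow, Flow] = {}          # PAT: (inside ip, port) -> (outside ip, port)

    def _free_port(self, out_ip: str, wanted: int) -> int:
        used = {p for (ip, p) in self.port_map.values() if ip == out_ip}
        if wanted not in used:
            return wanted
        port = 1024
        while port in used:
            port += 1
        return port

    def outbound(self, inside_ip: str, inside_port: int) -> Optional[Flow]:
        """Translate a packet leaving the inside interface. None means no
        translation could be made, so the router drops the packet."""
        if inside_ip in self.static:                  # a static entry always wins
            return self.static[inside_ip], inside_port
        key = (inside_ip, inside_port)
        if self.overload:
            if key not in self.port_map:
                out_ip = self.pool[0]
                self.port_map[key] = (out_ip, self._free_port(out_ip, inside_port))
            return self.port_map[key]
        if inside_ip not in self.addr_map:            # dynamic: one address per host
            free = [a for a in self.pool if a not in self.addr_map.values()]
            if not free:
                return None                           # pool exhausted
            self.addr_map[inside_ip] = free[0]
        return self.addr_map[inside_ip], inside_port

    def inbound(self, outside_ip: str, outside_port: int) -> Optional[Flow]:
        """Reverse lookup for traffic arriving on the outside interface. None
        means no translation exists and the router drops the packet."""
        for inside, outside in self.port_map.items():
            if outside == (outside_ip, outside_port):
                return inside
        for inside_ip, out_ip in list(self.static.items()) + list(self.addr_map.items()):
            if out_ip == outside_ip:
                return inside_ip, outside_port
        return None


if __name__ == "__main__":
    pat = InsideSourceNat(pool=["12.1.1.3"], overload=True)
    for host in ("192.168.1.5", "192.168.1.6", "192.168.1.7"):   # constructed inside hosts
        print(host, 50000, "->", pat.outbound(host, 50000))
    print("unsolicited inbound to 12.1.1.3:7777 ->", pat.inbound("12.1.1.3", 7777))
```

Note the asymmetry the tests make explicit: a static entry answers inbound traffic that no inside host ever initiated, whereas a PAT address only answers ports that currently have a translation. Neither is access control; the access list on the outside interface is.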
Network Management Tools: Syslog, SNMP & NetFlow
• Syslog is a standard for logging program messages. It sends messages to a syslog server on port 514, over UDP (the default) or TCP. It separates the software that generates messages from the system that stores them and from the software that reports on and analyzes them, and it gives devices that have no other management channel a way to notify administrators of problems or performance. Plain UDP syslog has no authentication or integrity protection: messages can be spoofed, altered or silently lost, so keep the log host on a protected segment and use syslog over TLS (RFC 5425) where the devices support it.
• SNMP is a set of protocols for managing complex networks. It uses UDP as its transport (port 161 for requests to agents, 162 for traps). SNMP-capable devices store information about themselves in Management Information Bases (MIBs) and return the stored data to SNMP requesters. SNMPv1 and v2c authenticate with a community string sent in clear text, and a read-write community is a full configuration channel; prefer SNMPv3 with authentication and privacy, and restrict which managers may query the agent with an access list.
Router Logging
Configure the router to send log messages to:
• Console: Console logging is used when modifying or testing the router while it is connected to the console. Messages sent to the console are not stored by the router and, therefore, are not very valuable as security events.
• Terminal lines: Configure enabled EXEC sessions to receive log messages on any terminal lines. Similar to console logging, this type of logging is not stored by the router and, therefore, is only valuable to the user on that line.
Implementing Router Logging
• Buffered logging: Store log messages in router memory. Log messages are stored for a time, but events are cleared whenever the router is rebooted.
• Syslog: Configure routers to forward log messages to an external syslog service. This service can reside on any number of servers, including Microsoft Windows and UNIX-based systems, or the Cisco Security MARS appliance.
Router Logging
Syslog - Mechanism
• Syslog servers: Known as log hosts, these systems accept and process log messages from syslog clients.
• Syslog clients: Routers or other types of equipment that generate and forward log messages to syslog servers.
Figure: syslog topology. R3 (syslog client) has e0/0 10.2.1.1, e0/1 10.2.2.1 on the DMZ LAN 10.2.2.0/24 (public web server 10.2.2.3, mail server 10.2.2.4, administrator server 10.2.2.5) and e0/2 10.2.3.1 on the protected LAN 10.2.3.0/24 (user 10.2.3.3, syslog server 10.2.3.2).
Configuring System Logging
R3(config)#logging 10.2.2.6
R3(config)#logging trap informational
R3(config)#logging source-interface loopback 0
R3(config)#logging on
1. Set the destination logging host
2. Set the log severity (trap) level: informational (6) forwards severities 0-6 and withholds debugging (7)
3. Set the source interface, so the log host sees one stable address for the router regardless of the egress interface
4. Enable logging
Turn each destination on and off with logging buffered (memory buffer), logging monitor (terminal lines) and logging <host> (syslog server); confirm the result with show logging.
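What the log host receives from the configuration above, as an added example in Python (not code from the slides): the <PRI> prefix of each UDP 514 message encodes facility*8 + severity (RFC 3164; Cisco routers use facility local7 = 23 by default), the %FACILITY-SEVERITY-MNEMONIC token names the event, and the trap-level filter reproduces what logging trap informational does on the router. A small detection at the end counts failed logins per source address. The four sample lines, with their addresses and user names, are constructed for the example.

```python
"""Cisco syslog lines as they arrive at a log host, parsed in Python.

Added example, not code from the original slides. <PRI> = facility*8 +
severity (RFC 3164); Cisco defaults to facility local7 (23). The trap-level
check mirrors "logging trap <level>": only severities <= the level are
forwarded. The SAMPLE lines are constructed (service sequence-numbers and
service timestamps log datetime msec style); nothing in them is from the page.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
LOCAL7 = 23

PRI_RE = re.compile(r"^<(\d{1,3})>")
MSG_RE = re.compile(r"%(?P<component>[A-Z][A-Z0-9_]*(?:-[A-Z][A-Z0-9_]*)?)"
                    r"-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)")
FAILED_SRC_RE = re.compile(r"\[Source: (\d+\.\d+\.\d+\.\d+)\]")


def encode_pri(facility: int, severity: int) -> int:
    return facility * 8 + severity


def decode_pri(pri: int):
    return pri // 8, pri % 8


def parse_line(line: str) -> Optional[Dict]:
    """Fields of one syslog line, or None if it carries no %COMPONENT-SEV-MNEMONIC token."""
    msg = MSG_RE.search(line)
    if not msg:
        return None
    pri = PRI_RE.match(line)
    facility = decode_pri(int(pri.group(1)))[0] if pri else LOCAL7
    return {"facility": facility, "component": msg.group("component"),
            "severity": int(msg.group("severity")), "mnemonic": msg.group("mnemonic"),
            "text": msg.group("text")}


def forwarded(lines: List[str], trap_level: str = "informational") -> List[Dict]:
    """Messages that pass the router's logging trap threshold (lower number = more severe)."""
    limit = SEVERITY[trap_level]
    out = []
    for line in lines:
        m = parse_line(line)
        if m and m["severity"] <= limit:
            out.append(m)
    return out


def failed_logins_by_source(messages: List[Dict]) -> Dict[str, int]:
    """Count %SEC_LOGIN-4-LOGIN_FAILED events per source address."""
    counts: Counter = Counter()
    for m in messages:
        if m["mnemonic"] == "LOGIN_FAILED":
            src = FAILED_SRC_RE.search(m["text"])
            if src:
                counts[src.group(1)] += 1
    return dict(counts)


SAMPLE = [  # constructed lines in the format a Cisco router emits
    "<189>41: *Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by vty0 (10.2.3.3)",
    "<188>42: *Mar  1 00:13:01.101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] "
    "[Source: 10.2.3.3] [localport: 22] [Reason: Login Authentication Failed] at 00:13:01 UTC Mon Mar 1 1993",
    "<188>43: *Mar  1 00:13:04.220: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] "
    "[Source: 10.2.3.3] [localport: 22] [Reason: Login Authentication Failed] at 00:13:04 UTC Mon Mar 1 1993",
    "<191>44: *Mar  1 00:13:05.000: %SYS-7-USERLOG_DEBUG: Message from tty2(user id: admin): test",
]

if __name__ == "__main__":
    kept = forwarded(SAMPLE, "informational")
    for m in kept:
        print(m["severity"], m["component"], m["mnemonic"], m["text"][:40])
    print("failed logins:", failed_logins_by_source(kept))
```

The debugging line never reaches the server at the informational level, which is the intended behaviour, but it also means that raising the trap level during troubleshooting floods the log host; the CONFIG_I and LOGIN_FAILED events are the ones worth alerting on from a security standpoint.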
SNMP ARCHITECTURE
Capturing Running-Configurations & comparing using Ultra-Edit Software
                    SNMP                                               NetFlow
Both gather statistics from network devices.
What is collected   Device statistics (e.g. CPU usage, memory usage,   Traffic statistics (information about the IP traffic
                    interface errors); the primary focus is on          flowing through the device); only traffic statistics
                    statistics from components within the device        are gathered
Model               Pull: the NMS queries the SNMP agents               Push: devices send data to the collector
Granularity         Less granular                                       More granular
Availability        All enterprise network devices                      Routers and high-end switches