6.3 Configure, verify, and troubleshoot IPv4 and IPv6 access list for traffic filtering

IPv4 ACLs

6.3.a Standard

[Topology screenshot]

Using the above topology, we will use standard ACLs (numbered 1-99, matching on source address only) to filter traffic. Relying on the implicit “deny” at the end of each ACL reduces the number of entries needed.

On R1:

interface GigabitEthernet1/0
 ip address 10.0.0.1 255.255.255.0
 ip access-group 1 out
 negotiation auto
!
interface GigabitEthernet2/0
 ip address 10.0.1.1 255.255.255.0
 ip access-group 2 out
 negotiation auto
!
access-list 1 permit 192.168.122.0 0.0.0.255 log
access-list 2 permit 10.0.2.0 0.0.0.255 log
!

To verify, use pings and extended pings:

BANKING> ping 10.0.0.2   
*10.0.1.1 icmp_seq=1 ttl=255 time=9.955 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.1.1 icmp_seq=2 ttl=255 time=3.232 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.1.1 icmp_seq=3 ttl=255 time=2.574 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.1.1 icmp_seq=4 ttl=255 time=2.354 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.1.1 icmp_seq=5 ttl=255 time=1.745 ms (ICMP type:3, code:13, Communication administratively prohibited)

DEVOPS> ping 10.0.0.2 
*10.0.2.1 icmp_seq=1 ttl=255 time=9.813 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.2.1 icmp_seq=2 ttl=255 time=2.622 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.2.1 icmp_seq=3 ttl=255 time=11.419 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.2.1 icmp_seq=4 ttl=255 time=10.533 ms (ICMP type:3, code:13, Communication administratively prohibited)
*10.0.2.1 icmp_seq=5 ttl=255 time=2.351 ms (ICMP type:3, code:13, Communication administratively prohibited)

router#ping
Protocol [ip]: 
Target IP address: 10.0.0.2
Repeat count [5]: 
Datagram size [100]: 
Timeout in seconds [2]: 
Extended commands [n]: y
Source address or interface: GigabitEthernet0/0
Type of service [0]: 
Set DF bit in IP header? [no]: 
Validate reply data? [no]: 
Data pattern [0xABCD]: 
Loose, Strict, Record, Timestamp, Verbose[none]: 
Sweep range of sizes [n]: 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.122.180 
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/266/1040 ms
router#

6.3.b Extended

Extended access lists are numbered in the range <100-199>.

Extended ACLs allow matching on the destination address and the protocol as well as the source address. The protocol options are:

<0-255>       An IP protocol number
  ahp           Authentication Header Protocol
  eigrp         Cisco's EIGRP routing protocol
  esp           Encapsulation Security Payload
  gre           Cisco's GRE tunneling
  icmp          Internet Control Message Protocol
  igmp          Internet Gateway Message Protocol
  ip            Any Internet Protocol
  ipinip        IP in IP tunneling
  nos           KA9Q NOS compatible IP over IP tunneling
  object-group  Service object group
  ospf          OSPF routing protocol
  pcp           Payload Compression Protocol
  pim           Protocol Independent Multicast
  tcp           Transmission Control Protocol
  udp           User Datagram Protocol

interface GigabitEthernet1/0
 ip address 10.0.0.1 255.255.255.0
 ip access-group 100 out
 negotiation auto
!
interface GigabitEthernet2/0
 ip address 10.0.1.1 255.255.255.0
 ip access-group 101 out
 negotiation auto
!
access-list 100 permit ip 192.168.122.0 0.0.0.255 host 10.0.0.2 log
access-list 101 permit ip 10.0.2.0 0.0.0.255 host 10.0.1.2 log
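The matching rules behind the two ACL configurations above, as an added example (not code from the post): it parses IOS numbered ACL lines, applies wildcard masks, and falls through to the implicit deny. The 10.0.1.10 source is a constructed address for the BANKING host; port qualifiers (eq, range) are not modelled.

```python
"""Evaluate IOS numbered ACLs (standard 1-99/1300-1999, extended 100-199/2000-2699) against packets.
Added example for this page: wildcard-mask matching, first-match semantics and the implicit deny."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = (0, 0xFFFFFFFF)            # network 0 with an all-ones wildcard matches every address


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _is_ip(s: str) -> bool:
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


@dataclass
class Entry:
    action: str               # permit | deny
    proto: str                # "ip" means any protocol; otherwise icmp, tcp, udp, ...
    src: Tuple[int, int]      # (network, wildcard)
    dst: Tuple[int, int]
    log: bool


def _parse_addr(tokens: List[str], i: int, wildcard_optional: bool) -> Tuple[Tuple[int, int], int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i]; return ((net, wc), next index)."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    net = _ip(tok)
    if i + 1 < len(tokens) and _is_ip(tokens[i + 1]):
        return (net, _ip(tokens[i + 1])), i + 2
    if wildcard_optional:
        return (net, 0), i + 1            # standard ACL: a bare address means one host
    raise ValueError(f"missing wildcard mask after {tok}")


def parse_line(line: str) -> Tuple[int, Entry]:
    tokens = line.split()
    if tokens[:1] != ["access-list"]:
        raise ValueError(f"not an access-list line: {line!r}")
    number, action = int(tokens[1]), tokens[2]
    log = tokens[-1] == "log"
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        src, _ = _parse_addr(tokens, 3, wildcard_optional=True)
        return number, Entry(action, "ip", src, ANY, log)   # standard: source only, any protocol
    proto = tokens[3]
    src, i = _parse_addr(tokens, 4, wildcard_optional=False)
    dst, _ = _parse_addr(tokens, i, wildcard_optional=False)
    return number, Entry(action, proto, src, dst, log)


def load(text: str) -> Dict[int, List[Entry]]:
    acls: Dict[int, List[Entry]] = {}
    for line in text.splitlines():
        if line.strip().startswith("access-list"):
            number, entry = parse_line(line.strip())
            acls.setdefault(number, []).append(entry)
    return acls


def _match(addr: int, net_wc: Tuple[int, int]) -> bool:
    net, wc = net_wc
    return (addr | wc) == (net | wc)      # wildcard 1-bits are "don't care"


def evaluate(entries: List[Entry], src: str, dst: str, proto: str = "ip") -> Tuple[str, Optional[int], bool]:
    """First matching entry wins. Returns (action, entry index or None for the implicit deny, log flag)."""
    s, d = _ip(src), _ip(dst)
    for idx, e in enumerate(entries):
        if e.proto != "ip" and e.proto != proto:
            continue
        if _match(s, e.src) and _match(d, e.dst):
            return e.action, idx, e.log
    return "deny", None, False


# The four ACLs from the R1 configurations above.
R1_ACLS = load("""
access-list 1 permit 192.168.122.0 0.0.0.255 log
access-list 2 permit 10.0.2.0 0.0.0.255 log
access-list 100 permit ip 192.168.122.0 0.0.0.255 host 10.0.0.2 log
access-list 101 permit ip 10.0.2.0 0.0.0.255 host 10.0.1.2 log
""")

if __name__ == "__main__":
    # 192.168.122.180 is the router's extended-ping source above; 10.0.1.10 is a constructed BANKING address.
    for acl, src, dst in [(1, "192.168.122.180", "10.0.0.2"), (1, "10.0.1.10", "10.0.0.2"),
                          (100, "192.168.122.180", "10.0.0.2"), (100, "192.168.122.180", "10.0.0.3")]:
        print(f"ACL {acl}: {src} -> {dst}: {evaluate(R1_ACLS[acl], src, dst, 'icmp')}")
```

The last two cases show the difference between the lists: standard ACL 1 permits 192.168.122.180 to any destination, while extended ACL 100 permits it only to host 10.0.0.2.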

6.3.c Named

Named ACLs work the same as the above, except that individual sequence numbers can be entered:

<1-2147483647>  Sequence Number
  default         Set a command to its defaults
  deny            Specify packets to reject
  dynamic         Specify a DYNAMIC list of PERMITs or DENYs
  evaluate        Evaluate an access list
  exit            Exit from access-list configuration mode
  no              Negate a command or set its defaults
  permit          Specify packets to forward
  remark          Access list entry comment
router(config)#ip access-list extended RULE1
router(config-ext-nacl)#1 permit ip 192.168.122.0 0.0.0.255 host 10.0.0.2 log

router(config)#ip access-list extended RULE2
router(config-ext-nacl)#1 permit ip 10.0.2.0 0.0.0.255 host 10.0.1.2 log

Individual entries can then be deleted by sequence number:

router(config)#ip access-list extended RULE1
router(config-ext-nacl)#no ?
  <1-2147483647>  Sequence Number
  deny            Specify packets to reject
  dynamic         Specify a DYNAMIC list of PERMITs or DENYs
  evaluate        Evaluate an access list
  permit          Specify packets to forward
  remark          Access list entry comment

router(config-ext-nacl)#no 1

IPv6 ACLs

According to Cisco: “With IPv4, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs. IPv6 supports only named ACLs.”

Here is the topology:

[Topology screenshot]

Here are the ACLs:

interface GigabitEthernet0/0
 ip address dhcp
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
 ipv6 address 2001:DB8:4::/48 eui-64
!
interface GigabitEthernet1/0
 no ip address
 negotiation auto
 ipv6 address 2001:DB8:1::/48 eui-64
 ipv6 traffic-filter RULE1 out
!
interface GigabitEthernet2/0
 no ip address
 negotiation auto
 ipv6 address 2001:DB8:2::/48 eui-64
 ipv6 traffic-filter RULE2 out
!
interface GigabitEthernet3/0
 no ip address
 negotiation auto
 ipv6 address 2001:DB8:3::/48 eui-64
!
ipv6 access-list RULE1
 permit ipv6 2001:DB8:4::/48 2001:DB8:1::/48 log
!
ipv6 access-list RULE2
 permit ipv6 2001:DB8:3::/48 2001:DB8:2::/48 log
!
control-plane

The steps to verify are as above. Adding the log keyword helps by showing when the ACL is triggered:

router#
*Dec 9 09:25:43.011: %IPV6_ACL-6-ACCESSLOGDP: list RULE2/10 permitted icmpv6 2001:DB8:3::1 -> 2001:DB8:2::1 (128/0), 1 packet

Ping commands will also return “prohibited” when attempting to reach ACL-restricted subnets:

DEVOPS> ping 2001:db8:1::1

*2001:db8:3:0:c801:12ff:fe77:54 icmp6_seq=1 ttl=64 time=18.509 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:db8:3:0:c801:12ff:fe77:54 icmp6_seq=2 ttl=64 time=9.367 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:db8:3:0:c801:12ff:fe77:54 icmp6_seq=3 ttl=64 time=9.834 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:db8:3:0:c801:12ff:fe77:54 icmp6_seq=4 ttl=64 time=9.151 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)
*2001:db8:3:0:c801:12ff:fe77:54 icmp6_seq=5 ttl=64 time=9.522 ms (ICMP type:1, code:1, Communication with destination administratively prohibited)

6.1 Configure, verify, and troubleshoot port security

Let’s begin with the following topology (download lab here)

[Topology screenshot]

I have configured this topology with R1 acting as a router-on-a-stick (ROAS) and as a DHCP server, with a DHCP pool configured for each VLAN.

Router#show ip dhcp binding 
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
10.10.254.2         0100.5079.6668.01       Jan 07 2019 06:50 AM    Automatic
10.200.100.2        0100.5079.6668.02       Jan 07 2019 06:50 AM    Automatic
10.200.100.3        0100.5079.6668.04       Jan 07 2019 06:51 AM    Automatic
10.200.101.2        0100.5079.6668.00       Jan 07 2019 06:49 AM    Automatic
10.200.102.2        0100.5079.6668.03       Jan 07 2019 06:50 AM    Automatic
10.200.102.3        0100.5079.6668.05       Jan 07 2019 06:50 AM    Automatic
10.200.102.4        0100.5079.6668.07       Jan 07 2019 06:50 AM    Automatic
10.200.102.5        0100.5079.6668.06       Jan 07 2019 06:50 AM    Automatic
Router#

Connectivity has been verified:

PC-1> ping 10.200.100.2
10.200.100.2 icmp_seq=1 timeout
10.200.100.2 icmp_seq=2 timeout
84 bytes from 10.200.100.2 icmp_seq=3 ttl=63 time=13.333 ms
84 bytes from 10.200.100.2 icmp_seq=4 ttl=63 time=14.403 ms
84 bytes from 10.200.100.2 icmp_seq=5 ttl=63 time=13.416 ms

PC-1> ping 10.200.102.2
10.200.102.2 icmp_seq=1 timeout
10.200.102.2 icmp_seq=2 timeout
84 bytes from 10.200.102.2 icmp_seq=3 ttl=63 time=13.100 ms
84 bytes from 10.200.102.2 icmp_seq=4 ttl=63 time=12.385 ms
84 bytes from 10.200.102.2 icmp_seq=5 ttl=63 time=12.282 ms

PC-1> ping 10.200.101.2
10.200.101.2 icmp_seq=1 ttl=64 time=0.001 ms
10.200.101.2 icmp_seq=2 ttl=64 time=0.001 ms
10.200.101.2 icmp_seq=3 ttl=64 time=0.001 ms
10.200.101.2 icmp_seq=4 ttl=64 time=0.001 ms
10.200.101.2 icmp_seq=5 ttl=64 time=0.001 ms

PC-1> ping 10.10.254.2 
10.10.254.2 icmp_seq=1 timeout
10.10.254.2 icmp_seq=2 timeout
84 bytes from 10.10.254.2 icmp_seq=3 ttl=63 time=15.034 ms
84 bytes from 10.10.254.2 icmp_seq=4 ttl=63 time=12.031 ms
84 bytes from 10.10.254.2 icmp_seq=5 ttl=63 time=13.712 ms

PC-1>

The switch shows each computer’s address has been registered into the MAC address table (note the multiple addresses per switchport):

Switch#show mac address-table dynamic 
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    ca01.4ce4.0008    DYNAMIC     Et1/3
  33    0050.7966.6800    DYNAMIC     Et0/0
  33    ca01.4ce4.0008    DYNAMIC     Et1/3
  31    0050.7966.6801    DYNAMIC     Et0/1
  31    ca01.4ce4.0008    DYNAMIC     Et1/3
  30    0050.7966.6802    DYNAMIC     Et1/1
  30    0050.7966.6804    DYNAMIC     Et1/1
  30    ca01.4ce4.0008    DYNAMIC     Et1/3
  20    0050.7966.6803    DYNAMIC     Et1/0
  20    0050.7966.6805    DYNAMIC     Et1/0
  20    0050.7966.6806    DYNAMIC     Et1/0
  20    0050.7966.6807    DYNAMIC     Et1/0
  20    ca01.4ce4.0008    DYNAMIC     Et1/3
Total Mac Addresses for this criterion: 13
Switch#

It is now time to configure port security.

6.1.a Static

Configure a static secure MAC address on port e0/0 (VLAN 33):

Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int e0/0
Switch(config-if)#switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  

Switch(config-if)#switchport port-security 
Switch(config-if)#switchport port-security violation shutdown 
Switch(config-if)#switchport port-security mac-address 0050.7966.6801
Switch(config-if)#^Z
Switch#

Attempting to ping from PC-1 will result in the interface being shut down:

PC-1> ping 10.200.101.1
10.200.101.1 icmp_seq=1 timeout
10.200.101.1 icmp_seq=2 timeout
10.200.101.1 icmp_seq=3 timeout
10.200.101.1 icmp_seq=4 timeout
10.200.101.1 icmp_seq=5 timeout

PC-1> 
Switch#
*Dec  6 21:48:44.071: %PM-4-ERR_DISABLE: secure-violation error detected on Et0/0, putting Et0/0 in err-disable state
Switch#
*Dec  6 21:48:44.071: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6800 on port Ethernet0/0.
*Dec  6 21:48:45.076: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to down
Switch#
*Dec  6 21:48:46.072: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to down
Switch#show int e0/0
Ethernet0/0 is down, line protocol is down (err-disabled)
Switch#show port-security int e0/0
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0050.7966.6800:33
Security Violation Count   : 1
Switch#

6.1.b Dynamic

In dynamic mode the switch learns the secure MAC addresses itself; a violation is triggered when the maximum number of MAC addresses (default 1) is exceeded. To configure:

Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int e1/1
Switch(config-if)#switchport port-security    
Switch(config-if)#switchport port-security violation restrict 
Switch(config-if)#^Z

Now if we ping from both PC-5 and PC-3, the second machine (PC-3) will be blocked, while PC-5 will still be allowed to access the network.

PC-5> ping 10.10.254.1
84 bytes from 10.10.254.1 icmp_seq=1 ttl=255 time=4.195 ms
84 bytes from 10.10.254.1 icmp_seq=2 ttl=255 time=9.041 ms
84 bytes from 10.10.254.1 icmp_seq=3 ttl=255 time=11.537 ms
84 bytes from 10.10.254.1 icmp_seq=4 ttl=255 time=10.708 ms
84 bytes from 10.10.254.1 icmp_seq=5 ttl=255 time=10.623 ms
PC-3> ping 10.10.254.1
10.10.254.1 icmp_seq=1 timeout
10.10.254.1 icmp_seq=2 timeout
10.10.254.1 icmp_seq=3 timeout
10.10.254.1 icmp_seq=4 timeout
10.10.254.1 icmp_seq=5 timeout
Switch#
*Dec 6 22:03:03.182: %SYS-5-CONFIG_I: Configured from console by console
Switch#
*Dec 6 22:03:11.967: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6802 on port Ethernet1/1.
Switch#
*Dec 6 22:03:17.969: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6802 on port Ethernet1/1.
Switch#

6.1.c Sticky

The sticky keyword tells the switch to dynamically learn MAC addresses and store them in the running config.

If you want the learned MAC addresses saved in the startup config, run “copy run st” (copy running-config startup-config).

Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int e0/1
Switch(config-if)#switchport port-security 
Switch(config-if)#switchport port-security mac-address sticky 
Switch(config-if)#switchport port-security violation protect 
Switch(config-if)#^Z
Switch#
*Dec  6 22:16:10.803: %SYS-5-CONFIG_I: Configured from console by console

The “protect” violation mode will restrict access to the learned MAC address but will not log violations, increment the violation counter, or disable the interface.

For example, after connecting a different PC and trying to access the network, the show command reports no violations:

Switch#show port-security interface e0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Protect
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0050.7966.6808:31
Security Violation Count   : 0
Switch#

However, when we change the violation mode to restrict, we see warning messages and the violation counter is incremented:

Switch#
*Dec  6 22:24:16.775: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6808 on port Ethernet0/1.
Switch#show port-security interface e0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0050.7966.6808:31
Security Violation Count   : 6
Switch#

6.1.d Max MAC addresses

The “switchport port-security maximum” command sets how many secure MAC addresses are allowed on an interface.

Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int e1/0
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum ?
  <1-4097>  Maximum addresses
Switch(config-if)#switchport port-security maximum 3
Switch(config-if)#switchport port-security violation restrict 
Switch(config-if)#^Z
Switch#
*Dec  6 22:26:40.753: %SYS-5-CONFIG_I: Configured from console by console
Switch#

We can trigger a violation by pinging the four computers on the e1/0 interface from the router; the fourth one fails:

Router#ping 10.200.102.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.102.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/24 ms
Router#ping 10.200.102.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.102.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/14/28 ms
Router#ping 10.200.102.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.102.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/20/36 ms
Router#ping 10.200.102.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.102.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router# 

Switch#
*Dec  6 22:32:39.063: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6807 on port Ethernet1/0.
Switch#
*Dec  6 22:32:45.058: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6807 on port Ethernet1/0.

Switch#show port-security interface e1/0
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 3
Total MAC Addresses        : 3
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0050.7966.6807:20
Security Violation Count   : 5

6.1.e Violation actions

Discards traffic:

  • Protect/Restrict/Shutdown -> YES

Sends log and SNMP messages & increments the violation counter for each frame:

  • Protect -> NO
  • Restrict/Shutdown -> YES

Shuts down interface:

  • Protect/Restrict -> NO
  • Shutdown -> YES
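The behaviour in the table above (and in the static, dynamic, sticky and maximum sections before it), modelled as an added example that is not IOS code or code from the post: a port object processes frames and reproduces the counters and syslog lines the show commands displayed. Interface names and MAC addresses are the lab's own; the model assumes an err-disabled port flushes its dynamically learned addresses but keeps configured ones, as the two Secure-shutdown outputs above show.

```python
"""Port-security violation model: protect/restrict/shutdown, static, dynamic, sticky and maximum.
Added example for this page, not IOS code."""
from typing import Dict, List, Optional


class SecurePort:
    def __init__(self, name: str, violation: str = "shutdown", maximum: int = 1, sticky: bool = False):
        self.name = name
        self.violation = violation          # protect | restrict | shutdown (IOS default: shutdown)
        self.maximum = maximum              # IOS default: 1
        self.sticky = sticky
        self.static: List[str] = []         # 'switchport port-security mac-address <mac>'
        self.learned: List[str] = []        # dynamic, or sticky when enabled
        self.violation_count = 0
        self.status = "Secure-up"
        self.last_source: Optional[str] = None
        self.syslog: List[str] = []

    def configure_mac(self, mac: str) -> None:
        if len(self.secure_addresses()) >= self.maximum:
            raise ValueError("maximum secure addresses already reached")
        self.static.append(mac)

    def secure_addresses(self) -> List[str]:
        return self.static + self.learned

    def ingress(self, src_mac: str, vlan: int) -> bool:
        """Process one incoming frame; return True if it is forwarded, False if discarded."""
        if self.status == "Secure-shutdown":
            return False                    # err-disabled: everything is dropped until recovery
        self.last_source = f"{src_mac}:{vlan}"
        if src_mac in self.secure_addresses():
            return True
        if len(self.secure_addresses()) < self.maximum:
            self.learned.append(src_mac)    # dynamic (or sticky) learning fills the table
            return True
        return self._violation(src_mac)

    def _violation(self, mac: str) -> bool:
        # Row 1 of the table: all three modes discard the frame.
        if self.violation == "protect":
            return False                    # row 2: no log, no counter
        self.violation_count += 1           # restrict/shutdown: counted and logged per frame
        self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                           f"caused by MAC address {mac} on port {self.name}.")
        if self.violation == "shutdown":    # row 3: only shutdown err-disables the port
            self.status = "Secure-shutdown"
            self.syslog.append(f"%PM-4-ERR_DISABLE: secure-violation error detected on {self.name}, "
                               f"putting {self.name} in err-disable state")
            self.learned.clear()            # assumption: dynamic entries flushed, static ones kept
        return False

    def recover(self) -> None:
        """'shutdown' followed by 'no shutdown' on the interface."""
        self.status = "Secure-up"

    def running_config(self) -> List[str]:
        lines = ["switchport port-security"]
        if self.maximum != 1:
            lines.append(f"switchport port-security maximum {self.maximum}")
        lines.append(f"switchport port-security violation {self.violation}")
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
        lines += [f"switchport port-security mac-address {m}" for m in self.static]
        if self.sticky:                     # sticky addresses land in the running config
            lines += [f"switchport port-security mac-address sticky {m}" for m in self.learned]
        return lines

    def show(self) -> Dict[str, object]:
        """The fields of 'show port-security interface' that the text compares."""
        return {
            "Port Status": self.status,
            "Violation Mode": self.violation.capitalize(),
            "Maximum MAC Addresses": self.maximum,
            "Total MAC Addresses": len(self.secure_addresses()),
            "Configured MAC Addresses": len(self.static),
            "Sticky MAC Addresses": len(self.learned) if self.sticky else 0,
            "Last Source Address:Vlan": self.last_source,
            "Security Violation Count": self.violation_count,
        }


if __name__ == "__main__":
    e0_0 = SecurePort("Ethernet0/0")            # the static example: wrong MAC configured on purpose
    e0_0.configure_mac("0050.7966.6801")
    e0_0.ingress("0050.7966.6800", 33)
    for k, v in e0_0.show().items():
        print(f"{k:27}: {v}")
    print("\n".join(e0_0.syslog))
```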

 

6.1.f Err-disable recovery

To recover an err-disabled port, first verify that it was disabled due to port security with the following “show” commands:

Switch#show port-security interface e1/0
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 3
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0050.7966.6807:20
Security Violation Count   : 6
Switch#
Switch#show int e1/0
Ethernet1/0 is down, line protocol is down (err-disabled) 

To recover it simply:

Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int e1/0
Switch(config-if)#shutdown 
Switch(config-if)#no shutdown 
Switch(config-if)#^Z
Switch#
*Dec  6 22:41:43.901: %LINK-3-UPDOWN: Interface Ethernet1/0, changed state to up
Switch#
*Dec  6 22:41:44.329: %SYS-5-CONFIG_I: Configured from console by console
*Dec  6 22:41:44.901: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/0, changed state to up
Switch#

5.4 Troubleshoot client- and router-based DHCP connectivity issues

[Topology screenshot]

In order for PC-1 to obtain a DHCP lease from R1 there needs to be L3 connectivity from PC-1 to R1.

Therefore the following needs to happen:

  1. R1 needs to be aware of the PC-1 subnet (I used RIPv2)
  2. R2 needs to be configured as a DHCP relay for the g1/0 interface
  3. R1 needs to be configured with a DHCP pool

To troubleshoot connectivity I used extended pings on R2:

Router#ping 
Protocol [ip]: 
Target IP address: 10.0.0.1
Repeat count [5]: 
Datagram size [100]: 
Timeout in seconds [2]: 
Extended commands [n]: y
Source address or interface: 172.16.100.1
Type of service [0]: 
Set DF bit in IP header? [no]: 
Validate reply data? [no]: 
Data pattern [0xABCD]: 
Loose, Strict, Record, Timestamp, Verbose[none]: 
Sweep range of sizes [n]: 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.100.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/16/36 ms
Router#

I also used debug commands on R1/R2:

R2#debug ip dhcp server events 
DHCP server event debugging is on.
R2#
*Dec  6 07:44:16.947: DHCPD: Sending notification of DISCOVER:
*Dec  6 07:44:16.951:   DHCPD: htype 1 chaddr 0050.7966.6800
*Dec  6 07:44:16.951:   DHCPD: remote id 020a0000ac10640110000000
*Dec  6 07:44:16.951:   DHCPD: circuit id 00000000
*Dec  6 07:44:16.951: DHCPD: Seeing if there is an internally specified pool class:
*Dec  6 07:44:16.951:   DHCPD: htype 1 chaddr 0050.7966.6800
*Dec  6 07:44:16.955:   DHCPD: remote id 020a0000ac10640110000000
*Dec  6 07:44:16.955:   DHCPD: circuit id 00000000
*Dec  6 07:44:16.987: DHCPD: Forwarding reply on numbered intf
*Dec  6 07:44:17.955: DHCPD: Seeing if there is an internally specified pool class:
*Dec  6 07:44:17.959:   DHCPD: htype 1 chaddr 0050.7966.6800
*Dec  6 07:44:17.959:   DHCPD: remote id 020a0000ac10640110000000
*Dec  6 07:44:17.959:   DHCPD: circuit id 00000000
*Dec  6 07:44:17.959: DHCPD: there is no pool for 172.16.100.1.
*Dec  6 07:44:17.983: DHCPD: Forwarding reply on numbered intf
DHCP_SERVER#debug ip dhcp server events
DHCP server event debugging is on.
DHCP_SERVER#
*Dec  6 07:43:32.747: DHCPD: checking for expired leases.
*Dec  6 07:43:36.987: DHCPD: Sending notification of DISCOVER:
*Dec  6 07:43:36.991:   DHCPD: htype 1 chaddr 0050.7966.6800
*Dec  6 07:43:36.991:   DHCPD: remote id 020a00000a00000100000000
*Dec  6 07:43:36.991:   DHCPD: circuit id 00000000
*Dec  6 07:43:36.991: DHCPD: Seeing if there is an internally specified pool class:
*Dec  6 07:43:36.991:   DHCPD: htype 1 chaddr 0050.7966.6800
*Dec  6 07:43:36.995:   DHCPD: remote id 020a00000a00000100000000
*Dec  6 07:43:36.995:   DHCPD: circuit id 00000000
*Dec  6 07:43:37.987: DHCPD: Sending notification of ASSIGNMENT:
*Dec  6 07:43:37.987:  DHCPD: address 172.16.100.2 mask 255.255.255.0
*Dec  6 07:43:37.987:   DHCPD: htype 1 chaddr 0050.7966.6800
*Dec  6 07:43:37.987:   DHCPD: lease time remaining (secs) = 2678400

DHCP depends on L3 connectivity, so anything affecting L3 connectivity will also affect DHCP:

  1. Missing/incorrect routes
  2. Interface issues
  3. ACLs

If the lease is successful but the server’s DHCP configuration is incorrect, for example:

  1. Incorrect/missing default gateway
  2. Incorrect/missing DNS servers
  3. Subnet misconfiguration

then the client will receive a lease but will lack connectivity.

PC-1> ip dhcp
DORA IP 172.16.100.2/24 GW 172.16.100.1

PC-1> ping 10.0.0.1
84 bytes from 10.0.0.1 icmp_seq=1 ttl=254 time=19.646 ms
84 bytes from 10.0.0.1 icmp_seq=2 ttl=254 time=19.753 ms
84 bytes from 10.0.0.1 icmp_seq=3 ttl=254 time=12.660 ms
84 bytes from 10.0.0.1 icmp_seq=4 ttl=254 time=12.738 ms
84 bytes from 10.0.0.1 icmp_seq=5 ttl=254 time=13.788 ms
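The three requirements listed at the start of this section (route, relay, pool) as a checker, plus a filter for the decisive lines of the debug output above. Added example, not from the post: the /30 link between R2 and R1, the pool name and the routing tables are constructed to match the lab.

```python
"""Relayed DHCP reachability model plus a filter for `debug ip dhcp server events` output.
Added example for this page; routes, pool names and the R1-R2 link prefix are assumptions."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple


def has_route(routes: List[str], dst: str) -> bool:
    """True if any prefix in the router's table (connected, RIPv2 or static) covers dst."""
    d = ipaddress.ip_address(dst)
    return any(d in ipaddress.ip_network(r) for r in routes)


def select_pool(pools: Dict[str, str], giaddr: str) -> Optional[str]:
    """A DHCP server picks the pool whose subnet contains giaddr, the relay's interface address."""
    g = ipaddress.ip_address(giaddr)
    for name, subnet in pools.items():
        if g in ipaddress.ip_network(subnet):
            return name
    return None


def relayed_discover(relay_if: str, helper: Optional[str], relay_routes: List[str],
                     server_routes: List[str], server_pools: Dict[str, str]) -> Tuple[bool, str]:
    """Follow a client DISCOVER through the relay to the server and the OFFER back.
    The returned string names the hop that broke, matching the checklist in the text."""
    if helper is None:
        return False, "relay: no ip helper-address on the client-facing interface"
    if not has_route(relay_routes, helper):
        return False, f"relay: no route to DHCP server {helper}"
    giaddr = relay_if                       # the relay stamps its own interface address into giaddr
    pool = select_pool(server_pools, giaddr)
    if pool is None:
        return False, f"server: there is no pool for {giaddr}"   # same wording as the R2 debug line
    if not has_route(server_routes, giaddr):
        return False, f"server: no route back to relay {giaddr}, OFFER cannot be returned"
    return True, f"server: OFFER from pool {pool} sent to relay {giaddr}"


NO_POOL = re.compile(r"DHCPD: there is no pool for (\d+(?:\.\d+){3})")
ASSIGNED = re.compile(r"DHCPD: address (\d+(?:\.\d+){3}) mask (\d+(?:\.\d+){3})")


def debug_findings(lines: List[str]) -> List[Tuple[str, str]]:
    """Keep only the decisive lines of `debug ip dhcp server events`."""
    out: List[Tuple[str, str]] = []
    for line in lines:
        m = NO_POOL.search(line)
        if m:
            out.append(("no-pool", m.group(1)))
        m = ASSIGNED.search(line)
        if m:
            out.append(("assigned", m.group(1)))
    return out


# Lab values from the text: R2 relays on 172.16.100.1 towards R1 at 10.0.0.1.
R2_ROUTES = ["172.16.100.0/24", "10.0.0.0/30"]          # connected; /30 link is an assumption
R1_ROUTES_OK = ["10.0.0.0/30", "172.16.100.0/24"]        # second prefix learned via RIPv2
R1_ROUTES_NO_RIP = ["10.0.0.0/30"]                       # what R1 knows before RIPv2 is configured
R1_POOLS = {"PC1-LAN": "172.16.100.0/24"}                # constructed pool name

if __name__ == "__main__":
    for routes in (R1_ROUTES_NO_RIP, R1_ROUTES_OK):
        print(relayed_discover("172.16.100.1", "10.0.0.1", R2_ROUTES, routes, R1_POOLS))
    print(debug_findings(["*Dec  6 07:44:17.959: DHCPD: there is no pool for 172.16.100.1."]))
```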

5.7 Configure and verify NTP operating in a client/server mode

Having accurate time on interconnected devices is essential for troubleshooting, security and general sanity. Differences in time between machines even if small can lead to increased difficulty in troubleshooting.

Having accurate and synchronized time on all devices should be part of the basic setup of networking devices. In this lab I used a real NTP server on the internet as the master clock for the simulated network that I built.

Let’s start with the following topology:

[Topology screenshot]

I have used VLSM on each device and loopback interfaces. OSPFv2 has been configured with all devices in area 0. Loopback interfaces have been set as passive:

!!! R1 config excerpt
interface Loopback1
 ip address 172.16.0.1 255.255.255.0
 ip ospf 1 area 0
!
interface GigabitEthernet0/0
 ip address 10.255.255.245 255.255.255.252
 ip ospf 1 area 0
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
!
router ospf 1
 log-adjacency-changes
 passive-interface Loopback1
!

Next, NAT has been configured inside GNS3:

!R1 excerpt
interface GigabitEthernet1/0
 ip address dhcp
 negotiation auto
!
ip name-server 1.1.1.1

The internal loopbacks of each router have been set to 172.16.0.x (x being the router number):

!R1
r1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.122.1 to network 0.0.0.0

C    192.168.122.0/24 is directly connected, GigabitEthernet1/0
     172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
O       172.16.0.4/32 [110/3] via 10.255.255.246, 00:15:08, GigabitEthernet0/0
C       172.16.0.0/24 is directly connected, Loopback1
O       172.16.0.2/32 [110/2] via 10.255.255.246, 00:36:13, GigabitEthernet0/0
O       172.16.0.3/32 [110/3] via 10.255.255.246, 00:36:13, GigabitEthernet0/0
     10.0.0.0/30 is subnetted, 3 subnets
O       10.255.255.248 
           [110/2] via 10.255.255.246, 00:36:13, GigabitEthernet0/0
O       10.255.255.252 
           [110/2] via 10.255.255.246, 00:15:08, GigabitEthernet0/0
C       10.255.255.244 is directly connected, GigabitEthernet0/0
S*   0.0.0.0/0 [254/0] via 192.168.122.1

Next, we set R1 as the NTP master and configure it to get its time from a real-world NTP server:

ntp master 2
ntp server 0.au.pool.ntp.org

On each router set the timezone (I live in Queensland):

clock timezone AEST 10

Next, on all routers except R1:

ntp server 172.16.0.1

Verify using “show” commands:

r1#show ntp status 
Clock is synchronized, stratum 3, reference is 27.124.125.251
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
reference time is DF820DE6.0CFC0557 (08:53:26.050 AEST Tue Oct 30 2018)
clock offset is -0.0034 msec, root delay is 0.14 msec
root dispersion is 0.20 msec, peer dispersion is 0.06 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is -0.000000002 s/s
system poll interval is 128, last update was 249 sec ago.
r1#show ntp associations 

  address         ref clock       st   when   poll reach  delay  offset   disp
 ~127.127.1.1     .LOCL.           1      0     16   377  0.000   0.000  0.232
*~27.124.125.251  130.217.226.51   2    121    128   177 76.126  -3.484 65.310
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
r1#

r2#show ntp status 
Clock is synchronized, stratum 3, reference is 127.127.1.1   
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
reference time is DF829B5E.91AD1430 (18:57:02.569 AEST Tue Oct 30 2018)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000003 s/s
system poll interval is 16, last update was 5 sec ago.
r2#show ntp associations 

  address         ref clock       st   when   poll reach  delay  offset   disp
*~127.127.1.1     .LOCL.           2      6     16   377  0.000   0.000  0.240
 ~172.16.0.1      27.124.125.251   3     40     64   177  4.363 -359793  3.376
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
r2#
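A parser for the `show ntp associations` output above that reports which peer is selected and flags what an operator should look at before trusting the clock (a free-running local clock, a configured peer with a large offset, missed polls). Added example, not from the post; the 1000 ms offset threshold is an assumption.

```python
"""Parse `show ntp associations` and sanity-check the peer selection. Added example for this page."""
from dataclasses import dataclass
from typing import List, Optional

LOCAL_CLOCK = "127.127.1.1"       # internal reference created by 'ntp master'
_FLAGS = "*#+-x"                  # * sys.peer, # selected, + candidate, - outlyer, x falseticker


@dataclass
class Association:
    flag: str            # one of _FLAGS, or " " when the peer is not used for synchronization
    configured: bool     # "~" prefix: statically configured peer
    address: str
    refclock: str
    stratum: int
    reach: int           # 8-bit shift register of the last polls, printed in octal
    delay: float
    offset: float        # milliseconds
    disp: float


def parse_associations(text: str) -> List[Association]:
    peers: List[Association] = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) != 9 or not tokens[0].lstrip(_FLAGS + "~")[:1].isdigit():
            continue                                  # prompt, header, legend or blank line
        flag = tokens[0][0] if tokens[0][0] in _FLAGS else " "
        addr = tokens[0].lstrip(_FLAGS)
        configured = addr.startswith("~")
        peers.append(Association(flag, configured, addr.lstrip("~"), tokens[1], int(tokens[2]),
                                 int(tokens[5], 8), float(tokens[6]), float(tokens[7]), float(tokens[8])))
    return peers


def sys_peer(peers: List[Association]) -> Optional[Association]:
    return next((p for p in peers if p.flag == "*"), None)


def sanity_check(peers: List[Association], max_offset_ms: float = 1000.0) -> List[str]:
    """Findings worth acting on: unsynchronized clock, free-running local clock, bad peers, missed polls."""
    findings: List[str] = []
    selected = sys_peer(peers)
    if selected is None:
        findings.append("no sys.peer selected: clock is not synchronized")
    elif selected.address == LOCAL_CLOCK:
        findings.append("sys.peer is the local clock: time is free-running, not taken from an upstream server")
    for p in peers:
        if p.address == LOCAL_CLOCK:
            continue
        if p.configured and p.flag != "*" and abs(p.offset) > max_offset_ms:
            findings.append(f"{p.address}: offset {p.offset:.0f} ms exceeds {max_offset_ms:.0f} ms "
                            f"and the peer is not selected")
        if bin(p.reach).count("1") < 8:
            findings.append(f"{p.address}: reach {p.reach:o} shows missed polls")
    return findings


# The two association tables from the output above.
R1_ASSOC = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
 ~127.127.1.1     .LOCL.           1      0     16   377  0.000   0.000  0.232
*~27.124.125.251  130.217.226.51   2    121    128   177 76.126  -3.484 65.310
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""
R2_ASSOC = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
*~127.127.1.1     .LOCL.           2      6     16   377  0.000   0.000  0.240
 ~172.16.0.1      27.124.125.251   3     40     64   177  4.363 -359793  3.376
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""

if __name__ == "__main__":
    for name, text in (("r1", R1_ASSOC), ("r2", R2_ASSOC)):
        peers = parse_associations(text)
        chosen = sys_peer(peers)
        print(name, "sys.peer:", chosen.address if chosen else None)
        for finding in sanity_check(peers):
            print("  -", finding)
```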



That’s it! Now enjoy synchronized time.

[Screenshot]

You have four networks, 99.34.64.0, 99.34.68.0, 99.34.78.0 and 99.34.95.0, that you need to supernet in order to use one ACL entry in a firewall.

99.34.64.0 through 99.34.95.0 fall into the range 99.34.64.0 – 99.34.95.255, which is a block of 32 in the third octet.

The first two octets of the mask are 255.255; to calculate the third octet we need to convert the block size of 32 to a binary bit mask:

[Screenshot: binary bit values table]

2^5 = 32, so five host bits are needed in the third octet. Since the mask is built from the left, the resulting octet is 11100000.

The third octet contributes 3 network bits, making the prefix length 8 + 8 + 3 = /19.

The subnets will be as follows:

99.34.0.0 - 99.34.31.255
99.34.32.0 - 99.34.63.255
99.34.64.0 - 99.34.95.255

The resulting supernet is 99.34.64.0/19.

What is the broadcast address for 145.50.23.1/22?

Classification

145.50.23.1/22 is a “Class A” IPv4 address. It is a “classless” address as it does not use the default subnet mask for “Class A” addresses (255.0.0.0 or /8).

Host Bits

Host bits = (32 – 22) = 10

2^10 = 1024 addresses (minus 2 for the network ID and broadcast address)

[Screenshot]

Network Bits

Network bits = 22

Each octet contains 8 bits, so 22 = 8 + 8 + 6 + 0, giving a mask of 255.255.x.0

x = 255 – (the 2 host bits) = 255 – (2^0 + 2^1) = 255 – 3 = 252

/22 = 255.255.252.0

Broadcast Address

Here is the network mask in binary:

[Screenshot: network mask in binary]

Let’s take the 3rd octet:

11111100

Reading from right to left, the first set bit is 2^2 = 4 (the 3rd bit from the right).

[Screenshot: binary bit values table]

This means each subnet is a multiple of four. Here are the network ranges:

145.50.0.0 - 145.50.3.255
145.50.4.0 - 145.50.7.255
145.50.8.0 - 145.50.11.255
145.50.12.0 - 145.50.15.255
145.50.16.0 - 145.50.19.255
145.50.20.0 - 145.50.23.255
145.50.24.0 - 145.50.27.255

As you can see, the broadcast address for 145.50.23.1/22 is 145.50.23.255.
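The arithmetic from both worked answers above (shared leading bits for the supernet, block size in the “interesting” octet for the ranges, host bits for the broadcast), written out so it can be applied to any prefix and cross-checked against Python's ipaddress module. Added example, not from the post.

```python
"""Supernet, mask, block size, broadcast and subnet ranges done by bit arithmetic, the way the
text does it, then cross-checked against the ipaddress module. Added example for this page."""
import ipaddress
from typing import List, Tuple


def to_int(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


def to_str(i: int) -> str:
    return str(ipaddress.IPv4Address(i))


def mask_from_prefix(prefix: int) -> str:
    return to_str((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def supernet(networks: List[str]) -> str:
    """Shortest prefix covering every listed network: keep only the leading bits they all share."""
    ints = [to_int(n) for n in networks]
    lo, hi = min(ints), max(ints)
    prefix = 32
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    network = lo & to_int(mask_from_prefix(prefix))
    return f"{to_str(network)}/{prefix}"


def block_size(prefix: int) -> Tuple[int, int]:
    """(index of the octet the mask ends in, block size inside it): /22 -> (2, 4), /19 -> (2, 32)."""
    octet = min(prefix // 8, 3)
    bits_in_octet = prefix - 8 * octet
    return octet, 2 ** (8 - bits_in_octet)


def network_and_broadcast(cidr: str) -> Tuple[str, str, int]:
    """(network, broadcast, usable hosts): host bits set to 0 give the network, to 1 the broadcast."""
    addr, prefix_s = cidr.split("/")
    prefix = int(prefix_s)
    host_bits = 32 - prefix
    network = to_int(addr) & to_int(mask_from_prefix(prefix))
    broadcast = network | ((1 << host_bits) - 1)
    return to_str(network), to_str(broadcast), 2 ** host_bits - 2


def subnet_ranges(cidr: str, count: int) -> List[Tuple[str, str]]:
    """First `count` blocks of this prefix length, counted up from zero in the interesting octet,
    like the range tables in the text."""
    addr, prefix_s = cidr.split("/")
    octet, size = block_size(int(prefix_s))
    shift = 8 * (3 - octet)
    base = to_int(addr) & (0xFFFFFFFF << (shift + 8)) & 0xFFFFFFFF   # zero the interesting octet and below
    step = size << shift
    return [(to_str(base + k * step), to_str(base + (k + 1) * step - 1)) for k in range(count)]


def agrees_with_stdlib(cidr: str) -> bool:
    """Cross-check the hand method against ipaddress."""
    net = ipaddress.ip_interface(cidr).network
    return network_and_broadcast(cidr) == (str(net.network_address), str(net.broadcast_address),
                                           net.num_addresses - 2)


if __name__ == "__main__":
    print(supernet(["99.34.64.0", "99.34.68.0", "99.34.78.0", "99.34.95.0"]))
    print(mask_from_prefix(22), block_size(22), network_and_broadcast("145.50.23.1/22"))
    for start, end in subnet_ranges("145.50.23.1/22", 7):
        print(f"{start} - {end}")
```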

1.15 Compare and contrast IPv6 address types

1.15.a Global unicast

Global unicast IPv6 addresses are globally unique and routable addresses that are assigned by IANA/ICANN, its member agencies, and other registries or ISPs.

Global unicast addresses begin with the hexadecimal digits 2 or 3.

1.15.b Unique local

Unique local addresses are unicast addresses similar to IPv4 private addresses. They are not globally unique or routable. They are useful if IPv6 NAT is being used or if traffic only needs to be routed locally.

Unique local addresses begin with the hexadecimal digits FD.

1.15.c Link local

Link local addresses are a special kind of local address used for overhead protocols and routing.

Link local addresses are not routable (they cannot be routed beyond their local link), are automatically generated, and are commonly used as the next-hop address for IPv6 routes.

Link local addresses begin with the hexadecimal digits FE80.

1.15.d Multicast

Multicast IPv6 addresses begin with the hexadecimal digits FF. IPv6 multicast addresses are commonly used in a similar way to IPv4 multicast addresses – routing protocols and other overhead protocols.

1.15.e Modified EUI 64

EUI-64 (extended unique identifier) is a way of auto-generating the “host” part of an IPv6 address.

This is done by the following steps:

  1. Split the 12 hex digit MAC address into two halves.
  2. Insert FFFE in between the two.
  3. Invert the seventh bit of the interface ID.

1.15.f Autoconfiguration

Stateless Address Autoconfiguration (SLAAC) allows for the autoconfiguration of an IPv6 address.

This is achieved using ICMPv6 RS and RA messages after generating a Link Local address. Routers respond to a Router Solicitation (RS) message with a Router Advertisement (RA) message advertising the prefix(es) being used. EUI-64 is then used to generate an IPv6 address.

1.15.g Anycast

Anycast IPv6 addresses are IPv6 unicast addresses that have been assigned to multiple nodes. IPv6 packets sent to an anycast address are forwarded to the nearest node holding that address (as determined by the routing protocol).

1.14 Configure and verify IPv6 Stateless Address Auto Configuration

To use SLAAC on an interface:

[Topology screenshot]

Ensure at least one of the routers has an IPv6 address already configured:

R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ipv6 unicast-routing 
R3(config)#int g1/0
R3(config-if)#ipv6 add 2001:db8::1/64
R3(config-if)#no shutdown 
R3(config-if)#^Z
R3#
*Aug 28 10:43:14.631: %SYS-5-CONFIG_I: Configured from console by console

On the other router:

R4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#ipv6 unicast-routing 
R4(config)#int g1/0
R4(config-if)#ipv6 address autoconfig 
R4(config-if)#no shutdown
R4(config-if)#^Z
R4#

To verify:

R4#show ipv6 int g1/0
GigabitEthernet1/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::C804:2CFF:FEB4:1C 
No Virtual link-local address(es):
Stateless address autoconfig enabled
Global unicast address(es):
2001:DB8::C804:2CFF:FEB4:1C, subnet is 2001:DB8::/64 [EUI/CAL/PRE]
valid lifetime 2591921 preferred lifetime 604721
Joined group address(es):
FF02::1
FF02::2
FF02::1:FFB4:1C
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 26456)
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Hosts use stateless autoconfig for addresses.
R4#
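The three modified EUI-64 steps from 1.15.e, the SLAAC address they produce on R4, the solicited-node group in the show output above, and prefix-based classification of the address types from 1.15, as an added example that is not code from the post. The MAC addresses used are derived from the lab's own EUI-64 addresses; the ACL section's 2001:DB8:3::/48 eui-64 interface is handled by placing the interface ID in the low 64 bits, as IOS does.

```python
"""Modified EUI-64 interface IDs, SLAAC addresses, solicited-node groups and IPv6 address types.
Added example for this page; MACs are recovered from the lab's EUI-64 addresses."""
import ipaddress


def modified_eui64(mac: str) -> bytes:
    """Steps from the text: split the MAC, insert FFFE, invert the 7th bit (the U/L bit) of byte 0."""
    digits = mac.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    b = bytes.fromhex(digits)
    iid = bytearray(b[:3] + b"\xff\xfe" + b[3:])      # steps 1 and 2
    iid[0] ^= 0x02                                     # step 3
    return bytes(iid)


def mac_from_eui64(addr: str) -> str:
    """Reverse the steps to recover the MAC behind an EUI-64 address (useful when correlating a
    host seen in logs with a switch port's MAC table)."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("interface ID is not EUI-64 derived")
    iid[0] ^= 0x02
    mac = (iid[:3] + iid[5:]).hex()
    return f"{mac[0:4]}.{mac[4:8]}.{mac[8:12]}"


def slaac_address(prefix: str, mac: str) -> str:
    """Put the interface ID in the low 64 bits of the advertised prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen > 64:
        raise ValueError("EUI-64 needs a 64-bit interface ID; prefix must be /64 or shorter")
    high = int(net.network_address) & ~((1 << 64) - 1)
    return str(ipaddress.IPv6Address(high | int.from_bytes(modified_eui64(mac), "big")))


def link_local(mac: str) -> str:
    return slaac_address("fe80::/64", mac)


def solicited_node(addr: str) -> str:
    """FF02::1:FFxx:xxxx from the low 24 bits of the address; joined for DAD and neighbor discovery."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24))


_TYPES = [("ff00::/8", "multicast"), ("fe80::/10", "link-local"),
          ("fc00::/7", "unique local"), ("2000::/3", "global unicast")]


def classify(addr: str) -> str:
    """Address type by leading bits, matching sections 1.15.a to 1.15.d."""
    a = ipaddress.IPv6Address(addr)
    for prefix, name in _TYPES:
        if a in ipaddress.IPv6Network(prefix):
            return name
    return "other"


if __name__ == "__main__":
    r4_mac = mac_from_eui64("fe80::c804:2cff:feb4:1c")    # R4 g1/0 link-local from the output above
    print("R4 MAC:", r4_mac)
    print("link-local:", link_local(r4_mac))
    print("SLAAC address:", slaac_address("2001:db8::/64", r4_mac))
    print("solicited-node:", solicited_node(slaac_address("2001:db8::/64", r4_mac)))
    for a in ("2001:db8::1", "fd00::1", "fe80::1", "ff02::1"):
        print(a, "->", classify(a))
```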