5.4 Troubleshoot client- and router-based DHCP connectivity issues


In order for PC-1 to obtain a DHCP lease from R1, there needs to be L3 connectivity from PC-1 to R1.

Therefore the following needs to happen:

  1. R1 needs to be aware of the PC-1 subnet (I used RIPv2)
  2. R2 needs to be configured as a DHCP relay for the g1/0 interface
  3. R1 needs to be configured with a DHCP pool

To troubleshoot connectivity I used extended pings on R2:

Router#ping 
Protocol [ip]: 
Target IP address: 10.0.0.1
Repeat count [5]: 
Datagram size [100]: 
Timeout in seconds [2]: 
Extended commands [n]: y
Source address or interface: 172.16.100.1
Type of service [0]: 
Set DF bit in IP header? [no]: 
Validate reply data? [no]: 
Data pattern [0xABCD]: 
Loose, Strict, Record, Timestamp, Verbose[none]: 
Sweep range of sizes [n]: 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.100.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/16/36 ms
Router#

I also used debug commands on R1/R2:

R2#debug ip dhcp server events 
DHCP server event debugging is on.
R2#
*Dec  6 07:44:16.947: DHCPD: Sending notification of DISCOVER:
*Dec  6 07:44:16.951:   DHCPD: htype 1 chaddr 0050.7966.6800
*Dec  6 07:44:16.951:   DHCPD: remote id 020a0000ac10640110000000
*Dec  6 07:44:16.951:   DHCPD: circuit id 00000000
*Dec  6 07:44:16.951: DHCPD: Seeing if there is an internally specified pool class:
*Dec  6 07:44:16.951:   DHCPD: htype 1 chaddr 0050.7966.6800
*Dec  6 07:44:16.955:   DHCPD: remote id 020a0000ac10640110000000
*Dec  6 07:44:16.955:   DHCPD: circuit id 00000000
*Dec  6 07:44:16.987: DHCPD: Forwarding reply on numbered intf
*Dec  6 07:44:17.955: DHCPD: Seeing if there is an internally specified pool class:
*Dec  6 07:44:17.959:   DHCPD: htype 1 chaddr 0050.7966.6800
*Dec  6 07:44:17.959:   DHCPD: remote id 020a0000ac10640110000000
*Dec  6 07:44:17.959:   DHCPD: circuit id 00000000
*Dec  6 07:44:17.959: DHCPD: there is no pool for 172.16.100.1.
*Dec  6 07:44:17.983: DHCPD: Forwarding reply on numbered intf
DHCP_SERVER#debug ip dhcp server events
DHCP server event debugging is on.
DHCP_SERVER#
*Dec  6 07:43:32.747: DHCPD: checking for expired leases.
*Dec  6 07:43:36.987: DHCPD: Sending notification of DISCOVER:
*Dec  6 07:43:36.991:   DHCPD: htype 1 chaddr 0050.7966.6800
*Dec  6 07:43:36.991:   DHCPD: remote id 020a00000a00000100000000
*Dec  6 07:43:36.991:   DHCPD: circuit id 00000000
*Dec  6 07:43:36.991: DHCPD: Seeing if there is an internally specified pool class:
*Dec  6 07:43:36.991:   DHCPD: htype 1 chaddr 0050.7966.6800
*Dec  6 07:43:36.995:   DHCPD: remote id 020a00000a00000100000000
*Dec  6 07:43:36.995:   DHCPD: circuit id 00000000
*Dec  6 07:43:37.987: DHCPD: Sending notification of ASSIGNMENT:
*Dec  6 07:43:37.987:  DHCPD: address 172.16.100.2 mask 255.255.255.0
*Dec  6 07:43:37.987:   DHCPD: htype 1 chaddr 0050.7966.6800
*Dec  6 07:43:37.987:   DHCPD: lease time remaining (secs) = 2678400
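
The two debug captures above can be triaged mechanically. This is an added example, not part of the original lab: the sample lines are trimmed from the output above, and the function names and the reading of each message (a relay logs "no pool" for its own interface and then forwards the reply, the server logs ASSIGNMENT) are this example's assumptions.

```python
import re
# Trimmed from the 'debug ip dhcp server events' output shown above.
R2_DEBUG = """\
*Dec  6 07:44:16.947: DHCPD: Sending notification of DISCOVER:
*Dec  6 07:44:16.951:   DHCPD: htype 1 chaddr 0050.7966.6800
*Dec  6 07:44:17.959: DHCPD: there is no pool for 172.16.100.1.
*Dec  6 07:44:17.983: DHCPD: Forwarding reply on numbered intf
"""
SERVER_DEBUG = """\
*Dec  6 07:43:36.987: DHCPD: Sending notification of DISCOVER:
*Dec  6 07:43:36.991:   DHCPD: htype 1 chaddr 0050.7966.6800
*Dec  6 07:43:37.987: DHCPD: Sending notification of ASSIGNMENT:
*Dec  6 07:43:37.987:  DHCPD: address 172.16.100.2 mask 255.255.255.0
*Dec  6 07:43:37.987:   DHCPD: htype 1 chaddr 0050.7966.6800
"""

EVENT = re.compile(r"DHCPD: Sending notification of (\w+):")
CHADDR = re.compile(r"DHCPD: htype \d+ chaddr ([0-9a-f.]+)")
ADDRESS = re.compile(r"DHCPD: address (\S+) mask (\S+)")
NO_POOL = re.compile(r"DHCPD: there is no pool for (\d+\.\d+\.\d+\.\d+)")

def summarize(debug_text):
    """Collect per-client events, leases, 'no pool' hits and relayed replies."""
    out = {"clients": {}, "no_pool_for": set(), "relayed_replies": 0}
    event, lease = None, None
    for line in debug_text.splitlines():
        if m := EVENT.search(line):
            event, lease = m.group(1), None          # start of a new notification
        elif m := ADDRESS.search(line):
            lease = f"{m.group(1)}/{m.group(2)}"     # only present for ASSIGNMENT
        elif (m := CHADDR.search(line)) and event:
            client = out["clients"].setdefault(m.group(1), {"events": [], "lease": None})
            client["events"].append(event)
            client["lease"] = lease or client["lease"]
            event = None                             # ignore repeated chaddr lines
        elif m := NO_POOL.search(line):
            out["no_pool_for"].add(m.group(1))
        elif "Forwarding reply" in line:
            out["relayed_replies"] += 1
    return out

def diagnose(summary):
    if any(c["lease"] for c in summary["clients"].values()):
        return "server: lease assigned"
    if summary["relayed_replies"]:
        return "relay: replies forwarded to client"  # 'no pool' is expected here
    if summary["no_pool_for"]:
        return "no pool and no relayed reply: check helper-address and route to server"
    return "no DHCP activity seen: check L2/L3 path from client"
```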

DHCP is an L3 protocol, so anything affecting L3 connectivity will also affect DHCP:

  1. Missing/incorrect routes
  2. Interface issues
  3. ACLs

The lease can also succeed while the server’s DHCP configuration is incorrect, for example:

  1. Incorrect/missing default gateway
  2. Incorrect/missing DNS servers
  3. Subnet misconfiguration

In that case the client obtains a lease but still lacks connectivity.

PC-1> ip dhcp
DORA IP 172.16.100.2/24 GW 172.16.100.1

PC-1> ping 10.0.0.1
84 bytes from 10.0.0.1 icmp_seq=1 ttl=254 time=19.646 ms
84 bytes from 10.0.0.1 icmp_seq=2 ttl=254 time=19.753 ms
84 bytes from 10.0.0.1 icmp_seq=3 ttl=254 time=12.660 ms
84 bytes from 10.0.0.1 icmp_seq=4 ttl=254 time=12.738 ms
84 bytes from 10.0.0.1 icmp_seq=5 ttl=254 time=13.788 ms

5.7 Configure and verify NTP operating in a client/server mode

Having accurate time on interconnected devices is essential for troubleshooting, security and general sanity. Differences in time between machines, even if small, make troubleshooting more difficult.

Having accurate and synchronized time on all devices should be part of the basic setup of networking devices. In this lab I used a real NTP server on the internet as the master clock for the simulated network that I built.

Let’s start with the following topology:

Screenshot_2018-10-30_08-42-51

I have used VLSM on each device and loopback interfaces. OSPFv2 has been configured with all devices in area 0. Loopback interfaces have been set as passive:

!!! R1 config excerpt
interface Loopback1
 ip address 172.16.0.1 255.255.255.0
 ip ospf 1 area 0
!
interface GigabitEthernet0/0
 ip address 10.255.255.245 255.255.255.252
 ip ospf 1 area 0
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
!
router ospf 1
 log-adjacency-changes
 passive-interface Loopback1
!

Next, NAT has been configured inside GNS3:

!R1 excerpt
interface GigabitEthernet1/0
 ip address dhcp
 negotiation auto
!
ip name-server 1.1.1.1

The internal loopbacks of each router have been set to 172.16.0.x (x being the router number):

!R1
r1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.122.1 to network 0.0.0.0

C    192.168.122.0/24 is directly connected, GigabitEthernet1/0
     172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
O       172.16.0.4/32 [110/3] via 10.255.255.246, 00:15:08, GigabitEthernet0/0
C       172.16.0.0/24 is directly connected, Loopback1
O       172.16.0.2/32 [110/2] via 10.255.255.246, 00:36:13, GigabitEthernet0/0
O       172.16.0.3/32 [110/3] via 10.255.255.246, 00:36:13, GigabitEthernet0/0
     10.0.0.0/30 is subnetted, 3 subnets
O       10.255.255.248 
           [110/2] via 10.255.255.246, 00:36:13, GigabitEthernet0/0
O       10.255.255.252 
           [110/2] via 10.255.255.246, 00:15:08, GigabitEthernet0/0
C       10.255.255.244 is directly connected, GigabitEthernet0/0
S*   0.0.0.0/0 [254/0] via 192.168.122.1

Next we set R1 as the master and set R1 to get its updates from the real world:

ntp master 2
ntp server 0.au.pool.ntp.org

On each router set the timezone (I live in Queensland):

clock timezone AEST 10

Next on all other routers except R1:

ntp server 172.16.0.1

Verify using “show” commands:

r1#show ntp status 
Clock is synchronized, stratum 3, reference is 27.124.125.251
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
reference time is DF820DE6.0CFC0557 (08:53:26.050 AEST Tue Oct 30 2018)
clock offset is -0.0034 msec, root delay is 0.14 msec
root dispersion is 0.20 msec, peer dispersion is 0.06 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is -0.000000002 s/s
system poll interval is 128, last update was 249 sec ago.
r1#show ntp associations 

  address         ref clock       st   when   poll reach  delay  offset   disp
 ~127.127.1.1     .LOCL.           1      0     16   377  0.000   0.000  0.232
*~27.124.125.251  130.217.226.51   2    121    128   177 76.126  -3.484 65.310
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
r1#

r2#show ntp status 
Clock is synchronized, stratum 3, reference is 127.127.1.1   
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
reference time is DF829B5E.91AD1430 (18:57:02.569 AEST Tue Oct 30 2018)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000003 s/s
system poll interval is 16, last update was 5 sec ago.
r2#show ntp associations 

  address         ref clock       st   when   poll reach  delay  offset   disp
*~127.127.1.1     .LOCL.           2      6     16   377  0.000   0.000  0.240
 ~172.16.0.1      27.124.125.251   3     40     64   177  4.363 -359793  3.376
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
r2#
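
A check that a router is actually following the server it was pointed at can be scripted from the "show ntp associations" rows. This is an added example, not part of the original lab: the rows are copied from the output above, while the function names and the 100 msec offset threshold are assumptions of the example.

```python
import re

# 'show ntp associations' rows copied from the r1 and r2 output above.
R1_ASSOC = """\
 ~127.127.1.1     .LOCL.           1      0     16   377  0.000   0.000  0.232
*~27.124.125.251  130.217.226.51   2    121    128   177 76.126  -3.484 65.310
"""
R2_ASSOC = """\
*~127.127.1.1     .LOCL.           2      6     16   377  0.000   0.000  0.240
 ~172.16.0.1      27.124.125.251   3     40     64   177  4.363 -359793  3.376
"""

ROW = re.compile(r"^\s*([*#+\-x~]*)(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)"
                 r"\s+([0-7]+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s*$")

def parse_associations(text):
    peers = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, legend and prompt lines
        flags, addr, ref, st, _when, _poll, reach, _delay, offset, _disp = m.groups()
        peers.append({
            "address": addr, "ref": ref, "stratum": int(st),
            "sys_peer": "*" in flags,          # '*' marks the system peer
            "reach": int(reach, 8),            # octal shift register of the last 8 polls
            "offset_ms": float(offset),
        })
    return peers

def check_sync(text, expected_server, max_offset_ms=100.0):
    """Return findings; an empty list means the device follows expected_server."""
    peers = {p["address"]: p for p in parse_associations(text)}
    peer = peers.get(expected_server)
    if peer is None:
        return [f"{expected_server} is not a configured association"]
    findings = []
    if not peer["sys_peer"]:
        current = next((a for a, p in peers.items() if p["sys_peer"]), "none")
        findings.append(f"sys.peer is {current}, not {expected_server}")
    if abs(peer["offset_ms"]) > max_offset_ms:
        findings.append(f"offset to {expected_server} is {peer['offset_ms']} ms")
    if not peer["reach"] & 1:                  # lowest bit is the most recent poll
        findings.append(f"most recent poll of {expected_server} unanswered")
    return findings
```

Run against the r2 rows with 172.16.0.1 as the expected server, it returns two findings: the system peer is 127.127.1.1 rather than 172.16.0.1, and the offset to 172.16.0.1 is -359793 msec. The r1 rows checked against 27.124.125.251 return no findings.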



That’s it! Now enjoy synchronized time.


5.6 Configure, verify, and troubleshoot inside source NAT c.PAT

PAT is configured the same way as dynamic NAT (pool), except that the “overload” keyword is added.

R1 config:
!
ip dhcp excluded-address 10.0.0.100 10.0.0.254
!
ip dhcp pool vlan100
network 10.0.100.0 255.255.255.0
default-router 10.0.100.100
dns-server 10.0.100.100
!
ip dhcp pool vlan200
network 10.0.200.0 255.255.255.0
default-router 10.0.200.100
dns-server 10.0.200.100
!
interface FastEthernet0/0
no ip address
duplex half
!
interface FastEthernet0/0.100
encapsulation dot1Q 100
ip address 10.0.100.100 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.200
encapsulation dot1Q 200
ip address 10.0.200.100 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Ethernet6/0
ip address 1.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
ip ospf 1 area 0
duplex half
!

router ospf 1
log-adjacency-changes
network 1.1.1.0 0.0.0.255 area 0
network 10.0.100.0 0.0.0.255 area 0
network 10.0.200.0 0.0.0.255 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Ethernet6/0 overload
!
access-list 1 permit any

5.6.b Configure, verify, and troubleshoot inside source NAT

IP NAT POOL configuration:
R1 config:
!
!
ip dhcp excluded-address 10.0.0.100 10.0.0.254
!
ip dhcp pool vlan100
network 10.0.100.0 255.255.255.0
default-router 10.0.100.100
dns-server 10.0.100.100
!
ip dhcp pool vlan200
network 10.0.200.0 255.255.255.0
default-router 10.0.200.100
dns-server 10.0.200.100
!
!
interface FastEthernet0/0
no ip address
duplex half
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address 10.0.0.100 255.255.255.0
!
interface FastEthernet0/0.100
encapsulation dot1Q 100
ip address 10.0.100.100 255.255.255.0
ip nat inside
ip virtual-reassembly
!

interface Ethernet6/0
ip address 1.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
ip ospf 1 area 0
duplex half
!
ip nat pool clinetworking 1.1.1.100 1.1.1.200 netmask 255.255.255.0
ip nat inside source list 1 pool clinetworking
!
access-list 1 permit 10.0.100.2
access-list 1 permit 10.0.100.1

IOU:
interface Ethernet0/0
ip address 2.2.2.1 255.255.255.0
!
interface Ethernet1/0
ip address 1.1.1.2 255.255.255.0
ip ospf 1 area 0
no shutdown
!
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
!

See ICND1 book page 656 for config.

5.6 Configure, verify, and troubleshoot inside source NAT

I am starting to see why I failed now. There are too many subjects to review and I only really reviewed the 200-105 book. But the 200-125 exam takes parts from both books.

The NAT part of the exam (see title) is only covered in the first book (100-105).

Next time I would probably take the 2 exam route. Now I am sticking to the single exam approach.

So 5.6.a Static:
5.6.a workspace
On the inside local interface (e0/0) type:
ENT1(config-if)#ip nat inside

On the outside local interface (s2/0) type:
ENT(config-if)#ip nat outside

Then in global config mode type:
ENT1(config)#ip nat inside source static 192.168.0.126 1.1.1.2
5.6.a

Full lab here.

5.5 Configure, verify, and troubleshoot basic HSRP

Ok, this one is straightforward, but you must use a Layer 2 switch for HSRP messages to work (an ARP request is sent to the switch when changeover occurs, to update the switch’s MAC address table).

The config is really simple: just add the commands in interface configuration mode on the router’s internal interface. Please note the router itself must have a default route in order to route traffic.

5.5a workspace
IOU-1 config:
5.5a r1 config
IOU-2 config:
5.5a r2 config
Routing table of IOU-2:
5.5a routing table

Here are the log messages on IOU-1 after its interface is shut down:
5.5 iou1 shutdown.png
Here are the log messages on IOU-2 after it takes over the router role:
5.5 iou 2
Here are the uninterrupted pings demonstrating continuous network access:
5.5 ping act
Download pre-configured lab here.

5.3c/d Configure and verify DHCP on a router (excluding static reservations)

Ok so I searched through the CCNA Routing and Switching Official Cert Guide by Wendell Odom and it doesn’t mention how to configure the TFTP option with DHCP on Cisco Routers!

So here we go:
Go to config terminal mode and enter ip dhcp config:
# ip dhcp pool REMOTE_LAN
Then type:
IOU3(dhcp-config)#option 150 ip 10.0.0.100 (IP address of TFTP server)
Option 150 is the TFTP server option. See this link.
5.3.c tftp option 150

The other question is Section 5.3.d:
IOU3(dhcp-config)#dns-server 8.8.8.8 8.8.4.4
IOU3(dhcp-config)#default-router 10.0.0.126

Ok, the previous one (5.3.c) is easy: to configure DHCP client mode, or DHCP address assignment on an interface, type (in interface configuration mode):

IOU3(config-if)#ip address dhcp

Done!

5.3.b Configure and verify DHCP on a router (excluding static reservations)

Now for the relay config. Leave the IOU2 router in place and use “no” commands to remove the DHCP pool and the DHCP exclusion commands.

Build a workspace like this:
5.3.b workspace.png

Then add another router and configure RIP on both routers to share routes (so VPCS and IOU2 can access the remote DHCP server (IOU3)).

On IOU3 configure the dhcp pool.

On IOU2 configure the dhcp relay on the ethernet subinterface.
5.3.b iou1 config

After running “ip dhcp” on the VPCs you should be able to see the dhcp bindings on IOU3:
5.2.b dhcp binding.png

Download lab here.

5.3.a Configure and verify DHCP on a router (excluding static reservations)


Build a simple ROAS topology with 3 VPCS connected to a L2 switch. Place the switch ports in VLAN 100.
5.3.a workspace.png
Configure VPC ports with PortFast and BPDU guard. Configure the port connecting to the router as a trunk port.

Configure the ROAS port with a virtual interface address and allow dot1q trunking on that interface.

Now configure a simple DHCP server:
5.3.a config

On the VPCS type: ip dhcp

You should see a command prompt saying DORA (Discover Offer Request Acknowledgement).

Now check the bindings on the router:
5.3.a bindings

And that’s it!