Lecture 04: Network Management and NAT
HKUSPACE CCIT ENA
Syllabus inspired by Cisco Networking Academy CCNA v7.0 (ENSA)
Module Objectives
Topic – Objective
• NTP – Implement NTP between an NTP client and NTP server.
• SNMP – Explain how SNMP operates.
• Syslog – Explain syslog operation.
• NAT Characteristics – Explain the purpose and function of NAT.
• Types of NAT – Explain the operation of different types of NAT.
• NAT Advantages and Disadvantages – Describe the advantages and disadvantages of NAT.
• Static NAT – Configure static NAT using the CLI.
• Dynamic NAT – Configure dynamic NAT using the CLI.
• PAT – Configure PAT using the CLI.
• NAT for IPv6 – Describe NAT for IPv6.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Time and Calendar Services
• The software clock on a router or switch starts when the system boots. It is the primary source of time for the system. It is important to synchronize the time across all devices on the network. When the time is not synchronized between devices, it will be impossible to determine the order of the events and the cause of an event.
• Typically, the date and time settings on a router or switch can be set using one of two methods: you can manually configure the date and time, as shown in the example, or configure the Network Time Protocol (NTP).
R1# clock set 20:36:00 nov 15 2019
*Nov 15 20:36:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 21:32:31 UTC Fri Nov 15 2019 to 20:36:00 UTC Fri Nov 15 2019, configured from console by console.
Time and Calendar Services (Cont.)
As a network grows, it becomes difficult to ensure that all infrastructure devices are operating with synchronized time using the manual method.
A better solution is to configure the NTP on the network. This protocol allows routers on the network to synchronize their time settings with an NTP server, which provides more consistent time settings. NTP can be set up to synchronize to a private master clock, or it can synchronize to a publicly available NTP server on the internet. NTP uses UDP port 123 and is documented in RFC 1305.
NTP Operation
NTP networks use a hierarchical system of time sources. Each level in this hierarchical system is called a stratum. The stratum level is defined as the number of hop counts from the authoritative source. The synchronized time is distributed across the network by using NTP.
The max hop count is 15. Stratum 16, the lowest stratum level, indicates that a device is unsynchronized.
NTP Operation (Cont.)
• Stratum 0: These authoritative time sources are high-precision timekeeping devices assumed to be accurate and with little or no delay associated with them.
• Stratum 1: Devices that are directly connected to the authoritative time sources. They act as the primary network time standard.
• Stratum 2 and Lower: Stratum 2 servers are connected to stratum 1 devices through network connections. Stratum 2 devices, such as NTP clients, synchronize their time by using the NTP packets from stratum 1 servers. They could also act as servers for stratum 3 devices.
Time servers on the same stratum level can be configured to act as a peer with other time servers on the same stratum level for backup or verification of time.
Configure and Verify NTP
• Before NTP is configured on the network, the show clock command displays the current time on the software clock. With the detail option, notice that the time source is user configuration. That means the time was manually configured with the clock command.
• The ntp server ip-address command is issued in global configuration mode to configure 209.165.200.225 as the NTP server for R1. To verify the time source is set to NTP, use the show clock detail command. Notice that now the time source is NTP.
R1# show clock detail
20:55:10.207 UTC Fri Nov 15 2019
Time source is user configuration
R1# config t
R1(config)# ntp server 209.165.200.225
R1(config)# end
R1# show clock detail
21:01:34.563 UTC Fri Nov 15 2019
Time source is NTP
Configure and Verify NTP (Cont.)
The show ntp associations and show ntp status commands are used to verify that R1 is synchronized with the NTP server at 209.165.200.225. Notice that R1 is synchronized with a stratum 1 NTP server at 209.165.200.225, which is itself synchronized with a GPS clock. The show ntp status command shows that R1 is now a stratum 2 device synchronized with the NTP server at 209.165.200.225.
R1# show ntp associations
  address         ref clock       st   when   poll reach  delay  offset   disp
*~209.165.200.225 .GPS.            1     61     64   377  0.481   7.480  4.261
 * sys.peer, # selected, + candidate, – outlyer, x falseticker, ~ configured
R1# show ntp status
Clock is synchronized, stratum 2, reference is 209.165.200.225
nominal freq is 250.0000 Hz, actual freq is 249.9995 Hz, precision is 2**19
(output omitted)
Configure and Verify NTP (Cont.)
• The clock on S1 is configured to synchronize to R1 with the ntp server command and the configuration is verified with the show ntp associations command.
• Output from the show ntp associations command verifies that the clock on S1 is now synchronized with R1 at 192.168.1.1 via NTP. R1 is a stratum 2 device, making S1 a stratum 3 device that can provide NTP service to other devices in the network.
S1(config)# ntp server 192.168.1.1
S1(config)# end
S1# show ntp associations
  address         ref clock       st   when   poll reach  delay  offset   disp
*~192.168.1.1     209.165.200.225  2     12     64   377  1.066  13.616  3.840
 * sys.peer, # selected, + candidate, – outlyer, x falseticker, ~ configured
(output omitted)
S1# show ntp status
Clock is synchronized, stratum 3, reference is 192.168.1.1
nominal freq is 119.2092 Hz, actual freq is 119.2088 Hz, precision is 2**17
(output omitted)
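The show ntp associations output above is what an operator reads to confirm a device really is synchronized and at a usable stratum. The following Python script is an added example (not part of the lecture or Cisco's tooling) that parses that output, applies the stratum rules from the NTP Operation slides (client stratum = peer stratum + 1, stratum 16 = unsynchronized) and reports what show ntp status would say. The sample text is constructed to match the S1 output.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

UNSYNCHRONIZED_STRATUM = 16   # stratum 16 = the device is unsynchronized
MAX_STRATUM = 15              # highest stratum that still counts as synchronized

# Constructed sample, modelled on the show ntp associations output on S1
SAMPLE_S1 = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
*~192.168.1.1     209.165.200.225  2     12     64   377  1.066  13.616  3.840
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""

@dataclass
class Association:
    flag: str         # '*' sys.peer, '#' selected, '+' candidate, '-' outlyer, 'x' falseticker
    configured: bool  # '~' means the peer was added with the ntp server command
    address: str
    ref_clock: str
    stratum: int
    reach: int        # octal shift register of the last 8 polls; 0o377 = all 8 answered

LINE_RE = re.compile(
    r"^(?P<flag>[ *#+\-x])(?P<cfg>[~ ])(?P<addr>\S+)\s+(?P<ref>\S+)\s+"
    r"(?P<st>\d+)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)"
)

def parse_associations(text: str) -> List[Association]:
    """Parse the peer lines; the column header and the legend do not match the pattern."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append(Association(m["flag"], m["cfg"] == "~", m["addr"], m["ref"],
                                     int(m["st"]), int(m["reach"], 8)))
    return found

def sync_check(assocs: List[Association]) -> Tuple[bool, str, int]:
    """Return (synchronized, reason, local stratum) as show ntp status would report it."""
    peers = [a for a in assocs if a.flag == "*"]
    if not peers:
        return False, "no sys.peer selected", UNSYNCHRONIZED_STRATUM
    peer = peers[0]
    local = peer.stratum + 1          # one hop further from the authoritative source
    if local > MAX_STRATUM:
        return False, f"peer stratum {peer.stratum} leaves this device unsynchronized", UNSYNCHRONIZED_STRATUM
    note = "" if peer.reach == 0o377 else f" (peer missed recent polls, reach {peer.reach:o})"
    return True, f"synchronized to {peer.address} at stratum {peer.stratum}{note}", local

if __name__ == "__main__":
    print(sync_check(parse_associations(SAMPLE_S1)))
```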
Introduction to SNMP
SNMP was developed to allow administrators to manage nodes on an IP network. It enables network administrators to monitor and manage network performance, find and solve network problems, and plan for network growth.
SNMP is an application layer protocol that provides a message format for communication between managers and agents. The SNMP system consists of three elements:
• SNMP manager
• SNMP agents (managed node)
• Management Information Base (MIB)
SNMP defines how management information is exchanged between network management applications and management agents. The SNMP manager polls the agents and queries the MIB for SNMP agents on UDP port 161. SNMP agents send any SNMP traps to the SNMP manager on UDP port 162.
Introduction to SNMP (Cont.)
• The SNMP manager is part of a network management system (NMS). The SNMP manager can collect information from an SNMP agent by using the “get” action and can change configurations on an agent by using the “set” action. SNMP agents can forward information directly to a network manager by using “traps”.
• The SNMP agent and MIB reside on SNMP client devices. MIBs store data about the device and operational statistics and are meant to be available to authenticated remote users. The SNMP agent is responsible for providing access to the local MIB.
SNMP Operation
• SNMP agents that reside on managed devices collect and store information about the device and its operation locally in the MIB. The SNMP manager then uses the SNMP agent to access information within the MIB.
• There are two primary SNMP manager requests, get and set. In addition to configuration, a set can cause an action to occur, like restarting a router.
Operation – Description
• get-request – Retrieves a value from a specific variable.
• get-next-request – Retrieves a value from a variable within a table; the SNMP manager does not need to know the exact variable name. A sequential search is performed to find the needed variable from within a table.
• get-bulk-request – Retrieves large blocks of data, such as multiple rows in a table, that would otherwise require the transmission of many small blocks of data. (Only works with SNMPv2 or later.)
• get-response – Replies to a get-request, get-next-request, or set-request sent by an NMS.
• set-request – Stores a value in a specific variable.
SNMP Operation (Cont.)
The SNMP agent responds to SNMP manager requests as follows:
• Get an MIB variable – The SNMP agent performs this function in response to a GetRequest-PDU from the network manager. The agent retrieves the value of the requested MIB variable and responds to the network manager with that value.
• Set an MIB variable – The SNMP agent performs this function in response to a SetRequest-PDU from the network manager. The SNMP agent changes the value of the MIB variable to the value specified by the network manager. An SNMP agent reply to a set request includes the new settings in the device.
SNMP Agent Traps
• Traps are unsolicited messages alerting the SNMP manager to a condition or event on the network. Trap-directed notifications reduce network and agent resource usage by eliminating the need for some SNMP polling requests.
• The figure illustrates the use of an SNMP trap to alert the network administrator that interface G0/0/0 has failed. The NMS software can send the network administrator a text message, pop up a window on the NMS software, or turn the router icon red in the NMS GUI.
SNMP Versions
• SNMPv1 – Legacy standard defined in RFC 1157. Uses a simple community-string based authentication method. Should not be used due to security risks.
• SNMPv2c – Defined in RFCs 1901-1908. Uses a simple community-string based authentication method. Provides for bulk retrieval options, as well as more detailed error messages.
• SNMPv3 – Defined in RFCs 3410-3415. Uses username-based authentication, provides message integrity using HMAC-MD5 or HMAC-SHA, and provides confidentiality using DES, 3DES, or AES encryption.
Community Strings
SNMPv1 and SNMPv2c use community strings that control access to the MIB. Community strings are plaintext passwords. SNMP community strings authenticate access to MIB objects.
There are two types of community strings:
• Read-only (ro) – This type provides access to the MIB variables, but does not allow these variables to be changed, only read. Because security is minimal in version 2c, many organizations use SNMPv2c in read-only mode.
• Read-write (rw) – This type provides read and write access to all objects in the MIB.
To view or set MIB variables, the user must specify the appropriate community string for read or write access.
Introduction to Syslog
Syslog uses UDP port 514 to send event notification messages across IP networks to event message collectors, as shown in the figure.
The syslog logging service provides three primary functions, as follows:
• The ability to gather logging information for monitoring and troubleshooting
• The ability to select the type of logging information that is captured
• The ability to specify the destinations of captured syslog messages
The syslog protocol starts by sending system messages and debug output to a local logging process. Syslog configuration may send these messages across the network to an external syslog server, where they can be retrieved without needing to access the actual device.
Alternatively, syslog messages may be sent to an internal buffer. Messages sent to the internal buffer are only viewable through the CLI of the device.
The network administrator may specify that only certain types of system messages be sent to various destinations. Popular destinations for syslog messages include the following:
• Logging buffer (RAM inside a router or switch)
• Console line
• Terminal line
• Syslog server
Message Format
Cisco devices produce syslog messages as a result of network events. Every syslog message contains a severity level and a facility.
The smaller numerical levels are the more critical syslog alarms. The severity level of the messages can be set to control where each type of message is displayed (i.e. on the console or the other destinations). The complete list of syslog levels is shown in the table.
Severity Name    Severity Level    Explanation
Emergency        0                 System Unusable
Alert            1                 Immediate Action Needed
Critical         2                 Critical Condition
Error            3                 Error Condition
Warning          4                 Warning Condition
Notification     5                 Normal, but Significant Condition
Informational    6                 Informational Message
Debugging        7                 Debugging Message
Facilities
In addition to specifying the severity, syslog messages also contain information on the facility. Syslog facilities are service identifiers that identify and categorize system state data for error and event message reporting. The logging facility options that are available are specific to the networking device.
Some common syslog message facilities reported on Cisco IOS routers include:
• OSPF protocol
• SYS operating system
• IP security (IPsec)
• Interface IP (IF)
Facilities (Cont.)
By default, the format of syslog messages on the Cisco IOS Software is as follows: %facility-severity-MNEMONIC: description
For example, sample output on a Cisco switch for an EtherChannel link changing state to up is:
%LINK-3-UPDOWN: Interface Port-channel1, changed state to up
Here the facility is LINK and the severity level is 3, with a MNEMONIC of UPDOWN.
Configure Syslog Timestamp
By default, log messages are not timestamped. Log messages should be timestamped so that when they are sent to another destination, such as a Syslog server, there is record of when the message was generated. Use the command service timestamps log datetime to force logged events to display the date and time.
R1# configure terminal
R1(config)# interface g0/0/0
R1(config-if)# shutdown
%LINK-5-CHANGED: Interface GigabitEthernet0/0/0, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to down
R1(config-if)# exit
R1(config)# service timestamps log datetime
R1(config)# interface g0/0/0
R1(config-if)# no shutdown
*Mar 1 11:52:42: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to down
*Mar 1 11:52:45: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to up
*Mar 1 11:52:46: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to up
R1(config-if)#
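A collector that receives these messages has to split each one into facility, severity and mnemonic, and should be able to tell timestamped from untimestamped messages. The following Python parser is an added example (not part of the lecture or of Cisco IOS) for the %facility-severity-MNEMONIC: description format shown above; it assumes IOS marks a non-authoritative clock with a leading asterisk on the timestamp, and the sample lines are constructed from the console output in this section.

```python
import re
from typing import List, NamedTuple, Optional

# Standard syslog severity levels; the lower the number, the more critical the message
SEVERITY_NAME = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                 4: "warning", 5: "notification", 6: "informational", 7: "debugging"}

# Cisco IOS format: [timestamp: ]%FACILITY-SEVERITY-MNEMONIC: description
MSG_RE = re.compile(
    r"^(?:(?P<ts>\*?[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?:\s+[A-Z]+)?):\s+)?"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):\s*(?P<desc>.*)$"
)

class SyslogMsg(NamedTuple):
    timestamp: Optional[str]   # None when service timestamps log datetime is not configured
    authoritative: bool        # assumption: IOS prefixes '*' when the clock is not authoritative
    facility: str
    severity: int
    mnemonic: str
    description: str

def parse_ios_syslog(line: str) -> Optional[SyslogMsg]:
    """Return the parsed message, or None for lines that are not syslog (e.g. CLI echo)."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    ts = m["ts"]
    return SyslogMsg(ts, bool(ts) and not ts.startswith("*"), m["fac"],
                     int(m["sev"]), m["mnem"], m["desc"])

def select(lines: List[str], max_level: int) -> List[SyslogMsg]:
    """Keep messages at severity max_level or more critical (smaller number)."""
    msgs = [parse_ios_syslog(l) for l in lines]
    return [m for m in msgs if m and m.severity <= max_level]

def without_timestamp(lines: List[str]) -> List[SyslogMsg]:
    """Messages that cannot be placed on a timeline because timestamps were not configured."""
    msgs = [parse_ios_syslog(l) for l in lines]
    return [m for m in msgs if m and m.timestamp is None]

# Constructed sample lines modelled on the console output in this section
SAMPLE = [
    "%LINK-5-CHANGED: Interface GigabitEthernet0/0/0, changed state to administratively down",
    "*Mar 1 11:52:42: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to down",
    "*Mar 1 11:52:46: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to up",
    "Nov 15 20:36:00.000 UTC: %SYS-6-CLOCKUPDATE: System clock has been updated",
    "R1(config-if)# no shutdown",   # CLI echo, not a syslog message
]

if __name__ == "__main__":
    for msg in select(SAMPLE, 3):
        print(SEVERITY_NAME[msg.severity], msg)
```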
NAT Characteristics
IPv4 Address Space
• Networks are commonly implemented using private IPv4 addresses, as defined in RFC 1918.
• Private IPv4 addresses cannot be routed over the internet and are used within an organization or site to allow devices to communicate locally.
• To allow a device with a private IPv4 address to access devices and resources outside of the local network, the private address must first be translated to a public address.
• NAT provides the translation of private addresses to public addresses.
NAT Characteristics
What is NAT
• The primary use of NAT is to conserve public IPv4 addresses.
• NAT allows networks to use private IPv4 addresses internally and translates them to a public address when needed.
• A NAT router typically operates at the border of a stub network.
• When a device inside the stub network wants to communicate with a device outside of its network, the packet is forwarded to the border router which performs the NAT process, translating the internal private address of the device to a public, outside, routable address.
RFC 1918 Internal Address Range      CIDR Prefix
10.0.0.0 – 10.255.255.255            10.0.0.0/8
172.16.0.0 – 172.31.255.255          172.16.0.0/12
192.168.0.0 – 192.168.255.255        192.168.0.0/16
NAT Characteristics
How NAT Works
PC1 wants to communicate with an outside web server with public address 209.165.201.1.
1. PC1 sends a packet addressed to the web server.
2. R2 receives the packet and reads the source IPv4 address to determine if it needs translation.
3. R2 adds mapping of the local to global address to the NAT table.
4. R2 sends the packet with the translated source address toward the destination.
5. The web server responds with a packet addressed to the inside global address of PC1 (209.165.200.226).
6. R2 receives the packet with destination address 209.165.200.226. R2 checks the NAT table and finds an entry for this mapping. R2 uses this information and translates the inside global address (209.165.200.226) to the inside local address (192.168.10.10), and the packet is forwarded toward PC1.
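The six steps above are a lookup in both directions on R2's NAT table. The following Python model is an added example (not part of the lecture or of any Cisco software) that walks through them with the lecture's addresses: step 2 uses the RFC 1918 table to decide whether a source needs translation, step 3 adds a mapping from a pool of inside global addresses, and step 6 only forwards an inbound packet when a mapping already exists, which is why unsolicited traffic from outside gets dropped. It also accepts pre-configured one-to-one entries, which is how the next section's static NAT behaves.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# RFC 1918 private ranges, as listed in the IPv4 Address Space table above
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Packet = Tuple[str, str]   # (source IPv4, destination IPv4); headers only

def needs_translation(addr: str) -> bool:
    """Step 2: only sources inside an RFC 1918 block need a public address."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

class NatRouter:
    """Border router R2: inside local <-> inside global mappings in a NAT table."""
    def __init__(self, pool: List[str], static: Optional[Dict[str, str]] = None):
        self.pool = list(pool)                           # free inside global addresses
        self.table: Dict[str, str] = dict(static or {})  # inside local -> inside global

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        src, dst = pkt
        if not needs_translation(src):      # already globally routable: forward unchanged
            return pkt
        if src not in self.table:           # step 3: add a local-to-global mapping
            if not self.pool:
                return None                 # pool exhausted: the packet is dropped
            self.table[src] = self.pool.pop(0)
        return (self.table[src], dst)       # step 4: rewrite the source address

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        src, dst = pkt
        for local, glob in self.table.items():
            if glob == dst:                 # step 6: mapping found, rewrite destination
                return (src, local)
        return None                         # no entry: unsolicited traffic is not forwarded in

def walk_through() -> Tuple[Optional[Packet], Optional[Packet]]:
    """The six steps with the lecture's addresses: PC1 -> web server -> PC1."""
    r2 = NatRouter(pool=["209.165.200.226"])
    out = r2.outbound(("192.168.10.10", "209.165.201.1"))      # steps 1-4
    back = r2.inbound(("209.165.201.1", "209.165.200.226"))    # steps 5-6
    return out, back

if __name__ == "__main__":
    print(walk_through())
```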
NAT Characteristics
NAT Terminology
NAT includes four types of addresses:
• Inside local address
• Inside global address
• Outside local address
• Outside global address
NAT terminology is always applied from the perspective of the device with the translated address:
• Inside address – The address of the device which is being translated by NAT.
• Outside address – The address of the destination device.
• Local address – A local address is any address that appears on the inside portion of the network.
• Global address – A global address is any address that appears on the outside portion of the network.
NAT Characteristics
NAT Terminology (Cont.)
Inside local address
The address of the source as seen from inside the network. This is typically a private IPv4 address. The inside local address of PC1 is 192.168.10.10.
Inside global address
The address of the source as seen from the outside network. The inside global address of PC1 is 209.165.200.226.
Outside global address
The address of the destination as seen from the outside network. The outside global address of the web server is 209.165.201.1.
Outside local address
The address of the destination as seen from the inside network. PC1 sends traffic to the web server at the IPv4 address 209.165.201.1. While uncommon, this address could be different than the globally routable address of the destination.
Types of NAT
Static NAT
Static NAT uses a one-to-one mapping of local and global addresses configured by the network administrator that remain constant.
• Static NAT is useful for web servers or devices that must have a consistent address that is accessible from the internet, such as a compan