IP Services Study Guide

CCNA 200-301 Exam Domain 4 (10% of exam)

1. DHCP (Dynamic Host Configuration Protocol)

DHCP automatically assigns IP addresses and other network configuration to hosts. This eliminates the need for manual configuration and reduces errors.

DHCP Process (DORA)

DHCP DORA Process:

        Client                                      Server
          |                                           |
          |-------- DISCOVER (broadcast) ------------>|   "I need an IP address!"
          |                                           |
          |<------- OFFER (unicast or broadcast) -----|   "Here's 192.168.1.10 for you"
          |                                           |
          |-------- REQUEST (broadcast) ------------->|   "I'll take 192.168.1.10"
          |                                           |
          |<------- ACK (unicast or broadcast) -------|   "Confirmed, it's yours!"
          |                                           |

    D = Discover (Client → Server, UDP 67)
    O = Offer    (Server → Client, UDP 68)
    R = Request  (Client → Server, UDP 67)
    A = ACK      (Server → Client, UDP 68)
DHCP Ports: DHCP server listens on UDP port 67, DHCP client listens on UDP port 68. Remember: "Server drinks (67), Client waits (68)" or "67 is older, servers are older."

DHCP Information Provided

Configuring Router as DHCP Server

    ! Create DHCP pool
    Router(config)# ip dhcp pool LAN_POOL
    Router(dhcp-config)# network 192.168.1.0 255.255.255.0
    Router(dhcp-config)# default-router 192.168.1.1
    Router(dhcp-config)# dns-server 8.8.8.8 8.8.4.4
    Router(dhcp-config)# domain-name example.com
    Router(dhcp-config)# lease 7                    ! 7 days (default is 1 day)

    ! Exclude addresses from pool (for static devices)
    Router(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.10

    ! Verification
    Router# show ip dhcp binding
    Router# show ip dhcp pool
    Router# show ip dhcp server statistics
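To make the pool semantics concrete, here is an added Python example (not Cisco IOS code and not from this guide) of a small DHCP address pool that mirrors the configuration above: a network, excluded ranges, a default router, DNS servers and a lease time, with bindings listed the way "show ip dhcp binding" does. The client MAC addresses and the simulated clock values are constructed for the demonstration.

```python
import ipaddress

# Added example (not Cisco IOS code): a small DHCP address pool that mirrors the
# 'ip dhcp pool' settings above: a network, excluded ranges, a default router,
# DNS servers and a lease time, with 'show ip dhcp binding'-style output.

DAY = 86400  # seconds; IOS 'lease 7' means 7 days


class DhcpPool:
    def __init__(self, network, default_router, dns_servers, lease_days=1, excluded=()):
        self.network = ipaddress.ip_network(network)
        self.default_router = default_router
        self.dns_servers = list(dns_servers)
        self.lease_seconds = lease_days * DAY
        # Expand 'ip dhcp excluded-address FIRST LAST' ranges into a set of addresses.
        self.excluded = set()
        for first, last in excluded:
            lo = int(ipaddress.ip_address(first))
            hi = int(ipaddress.ip_address(last))
            self.excluded.update(str(ipaddress.ip_address(i)) for i in range(lo, hi + 1))
        self.bindings = {}  # client MAC -> (ip, expiry time in seconds)

    def _expire(self, now):
        """Drop leases that have run out, returning their addresses to the pool."""
        for mac in [m for m, (_, exp) in self.bindings.items() if exp <= now]:
            del self.bindings[mac]

    def offer(self, mac, now):
        """Pick an address for a DISCOVER; a known client keeps (renews) its address.
        Returns the OFFER parameters, or None when the pool is exhausted."""
        self._expire(now)
        if mac in self.bindings:
            ip = self.bindings[mac][0]
        else:
            in_use = {ip for ip, _ in self.bindings.values()}
            ip = None
            # hosts() skips the network and broadcast addresses, as IOS does
            for host in self.network.hosts():
                cand = str(host)
                if cand not in self.excluded and cand not in in_use:
                    ip = cand
                    break
            if ip is None:
                return None
        self.bindings[mac] = (ip, now + self.lease_seconds)
        return {
            "ip": ip,
            "mask": str(self.network.netmask),
            "router": self.default_router,
            "dns": self.dns_servers,
            "lease": self.lease_seconds,
        }

    def release(self, mac):
        """Handle a DHCP RELEASE: free the client's address immediately."""
        self.bindings.pop(mac, None)

    def show_binding(self):
        """Rows like 'show ip dhcp binding': (IP address, client MAC, lease expiry)."""
        return sorted((ip, mac, exp) for mac, (ip, exp) in self.bindings.items())


if __name__ == "__main__":
    # Constructed pool matching the configuration above; MACs and clock are made up.
    pool = DhcpPool("192.168.1.0/24", "192.168.1.1", ["8.8.8.8", "8.8.4.4"],
                    lease_days=7, excluded=[("192.168.1.1", "192.168.1.10")])
    print(pool.offer("aa:bb:cc:00:00:01", now=0))
    print(pool.offer("aa:bb:cc:00:00:02", now=0))
    for row in pool.show_binding():
        print(*row)
```

Because .1 through .10 are excluded, the first client is offered 192.168.1.11, a second client 192.168.1.12, and a client whose lease has expired loses its address to the next requester; that is the same behaviour the excluded-address and lease commands produce on the router.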

DHCP Relay Agent

When the DHCP server is on a different network, broadcasts won't reach it. A DHCP relay agent (ip helper-address) forwards DHCP requests to the server.

DHCP Relay:

    [Client]---(VLAN 10)---[Router]---(VLAN 20)---[DHCP Server]
        |                     |                        |
        | DISCOVER (broadcast)|                        |
        |-------------------->|                        |
        |                     | Forward as unicast     |
        |                     |----------------------->|
        |                     |                        |
        |                     |<-----------------------|
        |                     |         OFFER          |
        |<--------------------|                        |
        |        OFFER        |                        |
    ! Configure DHCP relay on router interface facing clients
    Router(config)# interface gigabitethernet 0/0
    Router(config-if)# ip helper-address 192.168.20.100    ! DHCP server IP

    ! Multiple DHCP servers
    Router(config-if)# ip helper-address 192.168.20.100
    Router(config-if)# ip helper-address 192.168.20.101
The ip helper-address command forwards several UDP broadcast types by default: DHCP (67/68), DNS (53), TFTP (69), TACACS (49), NetBIOS, and Time service.

DHCP Client Configuration

    ! Configure router interface as DHCP client
    Router(config)# interface gigabitethernet 0/0
    Router(config-if)# ip address dhcp

    ! Verify
    Router# show ip interface gigabitethernet 0/0

2. DNS (Domain Name System)

DNS translates human-readable domain names (www.example.com) to IP addresses (93.184.216.34) that computers use to communicate.

DNS Hierarchy

DNS Hierarchy:

                          . (Root)
                             |
            +--------+-------+-------+--------+
            |        |       |       |        |
          .com     .org    .net    .edu     .gov
            |
       +----+----+
       |         |
     google    amazon
       |
      www

    www.google.com = 142.250.x.x

DNS Record Types

Record   Purpose                           Example
A        Maps hostname to IPv4 address     www.example.com → 93.184.216.34
AAAA     Maps hostname to IPv6 address     www.example.com → 2606:2800:220:1:...
CNAME    Alias for another hostname        mail.example.com → www.example.com
MX       Mail server for domain            example.com → mail.example.com
PTR      Reverse lookup (IP to hostname)   93.184.216.34 → www.example.com
NS       Nameserver for domain             example.com → ns1.example.com

DNS Configuration on Router

    ! Enable DNS lookup (enabled by default)
    Router(config)# ip domain-lookup

    ! Configure DNS server
    Router(config)# ip name-server 8.8.8.8
    Router(config)# ip name-server 8.8.4.4

    ! Set domain name
    Router(config)# ip domain-name example.com

    ! Add static DNS entry
    Router(config)# ip host server1 192.168.1.100

    ! Disable DNS lookup (prevents hostname lookup delays)
    Router(config)# no ip domain-lookup

    ! Verify
    Router# show hosts
DNS Ports: DNS uses UDP port 53 for queries (fast, small packets) and TCP port 53 for zone transfers and large responses over 512 bytes.

3. NAT (Network Address Translation)

NAT translates private IP addresses to public IP addresses, allowing multiple devices to share a single public IP for internet access. This helps conserve the limited IPv4 address space.

NAT Terminology

Term             Description                              Example
Inside Local     Private IP of internal host              192.168.1.10
Inside Global    Public IP representing internal host     203.0.113.5
Outside Local    IP of external host as seen internally   Usually same as Outside Global
Outside Global   Public IP of external host               8.8.8.8
NAT Address Translation:

    Inside Network          NAT Router                            Outside Network
    [192.168.1.10] -----> [Inside Local:   192.168.1.10 ] -----> [8.8.8.8]
        (PC)              [Inside Global:  203.0.113.5  ]        (Google DNS)
                          [Outside Local:  8.8.8.8      ]
                          [Outside Global: 8.8.8.8      ]

Types of NAT

Static NAT (1:1 mapping)

    ! Map one private IP to one public IP permanently
    Router(config)# ip nat inside source static 192.168.1.10 203.0.113.10

    ! Define inside and outside interfaces
    Router(config)# interface gigabitethernet 0/0
    Router(config-if)# ip nat inside
    Router(config)# interface gigabitethernet 0/1
    Router(config-if)# ip nat outside

Dynamic NAT (Pool of addresses)

    ! Define pool of public addresses
    Router(config)# ip nat pool PUBLIC_POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0

    ! Define which internal IPs can use NAT (ACL)
    Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255

    ! Link ACL to NAT pool
    Router(config)# ip nat inside source list 1 pool PUBLIC_POOL

    ! Configure interfaces
    Router(config-if)# ip nat inside      ! on inside interface
    Router(config-if)# ip nat outside     ! on outside interface

PAT / NAT Overload (Many:1 mapping)

PAT (Port Address Translation) allows many internal hosts to share a single public IP by using different source ports.

    ! PAT using interface's IP address (most common)
    Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
    Router(config)# ip nat inside source list 1 interface gigabitethernet 0/1 overload
                                                                               ^^^^^^^^
                                                  The "overload" keyword enables PAT

    ! PAT using a pool with overload
    Router(config)# ip nat pool SINGLE_IP 203.0.113.5 203.0.113.5 netmask 255.255.255.0
    Router(config)# ip nat inside source list 1 pool SINGLE_IP overload

NAT Verification

    ! View NAT translations
    Router# show ip nat translations
    Pro Inside global        Inside local         Outside local       Outside global
    tcp 203.0.113.5:1024     192.168.1.10:3025    8.8.8.8:53          8.8.8.8:53
    tcp 203.0.113.5:1025     192.168.1.11:4567    142.250.x.x:443     142.250.x.x:443

    ! View NAT statistics
    Router# show ip nat statistics

    ! Clear NAT translations
    Router# clear ip nat translation *
PAT is the most common type of NAT used. The "overload" keyword is what enables port-based translation. Without it, you get dynamic NAT which requires a 1:1 mapping.
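The translation table behind PAT is easy to misread from the "show" output alone, so here is an added Python example (not Cisco's NAT implementation and not from this guide) of a minimal overload table: many inside hosts share the one inside-global address 203.0.113.5 from the configuration above, distinguished only by the port the router allocates, and a packet arriving from outside with no matching entry is dropped. The port allocator is a simplification (next unused port from 1024); IOS keeps the original source port when it is free. The inside hosts and ports used in the demo are constructed.

```python
# Added example (not Cisco's NAT implementation): a minimal PAT / NAT-overload table
# showing how many inside hosts share one inside-global address by source port, and
# why unsolicited inbound packets have nowhere to go. Port allocation is simplified
# to "next unused port from 1024"; IOS keeps the original port when it is free.

INSIDE_GLOBAL = "203.0.113.5"  # the single public address from the PAT example above


class PatTable:
    def __init__(self, inside_global=INSIDE_GLOBAL, first_port=1024):
        self.inside_global = inside_global
        self.next_port = first_port
        # (inside_local_ip, inside_local_port, outside_ip, outside_port) -> inside_global port
        self.outbound = {}
        # (inside_global_port, outside_ip, outside_port) -> (inside_local_ip, inside_local_port)
        self.inbound = {}

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Inside -> outside: rewrite the source to inside-global:port, adding an entry if new."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            if self.next_port > 65535:
                raise RuntimeError("PAT port space exhausted")
            gport = self.next_port
            self.next_port += 1
            self.outbound[key] = gport
            self.inbound[(gport, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.inside_global, self.outbound[key], dst_ip, dst_port)

    def translate_in(self, src_ip, src_port, dst_ip, dst_port):
        """Outside -> inside: map a reply back to the inside host.
        Returns None (drop) when no matching translation exists."""
        if dst_ip != self.inside_global:
            return None
        inside = self.inbound.get((dst_port, src_ip, src_port))
        if inside is None:
            return None
        return (src_ip, src_port, inside[0], inside[1])

    def show_translations(self):
        """Rows shaped like 'show ip nat translations' (Pro column omitted)."""
        return [(f"{self.inside_global}:{gport}", f"{ilip}:{ilport}",
                 f"{oip}:{oport}", f"{oip}:{oport}")
                for (ilip, ilport, oip, oport), gport in self.outbound.items()]


if __name__ == "__main__":
    pat = PatTable()
    # Two constructed inside hosts that happen to use the same source port.
    print(pat.translate_out("192.168.1.10", 3025, "8.8.8.8", 53))
    print(pat.translate_out("192.168.1.11", 3025, "8.8.8.8", 53))
    print(pat.translate_in("8.8.8.8", 53, INSIDE_GLOBAL, 1025))   # reply to host .11
    print(pat.translate_in("198.51.100.9", 4444, INSIDE_GLOBAL, 2000))  # unsolicited: None
    for row in pat.show_translations():
        print(*row)
```

Two hosts using the same local source port get different inside-global ports, which is the whole point of "overload"; without it each host would need its own public address from the pool.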

NAT Key Points

  • Static NAT: One-to-one, permanent mapping (good for servers)
  • Dynamic NAT: Pool of public IPs, first-come-first-served
  • PAT/Overload: Many-to-one using port numbers (most common)
  • Inside Local = Private IP; Inside Global = Public IP
  • Must configure both "ip nat inside" and "ip nat outside" interfaces

4. NTP (Network Time Protocol)

NTP synchronizes clocks across network devices. Accurate time is critical for logging, certificates, authentication, and troubleshooting.

NTP Stratum Levels

NTP Stratum Hierarchy:

    Stratum 0:  Atomic clocks, GPS (reference clocks)
                Cannot be used directly
        |
    Stratum 1:  Servers directly connected to Stratum 0
                (Primary time servers)
        |
    Stratum 2:  Synchronized to Stratum 1
                (Secondary time servers)
        |
    Stratum 3:  Synchronized to Stratum 2
        |
    ...continuing down...
        |
    Stratum 15: Maximum stratum level
    Stratum 16: Unsynchronized (invalid)

    Lower stratum = more accurate

NTP Configuration

    ! Configure NTP server (point to upstream time source)
    Router(config)# ntp server 216.239.35.0       ! Google's NTP server
    Router(config)# ntp server 216.239.35.4       ! Backup server

    ! Prefer a specific server
    Router(config)# ntp server 216.239.35.0 prefer

    ! Configure this router as NTP server for other devices
    Router(config)# ntp master 4                  ! Act as stratum 4 server

    ! Set timezone
    Router(config)# clock timezone EST -5
    Router(config)# clock summer-time EDT recurring

    ! Verification
    Router# show ntp status
    Router# show ntp associations
    Router# show clock

NTP Authentication

    ! Enable NTP authentication
    Router(config)# ntp authenticate
    Router(config)# ntp authentication-key 1 md5 MySecretKey
    Router(config)# ntp trusted-key 1
    Router(config)# ntp server 216.239.35.0 key 1
NTP Port: NTP uses UDP port 123. It's designed for accuracy, typically achieving synchronization within milliseconds over the internet.
Use "show ntp associations" to verify NTP status. Look for the asterisk (*) which indicates the selected reference clock. A plus (+) indicates a candidate.

5. SNMP (Simple Network Management Protocol)

SNMP enables network monitoring and management. Administrators can query devices for status, receive alerts, and even change configurations.

SNMP Components

Component      Description
SNMP Manager   Management station that queries agents (NMS)
SNMP Agent     Software on managed device that responds to queries
MIB            Management Information Base - database of objects
OID            Object Identifier - unique ID for each MIB variable

SNMP Operations

Operation   Direction         Purpose
Get         Manager → Agent   Request single OID value
GetNext     Manager → Agent   Request next OID in MIB tree
GetBulk     Manager → Agent   Request multiple OIDs (SNMPv2+)
Set         Manager → Agent   Change configuration value
Trap        Agent → Manager   Unsolicited alert from device
Inform      Agent → Manager   Trap with acknowledgment (SNMPv2+)

SNMP Versions

Version   Security                        Features
SNMPv1    Community strings (plaintext)   Basic functionality
SNMPv2c   Community strings (plaintext)   GetBulk, Inform, 64-bit counters
SNMPv3    Authentication + Encryption     Full security, user-based access

SNMP Configuration

    ! SNMPv2c configuration
    Router(config)# snmp-server community PUBLIC ro       ! Read-only
    Router(config)# snmp-server community PRIVATE rw      ! Read-write

    ! Configure SNMP trap destination
    Router(config)# snmp-server host 192.168.1.100 version 2c PUBLIC
    Router(config)# snmp-server enable traps

    ! SNMPv3 configuration (more secure)
    Router(config)# snmp-server group ADMIN v3 priv
    Router(config)# snmp-server user SNMPADMIN ADMIN v3 auth sha AuthPass priv aes 128 PrivPass

    ! Verification
    Router# show snmp
    Router# show snmp community
SNMPv1 and SNMPv2c send community strings in plaintext. Always use SNMPv3 with authentication and encryption in production environments.
SNMP Ports: SNMP Agent listens on UDP port 161 for queries. SNMP Manager listens on UDP port 162 for traps.

6. Syslog

Syslog provides a standardized way to generate, store, and transfer log messages. These messages help with troubleshooting, security monitoring, and compliance.

Syslog Severity Levels

Level   Name            Description                 Mnemonic
0       Emergency       System unusable             Every
1       Alert           Immediate action needed     Awesome
2       Critical        Critical condition          Cisco
3       Error           Error condition             Engineer
4       Warning         Warning condition           Will
5       Notification    Normal but significant      Need
6       Informational   Informational messages      Ice cream
7       Debugging       Debug messages              Daily
Setting a Level: When you configure a syslog level, you get messages at that level AND all more severe levels. Setting level 4 (Warning) gives you levels 0-4.

Syslog Configuration

    ! Send logs to syslog server
    Router(config)# logging host 192.168.1.100
    Router(config)# logging trap informational       ! Levels 0-6 to server

    ! Console logging
    Router(config)# logging console warnings         ! Levels 0-4 to console

    ! Buffer logging (stored in RAM)
    Router(config)# logging buffered 16384 debugging ! Size in bytes

    ! Add timestamps to log messages
    Router(config)# service timestamps log datetime msec localtime show-timezone

    ! Add sequence numbers
    Router(config)# service sequence-numbers

    ! Verification
    Router# show logging

Syslog Message Format

Example Syslog Message:

    *Mar 1 00:25:36.123 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up

Breakdown:

    *Mar 1 00:25:36.123 EST   = Timestamp
    %LINEPROTO                = Facility (source)
    5                         = Severity level (Notification)
    UPDOWN                    = Mnemonic (message type)
    Line protocol on...       = Message description
Memorize the severity levels! 0 is most severe (Emergency), 7 is least (Debugging). Use the mnemonic: "Every Awesome Cisco Engineer Will Need Ice cream Daily."
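The message format and the "level N includes everything more severe" rule from the configuration section are the two things a log pipeline has to get right, so here is an added Python example (not Cisco code and not part of this guide) that parses IOS log lines into timestamp, facility, severity and mnemonic, and then applies a cutoff the way "logging trap" and "logging console" do. The sample log lines are constructed for the demonstration, not captured from a real device.

```python
import re

# Added example (not Cisco code): parse IOS syslog lines into facility, severity and
# mnemonic, and apply the "level N includes everything more severe" rule from the
# 'logging trap' / 'logging console' commands.

SEVERITY_NAMES = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
                  4: "Warning", 5: "Notification", 6: "Informational", 7: "Debugging"}

# Keyword forms accepted by IOS logging commands, e.g. 'logging trap informational'
LEVEL_KEYWORDS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
                  "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Optional sequence number, optional timestamp, then %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"
    r"(?:(?P<ts>[^%]+?):\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s+(?P<text>.*)$"
)


def parse_syslog(line):
    """Return the fields of one IOS log line, or None if it is not an IOS message."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    sev = int(m.group("severity"))
    return {
        "seq": m.group("seq"),
        "timestamp": m.group("ts"),
        "facility": m.group("facility"),
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
    }


def level_from(level):
    """Accept a numeric level or an IOS keyword such as 'warnings'."""
    if isinstance(level, int):
        if not 0 <= level <= 7:
            raise ValueError("syslog level must be 0-7")
        return level
    return LEVEL_KEYWORDS[level.lower()]


def messages_at_level(lines, level):
    """Messages a destination configured at 'level' would receive: severity <= level."""
    cutoff = level_from(level)
    parsed = (parse_syslog(line) for line in lines)
    return [p for p in parsed if p is not None and p["severity"] <= cutoff]


# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    "*Mar 1 00:25:36.123 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up",
    "*Mar 1 00:26:01.004 EST: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.50)",
    "*Mar 1 00:27:10.551 EST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22]",
    "*Mar 1 00:30:00.000 EST: %SYS-2-MALLOCFAIL: Memory allocation of 4096 bytes failed",
    "000042: *Mar 1 00:31:12.900 EST: %IP-7-DEBUG: constructed debugging message",
    "not an IOS log line",
]

if __name__ == "__main__":
    # Same cutoff as 'logging console warnings': levels 0-4 only
    for msg in messages_at_level(SAMPLE_LOG, "warnings"):
        print(msg["severity"], msg["severity_name"], msg["facility"], msg["mnemonic"])
```

Run against the sample, a "warnings" cutoff keeps only the level 4 failed login and the level 2 memory failure, while "informational" (the "logging trap" setting above) keeps everything except the level 7 debug line.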

7. SSH and Device Management

SSH (Secure Shell) provides encrypted remote access to network devices, replacing the insecure Telnet protocol. SSH uses TCP port 22.

SSH vs Telnet

Feature          Telnet              SSH
Port             TCP 23              TCP 22
Encryption       None (plaintext)    Yes (encrypted)
Authentication   Password only       Password, keys, certificates
Security         Not recommended     Recommended

SSH Configuration

    ! Step 1: Configure hostname and domain name (required for key generation)
    Router(config)# hostname R1
    R1(config)# ip domain-name example.com

    ! Step 2: Generate RSA keys
    R1(config)# crypto key generate rsa modulus 2048

    ! Step 3: Configure SSH version 2 (more secure)
    R1(config)# ip ssh version 2

    ! Step 4: Configure local user for authentication
    R1(config)# username admin privilege 15 secret MySecurePassword

    ! Step 5: Configure VTY lines for SSH
    R1(config)# line vty 0 4
    R1(config-line)# transport input ssh       ! SSH only (no telnet)
    R1(config-line)# login local               ! Use local username/password

    ! Optional: Set SSH timeout and authentication retries
    R1(config)# ip ssh time-out 60
    R1(config)# ip ssh authentication-retries 3

    ! Verification
    R1# show ip ssh
    R1# show ssh

Console and VTY Configuration

    ! Secure console port
    Router(config)# line console 0
    Router(config-line)# password ConsolePass
    Router(config-line)# login
    Router(config-line)# exec-timeout 5 0          ! 5 minutes timeout
    Router(config-line)# logging synchronous       ! Prevent message interruption

    ! Secure VTY lines
    Router(config)# line vty 0 15
    Router(config-line)# login local
    Router(config-line)# transport input ssh
    Router(config-line)# exec-timeout 10 0
    Router(config-line)# access-class 10 in        ! Restrict by ACL

    ! Define ACL for management access
    Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255

Password Encryption

    ! Enable password encryption for type 7 passwords
    Router(config)# service password-encryption

    ! Use secret command for type 5 (MD5) or type 9 (scrypt) hashing
    Router(config)# enable secret MyEnableSecret
    Router(config)# username admin secret MyUserSecret
Type 7 passwords (from "service password-encryption") are easily reversible. Always use "secret" commands which use stronger hashing algorithms.
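The SSH, VTY and password sections together describe a checklist that is worth automating. Here is an added Python example (not Cisco code and not from this guide) that scans a running-config for the weak settings those sections warn about: telnet permitted on VTY lines, type 7 passwords, "enable password" instead of "enable secret", SNMPv1/v2c community strings, SSH version 1 and VTY lines with no access-class. The sample configs are constructed (the hashes are placeholders, not real type 9 digests) and show the weak forms beside a corrected block.

```python
import re

# Added example (not Cisco code, not a real device config): a small audit that scans
# an IOS running-config for the management-plane weaknesses this section warns about:
# telnet on VTY lines, type 7 passwords, 'enable password' instead of 'enable secret',
# SNMPv1/v2c community strings, SSH version 1 and VTY lines without an access-class.

# Constructed sample: weak forms (vty 0 4) next to a corrected VTY block (vty 5 15).
SAMPLE_CONFIG = """\
hostname R1
service password-encryption
enable password 7 CONSTRUCTED-TYPE7-STRING
username admin privilege 15 secret 9 CONSTRUCTED-HASH-PLACEHOLDER
snmp-server community PUBLIC ro
snmp-server community PRIVATE rw
ip ssh version 1
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 login local
 access-class 10 in
"""

# Constructed sample of the same device after following the configuration above.
HARDENED_CONFIG = """\
hostname R1
enable secret 9 CONSTRUCTED-HASH-PLACEHOLDER
username admin privilege 15 secret 9 CONSTRUCTED-HASH-PLACEHOLDER
snmp-server group ADMIN v3 priv
ip ssh version 2
line vty 0 15
 transport input ssh
 login local
 access-class 10 in
"""


def _line_blocks(text):
    """Return (header, body) pairs for each 'line ...' section; indented lines belong to it."""
    blocks, header, body = [], None, []
    for raw in text.splitlines():
        if raw.startswith(" ") and header is not None:
            body.append(raw.strip())
            continue
        if header is not None:
            blocks.append((header, body))
        header, body = (raw.strip(), []) if raw.startswith("line ") else (None, [])
    if header is not None:
        blocks.append((header, body))
    return blocks


def audit_config(text):
    """Return a list of (finding_code, offending_line) tuples; empty means no findings."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"enable password\b", line):
            findings.append(("enable-password", line))        # use 'enable secret' instead
        if re.search(r"\bpassword 7 \S+", line):
            findings.append(("type7-password", line))         # reversible encoding, not a hash
        m = re.match(r"snmp-server community \S+ (ro|rw)\b", line)
        if m:
            findings.append((f"snmp-community-{m.group(1)}", line))  # plaintext v1/v2c
        if line == "ip ssh version 1":
            findings.append(("ssh-v1", line))
    for header, body in _line_blocks(text):
        if not header.startswith("line vty"):
            continue
        for entry in body:
            if entry.startswith("transport input") and ("telnet" in entry or entry.endswith(" all")):
                findings.append(("vty-telnet", f"{header}: {entry}"))
        if not any(entry.startswith("access-class") for entry in body):
            findings.append(("vty-no-access-class", header))
    return findings


if __name__ == "__main__":
    for code, where in audit_config(SAMPLE_CONFIG):
        print(f"{code:22} {where}")
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

Against the weak sample the audit reports seven findings; against the hardened sample it reports none. The "enable password 7 ..." line is flagged twice on purpose: once because "enable password" should be "enable secret", and once because the type 7 encoding that "service password-encryption" applies is reversible.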

8. QoS Concepts

Quality of Service (QoS) manages network traffic to ensure critical applications get the bandwidth and low latency they need. This is especially important for voice and video.

Why QoS?

QoS Characteristics

Characteristic    Description                           Voice Requirement
Bandwidth         Data transfer capacity                ~100 Kbps per call
Delay (Latency)   Time for packet to traverse network   < 150ms one-way
Jitter            Variation in delay                    < 30ms
Loss              Percentage of packets dropped         < 1%

QoS Mechanisms

Mechanism              Purpose
Classification         Identify traffic types (ACLs, NBAR, markings)
Marking                Tag packets for priority handling (DSCP, CoS)
Queuing                Manage output queues (CBWFQ, LLQ)
Congestion Avoidance   Drop packets before queues fill (WRED)
Policing               Drop/mark excess traffic immediately
Shaping                Buffer excess traffic, smooth output rate

Traffic Marking

Layer 2 Marking (CoS - Class of Service):
  - 802.1Q tag contains 3-bit PCP field
  - Values 0-7 (higher = more priority)
  - Only works on trunk links

Layer 3 Marking (DSCP - Differentiated Services Code Point):
  - 6 bits in IP header ToS/DS field
  - Values 0-63 (64 possible values)
  - End-to-end across network

Common DSCP Values:

    +-------+--------+------------------+
    | DSCP  | PHB    | Traffic Type     |
    +-------+--------+------------------+
    | 46    | EF     | Voice (Expedited)|
    | 34    | AF41   | Video            |
    | 26    | AF31   | Mission Critical |
    | 0     | BE     | Best Effort      |
    +-------+--------+------------------+

    EF = Expedited Forwarding
    AF = Assured Forwarding
    BE = Best Effort

Trust Boundaries

Trust Boundary: The point in the network where you trust QoS markings. Traffic from untrusted sources (like PCs) should be re-marked. IP phones can typically be trusted for CoS/DSCP markings.
Trust Boundary Example:

    [PC]---[IP Phone]---[Switch]---[Router]---WAN
                      ^
                      |
                Trust Boundary

    - PC traffic: Re-mark at switch (don't trust)
    - Phone traffic: Trust DSCP 46 from phone
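To tie the marking fields and the trust boundary together, here is an added Python example (not from this guide or from Cisco) that works at the bit level: building and decoding the DSCP value inside the IPv4 ToS/DS byte, the CoS (PCP) bits inside an 802.1Q tag, and the ingress decision a switch makes at the trust boundary. The PHB decoder goes beyond the four rows in the table above and names any AFxy or CSx value; the DSCP-to-CoS relationship is Cisco's default map (top three bits of DSCP). The sample values are constructed.

```python
# Added example (not from the page or Cisco): bit-level handling of the Layer 3 DSCP
# field and the Layer 2 802.1Q CoS (PCP) field, decoding PHB names for any DSCP value
# (more general than the four rows in the table above), Cisco's default DSCP-to-CoS
# relationship, and the trust-boundary decision at a switch ingress port.

EF = 46  # Expedited Forwarding, the usual voice marking


def tos_byte_from_dscp(dscp, ecn=0):
    """DSCP is the upper 6 bits of the IPv4 ToS / DS byte; the low 2 bits are ECN."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0-63")
    if not 0 <= ecn <= 3:
        raise ValueError("ECN must be 0-3")
    return (dscp << 2) | ecn


def dscp_from_tos_byte(tos):
    """Recover the DSCP value from a received ToS / DS byte."""
    return (tos & 0xFF) >> 2


def phb_name(dscp):
    """Name the Per-Hop Behavior: EF, BE, AFxy (class x, drop precedence y) or CSx."""
    if dscp == EF:
        return "EF"
    if dscp == 0:
        return "BE"
    af_class = dscp >> 3            # top 3 bits
    drop_prec = (dscp >> 1) & 0b11  # next 2 bits; the low bit is always 0 for AF
    if 1 <= af_class <= 4 and 1 <= drop_prec <= 3 and dscp & 1 == 0:
        return f"AF{af_class}{drop_prec}"
    if dscp & 0b111 == 0:
        return f"CS{af_class}"
    return "unassigned"


def default_cos_for_dscp(dscp):
    """Cisco's default DSCP-to-CoS map keeps the top 3 bits (DSCP // 8): 46 -> 5, 34 -> 4."""
    return dscp >> 3


def tci_from(pcp, vid, dei=0):
    """Build the 16-bit 802.1Q Tag Control Information: 3-bit PCP (CoS), 1-bit DEI, 12-bit VLAN ID."""
    if not (0 <= pcp <= 7 and 0 <= dei <= 1 and 0 <= vid <= 4095):
        raise ValueError("PCP 0-7, DEI 0-1, VID 0-4095")
    return (pcp << 13) | (dei << 12) | vid


def cos_from_tci(tci):
    """CoS is the top 3 bits of the TCI."""
    return (tci & 0xFFFF) >> 13


def vid_from_tci(tci):
    """VLAN ID is the low 12 bits of the TCI."""
    return tci & 0x0FFF


def ingress_dscp(received_dscp, port_trusted):
    """Trust-boundary decision: keep the marking from a trusted port (IP phone),
    re-mark traffic from an untrusted port (PC) to best effort so a host cannot
    promote its own traffic into the voice queue."""
    return received_dscp if port_trusted else 0


if __name__ == "__main__":
    for dscp in (46, 34, 26, 0, 40):   # constructed sample of DSCP values
        print(f"DSCP {dscp:2} = ToS 0x{tos_byte_from_dscp(dscp):02X}  PHB {phb_name(dscp):5} "
              f"default CoS {default_cos_for_dscp(dscp)}")
    tci = tci_from(default_cos_for_dscp(EF), vid=100)
    print(f"TCI 0x{tci:04X}: CoS {cos_from_tci(tci)}, VLAN {vid_from_tci(tci)}")
    print("PC sends DSCP 46 on untrusted port ->", ingress_dscp(EF, port_trusted=False))
```

A DSCP of 46 is the ToS byte 0xB8 on the wire, which is what packet captures show for voice; the last line shows why the trust boundary matters: a PC that marks its own packets EF is reset to best effort at the untrusted switch port, whereas the same marking from the phone port is kept.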

QoS Key Points

  • QoS manages congestion, it doesn't create bandwidth
  • Voice/Video need low latency, low jitter, and low packet loss
  • DSCP is Layer 3 marking (IP header)
  • CoS is Layer 2 marking (802.1Q tag)
  • DSCP EF (46) is typically used for voice
  • Trust boundary determines where markings are accepted
Know the difference between policing (drops excess traffic) and shaping (buffers and delays excess traffic). Also understand that DSCP is preserved across routers while CoS only exists on Layer 2 trunk links.