IP Services

Disclaimer! These are my notes that I wrote down while studying. It’s not a description of how something works, it’s more like small bits and pieces that I felt I didn’t know very well and needed to remember. It’s probably entirely useless for anyone except for me, but if it helps someone that’s great!

Location in docs: IP -> IP addressing configuration -> DHCP


Discover -> Offer -> Request -> Ack
DHCP relay: add gateway IP address in GIADDR field (Gateway IP ADDRess), DHCP server uses this to select pool.

Option 82

RFC 3046 defines just a couple of sub-options, namely the “remote-id” (option ID 0×2) and the “circuit-id” (ID 0×01). Those two are supposed to identify the remote device and the port where the DHCP request was received.
(c-if)# ip helper-address <ip>
DHCP static entries:
ip dhcp pool R4
client-identifier <27-byte-hex>

IRDP, ICMP Router Discovery Protocol

(c-if)# ip irdp
# ip irdp address <ipv4> [preference]

(c)# no ip unicast-routing            (need to disable to receive def route)
# ip gdp irdp


IOS can be both client, server and relay. Client:
(c)# ip name-server <ip>

Disable lookups:
(c)# no ip domain-lookup

(c)# ip dns server
(c)# ip host <name> [rr-type] <ip>

Enable subnet/directed broadcast: etc
(c)# ip directed-broadcast


Inside zone – networks that the translator wants to hide
inside local – inside IP before translation (often private IP)
inside global – inside IP after translation (often public IP)
Outside zone – exterernal to the translator
outside global – original outside IP address
outside local – outside IP after translation (only used with double NAT, translating both src and dst)

NAT on the inside:
packets are first routed, then the source address is translated (destination IP is global so it can be lookup up in routing table)
NAT on the outside:
packets have destination un-translated first, routing occurs after translation

NVI does not use inside/outside interfaces, uses NVI interfaces
docs: IP addressing configuration -> NAT
'ip nat enable' on all interfaces
unlike in/out NAT you also need to enable NAT on loopback if you use them as source
reversible keyword not supported with NVI
NVI can do all types of NAT: static, dynamic, overload
With NVI there are two routing lookups, once to send traffic to NVI if, then again to route out of box
the original scope of NVI was to do inter-VRF NAT, the two routing lookups can be in different VRFs
the NVI interface is basically a bridge between the VRFs in that case
Commands are the same, but without ‘inside’ and ‘outside’ keywords. Ex:
(c)# ip nat source static <local> <global>
# show ip nat nvi [statistics|translations]

config: (NAT sources from ACL to inside-global loopback with ip
1. ip nat pool INSIDE_GLOBAL prefix-length 30
2. ip nat inside source list <ACL> pool <interface|INSIDE_GLOBAL> [overload]
3. define inside/outside interface last        (if you configure without rules, outside interface will drop incoming traffic?)
ACL can’t match everything, then control-plane protocols like IGP from the router is going to get translated. And traffic coming in to outside interface is going to need to be un-translated before routing lookup.

Publish port: (port forwarding, remember to use inside and not outside nat)
(c)# ip nat inside source static tcp <inside> <inside-port> <outside> <outside-port>


Extended NAT = not only src/dst IP, but also protocol type and port number (TCP port 80 etc)
To allow static NAT mappings of one IL address to multiple IG addresses, the keyword extendable is added to the end of the mapping statements.
extendable = “Extend this translation when used” / “The extendable keyword allows every new translation to be fully extended, without binding a local IP address to a fixed global IP.”
if trying to configure multiple static translations without extendable:
"% already mapped ( ->"

The NAT Default Interface feature allows all traffic received on the outside interface that does not already match an existing dynamic translation to be statically forwarded to an inside host:
ip access-list standard ALL
permit any
ip nat inside source list ALL interface GigabitEthernet1.45 overload
ip nat inside source static interface GigabitEthernet1.45

Reversible NAT

“Route Maps Outside-to-Inside”
An initial session from the inside to the outside host is required to trigger a NAT. New translation sessions can then be initiated from outside to the inside host that triggered the initial translation.

By default, when you use route-maps with NAT rules, extendable entries are created. This disallows an external user to open a reverse connection back to an inside host because no one-to-one mapping exists in the translation table. Reversible NAT allows creation of extendable entries along with reversible one-to-one mappings.

Policy NAT

ip nat inside source static <local> <global> route-map <rm> [reversible]
only match NAT entry if route-map matches. by default route-map is only checked for traffic
going from inside to outside. add ‘reversible’ keyword to check the routemap when going out -> in

Multiple policy NAT route-maps with overlapping matches will be processed in alphanumeric order
More specefic matches does not count, only the name of the route-map

NAT order of operations:
1. check inbound ACL
2. check policy routing
3. check IP routing table
4. translate inside local to global outside
5. check outbound ACL
6. inspect CBAC (context-based access list)

CBAC: dynamic modification of ACLs. similar to reflexive ACLs, but can do up to L7 filtering
“CBAC is configured and operates per interface, dynamically modifying ACL entries facing one direction based on the traffic it sees flowing in the opposite direction.”

For outside nat you need to have a route for the virtual “outside local” address, even though it doesn’t really exist
Create a host-route towards the real destination IP, or use the ‘add-route’ keyword in the NAT statement.
Routing is done before the translation, which means you don’t really need a route for the real destination in the routing table
For inside NAT, routing is done after translation?

TCP load balancing NAT

Create pool with real servers:
ip nat pool RS prefix-len 24 type rotary
ip access-list ext NAT
permit ip any host
ip nat inside destination list NAT pool RS

DHCPv6 Prefix Delegation

DHCPv6 prefix delegation is separate from address assignment with DHCP
IA_PD = Identity Association for Prefix Delegation. identify a set of prefixes, can be one IA_PD per router or per a set of interfaces. Chosen by the requesting router

1. Requesting router sends a ‘Solicit’ message with the chosen IA_PD
2. Delegating router responds with ‘Advertise’ message
3. Requesting router sends ‘Request’ message to populate the IA_PD with prefixes
4. Delegating router returns prefixes and other info in a ‘Reply’ message
‘Renew’ message to update lifetimes

ipv6 unicast-routing
ipv6 dhcp pool POOL1
prefix-delegation pool PXPOOL1
! Pool points to a local prefix pool
interface Ethernet0/0
no ip address
ipv6 address 2001::1/64
ipv6 enable
ipv6 nd ra suppress
ipv6 dhcp server POOL1 allow-hint
ipv6 local pool PXPOOL1 2002::/32 48

ipv6 unicast-routing
interface Ethernet0/0
no ip address
ipv6 address autoconfig default
!The autoconfig default adds a static ipv6 default route pointing to upstream DHCP server.
ipv6 enable
ipv6 nd ra suppress
ipv6 dhcp client pd P1
!You can specify 'hint <prefix>' here to give a hint of what prefixes (multiple) you preffer
interface Ethernet0/1
ipv6 address P1 BEEF::1/64
ipv6 enable

P1 is the name of the prefix on the client, used to reference on internal interfaces
Server will put static route for prefix towards client (does not appear in running config)

IP Accounting

Accounting for IP traffic. Only captures traffic transiting the router, and only in the output direction.
(c-if)# ip accounting output-packets


Accounting for IP traffic both inbound and outbound, but only on physical interfaces (not subinterfaces). Accounting is recorded per MAC-address
On physical interface:
(c-if)#  ip accounting mac-address input
(c-if)#  ip accounting mac-address output

Leave a Reply

Your email address will not be published. Required fields are marked *