Ch 15: IP Services Flashcards

1
Q

NTP uses the concept of ________ to calculate the accuracy of the time source.

  1. administrative distance
  2. stratum
  3. atomic half-life
  4. deviation time
A

2.

NTP uses the stratum to measure the number of hops a device is from a time source to provide a sense of time accuracy.

2
Q

T/F: An NTP client can be configured with multiple NTP servers and can synchronize its local clock with all the servers.

A

False.

An NTP client can be configured with multiple NTP servers but can synchronize its time with only one active NTP server. Only during failure does the NTP client use a different NTP server.

3
Q

In a resilient network topology, first-hop redundancy protocols (FHRP) overcome the limitations of which of the following? (Choose two.)

  1. Static default routes
  2. Link-state routing protocols
  3. Vector-based routing protocols
  4. A computer with only one default gateway
A

1 and 4.

A first-hop redundancy protocol creates a virtual IP address for a default gateway, and this address can be used by computers or devices that only have a static default route.

4
Q

Which of the following FHRPs are considered Cisco proprietary? (Choose two.)

a. VRRP
b. HSRP
c. GLBP
d. ODR

A

B and C.

HSRP and GLBP are Cisco proprietary FHRPs.

Hot Standby Routing Protocol (HSRP) and Gateway Load Balancing Protocol (GLBP) are first-hop redundancy protocols.

5
Q

Which of the following commands defines the HSRP instance 1 with a VIP gateway instance 10.1.1.1?

  1. standby 1 ip 10.1.1.1
  2. hsrp 1 ip 10.1.1.1
  3. hsrp 1 vip 10.1.1.1
  4. hsrp 1 10.1.1.1
A

1.

The HSRP VIP gateway instance is defined with the command:

  • standby instance-id ip vip-address
6
Q

Which of the following FHRPs supports load balancing?

a. ODR
b. VRRP
c. HSRP
d. GLBP

A

D.

Gateway Load Balancing Protocol provides load-balancing support to multiple AVFs (Active Virtual Forwarders).

Gateway Load Balancing Protocol (GLBP) is a Cisco proprietary protocol that attempts to overcome the limitations of existing redundant router protocols by adding basic load balancing functionality.

In addition to being able to set priorities on different gateway routers, GLBP allows a weighting parameter to be set. Based on this weighting (compared to others in the same virtual router group), ARP requests will be answered with MAC addresses pointing to different routers. Thus, by default, load balancing is not based on traffic load, but rather on the number of hosts that will use each gateway router. By default, GLBP load balances in round-robin fashion.

7
Q

Which command displays the translation table on a router?

  1. show ip translations
  2. show ip xlate
  3. show xlate
  4. show ip nat translations
A

D.

The command show ip nat translations displays the active translation table on a NAT device.

8
Q

A router connects multiple private networks in the 10.0.0.0/8 network range to the Internet. A user’s IP address of 10.1.1.1 is considered the __________ IP address.

  1. inside local
  2. inside global
  3. outside local
  4. outside global
A

1.

The router would be using a form of inside NAT, and the 10.1.1.1 IP address is the inside local IP address; the IP address that a server on the Internet would use for return traffic is the inside global address.

9
Q

The IP translation table times out and clears dynamic TCP connection entries from the translation table after how long?

  • 1 hour
  • 4 hours
  • 12 hours
  • 24 hours
A

The default NAT timeout is 24 hours.

10
Q

NTP is a UDP-based protocol that connects with servers on port ___. The client source port is ___.

A

NTP is a UDP-based protocol that connects with servers on port 123. The client source port is dynamic.

11
Q

NTP servers that are directly attached to an authoritative time source are stratum _____ servers.

A

NTP uses the concept of stratums to identify the accuracy of the time clock source. NTP servers that are directly attached to an authoritative time source are stratum 1 servers. An NTP client that queries a stratum 1 server is considered a stratum 2 client. The higher the stratum, the greater the chance of deviation in time from the authoritative time source due to the number of time drifts between the NTP stratums.

Figure 15-1 demonstrates the concept of stratums, with R1 attached to an atomic clock and considered a stratum 1 server. R2 is configured to query R1, so it is considered a stratum 2 client. R3 is configured to query R2, so it is considered a stratum 3 client. This could continue until stratum 15. Notice that R4 is configured to query R1 over multiple hops, and it is therefore considered a stratum 2 client.

12
Q

What is the command to configure a Cisco device as an NTP client?

A

The configuration of an NTP client is pretty straightforward. The client configuration uses the global configuration command:

  • ntp server ip-address [prefer] [source interface-id].

The source interface, which is optional, is used to stipulate the source IP address for queries for that server. Multiple NTP servers can be configured for redundancy, and adding the optional prefer keyword indicates which NTP server time synchronization should come from.

13
Q

What is the command to set the stratum number for a Cisco device acting as an NTP server?

A

The command to statically set the stratum for a device when it acts as an NTP server is:

  • ntp master stratum-number
14
Q

What is the command to view NTP on a Cisco device to see the frequency and precision of the clock?

A

To view the status of NTP service, use the command show ntp status, which has the following output:

  1. Whether the hardware clock is synchronized to the software clock (that is, whether the clock resets during power reset), the stratum reference of the local device, and the reference clock identifier (local or IP address)
  2. The frequency and precision of the clock
  3. The NTP uptime and granularity
  4. The reference time
  5. The clock offset and delay between the client and the lower-level stratum server
  6. Root dispersion (that is, the calculated error of the actual clock attached to the atomic clock) and peer dispersion (that is, the root dispersion plus the estimated time to reach the root NTP server)
  7. NTP loopfilter (which is beyond the scope of this book)
  8. Polling interval and time since last update

NTP status is shown in Example 15-2.

15
Q

What does the command show ntp associations reveal?

A

A streamlined version of the NTP server status and delay is provided with the command show ntp associations.

The address 127.127.1.1 refers to the local device itself when it is configured with the ntp master stratum-number command.

Example 15-3 shows the NTP associations for R1, R2, and R3.

16
Q

T/F: An NTP client can be configured with multiple NTP servers.

A

True.

The device will use only the NTP server with the lowest stratum. The top portion of Figure 15-2 shows R4 with two NTP sessions: one session with R1 and another with R3.

In the topology shown in Figure 15-2, R4 will always use R1 for synchronizing its time because it is a stratum 1 server. If R2 crashes, as shown at the bottom of Figure 15-2, preventing R4 from reaching R1, it synchronizes with R3’s time (which may or may not be different due to time drift) and turns into a stratum 4 time device. When R2 recovers, R4 synchronizes with R1 and becomes a stratum 2 device again.

17
Q

What is the command to configure an NTP peer?

A

NTP peers are configured with the command ntp peer ip-address.

Example 15-4 shows the sample NTP peer configuration for R1 and R2 (refer to Figure 15-3) peering with their loopback interfaces.

18
Q

T/F: NTP peers act as clients and servers to each other, in the sense that they try to blend their time to each other.

A

True.

NTP peers act as clients and servers to each other, in the sense that they try to blend their time to each other. The NTP peer model is intended for designs where other devices can act as backup devices for each other and use different primary reference sources.

Figure 15-3 shows a scenario where R1 is an NTP client to 100.64.1.1, and R2 is an NTP client to 100.64.2.2. R1 and R2 are NTP peers with each other, so they query each other and move their time toward each other.

19
Q

What is the command to track routes in the routing table?

What is the command to view the status of a specific object tracking?

A

Tracking of routes in the routing table is accomplished with the command:

  • track object-number ip route route/prefix-length reachability.

The status of an object tracking can be viewed with the command:

  • show track [object-number].
20
Q

How can you automatically react to a route change? For example this is useful with FHRPs.

A

FHRPs are deployed in a network for reliability and high availability to ensure load balancing and failover capability in case of a router failover. To ensure optimal traffic flow when a WAN link goes down, it would be nice to be able to determine the availability of routes or the interface state to which FHRP route traffic is directed.

Object tracking offers a flexible and customizable mechanism for linking with FHRPs and other routing components (for example, conditional installation of a static route). With this feature, users can track specific objects in the network and take necessary action when any object’s state change affects network traffic.

21
Q

What is the command to track the line protocol state of an interface?

A

Tracking of an interface’s line protocol state is accomplished with the command:

  • track object-number interface interface-id line-protocol.
22
Q

What is the command to show tracking of all states?

A

show track

23
Q

What is HSRP?

A

Hot Standby Routing Protocol (HSRP) is a Cisco proprietary protocol that provides transparent failover of the first-hop device, which typically acts as a gateway to the hosts.

HSRP provides routing redundancy for IP hosts on an Ethernet network configured with a default gateway IP address. A minimum of two devices are required to enable HSRP.

One device acts as the active device and takes care of forwarding the packets, and the other acts as a standby that is ready to take over the role of active device in the event of a failure.

24
Q

T/F: In an HSRP pair, the active router receives and routes the packets destined for the virtual MAC address of the group.

A

True.

On a network segment, a virtual IP address is configured on each HSRP-enabled interface that belongs to the same HSRP group. HSRP selects one of the interfaces to act as the HSRP active router. Along with the virtual IP address, a virtual MAC address is assigned for the group. The active router receives and routes the packets destined for the virtual MAC address of the group.

25
Q

T/F: HSRP-enabled interfaces send and receive multicast UDP-based hello messages to detect any failure.

A

True.

HSRP-enabled interfaces send and receive multicast UDP-based hello messages to detect any failure and designate active and standby routers.

If a standby device does not receive a hello message or the active device fails to send a hello message, the standby device with the second highest priority becomes HSRP active.

The transition of HSRP active between the devices is transparent to all hosts on the segment because the MAC address moves with the virtual IP address.

26
Q

These are the steps to configure HSRP. Put them in the correct order.

  1. standby instance-id authentication {text-password | text text-password | md5 {key-chain key-chain | key-string key-string}} (Optional)
  2. standby instance-id mac-address mac-address (Optional)
  3. standby instance-id preempt (Optional)
  4. standby instance-id ip vip-address
  5. standby instance-id timers {seconds | msec milliseconds} (Optional)
  6. standby instance-id priority priority (Optional)
A

The proper order is: 4, 3, 6, 2, 5, 1. Like this:

  1. Define the HSRP instance by using the command standby instance-id ip vip-address.
  2. (Optional) Configure HSRP router preemption to allow a more preferred router to take the active router status from an inferior active HSRP router. Enable preemption with the command standby instance-id preempt.
  3. (Optional) Define the HSRP priority by using the command standby instance-id priority priority. The priority is a value between 0 and 255. The default value is 100.
  4. (Optional) Define the HSRP MAC address by using the command standby instance-id mac-address mac-address. Most organizations accept the automatically generated MAC address, but in some migration scenarios the MAC address needs to be statically set to ease transitions when the hosts may have a different MAC address in their ARP table.
  5. (Optional) Define the HSRP timers by using the command standby instance-id timers {seconds | msec milliseconds}. HSRP can poll in intervals of 1 to 254 seconds or 15 to 999 milliseconds.
  6. (Optional) Establish HSRP authentication by using the command standby instance-id authentication {text-password | text text-password | md5 {key-chain key-chain | key-string key-string}}.
27
Q

T/F: It is possible to load balance traffic across an HSRP pair. If so, how? If not, why not?

A

True. It is possible, sort of.

It is possible to create multiple HSRP instances for the same interface. Some network architects configure half of the hosts for one instance and the other half of the hosts for a second instance.

Setting different priorities for each instance makes it possible to load balance the traffic across multiple routers. Crude but functional!

28
Q

What is the command to view HSRP status?

A

The HSRP status can be viewed with the command:

  • show standby [interface-id] [brief].

Specifying an interface restricts the output to that interface; this can be useful when troubleshooting large amounts of information.

Example 15-10 shows the command show standby brief being run on SW2, which includes the interfaces and the associated groups that are running HSRP. The output also includes the local interface’s priority, whether preemption is enabled, the current state, the active speaker’s address, the standby speaker’s address, and the VIP gateway instance for that standby group.

29
Q

What are the commands needed to configure a basic HSRP configuration for VLAN 10 on SW2 and SW3 with an HSRP instance 10 and the VIP gateway instance 172.16.10.1?

Assume there are no SVIs on the VLANs. Use .2 and .3.

A

SW2:

  • SW2# configure terminal
  • SW2(config)# interface vlan 10
  • SW2(config-if)# ip address 172.16.10.2 255.255.255.0
  • SW2(config-if)# standby 10 ip 172.16.10.1
  • SW2(config-if)# standby 10 preempt

SW3:

  • SW3# configure terminal
  • SW3(config)# interface vlan 10
  • SW3(config-if)# ip address 172.16.10.3 255.255.255.0
  • SW3(config-if)# standby 10 ip 172.16.10.1
  • SW3(config-if)# standby 10 preempt

Example 15-9 shows a basic HSRP configuration for VLAN 10 on SW2 and SW3, using the HSRP instance 10 and the VIP gateway instance 172.16.10.1. Notice in the attached image that once preemption was enabled, SW3 became the active speaker and SW2 became the standby speaker.

30
Q

What is the command to show the number of state changes for an HSRP instance?

A

The non-brief iteration of the show standby command also includes the number of state changes for the HSRP instance, along with the time since the last state change, the timers, and a group name, as shown in Example 15-11.

31
Q

What are the commands to configure:

  1. Configure a tracked object to SW2’s WAN link (in this example, VL1).
  2. Make SW2’s priority higher than SW3’s (use 110, which is higher than the default value of 100)
    • Note: Higher priority takes precedence.
  3. Configure SW2 to lower the priority if the tracked object state changes to down.
A

Step 3 is accomplished with the command standby instance-id track object-id decrement decrement-value. The decrement value should be high enough so that when it is removed from the priority, the value is lower than that of the other HSRP router.

Example 15-12 shows the full configuration of SW2, where a tracked object is created against VLAN 1's interface line protocol, the HSRP priority is increased to 110, and HSRP is linked to the tracked object so that the priority decrements by 20 if interface VLAN 1 goes down.

32
Q

HSRP and VRRP are very similar. What are some differences?

A

Virtual Router Redundancy Protocol (VRRP) is an industry standard and operates similarly to HSRP. The behavior of VRRP is so close to that of HSRP that the following differences should be noted:

  1. The preferred active router controlling the VIP gateway is called the master router. All other VRRP routers are known as backup routers.
  2. VRRP enables preemption by default.
  3. The MAC address of the VIP gateway uses the structure 0000.5e00.01xx, where xx reflects the group ID in hex.
  4. VRRP uses the multicast address 224.0.0.18 for communication.
33
Q

T/F: Hot Standby Routing Protocol (HSRP) is a Cisco proprietary protocol.

A

True.

34
Q

How many versions of VRRP are there?

A

There are currently two versions of VRRP:

VRRPv2: Supports IPv4

VRRPv3: Supports IPv4 and IPv6

35
Q

What is the command to enable VRRP?

A

Define the VRRP instance by using the command:

  • vrrp instance-id ip vip-address

There are optional commands:

  • (Optional) Define the VRRP priority by using the command vrrp instance-id priority priority. The priority is a value between 0 and 255.
  • (Optional) Enable object tracking so that the priority is decremented when the object is false. Do so by using the command vrrp instance-id track object-id decrement decrement-value. The decrement value should be high enough so that when it is removed from the priority, the value is lower than that of the other VRRP router.
  • (Optional) Establish VRRP authentication by using the command vrrp instance-id authentication {text-password | text text-password | md5 {key-chain key-chain | key-string key-string}}
36
Q

See the following VRRP configuration example on the answer side of this card.

A

R2 and R3 are two routers that share a connection to a Layer 2 switch with their Gi0/0 interfaces, which are both on the 172.16.20.0/24 network. R2 and R3 use VRRP to create the VIP gateway 172.16.20.1.

Example 15-15 shows the configuration. Notice that after the VIP is assigned to R3, R3 preempts R2 and becomes the master.

37
Q

What is the command to view the VRRP group?

A

The command show vrrp [brief] provides an update on the VRRP group, along with other relevant information for troubleshooting.

Example 15-16 demonstrates the brief iteration of the command. All the output is very similar to output with HSRP.

38
Q

What is the command to show detailed info on a VRRP configuration?

A

show vrrp

39
Q

T/F: The newer version of IOS XE software provides configuration of VRRP in a multi-address format that is hierarchical.

A

True.

The steps for configuring hierarchical VRRP are as follows:

  1. Enable VRRPv3 on the router by using the command fhrp version vrrp v3.
  2. Define the VRRP instance by using the command vrrp instance-id address-family {ipv4 | ipv6}. This places the configuration prompt into the VRRP group for additional configuration.
  3. (Optional) Change VRRP to Version 2 by using the command vrrpv2. VRRPv2 and VRRPv3 are not compatible.
  4. Define the gateway VIP by using the command address ip-address.
  5. (Optional) Define the VRRP priority by using the command priority priority. The priority is a value between 0 and 255.
  6. (Optional) Enable object tracking so that the priority is decremented when the object is false. Do so by using the command track object-id decrement decrement-value. The decrement value should be high enough so that when it is removed from the priority, the value is lower than that of the other VRRP router.
40
Q

What is GLBP?

A

As the name suggests, Gateway Load Balancing Protocol (GLBP) provides gateway redundancy and load-balancing capability to a network segment. It provides redundancy with an active/standby gateway, and it provides load-balancing capability by ensuring that each member of the GLBP group takes care of forwarding the traffic to the appropriate gateway.

41
Q

What are these two roles for GLBP?

  1. AVG
  2. AVF
A

The GLBP contains two roles:

Active virtual gateway (AVG): The participating routers elect one AVG per GLBP group to respond to initial ARP requests for the VIP. For example, when a local PC sends an ARP request for the VIP, the AVG is responsible for replying to the ARP request with the virtual MAC address of the AVF.

Active virtual forwarder (AVF): The AVF routes traffic received from assigned hosts. A unique virtual MAC address is created and assigned by the AVG to the AVFs. The AVF is assigned to a host when the AVG replies to the ARP request with the assigned AVF’s virtual MAC address. ARP replies are unicast and are not heard by other hosts on that broadcast segment. When a host sends traffic to the virtual AVF MAC, the current router is responsible for routing it to the appropriate network. The AVFs are also recognized as Fwd instances on the routers.

42
Q

How many active AVFs and AVGs per GLBP group are supported by a GLBP group?

Can a router be both an AVG and an AVF at the same time?

A

GLBP supports four active AVFs and one AVG per GLBP group.

A router can be an AVG and an AVF at the same time.

In the event of a failure of the AVG, there is no disruption of traffic because the AVG role transfers to a standby AVG device. In the event of a failure of an AVF, another router takes over the forwarding responsibilities for that AVF, which includes the virtual MAC address for that instance.

43
Q

What are the steps to configure GLBP?

A

The following steps detail how to configure a GLBP:

  1. Define the GLBP instance by using the command glbp instance-id ip vip-address.
  2. (Optional) Configure GLBP preemption to allow for a more preferred router to take the active virtual gateway status from an inferior active GLBP router. Preemption is enabled with the command glbp instance-id preempt.
  3. (Optional) Define the GLBP priority by using the command glbp instance-id priority priority. The priority is a value between 0 and 255.
  4. (Optional) Define the GLBP timers by using the command glbp instance-id timers {hello-seconds | msec hello-milliseconds} {hold-seconds | msec hold-milliseconds}.
  5. (Optional) Establish GLBP authentication by using the command glbp instance-id authentication {text text-password | md5 {key-chain key-chain | key-string key-string}}.
44
Q

What is the command to view a GLBP configuration?

A

show glbp [brief]

45
Q

T/F: By default, GLBP balances the load of traffic in a weighted round-robin (WRR) fashion.

A

False.

By default, GLBP balances the load of traffic in a simple round-robin fashion.

However, GLBP supports three methods of load balancing traffic:

  • Round robin: Uses each virtual forwarder MAC address to sequentially reply for the virtual IP address.
  • Weighted: Defines weights to each device in the GLBP group to define the ratio of load balancing between the devices. This allows for a larger weight to be assigned to bigger routers that can handle more traffic.
  • Host dependent: Uses the host MAC address to decide to which virtual forwarder MAC to redirect the packet. This method ensures that the host uses the same virtual MAC address as long as the number of virtual forwarders does not change within the group.
46
Q

What is the command to change the GLBP load balancing method?

A

The load-balancing method can be changed with the command:

  • glbp instance-id load-balancing {host-dependent | round-robin | weighted}

The weighted load-balancing method has the AVG direct traffic to the AVFs based on the percentage of weight a router has over the total weight of all GLBP routers. Increasing the weight on more capable, bigger routers allows them to take more traffic than smaller devices. The weight can be set for a router with the command glbp instance-id weighting weight.

47
Q

In GLBP, what are the commands to set the weight of VL30 to 20 on SW2 and 80 on SW3 so that SW2 receives 20% of the traffic and SW3 receives 80% of the traffic?

A

Example 15-23 shows how to change the load balancing to weighted and set the weight to 20 on SW2 and 80 on SW3 so that SW2 receives 20% of the traffic and SW3 receives 80% of the traffic.

48
Q

What command will show a summary of the TCP sessions on a router?

A

When you are logged in to a router, the command show tcp brief displays the source IP address and port, along with the destination IP address and port.

In the attached example, the local IP address reflects R1 (10.123.4.1), and the remote address is R7 (10.78.9.7). These IP addresses match expectations, and therefore no NAT has occurred on R5 for this Telnet session.

49
Q

Static NAT involves the translation of a global IP address to a local IP address, based on a static mapping of the global IP address to the local IP address. There are two types of static NAT, what are the differences?

  1. Inside static NAT
  2. Outside static NAT
A

Inside static NAT involves the mapping of an inside local (private) IP address to an inside global (public) IP address. In this scenario, the private IP addresses are being hidden from the outside hosts.

Outside static NAT involves the mapping of an outside global (public) IP address to an outside local (private) IP address. In this scenario, the real external IP addresses are being hidden from the inside hosts.

50
Q

What are the 3 steps to configure an Inside Static NAT?

A

The steps for configuring inside static NAT are as follows:

  1. Configure the outside interfaces by using the command ip nat outside.
  2. Configure the inside interface with the command ip nat inside.
  3. Configure the inside static NAT by using the command ip nat inside source static inside-local-ip inside-global-ip.
51
Q

T/F: The NAT translation table consists of static and dynamic entries.

A

True.

The NAT translation table consists of static and dynamic entries. The NAT translation table is displayed with the command show ip nat translations.

Example 15-30 shows R5’s NAT translation table after R7 initiated a Telnet session to R1. There are two entries:

The first entry is the dynamic entry correlating to the Telnet session. The inside global, inside local, outside local, and outside global fields all contain values. Notice that the ports in this entry correlate with the ports in Example 15-29.

The second entry is the inside static NAT entry that was configured.

Example 15-30: NAT Translation Table for Inside Static NAT

52
Q

T/F: A static NAT entry is a one-to-one mapping between the inside global and the inside local address.

A

True.

As long as the outside devices can route traffic to the inside global IP address, they can use it to reach the inside local device as well.

53
Q

______ ________ NAT involves the mapping of an outside global (public) IP address to an outside local (private) IP address. In this scenario, the real external IP addresses are being hidden from the inside hosts.

A

Outside static NAT involves the mapping of an outside global (public) IP address to an outside local (private) IP address. In this scenario, the real external IP addresses are being hidden from the inside hosts.

54
Q

What are the 3 steps to configure an outside static NAT?

A

The steps for configuring outside static NAT are as follows:

  1. Configure the outside interfaces by using the command ip nat outside.
  2. Configure the inside interface by using the command ip nat inside.
  3. Configure the outside static NAT entry by using the command ip nat outside source static outside-global-ip outside-local-ip [add-route]. The router performs a route lookup first for the outside-local-ip address, and a route must exist for that network to forward packets out of the outside interface before NAT occurs. The optional add-route keyword adds the appropriate static route entry automatically.
55
Q

______ NAT provides a more dynamic method of providing a one-to-one IP address mapping—but on a dynamic, as-needed basis.

A

Pooled NAT provides a more dynamic method of providing a one-to-one IP address mapping—but on a dynamic, as-needed basis.

The dynamic NAT translation stays in the translation table until traffic flow from the local address to the global address has stopped and the timeout period (24 hours by default) has expired. The unused global IP address is then returned to the pool to be used again.

56
Q

What are the 5 steps to configure a pooled NAT?

A

Pooled NAT can operate as inside NAT or outside NAT. In this section, we focus on inside pooled NAT. The steps for configuring inside pooled NAT are as follows:

  1. Configure the outside interfaces by using the command ip nat outside.
  2. Configure the inside interface by using the command ip nat inside.
  3. Specify which traffic can be translated by using a standard or extended ACL referenced by number or name. Using a user-friendly name may be simplest from an operational support perspective.
  4. Define the global pool of IP addresses by using the command ip nat pool nat-pool-name starting-ip ending-ip prefix-length prefix-length.
  5. Configure the inside pooled NAT by using the command ip nat inside source list acl pool nat-pool-name.
57
Q

Write the commands to:

  1. Create a NAT pool with the IP addresses 10.45.1.10/24 and 10.45.1.11/24.
  2. Create a named ACL, ACL-NAT-CAPABLE which allows only packets sourced from the 10.78.9.0/24 network to be eligible for pooled NAT.
  3. G0/0 is the outside interface.
  4. G0/1 is the inside interface.
A

Example 15-35 shows a sample configuration for inside pooled NAT.

This example uses a NAT pool with the IP addresses 10.45.1.10 and 10.45.1.11.

A standard named ACL, ACL-NAT-CAPABLE, allows only packets sourced from the 10.78.9.0/24 network to be eligible for pooled NAT.

58
Q

Write the commands to:

  1. Configure an inside Static NAT configuration, where packets sourced from R7 (10.78.9.7) appear as if they came from 10.45.1.7.
  2. G0/1 is the inside interface
  3. G0/0 is the outside interface
A

Example 15-28 shows the inside static NAT configuration on R5, where packets sourced from R7 (10.78.9.7) appear as if they came from 10.45.1.7.

59
Q

What is the downfall to pooled NAT?

A

A downfall to using pooled NAT is that when the pool is exhausted, no additional translation can occur until the global IP address is returned to the pool.

60
Q

What is the command to change the default timeout for NAT translations?

What is the default timeout?

A

The default timeout for NAT translations is 24 hours, but this can be changed with the command:

  • ip nat translation timeout seconds.
61
Q

What is the command to reset all NAT translations?

A

The dynamic NAT translations can be cleared out with the command:

  • clear ip nat translation {ip-address | *}

Note: This removes all existing translations and could interrupt traffic flow on active sessions as they might be assigned new global IP addresses.

62
Q

__________ is an iteration of NAT that allows for a mapping of many local IP addresses to one global IP address.

A

Port Address Translation (PAT) is an iteration of NAT that allows for a mapping of many local IP addresses to one global IP address.

The NAT device maintains the state of translations by dynamically changing the source ports as a packet leaves the outside interface. Another term for PAT is NAT overload.

63
Q

What are the four steps required to configure PAT?

A

Configuring PAT involves the following steps:

  1. Configure the outside interface by using the command ip nat outside.
  2. Configure the inside interface by using the command ip nat inside.
  3. Specify which traffic can be translated by using a standard or extended ACL referenced by number or name. Using a user-friendly name may be simplest from an operational support perspective.
  4. Configure Port Address Translation by using the command:
    • ip nat inside source list acl-name {interface interface-id | pool nat-pool-name} overload.
    • Specifying an interface uses the primary IP address assigned to that interface as the global address. Specifying a NAT pool requires the creation of the NAT pool, as demonstrated earlier, and uses the pool's IP addresses as the global address.
64
Q

Write the config to:

  1. Allow network traffic sourced from the 10.78.9.0/24 network to be translated to R5’s Gi0/0 interface (10.45.1.5) IP address
  2. Create a named ACL, ACL-NAT-CAPABLE
  3. G0/0 is the outside interface
  4. G0/1 is the inside interface
A

Example 15-41 demonstrates R5’s PAT configuration, which allows network traffic sourced from the 10.78.9.0/24 network to be translated to R5’s Gi0/0 interface (10.45.1.5) IP address.

65
Q

What is the command to configure a device as an NTP client, given the IP address of the NTP server?

A

ntp server ip-address [prefer] [source interface-id]

66
Q

Create more command-related cards for NTP, VRRP, GLBP, HSRP and NAT if needed from Table 15-4.

A

There are many…

67
Q

Compare the commands for the following:

  1. Outside Static NAT: (In this scenario, the real external IP addresses are being hidden from the inside hosts.)
  2. Inside Static NAT: (In this scenario, the private IP addresses are being hidden from the outside hosts.)
  3. Pooled NAT:
  4. PAT:
A
  1. ip nat outside source static outside-global-ip outside-local-ip [add-route]
  2. ip nat inside source static inside-local-ip inside-global-ip
  3. ip nat inside source list acl-name pool nat-pool-name
    • and… ip nat pool nat-pool-name starting-ip ending-ip prefix-length prefix-length
    • also need an ACL to reference.
  4. ip nat inside source list acl {interface interface-id | pool nat-pool-name} overload.
68
Q

______ ______ NAT involves the mapping of an inside local (private) IP address to an inside global (public) IP address.

In this scenario, the ________ IP addresses are being hidden from the ________ hosts.

A

Inside static NAT involves the mapping of an inside local (private) IP address to an inside global (public) IP address.

In this scenario, the private IP addresses are being hidden from the outside hosts.

  • Inside local: The actual private IP address assigned to a device on the inside network(s).
  • Inside global: The public IP address that represents one or more inside local IP addresses to the outside.
69
Q

________ ________ NAT involves the mapping of an outside global (public) IP address to an outside local (private) IP address.

In this scenario, the real ___________ IP addresses are being hidden from the ________ hosts.

A

Outside static NAT involves the mapping of an outside global (public) IP address to an outside local (private) IP address.

In this scenario, the real external IP addresses are being hidden from the inside hosts.

  • Outside local: The IP address of an outside host as it appears to the inside network. The IP address does not have to be reachable by the outside but is considered private and must be reachable by the inside network.
  • Outside global: The public IP address assigned to a host on the outside network. This IP address must be reachable by the outside network.