Before discussing NAT configuration, this article covers the advantages and disadvantages of NAT.
NAT Advantages
The main advantage of NAT is that it can prevent the depletion of IPv4 addresses. It conserves public IPv4 addresses by allowing the privatization of intranets. NAT saves addresses using application port-level multiplexing. With Port Address Translation, hosts with private IPv4 addresses can share a single public IPv4 address for all external communications.
Network Address Translation (NAT) also provides increased flexibility when connecting to the public Internet. We can implement a backup pool and load-balancing pools to ensure reliable public network connections.
If a network uses public IP addresses, the administrator first obtains an address space; as the network grows, the chance of getting more IP addresses from the same IP address class is minimal or even zero. With private addresses and NAT using a few addresses for external traffic, an organization does not have to purchase an IP address for every computer in use, so Network Address Translation yields a significant cost saving.
Network Address Translation (NAT) lets you use your own private IPv4 addressing scheme and avoids internal address changes when you change service providers.
Network Address Translation (NAT) provides additional security by masking the original source and destination addresses. Private networks do not advertise their addresses or internal topology and are therefore secure when used in conjunction with NAT to gain controlled external access.
Disadvantages of NAT
Alongside its advantages, NAT also has some disadvantages. Hosts on the Internet communicate directly with the NAT-enabled router rather than with the actual host inside the private network, and that situation creates several issues.
Network Address Translation (NAT) consumes processor and memory resources because NAT needs to translate IPv4 addresses for all incoming and outgoing IPv4 datagrams and keep the translation details in memory.
It slows down network performance, which creates a problem for real-time protocols. It increases switching delays because the translation of each IPv4 address within the packet headers takes time.
When using NAT, end-to-end addressing is lost. Several Internet protocols and applications depend on end-to-end addressing from the source to the destination, so many applications do not work with NAT. Some applications that use physical addresses instead of a qualified domain name cannot reach their destinations through a NAT router.
When NAT is used, end-to-end IPv4 traceability is not possible. Tracing packets is much more difficult because the address changes over multiple NAT hops. This makes troubleshooting difficult.
There are three types of NAT translation, and this lesson explores each of them. The main types of NAT translation are static address translation (static NAT), dynamic address translation (dynamic NAT) and Port Address Translation (PAT).
Static NAT
Static NAT translation is also known as one-to-one NAT. Static NAT translation maps network traffic from a static external IP address to a static internal IP address or to a whole internal network. It translates real addresses to mapped addresses.
In other words, static NAT uses a one-to-one mapping of local and global addresses. The mapping includes destination IP address translation and source IP address translation in different directions.
Static NAT allows connections to be established, and a conversation to start, from either side of the network, but translation is limited to one-to-one or between blocks of addresses of the same size. In static NAT, a public address must be reserved for each private address. No address pools are necessary for static NAT.
A static NAT translation is mostly used in enterprise networks to enable external network or Internet connectivity to computers, servers or networking devices within a private local area network that have unregistered private IP addresses. It creates a one-to-one relationship between the public and private IP address.
So, the private IP address can be mapped to only one public IP address at a time. The end-user, on the other hand, has a transparent view of the remote device/network and accesses it using the mapped public IP address. It also ensures network security and privacy by hiding the details of internal network usage, architecture and patterns from external or public users.
R1 is configured with static NAT for the inside local addresses of PC1, PC2, and PC3. When PC1, PC2 and PC3 send data to the Internet, their inside local addresses are translated to the configured inside global addresses. To outside networks, these devices have public IPv4 addresses.
Static NAT is also useful for devices that require authorized access while offsite, but not by the general public on the Internet. For example, a network administrator from PC4 can SSH to devices in the LAN at the inside global address 20.240.5.19. R1 translates this inside global address to the inside local address and connects the administrator to any device on the LAN.
Static NAT requires enough public IPv4 addresses to accommodate the total number of users. The static NAT translation table is also illustrated in the image below.
Dynamic NAT
In dynamic NAT, multiple private IP addresses are mapped to a pool of public IP addresses. Dynamic NAT works on a first-come, first-served basis.
We use dynamic NAT when we know the fixed number of users who want to access the Internet at a given point in time. When an inside user requests access to an outside network, dynamic NAT assigns an available public IPv4 address from the pool of addresses.
When an inside user sends traffic through the NAT router, it examines the source IP address and compares it to the internal local address pool. If it finds a match, then it determines which inside global address pool it should use for the translation.
The figure below illustrates dynamic NAT. PC1 has accessed the Internet using the first available address in the dynamic NAT pool. The other addresses of the pool are still available for further use. As with static NAT, dynamic NAT also requires enough public IPv4 addresses to satisfy the total number of simultaneous user sessions.
Port Address Translation (PAT)
Port Address Translation (PAT) is an extension of Network Address Translation (NAT), also known as NAT overload. NAT permits multiple devices on a LAN to be mapped to a single public IPv4 address to conserve IP addresses.
In Port Address Translation (PAT), all devices that go through the NAT router are assigned the same global IP address, and the source TCP or UDP port numbers differentiate the connections. If two devices have the same port number, the NAT router changes one of them to ensure uniqueness.
With Port Address Translation (PAT), when a device initiates a TCP/IP session, it generates a TCP or UDP source port value to uniquely identify the session. When the NAT router receives a packet from the client, it uses the source port number to uniquely identify the specific NAT translation.
Port Address Translation ensures the use of a different TCP port number for each session with a server on the Internet. When a reply comes back from the server, the source port number becomes the destination port number, which determines the device to which the router forwards the packets. The PAT process also ensures that incoming packets were requested, which adds security to the session. Now examine the figure below.
When R1 processes a packet, it uses a port number to uniquely identify the source of the packet. The source address is the inside local address together with the TCP/IP-assigned port number added by NAT overloading.
The destination address is the outside local address together with the service port number added by the NAT-configured router. Port 80 is the HTTP port. R1 translates the inside local address to an inside global address including the port number. The destination address is not changed.
In the example, the client port numbers are 1205, 1285 and 1339. The NAT-enabled router did not change the port numbers. However, these port numbers may already be in use by other active sessions.
PAT tries to maintain the original source port. However, if the original source port is already in use by an active session, PAT assigns the first available port number starting from the beginning of the appropriate port group (0–511), (512–1,023), or (1,024–65,535).
If no more ports are available and there is more than one global IP address in the address pool, PAT moves to the next address and tries to allocate the original source port. This process continues until all the available ports and IP addresses have been checked.
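The allocation rule described above (keep the original source port, fall back to the first free port in the same port group, then move to the next pool address), as an added Python simulation that is not part of the original article or any vendor implementation. The class and function names, the 203.0.113.0/24 pool addresses and the sample sessions are constructed for illustration, and sessions are keyed on protocol, address and port only.

```python
from dataclasses import dataclass, field

# Port groups from the text; a replacement port is searched in the
# group that contains the original source port.
PORT_GROUPS = ((0, 511), (512, 1023), (1024, 65535))


def port_group(port):
    """Return the (low, high) bounds of the group containing `port`."""
    for low, high in PORT_GROUPS:
        if low <= port <= high:
            return low, high
    raise ValueError(f"not a valid TCP/UDP port: {port}")


@dataclass
class PatRouter:
    """Simplified NAT-overload table (assumption: entries are keyed on
    protocol, address and port only; a real router also tracks the remote
    endpoint and ages entries out)."""
    pool: list                                    # inside global addresses, in pool order
    outbound: dict = field(default_factory=dict)  # inside local -> inside global
    inbound: dict = field(default_factory=dict)   # inside global -> inside local

    def _is_free(self, proto, ip, port):
        return (proto, ip, port) not in self.inbound

    def translate_outbound(self, proto, src_ip, src_port):
        """Translate an inside local socket to an inside global socket."""
        key = (proto, src_ip, src_port)
        if key in self.outbound:                  # existing session: reuse mapping
            return self.outbound[key]
        low, high = port_group(src_port)
        for global_ip in self.pool:
            if self._is_free(proto, global_ip, src_port):
                chosen = src_port                 # step 1: keep the original port
            else:                                 # step 2: first free port in the group
                chosen = next((p for p in range(low, high + 1)
                               if self._is_free(proto, global_ip, p)), None)
            if chosen is not None:
                self.outbound[key] = (global_ip, chosen)
                self.inbound[(proto, global_ip, chosen)] = (src_ip, src_port)
                return global_ip, chosen
            # step 3: group exhausted on this address, try the next pool address
        raise RuntimeError("no free port on any address in the PAT pool")

    def translate_inbound(self, proto, dst_ip, dst_port):
        """Map a reply back to the inside host; None means unsolicited, drop."""
        return self.inbound.get((proto, dst_ip, dst_port))


def demo():
    """Constructed sample traffic (documentation and RFC 1918 addresses)."""
    r = PatRouter(pool=["203.0.113.10", "203.0.113.11"])
    results = {
        "first": r.translate_outbound("tcp", "192.168.1.100", 1205),
        "collision": r.translate_outbound("tcp", "192.168.1.101", 1205),
        "repeat": r.translate_outbound("tcp", "192.168.1.101", 1205),
        "reply": r.translate_inbound("tcp", "203.0.113.10", 1024),
        "unsolicited": r.translate_inbound("tcp", "203.0.113.10", 4444),
    }
    # Exhaust group 0-511 on the first pool address with 512 UDP sessions
    # that all use source port 500, then open one more session.
    for i in range(512):
        r.translate_outbound("udp", f"10.0.{i // 250}.{i % 250 + 1}", 500)
    results["overflow"] = r.translate_outbound("udp", "10.0.9.9", 500)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12} {value}")
```

The `unsolicited` lookup returning `None` is the behaviour the text refers to when it says PAT checks that incoming packets were requested.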
As discussed before, NAT translates private IP addresses into public IP addresses. The translation process involves several operations, and understanding each of them requires understanding NAT terminology. Therefore, before studying NAT in detail, it is important to understand the basic terminology. In NAT terminology, the inside network is the set of networks that is subject to translation, and the outside network refers to all other networks.
It is important to recall that NAT terminology is always applied from the viewpoint of the device with the translated address when determining the type of address. NAT also uses the concept of local or global with respect to addresses:
Inside address – The address of the device that is being translated by NAT.
Outside address – The address of the destination device.
Local address – Any address that appears on the inside portion of the network.
Global address – Any address that appears on the outside portion of the network.
Let’s understand the above terms with an example. Consider a user browsing a website from his computer. The network that connects him to the Internet is a local network for him, and the network that connects the web server hosting the website to the Internet is a local network for the web server. The network that connects both networks on the Internet is considered a global network.
Inside and outside in NAT depend on the direction of the data. For example, in the topology below, for PC-1, router R1 is inside and router R2 is outside, as illustrated in the first image below. If we change the direction of the data, as illustrated in the second image, router R2 is inside for the server and R1 is outside for the server.
The interface of the router which is connected with the local network will be configured with an inside local IP address and the interface connected with the global network will be configured with an inside global IP address.
Now look at the topology below, where we have expanded the above topology and assigned IP addresses to the devices. PC1 has an inside local address of 192.168.1.100, and the inside global address 172.35.10.2 has been assigned to R1's outside interface. From the side of PC1, the webserver has an outside address of 20.41.5.19. When PC-1 sends packets to the global address of the webserver, the inside local address 192.168.1.100 of PC1 is translated to the inside global address of 172.35.10.2.
R1 is configured as the NAT router and works as the demarcation point between the inside and outside networks and between local and global addresses.
The terms inside and outside are combined with the terms local and global to refer to specific addresses. In the above topology, router R1 has been configured to provide NAT.
Inside local address – In the above topology, the IP address 192.168.1.100 is assigned to PC-1. This is the inside local address of PC1.
Inside global address – When traffic is sent from PC1 to the webserver, R1 translates the inside local address 192.168.1.100 to the inside global address 172.35.10.20. In NAT terminology, the inside local address is translated to the inside global address.
Outside global address – The outside global address is usually a public IPv4 address assigned to a host on the Internet. For example, the webserver is reachable at IPv4 address 209.165.201.1. Most often the outside local and outside global addresses are the same.
Outside local address – The address of the destination as seen from the inside network. In this example, PC1 sends traffic to the webserver at the IPv4 address 20.41.5.19.
When PC-1 sends traffic to a web server, the web server also returns traffic. The figure below illustrates how the return traffic is initially addressed and translated.
All public IPv4 addresses must be registered with a Regional Internet Registry (RIR). The registered holder of a public Internet address can assign these addresses to a network device. There is a maximum of 4.3 billion IPv4 addresses available. Still, with the increase of personal computing and the beginning of the World Wide Web, it soon became clear that 4.3 billion IPv4 addresses would not be enough.
The long-term solution for the shortage was IPv6, but urgent solutions to address exhaustion were required. So, for the short term, the IETF implemented numerous solutions, including Network Address Translation (NAT), Port Address Translation, and RFC 1918 private IPv4 addresses.
In the coming article, we will discuss briefly how Network Address Translation (NAT) works and how Network Address Translation (NAT) combines with the use of private address space.
IPv4 Private Address Space
RFC 1918 describes the “Address Allocation for Private Internets.” It is the Internet Engineering Task Force (IETF) memorandum on methods of assigning private IP addresses on TCP/IP networks.
This document provides essential information for the network administrator considering using these addresses on their network. The following table shows the ranges of Private IP addresses for different classes.
Class | Internal Address Range Defined in RFC 1918 | CIDR Prefix
A | 10.0.0.0 to 10.255.255.255 | 10.0.0.0/8
B | 172.16.0.0 to 172.16.255.255 | 172.16.0.0/12
C | 192.168.0.0 to 192.168.255.255 | 192.168.0.0/16
Private IP addresses are used by devices to communicate locally within an organization and are not routed over the Internet because they do not identify any single company or organization. To route a private IP address to the Internet, it must first be translated to a public address.
Network Address Translation (NAT) is the technique for translating private addresses to public addresses and vice versa. Network Address Translation (NAT) allows a device configured with a private IPv4 address to access network resources outside its private or local network.
The Internet is one big example of NAT. It is a valuable method of preserving public IPv4 addresses because we can use and share a single public IPv4 address with hundreds and thousands of private IPv4 addresses. NAT temporarily solves the exhaustion of IPv4 address space. The permanent solution to the exhaustion of IPv4 address space is the transition to IPv6. The figure below illustrates the NAT process.
What is Network Address Translation (NAT)?
Network Address Translation (NAT) is used most crucially to conserve public IPv4 addresses. NAT conserves public IPv4 addresses by allowing networks to use private IPv4 addresses internally and translating a private IPv4 address into a public address only when required. NAT hides internal private IPv4 addresses from an outside public network, which provides extra privacy and security to a network.
The router configured with NAT requires one or more public IPv4 addresses, which are known as the NAT pool. When an internal device sends traffic from the private IP address out of the network, the router configured with NAT translates the internal IPv4 address of the device into a public address from the NAT pool. When receiving the reply from outside to that public IPv4 address, the NAT-enabled router translates the public IPv4 address into a private IPv4 address.
A Network Address Translation (NAT) router is typically required at the border of a stub network. We have already discussed the stub network in one of my previous articles. It is a network providing only one way to its neighboring network, one way in, and one way out of the network. The figure below illustrates the stub network and NAT-enabled router.
When someone wants to communicate outside the stub networks, the device sends the packet to the border router, which is NAT-enabled. The NAT-enabled border router translates the private IPv4 address of the stub network into a Public IPv4 address.
We can configure the stateful DHCPv6 server in a similar way to a stateless server. The difference between stateless and stateful is that a stateful server also provides IPv6 addressing information, similar to a DHCPv4 server, and maintains the DHCP state.
Similar to stateless DHCPv6, we need to enable unicast routing. The command ipv6 unicast-routing enables IPv6 routing on the router. Unicast routing is also needed for ICMPv6 RA messages.
Configure a DHCPv6 Pool
First, we need an IPv6 addressing pool, as with a stateless DHCPv6 server. To configure the IPv6 DHCP pool, we use the ipv6 dhcp pool <pool-name> command in global configuration mode. Executing this command also enters DHCPv6 configuration mode, which is identified by the Router(config-dhcpv6)# prompt.
Configure Pool Parameters
The RA message contains the prefix, prefix length, and default gateway information. The client creates its global unicast address, including the default gateway, using the information in the RA message. However, with stateful DHCPv6, the DHCPv6 server must assign all addresses, including other configuration parameters.
We can configure the address prefix and lease time using the address prefix <prefix/prefix-length> lifetime <valid-time-in-second | infinite> command.
Other information is also included in stateful DHCPv6 configuration, usually the DNS server address and the domain name.
Interface Commands
After configuring the DHCPv6 pool, we must bind it to the corresponding interface. The ipv6 dhcp server <pool-name> interface command binds the pool to the interface. The M flag and the O flag must be 1. This informs the client not to use SLAAC and to obtain all IPv6 addressing, including all configuration parameters, from a stateful DHCPv6 server.
DHCPv6 Stateful Server Example configuration
The figure below illustrates an example of a stateful DHCPv6 server configuration. We are using the same topology used in stateless DHCPv6 configuration. Now, I am going to configure the same topology for stateful DHCPv6. The default gateway is not specified, as the router will automatically send its link-local address as the default gateway.
Configuring a Router as a Stateful DHCPv6 Client
Similar to stateless DHCPv6 client configuration, the ipv6 enable interface configuration mode command is used. This command allows the router to receive a link-local address to send RS messages and participate in the DHCPv6 process.
Next, use the interface mode command ipv6 address dhcp. This command enables the router to behave as a DHCPv6 client on this interface. The figure below illustrates the stateful DHCPv6 client configuration.
Verifying Stateful DHCPv6 Server
We can verify the stateful DHCPv6 server using different commands. The first command we can use for DHCPv6 server verification is show ipv6 dhcp pool. The figure below illustrates the output of this command.
The command verifies the name of the DHCPv6 pool, including its parameters. Only 1 client is active, which reflects the DHCP client receiving its IPv6 global unicast address from this server.
Another command is show ipv6 dhcp binding. The figure below illustrates the output of this command, showing the automatic binding between the interface of the router and the address assigned by the server.
The output illustrates that the DHCPv6 pool name is my pool, and the prefix length is 64. You can also see the DNS server address and the domain name “networkustad-a2bb2f.ingress-alpha.ewp.live”. You can see that there is 1 active client. Because it is a stateful protocol, it has a record of the active client.
We can also use the “show running-config” command to verify the stateful DHCPv6 configuration.
Verifying the Stateful DHCPv6 Client
To verify the DHCPv6 client configuration, we can use the show ipv6 interface command. We can also use the show running-config and show ipv6 interface brief commands.
Before a stateless DHCPv6 server is configured on the Cisco router, it is important to enable IPv6 unicast routing. Unicast routing is not necessary for stateless DHCPv6 servers, but it is required for RA messages because they use ICMPv6. In global configuration mode, we can enable IPv6 unicast routing using the “ipv6 unicast-routing” command. The other steps for configuring stateless DHCPv6 are the following:
Configure a DHCPv6 Pool
Just like the DHCPv4 IP addressing pool, we need an IPv6 addressing pool. To configure the IPv6 DHCP pool, we use the ipv6 dhcp pool <pool-name> command in global configuration mode. Executing this command also enters DHCPv6 configuration mode, which is identified by the Router(config-dhcpv6)# prompt.
Configure Pool Parameters
The RA message contains the prefix, prefix length, and default gateway information. The client creates its global unicast address from the information in the RA message and configures its default gateway address, which is the router’s link-local address. The DHCPv6 server can be configured to provide additional information that is not included in the RA message, for example, the DNS server address and domain name.
Configure the DHCPv6 Interface
After creating the IPv6 addressing pool, we need to bind the pool to the corresponding interface. The interface configuration mode command “ipv6 dhcp server <pool-name>” binds the DHCPv6 pool to the interface.
When a router receives a DHCPv6 request on this interface, it replies with the information configured in the pool. The O flag must be set to 1 and the M flag to 0 for stateless DHCPv6. The interface mode command ipv6 nd other-config-flag is used to set the O flag to 1. RA messages sent on this interface with M flag 0 and O flag 1 indicate that additional information is available from a stateless DHCPv6 server.
Example Command of DHCPv6 Stateless
The example configuration topology for the stateless DHCPv6 server on the Cisco router is illustrated in the following figure.
Configure Cisco Router as a Stateless DHCPv6 Client
Previously, we configured the Cisco Router as a DHCPv4 client, but now, we will configure it as a DHCPv6 client. A DHCPv6 client is typically a computer, tablet, mobile device, or webcam, not a router.
A router configured as a DHCPv6 client needs an IPv6 link-local address on the interface. The router cannot send and receive IPv6 messages, such as RS and DHCPv6 messages, without a link-local address.
When the IPv6 address is enabled on the interface, the link-local address is automatically created. This is possible when configuring a global unicast address on the interface or using the “ipv6 enable” command. When the router creates a link-local address, it can send RS messages and participate in the DHCPv6 process.
We will use the ipv6 enable command because the router does not yet have a global unicast address and we want to configure the global unicast address from DHCPv6.
The next command for configuring a DHCPv6 client is “ipv6 address autoconfig”. This command enables the automatic configuration of IPv6 addressing using SLAAC. An RA message then informs the client router to use stateless DHCPv6 for address configuration. The figure below illustrates the configuration of the DHCPv6 client on the Cisco router.
Verifying Stateless DHCPv6
We can verify the DHCPv6 server configuration using several commands. The figure below illustrates the output of the command “show ipv6 dhcp pool”. The output of the command verifies the name of the DHCPv6 pool and its parameters. The number of active clients is 0 because there is no state being maintained by the server.
We can also use the show running-config command to verify all the commands that were previously configured.
Verifying the Stateless DHCPv6 Client
We have configured the stateless DHCPv6 client. We can verify the client and server configurations from the client. The command show ipv6 interface is used to verify that the router is configured with “Stateless address autoconfig enabled” and has an IPv6 global unicast address. We can also verify the configuration using the show running-config command. Another command to verify the configuration is debug ipv6 dhcp detail. The command shows the DHCPv6 messages exchanged between the client and the server.
Both stateless and stateful DHCPv6 operations start with an ICMPv6 RA message from the router. The RA message may have been periodic or solicited by the device using an RS message. The devices start client and server communication, and the DHCPv6 operation begins, when the RA message indicates stateless or stateful DHCPv6.
DHCPv6 messages are sent over the User Datagram Protocol (UDP). Messages from the server to the client use UDP destination port 546, and messages from the client to the server use UDP destination port 547.
The DHCPv6 client needs to discover a DHCPv6 server. The client sends a Router SOLICIT (RS) message to the reserved IPv6 multicast all-DHCPv6-servers address FF02::1:2. This multicast address has a link-local scope, which means routers do not forward the messages to other networks.
The available DHCPv6 servers respond with a DHCPv6 ADVERTISE message, which tells the client that the server is available for DHCPv6 service. The client responds to the server with a DHCPv6 REQUEST in the case of stateful DHCPv6 and an Information-request in the case of stateless DHCPv6. The figure below illustrates the DHCPv6 operation.
Stateless DHCPv6 client – The client sends a DHCPv6 INFORMATION-REQUEST message to the DHCPv6 server. The message requests only configuration parameters, such as the DNS address. The client generates its IPv6 address with the help of the RA message and a self-generated Interface ID. The server replies with the information requested.
Stateful DHCPv6 client – The client sends a DHCPv6 REQUEST to the DHCPv6 server to get IPv6 address information including all other configuration parameters.
Remember that we already discussed the introduction of the SLAAC and DHCPv6 in Router Advertisement (RA) messages. Now, we will briefly discuss both SLAAC and DHCPv6. Recall that the router sends a Router Advertisement (RA) message. The setting of the Router Advertisement (RA) message decides whether a client can obtain its IPv6 address information automatically using SLAAC, DHCPv6, or a combination of both.
The Router Advertisement (RA) message always contains the Managed Address Configuration flag (M flag) and the Other Configuration flag (O flag) in different combinations. The combination of the M flag and O flag tells the host how it can get an IPv6 address. The RA message presents three addressing options for IPv6-enabled devices using different combinations of the M flag and O flag.
SLAAC – Use of SLAAC Only
Stateless DHCPv6 – Use of both SLAAC and DHCPv6
Stateful DHCPv6 – Use of DHCPv6 Server Only
The RA message specifies the above three options for the client to obtain an IPv6 address, but the client computer doesn’t need to choose one. The client computer can ignore the RA message and use the services of a DHCPv6 server exclusively.
RFC 4861 recommends Duplicate Address Detection (DAD) on any unicast address, including addresses configured with SLAAC and DHCPv6. This ensures that all configured IPv6 addresses are unique on the particular subnet.
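The M flag and O flag combinations listed above, decoded from a raw ICMPv6 RA, as an added Python example that is not part of the original article. The function names and the sample RA produced by `build_ra` (prefix 2001:db8:cafe:1::/64) are constructed for illustration; the byte layout follows RFC 4861.

```python
import ipaddress
import struct

ICMPV6_RA = 134            # ICMPv6 type of a Router Advertisement
OPT_PREFIX_INFO = 3        # Prefix Information option
M_FLAG, O_FLAG = 0x80, 0x40
A_FLAG = 0x40              # "autonomous" bit: prefix may be used for SLAAC


def parse_ra(icmp):
    """Decode flags and prefixes from an RA, starting at the ICMPv6 type byte."""
    if len(icmp) < 16:
        raise ValueError("truncated Router Advertisement")
    msg_type, code, _csum, _hops, flags, lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", icmp[:16])
    if msg_type != ICMPV6_RA or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"m": bool(flags & M_FLAG), "o": bool(flags & O_FLAG),
          "router_lifetime": lifetime, "prefixes": []}
    offset = 16
    while offset < len(icmp):
        if offset + 2 > len(icmp):
            raise ValueError("truncated option header")
        # The option length field counts units of 8 bytes.
        opt_type, opt_len = icmp[offset], icmp[offset + 1] * 8
        if opt_len == 0 or offset + opt_len > len(icmp):
            raise ValueError("malformed option length")
        if opt_type == OPT_PREFIX_INFO:
            if opt_len != 32:
                raise ValueError("bad Prefix Information length")
            prefix_len, pflags = icmp[offset + 2], icmp[offset + 3]
            packed = bytes(icmp[offset + 16:offset + 32])
            net = ipaddress.IPv6Network((packed, prefix_len), strict=False)
            ra["prefixes"].append({"prefix": str(net),
                                   "autonomous": bool(pflags & A_FLAG)})
        offset += opt_len          # unknown options are skipped
    return ra


def addressing_method(ra):
    """Map the M/O flags to the three options listed in the text."""
    if ra["m"]:
        # The text sets both flags to 1 for stateful DHCPv6; RFC 4861
        # treats the O flag as redundant once M is set.
        return "stateful DHCPv6"
    if ra["o"]:
        return "stateless DHCPv6"
    return "SLAAC"


def build_ra(m, o, prefix="2001:db8:cafe:1::", prefix_len=64):
    """Construct a sample RA (checksum left at 0; it is not verified here)."""
    flags = (M_FLAG if m else 0) | (O_FLAG if o else 0)
    header = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags, 1800, 0, 0)
    option = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, prefix_len,
                         0x80 | A_FLAG, 2592000, 604800, 0)
    return header + option + ipaddress.IPv6Address(prefix).packed


if __name__ == "__main__":
    for m, o in ((False, False), (False, True), (True, True)):
        ra = parse_ra(build_ra(m, o))
        print(f"M={int(m)} O={int(o)} -> {addressing_method(ra)} {ra['prefixes']}")
```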
SLAAC Option
It is the default option on Cisco routers. The M flag and the O flag value are set to 0 in the RA for this option. It simplifies IPv6 address management by providing plug-and-play IP connectivity without manually configuring hosts. It enables an IPv6 client to create its IPv6 addresses using a combination of locally available information and information advertised by routers through an RA message.
In the SLAAC option, the client uses the information in the RA message exclusively. The information in the RA message includes a prefix, prefix length, DNS server, Maximum Transmission Unit, and default gateway. The client does not use any information from the DHCPv6 server. The IPv6 global unicast address combines the advertised link-local prefix (first 64 bits) with the interface identifier (last 64 bits).
The RA option is configured on an individual router interface. If the interface has been configured with another option, e.g., stateless DHCPv6 or stateful DHCPv6, the M flag and O flag must be reset to their initial values of 0 to re-configure it for SLAAC. The configuration commands are the following:
Router(config-if)# no ipv6 nd managed-config-flag
Router(config-if)# no ipv6 nd other-config-flag
Stateless DHCPv6 Option
The function of DHCPv6 is similar to DHCPv4. It also runs between a client and a server. Like DHCP for IPv4, DHCPv6 clients and DHCPv6 servers exchange DHCPv6 packets using UDP. In IPv6, packets cannot be broadcast; therefore, DHCPv6 uses multicast packets. In this case, DHCPv6 clients do not need to be configured with the IPv6 addresses of DHCPv6 servers.
In this option, the client uses the information in the RA message and a DHCPv6 server. The client gets the addressing information from the RA message, but additional parameters for configuration are available from a DHCPv6 server. The client creates its IPv6 global unicast address using the RA message’s prefix and length, along with the EUI-64 process or a randomly generated ID.
After configuring the IP addressing information, the client communicates with a stateless DHCPv6 server to get supplementary information. This process is called stateless DHCPv6 because the server does not maintain any client state information, such as the state of available and allocated IPv6 addresses. The server only provides configuration parameters for clients, not IPv6 addresses.
The O flag is 1, and the M flag is 0 for the stateless DHCPv6 option. The O flag value of 1 tells the client that additional configuration information is available from a stateless DHCPv6 server. To configure and modify the RA message, enter the relevant interface configuration mode and use the following command:
Router(config-if)# ipv6 nd other-config-flag
Stateful DHCPv6 Option
It works like DHCP for IPv4 addresses. A device can get its addressing plan and information, including a global unicast address, prefix length, and the addresses of DNS servers, automatically using the services of a stateful DHCPv6 server. The RA message in this option effectively tells the client: I can’t give you the information you need; send a request to the DHCPv6 server for all your required information. This option is called stateful DHCPv6 because the DHCPv6 server keeps all records and states of IPv6 addresses.
The M and O flags must be set to 1 in stateful DHCPv6. The following command is used to change the M flag and O flag from 0 to 1 to apply stateful DHCPv6:
Troubleshooting DHCPv4 problems is the most important topic because of the importance of DHCP services. DHCP is the most important service for small, medium and large networks. In this article, we will take a look at several common DHCP errors and their solutions. DHCPv4 failures occur for multiple reasons, such as problems in the operating system or network interface card, cable issues, relay agent problems and configuration problems. A systematic approach is needed to troubleshoot DHCP server problems.
Troubleshoot DHCPv4 IP Address Conflicts
An IP address conflict occurs when two communication terminals on a network are assigned the same IP address. The terminal can be a mobile device, a PC, or any network interface card (NIC). Normally, an IP address conflict between two devices makes one or both of them unusable for network operations.
A conflict can arise when the lease of a DHCP client has expired while the client is still connected to the network. If the client does not renew the lease when it expires, the server can reassign that address to another client. When the first client reboots, it requests an IPv4 address from the server. If the server does not respond quickly, the client uses the last assigned IPv4 address. This situation results in an IP address conflict. We can check for IP address conflicts using show ip dhcp conflict. The command shows all address conflicts recorded by the DHCPv4 server.
The client uses ARP to detect conflicts, and the server uses the ping command to detect clients. If an address conflict is detected, the address is removed from the pool and is not assigned until an administrator resolves the conflict.
Verify Physical Connectivity
Verify the physical connectivity of the devices with the servers. We can also use the show interfaces <interface> command to verify the router interface that acts as the default gateway. The state of the interface must be up; otherwise, the port does not pass traffic, including DHCP client requests.
Test Connectivity using a Static IP Address
We can verify the network connectivity using the static IPv4 address information on a client computer. If the client computer is unable to reach network resources with a statically configured IPv4 address, the cause of the problem is not DHCPv4. At this point, network connectivity troubleshooting is required.
Troubleshoot DHCPv4 Operation on the Same Subnet or VLAN
The DHCP problem may be related to the DHCP relay agent. To tell the difference, check whether DHCPv4 functions correctly when the client is on the same subnet or VLAN as the DHCPv4 server. If DHCPv4 is working correctly within the same subnet or VLAN, the problem may be the DHCP relay agent.
Verify Router DHCPv4 Configuration
If the DHCPv4 server is on a separate LAN from the client, the router interface connected to that client must be configured to relay DHCPv4 requests using the ip helper-address command. If the IPv4 helper address is not set, client DHCPv4 requests are not forwarded to the DHCPv4 server. To verify the IPv4 helper address configuration, use the following procedure:
The ip helper-address command must be configured on the correct interface: the inbound interface of the LAN containing the DHCPv4 client workstations. The IP address of the DHCPv4 server must also be correct. We can check and verify this information using the show running-config command. The figure below illustrates the output of the show running-config command.
We can also use the show ip interface command, already discussed in the previous lesson, to verify the DHCPv4 relay on an interface.
Another important verification is service dhcp. Verify that no service dhcp has not been configured. If the router is configured with this command, all DHCPv4 server and relay functionality on the router is disabled. The running-config file will not display service dhcp because it is the default configuration. If no service dhcp is configured, simply use the service dhcp command in global configuration mode.
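The three checks above (helper address present on the client-facing interface, helper pointing at the right server, and no service dhcp absent) can be run against a saved copy of show running-config. The following is an added example, not part of the original article; the configuration excerpt, interface names, addresses and function names are constructed for illustration.

```python
import re

# Constructed running-config excerpt; names and addresses are sample values.
SAMPLE_CONFIG = """\
no service dhcp
!
interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 192.168.11.1 255.255.255.0
 ip helper-address 192.168.11.60
!
"""
HELPER = re.compile(r"^ip helper-address\b.*?(\d+\.\d+\.\d+\.\d+)")


def helpers_by_interface(config: str) -> dict:
    """Map each interface name to the helper addresses in its config block."""
    result, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            result[current] = []
        elif current and line.startswith(" "):
            m = HELPER.match(line.strip())
            if m:
                result[current].append(m.group(1))
        else:
            current = None          # "!" or a global command ends the block
    return result


def audit_dhcp_relay(config: str, client_if: str, server_ip: str) -> list:
    """Return findings for the three checks in the verification procedure."""
    findings = []
    if re.search(r"^no service dhcp\s*$", config, re.MULTILINE):
        findings.append("no service dhcp is set: DHCPv4 server and relay are disabled")
    helpers = helpers_by_interface(config)
    if client_if not in helpers:
        return findings + [f"{client_if}: interface not found in config"]
    if not helpers[client_if]:
        findings.append(f"{client_if}: no ip helper-address on the client-facing interface")
    elif server_ip not in helpers[client_if]:
        findings.append(f"{client_if}: helper {helpers[client_if]} does not match server {server_ip}")
    for name, addrs in helpers.items():
        if name != client_if and server_ip in addrs:
            findings.append(f"{name}: helper-address is on this interface, not on {client_if}")
    return findings
```

Calling audit_dhcp_relay(SAMPLE_CONFIG, "GigabitEthernet0/0", "192.168.11.60") reports all three problems in the sample; an empty list means the relay configuration passes these checks.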
Debugging DHCPv4
Sometimes a router configured as a DHCPv4 server does not receive requests from the client, and the client cannot get an IP address from the server. So, the first thing is to verify that the router is receiving the DHCPv4 request from the client. For this purpose, we can use an ACL to filter the debugging output.
We know that port numbers 67 and 68 are used as the DHCPv4 ports, so we can configure an ACL that permits these ports. The figure below shows an extended ACL permitting only packets with UDP destination ports of 67 and 68, applied inbound to the corresponding interface. After configuring the extended ACL, we can use the debug ip packet command to display only DHCPv4 messages.
Now we can verify the incoming traffic from gigabitEthernet 0/2 for UDP ports 67 and 68 using the debug ip packet 101 command. Another command for troubleshooting DHCPv4 operation is the debug ip dhcp server events command. This command reports server actions, like address assignments and database updates.
In some cases, we need a router to be configured as a DHCPv4 client, just like a client computer. This method is not recommended for routers in an internal network. Dynamic addressing is, however, extremely useful for routers that connect to the Internet through an ISP.
We can connect such a router simply by plugging in the Ethernet cable. To configure an Ethernet interface as a DHCPv4 client, we use the ip address dhcp command in interface configuration mode.
When an interface on the router is configured with the ip address dhcp command, it can dynamically learn its IP address and network mask via DHCP. The router can also learn its TFTP server address, NETBIOS name server, DNS servers, vendor-specific information, static routes, domain name, and default router information.
Configuration
The figure below contains the topology, including DHCPSERVER and Client. You may suppose that DHCPSERVER is an ISP server configured to provide DHCP service to clients with IP addresses from the range 192.168.1.2 – 192.168.1.100.
After the Fa0/0 interface of the client router is configured with the ip address dhcp command, the show ip interface fa0/0 command confirms that the interface is up and that the address was allocated by a DHCPv4 server. Now let's come to the configuration:
Now check and verify the address configuration using the show ip interface fa0/0 command. The figure below illustrates the output of this command.