Module 1: Scaling IP Addresses 
  
1.1 Scaling Networks with NAT and PAT 
   
1.1.1 Private addressing 

RFC 1918 sets aside the following three blocks of private IP addresses:

  • 10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
  • 172.16.0.0 to 172.31.255.255 (172.16.0.0/12)
  • 192.168.0.0 to 192.168.255.255 (192.168.0.0/16)

These addresses are for private, internal network use only. Packets that carry these addresses as source or destination must not be routed over the Internet.

Private IP addresses are reserved and can be used by anyone. That means two networks, or two million networks, can each use the same private address. A router connected to the Internet should never route RFC 1918 addresses, and ISPs typically configure their border routers to drop privately addressed traffic rather than forward it.

NAT provides great benefits to individual companies and the Internet. Before NAT, a host with a private address could not access the Internet. Using NAT, individual companies can address some or all of their hosts with private addresses and use NAT to provide access to the Internet.

1.1.2 Introducing NAT and PAT 

These private, internal addresses are translated to routable, public addresses. This is accomplished by internetwork devices running specialized NAT software, which can also increase network privacy: only the translated addresses are visible from outside, so the internal IP addressing stays hidden.

A NAT enabled device typically operates at the border of a stub network. A stub network is a network that has a single connection to its neighbor network. When a host inside the stub network wants to transmit to a host on the outside, it forwards the packet to the border gateway router. The border gateway router performs the NAT process, translating the internal private address of a host to a public, external routable address. In NAT terminology, the internal network is the set of networks that are subject to translation. The external network refers to all other addresses.

Cisco defines the following NAT terms:

  • Inside local address: the IP address assigned to a host on the inside network. This is usually an RFC 1918 private address.
  • Inside global address: a legitimate IP address, assigned by the NIC or the service provider, that represents one or more inside local addresses to the outside world.
  • Outside local address: the IP address of an outside host as it appears to the inside network. It is not necessarily legitimate; it is allocated from address space that is routable on the inside.
  • Outside global address: the IP address assigned to a host on the outside network by the host's owner, allocated from globally routable address space.
 
1.1.3 Major NAT and PAT features 

NAT translations can be used for a variety of purposes and can be either dynamically or statically assigned. Static NAT is designed to allow one-to-one mapping of local and global addresses. This is particularly useful for hosts which must have a consistent address that is accessible from the Internet. These internal hosts may be enterprise servers or networking devices.

Dynamic NAT is designed to map a private IP address to a public address. Any IP address from a pool of public IP addresses is assigned to a network host. Overloading, or Port Address Translation (PAT), maps multiple private IP addresses to a single public IP address. Multiple addresses can be mapped to a single address because each private address is tracked by a port number.

PAT uses unique source port numbers on the inside global IP address to distinguish between translations. The port number is encoded in 16 bits. The total number of internal addresses that can be translated to one external address could theoretically be as high as 65,536 per IP address. Realistically, the number of ports that can be assigned a single IP address is around 4000. PAT will attempt to preserve the original source port. If this source port is already used, PAT will assign the first available port number starting from the beginning of the appropriate port group 0-511, 512-1023, or 1024-65535. When there are no more ports available and there is more than one external IP address configured, PAT moves to the next IP address to try to allocate the original source port again. This process continues until it runs out of available ports and external IP addresses.

NAT offers the following benefits:

  • Conserves public addresses: with PAT, many inside hosts share a single inside global address.
  • Avoids renumbering: inside hosts keep their private addresses when the public address block or the ISP changes; only the translation configuration changes.
  • Hides internal addressing: outside hosts see only the inside global addresses, not the private addresses or the internal topology. This is a privacy gain, not a substitute for a firewall or access control.

1.1.4 Configuring NAT and PAT 

Static Translation

To configure static inside source address translation, perform the tasks in Figures 1 and 2.

The figure shows static NAT translation in use. The router translates packets from host 10.1.1.2 to a source address of 192.168.1.2.

Dynamic Translation

To configure dynamic inside source address translation, perform the tasks in the figure.

The access list must permit only those addresses that are to be translated. Remember that there is an implicit deny all at the end of each access list. An access list that is too permissive can lead to unpredictable results. Cisco advises against configuring access lists referenced by NAT commands with the permit any command: it can cause NAT to consume too many router resources, which in turn causes network problems.

The configuration in the figure translates every source address permitted by access list 1, that is, any source address in 10.1.0.0/24, to an address from the pool named nat-pool1. The pool contains the addresses 179.9.8.80 through 179.9.8.95 in the 179.9.8.0/24 network.

NOTE:

NAT will not translate the host 10.1.1.2, because its address is not in 10.1.0.0/24 and so is not permitted for translation by the access list.

Overloading

Overloading is configured in one of two ways, depending on how public IP addresses have been allocated. An ISP may allocate a network only one public IP address, and this is typically assigned to the outside interface that connects to the ISP. The figure shows how to configure overloading in this situation.

The other way to configure overloading applies when the ISP has given one or more public IP addresses for use as a NAT pool. That pool can be overloaded as shown in the configuration in Figure 7.

The figure shows an example configuration of PAT.
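The static, dynamic and overload (PAT) configurations that the figures in this section describe, collected into one Cisco IOS configuration. This is an added example, not one of the module's figures: the interface names and the 203.0.113.0/24 ISP link address are assumptions chosen for illustration, while the host, pool and access-list values are the ones the text uses.

```cisco
! Added example configuration (not from the module's figures).
! Interface names and the 203.0.113.0/24 ISP link are assumed values.
!
! 1. Mark the inside (translated) and outside interfaces. Without both an
!    "ip nat inside" and an "ip nat outside" interface, nothing is translated.
interface FastEthernet0/0
 description LAN hosting the server 10.1.1.2 (inside)
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description LAN 10.1.0.0/24, the hosts translated dynamically (inside)
 ip address 10.1.0.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description link to the ISP (outside); 203.0.113.2 is an assumed address
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
! 2. Static translation: inside local 10.1.1.2 is always presented as
!    inside global 192.168.1.2, so the server is reachable at a fixed
!    address. (192.168.1.2 is the page's example value; a real inside
!    global address must be public and routed to this router by the ISP.)
ip nat inside source static 10.1.1.2 192.168.1.2
!
! 3. Dynamic translation: hosts matching access list 1 borrow an address
!    from nat-pool1 (179.9.8.80 through 179.9.8.95, /24 mask).
!    The list names ONLY the addresses to translate. "permit any" here
!    would translate every inside-to-outside packet and, as the text
!    warns, can exhaust router resources.
!    10.1.1.2 is outside 10.1.0.0/24, so this rule never touches it.
access-list 1 permit 10.1.0.0 0.0.0.255
ip nat pool nat-pool1 179.9.8.80 179.9.8.95 netmask 255.255.255.0
ip nat inside source list 1 pool nat-pool1
!
! 4a. Overload (PAT) with a single ISP-assigned address: use the outside
!     interface address itself. An alternative to rule 3 (one dynamic
!     inside-source rule per access list), so it is commented out here.
! ip nat inside source list 1 interface Serial0/0 overload
!
! 4b. Overload (PAT) on a pool of one or more public addresses.
!     Also an alternative to rule 3, commented out here.
! ip nat pool nat-pool2 179.9.8.80 179.9.8.81 netmask 255.255.255.0
! ip nat inside source list 1 pool nat-pool2 overload
```

A static entry exists even when the inside host has sent nothing, so packets arriving from outside for 192.168.1.2 are translated and delivered to 10.1.1.2 at all times. Treat such a host exactly as you would a directly exposed one and filter inbound traffic on the outside interface in front of it; the translation itself provides no access control.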

Lab Exercise: Configuring NAT

In this lab, a router will be configured to use Network Address Translation (NAT).

Lab Exercise: Configuring PAT

In this lab, a router will be configured to use Port Address Translation (PAT).

Lab Exercise: Configuring static NAT Addresses

In this lab, a router will be configured to use network address translation (NAT) to convert internal IP addresses, typically private addresses, into outside public addresses.

1.1.5 Verifying PAT configuration 

Once NAT is configured, use the clear and show commands to verify that it is operating as expected.

By default, dynamic address translations time out of the NAT translation table after a period of non-use. When port translation is not configured, translation entries time out after 24 hours unless the timer is changed with the ip nat translation timeout timeout_seconds command in global configuration mode. (With PAT, TCP entries also default to 24 hours, but UDP entries expire after 5 minutes and DNS entries after 1 minute.) Clear entries before the timeout by using one of the commands in Figure 1.

Translation information can be displayed by performing one of the tasks in the figure from EXEC mode.

Alternatively, use the show running-config (show run) command and look for the ip nat, access-list, interface, and pool commands, checking that each carries the intended values.
 

Lab Exercise: Verifying NAT and PAT Configuration

In this lab, the student will configure a router for Network Address Translation (NAT) and Port Address Translation (PAT).

 
1.1.6 Troubleshooting NAT and PAT configuration 

When IP connectivity problems exist in a NAT environment, it is often difficult to determine the cause. NAT is frequently blamed when the real problem lies elsewhere.

When trying to determine the cause of an IP connectivity problem, it helps to rule out NAT. Use the following steps to determine whether NAT is operating as expected:

  1. Based on the configuration, clearly define what NAT is supposed to achieve.
  2. Verify that correct translations exist in the translation table.
  3. Verify the translation is occurring by using show and debug commands.
  4. Review in detail what is happening to the packet and verify that routers have the correct routing information to move the packet along.

Use the debug ip nat command to verify the operation of the NAT feature; it displays information about every packet the router translates. The debug ip nat detailed command generates a description of each packet considered for translation and also reports certain errors or exception conditions, such as the failure to allocate a global address.

The figure shows sample debug ip nat output. In this example, the first two lines of the output show a Domain Name System (DNS) request and reply. The remaining lines show the output for a Telnet connection from a host on the inside of the network to a host on the outside.

Decode the debug output by using the following key points:

  • An asterisk next to NAT indicates that the translation occurred in the fast-switched path. The first packet of a conversation always takes the slow, process-switched path; the remaining packets take the fast path if a cache entry exists.
  • s=a.b.c.d is the source address.
  • a.b.c.d--->w.x.y.z indicates that the source address was translated to w.x.y.z.
  • d=e.f.g.h is the destination address.
  • [xxxx] is the IP identification number of the packet. It is useful for correlating the debug output with packet traces from a protocol analyzer.
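The verification commands of 1.1.5 and the troubleshooting commands of 1.1.6, collected into one privileged EXEC session. This is an added example, not one of the module's figures; the timer values are illustrative choices, not recommendations.

```cisco
! Added example (not from the module's figures): privileged EXEC and
! global-configuration commands used to verify and troubleshoot NAT/PAT.
!
! --- Verify ---
! Translation table, one entry per line. Columns: Pro (protocol), Inside
! global, Inside local, Outside local, Outside global. Static entries are
! present immediately; dynamic ones appear only after an inside host talks.
show ip nat translations
! Same table with creation time, last-use time and flags for each entry.
show ip nat translations verbose
! Counters: total and dynamic entries, hits and misses, which interfaces
! are inside/outside, and per-pool allocation. Misses climbing while a
! pool shows no free addresses means dynamic NAT has run out of addresses.
show ip nat statistics
! Confirm what is actually configured instead of trusting memory.
show running-config | include ip nat
show running-config | include access-list
!
! --- Flush dynamic entries before their idle timeout ---
! Static mappings survive; only dynamic entries are removed.
clear ip nat translation *
!
! --- Adjust idle timeouts (global configuration) ---
! Defaults: timeout 86400 s for entries without port translation; for PAT
! entries tcp-timeout 86400 s, udp-timeout 300 s, dns-timeout 60 s and
! finrst-timeout 60 s. Shorter timers free ports sooner on a busy PAT
! router; longer ones keep idle sessions alive across quiet periods.
configure terminal
 ip nat translation timeout 3600
 ip nat translation tcp-timeout 3600
 ip nat translation udp-timeout 120
 ip nat translation dns-timeout 30
 ip nat translation finrst-timeout 30
 end
!
! --- Troubleshoot ---
! One line per translated packet: s=<source>-><translated source>,
! d=<destination>, the IP identification in brackets, and a leading "*"
! when the packet was fast-switched. "detailed" also reports packets that
! were considered but not translated, e.g. no free global address.
debug ip nat
debug ip nat detailed
! Debugging is process-intensive on a production router; turn it off as
! soon as the capture is complete.
undebug all
```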

Lab Exercise: Troubleshooting NAT and PAT

In this lab, the student will configure and troubleshoot a router for Network Address Translation (NAT) and Port Address Translation (PAT).

1.1.7 Issues with NAT 

NAT is not without drawbacks. Enabling address translation causes a loss of functionality, particularly with any protocol or application that carries IP address information inside the IP payload: the address in the header is rewritten while the copy in the payload is not. Such traffic needs additional, protocol-specific support on the NAT device.

NAT increases delay. Switching path delays are introduced because of the translation of each IP address within the packet headers. The first packet will always go through the slow path, which means this first packet is process-switched. The remaining packets will go through the fast-switched path if a cache entry exists.

Performance may be a consideration because NAT is currently accomplished by using process switching. The CPU must look at every packet to decide whether it must be translated. The CPU must alter the IP header, and possibly alter the TCP or UDP header.

One significant disadvantage of implementing and using NAT is the loss of end-to-end IP traceability. It becomes much more difficult to trace packets that undergo numerous address changes over multiple NAT hops. This cuts both ways: an attacker who wants to determine the source of a packet will find it equally hard to trace or obtain the original source or destination address.

NAT also forces some applications that use IP addressing to stop functioning because it hides end-to-end IP addresses. Applications that refer to peers by literal IP address instead of a fully qualified domain name will not reach destinations that are translated across the NAT router. Sometimes this problem can be avoided by implementing static NAT mappings.

Cisco IOS NAT supports the following traffic types:

  • File Transfer Protocol (FTP), including the PORT and PASV commands
  • NetBIOS over TCP/IP, datagram, name, and session services
  • RealNetworks RealAudio
  • White Pine CUSeeMe
  • Xing Technologies StreamWorks
  • DNS "A" and "PTR" queries
  • H.323/Microsoft NetMeeting, IOS versions 12.0(1)/12.0(1)T and later
  • VDOnet VDOLive, IOS versions 11.3(4)/11.3(4)T and later
  • VXtreme Web Theater, IOS versions 11.3(4)/11.3(4)T and later
  • IP Multicast, IOS version 12.0(1)T (source address translation only)

Cisco IOS NAT does not support the following traffic types:

  • Routing table updates
  • DNS zone transfers
  • BOOTP
  • talk and ntalk protocols
  • Simple Network Management Protocol (SNMP)

1.2 DHCP 
   
1.2.1 Introducing DHCP 

Administrators typically prefer a network server to offer DHCP services because these solutions are scalable and relatively easy to manage. Cisco routers can use a Cisco IOS feature set, Easy IP, to offer an optional, full-featured DHCP server. Easy IP leases configurations for 24 hours by default. This is useful in small offices and home offices, where the user can take advantage of DHCP and NAT without running a dedicated NT or UNIX server.

Administrators set up DHCP servers to assign addresses from predefined pools. DHCP servers can also offer other information, such as DNS server addresses, WINS server addresses, and domain names. Most DHCP servers also allow the administrator to define specifically what client MAC addresses can be serviced and automatically assign them the same IP address each time.

DHCP uses User Datagram Protocol (UDP) as its transport protocol. The client sends messages to the server on UDP port 67; the server sends messages to the client on UDP port 68.

1.2.2 BOOTP and DHCP differences 

The Internet community first developed the BOOTP protocol to enable configuration of diskless workstations. BOOTP was originally defined in RFC 951 in 1985. As the predecessor of DHCP, BOOTP shares some operational characteristics. Both protocols are client/server based and use UDP ports 67 and 68. Those ports are still known as BOOTP ports.

Both protocols supply the four basic IP parameters:

  • IP address
  • Gateway address
  • Subnet mask
  • DNS server address

BOOTP does not dynamically allocate IP addresses to a host. When a client requests an IP address, the BOOTP server searches a predefined table for an entry that matches the MAC address for the client. If an entry exists, then the corresponding IP address for that entry is returned to the client. This means that the binding between the MAC address and the IP address must have already been configured in the BOOTP server.

There are two primary differences between DHCP and BOOTP:

  • DHCP defines mechanisms through which a client is assigned an IP address for a finite lease period. Because of the lease, an address can later be reassigned to another client, or a client that moves to another subnet can obtain a different address. A client can also renew its lease and keep the same address.
  • DHCP provides the mechanism for a client to obtain other IP configuration parameters in addition to its IP address, such as the WINS server and the domain name.

1.2.3 Major DHCP features 

There are three mechanisms used to assign an IP address to the client:

  • Automatic allocation: DHCP assigns a permanent IP address to the client.
  • Manual allocation: the administrator assigns the IP address to each client, and DHCP only conveys that address to the client.
  • Dynamic allocation: DHCP assigns, or leases, an IP address to the client for a limited period of time.

The focus of this section is the dynamic allocation mechanism. Some of the configuration parameters available are listed in IETF RFC 1533:

  • Subnet mask
  • Router
  • Domain name
  • Domain name server
  • WINS server

The DHCP server creates pools of IP addresses and associated parameters. Pools are dedicated to an individual logical IP subnet. This allows multiple DHCP servers to respond and IP clients to be mobile. If multiple servers respond, a client can choose only one of the offers.

1.2.4 DHCP operation 

The DHCP client configuration process uses the following steps:

  1. A client must have DHCP configured when starting the network membership process. The client sends a request to a server requesting an IP configuration. Sometimes the client may suggest the IP address it wants, such as when requesting an extension to a DHCP lease. The client locates a DHCP server by sending a broadcast called a DHCPDISCOVER.
  2. When the server receives the broadcast, it determines whether it can service the request from its own database. If it cannot, the server may forward the request on to another DHCP server. If it can, the DHCP server offers the client IP configuration information in the form of a unicast DHCPOFFER. The DHCPOFFER is a proposed configuration that may include IP address, DNS server address, and lease time.
  3. If the client finds the offer agreeable, it will send another broadcast, a DHCPREQUEST, specifically requesting those particular IP parameters. Why does the client broadcast the request instead of unicasting it to the server? A broadcast is used because the first message, the DHCPDISCOVER, may have reached more than one DHCP server. If more than one server makes an offer, the broadcasted DHCPREQUEST allows the other servers to know which offer was accepted. The offer accepted is usually the first offer received.
  4. The server that receives the DHCPREQUEST makes the configuration official by sending a unicast acknowledgment, the DHCPACK. It is possible, but highly unlikely, that the server will not send the DHCPACK. This may happen because the server may have leased that information to another client in the interim. Receipt of the DHCPACK message enables the client to begin using the assigned address immediately.
  5. If the client detects that the address is already in use on the local segment it will send a DHCPDECLINE message and the process starts again. If the client received a DHCPNACK from the server after sending the DHCPREQUEST, then it will restart the process again.
  6. If the client no longer needs the IP address, the client sends a DHCPRELEASE message to the server.

Depending on an organization's policies, it may be possible for an end user or an administrator to statically assign a host an IP address that belongs in the DHCP servers address pool. Just in case, the Cisco IOS DHCP server always checks to make sure that an address is not in use before the server offers it to a client. The server will issue an ICMP echo request, or will ping, to a pool address before sending the DHCPOFFER to a client. Although configurable, the default number of pings used to check for a potential IP address conflict is two.

1.2.5 Configuring DHCP 

Like NAT, a DHCP server requires that the administrator define a pool of addresses. The ip dhcp pool command defines which addresses will be assigned to hosts.

The first command, ip dhcp pool, creates a pool with the specified name and puts the router in a specialized DHCP configuration mode. In this mode, use the network statement to define the range of addresses to be leased. If specific addresses on the network are to be excluded, return to global configuration mode.

The ip dhcp excluded-address command configures the router to exclude an individual address or range of addresses when assigning addresses to clients. The ip dhcp excluded-address command may be used to reserve addresses that are statically assigned to key hosts, for instance, the interface address on the router.

Typically, a DHCP server will be configured to assign much more than an IP address. Other IP configuration values such as the default gateway can be set from the DHCP configuration mode. Using the default-router command sets the default gateway. The address of the DNS server, dns-server, and WINS server, netbios-name-server, can also be configured here. The IOS DHCP server can configure clients with virtually any TCP/IP information.

The key IOS DHCP server commands entered in DHCP pool configuration mode are listed in Figure 3.

The DHCP service is enabled by default on versions of Cisco IOS that support it. To disable the service, use the no service dhcp command. Use the service dhcp global configuration command to re-enable the DHCP server process.
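The pool, exclusion, option and service commands described in this section, in one Cisco IOS DHCP server configuration that also shows the MAC-based reservation mentioned in 1.2.1 and the pre-offer ping check from 1.2.4. This is an added example, not the module's figure; every address, pool name, MAC address and domain below is an assumed value chosen for illustration.

```cisco
! Added example (not from the module's figure). All addresses, pool names,
! the MAC address and the domain name are assumed values.
configure terminal
!
! Reserve the addresses that are assigned statically (the router's own
! interface, servers) BEFORE creating the pool, so they are never leased.
ip dhcp excluded-address 192.168.10.1 192.168.10.10
!
! Conflict detection: the server pings a candidate address before sending
! a DHCPOFFER. Two packets is the default; 0 disables the check, which is
! faster but lets a statically assigned address be handed out twice.
ip dhcp ping packets 2
!
! The pool. "network" selects the addresses to lease; the remaining lines
! are the options pushed to clients. "lease" is days [hours [minutes]];
! one day is the default.
ip dhcp pool LAN
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 192.168.10.5 192.168.10.6
 netbios-name-server 192.168.10.6
 domain-name example.net
 lease 1
 exit
!
! Manual binding: a host identified by its MAC address always receives the
! same address. It is a separate one-address pool; "hardware-address" is
! the Ethernet MAC (client-identifier, 01 followed by the MAC, is the
! alternative form).
ip dhcp pool PRINTER
 host 192.168.10.20 255.255.255.0
 hardware-address 0000.0c12.3456
 client-name printer1
 exit
!
! The server process is on by default on IOS images that support it.
! A router that must NOT answer DHCP, for example one facing a segment
! you do not control, should have it switched off; "service dhcp" turns
! it back on.
no service dhcp
service dhcp
end
```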

1.2.6 Verifying DHCP operation 

To verify the operation of DHCP, the command show ip dhcp binding can be used. This displays a list of all bindings created by the DHCP service.

To verify that messages are being received or sent by the router, use the command show ip dhcp server statistics. This will display count information regarding the number of DHCP messages that have been sent and received.

Lab Exercise: Configuring DHCP

In this lab, the student will configure a router for Dynamic Host Configuration Protocol (DHCP).

 
1.2.7 Troubleshooting DHCP 

To troubleshoot the operation of the DHCP server, the command debug ip dhcp server events can be used. This command will show that the server periodically checks to see if any leases have expired. Also displayed are the processes of addresses being returned and addresses being allocated.
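The verification commands of 1.2.6 and the debug command of 1.2.7, together with the conflict-table commands a practitioner needs once the pre-offer ping check of 1.2.4 has fired. This is an added example, not one of the module's figures; it assumes the IOS DHCP server is already configured.

```cisco
! Added example (not from the module's figures): privileged EXEC commands
! for checking and debugging the IOS DHCP server.
!
! Leases: one line per binding with the IP address, the client identifier
! (01 plus the MAC for Ethernet clients), the lease expiry and the type
! (Automatic or Manual).
show ip dhcp binding
!
! Message counters: DHCPDISCOVER/REQUEST/DECLINE/RELEASE/INFORM received,
! DHCPOFFER/ACK/NAK sent, plus memory and pool counts. Discovers arriving
! while no offers are sent usually means no pool matches the client's
! subnet (check GIADDR on relayed requests and the pool's "network").
show ip dhcp server statistics
!
! Addresses taken out of service because the pre-offer ping was answered
! (someone assigned the address statically) or a client sent DHCPDECLINE.
! They stay out of the pool until cleared, so a silently growing conflict
! table can exhaust a pool; clear it only after fixing the duplicate.
show ip dhcp conflict
clear ip dhcp conflict *
!
! Return all leases (or a single address) so they can be reissued.
clear ip dhcp binding *
!
! Debugging: "events" shows the periodic expired-lease sweep, allocations
! and returned addresses; "packet" decodes each DHCP message. Turn off
! debugging when done.
debug ip dhcp server events
debug ip dhcp server packet
undebug all
```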

1.2.8 DHCP Relay  

DHCP clients use IP broadcasts to find the DHCP server on the segment. What happens when the server and the client are not on the same segment and are separated by a router? Routers do not forward these broadcasts.

Because some clients are useless without services such as DHCP, one of two choices must be implemented. The administrator must either place servers on all subnets or use the Cisco IOS helper address feature. Running services such as DHCP or DNS on several computers creates overhead and administrative difficulties, which makes the first option inefficient. When possible, administrators should use the ip helper-address command to relay broadcast requests for these key UDP services.

By using the helper address feature, a router can be configured to accept a broadcast request for a UDP service and then forward it as a unicast to a specific IP address. By default, the ip helper-address command forwards the following eight UDP services:

  • Time (port 37)
  • TACACS (port 49)
  • DNS (port 53)
  • BOOTP/DHCP server (port 67)
  • BOOTP/DHCP client (port 68)
  • TFTP (port 69)
  • NetBIOS name service (port 137)
  • NetBIOS datagram service (port 138)

In the particular case of DHCP, a client broadcasts a DHCPDISCOVER packet on its local segment. This packet is picked up by the gateway. If a helper address is configured, the DHCP packet is forwarded as a unicast to the specified address. Before forwarding the packet, the router fills in the GIADDR field with its own IP address on the client's segment. That address later becomes the gateway address for the DHCP client when it receives its IP configuration.

The DHCP server receives the discover packet. The server uses the GIADDR field to index into the list of address pools in order to find one which has the gateway address set to the value in GIADDR. This pool is then used to supply the client with its IP address.
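The relay arrangement described in this section, configured on both ends: the gateway that relays the client segment's broadcasts, and the server that selects a pool by GIADDR. This is an added example, not the module's figure; the two routers and every address below are assumed values, and the list of default helper ports is given here from the ip helper-address documentation, not from the page.

```cisco
! Added example (not from the module's figure). Assumed topology: router
! R2 fronts the client segment 192.168.20.0/24; the DHCP server is an IOS
! router at 192.168.10.5 on a subnet behind router R1.
!
! ===== R2: the client segment's gateway =====
interface FastEthernet0/1
 ip address 192.168.20.1 255.255.255.0
!
! Relay this segment's broadcasts as unicasts to the DHCP server. Before
! forwarding a DHCPDISCOVER the router writes its own address on this
! segment, 192.168.20.1, into GIADDR.
 ip helper-address 192.168.10.5
!
! helper-address forwards eight UDP services by default: Time (37),
! TACACS (49), DNS (53), BOOTP/DHCP server (67), BOOTP/DHCP client (68),
! TFTP (69), NetBIOS name (137) and NetBIOS datagram (138). If only DHCP
! has to cross the router, switch the others off so stray TFTP, DNS or
! NetBIOS broadcasts are not quietly delivered to the server's segment.
! (These are global commands; 67 and 68 are left enabled.)
no ip forward-protocol udp 37
no ip forward-protocol udp 49
no ip forward-protocol udp 53
no ip forward-protocol udp 69
no ip forward-protocol udp 137
no ip forward-protocol udp 138
!
! ===== DHCP server (IOS router at 192.168.10.5) =====
! The relayed DHCPDISCOVER carries GIADDR = 192.168.20.1, so the server
! picks the pool whose "network" contains that address and sends the
! DHCPOFFER back to the relay, which delivers it on the client segment.
! It does not matter that the server itself sits on 192.168.10.0/24.
! The server also needs a route back to 192.168.20.0/24 (assumed via R1).
ip dhcp excluded-address 192.168.20.1 192.168.20.10
ip dhcp pool REMOTE-LAN
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 192.168.10.5
```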

Lab Exercise: Configuring DHCP Relay

In this lab, a router will be configured for Dynamic Host Configuration Protocol (DHCP).