Tài liệu DNS, DHCP, and IP Address Management Session 806 doc

COM root WWW CISCO RTP TIMSPC How DNS Works DNS Namespace domain/subdomain as zones name server responsible for all lower nodes for each node pointer PTR, mail exchange MX, name server N

Trang 1

2 806

DNS, DHCP, and IP Address Management

Session 806

Trang 2

3 806

Intelligent Network

Manual Processes

Manual Processes Public

Domain Software

Public Domain Software

Automated Network Addressing

Policies Based on

IP Addresses

Policies Based on

IP Addresses

User-Based Policy Networking

Scalable Reliable DNS/DHCP Services

User Provisioning

DNS and DHCP Challenges

Application

Custom Application

Managing Names and Addresses

Trang 3

5 806

DHCP

1970’s

Multiple Sources

of Data

Multiple Sources

of Data

Few Users

Many Users

of Data

Single Source

of DataMigrating to Directories

6 806

Protocol Overview

DNS and DHCP

Trang 4

7 806

COM (root)

WWW

CISCO

RTP TIMSPC

How DNS Works DNS Namespace

domain/subdomain

as zones

name server responsible for all lower nodes

for each node

pointer (PTR), mail exchange (MX), name server (NS), start of

authority (SOA)

timspc.cisco.com cisco.com zone

DNS Client Outside

of Cisco Network

Root Name Server

.COM Name Server

CISCO.COM Name Server Local

DNS Server www.cisco.com

Q What Is the IP Address for www.cisco.com?

How DNS Works DNS Queries

• Clients query local DNS server for IP addresses

• Local server starts with the root name server and recursively queries DNS servers until it finds a server that has the answer

• Local servers send answers back to the clients and cache the answers

A 161.44.10.9

Trang 5

9 806

Primary Name Server for CISCO.COM

Secondary DNS Server for CISCO.COM

Secondary DNS Server for CISCO.COM DNS Client

DNS Redundancy

• Redundancy is built into DNS

• Secondary servers automatically backup primary servers

• Secondary servers check the primary for changes in the zone serial number

• Updates controlled by the refresh rate in SOA record for zone

• Use Notify and Incremental Zone Transfers to reduce propagation delay and bandwidth utilization

• Spread secondary and caching DNS servers liberally

throughout the network

Old Zone Transfer

1 Secondary Checks the Serial Number of the Zone

2 If It Has Changed, Secondary Requests a Zone Transfer

3 Primary Sends the Entire Zone to Secondary

Old Zone Transfer

1 Secondary Checks the Serial Number of the Zone

2 If It Has Changed, Secondary Requests a Zone Transfer

3 Primary Sends the Entire Zone to Secondary

New Zone Transfer

1 Primary DNS Server Sends a NOTIFY Message to Secondary When the Zone Data Changes

2 Secondary Requests an Incremental Zone Transfer

Changes to Secondary Server

New Zone Transfer

1 Primary DNS Server Sends a NOTIFY Message to Secondary When the Zone Data Changes

2 Secondary Requests an Incremental Zone Transfer

Changes to Secondary Server

10 806

Here is your configuration:

IP Address: 192.204.18.7 Subnet Mask: 255.255.255.0 Default Routers: 192.204.18.1, 192.204.18.3 DNS Servers: 192.204.18.8, 192.204.18.9 WINS Server: 192.204.18.9

Lease Time: 5 days

Here is your configuration:

IP Address: 192.204.18.7 Subnet Mask: 255.255.255.0 Default Routers: 192.204.18.1, 192.204.18.3 DNS Servers: 192.204.18.8, 192.204.18.9 WINS Server: 192.204.18.9

Lease Time: 5 days

DHCP Server

DHCP Client

Send My Configuration Information

How DHCP Works Obtaining a Lease

• Dynamically assigns configuration information

• Creates IP address pools

to conserve addresses and support mobile users

• Clients broadcasts DHCP Discover packet on local subnet

• Multiple servers can respond

• Client chooses first

or best response

Trang 6

11 806

OFFER

ACK

(Unicast )

(Broadcast)

(Unicast )

(Broadcast)

How DHCP Works DHCP Discover Process

• DHCP client broadcasts DHCP DISCOVER packet

on local subnet

• DHCP servers send OFFER packet with lease information

• DHCP client selects lease and broadcasts DHCP REQUEST packet

• Selected DHCP server sends DHCP ACK packet

OP Code

Transaction ID (XID)

Hardware Type

Hardware Length

Hardware Length HOPS

Your IP Address (YIADDR)

Seconds Client IP Address (CIADDR)

Server IP Address (SIADDR) Gateway IP Address (GIADDR)

Flags

Server Name (SNAME)—64 bytes Filename—128 bytes DHCP Options Client Hardware Address (CHADDR)—16 bytes

How DHCP Works DHCP Packet

Trang 7

13 806

• Server passes configuration options

to client

• Over 100 options defined

• Most DHCP clients support approximately 10 options

• Custom and vendor options available

14 806

What’s New in DNS and DHCP

Dynamic DNS updates (RFC 2136) Incremental Zone Transfers (RFC 1995) Notify (RFC 1996)

DHCP Safe Failover (Internet draft)

Trang 8

15 806

WAN

Secondary DNS Server

DHCP Client

Cisco Network Registrar DHCP Server

Cisco Network Registrar Primary DNS Server

sbombay-172.16.18.74

pc.cisco.com IP:

sbombay-172.16.18.74

Host:

sbombay-pc Host:

sbombay-pc

Notify Message Notify Message

IXFR Request IXFR Request Only changed information is sent

sbombay-pc.cisco.com 172.16.18.74

Only changed information is sent sbombay-pc.cisco.com 172.16.18.74

Dynamic DNS Updates, Notify, and Incremental Zone Transfers

• Dramatically reduces propagation delay

• Dramatically reduces WAN bandwidth utilization

• Integrates DHCP and DNS

Primary DHCP Server

Backup DHCP Server

Backup Address Pool 172.16.18.191-200 Backup Address Pool 172.16.18.191-200

DHCP Safe Failover Protocol

to both servers

with lease information

primary fails

dedicated pool of addresses allocated by the primary to prevent duplicate IP address

primary is up

Primary Address Pool 172.16.18.101-200 Primary Address Pool 172.16.18.101-200

Trang 9

17 806

DNS Issues

17 806

18 806

Internal Network

External DNS Server

Internal DNS Server

www.cisco.com mail.cisco.com ftp.cisco.com

www.cisco.com mail.cisco.com ftp.cisco.com wwwin.cisco.com callmanager.cisco.com erpserver.cisco.com timspc.cisco.com eng-web.cisco.com

Split DNS

• Two “primary” DNS servers for the domain

• Hides the structure of the internal network

• Internal clients point to internal DNS servers

• External server publishes web, mail, ftp and other external servers

• Internet DNS servers delegate to external primary DNS server

Internet

Trang 10

19 806

Small.com Big.com

Internet

Internal DNS Server

External DNS Server

erp.small.com

Root DNS Server

Selective Forwarders

Connect to erp.small.com

WINS

• Windows Internet Names Service (WINS)

NetBIOS Names Service (NBNS) Windows NT file and print services Flat name space

• Coexists with DNS

• Scaling problems in large networks

• Going away with Windows 2000!

Trang 11

21 806

Windows 2000 and Active Directory

Dynamic DNS updates (RFC 2136)

SRV records

• Active directory is dependent on DNS

• WINS is phased out

22 806

DHCP Issues

22 806

Trang 12

23 806

DHCP Server 161.44.54.7

DHCP Client

GIADDR

DHCP Packet

DHCP Server 161.44.54.8

Physical Network 161.44.18.0

Physical Network 161.44.18.0 161.44.18.1

DHCP in a Routed Network

• DHCP clients broadcasts

a DHCP discover packet

• DHCP relay (ip helper address)

on the router hears the DHCP Discover packet and forwards (unicast) the packet to the DHCP server

• DHCP relay fills in the GIADDR field with IP address of the primary interface of router

• DHCP relay can be configured to forward the packet to multiple DHCP servers Client will choose the “best” server

• DHCP servers use GIADDR field of DHCP Discover packet as an index

in to the list of address pools

Router with DHCP Relay interface se0

IP address of interface

in GIADDR field

create an address pools with multiple logical networks This is also known as super scopes

DHCP Server

DHCP Client

Router with DHCP Relay

192.204.19.0 192.204.20.0 192.204.21.0

One Physical Network Four Logical Networks 192.204.18.0

192.204.19.0 192.204.20.0 192.204.21.0

192.204.18.1 Primary 192.204.19.1 Secondary 192.204.20.1 Secondary 192.204.21.1 Secondary

Trang 13

25 806

DHCP Security

Any client can get an address Any server can allocate an address

Create list of authorized MAC addresses

26 806

IP Address Management Issues

26 806

Trang 14

27 806

Private Network Numbers (RFC 1918)

Internet

Private Network 10.0.0.0/8

10.0.0.0 - 10.255.255.255 (10/8 prefix) 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

• Difficult to obtain new network numbers

• Unlimited addresses with private network numbers

• Allows for flexible addressing schemes

• Requires NAT/PAT to access Internet

Private Network Numbers

Private Network 10.0.0.0/8

10.0.0.7

10.0.100.151 172.16.4.57

Translation Static NAT Dynamic NAT Dynamic—1 to 1

Pool of External Addresses Dynamically Assigned to Internal Clients for Duration

of Session

Pool of External Addresses Dynamically Assigned to Internal Clients for Duration

of Session

Permanent—1 to 1 Permanent Mappings between Internal Servers to external addresses Permanent Mappings between Internal Servers to external addresses

PAT Dynamic—Many to 1 Multiple Internal Clients Share Single

External Address Multiple Internal Clients Share Single External Address

NAT, PAT, and Dynamic NAT

Internal Add External Add Translation Note

Mail Server 10.0.100.151 161.44.16.105 Dynamic NAT VoIP Phone Calling on

the Internet

Trang 15

29 806

Translation Easy Difficult Multimedia, H.323, NetBIOS, DNS, Dual NAT, SQL*NET, Dynamic Port Negotiation Multimedia, H.323, NetBIOS, DNS, Dual NAT, SQL*NET, Dynamic Port Negotiation

Telnet, FTP, HTTP, Simple C/S Apps Yes

Impossible SNMP

Cisco IOS

Yes

-

-Most Yes

Packet with Embedded IP Address

10.0.5.8

DA: 161.44.8.9 SA: 10.0.5.8

Translated Packet

10.0.5.8

161.44.8.9 NAT Mappings

10.0.5.8 -> 171.68.10.5

NAT Mappings 10.0.5.8 -> 171.68.10.5

Pool of NAT Addresses 171.68.10.2-100

NAT in PIX, and Cisco IOS

SA: 171.68.10.5 DA: 161.44.8.9

171.68.10.5

30 806

Directory Services Standard Schemas

• Directory Enabled Networks (DEN)

Started by Cisco/Microsoft, now owned by DMTF

Proposals from Microsoft, Novell, and IETF

Trang 16

31 806

100 Option 1: Cisco IOS DHCP Server on Any Platform 1600, 2500, 3600, Etc.

Provide DNS Service Remotely Across WAN Option 2: CNR on a Small Windows NT System to Provide DNS & DHCP

Option 1: Cisco IOS DHCP Server on Any Platform 1600, 2500, 3600, Etc.

Provide DNS Service Remotely Across WAN Option 2: CNR on a Small Windows NT System to Provide DNS & DHCP

Option 1: Two Servers Running DNS/DHCP (Low-end UNIX Servers—Raid Disks, 256 MB RAM) Option 2: Two Servers Running DNS/DHCP (Mid-range NT Servers—Raid Disks, 256 MB RAM) Distribute Secondary and Caching DNS Servers Throughout Network

Option 1: Redundant DHCP Servers (Mid-Range UNIX Servers, 384 MB RAM) Option 2: Redundant DHCP Servers (High-End NT Servers, 384 MB RAM) Primary DNS Server (Mid-range UNIX Server—Sun Ultra 250E, Raid Disks,512 MB RAM) Distribute Secondary and Caching DNS Servers Throughout Network

Performance Factors Number of Nodes, Number of Queries, DHCP Lease Time, and Disk I/O Performance

Performance Factors

Number of Nodes, Number of Queries, DHCP Lease Time, and Disk I/O Performance

Server Sizing (100K, 10K, 1K, 100 Clients)

Example Network Designs

Trang 17

33 806

Corporate Data Center

Large Campus

• Large campus networks require high-performance, redundant DNS and DHCP servers to support multiple 10,000s of nodes

• The server functions need to be split across multiple servers in

a cluster

• Build a cluster with at least three servers, one primary DNS and two redundant DHCP servers An additional DNS server can used to provide secondary DNS service

• DNS servers need high performance disk I/O (preferably a RAID system) to keep up with dynamic DNS updates

• Each major location around the world—U.S., Europe and Asia needs a cluster

Primary DNS Server

DHCP Server 1

34 806

Primary DNS Server for Company Zone Bigco.Com

Corporate Headquarters

DNS and DHCP Servers

DNS and DHCP Servers DNS and

DHCP Servers

Large Branch Offices

• Organizations with a large number of remote branch offices with a UNIX or NT server at each remote site.

Typically 20-200 nodes/site

• At each of the remote sites,

an organization should deploy at least one DNS and DHCP server, two for redundancy The redundant DHCP server could be at HQ

• Each location could have a separate domain for the site and a primary DNS server at the location This depends

on the WAN bandwidth

• This configuration survives WAN outages

Corporate WAN

Store Number: 1007 Zone: st1007.bigco.com Store Number: 1007 Zone: st1007.bigco.com

DNS and DHCP Servers DNS and DHCP Servers

Trang 18

35 806

Small Branch Offices

• Organization has a large number of remote sites and less than 20 nodes per site.

Remote sites should have dial-backup connections for redundancy DHCP/Bootp relay is enabled on router

• At HQ deploy cluster of redundant DNS and DHCP servers to provide service

to remote sites

• Each location could have a separate domain Primary DNS server for each remote site zone is in HQ If available, run a secondary DNS server in the remote site for the remote site zone using IXFR and NOTIFY

Redundant DHCP Servers

Primary DNS Server for Store Zones

Corporate Headquarters

Corporate WAN

Store Number: 1007 Zone: st1007.bigco.com Store Number: 1007 Zone: st1007.bigco.com

DHCP/Bootp Relay (aka IP Helper)

Corporate WAN

Cisco Cisco IOS DHCP Serve Port Address Translation

Small Office/Home Office

• SOHO users can connect to the corporate network using ISDN, DSL or Frame Relay

• Use the Cisco IOS DHCP server

to provide addresses for devices in the SOHO Use a private, unregistered

Tiêu đề	Dns, Dhcp, and Ip Address Management
Trường học	Cisco Systems, Inc.
Chuyên ngành	Networking
Thể loại	Manual
Năm xuất bản	1999
Thành phố	USA

Định dạng
Số trang	29
Dung lượng	1,69 MB