Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIS 192 – Lesson 7 Lesson Module Status Slides – draft Properties - done Flashcards - 1 st minute quiz – done Web Calendar summary – done Web book pages.

Published byAlfred Hampton Modified over 9 years ago

Similar presentations

Presentation on theme: "CIS 192 – Lesson 7 Lesson Module Status Slides – draft Properties - done Flashcards - 1 st minute quiz – done Web Calendar summary – done Web book pages."— Presentation transcript:

1 CIS 192 – Lesson 7 Lesson Module Status Slides – draft Properties - done Flashcards - 1 st minute quiz – done Web Calendar summary – done Web book pages – done Commands – Howtos – Skills pacing -na Lab – done Depot (VMs) – restored 1

2 CIS 192 - Lesson 7 Quiz Please take out a blank piece of paper, switch off your monitor, close your books, put away your notes and answer these questions: How do you display the current filter table chains? How do you display the current nat table chains? How do set the FORWARD chain policy to ACCEPT?

3 CIS 192 – Lesson 7 ObjectivesAgenda Install and configure a DHCP server Configure a client to get a DHCP address Implement DHCP relay agent Quiz Questions on previous material Housekeeping FTP (more) Firewalls and FTP DHCP Lab Prep DHCP client configuration DHCP DHCP server configuration DHCP relay agent configuration Lease tracking files Wrap Dynamic Host Configuration 3

4 Questions on previous material 4

5 CIS 192 - Lesson 7 Questions? Previous lesson material Lab assignment 5

6 Housekeeping 6

7 CIS 192 - Lesson 7 Lab 5 due today! Hands-on cabling using system pods 7

8 FTP (more) 8

9 Two sockets are used Commands (requests and responses) Data transfer Active mode Server initiates new connection for data transfer Client firewall must allow incoming connection Passive mode Client initiates new connection for data transfer Server firewall must allow incoming connection CIS 192 – Lesson 7 FTP 9

10 Active mode Client sends PORT command to indicate port it will listen on Server initiates new connection to that port for data transfer CIS 192 – Lesson 7 FTP 10 PORT 172, 30,4, 83, 166, 75 166 decimal = A6 hex 75 decimal = 4b hex A64B hex = 42571 (decimal) ClientServer 172.30.4.83192.168.2.150 4285521 ClientServer 172.30.4.83192.168.2.150 4257120 Socket for commands Socket for data transfer

11 Active mode Client sends PORT command to indicate port it will listen on Server initiates new connection for data transfer to that port CIS 192 – Lesson 7 FTP 11 PORT command to listen on port 166, 75 166 decimal = A6 hex 75 decimal = 4b hex A64B hex = 42571 (decimal) Retrieve legolas file 3 way handshake initiated by server File transfer 4 way handshake to close connection

12 Passive mode Client send PASV request Server replies with port it will listen on Client initiates new connection to that port for data transfer CIS 192 – Lesson 7 FTP 12 Response 192, 168, 2, 150, 200, 83 200 decimal = C8 hex 83 decimal = 53 hex C853 hex = 51283 (decimal) ClientServer 172.30.4.83192.168.2.150 4285521 Socket for commands ClientServer 172.30.4.83192.168.2.150 4102551283 Passive command to listen on 200, 83 = C853 = 51283 Socket for data transfer

13 Passive mode Client send PASV request Server replies with port it will listen on Client initiates new connection to that port for data transfer CIS 192 – Lesson 7 FTP 13 Passive command to listen on 200, 83 = C853 = 51283 Retrieve legolas file 3 way handshake initiated by client File transfer 4 way handshake to close connection

14 CIS 192 - Lesson 7 14 root@frodo:~# ftp legolas Connected to legolas. 220 (vsFTPd 2.0.5) Name (legolas:cis192): cis192 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> get legolas local: legolas remote: legolas 200 PORT command successful. Consider using PASV. 150 Opening BINARY mode data connection for legolas (18 bytes). 226 File send OK. 18 bytes received in 0.04 secs (0.5 kB/s) ftp> passive Passive mode on. ftp> get legolas local: legolas remote: legolas 227 Entering Passive Mode (192,168,2,150,200,83) 150 Opening BINARY mode data connection for legolas (18 bytes). 226 File send OK. 18 bytes received in 0.00 secs (5.1 kB/s) ftp> passive Passive mode off. ftp> get legolas local: legolas remote: legolas 200 PORT command successful. Consider using PASV. 150 Opening BINARY mode data connection for legolas (18 bytes). 226 File send OK. 18 bytes received in 0.00 secs (23.8 kB/s) ftp> bye 221 Goodbye. root@frodo:~# Get legolas file using active mode Login Initialize Get legolas file using passive mode Get legolas file using active mode Connect to server End Example FTP Session

15 CIS 192 - Lesson 7 15 root@frodo:~# ftp legolas Connected to legolas. 220 (vsFTPd 2.0.5) 3 way handshake New connection initiated by client ClientServer 172.30.4.83192.168.2.150 4285521 eth0.107 eth1.107 eth0.150 Elrond Frodo Legolas FirewallFTP Server 172.30.4.0 /24192.168.2.0 /24 eth0.83 ShireRivendell 3 way handshake initiated by client Frodo FTP's into Legolas Socket for commands

16 CIS 192 - Lesson 7 16 Name (legolas:cis192): cis192 331 Please specify the password. Password: 230 Login successful. Login with username and password. Note the reverse DNS lookup attempt by the FTP server ClientServer 172.30.4.83192.168.2.150 4285521 eth0.107 eth1.107 eth0.150 Elrond Frodo Legolas FirewallFTP Server 172.30.4.0 /24192.168.2.0 /24 eth0.83 ShireRivendell Note the login happens over the wire in clear "sniffable" text username password Socket for commands

17 CIS 192 - Lesson 7 17 Remote system type is UNIX. Using binary mode to transfer files. Client requests system type and server replies UNIX. Client requests binary mode (Type I) transfers and server changes to binary mode ClientServer 172.30.4.83192.168.2.150 4285521 eth0.107 eth1.107 eth0.150 Elrond Frodo Legolas FirewallFTP Server 172.30.4.0 /24192.168.2.0 /24 eth0.83 ShireRivendell Socket for commands

18 CIS 192 - Lesson 7 18 ftp> get legolas local: legolas remote: legolas 200 PORT command successful. Consider using PASV. 150 Opening BINARY mode data connection for legolas (18 bytes). 226 File send OK. 18 bytes received in 0.04 secs (0.5 kB/s) ClientServer 172.30.4.83192.168.2.150 4285521 eth0.107 eth1.107 eth0.150 Elrond Frodo Legolas FirewallFTP Server 172.30.4.0 /24192.168.2.0 /24 eth0.83 ShireRivendell ClientServer 172.30.4.83192.168.2.150 4257120 PORT command to listen on 166, 75 = A64B = 42571 Socket for commands Socket for data transfer Retrieve legolas file Active Mode is when server initiates new connection for data transfer 3 way handshake initiated by server File transfer 4 way handshake to close connection

19 CIS 192 - Lesson 7 19 ftp> passive Passive mode on. ftp> get legolas local: legolas remote: legolas 227 Entering Passive Mode (192,168,2,150,200,83) 150 Opening BINARY mode data connection for legolas (18 bytes). 226 File send OK. 18 bytes received in 0.00 secs (5.1 kB/s) ClientServer 172.30.4.83192.168.2.150 4285521 eth0.107 eth1.107 eth0.150 Elrond Frodo Legolas FirewallFTP Server 172.30.4.0 /24192.168.2.0 /24 eth0.83 ShireRivendell ClientServer 172.30.4.83192.168.2.150 4102551283 Passive reply to listen on 200, 83 = C853 = 51283 Socket for commands Socket for data transfer Retrieve legolas file Passive Mode is when client initiates new connection for data transfer 3 way handshake initiated by client File transfer 4 way handshake to close connection

20 CIS 192 - Lesson 7 20 ftp> passive Passive mode off. ftp> get legolas local: legolas remote: legolas 200 PORT command successful. Consider using PASV. 150 Opening BINARY mode data connection for legolas (18 bytes). 226 File send OK. 18 bytes received in 0.00 secs (23.8 kB/s) ClientServer 172.30.4.83192.168.2.150 4285521 eth0.107 eth1.107 eth0.150 Elrond Frodo Legolas FirewallFTP Server 172.30.4.0 /24192.168.2.0 /24 eth0.83 ShireRivendell ClientServer 172.30.4.83192.168.2.150 3409820 PORT command to listen on 133, 50 = 8532 = 34098 Socket for commands Socket for data transfer Retrieve legolas file Active Mode is when server initiates new connection for data transfer 3 way handshake initiated by server File transfer 4 way handshake to close connection

21 CIS 192 - Lesson 7 21 ftp> bye 221 Goodbye. ClientServer 172.30.4.83192.168.2.150 4285521 eth0.107 eth1.107 eth0.150 Elrond Frodo Legolas FirewallFTP Server 172.30.4.0 /24192.168.2.0 /24 eth0.83 ShireRivendell Socket for commands 4 way handshake to close connection

22 Firewalls and FTP 22

23 CIS 192 - Lesson 7 23 [root@elrond pub]# iptables -I RH-Firewall-1-INPUT 9 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT [root@elrond pub]# iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain RH-Firewall-1-INPUT (2 references) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited [root@elrond pub]# iptables-save > /etc/sysconfig/iptables [root@elrond pub]# Open TCP port 21 for FTP Save to make changes persist across restarts Firewall - FTP Command port

24 CIS 192 - Lesson 7 24 [root@elrond pub]# cat /etc/sysconfig/iptables-config # Load additional iptables modules (nat helpers) # Default: -none- # Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which # are loaded after the firewall rules are applied. Options for the helpers are # stored in /etc/modprobe.conf. IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp" Add [root@elrond pub]# [root@elrond pub]# service iptables restart Flushing firewall rules: [ OK ] Setting chains to policy ACCEPT: filter [ OK ] Unloading iptables modules: [ OK ] Applying iptables firewall rules: [ OK ] Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]ntrack_ftp [root@elrond pub]# In passive mode, the client initiates the connection for the data transfer. The ip_conntrack_ftp module must be loaded so the firewall will allow the passive connections to random ports Add this to load the module to track related FTP connections Firewall - passive mode

25 CIS 192 - Lesson 7 25 eth0.107 eth1.107 eth0.150 Elrond Frodo Legolas FirewallFTP Server 172.30.4.0 /24192.168.2.0 /24 eth0.83 ShireRivendell [root@elrond ~]# iptables -nL Chain INPUT (policy DROP) target prot opt source destination Chain FORWARD (policy DROP) target prot opt source destination ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21 Chain OUTPUT (policy DROP) target prot opt source destination [root@elrond ~]# This firewall setting allows external clients (Frodo) to access the FTP server (Legolas) Note: The FTP data port 20 is not specified For DNS lookups by FTP server

26 CIS 192 - Lesson 7 26 eth0.107 eth1.107 eth0.150 Elrond Frodo Legolas FirewallFTP Server 172.30.4.0 /24192.168.2.0 /24 eth0.83 ShireRivendell root@frodo:~# ftp legolas Connected to legolas. 220 (vsFTPd 2.0.5) Name (legolas:cis192): cis192 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> get legolas local: legolas remote: legolas 200 PORT command successful. Consider using PASV. 150 Opening BINARY mode data connection for legolas (18 bytes). 226 File send OK. 18 bytes received in 0.00 secs (15.1 kB/s) ftp> passive Passive mode on. ftp> get legolas local: legolas remote: legolas 227 Entering Passive Mode (192,168,2,150,224,164) 150 Opening BINARY mode data connection for legolas (18 bytes). 226 File send OK. 18 bytes received in 0.00 secs (8.6 kB/s) ftp> bye 221 Goodbye. root@frodo:~# Successful downloads using both active and passive mode using the firewall settings in previous slide

27 CIS 192 - Lesson 7 27 eth0.107 eth1.107 eth0.150 Elrond Frodo Legolas FirewallFTP Server 172.30.4.0 /24192.168.2.0 /24 eth0.83 ShireRivendell [root@elrond ~]# iptables -nL Chain INPUT (policy DROP) target prot opt source destination Chain FORWARD (policy DROP) target prot opt source destination ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21 Chain OUTPUT (policy DROP) target prot opt source destination [root@elrond ~]# [root@elrond ~]# iptables -D FORWARD 1 What If? We remove firewall opening for the DNS lookups sent by the FTP server Now DNS lookups are blocked

28 CIS 192 - Lesson 7 28 eth0.107 eth1.107 eth0.150 Elrond Frodo Legolas FirewallFTP Server 172.30.4.0 /24192.168.2.0 /24 eth0.83 ShireRivendell root@frodo:~# ftp legolas Connected to legolas. 220 (vsFTPd 2.0.5) Name (legolas:cis192): cis192 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> get legolas local: legolas remote: legolas 200 PORT command successful. Consider using PASV. 150 Opening BINARY mode data connection for legolas (18 bytes). 226 File send OK. 18 bytes received in 0.00 secs (15.1 kB/s) ftp> passive Passive mode on. ftp> get legolas local: legolas remote: legolas 227 Entering Passive Mode (192,168,2,150,224,164) 150 Opening BINARY mode data connection for legolas (18 bytes). 226 File send OK. 18 bytes received in 0.00 secs (8.6 kB/s) ftp> bye 221 Goodbye. root@frodo:~# Result: Instead of a fast login, now there is a delay of about 15 seconds before the successful login messages and ftp prompt are displayed

29 CIS 192 - Lesson 7 29 eth0.107 eth1.107 eth0.150 Elrond Frodo Legolas FirewallFTP Server 172.30.4.0 /24192.168.2.0 /24 eth0.83 ShireRivendell root@frodo:~# ftp legolas Connected to legolas. 220 (vsFTPd 2.0.5) Name (legolas:cis192): cis192 331 Please specify the password. Password: 230 Login successful. Delay encountered (~15 seconds) here after dropping DNS lookups in firewall The login is delayed while the two DNS requests time-out.

30 CIS 192 - Lesson 7 30 eth0.107 eth1.107 eth0.150 Elrond Frodo Legolas FirewallFTP Server 172.30.4.0 /24192.168.2.0 /24 eth0.83 ShireRivendell [root@elrond ~]# iptables -nL Chain INPUT (policy DROP) target prot opt source destination Chain FORWARD (policy DROP) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21 Chain OUTPUT (policy DROP) target prot opt source destination [root@elrond ~]# [root@elrond ~]# iptables -D FORWARD 1 [root@elrond ~]# iptables -I FORWARD 1 -m state --state ESTABLISHED -j ACCEPT What If? We next remove the related state condition from the firewall?

31 CIS 192 - Lesson 7 31 eth0.107 eth1.107 eth0.150 Elrond Frodo Legolas FirewallFTP Server 172.30.4.0 /24192.168.2.0 /24 eth0.83 ShireRivendell root@frodo:~# ftp legolas Connected to legolas. 220 (vsFTPd 2.0.5) Name (legolas:cis192): cis192 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> get legolas local: legolas remote: legolas 200 PORT command successful. Consider using PASV. 425 Failed to establish connection. ftp> Hangs up here, because the related connection for the data transfer is now blocked by the firewall. Gives up after 5 tries of attempting to do a 3-way handshake

32 DHCP Lab Prep 32

33 CIS 192 - Lesson 7 33 nosmo 207.62.187.54 Internet.1 DNS.10 snickers DHCP buttercup eth0.1XX eth1.1XX eth0 dhcp eth0.150 eth1.150 elrond frodo legolas sauronwilliam eth0 dhcp DHCP Server DHCP Relay Agent 172.30.N.0 /24 Shire 192.168.2.0 /24 Rivendell 192.168.3.0 /24 Mordor DHCP Reservation client This is what we build for the DHCP lab

34 CIS 192 - Lesson 7 34 eth0.1XX eth1.1XX eth0 dhcp eth0.150 eth1.150 elrond frodo legolas sauronwilliam eth0 dhcp DHCP Server DHCP Relay Agent 172.30.N.0 /24 Shire 192.168.2.0 /24 Rivendell 192.168.3.0 /24 Mordor DHCP Reservation client VM preparation: Revert VMs to the original state Cabling Use VM settings to connect with bridged or specific VMnets

35 CIS 192 - Lesson 7 35 eth0.1XX eth1.1XX eth0 dhcp eth0.150 eth1.150 elrond frodo legolas sauronwilliam eth0 dhcp DHCP Server DHCP Relay Agent 172.30.N.0 /24 Shire 192.168.2.0 /24 Rivendell 192.168.3.0 /24 Mordor DHCP Reservation client NIC Configuration: Frodo, William and Sauron – no changes Configure Elrond eth0 and eth1 as shown Configure Legolas eth0 as dhcp and eth1 as shown Add static routes to get to private networks Add default gateways /etc/sysconfig/network /etc/sysconfig/network-scripts/ifcfg-eth* /etc/sysconfig/network-scripts/route-eth* /etc/resolv.conf /etc/sysctl.conf service network restart sysctl –p ifconfig route –n cat /proc/sys/net/ipv4/ip_forward

36 CIS 192 - Lesson 7 36 eth0.1XX eth1.1XX eth0 dhcp eth0.150 eth1.150 elrond frodo legolas sauronwilliam eth0 dhcp DHCP Server DHCP Relay Agent 172.30.N.0 /24 Shire 192.168.2.0 /24 Rivendell 192.168.3.0 /24 Mordor DHCP Reservation client NIC Configuration: Frodo, William and Sauron – no changes Configure Elrond eth0 and eth1 as shown Configure Legolas eth0 as dhcp and eth1 as shown Add static routes to get to private networks Add default gateways Ubuntu/Debian: /etc/network/interfaces /etc/resolv.conf /etc/init.d/networking restart ifconfig route –n

37 CIS 192 - Lesson 7 37 eth0.1XX eth1.1XX eth0 dhcp eth0.150 eth1.150 elrond frodo legolas sauronwilliam eth0 dhcp DHCP Server DHCP Relay Agent 172.30.N.0 /24 Shire 192.168.2.0 /24 Rivendell 192.168.3.0 /24 Mordor DHCP Reservation client Software Installation: Install the dhcp package on Elrond Temporarily cable Legolas eth0 to Shire and install dhcp package Temporary hookups: Use bridged connection use dhclient (to get an IP) Install software dhclient –r (to release IP) yum install xxxxx rpm –qa | grep xxxxx

38 CIS 192 - Lesson 7 38 eth0.1XX eth1.1XX eth0 dhcp eth0.150 eth1.150 elrond frodo legolas sauronwilliam eth0 dhcp DHCP Server DHCP Relay Agent 172.30.N.0 /24 Shire 192.168.2.0 /24 Rivendell 192.168.3.0 /24 Mordor DHCP Reservation client Configure service: Edit /etc/dhcpd.conf on Elrond Edit /etc/sysconfig/dhcrelay on Legolas Start services vi /etc/xxxx.xxxx service xxxx start chkconfig xxxxx on service xxxxx status chkconfig --list

39 CIS 192 - Lesson 7 39 eth0.1XX eth1.1XX eth0 dhcp eth0.150 eth1.150 elrond frodo legolas sauronwilliam eth0 dhcp DHCP Server DHCP Relay Agent 172.30.N.0 /24 Shire 192.168.2.0 /24 Rivendell 192.168.3.0 /24 Mordor DHCP Reservation client Configure security: Firewalls SELinux setting lokkit iptables –F iptables –L Graphical security utility When doing lab assignments it may be helpful to temporarily disable security settings while you initially implement a new service. If real life this may not be possible!

40 CIS 192 - Lesson 7 40 eth0.1XX eth1.1XX eth0 dhcp eth0.150 eth1.150 elrond frodo legolas sauronwilliam eth0 dhcp DHCP Server DHCP Relay Agent 172.30.N.0 /24 Shire 192.168.2.0 /24 Rivendell 192.168.3.0 /24 Mordor DHCP Reservation client Test new service: Power up Frodo, William and Sauron and check if they get IP and related settings via your DHCP service Check that Legolas eth0 got it's reserved IP address

41 CIS 192 - Lesson 7 41 eth0.1XX eth1.1XX eth0 dhcp eth0.150 eth1.150 elrond frodo legolas sauronwilliam eth0 dhcp DHCP Server DHCP Relay Agent 172.30.N.0 /24 Shire 192.168.2.0 /24 Rivendell 192.168.3.0 /24 Mordor DHCP Reservation client Troubleshoot: Cabling NIC configuration Routing tables and IP forwarding Firewall/SELinux Configuration files edits /var/log messages Rogue Nosmos Duplicate IP addresses Incomplete ARP tables (arp –n)

42 CIS 192 - Lesson 7 42 eth0.1XX eth1.1XX eth0 dhcp eth0.150 eth1.150 elrond frodo legolas sauronwilliam eth0 dhcp DHCP Server DHCP Relay Agent 172.30.N.0 /24 Shire 192.168.2.0 /24 Rivendell 192.168.3.0 /24 Mordor DHCP Reservation client Document: Network map NIC configuration files ifconfig and route –n output Service configuration files Specific files for the lab Red Hat server /var/lib/dhcpd/dhcpd.leases Red Hat client /var/lib/dhclient/dhclient.leases Ubuntu client /var/lib/dhcp3/dhclient.leases

43 43 CIS 192 - Lesson 7 Exercise Revert Elrond to it's snapshot Power up Elrond Login as root, startx & (for graphical desktop) Graphical terminal, use vmware-toolbox & Configure Elrond (use following slides) service network restart (enable configured network settings) sysctl –p (enable forwarding) Install the dhcp server with yum install dhcp DHCP elrond eth0.1XX eth1.1XX elrond DHCP 172.30.N.0 /24 Use 1 for the classroom Lookup in the Classroom Static IP Table

44 44 CIS 192 - Lesson 7 Exercise DHCP elrond [root@elrond ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0 # Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE] DEVICE=eth0 ONBOOT=yes HWADDR=00:0c:29:4e:21:9b BOOTPROTO=static IPADDR=172.30.N.1XX NETMASK=255.255.255.0 BROADCAST=172.30.N.255 [root@elrond ~]# [root@elrond ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1 # Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE] DEVICE=eth1 ONBOOT=yes HWADDR=00:0c:29:4e:21:a5 BOOTPROTO=static IPADDR=192.168.2.1XX NETMASK=255.255.255.0 BROADCAST=192.168.2.255 [root@elrond ~]#.1XX is based on your station number and the Classroom IP Table N=1 for the classroom and N=4 for the CIS lab or CTC Use you own MAC addresses!

45 StationIPStatic 1 Instructor172.30.1.100172.30.1.125 Station-01172.30.1.101172.30.1.126 Station-02172.30.1.102172.30.1.127 Station-03172.30.1.103172.30.1.128 Station-04172.30.1.104172.30.1.129 Station-05172.30.1.105172.30.1.130 Station-06172.30.1.106172.30.1.131 Station-07172.30.1.107172.30.1.132 Station-08172.30.1.108172.30.1.133 Station-09172.30.1.109172.30.1.134 Station-10172.30.1.110172.30.1.135 Station-11172.30.1.111172.30.1.136 Station-12172.30.1.112172.30.1.137 StationIPStatic 1 Station-13172.30.1.113172.30.1.138 Station-14172.30.1.114172.30.1.139 Station-15172.30.1.115172.30.1.140 Station-16172.30.1.116172.30.1.141 Station-17172.30.1.117172.30.1.142 Station-18172.30.1.118172.30.1.143 Station-19172.30.1.119172.30.1.144 Station-20172.30.1.120172.30.1.145 Station-21172.30.1.121172.30.1.146 Station-22172.30.1.122172.30.1.147 Station-23172.30.1.123172.30.1.148 Station-24172.30.1.124172.30.1.149 CIS 192 - Lesson 7 IP addresses for VM's in the classroom Only use the static IP address shown in this table for your classroom PC VM to avoid IP address conflicts

46 46 CIS 192 - Lesson 7 Exercise DHCP elrond [root@elrond ~]# cat /etc/sysconfig/network-scripts/route-eth1 192.168.3.0/24 via 192.168.2.150 [root@elrond ~]# [root@elrond ~]# cat /etc/resolv.conf nameserver 207.62.187.54 [root@elrond ~]# [root@elrond ~]# cat /etc/sysconfig/network NETWORKING=yes NETWORKING_IPV6=no HOSTNAME=elrond.localdomain GATEWAY=172.30.N.1 [root@elrond ~]# [root@elrond ~]# cat /etc/sysctl.conf # Controls IP packet forwarding net.ipv4.ip_forward = 1 [root@elrond ~]# N=1 for the classroom and N=4 for the CIS lab or CTC

47 47 CIS 192 - Lesson 7 Exercise Revert Legolas to it's snapshot Power up Legolas Login as root, startx & (for graphical desktop) Graphical terminal, use vmware-toolbox & Temporarily cable eth0 to the classroom network (bridged) Temporarily connect with dhclient eth0 Install the dhcp server with yum install dhcp Recable and finish configuring Legolas (use following slides) service network restart (enable configured network settings) sysctl –p (enable forwarding) legolas eth0.150 eth1.150 legolas DHCP Relay Agent DHCP Reservation 192.168.3.0 /24 Mordor For now, eth0 will lose it's IP address until we set up Elrond 's DHCP service

48 48 CIS 192 - Lesson 7 Exercise legolas [root@legolas ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0 # Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE] DEVICE=eth0 HWADDR=00:0C:29:7C:18:F5 ONBOOT=yes BOOTPROTO=dhcp [root@legolas ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1 # Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE] DEVICE=eth1 HWADDR=00:0C:29:7C:18:FF ONBOOT=yes BOOTPROTO=static IPADDR=192.168.3.150 NETMASK=255.255.255.0 BROADCAST=192.168.3.255 Use you own MAC addresses!

49 49 CIS 192 - Lesson 7 Exercise legolas [root@legolas ~]# cat /etc/sysctl.conf # Controls IP packet forwarding net.ipv4.ip_forward = 1 [root@elrond ~]# Don't configure /etc/sysconfig/network or /etc/resolv.conf We will get default route, DNS settings using DHCP instead

50 DHCP Client Configuration 50

51 root@frodo:~# cat /etc/network/interfaces auto lo iface lo inet loopback auto eth0 iface eth0 inet dhcp up route add -net 192.0.0.0/8 gw 172.30.4.107 root@frodo:~# /etc/init.d/networking restart [root@legolas ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0 # Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE] DEVICE=eth0 HWADDR=00:0C:29:7C:18:F5 ONBOOT=yes BOOTPROTO=dhcp [root@legolas ~]# service network restart CIS 192 – Lesson 7 DHCP 51 Red Hat Family DHCP client example Ubuntu/Debian DHCP client example

52 DHCP 52

53 Dynamic Host Configuration Protocol Defined by RFC 1541 Extension of the bootstrap (bootp) protocol Updated by RFC 2131 adds DHCPINFORM and vendor specific options Benefits: Solution for mobile computers Helps when too few IP addresses to go around Centralizes network configuration Minimizes network support and maintenance CIS 192 – Lesson 7 DHCP 53

54 DHCP Architecture DHCP Servers Scopes and exclusions Reservations Leases Options ‒ IP Address and Netmask ‒ Gateway ‒ DNS Server ‒ Domain name ‒ others DHCP Relay Agents DHCP Clients CIS 192 – Lesson 7 DHCP 54 DHCP Clients lease IP addresses from DHCP Servers. DHCP Relay agents lets one DHCP server service non-connected subnets

55 DHCP Architecture DHCP Servers Scopes and exclusions Reservations Leases Options ‒ IP Address and Netmask ‒ Gateway ‒ DNS Server ‒ Domain name ‒ others DHCP Relay Agents DHCP Clients CIS 192 – Lesson 7 DHCP 55 A pool of IP addresses that can be assigned to clients

56 DHCP Architecture DHCP Servers Scopes and exclusions Reservations Leases Options ‒ IP Address and Netmask ‒ Gateway ‒ DNS Server ‒ Domain name ‒ others DHCP Relay Agents DHCP Clients CIS 192 – Lesson 7 DHCP 56 IP addresses can be reserved for specific computers using MAC addresses

57 DHCP Architecture DHCP Servers Scopes and exclusions Reservations Leases Options ‒ IP Address and Netmask ‒ Gateway ‒ DNS Server ‒ Domain name ‒ others DHCP Relay Agents DHCP Clients CIS 192 – Lesson 7 DHCP 57 Clients no longer own their own IP address and instead lease one from a DHCP server. The lease has a time limit but can be renewed

58 DHCP Architecture DHCP Servers Scopes and exclusions Reservations Leases Options ‒ IP Address and Netmask ‒ Gateway ‒ DNS Server ‒ Domain name ‒ others DHCP Relay Agents DHCP Clients CIS 192 – Lesson 7 DHCP 58 The DHCP server can configure more than just the IP address and mask

59 CIS 192 – Lesson 7 DHCP 59 DHCP Server DHCP Clients DHCP Relay Agent (Linux Router)

60 CIS 192 – Lesson 7 DHCP 60 DHCP Server DHCP Clients DHCP Relay Agent (Built into most routers)

61 DHCP Protocol DORA Discover Offer Request Acknowledge And Release, Decline, NAck CIS 192 – Lesson 7 DHCP 61

62 CIS 192 – Lesson 7 DHCP 62 DHCPDISCOVER DHCPOFFER DHCPREQUEST DHCPACK DHCPRELEASE DORA

63 CIS 192 – Lesson 7 DHCP 63 DHCPDISCOVER DHCPOFFER DHCPREQUEST DHCPACK DHCPRELEASE DORA root@frodo:~# dhclient Internet Systems Consortium DHCP Client V3.1.1 Copyright 2004-2008 Internet Systems Consortium. All rights reserved. For info, please visit http://www.isc.org/sw/dhcp/ Listening on LPF/eth0/00:0c:29:6f:53:d9 Sending on LPF/eth0/00:0c:29:6f:53:d9 Sending on Socket/fallback DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3 DHCPOFFER of 172.30.4.195 from 172.30.4.1 DHCPREQUEST of 172.30.4.195 on eth0 to 255.255.255.255 port 67 DHCPACK of 172.30.4.195 from 172.30.4.1 bound to 172.30.4.195 -- renewal in 9509 seconds. root@frodo:~#

64 CIS 192 – Lesson 7 DHCP 64 DHCPDISCOVER DHCPOFFER DHCPREQUEST DHCPACK DHCPRELEASE DORA root@frodo:~# dhclient -r There is already a pid file /var/run/dhclient.pid with pid 9823 killed old client process, removed PID file Internet Systems Consortium DHCP Client V3.1.1 Copyright 2004-2008 Internet Systems Consortium. All rights reserved. For info, please visit http://www.isc.org/sw/dhcp/ Listening on LPF/eth0/00:0c:29:6f:53:d9 Sending on LPF/eth0/00:0c:29:6f:53:d9 Sending on Socket/fallback DHCPRELEASE on eth0 to 172.30.4.1 port 67 root@frodo:~#

65 CIS 192 – Lesson 7 DHCP 65 frodo elrond DHCP Sniffer Wireshark view of example DHCP operations 172.30.4.0/24 DHCP ServerDHCP Client

66 CIS 192 – Lesson 7 66 frodo elrond DHCP Sniffer 172.30.4.0/24 DHCP ServerDHCP Client Frodo starting up (needs IP address)

67 CIS 192 – Lesson 7 67 DHCPDISCOVER (broadcast) frodo UDP datagram is broadcast SIP = 0.0.0.0 Help, I need an IP address!

68 CIS 192 – Lesson 7 68 DHCPDISCOVER (broadcast) frodo Includes host name Help, I need an IP address!

69 CIS 192 – Lesson 7 69 DHCPDISCOVER (broadcast) frodo The request list of various options Help, I need an IP address!

70 CIS 192 – Lesson 7 70 elrond DHCP DHCPOFFER (unicast) Offer of an IP address is sent to Frodo's MAC Address Here is an IP address, want it?

71 CIS 192 – Lesson 7 71 elrond DHCP DHCPOFFER (unicast) Additional network configuration is included in the offer Here is an IP address, want it?

72 CIS 192 – Lesson 7 72 DHCPREQUEST (broadcast) frodo Request is broadcast back Yes, I want that one

73 CIS 192 – Lesson 7 73 DHCPREQUEST (broadcast) frodo Includes IP address and DHCP server that made the offer Yes, I want that one

74 CIS 192 – Lesson 7 74 elrond DHCP DHCPACK (unicast) IP address is confirmed You got it!

75 CIS 192 – Lesson 7 75 elrond DHCP DHCPACK (unicast) Lease time is 6 hours You got it!

76 CIS 192 – Lesson 7 76 frodo elrond DHCP Sniffer 172.30.4.0/24 DHCP ServerDHCP Client Half of the lease time has expired. Frodo wants to renew the lease.

77 CIS 192 – Lesson 7 77 DHCPREQUEST (unicast) frodo I want to renew the lease! Request is sent directly to the DHCP sever IP address

78 CIS 192 – Lesson 7 78 I want to renew the lease! DHCPREQUEST (unicast) frodo

79 CIS 192 – Lesson 7 79 elrond DHCP DHCPACK (unicast) You got it! IP address is confirmed

80 CIS 192 – Lesson 7 80 elrond DHCP DHCPACK (unicast) You got it! Lease time is 6 hours

81 CIS 192 – Lesson 7 81 frodo elrond DHCP Sniffer 172.30.4.0/24 DHCP ServerDHCP Client Frodo is done and wants to end the lease

82 CIS 192 – Lesson 7 82 I want out! DHCPRELEASE (unicast) frodo IP Address to release

83 CIS 192 – Lesson 7 83 I want out! frodo DHCPRELEASE (unicast) DHCP server and client hostname

84 DHCP installation and configuration yum install dhcp Edit /etc/dhcpd.conf For details use man dhcpd.conf See (CentOS) example in: /usr/share/doc/dhcp-3.0.5/dhcpd.conf.sample service dhcpd start Monitor leases in: /var/lib/dhcpd/dhcpd.leases CIS 192 – Lesson 7 DHCP 84

85 [root@elrond ~]# rpm -qa | grep dhcp dhcp-3.0.5-13.el5 dhcpv6-client-1.0.10-4.el5_2.3 [root@elrond ~]#[root@elrond ~]# ps -ef | grep dhc root 5587 1 0 15:50 ? 00:00:00 /usr/sbin/dhcpd root 9911 5505 0 18:18 pts/0 00:00:00 grep dhc [root@elrond ~]# [root@elrond ~]# service dhcpd status dhcpd (pid 5587) is running... [root@elrond ~]# CIS 192 – Lesson 7 DHCP 85 Is it installed? Is it running?

86 Sample dhcpd.conf CIS 192 – Lesson 7 86

87 [root@elrond ~]# cat /usr/share/doc/dhcp-3.0.5/dhcpd.conf.sample ddns-update-style interim; ignore client-updates; subnet 192.168.0.0 netmask 255.255.255.0 { # --- default gateway option routers 192.168.0.1; option subnet-mask 255.255.255.0; option nis-domain "domain.org"; option domain-name "domain.org"; option domain-name-servers 192.168.1.1; option time-offset -18000; # Eastern Standard Time # option ntp-servers 192.168.1.1; # option netbios-name-servers 192.168.1.1; # --- Selects point-to-point node (default is hybrid). Don't change this unless # -- you understand Netbios very well # option netbios-node-type 2; range dynamic-bootp 192.168.0.128 192.168.0.254; default-lease-time 21600; max-lease-time 43200; # we want the nameserver to appear at a fixed address host ns { next-server marvin.redhat.com; hardware ethernet 12:34:56:78:AB:CD; fixed-address 207.175.42.254; } [root@elrond ~]# CIS 192 – Lesson 7 87 Global settings

88 [root@elrond ~]# cat /usr/share/doc/dhcp-3.0.5/dhcpd.conf.sample ddns-update-style interim; ignore client-updates; subnet 192.168.0.0 netmask 255.255.255.0 { # --- default gateway option routers 192.168.0.1; option subnet-mask 255.255.255.0; option nis-domain "domain.org"; option domain-name "domain.org"; option domain-name-servers 192.168.1.1; option time-offset -18000; # Eastern Standard Time # option ntp-servers 192.168.1.1; # option netbios-name-servers 192.168.1.1; # --- Selects point-to-point node (default is hybrid). Don't change this unless # -- you understand Netbios very well # option netbios-node-type 2; range dynamic-bootp 192.168.0.128 192.168.0.254; default-lease-time 21600; max-lease-time 43200; # we want the nameserver to appear at a fixed address host ns { next-server marvin.redhat.com; hardware ethernet 12:34:56:78:AB:CD; fixed-address 207.175.42.254; } [root@elrond ~]# CIS 192 – Lesson 7 88 Subnet specific settings

89 [root@elrond ~]# cat /usr/share/doc/dhcp-3.0.5/dhcpd.conf.sample ddns-update-style interim; ignore client-updates; subnet 192.168.0.0 netmask 255.255.255.0 { # --- default gateway option routers 192.168.0.1; option subnet-mask 255.255.255.0; option nis-domain "domain.org"; option domain-name "domain.org"; option domain-name-servers 192.168.1.1; option time-offset -18000; # Eastern Standard Time # option ntp-servers 192.168.1.1; # option netbios-name-servers 192.168.1.1; # --- Selects point-to-point node (default is hybrid). Don't change this unless # -- you understand Netbios very well # option netbios-node-type 2; range dynamic-bootp 192.168.0.128 192.168.0.254; default-lease-time 21600; max-lease-time 43200; # we want the nameserver to appear at a fixed address host ns { next-server marvin.redhat.com; hardware ethernet 12:34:56:78:AB:CD; fixed-address 207.175.42.254; } [root@elrond ~]# CIS 192 – Lesson 7 89 DHCP options that can be assigned to clients

90 [root@elrond ~]# cat /usr/share/doc/dhcp-3.0.5/dhcpd.conf.sample ddns-update-style interim; ignore client-updates; subnet 192.168.0.0 netmask 255.255.255.0 { # --- default gateway option routers 192.168.0.1; option subnet-mask 255.255.255.0; option nis-domain "domain.org"; option domain-name "domain.org"; option domain-name-servers 192.168.1.1; option time-offset -18000; # Eastern Standard Time # option ntp-servers 192.168.1.1; # option netbios-name-servers 192.168.1.1; # --- Selects point-to-point node (default is hybrid). Don't change this unless # -- you understand Netbios very well # option netbios-node-type 2; range dynamic-bootp 192.168.0.128 192.168.0.254; default-lease-time 21600; max-lease-time 43200; # we want the nameserver to appear at a fixed address host ns { next-server marvin.redhat.com; hardware ethernet 12:34:56:78:AB:CD; fixed-address 207.175.42.254; } [root@elrond ~]# CIS 192 – Lesson 7 90 Which method to use to dynamically update the DNS (Ad-hoc or interim)

91 [root@elrond ~]# cat /usr/share/doc/dhcp-3.0.5/dhcpd.conf.sample ddns-update-style interim; ignore client-updates; subnet 192.168.0.0 netmask 255.255.255.0 { # --- default gateway option routers 192.168.0.1; option subnet-mask 255.255.255.0; option nis-domain "domain.org"; option domain-name "domain.org"; option domain-name-servers 192.168.1.1; option time-offset -18000; # Eastern Standard Time # option ntp-servers 192.168.1.1; # option netbios-name-servers 192.168.1.1; # --- Selects point-to-point node (default is hybrid). Don't change this unless # -- you understand Netbios very well # option netbios-node-type 2; range dynamic-bootp 192.168.0.128 192.168.0.254; default-lease-time 21600; max-lease-time 43200; # we want the nameserver to appear at a fixed address host ns { next-server marvin.redhat.com; hardware ethernet 12:34:56:78:AB:CD; fixed-address 207.175.42.254; } [root@elrond ~]# CIS 192 – Lesson 7 91 Either allow or ignore the clients intention to update its own DNS A record

92 [root@elrond ~]# cat /usr/share/doc/dhcp-3.0.5/dhcpd.conf.sample ddns-update-style interim; ignore client-updates; subnet 192.168.0.0 netmask 255.255.255.0 { # --- default gateway option routers 192.168.0.1; option subnet-mask 255.255.255.0; option nis-domain "domain.org"; option domain-name "domain.org"; option domain-name-servers 192.168.1.1; option time-offset -18000; # Eastern Standard Time # option ntp-servers 192.168.1.1; # option netbios-name-servers 192.168.1.1; # --- Selects point-to-point node (default is hybrid). Don't change this unless # -- you understand Netbios very well # option netbios-node-type 2; range dynamic-bootp 192.168.0.128 192.168.0.254; default-lease-time 21600; max-lease-time 43200; # we want the nameserver to appear at a fixed address host ns { next-server marvin.redhat.com; hardware ethernet 12:34:56:78:AB:CD; fixed-address 207.175.42.254; } [root@elrond ~]# CIS 192 – Lesson 7 92 Subnet specific settings. Everything enclosed within the { } applies to just this specific subnet.

93 [root@elrond ~]# cat /usr/share/doc/dhcp-3.0.5/dhcpd.conf.sample ddns-update-style interim; ignore client-updates; subnet 192.168.0.0 netmask 255.255.255.0 { # --- default gateway option routers 192.168.0.1; option subnet-mask 255.255.255.0; option nis-domain "domain.org"; option domain-name "domain.org"; option domain-name-servers 192.168.1.1; option time-offset -18000; # Eastern Standard Time # option ntp-servers 192.168.1.1; # option netbios-name-servers 192.168.1.1; # --- Selects point-to-point node (default is hybrid). Don't change this unless # -- you understand Netbios very well # option netbios-node-type 2; range dynamic-bootp 192.168.0.128 192.168.0.254; default-lease-time 21600; max-lease-time 43200; # we want the nameserver to appear at a fixed address host ns { next-server marvin.redhat.com; hardware ethernet 12:34:56:78:AB:CD; fixed-address 207.175.42.254; } [root@elrond ~]# CIS 192 – Lesson 7 93 Default gateway to assign for this subnet

94 [root@elrond ~]# cat /usr/share/doc/dhcp-3.0.5/dhcpd.conf.sample ddns-update-style interim; ignore client-updates; subnet 192.168.0.0 netmask 255.255.255.0 { # --- default gateway option routers 192.168.0.1; option subnet-mask 255.255.255.0; option nis-domain "domain.org"; option domain-name "domain.org"; option domain-name-servers 192.168.1.1; option time-offset -18000; # Eastern Standard Time # option ntp-servers 192.168.1.1; # option netbios-name-servers 192.168.1.1; # --- Selects point-to-point node (default is hybrid). Don't change this unless # -- you understand Netbios very well # option netbios-node-type 2; range dynamic-bootp 192.168.0.128 192.168.0.254; default-lease-time 21600; max-lease-time 43200; # we want the nameserver to appear at a fixed address host ns { next-server marvin.redhat.com; hardware ethernet 12:34:56:78:AB:CD; fixed-address 207.175.42.254; } [root@elrond ~]# CIS 192 – Lesson 7 94 Default netmask to assign for this subnet

95 [root@elrond ~]# cat /usr/share/doc/dhcp-3.0.5/dhcpd.conf.sample ddns-update-style interim; ignore client-updates; subnet 192.168.0.0 netmask 255.255.255.0 { # --- default gateway option routers 192.168.0.1; option subnet-mask 255.255.255.0; option nis-domain "domain.org"; option domain-name "domain.org"; option domain-name-servers 192.168.1.1; option time-offset -18000; # Eastern Standard Time # option ntp-servers 192.168.1.1; # option netbios-name-servers 192.168.1.1; # --- Selects point-to-point node (default is hybrid). Don't change this unless # -- you understand Netbios very well # option netbios-node-type 2; range dynamic-bootp 192.168.0.128 192.168.0.254; default-lease-time 21600; max-lease-time 43200; # we want the nameserver to appear at a fixed address host ns { next-server marvin.redhat.com; hardware ethernet 12:34:56:78:AB:CD; fixed-address 207.175.42.254; } [root@elrond ~]# CIS 192 – Lesson 7 95 domain names to assign. NIS is a UNIX only domain used within an organization. DNS supports all OS's and spans the Internet

96 [root@elrond ~]# cat /usr/share/doc/dhcp-3.0.5/dhcpd.conf.sample ddns-update-style interim; ignore client-updates; subnet 192.168.0.0 netmask 255.255.255.0 { # --- default gateway option routers 192.168.0.1; option subnet-mask 255.255.255.0; option nis-domain "domain.org"; option domain-name "domain.org"; option domain-name-servers 192.168.1.1; option time-offset -18000; # Eastern Standard Time # option ntp-servers 192.168.1.1; # option netbios-name-servers 192.168.1.1; # --- Selects point-to-point node (default is hybrid). Don't change this unless # -- you understand Netbios very well # option netbios-node-type 2; range dynamic-bootp 192.168.0.128 192.168.0.254; default-lease-time 21600; max-lease-time 43200; # we want the nameserver to appear at a fixed address host ns { next-server marvin.redhat.com; hardware ethernet 12:34:56:78:AB:CD; fixed-address 207.175.42.254; } [root@elrond ~]# CIS 192 – Lesson 7 96 The DNS server to assign

97 [root@elrond ~]# cat /usr/share/doc/dhcp-3.0.5/dhcpd.conf.sample ddns-update-style interim; ignore client-updates; subnet 192.168.0.0 netmask 255.255.255.0 { # --- default gateway option routers 192.168.0.1; option subnet-mask 255.255.255.0; option nis-domain "domain.org"; option domain-name "domain.org"; option domain-name-servers 192.168.1.1; option time-offset -18000; # Eastern Standard Time # option ntp-servers 192.168.1.1; # option netbios-name-servers 192.168.1.1; # --- Selects point-to-point node (default is hybrid). Don't change this unless # -- you understand Netbios very well # option netbios-node-type 2; range dynamic-bootp 192.168.0.128 192.168.0.254; default-lease-time 21600; max-lease-time 43200; # we want the nameserver to appear at a fixed address host ns { next-server marvin.redhat.com; hardware ethernet 12:34:56:78:AB:CD; fixed-address 207.175.42.254; } [root@elrond ~]# CIS 192 – Lesson 7 97 Offset in seconds from GMT -18000 = 5 hours (EST) -25200 = 7 hours (PDT) -28800 = 8 hours (PST)

98 [root@elrond ~]# cat /usr/share/doc/dhcp-3.0.5/dhcpd.conf.sample ddns-update-style interim; ignore client-updates; subnet 192.168.0.0 netmask 255.255.255.0 { # --- default gateway option routers 192.168.0.1; option subnet-mask 255.255.255.0; option nis-domain "domain.org"; option domain-name "domain.org"; option domain-name-servers 192.168.1.1; option time-offset -18000; # Eastern Standard Time # option ntp-servers 192.168.1.1; # option netbios-name-servers 192.168.1.1; # --- Selects point-to-point node (default is hybrid). Don't change this unless # -- you understand Netbios very well # option netbios-node-type 2; range dynamic-bootp 192.168.0.128 192.168.0.254; default-lease-time 21600; max-lease-time 43200; # we want the nameserver to appear at a fixed address host ns { next-server marvin.redhat.com; hardware ethernet 12:34:56:78:AB:CD; fixed-address 207.175.42.254; } [root@elrond ~]# CIS 192 – Lesson 7 98 Pool of IP addresses to assign

99 [root@elrond ~]# cat /usr/share/doc/dhcp-3.0.5/dhcpd.conf.sample ddns-update-style interim; ignore client-updates; subnet 192.168.0.0 netmask 255.255.255.0 { # --- default gateway option routers 192.168.0.1; option subnet-mask 255.255.255.0; option nis-domain "domain.org"; option domain-name "domain.org"; option domain-name-servers 192.168.1.1; option time-offset -18000; # Eastern Standard Time # option ntp-servers 192.168.1.1; # option netbios-name-servers 192.168.1.1; # --- Selects point-to-point node (default is hybrid). Don't change this unless # -- you understand Netbios very well # option netbios-node-type 2; range dynamic-bootp 192.168.0.128 192.168.0.254; default-lease-time 21600; max-lease-time 43200; # we want the nameserver to appear at a fixed address host ns { next-server marvin.redhat.com; hardware ethernet 12:34:56:78:AB:CD; fixed-address 207.175.42.254; } [root@elrond ~]# CIS 192 – Lesson 7 99 Time when client should attempt to renew the lease

100 [root@elrond ~]# cat /usr/share/doc/dhcp-3.0.5/dhcpd.conf.sample ddns-update-style interim; ignore client-updates; subnet 192.168.0.0 netmask 255.255.255.0 { # --- default gateway option routers 192.168.0.1; option subnet-mask 255.255.255.0; option nis-domain "domain.org"; option domain-name "domain.org"; option domain-name-servers 192.168.1.1; option time-offset -18000; # Eastern Standard Time # option ntp-servers 192.168.1.1; # option netbios-name-servers 192.168.1.1; # --- Selects point-to-point node (default is hybrid). Don't change this unless # -- you understand Netbios very well # option netbios-node-type 2; range dynamic-bootp 192.168.0.128 192.168.0.254; default-lease-time 21600; max-lease-time 43200; # we want the nameserver to appear at a fixed address host ns { next-server marvin.redhat.com; hardware ethernet 12:34:56:78:AB:CD; fixed-address 207.175.42.254; } [root@elrond ~]# CIS 192 – Lesson 7 100 Time when lease expires

101 [root@elrond ~]# cat /usr/share/doc/dhcp-3.0.5/dhcpd.conf.sample ddns-update-style interim; ignore client-updates; subnet 192.168.0.0 netmask 255.255.255.0 { # --- default gateway option routers 192.168.0.1; option subnet-mask 255.255.255.0; option nis-domain "domain.org"; option domain-name "domain.org"; option domain-name-servers 192.168.1.1; option time-offset -18000; # Eastern Standard Time # option ntp-servers 192.168.1.1; # option netbios-name-servers 192.168.1.1; # --- Selects point-to-point node (default is hybrid). Don't change this unless # -- you understand Netbios very well # option netbios-node-type 2; range dynamic-bootp 192.168.0.128 192.168.0.254; default-lease-time 21600; max-lease-time 43200; # we want the nameserver to appear at a fixed address host ns { next-server marvin.redhat.com; hardware ethernet 12:34:56:78:AB:CD; fixed-address 207.175.42.254; } [root@elrond ~]# CIS 192 – Lesson 7 101 IP reservation based on MAC address

102 DHCP Lab dhcpd.conf CIS 192 – Lesson 7 102

103 [root@elrond ~]# cat /etc/dhcpd.conf ddns-update-style interim; ignore client-updates; option time-offset -25200; # Pacific Daylight Time (-7 HR) # # R I V E N D E L L # subnet 192.168.2.0 netmask 255.255.255.0 { option routers 192.168.2.1XX; # Default GW option subnet-mask 255.255.255.0; option domain-name "rivendell"; option domain-name-servers 207.62.187.54; range dynamic-bootp 192.168.2.50 192.168.2.99; default-lease-time 21600; # 6 hours max-lease-time 43200; # 12 hours # reservations host legolas { hardware ethernet 00:0C:29:7C:18:F5; fixed-address 192.168.2.150; } CIS 192 – Lesson 7 103 Global and specific settings for DHCP Lab Rivendell subnet Will be the eth1 interface on your station's Elrond DHCP elrond DHCP

104 # # M O R D O R # subnet 192.168.3.0 netmask 255.255.255.0 { option routers 192.168.3.150; # Default GW option subnet-mask 255.255.255.0; option domain-name "mordor"; option domain-name-servers 207.62.187.54; range dynamic-bootp 192.168.3.50 192.168.3.99; default-lease-time 21600; # 6 hours max-lease-time 43200; # 12 hours } CIS 192 – Lesson 7 104 Settings for DHCP Lab Mordor subnet in /etc/dhcpd.conf DHCP elrond DHCP

105 # # S H I R E # subnet 172.30.4.0 netmask 255.255.255.0 { option routers 172.30.N.1; option subnet-mask 255.255.255.0; option domain-name "shire"; option domain-name-servers 207.62.187.54; range dynamic-bootp 172.30.4.80 172.30.4.84; default-lease-time 21600; max-lease-time 43200; } [root@elrond ~]# CIS 192 – Lesson 7 105 Settings for DHCP Lab Shire subnet in /etc/dhcpd.conf Use the pool of addresses based on your station number to avoid conflicts! N=1 for the classroom and N=4 for the lab DHCP elrond DHCP

106 CIS 192 - Lesson 7 Classroom DHCP IP allocation pools table by station number Use these pools of addresses based on your station number to avoid conflicts on the classroom network StationIPStartEnd 01172.30.1.101172.30.1.50172.30.1.54 02172.30.1.102172.30.1.55172.30.1.59 03172.30.1.103172.30.1.60172.30.1.64 04172.30.1.104172.30.1.65172.30.1.69 05172.30.1.105172.30.1.70172.30.1.74 06172.30.1.106172.30.1.75172.30.1.79 07172.30.1.107172.30.1.80172.30.1.84 08172.30.1.108172.30.1.85172.30.1.89 09172.30.1.109172.30.1.90172.30.1.94 10172.30.1.110172.30.1.95172.30.1.99 11172.30.1.111172.30.1.200172.30.1.204 12172.30.1.112172.30.1.205172.30.1.209 StationIPStartEnd 13172.30.1.101172.30.1.210172.30.1.214 14172.30.1.102172.30.1.215172.30.1.219 15172.30.1.103172.30.1.220172.30.1.224 16172.30.1.104172.30.1.225172.30.1.229 17172.30.1.105172.30.1.230172.30.1.234 18172.30.1.106172.30.1.235172.30.1.239 19172.30.1.107172.30.1.240172.30.1.244 20172.30.1.108172.30.1.245172.30.1.249 21172.30.1.109172.30.1.250172.30.1.254 22172.30.1.110172.30.1.30172.30.1.34 23172.30.1.111172.30.1.35172.30.1.39 24172.30.1.112172.30.1.20172.30.1.44 Instruct 172.30.1.100 172.30.1.45172.30.1.49

107 107 CIS 192 - Lesson 7 Exercise Configure /etc/dhcpd.conf on Elrond Use service dhcpd start for settings to take effect Test by: Power on Frodo, check ifconfig and route –n Power on William, check ipconfig, try ipconfig /release and ipconfig /renew service network restart on Legolas, check ifconfig and route -n to see if it got the reservation DHCP elrond eth0.1XX eth1.1XX eth0 dhcp eth0.150 eth1.150 elrond frodo legolas william eth0 dhcp DHCP Server DHCP Relay Agent 172.30.N.0 /24 Shire 192.168.2.0 /24 Rivendell DHCP Reservation

108 DHCP Relay Agent installation and configuration yum install dhcp Edit /etc/sysconfig/dhcrelay For details use man dhcrelay service dhcrelay start CIS 192 – Lesson 7 DHCP Relay Agent 108 legolas

109 [root@legolas ~]# rpm -qa | grep dhcp dhcp-3.0.5-13.el5 dhcpv6-client-1.0.10-4.el5_2.3 [root@legolas ~]# ps -ef | grep dhc root 5250 1 0 16:57 ? 00:00:00 dhclient eth0 root 9614 1 0 19:13 ? 00:00:00 /usr/sbin/dhcrelay -i eth0 -i eth1 192.168.2.107 root 10015 9925 0 19:19 pts/0 00:00:00 grep dhc [root@legolas ~]# [root@legolas ~]# service dhcrelay status dhcrelay (pid 9614) is running... [root@legolas ~]# CIS 192 – Lesson 7 DHCP Relay Agent 109 legolas Is it installed? Is it running?

110 [root@legolas ~]# cat /etc/sysconfig/dhcrelay # Command line options here INTERFACES="eth0 eth1" DHCPSERVERS="192.168.2.107" CIS 192 – Lesson 7 DHCP Relay Agent 110 Must monitor interface that listens for new clients needing DHCP services as well as the interface that communicates to the DHCP server eth0.1XX eth1.1XX eth0.150 eth1.150 elrond legolas sauron eth0 dhcp DHCP Server DHCP Relay Agent 192.168.2.0 /24 Rivendell 192.168.3.0 /24 Mordor DHCP Reservation

111 # # M O R D O R # subnet 192.168.3.0 netmask 255.255.255.0 { option routers 192.168.3.150; # Default GW option subnet-mask 255.255.255.0; option domain-name "mordor"; option domain-name-servers 207.62.187.54; range dynamic-bootp 192.168.3.50 192.168.3.99; default-lease-time 21600; # 6 hours max-lease-time 43200; # 12 hours } CIS 192 – Lesson 7 111 Need to add settings for the DHCP Lab Mordor subnet in /etc/dhcpd.conf on the DHCP server elrond DHCP

112 112 CIS 192 - Lesson 7 Exercise Configure relay agent on Legolas in /etc/sysconfig/dhcrelay Add new scope for Mordor to /etc/dhcpd.conf on Elrond Test by powering on Sauron and checking it is configured properly by DHCP DHCP elrond legolas eth0.1XX eth1.1XX eth0.150 eth1.150 elrond legolas sauronwilliam eth0 dhcp DHCP Server DHCP Relay Agent 192.168.2.0 /24 Rivendell 192.168.3.0 /24 Mordor DHCP Reservation client

113 lease files 113

114 [root@elrond ~]# cat /var/lib/dhcpd/dhcpd.leases # All times in this file are in UTC (GMT), not your local timezone. This is # not a bug, so please don't ask about it. There is no portable way to # store leases in the local timezone, so please don't request this as a # feature. If this is inconvenient or confusing to you, we sincerely # apologize. Seriously, though - don't ask. # The format of this file is documented in the dhcpd.leases(5) manual page. # This lease file was written by isc-dhcp-V3.0.5-RedHat lease 172.30.4.83 { starts 5 2009/03/20 18:24:00; ends 5 2009/03/20 18:33:55; tstp 5 2009/03/20 18:33:55; binding state free; hardware ethernet 00:0c:29:6f:53:d9; } lease 172.30.4.83 { starts 5 2009/03/20 18:34:02; ends 6 2009/03/21 00:34:02; binding state active; next binding state free; hardware ethernet 00:0c:29:6f:53:d9; client-hostname "frodo"; CIS 192 – Lesson 7 114 DHCP Lease tracking on the DHCP server DHCP elrond

115 root@frodo:~# cat /var/lib/dhcp3/dhclient.leases lease { interface "eth0"; fixed-address 172.30.4.83; option subnet-mask 255.255.255.0; option time-offset -25200; option routers 192.168.2.107; option dhcp-lease-time 21600; option dhcp-message-type 5; option domain-name-servers 207.62.187.54; option dhcp-server-identifier 172.30.4.107; option domain-name "shire"; renew 6 2009/03/21 19:08:50; rebind 6 2009/03/21 19:08:50; expire 6 2009/03/21 19:08:50; } lease { interface "eth0"; fixed-address 172.30.4.83; option subnet-mask 255.255.255.0; option time-offset -25200; option routers 192.168.2.107; CIS 192 – Lesson 7 115 DHCP Lease tracking on Ubuntu client frodo

116 [root@legolas ~]# cat /var/lib/dhclient/dhclient.leases lease { interface "eth0"; fixed-address 192.168.2.150; option subnet-mask 255.255.255.0; option time-offset -25200; option routers 192.168.2.107; option dhcp-lease-time 21600; option dhcp-message-type 5; option domain-name-servers 207.62.187.54; option dhcp-server-identifier 192.168.2.107; option domain-name "rivendell"; renew 5 2009/3/20 20:05:02; rebind 5 2009/3/20 20:05:02; expire 5 2009/3/20 20:05:02; } lease { interface "eth0"; fixed-address 192.168.2.150; option subnet-mask 255.255.255.0; option time-offset -25200; option routers 192.168.2.107; option dhcp-lease-time 21600; option dhcp-message-type 5; CIS 192 – Lesson 7 116 DHCP Lease tracking on Red Hat client legolas

117 Wrap 117

118 CIS 192 - Lesson 7 New commands, daemons: service dhcpd restart service dhcrelay restart Daemons and related configuration files /etc/dhcpd.conf /etc/sysconfig/dhcrelay /var/lib/dhcpd/dhcpd.leases /var/lib/dhclient/dhclient.leases /var/lib/dhcp3/dhclient.leases (ubuntu) 118

119 Assignment: Check Calendar Page http://simms-teach.com/cis192calendar.php http://simms-teach.com/cis192calendar.php Quiz questions for next class: What is the Wireshark filter string to view only DHCP transactions? What is the DHCP service configuration file on CentOS (Red Hat) family of servers? When a client wishes to renew a lease does it initially send the DHCPREQUEST as a broadcast or a unicast? CIS 192 – Lesson 7 Next Class 119

120 Backup 120

121 StationIPStatic 1 Instructor172.30.1.100172.30.1.125 Station-01172.30.1.101172.30.1.126 Station-02172.30.1.102172.30.1.127 Station-03172.30.1.103172.30.1.128 Station-04172.30.1.104172.30.1.129 Station-05172.30.1.105172.30.1.130 Station-06172.30.1.106172.30.1.131 Station-07172.30.1.107172.30.1.132 Station-08172.30.1.108172.30.1.133 Station-09172.30.1.109172.30.1.134 Station-10172.30.1.110172.30.1.135 Station-11172.30.1.111172.30.1.136 Station-12172.30.1.112172.30.1.137 StationIPStatic 1 Station-13172.30.1.113172.30.1.138 Station-14172.30.1.114172.30.1.139 Station-15172.30.1.115172.30.1.140 Station-16172.30.1.116172.30.1.141 Station-17172.30.1.117172.30.1.142 Station-18172.30.1.118172.30.1.143 Station-19172.30.1.119172.30.1.144 Station-20172.30.1.120172.30.1.145 Station-21172.30.1.121172.30.1.146 Station-22172.30.1.122172.30.1.147 Station-23172.30.1.123172.30.1.148 Station-24172.30.1.124172.30.1.149 CIS 192 - Lesson 7 Classroom Static IP addresses for VM's Note the static IP address for your station to use in the next class exercise

122 CIS 192 - Lesson 7 Classroom DHCP IP allocation pools table by station number StationIPStartEnd 01172.30.1.101172.30.1.50172.30.1.54 02172.30.1.102172.30.1.55172.30.1.59 03172.30.1.103172.30.1.60172.30.1.64 04172.30.1.104172.30.1.65172.30.1.69 05172.30.1.105172.30.1.70172.30.1.74 06172.30.1.106172.30.1.75172.30.1.79 07172.30.1.107172.30.1.80172.30.1.84 08172.30.1.108172.30.1.85172.30.1.89 09172.30.1.109172.30.1.90172.30.1.94 10172.30.1.110172.30.1.95172.30.1.99 11172.30.1.111172.30.1.200172.30.1.204 12172.30.1.112172.30.1.205172.30.1.209 StationIPStartEnd 13172.30.1.101172.30.1.210172.30.1.214 14172.30.1.102172.30.1.215172.30.1.219 15172.30.1.103172.30.1.220172.30.1.224 16172.30.1.104172.30.1.225172.30.1.229 17172.30.1.105172.30.1.230172.30.1.234 18172.30.1.106172.30.1.235172.30.1.239 19172.30.1.107172.30.1.240172.30.1.244 20172.30.1.108172.30.1.245172.30.1.249 21172.30.1.109172.30.1.250172.30.1.254 22172.30.1.110172.30.1.30172.30.1.34 23172.30.1.111172.30.1.35172.30.1.39 24172.30.1.112172.30.1.20172.30.1.44 Instruct 172.30.1.100 172.30.1.45172.30.1.49 Use these pools of addresses based on your station number to avoid conflicts on the classroom network

123 123 nosmo 207.62.187.54 Internet.1 DNS.10 snickers DHCP buttercup eth0.1XX eth1.1XX eth0 dhcp eth0.150 eth1.150 elrond frodo legolas sauronwilliam eth0 dhcp DHCP Server DHCP Relay Agent 172.30.N.0 /24 Shire 192.168.2.0 /24 Rivendell 192.168.3.0 /24 Mordor DHCP Reservation client

Download ppt "CIS 192 – Lesson 7 Lesson Module Status Slides – draft Properties - done Flashcards - 1 st minute quiz – done Web Calendar summary – done Web book pages."

Similar presentations

TCP-IP Primer David Cozens. Targets Have a basic understanding of Ethernet network technology Be aware of how this technology is applied on the 5000 series.

TCP-IP Primer David Cozens. Targets Have a basic understanding of Ethernet network technology Be aware of how this technology is applied on the 5000 series.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 4 Installing and Configuring the Dynamic Host Configuration Protocol.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 4 Installing and Configuring the Dynamic Host Configuration Protocol.
Chapter 11 Configuring Dynamic Host Configuration Protocol

Chapter 11 Configuring Dynamic Host Configuration Protocol
Dynamic Host Configuration Protocol (DHCP)

Dynamic Host Configuration Protocol (DHCP)
Ch. 1 – Scaling IP Addresses NAT/PAT and DHCP CMPSC-358 (CCNA 4 ) Spring 2007.

Ch. 1 – Scaling IP Addresses NAT/PAT and DHCP CMPSC-358 (CCNA 4 ) Spring 2007.
BOOTP and DHCP Shivkumar Kalyanaraman Rensselaer Polytechnic Institute

BOOTP and DHCP Shivkumar Kalyanaraman Rensselaer Polytechnic Institute
Lesson 11: Deploying and Configuring the DHCP Service

Lesson 11: Deploying and Configuring the DHCP Service
Hands-On Microsoft Windows Server 2003 Networking Chapter 5 Dynamic Host Configuration Protocol.

Hands-On Microsoft Windows Server 2003 Networking Chapter 5 Dynamic Host Configuration Protocol.
DHCP (Dynamic Host Configuration Protocol) RD-CSY2001-2008/09.

DHCP (Dynamic Host Configuration Protocol) RD-CSY /09.
1 CMPT 471 Networking II DHCP © Janice Regan, 2006-2013.

1 CMPT 471 Networking II DHCP © Janice Regan,
1 Dynamic Host Configuration Protocol (DHCP). 2 Dynamic Assignment of IP addresses Dynamic assignment of IP addresses is desirable for several reasons:

1 Dynamic Host Configuration Protocol (DHCP). 2 Dynamic Assignment of IP addresses Dynamic assignment of IP addresses is desirable for several reasons:
Chapter Overview Understanding DHCP Configuring a DHCP Server

Chapter Overview Understanding DHCP Configuring a DHCP Server
DHCP Dynamic Host Configuration Protocol.

DHCP Dynamic Host Configuration Protocol.
Managing DHCP. 2 DHCP Overview Is a protocol that allows client computers to automatically receive an IP address and TCP/IP settings from a Server Reduces.

Managing DHCP. 2 DHCP Overview Is a protocol that allows client computers to automatically receive an IP address and TCP/IP settings from a Server Reduces.
SUSE Linux Enterprise Server Administration (Course 3037) Chapter 7 Connect the SUSE Linux Enterprise Server to the Network.

SUSE Linux Enterprise Server Administration (Course 3037) Chapter 7 Connect the SUSE Linux Enterprise Server to the Network.
DHCP. DHCP (Dynamic Host Configuration Protocol) is a network service that enables clients to obtain network settings (IP Address, Subnet Mask, Default.

DHCP. DHCP (Dynamic Host Configuration Protocol) is a network service that enables clients to obtain network settings (IP Address, Subnet Mask, Default.
Lesson 3 Introduction to Networking Concepts Lesson 3.

Lesson 3 Introduction to Networking Concepts Lesson 3.
Implementing Dynamic Host Configuration Protocol

Implementing Dynamic Host Configuration Protocol
Dynamic Host Configuration Protocol (DHCP)

Dynamic Host Configuration Protocol (DHCP)
1 Lab 3 Transport Layer T.A. Youngjoo Han. 2 Transport Layer  Providing logical communication b/w application processes running on different hosts 

1 Lab 3 Transport Layer T.A. Youngjoo Han. 2 Transport Layer  Providing logical communication b/w application processes running on different hosts 

Similar presentations

Ads by Google