110 Chapter 3: Application Protocols
Foundation Topics
Domain Name System
This section covers Domain Name System (DNS) and sample configurations used on Cisco IOS routers.
DNS’s primary use is to manage Internet names across the World Wide Web. For users or clients to use names instead of 32-bit IP addresses, the TCP/IP model designers developed DNS to translate names into IP addresses.
DNS uses TCP and UDP port number 53.
In a large IP environment, network users need an easier way to connect to hosts without having to remember 32-bit IP addresses—that’s where DNS comes into play. DNS provides a service that allows users to use a host’s name in place of an IP Address to connect to hosts. When DNS services are running, the host’s name is used to request its IP address from a DNS server. The DNS server is a host running the DNS service, and it is configured to do the translation for the user transparently. In other words, the user never sees the DNS request and host-to-IP address translation. The client simply connects to a host name, and the DNS server does the translation.
For example, the website www.cisco.com is translated to the IP address 198.133.129.25.
DNS is a distributed database where organizations can use a predefined name or extension to all their devices. Nations can use extensions to define hosts residing in their country. For example, the extension for Australia is defined as .au. To reach the Cisco website in Australia, a user would type www.cisco.com.au in a web browser.
A regulatory body called the Internet Registration Authority manages domain names.
Similar to DNS, Cisco routers can be configured to locally look up names so network administrator can simply type a name rather than an IP address. Local names can also be configured for devices.
To illustrate a local DNS lookup on a Cisco IOS router, look at the following Cisco router command that provides a host lookup. (Note: a router will not provide DNS server responses to client devices such as PCs or UNIX hosts.)
The following IOS command defines a local name to IP address:
ip host name [tcp-port-number] ip address1 [ip address2...ip address8]
You can assign more than one IP address to any given name.
Example 3-1 displays three hosts and their corresponding IP addresses.
Domain Name System 111
Example 3-1 Local IP Host Configuration on a Cisco Router
ip host Router1 131.108.1.1 ip host Router2 131.108.1.2 ip host Router3 131.108.1.3
The three hosts, named Router1, Router2, and Router3 in Example 3-1, are translated into IP addresses 131.108.1.1, 131.108.1.2, and 131.108.1.3.
When a network administrator types in the host name, the router translates the name to an IP address. Example 3-2 displays a network administrator Telneting from router, R1, to the remote host, Router2.
Example 3-2 Local DNS Translation
R1#router2
Translating "router2"
Trying Router2 (131.108.1.2)... Open
User Access Verification
Password: *****
Router2>
When the network administrator types the name router2 (DNS names are not case-sensitive) at the exec prompt, the Cisco IOS router does a local host lookup for the name router2 and translates the address to 131.108.1.2.
What would happen if you typed a name that was not configured locally? Example 3-3 displays the sample output from a Cisco router when an unknown name (ccie, in this case) is typed at the exec prompt.
Example 3-3 Name Translation for ccie
R1#ccie
Translating "ccie"
Translating "ccie"
% Unknown command or computer name, or unable to find computer address
R1#
From the privileged exec prompt on Router R1 in Example 3-3, R1 does a local DNS lookup, discovers there is no DNS translation, and provides the shaded error message.
Scalability issues with local host configuration can become a nightmare with a large network. Thankfully, DNS servers can be placed around the network (typically in the core infrastructure) to ensure that only a few devices in the network require the full table of names and IP address translations. The World Wide Web has DNS servers that provide DNS mapping for websites.
112 Chapter 3: Application Protocols
NOTE |
By default, Cisco routers search for a DNS server. To disable this feature, use the IOS command |
|
no ip domain-lookup. This stops the router from querying a DNS server whenever a name |
|
translation is required. This command is a definite time saver for the CCIE Security Lab exam. |
|
|
To enable a Cisco IOS router to perform DNS lookup to a remote DNS server, the following steps are required:
Step 1 For local DNS entries, you must specify any local host mapping with the following IOS command (note that the tcp-port-number is used for connections on a different TCP port number other than the default, 23):
ip host name [tcp-port-number] ip address1 [ip address2...ip address8]
Step 2 Specify the domain name or a domain list (Cisco routers can be configured with multiple domain names) with the following IOS commands:
—ip domain-name name defines a default domain name that the Cisco IOS Software uses to complete unqualified host names.
—ip domain-list name defines a list of default domain names to complete unqualified host names.
Step 3 Specify the DNS server or servers with the following IOS command:
ip name-server server-address1 [server-address2...server-address6]
Devices such as PCs can also be configured for DNS servers and domain names. Example 3-4 configures a router named R1 with the domain name cisco.com. The domain name servers are 131.108.255.1 and 131.108.255.2.
Example 3-4 DNS Configuration
R1(config)#ip domain-name cisco.com
R1(config)#ip name-server 131.108.255.1
R1(config)#ip name-server 131.108.255.2
When a network administrator types a name (not a valid IOS command, of course), the Cisco router attempts to translate the name into an IP address, first from the DNS server with the IP address 131.108.255.1, and then from the DNS server 131.108.255.2.
Example 3-5 displays a successful DNS query and translation to the host named ccie (another Cisco router) from the DNS server 131.108.255.1.
Trivial File Transfer Protocol 113
Example 3-5 DNS Query from the Exec Prompt
R1#ccie
!Administrator types ccie Translating "ccie"
!Query is sent to first configured DNS server Trying CCIE (131.108.255.1)... Open
User Access Verification Password: ****
CCIE>
NOTE In Example 3-5, a Telnet connection requires a password authentication phase (and for all Telnet-based connections, for that matter). You can disable the Telnet login password on Cisco routers with the command no login under the VTY line configuration, as follows:
line vty 0 4 no login
Trivial File Transfer Protocol
Trivial File Transfer Protocol (TFTP) is a protocol that allows data files to be transferred from one device to another using the connectionless protocol, UDP. TFTP uses UDP port number 69.
TFTP is typically used in environments where bandwidth is not a major concern and IP packets that are lost can be resent by the higher layers (typically the application layer). TFTP has little security. In fact, the only security available to TFTP transfer is defining the directory on the host TFTP device and the filenames that will be transferred.
1TFTP has no method to authenticate username or password; the TFTP packet has no field enabling the exchange of username or password between two TCP/IP hosts.
2TFTP directory security (configurable on UNIX and Windows platforms) on the TFTP server is accomplished by allowing a predefined file on the server access. This allows the remote hosts to TFTP the file from the remote TFTP client. For example, to copy a configuration file from a Cisco router to a UNIX or Windows host, the file must be predefined on the TFTP server with the appropriate access rights defined.
Upgrading Cisco IOS images is a great example of when TFTP is useful; IOS images can be downloaded from a TFTP server to the Cisco router’s system flash.
Cisco offers a free TFTP application protocol, available at the following URL:
www.cisco.com/public/sw-center/sw-web.shtml
Now, configure the Cisco application software, Cisco TFTP, to enable a Cisco router to download a version of IOS code.
114 Chapter 3: Application Protocols
Figure 3-1 displays the available options when configuring the TFTP application software.
Figure 3-1 Cisco TFTP Application Software Options
Includes logging of all
TFTP transfers
Defines from where files are to be downloaded
The TFTP directory in Figure 3-1 is defined as c:\tftpboot. On the host TFTP server (in this case a Windows 2000 PC), the IOS images reside in the tftpboot directory at c:\tftpboot. This download directory option is a configurable option, and you can select any valid directory on the host TFTP server.
The file is located in the tftpboot directory. In this example, the IOS image is named c2600-js-mz.121-5.T10.bin.
To copy an IOS image from a TFTP server, the IOS command is copy tftp flash. Example 3-6 displays a TFTP request for the file c2600-js-mz.121-5.T10.bin from a TFTP server with an IP address of 150.100.1.253.
Example 3-6 TFTP File Transfer
R1#copy tftp flash
Address or name of remote host []? 150.100.1.253
Source filename []? c2600-js-mz.121-5.T10.bin
Destination filename [c2600-js-mz.121-5.T10.bin]? c2600-js-mz.121-5.T10.bin Erase flash: before copying? [confirm]Y
Erasing the flash filesystem will remove all files! Continue? [confirm]Y Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeee ...erased Erase of flash: complete
Loading c2600-js-mz.121-5.T10.bin from 150.100.1.253 (via Ethernet0/0):
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!