Опубликованный материал нарушает ваши авторские права? Сообщите нам.
Вуз: Предмет: Файл:
CCIE Self Study CCIE Security Exam Certification Guide - Cisco press.pdf
10.23 Mб

110 Chapter 3: Application Protocols

Foundation Topics

Domain Name System

This section covers Domain Name System (DNS) and sample configurations used on Cisco IOS routers.

DNS’s primary use is to manage Internet names across the World Wide Web. For users or clients to use names instead of 32-bit IP addresses, the TCP/IP model designers developed DNS to translate names into IP addresses.

DNS uses TCP and UDP port number 53.

In a large IP environment, network users need an easier way to connect to hosts without having to remember 32-bit IP addresses—that’s where DNS comes into play. DNS provides a service that allows users to use a host’s name in place of an IP Address to connect to hosts. When DNS services are running, the host’s name is used to request its IP address from a DNS server. The DNS server is a host running the DNS service, and it is configured to do the translation for the user transparently. In other words, the user never sees the DNS request and host-to-IP address translation. The client simply connects to a host name, and the DNS server does the translation.

For example, the website www.cisco.com is translated to the IP address

DNS is a distributed database where organizations can use a predefined name or extension to all their devices. Nations can use extensions to define hosts residing in their country. For example, the extension for Australia is defined as .au. To reach the Cisco website in Australia, a user would type www.cisco.com.au in a web browser.

A regulatory body called the Internet Registration Authority manages domain names.

Similar to DNS, Cisco routers can be configured to locally look up names so network administrator can simply type a name rather than an IP address. Local names can also be configured for devices.

To illustrate a local DNS lookup on a Cisco IOS router, look at the following Cisco router command that provides a host lookup. (Note: a router will not provide DNS server responses to client devices such as PCs or UNIX hosts.)

The following IOS command defines a local name to IP address:

ip host name [tcp-port-number] ip address1 [ip address2...ip address8]

You can assign more than one IP address to any given name.

Example 3-1 displays three hosts and their corresponding IP addresses.

Domain Name System 111

Example 3-1 Local IP Host Configuration on a Cisco Router

ip host Router1 ip host Router2 ip host Router3

The three hosts, named Router1, Router2, and Router3 in Example 3-1, are translated into IP addresses,, and

When a network administrator types in the host name, the router translates the name to an IP address. Example 3-2 displays a network administrator Telneting from router, R1, to the remote host, Router2.

Example 3-2 Local DNS Translation


Translating "router2"

Trying Router2 ( Open

User Access Verification

Password: *****


When the network administrator types the name router2 (DNS names are not case-sensitive) at the exec prompt, the Cisco IOS router does a local host lookup for the name router2 and translates the address to

What would happen if you typed a name that was not configured locally? Example 3-3 displays the sample output from a Cisco router when an unknown name (ccie, in this case) is typed at the exec prompt.

Example 3-3 Name Translation for ccie


Translating "ccie"

Translating "ccie"

% Unknown command or computer name, or unable to find computer address


From the privileged exec prompt on Router R1 in Example 3-3, R1 does a local DNS lookup, discovers there is no DNS translation, and provides the shaded error message.

Scalability issues with local host configuration can become a nightmare with a large network. Thankfully, DNS servers can be placed around the network (typically in the core infrastructure) to ensure that only a few devices in the network require the full table of names and IP address translations. The World Wide Web has DNS servers that provide DNS mapping for websites.

112 Chapter 3: Application Protocols


By default, Cisco routers search for a DNS server. To disable this feature, use the IOS command


no ip domain-lookup. This stops the router from querying a DNS server whenever a name


translation is required. This command is a definite time saver for the CCIE Security Lab exam.



To enable a Cisco IOS router to perform DNS lookup to a remote DNS server, the following steps are required:

Step 1 For local DNS entries, you must specify any local host mapping with the following IOS command (note that the tcp-port-number is used for connections on a different TCP port number other than the default, 23):

ip host name [tcp-port-number] ip address1 [ip address2...ip address8]

Step 2 Specify the domain name or a domain list (Cisco routers can be configured with multiple domain names) with the following IOS commands:

ip domain-name name defines a default domain name that the Cisco IOS Software uses to complete unqualified host names.

ip domain-list name defines a list of default domain names to complete unqualified host names.

Step 3 Specify the DNS server or servers with the following IOS command:

ip name-server server-address1 [server-address2...server-address6]

Devices such as PCs can also be configured for DNS servers and domain names. Example 3-4 configures a router named R1 with the domain name cisco.com. The domain name servers are and

Example 3-4 DNS Configuration

R1(config)#ip domain-name cisco.com

R1(config)#ip name-server

R1(config)#ip name-server

When a network administrator types a name (not a valid IOS command, of course), the Cisco router attempts to translate the name into an IP address, first from the DNS server with the IP address, and then from the DNS server

Example 3-5 displays a successful DNS query and translation to the host named ccie (another Cisco router) from the DNS server

Trivial File Transfer Protocol 113

Example 3-5 DNS Query from the Exec Prompt


!Administrator types ccie Translating "ccie"

!Query is sent to first configured DNS server Trying CCIE ( Open

User Access Verification Password: ****


NOTE In Example 3-5, a Telnet connection requires a password authentication phase (and for all Telnet-based connections, for that matter). You can disable the Telnet login password on Cisco routers with the command no login under the VTY line configuration, as follows:

line vty 0 4 no login

Trivial File Transfer Protocol

Trivial File Transfer Protocol (TFTP) is a protocol that allows data files to be transferred from one device to another using the connectionless protocol, UDP. TFTP uses UDP port number 69.

TFTP is typically used in environments where bandwidth is not a major concern and IP packets that are lost can be resent by the higher layers (typically the application layer). TFTP has little security. In fact, the only security available to TFTP transfer is defining the directory on the host TFTP device and the filenames that will be transferred.

1TFTP has no method to authenticate username or password; the TFTP packet has no field enabling the exchange of username or password between two TCP/IP hosts.

2TFTP directory security (configurable on UNIX and Windows platforms) on the TFTP server is accomplished by allowing a predefined file on the server access. This allows the remote hosts to TFTP the file from the remote TFTP client. For example, to copy a configuration file from a Cisco router to a UNIX or Windows host, the file must be predefined on the TFTP server with the appropriate access rights defined.

Upgrading Cisco IOS images is a great example of when TFTP is useful; IOS images can be downloaded from a TFTP server to the Cisco router’s system flash.

Cisco offers a free TFTP application protocol, available at the following URL:


Now, configure the Cisco application software, Cisco TFTP, to enable a Cisco router to download a version of IOS code.

114 Chapter 3: Application Protocols

Figure 3-1 displays the available options when configuring the TFTP application software.

Figure 3-1 Cisco TFTP Application Software Options

Includes logging of all

TFTP transfers

Defines from where files are to be downloaded

The TFTP directory in Figure 3-1 is defined as c:\tftpboot. On the host TFTP server (in this case a Windows 2000 PC), the IOS images reside in the tftpboot directory at c:\tftpboot. This download directory option is a configurable option, and you can select any valid directory on the host TFTP server.

The file is located in the tftpboot directory. In this example, the IOS image is named c2600-js-mz.121-5.T10.bin.

To copy an IOS image from a TFTP server, the IOS command is copy tftp flash. Example 3-6 displays a TFTP request for the file c2600-js-mz.121-5.T10.bin from a TFTP server with an IP address of

Example 3-6 TFTP File Transfer

R1#copy tftp flash

Address or name of remote host []?

Source filename []? c2600-js-mz.121-5.T10.bin

Destination filename [c2600-js-mz.121-5.T10.bin]? c2600-js-mz.121-5.T10.bin Erase flash: before copying? [confirm]Y

Erasing the flash filesystem will remove all files! Continue? [confirm]Y Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee

eeeeee ...erased Erase of flash: complete

Loading c2600-js-mz.121-5.T10.bin from (via Ethernet0/0):






Соседние файлы в предмете Сети и Телекоммуникации