Certification objectives

CCNA 200-301

  • 4.3 Explain the role of DHCP and DNS within the network

  • 3.2 Determine how a router makes a forwarding decision by default

    • 3.2.a Longest match
    • 3.2.b Administrative distance
    • 3.2.c Routing protocol metric
  • 3.1 Interpret the components of a routing table

    • 3.1.a Routing protocol code
    • 3.1.b Prefix
    • 3.1.c Network mask
    • 3.1.d Next hop
    • 3.1.e Administrative distance
    • 3.1.f Metric
    • 3.1.g Gateway of last resort
  • 3.3 Configure and verify IPv4 and IPv6 static routing

    • 3.3.a Default route
    • 3.3.b Network route
    • 3.3.c Host route
    • 3.3.d Floating static
  • 4.1 Configure and verify inside source NAT (static and pools)

  • 1.7 Describe the need for private IPv4 addressing

  • 1.6 Configure and verify IPv4 addressing and subnetting

  • 1.8 Configure and verify IPv6 addressing and prefixes

  • 1.9 Compare IPv6 address types

    • 1.9.a Global unicast
    • 1.9.b Unique local
    • 1.9.c Link local
    • 1.9.d Anycast
    • 1.9.e Multicast
    • 1.9.f Modified EUI 64
  • 1.10 Verify IP parameters of client operating systems (Windows, Mac OS, Linux)


Internet gateway lab

This hands-on exercise configures the Cisco router of a very small infrastructure, the kind found in a remote office, a home or a very small business. The goal is to deploy every service a cheap home gateway offers natively: IPv6 autoconfiguration, DHCP, DNS and NAT44. Only the firewall is missing, and that matters for everything that follows: nothing below filters traffic, so the router and the services it runs (the DNS forwarder of section 3.7 in particular) remain reachable from the WAN side as well as from the LAN.

1. Lab topology

Figure: lab topology

1.1. Components

Component   Name       Image                                     Role
Router      gateway    vios-adventerprisek9-m.vmdk.SPA.156-2.T   IPv4 gateway between the Internet and the LAN, with DHCP, DHCPv6, SLAAC and DNS forwarder services
Cloud       Internet   built into the software                   Simulates an IPv4 Internet
Switch      SW1        built into the software                   LAN switch
Computer    PC1        ubuntu1604.qcow2                          TCP/IP client PC on the LAN
Computer    PC2        ubuntu1604.qcow2                          TCP/IP client PC on the LAN

1.2. Connections

Device 1   Interface   Interface   Device 2   Shared network
Internet   nat0        G0/1        gateway    WAN
gateway    G0/1        nat0        Internet   WAN
gateway    G0/0        e0          SW1        LAN
SW1        e0          G0/0        gateway    LAN
SW1        e1          ens3        PC1        LAN
SW1        e1          ens3        PC2        LAN

1.3. Addressing plan

Only one interface carries static IPv4 and IPv6 parameters: interface G0/0 of the router “gateway”:

  • Private IPv4 address: 192.168.1.254 255.255.255.0
  • IPv6 link-local address: fe80::1/64
  • IPv6 unique local address: fd00:192:168:1::1/64

fd00::/8 is the unique local (ULA) range of RFC 4193, in which the 40 bits following fd are meant to be a pseudo-randomly generated Global ID. fd00:192:168:1::/64 is a memorable value convenient for a lab, not a prefix to pick in production: two sites that choose such “obvious” prefixes will collide the day they are interconnected.

1.4. Services to deploy

In IPv4, the router “gateway” connects to the Internet and acts as a NAT44 router. A DHCP service hands out addresses in the range 192.168.1.1 to 192.168.1.199 and, through DHCP options, announces the router as default gateway and as DNS resolver for the LAN.

In IPv6, stateless address autoconfiguration (SLAAC) and a stateful DHCPv6 service are both enabled for the prefix fd00:192:168:1::/64. The router acts as IPv6 gateway and as DNS resolver.

2. Router boot

Console output of the IOSv image at boot. Two things are worth noticing in it: the %CVAC messages show that a bootstrap configuration was injected from flash2:/ios_config.txt and saved to NVRAM before anyone configured the router by hand, and %PLATFORM-5-SIGNATURE_VERIFIED shows that the image passed its code-signing check. The SETUP lines also explain why every interface starts administratively down.

  Booting `IOSv'

Booted IOSv. Boot args: [/vios-adventerprisek9-m]

Smart Init is enabled

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706



Cisco IOS Software, IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.6(2)T, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Tue 22-Mar-16 16:19 by prod_rel_team




This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco IOSv (revision 1.0) with  with 460033K/62464K bytes of memory.Installed image archive

Processor board ID 9LZIT3F3H77XUDNPC6QD9
4 Gigabit Ethernet interfaces
DRAM configuration is 72 bits wide with parity disabled.
256K bytes of non-volatile configuration memory.
2097152K bytes of ATA System CompactFlash 0 (Read/Write)
0K bytes of ATA CompactFlash 1 (Read/Write)
1024K bytes of ATA CompactFlash 2 (Read/Write)
0K bytes of ATA CompactFlash 3 (Read/Write)

SETUP: new interface GigabitEthernet0/0 placed in "shutdown" state
SETUP: new interface GigabitEthernet0/1 placed in "shutdown" state
SETUP: new interface GigabitEthernet0/2 placed in "shutdown" state
SETUP: new interface GigabitEthernet0/3 placed in "shutdown" state
% Applying bootstrap config from flash2:...
Building configuration...
[OK]


Press RETURN to get started!


*Mar  1 00:00:00.647: %ATA-6-DEV_FOUND: device 0x1F0
*Mar  1 00:00:02.830: %ATA-6-DEV_FOUND: device 0x1F1
*Mar  1 00:00:06.412: %NVRAM-5-CONFIG_NVRAM_NOT_FOUND: NVRAM configuration 'flash:/nvram' could not be found on disk.
*Apr 21 17:37:52.928: %PA-3-PA_INIT_FAILED: Performance Agent failed to initialize (Missing Data License)
*Apr 21 17:37:54.797: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
*Apr 21 17:37:54.798: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
*Apr 21 17:37:54.798: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up
*Apr 21 17:37:54.799: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
*Apr 21 17:37:55.170: %CVAC-7-CONFIG_FOUND: Configuration file flash2:/ios_config.txt was found and will be applied to NVRAM.
*Apr 21 17:37:55.847: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
*Apr 21 17:37:55.847: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
*Apr 21 17:37:55.847: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to down
*Apr 21 17:37:55.847: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to down
*Apr 21 17:37:55.947: %CVAC-7-CONFIG_FOUND: Configuration file flash2:/ios_config.txt was found and will be applied to NVRAM.
*Apr 21 17:37:57.366: %LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to administratively down
*Apr 21 17:37:57.367: %LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to administratively down
*Apr 21 17:37:57.367: %LINK-5-CHANGED: Interface GigabitEthernet0/2, changed state to administratively down
*Apr 21 17:37:57.367: %LINK-5-CHANGED: Interface GigabitEthernet0/3, changed state to administratively down
*Apr 21 17:38:00.884: %GRUB-5-CONFIG_WRITING: GRUB configuration is being updated on disk. Please wait...
*Apr 21 17:38:02.132: %GRUB-5-CONFIG_WRITTEN: GRUB configuration was written to disk successfully.
*Apr 21 17:38:02.132: %CVAC-4-CONFIG_DONE: Configuration generated from file flash2:/ios_config.txt was applied and saved to NVRAM. See 'show running-config' or 'show startup-config' for more details.
*Apr 21 17:38:04.397: %SYS-5-RESTART: System restarted --
Cisco IOS Software, IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.6(2)T, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Tue 22-Mar-16 16:19 by prod_rel_team
*Apr 21 17:38:04.420: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Apr 21 17:38:04.420: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
*Apr 21 17:38:10.517: %PLATFORM-5-SIGNATURE_VERIFIED: Image 'flash0:/vios-adventerprisek9-m' passed code signing verification
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS    *
* education. IOSv is provided as-is and is not supported by Cisco's        *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any         *
* purposes is expressly prohibited except as otherwise authorized by       *
* Cisco in writing.                                                        *
**************************************************************************

3. IPv4 configuration

The configuration procedure has a few logical steps:

  • Set the hostname
  • Configure interface G0/0 (LAN)
  • Configure interface G0/1 (WAN)
  • Create a standard named IPv4 ACL called “lan”
  • Create the NAT overload rule
  • Enable name resolution and the IPv4 DNS service
  • Create the DHCP pool
  • Save the configuration

Watch the “logs”, the events that will appear on the console along the way.

3.1. IPv4 configuration procedure

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#

3.2. Setting the hostname

Router(config)#hostname gateway
gateway(config)#

3.3. Configuring interface G0/0 (LAN)

gateway(config)#interface GigabitEthernet0/0
gateway(config-if)# description LAN interface
gateway(config-if)# ip address 192.168.1.254 255.255.255.0
gateway(config-if)# ip nat inside
gateway(config-if)# no shutdown
gateway(config-if)# exit

3.4. Configuring interface G0/1 (WAN)

gateway(config)#interface GigabitEthernet0/1
gateway(config-if)# description WAN interface
gateway(config-if)# ip address dhcp
gateway(config-if)# ip nat outside
gateway(config-if)# no shutdown
gateway(config-if)# exit

3.5. Creating a standard named IPv4 ACL called “lan”

This ACL filters nothing: it only selects the source addresses that the NAT rule of the next step will translate. Its implicit deny at the end means that a packet from any other source is routed out of G0/1 untranslated.

gateway(config)#ip access-list standard lan
gateway(config-std-nacl)# permit 192.168.1.0 0.0.0.255
gateway(config-std-nacl)# exit

3.6. Creating the NAT overload rule

overload means PAT: every LAN host permitted by the ACL shares the single address of G0/1, whatever DHCP assigned to it, and flows are told apart by source port (by echo identifier for ICMP).

gateway(config)#ip nat inside source list lan interface GigabitEthernet0/1 overload

3.7. Enabling name resolution and the IPv4 DNS service

ip domain lookup lets the router resolve names itself, ip name-server designates the upstream resolver, and ip dns server turns the router into a DNS forwarder for its clients. That forwarder is not bound to the LAN interface: it also answers queries arriving on G0/1. On a real uplink this is the first thing the missing firewall should take care of (an inbound ACL on G0/1 dropping UDP and TCP port 53 at the very least), or the router becomes an open resolver.

gateway(config)#ip domain lookup
gateway(config)#ip name-server 8.8.8.8
gateway(config)#ip dns server

3.8. Creating the DHCP pool

The excluded range 192.168.1.200 to 192.168.1.254 keeps the router's own address, and a block for hosts addressed by hand, out of the pool; the remaining 199 addresses (.1 to .199) are leased, with the router as default gateway and DNS server.

gateway(config)#ip dhcp pool DHCP-LAN
gateway(dhcp-config)# network 192.168.1.0 255.255.255.0
gateway(dhcp-config)# default-router 192.168.1.254
gateway(dhcp-config)# dns-server 192.168.1.254
gateway(dhcp-config)# exit
gateway(config)#ip dhcp excluded-address 192.168.1.200 192.168.1.254

3.9. Saving the configuration

gateway(config)#end
gateway#wr
Building configuration...
[OK]

3.10. Events

The last line shows G0/1 obtaining its WAN address by DHCP from the simulated Internet.

*Apr 22 13:58:38.104: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
*Apr 22 13:58:38.344: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
*Apr 22 13:58:39.104: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
gateway#
*Apr 22 13:58:39.344: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
gateway#
*Apr 22 13:58:52.701: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0/1 assigned DHCP address 192.168.122.124, mask 255.255.255.0, hostname gateway

3.11. IPv4 configuration summary

configure terminal
hostname gateway
interface GigabitEthernet0/0
 description LAN interface
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 no shutdown
interface GigabitEthernet0/1
 description WAN interface
 ip address dhcp
 ip nat outside
 no shutdown
ip access-list standard lan
 permit 192.168.1.0 0.0.0.255
ip nat inside source list lan interface GigabitEthernet0/1 overload
ip domain lookup
ip name-server 8.8.8.8
ip dns server
ip dhcp pool DHCP-LAN
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.254
 dns-server 192.168.1.254
ip dhcp excluded-address 192.168.1.200 192.168.1.254
end
wr

4. IPv6 configuration

IPv6 requires explicit activation of each piece:

  • Enable IPv6 routing
  • Create the DHCPv6 pool
  • Configure interface G0/0 (LAN)
  • Configure interface G0/1 (WAN)
  • Save the configuration

4.1. IPv6 configuration procedure

gateway#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
gateway(config)#hostname gateway
gateway(config)#

4.2. Enabling IPv6 routing

Without ipv6 unicast-routing the router neither forwards IPv6 packets nor sends Router Advertisements, so no client would learn a prefix or a default gateway.

gateway(config)#ipv6 unicast-routing

4.3. Creating the DHCPv6 pool

gateway(config)#ipv6 dhcp pool DHCPv6-LAN
gateway(config-dhcpv6)# address prefix FD00:192:168:1::/64
gateway(config-dhcpv6)# dns-server FD00:192:168:1::1
gateway(config-dhcpv6)# exit

4.4. Configuring interface G0/0 (LAN)

The two nd flags shape the Router Advertisements sent on the LAN: managed-config-flag (M) tells clients to obtain an address by DHCPv6, other-config-flag (O) tells them to obtain the other parameters, here the DNS server, by DHCPv6 as well. The prefix configured with ipv6 address is still advertised with its autonomous (A) flag set, so clients also form a SLAAC address; this is how stateless autoconfiguration and stateful DHCPv6 coexist on this LAN, as announced in section 1.4.

gateway(config)#interface GigabitEthernet0/0
gateway(config-if)# description LAN interface
gateway(config-if)# ipv6 address FE80::1 link-local
gateway(config-if)# ipv6 address FD00:192:168:1::1/64
gateway(config-if)# ipv6 nd managed-config-flag
gateway(config-if)# ipv6 nd other-config-flag
gateway(config-if)# ipv6 dhcp server DHCPv6-LAN
gateway(config-if)# no shutdown
gateway(config-if)# exit

4.5. Configuring interface G0/1 (WAN)

The “Internet” cloud is IPv4-only (section 1.1), so this DHCPv6 client will not obtain an address here; the command is shown for the sake of a complete gateway configuration.

gateway(config)#interface GigabitEthernet0/1
gateway(config-if)# description WAN interface
gateway(config-if)# ipv6 address dhcp
gateway(config-if)# no shutdown
gateway(config-if)# exit
gateway(config)#

4.6. Saving the configuration

gateway(config)#end
gateway#
gateway#wr
Building configuration...

*Apr 22 14:04:30.918: %SYS-5-CONFIG_I: Configured from console by console[OK]
gateway#
*Apr 22 14:04:33.009: %GRUB-5-CONFIG_WRITING: GRUB configuration is being updated on disk. Please wait...
*Apr 22 14:04:33.641: %GRUB-5-CONFIG_WRITTEN: GRUB configuration was written to disk successfully.

4.7. IPv6 configuration summary

configure terminal
hostname gateway
ipv6 unicast-routing
ipv6 dhcp pool DHCPv6-LAN
 address prefix FD00:192:168:1::/64
 dns-server FD00:192:168:1::1
interface GigabitEthernet0/0
 description LAN interface
 ipv6 address FE80::1 link-local
 ipv6 address FD00:192:168:1::1/64
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ipv6 dhcp server DHCPv6-LAN
 no shutdown
interface GigabitEthernet0/1
 description WAN interface
 ipv6 address dhcp
 no shutdown
end
wr
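As an added example that is not part of the original lab, the Python script below shows the two address-building mechanisms this section relies on: the modified EUI-64 interface identifier a client derives from its MAC under SLAAC (objective 1.9.f), and the RFC 4193 algorithm for generating a unique local prefix, which is what the hand-picked fd00:192:168:1::/64 stands in for. The MAC 00:59:fe:dc:e1:00 is the one shown for G0/0 in section 5.2; the fixed timestamp passed to ula_prefix() in the usage section is an arbitrary value chosen only to make the output reproducible.

```python
"""IPv6 address construction used by SLAAC, and RFC 4193 ULA generation.
Added example; standard library only."""
import hashlib
import ipaddress
import struct
import time


def modified_eui64(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, appendix A):
    split the 48-bit MAC, insert ff:fe in the middle, invert the
    universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms by SLAAC from an advertised /64 and its MAC.
    fe80::/64 gives the link-local address, the RA prefix the global/ULA one."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + modified_eui64(mac))


def ula_prefix(mac: str, ntp_time: float = None) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: Global ID = low 40 bits of SHA-1(NTP time || EUI-64),
    prepended with fd (fc00::/7 with the L bit set) to give a /48."""
    if ntp_time is None:
        ntp_time = time.time() + 2208988800  # Unix epoch -> NTP epoch (1900)
    seconds = int(ntp_time)
    fraction = int((ntp_time - seconds) * (1 << 32)) & 0xFFFFFFFF
    key = struct.pack("!II", seconds & 0xFFFFFFFF, fraction) + modified_eui64(mac)
    global_id = hashlib.sha1(key).digest()[-5:]  # least significant 40 bits
    return ipaddress.IPv6Network((bytes([0xFD]) + global_id + bytes(10), 48))


def client_addresses(ra_prefix: str, mac: str) -> dict:
    """What a SLAAC client on this LAN configures from the router's RA."""
    return {
        "link_local": slaac_address("fe80::/64", mac),
        "ula": slaac_address(ra_prefix, mac),
    }


if __name__ == "__main__":
    mac = "00:59:fe:dc:e1:00"  # G0/0's MAC from "show interface g0/0"
    print("modified EUI-64:", modified_eui64(mac).hex(":", 2))
    for name, addr in client_addresses("fd00:192:168:1::/64", mac).items():
        print(f"{name:10} {addr}")
    # Arbitrary fixed NTP timestamp so the run is reproducible (assumption, not a real value).
    print("RFC 4193 prefix for this host:", ula_prefix(mac, ntp_time=3700000000.0))
```

The SLAAC address embeds the MAC, which is why a host's MAC can be read from its IPv6 address on any network it visits; operating systems now default to privacy extensions (RFC 4941) or stable opaque identifiers for that reason, so the address a real client shows may not match what modified_eui64() predicts.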

5. IPv4 checks on the router

A series of IPv4 checks can be run on the router:

  • IPv4 interface check
  • Layer 2 interface check
  • Layer 3 interface check
  • IPv4 routing table
  • IPv4 ping to the WAN
  • IPv4 ping to the LAN
  • Extended IPv4 ping
  • NAT check
  • Access-list check
  • DHCP lease check

5.1. IPv4 interface check

NVI0 is the NAT virtual interface that IOS creates once NAT is configured. G0/1 now holds 192.168.122.204: the WAN address comes from DHCP and may differ from one boot to the next (the events of section 3.10 show an earlier lease of 192.168.122.124).

# show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         192.168.1.254   YES NVRAM  up                    up
GigabitEthernet0/1         192.168.122.204 YES DHCP   up                    up
GigabitEthernet0/2         unassigned      YES NVRAM  administratively down down
GigabitEthernet0/3         unassigned      YES NVRAM  administratively down down
NVI0                       192.168.1.254   YES unset  up                    up

5.2. Layer 2 interface check

# show interface g0/0
GigabitEthernet0/0 is up, line protocol is up
  Hardware is iGbE, address is 0059.fedc.e100 (bia 0059.fedc.e100)
  Description: LAN interface
  Internet address is 192.168.1.254/24
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Unknown, Unknown, link type is auto, media type is RJ45
  output flow-control is unsupported, input flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:04, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 675
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 7000 bits/sec, 8 packets/sec
  5 minute output rate 130000 bits/sec, 10 packets/sec
     3649 packets input, 428002 bytes, 0 no buffer
     Received 111 Broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     4533 packets output, 5922027 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     37 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

5.3. Layer 3 interface check

The line “Network address translation is enabled, interface in domain inside” confirms ip nat inside. Note the IOS defaults left in place: proxy ARP enabled, ICMP redirects and unreachables always sent, directed broadcast forwarding disabled. The first two are usually turned off on a gateway interface with no ip proxy-arp and no ip redirects.

# show ip interface g0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 192.168.1.254/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed Broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain inside
  BGP Policy Mapping is disabled
  Input features: Common Flow Table, Stateful Inspection, Virtual Fragment Reassembly, Virtual Fragment Reassembly After IPSec Decryption, MCI Check
  Output features: NAT Inside, Common Flow Table, Stateful Inspection, NAT ALG proxy
  IPv4 WCCP Redirect outbound is disabled
  IPv4 WCCP Redirect inbound is disabled
  IPv4 WCCP Redirect exclude is disabled

5.4. IPv4 routing table

For each directly connected network (192.168.1.0/24 and 192.168.122.0/24) the table holds a “C” route for the subnet and an “L” (local) /32 route for the interface's own address, which is how the router recognises packets addressed to itself. The “S*” entry is the default route, flagged * as candidate default and listed as gateway of last resort; it was installed from the DHCP lease on G0/1, and its distance of 254 is what IOS assigns to a DHCP-learned default route, so any static default (AD 1 by default) would take precedence over it. In the [254/0] brackets, 254 is the administrative distance and 0 the metric.

# show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 192.168.122.1 to network 0.0.0.0

S*    0.0.0.0/0 [254/0] via 192.168.122.1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet0/0
L        192.168.1.254/32 is directly connected, GigabitEthernet0/0
      192.168.122.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.122.0/24 is directly connected, GigabitEthernet0/1
L        192.168.122.204/32 is directly connected, GigabitEthernet0/1
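To make the forwarding decision concrete (objectives 3.1 and 3.2), here is an added Python example, not part of the original lab, that parses the route lines above and applies the three selection rules in order: longest prefix match, then lowest administrative distance, then lowest metric. The install() function also shows the floating-static behaviour of objective 3.3.d: a candidate route for a prefix already present with a better AD is held back. The static default route and its next hop 192.168.122.2 in the usage section are hypothetical.

```python
"""Longest-match lookup over the "show ip route" lines of this lab (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Route lines copied from the router's "show ip route" output above.
SHOW_IP_ROUTE = """\
S*    0.0.0.0/0 [254/0] via 192.168.122.1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet0/0
L        192.168.1.254/32 is directly connected, GigabitEthernet0/0
      192.168.122.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.122.0/24 is directly connected, GigabitEthernet0/1
L        192.168.122.204/32 is directly connected, GigabitEthernet0/1
"""

# code  prefix  [AD/metric]  via next-hop | is directly connected, interface
ROUTE_RE = re.compile(
    r"^(?P<code>\S+)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\])?"
    r"\s+(?:via\s+(?P<nh>\d+(?:\.\d+){3})|is directly connected,\s+(?P<iface>\S+))"
)


@dataclass(frozen=True)
class Route:
    code: str                       # routing protocol code: S*, C, L, ...
    network: ipaddress.IPv4Network  # prefix + network mask
    ad: int                         # administrative distance (0 for C and L)
    metric: int
    next_hop: Optional[str]         # None when the destination is on-link
    interface: Optional[str]


def parse_routes(text: str) -> List[Route]:
    """Keep only the route lines; summary lines ("is variably subnetted") are skipped."""
    table = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m is None:
            continue
        table.append(Route(
            code=m["code"],
            network=ipaddress.ip_network(m["prefix"], strict=False),
            ad=int(m["ad"] or 0),
            metric=int(m["metric"] or 0),
            next_hop=m["nh"],
            interface=m["iface"],
        ))
    return table


def lookup(table: List[Route], destination: str) -> Optional[Route]:
    """Forwarding decision: longest match first, then lowest AD, then lowest metric.
    None means no route at all (no default either): the packet is dropped."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in table if dst in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.ad, r.metric))


def install(table: List[Route], candidate: Route) -> List[Route]:
    """Route-source selection for one prefix, as done before a route enters the table:
    the lowest AD wins, an equal AD is installed alongside, a higher AD is held back
    (a floating static stays out until the preferred source disappears)."""
    same_prefix = [r for r in table if r.network == candidate.network]
    if same_prefix and min(r.ad for r in same_prefix) < candidate.ad:
        return list(table)
    kept = [r for r in table if r.network != candidate.network or r.ad <= candidate.ad]
    return kept + [candidate]


if __name__ == "__main__":
    table = parse_routes(SHOW_IP_ROUTE)
    for dst in ("8.8.8.8", "192.168.1.1", "192.168.1.254"):
        r = lookup(table, dst)
        print(f"{dst:16} -> {r.code:3} {r.network}  via {r.next_hop or 'connected'} {r.interface or ''}")
    # Hypothetical static default (AD 1): it displaces the DHCP-learned one (AD 254).
    static = Route("S*", ipaddress.ip_network("0.0.0.0/0"), 1, 0, "192.168.122.2", None)
    print("default after static:", lookup(install(table, static), "8.8.8.8").next_hop)
```

The lookup for 192.168.1.254 is the interesting one: both the C /24 and the L /32 contain it, and longest match picks the /32, so the packet is handed to the router itself rather than forwarded out of G0/0.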

5.5. IPv4 ping to the WAN

The ping command checks IP connectivity between two hosts, here towards a well-known public IPv4 address:

#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/16 ms

5.6. IPv4 ping to the LAN

#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/5 ms

5.7. Extended IPv4 ping

An “extended” ping lets you choose the parameters of the ICMP packets sent, in particular the source IP address the router uses. Sourcing the ping from the LAN interface checks the return path, and here the NAT as well: a packet from 192.168.1.254 must be translated on its way out of G0/1 exactly like a packet from a LAN host, which the icmp entry of the next section confirms.

#ping
Protocol [ip]:
Target IP address: 8.8.8.8
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Ingress ping [n]:
Source address or interface: 192.168.1.254
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0x0000ABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/17 ms

5.8. NAT check

The show ip nat translations command displays the translation table. Inside local is the real address of the LAN host; Inside global is the address it is seen with on the WAN, the address of G0/1, identical for every host because this is overload (PAT); Outside local and Outside global both show the remote peer, since nothing translates destination addresses here. Source ports are preserved whenever possible. Reading the entries: the udp flows to port 123 are NTP queries from 192.168.1.2, the tcp/443 flows come from 192.168.1.3, the udp/3544 flow from the same host is Teredo (IPv6 tunnelled over UDP), and the icmp entry with identifier 5 is the extended ping of the previous section, sourced from 192.168.1.254 and translated like any other inside address.

#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
udp 192.168.122.204:60171 192.168.1.2:60171 213.136.0.252:123 213.136.0.252:123
udp 192.168.122.204:60196 192.168.1.2:60196 217.77.132.1:123 217.77.132.1:123
udp 192.168.122.204:60486 192.168.1.2:60486 87.233.197.123:123 87.233.197.123:123
tcp 192.168.122.204:49673 192.168.1.3:49673 40.77.229.47:443 40.77.229.47:443
tcp 192.168.122.204:49685 192.168.1.3:49685 40.77.229.43:443 40.77.229.43:443
tcp 192.168.122.204:49690 192.168.1.3:49690 40.77.229.36:443 40.77.229.36:443
tcp 192.168.122.204:49703 192.168.1.3:49703 40.77.229.54:443 40.77.229.54:443
udp 192.168.122.204:62735 192.168.1.3:62735 157.56.144.215:3544 157.56.144.215:3544
icmp 192.168.122.204:5 192.168.1.254:5    8.8.8.8:5          8.8.8.8:5
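As an added example that is not part of the original lab, the Python model below reproduces what the combination of sections 3.5 and 3.6 does to the packets behind the entries above: the standard ACL decides which sources are translated, outbound packets get G0/1's address and, when free, their original source port, ICMP uses the echo identifier in place of a port, and an inbound packet only reaches a LAN host if a matching entry exists. The flows are constructed from the table above (NTP from 192.168.1.2, the extended ping from 192.168.1.254); the second NTP client colliding on the same port and the 10.0.0.5 host are hypothetical. Port choice on collision is simplified to “next free port”; real IOS behaviour is implementation-specific.

```python
"""Miniature of "ip nat inside source list lan interface G0/1 overload" (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ip access-list standard lan / permit 192.168.1.0 0.0.0.255 (implicit deny at the end)
LAN_ACL = [("permit", "192.168.1.0", "0.0.0.255")]


def acl_permits(address: str, acl) -> bool:
    """Standard ACL match: bits where the wildcard is 0 must equal the base address."""
    a = int(ipaddress.IPv4Address(address))
    for action, base, wildcard in acl:
        b = int(ipaddress.IPv4Address(base))
        w = int(ipaddress.IPv4Address(wildcard))
        if ((a ^ b) & ~w & 0xFFFFFFFF) == 0:
            return action == "permit"
    return False  # implicit deny


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int   # for icmp: the echo identifier
    dst: str
    dport: int


@dataclass(frozen=True)
class Translation:
    proto: str
    inside_global: Tuple[str, int]  # what the WAN sees
    inside_local: Tuple[str, int]   # the real LAN host
    outside: Tuple[str, int]        # outside local == outside global: no destination NAT here


class NatOverload:
    def __init__(self, acl, outside_address: str):
        self.acl = acl
        self.outside = outside_address  # G0/1's DHCP-assigned address
        self.translations: List[Translation] = []

    def _global_port(self, pkt: Packet) -> int:
        """Keep the inside port unless another inside socket already owns it on the WAN side."""
        taken = {t.inside_global[1] for t in self.translations
                 if t.proto == pkt.proto and t.inside_local != (pkt.src, pkt.sport)}
        port = pkt.sport
        while port in taken:
            port = port + 1 if port < 65535 else 1024
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: translate the source if the ACL selects it, else route untouched."""
        if not acl_permits(pkt.src, self.acl):
            return pkt
        for t in self.translations:
            if (t.proto, t.inside_local, t.outside) == (pkt.proto, (pkt.src, pkt.sport), (pkt.dst, pkt.dport)):
                break
        else:
            t = Translation(pkt.proto, (self.outside, self._global_port(pkt)),
                            (pkt.src, pkt.sport), (pkt.dst, pkt.dport))
            self.translations.append(t)
        return Packet(pkt.proto, t.inside_global[0], t.inside_global[1], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: only a packet matching an existing entry is forwarded to the LAN.
        Anything else addressed to the outside address is for the router itself, which is
        why unfiltered router services (DNS, for one) stay reachable from the WAN."""
        for t in self.translations:
            if (t.proto, t.inside_global, t.outside) == (pkt.proto, (pkt.dst, pkt.dport), (pkt.src, pkt.sport)):
                return Packet(pkt.proto, pkt.src, pkt.sport, t.inside_local[0], t.inside_local[1])
        return None

    def show(self) -> str:
        """Same columns as "show ip nat translations"."""
        lines = ["Pro  Inside global          Inside local           Outside local          Outside global"]
        for t in self.translations:
            ig = "%s:%d" % t.inside_global
            il = "%s:%d" % t.inside_local
            og = "%s:%d" % t.outside
            lines.append(f"{t.proto:4} {ig:22} {il:22} {og:22} {og}")
        return "\n".join(lines)


if __name__ == "__main__":
    nat = NatOverload(LAN_ACL, "192.168.122.204")
    nat.outbound(Packet("udp", "192.168.1.2", 60171, "213.136.0.252", 123))  # NTP, from the table
    nat.outbound(Packet("udp", "192.168.1.3", 60171, "213.136.0.252", 123))  # hypothetical: same port, second host
    nat.outbound(Packet("icmp", "192.168.1.254", 5, "8.8.8.8", 5))           # the extended ping
    print(nat.show())
    print(nat.inbound(Packet("icmp", "8.8.8.8", 5, "192.168.122.204", 5)))            # reply: delivered
    print(nat.inbound(Packet("tcp", "40.77.229.47", 443, "192.168.122.204", 49673)))  # unsolicited: None
```

The model makes the limit of “NAT as protection” visible: an unsolicited packet is not forwarded to a LAN host only because no entry exists, while anything aimed at the router's own address is still processed by the router, untranslated and, in this lab, unfiltered.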

5.9. Access-list check

#show access-lists
Standard IP access list lan
    10 permit 192.168.1.0, wildcard bits 0.0.0.255 (105 matches)

5.10. DHCP lease check

#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
192.168.1.1         0059.fe99.af00          Apr 23 2017 03:02 PM    Automatic
192.168.1.2         0059.fe6d.3b00          Apr 23 2017 03:02 PM    Automatic
192.168.1.3         0100.59fe.c24c.00       Apr 23 2017 03:03 PM    Automatic

The first two bindings are keyed by hardware address. The third is keyed by a client identifier (DHCP option 61): the leading 01 is the hardware type (Ethernet) and the rest is the MAC 00:59:fe:c2:4c:00, the form sent by clients that populate that option, Windows among them.

6. Checks from the TCP/IPv4 clients

6.1. IPv4 parameters

It is useful to check:

  • The interface parameters
  • The routing table
  • The DNS parameters

6.2. Interface parameters

user@ubuntu1604:~$ ip -4 add show dev ens3
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.1.2/24 brd 192.168.1.255 scope global ens3
       valid_lft forever preferred_lft forever

6.3. Routing table

user@ubuntu1604:~$ ip route
default via 192.168.1.254 dev ens3
192.168.1.0/24 dev ens3  proto kernel  scope link  src 192.168.1.2

6.4. DNS parameters

user@ubuntu1604:~$ cat /etc/resolv.conf
#Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.1.254

6.5. Connectivity check

ping can verify:

  • Connectivity to the gateway
  • Connectivity to a public IP address
  • Connectivity to a name resolved into an IP address (which also exercises DNS over UDP, at layer 4)

6.6. Connectivity to the gateway

user@ubuntu1604:~$ ping -c 1 192.168.1.254
PING 192.168.1.254 (192.168.1.254) 56(84) bytes of data.
64 bytes from 192.168.1.254: icmp_seq=1 ttl=255 time=3.83 ms

--- 192.168.1.254 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.836/3.836/3.836/0.000 ms

6.7. Connectivity to a public IP address

user@ubuntu1604:~$ ping -c 1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=41 time=18.5 ms

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 18.576/18.576/18.576/0.000 ms

6.8. Connectivity to a resolved name

user@ubuntu1604:~$ ping -c 1 www.google.com
PING www.google.com (172.217.20.68) 56(84) bytes of data.
64 bytes from www.google.com (172.217.20.68): icmp_seq=1 ttl=48 time=12.5 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 12.517/12.517/12.517/0.000 ms

6.9. L7 check: DNS name resolution

The DNS function can be confirmed with dig or nslookup. The first query below goes through the router's forwarder (SERVER: 192.168.1.254), the second bypasses it and asks 8.8.8.8 directly. The two answers differ (172.217.20.68 and 172.217.17.68) simply because Google returns different front ends; the second reply also carries an OPT pseudo-section because dig negotiated EDNS with 8.8.8.8, while the router's forwarder answered without one.

user@ubuntu1604:~$ dig www.google.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63245
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.			IN	A

;; ANSWER SECTION:
www.google.com.		290	IN	A	172.217.20.68

;; Query time: 7 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Sat Apr 22 16:24:08 CEST 2017
;; MSG SIZE  rcvd: 48

user@ubuntu1604:~$ dig @8.8.8.8 www.google.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @8.8.8.8 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43348
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.google.com.			IN	A

;; ANSWER SECTION:
www.google.com.		203	IN	A	172.217.17.68

;; Query time: 20 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 22 16:24:18 CEST 2017
;; MSG SIZE  rcvd: 59

6.10. L7 HTTP connectivity check

curl http://ipinfo.io/ip

This returns the source address the web site sees, that is the address after the last NAT on the path. In this lab it is not 192.168.122.204 either: that address is private, so a second NAT sits between the “Internet” cloud and the real Internet.

6.11. ARP checks

The client's ARP cache first contains the gateway only; pinging 192.168.1.1 adds a second entry. Both MAC addresses can be cross-checked against the router: 00:59:fe:dc:e1:00 is the bia of G0/0 shown in section 5.2, and 00:59:fe:99:af:00 is the hardware address bound to 192.168.1.1 in the DHCP bindings of section 5.10.

user@ubuntu1604:~$ arp -a
? (192.168.1.254) at 00:59:fe:dc:e1:00 [ether] on ens3
user@ubuntu1604:~$ ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=6.63 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 6.636/6.636/6.636/0.000 ms
user@ubuntu1604:~$ arp -a
? (192.168.1.1) at 00:59:fe:99:af:00 [ether] on ens3
? (192.168.1.254) at 00:59:fe:dc:e1:00 [ether] on ens3

7. IPv6 checks on the router

8. IPv6 checks from the clients