6- en_ROUTE_v7_Ch06.pdf
Transcript of 6- en_ROUTE_v7_Ch06.pdf
© 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
ROUTE v6 Chapter 6 1
Chapter 6: Enterprise Internet Connectivity
Implementing Cisco IP Routing (ROUTE)
Elaborated by: Ing. Ariel Germán For: ITLA Based on: Foundation Learning Guide CCNP ROUTE 300-101 Diane Teare, Bob Vachon, Rick Graziani 2015
Chapter 6 2 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Chapter 6 Topics
Planning Enterprise Internet Connectivity
Establishing Single-Homed IPv4 Internet Connectivity
Establishing Single-Homed IPv6 Internet Connectivity
Improving Internet Connectivity Resilience
Summary
Chapter 6 3 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Planning Enterprise Internet Connectivity
Chapter 6 4 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Upon completion of this section, you will be able to do the
following:
• Identify the Internet connectivity needs of organizations
• Identify the different types of ISP connectivity
• Describe public IP address assignments and the need for provider-
independent IP addressing.
• Describe autonomous system numbers
Chapter 6 5 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Connecting Enterprise Networks to an ISP
Modern corporate IP networks connect to the global
Internet.
They use the Internet for some of their data transport
needs, and provide services via the Internet to customers
and business partners.
Chapter 6 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Enterprise Connectivity Requirements 1/2
Enterprise connectivity requirements can be categorized as:
• Outbound:
• Only one-way connectivity outbound from clients to the Internet is required.
• Private IPv4 with NAT .
• This situation is found in most homes.
• Inbound:
• Two-way connectivity is needed
• Clients external to the enterprise network can access resources in the
enterprise network.
• In this case, both public and private IPv4 address space is needed.
• Routing and security consideration as well.
Chapter 6 7 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Enterprise Connectivity Requirements 2/2
The type of redundancy required includes:
• Edge device redundancy
• Link redundancy
• ISP redundancy
Chapter 6 8 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
ISP Redundancy
Chapter 6 9 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Public IP Address Assignment
The Internet Assigned Numbers Authority (IANA) and the
regional Internet registries (RIRs) are involved with public IP
address assignment.
Chapter 6 10 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
The Internet Assigned Numbers Authority
The IANA is the umbrella organization responsible for
allocating the numbering systems that are used in the
technical standards.
IANA responsibilities include the following:
• Coordinate the global pool of IPv4 and IPv6 addresses, and provide
them to RIRs.
• Coordinate the global pool of autonomous system numbers and
provide them to RIRs.
• Manage the Domain Name Service (DNS) root zone.
• Manage the IP numbering systems (in conjunction with standards
bodies).
Chapter 6 11 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Regional Internet Registries
RIRs are nonprofit corporations established for the purpose of administration and registration of IP address space and autonomous system numbers.
There are five RIRs, as follows:
• African Network Information Centre (AfriNIC)
• Asia Pacific Network Information Centre (APNIC)
• American Registry for Internet Numbers (ARIN)
• Latin American and Caribbean IP Address Regional Registry (LACNIC)
• Reséaux IP Européens Network Coordination Centre (RIPE NCC)
Chapter 6 12 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Public IP Address Space
SPs distribute addresses from their assigned address
space.
End users typically request a public address space from
their ISP.
In the IPv6 world, ISPs may assign /64 blocks of addresses
to home users.
ISPs usually assign /48 blocks to enterprise users.
Blocks of IP addresses can be provider independent (PI) or
provider aggregatable (PA).
Chapter 6 13 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Provider Aggregatable Address Space
A PA block of IP addresses is used in simple topologies,
where no redundancy is needed.
PA address space is assigned by the ISP to its customer.
If the customer changes its ISP, the new ISP will give the
customer a new PA address space.
All devices with public IP addresses will have to be
renumbered.
Chapter 6 14 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Provider-Independent Address Space
For a multihomed connection, a PI address space is
required.
The PI address space must be acquired from an RIR.
After successfully processing an address space request, the
RIR assigns the PI address space and a public autonomous
system number (ASN).
The enterprise then configures their Internet gateway
routers to advertise the newly assigned IP address space to
neighboring ISPs; the Border Gateway Protocol (BGP) is
typically used for this task.
Chapter 6 15 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Autonomous System Numbers
“a set of routers under a single technical administration,
using an IGP and common metrics to determine how to
route packets within the autonomous system, and using an
inter-autonomous system routing protocol to determine how
to route packets to other autonomous systems.” –RFC 4271
The ASNs 0, 65,535, and 4,294,967,295 are reserved by
the IANA.
4,200,000,000 through 4,294,967,294 are private.
64,496 through 64,511 and 65,536 through 65,551 should
be used in samples and documentations
Chapter 6 16 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Establishing Single-Homed IPv4 Internet Connectivity
Chapter 6 17 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Upon completion of this section, you will be able to do the
following:
• Describe how to configure your router with both a provider-assigned
static IPv4 address and a provider-assigned DHCP address.
• Understand DHCP operation and describe how to use a router as a
DHCP server and relay agent.
• Identify the various types of NAT.
• Describe the NAT virtual interface (NVI) feature, configuration, and
verification
Chapter 6 18 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Configuring a Provider-Assigned IPv4 Address
Chapter 6 19 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
DHCP Operation
Other possible messages are:
• DHCPDECLINE: A message sent from a client to a server indicating that the address is already in use.
• DHCPNAK: A message sent from a server indicating that it is refusing a client’s request for configuration.
• DHCPRELEASE: A message sent from a client indicating to a server that it is giving up a lease.
• DHCPINFORM: A message sent from a client indicating that it already has an IPv4 address, but is requesting other configuration parameters
Chapter 6 20 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Obtaining a Provider-Assigned IPv4 Address with DHCP
Chapter 6 21 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Configuring a Router as a DHCP Server and DHCP Relay Agent
Chapter 6 22 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
NAT 1/3
NAT includes the following four types of addresses:
• Inside local address: The IPv4 address assigned to a device on the
internal network.
• Inside global address: The IPv4 address of an internal device as it
appears to the external network. This is the address to which the
inside local address is translated.
• Outside local address: The IPv4 address of an external device as it
appears to the internal network.
• Outside global address: The IPv4 address assigned to a device on
the external network.
Chapter 6 23 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
NAT 2/3
When a packet travels from an inside domain to an outside
domain, it is routed first and then translated and forwarded
out the exit interface.
When a packet travels from an outside domain to an inside
domain, the process is reversed.
The three types of NAT are as follows:
• Static NAT (one-to-one)
• Dynamic NAT (many-to-many) Static NAT
• Port Address Translation (PAT) (many-to-one)
Chapter 6 24 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
NAT 3/3
The show ip nat translations command is used to verify
which addresses are currently being translated
255
Chapter 6 25 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Configuring Static NAT
Chapter 6 26 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Configuring Dynamic NAT
Chapter 6 27 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Configuring PAT Also known as NAT overloading, is the most widely used
form of NAT.
Chapter 6 28 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Limitations of NAT
End-to-end visibility issues
Tunneling becomes more complex
In certain topologies, standard NAT may not work
correctly
Chapter 6 29 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
NAT Virtual Interface
As of Cisco IOS Software Release 12.3(14)T Cisco
introduced a new feature, NAT virtual interface (NVI).
It removes the requirement to configure an interface as
inside or outside.
The NVI order of operations is also slightly different than
NAT.
NVI performs routing, translation, and routing again, no
matter which way the traffic is flowing.
Chapter 6 30 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Configuring NAT Virtual Interface 1/3
Chapter 6 31 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Configuring NAT Virtual Interface 2/3
Chapter 6 32 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Configuring NAT Virtual Interface 3/3
Chapter 6 33 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Verifying NAT Virtual Interface 1/3
Chapter 6 34 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Verifying NAT Virtual Interface 2/3
Chapter 6 35 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Verifying NAT Virtual Interface 3/3
Chapter 6 36 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Establishing Single-Homed IPv6 Internet Connectivity
Chapter 6 37 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Upon completion of this section, you will be able to do the
following:
• Describe the various ways that your router can obtain an IPv6
address.
• Understand DHCP for IPv6 (DHCPv6) operation and describe the use
of a router as a DHCPv6 server and relay agent.
• Describe the use of NAT for IPv6
• Identify how to configure IPv6 ACLs
• Describe the need to secure IPv6 Internet connectivity
Chapter 6 38 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Obtaining a Provider-Assigned IPv6 Address
The IPv6 address assignment methods are as follows:
• Manual assignment
• Stateless address autoconfiguration (SLAAC)
• Stateless DHCPv6
• Stateful DHCPv6
• DHCPv6 prefix delegation (DHCPv6-PD)
Chapter 6 39 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Manual Assignment
As with IPv4, an IPv6 address can be statically assigned by
a network administrator.
This assignment method can be error-prone and introduces
significant administrative overhead.
However, it is necessary in some cases.
For security, some recommendations include choosing
addresses that are not easily guessed and avoiding any
embedded existing IPv4 addresses.
Chapter 6 40 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Configuring Basic IPv6 Internet Connectivity 1/2
Chapter 6 41 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Configuring Basic IPv6 Internet Connectivity 2/2
Chapter 6 42 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Stateless Address Autoconfiguration
SLAAC provides the capability for a device to obtain IPv6
addressing information without any intervention from the
network administrator.
This is achieved with the help of RAs, which are sent by
routers on the local link.
IPv6 hosts listen for these RAs and use the advertised
prefix, which must be 64 bits long.
The host generates the remaining 64 host bits either by
using the IEEE EUI-64 format or by creating a random
sequence of bits.
Chapter 6 43 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
IEEE EUI-64
IEEE EUI-64 format interface IDs are derived from an
interface’s 48-bit IEEE 802 MAC address using the
following process:
1. The MAC address is split into two 24-bit parts.
2. 0xFFFE is inserted between the two parts, resulting in a 64-bit
value.
3. The seventh bit of the first octet is inverted.
For example, MAC address of 00AA.BBBB.CCCC would
result in an IPv6 EUI-64 format interface ID of
02AA:BBFF:FEBB:CCCC.
Chapter 6 44 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Enabling SLAAC
Use the ipv6 address autoconfig [default] interface
configuration command.
If a default router is selected on this interface, the optional
default keyword causes a default route to be installed using
that default router.
You can specify the default keyword on only one interface.
Chapter 6 45 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
DHCPv6 Operation
In the IPv6 world, there are two types of DHCPv6:
Stateless: Used to supply additional parameters to clients
that already have an IPv6 address.
Stateful: Similar to DHCP for IPv4 (DHCPv4).
Chapter 6 46 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Stateless DCHPv6 1/2
Stateless DHCPv6 works in combination with SLAAC.
An IPv6 host gets its addressing and default router
information using SLAAC.
However, the IPv6 host also queries a DHCPv6 server for
other information it needs, such as the DNS or NTP server
addresses.
Chapter 6 47 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Stateless DCHPv6 2/2
Chapter 6 48 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Stateful DHCPv6 1/2
RAs use the managed address configuration flag bit to tell
IPv6 hosts to get their addressing and additional information
only from the DHCPv6 server.
The DHCPv6 server then allocates addresses to the host
and tracks the allocated address.
To allow a router to acquire an IPv6 address on an interface
from a DHCPv6 server, use the ipv6 address dhcp
interface configuration command.
Chapter 6 49 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Stateful DHCPv6 2/2
Chapter 6 50 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
NAT for IPv6
In IPv4, NAT is typically used to translate private addresses
to public addresses when communicating on the Internet.
In IPv6, we do not have to worry about private-to-public
address translation, but some forms of NAT are still used.
Chapter 6 51 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
NAT64
NAT Protocol Translation (NAT-PT) was the initial translation scheme for facilitating communication between IPv6 and IPv4.
NAT-PT has been deprecated and replaced by NAT64.
With NAT64, one or multiple public IPv4 addresses are shared by many IPv6-only devices, using overloading.
NAT64 performs both address and IP header translation.
An example use of NAT64 is to provide IPv4 Internet connectivity to IPv6 devices, during the transition to a full IPv6 Internet.
Chapter 6 52 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
NPTv6
NPTv6 is described in RFC 6296, IPv6-to-IPv6 Network
Prefix Translation.
NPTv6 is a one-to-one stateless translation.
The idea for NPTv6 is that an organization’s internal IPv6
addressing can be independent of its ISP’s address space,
making it easier to change ISPs.
One use of NPTv6 is when an organization has connections
to two ISPs.
Chapter 6 53 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
IPv6 ACLs
ACLs are often used for security purposes.
For IPv6 ACLs, some configuration commands and details
differ somewhat from IPv4 ACLs, but the concepts remain
the same.
Chapter 6 54 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
IPv6 ACL Characteristics
One change from IPv4 is that IPv6 ACLs are always named
and extended.
For IPv6, there are three implicit rules at the end of each
ACL, as follows:
• permit icmp any any nd-na
• permit icmp any any nd-ns
• deny ipv6 any any
Chapter 6 55 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Configuring IPv6 ACLs 1/3
-The ACL should block all ICMP echo requests and Telnet requests to the TFTP server. -TFTP traffic from the Internet should only be allowed to the TFTP server, not to other internal hosts.
Chapter 6 56 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Configuring IPv6 ACLs 2/3
Chapter 6 57 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Configuring IPv6 ACLs 3/3
-To apply an ACL to a vty line, use the ipv6 access-class ACL-name line configuration command.
Chapter 6 58 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Securing IPv6 Internet Connectivity
Enabling IPv6 Internet connectivity results in several new
attack vulnerabilities in your infrastructure.
End hosts connected to the Internet are usually no longer
hidden behind the NAT as they typically are with IPv4.
To secure end hosts that are connected to the IPv6 Internet,
the use of a stateful firewall is recommended.
You should also harden the IPv6 protocols being used by
disabling unnecessary functions and optimizing default
settings.
Chapter 6 59 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Improving Internet Connectivity Resilience
Chapter 6 60 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Upon completion of this section, you will be able to do the
following:
• Describe the disadvantages of single-homed Internet connectivity
• Describe dual-homed Internet connectivity
• Describe multihomed Internet connectivity
Chapter 6 61 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Drawbacks of a Single-Homed Internet Connectivity
Chapter 6 62 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Dual-Homed Internet Connectivity
Chapter 6 63 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Configuring Best Path for Dual-Homed Internet Connectivity 1/2
Either static routing toward the ISP or BGP with the ISP are commonly used to route outbound traffic.
In simple networks, static routes with different ADs (called floating static routes) can be used.
Alternatively, you can redistribute a default route or a subset of Internet routes into your internal routing protocol.
First-hop redundancy protocols (FHRPs) can also be used to properly route packets to the appropriate Internet gateway.
Chapter 6 64 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Configuring Best Path for Dual-Homed Internet Connectivity 2/2
Chapter 6 65 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Multihomed Internet Connectivity 1/2
Establishing a multihomed
environment involves
meeting some requirements:
• You must have PI address
space and your own ASN.
• You must establish connectivity
with two independent ISPs.
The Internet gateways use
BGP to advertise your PI
address space to both ISPs
and to learn routes from both
ISPs.
Chapter 6 66 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Multihomed Internet Connectivity 2/2
The ISPs can send the following to your network:
• The ISPs can send only a default route.
• The ISPs can send a partial routing table
• The ISPs could also send you a full routing table
When configuring your border Internet gateways, be careful. Route filtering is usually required both inbound and outbound.
• Your network might become a transit path.
BGP configuration can be complex, and full routing tables consume a lot of router resources.
• Estimated 2GB of RAM to store the full IPv4 routing table.
Chapter 6 67 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Summary
Chapter 6 68 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Read it in the book!
Chapter 6 69 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public