6- en_ROUTE_v7_Ch06.pdf

Implementing Cisco IP Routing (ROUTE)

Chapter 6: Enterprise Internet Connectivity

Elaborated by: Ing. Ariel Germán For: ITLA Based on: Foundation Learning Guide CCNP ROUTE 300-101 Diane Teare, Bob Vachon, Rick Graziani 2015 ROUTE v6 Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

1

Chapter 6 Topics  Planning Enterprise Internet Connectivity  Establishing Single-Homed IPv4 Internet Connectivity

 Establishing Single-Homed IPv6 Internet Connectivity  Improving Internet Connectivity Resilience  Summary

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

2

Planning Enterprise Internet Connectivity

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

3

 Upon completion of this section, you will be able to do the following: • Identify the Internet connectivity needs of organizations • Identify the different types of ISP connectivity • Describe public IP address assignments and the need for providerindependent IP addressing. • Describe autonomous system numbers

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

4

Connecting Enterprise Networks to an ISP  Modern corporate IP networks connect to the global Internet.  They use the Internet for some of their data transport needs, and provide services via the Internet to customers and business partners.

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

5

Enterprise Connectivity Requirements 1/2  Enterprise connectivity requirements can be categorized as: • Outbound: • Only one-way connectivity outbound from clients to the Internet is required. • Private IPv4 with NAT . • This situation is found in most homes.

• Inbound: • Two-way connectivity is needed • Clients external to the enterprise network can access resources in the enterprise network. • In this case, both public and private IPv4 address space is needed. • Routing and security consideration as well.

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

6

Enterprise Connectivity Requirements 2/2  The type of redundancy required includes: • Edge device redundancy • Link redundancy • ISP redundancy

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

7

ISP Redundancy

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

8

Public IP Address Assignment  The Internet Assigned Numbers Authority (IANA) and the regional Internet registries (RIRs) are involved with public IP address assignment.

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

9

The Internet Assigned Numbers Authority  The IANA is the umbrella organization responsible for allocating the numbering systems that are used in the technical standards.  IANA responsibilities include the following: • Coordinate the global pool of IPv4 and IPv6 addresses, and provide them to RIRs. • Coordinate the global pool of autonomous system numbers and provide them to RIRs. • Manage the Domain Name Service (DNS) root zone. • Manage the IP numbering systems (in conjunction with standards bodies).

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

10

Regional Internet Registries  RIRs are nonprofit corporations established for the purpose of administration and registration of IP address space and autonomous system numbers.  There are five RIRs, as follows: • African Network Information Centre (AfriNIC) • Asia Pacific Network Information Centre (APNIC) • American Registry for Internet Numbers (ARIN) • Latin American and Caribbean IP Address Regional Registry (LACNIC) • Reséaux IP Européens Network Coordination Centre (RIPE NCC) Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

11

Public IP Address Space  SPs distribute addresses from their assigned address space.  End users typically request a public address space from their ISP.  In the IPv6 world, ISPs may assign /64 blocks of addresses to home users.  ISPs usually assign /48 blocks to enterprise users.  Blocks of IP addresses can be provider independent (PI) or provider aggregatable (PA). Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

12

Provider Aggregatable Address Space  A PA block of IP addresses is used in simple topologies, where no redundancy is needed.  PA address space is assigned by the ISP to its customer.

 If the customer changes its ISP, the new ISP will give the customer a new PA address space.  All devices with public IP addresses will have to be renumbered.

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

13

Provider-Independent Address Space  For a multihomed connection, a PI address space is required.  The PI address space must be acquired from an RIR.  After successfully processing an address space request, the RIR assigns the PI address space and a public autonomous system number (ASN).  The enterprise then configures their Internet gateway routers to advertise the newly assigned IP address space to neighboring ISPs; the Border Gateway Protocol (BGP) is typically used for this task. Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

14

Autonomous System Numbers  “a set of routers under a single technical administration, using an IGP and common metrics to determine how to route packets within the autonomous system, and using an inter-autonomous system routing protocol to determine how to route packets to other autonomous systems.” –RFC 4271  The ASNs 0, 65,535, and 4,294,967,295 are reserved by the IANA.  4,200,000,000 through 4,294,967,294 are private.  64,496 through 64,511 and 65,536 through 65,551 should be used in samples and documentations Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

15

Establishing SingleHomed IPv4 Internet Connectivity

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

16

 Upon completion of this section, you will be able to do the following: • Describe how to configure your router with both a provider-assigned static IPv4 address and a provider-assigned DHCP address. • Understand DHCP operation and describe how to use a router as a DHCP server and relay agent. • Identify the various types of NAT. • Describe the NAT virtual interface (NVI) feature, configuration, and verification

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

17

Configuring a Provider-Assigned IPv4 Address

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

18

DHCP Operation

 Other possible messages are: • DHCPDECLINE: A message sent from a client to a server indicating that the address is already in use.

• DHCPNAK: A message sent from a server indicating that it is refusing a client’s request for configuration. • DHCPRELEASE: A message sent from a client indicating to a server that it is giving up a lease.

• DHCPINFORM: A message sent from a client indicating that it already has an IPv4 address, but is requesting other configuration parameters Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

19

Obtaining a Provider-Assigned IPv4 Address with DHCP

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

20

Configuring a Router as a DHCP Server and DHCP Relay Agent

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

21

NAT 1/3  NAT includes the following four types of addresses: • Inside local address: The IPv4 address assigned to a device on the internal network. • Inside global address: The IPv4 address of an internal device as it appears to the external network. This is the address to which the inside local address is translated. • Outside local address: The IPv4 address of an external device as it appears to the internal network.

• Outside global address: The IPv4 address assigned to a device on the external network. Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

22

NAT 2/3  When a packet travels from an inside domain to an outside domain, it is routed first and then translated and forwarded out the exit interface.  When a packet travels from an outside domain to an inside domain, the process is reversed.  The three types of NAT are as follows: • Static NAT (one-to-one) • Dynamic NAT (many-to-many) Static NAT • Port Address Translation (PAT) (many-to-one)

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

23

NAT 3/3  The show ip nat translations command is used to verify which addresses are currently being translated

255

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

24

Configuring Static NAT

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

25

Configuring Dynamic NAT

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

26

Configuring PAT  Also known as NAT overloading, is the most widely used form of NAT.

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

27

Limitations of NAT  End-to-end visibility issues  Tunneling becomes more complex

 In certain topologies, standard NAT may not work correctly

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

28

NAT Virtual Interface  As of Cisco IOS Software Release 12.3(14)T Cisco introduced a new feature, NAT virtual interface (NVI).  It removes the requirement to configure an interface as inside or outside.  The NVI order of operations is also slightly different than NAT.  NVI performs routing, translation, and routing again, no matter which way the traffic is flowing.

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

29

Configuring NAT Virtual Interface 1/3

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

30

Configuring NAT Virtual Interface 2/3

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

31

Configuring NAT Virtual Interface 3/3

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

32

Verifying NAT Virtual Interface 1/3

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

33

Verifying NAT Virtual Interface 2/3

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

34

Verifying NAT Virtual Interface 3/3

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

35

Establishing Single-Homed IPv6 Internet Connectivity

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

36

 Upon completion of this section, you will be able to do the following: • Describe the various ways that your router can obtain an IPv6 address. • Understand DHCP for IPv6 (DHCPv6) operation and describe the use of a router as a DHCPv6 server and relay agent. • Describe the use of NAT for IPv6 • Identify how to configure IPv6 ACLs • Describe the need to secure IPv6 Internet connectivity Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

37

Obtaining a Provider-Assigned IPv6 Address  The IPv6 address assignment methods are as follows: • Manual assignment • Stateless address autoconfiguration (SLAAC) • Stateless DHCPv6

• Stateful DHCPv6 • DHCPv6 prefix delegation (DHCPv6-PD)

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

38

Manual Assignment  As with IPv4, an IPv6 address can be statically assigned by a network administrator.  This assignment method can be error-prone and introduces significant administrative overhead.  However, it is necessary in some cases.  For security, some recommendations include choosing addresses that are not easily guessed and avoiding any embedded existing IPv4 addresses.

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

39

Configuring Basic IPv6 Internet Connectivity 1/2

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

40

Configuring Basic IPv6 Internet Connectivity 2/2

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

41

Stateless Address Autoconfiguration  SLAAC provides the capability for a device to obtain IPv6 addressing information without any intervention from the network administrator.  This is achieved with the help of RAs, which are sent by routers on the local link.  IPv6 hosts listen for these RAs and use the advertised prefix, which must be 64 bits long.

 The host generates the remaining 64 host bits either by using the IEEE EUI-64 format or by creating a random sequence of bits. Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

42

IEEE EUI-64  IEEE EUI-64 format interface IDs are derived from an interface’s 48-bit IEEE 802 MAC address using the following process: 1. The MAC address is split into two 24-bit parts. 2. 0xFFFE is inserted between the two parts, resulting in a 64-bit value. 3. The seventh bit of the first octet is inverted.

 For example, MAC address of 00AA.BBBB.CCCC would result in an IPv6 EUI-64 format interface ID of 02AA:BBFF:FEBB:CCCC.

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

43

Enabling SLAAC  Use the ipv6 address autoconfig [default] interface configuration command.  If a default router is selected on this interface, the optional default keyword causes a default route to be installed using that default router.  You can specify the default keyword on only one interface.

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

44

DHCPv6 Operation  In the IPv6 world, there are two types of DHCPv6:  Stateless: Used to supply additional parameters to clients that already have an IPv6 address.  Stateful: Similar to DHCP for IPv4 (DHCPv4).

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

45

Stateless DCHPv6 1/2  Stateless DHCPv6 works in combination with SLAAC.

 An IPv6 host gets its addressing and default router information using SLAAC.  However, the IPv6 host also queries a DHCPv6 server for other information it needs, such as the DNS or NTP server addresses.

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

46

Stateless DCHPv6 2/2

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

47

Stateful DHCPv6 1/2  RAs use the managed address configuration flag bit to tell IPv6 hosts to get their addressing and additional information only from the DHCPv6 server.  The DHCPv6 server then allocates addresses to the host and tracks the allocated address.  To allow a router to acquire an IPv6 address on an interface from a DHCPv6 server, use the ipv6 address dhcp interface configuration command.

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

48

Stateful DHCPv6 2/2

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

49

NAT for IPv6  In IPv4, NAT is typically used to translate private addresses to public addresses when communicating on the Internet.  In IPv6, we do not have to worry about private-to-public address translation, but some forms of NAT are still used.

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

50

NAT64  NAT Protocol Translation (NAT-PT) was the initial translation scheme for facilitating communication between IPv6 and IPv4.  NAT-PT has been deprecated and replaced by NAT64.  With NAT64, one or multiple public IPv4 addresses are shared by many IPv6-only devices, using overloading.  NAT64 performs both address and IP header translation.

 An example use of NAT64 is to provide IPv4 Internet connectivity to IPv6 devices, during the transition to a full IPv6 Internet. Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

51

NPTv6  NPTv6 is described in RFC 6296, IPv6-to-IPv6 Network Prefix Translation.  NPTv6 is a one-to-one stateless translation.  The idea for NPTv6 is that an organization’s internal IPv6 addressing can be independent of its ISP’s address space, making it easier to change ISPs.  One use of NPTv6 is when an organization has connections to two ISPs.

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

52

IPv6 ACLs  ACLs are often used for security purposes.  For IPv6 ACLs, some configuration commands and details differ somewhat from IPv4 ACLs, but the concepts remain the same.

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

53

IPv6 ACL Characteristics  One change from IPv4 is that IPv6 ACLs are always named and extended.  For IPv6, there are three implicit rules at the end of each ACL, as follows: • permit icmp any any nd-na • permit icmp any any nd-ns • deny ipv6 any any

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

54

Configuring IPv6 ACLs 1/3

-The ACL should block all ICMP echo requests and Telnet requests to the TFTP server. -TFTP traffic from the Internet should only be allowed to the TFTP server, not to other internal hosts. Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

55

Configuring IPv6 ACLs 2/3

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

56

Configuring IPv6 ACLs 3/3

-To apply an ACL to a vty line, use the ipv6 access-class ACL-name line configuration command.

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

57

Securing IPv6 Internet Connectivity  Enabling IPv6 Internet connectivity results in several new attack vulnerabilities in your infrastructure.  End hosts connected to the Internet are usually no longer hidden behind the NAT as they typically are with IPv4.  To secure end hosts that are connected to the IPv6 Internet, the use of a stateful firewall is recommended.  You should also harden the IPv6 protocols being used by disabling unnecessary functions and optimizing default settings. Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

58

Improving Internet Connectivity Resilience

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

59

 Upon completion of this section, you will be able to do the following: • Describe the disadvantages of single-homed Internet connectivity • Describe dual-homed Internet connectivity • Describe multihomed Internet connectivity

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

60

Drawbacks of a Single-Homed Internet Connectivity

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

61

Dual-Homed Internet Connectivity

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

62

Configuring Best Path for Dual-Homed Internet Connectivity 1/2  Either static routing toward the ISP or BGP with the ISP are commonly used to route outbound traffic.  In simple networks, static routes with different ADs (called floating static routes) can be used.  Alternatively, you can redistribute a default route or a subset of Internet routes into your internal routing protocol.  First-hop redundancy protocols (FHRPs) can also be used to properly route packets to the appropriate Internet gateway. Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

63

Configuring Best Path for Dual-Homed Internet Connectivity 2/2

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

64

Multihomed Internet Connectivity 1/2  Establishing a multihomed environment involves meeting some requirements: • You must have PI address space and your own ASN. • You must establish connectivity with two independent ISPs.

 The Internet gateways use BGP to advertise your PI address space to both ISPs and to learn routes from both ISPs. Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

65

Multihomed Internet Connectivity 2/2  The ISPs can send the following to your network: • The ISPs can send only a default route. • The ISPs can send a partial routing table • The ISPs could also send you a full routing table

 When configuring your border Internet gateways, be careful. Route filtering is usually required both inbound and outbound. • Your network might become a transit path.

 BGP configuration can be complex, and full routing tables consume a lot of router resources. • Estimated 2GB of RAM to store the full IPv4 routing table. Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

66

Summary

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

67

Read it in the book!

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

68

Chapter 6 © 2007 – 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

69