
Implementing Cisco IP Routing (ROUTE)

Chapter 6:
Enterprise Internet
Connectivity

Prepared by: Ing. Ariel Germán


For: ITLA
Based on: Foundation Learning Guide
CCNP ROUTE 300-101
Diane Teare, Bob Vachon, Rick Graziani
2015
ROUTE v6 Chapter 6
© 2007-2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

Chapter 6 Topics
Planning Enterprise Internet Connectivity
Establishing Single-Homed IPv4 Internet Connectivity

Establishing Single-Homed IPv6 Internet Connectivity


Improving Internet Connectivity Resilience
Summary


Planning Enterprise Internet


Connectivity


Upon completion of this section, you will be able to do the following:
Identify the Internet connectivity needs of organizations
Identify the different types of ISP connectivity
Describe public IP address assignments and the need for provider-independent IP addressing
Describe autonomous system numbers


Connecting Enterprise Networks to an ISP


Modern corporate IP networks connect to the global
Internet.
They use the Internet for some of their data transport
needs, and provide services via the Internet to customers
and business partners.


Enterprise Connectivity Requirements 1/2


Enterprise connectivity requirements can be categorized as:
Outbound:
Only one-way connectivity, initiated by inside clients toward the Internet, is required.
Private IPv4 addressing with NAT is sufficient.
This situation is found in most homes.

Inbound:
Two-way connectivity is needed.
Clients external to the enterprise network can access resources in the enterprise network.
In this case, both public and private IPv4 address space is needed.
Routing and security considerations apply as well: the published services need reachable public addresses and explicit access policy.


Enterprise Connectivity Requirements 2/2


The type of redundancy required includes:
Edge device redundancy
Link redundancy
ISP redundancy


ISP Redundancy


Public IP Address Assignment


The Internet Assigned Numbers Authority (IANA) and the
regional Internet registries (RIRs) are involved with public IP
address assignment.


The Internet Assigned Numbers Authority


The IANA is the umbrella organization responsible for
allocating the numbering systems that are used in the
technical standards.
IANA responsibilities include the following:
Coordinate the global pool of IPv4 and IPv6 addresses, and provide
them to RIRs.
Coordinate the global pool of autonomous system numbers and
provide them to RIRs.
Manage the Domain Name System (DNS) root zone.
Manage the IP numbering systems (in conjunction with standards
bodies).


Regional Internet Registries


RIRs are nonprofit corporations established for the purpose of
administration and registration of IP address space and
autonomous system numbers.
There are five RIRs, as follows:
African Network Information Centre (AfriNIC)
Asia Pacific Network Information Centre (APNIC)
American Registry for Internet Numbers (ARIN)
Latin American and Caribbean IP Address Regional Registry (LACNIC)
Réseaux IP Européens Network Coordination Centre (RIPE NCC)

Public IP Address Space


ISPs distribute addresses from their assigned address space.
End users typically request public address space from their ISP.
In the IPv6 world, ISPs may assign /64 blocks of addresses
to home users.
ISPs usually assign /48 blocks to enterprise users.
Blocks of IP addresses can be provider independent (PI) or
provider aggregatable (PA).

Provider Aggregatable Address Space


A PA block of IP addresses is used in simple topologies,
where no redundancy is needed.
PA address space is assigned by the ISP to its customer.

If the customer changes its ISP, the new ISP will give the
customer a new PA address space.
All devices with public IP addresses will have to be
renumbered.


Provider-Independent Address Space


For a multihomed connection, a PI address space is
required.
The PI address space must be acquired from an RIR.
After successfully processing an address space request, the
RIR assigns the PI address space and a public autonomous
system number (ASN).
The enterprise then configures their Internet gateway
routers to advertise the newly assigned IP address space to
neighboring ISPs; the Border Gateway Protocol (BGP) is
typically used for this task.

Autonomous System Numbers


RFC 4271 defines an autonomous system as "a set of routers under a single technical administration, using an IGP and common metrics to determine how to route packets within the autonomous system, and using an inter-autonomous system routing protocol to determine how to route packets to other autonomous systems."
The ASNs 0, 65,535, and 4,294,967,295 are reserved by the IANA.
64,512 through 65,534 and 4,200,000,000 through 4,294,967,294 are private (RFC 6996) and must not be advertised to the Internet.
64,496 through 64,511 and 65,536 through 65,551 are set aside for use in examples and documentation (RFC 5398).
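The ranges above are exactly what a border router's AS_PATH filter has to recognise, so here is an added example (not part of the course material) that parses ASNs in both asplain and asdot notation (RFC 5396), classifies them against the reserved, private and documentation ranges, and flags the ones that must never appear in a path learned from an ISP. The AS_PATH strings in it are constructed sample data.

```python
"""Autonomous system number (ASN) helpers: notation conversion, range
classification and a bogon check for BGP AS_PATH attributes.

Added example, not from the ROUTE course material. Ranges come from
RFC 6996 (private ASNs), RFC 7300 (reserved 65535 and 4294967295),
RFC 7607 (AS 0) and RFC 5398 (documentation ASNs); AS 23456 is AS_TRANS
(RFC 6793), the placeholder a 2-byte speaker uses for a 4-byte ASN.
The AS_PATH strings below are constructed sample data.
"""

MAX_ASN = 4294967295


def parse_asn(text):
    """Parse an ASN in asplain ('65546') or asdot ('1.10') notation (RFC 5396)."""
    text = text.strip()
    if "." in text:
        high, low = (int(part) for part in text.split(".", 1))
        if not (0 <= high <= 65535 and 0 <= low <= 65535):
            raise ValueError("asdot halves must be 16-bit values: %r" % text)
        return (high << 16) | low
    asn = int(text)
    if not 0 <= asn <= MAX_ASN:
        raise ValueError("ASN out of 32-bit range: %r" % text)
    return asn


def to_asdot(asn):
    """asdot prints 2-byte ASNs unchanged and 4-byte ones as high.low."""
    return "%d.%d" % (asn >> 16, asn & 0xFFFF) if asn > 65535 else str(asn)


def classify_asn(asn):
    if asn in (0, 65535, MAX_ASN):
        return "reserved"
    if 64496 <= asn <= 64511 or 65536 <= asn <= 65551:
        return "documentation"
    if 64512 <= asn <= 65534 or 4200000000 <= asn <= MAX_ASN - 1:
        return "private"
    if asn == 23456:
        return "as-trans"
    return "public"


def bogon_asns(as_path):
    """ASNs in an AS_PATH (e.g. '3356 65001 {64496 64497}') that must never
    appear in a route learned from the Internet. AS_TRANS is legitimate in
    paths that crossed an old 2-byte speaker, so it is not flagged."""
    tokens = as_path.replace("{", " ").replace("}", " ").split()
    return [asn for asn in map(parse_asn, tokens)
            if classify_asn(asn) in ("reserved", "private", "documentation")]


if __name__ == "__main__":
    for path in ("3356 15169", "3356 65001 {64496 64497}", "6939 23456 4200000000"):
        print("%-28s bogons: %s" % (path, [to_asdot(a) for a in bogon_asns(path)]))
```

Cisco IOS prints 4-byte ASNs in asplain unless bgp asnotation dot is configured, which is why the parser accepts both forms. A route whose AS_PATH contains a private or documentation ASN is either a leak from a neighbour's internal numbering or a misconfiguration, and dropping it inbound is standard practice before the multihomed designs later in this chapter.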

Establishing Single-Homed IPv4 Internet Connectivity


Upon completion of this section, you will be able to do the following:
Describe how to configure your router with both a provider-assigned
static IPv4 address and a provider-assigned DHCP address.
Understand DHCP operation and describe how to use a router as a
DHCP server and relay agent.
Identify the various types of NAT.
Describe the NAT virtual interface (NVI) feature, configuration, and
verification


Configuring a Provider-Assigned IPv4 Address


DHCP Operation

A client obtains a lease with the four-message exchange DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, and DHCPACK. Other possible messages are:

DHCPDECLINE: A message sent from a client to a server indicating that the address is already in use.
DHCPNAK: A message sent from a server indicating that it is refusing a client's request for configuration.
DHCPRELEASE: A message sent from a client indicating to a server that it is giving up a lease.
DHCPINFORM: A message sent from a client indicating that it already has an IPv4 address, but is requesting other configuration parameters.

Obtaining a Provider-Assigned IPv4 Address with DHCP


Configuring a Router as a DHCP Server and DHCP Relay Agent


NAT 1/3
NAT includes the following four types of addresses:
Inside local address: The IPv4 address assigned to a device on the
internal network.
Inside global address: The IPv4 address of an internal device as it
appears to the external network. This is the address to which the
inside local address is translated.
Outside local address: The IPv4 address of an external device as it
appears to the internal network.

Outside global address: The IPv4 address assigned to a device on the external network.

NAT 2/3
When a packet travels from an inside domain to an outside
domain, it is routed first and then translated and forwarded
out the exit interface.
When a packet travels from an outside domain to an inside
domain, the process is reversed.
The three types of NAT are as follows:
Static NAT (one-to-one)
Dynamic NAT (many-to-many)
Port Address Translation (PAT) (many-to-one)


NAT 3/3
The show ip nat translations command is used to verify which addresses are currently being translated.
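To make the four address terms and the translation order concrete, here is an added example (not from the course material) that models a PAT table in Python: outbound packets create entries, inbound packets are accepted only if an entry exists, and a dump in the column order of show ip nat translations is produced. The inside local addresses (10.0.0.x), the inside global address (203.0.113.2) and the outside host (198.51.100.10) are constructed from the RFC 1918 and RFC 5737 ranges; ports are handed out sequentially, whereas a real router tries to keep the original source port when it is free.

```python
"""Port Address Translation (PAT) modelled as a translation table.

Added example, not from the ROUTE course material. It makes the four NAT
address terms concrete: inside local (10.0.0.x, private), inside global
(203.0.113.2, the one public address every inside host is translated to),
outside global (the Internet host) and outside local (the same address, since
only the source side is translated here). All addresses are constructed from
the RFC 1918 and RFC 5737 documentation ranges. Ports are handed out
sequentially; a real router tries to keep the original source port when free.
"""


class PatTable:
    def __init__(self, inside_global, first_port=1024, last_port=65535):
        self.inside_global = inside_global
        self.next_port = first_port
        self.last_port = last_port
        # (proto, inside local ip, inside local port, outside global ip, port) -> inside global port
        self.out_map = {}
        # (proto, inside global port, outside global ip, port) -> (inside local ip, inside local port)
        self.in_map = {}

    def translate_outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Inside -> outside: the packet has already been routed to the outside
        interface; now the inside local source becomes the inside global address."""
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_map:
            if self.next_port > self.last_port:
                raise RuntimeError("PAT port pool exhausted")
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(proto, port, dst_ip, dst_port)] = (src_ip, src_port)
        return (proto, self.inside_global, self.out_map[key], dst_ip, dst_port)

    def translate_inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Outside -> inside: translated first, then routed. A packet is
        accepted only if an inside host created the entry; anything else
        (an unsolicited connection attempt from the Internet) returns None
        and is dropped. This is the 'hiding' effect the IPv6 slides refer to."""
        if dst_ip != self.inside_global:
            return None
        entry = self.in_map.get((proto, dst_port, src_ip, src_port))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return (proto, src_ip, src_port, inside_ip, inside_port)

    def show_translations(self):
        """Rows in the column order of 'show ip nat translations':
        Pro, Inside global, Inside local, Outside local, Outside global."""
        rows = []
        for (proto, il_ip, il_port, og_ip, og_port), ig_port in self.out_map.items():
            rows.append((proto,
                         "%s:%d" % (self.inside_global, ig_port),
                         "%s:%d" % (il_ip, il_port),
                         "%s:%d" % (og_ip, og_port),
                         "%s:%d" % (og_ip, og_port)))
        return rows


if __name__ == "__main__":
    nat = PatTable("203.0.113.2")
    # two inside hosts that happen to pick the same source port
    nat.translate_outbound("tcp", "10.0.0.5", 40000, "198.51.100.10", 443)
    nat.translate_outbound("tcp", "10.0.0.6", 40000, "198.51.100.10", 443)
    for row in nat.show_translations():
        print("%-4s %-20s %-18s %-20s %s" % row)
    print(nat.translate_inbound("tcp", "198.51.100.10", 443, "203.0.113.2", 1024))
    print(nat.translate_inbound("tcp", "198.51.100.10", 443, "203.0.113.2", 2000))
```

The two inside hosts both use source port 40000; the table disambiguates them with different inside global ports, which is the many-to-one mapping the PAT slide describes. The dropped unsolicited packet is a side effect of the table, not a firewall rule: PAT does not inspect anything, so it is not a substitute for the stateful firewall recommended later for IPv6.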


Configuring Static NAT


Configuring Dynamic NAT


Configuring PAT
PAT, also known as NAT overloading, is the most widely used form of NAT.


Limitations of NAT
End-to-end visibility issues
Tunneling becomes more complex

In certain topologies, standard NAT may not work correctly


NAT Virtual Interface


Cisco IOS Software Release 12.3(14)T introduced a new feature, NAT virtual interface (NVI).
It removes the requirement to configure an interface as inside or outside.
The NVI order of operations is also slightly different from classic NAT:
NVI performs routing, translation, and routing again, no matter which way the traffic is flowing.


Configuring NAT Virtual Interface 1/3


Configuring NAT Virtual Interface 2/3


Configuring NAT Virtual Interface 3/3


Verifying NAT Virtual Interface 1/3


Verifying NAT Virtual Interface 2/3


Verifying NAT Virtual Interface 3/3


Establishing Single-Homed IPv6 Internet Connectivity


Upon completion of this section, you will be able to do the following:
Describe the various ways that your router can obtain an IPv6
address.
Understand DHCP for IPv6 (DHCPv6) operation and describe the use
of a router as a DHCPv6 server and relay agent.
Describe the use of NAT for IPv6
Identify how to configure IPv6 ACLs
Describe the need to secure IPv6 Internet connectivity

Obtaining a Provider-Assigned IPv6 Address

The IPv6 address assignment methods are as follows:
Manual assignment
Stateless address autoconfiguration (SLAAC)
Stateless DHCPv6

Stateful DHCPv6
DHCPv6 prefix delegation (DHCPv6-PD)


Manual Assignment
As with IPv4, an IPv6 address can be statically assigned by
a network administrator.
This assignment method can be error-prone and introduces
significant administrative overhead.
However, it is necessary in some cases.
For security, some recommendations include choosing addresses that are not easily guessed and avoiding interface IDs that embed existing IPv4 addresses.


Configuring Basic IPv6 Internet Connectivity 1/2


Configuring Basic IPv6 Internet Connectivity 2/2


Stateless Address Autoconfiguration


SLAAC provides the capability for a device to obtain IPv6
addressing information without any intervention from the
network administrator.
This is achieved with the help of RAs, which are sent by
routers on the local link.
IPv6 hosts listen for these RAs and use the advertised prefix, which must be 64 bits long.
The host generates the remaining 64 host bits either by using the IEEE EUI-64 format or by creating a random sequence of bits.

IEEE EUI-64
IEEE EUI-64 format interface IDs are derived from an interface's 48-bit IEEE 802 MAC address using the following process:
1. The MAC address is split into two 24-bit parts.
2. 0xFFFE is inserted between the two parts, resulting in a 64-bit value.
3. The seventh bit of the first octet (the universal/local, or U/L, bit) is inverted.

For example, the MAC address 00AA.BBBB.CCCC results in an IPv6 EUI-64 format interface ID of 02AA:BBFF:FEBB:CCCC.
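The three steps above, and the SLAAC slide before them, as an added example (not from the course material): it derives the interface ID from a MAC address, combines it with a /64 prefix the way a SLAAC host does, and also runs the derivation backwards to show that an EUI-64 address hands the hardware MAC to anyone who sees the packet, which is why hosts default to randomized identifiers (RFC 4941 temporary addresses, RFC 7217 stable opaque IDs). The MAC addresses and the 2001:db8::/32-based prefixes (RFC 3849 documentation space) are constructed.

```python
"""EUI-64 interface identifiers and SLAAC addresses.

Added example, not from the ROUTE course material. The MAC addresses and
the 2001:db8::/32-based prefixes (RFC 3849 documentation space) are
constructed. Besides deriving the ID as the slide describes, it shows the
reverse: an EUI-64 address reveals the hardware MAC to anyone on the
Internet, which is why hosts default to randomized identifiers
(RFC 4941 temporary addresses, RFC 7217 stable opaque IDs).
"""
import ipaddress
import re


def mac_to_bytes(mac):
    """Accept Cisco (00AA.BBBB.CCCC), colon or dash notation."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return bytes.fromhex(digits)


def eui64_bytes(mac):
    """1. split the MAC into two 24-bit halves; 2. insert 0xFFFE between them;
    3. invert the universal/local bit (the seventh bit of the first octet,
    value 0x02)."""
    m = mac_to_bytes(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def eui64_interface_id(mac):
    """The 64-bit interface ID in the slide's notation, e.g. 02AA:BBFF:FEBB:CCCC."""
    b = eui64_bytes(mac)
    return ":".join("%02X%02X" % (b[i], b[i + 1]) for i in range(0, 8, 2))


def slaac_address(prefix, mac):
    """Combine the /64 prefix learned from a router advertisement with the
    EUI-64 interface ID; SLAAC rejects any other prefix length."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a 64-bit prefix, got /%d" % net.prefixlen)
    iid = int.from_bytes(eui64_bytes(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_address(address):
    """Recover the MAC from an EUI-64-derived address, or None when the
    interface ID is not EUI-64 shaped (randomized IDs fail the FFFE check)."""
    iid = int(ipaddress.IPv6Address(address)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02
    return "%02X%02X.%02X%02X.%02X%02X" % tuple(mac)


if __name__ == "__main__":
    addr = slaac_address("2001:db8:1:2::/64", "00AA.BBBB.CCCC")
    print(eui64_interface_id("00AA.BBBB.CCCC"), addr, mac_from_address(addr))
```

On a router, ipv6 address 2001:db8:1:2::/64 eui-64 produces the same interface ID the function computes. The reverse function is the practical caveat: an address built this way is a stable tracking identifier that survives moving between networks, and it leaks the NIC vendor through the OUI, so the "not easily guessed" advice on the manual-assignment slide applies to EUI-64 addresses as well.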


Enabling SLAAC
Use the ipv6 address autoconfig [default] interface
configuration command.
If a default router is selected on this interface, the optional
default keyword causes a default route to be installed using
that default router.
You can specify the default keyword on only one interface.


DHCPv6 Operation
In the IPv6 world, there are two types of DHCPv6:
Stateless: Used to supply additional parameters to clients
that already have an IPv6 address.
Stateful: Similar to DHCP for IPv4 (DHCPv4).


Stateless DHCPv6 1/2

Stateless DHCPv6 works in combination with SLAAC.
An IPv6 host gets its addressing and default router information using SLAAC.
However, the IPv6 host also queries a DHCPv6 server for other information it needs, such as the DNS or NTP server addresses.


Stateless DHCPv6 2/2


Stateful DHCPv6 1/2


RAs use the managed address configuration flag bit to tell
IPv6 hosts to get their addressing and additional information
only from the DHCPv6 server.
The DHCPv6 server then allocates addresses to the host
and tracks the allocated address.
To allow a router to acquire an IPv6 address on an interface
from a DHCPv6 server, use the ipv6 address dhcp
interface configuration command.


Stateful DHCPv6 2/2


NAT for IPv6


In IPv4, NAT is typically used to translate private addresses
to public addresses when communicating on the Internet.
In IPv6, we do not have to worry about private-to-public
address translation, but some forms of NAT are still used.


NAT64
NAT Protocol Translation (NAT-PT) was the initial
translation scheme for facilitating communication between
IPv6 and IPv4.
NAT-PT has been deprecated and replaced by NAT64.
With NAT64, one or multiple public IPv4 addresses are
shared by many IPv6-only devices, using overloading.
NAT64 performs both address and IP header translation.

An example use of NAT64 is to provide IPv4 Internet connectivity to IPv6 devices during the transition to a full IPv6 Internet.

NPTv6
NPTv6 is described in RFC 6296, IPv6-to-IPv6 Network
Prefix Translation.
NPTv6 is a one-to-one stateless translation.
The idea behind NPTv6 is that an organization's internal IPv6 addressing can be independent of its ISP's address space, making it easier to change ISPs.
One use of NPTv6 is when an organization has connections
to two ISPs.
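What makes the one-to-one translation stateless is the checksum-neutral algorithm in RFC 6296, which the slide does not show; here it is as an added example (not from the course material). A naive prefix swap would invalidate every TCP, UDP and ICMPv6 checksum, because the IPv6 pseudo-header covers both addresses; NPTv6 therefore also adjusts the 16-bit word at bits 48..63 so that the one's complement sum of the address is unchanged and the transport header never has to be touched. The inside prefix fd01:203:405::/48 (unique local, RFC 4193) and the outside prefix 2001:db8:1::/48 (documentation, RFC 3849) are constructed.

```python
"""Checksum-neutral prefix translation, the algorithm RFC 6296 specifies for NPTv6.

Added example, not from the ROUTE course material. The inside prefix
fd01:203:405::/48 (unique local, RFC 4193) and the outside prefix
2001:db8:1::/48 (documentation, RFC 3849) are constructed. The point shown:
a naive prefix swap would break every TCP/UDP/ICMPv6 checksum (the IPv6
pseudo-header covers both addresses), so the translator also adjusts the
16-bit word at bits 48..63 to keep the one's complement sum of the address
unchanged. That is what lets NPTv6 stay stateless and transport-agnostic.
"""
import ipaddress


def oc_add(a, b):
    """One's complement addition of two 16-bit words (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def oc_sum(words):
    total = 0
    for w in words:
        total = oc_add(total, w)
    return total


def words_of(address):
    """The eight 16-bit words of an IPv6 address."""
    packed = int(ipaddress.IPv6Address(str(address))).to_bytes(16, "big")
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def nptv6_translate(address, from_prefix, to_prefix):
    """Map an address from one prefix to the other; the same function run
    with the prefixes swapped performs the reverse translation."""
    src = ipaddress.IPv6Network(from_prefix, strict=False)
    dst = ipaddress.IPv6Network(to_prefix, strict=False)
    if src.prefixlen != dst.prefixlen or src.prefixlen > 48:
        raise ValueError("this example handles equal-length prefixes of /48 or shorter")
    addr = ipaddress.IPv6Address(address)
    if addr not in src:
        raise ValueError("%s is not covered by %s" % (addr, src))
    old = words_of(addr)
    host_mask = (1 << (128 - src.prefixlen)) - 1
    new = words_of(ipaddress.IPv6Address(int(dst.network_address) | (int(addr) & host_mask)))
    # adjustment = (sum of old prefix words) - (sum of new prefix words),
    # subtraction being addition of the one's complement
    adjustment = oc_add(oc_sum(old[:3]), ~oc_sum(new[:3]) & 0xFFFF)
    new[3] = oc_add(old[3], adjustment)
    if new[3] == 0xFFFF:   # 0xFFFF and 0x0000 are the same one's complement value;
        new[3] = 0x0000    # write the zero form (see the 0xFFFF discussion in RFC 6296)
    return str(ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in new)))


def checksum_neutral(address_a, address_b):
    """True when the two addresses contribute the same value to a transport
    checksum, i.e. a packet needs no checksum rewrite after translation."""
    return oc_sum(words_of(address_a)) % 0xFFFF == oc_sum(words_of(address_b)) % 0xFFFF


if __name__ == "__main__":
    inside, outside = "fd01:203:405::/48", "2001:db8:1::/48"
    internal = "fd01:203:405:10::1"
    external = nptv6_translate(internal, inside, outside)
    print(internal, "->", external, "checksum neutral:", checksum_neutral(internal, external))
    print(external, "->", nptv6_translate(external, outside, inside))
```

Two consequences matter for the designs in this chapter. Because no state is kept, the same function handles both directions and a second ISP simply gets a second outside prefix. And because the translator keeps no per-flow table, nothing is "hidden": RFC 6296 states explicitly that NPTv6 is not a security function, so it must be paired with the stateful firewall recommended on the "Securing IPv6 Internet Connectivity" slide.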


IPv6 ACLs
ACLs are often used for security purposes.
For IPv6 ACLs, some configuration commands and details
differ somewhat from IPv4 ACLs, but the concepts remain
the same.


IPv6 ACL Characteristics


One change from IPv4 is that IPv6 ACLs are always named
and extended.
For IPv6, there are three implicit rules at the end of each
ACL, as follows:
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any


Configuring IPv6 ACLs 1/3

- The ACL should block all ICMP echo requests and Telnet requests to the TFTP server.
- TFTP traffic from the Internet should only be allowed to the TFTP server, not to other internal hosts.
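The two requirements above and the three implicit entries from the previous slide, as an added example (not from the course material) that evaluates an IPv6 ACL in IOS order. It encodes the TFTP-server policy, records which entry matched, and checks the one mistake that only bites in IPv6: closing the list with an explicit deny ipv6 any any, which sits before the implicit neighbor-discovery permits and silently breaks ND. The server address 2001:db8:1::10, the other inside host 2001:db8:1::20 and the Internet source 2001:db8:ffff::1 are constructed from the RFC 3849 documentation prefix.

```python
"""An IPv6 ACL evaluator that applies entries in order and appends the three
implicit entries IOS adds to every IPv6 ACL.

Added example, not from the ROUTE course material. It encodes the TFTP-server
policy of the slide; the server address 2001:db8:1::10, the other inside host
2001:db8:1::20 and the Internet source 2001:db8:ffff::1 are constructed from
the RFC 3849 documentation prefix. ICMPv6 type numbers are from RFC 4443 and
RFC 4861.
"""
import ipaddress

ECHO_REQUEST, ND_NS, ND_NA = 128, 135, 136

# An entry is (action, protocol, source, destination, selector); None means
# "any". The selector is a destination port for tcp/udp and a type for icmp.
IMPLICIT_ENTRIES = [
    ("permit", "icmp", None, None, ND_NA),   # permit icmp any any nd-na
    ("permit", "icmp", None, None, ND_NS),   # permit icmp any any nd-ns
    ("deny", "ipv6", None, None, None),      # deny ipv6 any any
]

SERVER = "2001:db8:1::10/128"
TFTP_SERVER_ACL = [
    ("deny", "icmp", None, SERVER, ECHO_REQUEST),  # deny icmp any host 2001:db8:1::10 echo-request
    ("deny", "tcp", None, SERVER, 23),             # deny tcp any host 2001:db8:1::10 eq telnet
    ("permit", "udp", None, SERVER, 69),           # permit udp any host 2001:db8:1::10 eq tftp
    ("deny", "udp", None, None, 69),               # deny udp any any eq tftp
    ("permit", "ipv6", None, None, None),          # permit ipv6 any any
]

# Same policy but closed by an explicit deny: the implicit ND permits are
# never reached, so neighbor discovery through the interface breaks.
BROKEN_ACL = TFTP_SERVER_ACL[:-1] + [("deny", "ipv6", None, None, None)]


def packet(proto, src, dst, dport=None, icmp_type=None):
    return {"proto": proto, "src": src, "dst": dst, "dport": dport, "type": icmp_type}


def _addr_matches(spec, addr):
    return spec is None or ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(spec, strict=False)


def _entry_matches(entry, pkt):
    _action, proto, src, dst, selector = entry
    if proto != "ipv6" and proto != pkt["proto"]:
        return False
    if not (_addr_matches(src, pkt["src"]) and _addr_matches(dst, pkt["dst"])):
        return False
    if selector is None:
        return True
    return pkt["type"] == selector if pkt["proto"] == "icmp" else pkt["dport"] == selector


def evaluate(acl, pkt):
    """Return (action, index) of the first matching entry; an index of
    len(acl) or more means one of the implicit entries matched."""
    for index, entry in enumerate(list(acl) + IMPLICIT_ENTRIES):
        if _entry_matches(entry, pkt):
            return entry[0], index
    raise AssertionError("unreachable: the implicit deny matches everything")


def nd_works(acl):
    """Sanity check to run before applying an ACL inbound on a LAN-facing
    interface: would a neighbor solicitation still get through?"""
    ns = packet("icmp", "fe80::1", "ff02::1:ff00:20", icmp_type=ND_NS)
    return evaluate(acl, ns)[0] == "permit"


if __name__ == "__main__":
    internet = "2001:db8:ffff::1"
    for pkt in (packet("icmp", internet, "2001:db8:1::10", icmp_type=ECHO_REQUEST),
                packet("tcp", internet, "2001:db8:1::10", dport=23),
                packet("udp", internet, "2001:db8:1::10", dport=69),
                packet("udp", internet, "2001:db8:1::20", dport=69)):
        print(pkt["proto"], pkt["dst"], pkt["dport"] or pkt["type"], evaluate(TFTP_SERVER_ACL, pkt))
    print("ND with explicit deny at the end:", nd_works(BROKEN_ACL))
```

The IOS equivalent of each entry is in the comments; the list is applied with ipv6 traffic-filter on the Internet-facing interface. The broken variant is a habit carried over from IPv4, where an explicit deny ip any any at the end changes nothing. On a stricter ACL that has no final permit, remember that ICMPv6 is not optional the way ICMP was in IPv4: at minimum packet-too-big (type 2) must be allowed for path MTU discovery to work (RFC 4890 lists the types to permit).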

Configuring IPv6 ACLs 2/3


Configuring IPv6 ACLs 3/3

- To apply an ACL to a vty line, use the ipv6 access-class ACL-name line configuration command.


Securing IPv6 Internet Connectivity


Enabling IPv6 Internet connectivity exposes your infrastructure to several new attack vectors.
End hosts connected to the Internet are usually no longer
hidden behind the NAT as they typically are with IPv4.
To secure end hosts that are connected to the IPv6 Internet,
the use of a stateful firewall is recommended.
You should also harden the IPv6 protocols being used by
disabling unnecessary functions and optimizing default
settings.

Improving Internet Connectivity Resilience


Upon completion of this section, you will be able to do the following:
Describe the disadvantages of single-homed Internet connectivity
Describe dual-homed Internet connectivity
Describe multihomed Internet connectivity


Drawbacks of Single-Homed Internet Connectivity


Dual-Homed Internet Connectivity


Configuring Best Path for Dual-Homed Internet Connectivity 1/2
Either static routing toward the ISP or BGP with the ISP is commonly used to route outbound traffic.
In simple networks, static routes with different administrative distances (called floating static routes) can be used.
Alternatively, you can redistribute a default route or a subset of Internet routes into your internal routing protocol.
First-hop redundancy protocols (FHRPs) can also be used to direct packets to the appropriate Internet gateway.

Configuring Best Path for Dual-Homed Internet Connectivity 2/2


Multihomed Internet Connectivity 1/2


Establishing a multihomed environment involves meeting some requirements:
You must have PI address space and your own ASN.
You must establish connectivity with two independent ISPs.
The Internet gateways use BGP to advertise your PI address space to both ISPs and to learn routes from both ISPs.

Multihomed Internet Connectivity 2/2


The ISPs can send the following to your network:
Only a default route
A partial routing table
A full routing table

When configuring your border Internet gateways, be careful:
Route filtering is usually required both inbound and outbound.
Without outbound filtering, routes learned from one ISP are re-advertised to the other and your network becomes a transit path between them.
BGP configuration can be complex, and full routing tables consume a lot of router resources: an estimated 2 GB of RAM is needed to store the full IPv4 routing table.

Summary


Read it in the book!

