En Route v7 Ch06

Implementing Cisco IP Routing (ROUTE)
Chapter 6:
Enterprise Internet
Connectivity
Elaborated by: Ing. Ariel Germn

For: ITLA
Based on: Foundation Learning Guide
CCNP ROUTE 300-101
Diane Teare, Bob Vachon, Rick Graziani
2015
ROUTE v6 Chapter 6
2007 2010, Cisco Systems, Inc. All rights reserved. Cisco Public 1
Chapter 6 Topics
Planning Enterprise Internet Connectivity
Establishing Single-Homed IPv4 Internet Connectivity
Establishing Single-Homed IPv6 Internet Connectivity
Improving Internet Connectivity Resilience
Summary
Chapter 6
Planning Enterprise Internet
Connectivity
Chapter 6
Upon completion of this section, you will be able to do the
following:
Identify the Internet connectivity needs of organizations
Identify the different types of ISP connectivity
Describe public IP address assignments and the need for provider-

independent IP addressing.
Describe autonomous system numbers
Chapter 6
Connecting Enterprise Networks to an ISP
Modern corporate IP networks connect to the global
Internet.
They use the Internet for some of their data transport

needs, and provide services via the Internet to customers
and business partners.
Chapter 6
Enterprise Connectivity Requirements 1/2
Enterprise connectivity requirements can be categorized as:
Outbound:
Only one-way connectivity outbound from clients to the Internet is required.
Private IPv4 with NAT .
This situation is found in most homes.
Inbound:
Two-way connectivity is needed
Clients external to the enterprise network can access resources in the
enterprise network.
In this case, both public and private IPv4 address space is needed.
Routing and security consideration as well.
Chapter 6
Enterprise Connectivity Requirements 2/2
The type of redundancy required includes:
Edge device redundancy
Link redundancy
ISP redundancy
Chapter 6
ISP Redundancy
Chapter 6
Public IP Address Assignment
The Internet Assigned Numbers Authority (IANA) and the
regional Internet registries (RIRs) are involved with public IP
address assignment.
Chapter 6
The Internet Assigned Numbers Authority
The IANA is the umbrella organization responsible for
allocating the numbering systems that are used in the
technical standards.
IANA responsibilities include the following:
Coordinate the global pool of IPv4 and IPv6 addresses, and provide
them to RIRs.
Coordinate the global pool of autonomous system numbers and
provide them to RIRs.
Manage the Domain Name Service (DNS) root zone.
Manage the IP numbering systems (in conjunction with standards
bodies).
Chapter 6
Regional Internet Registries
RIRs are nonprofit corporations established for the purpose of
administration and registration of IP address space and
autonomous system numbers.
There are five RIRs, as follows:
African Network Information Centre (AfriNIC)
Asia Pacific Network Information Centre (APNIC)
American Registry for Internet Numbers (ARIN)
Latin American and Caribbean IP Address Regional Registry

(LACNIC)
Resaux IP Europens Network Coordination Centre (RIPE NCC)

Chapter 6
Public IP Address Space
SPs distribute addresses from their assigned address
space.
End users typically request a public address space from

their ISP.
In the IPv6 world, ISPs may assign /64 blocks of addresses

to home users.
ISPs usually assign /48 blocks to enterprise users.
Blocks of IP addresses can be provider independent (PI) or

provider aggregatable (PA).
Chapter 6
Provider Aggregatable Address Space
A PA block of IP addresses is used in simple topologies,
where no redundancy is needed.
PA address space is assigned by the ISP to its customer.
If the customer changes its ISP, the new ISP will give the
customer a new PA address space.
All devices with public IP addresses will have to be

renumbered.
Chapter 6
Provider-Independent Address Space
For a multihomed connection, a PI address space is
required.
The PI address space must be acquired from an RIR.
After successfully processing an address space request, the

RIR assigns the PI address space and a public autonomous
system number (ASN).
The enterprise then configures their Internet gateway

routers to advertise the newly assigned IP address space to
neighboring ISPs; the Border Gateway Protocol (BGP) is
typically used for this task.
Chapter 6
Autonomous System Numbers
a set of routers under a single technical administration,
using an IGP and common metrics to determine how to
route packets within the autonomous system, and using an
inter-autonomous system routing protocol to determine how
to route packets to other autonomous systems. RFC 4271
The ASNs 0, 65,535, and 4,294,967,295 are reserved by

the IANA.
4,200,000,000 through 4,294,967,294 are private.
64,496 through 64,511 and 65,536 through 65,551 should

be used in samples and documentations
Chapter 6
Establishing Single-
Homed IPv4 Internet
Connectivity
Chapter 6
following:
Describe how to configure your router with both a provider-assigned

static IPv4 address and a provider-assigned DHCP address.
Understand DHCP operation and describe how to use a router as a

DHCP server and relay agent.
Identify the various types of NAT.
Describe the NAT virtual interface (NVI) feature, configuration, and

verification
Chapter 6
Configuring a Provider-Assigned IPv4 Address
Chapter 6
DHCP Operation
Other possible messages are:
DHCPDECLINE: A message sent from a client to a server indicating that the address is already in
use.
DHCPNAK: A message sent from a server indicating that it is refusing a clients request for
configuration.
DHCPRELEASE: A message sent from a client indicating to a server that it is giving up a lease.
DHCPINFORM: A message sent from a client indicating that it already has an IPv4 address, but is
requesting other configuration parameters
Chapter 6
Obtaining a Provider-Assigned IPv4 Address
with DHCP
Chapter 6
Configuring a Router as a DHCP Server and
DHCP Relay Agent
Chapter 6
NAT 1/3
NAT includes the following four types of addresses:
Inside local address: The IPv4 address assigned to a device on the

internal network.
Inside global address: The IPv4 address of an internal device as it

appears to the external network. This is the address to which the
inside local address is translated.
Outside local address: The IPv4 address of an external device as it

appears to the internal network.
Outside global address: The IPv4 address assigned to a device on

the external network.
Chapter 6
NAT 2/3
When a packet travels from an inside domain to an outside
domain, it is routed first and then translated and forwarded
out the exit interface.
When a packet travels from an outside domain to an inside

domain, the process is reversed.
The three types of NAT are as follows:
Static NAT (one-to-one)

Dynamic NAT (many-to-many) Static NAT
Port Address Translation (PAT) (many-to-one)
Chapter 6
NAT 3/3
The show ip nat translations command is used to verify
which addresses are currently being translated
255
Chapter 6
Configuring Static NAT
Chapter 6
Configuring Dynamic NAT
Chap
ter 6 26
Configuring PAT
Also known as NAT overloading, is the most widely used
form of NAT.
Chapter
6 7
Limitations of NAT
End-to-end visibility issues
Tunneling becomes more complex
In certain topologies, standard NAT may not work

correctly
Chapter 6
NAT Virtual Interface
As of Cisco IOS Software Release 12.3(14)T Cisco
introduced a new feature, NAT virtual interface (NVI).
It removes the requirement to configure an interface as

inside or outside.
The NVI order of operations is also slightly different than

NAT.
NVI performs routing, translation, and routing again, no

matter which way the traffic is flowing.
Chapter 6
Configuring NAT Virtual Interface 1/3
Chapter 6
Chapter 6
Chapter 6
Verifying NAT Virtual Interface 1/3
Chapter
6 2007 2010, Cisco Systems, Inc. All rights reserved. Cisco Public 33
Chapter 6
Chapter
6 35
Establishing
Single-Homed
IPv6 Internet
Connectivity
Chapter 6
following:
Describe the various ways that your router can obtain an IPv6
address.
Understand DHCP for IPv6 (DHCPv6) operation and describe the use
of a router as a DHCPv6 server and relay agent.
Describe the use of NAT for IPv6
Identify how to configure IPv6 ACLs
Describe the need to secure IPv6 Internet connectivity

Chapter 6
Obtaining a Provider-Assigned IPv6 Address
The IPv6 address assignment methods are as follows:
Manual assignment
Stateless address autoconfiguration (SLAAC)
Stateless DHCPv6
Stateful DHCPv6
DHCPv6 prefix delegation (DHCPv6-PD)
Chapter 6
Manual Assignment
As with IPv4, an IPv6 address can be statically assigned by
a network administrator.
This assignment method can be error-prone and introduces

significant administrative overhead.
However, it is necessary in some cases.
For security, some recommendations include choosing

addresses that are not easily guessed and avoiding any
embedded existing IPv4 addresses.
Chapter 6
Configuring Basic IPv6 Internet Connectivity 1/2
Chapter 6
Configuring Basic IPv6 Internet Connectivity 2/2
Chapter 6 1
Stateless Address Autoconfiguration
SLAAC provides the capability for a device to obtain IPv6
addressing information without any intervention from the
network administrator.
This is achieved with the help of RAs, which are sent by

routers on the local link.
IPv6 hosts listen for these RAs and use the advertised
prefix, which must be 64 bits long.
The host generates the remaining 64 host bits either by

using the IEEE EUI-64 format or by creating a random
sequence of bits.
Chapter 6
IEEE EUI-64
IEEE EUI-64 format interface IDs are derived from an
interfaces 48-bit IEEE 802 MAC address using the
following process:
1. The MAC address is split into two 24-bit parts.

2. 0xFFFE is inserted between the two parts, resulting in a 64-bit
value.
3. The seventh bit of the first octet is inverted.
For example, MAC address of 00AA.BBBB.CCCC would

result in an IPv6 EUI-64 format interface ID of
02AA:BBFF:FEBB:CCCC.
Chapter 6
Enabling SLAAC
Use the ipv6 address autoconfig [default] interface
configuration command.
If a default router is selected on this interface, the optional

default keyword causes a default route to be installed using
that default router.
You can specify the default keyword on only one interface.
Chapter 6
DHCPv6 Operation
In the IPv6 world, there are two types of DHCPv6:
Stateless: Used to supply additional parameters to clients

that already have an IPv6 address.
Stateful: Similar to DHCP for IPv4 (DHCPv4).
Chapter 6
Stateless DCHPv6 1/2
Stateless DHCPv6 works in combination with SLAAC.
An IPv6 host gets its addressing and default router

information using SLAAC.
However, the IPv6 host also queries a DHCPv6 server for

other information it needs, such as the DNS or NTP server
addresses.
Chapter 6
Stateless DCHPv6 2/2
Chapter 6
Stateful DHCPv6 1/2
RAs use the managed address configuration flag bit to tell

IPv6 hosts to get their addressing and additional information
only from the DHCPv6 server.
The DHCPv6 server then allocates addresses to the host

and tracks the allocated address.
To allow a router to acquire an IPv6 address on an interface

from a DHCPv6 server, use the ipv6 address dhcp
interface configuration command.
Chapter 6
Stateful DHCPv6 2/2
Chapter 6
NAT for IPv6
In IPv4, NAT is typically used to translate private addresses
to public addresses when communicating on the Internet.
In IPv6, we do not have to worry about private-to-public

address translation, but some forms of NAT are still used.
Chapter 6
NAT64
NAT Protocol Translation (NAT-PT) was the initial
translation scheme for facilitating communication between
IPv6 and IPv4.
NAT-PT has been deprecated and replaced by NAT64.
With NAT64, one or multiple public IPv4 addresses are

shared by many IPv6-only devices, using overloading.
NAT64 performs both address and IP header translation.
An example use of NAT64 is to provide IPv4 Internet

connectivity to IPv6 devices, during the transition to a full
IPv6 Internet.
Chapter 6
NPTv6
NPTv6 is described in RFC 6296, IPv6-to-IPv6 Network
Prefix Translation.
NPTv6 is a one-to-one stateless translation.
The idea for NPTv6 is that an organizations internal IPv6

addressing can be independent of its ISPs address space,
making it easier to change ISPs.
One use of NPTv6 is when an organization has connections

to two ISPs.
Chapter 6
IPv6 ACLs
ACLs are often used for security purposes.
For IPv6 ACLs, some configuration commands and details

differ somewhat from IPv4 ACLs, but the concepts remain
the same.
Chapter 6
IPv6 ACL Characteristics
One change from IPv4 is that IPv6 ACLs are always named
and extended.
For IPv6, there are three implicit rules at the end of each
ACL, as follows:
permit icmp any any nd-na

permit icmp any any nd-ns
deny ipv6 any any
Chapter 6
Configuring IPv6 ACLs 1/3
-The ACL should block all ICMP echo requests and Telnet requests to the
TFTP server.
-TFTP traffic from the Internet should only be allowed to the TFTP server,
not to other internal hosts.
Chapter 6
Chapter 6
-To apply an ACL to a vty line, use the ipv6 access-class ACL-name line
configuration command.
Chapter 6
Securing IPv6 Internet Connectivity
Enabling IPv6 Internet connectivity results in several new
attack vulnerabilities in your infrastructure.
End hosts connected to the Internet are usually no longer

hidden behind the NAT as they typically are with IPv4.
To secure end hosts that are connected to the IPv6 Internet,

the use of a stateful firewall is recommended.
You should also harden the IPv6 protocols being used by

disabling unnecessary functions and optimizing default
settings.
Chapter 6
Improving Internet Connectivity
Resilience
Chapter 6
following:
Describe the disadvantages of single-homed Internet connectivity
Describe dual-homed Internet connectivity
Describe multihomed Internet connectivity
Chapter 6
Drawbacks of a Single-Homed Internet
Connectivity
Chapter 6
Dual-Homed Internet Connectivity
Chapter 6
Configuring Best Path for Dual-Homed Internet
Connectivity 1/2
Either static routing toward the ISP or BGP with the ISP are
commonly used to route outbound traffic.
In simple networks, static routes with different ADs (called

floating static routes) can be used.
Alternatively, you can redistribute a default route or a subset

of Internet routes into your internal routing protocol.
First-hop redundancy protocols (FHRPs) can also be used

to properly route packets to the appropriate Internet
gateway.
Chapter 6
Configuring Best Path for Dual-Homed Internet
Connectivity 2/2
Chapter 6
Multihomed Internet Connectivity 1/2
Establishing a multihomed
environment involves
meeting some requirements:
You must have PI address

space and your own ASN.
You must establish connectivity

with two independent ISPs.
The Internet gateways use

BGP to advertise your PI
address space to both ISPs
and to learn routes from both
ISPs.
Chapter 6
Multihomed Internet Connectivity 2/2
The ISPs can send the following to your network:
The ISPs can send only a default route.

The ISPs can send a partial routing table
The ISPs could also send you a full routing table
When configuring your border Internet gateways, be careful.

Route filtering is usually required both inbound and
outbound.
Your network might become a transit path.
BGP configuration can be complex, and full routing tables

consume a lot of router resources.
Estimated 2GB of RAM to store the full IPv4 routing table.
Chapter 6
Summary
Chapter 6
Read it in the book!
Chapter 6
Chapter 6

En Route v7 Ch06

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

En Route v7 Ch06

Uploaded by

Copyright:

Available Formats

Implementing Cisco IP Routing (ROUTE)

Elaborated by: Ing. Ariel Germn

Establishing Single-Homed IPv4 Internet Connectivity

Establishing Single-Homed IPv6 Internet Connectivity

Improving Internet Connectivity Resilience

Identify the Internet connectivity needs of organizations

Identify the different types of ISP connectivity

Describe public IP address assignments and the need for provider-

Describe autonomous system numbers

They use the Internet for some of their data transport

Edge device redundancy

IANA responsibilities include the following:

There are five RIRs, as follows:

African Network Information Centre (AfriNIC)

Asia Pacific Network Information Centre (APNIC)

American Registry for Internet Numbers (ARIN)

Latin American and Caribbean IP Address Regional Registry

Resaux IP Europens Network Coordination Centre (RIPE NCC)

End users typically request a public address space from

In the IPv6 world, ISPs may assign /64 blocks of addresses

ISPs usually assign /48 blocks to enterprise users.

Blocks of IP addresses can be provider independent (PI) or

PA address space is assigned by the ISP to its customer.

All devices with public IP addresses will have to be

The PI address space must be acquired from an RIR.

After successfully processing an address space request, the

The enterprise then configures their Internet gateway

The ASNs 0, 65,535, and 4,294,967,295 are reserved by

4,200,000,000 through 4,294,967,294 are private.

64,496 through 64,511 and 65,536 through 65,551 should

Describe how to configure your router with both a provider-assigned

Understand DHCP operation and describe how to use a router as a

Identify the various types of NAT.

Describe the NAT virtual interface (NVI) feature, configuration, and

Other possible messages are:

Inside local address: The IPv4 address assigned to a device on the

Inside global address: The IPv4 address of an internal device as it

Outside local address: The IPv4 address of an external device as it

Outside global address: The IPv4 address assigned to a device on

When a packet travels from an outside domain to an inside

The three types of NAT are as follows:

Static NAT (one-to-one)

Tunneling becomes more complex

In certain topologies, standard NAT may not work

It removes the requirement to configure an interface as

The NVI order of operations is also slightly different than

NVI performs routing, translation, and routing again, no

Describe the use of NAT for IPv6

Identify how to configure IPv6 ACLs

Describe the need to secure IPv6 Internet connectivity

Stateless address autoconfiguration (SLAAC)

DHCPv6 prefix delegation (DHCPv6-PD)

This assignment method can be error-prone and introduces

However, it is necessary in some cases.

For security, some recommendations include choosing

This is achieved with the help of RAs, which are sent by

The host generates the remaining 64 host bits either by

1. The MAC address is split into two 24-bit parts.

For example, MAC address of 00AA.BBBB.CCCC would

If a default router is selected on this interface, the optional

You can specify the default keyword on only one interface.

Stateless: Used to supply additional parameters to clients

Stateful: Similar to DHCP for IPv4 (DHCPv4).

Stateless DHCPv6 works in combination with SLAAC.