CIS 185 CCNP ROUTE Chapter 1: Basic Network and Routing Concepts Rick Graziani Cabrillo College
[email protected] Spring 2015
Ch. 1 Basic Network and Routing Concepts
Differentiating Routing Protocols Enterprise Network Architecture Routing Protocols Understanding Network Technologies Traffic Types Network Types and Frame Relay Challenges TCP/IP IPv4 and IPv6 Headers TCP MSS Path MTU Discovery TCP BDP TCP Starvation ICMP Redirect Asymmetric Routing
Connecting Remote Locations Static Routing PPP Overview Frame Relay Overview Types of VPNs MPLS Overview Virtual Routing and Forwarding (VRF) and Cisco EVN VPN Overview Tunnels Characteristics of a Secure VPN DMVPN and NHRP Concepts IPv6 Overview GUA Link-local address ICMPv6 ND Implementing RIPng 2
Enterprise Network Infrastructure A high-level overview of a typical enterprise network, it can be divided into two major areas: Enterprise Campus Enterprise Edge
3
Enterprise Network Infrastructure
Enterprise Campus: Provides access to the network communications services and resources to end users and devices. Usually scalable hierarchical model Access layer Distribution layer Core layer 4
Enterprise Network Infrastructure
Enterprise Edge: Provides: Access to the Internet Access to the same network services as users at the main site. 5
Role of Dynamic Routing Protocols Routing protocols provide: Network reachability between routers Dynamically adapt to network changes
Best practice that you use one IP (IGP) routing protocol throughout the enterprise. OSPF or EIGRP Multiple routing protocols (IGP and BGP) are used when the organization is multihomed to two or more ISPs for Internet connectivity. BGP with ISP
6
Choosing a Dynamic Routing Protocol Input (network) requirements Size of the network (scalability) Vendor interoperability Familiarity What’s currently being used Protocol characteristics: IGP or EGP Type of routing algorithm Speed of convergence Scalability Summarization
7
IGP versus EGP Interior Gateway Protocols (IGP): These are used within the organization, and they exchange the routes within an AS. RIP EIGRP OSPF IS-IS Exterior Gateway Protocols (EGP): Used to exchange routes between different ASs. BGP is the only EGP that is used today.
8
Types of Routing Protocols Exterior Gateway Protocols
Interior Gateway Protocols Distance Vector Distance Vector Routing Protocols IPv4 IPv6
Link State Link State Routing Protocols
Path Vector Path Vector
RIPv2
EIGRP
OSPFv2
IS-IS
BGP-4
RIPng
EIGRP for IPv6
OSPFv3 *
IS-IS for IPv6
BGP-4 for IPv6 or MP-BGP
* OSPFv3 supports routing both IPv4 and IPv6.
9
Distance Vector Routing Protocols What does a street sign like this tell you? How far (distance) Which way (direction) Distance vector Routes are advertised as vectors of distance and direction. Distance is defined in terms of a metric Such as hop count Direction is simply the: Next-hop router or Exit interface Typically use the Bellman-Ford algorithm for the best-path (shortest) route determination
10
Link-State Protocols Link-state routing protocol can create a “complete view,” or topology, of the network. Link-state protocols are associated with Shortest Path First (SPF) calculations. A link-state router uses the linkstate information to: Create a topology map Select the best path to all destination networks in the topology. Each router makes the decision!
OR
Link State routing protocols is like having a complete map of the network topology
11
Path vector protocols
Path vector protocols: Exchanges information about: The existence of destination networks The path on how to reach the destination Path information is used to determine the best paths and to prevent routing loops.
12
Convergence Convergence is when a network has complete and accurate information about the entire network Convergence time is how fast network devices can reach the state of convergence after a topology change. Convergence time affected by: Routing protocol timers Route summarization
13
Route Protocol Scalability Scalability describes the ability of a routing protocol to support further network growth. Scalability factors include: Number of routes Number of adjacent neighbors Number of routers in the network Addressing scheme Network design Frequency of changes Available resources (CPU and memory) Hierarchical addressing, structured address assignment, and route summarization improve the overall scalability regardless of routing protocol type. 14
Ch. 1 Basic Network and Routing Concepts
Differentiating Routing Protocols Enterprise Network Architecture Routing Protocols Understanding Network Technologies Traffic Types Network Types and Frame Relay Challenges TCP/IP IPv4 and IPv6 Headers TCP MSS Path MTU Discovery TCP BDP TCP Starvation ICMP Redirect Asymmetric Routing
Connecting Remote Locations Static Routing PPP Overview Frame Relay Overview Types of VPNs MPLS Overview Virtual Routing and Forwarding (VRF) and Cisco EVN VPN Overview Tunnels Characteristics of a Secure VPN DMVPN and NHRP Concepts IPv6 Overview GUA Link-local address ICMPv6 ND Implementing RIPng
15
IP Source and Destination Addresses • •
IP Source – Always a unicast IP Destination – Unicast, multicast, anycast (or broadcast for IPv4).
IPv6
IPv4
Traffic Types Destination IP address: A device can send traffic to one recipient, to selected recipients, or to all devices within a subnet at the same time. Routing protocols use different traffic types to control how routing information is exchanged. Unicast: Unicast addresses are used in a one-to-one context. Multicast: Multicast addresses identify a group of interfaces. Traffic that is sent to a multicast address is sent to multiple destinations at the same time. Anycast: It is assigned to an interface on more than one node. When a packet is sent to an anycast address, it is routed to the nearest interface that has this address. Broadcast: IPv4 broadcast addresses are used when sending traffic to all devices in the subnet. 17
Well-known IPv4 and IPv6 multicast addresses used by routers
Notice the relationship between IPv4 and IPv6 multicast addresses.
18
Network Types Three general network types: Point-to-point network: A network that connects a single pair of routers. (Serial) Broadcast network: A network that can connect many routers along with the capability to address a single message to all of the attached routers. (Ethernet) NBMA network: A network that has single access to multiple networks but no broadcast capability. Sender needs to create an individual copy of the same packet for each recipient. NBMA networks introduce several challenges. (Frame Relay and ATM) Not all Layer 2 network topologies support all traffic types.
19
Frame Relay Point-to-Point Physical interface: Same Network
One connection to provider Alternative: Separate leased lines for each point-to-point connection
Sub-interface: Sub-interface for each separate network
20
Point-to-point subinterfaces are logical interfaces: Emulates a leased line network Provide a routing equivalent to point-to-point physical interfaces As with physical point-to-point interfaces, each interface requires its own subnet. Frame Relay point-to point is applicable to hub and spoke topologies. 21
Nonbroadcast Multiple-Access Networks
NBMA networks introduce several challenges. Distance vector (RIP and EIGRP): Split horizon Link-state (OSPF): DR (Designated Router) 22
Split horizon: Prevents a routing update that is received on an interface from being forwarded out of the same interface. Hub router will not forward routing update learned from one spoke router to other spoke routers. Solution: Disable split horizon or subinterfaces 23
DR
Designated Router: OSPF over NBMA networks works in a nonbroadcast network mode by default The hub router will not forward broadcasts/multicasts received by one spoke to other spokes. Default, OSPF treats an NBMA network like Ethernet. Requires a DR to exchange routing information between all routers on a segment. Solution: Configure the hub router can act as a DR because it is the only router that has PVCs with all other routers.
24
Replicated Broadcasts
Broadcast replication: The router must replicate broadcast (and multicast) packets, such as routing update broadcasts, on each PVC to the remote routers. Consume bandwidth and cause significant latency variations in user traffic.
25
Ch. 1 Basic Network and Routing Concepts
Differentiating Routing Protocols Enterprise Network Architecture Routing Protocols Understanding Network Technologies Traffic Types Network Types and Frame Relay Challenges TCP/IP IPv4 and IPv6 Headers TCP MSS Path MTU Discovery TCP BDP TCP Starvation ICMP Redirect Asymmetric Routing Virtual Routing and Forwarding (VRF) and Cisco EVN
Connecting Remote Locations Static Routing PPP Overview Frame Relay Overview Types of VPNs MPLS Overview VPN Overview Tunnels Characteristics of a Secure VPN DMVPN and NHRP Concepts IPv6 Overview GUA Link-local address ICMPv6 ND Implementing RIPng 26
From: 2.1: Comparing the IPv4 and IPv6 Headers IPv6 Fundamentals LiveLessons: A Straightforward Approach to Understanding IPv6 • By Rick Graziani • ISBN-10: 1-58720-457-6
• • •
The following slides are from my IPv6 LiveLessons video series. Check out my IPv6 Resource Page for more information including PowerPoint presentations, videos and links http://www.cabrillo.edu/~rgraziani/ipv6.html
Similar fields
Let’s Begin with looking at IP Headers • • •
• • •
Understanding IPv6 begins with the IPv6 header. IPv6 takes advantage of 64-bit CPUs. Several differences between IPv4 and IPv6 headers. Simpler IPv6 header. IPv6 Fixed 40 byte IPv6 header. Lets look at the differences…
IPv4
64-bit memory word
IPv6 Version • • • •
IPv4 Version contains 4. IPv6 Version contains 6. Version 5? Internet Stream Protocol (ST2)
IPv6
IPv4
IPv4 Internet Header Length • IPv4 Internet Header Length (IHL) • Length of IPv4 header in 32-bit words including any Options or Padding. • IPv6 • IHL for IPv6 is not needed. • IPv6 header is fixed at 40 bytes. IPv6 8 bytes 8 bytes 40 bytes =
8 bytes 8 bytes 8 bytes
IPv4 1 2 3 4 5 ?
IPv6 Traffic Class • IPv4 Type of Service • IPv6 Traffic Class • Not mandated by any IPv6 RFCs. • Same functionality as IPv4. • Uses same Differentiated Services technique (RFC 2474) as IPv4.
IPv4
IPv6 7
6
5
IP Precedence
4
3
2
1
0
Unsused
DiffServ Code Point (DSCP)
IP ECN
IPv6 Flow Label • • • •
IPv4 New field in IPv6 – not part of IPv4. Flow label is used to identify the packets in a common stream or flow. Traffic from source to destination share a common flow label. RFC 6437 IPv6 Flow Label Specification 11001011000101100 10110010111000111
IPv6
IPv6 Payload Length
IPv4 Header
• IPv4 Total Length – Number of bytes of the IPv4 header (options) + data. • IPv6 Payload Length – Number of bytes of the payload. • Does not include the main IPv6 header. • Includes extension headers + data IPv6 Payload IPv6 Header
IPv6 Extension Header (Optional)
Data
IPv4
Data (Payload)
IPv4 Fragmentation • IPv4 fields used for fragmentation and reassembly. • Intermediate devices such as IPv6 routers do not perform fragmentation. • Any fragmentation needed will be handled by the source using an extension header. IPv6
IPv4
IPv4 Fragmentation
PCA
MTU MTU of of outgoing outgoing link link smaller smaller than than packet packet size size – – fragment fragment IPv4 IPv4 packet. packet.
R1
R2
Link with smaller MTU
It It is is my my job job to to reassemble reassemble the the packet packet fragments. fragments.
PCB
R3
Destination
Source
1
2 IPv4 Packet
3 IPv4 Packet IPv4 Packet IPv4 Packet
IPv4
IPv4 Packet Packet IPv4 Packet IPv4 Packet
IPv6 No Fragmentation II will will use use MTU MTU of of the the interface. interface.
PCA
Source
MTU = 1500
MTU MTU of of outgoing outgoing link link smaller smaller than than packet packet size. size. Drop Drop packet. packet. Send Send ICMPv6 ICMPv6 Packet Packet Too Too Big Big message, message, use use MTU MTU 1350. 1350.
MTU = 1500 R1
Link with smaller MTU
R3
PCB Destination
1 IPv6 Packet – MTU 1500 ICMPv6 Packet Too Big Use MTU 1350
3
MTU = 1500
MTU = 1350 R2
Packet Packet received. received. No reassembly No reassembly required. required.
IPv6 Packet MTU 1350
2
IPv6 Next Header • • •
IPv4 Protocol IPv6 Next Header For both protocols, the field indicates the type of header following the IP header.
•
Common values:
• • • • •
6 = TCP 17 = UDP 58 = ICMPv6 88 = EIGRP 89 = OSPF
IPv4
IPv6
IPv6 Header
Next Header
Data (Protocol: TCP, UDP, ICMPv6, etc.)
IPv6 Hop Limit • • • •
IPv4 TTL (Time to Live) IPv4 IPv6 Hop Limit Renamed to more accurately reflect process. Set by source, every router in path decrements hop limit by 1.
•
When 0, drop packet.
IPv6
IPv6 Source and Destination Addresses • • • •
IPv6 Source and Destination addresses have the same basic functionality as IPv4. IPv4 – 32-bit addresses. IPv6 – 128-bit addresses. Some significant changes in IPv6.
IPv6
IPv4
IPv4 Header Checksum • • • •
•
IPv4 Header Checksum Not used in IPv6. Upper-layer protocols generally have a checksum (UDP and TCP). So, in IPv4 the UDP checksum is optional.
Because it’s not in IPv6, the IPv6 UDP checksum is now mandatory.
IPv4
IPv4 Options and Padding • • • •
IPv4 Options and Padding Not used in IPv6. Variable length, optional. IPv4 Options are handled using extension headers in IPv6. • Padding makes sure IPv4 options fall on a 32-bit IPv6 boundary. • IPv6 header is fixed at 40 bytes. 40 bytes =
IPv4
IPv6 Extension Header •
• • •
Next Header identifies: • The protocol carried in the data portion of the packet. • The presence of an extension header. Extension headers are optional and follow the main IPv6 header. Provide flexibility and features to the main IPv6 header for future enhancements without having to redesign the entire protocol. Allows the main IPv6 header to have a fixed size for more efficient processing.
IPv6 Main Header
Next Header
Extension Header
Next Header
Data (Protocol: TCP, UDP, ICMPv6, etc.)
IPv6 Extension Header Next Header Value (Decimal)
Extension Header Name
Extension Header Description
0
Hop-by-Hop Options
Used to carry optional information, which must be examined by every router along the path of the packet.
43
Routing
Allows the source of the packet to specify the path to the destination.
44
Fragment
Used to fragment IPv6 packets.
50
Encapsulating Security Payload (ESP)
Used to provide authentication, integrity, and encryption.
51
Authentication Header (AH)
Used to provide authentication and integrity.
60
Destination Options
Used to carry optional information that only needs to be examined by a packet’s destination node(s).
IPv6 Main Header
Next Header
0
Hop-by-Hop Extension Header
Next Header
51
AH Extension Header
Next Header
6
TCP Header
Data
MSS and Avoiding Fragmentation
TCP MSS (Maximum Segment Size) defines the largest amount of data that the receiving device is able to accept in a single TCP segment. To avoid fragmentation of an IPv4 packet, the selection of the TCP MSS is the minimum buffer size and MTU of outgoing interface minus 40 bytes. The 40 bytes takes into account the 20 byte IPv4 header and the 20 bytes TCP header. A TCP segment over IPv4 sent out an Ethernet interface will have a TCP MSS of 1460, which is 1500 bytes for the Ethernet MTU, minus 20 bytes for the IPv4 header, and minus 20 bytes for the TCP header. 44
Path MTU Discovery (PMTUD)
Used to determine the lowest MTU along a path 1. IPv4 host uses full TCP MSS determined by the outgoing interface 2. Sets the TCP DF (Don’t Fragment) bit 3. If an IPv4 router along the path needs to fragment the packet because of a lower MTU link on the egress interface: a. Drop the packet due to the DF bit being set b. Sends an ICMP Destination Unreachable message back to the originator of the packet with egress interface MTU. The PMTUD operations for IPv6 are similar to that of PMTUD for IPv4.
45
Bandwidth Delay Product (BDP) 100 Mbps pipe
More data is required to keep this pipe full of data
1 Gbps pipe
Long Fat Network (or long fat pipe) LFN ("elephan (t) )” - Network paths with high bandwidth and long round-trip delays. TCP can experience bottlenecks on LFNs (less than optimal use these paths) Because of the increased bandwidth and the distance, we need to send more data to keep the pipe full. Increased bandwidth – We can send more data Increased distance – Takes longer to send the data and get TCP Acks
46
BDP is used to optimize the TCP window size to fully utilize the link. BDP = Bandwidth (bps) * RTT in seconds The TCP window size (amount of data that can be sent before requiring an ACK) should then use the BDP. The result is the maximum amount of data that can be transmitted on the link at any given time. http://www.speedguide.net/bdp.php
47
48
TCP Starvation UDP
Wasted bandwidt h
Not always possible to separate TCP and UDP-based flows, important to be aware of this behavior when mixing applications using both UDP and TCP. TCP
Combination of TCP and UDP flows during a period of congestion: TCP backs off on bandwidth (window size) known as slow start Then begins to increase windows size All devices begin to have the same experience and synchronization happens. UDP has no flow control mechanisms continues UDP has the potential of using up the available bandwidth given up by TCP. This is known as TCP starvation/UDP dominance.
49
WRED
Global or TCP synchronization – TCP slow start, when all of our connections do this together, router’s ingress queue fills and drops new packets Solution - RED or WRED, drops some packet sooner (minimum and max thresholds) Only a few TCP flows have to go into TCP slow start and not everyone “Good of the many outweigh the good of the few or one” Different thresholds for different priorities so higher priority packets have a less likely chance of being dropped – a lower priority packet will be dropped first. 50
ICMP Redirect
Network X R1
R2
Destination: Network PCB X Host
IPv6 Network A PCA
• • •
PCB
IPv6 Network B
Similar functionality as ICMPv4. Like IPv4, a router informs an originating host of the IP address of a router that is on the local link and is closer to the destination. Unlike IPv4, a router informs an originating host that the destination host (on a different prefix/network) is on the same link as itself.
Asymmetric Routing
Asymmetric routing - A packet traverses from a source to a destination in one path and takes a different path when it returns to the source. This is commonly seen in Layer-3 routed networks. Not necessarily a bad thing – Internet and BGP.
1 – 3: DSW1 (Active HSRP routers) is default gateway for PC1 4 - 5: CSW1 load balances sending return traffic to DSW2 (not a bad thing) 6: DSW2 ARP table (4 hour default) has entry for PC1 10.1.1.100… 7: But there is no entry in its MAC table (times out 5 min) Both access layer switches are on same VLAN (not a best practice). 8: So, DSW2 floods “frames” out all ports on that VLAN (unicast flooding) Because DSW2 never sees traffic sourced from PC1 (10.1.1.100) it never updates is MAC address table and unicast flooding always occurs.
3
4
2
5
6 ARP Cache 10.1.1.100 > MacAdd
7 1
8
Mac Add Table FLOOD No entry
53
Solutions: 1. Change ARP timer (4 hours IOS) to be less than MAC Address Table (5 minutes) timer DSW2 would need send ARP request for 10.1.1.100 PC1 would send ARP Reply ARP Reply in Ethernet frame, so DSW2 can now add PC1’s MAC address to its MAC address table DSW2 will now send packet for 10.1.1.100 only out the one port 2. Do not span VLAN across multiple access layer switches
ARP Cache 10.1.1.100 > MacAdd
X
Mac Add Table No entry PC1 MAC = Port
54
Ch. 1 Basic Network and Routing Concepts
Differentiating Routing Protocols Enterprise Network Architecture Routing Protocols Understanding Network Technologies Traffic Types Network Types and Frame Relay Challenges TCP/IP IPv4 and IPv6 Headers TCP MSS Path MTU Discovery TCP BDP TCP Starvation ICMP Redirect Asymmetric Routing
Connecting Remote Locations Static Routing PPP Overview Frame Relay Overview Types of VPNs MPLS Overview Virtual Routing and Forwarding (VRF) and Cisco EVN VPN Overview Tunnels Characteristics of a Secure VPN DMVPN and NHRP Concepts IPv6 Overview GUA Link-local address ICMPv6 ND Implementing RIPng
55
Principles of Static Routing 2001:DB8:CAFE:1::/64
G0/0 :1 R1
2001:DB8:CAFE:2::/64
S0/0/0 :1
S0/0/0 :2
Static Route
R2
Please read on your own 2001:DB8:FEED:1::/64 2001:DB8:FEED:2::/64 2001:DB8:FEED:3::/64 2001:DB8:FEED:4::/64 2001:DB8:FEED:5::/64
R2(config)# ipv6 route 2001:db8:cafe:1::/64 2001:db8:cafe:2::1 A static route can be used in the following circumstances: Undesirable to have dynamic routing updates forwarded across slow bandwidth links. Administrator needs total control over the routes used by the router. Floating static route: Backup to a dynamically recognized route is necessary. Necessary to reach a network accessible by only one path (a stub network). Router connects to a single ISP and needs to have only a default route pointing toward the ISP router, rather than learning many routes from the ISP. Router is underpowered and does not have the CPU or memory resources necessary to handle a dynamic routing protocol. 56
Basic PPP Overview R1# configure terminal R1(config)# interface serial 0/0/0 R1(config-if)# ip address 192.168.1.1 255.255.255.0 R1(config-if)# encapsulation ppp
HDLC is the default serial encapsulation method when connecting two Cisco routers. PPP has several advantages over its predecessor HDLC including authentication.
57
Basic Frame Relay Overview R1# configure terminal R1(config)# interface serial 0/0/0 R1(config-if)# ip address 192.168.1.1 255.255.255.0 R1(config-if)# encapsulation frame-relay
Split horizon is disabled by default on Frame Relay physical interfaces. Various Frame Relay configurations are discussed in later chapters.
58
Using VPNs
What kind of connection? Traditionally leased lines or frame relay. Takes time to provision VPNs Easy to provision Used over different technologies – DSL, cable, DS/gig circuits Can provide security
59
Types of VPNs
Types of VPNs used for remote access: MPLS-based VPN Tunnel-based VPN (sometimes referred to as IPsec VPNs, but doesn’t have to be IPsec) Hybrid VPN (combination) Focus on VPN tunnels
60
MPLS overview
MPLS (Multi-protocol label switching) is a switching mechanism. A 32 bit header (label) is inserted by the provider (PE) router. Packets are switched through the MPLS network. The label is removed by the PE at the other end of the MPLS network. To the customer, it looks like a Layer 2 or Layer 3 connection. 61
Cisco EVN (Easy Virtual Network)
Pure IP alternative to MPLS is VRFs Virtual Routing and Forwarding (VRF) is a technology that allows the device to have multiple but separate instances of routing tables exist and work simultaneously. VRF-Lite makes it easier EVN (Easy Virtual Network) is easier and more scalable More in Chapter 8 including a cool simple lab!
62
Ch. 1 Basic Network and Routing Concepts
Differentiating Routing Protocols Enterprise Network Architecture Routing Protocols Understanding Network Technologies Traffic Types Network Types and Frame Relay Challenges TCP/IP IPv4 and IPv6 Headers TCP MSS Path MTU Discovery TCP BDP TCP Starvation ICMP Redirect Asymmetric Routing
Connecting Remote Locations Static Routing PPP Overview Frame Relay Overview Types of VPNs MPLS Overview Virtual Routing and Forwarding (VRF) and Cisco EVN VPN Overview Tunnels Characteristics of a Secure VPN DMVPN and NHRP Concepts IPv6 Overview GUA Link-local address ICMPv6 ND Implementing RIPng 63
VPN Overview
VPNs enable the exchange of information over a public (or private network) as if remote hosts would be connected to the same private network. Similar to leased lines. The majority of VPN technologies also support routing protocols. VPNs use tunnels. 64
Tunnels
Tunnels encapsulate a protocol inside another protocol Example: Encapsulating an IP packet inside another IP packet Why? Perhaps to hide/protect/encrypt the inner packet. Tunnels are created using either: IPsec Generic Routing Encapsulation (GRE) - Cisco Point to Point Tunneling Protocol (PPTP) - Microsoft Layer 2 Tunnel Protocol (L2TP) Layer 2 Forwarding (L2F) Protocol - Cisco
65
GRE tunnel – Can appears to be Layer 2 (switch in the middle) or Layer 3 adjacent (router in the middle) Packets are sent out logical tunnel interface instead of physical interface Encapsulates almost anything including multicast (for routing protocols) but no security Need IPsec for security Why not use IPsec only? IPsec is unicast only
66
Demo: Configuring a GRE Tunnel
67
Characteristics of a Secure VPN Authentication Ensures that a message: Comes from an authentic source and Goes to an authentic destination Data confidentiality Protecting data from eavesdroppers (encryption) Aims at protecting the message contents from being intercepted by unauthenticated or unauthorized sources. Data integrity Across the Internet, there is always the possibility that the data has been modified. Antireplay protection: Antireplay protection verifies that each packet is unique and not duplicated.
68
VPN Security provided by IPsec IPsec IP unicast only IPsec with GRE IP multicast dynamic IGP routing protocols non-IP protocols IPsec has two encryption modes: Tunnel mode Transport mode
Securing the information with IPsec (IP Security)
IPsec is best thought of as a set of features that protects IP data as it travels from one location to another. IPsec can protect only the IP layer and up (transport layer and userdata). IPsec cannot extend its services to the data link layer. If protection of the data link layer is needed, then some form of link encryption is needed. Often, the use of encryption is assumed to be a requirement of IPsec. In reality, encryption, or data confidentiality, is an optional (although heavily implemented) feature of IPsec.
70
IPsec
Internet Key Exchange (IKE) is a framework for: negotiation and exchange of security parameters and authentication keys Authentication Header (AH) provides the framework for: data integrity data origin authentication optional anti-replay features of IPsec Encapsulating Security Payload (ESP) provides the framework for: data confidentiality data integrity data origin authentication optional anti-replay features of IPsec ESP will do everything and more – don’t need to use both. ESP is the only IPsec protocol that provides data encryption. The following encryption methods are available to IPsec ESP: Data Encryption Standard (DES) Triple Data Encryption Standard (3DES Advanced Encryption Standard (AES)
71
VPN Security: Encapsulation
Three different protocols that tunneling uses: Carrier protocol: The protocol the information is traveling over. Frame Relay, PPP, ATM, etc. Encapsulating protocol: The protocol that is wrapped around the original data. GRE, IPsec, L2F, PPTP, L2TP Not all protocols offer the same level of security. Passenger protocol: The original data (IPv4, IPv6).
Host IP
Host IP
Transport mode: When IPsec headers are simply inserted in an IP packet (after the IP header), The original IP header is exposed and unprotected. Data at the transport layer and higher layers benefits from the implemented IPsec features. 73 Transport mode protects the transport layer and up.
Router IP
Router IP
Tunnel mode: The actual IP addresses of the original IP header, along with all the data within the packet, are protected. Tunnel mode creates a new external IP header that contains the IP addresses of the tunnel endpoints (such as routers or VPN Concentrators). The exposed IP addresses are the tunnel endpoints, not the device IP addresses that 74 sit behind the tunnel end points.
VPN technologies that use virtual tunnels GRE (appear Layer 2adjacent) DMVPN – Dynamic Mulitpoint VPN Good for hub spoke – communications between spokes without going thru hub Uses multipoint GRE GRE by itself doesn’t encrypt but can use IPsec
75
DMVPN Theory
Requirement: Need to bring up and tear down VPN tunnel between two spokes on an as needed basis. Problem: Hub and spoke doesn’t scale well when interconnecting spokes and full mesh is expensive (Internet or MPLS cloud). Solution: Multipoint GRE (MGRE) makes this possible Single router interface can have multiple GRE tunnels on it. Have MGRE on all branch/spoke routers so they can create GRE tunnel to other routers on as-needed basis One problem – How does a spoke router determine the IP address at the other end of the tunnel, the other spoke router?
76
My tunnel IP is 10.0.0.2 and my physical IP 200.0.113.1
My tunnel IP is 10.0.0.3 and my physical IP is192.51.100.1
Next-Hop Resolution Protocol (NHRP) NHRP is used by the router to determine the IP address of physical interface of other end of the tunnel Similar to DNS…. client-server model Hub is the server and the spokes are the clients Clients (spokes) tell server (hub) their physical IP address that correspond to a specific tunnel interface
77
Checking my NHRP database, 10.0.0.2 is at the physical IP address is 200.0.113.1 “I know the IP address of the end-point tunnel (10.0.0.2) but I don’t know it’s physical interface IP address”
DMVPN with the assistance of NHRP Branch C (spoke) queries HQ (hub) to say it wants to set up a tunnel with another spoke, Branch B Branch C queries HQ asking for Branch B’s physical interface IP address. NHRP receives query and replies Branch C can now create a GRE tunnel with Branch B.
78
Ch. 1 Basic Network and Routing Concepts
Differentiating Routing Protocols Enterprise Network Architecture Routing Protocols Understanding Network Technologies Traffic Types Network Types and Frame Relay Challenges TCP/IP IPv4 and IPv6 Headers TCP MSS Path MTU Discovery TCP BDP TCP Starvation ICMP Redirect Asymmetric Routing
Connecting Remote Locations Static Routing PPP Overview Frame Relay Overview Types of VPNs MPLS Overview Virtual Routing and Forwarding (VRF) and Cisco EVN VPN Overview Tunnels Characteristics of a Secure VPN DMVPN and NHRP Concepts IPv6 Overview GUA Link-local address ICMPv6 ND Implementing RIPng 79
IPv6 Address Types IPv6 Addresses
Unicast
Multicast Assigned FF00::/8
Anycast
Solicited-Node FF02::1:FF00:0000/104
Global Unicast
Link-Local
Loopback
Unspecified
2000::/3 3FFF::/3
FE80::/10 FEBF::/10
::1/128
::/128
Unique Local
Embedded IPv4
FC00::/7 FDFF::/7
::/80
IPv6 does not have a “broadcast” address.
Global Unicast Address Range Global Routing Prefix Subnet ID 001
•
Range: to
2000::/3 3FFF::/3
Interface ID
0010 0000 0000 0000 :: 0011 1111 1111 1111 ::
Global Unicast Address (GUA) • 2000::/3 (2000::/3 to 3FFF::/3) • 1/8th of IPv6 address space IANA’s allocation of IPv6 address space in 1/8th sections
Parts of a Global Unicast Address IPv4 Unicast Address Network portion
/? Subnet portion Host portion 32 bits
IPv6 Global Unicast Address /64 /48 16-bit Fixed Global Routing Prefix Subnet ID
Interface ID
128 bits • •
64-bit Interface ID = 18 quintillion (18,446,744,073,709,551,616) devices/subnet 16-bit Subnet ID = 65,536 subnets
/64 Global Unicast Address and the 3-1-4 Rule /48 16 bits
16 bits
16 bits
/64 16 bits
Global Routing Prefix Subnet ID
3
1
16 bits
16 bits
16 bits
16 bits
Interface ID
4
2001 : 0DB8 : CAFE : 0001 : 0000 : 0000 : 0000 : 0100 3 + 1 = 4 (/64) : 4 2001:0DB8:CAFE:0001:0000:0000:0000:0100/64 2001:0DB8:CAFE:0001::100/64
Static GUA Configuration
2001:DB8:CAFE:1::/64 :100
:100
A B
G0/0 :1 :1 G0/0
2001:DB8:CAFE:3::/64 R1
:1 S0/0/0
2001:DB8:CAFE:2::/64
R1(config)#interface gigabitethernet 0/1 R1(config-if)#ipv6 address 2001:db8:cafe:2::1/64 R1(config-if)#no shutdown R1(config-if)#exit R1(config)#interface serial 0/0/0 R1(config-if)#ipv6 address 2001:db8:cafe:3::1/64 R1(config-if)#no shutdown R1(config-if)#exit
I love the 3-1-4 rule and subnetting IPv6!
Unlike IPv4, IPv6 does not associate the all-zeroes and all-ones Interface-IDs (host portion) to subnet/broadcast – valid IPv6 device addresses.
IPv6 Address Allocation Global Routing Prefix /23 /32
I am getting a /64 at home /48 /56
/64
Subnet Sub ID
Interface ID
*RIR *ISP Prefix *Site Prefix Possible Home Site Prefix Subnet Prefix * This is a minimum allocation. The prefix-length may be less if it can be justified.
PI versus PA Address Space /32 Global Routing Prefix
/48 Subnet ID
Interface ID
Provider Independent (PI) Address Space • Address space that is assigned by the RIR. • Remains assigned to the customer regardless of provider • No prefix renumbering needed if change providers Provider Aggregatable (PA) Address Space • Address space that is typically assigned by an ISP to a customer. • Change provider, must get new address space • Customer must do prefix renumbering (Helpful IETF RFCs)
Link-Local Unicast Range First 10 bits 1111 1110 10xx xxxx
Range: to
Remaining 54 bits
64-bit Interface ID
FE80::/10 1111 1110 1000 0000 :: FEBF::/10 1111 1110 1011 1111 :: Link-local Unicast
• •
Link – Network segment Link-local means, local to that link or network.
Link-Local Unicast Address Link-Local Link-Local Communications Communications
• • • • •
Used to communicate with other devices on the link. Are NOT routable off the link (network). Only have to be unique on the link. Not included in the IPv6 routing table. An IPv6 device must have at least a link-local address.
First 10 bits
Link-Local Unicast Address
1111 1110 10xx xxxx
Remaining 54 bits
64-bit Interface ID
FE80::Interface ID Link-local addresses are created • Automatically : • FE80 (usually) – First 10 bits • Interface ID • EUI-64 (Cisco routers) • Random 64 bits (many host operating systems) • Static (manual) configuration
Automatic Link-Local Address using EUI-64
G0/0 G0/1
S0/0/0 R1
R1# show interface gigabitethernet 0/0 GigabitEthernet0/0 is up, line protocol is up Hardware is CN Gigabit Ethernet, address is fc99.4775.c3e0 (bia fc99.4775.c3e0)