
CIS 185 CCNP ROUTE

Chapter 1: Basic Network and Routing Concepts
Rick Graziani
Cabrillo College
graziani@cabrillo.edu
Spring 2015

Ch. 1 Basic Network and Routing Concepts

Differentiating Routing Protocols
Enterprise Network Architecture
Routing Protocols
Understanding Network Technologies
Traffic Types
Network Types and Frame Relay Challenges
TCP/IP
IPv4 and IPv6 Headers
TCP MSS
Path MTU Discovery
TCP BDP
TCP Starvation
ICMP Redirect
Asymmetric Routing

Connecting Remote Locations
Static Routing
PPP Overview
Frame Relay Overview
Types of VPNs
MPLS Overview
Virtual Routing and Forwarding (VRF) and Cisco EVN
VPN Overview
Tunnels
Characteristics of a Secure VPN
DMVPN and NHRP Concepts
IPv6 Overview
GUA
Link-local address
ICMPv6 ND
Implementing RIPng

Enterprise Network Infrastructure
At a high level, a typical enterprise network can be divided into two major areas:
Enterprise Campus
Enterprise Edge

Enterprise Network Infrastructure

Enterprise Campus:
Provides access to the network communications services and resources to end users and devices.
Usually scalable hierarchical model
Access layer
Distribution layer
Core layer

Enterprise Network Infrastructure

Enterprise Edge:
Provides:
Access to the Internet
Access to the same network services as users at the main site.

Role of Dynamic Routing Protocols
Routing protocols provide:
Network reachability between routers
Dynamically adapt to network changes

Best practice is to use one IP routing protocol (IGP) throughout the enterprise.
OSPF or EIGRP
Multiple routing protocols (IGP and BGP) are used when the organization is multihomed to two or more ISPs for Internet connectivity.
BGP with ISP

Choosing a Dynamic Routing Protocol


Input (network) requirements
Size of the network (scalability)
Vendor interoperability
Familiarity
What's currently being used
Protocol characteristics:
IGP or EGP
Type of routing algorithm
Speed of convergence
Scalability
Summarization

IGP versus EGP


Interior Gateway Protocols (IGP): These are used within the organization, and they exchange the routes within an AS.
RIP
EIGRP
OSPF
IS-IS
Exterior Gateway Protocols (EGP): Used to exchange routes between different ASs.
BGP is the only EGP that is used today.

Types of Routing Protocols

        Interior Gateway Protocols                              Exterior Gateway Protocols
        Distance Vector           Link State                    Path Vector
IPv4    RIPv2, EIGRP              OSPFv2, IS-IS                 BGP-4
IPv6    RIPng, EIGRP for IPv6     OSPFv3 *, IS-IS for IPv6      BGP-4 for IPv6 or MP-BGP

* OSPFv3 supports routing both IPv4 and IPv6.

Distance Vector Routing Protocols


What does a street sign like this tell you?
How far (distance)
Which way (direction)
Distance vector
Routes are advertised as vectors of
distance and direction.
Distance is defined in terms of a metric
Such as hop count
Direction is simply the:
Next-hop router or
Exit interface
Typically use the Bellman-Ford algorithm for
the best-path (shortest) route determination


Link-State Protocols
A link-state routing protocol can create a complete view, or topology, of the network.
Link-state protocols are associated with Shortest Path First (SPF) calculations.
A link-state router uses the link-state information to:
Create a topology map
Select the best path to all destination networks in the topology.
Each router makes the decision!

A link-state routing protocol is like having a complete map of the network topology.

Path vector protocols

Path vector protocols:
Exchange information about:
The existence of destination networks
The path on how to reach the destination
Path information is used to determine the best paths and to prevent routing loops.

Convergence
Convergence is when a network has complete and accurate information about the entire network
Convergence time is how fast network devices can reach the state of convergence after a topology change.
Convergence time affected by:
Routing protocol timers
Route summarization

Route Protocol Scalability


Scalability describes the ability of a routing protocol to support further network growth.
Scalability factors include:
Number of routes
Number of adjacent neighbors
Number of routers in the network
Addressing scheme
Network design
Frequency of changes
Available resources (CPU and memory)
Hierarchical addressing, structured address assignment, and route summarization improve the overall scalability regardless of routing protocol type.


IP Source and Destination Addresses

IP Source: Always a unicast
IP Destination: Unicast, multicast, anycast (or broadcast for IPv4).

[Figure: IPv4 and IPv6 headers]

Traffic Types
Destination IP address: A device can send traffic to one
recipient, to selected recipients, or to all devices within a
subnet at the same time.
Routing protocols use different traffic types to control how
routing information is exchanged.
Unicast: Unicast addresses are used in a one-to-one context.
Multicast: Multicast addresses identify a group of interfaces.
Traffic that is sent to a multicast address is sent to multiple
destinations at the same time.
Anycast: It is assigned to an interface on more than one node.
When a packet is sent to an anycast address, it is routed to
the nearest interface that has this address.
Broadcast: IPv4 broadcast addresses are used when sending
traffic to all devices in the subnet.

Well-known IPv4 and IPv6 multicast addresses used by routers

Notice the relationship between IPv4 and IPv6 multicast addresses.

Network Types
Three general network types:
Point-to-point network: A network that connects a single
pair of routers. (Serial)
Broadcast network: A network that can connect many
routers along with the capability to address a single
message to all of the attached routers. (Ethernet)
NBMA network: A network that has single access to
multiple networks but no broadcast capability.
Sender needs to create an individual copy of the same
packet for each recipient.
NBMA networks introduce several challenges.
(Frame Relay and ATM)
Not all Layer 2 network topologies support all traffic types.


Frame Relay Point-to-Point


Physical interface: Same Network

One connection to
provider
Alternative: Separate
leased lines for each
point-to-point
connection

Sub-interface: Sub-interface for each separate network


Point-to-point subinterfaces are logical interfaces:
Emulate a leased line network
Provide a routing equivalent to point-to-point physical interfaces
As with physical point-to-point interfaces, each interface requires its own subnet.
Frame Relay point-to-point is applicable to hub and spoke topologies.

Nonbroadcast Multiple-Access Networks

NBMA networks introduce several challenges.


Distance vector (RIP and EIGRP): Split horizon
Link-state (OSPF): DR (Designated Router)

Split horizon:
Prevents a routing update that is received on an interface from being
forwarded out of the same interface.
Hub router will not forward a routing update learned from one spoke router to other spoke routers.
Solution: Disable split horizon or use subinterfaces

DR

Designated Router:
OSPF over NBMA networks works in a nonbroadcast network mode by default
The hub router will not forward broadcasts/multicasts received by one spoke to other spokes.
By default, OSPF treats an NBMA network like Ethernet.
Requires a DR to exchange routing information between all routers on a segment.
Solution: Configure the hub router to act as the DR because it is the only router that has PVCs with all other routers.

Replicated Broadcasts

Broadcast replication:
The router must replicate broadcast (and multicast) packets, such as
routing update broadcasts, on each PVC to the remote routers.
This consumes bandwidth and causes significant latency variations in user traffic.


From: 2.1: Comparing the IPv4 and IPv6 Headers
IPv6 Fundamentals LiveLessons: A Straightforward Approach to Understanding IPv6

By Rick Graziani

ISBN-10: 1-58720-457-6

The following slides are from my IPv6 LiveLessons video series.


Check out my IPv6 Resource Page for more information including
PowerPoint presentations, videos and links
http://www.cabrillo.edu/~rgraziani/ipv6.html

Let's Begin with Looking at IP Headers

Understanding IPv6 begins with the IPv6 header.
IPv6 takes advantage of 64-bit CPUs.
Several differences between IPv4 and IPv6 headers.
Simpler IPv6 header.
Fixed 40 byte IPv6 header.
Let's look at the differences

[Figure: IPv4 and IPv6 headers side by side, similar fields marked; 64-bit memory word]

IPv6 Version

IPv4 Version contains 4.
IPv6 Version contains 6.
Version 5?
Internet Stream Protocol (ST2)

[Figure: IPv4 and IPv6 headers]

IPv4 Internet Header Length

IPv4 Internet Header Length (IHL)
Length of IPv4 header in 32-bit words including any Options or Padding.
IHL for IPv6 is not needed.
IPv6 header is fixed at 40 bytes.

[Figure: IPv6 header drawn as 5 x 8 bytes = 40 bytes; IPv4 header words numbered 1 to 5, then ?]

IPv6 Traffic Class

IPv4 Type of Service
IPv6 Traffic Class
Not mandated by any IPv6 RFCs.
Same functionality as IPv4.
Uses same Differentiated Services technique (RFC 2474) as IPv4.

[Figure: IPv4 and IPv6 headers; field layout: IP Precedence, Unused, DiffServ Code Point (DSCP), IP ECN]

IPv6 Flow Label

New field in IPv6, not part of IPv4.
Flow label is used to identify the packets in a common stream or flow.
Traffic from source to destination shares a common flow label.
RFC 6437: IPv6 Flow Label Specification

[Figure: IPv4 and IPv6 headers]

IPv6 Payload Length

IPv4 Total Length: Number of bytes of the IPv4 header (options) + data.
IPv6 Payload Length: Number of bytes of the payload.
Does not include the main IPv6 header.
Includes extension headers + data

[Figure: IPv4 packet = IPv4 Header + Data (Payload); IPv6 packet = IPv6 Header + Payload, where Payload = IPv6 Extension Header (Optional) + Data]

IPv4 Fragmentation

IPv4 fields used for fragmentation and reassembly.
Intermediate devices such as IPv6 routers do not perform fragmentation.
Any fragmentation needed will be handled by the source using an extension header.

[Figure: IPv4 and IPv6 headers]

IPv4 Fragmentation

[Figure: PCA (Source) sends an IPv4 packet through R1, R2 and R3 to PCB (Destination) across a link with a smaller MTU. Callouts: "MTU of outgoing link smaller than packet size, fragment IPv4 packet." and "It is my job to reassemble the packet fragments."]
IPv6 No Fragmentation

[Figure: PCA (Source) sends an IPv6 packet through R1, R2 and R3 to PCB (Destination); link MTUs are 1500 except one link with MTU = 1350. Callouts: "I will use MTU of the interface."; "MTU of outgoing link smaller than packet size. Drop packet. Send ICMPv6 Packet Too Big message, use MTU 1350."; "Packet received. No reassembly required." Messages shown: IPv6 Packet MTU 1500; ICMPv6 Packet Too Big, Use MTU 1350; IPv6 Packet MTU 1350]

IPv6 Next Header

IPv4 Protocol
IPv6 Next Header
For both protocols, the field indicates the
type of header following the IP header.

Common values:

6 = TCP
17 = UDP
58 = ICMPv6
88 = EIGRP
89 = OSPF

[Figure: IPv4 and IPv6 headers; IPv6 Header (Next Header) followed by Data (Protocol: TCP, UDP, ICMPv6, etc.)]

IPv6 Hop Limit

IPv4 TTL (Time to Live)
IPv6 Hop Limit
Renamed to more accurately reflect process.
Set by source, every router in path decrements hop limit by 1.
When 0, drop packet.

[Figure: IPv4 and IPv6 headers]

IPv6 Source and Destination Addresses

IPv6 Source and Destination addresses have the same basic functionality as IPv4.
IPv4: 32-bit addresses.
IPv6: 128-bit addresses.
Some significant changes in IPv6.

[Figure: IPv4 and IPv6 headers]

IPv4 Header Checksum

IPv4 Header Checksum
Not used in IPv6.
Upper-layer protocols generally have a checksum (UDP and TCP).
So, in IPv4 the UDP checksum is optional.
Because it's not in IPv6, the UDP checksum is now mandatory.

[Figure: IPv4 and IPv6 headers]

IPv4 Options and Padding

IPv4 Options and Padding
Not used in IPv6.
Variable length, optional.
IPv4 Options are handled using extension headers in IPv6.
Padding makes sure IPv4 options fall on a 32-bit boundary.
IPv6 header is fixed at 40 bytes.

[Figure: IPv4 and IPv6 headers; IPv6 header = 40 bytes]

IPv6 Extension Header

Next Header identifies:
The protocol carried in the data portion of the packet.
The presence of an extension header.
Extension headers are optional and follow the main IPv6 header.
Provide flexibility and features to the main IPv6 header for future enhancements without having to redesign the entire protocol.
Allows the main IPv6 header to have a fixed size for more efficient processing.

[Figure: IPv6 Main Header (Next Header) -> Extension Header (Next Header) -> Data (Protocol: TCP, UDP, ICMPv6, etc.)]

IPv6 Extension Header

Next Header Value (Decimal) | Extension Header Name | Extension Header Description
0 | Hop-by-Hop Options | Used to carry optional information, which must be examined by every router along the path of the packet.
43 | Routing | Allows the source of the packet to specify the path to the destination.
44 | Fragment | Used to fragment IPv6 packets.
50 | Encapsulating Security Payload (ESP) | Used to provide authentication, integrity, and encryption.
51 | Authentication Header (AH) | Used to provide authentication and integrity.
60 | Destination Options | Used to carry optional information that only needs to be examined by a packet's destination node(s).

[Figure: IPv6 Main Header (Next Header) -> Hop-by-Hop Extension Header (Next Header 51) -> AH Extension Header (Next Header) -> TCP Header -> Data]
MSS and Avoiding Fragmentation

TCP MSS (Maximum Segment Size) defines the largest amount of data that the receiving device is able to accept in a single TCP segment.
To avoid fragmentation of an IPv4 packet, the TCP MSS is selected from the minimum buffer size and the MTU of the outgoing interface, minus 40 bytes.
The 40 bytes take into account the 20-byte IPv4 header and the 20-byte TCP header.
A TCP segment over IPv4 sent out an Ethernet interface will have a TCP MSS of 1460, which is 1500 bytes for the Ethernet MTU, minus 20 bytes for the IPv4 header, and minus 20 bytes for the TCP header.

Path MTU Discovery (PMTUD)

Used to determine the lowest MTU along a path

1. IPv4 host uses full TCP MSS determined by the outgoing interface
2. Sets the TCP DF (Don't Fragment) bit
3. If an IPv4 router along the path needs to fragment the packet because of a lower MTU link on the egress interface:
a. Drops the packet due to the DF bit being set
b. Sends an ICMP Destination Unreachable message back to the originator of the packet with egress interface MTU.
The PMTUD operations for IPv6 are similar to that of PMTUD for IPv4.
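The PMTUD steps above as a small simulation, added here as an example (not from the original slides). The path MTUs and function names are constructed; the icmp_delivered switch goes beyond the slide to show what the sender sees when the ICMP error is filtered before it gets back.

```python
IPV4_HEADER = 20   # bytes, no options
IPV6_HEADER = 40   # fixed main header
TCP_HEADER = 20    # bytes, no options


def tcp_mss(mtu: int, ip_version: int = 4) -> int:
    """MSS that fits one unfragmented packet: MTU minus the IP and TCP headers."""
    ip_header = IPV4_HEADER if ip_version == 4 else IPV6_HEADER
    return mtu - ip_header - TCP_HEADER


def discover_path_mtu(link_mtus, icmp_delivered=True):
    """Simulate PMTUD along a path.

    link_mtus[0] is the sender's outgoing interface MTU; each later entry is
    the egress-link MTU of the next router. Returns (path_mtu, events);
    path_mtu is None when the sender never learns the smaller MTU.
    """
    size = link_mtus[0]            # step 1: start from the interface MTU
    events = []
    while True:
        # Step 3: the first router whose egress MTU is too small drops the packet.
        blocker = next(((hop, mtu) for hop, mtu in enumerate(link_mtus[1:], 1)
                        if mtu < size), None)
        if blocker is None:
            events.append(("delivered", size))
            return size, events
        hop, mtu = blocker
        events.append(("dropped at router %d, egress MTU %d" % (hop, mtu), size))
        if not icmp_delivered:
            # The error message never reaches the sender, so it keeps
            # retransmitting at the same size and the transfer stalls.
            return None, events
        size = mtu                 # sender lowers its packet size and retries


if __name__ == "__main__":
    path = [1500, 1500, 1350, 1500]          # constructed path, as in the IPv6 figure
    pmtu, events = discover_path_mtu(path)
    for event in events:
        print(event)
    print("path MTU", pmtu, "IPv4 MSS", tcp_mss(pmtu), "IPv6 MSS", tcp_mss(pmtu, 6))
    print(discover_path_mtu(path, icmp_delivered=False))
```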

Bandwidth Delay Product (BDP)

[Figure: a 100 Mbps pipe and a 1 Gbps pipe; callout: "More data is required to keep this pipe full of data"]

Long Fat Network (or long fat pipe), LFN ("elephan(t)"): Network paths with high bandwidth and long round-trip delays.
TCP can experience bottlenecks on LFNs (less than optimal use of these paths)
Because of the increased bandwidth and the distance, we need to send more data to keep the pipe full.
Increased bandwidth: We can send more data
Increased distance: Takes longer to send the data and get TCP ACKs

BDP is used to optimize the TCP window size to fully utilize the link.
BDP = Bandwidth (bps) * RTT in seconds
The TCP window size (amount of data that can be sent before requiring an ACK) should then use the BDP.
The result is the maximum amount of data that can be transmitted on the link at any given time.
http://www.speedguide.net/bdp.php

TCP Starvation

[Figure: UDP and TCP traffic sharing a link; wasted bandwidth]

Not always possible to separate TCP and UDP-based flows; important to be aware of this behavior when mixing applications using both UDP and TCP.

Combination of TCP and UDP flows during a period of congestion:
TCP backs off on bandwidth (window size), known as slow start
Then begins to increase window size
All devices begin to have the same experience and synchronization happens.
UDP has no flow control mechanisms and continues
UDP has the potential of using up the available bandwidth given up by TCP.
This is known as TCP starvation/UDP dominance.

WRED

Global or TCP synchronization: TCP slow start; when all of our connections do this together, the router's ingress queue fills and drops new packets
Solution: RED or WRED, drops some packets sooner (minimum and max thresholds)
Only a few TCP flows have to go into TCP slow start and not everyone
Good of the many outweighs the good of the few or one
Different thresholds for different priorities, so higher-priority packets are less likely to be dropped; a lower-priority packet will be dropped first.

ICMP Redirect

[Figure: ICMP Redirect scenarios with R1, R2, PCA, PCB, Network X, IPv6 Network A and IPv6 Network B]

Similar functionality as ICMPv4.
Like IPv4, a router informs an originating host of the IP address of a router that is on the local link and is closer to the destination.
Unlike IPv4, a router informs an originating host that the destination host (on a different prefix/network) is on the same link as itself.

Asymmetric Routing

Asymmetric routing: A packet traverses from a source to a destination in one path and takes a different path when it returns to the source.
This is commonly seen in Layer-3 routed networks.
Not necessarily a bad thing: Internet and BGP.

1 - 3: DSW1 (Active HSRP router) is default gateway for PC1
4 - 5: CSW1 load balances, sending return traffic to DSW2 (not a bad thing)
6: DSW2 ARP table (4 hour default) has entry for PC1 10.1.1.100
7: But there is no entry in its MAC table (times out 5 min)
Both access layer switches are on the same VLAN (not a best practice).
8: So, DSW2 floods frames out all ports on that VLAN (unicast flooding)
Because DSW2 never sees traffic sourced from PC1 (10.1.1.100) it never updates its MAC address table and unicast flooding always occurs.

[Figure: DSW2 ARP cache holds 10.1.1.100 > MAC address; DSW2 MAC address table has no entry, so frames are flooded]

Solutions:
1. Change ARP timer (4 hours IOS) to be less than MAC Address Table (5 minutes) timer
DSW2 would need to send an ARP request for 10.1.1.100
PC1 would send ARP Reply
ARP Reply is in an Ethernet frame, so DSW2 can now add PC1's MAC address to its MAC address table
DSW2 will now send packets for 10.1.1.100 only out the one port
2. Do not span a VLAN across multiple access layer switches

[Figure: DSW2 ARP cache holds 10.1.1.100 > MAC address; MAC address table entry changes from no entry to PC1 MAC = Port]


Principles of Static Routing

[Figure: R1 (G0/0 :1 on 2001:DB8:CAFE:1::/64) and R2 joined by 2001:DB8:CAFE:2::/64 (R1 S0/0/0 :1, R2 S0/0/0 :2); static route on R2; other networks shown: 2001:DB8:FEED:1::/64 through 2001:DB8:FEED:5::/64]

Please read on your own

R2(config)# ipv6 route 2001:db8:cafe:1::/64 2001:db8:cafe:2::1


A static route can be used in the following circumstances:
Undesirable to have dynamic routing updates forwarded across slow bandwidth links.
Administrator needs total control over the routes used by the router.
Floating static route: Backup to a dynamically recognized route is necessary.
Necessary to reach a network accessible by only one path (a stub network).
Router connects to a single ISP and needs to have only a default route pointing
toward the ISP router, rather than learning many routes from the ISP.
Router is underpowered and does not have the CPU or memory resources necessary
to handle a dynamic routing protocol.

Basic PPP Overview

R1# configure terminal
R1(config)# interface serial 0/0/0
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# encapsulation ppp

HDLC is the default serial encapsulation method when connecting two Cisco routers.
PPP has several advantages over its predecessor HDLC including authentication.

Basic Frame Relay Overview

R1# configure terminal
R1(config)# interface serial 0/0/0
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# encapsulation frame-relay

Split horizon is disabled by default on Frame Relay physical interfaces.
Various Frame Relay configurations are discussed in later chapters.

Using VPNs

What kind of connection?


Traditionally leased lines or frame relay.
Takes time to provision
VPNs
Easy to provision
Used over different technologies
DSL, cable, DS/gig circuits
Can provide security


Types of VPNs

Types of VPNs used for remote access:
MPLS-based VPN
Tunnel-based VPN (sometimes referred to as IPsec VPNs, but doesn't have to be IPsec)
Hybrid VPN (combination)
Focus on VPN tunnels

MPLS overview

MPLS (Multi-protocol label switching) is a switching mechanism.
A 32 bit header (label) is inserted by the provider (PE) router.
Packets are switched through the MPLS network.
The label is removed by the PE at the other end of the MPLS network.
To the customer, it looks like a Layer 2 or Layer 3 connection.

Cisco EVN (Easy Virtual Network)

Pure IP alternative to MPLS is VRFs
Virtual Routing and Forwarding (VRF) is a technology that allows the device to have multiple but separate instances of routing tables exist and work simultaneously.
VRF-Lite makes it easier
EVN (Easy Virtual Network) is easier and more scalable
More in Chapter 8 including a cool simple lab!


VPN Overview

VPNs enable the exchange of information over a public (or private) network as if remote hosts were connected to the same private network.
Similar to leased lines.
The majority of VPN technologies also support routing protocols.
VPNs use tunnels.

Tunnels

Tunnels encapsulate a protocol inside another protocol


Example: Encapsulating an IP packet inside another IP packet
Why? Perhaps to hide/protect/encrypt the inner packet.
Tunnels are created using either:
IPsec
Generic Routing Encapsulation (GRE) - Cisco
Point to Point Tunneling Protocol (PPTP) - Microsoft
Layer 2 Tunnel Protocol (L2TP)
Layer 2 Forwarding (L2F) Protocol - Cisco

GRE tunnel: Can appear to be Layer 2 (switch in the middle) or Layer 3 adjacent (router in the middle)
Packets are sent out the logical tunnel interface instead of the physical interface
Encapsulates almost anything including multicast (for routing protocols) but no security
Need IPsec for security
Why not use IPsec only?
IPsec is unicast only

Demo: Configuring a GRE Tunnel


Characteristics of a Secure VPN


Authentication
Ensures that a message:
Comes from an authentic source and
Goes to an authentic destination
Data confidentiality
Protecting data from eavesdroppers (encryption)
Aims at protecting the message contents from
being intercepted by unauthenticated or
unauthorized sources.
Data integrity
Across the Internet, there is always the possibility
that the data has been modified.
Antireplay protection:
Antireplay protection verifies that each packet is
unique and not duplicated.


VPN Security
provided by IPsec
IPsec
IP unicast only
IPsec with GRE
IP multicast
dynamic IGP routing protocols
non-IP protocols
IPsec has two encryption modes:
Tunnel mode
Transport mode

Securing the information with IPsec (IP Security)

IPsec is best thought of as a set of features that protects IP data as it travels from one location to another.
IPsec can protect only the IP layer and up (transport layer and user data).
IPsec cannot extend its services to the data link layer.
If protection of the data link layer is needed, then some form of link encryption is needed.
Often, the use of encryption is assumed to be a requirement of IPsec.
In reality, encryption, or data confidentiality, is an optional (although heavily implemented) feature of IPsec.

IPsec
Internet Key Exchange (IKE) is a framework for:
negotiation and exchange of security parameters and authentication keys
Authentication Header (AH) provides the framework for:
data integrity
data origin authentication
optional anti-replay features of IPsec
Encapsulating Security Payload (ESP) provides the framework for:
data confidentiality
data integrity
data origin authentication
optional anti-replay features of IPsec
ESP will do everything and more; don't need to use both.
ESP is the only IPsec protocol that provides data encryption.
The following encryption methods are available to IPsec ESP:
Data Encryption Standard (DES)
Triple Data Encryption Standard (3DES)
Advanced Encryption Standard (AES)

VPN Security: Encapsulation

Three different protocols that tunneling uses:


Carrier protocol:
The protocol the information is traveling over.
Frame Relay, PPP, ATM, etc.
Encapsulating protocol:
The protocol that is wrapped around the original data.
GRE, IPsec, L2F, PPTP, L2TP
Not all protocols offer the same level of security.
Passenger protocol:
The original data (IPv4, IPv6).

[Figure: transport mode between two hosts (Host IP to Host IP)]

Transport mode:
When IPsec headers are simply inserted in an IP packet (after the IP header), the original IP header is exposed and unprotected.
Data at the transport layer and higher layers benefits from the implemented IPsec features.
Transport mode protects the transport layer and up.

[Figure: tunnel mode between two routers (Router IP to Router IP)]

Tunnel mode:
The actual IP addresses of the original IP header, along with all the data within the packet, are protected.
Tunnel mode creates a new external IP header that contains the IP addresses of the tunnel endpoints (such as routers or VPN Concentrators).
The exposed IP addresses are the tunnel endpoints, not the device IP addresses that sit behind the tunnel end points.

VPN technologies that use virtual tunnels

GRE (appear Layer 2 adjacent)
DMVPN: Dynamic Multipoint VPN
Good for hub-and-spoke communications between spokes without going through the hub
Uses multipoint GRE
GRE by itself doesn't encrypt but can use IPsec

DMVPN Theory

Requirement: Need to bring up and tear down a VPN tunnel between two spokes on an as-needed basis.
Problem: Hub and spoke doesn't scale well when interconnecting spokes, and full mesh is expensive (Internet or MPLS cloud).
Solution: Multipoint GRE (MGRE) makes this possible
Single router interface can have multiple GRE tunnels on it.
Have MGRE on all branch/spoke routers so they can create a GRE tunnel to other routers on an as-needed basis
One problem: How does a spoke router determine the IP address at the other end of the tunnel, the other spoke router?

[Figure callouts: "My tunnel IP is 10.0.0.2 and my physical IP is 200.0.113.1" and "My tunnel IP is 10.0.0.3 and my physical IP is 192.51.100.1"]

Next-Hop Resolution Protocol (NHRP)

NHRP is used by the router to determine the IP address of the physical interface at the other end of the tunnel
Similar to DNS: client-server model
Hub is the server and the spokes are the clients
Clients (spokes) tell the server (hub) their physical IP address that corresponds to a specific tunnel interface

[Figure callouts: "Checking my NHRP database, 10.0.0.2 is at the physical IP address 200.0.113.1" and "I know the IP address of the end-point tunnel (10.0.0.2) but I don't know its physical interface IP address"]

DMVPN with the assistance of NHRP


Branch C (spoke) queries HQ (hub) to say it wants to set up a tunnel with another spoke, Branch B
Branch C queries HQ asking for Branch B's physical interface IP address.
NHRP receives the query and replies
Branch C can now create a GRE tunnel with Branch B.


IPv6 Address Types

IPv6 Addresses
  Unicast
    Global Unicast: 2000::/3 to 3FFF::/3
    Link-Local: FE80::/10 to FEBF::/10
    Loopback: ::1/128
    Unspecified: ::/128
    Unique Local: FC00::/7 to FDFF::/7
    Embedded IPv4: ::/80
  Multicast
    Assigned: FF00::/8
    Solicited-Node: FF02::1:FF00:0000/104
  Anycast

IPv6 does not have a broadcast address.

Global Unicast Address Range

Fields: 001 + Global Routing Prefix | Subnet ID | Interface ID

Range:
2000::/3    0010 0000 0000 0000 ::
to
3FFF::/3    0011 1111 1111 1111 ::

Global Unicast Address (GUA)
2000::/3 (2000::/3 to 3FFF::/3)
1/8th of IPv6 address space
IANA's allocation of IPv6 address space in 1/8th sections

Parts of a Global Unicast Address

IPv4 Unicast Address (32 bits):
Network portion | Subnet portion | Host portion (prefix length /?)

IPv6 Global Unicast Address (128 bits):
Global Routing Prefix (up to /48) | 16-bit Fixed Subnet ID (up to /64) | Interface ID

64-bit Interface ID = 18 quintillion (18,446,744,073,709,551,616) devices/subnet
16-bit Subnet ID = 65,536 subnets

/64 Global Unicast Address and the 3-1-4 Rule

Global Routing Prefix: 3 x 16 bits (/48) | Subnet ID: 1 x 16 bits (/64) | Interface ID: 4 x 16 bits

2001 : 0DB8 : CAFE : 0001 : 0000 : 0000 : 0000 : 0100

3 + 1 = 4 (/64) : 4
2001:0DB8:CAFE:0001:0000:0000:0000:0100/64
2001:0DB8:CAFE:0001::100/64

Static GUA Configuration

[Figure: R1 with address :1 on each interface (G0/0, S0/0/0); networks 2001:DB8:CAFE:1::/64, 2001:DB8:CAFE:2::/64 and 2001:DB8:CAFE:3::/64; hosts A and B at :100]

R1(config)#interface gigabitethernet 0/1
R1(config-if)#ipv6 address 2001:db8:cafe:2::1/64
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ipv6 address 2001:db8:cafe:3::1/64
R1(config-if)#no shutdown
R1(config-if)#exit

[Figure callout: "I love the 3-1-4 rule and subnetting IPv6!"]

Unlike IPv4, IPv6 does not associate the all-zeroes and all-ones Interface IDs (host portion) to subnet/broadcast; they are valid IPv6 device addresses.

IPv6 Address Allocation

Global Routing Prefix | Subnet ID | Interface ID

/23   *RIR
/32   *ISP Prefix
/48   *Site Prefix
/56   Possible Home Site Prefix
/64   Subnet Prefix

* This is a minimum allocation. The prefix-length may be less if it can be justified.

I am getting a /64 at home

PI versus PA Address Space

Global Routing Prefix (/32 and /48 marked) | Subnet ID | Interface ID

Provider Independent (PI) Address Space
  Address space that is assigned by the RIR.
  Remains assigned to the customer regardless of provider.
  No prefix renumbering needed when changing providers.
Provider Aggregatable (PA) Address Space
  Address space that is typically assigned by an ISP to a customer.
  Change provider, must get new address space.
  Customer must do prefix renumbering (Helpful IETF RFCs).

Link-Local Unicast Range

First 10 bits: 1111 1110 10xx xxxx | Remaining 54 bits | 64-bit Interface ID

Range:
FE80::/10   1111 1110 1000 0000 ::
to
FEBF::/10   1111 1110 1011 1111 ::

Link-local Unicast

Link: network segment
Link-local means local to that link or network.

Link-Local Unicast Address

Link-Local Communications

Used to communicate with other devices on the link.
Are NOT routable off the link (network).
Only have to be unique on the link.
Not included in the IPv6 routing table.
An IPv6 device must have at least a link-local address.

Link-Local Unicast Address

First 10 bits: 1111 1110 10xx xxxx | Remaining 54 bits | 64-bit Interface ID

FE80::Interface ID
Link-local addresses are created:
  Automatically:
    FE80 (usually): first 10 bits
    Interface ID
      EUI-64 (Cisco routers)
      Random 64 bits (many host operating systems)
  Static (manual) configuration

Automatic Link-Local Address using EUI-64

[Topology: R1 with interfaces G0/0, G0/1 and S0/0/0]

R1# show interface gigabitethernet 0/0
GigabitEthernet0/0 is up, line protocol is up
  Hardware is CN Gigabit Ethernet, address is fc99.4775.c3e0 (bia fc99.4775.c3e0)
<Output Omitted>

Link-local address: FE80:: followed by the 64-bit Interface ID

A 64-bit Interface ID is created with EUI-64 using:
  48-bit MAC address
  Inserting 16 bits: FF-FE
  Flipping the U/L (Universal/Local) bit
Modified EUI-64 Format (Extended Unique Identifier-64)

MAC address:       OUI (24 bits) FC 99 47 | Device Identifier (24 bits) 75 C3 E0
Insert FF-FE:      FC 99 47 FF FE 75 C3 E0
U/L bit flipped:   FE 99 47 FF FE 75 C3 E0   (FC = 1111 1100 becomes FE = 1111 1110)

Verifying the Router's Link-Local Address

[Topology: R1 with interfaces G0/0, G0/1 and S0/0/0]

R1# show interface gigabitethernet 0/0
GigabitEthernet0/0 is up, line protocol is up
  Hardware is CN Gigabit Ethernet, address is fc99.4775.c3e0 (bia fc99.4775.c3e0)
<Output Omitted>
R1#show ipv6 interface brief
GigabitEthernet0/0     [up/up]
    FE80::FE99:47FF:FE75:C3E0
    2001:DB8:CAFE:1::1
GigabitEthernet0/1     [up/up]
    FE80::FE99:47FF:FE75:C3E1
    2001:DB8:CAFE:2::1
Serial0/0/0            [up/up]
    FE80::FE99:47FF:FE75:C3E0
    2001:DB8:CAFE:3::1
R1#

EUI-64
FF:FE = EUI-64 (most likely)
Serial interfaces will use a MAC address of an Ethernet interface.

Wait! Two Link-locals are the same!
Link-local addresses only have to be unique on the link.
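
Added example (not part of the original slides): the EUI-64 steps above in Python, deriving the link-local address from the MAC address shown for G0/0 and, in the other direction, recovering the MAC address that an FF:FE Interface ID exposes. The function names are illustrative; the sample values are the ones in the router output on this page.

```python
import ipaddress


def mac_to_bytes(mac):
    """Parse fc99.4775.c3e0, fc:99:47:75:c3:e0 or fc-99-47-75-c3-e0."""
    digits = "".join(c for c in mac if c not in ".:-")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac):
    """48-bit MAC -> 64-bit Interface ID (modified EUI-64)."""
    m = mac_to_bytes(mac)
    first = m[0] ^ 0x02                                   # flip the U/L bit (FC -> FE)
    return bytes([first]) + m[1:3] + b"\xff\xfe" + m[3:]  # insert FF-FE in the middle


def link_local_from_mac(mac):
    """FE80::/64 followed by the EUI-64 Interface ID."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + eui64_interface_id(mac))


def mac_from_eui64(addr):
    """Return the MAC embedded in an address, or None when the Interface ID
    has no FF-FE marker (random or static Interface ID). A random ID can
    contain FF-FE by chance, so a match means "most likely EUI-64"."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]     # undo the flip, drop FF-FE
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    # Values taken from the router output on this page.
    print(link_local_from_mac("fc99.4775.c3e0"))          # G0/0 burned-in address
    for addr in ("FE80::FE99:47FF:FE75:C3E0", "FE80::A8BB:CCFF:FE00:130", "FE80::1"):
        print(addr, "->", mac_from_eui64(addr))
```

Because the Interface ID carries the MAC address, an inventory or log-review script can tie an EUI-64 link-local next hop back to a specific interface; static (FE80::1) and random Interface IDs return None.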

Static Link-Local Addresses

Static addresses are more easily remembered and recognizable.

[Topology: R1 with FE80::1 on G0/0, G0/1 and S0/0/0]

R1(config)#interface gigabitethernet 0/0
R1(config-if)#ipv6 address fe80::1 ?
  link-local  Use link-local address
R1(config-if)#ipv6 address fe80::1 link-local
R1(config-if)#exit
R1(config)#interface gigabitethernet 0/1
R1(config-if)#ipv6 address fe80::1 link-local
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ipv6 address fe80::1 link-local
R1(config-if)#

Link-Local Addresses only have to be unique on the link!

Unicast Addresses

Loopback Address
::1/128
Used by a node to send an IPv6 packet to itself, typically when testing the
TCP/IP stack.
Same functionality as IPv4 loopback 127.0.0.1
Not routable.
Unspecified Address
:: (all-0s)
Indicates the absence or anonymity of an IPv6 address (RA source address)

Unicast Addresses
Note: Site local addresses (FEC0::/10) have been deprecated.

Unique Local Address

FC00::/7 (FC00::/7 to FDFF::/7)
Similar to RFC 1918 IPv4 addresses, but not meant to be translated to a global unicast address (for security purposes)
IETF does not support the concept of translating a private IPv6 address to a public IPv6 address... but there are exceptions
Should not be routable in the global Internet.
To be used in a more limited area such as within a site or devices inaccessible from the global Internet.
FC00::/7 1111 110x (x = local flag bit)
  FC00::/8 (x = 0) - /48 prefix assigned using RFC 4193 algorithm (dormant)
  FD00::/8 (x = 1) - /48 prefix locally assigned.

ICMPv6 and ICMPv6-ND

Internet Control Message Protocol for IPv6

ICMPv6 is defined in RFC 4443.
ICMPv6 Neighbor Discovery is described in RFC 4861.
Much more robust than ICMP for IPv4.
Contains new functionality and improvements.
More than just messaging but how IPv6 conducts business.

All ICMPv6 messages: IPv6 Main Header (Next Header = 58) | ICMPv6 Header | Data

ICMPv6 Neighbor Discovery Protocol

ICMPv6 Neighbor Discovery defines 5 different packet types:

Router-Device Messaging
  Router Solicitation Message
  Router Advertisement Message
  Used with dynamic address allocation

Device-Device Messaging
  Neighbor Solicitation Message
  Neighbor Advertisement Message
  Used with address resolution (IPv4 ARP)

Router-to-Device messaging
  Redirect Message
  Similar to ICMPv4 redirect message


Comparing RIPv2 and RIPng


Configuring RIP (IPv4)

[Topology: R1 G0/0 (.1) on 192.168.1.0/24; R1 S0/0/0 (DCE, .1) to R2 S0/0/0 (.2) on 192.168.2.0/30; R2 G0/0 (.1) on 192.168.3.0/24; R2 S0/0/1 (DCE, .2) to R3 S0/0/1 (.1) on 192.168.4.0/30; R3 G0/0 (.1) on 192.168.5.0/24]

R1(config)# router rip
R1(config-router)# network 192.168.1.0
R1(config-router)# network 192.168.2.0
R1(config-router)#

Configuring RIPng

Similar configuration made on R1's Eth0/3, Lo0 and Lo1

R2(config)# ipv6 router rip CCNP_RIP
% IPv6 routing not enabled
R2(config)# ipv6 unicast-routing
R2(config)# ipv6 router rip CCNP_RIP ! Created automatically if enabled on the interface first
R2(config)# interface ethernet 0/1
R2(config-if)# ipv6 rip CCNP_RIP enable
R2(config-if)# exit
R2(config)# interface loopback 0
R2(config-if)# ipv6 rip CCNP_RIP enable

R2# show ipv6 protocols
IPv6 Routing Protocol is "connected"
IPv6 Routing Protocol is "ND"
IPv6 Routing Protocol is "rip CCNP_RIP"
  Interfaces:
    Loopback0
    Ethernet0/1
  Redistribution:
    None

[Figure: topology labelled 1st hop and 2nd hop]

R2# show ipv6 route
IPv6 Routing Table - default - 7 entries
<output omitted>
R   2001:DB8:A01:100::/64 [120/2]
     via FE80::A8BB:CCFF:FE00:130, Ethernet0/1
R   2001:DB8:A01:A00::/64 [120/2]
     via FE80::A8BB:CCFF:FE00:130, Ethernet0/1
C   2001:DB8:A01:1400::/64 [0/0]
     via Ethernet0/1, directly connected
L   2001:DB8:A01:1400::2/128 [0/0]
     via Ethernet0/1, receive
C   2001:DB8:A01:1E00::/64 [0/0]
     via Loopback0, directly connected
L   2001:DB8:A01:1E00::1/128 [0/0]
     via Loopback0, receive
L   FF00::/8 [0/0]
     via Null0, receive

A RIPng router adds one hop to the metric when it receives the RIPng update. In effect, including itself as one hop.
RIP and RIPv2 routers do not include themselves in the number of hops to the destination network.

Connected Routes

R2# show ipv6 route
IPv6 Routing Table - default - 6 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
<Output omitted>
R   2001:DB8:A01:100::/64 [120/2]
     via FE80::A8BB:CCFF:FE00:130, Ethernet0/1
R   2001:DB8:A01:A00::/64 [120/2]
     via FE80::A8BB:CCFF:FE00:130, Ethernet0/1
C   2001:DB8:A01:1400::/64 [0/0]
     via Ethernet0/1, directly connected
L   2001:DB8:A01:1400::2/128 [0/0]
     via Ethernet0/1, receive
C   2001:DB8:A01:1E00::/64 [0/0]
     via Loopback0, directly connected
L   2001:DB8:A01:1E00::1/128 [0/0]
     via Loopback0, receive
L   FF00::/8 [0/0]
     via Null0, receive

The bracketed values are [Administrative Distance/Metric].
Slide label next to the FF00::/8 entry: ICMPv6

Local Routes

R2# show ipv6 route
IPv6 Routing Table - default - 6 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
<Output omitted>
R   2001:DB8:A01:100::/64 [120/2]
     via FE80::A8BB:CCFF:FE00:130, Ethernet0/1
R   2001:DB8:A01:A00::/64 [120/2]
     via FE80::A8BB:CCFF:FE00:130, Ethernet0/1
C   2001:DB8:A01:1400::/64 [0/0]
     via Ethernet0/1, directly connected
L   2001:DB8:A01:1400::2/128 [0/0]
     via Ethernet0/1, receive
C   2001:DB8:A01:1E00::/64 [0/0]
     via Loopback0, directly connected
L   2001:DB8:A01:1E00::1/128 [0/0]
     via Loopback0, receive
L   FF00::/8 [0/0]
     via Null0, receive

Slide label next to the FF00::/8 entry: ICMPv6

Local routes are /128 routes (host routes) for the router's IPv6 unicast addresses.
Allows the router to more efficiently process packets directed to the router itself rather than for packet forwarding.

FF00::/8 to Null0

R1# show ipv6 route
IPv6 Routing Table - default - 6 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
<Output omitted>
R   2001:DB8:A01:100::/64 [120/2]
     via FE80::A8BB:CCFF:FE00:130, Ethernet0/1
R   2001:DB8:A01:A00::/64 [120/2]
     via FE80::A8BB:CCFF:FE00:130, Ethernet0/1
C   2001:DB8:A01:1400::/64 [0/0]
     via Ethernet0/1, directly connected
L   2001:DB8:A01:1400::2/128 [0/0]
     via Ethernet0/1, receive
C   2001:DB8:A01:1E00::/64 [0/0]
     via Loopback0, directly connected
L   2001:DB8:A01:1E00::1/128 [0/0]
     via Loopback0, receive
L   FF00::/8 [0/0]
     via Null0, receive

Slide label next to the FF00::/8 entry: ICMPv6

By default multicast packets (FF00::/8) are not forwarded.
Any more specific multicast packets (such as FF05::1:3 All DHCPv6 servers) would take precedence.
ipv6 multicast-routing would need to be configured.
Link-local multicast (FF02) are never forwarded off the link.

Propagating a Default Route

R1(config-if)# ipv6 rip name default-information originate | only

originate keyword originates the default route (::/0) in addition to all other routes in the updates sent on this interface.
only keyword originates the default route (::/0) but suppresses all other routes in the updates sent on this interface.

originate option

R1(config)# ipv6 route ::/0 2001:DB8:FEED:1::1
R1(config)# interface Ethernet 0/3
R1(config-if)# ipv6 rip CCNP_RIP default-information originate

R2# show ipv6 route rip
<output omitted>
R   ::/0 [120/2]
     via FE80::A8BB:CCFF:FE00:130, Ethernet0/1
R   2001:DB8:A01:100::/64 [120/2]
     via FE80::A8BB:CCFF:FE00:130, Ethernet0/1
R   2001:DB8:A01:A00::/64 [120/2]
     via FE80::A8BB:CCFF:FE00:130, Ethernet0/1

only option

R1(config)# ipv6 route ::/0 2001:DB8:FEED:1::1
R1(config)# interface Ethernet 0/3
R1(config-if)# ipv6 rip CCNP_RIP default-information only

R2# show ipv6 route rip
<output omitted>
R   ::/0 [120/2]
     via FE80::A8BB:CCFF:FE00:130, Ethernet0/1

Investigating the RIPng Process

R2# show ipv6 rip
RIP process "CCNP_RIP", port 521, multicast-group FF02::9, pid 138
     Administrative distance is 120. Maximum paths is 16
     Updates every 30 seconds, expire after 180
     Holddown lasts 0 seconds, garbage collect after 120
     Split horizon is on; poison reverse is off
     Default routes are not generated
     Periodic updates 308, trigger updates 1
     Full Advertisement 0, Delayed Events 0

The show ipv6 rip command shows information about all RIPng routing processes on the router.
There can be multiple RIPng processes on a single router.

Investigating the RIPng Database

R2# show ipv6 rip database
RIP process "CCNP_RIP", local RIB
 2001:DB8:A01:100::/64, metric 2, installed
     Ethernet0/1/FE80::A8BB:CCFF:FE00:7430, expires in 155 secs
 2001:DB8:A01:A00::/64, metric 2, installed
     Ethernet0/1/FE80::A8BB:CCFF:FE00:7430, expires in 155 secs
 2001:DB8:A01:1400::/64, metric 2
     Ethernet0/1/FE80::A8BB:CCFF:FE00:7430, expires in 155 secs
R2#

The RIP routing protocol uses an internal database to store routes received from RIP neighbors.
This database is also used to generate outbound RIP updates.
The RIP database is almost identical to the list of RIP routes in the main IP routing table, with the exception of the RIP summary routes which appear only in the RIP database and not in the main IP routing table.

Investigating the RIPng Database

R2# show ipv6 rip database
RIP process "CCNP_RIP", local RIB
 2001:DB8:A01:100::/64, metric 2, installed
     Ethernet0/1/FE80::A8BB:CCFF:FE00:7430, expires in 155 secs
<output omitted>

The RIP process (there can be multiple RIPng processes on a single router).
The route prefix.
The route metric, destination network is 2 hops away, counting itself as a hop.
Installed and expired:
  "installed" means the route is in the routing table as a RIPng route. Entries may not be installed, such as a prefix that is directly connected.
  If a network becomes unavailable, the route will become "expired" after the dead timer expires (180 seconds).
Exit interface and next-hop link-local address
Expires in, in which if the countdown timer reaches 0, the route is removed from the routing table and marked expired. This timer, the dead timer, is by default three times the hello timer: 180 seconds.

Investigating the RIPng Database

R2# show ipv6 rip next-hops
RIP process "CCNP_RIP", Next Hops
  FE80::A8BB:CCFF:FE00:7430/Ethernet0/1 [3 paths]
R2#

The show ipv6 rip next-hops command lists RIPng processes and, under each process, all next-hop addresses.
Includes a next-hop address and the associated exit interface where the route was learned.
Displays information about the next hop addresses for the specified RIP IPv6 process.
If no RIP process name is specified, the next-hop addresses for all RIP IPv6 processes are displayed.

Summary
RIP is a distance vector routing protocol
RIP comes in three flavors:
  RIPv1 (IPv4 classful)
  RIPv2 (IPv4 classless)
  RIPng (IPv6)
RIPng configuration steps are:
  Enable IPv6 routing
  Start the RIPng routing process
  Configure IPv6 address on the interfaces
  Enable RIPng on the interfaces (creates the RIPng process if it doesn't exist)
Default routes are announced through RIPng using the command
  ipv6 rip name default-information originate | only
