Enterprise Network Infrastructure
A high-level overview of a typical enterprise network: it can be divided into two major areas:
Enterprise Campus
Enterprise Edge
Enterprise Network Infrastructure
Enterprise Campus:
Provides access to the network communications services and resources to end users and devices.
Usually a scalable hierarchical model:
Access layer
Distribution layer
Core layer
Enterprise Network Infrastructure
Enterprise Edge:
Provides:
Access to the Internet
Access to the same network services as users at the main site.
Role of Dynamic Routing Protocols
Routing protocols provide:
Network reachability between routers
Dynamic adaptation to network changes
Best practice is to use one IGP routing protocol throughout the enterprise:
OSPF or EIGRP
Multiple routing protocols (IGP and BGP) are used when the organization is multihomed to two or more ISPs for Internet connectivity.
[Figure: routing protocols by family, IPv4 / IPv6; BGP with ISP.]
RIPv2 / RIPng
EIGRP / EIGRP for IPv6
Link State Routing Protocols:
OSPFv2 / OSPFv3 *
IS-IS / IS-IS for IPv6
Path Vector:
BGP-4 / BGP-4 for IPv6 or MP-BGP
Link-State Protocols
A link-state routing protocol can create a complete view, or topology, of the network.
Link-state protocols are associated with Shortest Path First (SPF) calculations.
A link-state router uses the link-state information to:
Create a topology map
Select the best path to all destination networks in the topology.
Each router makes the decision!
Link-state routing protocols are like having a complete map of the network topology.
Convergence
Convergence is when a network has complete and accurate information about the entire network.
Convergence time is how fast network devices can reach the state of convergence after a topology change.
Convergence time is affected by:
Routing protocol timers
Route summarization
Traffic Types
Destination IP address: A device can send traffic to one recipient, to selected recipients, or to all devices within a subnet at the same time.
Routing protocols use different traffic types to control how routing information is exchanged.
Unicast: Unicast addresses are used in a one-to-one context.
Multicast: Multicast addresses identify a group of interfaces. Traffic that is sent to a multicast address is sent to multiple destinations at the same time.
Anycast: An anycast address is assigned to an interface on more than one node. When a packet is sent to an anycast address, it is routed to the nearest interface that has this address.
Broadcast: IPv4 broadcast addresses are used when sending traffic to all devices in the subnet.
Network Types
Three general network types:
Point-to-point network: A network that connects a single pair of routers. (Serial)
Broadcast network: A network that can connect many routers along with the capability to address a single message to all of the attached routers. (Ethernet)
NBMA network: A network that has single access to multiple networks but no broadcast capability. The sender needs to create an individual copy of the same packet for each recipient. NBMA networks introduce several challenges. (Frame Relay and ATM)
Not all Layer 2 network topologies support all traffic types.
[Figure: NBMA hub-and-spoke with one connection to the provider. Alternative: separate leased lines for each point-to-point connection.]
Split horizon:
Prevents a routing update that is received on an interface from being forwarded out of the same interface.
The hub router will not forward a routing update learned from one spoke router to other spoke routers.
Solution: Disable split horizon, or use subinterfaces.
Designated Router:
OSPF over NBMA networks works in nonbroadcast network mode by default.
The hub router will not forward broadcasts/multicasts received from one spoke to other spokes.
By default, OSPF treats an NBMA network like Ethernet: it requires a DR to exchange routing information between all routers on a segment.
Solution: Configure the hub router to act as the DR, because it is the only router that has PVCs with all other routers.
Replicated Broadcasts
Broadcast replication:
The router must replicate broadcast (and multicast) packets, such as routing update broadcasts, on each PVC to the remote routers.
This consumes bandwidth and causes significant latency variations in user traffic.
By Rick Graziani, ISBN-10: 1-58720-457-6
[Figure: IPv4 and IPv6 header comparison. Similar fields in both, starting with Version. The IPv6 header is 40 bytes. IPv4 ToS byte: IP Precedence, Unused, IP ECN.]
Flow Label: a new field in IPv6, not part of IPv4.
The flow label is used to identify the packets in a common stream or flow.
Traffic from source to destination shares a common flow label.
RFC 6437, IPv6 Flow Label Specification
[Figure: packet layouts. IPv6: IPv6 Header | IPv6 Extension Header (Optional) | Data. IPv4: IPv4 Header | Data (Payload).]
IPv4 Fragmentation
[Figure: PCA (Source) -> R1 -> R2 -> R3 -> PCB (Destination); the link out of R1 has the smaller MTU.
R1: "MTU of outgoing link smaller than packet size: fragment IPv4 packet."
PCA sends a single IPv4 packet; from R1 onward it travels as several IPv4 packet fragments.
PCB: "It is my job to reassemble the packet fragments."]
IPv6 No Fragmentation
[Figure: PCA (Source, MTU = 1500) -> R1 (MTU = 1500) -> link with smaller MTU -> R2 (MTU = 1350) -> R3 -> PCB (Destination).
PCA: "I will use the MTU of the interface." (1) IPv6 packet, MTU 1500.
R1: "MTU of outgoing link smaller than packet size. Drop packet. Send ICMPv6 Packet Too Big message, use MTU 1350." ICMPv6 Packet Too Big, use MTU 1350.
PCA resends: IPv6 packet, MTU 1350.
PCB: "Packet received. No reassembly required."]
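The two figures above contrast router-side IPv4 fragmentation with IPv6 Path MTU Discovery. The following simulation is an added example, not code from the slides; the topology and MTUs (a 1500-byte packet meeting a 1350-byte link) are constructed to match the figures, and the header sizes are the protocol minimums. The reassembly routine also rejects overlapping or missing fragments, the condition a receiving stack has to handle rather than silently merge.

```python
"""IPv4 fragmentation and IPv6 Path MTU Discovery, simulated in pure Python.

Added example, not code from the original slides. Topology and MTUs are
constructed to match the slide figures (PCA -> R1 -> R2 -> R3 -> PCB, with
the link out of R1 at MTU 1350); header sizes are the protocol minimums.
"""
IPV4_HDR = 20  # bytes, IPv4 header without options
IPV6_HDR = 40  # bytes, fixed IPv6 main header


def fragment_ipv4(payload_len, link_mtu, ident=1):
    """Router-side IPv4 fragmentation (R1's job in the figure).

    Returns a list of (ident, more_fragments, offset_in_8_byte_units, data_len).
    Every fragment except the last carries a multiple of 8 data bytes, because
    the Fragment Offset field counts 8-byte blocks.
    """
    max_data = (link_mtu - IPV4_HDR) // 8 * 8
    if max_data <= 0:
        raise ValueError("MTU too small for an IPv4 header")
    frags, offset = [], 0
    while offset < payload_len:
        data_len = min(max_data, payload_len - offset)
        more = offset + data_len < payload_len
        frags.append((ident, more, offset // 8, data_len))
        offset += data_len
    return frags


def reassemble_ipv4(frags):
    """Host-side reassembly (PCB's job). Returns the reassembled payload length.

    Rejects gaps and overlaps instead of merging them: overlapping fragments
    are a well-known way to confuse reassembly in middleboxes, so a careful
    stack treats them as an error.
    """
    ordered = sorted(frags, key=lambda f: f[2])
    if len({f[0] for f in ordered}) != 1:
        raise ValueError("fragments belong to different packets")
    expected = 0
    for _ident, _more, off8, data_len in ordered:
        if off8 * 8 != expected:
            raise ValueError("gap or overlap at offset %d" % (off8 * 8))
        expected += data_len
    if ordered[-1][1]:
        raise ValueError("last fragment still has MF set")
    return expected


def ipv6_path_mtu(packet_size, path_mtus):
    """IPv6 PMTUD: routers never fragment, the source shrinks the packet.

    path_mtus lists the link MTUs from source to destination. Returns
    (final_packet_size, mtus_received_in_packet_too_big_messages).
    """
    too_big = []
    size = packet_size
    for mtu in path_mtus:
        if size > mtu:
            too_big.append(mtu)  # router drops and sends ICMPv6 Packet Too Big
            size = mtu           # source retransmits at the advertised MTU
    return size, too_big


if __name__ == "__main__":
    frags = fragment_ipv4(1500 - IPV4_HDR, 1350)
    print("IPv4 fragments:", frags, "reassembled:", reassemble_ipv4(frags))
    print("IPv6 PMTUD:", ipv6_path_mtu(1500, [1500, 1350, 1500]))
```

Running it shows the 1480-byte IPv4 payload split into a 1328-byte and a 152-byte fragment (offsets 0 and 166 in 8-byte units), while the IPv6 source receives one Packet Too Big carrying 1350 and simply resends at that size.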
IPv4 Protocol / IPv6 Next Header
For both protocols, the field indicates the type of header following the IP header.
Common values:
6 = TCP
17 = UDP
58 = ICMPv6
88 = EIGRP
89 = OSPF
[Figure: IPv6 Header (Next Header) -> Data (Protocol: TCP, UDP, ICMPv6, etc.). "When 0, drop packet."]
[Figure: IPv6 Main Header (Next Header) -> Extension Header (Next Header) -> Data (Protocol: TCP, UDP, ICMPv6, etc.).]
Extension Header values and names:
0   Hop-by-Hop Options
43  Routing (allows the source of the packet to specify the path to the destination)
44  Fragment
50  Encapsulating Security Payload (ESP)
51  Authentication Header (AH)
60  Destination Options
[Figure: extension header chain. IPv6 Main Header (Next Header: Hop-by-Hop) -> Hop-by-Hop Extension Header (Next Header = 51) -> AH Extension Header (Next Header: TCP) -> TCP Header -> Data.]
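The chain in the figure (main header, Hop-by-Hop, AH, TCP) is exactly what a packet parser has to walk by following each Next Header field. The parser below is an added example, not code from the slides or from any vendor implementation; the packet it parses is constructed inline, with addresses from the documentation prefix. It bounds the number of headers it will follow and checks lengths against the packet, so a malformed chain fails cleanly instead of reading past the buffer.

```python
"""Walk an IPv6 Next Header chain. Added example; packet is constructed inline."""
import ipaddress
import struct

IPV6_HDR = 40
NEXT_HEADER_NAMES = {0: "Hop-by-Hop Options", 6: "TCP", 17: "UDP", 43: "Routing",
                     44: "Fragment", 50: "ESP", 51: "AH", 58: "ICMPv6",
                     60: "Destination Options", 88: "EIGRP", 89: "OSPF"}
# ESP (50) is not in this set: everything after it is encrypted, so the walk stops there.
EXTENSION_HEADERS = {0, 43, 44, 51, 60}


def build_sample_packet():
    """Constructed packet matching the slide figure: main -> Hop-by-Hop -> AH -> TCP."""
    # Hop-by-Hop: next header 51 (AH), Hdr Ext Len 0 (8 bytes total), one PadN option
    hbh = bytes([51, 0]) + b"\x01\x04\x00\x00\x00\x00"
    # AH: next header 6 (TCP), Payload Len 4 -> (4 + 2) * 4 = 24 bytes, SPI, seq, 12-byte ICV
    ah = bytes([6, 4, 0, 0]) + struct.pack("!II", 0x1000, 1) + b"\x00" * 12
    # Minimal 20-byte TCP SYN header (sport, dport, seq, ack, data offset 5, flags, window, csum, urg)
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    payload = hbh + ah + tcp
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    # Version 6, traffic class 0, flow label 0; payload length; next header 0; hop limit 64
    main = struct.pack("!IHBB", 0x60000000, len(payload), 0, 64) + src + dst
    return main + payload


def walk_header_chain(pkt, max_headers=8):
    """Follow Next Header from the main header to the upper-layer protocol.

    Returns a list of (header_number, name, offset). Raises ValueError on a
    truncated packet, a misplaced Hop-by-Hop header or a chain longer than
    max_headers, so a hostile packet cannot make the parser read out of bounds.
    """
    if len(pkt) < IPV6_HDR or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    if len(pkt) < IPV6_HDR + payload_len:
        raise ValueError("truncated payload")
    chain, nh, off = [], pkt[6], IPV6_HDR
    for _ in range(max_headers):
        if nh == 0 and off != IPV6_HDR:
            raise ValueError("Hop-by-Hop must immediately follow the main header")
        chain.append((nh, NEXT_HEADER_NAMES.get(nh, "unknown"), off))
        if nh not in EXTENSION_HEADERS:
            return chain  # upper-layer header (or ESP) reached
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        if nh == 51:                 # AH length is in 4-byte units, minus 2
            ext_len = (pkt[off + 1] + 2) * 4
        elif nh == 44:               # Fragment header is a fixed 8 bytes
            ext_len = 8
        else:                        # others: 8-byte units, not counting the first 8
            ext_len = (pkt[off + 1] + 1) * 8
        if off + ext_len > len(pkt):
            raise ValueError("extension header runs past end of packet")
        nh, off = pkt[off], off + ext_len
    raise ValueError("extension header chain too long")


if __name__ == "__main__":
    for number, name, offset in walk_header_chain(build_sample_packet()):
        print("offset %3d: next header %3d = %s" % (offset, number, name))
```

For the constructed packet the walk reports Hop-by-Hop at offset 40, AH at 48 and TCP at 72; cutting the packet short raises rather than returning a partial chain.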
MSS and Avoiding Fragmentation
TCP MSS (Maximum Segment Size) defines the largest amount of data that the receiving device is able to accept in a single TCP segment.
To avoid fragmentation of an IPv4 packet, the TCP MSS is selected as the minimum of the buffer size and the MTU of the outgoing interface minus 40 bytes.
The 40 bytes takes into account the 20-byte IPv4 header and the 20-byte TCP header.
A TCP segment over IPv4 sent out an Ethernet interface will have a TCP MSS of 1460, which is 1500 bytes for the Ethernet MTU, minus 20 bytes for the IPv4 header, and minus 20 bytes for the TCP header.
[Figure: 1 Gbps pipe.]
Long Fat Network (or long fat pipe), LFN ("elephan(t)"): network paths with high bandwidth and long round-trip delays.
TCP can experience bottlenecks on LFNs (less than optimal use of these paths).
Because of the increased bandwidth and the distance, we need to send more data to keep the pipe full.
Increased bandwidth: we can send more data.
Increased distance: it takes longer to send the data and get the TCP ACKs.
BDP is used to optimize the TCP window size to fully utilize the link.
BDP = Bandwidth (bps) * RTT in seconds
The TCP window size (amount of data that can be sent before requiring an ACK) should then use the BDP.
The result is the maximum amount of data that can be transmitted on the link at any given time.
http://www.speedguide.net/bdp.php
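The MSS rule and the BDP formula above are the two numbers an engineer actually computes when sizing TCP for a link. The helper below is an added example, not code from the slides or from the speedguide calculator; it carries the 1460-byte Ethernet MSS and the BDP through to the window scale shift the connection needs (the TCP window field is 16 bits, so windows above 65535 bytes require the window scale option of RFC 1323 / RFC 7323, whose shift is capped at 14), which the slides do not show.

```python
"""TCP MSS and bandwidth-delay product sizing. Added example, not from the slides."""
import math


def tcp_mss(mtu, ip_header=20, tcp_header=20):
    """Largest TCP payload that fits one packet without IP fragmentation.
    Pass ip_header=40 for IPv6."""
    return mtu - ip_header - tcp_header


def bdp_bytes(bandwidth_bps, rtt_seconds):
    """Bandwidth-delay product in bytes: data in flight needed to keep the pipe full."""
    return int(bandwidth_bps * rtt_seconds / 8)


def window_scale_needed(window_bytes):
    """Smallest RFC 7323 window scale shift whose 16-bit window can express window_bytes.
    The shift is capped at 14 by the specification."""
    shift = 0
    while (65535 << shift) < window_bytes and shift < 14:
        shift += 1
    return shift


def segments_in_flight(window_bytes, mss):
    """How many full-size segments the window represents (an OS tuning sanity check)."""
    return math.ceil(window_bytes / mss)


def plan(mtu, bandwidth_bps, rtt_seconds, ip_header=20):
    """Put the pieces together for one link."""
    mss = tcp_mss(mtu, ip_header=ip_header)
    bdp = bdp_bytes(bandwidth_bps, rtt_seconds)
    return {"mss": mss, "bdp_bytes": bdp,
            "window_scale": window_scale_needed(bdp),
            "segments_in_flight": segments_in_flight(bdp, mss)}


if __name__ == "__main__":
    # Constructed scenario: the slide's 1 Gbps pipe with a 100 ms round trip
    print(plan(1500, 1_000_000_000, 0.1))
```

For the 1 Gbps, 100 ms case this gives MSS 1460, a BDP of 12.5 MB, and a window scale shift of 8; a receive window left at the unscaled 64 KB maximum would let the sender use well under one percent of the link.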
TCP Starvation
[Figure: TCP starvation by UDP; wasted bandwidth; WRED.]
Global or TCP synchronization: TCP slow start, when all of our connections do this together, the router's ingress queue fills and drops new packets.
Solution: RED or WRED, which drops some packets sooner (minimum and maximum thresholds).
Only a few TCP flows have to go into TCP slow start and not everyone.
The good of the many outweighs the good of the few or the one.
Different thresholds for different priorities, so higher-priority packets have a lower chance of being dropped; a lower-priority packet will be dropped first.
ICMP Redirect
[Figure: Network X with R1 and R2; PCB sends to a destination host on Network X.]
Asymmetric Routing
[Figure: IPv6 Network A with PCA, IPv6 Network B with PCB; ARP cache entry 10.1.1.100 > MacAdd.]
Solutions:
1. Change the ARP timer (4 hours on IOS) to be less than the MAC address table timer (5 minutes):
DSW2 would need to send an ARP request for 10.1.1.100.
PC1 would send an ARP Reply.
The ARP Reply is in an Ethernet frame, so DSW2 can now add PC1's MAC address to its MAC address table.
DSW2 will now send packets for 10.1.1.100 only out the one port.
2. Do not span a VLAN across multiple access layer switches.
[Figure: ARP cache entry 10.1.1.100 > MacAdd.]
Static Route
[Figure: R1 G0/0 :1; R1 S0/0/0 :1 and R2 S0/0/0 :2 on 2001:DB8:CAFE:2::/64.]
Using VPNs
Types of VPNs
MPLS overview
VPN Overview
VPNs enable the exchange of information over a public (or private) network as if the remote hosts were connected to the same private network.
Similar to leased lines.
The majority of VPN technologies also support routing protocols.
VPNs use tunnels.
Tunnels
VPN Security
VPN security is provided by IPsec.
IPsec: IP unicast only.
IPsec with GRE: IP multicast, dynamic IGP routing protocols, non-IP protocols.
IPsec has two encryption modes:
Tunnel mode
Transport mode
IPsec
Internet Key Exchange (IKE) is a framework for:
negotiation and exchange of security parameters and authentication keys
Authentication Header (AH) provides the framework for:
data integrity
data origin authentication
optional anti-replay features of IPsec
Encapsulating Security Payload (ESP) provides the framework for:
data confidentiality
data integrity
data origin authentication
optional anti-replay features of IPsec
ESP will do everything and more; you don't need to use both.
ESP is the only IPsec protocol that provides data encryption.
The following encryption methods are available to IPsec ESP:
Data Encryption Standard (DES)
Triple Data Encryption Standard (3DES)
Advanced Encryption Standard (AES)
[Figure: transport mode between hosts, Host IP to Host IP.]
Transport mode:
The IPsec headers are simply inserted in an IP packet (after the IP header); the original IP header is exposed and unprotected.
Data at the transport layer and higher layers benefits from the implemented IPsec features.
Transport mode protects the transport layer and up.
[Figure: tunnel mode between routers, Router IP to Router IP.]
Tunnel mode:
The actual IP addresses of the original IP header, along with all the data within the packet, are protected.
Tunnel mode creates a new external IP header that contains the IP addresses of the tunnel endpoints (such as routers or VPN concentrators).
The exposed IP addresses are the tunnel endpoints, not the device IP addresses that sit behind the tunnel endpoints.
DMVPN Theory
Requirement: Need to bring up and tear down a VPN tunnel between two spokes on an as-needed basis.
Problem: Hub and spoke doesn't scale well when interconnecting spokes, and full mesh is expensive (Internet or MPLS cloud).
Solution: Multipoint GRE (MGRE) makes this possible.
A single router interface can have multiple GRE tunnels on it.
Have MGRE on all branch/spoke routers so they can create a GRE tunnel to other routers on an as-needed basis.
One problem: How does a spoke router determine the IP address at the other end of the tunnel, the other spoke router?
[Figure: NHRP resolution between spokes and hub.
"My tunnel IP is 10.0.0.2 and my physical IP is 200.0.113.1."
"My tunnel IP is 10.0.0.3 and my physical IP is 192.51.100.1."
"I know the IP address of the end-point tunnel (10.0.0.2) but I don't know its physical interface IP address."
"Checking my NHRP database, 10.0.0.2 is at physical IP address 200.0.113.1."]
Unicast:
Global Unicast: 2000::/3 (range 2000::/3 to 3FFF::/3)
Link-Local: FE80::/10 (FE80::/10 to FEBF::/10)
Loopback: ::1/128
Unspecified: ::/128
Unique Local: FC00::/7 (FC00::/7 to FDFF::/7)
Embedded IPv4: ::/80
Multicast:
Assigned: FF00::/8
Solicited-Node: FF02::1:FF00:0000/104
Anycast
[Figure: address structure. IPv4: 32 bits, subnet portion / host portion, prefix length /?. IPv6: 128 bits as eight 16-bit fields, /64 prefix followed by the Interface ID.]
Static GUA Configuration
[Figure: host A (:100) on 2001:DB8:CAFE:1::/64 and host B (:100) on 2001:DB8:CAFE:3::/64, each reaching R1 at :1 on its G0/0 side; R1 S0/0/0 :1 on 2001:DB8:CAFE:2::/64.]
Unlike IPv4, IPv6 does not reserve the all-zeroes and all-ones Interface IDs (host portion) as subnet and broadcast addresses; they are valid IPv6 device addresses.
[Figure: global unicast prefix allocation: *RIR, *ISP Prefix, *Site Prefix (possible home site prefix /48), Subnet Prefix /64 with Subnet ID, then the Interface ID.]
* This is a minimum allocation. The prefix-length may be less if it can be justified.
[Figure: link-local address structure: first 10 bits, remaining 54 bits, 64-bit Interface ID.]
FE80::Interface ID
Link-local addresses are created automatically:
FE80 (usually) in the first 10 bits
Interface ID:
EUI-64 (Cisco routers)
Random 64 bits (many host operating systems)
Static (manual) configuration
EUI-64
[Figure: R1 with interfaces G0/0, G0/1, S0/0/0; MAC address FC99.4775.C3E0.
Insert FF-FE in the middle: FC99:47FF:FE75:C3E0.
Flip the 7th bit of the first byte: FC = 1111 1100 becomes 1111 1110 = FE.
EUI-64 Interface ID: FE99:47FF:FE75:C3E0.]
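The EUI-64 steps in the figure (split the MAC, insert FFFE, flip the U/L bit) in working code, as an added example that is not from the slides. It also runs the procedure backwards, which is what a defender does when a link-local address on a capture is EUI-64 derived and the vendor MAC behind it is wanted; the MAC FC99.4775.C3E0 is the slide's own value.

```python
"""Modified EUI-64 Interface IDs and link-local addresses. Added example, not from the slides."""
import ipaddress


def eui64_interface_id(mac):
    """Build the modified EUI-64 Interface ID from a 48-bit MAC.

    Accepts Cisco dotted (FC99.4775.C3E0), colon or dash notation.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = octets[0] ^ 0x02  # flip the U/L bit, the 7th bit of the first byte
    iid = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]  # insert FF-FE in the middle
    return ":".join(iid.hex()[i:i + 4] for i in range(0, 16, 4)).upper()


def eui64_link_local(mac):
    """FE80::/10 plus the EUI-64 Interface ID, as a Cisco router would autoconfigure it."""
    return ipaddress.IPv6Address("FE80::" + eui64_interface_id(mac))


def mac_from_address(addr):
    """Recover the MAC if the Interface ID is modified EUI-64, otherwise None.

    A random or manually configured Interface ID (no FFFE in the middle)
    gives nothing back, which is the privacy argument for not using EUI-64 on hosts.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join("%02X" % b for b in octets)


if __name__ == "__main__":
    mac = "FC99.4775.C3E0"  # the MAC used in the slide figure
    ll = eui64_link_local(mac)
    print(mac, "->", eui64_interface_id(mac), "->", ll, "->", mac_from_address(ll))
```

For the slide's MAC this yields the Interface ID FE99:47FF:FE75:C3E0 and link-local FE80::FE99:47FF:FE75:C3E0, and the reverse lookup returns FC:99:47:75:C3:E0; FE80::1, a manually configured address, gives no MAC.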
[Figure: "Wait! Two link-locals are the same!" R1 G0/0 FE80::1, G0/1 FE80::1, S0/0/0 FE80::1. Link-local addresses only have to be unique on the link!]
Unicast Addresses
Loopback Address
::1/128
Used by a node to send an IPv6 packet to itself, typically when testing the TCP/IP stack.
Same functionality as the IPv4 loopback 127.0.0.1.
Not routable.
Unspecified Address
:: (all-0s)
Indicates the absence or anonymity of an IPv6 address (RA source address).
Note: Site-local addresses (FEC0::/10) have been deprecated.
[Figure: IPv6 Main Header (Next Header = 58) -> ICMPv6 Header -> Data.]
ICMPv6 message groups: Router-Device Messaging; Device-Device Messaging.
Redirect Message
Similar to the ICMPv4 redirect message.
Router-to-Device messaging.
[Figure: RIPng topology with R1, R2 and R3; networks 192.168.1.0/24, 192.168.2.0/30, 192.168.5.0/24 and 192.168.4.0/30; interfaces G0/0, S0/0/0 and S0/0/1 with .1/.2 addresses; DCE ends on the serial links.]
Configuring RIPng
Connected Routes
R2# show ipv6 route
IPv6 Routing Table - default - 6 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
<Output omitted>
R   2001:DB8:A01:100::/64 [120/2]
     via FE80::A8BB:CCFF:FE00:130, Ethernet0/1
R   2001:DB8:A01:A00::/64 [120/2]
     via FE80::A8BB:CCFF:FE00:130, Ethernet0/1
C   2001:DB8:A01:1400::/64 [0/0]
     via Ethernet0/1, directly connected
L   2001:DB8:A01:1400::2/128 [0/0]
     via Ethernet0/1, receive
C   2001:DB8:A01:1E00::/64 [0/0]
     via Loopback0, directly connected
L   2001:DB8:A01:1E00::1/128 [0/0]
     via Loopback0, receive
L   FF00::/8 [0/0]
     via Null0, receive
Slide annotations: [120/2] = [Administrative Distance/Metric]; the RIPng-learned networks are 1st hop and 2nd hop; the C entries are the connected routes; the "ICMPv6" label sits beside the FF00::/8 entry.
Local Routes
(Same R2# show ipv6 route output as above.) Local routes are /128 routes (host routes) for the routers, shown with code L.
R1# show ipv6 route
By default multicast packets
IPv6 Routing Table - default - 6 entries
Codes: C - Connected, L - Local, S - Static,
U - Per-user
route
(FF00::/8)
are notStatic
forwarded.
<Output omitted>
R
R
C
L
C
L
L
108
originate option
::/0 [120/2]
via FE80::A8BB:CCFF:FE00:130, Ethernet0/1
2001:DB8:A01:100::/64 [120/2]
via FE80::A8BB:CCFF:FE00:130, Ethernet0/1
2001:DB8:A01:A00::/64 [120/2]
via FE80::A8BB:CCFF:FE00:130, Ethernet0/1
109
only option
::/0 [120/2]
via FE80::A8BB:CCFF:FE00:130, Ethernet0/1
110
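The routing-table listings above all share one format: a code letter, a prefix, [Administrative Distance/Metric], and a "via" line carrying the link-local next hop and exit interface. The parser below is an added example, not code from the slides or from Cisco; its sample input is constructed from the entries shown above (including the ::/0 learned with the originate option). On top of parsing it performs a small audit: a route whose AD does not match its code, or a default route that arrived from a dynamic neighbour rather than static configuration, is the kind of entry worth checking when a routing table looks different from what was intended.

```python
"""Parse Cisco-style 'show ipv6 route' output and audit it. Added example, not from the slides."""
import re

# Constructed sample, assembled from the entries the slides show
SAMPLE = """\
IPv6 Routing Table - default - 6 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
R   ::/0 [120/2]
     via FE80::A8BB:CCFF:FE00:130, Ethernet0/1
R   2001:DB8:A01:100::/64 [120/2]
     via FE80::A8BB:CCFF:FE00:130, Ethernet0/1
C   2001:DB8:A01:1400::/64 [0/0]
     via Ethernet0/1, directly connected
L   2001:DB8:A01:1400::2/128 [0/0]
     via Ethernet0/1, receive
L   FF00::/8 [0/0]
     via Null0, receive
"""

ROUTE_RE = re.compile(r"^(?P<code>[A-Z]{1,2})\s+(?P<prefix>\S+)\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]")
VIA_RE = re.compile(r"^\s+via\s+(?P<rest>.+)$")

# Default administrative distances for the codes the slides use (IOS defaults)
EXPECTED_AD = {"C": 0, "L": 0, "S": 1, "R": 120}


def parse_ipv6_routes(text):
    """Return one dict per entry: code, prefix, ad, metric, next_hop, interface, note."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append({"code": m["code"], "prefix": m["prefix"],
                           "ad": int(m["ad"]), "metric": int(m["metric"]),
                           "next_hop": None, "interface": None, "note": ""})
            continue
        m = VIA_RE.match(line)
        if m and routes:
            parts = [p.strip() for p in m["rest"].split(",")]
            first, second = parts[0], parts[1] if len(parts) > 1 else ""
            if ":" in first:  # an IPv6 next hop, then the exit interface
                routes[-1]["next_hop"], routes[-1]["interface"] = first, second
            else:             # no next hop: interface, then "directly connected" or "receive"
                routes[-1]["interface"], routes[-1]["note"] = first, second
    return routes


def audit(routes):
    """Flag entries worth a second look.

    'unexpected-ad': the AD does not match the default for that route source.
    'dynamic-default': a default route learned from a neighbour, e.g. via
    RIPng default-information, rather than configured statically.
    """
    findings = []
    for r in routes:
        expected = EXPECTED_AD.get(r["code"])
        if expected is not None and expected != r["ad"]:
            findings.append(("unexpected-ad", r["prefix"]))
        if r["prefix"] == "::/0" and r["code"] != "S":
            findings.append(("dynamic-default", r["prefix"]))
    return findings


if __name__ == "__main__":
    parsed = parse_ipv6_routes(SAMPLE)
    for r in parsed:
        print(r)
    print("findings:", audit(parsed))
```

On the sample the parser yields five entries, the RIPng routes with AD 120 and metric 2 and the connected and local routes with [0/0], and the audit reports only the dynamically learned default route.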
RIP database output:
R2#
<Output omitted>
2001:DB8:A01:1400::/64, metric 2
     Ethernet0/1/FE80::A8BB:CCFF:FE00:7430, expires in 155 secs
R2#
The RIP routing protocol uses an internal database to store routes received from RIP neighbors. This database is also used to generate outbound RIP updates.
The RIP database is almost identical to the list of RIP routes in the main IP routing table, with the exception of the RIP summary routes, which appear only in the RIP database and not in the main IP routing table.
The route metric: the destination network is 2 hops away, counting itself as a hop.
Installed and expired:
"installed" means the route is in the routing table as a RIPng route. Entries may not be installed for a prefix that is directly connected.
If a network becomes unavailable, the route will become "expired" after the dead timer expires (180 seconds).
Exit interface and next-hop link-local address.
Expires in: if the countdown timer reaches 0, the route is removed from the routing table and marked expired. This timer, the dead timer, is by default three times the hello timer: 180 seconds.
The show ipv6 rip next-hops command lists the RIPng processes and, under each process, all next-hop addresses.
Includes a next-hop address and the associated exit interface where the route was learned.
Displays information about the next hop addresses for the specified RIP IPv6 process.
If no RIP process name is specified, the next-hop addresses for all RIP IPv6 processes are displayed.
Summary
RIP is a distance vector routing protocol.
RIP comes in three flavors:
RIPv1 (IPv4 classful)
RIPv2 (IPv4 classless)
RIPng (IPv6)
RIPng configuration steps are:
Enable IPv6 routing
Start the RIPng routing process
Configure IPv6 addresses on the interfaces
Enable RIPng on the interfaces (creates the RIPng process if it doesn't exist)
Default routes are announced through RIPng using the command:
ipv6 rip name default-information originate | only