Addressing in an Enterprise Network
Introducing Routing and Switching in the Enterprise – Chapter 4
Objectives
Analyze the features and benefits of a hierarchical IP addressing structure.
Plan and implement a VLSM IP addressing scheme.
Plan a network using classless routing and CIDR.
Configure and verify both static and dynamic NAT.
Features & Benefits of a Hierarchical IP Addressing Structure
Implementing switches reduces the number of collisions that occur within a local network. However, having an all-switched network often creates a single broadcast domain. In a single broadcast domain, or flat network, every device is in the same network and receives each broadcast. In small networks, a single broadcast domain is acceptable. With large numbers of hosts, a flat network becomes less efficient. As the number of hosts increases in a switched network, so does the number of broadcasts sent and received. Broadcast packets take up a lot of bandwidth, causing traffic delays and timeouts.
Two solutions:
– Create VLANs
– Use routers in a hierarchical network design
Features & Benefits of a Hierarchical IP Addressing Structure
A hierarchical addressing structure logically groups networks into smaller subnetworks:
– Classful network address in the Core Layer
– Successively smaller subnets in the Distribution and Access Layers
– Route summarization
Features & Benefits of a Hierarchical IP Addressing Structure
Use subnetting to subdivide a network based on:
– Physical location or logical grouping
– Application and security requirements
– Broadcast containment
– Hierarchical network design
Features & Benefits of a Hierarchical IP Addressing Structure
For example, if an organization uses the 10.0.0.0 network for the enterprise, it might use an addressing scheme such as 10.X.Y.0, where X represents a geographical location and Y represents a building or floor within that location. This addressing scheme allows for:
– 255 different geographical locations
– 255 buildings in each location
– 254 hosts within each building
Plan / Implement a VLSM Addressing Scheme
Subnet mask:
– 32-bit value
– Slash notation (CIDR notation)
– Distinguishes between network and host bits
– Can vary in length to accommodate the number of hosts on a LAN segment
Subnet Mask
The subnet mask indicates whether hosts are in the same network. The subnet mask is a 32-bit value that distinguishes between the network bits and the host bits. It consists of a string of 1s followed by a string of 0s. The 1 bits represent the network portion and the 0 bits represent the host portion.
– Class A addresses use a default subnet mask of 255.0.0.0, or a slash notation of /8
– Class B addresses use a default mask of 255.255.0.0, or /16
– Class C addresses use a default mask of 255.255.255.0, or /24
Slash Notation
The /x refers to the number of bits in the subnet mask that comprise the network portion of the address. In an enterprise network, subnet masks vary in length. LAN segments often contain varying numbers of hosts; therefore, it is not efficient to have the same subnet mask length for all subnets created.
Purpose of an IP Address and Subnet Mask
When one host needs to communicate with another, it determines its own network address and the destination network address by applying its subnet mask to both its IPv4 address and the destination IPv4 address. This is done to determine whether the two addresses are on the same local network.
Plan / Implement a VLSM Addressing Scheme
Boolean ANDing compares the bits in the host address to the bits in the subnet mask:
– 1 AND 1 = 1
– 1 AND 0 = 0, 0 AND 0 = 0
The resulting value is the network address.
Plan / Implement a VLSM Addressing Scheme
Steps in basic subnetting:
1. Borrow bits from the host side
2. Add them to the network side
3. Change the mask to reflect the additional bits
Plan / Implement a VLSM Addressing Scheme
Elements of an addressing scheme:
– Subnet number
– Network address
– Host range
– Broadcast address
Implementation of IP Addressing in the LAN
Five host bits mean that there can be 30 hosts per subnet (2^5 - 2). Remember that the all-zeros and all-ones host addresses are reserved for the network designation and the broadcast address.
VLSM Addressing Scheme
Variable Length Subnet Masks (VLSM) provide for efficient use of address space. VLSM also allows for hierarchical IP addressing, which lets routers take advantage of route summarization. Route summarization reduces the size of routing tables in distribution and core routers. Smaller routing tables require less CPU time for routing lookups.
VLSM is the concept of subnetting a subnet. It was initially developed to maximize addressing efficiency. With the advent of private addressing, the primary advantage of VLSM now is organization and summarization.
VLSM
Benefits of VLSM:
– Allows efficient use of address space
– Allows the use of multiple subnet mask lengths
– Breaks up an address block into smaller blocks
– Allows for route summarization
– Provides more flexibility in network design
– Supports hierarchical enterprise networks
Classless routing protocols support the use of VLSM because the subnet mask is sent with all routing update packets. Classless routing protocols include RIPv2, EIGRP, and OSPF.
Plan / Implement a VLSM Addressing Scheme
Benefits of Variable Length Subnet Masks (VLSM):
– Flexibility
– Efficient use of address space
– Ability to use route summarization
Plan / Implement a VLSM Addressing Scheme
VLSM allows the use of different masks for each subnet. After a network address is subnetted, further division of those subnets creates sub-subnets.
Implement a VLSM Addressing Scheme
Designing an IP addressing scheme with VLSM takes practice and planning.
Implement a VLSM Addressing Scheme
When implementing a VLSM subnetting scheme, always allow for some growth in the number of hosts when planning subnet requirements.
Plan / Implement a VLSM Addressing Scheme
– Apply masks from the largest group to the smallest
– Avoid assigning addresses that are already allocated
– Allow for some growth in the number of hosts on each subnet
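The VLSM procedure above (size each group, apply masks from largest to smallest, check for overlap, leave headroom), together with the ANDing rule and the subnet elements from the earlier slides, worked through in Python. This is an added example, not part of the original slides; the host counts, segment names and the 192.168.10.0/24 block are constructed assumptions.

```python
import ipaddress
import math

# Constructed host requirements for a hypothetical campus; names and counts are assumptions.
REQUIREMENTS = {
    "Sales": 50,
    "Engineering": 25,
    "Admin": 10,
    "WAN-A": 2,   # point-to-point link: two hosts, so a /30
    "WAN-B": 2,
}


def prefix_for_hosts(hosts):
    """Shortest host field (2^n - 2 usable addresses) that fits `hosts`, returned as a prefix length."""
    host_bits = max(2, math.ceil(math.log2(hosts + 2)))   # +2 for the network and broadcast addresses
    return 32 - host_bits


def same_network(addr_a, addr_b, mask):
    """Boolean AND of each address with the mask; equal results mean the two hosts share a network."""
    m = int(ipaddress.ip_address(mask))
    return int(ipaddress.ip_address(addr_a)) & m == int(ipaddress.ip_address(addr_b)) & m


def allocate_vlsm(block, requirements, growth=0.0):
    """Carve `block` into subnets, largest group first, and return one record per segment.

    `growth` is fractional headroom added to each host count before sizing (0.25 = 25 %).
    Raises ValueError when the block cannot hold every subnet.
    """
    block = ipaddress.ip_network(block)
    ordered = sorted(requirements.items(), key=lambda kv: kv[1], reverse=True)  # largest to smallest
    cursor = int(block.network_address)
    end = int(block.broadcast_address) + 1
    plan = []
    for name, hosts in ordered:
        plen = prefix_for_hosts(math.ceil(hosts * (1 + growth)))
        size = 1 << (32 - plen)
        cursor = -(-cursor // size) * size            # a subnet number must be a multiple of its own size
        if cursor + size > end:
            raise ValueError(f"{block} exhausted while placing {name} (/{plen})")
        net = ipaddress.ip_network((cursor, plen))
        usable = list(net.hosts())
        plan.append({
            "name": name,
            "network": str(net),
            "first_host": str(usable[0]),
            "last_host": str(usable[-1]),
            "broadcast": str(net.broadcast_address),
            "usable_hosts": len(usable),
        })
        cursor += size
    return plan


def no_overlap(plan):
    """True when no two allocated subnets share any address (the 'already allocated' check)."""
    nets = [ipaddress.ip_network(p["network"]) for p in plan]
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    for row in allocate_vlsm("192.168.10.0/24", REQUIREMENTS):
        print(f'{row["name"]:12} {row["network"]:20} hosts {row["first_host"]} - {row["last_host"]} '
              f'broadcast {row["broadcast"]} ({row["usable_hosts"]} usable)')
```

Running it with growth=0.25 instead shows the effect of headroom: Sales moves from a /26 to a /25 and every other subnet shifts accordingly.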
Classful and Classless Routing
Technology such as VLSM enables the classful IPv4 addressing system to evolve into a classless system. Classless addressing has made the exponential growth of the Internet possible. In classful IP addresses, the value of the first octet, or the first three bits, determines whether the major network is a Class A, B, or C. Each major network has a default subnet mask of 255.0.0.0, 255.255.0.0, or 255.255.255.0 respectively.
Classful and Classless Routing
Classful routing protocols, such as RIPv1, do not include the subnet mask in routing updates. Since the subnet mask is not included, the receiving router makes certain assumptions. The sending router advertises the major classful network address only, not the subnetted address. In this case, the address advertised is 172.16.0.0. The receiving router assumes the default subnet mask for this network. The default subnet mask for a Class B address is 255.255.0.0.
Classful and Classless Routing
With the rapid depletion of IPv4 addresses, the Internet Engineering Task Force (IETF) developed Classless Inter-Domain Routing (CIDR). CIDR uses IPv4 address space more efficiently and supports network address aggregation, or summarizing, which reduces the size of routing tables. The use of CIDR requires a classless routing protocol, such as RIPv2 or EIGRP, or static routing. To CIDR-compliant routers, address class is meaningless. The network subnet mask determines the network portion of the address. This is also known as the network prefix, or prefix length. The class of the address no longer determines the network address.
Classful and Classless Routing
Classless routing protocols that can support VLSM and CIDR include the interior gateway protocols (IGPs) RIPv2, EIGRP, OSPF, and IS-IS. ISPs also use exterior gateway protocols (EGPs) such as Border Gateway Protocol (BGP). The difference between classful routing protocols and classless routing protocols is that the classless routing protocols include subnet mask information with the network address information in the routing updates. Classless routing protocols are necessary when the mask cannot be assumed or determined by the value of the first octet. The sending router advertises all subnetworks with subnet mask information.
Classful and Classless Routing
The sending router, by default, summarizes all of the subnets and advertises the major classful network along with the summarized subnet mask information. This process is often referred to as summarizing on a network boundary. While most classless routing protocols enable summarization on the network boundary by default, the process of summarizing can be disabled. When summarization is disabled, the sending router advertises all subnetworks with subnet mask information.
Plan a Network Using Classless Routing and CIDR

Classful routing                                        | Classless routing
--------------------------------------------------------|-----------------------------------------------------
Default subnet masks                                    | Network prefix
Class determined by first octet                         | Slash (/) mask
No subnet mask information exchanged in routing updates | Subnet mask information exchanged in routing updates
Plan a Network Using Classless Routing and CIDR
Classless Inter-Domain Routing (CIDR):
– Uses address space efficiently
– Used for network address aggregation or summarizing
Creating Custom Subnet Masks
One useful tool in this address planning process is a network diagram. A diagram allows you to see the networks and make a more accurate count. Start with the locations that require the most hosts and work down to the point-to-point links. This process ensures that large enough blocks of addresses are made available to accommodate the hosts and networks for these locations. Also, plan carefully to ensure that the address blocks assigned to the subnets do not overlap.
Creating Custom Subnet Masks
Another helpful tool in this planning process is a spreadsheet. Place the addresses in columns to visualize the allocation of the addresses. This further division of the addresses is often called subnetting the subnets.
Subnetting a subnet
Subnetting a subnet – Case Study
Example 1
Example 2
Implementation of IP Addressing in the LAN
A general list of improvements that IPv6 proposes:
– More address space
– Better address space management
– Easier TCP/IP administration
– Modernized routing capabilities
– Improved support for multicasting, security, and mobility
Route Summarisation
Route summarization, or supernetting, is needed to reduce the number of routes that a router advertises to its neighbor. Remember that for every route that is advertised, the size of the update grows. It has been said that if there were no route summarization, the Internet backbone would have collapsed from the sheer size of its own routing tables back in 1997!
Route Summarisation
Winnipeg, Calgary, and Edmonton each have to advertise internal networks to the main router located in Vancouver. Without route summarization, Vancouver would have to advertise 16 networks to Seattle. To mitigate this problem, it is recommended to use route summarization to reduce the burden on this upstream router.
Route Summarisation - Summarize Winnipeg’s Routes
172.16.64.0 = 10101100.00010000.01000000.00000000
172.16.65.0 = 10101100.00010000.01000001.00000000
172.16.66.0 = 10101100.00010000.01000010.00000000
172.16.67.0 = 10101100.00010000.01000011.00000000
Common bits:  10101100.00010000.010000xx.xxxxxxxx
The first 22 bits of the four networks are common, giving the summarized address 172.16.64.0/22.
Route Summarisation - Summarize Edmonton’s Routes
172.16.72.0 = 10101100.00010000.01001000.00000000
172.16.73.0 = 10101100.00010000.01001001.00000000
172.16.74.0 = 10101100.00010000.01001010.00000000
172.16.75.0 = 10101100.00010000.01001011.00000000
172.16.76.0 = 10101100.00010000.01001100.00000000
172.16.77.0 = 10101100.00010000.01001101.00000000
172.16.78.0 = 10101100.00010000.01001110.00000000
172.16.79.0 = 10101100.00010000.01001111.00000000
Common bits:  10101100.00010000.01001xxx.xxxxxxxx
For Edmonton, the first 21 bits are common. The summarized route is therefore 172.16.72.0/21.
Route Summarisation
To create route summarization, there are some necessary requirements:
• Routers need to be running a classless routing protocol, as they carry subnet mask information with them in routing updates. (Examples are RIP v2, OSPF, EIGRP, IS-IS, and BGP.)
• Addresses need to be assigned in a hierarchical fashion for the summarized address to have the same high-order bits. It does no good if Winnipeg has networks 172.16.64.0 and 172.16.67.0 while 172.16.65.0 resides in Calgary and 172.16.66.0 is assigned in Edmonton. No summarization could take place from the edge routers to Vancouver.
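The common-bits procedure used for Winnipeg and Edmonton above, plus the hierarchical-assignment requirement, implemented in Python as an added example (not part of the original slides). It computes the shared prefix, checks whether the summary covers exactly the advertised networks, and shows why the split assignment in the second bullet fails: a /22 from Winnipeg would claim the Calgary and Edmonton networks. The city names and 172.16.x.0 networks come from the slides; nothing else is from the page.

```python
import ipaddress

# Routing tables for the page's scenario; the Winnipeg and Edmonton networks are from the slides.
WINNIPEG = ["172.16.64.0/24", "172.16.65.0/24", "172.16.66.0/24", "172.16.67.0/24"]
EDMONTON = [f"172.16.{n}.0/24" for n in range(72, 80)]


def as_binary(cidr):
    """Dotted binary form of a network address, as the slides print it."""
    net = ipaddress.ip_network(cidr)
    return ".".join(f"{octet:08b}" for octet in net.network_address.packed)


def common_prefix_length(cidrs):
    """Number of leading bits shared by every network address, never longer than the shortest mask."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    ints = [int(n.network_address) for n in nets]
    shared = 0
    for bit in range(31, -1, -1):                 # walk from the high-order bit down
        if any((i >> bit) & 1 != (ints[0] >> bit) & 1 for i in ints):
            break
        shared += 1
    return min(shared, min(n.prefixlen for n in nets))


def summarize(cidrs):
    """Return (summary, exact): the single route covering `cidrs`, and whether it covers exactly
    those addresses (True) or also claims space the advertising router does not own (False)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    plen = common_prefix_length(cidrs)
    summary = ipaddress.ip_network((int(nets[0].network_address), plen), strict=False)
    exact = sum(n.num_addresses for n in nets) == summary.num_addresses
    return summary, exact


def overclaimed(cidrs, elsewhere):
    """Networks assigned to other sites that a summary of `cidrs` would wrongly advertise."""
    summary, _ = summarize(cidrs)
    return [e for e in elsewhere if ipaddress.ip_network(e).subnet_of(summary)]


if __name__ == "__main__":
    for site, routes in (("Winnipeg", WINNIPEG), ("Edmonton", EDMONTON)):
        for r in routes:
            print(f"{r:16} = {as_binary(r)}")
        summary, exact = summarize(routes)
        print(f"{site}: first {summary.prefixlen} bits common -> {summary} (exact={exact})\n")
    # The slide's counter-example: 172.16.65.0 and 172.16.66.0 live at other sites
    split = ["172.16.64.0/24", "172.16.67.0/24"]
    print("Winnipeg holding only", split, "would overclaim",
          overclaimed(split, ["172.16.65.0/24", "172.16.66.0/24"]))
```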
Plan a Network Using Classless Routing and CIDR
Route summarization:
– Use a single address to represent a group of contiguous subnets
– Occurs at a network boundary
– Smaller routing table, faster lookups
Plan a Network Using Classless Routing and CIDR
Classful routing results in each router advertising the major Class C network without a subnet mask. As a result, the middle router receives advertisements about the same network from two different directions. This scenario is called a discontiguous network.
– Discontiguous subnets cause unreliable routing
– Avoid separating subnets with a different network
Discontiguous networks
Discontiguous networks cause unreliable or suboptimal routing. To avoid this condition, an administrator can:
– Modify the addressing scheme, if possible
– Use a classless routing protocol, such as RIPv2 or OSPF
– Turn automatic summarization off
– Manually summarize at the classful boundary
Plan a Network Using Classless Routing and CIDR
– Use routing protocols that support VLSM
– Plan subnetting to complement the hierarchical design
– Disable auto-summarization if necessary
– Update the router IOS
– Allow for future growth
VLSM Best Practices
– Use newer routing protocols that support VLSM and discontiguous subnets.
– Disable auto-summarization if necessary.
– Use the same routing protocol throughout the network.
– Keep the router IOS up to date to support the use of subnet zero.
– Avoid intermixing private network address ranges in the same internetwork.
– Avoid discontiguous subnets where possible.
– Use VLSM to maximize address efficiency.
– Assign VLSM ranges based on requirements from the largest to the smallest.
– Plan for summarization using hierarchical network design and contiguous addressing design.
– Summarize at network boundaries.
– Use /30 ranges for WAN links.
– Allow for future growth when planning for the number of subnets and hosts supported.
Configure and Verify Static and Dynamic NAT
RFC 1918: private IP address space. Private addresses are available for anyone to use in their enterprise networks because private addresses are only routed internally; they never appear on the Internet.
– Routed internally, never on the Internet
– “Hides” internal addresses from other networks
Private addressing
Class A: 10.0.0.0 - 10.255.255.255
Class B: 172.16.0.0 - 172.31.255.255
Class C: 192.168.0.0 - 192.168.255.255
Using private addressing has these benefits:
– It alleviates the high cost associated with the purchase of public addresses for each host.
– It allows thousands of internal employees to use a few public addresses.
– It provides a level of security, because users from other networks or organizations cannot see the internal addresses.
Configure and Verify Static and Dynamic NAT
Organizations create huge LANs and WANs with private addressing and connect to the Internet using Network Address Translation (NAT). NAT translates internal private addresses into one or more public addresses for routing onto the Internet. NAT changes the private IP source address inside each packet to a publicly registered IP address before sending it out onto the Internet.
Using NAT on boundary routers improves security. Internal private addresses translate to different public addresses each time. This hides the actual addresses of hosts and servers in the enterprise.
Configure and Verify Static and Dynamic NAT
– Static NAT: map a single inside local address to a single public address
– Dynamic NAT: use a pool of public addresses to assign as needed
Configure and Verify Static and Dynamic NAT
Static NAT maps a single inside local address to a single global, or public, address. This mapping ensures that a particular inside local address always associates with the same public address.
Dynamic NAT uses an available pool of Internet public addresses and assigns them to inside local addresses. Dynamic NAT assigns the first available IP address in the pool of public addresses to an inside device.
The address that one internal host uses to connect to another internal host is the inside local address. The public address assigned to the organization is called the inside global address. The NAT router manages the translations between the inside local addresses and the inside global addresses by maintaining a table that lists each address pair.
Configure and Verify Static and Dynamic NAT
Port Address Translation (PAT): dynamically translate multiple inside local addresses to one public address
Summary
– Hierarchical network design groups users into subnets
– VLSM enables different masks for each subnet
– VLSM requires classless routing protocols
– CIDR network addresses are determined by prefix length
– Route summarization, route aggregation, or supernetting is done on a boundary router
– NAT translates private addresses into public addresses that route over the Internet
– PAT translates multiple local addresses into a single public address
Using Network Address Translation in a Network
Network Address Translation (NAT) allows a large group of private users to access the Internet by sharing a small pool of public IP addresses. NAT can also provide security to PCs, servers, and networking devices by withholding their actual IP host addresses from direct Internet access.
Using Network Address Translation in a Network
The main advantage of NAT is IP address reuse, and the sharing of globally unique IP addresses between many hosts from a single LAN. NAT also serves users transparently. In other words, they do not need to know about NAT to get on the Internet from a private network. NAT helps shield users of a private network against access from the outside.
Using Network Address Translation in a Network
The outside global network is any network attached to the router that is external to the LAN and that does not recognize the private addresses assigned to hosts on the LAN. An inside local address is the private IP address configured on a host on an inside network. It is an address that must be translated before it can travel outside the local network addressing structure.
Using Network Address Translation in a Network
An inside global address is the IP address of an inside host as it appears to the outside network. This is the translated IP address.
Using Network Address Translation in a Network
The outside local address is the destination address of the packet while it is on the local network. Usually this address is the same as the outside global address. An outside global address is the actual public IP address of an external host. The address is allocated from a globally routable address or network space.
Using Network Address Translation in a Network One way to provide access to a local host from the Internet is to assign that device a static address translation.
Static and Dynamic NAT
Static translations ensure that an individual host's private IP address is always translated to the same registered global IP address. It also ensures that no other local host will be translated to the same registered address.
Dynamic NAT occurs when a router is configured to assign an IP address from an available pool of outside global addresses to an inside private network device. As long as the session is open, the router watches for that inside global address and sends acknowledgments to the initiating inside device. When the session ends, the router simply returns the inside global address to the pool.
Configuration - NAT
When configuring either static or dynamic NAT:
– List any servers that require a permanent outside address.
– Determine which internal hosts require translation.
– Determine which interfaces source the internal traffic. These will become the inside interfaces.
– Determine which interface sends traffic to the Internet. This will become the outside interface.
– Determine the range of public addresses available.
Configuration – Static NAT
1. Determine the public IP address that outside users should use to access the inside device/server. Administrators tend to use addresses from either the beginning or end of the range for static NAT. Map the inside, or private, address to the public address.
2. Configure the inside and outside interfaces.
Configuration – Dynamic NAT
1. Identify the pool of public IP addresses available for use.
2. Create an access control list (ACL) to identify hosts that require translation.
3. Assign interfaces as either inside or outside.
4. Link the access list with the address pool.
NAT Issues
Most of the time, NAT operates invisibly. The big issue with NAT is the additional workload necessary to support IP address and port translations. Some applications increase the workload of the router because they embed an IP address as part of the encapsulated data. The router must replace the source IP address and port combinations that are contained within the data, as well as the source addresses in the IP header. With all this activity taking place in a router because of NAT, its implementation in a network requires good network design, careful selection of equipment, accurate configuration, and regularly scheduled maintenance.
Users on the outside network cannot reliably initiate a connection to a host on a network that uses PAT. Not only is it impossible to predict the local or global port number of the host, but a gateway does not even create a translation unless a host on the inside network initiates the communication.
Using Network Address Translation in a Network
When an organization has a very small registered IP address pool, or perhaps even just a single IP address, it can still enable multiple users to simultaneously access the public network with a mechanism called NAT overload, or port address translation (PAT). It uses an IP address and port number combination to keep track of each individual conversation with the destination host. In PAT, the gateway translates the local source address and port combination in the packet to a single global IP address and a unique port number above 1024.
Using Network Address Translation in a Network
Since the translation is specific to the local address and local port, each connection, which generates a new source port, requires a separate translation. Users on the outside network cannot reliably initiate a connection to a host on a network that uses PAT.
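The static, dynamic and PAT behaviour described across the NAT slides above (permanent static entries, first-available pool assignment and return to the pool, ACL-selected inside hosts, one address plus a port above 1024 per conversation, and the outside-initiated connection that finds no translation) as a small Python model. This is an added example, not part of the original slides and not IOS code; the 192.168.1.0/24 inside network and the 203.0.113.0/24 public addresses are constructed.

```python
import ipaddress


class NatGateway:
    """Constructed model of a NAT boundary router (illustration only, not IOS code).

    acl:       inside networks whose hosts may be translated (the access list of the dynamic NAT steps)
    static:    inside local -> inside global mappings that never age out
    pool:      inside global addresses handed out first-come, first-served for dynamic NAT
    overload:  PAT; every translation uses pat_address plus a unique port above 1024
    """

    def __init__(self, acl, static=None, pool=None, overload=False, pat_address=None):
        self.acl = [ipaddress.ip_network(n) for n in acl]
        self.static = dict(static or {})
        self.free_pool = list(pool or [])
        self.overload = overload
        self.pat_address = pat_address
        self.next_port = 1025
        self.table = {}     # inside key -> (inside global, global port or None)
        self.reverse = {}   # (inside global, global port or None) -> inside key

    def _permitted(self, ip):
        return any(ipaddress.ip_address(ip) in n for n in self.acl)

    def outbound(self, inside_local, local_port):
        """Packet from an inside interface. Returns (inside global, global port) or None when not translated."""
        if inside_local in self.static:                     # static: always the same public address
            return self.static[inside_local], local_port
        if not self._permitted(inside_local):               # not matched by the ACL: never translated
            return None
        key = (inside_local, local_port) if self.overload else inside_local
        if key not in self.table:
            if self.overload:
                entry = (self.pat_address, self.next_port)  # one address, a new port per conversation
                self.next_port += 1
            elif self.free_pool:
                entry = (self.free_pool.pop(0), None)       # first available pool address, ports untouched
            else:
                return None                                 # pool exhausted: no translation, packet dropped
            self.table[key] = entry
            self.reverse[entry] = key
        global_ip, global_port = self.table[key]
        return global_ip, (local_port if global_port is None else global_port)

    def inbound(self, inside_global, global_port):
        """Packet from the outside interface. Returns (inside local, local port) or None when no entry exists."""
        for local, public in self.static.items():
            if public == inside_global:                     # static entries make an inside host reachable
                return local, global_port
        if (inside_global, global_port) in self.reverse:    # PAT: the exact address+port pair must exist
            return self.reverse[(inside_global, global_port)]
        if (inside_global, None) in self.reverse:           # dynamic NAT: address-level entry, port kept
            return self.reverse[(inside_global, None)], global_port
        return None                                         # no translation: the outside cannot initiate

    def release(self, inside_local, local_port=None):
        """Session ended or entry aged out: drop the dynamic entry and return a pool address."""
        key = (inside_local, local_port) if self.overload else inside_local
        entry = self.table.pop(key, None)
        if entry is not None:
            del self.reverse[entry]
            if not self.overload:
                self.free_pool.append(entry[0])

    def translations(self):
        """Rows in the spirit of 'show ip nat translations': (inside local, inside global, type)."""
        rows = [(local, public, "static") for local, public in self.static.items()]
        for key, (public, port) in self.table.items():
            local = f"{key[0]}:{key[1]}" if self.overload else key
            rows.append((local, public if port is None else f"{public}:{port}", "dynamic"))
        return rows
```

Building one gateway with a two-address pool and another with overload=True and then sending a few outbound and inbound packets through each reproduces the slide statements: the static host is reachable from outside, the third dynamic host is dropped until an entry is released, and an unsolicited inbound packet to the PAT address is dropped.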
Configuration – PAT
Configuring PAT requires the same basic steps and commands as configuring NAT. However, instead of translating to a pool of addresses, PAT translates to a single address. The following command translates the inside addresses to the IP address of the serial interface:
ip nat inside source list 1 interface serial 0/0/0 overload
NAT and PAT Troubleshooting Commands
Verify NAT and PAT functionality with the following commands.
show ip nat translations
This command displays active translations. If a translation is not used, it ages out after a period of time. Static NAT entries remain in the table permanently. A dynamic NAT entry requires some action from the host to a destination on the outside of the network. If configured correctly, a simple ping or trace creates an entry in the NAT table.
show ip nat statistics
This command displays translation statistics, including the number of addresses used and the number of hits and misses. The output also includes the access list that specifies internal addresses, the global address pool, and the range of addresses defined.
Summary
– IP addressing can be tailored to the needs of the network design through the use of custom subnet masks.
– Classless subnetting gives classful IP addressing schemes more flexibility through the use of variable length subnet masks.
– Network Address Translation (NAT) is a way to shield private addresses from outside users.
– Port Address Translation (PAT) translates multiple local addresses to a single global IP address, maximizing the use of both private and public IP addresses.