TCP/IP Addressing Design
Objectives
• Choose an appropriate IP addressing scheme based on business and technical requirements
• Identify IP addressing problems and describe strategies for resolving them
• Describe different address management tools
– Secondary addressing
– DHCP/DNS
– Address translation
• Describe methods for implementing TCP/IP security features
Hierarchical Addressing
• Does a telephone switch in California know how to reach a specific line in Virginia? (1-703-555-1212)
[Figure: the call leaves a local office in California, crosses the long-distance carriers and arrives at a local office in Virginia; each stage routes on one more part of the number: path to the non-local carrier, path to 703, path to 555, path to 1212]
Prefix Length Determined from Context
• Variable-length prefixes are not a new invention
– Prefix field identifies a network number
– Host field identifies a device number
[Figure: a 32-bit address split into a prefix field and a host field]
– Class A: prefix length = 8, remaining 24 bits are the host field
– Class B: prefix length = 16, remaining 16 bits are the host field
– Class C: prefix length = 24, remaining 8 bits are the host field
Prefix Length for Classful and Classless Routing
• "Classful" routers accept only a few prefix lengths
– 10.0.0.0/8 (Class A)
– 172.10.0.0/16 (Class B)
– 192.10.10.0/24 (Class C)
• "Classless" routers accept any prefix length
– 192.10.168.0/21 (Class C address space)
• Prefix length is carried with an IP address
Subnetting Extends Prefix to the Right
[Figure: a 32-bit address; subnetting lengthens the prefix field and shortens the host field]
– Assigned network address: 172.16.0.0
– Subnet mask: 255.255.254.0 (11111111.11111111.11111110.00000000)
– Result: 510 hosts per subnet, 126 subnets
– 172.16.2.0: need 510 hosts, good address utilization
– 172.16.4.0: need 510 hosts, good address utilization
– 172.16.6.0: need 2 hosts, poor address utilization
• RIP and IGRP require the same subnet mask on all interfaces
Classful Routing Protocols Do Not Advertise Prefix Length
• Subnets must be contiguous when using classful routing protocols
[Figure: routers A and B each attach one subnet of 131.108.0.0 (131.108.1.0/24 behind A, 131.108.2.0/24 behind B) and reach router C across 192.168.1.0/16; A advertises 131.108.0.0 and B advertises 131.108.0.0, so router C asks "Where is network 131.108.0.0?"]
Classless Routing Protocols Allow Flexible Addressing
• Link-state and hybrid protocols understand VLSM
• Discontiguous subnets do not present a connectivity issue for advanced routing protocols
[Figure: the same topology, with 131.108.13.4/30 and 131.108.13.8/30 as the links to router C across 192.168.1.0/16; A advertises 131.108.1.0/24 and 131.108.13.8/30, B advertises 131.108.2.0/24 and 131.108.13.4/30, and C's table holds 131.108.1.0/24, 131.108.2.0/24, 131.108.13.4/30 and 131.108.13.8/30]
VLSM Saves Subnets in the WAN
– 131.108.13.4/30, mask 255.255.255.252
– 131.108.13.8/30, mask 255.255.255.252
– 131.108.13.12/30, mask 255.255.255.252
– 131.108.13.16/30, mask 255.255.255.252
– 131.108.15.0/24, mask 255.255.255.0
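Worked example, added here and not part of the course slides: the fixed-mask plan for the 172.16.0.0 block with mask 255.255.254.0 (one mask everywhere, as RIP and IGRP require) beside a VLSM allocation of the same three requirements (510, 510 and 2 hosts), using Python's ipaddress module. The requirement labels and the choice to start carving at the first subnet of the block are my assumptions.

```python
import ipaddress

# Values from the slides: assigned block and the fixed subnet mask.
ASSIGNED = ipaddress.ip_network("172.16.0.0/16")
FIXED_MASK = "255.255.254.0"
# Constructed requirement list mirroring the slide's three subnets (labels are mine).
REQUIREMENTS = [("site-1", 510), ("site-2", 510), ("wan-link", 2)]

def prefix_for_mask(mask):
    """Dotted-decimal mask -> prefix length (255.255.254.0 -> 23)."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen

def fixed_length_plan(block=ASSIGNED, mask=FIXED_MASK):
    """Fixed-length subnetting: one mask on every subnet.
    Returns (usable hosts per subnet, number of subnets)."""
    plen = prefix_for_mask(mask)
    hosts = 2 ** (32 - plen) - 2             # all-zeros and all-ones host IDs are reserved
    subnets = 2 ** (plen - block.prefixlen)  # 128; classful practice also dropped the first
    return hosts, subnets                    # and last subnet, giving the slide's 126

def prefix_for_hosts(need):
    """Longest prefix (smallest subnet) whose usable host count still covers `need`."""
    return 32 - (need + 1).bit_length()      # smallest plen with 2**(32-plen) >= need + 2

def vlsm_plan(block=ASSIGNED, requirements=REQUIREMENTS):
    """Variable-length subnetting: carve the block largest requirement first,
    giving each subnet the longest prefix that fits it, so a 2-host link takes
    a /30 instead of a whole /23. Returns [(label, network, utilization)]."""
    free, plan = [block], []
    for label, need in sorted(requirements, key=lambda r: -r[1]):
        plen = prefix_for_hosts(need)
        for i, chunk in enumerate(free):
            if chunk.prefixlen > plen:       # this free piece is too small
                continue
            sub = chunk if chunk.prefixlen == plen else next(chunk.subnets(new_prefix=plen))
            rest = [] if sub == chunk else list(chunk.address_exclude(sub))
            free[i:i + 1] = rest             # hand the leftover pieces back to the pool
            free.sort(key=lambda n: n.network_address)
            plan.append((label, str(sub), need / (sub.num_addresses - 2)))
            break
        else:
            raise ValueError(f"block exhausted before {label} could be placed")
    return plan

def fixed_length_utilization(need, mask=FIXED_MASK):
    """Share of a fixed-mask subnet's usable hosts that `need` actually uses."""
    return need / (2 ** (32 - prefix_for_mask(mask)) - 2)
```

Under the fixed mask the 2-host link wastes 508 of 510 addresses; under VLSM every subnet in the plan is fully used.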
Route Summarization (Aggregation)
• Subnetting extends prefix to the right
• Summarization collapses prefix to the left
[Figure: the prefix/host boundary of a 32-bit address; subnetting moves it right, summarization moves it left]
Classless Routing and Prefix Routing
• CIDR used by BGP4
• Prefix routing used by EIGRP and OSPF
[Figure: a router holding eight Class C networks announces: "I will just tell you about a summary route to 192.108.168.0/21."]
– 192.108.168.0
– 192.108.169.0
– 192.108.170.0
– 192.108.171.0
– 192.108.172.0
– 192.108.173.0
– 192.108.174.0
– 192.108.175.0
A Classless Routing Protocol Looks for the Longest Match
– 202.222.5.33/32: host
– 202.222.5.32/27: subnet
– 202.222.5.0/24: network
– 202.222.0.0/16: block of networks
– 0.0.0.0/0: default
• IP routers support host-specific routes, blocks of networks, and default routes
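Worked example, added here and not from the course: the eight Class C networks on the summary slide collapsed into 192.108.168.0/21, and a longest-match lookup over the slide's five-entry table (host, subnet, network, block of networks, default), using Python's ipaddress module. It also checks that a summary covers exactly the networks behind it, since seven of the eight do not collapse to the /21 and advertising it anyway would attract traffic for an address block the router does not serve.

```python
import ipaddress

# Values from the slides: eight contiguous Class C networks behind one router,
# and the five-entry table used for the longest-match illustration.
CLASS_C_NETWORKS = [f"192.108.{third}.0/24" for third in range(168, 176)]
ROUTING_TABLE = [
    "202.222.5.33/32",   # host route
    "202.222.5.32/27",   # subnet
    "202.222.5.0/24",    # network
    "202.222.0.0/16",    # block of networks
    "0.0.0.0/0",         # default
]

def summarize(prefixes):
    """Collapse networks into the fewest supernets covering exactly the same
    addresses. A CIDR/prefix-routing router advertises this list upstream
    instead of every component network."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def summary_is_exact(summary, prefixes):
    """True when `summary` covers precisely the listed networks and nothing else.
    An over-wide summary claims addresses that are not behind this router."""
    return summarize(prefixes) == [str(ipaddress.ip_network(summary))]

def longest_match(table, destination):
    """Classless forwarding decision: of every table entry that contains the
    destination, pick the one with the longest prefix. The /0 default matches
    everything, so it wins only when nothing more specific does."""
    addr = ipaddress.ip_address(destination)
    best = None
    for entry in (ipaddress.ip_network(e) for e in table):
        if addr in entry and (best is None or entry.prefixlen > best.prefixlen):
            best = entry
    return str(best) if best is not None else None
```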
Secondary Addressing
• Useful in switched networks
– Router may relay packets, acting as a default gateway
– Host may communicate directly, using ARP for learning
[Figure: one switched segment carrying hosts 172.16.1.2 and 172.16.2.2; the router interface holds both 172.16.1.1 and 172.16.2.1]
Host Address Assignment
• Static
• Dynamic
– BOOTP
– DHCP
[Figure: a host sends an address request and receives an address response of 131.108.6.3 with mask 255.255.255.0]
Name-to-Address Translation
• Cisco DNS/DHCP Manager
– Manages domain names
– Synchronizes IP addresses
– Supports secondary addressing
[Figure: a DNS/DHCP server serving Client_1 (172.16.1.2) and Client_2 (172.16.2.2) behind router addresses 172.16.1.1 and 172.16.2.1. DNS table: Client_1 172.16.1.2, Client_2 172.16.2.2. DHCP table: next available address 172.16.1.3]
Private versus Registered Addresses
• Three address blocks reserved for private networks
– 10.0.0.0 (1 Class A)
– 172.16.0.0 to 172.31.0.0 (16 Class B)
– 192.168.0.0 to 192.168.255.0 (256 Class C)
• Address translation must occur to reach the Internet
[Figure: a private network (for example, 10.0.0.0) reaches the public network (for example, the Internet) through an address translation gateway]
Network Address Translation
• Cisco router provides
– Network address translation only
[Figure: a Cisco router between the private network (for example, 10.0.0.0) and the public network (for example, the Internet)]
Cisco Private Internet Exchange
• Private Internet Exchange platform provides
– Address translation
– Firewall service
[Figure: a PIX between the private network (for example, 10.0.0.0) with its private servers and the public network (for example, the Internet) with its public servers]
IP Security Considerations
[Figure: the security policy sits at the boundary between the private network and the public network]
• Establish a security policy
• Implement firewall features
• Control access
– Local
– Remote
Implementing IP Security
• Policy drives implementation choices
[Figure: a firewall system, governed by policy, between the private network (for example, 10.0.0.0) and the public network (for example, the Internet)]
Policy Considerations for Security
• Determine how much security you need
• Trade off ease of use and configuration with security demands
• Determine what data outsiders need to reach
• Quantify the cost of the proposed security system
• Implement a simple, robust design
Many Aspects of Security
• Authorization, authentication, data integrity, privacy issues
• Firewalls are just one piece of the puzzle
[Figure: security policy at the center, surrounded by firewalls, access management, host security and encryption]
Firewall System with Isolated LANs
• Prevent unauthorized and improper access from external networks
• Public servers on outside LAN
[Figure: public and private LANs isolated by the firewall system; public servers sit on the public side and private servers on the private side; an untrusted user on the outside says "I cannot access the private network."]
Additional Firewall Functionality
• Network address translation
• Application proxy
• Packet filter
• Audit trail
• Login protection
[Figure: a firewall system between the Internet and the 10.0.0.0 internal network, presenting an InterNIC-registered address to the outside]
Disable All Unnecessary Features
• Disable Telnet, TFTP, and proxy services
[Figure: a public server behind the firewall system; the outside filter admits only FTP and WWW from the Internet; the firewall system runs with no VTYs, no TFTP and no finger, and is administered from the physical console port]
Be Specific About Access Allowed
• Allow specific services to specific hosts on DMZ LAN only
– HTTP to host B only
– FTP to host A only
– DNS to host C only
Block Traffic from Firewall Routers, Hosts
• Do not trust Telnet from firewall systems
[Figure: an untrusted user who has compromised the firewall says "I have cracked the firewall! Where can I get to from here?" and opens a Telnet session inward; the internal host reasons "I am getting a Telnet from the firewall! I guess that's OK!"]