1- en_ROUTE_v7_Ch01.pdf

N/A
N/A
Protected

Academic year: 2021

Share "1- en_ROUTE_v7_Ch01.pdf"

Copied!
78
0
0

Loading.... (view fulltext now)

Full text

(1)

Chapter 1:

Basic Network and

Routing Concepts

Implementing Cisco IP Routing (ROUTE)

Prepared by: Ing. Ariel Germán for ITLA

Based on: Foundation Learning Guide

CCNP ROUTE 300-101

(2)

Chapter 1 Topics

 Differentiating Routing Protocols

 Understanding Network Technologies

 Connecting Remote Locations with Headquarter

 Routing and TCP/IP operations

 Implementing RIPng

(3)

Differentiating Routing Protocols

(4)

Enterprise Network Infrastructure

 Enterprise Campus

(5)
(6)

Choosing a Dynamic Routing Protocol

 Input requirements:

• Size of the network

• Multivendor support

• Knowledge level of specific protocol

 Protocol characteristics:

• Type of routing algorithm

• Speed of convergence

(7)

IGP versus EGP

(An autonomous system (AS) is a collection of network devices under a common administration.)

Interior Gateway Protocols (IGPs):

• Are used within the organization, and exchange routes within an AS.

• Fast convergence, not complex to configure.

• RIP, EIGRP, OSPF, IS-IS

Exterior Gateway Protocols (EGPs):

• Exchange routes between different ASs.

• Border Gateway Protocol (BGP) is the only EGP used today.

(8)

Types of Routing Protocol 1/2

Distance vector protocols:

• Determine the direction (vector) and distance (link cost or hop count) to every network.

• A router knows only the metric to a destination and the interface used to reach it; it has no map of the topology.

• RIPv1 and IGRP relied on the periodic exchange of the routing table to propagate a topology change.

• RIPv2 and EIGRP use triggered updates.

Link-state protocols:

• Use the Shortest Path First (SPF) algorithm to build an abstract map of the topology of the entire network or of an area.

• All link-state routers have an identical “map” of the topology.

(9)

Types of Routing Protocol 2/2

Path Vector Protocols:

• Exchange information about destination networks and the path (the list of autonomous systems) used to reach them.

• Do not have an abstract of the network topology.

(10)

Convergence

 Process by which routers notice a change in the network, exchange information, and recalculate the best routes.

 Converged network: all routers have the same view of the network topology.

 Convergence time can be influenced by:

• Fine-tuning routing protocol timers (more aggressive timers increase traffic, overhead and CPU utilization on the routers).

(11)

Route Summarization

 Group several subnets into one aggregate entry that describes all of them.

 Reduce overhead and improve stability and scalability by reducing the amount of routing information exchanged.

 Distance vector protocols support summarization on any interface; link-state protocols support it only at area boundaries.

 IP addressing must be assigned hierarchically, in contiguous blocks across the network; otherwise the aggregate also claims address space the organization does not use.

What is the summarized
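Route summarization as an added worked example in Python (not code from the original slides): summarize() computes the single prefix that covers a set of subnets, and uncovered() lists the address space that the aggregate claims but the set does not contain, which is exactly what a practitioner checks before advertising a summary, because over-claimed space attracts traffic the summarizing router cannot deliver. The subnet lists are constructed sample input; only the Python standard library is used.

```python
import ipaddress
from typing import Iterable, List


def summarize(prefixes: Iterable[str]):
    """Smallest single prefix that covers every network in `prefixes`.

    The summary starts at the lowest network address; its length is the
    longest prefix under which the highest address of the set still fits.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    if len({n.version for n in nets}) != 1:
        raise ValueError("cannot summarize IPv4 and IPv6 prefixes together")
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    for plen in range(nets[0].max_prefixlen, -1, -1):
        candidate = ipaddress.ip_network((lo, plen), strict=False)
        if hi in candidate:
            return candidate
    raise AssertionError("unreachable: a /0 covers everything")


def uncovered(prefixes: Iterable[str]) -> List:
    """Address blocks inside summarize(prefixes) that are NOT in the original set.

    A non-empty result means the aggregate over-claims address space: traffic
    for those blocks is attracted to the summarizing router, which has no
    specific route for them.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    holes = [summarize(prefixes)]
    for n in nets:
        remaining = []
        for hole in holes:
            if hole.subnet_of(n):          # hole fully covered by this network
                continue
            if n.subnet_of(hole):          # carve the network out of the hole
                remaining.extend(hole.address_exclude(n))
            else:                          # disjoint: keep the hole as is
                remaining.append(hole)
        holes = remaining
    return sorted(holes)


if __name__ == "__main__":
    # Constructed sample input: four contiguous /24s, and a gapped set of three.
    contiguous = ["172.16.12.0/24", "172.16.13.0/24", "172.16.14.0/24", "172.16.15.0/24"]
    gapped = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24"]
    print(summarize(contiguous), uncovered(contiguous))   # 172.16.12.0/22 []
    print(summarize(gapped), uncovered(gapped))           # 10.1.0.0/22 [IPv4Network('10.1.3.0/24')]
```

The same functions work for IPv6 prefixes, which matters for the RIPng part of this chapter, where there is no automatic summarization at all.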

(12)

Routing Protocol Scalability

 Scalability describes the ability of a routing protocol to support further network growth.

 Scalability factors:

• Number of routes

• Number of adjacent neighbors

• Number of routers in the network

• Network design

• Frequency of changes

• Available resources (CPU and memory)

 Hierarchical addressing, structured address assignment, and route summarization improve overall scalability.

 Routing protocols have their own mechanisms:

• OSPF: hierarchical areas

• EIGRP: stub routers

(13)

Understanding Network Technologies

(14)

Traffic Types 1/2

Unicast:

• Exchanged only between one sender and one receiver.

• The most common traffic type.

Multicast:

• Traffic sent to a multicast address is delivered to every member of the group at the same time.

• An interface may belong to any number of multicast groups.

• IPv4 range: 224.0.0.0 – 239.255.255.255

(15)

Traffic Types 2/2

Anycast:

• Traffic sent to an anycast address is routed to the nearest interface that has that address.

• The nearest interface is chosen according to the distance measure of the routing protocol in use.

• Example: DNS root servers.

Broadcast:

• Only used in IPv4 (IPv6 has no broadcast; it uses multicast instead).

• Information is transmitted from one sender to all connected receivers.

• Local broadcast address: 255.255.255.255

(16)
(17)

IPv6 Address Types 2/2

Global Unicast: equivalent to a public IP address in IPv4.

Link Local: automatically or manually configured. Not routable beyond the link.

Assigned Multicast: similar to well-known multicast addresses in IPv4.

Solicited-Node Multicast: used by ICMPv6 Neighbor Discovery; similar to ARP for IPv4, but sent to a small multicast group instead of to every host.

Loopback: used for testing.

Unspecified: used as the source IPv6 address when the host does not yet have an address (for example during duplicate address detection).

Unique Local: equivalent to a private IP address in IPv4.

Embedded IPv4: Used to represent the IPv6 equivalent of

(18)

ICMPv6 Neighbor Discovery

 ICMPv6 is similar to ICMPv4.

 ICMPv6 provides automatic address allocation, address resolution, and duplicate address detection.

 ICMPv6 Neighbor Discovery includes five messages:

Router Solicitation (RS): multicast to all IPv6 routers (ff02::2), requesting a Router Advertisement message.

Router Advertisement (RA): response to an RS, indicating the prefix, prefix length and default gateway address.

Neighbor Solicitation (NS): similar to ARP for IPv4; sent to the solicited-node multicast address of the target.

Neighbor Advertisement (NA): response to an NS message.

Redirect: Sent by a router to inform a better next-hop router on the
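The address arithmetic behind Neighbor Discovery, as an added example in Python (not code from the original slides): how a host derives its link-local address from its MAC with modified EUI-64, which solicited-node multicast group an NS for a given target goes to, and which Ethernet multicast MAC the NIC must listen on, which is why IPv6 needs no broadcast. The MAC 00:1a:2b:3c:4d:5e and the target addresses are constructed sample values; only the standard library is used.

```python
import ipaddress


def eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 address built from a 48-bit MAC with modified EUI-64:
    insert ff:fe in the middle of the MAC and flip the universal/local bit."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    iid[0] ^= 0x02                              # flip the U/L bit (RFC 4291, appendix A)
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + bytes(iid))


def solicited_node(target: str) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the target (RFC 4291)."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def multicast_mac(group: str) -> str:
    """Ethernet destination for an IPv6 multicast group: 33:33 + low 32 bits (RFC 2464)."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> s) & 0xFF:02x}" for s in (24, 16, 8, 0))


def neighbor_solicitation_addresses(target: str) -> dict:
    """Where an NS for `target` is sent, compared with the ARP broadcast it replaces."""
    group = solicited_node(target)
    return {
        "ipv6_dst": str(group),
        "eth_dst": multicast_mac(str(group)),
        "arp_equivalent_eth_dst": "ff:ff:ff:ff:ff:ff",
    }


if __name__ == "__main__":
    ll = eui64_link_local("00:1a:2b:3c:4d:5e")            # constructed sample MAC
    print(ll)                                              # fe80::21a:2bff:fe3c:4d5e
    print(neighbor_solicitation_addresses(str(ll)))
    # Only hosts whose address ends in the same 24 bits join the group, so
    # an NS wakes up a handful of NICs instead of every host on the segment.
    print(solicited_node("2001:db8::1") == solicited_node("fe80::1"))   # True
```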

(19)

Network Types 1/2

Point-to-point network:

• Connects a single pair of routers

• Example: A serial link

Broadcast network:

• Connects many routers.

• All of them are reachable through a single (broadcast) address.

(20)

Network Types 2/2

Nonbroadcast multiaccess (NBMA) networks:

• Support many routers.

• Have no broadcast capability.

• The sender must create an individual copy of the same packet for each router.

• Introduce several challenges.

(21)

NBMA Networks 1/3

 Can use a variety of topologies; hub-and-spoke or partial mesh is the most common.

 Frame Relay is the most common example of an NBMA technology.

 If a multipoint interface is used to connect multiple sites, some issues arise:

• Split horizon: with distance vector protocols, the hub receives an update on its physical interface but cannot forward it out the same interface to the other spokes.

(22)

NBMA Networks 2/3

• Neighbor discovery: OSPF over NBMA does not discover neighbors by default. You have to configure them statically and make sure the hub is elected Designated Router (DR).

• Broadcast replication: the hub router must replicate broadcast packets on each PVC to the remote routers.

(23)

NBMA Networks 3/3

 Subinterfaces overcome these limitations. There are two types:

• Point-to-point subinterfaces: each subinterface provides connectivity between two routers, using its own subnet.

• Point-to-multipoint subinterfaces: a single subnet is used; EIGRP and OSPF need additional configuration. Point-to-point subinterfaces are preferred.

(24)

Routing over the Internet

 IGPs are not used to establish connections over the Internet, for the following reasons:

• All IGPs need to establish adjacencies with directly connected neighbors.

• Organizations typically use private IP addressing.

• The Internet is insecure by nature.

 To overcome these limitations, tunneling techniques can be used. They are generally called Virtual Private Networks (VPNs).

 Most VPN technologies support routing protocols.

(25)

Connecting

Remote Locations

with Headquarters

(26)

 To connect remote locations, leased lines and Frame Relay are no longer needed.

 Multiprotocol Label Switching (MPLS) VPNs and Dynamic Multipoint Virtual Private Network (DMVPN) are widespread.

 MPLS and DMVPN offer greater flexibility at a lower cost.

(27)

Principles of Static Routing 1/2

 A static route can be used when:

• Routing updates are undesirable, such as on a dialup link.

• The administrator needs total control over the routes.

• A backup to a dynamically learned route is needed.

• A network is reachable by only one path (stub network).

• The router connects to an ISP and needs only a default route pointing to it.

(28)

Principles of Static Routing 2/2

 What are the drawbacks of static routing?

Configuring an IPv4 static route:

ip route prefix mask {address | interface [address]} [dhcp] [distance] [name next-hop-name] [permanent | track number] [tag tag]

• Prior to IOS 12.0 it was more efficient to specify the exit interface.

• From IOS 12.0 onward (with CEF), specifying the next-hop IP address is recommended, optionally together with the exit interface.

(29)
(30)

Basic PPP Overview

 PPP has some advantages over its predecessor HDLC (the default encapsulation on Cisco serial interfaces).

 PPP is configured on an interface:

R1# configure terminal
R1(config)# interface serial 0/0/0
R1(config-if)# encapsulation ppp

 Additional options can be used after it is activated. Resulting configuration:

hostname R1
!
interface Serial 0/0/0
 encapsulation ppp

(31)

PPP Authentication Overview 1/3

 Authentication is optional.

 PPP can use PAP and CHAP.

 PAP is a very basic two-way process: the username and password are sent in clear text, with no encryption or hashing.

 CHAP uses a three-way handshake based on a shared secret; the secret itself is never sent on the link, only an MD5 hash of a random challenge combined with it.

 You can configure PAP, CHAP, or both:

Router(config-if)# ppp authentication {chap | chap pap | pap chap | pap} [if-needed] [list-name | default] [callin]

 PAP authentication requires the remote device to send a name and password to be checked against its user

(32)

PPP Authentication Overview 2/3

 The hostname of one router must match the username the other router has configured for PPP; the passwords must also match.

hostname R1
username R2 password sameone
!
interface Serial 0/0/0
 ip address 10.0.1.1 255.255.255.252
 ipv6 address 2001:db8:cafe:1::1/64
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username R1 password sameone

hostname R2
username R1 password sameone
!
interface Serial 0/0/0
 ip address 10.0.1.2 255.255.255.252
 ipv6 address 2001:db8:cafe:1::2/64
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username R2 password sameone

 Because both routers require PAP, each must also send its own credentials (ppp pap sent-username). Note that PAP puts the username and password on the link in clear text, so anyone able to capture the serial traffic learns the shared password.

(33)

PPP Authentication Overview 3/3

 In CHAP, the local device sends a challenge (a random value plus its own hostname) to the remote.

 The remote looks up the secret it shares with that hostname, computes an MD5 hash over the challenge identifier, the secret and the challenge value, and returns the hash together with its own name. The secret itself never crosses the link.

 The local router looks up the configured secret for the remote's name, computes the same hash over the challenge it sent, and verifies that the calculated and received values match.

 Unlike PAP, CHAP can repeat the challenge periodically during the session.

hostname R1
username R2 password sameone
!
interface Serial 0/0/0
 ip address 10.0.1.1 255.255.255.252
 ipv6 address 2001:db8:cafe:1::1/64
 encapsulation ppp
 ppp authentication chap

hostname R2
username R1 password sameone
!
interface Serial 0/0/0
 ip address 10.0.1.2 255.255.255.252
 ipv6 address 2001:db8:cafe:1::2/64
 encapsulation ppp

 In this configuration only R1 challenges R2; add ppp authentication chap on R2 as well for mutual authentication.

(34)

PPPoE 1/2

 ISPs value PPP because of its authentication, accounting and link management features.

 Ethernet links do not support PPP natively, which is why PPPoE was created.

 PPPoE creates a PPP tunnel over the Ethernet connection.

 The modem converts the Ethernet frames to PPP frames by stripping the Ethernet headers.

(35)

PPPoE 2/2

 Configuration:

• Create a dialer interface (which is virtual).

• Configure PPP encapsulation on the dialer interface, with its IP address learned dynamically from the ISP.

• Enable PPPoE on the Ethernet interface that connects to the ISP.

• Link the dialer interface to that Ethernet interface.

(36)

Basic Frame Relay Overview

 Frame Relay is a high-performance WAN protocol that operates at the physical and data link layers of the OSI model.

 Only one physical connection is needed.

 The SP creates virtual circuits (VCs), normally permanent (PVCs), each identified by a DLCI.

 DLCIs are locally significant.

 A mapping between IP address and DLCI must be established.

 By default, Frame Relay is NBMA, but subinterfaces are normally used.

(37)

VPN Connectivity Overview

 Frame Relay is considered deprecated, for the following factors:

• Cost

• Deployed services

• Scalability

 The next generation of VPNs supports quick and easy provisioning of full-mesh topologies without compromising security and scalability.

(38)

MPLS-based VPN

 MPLS is used to build tunnels through the service provider core network.

 Traffic forwarding through the MPLS backbone is based on labels assigned by the SP.

 Layer 3 MPLS VPN:

• The SP participates in customer routing.

• Customer routes are redistributed into MP-BGP at the ingress PE.

• On the other end, they are redistributed back from MP-BGP into the routing protocol used at that site.

• The routing protocols at the local and remote sites may be different.

 Layer 2 MPLS VPN:

• Interconnects PE and CE at Layer 2 using a pseudowire.

• Two types:

(39)

Tunneling VPNs

 GRE

• Tunneling protocol developed by Cisco.

• Enables encapsulation of Layer 3 protocols inside a point-to-point tunnel over an IP network.

• Traffic is not encrypted.

 IPsec

• Framework that uses a set of cryptographic protocols to secure Layer 3 traffic.

• Works with any application that uses IP as a transport protocol.

 DMVPN

• Used to scale IPsec hub-to-spoke and spoke-to-spoke designs in large networks.

(40)

Hybrid VPNs

 MPLS-based VPNs and tunnel VPNs are not mutually exclusive.

 It is possible to combine them and encrypt (or tunnel) the data across the service provider network (a tunnel over a tunnel).

 Examples:

• Layer 3 MPLS VPN over GRE

• Layer 3 MPLS VPN over DMVPN (over IPsec)

 Provides a greater level of security, since the provider network no longer sees the customer's plaintext.

 Several layers of encapsulation increase latency and complexity and reduce the effective MTU.

(41)

Routing Across MPLS VPNs 1/2

 Routing depends on whether it is an L2 MPLS VPN or an L3 MPLS VPN.

 L2 MPLS VPN:

• The customer selects the routing protocol.

• Customer routers (CE) establish adjacencies directly with each other across the pseudowire.

(42)

Routing Across MPLS VPNs 2/2

 L3 MPLS VPN:

• Customer and SP must agree on the routing protocol(s).

• Each customer router establishes an adjacency with an SP router (PE).

(43)

Routing Over a GRE Tunnel 1/2

 A tunnel is a logical interface that provides a way to encapsulate passenger packets inside a transport protocol.

 A tunnel has three main parts:

• A passenger protocol, which is being encapsulated.

• A carrier protocol (GRE for GRE tunnels).

• A transport protocol (IP), which carries the encapsulated packet across the network.

(44)

Routing Over a GRE Tunnel 2/2

 GRE tunnels offer the possibility to connect branch offices across the Internet or a WAN.

 Their main benefit: they carry multicast, so they are appropriate for routing protocols.

 They do not encrypt the traffic; combine GRE with IPsec when confidentiality is needed.

(45)

Dynamic Multipoint Virtual Private Network

 Static tunnels may be an appropriate solution for small networks, but they do not scale.

 The Cisco DMVPN feature enables better scaling for large (and small) IPsec VPNs.

 DMVPN combines multipoint GRE (mGRE), IPsec encryption and the Next Hop Resolution Protocol (NHRP).

 Benefits:

• No reconfiguration is needed on the hub router when a new spoke is added.

• IPsec is triggered immediately to create the point-to-point tunnel, with no per-peer configuration needed.

(46)

Multipoint GRE

 mGRE enables a single GRE interface to support multiple GRE tunnels and reduces configuration complexity.

 Only one tunnel interface needs to be configured on a router to support multiple remote GRE peers.

 Devices using mGRE require NHRP to build dynamic GRE tunnels.

(47)

NHRP

 NHRP is used by routers to determine the IP address of the next hop in IP tunneling networks.

 When a spoke initially connects to a DMVPN network, it registers its inner (tunnel) and outer (physical interface) addresses with the hub router.

 This registration enables the mGRE interface on the hub router to build a dynamic GRE tunnel back to the registering spoke.

 NHRP creates a mapping from tunnel IP address to physical interface IP address for each spoke at the hub.

(48)
(49)

IPsec

 IPsec is a framework of open standards that defines how to provide secure communications.

 It provides four security services:

Confidentiality (encryption): The sender encrypts the packets before transmitting them across the network.

Data integrity: The receiver can verify that the data was not altered in transit. A keyed hash (HMAC) computed with a shared key is used, not a plain checksum, so an attacker who modifies a packet cannot recompute a valid check value.

Authentication: Ensures the communication is with the intended partner. Devices and users are authenticated through Internet Key Exchange (IKE), which supports username/password, OTP, biometrics, pre-shared keys (PSK) and digital certificates.

Antireplay protection: Verifies that each packet is unique and not a duplicate by checking its sequence number against a sliding window. Late and duplicate packets are dropped.
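The integrity and antireplay services together, as an added example in Python (not code from the original slides): an RFC 4303 style sliding window and a receiver that applies the checks in the order ESP requires, window pre-check, then integrity check value (ICV), then window update. The order is the security-relevant point: if the window were advanced before the ICV is verified, anyone could forge a packet with a large sequence number and make the receiver discard the legitimate packets that follow. The packet layout (4-byte sequence number, payload, truncated HMAC-SHA256) is a constructed stand-in, not real ESP framing, and the key is a constructed sample.

```python
import hashlib
import hmac
import struct
from typing import Tuple

ICV_LEN = 12   # truncated integrity check value, as HMAC-SHA1-96 does in real ESP


class AntiReplayWindow:
    """RFC 4303 style sliding window: `top` is the highest sequence number accepted;
    bit i of `bitmap` records whether sequence number top - i has been seen."""

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check(self, seq: int) -> str:
        """Preliminary check only (no state change): 'ok', 'replay' or 'too old'."""
        if seq == 0:
            return "too old"                 # ESP sequence numbers start at 1
        if seq > self.top:
            return "ok"                      # would advance the window
        diff = self.top - seq
        if diff >= self.size:
            return "too old"                 # fell off the left edge of the window
        return "replay" if self.bitmap & (1 << diff) else "ok"

    def update(self, seq: int) -> None:
        """Mark seq as seen. Call ONLY after the packet's ICV has verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: seq (4 bytes) || payload || ICV. Constructed layout, not real ESP."""
    hdr = struct.pack("!I", seq)
    icv = hmac.new(key, hdr + payload, hashlib.sha256).digest()[:ICV_LEN]
    return hdr + payload + icv


def receive(key: bytes, window: AntiReplayWindow, packet: bytes) -> Tuple[bool, str]:
    """Receiver: window pre-check, then ICV, then window update (the RFC 4303 order)."""
    if len(packet) < 4 + ICV_LEN:
        return False, "short"
    hdr, payload, icv = packet[:4], packet[4:-ICV_LEN], packet[-ICV_LEN:]
    seq = struct.unpack("!I", hdr)[0]
    verdict = window.check(seq)
    if verdict != "ok":
        return False, verdict                # cheap rejection before any crypto
    expected = hmac.new(key, hdr + payload, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return False, "bad icv"              # window untouched: a forger cannot advance it
    window.update(seq)
    return True, "ok"


if __name__ == "__main__":
    key = b"\x11" * 32                       # constructed sample key
    w = AntiReplayWindow(64)
    first = protect(key, 1, b"hello")
    print(receive(key, w, first))                             # (True, 'ok')
    print(receive(key, w, first))                             # (False, 'replay')
    print(receive(key, w, protect(b"not-the-key", 90, b"x")))   # (False, 'bad icv'), top stays 1
    print(receive(key, w, protect(key, 2, b"world")))          # (True, 'ok')
```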

(50)

Routing and TCP/IP Operations

(51)

MSS, Fragmentation and PMTUD 1/3

 An IPv4 packet has a maximum size of 65,535 bytes; an IPv6 packet can reach 4,294,967,295 bytes only with the Jumbo Payload hop-by-hop option (otherwise the same 16-bit payload length limit applies).

 Most transmission links enforce a smaller Maximum Transmission Unit (MTU).

 When a router receives an IPv4 packet larger than the MTU of the outgoing interface, it must fragment the packet, unless the DF (Don't Fragment) bit is set, in which case it drops it.

 Fragmentation causes several issues:

• CPU and memory overhead on the device that fragments.

• CPU and memory overhead at the destination, due to reassembly.

• Retransmission of the entire packet if a single fragment is dropped.

(52)

MSS, Fragmentation and PMTUD 2/3

 To avoid fragmentation, the TCP Maximum Segment Size (MSS) defines the largest amount of data the receiving device is able to accept in a single TCP segment.

 The sending device is required to send segments equal to or smaller than the reported MSS.

 The TCP MSS should be the interface MTU minus 40 bytes (20 bytes of IPv4 header, 20 bytes of TCP header).

• Example: the Ethernet MTU is 1500 bytes, so the MSS should be 1460.

(53)

MSS, Fragmentation and PMTUD 3/3

 Path MTU Discovery (PMTUD) was developed to determine the lowest MTU along a path.

 It is performed by the host using the MSS and setting the DF bit in the IP header.

 If a router along the path would need to fragment the packet (because of a smaller MTU), it drops the packet and sends an ICMP Destination Unreachable message (type 3) with code 4, "fragmentation needed and DF set", carrying the MTU of the interface that caused the drop.

 The source receives the ICMP message, reduces the MSS to fit within that MTU, and retransmits.

 If these ICMP unreachable messages are blocked, PMTUD fails silently and large packets are black-holed: the TCP handshake (small packets) succeeds but bulk transfers stall. Be sure to allow them on routers and firewalls along the path.
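MSS sizing and PMTUD as an added worked example in Python (not code from the original slides): a sender starting from MSS = MTU - 40 walks full-size DF segments across a constructed path (a GRE tunnel hop with 24 bytes of overhead and a PPPoE hop with 8 bytes), shrinks the MSS on each "fragmentation needed" ICMP, and black-holes when those ICMPs are filtered. The last call shows the usual workaround, clamping the MSS at the tunnel router (on Cisco IOS, ip tcp adjust-mss on the interface), which works even when ICMP is filtered. The hop names, MTUs and the clamp value 1436 are constructed sample values; only the standard library is used.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP_HDR = 20    # IPv4 header without options
TCP_HDR = 20   # TCP header without options


def mss_for_mtu(mtu: int) -> int:
    """MSS a host advertises so that one full segment fits the link MTU."""
    return mtu - IP_HDR - TCP_HDR


@dataclass
class Hop:
    name: str
    mtu: int      # MTU of this hop's outgoing interface


def forward(path: List[Hop], packet_size: int, df: bool, icmp_blocked: bool) -> Tuple[str, Optional[int]]:
    """Walk one packet hop by hop.

    Returns ('delivered', size), ('icmp', next_hop_mtu) for an ICMP type 3 code 4,
    ('fragmented', hop_mtu) when DF is clear, or ('dropped', None) when the
    router would send the ICMP but a filter on the return path eats it."""
    for hop in path:
        if packet_size > hop.mtu:
            if not df:
                return "fragmented", hop.mtu
            if icmp_blocked:
                return "dropped", None          # silent loss: the PMTUD black hole
            return "icmp", hop.mtu
    return "delivered", packet_size


def pmtud(path: List[Hop], mss: Optional[int] = None, icmp_blocked: bool = False,
          max_rounds: int = 8) -> Optional[Tuple[int, int]]:
    """TCP sender: start from the local MTU (or a clamped MSS), send full-size
    segments with DF set, and shrink the MSS on every ICMP until one gets through.

    Returns (effective_mss, rounds_needed), or None when the path black-holes."""
    mss = mss if mss is not None else mss_for_mtu(path[0].mtu)
    for rounds in range(1, max_rounds + 1):
        outcome, value = forward(path, mss + IP_HDR + TCP_HDR, df=True, icmp_blocked=icmp_blocked)
        if outcome == "delivered":
            return mss, rounds
        if outcome == "icmp":
            mss = mss_for_mtu(value)            # fit the reported next-hop MTU
            continue
        return None                             # dropped: no feedback to act on
    return None


# Constructed sample path: host -> GRE tunnel router -> PPPoE router -> server.
PATH = [
    Hop("host eth0", 1500),
    Hop("R1 Tunnel0 (GRE: 1500 - 24)", 1476),
    Hop("R2 Dialer1 (PPPoE: 1500 - 8)", 1492),
    Hop("server eth0", 1500),
]

if __name__ == "__main__":
    print(pmtud(PATH))                                  # (1436, 2): one ICMP, then success
    print(pmtud(PATH, icmp_blocked=True))               # None: black hole
    print(pmtud(PATH, mss=1436, icmp_blocked=True))     # (1436, 1): MSS clamped at R1
```

The same logic applies to IPv6, where the feedback is an ICMPv6 Packet Too Big message; filtering it produces the same black hole.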

(54)

IPv6 Fragmentation and PMTUD

 IPv6 routers do not fragment a packet unless they are the source of the packet.

 If an IPv6 router receives a packet larger than the MTU of the outgoing interface, it drops the packet and sends an ICMPv6 Packet Too Big message (type 2) back to the source, including the smaller MTU.

 PMTUD operation for IPv6 is similar to PMTUD for IPv4, and the same caveat applies: filtering ICMPv6 Packet Too Big messages breaks IPv6 PMTUD.

(55)

Bandwidth Delay Product

 TCP can experience bottlenecks on paths with high bandwidth and long round-trip delays, known as long fat networks (LFNs).

 The bandwidth-delay product (BDP) is the bandwidth (in bits per second) multiplied by the round-trip delay (RTT, in seconds).

 BDP is the amount of unacknowledged data that TCP must keep in flight to keep the pipe full.

 BDP is used to size the TCP window so that the link is fully utilized.

 The result is the maximum amount of data that can be in transit on the link at any given time.

(56)

TCP Starvation

 TCP has mechanisms for reliability, flow control and congestion avoidance; UDP has none of these.

 When TCP and UDP flows are mixed during a period of congestion, TCP cooperates by backing off on bandwidth. UDP does not notice the congestion and keeps using the bandwidth given up by TCP.

 This is known as TCP starvation/UDP dominance.

 It is not always possible to separate TCP and UDP flows, but this behavior should be kept in mind when mixing applications.

(57)

Latency

 Latency is the amount of time it takes a message to go from one point to another.

 It can be caused by several factors: propagation delay, serialization, data protocols, routing, switching, queuing and buffering.

 TCP requires an established virtual connection and bidirectional communication (ACKs, window size, congestion control and so on), which has an effect on latency.

 UDP does not include reliability and is used for streaming media that requires minimum delay.

(58)

ICMP Redirects 1/2

 These messages are used by routers to notify the sender of a packet that there is a better route (a different next hop on the same segment) for a particular destination. Because a redirect changes a host's next hop, routers commonly disable sending them on segments with untrusted hosts (no ip redirects on Cisco IOS), and hosts should ignore redirects that do not come from their current gateway.

(59)

ICMP Redirects 2/2

 The ICMPv6 Redirect message works the same way as the ICMPv4 Redirect message, with one additional feature: a router can redirect a host to a neighbor on the same link even when that neighbor belongs to a different prefix.

• If PCA wants to communicate with PCB (same segment, different networks), it uses its default gateway, R1.

• R1 forwards the packet and sends a Redirect so that PCA reaches PCB directly from then on.

(60)
(61)

RIP overview

 One of the oldest routing protocols.

 Standards-based IGP; works in mixed-vendor router environments.

 Easy to configure.

 Good choice for small networks.

 Distance vector protocol; uses hop count as the metric.

 Maximum hop count: 15.

 If a network is 16 hops or more away, the router considers it unreachable.

 Implements split horizon with poison reverse: an unreachable route is advertised back with metric 16 rather than simply omitted.

 Supports load balancing over equal-cost paths.

(62)

RIPv2 Overview 1/2

(63)

RIPv2 Overview 2/2

 By default RIPv2 automatically summarizes at major (classful) network boundaries, advertising the classful network address.

 If discontiguous subnets are used, automatic summarization must be disabled:

Router(config-router)# no auto-summary

 The ip summary-address rip ip-address network-mask interface command configures a manual summary route advertised out of that interface.

(64)

Configuring RIPng

 RIPng is already preconfigured in R1.

 There is a static default route pointing to internet in R1.

 R1 will be configured to share this default route with R2 using RIPng.

(65)

Basic RIPng Configuration 1/8

Enable IPv6 routing using the ipv6 unicast-routing command on R2.

Enable RIPng using the ipv6 router rip name command. Set the process name to CCNP_RIP.

(66)

Basic RIPng Configuration 2/8

 On R2, enable IPv6 in interface configuration mode:

ipv6 address ipv6_address/prefix or

ipv6 enable

Use show ipv6 interface brief to validate interfaces are up and correctly configured.

(67)

Basic RIPng Configuration 3/8

 On R2, enable RIPng on interface Ethernet 0/1 (connects to R1) and Loopback0 (simulates the LAN) with ipv6 rip CCNP_RIP enable.

• If you forgot to create the RIP process, the router creates it automatically when RIPng is enabled on an interface.

Use show ipv6 protocols to validate that RIPng is correctly configured.

(68)

Basic RIPng Configuration 4/8

 Inspect the routing table on R2. Notice two IPv6 routes learned from R1.

(69)
(70)

Basic RIPng Configuration 6/8

 In RIPng, the sending router considers itself to be one hop away. Therefore, R2 considers the R1 LAN to be two hops away.

 The concept of a classful network does not exist in IPv6, so there is no automatic route summarization in RIPng. It must be done manually.

(71)

Basic RIPng Configuration 7/8

 Propagate the default route of R1 to R2 with ipv6 rip CCNP_RIP default-information originate on the R1 interface facing R2.

(72)

Basic RIPng Configuration 8/8

Another option is the keyword only instead of originate: R1 then advertises only the default route on that interface and suppresses all other prefixes.

(73)

Investigating the RIPng Database 1/3

show ipv6 rip

• RIP process(es)

• UDP port (521) and multicast group (ff02::9)

• Update, expire, holddown and garbage-collect timers

(74)

Investigating the RIPng Database 2/3

show ipv6 rip database

• RIP process(es)

• Route prefix and metric

• "Installed" (in the routing table) and "expired" (unavailable).

• "Expires in": countdown of the expiration timer (180 s by default, six times the 30 s update interval).

(75)

Investigating the RIPng Database 3/3

show ipv6 rip next-hops

• RIP process(es)

• Next-hop router IP address.

• Interface through which it is connected.

• Number of paths (routes) in the IPv6 RIP routing table using that next hop.

(76)

Summary

• The role of static routes and dynamic routing protocols in enterprise networks.

• The differences between IGP and EGP routing protocols.

• The three types of routing protocols: distance vector, link-state and path vector.

• The importance of convergence time, and how route summarization reduces convergence time and improves scalability.

• The four traffic types: unicast, multicast, anycast, and broadcast.

• The differences between point-to-point, broadcast, and NBMA networks.

• How point-to-point subinterfaces are used to overcome the limitations of NBMA networks.

• How VPNs are used to provide security over the public Internet.

(77)

• How static GRE tunnels can establish virtual point-to-point links and support dynamic routing protocols.

• Using DMVPN to provide fully meshed VPN connectivity with a simple hub-and-spoke configuration.

• How DMVPN relies on NHRP, mGRE, and IPsec.

• The differences and similarities between RIPv2 and RIPng.

• How to configure RIPng.

• How to propagate a default route in RIPng.

• Key points of this chapter: convergence time, support for summarization, and ability to scale determine which routing protocol is suitable. Use point-to-point subinterfaces when running routing protocols over NBMA networks. DMVPN can be used as a scalable solution. RIPng is a simple IGP that supports IPv6.
