Chapter 6: Enterprise Internet Connectivity
Chapter 6 Topics
Planning Enterprise Internet Connectivity
Establishing Single-Homed IPv4 Internet Connectivity
Chapter 6
© 2007-2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
Inbound connectivity:
Two-way connectivity is needed: clients external to the enterprise network must be able to reach resources inside it.
In this case both public and private IPv4 address space is needed: the exposed servers must be reachable on public addresses (typically through static NAT), while the rest of the network stays on private addresses.
Routing and security must be considered as well: the public addresses must be reachable through the ISP, and only the intended services should be exposed (by ACL or firewall), since every inbound translation is reachable attack surface.
ISP Redundancy
If the customer changes its ISP, the new ISP assigns the customer new PA (provider-assigned) address space.
All devices with public IP addresses then have to be renumbered.
DHCP Operation
DHCPNAK: A message sent from a server indicating that it is refusing a client's request for configuration.
DHCPRELEASE: A message sent from a client indicating to a server that it is giving up a lease.
DHCPINFORM: A message sent from a client indicating that it already has an IPv4 address but is requesting other configuration parameters.
NAT 1/3
NAT includes the following four types of addresses:
Inside local address: The IPv4 address assigned to a device on the internal network.
Inside global address: The IPv4 address of an internal device as it appears to the external network. This is the address to which the inside local address is translated.
Outside local address: The IPv4 address of an external device as it appears to the internal network.
Outside global address: The IPv4 address actually assigned to a device on the external network.
NAT 2/3
When a packet travels from an inside domain to an outside domain, it is routed first and then translated before being forwarded out the exit interface.
When a packet travels from an outside domain to an inside domain, the process is reversed: it is translated first and then routed.
The three types of NAT are as follows:
Static NAT (one-to-one)
Dynamic NAT (many-to-many)
Port Address Translation (PAT) (many-to-one)
NAT 3/3
The show ip nat translations command is used to verify which addresses are currently being translated.
Configuring PAT
PAT, also known as NAT overloading, is the most widely used form of NAT: many inside local addresses share a single inside global address and are told apart by the translated source port.
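To make the many-to-one mapping and the direction of translation concrete, here is an added example (not code from the page or from Cisco) that keeps a small PAT table in Python. The addresses are constructed (RFC 1918 inside, RFC 5737 outside) and the printed table only imitates the layout of show ip nat translations; the port-preservation rule and the symmetric inbound check are assumptions about a typical PAT implementation, not a description of IOS internals.

```python
"""PAT (NAT overload) in miniature: many inside local addresses share one inside global
address and are told apart by the translated source port.

Added example; not code from the page or from Cisco. The addresses are constructed
(RFC 1918 inside, RFC 5737 outside) and the table layout only imitates
'show ip nat translations'. Entries never age out here; real PAT entries do.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# One PAT entry is one flow: (proto, inside local ip, inside local port, outside ip, outside port)
FlowKey = Tuple[str, str, int, str, int]


class PatTranslator:
    def __init__(self, inside_global: str, first_port: int = 1024) -> None:
        self.inside_global = inside_global
        self._next_port = first_port
        self._flows: Dict[FlowKey, int] = {}                  # flow -> inside global port
        self._by_global: Dict[Tuple[str, int], FlowKey] = {}  # (proto, inside global port) -> flow

    def _allocate_port(self, proto: str, wanted: int) -> int:
        # Preserve the original source port while it is unused on the global address
        # (as many PAT implementations try to); otherwise take the next free port.
        if (proto, wanted) not in self._by_global:
            return wanted
        while (proto, self._next_port) in self._by_global:
            self._next_port += 1
        if self._next_port > 65535:
            raise RuntimeError("PAT port pool exhausted")
        port = self._next_port
        self._next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: the packet is routed first, then its source is rewritten
        from inside local to inside global (address and port)."""
        key: FlowKey = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self._flows:
            gport = self._allocate_port(pkt.proto, pkt.src_port)
            self._flows[key] = gport
            self._by_global[(pkt.proto, gport)] = key
        return Packet(pkt.proto, self.inside_global, self._flows[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: the destination is translated back first, then the packet is
        routed. Returns None when no entry matches, i.e. unsolicited inbound traffic is
        dropped even though the inside global address itself is reachable."""
        if pkt.dst_ip != self.inside_global:
            return None
        key = self._by_global.get((pkt.proto, pkt.dst_port))
        if key is None:
            return None
        proto, local_ip, local_port, out_ip, out_port = key
        if (pkt.src_ip, pkt.src_port) != (out_ip, out_port):
            return None  # only the outside endpoint the flow was opened to may answer
        return Packet(proto, pkt.src_ip, pkt.src_port, local_ip, local_port)

    def show_translations(self) -> str:
        """Rough imitation of the 'show ip nat translations' layout."""
        rows = [f"{'Pro':<4}{'Inside global':<22}{'Inside local':<22}{'Outside local':<22}Outside global"]
        for (proto, lip, lport, oip, oport), gport in self._flows.items():
            rows.append(f"{proto:<4}{self.inside_global + ':' + str(gport):<22}"
                        f"{lip + ':' + str(lport):<22}{oip + ':' + str(oport):<22}{oip}:{oport}")
        return "\n".join(rows)


def demo() -> Tuple[Packet, Packet, Optional[Packet], Optional[Packet]]:
    pat = PatTranslator("203.0.113.10")
    # Two inside hosts happen to use the same source port towards the same server:
    # the second one must get a different inside global port.
    a = pat.outbound(Packet("tcp", "192.168.1.10", 40000, "198.51.100.5", 80))
    b = pat.outbound(Packet("tcp", "192.168.1.11", 40000, "198.51.100.5", 80))
    reply = pat.inbound(Packet("tcp", "198.51.100.5", 80, "203.0.113.10", b.src_port))
    # An unsolicited connection attempt to the global address has no entry and is dropped.
    scan = pat.inbound(Packet("tcp", "198.51.100.99", 4444, "203.0.113.10", 22))
    return a, b, reply, scan


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The second host's port collision is what the "overloading" is about: the translator must hand out a different inside global port, and the inbound lookup on that port is the only thing that brings the reply back to the right inside host. The dropped scan shows the side effect that is often mistaken for a firewall: PAT blocks unsolicited inbound traffic only because no table entry exists, not because any policy was evaluated.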
Limitations of NAT
End-to-end visibility issues: addresses are rewritten in transit, so the destination never sees the original source, and logs on the two sides can only be correlated through the translation table.
Tunneling becomes more complex: protocols that carry addresses in their payload or protect the IP header (IPsec AH, for example) break when NAT rewrites the header, so NAT traversal mechanisms are required.
Establishing Single-Homed IPv6 Internet Connectivity
Stateful DHCPv6
DHCPv6 prefix delegation (DHCPv6-PD)
Manual Assignment
As with IPv4, an IPv6 address can be statically assigned by
a network administrator.
This assignment method can be error-prone and introduces
significant administrative overhead.
However, it is necessary in some cases.
For security, recommendations include choosing addresses that are not easily guessed and avoiding embedding existing IPv4 addresses in the interface ID: a /64 is far too large to scan exhaustively, so predictable interface IDs (::1, ::10, or the host's IPv4 address) hand an attacker a short list of likely targets.
IEEE EUI-64
IEEE EUI-64 format interface IDs are derived from an interface's 48-bit IEEE 802 MAC address using the following process:
1. The MAC address is split into two 24-bit parts (the OUI and the device identifier).
2. 0xFFFE is inserted between the two parts, resulting in a 64-bit value.
3. The seventh bit of the first octet (the universal/local bit) is inverted.
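The three steps above, carried out in both directions, as an added example (not code from the page). The MAC address and the /64 prefix are constructed values. The reverse function is included because it shows the security point made under Manual Assignment from the other side: an EUI-64 interface ID reveals the hardware address and vendor OUI to anyone who sees the IPv6 address, and it stays the same on every network the host joins.

```python
"""Modified EUI-64 interface identifiers, forwards and backwards. Added example; not code
from the page. The MAC address and the /64 prefix are constructed values.
"""
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Derive the 64-bit interface ID from a 48-bit MAC following the three steps."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # 1. split into two 24-bit halves (OUI, device part); 2. insert 0xFFFE between them
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # 3. invert the seventh bit of the first octet: the universal/local bit, mask 0x02
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (as learned from a Router Advertisement) with the EUI-64 ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 interface ID needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_eui64(addr: str) -> str:
    """Reverse the derivation: anyone who sees the address recovers the MAC (and the
    vendor OUI), which is why EUI-64 IDs are both guessable and trackable."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("interface identifier is not EUI-64 derived")
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    mac = "00:1b:21:4c:9d:6e"  # constructed MAC
    a = slaac_address("2001:db8:1:2::/64", mac)
    print(a, mac_from_eui64(str(a)))
```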
Enabling SLAAC
Use the ipv6 address autoconfig [default] interface
configuration command.
If a default router is selected on this interface, the optional
default keyword causes a default route to be installed using
that default router.
You can specify the default keyword on only one interface.
DHCPv6 Operation
In the IPv6 world, there are two types of DHCPv6:
Stateless: Used to supply additional parameters (such as DNS server addresses) to clients that already obtained an IPv6 address, typically through SLAAC; the server keeps no record of which client holds which address.
Stateful: Similar to DHCP for IPv4 (DHCPv4); the server assigns the addresses and tracks the leases.
NAT64
NAT Protocol Translation (NAT-PT) was the initial
translation scheme for facilitating communication between
IPv6 and IPv4.
NAT-PT has been deprecated and replaced by NAT64.
With NAT64, one or multiple public IPv4 addresses are
shared by many IPv6-only devices, using overloading.
NAT64 performs both address and IP header translation.
NPTv6
NPTv6 is described in RFC 6296, IPv6-to-IPv6 Network
Prefix Translation.
NPTv6 is a one-to-one stateless translation.
The idea behind NPTv6 is that an organization's internal IPv6 addressing can be independent of its ISP's address space, making it easier to change ISPs.
One use of NPTv6 is when an organization has connections to two ISPs.
Because the translation is stateless and one-to-one, it preserves end-to-end reachability and, unlike NAT44, provides no filtering of its own: inbound access still has to be controlled by ACLs or a firewall.
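What "one-to-one stateless translation" means in practice is that the translator rewrites the prefix and then adjusts one 16-bit word of the address so the transport-layer checksums stay valid without any per-flow state. The following added example (not code from the page or from any vendor) implements that checksum-neutral rewrite for the /48 case described in RFC 6296. The inside prefix (a ULA) and the outside prefix (documentation space) are constructed.

```python
"""NPTv6 (RFC 6296) for two /48 prefixes: a stateless, one-to-one, checksum-neutral
rewrite of the prefix. Added example; not code from the page or any vendor. The inside
prefix (a ULA) and the outside prefix (documentation space) are constructed.
"""
import ipaddress
from typing import Iterable, List


def ones_add(a: int, b: int) -> int:
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def ones_sum(words: Iterable[int]) -> int:
    total = 0
    for w in words:
        total = ones_add(total, w)
    return total


def words_of(addr: ipaddress.IPv6Address) -> List[int]:
    return [int.from_bytes(addr.packed[i:i + 2], "big") for i in range(0, 16, 2)]


def addr_of(words: List[int]) -> ipaddress.IPv6Address:
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


class Nptv6:
    def __init__(self, inside_prefix: str, outside_prefix: str) -> None:
        self.inside = ipaddress.IPv6Network(inside_prefix)
        self.outside = ipaddress.IPv6Network(outside_prefix)
        if self.inside.prefixlen != 48 or self.outside.prefixlen != 48:
            raise ValueError("this example implements the /48 case of RFC 6296")
        # Word 3 (bits 48..63, the subnet ID) absorbs the difference between the two
        # prefixes in one's complement arithmetic, so the one's complement sum of the
        # whole address, and with it every TCP/UDP/ICMPv6 checksum, is unchanged.
        in_sum = ones_sum(words_of(self.inside.network_address)[:3])
        out_sum = ones_sum(words_of(self.outside.network_address)[:3])
        self._adj_out = ones_add(in_sum, (~out_sum) & 0xFFFF)  # inside -> outside
        self._adj_in = ones_add(out_sum, (~in_sum) & 0xFFFF)   # outside -> inside

    @staticmethod
    def _rewrite(addr: str, src: ipaddress.IPv6Network, dst: ipaddress.IPv6Network,
                 adj: int) -> ipaddress.IPv6Address:
        ip = ipaddress.IPv6Address(addr)
        if ip not in src:
            raise ValueError(f"{ip} is not inside {src}; nothing to translate")
        w = words_of(ip)
        w[:3] = words_of(dst.network_address)[:3]
        w[3] = ones_add(w[3], adj)
        if w[3] == 0xFFFF:
            # 0xFFFF and 0x0000 are the same value in one's complement arithmetic;
            # RFC 6296 writes the canonical 0x0000 in this case.
            w[3] = 0x0000
        return addr_of(w)

    def to_outside(self, addr: str) -> ipaddress.IPv6Address:
        return self._rewrite(addr, self.inside, self.outside, self._adj_out)

    def to_inside(self, addr: str) -> ipaddress.IPv6Address:
        return self._rewrite(addr, self.outside, self.inside, self._adj_in)


def checksum_neutral(a: str, b: str) -> bool:
    """True when both addresses contribute the same one's complement sum to a transport
    pseudo-header, which is what lets NPTv6 leave TCP/UDP checksums untouched."""
    def norm(s: int) -> int:
        return 0 if s == 0xFFFF else s
    return norm(ones_sum(words_of(ipaddress.IPv6Address(a)))) == \
        norm(ones_sum(words_of(ipaddress.IPv6Address(b))))


if __name__ == "__main__":
    npt = Nptv6("fd01:203:405::/48", "2001:db8:1::/48")
    out = npt.to_outside("fd01:203:405:1::1234")
    print(out, npt.to_inside(str(out)), checksum_neutral("fd01:203:405:1::1234", str(out)))
```

Note that the subnet ID visible on the outside (d550 for inside subnet 1 here) is not the inside subnet ID: the mapping is one-to-one and reversible, but the numbers differ by the checksum adjustment, which matters when writing ACLs on the ISP side of the translator.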
IPv6 ACLs
ACLs are often used for security purposes.
For IPv6 ACLs, some configuration commands and details differ somewhat from IPv4 ACLs (there are no wildcard masks, and every IPv6 ACL ends with implicit permits for neighbor discovery, nd-na and nd-ns, ahead of the implicit deny), but the concepts remain the same.
-The ACL should block all ICMP echo requests and Telnet requests to the
TFTP server.
-TFTP traffic from the Internet should only be allowed to the TFTP server,
not to other internal hosts.
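The two requirements above, evaluated with first-match semantics and the implicit tail of an IPv6 ACL, as an added example (not the page's or Cisco's code). The TFTP server address, the second inside host and the sample packets are constructed, and the ACE fields only loosely mirror IOS syntax; the "broken" policy is included to show how a permit that is too broad defeats the second requirement.

```python
"""First-match evaluation of the TFTP-server policy stated above, as an added example
(not the page's or Cisco's code). The TFTP server address, the sample packets and the
extra inside host are constructed; the ACE fields only loosely mirror IOS syntax.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.IPv6Network("::/0")
TFTP_SERVER = "2001:db8:1:2::69"   # constructed address for the TFTP server


def host(addr: str) -> ipaddress.IPv6Network:
    return ipaddress.IPv6Network(f"{addr}/128")


@dataclass(frozen=True)
class Pkt:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None  # e.g. "echo-request", "nd-ns", "nd-na"


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "ipv6" (any protocol)
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

    def matches(self, p: Pkt) -> bool:
        if self.proto != "ipv6" and self.proto != p.proto:
            return False
        if ipaddress.IPv6Address(p.src) not in self.src or ipaddress.IPv6Address(p.dst) not in self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True


# The policy from the slide, applied inbound on the Internet-facing interface.
TFTP_POLICY: List[Ace] = [
    Ace("deny", "icmp", ANY, host(TFTP_SERVER), icmp_type="echo-request"),
    Ace("deny", "tcp", ANY, host(TFTP_SERVER), dport=23),
    Ace("permit", "udp", ANY, host(TFTP_SERVER), dport=69),
]

# Too broad: the permit matches TFTP to every inside host, violating the second requirement.
BROKEN_POLICY: List[Ace] = [
    Ace("permit", "udp", ANY, ANY, dport=69),
    Ace("deny", "icmp", ANY, host(TFTP_SERVER), icmp_type="echo-request"),
    Ace("deny", "tcp", ANY, host(TFTP_SERVER), dport=23),
]

# IOS appends these to every IPv6 ACL: neighbor discovery is permitted, then everything
# else is denied. Whatever the explicit entries do not permit (including return traffic
# of sessions started from inside, which the slide's requirements do not cover) ends here.
IMPLICIT_TAIL: List[Ace] = [
    Ace("permit", "icmp", ANY, ANY, icmp_type="nd-na"),
    Ace("permit", "icmp", ANY, ANY, icmp_type="nd-ns"),
    Ace("deny", "ipv6", ANY, ANY),
]


def evaluate(acl: List[Ace], p: Pkt) -> Tuple[str, int]:
    """Return (action, index of the matching entry). The implicit tail follows the explicit
    entries, so the index shows whether an explicit ACE or the implicit deny decided."""
    for i, ace in enumerate(acl + IMPLICIT_TAIL):
        if ace.matches(p):
            return ace.action, i
    raise AssertionError("unreachable: the implicit deny matches everything")


if __name__ == "__main__":
    print(evaluate(TFTP_POLICY, Pkt("udp", "2001:db8:ffff::1", TFTP_SERVER, dport=69)))
    print(evaluate(TFTP_POLICY, Pkt("udp", "2001:db8:ffff::1", "2001:db8:1:2::10", dport=69)))
```

The index returned by evaluate is the check worth keeping: a packet that is permitted by entry 0 of BROKEN_POLICY when it should have fallen through to the implicit deny is exactly the kind of mistake that a per-entry hit counter on the router would reveal.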
-To apply an ACL to a vty line, use the ipv6 access-class ACL-name line
configuration command.
Summary