TCP/IP Addressing Design

Objectives

• Choose an appropriate IP addressing scheme based on business and technical requirements

• Identify IP addressing problems and describe strategies for resolving them

• Describe different address management tools

– Secondary addressing

– DHCP/DNS

– Address translation

• Describe methods for implementing TCP/IP security features

Hierarchical Addressing

• Does a telephone switch in California know how to reach a specific line in Virginia? (1-703-555-1212)

[Diagram: Local Office (California) → Long Distance → Long Distance → Local Office (Virginia); paths labelled “Path to non-local carrier”, “Path to 703”, “Path to 555”, “Path to 1212”]

Prefix Length Determined from Context

• Variable-length prefixes are not a new invention

– Prefix field identifies a network number

– Host field identifies a device number

[Diagram: 32-bit address split into a prefix field and a host field. Class A: prefix length = 8, remaining 24 bits host; Class B: prefix length = 16, remaining 16 bits host; Class C: prefix length = 24, remaining 8 bits host]

Prefix Length for Classful and Classless Routing

• “Classful” routers accept only a few prefix lengths

[Diagram: 10.0.0.0/8 (Class A), 172.10.0.0/16 (Class B), 192.10.10.0/24 (Class C); 192.10.168.0/21 (Class C)]

• “Classless” routers accept any prefix length

• Prefix length is carried with an IP address

Subnetting Extends Prefix to the Right

[Diagram: 32-bit address; the prefix length is extended to the right, shrinking the host field]

Assigned network address: 172.16.0.0

Subnet mask: 255.255.254.0 = 11111111.11111111.11111110.00000000 (510 hosts per subnet, 126 subnets)

172.16.2.0: need 510 hosts (good address utilization)

172.16.4.0: need 510 hosts (good address utilization)

172.16.6.0: need 2 hosts (poor address utilization)

• RIP and IGRP require the same subnet mask on all interfaces

Classful Routing Protocols Do Not Advertise Prefix Length

• Subnets must be contiguous when using classful routing protocols

[Diagram: routers A, B and C; networks 192.168.1.0/16, 131.108.1.0/24 and 131.108.2.0/24. A advertises 131.108.0.0; B advertises 131.108.0.0. Router C: “Where is network 131.108.0.0?”]

Classless Routing Protocols Allow Flexible Addressing

• Link-state and hybrid protocols understand VLSM

• Discontiguous subnets do not present a connectivity issue for advanced routing protocols

[Diagram: routers A, B and C; networks 192.168.1.0/16, 131.108.13.4/30, 131.108.13.8/30, 131.108.1.0/24 and 131.108.2.0/24. A advertises 131.108.1.0/24 and 131.108.13.8/30; B advertises 131.108.2.0/24 and 131.108.13.4/30. Resulting routes: 131.108.1.0/24, 131.108.2.0/24, 131.108.13.4/30, 131.108.13.8/30]

VLSM Saves Subnets in the WAN

[Diagram: WAN links 131.108.13.4/30, 131.108.13.8/30, 131.108.13.12/30 and 131.108.13.16/30 (mask 255.255.255.252); LAN 131.108.15.0/24 (mask 255.255.255.0)]
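The subnetting arithmetic on the two preceding slides, worked in Python as an added example (not part of the original deck): the 255.255.254.0 mask applied to 172.16.0.0 gives the 510 hosts and 126 subnets quoted above, a fixed-length /23 wastes almost all of its addresses on a 2-host link, and a small VLSM allocator carves /30s for WAN links instead. The 172.16.0.0/16 block, the mask and the host counts are the slides'; the requirement labels are constructed.

```python
"""Fixed-length subnetting versus VLSM, worked with the deck's addresses.

Added example, not from the original slides. The assigned block 172.16.0.0,
the 255.255.254.0 mask, the 510-host and 2-host requirements and the /30 WAN
links come from the slides; the labels for each requirement are constructed.
"""
import ipaddress


def mask_to_prefixlen(mask: str) -> int:
    """Dotted-decimal mask (255.255.254.0) to prefix length (23)."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def mask_to_binary(mask: str) -> str:
    """Dotted-decimal mask rendered the way the slide shows it, octet by octet."""
    return ".".join(f"{int(octet):08b}" for octet in mask.split("."))


def fixed_length_plan(block: str, mask: str) -> dict:
    """Subnet `block` with one mask everywhere, as RIP and IGRP require.

    'usable_subnets' follows the classic rule that drops the all-zeros and
    all-ones subnets, which is how the slide arrives at 126 rather than 128.
    """
    net = ipaddress.ip_network(block)
    plen = mask_to_prefixlen(mask)
    subnets = list(net.subnets(new_prefix=plen))
    return {
        "prefixlen": plen,
        "subnets": len(subnets),
        "usable_subnets": len(subnets) - 2,
        "hosts_per_subnet": subnets[0].num_addresses - 2,  # minus network and broadcast
    }


def utilization(subnet: str, hosts_needed: int) -> float:
    """Share of a subnet's usable host addresses that a requirement consumes."""
    net = ipaddress.ip_network(subnet)
    return hosts_needed / (net.num_addresses - 2)


def smallest_prefix_for(hosts_needed: int) -> int:
    """VLSM: the longest IPv4 prefix that still leaves `hosts_needed` usable addresses."""
    for plen in range(30, -1, -1):          # /30 is the smallest with 2 usable hosts
        if 2 ** (32 - plen) - 2 >= hosts_needed:
            return plen
    raise ValueError("requirement exceeds the IPv4 address space")


def vlsm_plan(block: str, demands: dict) -> list:
    """Allocate one right-sized subnet per requirement, largest first.

    Returns (label, subnet, utilization) tuples. Allocating the big subnets
    first keeps every subnet on an aligned boundary, so what is left over
    stays summarizable.
    """
    free = [ipaddress.ip_network(block)]
    plan = []
    for label, hosts in sorted(demands.items(), key=lambda kv: kv[1], reverse=True):
        plen = smallest_prefix_for(hosts)
        for i, region in enumerate(free):
            if region.prefixlen <= plen:            # region is big enough for a /plen
                chosen = next(region.subnets(new_prefix=plen))
                free[i:i + 1] = list(region.address_exclude(chosen))
                free.sort()
                plan.append((label, str(chosen), utilization(str(chosen), hosts)))
                break
        else:
            raise ValueError(f"no free space for {label}")
    return plan


if __name__ == "__main__":
    print(fixed_length_plan("172.16.0.0/16", "255.255.254.0"))
    print("fixed /23 for a 2-host link:", utilization("172.16.6.0/23", 2))
    for row in vlsm_plan("172.16.0.0/16", {"LAN 1": 510, "LAN 2": 510, "WAN link": 2}):
        print(row)
```

With the fixed mask the 2-host link uses 2 of 510 addresses; the VLSM plan gives the same two LANs /23s and the link a /30, each fully used.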

Route Summarization (Aggregation)

• Subnetting extends prefix to the right

• Summarization collapses prefix to the left

[Diagram: prefix, prefix length and host fields; subnetting moves the boundary to the right, summarization moves it to the left]

Classless Routing and Prefix Routing

“I will just tell you about a summary route to 192.108.168.0/21.”

• CIDR used by BGP4

• Prefix routing used by EIGRP and OSPF

[Diagram: the eight networks 192.108.168.0, 192.108.169.0, 192.108.170.0, 192.108.171.0, 192.108.172.0, 192.108.173.0, 192.108.174.0 and 192.108.175.0, summarized as 192.108.168.0/21]
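Added example, not from the slides, contrasting the classful advertisement problem on the earlier routers A/B/C slide with the CIDR summary shown here. classful_network reproduces what A and B advertise when no prefix length is carried; common_prefix is the general collapse-to-the-left algorithm of which the /21 above is one instance; exact_summaries is the check a designer wants before advertising a summary, because a covering prefix that is too short claims address space the site does not own and attracts traffic for it. The ninth network 192.108.176.0/24 is a constructed input.

```python
"""Route summarization: classful boundary versus CIDR prefix.

Added example, not from the original slides. The networks come from the
slides: 131.108.1.0/24 and 131.108.2.0/24 behind routers A and B, and the
eight Class C networks 192.108.168.0 through 192.108.175.0 that collapse to
192.108.168.0/21. The 192.108.176.0/24 "ninth network" is constructed.
"""
import ipaddress


def classful_network(address: str) -> str:
    """The natural network a classful protocol advertises (no prefix length is sent)."""
    first_octet = int(address.split(".")[0])
    if first_octet < 128:
        plen = 8            # Class A
    elif first_octet < 192:
        plen = 16           # Class B
    elif first_octet < 224:
        plen = 24           # Class C
    else:
        raise ValueError("no classful network for Class D/E addresses")
    return str(ipaddress.ip_network(f"{address}/{plen}", strict=False))


def common_prefix(networks) -> str:
    """Shortest single prefix covering every network: collapse the prefix to the left.

    Keeps only the leading bits on which all network addresses agree. This is
    the general algorithm; the slide shows one instance (eight /24s to a /21).
    """
    nets = [ipaddress.ip_network(n) for n in networks]
    first = int(nets[0].network_address)
    plen = min(n.prefixlen for n in nets)
    for n in nets:
        other = int(n.network_address)
        while plen > 0 and (first >> (32 - plen)) != (other >> (32 - plen)):
            plen -= 1
    base = ipaddress.ip_address(first)
    return str(ipaddress.ip_network(f"{base}/{plen}", strict=False))


def exact_summaries(networks) -> list:
    """Summaries that cover exactly the given networks and nothing else.

    Unlike common_prefix, this never advertises space the site does not own,
    so traffic for unassigned addresses is not drawn toward the router.
    """
    nets = [ipaddress.ip_network(n) for n in networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def over_summarized(networks) -> bool:
    """True when a single covering prefix would claim addresses not in the list."""
    return exact_summaries(networks) != [common_prefix(networks)]


# The slide's eight Class C networks.
CLASS_C_BLOCK = [f"192.108.{third}.0/24" for third in range(168, 176)]

if __name__ == "__main__":
    # Classful: A and B advertise the same thing, so router C cannot tell them apart.
    print(classful_network("131.108.1.0"), classful_network("131.108.2.0"))
    print(common_prefix(CLASS_C_BLOCK), exact_summaries(CLASS_C_BLOCK))
    nine = CLASS_C_BLOCK + ["192.108.176.0/24"]   # constructed ninth network
    print(common_prefix(nine), exact_summaries(nine), over_summarized(nine))
```

For the eight networks the covering prefix and the exact summary agree (192.108.168.0/21); add a ninth and the covering prefix jumps to a /19 that claims sixteen networks, while the exact summary correctly stays at two routes.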

A Classless Routing Protocol Looks for the Longest Match

[Diagram: routing table entries 202.222.5.33/32 (host), 202.222.5.32/27 (subnet), 202.222.5.0/24 (network), 202.222.0.0/16 (block of networks), 0.0.0.0/0 (default)]

• IP routers support host-specific routes, blocks of networks, and default routes
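A longest-match lookup over exactly this table, as an added example that is not part of the original slides. The next-hop labels and the destinations looked up are constructed. The ordering matters for security review as well as forwarding: any more-specific prefix that reaches the table, from whatever neighbour, wins over the aggregate, which is why filters on what neighbours may advertise belong in the same design.

```python
"""Longest-prefix-match lookup over the slide's routing table.

Added example, not from the original slides. The five prefixes come from the
slide; the next-hop labels and the destination addresses are constructed.
"""
import ipaddress


class PrefixTable:
    """A tiny forwarding table: the most specific matching prefix wins."""

    def __init__(self, routes: dict):
        self._routes = [(ipaddress.ip_network(prefix), next_hop)
                        for prefix, next_hop in routes.items()]
        # Sorting longest prefix first turns "longest match" into "first match".
        self._routes.sort(key=lambda route: route[0].prefixlen, reverse=True)

    def lookup(self, destination: str):
        """Return (matching prefix, next hop), or None when nothing matches."""
        addr = ipaddress.ip_address(destination)
        for net, next_hop in self._routes:
            if addr in net:
                return str(net), next_hop
        return None      # only possible when there is no default route

    def matches(self, destination: str) -> list:
        """Every prefix covering the destination, most specific first (useful when debugging)."""
        addr = ipaddress.ip_address(destination)
        return [str(net) for net, _ in self._routes if addr in net]


# Prefixes are the slide's; next-hop names are constructed.
SLIDE_TABLE = PrefixTable({
    "202.222.5.33/32": "host route via hop-H",
    "202.222.5.32/27": "subnet via hop-S",
    "202.222.5.0/24": "network via hop-N",
    "202.222.0.0/16": "block of networks via hop-B",
    "0.0.0.0/0": "default via hop-D",
})

# Constructed table without a default route, to show the no-match case.
NO_DEFAULT = PrefixTable({"202.222.5.0/24": "network via hop-N"})

if __name__ == "__main__":
    # 198.51.100.1 is documentation (TEST-NET-2) space, used here as an outside destination.
    for dst in ("202.222.5.33", "202.222.5.40", "202.222.5.100", "202.222.9.1", "198.51.100.1"):
        print(dst, "->", SLIDE_TABLE.lookup(dst), "candidates:", SLIDE_TABLE.matches(dst))
    print("198.51.100.1 with no default ->", NO_DEFAULT.lookup("198.51.100.1"))
```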

Secondary Addressing

• Useful in switched networks

– Router may relay packets, acting as a default gateway

– Host may communicate directly, using ARP for learning

[Diagram: hosts 172.16.1.2 and 172.16.2.2 on one switched LAN; router addresses 172.16.1.1 and 172.16.2.1]

Host Address Assignment

• Static

• Dynamic

– BOOTP

– DHCP

[Diagram: host sends “Address request”, server returns “Address response” with 131.108.6.3, mask 255.255.255.0]

Name-to-Address Translation

• Cisco DNS/DHCP Manager

– Manages domain names

– Synchronizes IP addresses

– Supports secondary addressing

[Diagram: DNS/DHCP server serving Client_1 (172.16.1.2) and Client_2 (172.16.2.2); router addresses 172.16.1.1 and 172.16.2.1. DNS table: Client_1 172.16.1.2, Client_2 172.16.2.2. DHCP table: next available 172.16.1.3]

Private versus Registered Addresses

• Three address blocks reserved for private networks

– 10.0.0.0 (1 Class A)

– 172.16.0.0 to 172.31.0.0 (16 Class B)

– 192.168.0.0 to 192.168.255.0 (256 Class C)

• Address translation must occur to reach the Internet

[Diagram: private network (for example, 10.0.0.0) connected through an address translation gateway to a public network (for example, the Internet)]

Network Address Translation

• Cisco router provides

– Network address translation only

[Diagram: router between a private network (for example, 10.0.0.0) and a public network (for example, the Internet)]

Cisco Private Internet Exchange

• Private Internet Exchange platform provides

– Address translation

– Firewall service

[Diagram: PIX between a private network (for example, 10.0.0.0) with private servers and a public network (for example, the Internet) with public servers]

IP Security Considerations

[Diagram: private network and public network, with policy between them]

• Establish a security policy

• Implement firewall features

• Control access

– Local

– Remote

Implementing IP Security

• Policy drives implementation choices

[Diagram: firewall system between a private network (for example, 10.0.0.0) and a public network (for example, the Internet); policy drives the firewall]

Policy Considerations for Security

• Determine how much security you need

• Trade off ease of use and configuration with security demands

• Determine what data outsiders need to reach

• Quantify the cost of the proposed security system

• Implement a simple, robust design

Many Aspects of Security

• Authorization, authentication, data integrity, privacy issues

• Firewalls are just one piece of the puzzle

[Diagram: firewalls, access management, host security, encryption, policy]

Firewall System with Isolated LANs

• Prevent unauthorized and improper access from external networks

• Public servers on outside LAN

[Diagram: untrusted user on the public side, firewall system, private side with private servers; public servers on the outside LAN. Untrusted user: “I cannot access the private network.”]

Additional Firewall Functionality

• Network address translation

• Application proxy

• Packet filter

• Audit trail

• Login protection

[Diagram: Internet, firewall system, inside network 10.0.0.0; InterNIC-registered address on the outside]

Disable All Unnecessary Features

• Disable Telnet, TFTP, and proxy services

[Diagram: Internet, outside filter passing FTP and WWW to the public server, firewall system with a physical console port; no VTYs, no TFTP, no finger]

Be Specific About Access Allowed

• Allow specific services to specific hosts on DMZ LAN only

[Diagram: DMZ LAN with HTTP to host B only, FTP to host A only, DNS to host C only]

Block Traffic from Firewall Routers, Hosts

Untrusted user: “I have cracked the firewall! Where can I get to from here?”

• Do not trust Telnet from firewall systems

[Diagram: Telnet session originating from the firewall system; receiving system: “I am getting a Telnet from the firewall! I guess that’s OK!”]

Avoid IP Spoofing

• Deny packets from outside your network that claim to have a source address inside your network

[Diagram: inside network 131.108.0.0; filter packets from the untrusted user whose source is 131.108.X.X]
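The last several slides (specific service-to-host permits on the DMZ, no trust in Telnet from firewall systems, and the anti-spoofing rule above) written out as a small stateless filter in Python. This is an added example, not configuration from the original deck or from any Cisco product. It takes the inside prefix 131.108.0.0, the three private blocks from the earlier slide and the host A/B/C service rules from the slides; the DMZ and firewall addresses and the sample packets are constructed.

```python
"""Stateless border filter: explicit allows to DMZ hosts plus anti-spoofing.

Added example, not from the original slides. From the slides: the inside
prefix 131.108.0.0 (filtered as a source on the outside interface), the three
private blocks 10.0.0.0, 172.16.0.0-172.31.0.0 and 192.168.0.0-192.168.255.0,
the rules "HTTP to host B only, FTP to host A only, DNS to host C only" and
the advice not to trust Telnet from firewall systems. The DMZ host addresses,
the firewall addresses and the sample packets are constructed.
"""
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("131.108.0.0/16")

# The three reserved blocks from the slide, written as prefixes.
PRIVATE_BLOCKS = [ipaddress.ip_network(p)
                  for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed addresses (TEST-NET-3 documentation space).
DMZ_HOSTS = {"A": "203.0.113.10", "B": "203.0.113.20", "C": "203.0.113.30"}
FIREWALL_ADDRS = {"203.0.113.1", "131.108.0.1"}

# service -> (protocol, destination port, the only DMZ host allowed to receive it)
ALLOWED_SERVICES = {
    "FTP": ("tcp", 21, "A"),
    "HTTP": ("tcp", 80, "B"),
    "DNS/udp": ("udp", 53, "C"),
    "DNS/tcp": ("tcp", 53, "C"),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def outside_filter(pkt: Packet):
    """Decision for a packet arriving from the untrusted side. Returns (action, reason)."""
    src = ipaddress.ip_address(pkt.src)
    # Avoid IP spoofing: nothing from outside may claim an inside source.
    if src in INSIDE:
        return "deny", "source claims inside address 131.108.X.X"
    # Private addresses must be translated before they reach the Internet,
    # so seeing one as an inbound source means misconfiguration or spoofing.
    if any(src in block for block in PRIVATE_BLOCKS):
        return "deny", "private source address"
    # Be specific about access allowed: service and host pairs on the DMZ only.
    for name, (proto, port, host) in ALLOWED_SERVICES.items():
        if pkt.proto == proto and pkt.dport == port and pkt.dst == DMZ_HOSTS[host]:
            return "permit", f"{name} to host {host}"
    return "deny", "not explicitly permitted"


def inside_filter(pkt: Packet):
    """Decision for a packet arriving on the inside from the firewall side."""
    # Block traffic from firewall routers and hosts: the slide's point is that a
    # Telnet sourced from the firewall is exactly what a cracked firewall would send.
    if pkt.src in FIREWALL_ADDRS and pkt.proto == "tcp" and pkt.dport == 23:
        return "deny", "Telnet sourced from a firewall system is not trusted"
    return "permit", "inside traffic"


# Constructed sample traffic; 198.51.100.7 stands in for an Internet host.
SAMPLES = [
    Packet("198.51.100.7", DMZ_HOSTS["B"], "tcp", 80),   # legitimate web request
    Packet("198.51.100.7", DMZ_HOSTS["A"], "tcp", 80),   # HTTP aimed at the FTP host
    Packet("198.51.100.7", DMZ_HOSTS["C"], "udp", 53),   # DNS to host C
    Packet("131.108.5.5", DMZ_HOSTS["B"], "tcp", 80),    # spoofed inside source
    Packet("10.1.1.1", DMZ_HOSTS["B"], "tcp", 80),       # private source from outside
    Packet("198.51.100.7", "131.108.6.3", "tcp", 23),    # Telnet straight to an inside host
]


def audit(packets, decide) -> list:
    """Run packets through a filter, producing the audit-trail rows a firewall would log."""
    return [(p.src, p.dst, p.proto, p.dport, *decide(p)) for p in packets]


if __name__ == "__main__":
    for row in audit(SAMPLES, outside_filter):
        print(row)
    print(inside_filter(Packet("203.0.113.1", "131.108.6.3", "tcp", 23)))
```

Every outside packet ends in an explicit permit with the service and host named, or a deny that says which rule refused it, which is the audit trail the “Additional Firewall Functionality” slide lists.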