
TCP/IP Addressing Design






Presentation Transcript


  1. TCP/IP Addressing Design

  2. Objectives
  • Choose an appropriate IP addressing scheme based on business and technical requirements
  • Identify IP addressing problems and describe strategies for resolving them
  • Describe different address management tools: secondary addressing, DHCP/DNS, address translation
  • Describe methods for implementing TCP/IP security features

  3. Hierarchical Addressing
  Figure: a call from California to 1-703-555-1212. The local office in California knows only the path to the long-distance carrier; the long-distance network knows the path to area code 703 (Virginia); the local office in Virginia knows the path to exchange 555; only that office knows line 1212.
  • Does a telephone switch in California know how to reach a specific line in Virginia (1-703-555-1212)? It does not need to: each level of the hierarchy knows only the next hop, which is exactly how IP prefixes work.

  4. Prefix Length Determined from Context
  Figure: a 32-bit address divided into a prefix field and a host field; Class A prefix length = 8, Class B prefix length = 16, Class C prefix length = 24.
  • Variable-length prefixes are not a new invention
  • The prefix field identifies a network number
  • The host field identifies a device number

  5. Prefix Length for Classful and Classless Routing
  • "Classful" routers accept only a few prefix lengths, inferred from the first octet of the address: Class A 10.0.0.0/8, Class B 172.10.0.0/16, Class C 192.10.10.0/24
  • "Classless" routers accept any prefix length, because the prefix length is carried with the IP address: for example 192.10.168.0/21, a /21 over what would classfully be eight Class C networks

  6. Subnetting Extends the Prefix to the Right
  Figure: assigned network 172.16.0.0 (prefix length 16) with subnet mask 255.255.254.0 = 11111111.11111111.11111110.00000000, giving a prefix length of 23. The 7 subnet bits give 126 subnets (128 less the all-zeros and all-ones subnets), and the 9 host bits give 510 hosts per subnet.
  • 172.16.2.0/23, needs 510 hosts: good address utilization
  • 172.16.4.0/23, needs 510 hosts: good address utilization
  • 172.16.6.0/23, needs 2 hosts: poor address utilization (508 addresses wasted)
  • RIP (version 1) and IGRP require the same subnet mask on all interfaces of a major network, so every subnet must be as large as the largest one

  7. Classful Routing Protocols Do Not Advertise Prefix Length
  Figure: router A holds 131.108.1.0/24 and router B holds 131.108.2.0/24; both connect to router C across a different major network, 192.168.1.0. A advertises 131.108.0.0 and B advertises 131.108.0.0. Router C: "Where is network 131.108.0.0?"
  • Without a prefix length, a classful protocol can only advertise the major network at a classful boundary, so C receives two identical routes to 131.108.0.0 and cannot tell the subnets apart
  • Subnets of a major network must be contiguous when using classful routing protocols

  8. Classless Routing Protocols Allow Flexible Addressing
  Figure: the same topology, now with point-to-point links 131.108.13.4/30 and 131.108.13.8/30 toward router C. A advertises 131.108.1.0/24 and B advertises 131.108.2.0/24, each together with its /30 link, so C learns the distinct prefixes 131.108.1.0/24, 131.108.2.0/24, 131.108.13.4/30 and 131.108.13.8/30.
  • Link-state and hybrid protocols understand VLSM (variable-length subnet masks)
  • Discontiguous subnets do not present a connectivity issue for advanced routing protocols

  9. VLSM Saves Subnets in the WAN
  Figure: four point-to-point WAN links, 131.108.13.4/30, 131.108.13.8/30, 131.108.13.12/30 and 131.108.13.16/30 (mask 255.255.255.252), feeding a LAN 131.108.15.0/24 (mask 255.255.255.0).
  • A /30 holds exactly the two host addresses a point-to-point link needs; with a single /24 mask each of these links would consume 254 host addresses to use 2
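
The following is an added example, not code from the slides, that works slides 6 and 9 through with Python's standard `ipaddress` module: it carves 172.16.0.0/16 with one fixed /23 mask (the RIPv1/IGRP constraint) for slide 6's three requirements of 510, 510 and 2 hosts, then does the same allocation with variable-length masks so the 2-host segment gets a /30 as on slide 9. The first-fit allocator, the `NEEDS` list and the utilisation figures are this example's own.

```python
"""Fixed-length subnetting versus VLSM.

Added example, not from the original slides. 172.16.0.0/16, the
255.255.254.0 (/23) mask and the requirements of 510, 510 and 2 hosts are
slide 6's; the /30 point-to-point allocation is slide 9's. The allocator is
a generic first-fit written for this example.
"""
import ipaddress
from typing import List, Tuple

IPv4Network = ipaddress.IPv4Network
Allocation = Tuple[IPv4Network, int, float]   # (subnet, hosts needed, utilisation %)

MAJOR = ipaddress.ip_network("172.16.0.0/16")
NEEDS = [510, 510, 2]                          # slide 6's three segments


def usable_hosts(net: IPv4Network) -> int:
    """Host addresses on a subnet once network and broadcast are excluded."""
    return net.num_addresses - 2


def classful_subnet_count(major: IPv4Network, prefixlen: int) -> int:
    """Number of equal-size subnets, minus the all-zeros and all-ones subnets
    that classful practice (and the slide's figure of 126) leaves unused."""
    return 2 ** (prefixlen - major.prefixlen) - 2


def prefix_for(need: int) -> int:
    """Longest prefix (smallest subnet) that still offers `need` usable hosts."""
    size = need + 2                               # room for network and broadcast
    return 32 - (size - 1).bit_length()


def utilisation(net: IPv4Network, need: int) -> float:
    """Percentage of the subnet's usable host addresses actually required."""
    return round(100.0 * need / usable_hosts(net), 1)


def fixed_length_plan(major: IPv4Network, prefixlen: int, needs: List[int]) -> List[Allocation]:
    """One mask everywhere, the RIPv1/IGRP constraint: each requirement gets
    a subnet of the same size however small it is. Subnet zero is skipped,
    as on the slide, so allocation starts at 172.16.2.0/23."""
    subnets = list(major.subnets(new_prefix=prefixlen))[1:]
    return [(net, need, utilisation(net, need)) for need, net in zip(needs, subnets)]


def vlsm_plan(major: IPv4Network, needs: List[int]) -> Tuple[List[Allocation], List[IPv4Network]]:
    """Variable-length masks: each requirement gets the smallest subnet that
    fits. Serving the largest requests first keeps every block aligned on its
    own size. Returns the allocations and the free blocks left over."""
    free: List[IPv4Network] = [major]
    plan: List[Allocation] = []
    for need in sorted(needs, reverse=True):
        p = prefix_for(need)
        candidates = [b for b in free if b.prefixlen <= p]
        if not candidates:
            raise ValueError(f"no free block left for {need} hosts")
        block = max(candidates, key=lambda b: b.prefixlen)   # tightest fit
        free.remove(block)
        chosen, *rest = block.subnets(new_prefix=p)          # split, keep the first piece
        free.extend(ipaddress.collapse_addresses(rest))      # re-merge the leftovers
        plan.append((chosen, need, utilisation(chosen, need)))
    return plan, sorted(free)


if __name__ == "__main__":
    print(f"/23 subnets available: {classful_subnet_count(MAJOR, 23)}")
    for net, need, pct in fixed_length_plan(MAJOR, 23, NEEDS):
        print(f"fixed  {net!s:18} need {need:4}  utilisation {pct:5.1f}%")
    plan, free = vlsm_plan(MAJOR, NEEDS)
    for net, need, pct in plan:
        print(f"vlsm   {net!s:18} need {need:4}  utilisation {pct:5.1f}%")
    print("free after VLSM:", ", ".join(map(str, free)))
```

With the fixed mask the 2-host segment lands on 172.16.6.0/23 at 0.4% utilisation; with VLSM it becomes 172.16.4.0/30 at 100%, and the rest of the /16 remains free in aligned blocks that can still be summarized.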

  10. Route Summarization (Aggregation)
  • Subnetting extends the prefix to the right: a longer prefix length and a smaller host field
  • Summarization collapses the prefix to the left: a shorter prefix length and a larger host field

  11. Classless Routing and Prefix Routing
  Figure: a router holding 192.108.168.0, 192.108.169.0, 192.108.170.0, 192.108.171.0, 192.108.172.0, 192.108.173.0, 192.108.174.0 and 192.108.175.0 says: "I will just tell you about a summary route to 192.108.168.0/21."
  • CIDR used by BGP4
  • Prefix routing used by EIGRP and OSPF
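
An added example, not code from the slides, that checks the summary on slide 11 the way a designer should before advertising it: the eight Class C networks collapse to 192.108.168.0/21 because 168 is aligned on a multiple of 8. The same eight-network count starting one higher (169 through 176, a set constructed for this example) no longer fits one prefix, and a single summary would advertise three times the address space actually behind the router.

```python
"""Route summarization check.

Added example, not from the original slides. The eight Class C networks
192.108.168.0 through 192.108.175.0 and their summary 192.108.168.0/21 are
slide 11's; the shifted set (169 through 176) is a constructed
counter-example showing when one summary over-advertises.
"""
import ipaddress
from typing import Iterable, List, Union

IPv4Network = ipaddress.IPv4Network
NetLike = Union[str, IPv4Network]

SLIDE_BLOCK = [f"192.108.{i}.0/24" for i in range(168, 176)]
SHIFTED_BLOCK = [f"192.108.{i}.0/24" for i in range(169, 177)]   # constructed


def _nets(networks: Iterable[NetLike]) -> List[IPv4Network]:
    """Accept prefix strings or IPv4Network objects."""
    return [n if isinstance(n, IPv4Network) else ipaddress.ip_network(n) for n in networks]


def summary_prefix(networks: Iterable[NetLike]) -> IPv4Network:
    """Shortest single prefix covering every network: keep the high-order bits
    on which the lowest and highest covered addresses agree and collapse the
    rest to the left (slide 10)."""
    nets = _nets(networks)
    lo = int(min(n.network_address for n in nets))
    hi = int(max(n.broadcast_address for n in nets))
    prefixlen = 32 - (lo ^ hi).bit_length()     # differing low bits become host bits
    return ipaddress.ip_network((lo, prefixlen), strict=False)


def minimal_aggregates(networks: Iterable[NetLike]) -> List[IPv4Network]:
    """Smallest set of prefixes that covers exactly the given networks, no more."""
    return list(ipaddress.collapse_addresses(_nets(networks)))


def excess_addresses(networks: Iterable[NetLike]) -> int:
    """Addresses the single summary would advertise that are not behind this
    router. Above zero the summary attracts traffic for space that may belong
    to someone else, or black-holes it."""
    nets = _nets(networks)
    covered = sum(n.num_addresses for n in minimal_aggregates(nets))
    return summary_prefix(nets).num_addresses - covered


if __name__ == "__main__":
    for label, block in (("slide 11", SLIDE_BLOCK), ("shifted", SHIFTED_BLOCK)):
        print(f"{label}: summary {summary_prefix(block)}, "
              f"exact aggregates {[str(n) for n in minimal_aggregates(block)]}, "
              f"excess addresses {excess_addresses(block)}")
```

`excess_addresses` is the number to watch: a summary is only safe when it is zero, otherwise the shorter prefix claims space the router does not own.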

  12. A Classless Routing Protocol Looks for the Longest Match
  Routing table, most specific entry first:
    202.222.5.33/32   host
    202.222.5.32/27   subnet
    202.222.5.0/24    network
    202.222.0.0/16    block of networks
    0.0.0.0/0         default
  • IP routers support host-specific routes, blocks of networks, and default routes
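
The lookup slide 12 describes, as an added example that is not code from the slides: the five prefixes are the slide's table, the next-hop labels are assumptions made for the example. The table is sorted longest prefix first so the first entry containing the destination is the longest match; `natural_network` shows, for contrast, the single prefix a classful router would infer from the first octet (slides 4 and 5), which cannot distinguish the /32 host route or the /27 subnet.

```python
"""Longest-match lookup versus classful inference.

Added example, not from the original slides. The five routes are slide 12's
table; the next-hop labels are assumptions made for the example.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4Network = ipaddress.IPv4Network
Route = Tuple[IPv4Network, str]

ROUTES: Dict[str, str] = {            # prefix -> next hop (labels assumed)
    "202.222.5.33/32": "host route via eth0",
    "202.222.5.32/27": "subnet via eth1",
    "202.222.5.0/24": "network via eth2",
    "202.222.0.0/16": "block of networks via serial0",
    "0.0.0.0/0": "default via serial1",
}


class ClasslessTable:
    """Entries ordered longest prefix first, so the first entry that contains
    the destination is the most specific match."""

    def __init__(self, routes: Dict[str, str]) -> None:
        self.entries: List[Route] = sorted(
            ((ipaddress.ip_network(p), nh) for p, nh in routes.items()),
            key=lambda e: e[0].prefixlen, reverse=True)

    def matches(self, dst: str) -> List[Route]:
        """Every entry that contains dst, longest first (the /0 default always does)."""
        addr = ipaddress.ip_address(dst)
        return [e for e in self.entries if addr in e[0]]

    def lookup(self, dst: str) -> Optional[Route]:
        """The route a classless router uses: the longest match."""
        found = self.matches(dst)
        return found[0] if found else None


def natural_network(addr: str) -> IPv4Network:
    """What a classful router infers from the first octet alone (slides 4 and 5):
    /8 below 128, /16 below 192, /24 below 224. It cannot see the /32 host
    route or the /27 subnet that the table above distinguishes."""
    first = int(addr.split(".")[0])
    if first >= 224:
        raise ValueError(f"{addr} is not a class A, B or C address")
    prefixlen = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network((addr, prefixlen), strict=False)


if __name__ == "__main__":
    table = ClasslessTable(ROUTES)
    for dst in ("202.222.5.33", "202.222.5.40", "202.222.5.200", "202.222.9.1", "8.8.8.8"):
        net, nh = table.lookup(dst)
        print(f"{dst:14} -> {net!s:18} ({nh}); classful view: {natural_network(dst)}")
```

Note that 202.222.5.33 matches all five entries and 8.8.8.8 only the default; the router's choice is the first hit in the sorted list, never the one that merely appears first in the configuration.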

  13. Secondary Addressing
  Figure: one router interface carries a primary address 172.16.1.1 and a secondary address 172.16.2.1; hosts 172.16.1.2 and 172.16.2.2 share the same physical segment but belong to different subnets.
  • Useful in switched networks, where one segment must carry more than one subnet
  • Router may relay packets between the two subnets, acting as the default gateway for each
  • Host may communicate directly, using ARP for learning the other host's hardware address

  14. Host Address Assignment
  Figure: a host sends an address request and receives an address response carrying 131.108.6.3 with mask 255.255.255.0.
  • Static
  • Dynamic: BOOTP, DHCP

  15. Name-to-Address Translation
  Figure: a DNS/DHCP server with addresses 172.16.1.1 and 172.16.2.1 (primary and secondary) holds two tables:
    DNS table              DHCP table
    Client_1  172.16.1.2   Next available  172.16.1.3
    Client_2  172.16.2.2   Client_1        172.16.1.2
                           Client_2        172.16.2.2
  • Cisco DNS/DHCP Manager manages domain names, synchronizes IP addresses between the DNS and DHCP tables, and supports secondary addressing

  16. Private versus Registered Addresses
  Figure: private network (for example, 10.0.0.0), address translation gateway, public network (for example, the Internet).
  • Three address blocks are reserved for private networks (RFC 1918):
  • 10.0.0.0 (1 Class A, 10.0.0.0/8)
  • 172.16.0.0 to 172.31.0.0 (16 Class Bs, 172.16.0.0/12)
  • 192.168.0.0 to 192.168.255.0 (256 Class Cs, 192.168.0.0/16)
  • These addresses are not routed on the Internet, so address translation must occur to reach it

  17. Network Address Translation
  Figure: private network (for example, 10.0.0.0), Cisco router, public network (for example, the Internet).
  • A Cisco router provides network address translation only; it is not a firewall service

  18. Cisco Private Internet Exchange
  Figure: private servers on the private network (for example, 10.0.0.0), public servers on the public side, with the PIX between them and the public network (for example, the Internet).
  • The Private Internet Exchange (PIX) platform provides address translation and firewall service

  19. IP Security Considerations
  Figure: a policy governs the boundary between the private network and the public network.
  • Establish a security policy
  • Implement firewall features
  • Control access, both local and remote

  20. Implementing IP Security Policy
  Figure: a firewall system between the private network (for example, 10.0.0.0) and the public network (for example, the Internet).
  • Policy drives implementation choices

  21. Policy Considerations for Security
  • Determine how much security you need
  • Trade off ease of use and configuration against security demands
  • Determine what data outsiders need to reach
  • Quantify the cost of the proposed security system
  • Implement a simple, robust design

  22. Many Aspects of Security Policy
  Figure: access, host security, firewalls, encryption, management.
  • Authorization, authentication, data integrity, privacy issues
  • Firewalls are just one piece of the puzzle

  23. Firewall System with Isolated LANs
  Figure: private servers on the private LAN, public servers on the public LAN, the firewall system between them. Untrusted user: "I cannot access the private network."
  • Prevent unauthorized and improper access from external networks
  • Public servers on the outside LAN

  24. Additional Firewall Functionality
  Figure: the firewall system between 10.0.0.0 and the Internet, with an InterNIC-registered address on its outside.
  • Network address translation
  • Application proxy
  • Packet filter
  • Audit trail
  • Login protection

  25. Disable All Unnecessary Features
  Figure: the firewall system is managed from its physical console port and carries an outside filter facing the Internet; a public server sits behind it. Labels: No VTYs, No TFTP, No finger.
  • Disable WWW, Telnet, FTP, TFTP, finger and proxy Internet services on the firewall itself
  • Manage it from the physical console port rather than over the network (no VTYs), so a network-side compromise cannot reach its administration

  26. Be Specific About Access Allowed
  Figure: FTP to host A only; HTTP to host B only; DNS to host C only.
  • Allow specific services to specific hosts on the DMZ LAN only, and deny everything else

  27. Block Traffic from Firewall Routers and Hosts
  Figure: an inside host: "I am getting a Telnet from the firewall! I guess that's OK!" Untrusted user: "I have cracked the firewall! Where can I Telnet to from here?"
  • Do not trust Telnet from firewall systems: a compromised firewall must not become a springboard into the private network

  28. Avoid IP Spoofing
  Figure: inside network 131.108.0.0; the filter on the outside interface drops packets from the untrusted user whose source is 131.108.X.X.
  • Deny packets from outside your network that claim to have a source address inside your network
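
The filtering rules of slides 24, 26, 27 and 28 as one worked example in Python, added here and not code from the slides: the outside-interface filter first drops anything claiming an inside source (slide 28) or an RFC 1918 source (slide 16), then admits only the three service-to-host pairs of slide 26 and denies the rest; a second filter refuses Telnet sessions originated by the firewall system itself (slide 27); and `audit` produces the audit trail of slide 24. The inside block 131.108.0.0/16 is slide 28's. The DMZ host addresses, the firewall address, the outside source addresses and the sample packets are constructed for this example.

```python
"""Outside-interface packet filter with audit trail.

Added example that combines slides 24 (packet filter, audit trail), 26
(specific services to specific DMZ hosts), 27 (do not trust the firewall's
own sessions) and 28 (anti-spoofing); it is not code from the slides. The
inside block 131.108.0.0/16 is slide 28's. The DMZ host addresses, the
firewall address, the outside source addresses and the sample packets are
constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

IPv4Address = ipaddress.IPv4Address
Decision = Tuple[str, str]             # ("permit" | "deny", reason)

INSIDE = ipaddress.ip_network("131.108.0.0/16")
# RFC 1918 space (slide 16) is never a legitimate source on the Internet side.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIREWALL = ipaddress.ip_address("131.108.15.1")     # assumed address of the firewall system

# Slide 26's allow-list: (protocol, destination port, DMZ host) -> description.
# Host addresses on the DMZ LAN 131.108.15.0/24 are assumed.
ALLOWED: Dict[Tuple[str, int, IPv4Address], str] = {
    ("tcp", 21, ipaddress.ip_address("131.108.15.10")): "FTP to host A only",
    ("tcp", 80, ipaddress.ip_address("131.108.15.11")): "HTTP to host B only",
    ("udp", 53, ipaddress.ip_address("131.108.15.12")): "DNS to host C only",
    ("tcp", 53, ipaddress.ip_address("131.108.15.12")): "DNS to host C only",
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


def outside_filter(pkt: Packet) -> Decision:
    """Decision for a packet arriving from the Internet on the outside interface."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if src in INSIDE:                                  # slide 28: anti-spoofing
        return "deny", "source claims to be inside 131.108.0.0/16"
    if any(src in p for p in PRIVATE):
        return "deny", "private (RFC 1918) source from the Internet"
    reason = ALLOWED.get((pkt.proto, pkt.dport, dst))
    if reason:                                         # slide 26: explicit allow-list
        return "permit", reason
    return "deny", "not on the allow-list (implicit deny)"


def inside_filter(pkt: Packet) -> Decision:
    """Decision for a packet leaving the firewall toward the private network.
    Slide 27: a Telnet session the firewall itself originates is a sign it has
    been compromised, so it is refused rather than trusted."""
    src = ipaddress.ip_address(pkt.src)
    if src == FIREWALL and pkt.proto == "tcp" and pkt.dport == 23:
        return "deny", "Telnet originated by the firewall system"
    return "permit", "not originated by the firewall"


def audit(packets: List[Packet], filt: Callable[[Packet], Decision] = outside_filter) -> List[str]:
    """Audit trail (slide 24): one line per packet with the decision taken."""
    lines = []
    for p in packets:
        action, reason = filt(p)
        lines.append(f"{action.upper():6} {p.proto}/{p.dport} {p.src} -> {p.dst}: {reason}")
    return lines


# Constructed sample traffic; 198.51.100.0/24 is documentation space standing in for "the Internet".
SAMPLE = [
    Packet("131.108.1.5", "131.108.15.10", "tcp", 21),     # spoofed inside source
    Packet("10.2.3.4", "131.108.15.11", "tcp", 80),        # private source
    Packet("198.51.100.7", "131.108.15.10", "tcp", 21),    # FTP to host A
    Packet("198.51.100.7", "131.108.15.11", "tcp", 21),    # FTP to the wrong host
    Packet("198.51.100.7", "131.108.15.12", "udp", 53),    # DNS to host C
    Packet("198.51.100.7", "131.108.1.20", "tcp", 23),     # Telnet into the private LAN
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The order of the checks matters: the anti-spoofing test runs before the allow-list so that a forged 131.108.x.x source cannot reach a permitted DMZ service, and the final rule is an implicit deny rather than an implicit permit.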
