
8 Broadband


The Bryant Advantage CCNP ROUTE Study Guide

Chris Bryant, CCIE #12933 www.thebryantadvantage.com Back To Index

The Remote Workplace, Part II Overview

Whether they're working from a "spoke office" or "branch office", or from non-fixed locations on the road, the ever-increasing number of mobile workers poses a real challenge for today's network admins.

And that's us!

A few of those challenges....

Providing enough bandwidth for the workers to get their jobs done in an efficient manner

Security, security, security (addressed in Part 1)

Integrating the mobile users' operating systems and applications with those used at HQ

Let's take a look at that first challenge - and at broadband.

Dialup connections are pretty much a thing of the past for today's mobile workers, thanks to broadband.

We know that broadband brings us a lot more speed than the dialup connections used to, and if you've ever paid a hotel bill where the dialup connection has been used even a little - well, suffice to say that broadband helps bring our overall costs down as well.

Upstream, Downstream

These seemingly innocent terms can actually be a little confusing - after all, the meaning of the terms can depend on which angle you're looking at things from! For the purposes of our discussion and your Cisco exams, upstream traffic is traffic going from a host device to the cable company and/or ISP, and downstream traffic is traffic going from the ISP to the host device.

Broadband

DSL

Introduction To PPPoE

NAT


Broadband Delivery Options

The most common broadband delivery method in use today is the good old cable modem. The end user's connection is carried through a preexisting cable TV connection, enabling many cable companies to offer "do-it-yourself" broadband connectivity kits.

Ever notice how the lights on the front of a typical cable modem flash quite a bit on startup, but some of them eventually become solid green (we hope)? That's because when a cable modem is powered on or reloaded, it begins to look for a signal from the service provider as it boots up.

When that signal is found, the cable modem synchronizes its timing with the downstream provider device, and the connection procedure continues from there.

The potential drawback is that the end user is sharing bandwidth with a lot of other users, which can be a problem if the provider doesn't have enough bandwidth to go around.

The end user can simultaneously access the Internet while watching cable television due to the Data Over Cable Service Interface Specification (DOCSIS) standards. Here's a great definition of just what DOCSIS is from Wikipedia:

"Data Over Cable Service Interface Specification is an international telecommunications standard that permits the addition of high-speed data transfer to an existing Cable TV (CATV) system. It is employed by many cable television operators to provide Internet access over their existing hybrid fiber coaxial (HFC) infrastructure."

By using the specific bandwidths outlined by DOCSIS, the same cable can be used to deliver cable television service, transmit data to the client, and receive data from the client simultaneously.

Our friends at the cable company use one of three sets of modulation standards:

• National Television Standards Committee (NTSC) is used primarily in North America and Japan.

• Phase Alternating Line (PAL) is used, well, almost everywhere else.

• Sequential Color Memory (SECAM) is used primarily in France, Africa, and Eastern Europe.

One step up from the cable modem, we have Digital Subscriber Line, or DSL. DSL uses a preexisting phone line for broadband delivery. There are several different kinds of DSL, though...

Asymmetrical DSL (ADSL) works under the assumption that the user will download more information than they send, and for the average Internet user, that's a safe assumption. The connection speed from the provider to the user is going to be 3 - 4 times faster than the speed from the user to the provider.

For example, an ADSL connection of 512 kbps will give the user 384 kbps download capability, but only 128 kbps upload capability. ADSL actually offers download speeds of up to 8 Mbps and upload speeds of up to 1 Mbps or 1.5 Mbps, depending on whose sales propaganda you're reading.

Regardless of the sales department, though, ADSL is susceptible to that 18,000-feet distance limitation.

The original High Data-Rate DSL (HDSL) has the capability to deliver T1 (1.544 Mbps) or E1 (2.048 Mbps) speed over copper, and this service is symmetrical - the download and upload capabilities are the same. Unlike ADSL, you cannot use the phone while you're using the HDSL connection.

Second-generation HDSL (HDSL2) does allow for Voice Over IP (VOIP) and video to be carried along with data.

Rate-Adaptive DSL (RADSL) is just what it sounds like - the software calculates the maximum download and upload speeds on the customer's preexisting phone line and dynamically adjusts those rates.

G.SHDSL provides symmetric transmission for upstream and downstream data rates of anywhere from 192 kbps to 2.3 Mbps. Estimates of G.SHDSL's maximum distance range from 20,000 feet to 28,000 feet, depending on whose documentation you're reading.

Anyone who lives or has lived in a rural area knows the challenge of trying to get a broadband connection. Satellite Broadband certainly sounds like a technology that could meet that challenge, and theoretically it does just that.

Satellite broadband is more reliable than it used to be - much more reliable - but your connectivity can still be affected by the weather.

DSL Drawbacks

As mentioned earlier, there is an 18,000-foot limitation on DSL services. However, attenuation - the gradual weakening of a signal - occurs before the actual distance limitation is reached.

A bad splice or overall corrosion can lead to an impedance mismatch. As with attenuation, the signal isn't totally lost, but it is degraded. Impedance mismatches can also be introduced by using wires with different wire gauges. The American wire gauge (sometimes called the Brown & Sharpe wire gauge, according to Wikipedia) refers to a standardized system of measuring wire and cable thickness.

Signal interference can come from "inside" and "outside" our network as well. The "inside" interference can result from crosstalk, the result of a signal "crossing over" and interfering with another signal.

The "outside" source, I kid you not, is AM radio. Certain AM frequencies can interfere with the DSL signals.


Data Transport Over ATM

There's an unusual type of Asynchronous Transfer Mode (ATM) switch in use in this type of network: the DSLAM. DSLAMs are just ATM switches with DSL cards in them.

Nothing to it, right? :) It's not as complex as it seems.

When it comes to transporting data over this setup, we've got three choices:

• PPP over Ethernet (PPPoE)

• PPP over ATM (PPPoA)

• RFC 1483/2684 Bridging

RFC 1483 Bridging has some advantages and some serious drawbacks.

Advantages:

• Easy to set up, install, and configure

• Offers multiprotocol support

• Excellent for single-user environments

Disadvantages:

• Uses a lot of broadcasts, which can quickly use most or all available bandwidth.

• Not a scalable solution.

• Wide open to intruder attacks, including ARP spoofing, IP address hijacking, and broadcast attacks.

Other than that, Mrs. Lincoln, how did you enjoy the play?

More likely, you'll use Point-to-Point Protocol over Ethernet (PPPoE). Defined in RFC 2516, this process involves bridging an Ethernet frame from the host PC to an aggregation router such as the Cisco 6400 series.

However, the Ethernet frame will actually contain a PPP frame, enabling a PPP session to be built between the host device and the aggregation router. PPP's PAP / CHAP authentication options are available here, and CHAP will typically be used because it sends a hashed challenge response rather than the password itself.

There are actually two encapsulations taking place. First, the host data is placed into a PPP frame, and then that PPP frame is placed into an Ethernet frame. Finally, the "frame inside a frame" is ready to transmit.


At the very beginning of the PPPoE process, the host device will perform Discovery - and what the host needs to discover is the MAC address of the PPPoE server. That server will be the aggregation router. This establishes the client-server relationship, identified by a PPPoE SESSION_ID value. Once Discovery has concluded, the PPP process can continue as it normally would over an ISDN link.

Configuring PPPoE

Here's the network we'll be working with in the following section. We'll assume the interface closest to the PCs is Ethernet1, and the interface facing the DSLAM is Ethernet0.

Cisco 800 Router:

Ethernet interface facing the hosts (Ethernet1)

int e1

ip address 172.1.1.1 255.255.255.0


Ethernet interface facing the DSLAM (Ethernet 0)

int e0

no ip address

pppoe enable

pppoe-client dial-pool-number 1

For you ISDN fans (and non-fans), the dial-pool-number command sounds like it links to a dialer profile. The pppoe-client dial-pool-number statement binds the physical interface - in this case, the Ethernet0 interface - to the dialer interface.

Here's a typical dialer profile, along with the necessary access-list and dialer-list statements.

access-list 1 permit 172.1.1.0 0.0.0.255

dialer-list 1 protocol ip permit

interface Dialer1

ip address negotiated

ip mtu 1492 (required for PPPoE configuration; must be placed on dialer interface)

dialer pool 1

encapsulation ppp

ppp authentication pap

ppp pap sent-username CCNP password ISCW

I configured PAP here, but remember that PAP sends passwords in clear text. I personally prefer to use CHAP, which sends a hash result rather than a clear-text password.

Those first two commands on the dialer interface may be new to you:

ip address negotiated - This allows the interface to obtain its address during PPP address negotiation.

Another command you may see there is ip address dhcp, which allows an interface to acquire an address via DHCP.

ip mtu 1492 - Due to the additional overhead associated with PPPoE, the MTU should be reduced to 1492. The overhead results from the PPPoE header (6 octets) and the PPP Protocol ID (2 octets).
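To make the "frame inside a frame" and the 1492-byte MTU concrete, here is an added example (not from the study guide or from Cisco) that builds and validates a PPPoE session frame: Ethernet header, 6-octet PPPoE header carrying the SESSION_ID, 2-octet PPP protocol ID, then the payload. The EtherTypes and header layout are those of RFC 2516; the MAC addresses are constructed sample values.

```python
import struct

ETH_HDR_LEN = 14
ETH_MTU = 1500
ETHERTYPE_PPPOE_DISCOVERY = 0x8863  # Discovery stage (PADI/PADO/PADR/PADS), RFC 2516
ETHERTYPE_PPPOE_SESSION = 0x8864    # Session stage: the Ethernet frame carries a PPP frame
PPPOE_HDR = struct.Struct("!BBHH")  # ver|type, code, SESSION_ID, length = 6 octets
PPPOE_VER_TYPE = 0x11               # version 1, type 1
PPP_PROTO_IPV4 = 0x0021             # PPP protocol ID for IPv4 (2 octets)
PPPOE_OVERHEAD = PPPOE_HDR.size + 2 # 6 + 2 = 8 octets of overhead per frame

# Constructed sample MAC addresses (not from the original page).
DST_MAC = bytes.fromhex("001122334455")   # aggregation router, learned during Discovery
SRC_MAC = bytes.fromhex("66778899aabb")   # host PC


def max_ip_mtu():
    """The IP MTU the dialer interface must use: 1500 - 8 = 1492."""
    return ETH_MTU - PPPOE_OVERHEAD


def build_session_frame(dst_mac, src_mac, session_id, payload, ppp_proto=PPP_PROTO_IPV4):
    """Inner encapsulation first (PPP), then outer (Ethernet): the frame inside a frame."""
    ppp = struct.pack("!H", ppp_proto) + payload
    pppoe = PPPOE_HDR.pack(PPPOE_VER_TYPE, 0x00, session_id, len(ppp))  # code 0x00 = session data
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_PPPOE_SESSION) + pppoe + ppp


def parse_session_frame(frame):
    """Return (session_id, ppp_proto, payload) or raise ValueError for a malformed frame."""
    if len(frame) < ETH_HDR_LEN + PPPOE_OVERHEAD:
        raise ValueError("truncated frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_PPPOE_DISCOVERY:
        raise ValueError("Discovery-stage frame, not a session frame")
    if ethertype != ETHERTYPE_PPPOE_SESSION:
        raise ValueError(f"not PPPoE: EtherType 0x{ethertype:04x}")
    ver_type, code, session_id, length = PPPOE_HDR.unpack_from(frame, ETH_HDR_LEN)
    if ver_type != PPPOE_VER_TYPE or code != 0x00:
        raise ValueError("bad PPPoE version/type/code")
    if session_id == 0:
        raise ValueError("SESSION_ID 0 is reserved for Discovery")
    body = frame[ETH_HDR_LEN + PPPOE_HDR.size:]
    if len(body) != length:
        raise ValueError("PPPoE length field does not match the frame")
    ppp_proto = struct.unpack("!H", body[:2])[0]
    payload = body[2:]
    if len(payload) > max_ip_mtu():
        raise ValueError("payload exceeds 1492: sender ignored the reduced MTU")
    return session_id, ppp_proto, payload


def frame_is_valid(frame):
    """Convenience wrapper: True if parse_session_frame() accepts the frame."""
    try:
        parse_session_frame(frame)
        return True
    except ValueError:
        return False
```

A 1492-byte payload fills the 1500-byte Ethernet MTU exactly; a 1493-byte payload is rejected, which is the failure a host with an unreduced MTU would cause.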

Why A Static Route?

We spend time in both the OSPF and EIGRP sections talking about stub areas, and how they really just need a single default route in many cases.


A home worker is the ultimate stub area - when the router receives the data from the subscriber, there's only one possible exit interface for it to use, and that's the dialer profile on the way back to HQ.

There's no need to run a routing protocol, since the exit interface will remain the same and a dynamic protocol would only add overhead. Instead, just write a default static route using the dialer interface as the local exit interface.

ip route 0.0.0.0 0.0.0.0 Dialer1

You also learned all about NAT and PAT during your CCNA studies, and we're going to configure PAT here as well. The commands are the same as the ones you learned during your CCNA studies, but watch where you put the ip nat inside and ip nat outside commands!

ip nat inside source list 1 interface dialer 1 overload

int e1

ip nat inside

int dialer1

ip nat outside

As you know, the overload option enables PAT, allowing us to use a single routable IP address for multiple inside hosts. Also note that while the ip nat inside command is configured where we'd expect it, on the inside physical interface, the ip nat outside command is applied on the dialer profile.

If you like, you can also configure DHCP on this router, and allow it to serve as the DHCP server for the inside hosts. Configuring a Cisco router as a DHCP server offers too many options to see them all here, but let's assume we want to assign addresses from the network 172.1.1.0 /24, but no addresses with the last octet of 1 - 100. Also, we'll assign a 30-day lease.

ip dhcp excluded-address 172.1.1.1 172.1.1.100

ip dhcp pool 1

network 172.1.1.0 255.255.255.0

lease 30

To reiterate, you'll have many options with DHCP on Cisco routers, so just do your homework on Cisco's website before jumping in and configuring!

Network Address Translation

NAT will be a thing of the past one day.

Today is not that day.

Network Address Translation (NAT) allows a network host with a private IP address to have the source IP address of their packets "translated" into a routable address.

Port Address Translation (PAT) allows a single routable IP address to be used by multiple inside private IP hosts. The private IP addresses are translated to the same public IP, but each host will use a different port number. PAT is commonly referred to as "overloading".

The private IP address ranges are defined by RFC 1918, and they fall into these ranges:

• Class A: 10.0.0.0 /8

• Class B: 172.16.0.0 /12

• Class C: 192.168.0.0 /16

Note that the masks that accompany these private address ranges are not the network masks for the classes (/8, /16, /24).

There are four terms used to describe these addresses at different points in the entire NAT process.

Inside local addresses are used by hosts on the inside network to communicate with other hosts on that same network. These are the addresses that are actually configured on the hosts.

These inside local addresses are translated into inside global addresses. Inside global addresses are routable addresses.

Outside global addresses are the addresses that are configured on the outside hosts. These are fully routable addresses used by Internet-based hosts.

Finally, outside local addresses are the actual addresses of remote hosts. This can be, and probably is, an RFC 1918 address as well.


From the 10.1.1.1 host's point of view, these are the NAT addresses:

Inside Local: 10.1.1.1 /8

Inside Global: 210.1.1.1 /24

Outside Global: IP Address of web server.

Outside Local: If web server is using an RFC 1918 address and the remote router is also using NAT, that 1918 address would be the outside local address.

Static NAT

If a limited number of hosts on a private network need Internet access, static NAT may be the appropriate choice. Static NAT maps a private address to a public one.

There are three internal PCs on an RFC 1918 private network, using addresses 10.5.5.5, 10.5.5.6, and 10.5.5.7. The router's Ethernet0 interface is connected to this network, and the Internet is reachable via the Serial0 interface. The IP address of the Serial interface is 210.1.1.1 /24, with all other addresses on the 210.1.1.0/24 network available.

Three static mappings are needed to use Static NAT. The interfaces must be configured for NAT as well.

R3(config)#interface ethernet0
R3(config-if)#ip address 10.5.5.100 255.0.0.0
R3(config-if)#ip nat inside
R3(config-if)#interface serial0
R3(config-if)#ip address 210.1.1.1 255.255.255.0
R3(config-if)#ip nat outside

R3#conf t
R3(config)#ip nat inside source static 10.5.5.5 210.1.1.2
R3(config)#ip nat inside source static 10.5.5.6 210.1.1.3
R3(config)#ip nat inside source static 10.5.5.7 210.1.1.4

R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 210.1.1.2          10.5.5.5           ---                ---
--- 210.1.1.3          10.5.5.6           ---                ---
--- 210.1.1.4          10.5.5.7           ---                ---

R3#show ip nat statistics
Total active translations: 3 (3 static, 0 dynamic; 0 extended)
Outside interfaces: Serial0
Inside interfaces: Ethernet0
Hits: 0  Misses: 0
Expired translations: 0

Dynamic NAT

Static NAT is fine for a few hosts, but consider a private network with 150 hosts. It would be an administrative nightmare to configure 150 static NAT statements on your router. Dynamic NAT allows a pool of public IP addresses to be created. The public IP addresses are mapped to private addresses as needed, and the mapping is dropped when the communication ends. Like Static NAT, Dynamic NAT requires the interfaces connected to the Internet and to the private network to be configured with ip nat outside and ip nat inside, respectively.

Using the previous network example, R3 is now configured to assign an address from a NAT pool to these three network hosts as needed:

R3#conf t
R3(config)#access-list 1 permit 10.5.5.0 0.0.0.255
R3(config)#interface ethernet0
R3(config-if)#ip nat inside
R3(config-if)#interface serial0
R3(config-if)#ip nat outside

R3#conf t
R3(config)#ip nat inside source list 1 pool NATPOOL
R3(config)#ip nat pool NATPOOL 200.1.1.2 200.1.1.5 netmask 255.255.255.0

An access-list is used to identify the hosts that will have their addresses translated by NAT. The ip nat inside source command calls that list and then names the NAT pool to be used. The next line of the config defines the pool, named NATPOOL. The two addresses listed are the first and last addresses of the pool, meaning that 200.1.1.2, 200.1.1.3, 200.1.1.4, and 200.1.1.5 are in the pool, all using a mask of 255.255.255.0. Take care not to include the serial address of the NAT router in the pool.

The access list permits all hosts on 10.5.5.0/24, meaning that any host on that subnet can use an address from the NAT pool to communicate with Internet-based hosts.

The show ip nat statistics command displays the name and configuration of the NAT pool.

R3#show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces: Serial0
Inside interfaces: Ethernet0
Hits: 0  Misses: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 1 pool NATPOOL refcount 0
 pool NATPOOL: netmask 255.255.255.0
        start 200.1.1.2 end 200.1.1.5
        type generic, total addresses 4, allocated 0 (0%), misses 0

Four addresses are available in the NAT pool. What if the network has 50 hosts and ten of them want to connect to an Internet host simultaneously? NAT allows multiple hosts to use the same public IP address via Port Address Translation (PAT). Generally referred to as “overloading”, the private address will be translated to a public address and port number, allowing the same IP address to support multiple hosts. The router will differentiate the connections by using a different port number for each translation, even though the same IP address will be used.

Port Address Translation is simple to configure. Instead of referring to a NAT pool with the ip nat inside source command, identify the outside interface followed by the word overload.

“overload” indicates that the IP address of the named interface will be the only one used for NAT, but that a different port number will be used for each translation, allowing the router to keep the different translations separate while using only a single IP address.

R3(config)#interface ethernet0
R3(config-if)#ip nat inside
R3(config-if)#interface serial0
R3(config-if)#ip nat outside
R3(config-if)#ip nat inside source list 1 interface serial0 overload
R3(config)#access-list 1 permit 10.5.5.0 0.0.0.255

Each host that matches the ACL will have its IP address translated to the same IP address - in this case, the same IP address that the serial interface is already using - but each host will be assigned a random port number.

These ports will not be from the well-known port number range.

The router keeps a translation table with the port numbers, so that reply packets for these transmissions can be translated back to the correct inside host when they are received.
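Here is an added simulation (not the study guide's code, and not how IOS is implemented) of the three behaviors described in this section: the wildcard-mask ACL that selects inside hosts, the dynamic pool that counts a miss once its four addresses are allocated, and PAT overload, where every host shares the outside interface's address and only a port the router already knows maps a reply back to an inside host. Port allocation starting above the well-known range is an assumption of the simulation, and the host addresses are the page's 10.5.5.0/24 examples.

```python
import ipaddress
from itertools import count


def acl_permits(ip, network, wildcard):
    """Cisco wildcard match: a 0 bit in the wildcard means that bit must match."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip_i & care) == (net_i & care)


class DynamicNat:
    """ip nat inside source list 1 pool NATPOOL: one public address per active host."""

    def __init__(self, first, last):
        a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(int(a), int(b) + 1)]
        self.table = {}   # inside local -> inside global
        self.misses = 0   # the "misses" counter in show ip nat statistics

    def translate(self, inside_local):
        if inside_local in self.table:
            return self.table[inside_local]
        if not self.free:
            self.misses += 1  # pool exhausted: no translation, packet is dropped
            return None
        self.table[inside_local] = self.free.pop(0)
        return self.table[inside_local]


class PatOverload:
    """ip nat inside source list 1 interface serial0 overload: one address, many ports."""

    def __init__(self, inside_global, acl_network, acl_wildcard):
        self.inside_global = inside_global
        self.acl = (acl_network, acl_wildcard)
        self.outbound = {}            # (inside local, src port) -> translated port
        self.inbound = {}             # translated port -> (inside local, src port)
        self.next_port = count(1024)  # assumption: sequential ports above the well-known range

    def outbound_translate(self, src_ip, src_port):
        """Return (inside global, translated port), or None if the ACL does not match."""
        if not acl_permits(src_ip, *self.acl):
            return None
        key = (src_ip, src_port)
        if key not in self.outbound:
            port = next(self.next_port)
            self.outbound[key] = port
            self.inbound[port] = key
        return (self.inside_global, self.outbound[key])

    def inbound_translate(self, dst_port):
        """A reply to the shared address maps back only if the port is in the table."""
        return self.inbound.get(dst_port)
```

Unsolicited inbound packets to the shared address hit no table entry and are dropped, which is why PAT also acts as a coarse inbound filter for the home worker's network.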

Copyright © 2011 The Bryant Advantage. All Rights Reserved.