
TCP/IP Addressing Design. Objectives Choose an appropriate IP addressing scheme based on business and technical requirements Identify IP addressing problems.

Presentation transcript:

1 TCP/IP Addressing Design

2 Objectives: Choose an appropriate IP addressing scheme based on business and technical requirements; identify IP addressing problems and describe strategies for resolving them; describe different address management tools – secondary addressing, DHCP/DNS, address translation; describe methods for implementing TCP/IP security features.

3 Hierarchical Addressing

4 Prefix Length Determined from Context: Variable-length prefixes are not a new invention – the prefix field identifies a network number and the host field identifies a device number. Within the 32-bit address, Class A uses a prefix length of 8, Class B a prefix length of 16, and Class C a prefix length of 24; the remaining bits are the host field.

5 Prefix Length for Classful and Classless Routing: “Classful” routers accept only a few prefix lengths – 10.0.0.0/8 (Class A), 172.10.0.0/16 (Class B), 192.10.10.0/24 (Class C). “Classless” routers accept any prefix length, for example 192.10.168.0/21 in Class C space; the prefix length is carried with the IP address.

6 Subnetting Extends the Prefix to the Right: Within the 32-bit address the prefix (and its prefix length) grows and the host field shrinks. Assigned network address 172.16.0.0 with subnet mask 255.255.254.0 (11111111.11111111.11111110.00000000) yields 126 subnets of 510 hosts each. A subnet such as 172.16.2.0 that needs 510 hosts shows good address utilization; subnets such as 172.16.4.0 and 172.16.6.0 that need only 2 hosts show poor address utilization. RIP and IGRP require the same subnet mask on all interfaces.

7 Classful Routing Protocols Do Not Advertise Prefix Length: Subnets must be contiguous when using classful routing protocols. Example: Router A (131.108.1.0/24) and Router B (131.108.2.0/24) are separated by network 192.168.1.0/16; A advertises 131.108.0.0 and B advertises 131.108.0.0, so Router C asks: “Where is network 131.108.0.0?”

8 Classless Routing Protocols Allow Flexible Addressing

9 VLSM Saves Subnets in the WAN: WAN links use /30 subnets (mask 255.255.255.252) – 131.108.13.4/30, 131.108.13.8/30, 131.108.13.12/30, 131.108.13.16/30 – while the LAN uses 131.108.15.0/24 (mask 255.255.255.0).
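Added example (not from the presentation) putting numbers on slides 6 and 9: fixed-mask subnetting of 172.16.0.0 with 255.255.254.0 versus /30 VLSM links, using Python's standard ipaddress module. The classful subnet count (excluding the all-zeros and all-ones subnets) is an assumption made to match the slide's figure of 126.

```python
import ipaddress


def usable_hosts(prefixlen):
    """Usable host addresses in one IPv4 subnet (network and broadcast excluded)."""
    return 2 ** (32 - prefixlen) - 2


def fixed_mask_subnets(assigned, mask):
    """Subnet an assigned block with one mask everywhere, as RIP and IGRP require.
    Returns (usable_subnets, usable_hosts_per_subnet). Subnets are counted
    classfully here, so the all-zeros and all-ones subnets are excluded."""
    net = ipaddress.ip_network(assigned)
    prefixlen = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
    subnets = list(net.subnets(new_prefix=prefixlen))
    return len(subnets) - 2, usable_hosts(prefixlen)


def utilization(prefixlen, hosts_needed):
    """Share of a subnet's usable host addresses that a segment actually uses."""
    return hosts_needed / usable_hosts(prefixlen)


def addresses_consumed(links, prefixlen):
    """Total addresses burned by `links` point-to-point links at one prefix length."""
    return links * 2 ** (32 - prefixlen)


def vlsm_wan_links(first, count):
    """Successive /30 point-to-point subnets starting at `first`, slide 9 style."""
    net = ipaddress.ip_network(first)
    return [f"{net.network_address + 4 * i}/30" for i in range(count)]


if __name__ == "__main__":
    subnets, hosts = fixed_mask_subnets("172.16.0.0/16", "255.255.254.0")
    print(f"255.255.254.0 on 172.16.0.0: {subnets} subnets x {hosts} hosts")
    print(f"2-host link in a /23: {utilization(23, 2):.2%} used")
    print(f"2-host link in a /30: {utilization(30, 2):.0%} used")
    print(f"4 WAN links: /23 burns {addresses_consumed(4, 23)} addresses, "
          f"/30 burns {addresses_consumed(4, 30)}")
    print("VLSM links:", vlsm_wan_links("131.108.13.4/30", 4))
```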

10 Route Summarization (Aggregation): Subnetting extends the prefix to the right (longer prefix length, shorter host field); summarization collapses the prefix to the left (shorter prefix length, longer host field).

11 Classless Routing and Prefix Routing: “I will just tell you about a summary route to 192.108.168.0/21.” CIDR is used by BGP4; prefix routing is used by EIGRP and OSPF. The summary covers the eight networks 192.108.168.0, 192.108.169.0, 192.108.170.0, 192.108.171.0, 192.108.172.0, 192.108.173.0, 192.108.174.0, and 192.108.175.0.

12 A Classless Routing Protocol Looks for the Longest Match: 202.222.5.33/32 (host), 202.222.5.32/27 (subnet), 202.222.5.0/24 (network), 202.222.0.0/16 (block of networks), 0.0.0.0/0 (default). IP routers support host-specific routes, blocks of networks, and default routes.
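Added example (not from the presentation) for slides 11 and 12: a longest-match lookup over the slide's five routes, plus CIDR aggregation of the eight 192.108.168.0 to 192.108.175.0 networks into the /21 summary, using Python's standard ipaddress module. The /24 length assumed for the eight networks is taken from their Class C size.

```python
import ipaddress

# Routing table from slide 12, most specific to least specific.
ROUTES = [
    ("202.222.5.33/32", "host"),
    ("202.222.5.32/27", "subnet"),
    ("202.222.5.0/24", "network"),
    ("202.222.0.0/16", "block of networks"),
    ("0.0.0.0/0", "default"),
]


def longest_match(destination, routes=ROUTES):
    """Return (prefix, label) of the most specific route covering `destination`.
    Classless lookup: every route that contains the destination is a candidate,
    and the longest prefix length wins regardless of table order."""
    dest = ipaddress.ip_address(destination)
    best = None
    for prefix, label in routes:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    return str(best[0]), best[1]


def summarize(networks):
    """Collapse contiguous networks into the fewest covering prefixes (aggregation).
    Only fully covered, aligned blocks merge; a gap leaves the pieces separate."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


# Constructed: the eight Class C networks behind the summary on slide 11.
EIGHT_NETS = [f"192.108.{third}.0/24" for third in range(168, 176)]


if __name__ == "__main__":
    for dst in ("202.222.5.33", "202.222.5.40", "202.222.5.100", "202.222.7.1", "8.8.8.8"):
        print(dst, "->", longest_match(dst))
    print("summary:", summarize(EIGHT_NETS))
    # Dropping one member leaves a hole, so no single /21 can be advertised.
    print("with 192.108.171.0 missing:", summarize(EIGHT_NETS[:3] + EIGHT_NETS[4:]))
```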

13 Secondary Addressing: Useful in switched networks – the router may relay packets, acting as a default gateway, or hosts may communicate directly, using ARP for learning. Example: the router interface carries addresses 172.16.1.1 and 172.16.2.1, with hosts 172.16.1.2 and 172.16.2.2 on the same switched segment.

14 Host Address Assignment: Static, or dynamic via BOOTP or DHCP – the host sends an address request and receives an address response (for example 131.108.6.3 with mask 255.255.255.0).

15 Name-to-Address Translation: Cisco DNS/DHCP Manager manages domain names, synchronizes IP addresses, and supports secondary addressing. Example: a DNS/DHCP server serves Client_1 (172.16.1.2) and Client_2 (172.16.2.2) behind router addresses 172.16.1.1 and 172.16.2.1; the DNS table maps Client_1 to 172.16.1.2 and Client_2 to 172.16.2.2, and the DHCP table lists the next available address as 172.16.1.3.

16 Private versus Registered Addresses: Three address blocks are reserved for private networks – 10.0.0.0 (1 Class A), 172.16.0.0 to 172.31.0.0 (16 Class B), 192.168.0.0 to 192.168.255.0 (256 Class C). Address translation must occur to reach the Internet: an address translation gateway sits between the private network (for example, 10.0.0.0) and the public network (for example, the Internet).

17 Network Address Translation: A Cisco router provides network address translation only, between the private network (for example, 10.0.0.0) and the public network (for example, the Internet).

18 Cisco Private Internet Exchange: The Private Internet Exchange (PIX) platform provides address translation and firewall service. The PIX sits between the private network (for example, 10.0.0.0), which holds the private servers, and the public network (for example, the Internet), which holds the public servers.

19 IP Security Considerations: A policy governs the boundary between the private network and the public network. Establish a security policy; implement firewall features; control access, both local and remote.

20 Implementing IP Security: Policy drives implementation choices. A firewall system, governed by the policy, sits between the private network (for example, 10.0.0.0) and the public network (for example, the Internet).

21 Policy Considerations for Security: Determine how much security you need; trade off ease of use and configuration against security demands; determine what data outsiders need to reach; quantify the cost of the proposed security system; implement a simple, robust design.

22 Many Aspects of Security: Authorization, authentication, data integrity, and privacy issues. Firewalls are just one piece of the puzzle, alongside access management, host security, encryption, and policy.

23 Firewall System with Isolated LANs: Firewall systems prevent unauthorized and improper access from external networks. Public servers sit on the outside (public) LAN; private servers sit on the private LAN. Untrusted user: “I cannot access the private network.”

24 Additional Firewall Functionality: Network address translation, application proxy, packet filter, audit trail, login protection. The firewall system sits between the Internet (InterNIC-registered address) and the 10.0.0.0 network.

25 Disable All Unnecessary Features: Disable Telnet, TFTP, and proxy services on the firewall system – no VTYs, no TFTP, no finger; manage it from the physical console port. The outside filter controls the FTP and WWW traffic from the Internet to the public server.

26 Be Specific About Access Allowed: Allow specific services to specific hosts on the DMZ LAN only – HTTP to host B only, FTP to host A only, DNS to host C only.

27 Block Traffic from Firewall Routers and Hosts: Do not trust Telnet from firewall systems. Untrusted user: “I have cracked the firewall! Where can I get to from here?” Internal host: “I am getting a Telnet from the firewall! I guess that’s OK!”

28 Avoid IP Spoofing: Deny packets from outside your network that claim to have a source address inside your network – for network 131.108.0.0, filter inbound packets from the untrusted side whose source is 131.108.X.X.
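Added example (not from the presentation) for slides 16 and 28: a private-address classifier built from the three reserved blocks, and the anti-spoofing ingress rule applied to a few constructed packet records. The interface names, the 131.108.0.0/16 inside network and the sample records are assumptions for the demonstration.

```python
import ipaddress

# The three private blocks listed on slide 16.
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),       # 10.0.0.0 (1 Class A)
    ipaddress.ip_network("172.16.0.0/12"),    # 172.16.0.0 to 172.31.0.0 (16 Class B)
    ipaddress.ip_network("192.168.0.0/16"),   # 192.168.0.0 to 192.168.255.0 (256 Class C)
]


def is_private(addr):
    """True if `addr` is in a reserved private block, so it needs NAT to reach the Internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)


# Constructed: the network behind the filter on slide 28 (131.108.X.X).
INSIDE = ipaddress.ip_network("131.108.0.0/16")


def ingress_decision(arrival_iface, src, inside=INSIDE):
    """Anti-spoofing rule: a packet arriving on the outside interface must not
    carry a source address belonging to the inside network. Returns 'deny' or 'permit'."""
    if arrival_iface == "outside" and ipaddress.ip_address(src) in inside:
        return "deny"
    return "permit"


# Constructed sample packet records: (arrival interface, source, destination).
SAMPLE = [
    ("outside", "131.108.6.3", "131.108.1.10"),   # claims an inside source: spoofed
    ("outside", "203.0.113.7", "131.108.1.10"),   # legitimate external source
    ("inside", "131.108.6.3", "203.0.113.7"),     # inside host going out
]


def audit(records):
    """Apply the rule to each record; return the decisions and the number denied."""
    decisions = [(iface, src, ingress_decision(iface, src)) for iface, src, _ in records]
    return decisions, sum(1 for _, _, verdict in decisions if verdict == "deny")


if __name__ == "__main__":
    for addr in ("10.1.2.3", "172.31.0.9", "172.32.0.1", "192.168.5.5", "131.108.6.3"):
        print(addr, "private" if is_private(addr) else "registered")
    decisions, denied = audit(SAMPLE)
    for d in decisions:
        print(d)
    print("spoofed packets dropped:", denied)
```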

