Lecture 1 Slides


ICT372 Advanced Network Design and Implementation
Lecture 1

Unit Overview
Fundamental Routing Concepts and Routing Protocols

Agenda this Week
• Unit Overview: I will highlight important key items from the Unit Outline Handout and discuss how to succeed in the unit.
• Lecture

Lecture Topics
• Differentiating Routing Protocols
• Enterprise Network Architecture
• Routing Protocols
• Understanding Network Technologies
• Traffic Types
• Connecting Remote Locations
• Underlay vs Overlay Networks
• Types of VPNs
• MPLS Overview
• Virtual Routing and Forwarding (VRF)
• VPN Overview
• Tunnels
• Characteristics of a Secure VPN
• DMVPN and NHRP Concepts
• IPv6 Overview
• GUA
• Link-local address
• ICMPv6 ND
Enterprise Network Infrastructure
At a high level, a typical enterprise network can be divided into two major areas:
• Enterprise Campus
• Enterprise Edge

Data Centers
[Figure: traditional 3-tier architecture (core, aggregation, and access) topology alongside a 2-tier architecture (spine and leaf) topology]
Enterprise Network Infrastructure
• Enterprise Edge:
  • Provides:
    • Access to the Internet
    • Access to the same network services as users at the main site.

Levels of Internet Service Providers (ISP)
Tier-1 ISP: These ISPs are at the top of the hierarchy and have a global reach. They do not pay for any Internet traffic through their network; instead, lower-tier ISPs have to pay a cost for passing their traffic from one geolocation to another that is not within the reach of those ISPs.

Tier-2 ISP: These ISPs are service providers that connect tier 1 and tier 3 ISPs. They have regional or country reach, and they behave just like a Tier-1 ISP for Tier-3 ISPs.

Tier-3 ISP: These ISPs are closest to the end users and help them connect to the Internet by charging some money.

NTT DATA (Tier 1) Internet Service Provider

Traceroute Through the NTT Network
Example of a Modern Corporate Network Today

Another Example of a Modern Corporate Network

Role of Dynamic Routing Protocols
Routing protocols provide:
• Network reachability between routers
• Dynamic adaptation to network changes

• Best practice is that you use one IP (IGP) routing protocol throughout the enterprise.
  • OSPF or EIGRP
• Multiple routing protocols (IGP and BGP) are used when the organization is multihomed to two or more ISPs for Internet connectivity.
  • BGP with ISP

Choosing a Dynamic Routing Protocol
• Input (network) requirements
  • Size of the network (scalability)
  • Vendor interoperability
  • Familiarity
  • What’s currently being used
• Protocol characteristics:
  • IGP or EGP
  • Type of routing algorithm
  • Speed of convergence
  • Scalability
  • Summarization
IGP versus EGP
• Interior Gateway Protocols (IGP): These are used within the organization, and they exchange the routes within an AS.
  • RIP
  • EIGRP
  • OSPF
  • IS-IS
• Exterior Gateway Protocols (EGP): Used to exchange routes between different ASs.
  • BGP is the only EGP that is used today.

Types of Routing Protocols
     | Interior Gateway Protocols                        | Exterior Gateway Protocols
     | Distance Vector       | Link State                | Path Vector
IPv4 | RIPv2, EIGRP          | OSPFv2, IS-IS             | BGP-4
IPv6 | RIPng, EIGRP for IPv6 | OSPFv3 *, IS-IS for IPv6  | BGP-4 for IPv6 or MP-BGP
* OSPFv3 supports routing both IPv4 and IPv6.
Distance Vector Routing Protocols
• What does a street sign like this tell you?
  • How far (distance)
  • Which way (direction)
• Distance vector
  • Routes are advertised as vectors of distance and direction.
  • Distance is defined in terms of a metric
    • Such as hop count
  • Direction is simply the:
    • Next-hop router or
    • Exit interface
• Typically use the Bellman-Ford algorithm for the best-path (shortest) route determination

Link-State Protocols
• A link-state routing protocol can create a “complete view,” or topology, of the network.
• Link-state protocols are associated with Shortest Path First (SPF) calculations.
• A link-state router uses the link-state information to:
  • Create a topology map
  • Select the best path to all destination networks in the topology.
• Each router makes the decision!
Link-state routing protocols are like having a complete map of the network topology.

Path vector protocols
• Path vector protocols:
  • Exchange information about:
    • The existence of destination networks
    • The path on how to reach the destination
  • Path information is used to determine the best paths and to prevent routing loops.
Convergence
• Convergence is when a network has complete and accurate information about the entire network
• Convergence time is how fast network devices can reach the state of convergence after a topology change.
• Convergence time is affected by:
  • Routing protocol timers
  • Route summarization

Route Protocol Scalability
• Scalability describes the ability of a routing protocol to support further network growth.
• Scalability factors include:
  • Number of routes
  • Number of adjacent neighbors
  • Number of routers in the network
  • Addressing scheme
  • Network design
  • Frequency of changes
  • Available resources (CPU and memory)
• Hierarchical addressing, structured address assignment, and route summarization improve the overall scalability regardless of routing protocol type.
Traffic Types
• Destination IP address: A device can send traffic to one recipient, to selected recipients, or to all devices within a subnet at the same time.
• Routing protocols use different traffic types to control how routing information is exchanged.
• Unicast: Unicast addresses are used in a one-to-one context.
• Multicast: Multicast addresses identify a group of interfaces.
  • Traffic that is sent to a multicast address is sent to multiple destinations at the same time.
• Anycast: An anycast address is assigned to an interface on more than one node.
  • When a packet is sent to an anycast address, it is routed to the nearest interface that has this address.
• Broadcast: IPv4 broadcast addresses are used when sending traffic to all devices in the subnet.

Well-known IPv4 and IPv6 multicast addresses used by routers
• Notice the relationship between IPv4 and IPv6 multicast addresses.

Underlay vs Overlay Networks

Using VPNs
[Figure: sites connected across MPLS and Internet clouds]
• What kind of connection?
  • Traditionally leased lines or frame relay.
    • Takes time to provision
  • VPNs
    • Easy to provision
    • Used over different technologies
    • Can provide security

Types of VPNs
[Figure: sites connected across MPLS and Internet clouds]
• Types of VPNs used for remote access:
  • MPLS-based VPN
  • Tunnel-based VPN (sometimes referred to as IPsec VPNs, but it doesn’t have to be IPsec)
  • Hybrid VPN (combination)
• Focus on VPN tunnels

MPLS overview
• MPLS (Multi-protocol label switching) is a switching mechanism.
• A 32-bit header (label) is inserted by the provider edge (PE) router.
• Packets are switched through the MPLS network.
• The label is removed by the PE at the other end of the MPLS network.
• To the customer, it looks like a Layer 2 or Layer 3 connection.

Virtual Routing and Forwarding (VRF)
• A pure IP alternative to MPLS is VRFs
• Virtual Routing and Forwarding (VRF) is a technology that allows a device to have multiple but separate instances of routing tables that exist and work simultaneously.
• VRF-Lite makes it easier
VPN Overview
• VPNs enable the exchange of information over a public (or private) network as if remote hosts were connected to the same private network.
• Similar to leased lines.
• The majority of VPN technologies also support routing protocols.
• VPNs use tunnels.

Tunnels
• Tunnels encapsulate a protocol inside another protocol
  • Example: Encapsulating an IP packet inside another IP packet
  • Why? Perhaps to hide/protect/encrypt the inner packet.
• Tunnels are created using one of:
  • IPsec
  • Generic Routing Encapsulation (GRE) - Cisco
  • Point to Point Tunneling Protocol (PPTP) - Microsoft
  • Layer 2 Tunnel Protocol (L2TP)
  • Layer 2 Forwarding (L2F) Protocol - Cisco

• GRE tunnel – Can appear to be Layer 2 (switch in the middle) or Layer 3 adjacent (router in the middle)
• Packets are sent out the logical tunnel interface instead of the physical interface
• Encapsulates almost anything, including multicast (for routing protocols), but provides no security
  • Need IPsec for security
• Why not use IPsec only?
  • IPsec is unicast only

[Figure: IPsec transport mode between two hosts]
Transport mode:
• When IPsec headers are simply inserted in an IP packet (after the IP header), the original IP header is exposed and unprotected.
• Data at the transport layer and higher layers benefits from the implemented IPsec features.
• Transport mode protects the transport layer and up.

[Figure: IPsec tunnel mode between two routers]
Tunnel mode:
• The actual IP addresses of the original IP header, along with all the data within the packet, are protected.
• Tunnel mode creates a new external IP header that contains the IP addresses of the tunnel endpoints (such as routers or VPN Concentrators).
• The exposed IP addresses are the tunnel endpoints, not the IP addresses of the devices that sit behind the tunnel endpoints.

• VPN technologies that use virtual tunnels
  • GRE (appears Layer 2 adjacent)
  • DMVPN – Dynamic Multipoint VPN
    • Good for hub and spoke – communications between spokes without going through the hub
    • Uses multipoint GRE
    • GRE by itself doesn’t encrypt but can use IPsec
IPv6 Address Types
IPv6 Addresses
• Unicast
  • Global Unicast: 2000::/3 to 3FFF::/3
  • Link-Local: FE80::/10 to FEBF::/10
  • Loopback: ::1/128
  • Unspecified: ::/128
  • Unique Local: FC00::/7 to FDFF::/7
  • Embedded IPv4: ::/80
• Multicast
  • Assigned: FF00::/8
  • Solicited-Node: FF02::1:FF00:0000/104
• Anycast
IPv6 does not have a “broadcast” address.

Global Unicast Address Range
Fields: Global Routing Prefix | Subnet ID | Interface ID
First three bits: 001
Range: 2000::/3 (0010 0000 0000 0000 ::) to 3FFF::/3 (0011 1111 1111 1111 ::)
• Global Unicast Address (GUA)
  • 2000::/3 (2000::/3 to 3FFF::/3)
  • 1/8th of IPv6 address space
[Figure: IANA’s allocation of IPv6 address space in 1/8th sections]

Parts of a Global Unicast Address
IPv4 Unicast Address (32 bits, prefix length /?): Network portion | Subnet portion | Host portion
IPv6 Global Unicast Address (128 bits): Global Routing Prefix (up to /48) | 16-bit Fixed Subnet ID (up to /64) | Interface ID
• 64-bit Interface ID = 18 quintillion (18,446,744,073,709,551,616) devices/subnet
• 16-bit Subnet ID = 65,536 subnets
/64 Global Unicast Address and the 3-1-4 Rule
Global Routing Prefix (up to /48) | Subnet ID (up to /64) | Interface ID
3 x 16 bits                       | 1 x 16 bits           | 4 x 16 bits
2001 : 0DB8 : CAFE                | 0001                  | 0000 : 0000 : 0000 : 0100

3 + 1 = 4 (/64) : 4
2001:0DB8:CAFE:0001:0000:0000:0000:0100/64
2001:0DB8:CAFE:0001::100/64

Static GUA Configuration
[Figure: router R1 (:1 on each interface; G0/0, S0/0/0) with networks 2001:DB8:CAFE:1::/64, 2001:DB8:CAFE:2::/64 and 2001:DB8:CAFE:3::/64, and hosts A and B at :100]
Callout: “I love the 3-1-4 rule and subnetting IPv6!”
R1(config)#interface gigabitethernet 0/1
R1(config-if)#ipv6 address 2001:db8:cafe:2::1/64
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ipv6 address 2001:db8:cafe:3::1/64
R1(config-if)#no shutdown
R1(config-if)#exit

Unlike IPv4, IPv6 does not associate the all-zeroes and all-ones Interface IDs (host portion) with the subnet and broadcast addresses; both are valid IPv6 device addresses.
IPv6 Address Allocation
Fields: Global Routing Prefix | Subnet ID | Interface ID
Callout: “I am getting a /64 at home”
Prefix length | Allocation
/23           | RIR *
/32           | ISP Prefix *
/48           | Site Prefix *
/56           | Possible Home Site Prefix
/64           | Subnet Prefix
* This is a minimum allocation. The prefix-length may be less if it can be justified.

PI versus PA Address Space
Fields (boundaries marked at /32 and /48): Global Routing Prefix | Subnet ID | Interface ID

Provider Independent (PI) Address Space
• Address space that is assigned by the RIR.
• Remains assigned to the customer regardless of provider
• No prefix renumbering needed if the customer changes providers
Provider Aggregatable (PA) Address Space
• Address space that is typically assigned by an ISP to a customer.
• If the customer changes provider, it must get new address space
• Customer must do prefix renumbering (Helpful IETF RFCs)
Link-Local Unicast Range
Fields: First 10 bits (1111 1110 10xx xxxx) | Remaining 54 bits | 64-bit Interface ID
Range: FE80::/10 (1111 1110 1000 0000 ::) to FEBF::/10 (1111 1110 1011 1111 ::)

Link-local Unicast
• Link – Network segment
• Link-local means local to that link or network.

Link-Local Unicast Address
Link-Local Communications
• Used to communicate with other devices on the link.
• Are NOT routable off the link (network).
• Only have to be unique on the link.
• Not included in the IPv6 routing table.
• An IPv6 device must have at least a link-local address.

Link-Local Unicast Address
Fields: First 10 bits (1111 1110 10xx xxxx) | Remaining 54 bits | 64-bit Interface ID
FE80::Interface ID
Link-local addresses are created:
• Automatically:
  • FE80 (usually) – First 10 bits
  • Interface ID
    • EUI-64 (Cisco routers)
    • Random 64 bits (many host operating systems)
• Static (manual) configuration

Automatic Link-Local Address using EUI-64
[Figure: router R1 with interfaces G0/0, G0/1 and S0/0/0]
R1# show interface gigabitethernet 0/0
GigabitEthernet0/0 is up, line protocol is up
Hardware is CN Gigabit Ethernet, address is fc99.4775.c3e0 (bia fc99.4775.c3e0)
<Output Omitted>

Link-local address: FE80:: followed by the 64-bit Interface ID

A 64-bit Interface ID is created with EUI-64 using:
• 48-bit MAC address
• Inserting 16 bits: FF-FE
• Flipping the U/L (Universal/Local) bit

Modified EUI-64 Format (Extended Unique Identifier–64)
MAC address: OUI (24 bits) FC 99 47 | Device Identifier (24 bits) 75 C3 E0
Insert FF-FE: FC 99 47 FF FE 75 C3 E0
U/L bit flipped: FC (1111 1100) becomes FE (1111 1110)
Result: FE 99 47 FF FE 75 C3 E0

Verifying the Router’s Link-Local Address
[Figure: router R1 with interfaces G0/0, G0/1 and S0/0/0]
R1# show interface gigabitethernet 0/0
GigabitEthernet0/0 is up, line protocol is up
Hardware is CN Gigabit Ethernet, address is fc99.4775.c3e0 (bia fc99.4775.c3e0)
<Output Omitted>
R1#show ipv6 interface brief
GigabitEthernet0/0 [up/up]
FE80::FE99:47FF:FE75:C3E0
2001:DB8:CAFE:1::1
GigabitEthernet0/1 [up/up]
FE80::FE99:47FF:FE75:C3E1
2001:DB8:CAFE:2::1
Serial0/0/0 [up/up]
FE80::FE99:47FF:FE75:C3E0
2001:DB8:CAFE:3::1
R1#
Callouts on the output:
• FF:FE = EUI-64 (most likely)
• Wait! Two link-locals are the same! Link-local addresses only have to be unique on the link.
• Serial interfaces will use a MAC address of an Ethernet interface.
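
Added example (not from the original slides): the modified EUI-64 steps in Python, deriving R1's link-local address from the MAC fc99.4775.c3e0 and, in reverse, recovering the MAC from an address whose Interface ID carries FF:FE. The function names are this example's own; as the slide notes, FF:FE only makes EUI-64 likely, so a recovered MAC is a hint rather than proof.

```python
import ipaddress


def mac_to_bytes(mac):
    """Parse fc99.4775.c3e0, fc:99:47:75:c3:e0 or fc-99-47-75-c3-e0."""
    digits = "".join(ch for ch in mac if ch not in ".:-")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac):
    """48-bit MAC -> 64-bit modified EUI-64 Interface ID."""
    raw = mac_to_bytes(mac)
    first = raw[0] ^ 0x02  # flip the U/L bit of the first byte: FC -> FE
    # OUI (with flipped bit) + inserted FF-FE + device identifier
    return bytes([first]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def link_local_from_mac(mac):
    """FE80::/64 prefix followed by the EUI-64 Interface ID."""
    prefix = bytes.fromhex("fe80") + bytes(6)  # FE80, then 48 zero bits
    return ipaddress.IPv6Address(prefix + eui64_interface_id(mac))


def mac_from_address(addr):
    """Return the MAC an EUI-64 Interface ID was built from, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]  # low 64 bits
    if iid[3:5] != b"\xff\xfe":
        return None  # no FF:FE marker: static or random Interface ID
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]  # undo both steps
    return ":".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    print(link_local_from_mac("fc99.4775.c3e0"))
    # Addresses taken from the show ipv6 interface brief output on the slide.
    for addr in ("FE80::FE99:47FF:FE75:C3E0",
                 "FE80::FE99:47FF:FE75:C3E1",
                 "2001:DB8:CAFE:1::1"):
        print(addr, "->", mac_from_address(addr))
```

An address built this way carries the interface's hardware address in every packet it sources, which is why the reverse function is useful when reviewing captures or logs.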

Static Link-Local Addresses
[Figure: router R1 with FE80::1 on G0/0, G0/1 and S0/0/0]
Static addresses are more easily remembered and recognizable.
R1(config)#interface gigabitethernet 0/0
R1(config-if)#ipv6 address fe80::1 ?
link-local Use link-local address

R1(config-if)#ipv6 address fe80::1 link-local
R1(config-if)#exit
R1(config)#interface gigabitethernet 0/1
R1(config-if)#ipv6 address fe80::1 link-local
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ipv6 address fe80::1 link-local
R1(config-if)#
Callout: Link-local addresses only have to be unique on the link!

Unicast Addresses
• Loopback Address
  • ::1/128
  • Used by a node to send an IPv6 packet to itself, typically when testing the TCP/IP stack.
  • Same functionality as IPv4 loopback 127.0.0.1
  • Not routable.
• Unspecified Address
  • :: (all-0s)
  • Indicates the absence or anonymity of an IPv6 address (RA source address)

Unicast Addresses
Note: Site-local addresses (FEC0::/10) have been deprecated.
• Unique Local Address
  • FC00::/7 (FC00::/7 to FDFF::/7)
  • Similar to RFC 1918 IPv4 addresses but …
    • Not meant to be translated to a global unicast (for security purposes)
    • IETF does not support the concept of translating a “private IPv6” address to a “public” IPv6 address... but there are exceptions
  • Should not be routable in the global Internet.
  • To be used in a more limited area such as within a site or devices inaccessible from the global Internet.
  • FC00::/7 – 1111 110x (x = local flag bit)
    • FC00::/8 (x = 0) - /48 prefix assigned using RFC 4193 algorithm (dormant)
    • FD00::/8 (x = 1) - /48 prefix locally assigned.

ICMPv6 and ICMPv6-ND
Internet Control Message Protocol for IPv6
• ICMPv6 is defined in RFC 4443.
• ICMPv6 Neighbor Discovery is described in RFC 4861.
• Much more robust than ICMP for IPv4.
• Contains new functionality and improvements.
• More than just “messaging” but “how IPv6 conducts business”.

All ICMPv6 messages: IPv6 Main Header (Next Header 58) | ICMPv6 Header | Data

ICMPv6 Neighbor Discovery Protocol
ICMPv6 Neighbor Discovery defines 5 different packet types:
Router-Device Messaging (used with dynamic address allocation):
• Router Solicitation Message
• Router Advertisement Message
Device-Device Messaging (used with address resolution (IPv4 ARP)):
• Neighbor Solicitation Message
• Neighbor Advertisement Message
Router-to-Device messaging (similar to ICMPv4 redirect message):
• Redirect Message

Route Selection for Routers
Build the Routing Table
The main considerations when you build the routing table are:

Administrative Distance: This is the measure of trustworthiness of the source of the route. If a router learns about a destination from more than one routing protocol, the administrative distances are compared and preference is given to the route with the lower administrative distance.

Metrics: This is a measure used by the routing protocol to calculate the best path to a given destination if it learns multiple paths to the same destination. Each routing protocol uses a different metric.

Prefix length

Route Selection for Routers
Assume, again, that a router has three routing processes (RIP, EIGRP and OSPF), and each process has received these routes:

EIGRP: 192.168.32.0/24 (AD 90)
RIP: 192.168.32.0/24 (AD 120)
OSPF: 192.168.32.0/24 (AD 110)

Which of these routes will be installed in the routing table?

Route Selection for Routers
Assume, again, that a router has three routing processes (RIP, EIGRP and OSPF), and each process has received these routes:

EIGRP: 192.168.32.0/19 (AD 90)
RIP: 192.168.32.0/24 (AD 120)
OSPF: 192.168.32.0/26 (AD 110)

Which of these routes can be installed in the routing table?
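
Added example (not from the original slides): a small Python model of the two considerations that act across routing protocols, administrative distance and prefix length, run on both sets of routes from the slides. The names build_routing_table and lookup are chosen for this example, and metric comparison is assumed to have already happened inside each routing process.

```python
import ipaddress

# The two sets of candidate routes from the slides: (protocol, prefix, AD).
SAME_PREFIX = [
    ("EIGRP", "192.168.32.0/24", 90),
    ("RIP", "192.168.32.0/24", 120),
    ("OSPF", "192.168.32.0/24", 110),
]
DIFFERENT_PREFIXES = [
    ("EIGRP", "192.168.32.0/19", 90),
    ("RIP", "192.168.32.0/24", 120),
    ("OSPF", "192.168.32.0/26", 110),
]


def build_routing_table(candidates):
    """Install one route per distinct prefix, preferring the lowest AD.

    Routes compete on administrative distance only when network AND
    prefix length are identical; otherwise they are different destinations.
    """
    table = {}
    for protocol, prefix, ad in candidates:
        net = ipaddress.ip_network(prefix)
        installed = table.get(net)
        if installed is None or ad < installed[1]:
            table[net] = (protocol, ad)
    return table


def lookup(table, destination):
    """Forwarding decision: longest matching prefix wins, whatever its AD."""
    dest = ipaddress.ip_address(destination)
    matches = [net for net in table if dest in net]
    if not matches:
        return None  # no route (and no default route installed)
    best = max(matches, key=lambda net: net.prefixlen)
    return table[best][0], str(best)


if __name__ == "__main__":
    for name, routes in (("same prefix", SAME_PREFIX),
                         ("different prefixes", DIFFERENT_PREFIXES)):
        table = build_routing_table(routes)
        print(name, "->", {str(n): v for n, v in table.items()})
        for dest in ("192.168.32.1", "192.168.32.100", "192.168.40.1"):
            print("  ", dest, "->", lookup(table, dest))
```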


Special Thanks to Rick Graziani for allowing me to use many of his slides.
