This blog post covers the following network design topics:
- Summarizable and structured addressing designs
- IPv6 for Enterprise Campus design considerations
When designing IP addressing at a professional level, several issues must be taken into consideration. This blog post will cover generic IP addressing designs, including subnets and summarizable blocks design recommendations, address planning, and advanced addressing concepts, in addition to IPv6 design considerations, which will be covered in the last section of the post.
Importance of IP Addressing for Network Design
One of the major concerns in the network design phase is ensuring that the IP addressing scheme is properly designed. This aspect should be carefully planned and an implementation strategy should exist for the structural, hierarchical, and contiguous allocation of IP address blocks. A solid addressing scheme should be hierarchical, structural, and modular.
These features add value to the continually evolving Enterprise Campus design and are also important for scaling any dynamic routing protocol. A solid IP addressing scheme helps routing protocols such as RIPv2, EIGRP, OSPF, and BGP function optimally. Designing the address plan so that it can be summarized provides several advantages for the network:
- Shorter Access Control Lists (ACLs)
- Reduced overhead on routers (the performance difference is noticeable, especially on older routers)
- Faster convergence of routing protocols
- Summarized address blocks help isolate trouble domains
- Overall improvement of network stability
Address summarization is also important when addresses from one routing domain must be redistributed into another, as it affects both the configuration effort and the routing processing overhead. In addition, a solid IP addressing scheme not only makes ACLs easier to implement and more efficient for security, policy, and QoS purposes, but also facilitates advanced policy techniques (such as zone-based policy firewalls), where modular components and object groups can be built directly on top of the defined IP addressing scheme.
Solid IP address planning supports several features in an organization:
- Route summarization
- A more scalable network
- A more stable network
- Faster convergence
Subnet Network Design Recommendations
The growing importance of IP addressing is reflected in newer requirements that demand more careful address planning, as the following examples illustrate:
- The transition to VoIP Telephony and the additional subnet ranges required to support voice services. Data and voice VLANs are usually segregated, and in some scenarios, twice as many subnets may be needed when implementing Telephony in the network.
- Layer 3 switching at the edge, replacing Layer 2 switches with multi-layer switches. This requires more subnets at the Enterprise Edge, so the number of smaller subnets increases. Re-addressing should be kept to a minimum, and efficient use of the address space should be a priority. Sometimes, moving Layer 3 switching to the edge requires a redesign of the IP addressing hierarchy.
- The company’s needs are changing and sometimes servers will be isolated by functions or roles (also called segmentation). For example, the accounting server, the development subnets, and the call-center subnets can be separated from an addressing standpoint. Identifying the subnets and ACLs based on corporate requirements can also add complexity to the environment.
- Many organizations use technologies like Network Admission Control (NAC), Cisco 802.1x (IBNS), or Microsoft NAP. These deployments dynamically assign VLANs based on the user login or port-based authentication. In this situation, an ACL can manage connectivity to different servers and network resources based on the source subnet (which in turn reflects the user role). Using NAC over a wired or wireless network adds complexity to the IP addressing scheme.
- Many network topologies involve having separated VLANs (i.e., data, voice, and wireless). Using 802.1x may also involve a guest VLAN or a restricted VLAN, and authorization policies can be assigned based on VLAN membership from an Authentication, Authorization, and Accounting (AAA) server.
- Using role-based security techniques might require different sets of VPN clients, such as administrators, customers, vendors, guests, or extranets, so different groups can be implemented for different VPN client pools. This role-based access can be managed through a group password technique for each Cisco VPN client; every group can be assigned a VPN endpoint address from a different pool of addresses. If the pools are subnets of a summarizable block, then routing traffic back to the client can also be accomplished in a simplified fashion.
- Network designers should also consider that Network Address Translation (NAT) and Port Address Translation (PAT) can be applied on customer edge devices (often on a PIX firewall or an ASA). NAT and PAT should not be used internally on the LAN or within the Enterprise Network, so that troubleshooting stays simple. One accepted internal use is in a data center, to support an Out-of-Band (OOB) management VLAN for devices that cannot route or cannot be given a default gateway on the management VLAN.
You can read Cisco's network design guide here.
After planning the IPv4 addressing scheme and determining the number and types of addresses required, a hierarchical design may be necessary. Such a design is the scalable solution for a large organization, and it relies on address summarization. Summarization takes a series of network prefixes and represents them as a single summary address, which reduces the number of routes in the routing table and, with it, the CPU load and memory utilization on network devices. It also reduces processing overhead because routers advertise a single prefix instead of many smaller ones.
A summarizable block is a run of consecutive network numbers in one of the octets. The run must fit a binary bit pattern: X numbers in a row, where X is a power of 2, and the first number in the run must be a multiple of X. For example, 128 numbers in a row can be summarized only if the run starts at 0 or 128. If there are 64 numbers in a row (2^6), the run must start at a multiple of 64, such as 0, 64, 128, or 192, and 32 numbers in a row must start at 0, 32, 64, and so on. This check can be done quickly with a subnet calculator.
Another planning aspect of summarizable blocks involves medium or large blocks of server farms or data centers. Servers can be grouped based on their functions and on their level of mission criticality, and they can all be in different subnets. In addition, with servers that are attached to different Access Layer switches, it is easier to assign subnets that will provide a perfect pattern for wildcarding in the ACLs. Simple wildcard rules and efficient ACLs are desired, as complex ACLs are very difficult to deal with, especially for new engineers who must take over an existing project.
When implementing the hierarchical addressing scheme for network design, it is important to have a good understanding of the math behind it and how route summarization works. Below is an example of combining a group of Class C addresses into an aggregate address. Summarization is a way to represent several networks in a single summarized route. In a real-world scenario, a subnet calculator can be used to automatically generate the most appropriate aggregate route from a group of addresses.
In this example, the Enterprise Campus backbone (Core Layer) submodule is connected to several other buildings. In a single building, there are several networks in use:
- A network for the server farm
- A network for the management area
- A few networks for the Access Layer submodule (that serve several departments)
The goal is to take all of these networks and aggregate them into one single address that can be stored at the edge distribution submodule or at the Core Layer of the network. The first thing to understand when implementing a hierarchical addressing structure is the use of contiguous blocks of IP addresses. In this example, the eight consecutive Class C networks 192.100.0.0 through 192.100.7.0 are used.
In this scenario, network design summarization will be based on a location where all of the uppermost bits are identical. Looking at the first address above, the first 8 bits equal the decimal 192, the next 8 bits equal the decimal 100, and the last 8 bits are represented by 0. The only octet that changes is the third one; to be more specific, only the last 3 bits in that octet change when going through the address range.
The summarization process requires writing the third octet in binary and then looking for the bits that are common on the left side. In the example above, all of the bits are identical up to the last three bits of the third octet. With 21 identical bits, all of the addresses are summarized as 192.100.0.0/21.
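The summarization math above, and the "X in a row, starting at a multiple of X" rule from earlier, can be checked mechanically. The following is an added example written for this post, not code from the original article or from Cisco; the eight 192.100.x.0/24 networks are the ones from the example above, and the `access-list 10` line it prints is only there to show why a summarizable block shortens an ACL:

```python
import ipaddress


def is_summarizable_block(first, count):
    """Apply the rule from the text to a run of consecutive network numbers in
    one octet: the run length must be a power of two and the first number in
    the run must be a multiple of that length."""
    power_of_two = count > 0 and (count & (count - 1)) == 0
    return power_of_two and first % count == 0


def summarize(prefixes):
    """Find the single prefix covering every network in `prefixes`.

    Works the way the text describes: write the lowest and highest addresses
    in binary and keep the leading bits they share; the first bit that differs
    is where the summary mask ends. Returns (summary, exact), where `exact` is
    True only when the component networks tile the summary with no gaps, i.e.
    the summary does not advertise space that is not actually behind this router.
    """
    nets = [ipaddress.IPv4Network(p) for p in prefixes]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    # Every bit that differs between lo and hi lies to the right of the
    # common prefix, so the mask length is 32 minus the width of lo XOR hi.
    prefix_len = 32 - (lo ^ hi).bit_length()
    summary = ipaddress.IPv4Network((lo, prefix_len), strict=False)
    # collapse_addresses merges adjacent networks; it yields exactly the
    # summary when, and only when, the components cover it completely.
    exact = list(ipaddress.collapse_addresses(nets)) == [summary]
    return summary, exact


def acl_wildcard(network):
    """Render a network as the 'address wildcard' pair used in Cisco-style
    ACLs: one line covers the whole summarizable block."""
    net = ipaddress.IPv4Network(network)
    return f"{net.network_address} {net.hostmask}"


if __name__ == "__main__":
    building = [f"192.100.{i}.0/24" for i in range(8)]
    summary, exact = summarize(building)
    print(summary, "exact" if exact else "covers extra space")
    print("access-list 10 permit", acl_wildcard(summary))
    # A run that starts on the wrong boundary cannot be summarized cleanly,
    # and a gap in the run makes the summary claim space that is not there.
    print(is_summarizable_block(64, 64), is_summarizable_block(32, 64))
    print(summarize(["192.100.3.0/24", "192.100.4.0/24"]))
```

The `exact` flag is the check worth keeping: a summary that is not exact still routes, but it attracts traffic for prefixes that do not exist behind the summarizing router, which is the same mechanism that causes the discontiguous-network problem discussed later in this post.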
After deciding on a hierarchical addressing design and understanding the math involved in this process, the next approach will be a modular and scalable design, which will involve deciding how to divide the organization (i.e., Enterprise Network modules, submodules, and remote locations) in terms of addressing. This includes deciding whether to apply a hierarchical address to each module/submodule or to the entire Enterprise Network.
Another aspect to consider is how summarization affects the routing protocols in use. Summarization reduces the size of the routing tables and the processor and memory utilization on routers, and it offers much faster convergence of the routed network. The most important advantages of route aggregation are the following:
- Lower device processing overhead
- Improved network stability
- Ease of future growth
Figure 1 below offers another example of a large organization network design using a campus with multiple buildings:
Figure 1 – Network Design Addressing for a Large Organization with Multiple Buildings
The internal private addressing will use the popular 10.0.0.0/8 range. Within the organization’s domain, two separate building infrastructures (on the same campus or in remote buildings) will be aggregated using the 10.128.0.0/16 and 10.129.0.0/16 ranges.
|Note: The 10.128.0.0 and 10.129.0.0 ranges are used instead of 10.1.0.0 or another low second octet because many organizations already use those lower ranges, and there would be problems if the company acquired another company that uses one of them. Choosing the higher ranges minimizes the chance of overlap when merging other infrastructures into the network.|
Going deeper within each building, the addressing scheme can be broken down by department, using networks such as 10.128.1.0/24 and 10.128.2.0/24 in one building and 10.129.1.0/24 and 10.129.2.0/24 in the other. Because the design is scalable, another tier could be inserted above the departmental subnets, for example within a 10.129.0.0/21 block. Beyond that point lie the Enterprise Edge module and its various submodules (e.g., e-commerce, Internet connectivity, etc.), which can have point-to-point connections to different ISPs. Variable Length Subnet Masking (VLSM) can be used to break the addressing scheme down further.
To summarize, from a network designer standpoint, it is very important to tie the addressing scheme to the modular Enterprise Network design. The advantages of using route summarization and aggregation are numerous but the most important ones are as follows:
- Isolates changes to the topology to a particular module
- Isolates routing updates to a particular module
- Fewer updates need to be sent up the hierarchy (preventing all of the updates from going through the entire network infrastructure)
- Lower overall recalculation of the entire network when links fail (e.g., a change in a routing table does not converge to the entire network); for example, route flapping in a particular department is constrained within the specific department and does not have a cascading effect on other modules (considering the example above)
- Narrow scope of route advertisement propagation
- Summarized module is easier to troubleshoot
|Note: The ultimate route summary is the default route, which summarizes everything. This can be created automatically using routing protocols or manually using the “ip route 0.0.0.0 0.0.0.0 <interface>” command.|
Routing Protocols and Summarization for Network Design
Different routing protocols handle summarization in different manners. Routing Information Protocol (RIP) version 2 (RIPv2) has classful origins (it summarizes by default), although it can act in a classless manner because it sends subnet mask information in the routing updates.
Because of its classful origins, RIPv2 performs automatic summarization on classful boundaries, so any time RIPv2 is advertising a network across a different major network boundary, it summarizes to the classful mask without asking for permission. This can lead to big problems in the routing infrastructure of discontiguous networks. RIPv2’s automatic summarization behavior should be disabled in many situations to gain full control of the network routing operations.
In addition to automatic summarization, RIPv2 allows manual route summarization to be configured at the interface level. The recommendation is to disable automatic summarization and configure manual summarization where necessary. RIPv2 does not, however, allow summarization beyond the classful boundary. The next example involves the following prefixes:
RIPv2 will not allow these Class C networks to be summarized into a /22, because a /22 is shorter than the classful /24 mask and would mean summarizing beyond the class. This is a limitation inherited from the classful origin of RIP.
EIGRP functions similar to RIPv2 regarding summarization, as EIGRP also has classful origins because it is an enhanced version of the Interior Gateway Routing Protocol (IGRP). EIGRP automatically summarizes on classful boundaries and, just like with RIPv2, this feature can be disabled and manual summarization can be configured on specific interfaces. The biggest issue with this behavior is that there might be discontiguous networks and this could cause problems with any of the automatic summarization mechanisms described.
Figure 2 – Discontiguous Network Issue
An example of a discontiguous network issue is illustrated in Figure 2 above. The 172.16.10.0/24 subnet is on the left side and the 172.16.12.0/24 subnet is on the right side. These networks are separated by a different major network in the middle (172.20.60.0/24), which causes the problem. With EIGRP applied in this scenario, automatic summarization is enabled by default, so both edge routers advertise the classful summary 172.16.0.0 toward the middle router. That router now holds two equal routes to 172.16.0.0 and load-shares between them, sending some packets to the left and some to the right, so traffic for any given destination goes the wrong way part of the time. To solve this issue, automatic summarization should be disabled in discontiguous networks. The better fix is to design the addressing so that no discontiguous subnets exist in the first place.
|Note: RIPv1 and IGRP are classful protocols and cannot disable automatic summarization at all. Where they cannot be replaced with a modern routing protocol, discontiguous network issues can only be worked around using static routes.|
OSPF does not have an automatic summarization feature but two different forms of summarization can be designed:
- Summarization between the internal areas
- Summarization from another separate domain
Two separate commands are used to handle these different summarization types (area range on an Area Border Router for inter-area summaries, summary-address on an ASBR for external summaries). Summarizing from one area to another produces a Type 3 Link-State Advertisement (LSA). Summarizing from another domain involves two LSA types: a Type 4 LSA, which advertises the existence of the summarizing device (the OSPF Autonomous System Border Router, ASBR), and the summary itself, carried in a Type 5 LSA.
Border Gateway Protocol (BGP) uses a single type of summarization, called aggregation, which is configured within the BGP routing process (aggregate-address). BGP also used to summarize redistributed routes to their classful boundary automatically, just like RIPv2 and EIGRP, but this behavior (auto-summary) has been disabled by default since Cisco IOS release 12.2(8)T.
Variable Length Subnet Masking and Structured Addressing
A structured addressing plan relies on Variable Length Subnet Masking (VLSM), which all modern routing protocols handle easily. VLSM provides efficiency by producing an addressing plan that does not waste address space (i.e., it assigns only the number of addresses needed for a given subnetwork). VLSM also lends itself to efficient summarization. The most important benefits of VLSM and summarization include the following:
- Less CPU utilization on network devices
- Less memory utilization on network devices
- Smaller convergence domains
Figure 3 – VLSM Example (Part 1)
VLSM works by taking unused subnets from the address space and subnetting them further. Figure 3 above starts with the major network 172.16.0.0/16 (not shown in the figure), which is initially subnetted with a 24-bit mask, giving two large subnets on the two router interfaces (Fa0/0 and Fa0/1): 172.16.1.0/24 and 172.16.2.0/24, respectively. Two key formulas are used when calculating the number of subnets and hosts with VLSM. The split between subnet and host bits is shown below in Figure 4:
Figure 4 – VLSM Subnet and Host Split
The formula for the number of subnets is 2^s, where "s" is the number of borrowed subnet bits. In Figure 3 above, the network went from a /16 to /24 subnets by borrowing 8 bits, so 2^8 = 256 subnets can be created with this scheme.
The formula for the number of hosts in a subnet is 2^h - 2, where "h" is the number of host bits. Two addresses are subtracted because the all-zeros host portion is the network address itself and the all-ones host portion is the broadcast address for the segment, as illustrated below:
- Network addresses (all zeros in the host portion): 172.16.1.0 and 172.16.2.0
- Broadcast addresses (all ones in the host portion): 172.16.1.255 and 172.16.2.255
After subnetting the 172.16.0.0/16 address space into /24s such as 172.16.1.0/24 and 172.16.2.0/24, further subnetting might be needed to accommodate smaller networks. This is done by taking one of the next available /24 subnets, for example 172.16.3.0/24, and splitting it with a /27 mask, which yields the following eight subnets:
- 172.16.3.0/27
- 172.16.3.32/27
- 172.16.3.64/27
- 172.16.3.96/27
- 172.16.3.128/27
- 172.16.3.160/27
- 172.16.3.192/27
- 172.16.3.224/27
The /27 subnets suit smaller networks and can accommodate the number of machines in those areas: 2^5 - 2 = 30 hosts each.
Figure 5 – VLSM Example (Part 2)
A subnet might be needed for the point-to-point link that will connect two network areas, and this can be accomplished by further subnetting one of the available subnets in the /27 scheme, for example 172.16.3.96/27. This can be subnetted with a /30 to obtain 172.16.3.100/30, which offers just two host addresses: 172.16.3.101 and 172.16.3.102. This scheme perfectly suits the needs for the point-to-point connections (one address for each end of the link). By performing VLSM calculations, subnets that can accommodate just the right number of hosts in a particular area can be obtained.
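The VLSM procedure just walked through (size each subnet from its host count with 2^h - 2, then carve the subnets out of a block largest-first) can be automated. The following is an added example written for this post, not code from the original article; the department names and host counts are constructed to mirror the 172.16.3.0/24 example above, and it deliberately floors at /30 rather than using /31 point-to-point links:

```python
import ipaddress


def host_bits_needed(hosts):
    """Smallest h such that 2**h - 2 >= hosts; the 2 covers the network and
    broadcast addresses. Floors at 2 bits (a /30) because this example does
    not use /31 point-to-point links (RFC 3021)."""
    h = 2
    while 2 ** h - 2 < hosts:
        h += 1
    return h


def usable_hosts(network):
    """2**h - 2 for the given network (string or IPv4Network)."""
    net = network if isinstance(network, ipaddress.IPv4Network) else ipaddress.IPv4Network(network)
    return net.num_addresses - 2


def allocate_vlsm(block, requirements):
    """Carve `block` into one subnet per (name, hosts) requirement.

    Requests are placed largest first, each on the next boundary aligned to
    its own size, so subnets pack tightly and the unused remainder stays
    contiguous (and therefore still summarizable). Raises ValueError if the
    block is too small for the requests.
    """
    block = ipaddress.IPv4Network(block)
    cursor = int(block.network_address)
    end = int(block.broadcast_address) + 1
    plan = {}
    for name, hosts in sorted(requirements, key=lambda r: r[1], reverse=True):
        prefix_len = 32 - host_bits_needed(hosts)
        size = 1 << (32 - prefix_len)
        # Round the cursor up to a multiple of the subnet size. Largest-first
        # ordering already keeps it aligned, but do not rely on that.
        cursor = (cursor + size - 1) // size * size
        if cursor + size > end:
            raise ValueError(f"{block} cannot fit {name} ({hosts} hosts)")
        plan[name] = ipaddress.IPv4Network((cursor, prefix_len))
        cursor += size
    return plan


if __name__ == "__main__":
    # Constructed requirements mirroring the text: three /27-sized areas
    # and one point-to-point link, all carved from 172.16.3.0/24.
    needs = [("sales", 30), ("engineering", 30), ("management", 30), ("wan-link", 2)]
    for name, net in allocate_vlsm("172.16.3.0/24", needs).items():
        print(f"{name:12} {str(net):20} {usable_hosts(net)} usable hosts")
```

Note that the allocator places the point-to-point link at 172.16.3.96/30, the first /30 of the 172.16.3.96/27 block, whereas the text picked 172.16.3.100/30 from the same block; both are valid, the difference is only which /30 inside the /27 is taken first.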
Private versus Public Addressing
As a network design expert, after determining the number of IP addresses needed, the next big decision is whether private, public, or a combination of private and public addresses will be used. Private internetwork addresses are defined in RFC 1918 and are used internally within the network. In practice, because public IPv4 addresses are scarce, NAT is used to translate the private internal addresses to public addresses at the edge. Internally, one of the following three ranges can be used:
- 10.0.0.0/8 (10.0.0.0 to 10.255.255.255), usually used in large organizations
- 172.16.0.0/12 (172.16.0.0 to 172.31.255.255), usually used in medium organizations
- 192.168.0.0/16 (192.168.0.0 to 192.168.255.255), usually used in small organizations
Addresses in these three ranges must not be routed on the public Internet. Service provider edge devices usually have policies and ACLs that drop inbound packets carrying a private address, but an organization should not rely on the provider for this: its own Internet edge should filter private source and destination addresses in both directions as well.
All other addresses are public addresses, allocated to ISPs or other points of presence on the Internet. ISPs then assign public address blocks (historically Class A, B, or C networks, today CIDR blocks of any size) to customers for devices that are exposed to the Internet, such as:
- Web servers
- DNS servers
- FTP servers
- Other servers that run public-accessible services
|Note: Customers can also be assigned IP addresses directly by one of the following five Regional Internet Registries (RIRs), which in turn receive their allocations from the Internet Assigned Numbers Authority (IANA): AFRINIC (Africa), APNIC (Asia-Pacific), ARIN (North America), LACNIC (Latin America and the Caribbean), and RIPE NCC (Europe, the Middle East, and Central Asia).|
When deciding to use private, public, or a combination of private and public addresses for your network design, one of the following four types of connections will be used:
- No Internet connectivity
- Only one public address (or a few) for users to access the Web
- Web access for users and public-accessible servers
- Every end-system has a public IP address
No Internet connectivity would imply that all of the connections between the locations are private links and the organization would not be connected to the Internet in any of its nodes. In this case, there is no need for any public IP addresses because the entire address scheme can be from the private address ranges.
Another situation would be the one in which there is Internet connectivity from all of the organization’s locations but there are no servers to run public-accessible services (e.g., Web, FTP, or others). In this case, a public IP address is needed that will allow users to access the Web. NAT can be used to translate traffic from the internal network to the outside network, so the internal networks contain only private IP addresses and the external link can use just one public address.
The third scenario is one of the most common, especially when considering the growth of enterprise networking. This involves having user Internet connectivity (just like in the previous scenario) but also having public-accessible servers. Public IP addresses must be used to connect to the Internet and access specific servers (e.g., Web, FTP, DNS, and others). The internal network should use private IP addresses and NAT to translate them into public addresses.
The least likely scenario is one in which every end-system is publicly reachable from the global Internet. This is dangerous because the entire network is exposed and the security risk is high. To mitigate it, strong firewall policies must be implemented at every location. In addition to the security issues, this scenario is also wasteful: many public IP addresses are consumed, and they are expensive. All of these factors make this scenario one to avoid in modern networks.
The two most common solutions from the scenarios presented above are as follows:
- One or a few public addresses for users to access the Web
- A few public addresses that provide Web access for users and public-accessible servers
Both scenarios imply using private internal addresses and NAT to reach outside networks.
For a deeper analysis of these aspects, it is useful to focus on how they map to the Cisco Enterprise Architecture model and where private and public addresses should be used, which is illustrated in Figure 6 below:
Figure 6 – Cisco Enterprise Architecture Model Addressing Scheme
First, in the figure above, assume that there is some kind of Internet presence in the organization that offers services either to internal users in the Access Layer submodule or to different public-accessible servers (e.g., Web, FTP, or others) in the Enterprise Edge module. Regardless of what modules receive Internet access, NAT is run in the edge distribution submodule to translate between the internal addressing structure used in the Enterprise Campus and the external public IP addressing structure. NAT mechanisms can also be used in the Enterprise Edge module.
Using the 10.0.0.0/8 range internally, both in the Enterprise Campus module and in the network management submodule, Enterprise Campus devices that use private IP addresses include all of its component submodules:
- Access Layer
- Distribution Layer
- Core Layer
- Server farm
The edge distribution submodule will use a combination of private and public IP addresses. The Enterprise Edge module will use a combination of private and public addresses, depending on each submodule. The remote access submodule can use a combination of private and public addresses but it will need to support some kind of NAT techniques. The WAN submodule can use either private addresses (when connecting to other remote sites) or public addresses (when connected to outside locations for a backup solution).
|Note: When connecting to the outside world using public addresses, consider implementing appropriate security controls at that boundary, such as stateful firewalling and ingress/egress filtering of the address ranges that should never appear on each side.|
An important issue in the IP addressing design is how the addresses will be assigned. One way would be to use static assigning and the other way would be to use dynamic protocols such as the Dynamic Host Configuration Protocol (DHCP). Deciding on the address allocation method requires answering the following questions:
- How many end-systems are there?
For a small number of hosts (less than 50), consider using statically/manually assigned addresses; however, if there are several hundred systems, use DHCP to speed up the address allocation process (i.e., avoid manual address allocation).
- What does the security policy demand?
Some organizations require static IP addressing for every host or node in the belief that it creates a more secure environment: an outsider cannot plug a station into the network, automatically obtain an IP address, and reach internal resources. The organization's security policy might demand static addressing regardless of network size. Keep in mind that this is a weak control on its own, since an intruder can simply configure an address from the observed range by hand; port security and 802.1x authentication (discussed earlier) are the controls that actually gate access to the segment.
- What is the likelihood of renumbering?
This includes the possibility of acquisitions and mergers in the near future. If the likelihood of renumbering is high, DHCP should be used.
- Are there any high availability demands?
If the organization has high availability demands, DHCP should be used in a redundant server architecture.
In addition, static addressing should always be used for certain devices in certain modules:
- Corporate servers
- Network management workstations
- Standalone servers in the Access Layer submodule
- Printers and other peripheral devices in the Access Layer submodule
- Public-accessible servers in the Enterprise Edge module
- Remote Access Layer submodule devices
- WAN submodule devices
From a Cisco standpoint, the best way to implement role-based addressing is to map it to the corporate structure or to the roles of the servers or end-user stations. Using an example based on the 10.0.0.0/8 network, consider the first octet to be the major network number, the second octet to be the number assigned to the closet (i.e., the server room or wiring closets throughout the organization), the third octet to be the VLAN number, and the last octet to be the host number. An address of 10.X.Y.Z would then have the following octet definitions:
- X = closet numbers
- Y = VLAN numbers
- Z = host numbers
This is an easy mechanism that can be used with Layer 3 closets. Role-based addressing avoids binary arithmetic as long as each field fits in an octet. If there are more than 256 closets, for example (more than the second octet can identify), some bits can be borrowed from the beginning of the third octet, because there will not be 256 VLANs per closet. Beyond that, binary arithmetic, or bit splitting, can be used to adapt the addressing structure to specific needs. Bit splitting works together with routing protocols and route summarization to number the required summarizable blocks; in this case, addresses are split into a network part, an area part, a subnet part, and a host part.
Network designers might not always have the luxury of using the summarizable blocks around simple octet boundaries and sometimes this is not even necessary, especially when some bit splitting techniques would better accommodate the organization and the role-based addressing scheme. This usually involves some binary math, such as the example below:
The first octet is 172 and the second octet is 16. In the third octet, the four "a" bits identify the area and the following "s" bits identify the subnet or VLAN; the "s" field continues into the first two bits of the fourth octet, leaving six bits for hosts (172.16.aaaassss.sshhhhhh, i.e. /26 subnets). This offers 2^6 - 2 = 62 hosts per VLAN or subnet (two host addresses are reserved: all zeros in the host bits is the network address and all ones is the broadcast address) and 2^6 = 64 subnets per area.
This logical scheme will result in the following address ranges, based on the network areas:
- Area 0: 172.16.0.0 to 172.16.15.255
- Area 1: 172.16.16.0 to 172.16.31.255
- Area 2: 172.16.32.0 to 172.16.47.255
Subnet calculations should be made to ensure that the right bit split is used to represent the subnets and VLANs. Remember that a useful technique is to take the last subnet in every area and divide it into /30 subnets for WAN or point-to-point links. This conserves address space, as each WAN link consumes only the two usable addresses of a /30 (.252 mask), and the links still fall inside the area's summary block, so the area summary stays intact.
|Note: Binary and subnet calculations can be also achieved using subnet calculator software that can be found on a variety of Internet sites.|
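The bit-splitting scheme above (172.16.aaaassss.sshhhhhh) and the simpler octet-aligned 10.closet.VLAN.host scheme are the same idea with different field widths, so one small tool can generate and decode both. The following is an added example written for this post, not code from the original article or from Cisco; the class name, the field widths, and the sample addresses are assumptions chosen to reproduce the area ranges listed above:

```python
import ipaddress


class BitSplitPlan:
    """A network / area / subnet / host bit split over one major network.

    With base 172.16.0.0/16, area_bits=4 and subnet_bits=6 this is the
    scheme from the text (172.16.aaaassss.sshhhhhh, 62 hosts per subnet);
    with base 10.0.0.0/8, area_bits=8 and subnet_bits=8 it is the simpler
    octet-aligned 10.closet.vlan.host scheme.
    """

    def __init__(self, base, area_bits, subnet_bits):
        self.base = ipaddress.IPv4Network(base)
        self.area_bits = area_bits
        self.subnet_bits = subnet_bits
        self.host_bits = 32 - self.base.prefixlen - area_bits - subnet_bits
        if self.host_bits < 2:
            raise ValueError("fewer than 2 host bits leaves no usable addresses")

    @property
    def hosts_per_subnet(self):
        return 2 ** self.host_bits - 2

    def _check(self, value, bits, what):
        if not 0 <= value < 2 ** bits:
            raise ValueError(f"{what} {value} does not fit in {bits} bits")

    def area(self, area):
        """The summarizable block for one area: base prefix plus area bits."""
        self._check(area, self.area_bits, "area")
        prefix_len = self.base.prefixlen + self.area_bits
        addr = int(self.base.network_address) | (area << (32 - prefix_len))
        return ipaddress.IPv4Network((addr, prefix_len))

    def subnet(self, area, subnet):
        """One subnet/VLAN inside an area."""
        self._check(subnet, self.subnet_bits, "subnet")
        area_net = self.area(area)
        prefix_len = area_net.prefixlen + self.subnet_bits
        addr = int(area_net.network_address) | (subnet << self.host_bits)
        return ipaddress.IPv4Network((addr, prefix_len))

    def wan_links(self, area):
        """Split the last subnet of an area into /30s for point-to-point
        links, as the text recommends; they stay inside the area summary."""
        last = self.subnet(area, 2 ** self.subnet_bits - 1)
        return list(last.subnets(new_prefix=30))

    def decode(self, address):
        """Reverse mapping: which (area, subnet, host) an address belongs to.
        Handy when an ACL hit or log line must be tied back to a role."""
        addr = ipaddress.IPv4Address(address)
        if addr not in self.base:
            raise ValueError(f"{addr} is not in {self.base}")
        offset = int(addr) - int(self.base.network_address)
        host = offset & (2 ** self.host_bits - 1)
        subnet = (offset >> self.host_bits) & (2 ** self.subnet_bits - 1)
        area = offset >> (self.host_bits + self.subnet_bits)
        return area, subnet, host


if __name__ == "__main__":
    plan = BitSplitPlan("172.16.0.0/16", area_bits=4, subnet_bits=6)
    for a in range(3):
        print(f"Area {a}: {plan.area(a)}")
    print(plan.subnet(1, 4), plan.hosts_per_subnet, "hosts per subnet")
    links = plan.wan_links(0)
    print(len(links), "WAN /30s in area 0, from", links[0], "to", links[-1])
    print(plan.decode("172.16.17.5"))
    closets = BitSplitPlan("10.0.0.0/8", area_bits=8, subnet_bits=8)
    print(closets.subnet(5, 20), closets.hosts_per_subnet, "hosts per VLAN")
```

The `area()` result is exactly the prefix you would configure as the summary for that area (172.16.16.0/20 for area 1, 172.16.32.0/20 for area 2), and `decode()` is the piece a security team ends up wanting: given only a source address from a log, it tells you which closet or area and which VLAN the host was in.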
Most organizations have their addressing schemes mapped out onto spreadsheets or included in different reports and stored as part of their documentation for the network topology. This should be done very systematically and hierarchically, regardless of the addressing scheme used. Always take into consideration the possible growth of the company through mergers or acquisitions.
Network Address Translation Applications
Although one goal of IPv6 is to remove the need for NAT, NAT for IPv4 will remain in use for a long while. NAT is also one of the mechanisms used in the IPv4-to-IPv6 transition, so it will not disappear any time soon, and it remains a very functional tool for working with IPv4 addressing. NAT and PAT (or NAT overload) are usually performed on ASA devices, which support them in several forms:
- Static NAT
- Dynamic NAT
- Identity NAT
- Policy NAT
A recommended best practice is to try to avoid using NAT on internal networks, except for situations in which NAT is required as a stop-gap measure during mergers or migrations. NAT should not be performed between the Access Layer and the Distribution Layer or between the Distribution Layer and the Core Layer. Following this recommendation will prevent address translation between OSPF areas, for example.
Organizations with a merger in progress usually use the same internal network addressing schemes and these can be managed with NAT overlapping techniques (also referred to as bidirectional NAT), which translates between the two organizations when they have an overlapping internal IP addressing space that uses RFC 1918 addressing.
If there are internal servers or servers in the DMZ that are reached using translated addresses, it is a good practice to isolate these servers into their own address space and VLAN, possibly using private VLANs. NAT is often used to support content load balancing servers, which usually must be isolated by implementing address translation.
NAT can also be used in the data center submodule to support a management VLAN that is Out-of-Band from production traffic. It should also be implemented on devices that cannot route or cannot define a gateway for the management VLAN. This results in several smaller management VLANs rather than a single large management VLAN that covers the entire data center. In addition, large companies or Internet entities can exchange their summary routes and then translate them into the network with NAT blocks. This offers faster convergence, but the downside is more complex troubleshooting because NAT or PAT is involved.
PAT is harder to troubleshoot because one or a few IP addresses are used to represent hundreds or even thousands of internal hosts, all using TCP and UDP ports to create logical sockets. This increases the complexity of the troubleshooting process because it is difficult to know which internal host a given connection belongs to: each host uses a shared IP address and is distinguished only by its port number. If the organization is connected to several different partners or vendors, each partner can be represented by a different NAT block, which is translated within the organization's network.
Network Design for IPv6 Addressing
CCDP certification requires a solid understanding of the IP version 6 specifications, addressing, and some of the design issues. The IPv6 protocol is based on RFC 2460. From a network designer standpoint, the most important features offered by IPv6 include the following:
- A 128-bit address space
- Supports hierarchical addressing and auto-configuration
- Every host can have a globally unique IPv6 address; no need for NAT
- Hosts can have multiple addresses
- Efficient fixed header size for IPv6 packets
- Enhanced security and privacy headers
- Improved multicasting and QoS
- Dedicated IPv6 routing protocols: RIPng, OSPFv3, Integrated IS-ISv6, BGP4+
- Every major vendor supports IPv6
IPv6 was created to overcome the limitations of the current IPv4 standard. One of the major shortcomings of IPv4 is that it uses a 32-bit address space. Because of the classful system and the growth of the Internet, the 32-bit address space has proven to be insufficient. The key factors that led to the evolution of IPv6 were large institutions, Enterprise Networks, and ISPs that demanded a larger pool of IP addresses for different applications and services.
IPv4 uses a 32-bit address space, so it offers around 4.2 billion possible addresses, including the multicast, experimental, and private ones. The IPv6 address space is 128 bits, so it offers around 3.4×10^38 possible addressable nodes. The address space is so large that there are about 5×10^28 addresses per person in the world. IPv6 also gives every user multiple global addresses that can be used for a wide variety of devices (e.g., PDAs, cell phones, and IP-enabled devices). IPv6 addresses will last a very long time. An IPv6 packet contains the following fields, as depicted in Figure 7 below:
Figure 7 – IPv6 Packet Fields
| Field | Size | Description |
|---|---|---|
| Version | 4 bits | Identifies the IP version (which is 6 in this case). |
| Traffic Class | 8 bits | Similar to the ToS byte in the IPv4 header; QoS marking functionality. |
| Flow Label | 20 bits | Used to identify and classify packet flows. |
| Payload Length | 16 bits | The size of the packet payload. |
| Next Header | 8 bits | Similar to the Protocol field in the IPv4 header; defines the type of traffic contained within the payload and which header to expect. |
| Hop Limit | 8 bits | Similar to the TTL field in the IPv4 header; prevents endless loops. |
| Source IP Address | 128 bits | Source logical IPv6 address. |
| Destination IP Address | 128 bits | Destination logical IPv6 address. |
| Data | Variable | Transport Layer data. |
Knowing what is in the IPv4 header is important from a network designer standpoint because many of the fields in the header are used for features such as QoS or protocol type. The IPv6 header offers additional functionality, even though some fields from the IPv4 header have been eliminated, such as the Fragment Offset field and the Flags field.
The Version field, as in the IPv4 header, offers information about the IP protocol version. The Traffic Class field is used to tag the packet with the class of traffic it uses in its DiffServ mechanisms. IPv6 also adds a Flow Label field, which can be used for QoS mechanisms by tagging a flow. This can be used for multilayer switching techniques and will offer faster packet switching on the network devices. The Payload Length field is the counterpart of the Total Length field in IPv4.
The Next Header is an important IPv6 field. The value of this field determines the type of information that follows the basic IPv6 header. It can be a Transport Layer header, such as TCP or UDP, or it can designate an extension header. The Next Header field is the equivalent of the Protocol field in IPv4. The next field is Hop Limit, which designates the maximum number of hops an IP packet can traverse. Each hop/router decrements this field by one, so this is similar to the TTL field in IPv4. There is no Checksum field in the IPv6 header, so the router can decrement the Hop Limit field without recalculating a checksum. Finally, there is the 128-bit source address and the 128-bit destination address.
In addition to these fields there are a number of extension headers. The extension headers and the data portion of the packet will follow the eight fields covered thus far. The total length of an extension header’s chain can be variable because the number of extension headers is not fixed. There are different types of extension headers, such as the following:
- Routing header
- Fragmentation header
- Authentication header
- IPsec ESP header
- Hop-by-Hop Options header
The IPv4 address consists of a string of 32 bits represented in four octets using a dotted decimal format. IPv6, on the other hand, consists of 128 bits represented in eight groups of 16 bits using a hexadecimal format (i.e., 16-bit groups separated by colons), for example:
Considering the complex format of IPv6 addresses, some rules were developed to shorten them:
- One or more successive 16-bit groups that consist of all zeros can be omitted and represented by two colons (::).
- If a 16-bit group begins with one or more zeros, the leading zeros can be omitted.
Considering the IPv6 example above, here are its shortened representations:
|Note: The double colon (::) notation can appear only one time in an IPv6 address.|
In a mixed IPv4 and IPv6 environment, the IPv4 address can be embedded in the IPv6 address, specifically in the last 32 bits.
The prefix portion in IPv6 is the number of contiguous bits that represent the network portion of the address. For example, the address 2001:0000:0000:0ABC:0000:0000:0000:0000/60 can be represented as 2001:0:0:ABC::/60.
Several types of IPv6 addresses are required for various applications. When compared to IPv4 address types (i.e., unicast, multicast, and broadcast), IPv6 presents some differences: special multicast addresses are used instead of broadcast addressing, and a new address type was defined called anycast.
| Address Type | Prefix | Description |
|---|---|---|
| Aggregatable Global Unicast | 2000::/3 | Public addresses, host-to-host communications; equivalent to IPv4 unicast. |
| Multicast | FF00::/8 | One-to-many and many-to-many communications; equivalent to IPv4 multicast. |
| Anycast | Same as Unicast | Interfaces from a group of devices can be assigned the same anycast address; the device closest to the source will respond; application-based, including load balancing, traffic optimization for a particular service, and redundancy. |
| Link-local Unicast | FE80::/10 | Connected-link communications; assigned to all device interfaces and used only for local link traffic. |
| Solicited-node Multicast | FF02::1:FF00:0/104 | Neighbor solicitation. |
Anycast addresses are generally assigned to servers located in different geographical locations. By connecting to the anycast address, users will reach the closest server. Anycast addresses are also called one-to-nearest addresses. The IPv6 multicast address is a one-to-many address that identifies a set of hosts that will receive the packet. This is similar to an IPv4 Class D multicast address. IPv6 multicast addresses also supersede the broadcast function of IPv4: IPv6 broadcast functionality is an all-nodes multicast behavior. The following are well-known multicast addresses that should be remembered:
- FF01::1 = all-nodes multicast address (broadcast)
- FF02::2 = all-routers multicast address (used for link-local address mechanisms)
Another important multicast address is the solicited node multicast address, which is created automatically and placed on the interface. This is used by the IPv6 Neighbor Discovery process to improve upon IPv4 ARP. A special IPv6 address is 0:0:0:0:0:0:0:1, which is the IPv6 loopback address, equivalent to the 127.0.0.1 IPv4 loopback address. This can also be represented as ::1/128.
Link-local addresses are significant only to the nodes on a single link. Routers do not forward packets with a link-local source or destination address beyond the local link. Link-local addresses can be configured automatically or manually. Global unicast addresses are globally unique and routable and are defined in RFC 2374 and RFC 3587.
Figure 8 – IPv6 Global Unicast Address Format
Based on the IPv6 global unicast address format shown in Figure 8 above, the first 23 bits represent the registry, the first 32 bits represent the ISP prefix, the first 48 bits are the site prefix, and /64 represents the subnet prefix. The remaining bits are allocated to the interface ID.
The global unicast address and the anycast address share the same format; anycast addresses are allocated from the unicast address space. To devices that are not configured for anycast, these addresses appear as ordinary unicast addresses.
IPv6 global unicast addressing allows aggregation upward to the ISP. A single interface may be assigned multiple addresses of any type (i.e., unicast, anycast, and multicast). However, every IPv6-enabled interface must have a loopback address and a link-local address.
The IPv6 global unicast address is structured as presented above in Figure 8 to facilitate aggregation and reduce the number of entries in the global routing tables, just like with IPv4. Global unicast addresses are defined by a global routing prefix, a subnet ID, and an interface ID. Typically, a global unicast address is made up of a 48-bit global routing prefix and a 16-bit subnet identifier.
As with IPv4, there are different mechanisms available for IPv6, and the most important of these include the following:
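To make the boundaries in Figure 8 concrete, here is an added example (not code from the original post) that slices a global unicast address at the bit positions the text names: the first 23 bits (registry), 32 bits (ISP prefix), 48 bits (site prefix), 64 bits (subnet prefix), then the 16-bit subnet ID and the 64-bit interface ID. The address `2001:db8:1234:5678::1` is a constructed sample; `same_site` shows the practical use of the /48 boundary when deciding whether two hosts belong to the same site.

```python
import ipaddress
from typing import Dict


def global_unicast_fields(addr: str) -> Dict[str, str]:
    """Break a global unicast address into the boundaries named in the text:
    registry /23, ISP prefix /32, site prefix /48, subnet prefix /64,
    the 16-bit subnet ID and the 64-bit interface ID."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in ipaddress.IPv6Network("2000::/3"):
        raise ValueError(f"{addr} is not in the global unicast range 2000::/3")

    def prefix(bits: int) -> str:
        # Mask the address down to the first `bits` bits.
        return str(ipaddress.IPv6Interface(f"{ip}/{bits}").network)

    value = int(ip)
    return {
        "registry": prefix(23),
        "isp_prefix": prefix(32),
        "site_prefix": prefix(48),
        "subnet_prefix": prefix(64),
        # Subnet ID: bits 48..63, i.e. the 16 bits just above the interface ID.
        "subnet_id": f"{(value >> 64) & 0xFFFF:04x}",
        # Interface ID: the low 64 bits.
        "interface_id": f"{value & ((1 << 64) - 1):016x}",
    }


def same_site(a: str, b: str) -> bool:
    """True when two global unicast addresses share the same /48 site prefix."""
    return global_unicast_fields(a)["site_prefix"] == global_unicast_fields(b)["site_prefix"]


if __name__ == "__main__":
    for name, part in global_unicast_fields("2001:db8:1234:5678::1").items():  # constructed sample
        print(f"{name:14} {part}")
    print(same_site("2001:db8:1234:1::1", "2001:db8:1234:2::1"))
```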
- IPv6 Neighbor Discovery (ND)
- Name resolution
- Path Maximum Transmission Unit (MTU) Discovery
- IPv6 security
- IPv6 routing protocols
The Internet Control Message Protocol (ICMP) was modified to support IPv6 and is one of the most important mechanisms that support IPv6 functionality. ICMPv6 uses a Next Header number of 58. ICMP provides informational messages (e.g., Echo Request and Echo Reply) and error messages (e.g., Destination Unreachable, Packet Too Big, and Time Exceeded). IPv6 also uses ICMPv6 to determine important parameters, such as neighbor availability, Path MTU Discovery, destination addresses, or port reachability.
IPv6 uses a Neighbor Discovery protocol (RFC 2461), unlike IPv4, which uses the Address Resolution Protocol (ARP). IPv6 hosts use ND to implement “plug and play” functionality and to discover all other nodes on the same link. ND is also used in checking for duplicate addresses and finding the routers on a specific link. ND uses the ICMPv6 message structure in its operations and its type codes are 133 through 137:
- Router Solicitation
- Router Advertisement
- Neighbor Solicitation
- Neighbor Advertisement
Neighbor Discovery goes beyond the capabilities of ARP, as it performs many functions:
- Address Auto-Configuration (a host can find its full address without using DHCP)
- Duplicate Address Detection (DAD)
- Prefix Discovery (learns prefixes on local links)
- Link MTU Discovery
- Hop Count Discovery
- Next-Hop Determination
- Address Resolution
- Router Discovery (allows routers to find other local routers)
- Neighbor Reachability Detection
- Proxy Behavior
- Default Router Selection
Many of the features mentioned above have IPv4 equivalents, but some of them are unique to IPv6 and provide additional functionality.
One of the important features made possible by the ND process is DAD, as defined in RFC 4862. This is accomplished through Neighbor Solicitation messages that are exchanged before the interface is allowed to use a global unicast address on the link, and this can determine whether the particular address is unique. The Target Address field in these specific packets is set to the IPv6 address for which duplication is being detected and the source address is set to unspecified (::).
The IPv6 stateless Auto-Configuration feature avoids using DHCP to maintain a mapping for the address assignment. This is a very low-overhead manner in which to disseminate addresses and it accommodates low-overhead re-addressing. In this process, the router sends a Router Advertisement message to advertise the prefix and its ability to act as a default gateway. The host receives this information and uses the EUI-64 format to generate the host portion of the address. After the host generates the address, it starts the DAD process to ensure that the address is unique on the network.
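The following added example (not code from the original post) walks through the host side of the stateless auto-configuration and DAD sequence described above, and also derives the solicited-node multicast address mentioned earlier: a MAC address is turned into a modified EUI-64 interface ID, that ID is appended to FE80::/64 and to the prefix learned from a Router Advertisement, and the Neighbor Solicitation used for DAD is summarised with its unspecified source, solicited-node destination and Target Address. The MAC `00:1B:21:AB:CD:EF` and prefix `2001:db8:1234:5678::/64` are constructed samples; the ICMPv6 type value 135 for Neighbor Solicitation follows the 133–137 ordering given in the text.

```python
import ipaddress
from typing import Dict


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 from a 48-bit MAC: insert FF:FE between the OUI and
    the device part, then flip the universal/local bit (bit 1 of octet 0)."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    eui = bytes([eui[0] ^ 0x02]) + eui[1:]
    return int.from_bytes(eui, "big")


def address_from_prefix(prefix: str, mac: str) -> str:
    """Host address = advertised /64 prefix + EUI-64 interface ID, the step a
    host performs after receiving the Router Advertisement."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless auto-configuration needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def link_local_address(mac: str) -> str:
    """Link-local address: FE80::/64 plus the same interface ID."""
    return address_from_prefix("fe80::/64", mac)


def solicited_node_multicast(addr: str) -> str:
    """FF02::1:FF00:0/104 with the low 24 bits of the unicast address appended."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | low24))


def dad_neighbor_solicitation(tentative: str) -> Dict[str, object]:
    """Header fields of the Neighbor Solicitation a node sends for DAD:
    unspecified source, solicited-node destination, Target = tentative address.
    (A constructed summary of the message, not a packet encoder.)"""
    return {
        "icmpv6_type": 135,  # Neighbor Solicitation
        "src": "::",
        "dst": solicited_node_multicast(tentative),
        "target": str(ipaddress.IPv6Address(tentative)),
    }


if __name__ == "__main__":
    mac = "00:1B:21:AB:CD:EF"  # constructed sample MAC
    ll = link_local_address(mac)
    print("link-local :", ll)
    print("global     :", address_from_prefix("2001:db8:1234:5678::/64", mac))
    print("DAD probe  :", dad_neighbor_solicitation(ll))
```

Because the solicited-node group depends only on the low 24 bits, every node that shares those bits joins the same group; DAD and address resolution therefore wake far fewer hosts than an IPv4 broadcast ARP would.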
IPv4 performs Name Resolution by using A records in the DNS. RFC 3596 offers a new DNS record type to support the transition to IPv6 Name Resolution, which is AAAA (Quad A). The Quad A record will return an IPv6 address based on a given domain name.
IPv6 does not allow packet fragmentation by intermediate routers (only the source of the packet may fragment), so the MTU of every link in an IPv6 implementation must be 1280 bytes or greater. The ICMPv6 Packet Too Big error message is used to determine the path MTU: a node along the path sends this message to the sending host when a packet is larger than the MTU of its outgoing interface.
DHCPv6 is an updated version of DHCP that offers dynamic address assignment for version 6 hosts. DHCPv6 is described in RFC 3315 and provides the same functionality as DHCP but it offers more control, as it supports renumbering without numbers.
IPv6 also has some security mechanisms. Unlike IPv4, IPv6 natively supports IPsec (an open security framework) with two mechanisms: the Authentication Header (AH) and the Encapsulating Security Payload (ESP).
The support for IPsec in IPv6 is mandatory, unlike with IPv4. By making it mandatory in all IPv6 nodes, secure communication can be established with any node in the network. An example of mandatory and leveraged IPsec in IPv6 is OSPFv3 (OSPF for IPv6), which carries out its authentication using only IPsec. Another example of the IPsec IPv6 mechanism is the IPsec Site-to-Site Virtual Tunnel Interface, which allows easy creation of virtual tunnels between two IPv6 routers to very quickly form a site-to-site secured Virtual Private Network (VPN).
The following new routing protocols were developed for IPv6:
- RIPng (RIP next generation)
- Integrated Intermediate System-to-Intermediate System Protocol (IS-IS)
- EIGRP for IPv6
- BGP4 multiprotocol extensions for IPv6
Transitioning from IPv4 to IPv6
Because IPv6 almost always comes as an upgrade to the existing IPv4 infrastructure, IPv6 network design and implementation considerations must include different transition mechanisms between these two protocol suites. The IPv4 to IPv6 transition can be very challenging, and during the transition period it is very likely that both protocols will coexist on the network.
The designers of the IPv6 protocol suite have suggested that IPv4 will not go away anytime soon and that it will coexist with IPv6 in combined addressing schemes. The key to all IPv4 to IPv6 transition mechanisms is dual-stack functionality, which allows a device to operate both in IPv4 mode and in IPv6 mode.
One of the most important IPv4 to IPv6 transition mechanisms involves tunneling between dual-stack devices and this can be implemented in different flavors:
- Static tunnels:
  - Generic Routing Encapsulation (GRE) – default tunnel mode
  - IPv6IP (less overhead, no CLNS transport)
- Automatic tunnels:
  - 6to4 (embeds the IPv4 address into the IPv6 prefix to provide automatic tunnel endpoint determination); automatically generates tunnels based on the utilized addressing scheme
  - Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) – automatic host-to-router and host-to-host tunneling
Figure 9 – IPv6 over IPv4 Tunneling
Analyzing Figure 9 above, the IPv4 island contains two dual-stack routers that run both the IPv4 and the IPv6 protocol stacks. These two routers support the transition mechanisms by tunneling IPv6 inside IPv4, and each of them connects to an IPv6 island. To carry IPv6 traffic between the two edge islands, a tunnel is created between the two routers that encapsulates IPv6 packets inside IPv4 packets. These packets are sent through the IPv4 cloud as regular IPv4 packets and are de-encapsulated when they reach the other end. An IPv6 packet generated in the left-side network thus reaches a destination in the right-side network; tunneling IPv6 inside IPv4 is straightforward because of the dual-stack routers at the edge of the IPv4 infrastructure. Static tunneling methods are generally used when dealing with point-to-point links, while dynamic tunneling methods work best when using point-to-multipoint connections.
Network Address Translation Protocol Translation (NAT-PT) is another technology that can be utilized to carry out the transition to an IPv6 network. NAT-PT is often confused with NAT but it is a completely different technology. Simple NAT can also be used in IPv6 but this is very rare because IPv6 offers a very large address space and private addresses are not necessary. NAT-PT is another translation mechanism that will dynamically convert IPv4 addresses to IPv6 addresses, and vice-versa.
Another static tunneling technology is IPv6IP, which encapsulates IPv6 packets directly into IPv4. This is also called manual tunneling. Another type of static tunnel that can be created is a GRE tunnel that encapsulates the IPv6 packets within a GRE packet. GRE tunneling might be necessary when using special applications and services, like the IS-IS routing protocol for IPv6.
The dynamic tunnel types include the 6to4 tunnel, which is appropriate when a group of destinations needs to be connected dynamically utilizing IPv6. ISATAP is a unique type of host-to-router dynamic tunnel, unlike the previously mentioned tunneling techniques, which are router-to-router. ISATAP allows hosts to dynamically get to their IPv6 default gateway.
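The automatic tunnel endpoint determination that 6to4 relies on is a pure address computation, so it can be shown in a few lines. This added example (not code from the original post) builds a 6to4 site prefix from an IPv4 tunnel endpoint and recovers the endpoint from any address under that prefix; for contrast it also embeds an IPv4 address in the last 32 bits of an IPv6 address, as mentioned in the addressing section above. The 6to4 prefix `2002::/16` and the `::ffff:0:0/96` IPv4-mapped form are assumptions from the IPv6 specifications, not values stated on this page; `192.0.2.1` is a constructed sample address.

```python
import ipaddress


def six_to_four_prefix(ipv4: str) -> str:
    """6to4 site prefix: 2002::/16 followed by the 32-bit IPv4 address (/48).
    The prefix value 2002::/16 is assumed from the 6to4 specification."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    net = ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))
    return str(net)


def six_to_four_endpoint(addr_or_prefix: str) -> str:
    """Recover the IPv4 tunnel endpoint embedded in bits 16..47 of a 6to4
    prefix or of any host address carved from it. This is how a 6to4 router
    finds the far end without any per-destination tunnel configuration."""
    ip = ipaddress.IPv6Interface(addr_or_prefix).ip
    if ip not in ipaddress.IPv6Network("2002::/16"):
        raise ValueError(f"{addr_or_prefix} is not a 6to4 address")
    return str(ipaddress.IPv4Address((int(ip) >> 80) & 0xFFFFFFFF))


def ipv4_mapped(ipv4: str) -> str:
    """IPv4 address embedded in the low 32 bits of an IPv6 address (::ffff:a.b.c.d).
    Assumed from the IPv6 addressing architecture, not from this page."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address((0xFFFF << 32) | v4))


def embedded_ipv4(v6: str) -> str:
    """Pull the IPv4 address out of the last 32 bits of an IPv6 address."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv6Address(v6)) & 0xFFFFFFFF))


if __name__ == "__main__":
    endpoint = "192.0.2.1"  # constructed sample tunnel endpoint
    prefix = six_to_four_prefix(endpoint)
    print("6to4 prefix      :", prefix)
    print("recovered endpoint:", six_to_four_endpoint("2002:c000:201:1::5"))
    print("IPv4-mapped      :", ipv4_mapped(endpoint), "->", embedded_ipv4(ipv4_mapped(endpoint)))
```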
|Note: ISATAP is a protocol that will soon fade away because almost all modern hosts and routers have native IPv6 support.|
IPv6 Compared to IPv4
A network designer should have a very clear picture of the advantages IPv6 has over IPv4. The enhancements of IPv6 can be summarized as follows:
- IPv6 uses hexadecimal notation instead of dotted-decimal notation (IPv4).
- IPv6 has an expanded address space, from 32 bits to 128 bits.
- IPv6 addresses are globally unique due to the extended address space, eliminating the need for NAT.
- IPv6 has a fixed header length (40 bytes), allowing vendors to improve switching efficiency.
- IPv6 supports enhanced options (that offer new features) by placing extension headers between the IPv6 header and the Transport Layer header.
- IPv6 offers Address Auto-Configuration, providing for the dynamic assignment of IP addresses even without a DHCP server.
- IPv6 offers support for labeling traffic flows.
- IPv6 has security capabilities built-in, including authentication and privacy via IPsec.
- IPv6 offers Path MTU Discovery before sending packets to a destination, eliminating the need for fragmentation.
- IPv6 supports site multi-homing.
- IPv6 uses the ND protocol instead of ARP.
- IPv6 uses AAAA DNS records instead of A records (IPv4).
- IPv6 uses site-local addressing instead of RFC 1918 (IPv4).
- IPv4 and IPv6 use different routing protocols.
- IPv6 provides for anycast addressing.
Good IP addressing for network design uses summarizable blocks of addresses that enable route summarization and provide a number of benefits:
- Reduced router workload and routing traffic
- Increased network stability
- Faster convergence
- Significantly simplified troubleshooting
Creating and using summary routes depends on the use of summarizable blocks of addresses. Sequential numbers in an octet may denote a block of IP addresses as summarizable. For sequential numbers to be summarizable, the block must be X numbers in a row, where X is a power of 2, and the first number in the sequence must be a multiple of X. The created sequence will then end one before the next multiple of X in all cases.
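The power-of-two rule above, applied by an added example (not code from the original post): `is_summarizable_run` checks a run of third-octet values against the rule, `third_octet_run` builds the corresponding /24 subnets under a constructed base of `10.1`, and `summary_routes` uses the standard library to collapse them, which shows the consequence of breaking the rule: eight subnets starting at 16 become a single /21, while eight subnets starting at 20 cannot be expressed as one prefix and leave two routes behind.

```python
import ipaddress
from typing import List


def is_summarizable_run(first: int, count: int) -> bool:
    """Rule from the text: `count` consecutive octet values starting at `first`
    are summarizable when count is a power of 2 and first is a multiple of
    count (the run then ends one before the next multiple of count)."""
    power_of_two = count > 0 and (count & (count - 1)) == 0
    return power_of_two and first % count == 0


def third_octet_run(first: int, count: int, base: str = "10.1") -> List[str]:
    """Constructed /24 subnets whose third octet runs first..first+count-1."""
    if first < 0 or first + count - 1 > 255:
        raise ValueError("run does not fit in one octet")
    return [f"{base}.{x}.0/24" for x in range(first, first + count)]


def summary_routes(networks: List[str]) -> List[str]:
    """Collapse the prefixes into the fewest covering prefixes; a summarizable
    run collapses to exactly one route."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def summary_prefix_length(count: int, member_prefixlen: int = 24) -> int:
    """A run of `count` (power of 2) member prefixes is covered by one prefix
    that is log2(count) bits shorter, e.g. eight /24s become one /21."""
    if not is_summarizable_run(0, count):
        raise ValueError("count must be a power of 2")
    return member_prefixlen - (count.bit_length() - 1)


if __name__ == "__main__":
    for first in (16, 20):
        run = third_octet_run(first, 8)
        print(f"start {first}: summarizable={is_summarizable_run(first, 8)}",
              "->", summary_routes(run))
    print("eight /24s summarize to a /" + str(summary_prefix_length(8)))
```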
Efficiently assigning IP addresses to the network is a critical network design decision, impacting the scalability of the network and the routing protocols that can be used. IPv4 addressing has the following characteristics:
- IPv4 addresses are 32 bits in length.
- IPv4 addresses are divided into various classes (e.g., Class A networks accommodate more than 16 million unique IP addresses, Class B networks support more than 65 thousand IP addresses, and Class C networks permit 254 usable IP addresses). Originally, organizations applied for an entire network in one of these classes. Today, however, subnetting allows an ISP to give a customer just a portion of a network's address space, in an attempt to conserve the depleting pool of IP addresses. Conversely, ISPs can use supernetting (also known as Classless Inter-Domain Routing – CIDR) to aggregate the multiple network address spaces that they have. Aggregating multiple network address spaces into one address reduces the number of route entries a router must maintain.
- Devices such as PCs can be assigned a static IP address, by hard coding the IP address in the device’s configuration. Alternatively, devices can dynamically obtain an address from a DHCP server, for example.
- Because names are easier to remember than IP addresses are, most publicly accessible Web resources are reachable by their name. However, routers must determine the IP address with which the name is associated to route traffic to that destination. Therefore, a DNS server can perform the translation between domain names and their corresponding IP addresses.
- Some IP addresses are routable through the public Internet, whereas other IP addresses are considered private and are intended for use within an organization. Because these private IP addresses might need to communicate outside the LAN, NAT can translate a private IP address into a public IP address. In fact, multiple private IP addresses can be represented by a single public IP address using NAT. This type of NAT is called Port Address Translation (PAT) because the various communication flows are identified by the port numbers they use to communicate with outside resources.
When beginning to design IP addressing for a network, the following aspects must be determined:
- The number of network locations that need IP addressing
- The number of devices requiring an IP address at each location
- Customer-specific IP addressing requirements (e.g., static IP addressing versus dynamic IP addressing)
- The number of IP addresses that need to be contained in each subnet (e.g., a 48-port switch in a wiring closet might belong to a subnet that supports 64 IP addresses)
A major challenge with IPv4 is the limited number of available addresses. A newer version of IP, specifically IPv6, addresses this concern. An IPv6 address is 128 bits long, compared to the 32-bit length of an IPv4 address.
To make such a large address more readable, an IPv6 address uses hexadecimal numbers and the 128-bit address is divided into eight fields. Each field is separated by a colon, as opposed to the four fields in an IPv4 address, which are each separated by a period. To further reduce the complexity of the IPv6 address, leading 0s in a field are optional and if one or more consecutive fields contain all 0s, those fields can be represented by a double colon (::). A double colon can be used only once in an address; otherwise, it would be impossible to know how many 0s are present between each pair of colons.
Consider some of the benefits offered by IPv6:
- IPv6 dramatically increases the number of available addresses.
- Hosts can have multiple IPv6 addresses, allowing those hosts to multi-home to multiple ISPs.
- Other benefits include enhancements relating to QoS, security, mobility, and multicast technologies.
Unlike IPv4, IPv6 does not use broadcasts. Instead, IPv6 uses the following methods for sending traffic from a source to one or more destinations:
- Unicast (one-to-one): Unicast support in IPv6 allows a single source to send traffic to a single destination, just as unicast functions in IPv4.
- Anycast (one-to-nearest): A group of interfaces belonging to nodes with similar characteristics (e.g., interfaces in replicated FTP servers) can be assigned an anycast address. When a host wants to reach one of those nodes, the host can send traffic to the anycast address and the node belonging to the anycast group that is closest to the sender will respond.
- Multicast (one-to-many): Like IPv4, IPv6 supports multicast addressing, where multiple nodes can join a multicast group. The sender sends traffic to the multicast IP address and all members of the multicast group receive the traffic.
The migration of an IPv4 network to an IPv6 network can take years because of the expenditures of upgrading equipment. Therefore, during the transition, IPv4-speaking devices and IPv6-speaking devices need to coexist on the same network. Consider the following solutions for maintaining both IPv4 and IPv6 devices in the network:
- Dual stack: Some systems (including Cisco routers) can simultaneously run both IPv4 and IPv6, allowing communication to both IPv4 and IPv6 devices.
- Tunneling: To send an IPv6 packet across a network that uses only IPv4, the IPv6 packet can be encapsulated and tunneled through the IPv4 network.
- Translation: A device, such as a Cisco router, could sit between an IPv4 network and an IPv6 network and translate between the two addressing formats.
IPv6 allows the use of static routing and supports specific dynamic routing protocols that are variations of the IPv4 routing protocols modified or redesigned to support IPv6:
Network Design Quiz