how-to block ads
|
| | | | FAQ Revisions | Editors: skj  , Covenant , aryoba , Phraxos
Last modified on 2008-06-30 10:47:55
| |
|
|
30.0 Technologies·Things to expect when setup network for home or small business
·Technical Aspects in xDSL/Cable Internet connection
·Between DHCP, PPP, Dynamic, and Static IP Address
·Setting Up Private Site-To-Site Connections
·Basic Cisco Commands and Descriptions
·I do not understand subnetting?
·Subnetting /24 and larger network
·The Wildcard (Inverse) Subnet Mask
·Choosing Gateway IP Address for a network
·What is the difference between the different gateways in the routing table?
·NBAR: An Overview
·What features does my IOS support?
·What is the difference between a Layer 3 switch and a router?
·Should I use layer-3 switch or router?
·How can I find out how far I am from the CO.
·Circuit Commissions
·How your ISP annouce your subnet via BGP to the Internet: BGP Looking Glass
·Understanding PIX Firewall/ASA
·Setting Up Wireless LAN
·Deploying VoIP
·Automatic Network Health Monitoring and Reporting System: An Introduction
| | | Network Setup
The following is considered the most usual network setup when you deploy the following technology, even though it might not fit your situation. You can see the following info as a guide or reference, rather than a requirement.
Equipments to use
* Routers, firewalls, switches
* Category 5/5e patch cable for wired connection
* Servers, workstations
1. Router
* In most cases, you need to do IP routing between your ISP (the Internet) and your network
* With that in mind then you need a router that at least has two Layer-3 (routing) interfaces, one is facing the ISP and another facing your LAN
* Depends on the router model, one interface that is facing your LAN is Ethernet interface and another interface that is facing your ISP could be Ethernet or non-Ethernet interface
* Non-Ethernet interface could be T1/E1 (Serial), ISDN, and DSL
* When the router has Non-Ethernet interface, then the router might have integrated modem
* When you have T1/E1, DSL, or cable Internet; you could use dual-Ethernet interface router when there is supporting external modem with Ethernet port
* When the router has multiple Ethernet ports (i.e. dual-Ethernet router), verify if any of those ports are capable as Layer-3 (routing) interface
* When the router has integrated switch, then the all switch ports are considered one Layer-3 (routing) interface that will be facing your LAN
* The router might need to do NAT/PAT between your internal private subnet and the IP address provided by the ISP
* Typically routers don't do OSI Layer 5-7 inspection and/or filtering (i.e. SPAM email filter). You might need a firewall specifically for these.
2. Firewall
* In most cases, you need to do IP routing between your ISP (the Internet) and your network
* In addition, you also need to have firewall for some Internet security
* With that in mind then you need a firewall that at least has two Layer-3 (routing) interfaces, one is facing the ISP and another facing your LAN
* Usually the firewall interfaces are Ethernet only without integrated modem
* You need to have an external modem or external integrated modem/router to connect the firewall to your ISP assuming no integrated modem exists
* When the firewall has multiple Ethernet ports, verify if any of those ports are capable as Layer-3 (routing) interface
* When the firewall has integrated switch, then the all switch ports are considered one Layer-3 (routing) interface that will be facing your LAN
* The firewall might need to do NAT/PAT between your internal private subnet and the IP address provided by the ISP
3. Switch
* Most home or small business network use Layer-2 switch
* With Layer-2 switch, all ports are considered one Layer-3 (routing) interface
* Layer-2 switch does not do routing; only switching or bridging
* You still need to do routing between your ISP (the Internet) and your LAN; hence you still need either a router or a firewall
* You will connect the switch to the router or firewall LAN interface
* When the router or firewall has integrated switch, then you probably need a crossover Category 5/5e patch cable instead of the straight-through type when connecting the switch to the router/firewall
4. Servers and Workstations
* You will connect servers and workstations to the switch ports
* When the workstations need to receive IP address automatically, then you may need to set the router or firewall as DHCP server and the workstations as DHCP client
* Servers need to have static IP address; refer to the server operating system on how to set static IP address
Choosing ISP
Whenever possible, choose ISP that has reliable connection to backbone network. Note that the ISP does not need to be the Tier-1 class (such as AT&T or Verizon), especially when your area is only served by Tier-3 class ISP. As long as the ISP has such reliable connection, you should be in good shape for the most of time.
To find out how reliable your ISP connection to backbone network, you can ask following questions
* What kind of circuit does the ISP have to the backbone network? OC-X (OC-3, OC-12, or higher)? SONET ring? DWDM?
* How many transit provider does the ISP connect to? Three should be the "standard"
* Who are the transit providers? Are they Tier-1 class providers? Something like Level 3, Cogent, Sprint, or Internap should be sufficient.
Choosing Circuit Connection to ISP
The most common circuit connections for home or small businesses are the following
1. T1/E1, Point-To-Point (Dedicated Leased Line), or Frame Relay
2. ISDN
3. Broadband: DSL, Cable Internet
4. Wireless
The first two kind of circuits are considered "top of the line" for home or small businesses. The standard SLA (Service Level Agreement) should include 4-hour response time which may not present on broadband circuit kind. In most cases, these two circuit kinds are more reliable than the broadband; hence require "top dollar" fee compared to the broadband.
Choosing circuit connection to ISP depend on how critical your Internet applications are. If you or your organizations require constant, stable, and reliable Internet connection 24/7, then the first two circuit kind should be the choice. If you or your organization can tolerate some down time (no Internet connection for some time), then the last two choices should be sufficient.
Between T1/E1, DSL, and Cable Internet
Let's say you have following choices of ISP connection speed (bandwidth)
1. A 1.5MBps full T1 circuit
2. A 1.5MBps ADSL over POTS (phone line)
3. A 3 MBps Cable Internet
For home users or small businesses, the third choice looks most attractive since it usually offers more bandwidth with the lowest cost. Keep in mind that broadband connection (including Cable Internet) has minimal or no SLA compared to the T1 circuit.
In addition, a lot of time Cable Internet provider has some kind of bandwidth limit. The 3 MBps bandwidth or speed is most likely the burstable speed and may not reflect the actual speed. If you or your organization constantly use up the 3 MBps speed, the Cable Internet provider might give you or your organization penalties like charge extra fee or might reduce the speed without your consent or knowing.
Unlike Cable Internet, there is no such penalty on ADSL connection. In most cases, the speed connection is constant. When you have both T1 and ADSL from the same provider, you or your organization might be able to have some kind of Internet connection load balance or failover mechanism.
Side Note:
Check out following FAQ for more info on load balance or failover mechanism
»Cisco Forum FAQ »Redundant Internet Link Graceful Load Balance/Failover
However ADSL (and other xDSL technology) speed depends on the distance between your site and the ISP. The closer your site to the ISP, the more bandwidth or higher speed available to you. Specifically with xDSL connection that ride over POTS, there might be some electromagnetic interference factors you also need to consider.
Choosing Connection Speed/Bandwidth
How fast should your connection be? Is 1.5MBps connection fast enough? Should I choose the 6MBps speed instead of 1.5MBps speed?
Choosing connection speed should be based on your application performance. Locate your critical Internet applications that will take the ISP connection bandwidth the most. These applications vary between home users or small businesses. As illustration, the applications could be simple Internet browsing, email, online gaming, voice or video over the Internet, and web hosting.
Once you locate the applications, the next step is to find out what the most appropriate speed for such applications considering their workload. When you are unsure what the most appropriate speed is, the application customer support should be the first to contact.
If you are still unable to find out the most appropriate speed afterward, then the next consideration factor is your financial budget. When your budget is limited, then you should pick the least expensive connection (which also mean the slowest connection). Should you need faster connection in the future, you could always consider upgrading the speed.
Choosing Internet gateway device
The most common Internet gateway devices for home or small businesses are routers and firewall. Routers are usually preferable since they fit to most Internet connection environment compared to firewall. However firewall could be the choice when you or your organization only require default gateway route to your ISP and no plan of having T1/E1, Point-To-Point, Frame Relay, or ISDN circuit to your ISP.
Whichever device you choose, you should choose device that can provide at least decent security features or protections. In addition, business grade device is recommended since they are more reliable than the consumer grade.
In Cisco world, routers for home or small businesses are 800 series or higher. As to firewall choices, they should be ASA 5500 series or PIX Firewall.
Choosing Modem
As mentioned, you have a choice to use either external or internal (integrated) modem. When you have a broadband Internet such as ADSL and Cable Internet, typically you need to have an external modem. Should you prefer to use internal modem that is integrated into the Internet gateway device, make sure that the modem is compatible to your ISP connection.
In case that you use external modem, you need to verify if the modem is "just" a modem (dumb modem) or if the modem is an integrated modem/router. A simple dumb modem typically need no special configuration. You can just connect the modem into your Internet gateway device. If the modem is an integrated modem/router, then you need to confirm further issues like bridge/route mode, NAT/PAT active, and so on.
Connecting Router or Firewall To Your ISP
Followings are most common network scenarios for each ISP connection type
1. T1/E1, Point-To-Point, or Frame Relay
* use a router with either internal or external DSU
* receive static IP address with specific subnet mask from ISP
* the ISP static IP address may be a public IP address (Internet routable) or may be a private IP address (non-Internet routable)
* may or may not receive ISP DNS IP address
2. DSL
* use a router or firewall with either internal or external DSL modem
* When using a Cisco router with internal DSL modem, there might be a need to have interface BVI1 activated and to set VPI/VCI value for the ATM interface
* When there is no internal DSL modem, you should not need BVI interface
* receive either static or dynamic IP address with specific subnet mask from ISP
* the ISP IP address is a public IP address (Internet routable)
* ISP assign the IP address by either PPP (PPPoE or PPPoA), DHCP, or static
* may or may not receive ISP DNS IP address
2.1 When ISP uses PPP
* When you use Cisco router as the ISP gateway, there is a need to have interface Dialer1 activated
* You need to tie the WAN port interface with the interface Dialer1
* Under the interface Dialer1, there is a need to have either "ip address x.x.x.x y.y.y.y" (statically assigned) or "ip address negotiated" (dynamically assigned)
2.2. When ISP uses DHCP or static
* When using a Cisco router with internal DSL modem, there might be a need to have either "ip address x.x.x.x y.y.y.y" (statically assigned) or "ip address negotiated" (dynamically assigned) under the interface BVI1
* You might be required to set specific MAC address under the interface BVI1
* When you do use interface BVI1, you need to tie the WAN port interface with the interface BVI1
* When the router has no internal DSL modem, then the IP address assignment (either statically or dynamically) should be under the ISP-facing Ethernet interface
* Should you need to set specific MAC address and there is no internal DSL modem, the MAC address should be under the ISP-facing Ethernet interface
3. Cable Internet
* use a router or firewall with either internal or external cable modem
* receive either static or dynamic IP address with specific subnet mask from ISP
* the ISP IP address is a public IP address (Internet routable)
* You might be required to set specific MAC address under the WAN port interface (interface cable0 or Ethernet interface)
* may or may not receive ISP DNS IP address
4. ISDN
* use a router with either internal or external ISDN modem
* receive either static or dynamic IP address with specific subnet mask from ISP
* the ISP IP address is a public IP address (Internet routable)
* may or may not receive ISP DNS IP address
* since ISDN uses PPP, also check on part of "2.1 When ISP uses PPP"
Find out your suitable WAN connection type
Usually you already know that your LAN is Ethernet environment. But do you know what WAN environment you would have? Is it T1/E1, DSL, PPPoE, PPPoA, DHCP, or what?
The only people who know what your WAN environment would be is your ISP. Please consult with your ISP representative regarding the connection type. Usually when you are a new customer, your ISP would provide you necessary info of how to connect your LAN to the Internet; either by mail, email, or phone.
Keep in mind that the ISP provided info might not be as technical or unclear. Here is a suggestion. Document all info provided here in this FAQ. You then consult the WAN connection type with your ISP representative. Ask the representative to find out which WAN connection type provided here that would match.
Some key words you need to discuss with your ISP representative are followings:
* Physical (Layer 1) connection: T1/E1, ISDN, DSL, Cable Internet
* Modem existence: external or internal modem
* Layer 2 connection: PPPoA, PPPoE, DHCP, Static IP addresses
* IP Address Assignment: Which IP address must be the gateway; which should be host
* NAT/PAT: Is it possible to use gateway (router) IP address to go out to the Internet using PAT?
* DNS IP addresses: Which are they? How do you use them on your system?
If your representative is not technical enough, ask to speak with one of their technical person. This way, you would be sure you have necessary info on how to connect your LAN to the Internet.
As an insight, following is some technical aspect description of DSL and Cable Internet
»Cisco Forum FAQ »Technical Aspects in xDSL/Cable Internet connection
Preparing Yourself before discussing with ISP representative
Before contacting your ISP, you need to understand your system you plan to use. This system is including your Internet gateway (router or firewall), servers, workstations, and all other hosts. Familiarize yourself with the router or firewall innerworking and features, as well as the operating system of your workstations, servers, and all other hosts. The key technology to familiarize with is how to setup network using DHCP, PPP (PPPoA/PPPoE), and static IP addresses on your system.
As to the router and firewall, it is suggested that you to be comfortable around various WAN connection type and deployment. Review router and firewall sample configuration of all WAN connection type; from DHCP, PPP, to static IP address. Eventhough your ISP would be using DHCP and not PPP for example, it is a good idea to be familiar on both to understand similarities and differences between the two technologies.
Check out the following FAQ for further info regarding DHCP, PPP, dynamic, and static IP address
»Cisco Forum FAQ »Between DHCP, PPP, Dynamic, and Static IP Address
Following is the sample configuration list of specific WAN connection type for further review. The sample configuration covers most common WAN connection type such as T1/E1, cable Internet, DSL, external and internal modem, PPPoA, PPPoE, DHCP, and Static IP. It also cover multiple platforms; from routers of various model to PIX Firewall or ASA.
Various PPPoE/PPPoA/DHCP/Static Sample Configuration with Cisco
Most of all sample configurations are written in CLI (Command Line Interface) and not in a Web GUI. In case you are not familiar with CLI, following FAQ is showing CLI introduction.
»Cisco Forum FAQ »The most straight-forward way to configure Cisco router: Introduction to CLI
»Cisco Forum FAQ »Straight-forward way to configure Cisco PIX Firewall/ASA: Introduction to CLI
By reviewing all of your system innerworking in advance, you are better prepared; which would make the ISP WAN connection type and deployment discussion process with their representative go smoother.
Deployment Process
When you are ready to do the actual deployment, you can check out the following FAQ for insights
»Cisco Forum FAQ »I do not understand subnetting?
»Cisco Forum FAQ »Choosing Gateway IP Address for a network
»Cisco Forum FAQ »NAT and PAT; Introduction and Implementations
»Cisco Forum FAQ »Network Design Tips
»Cisco Forum FAQ »Setting Up Private Site-To-Site Connections
 show feedback form
 close
by aryoba
last modified: 2008-01-30 14:16:17 | | | Prerequisite reading:
»Cisco Forum FAQ »Things to expect when setup network for home or small business
When you decide to have Broadband Internet access using xDSL (i.e. ADSL, SDSL) and Cable Internet, you most likely will deal with following aspects
* To use either a router or a firewall as the Internet gateway
* Layer-1: using either internal or external modem; Category 5/6 cable extension
* Layer-2: PPP (PPPoA, PPPoE); MAC address for DHCP
* Layer-3: auto-negotiate or static WAN IP address
Following are some details.
PPP
When you are using xDSL, ISDN, or T1/E1 circuits, you probably will be dealing with PPP technology. In a nutshell, PPP is Layer-2 technology providing connectivity to remote user (PPP client) to server (PPP server) using specific username and password. In this case, the PPP client is your Internet gateway (either router or firewall) and the PPP server is the ISP.
Typically you need a router as the PPP client. Specifically with PPPoE, you could use a firewall. However for PPPoA or legacy PPP, you need a router.
DHCP
When you are using either xDSL or Cable Internet, you probably will be dealing with DHCP technology. In a nutshell, DHCP is a mechanism that providing IP address and subnet mask dynamically to specific machine that needs one. In this case, the machine is your Internet gateway (either router or firewall) which will be the DHCP client and the DHCP server is at the ISP network.
Typically you could use either router or firewall as DHCP client. Unlike PPP that uses username and password to connect, DHCP process might require certain MAC address to connect to the ISP.
Following FAQ is some info on PPP, DHCP, and Static IP address assignment
»Cisco Forum FAQ »Between DHCP, PPP, Dynamic, and Static IP Address
Between Internal Modem and External Modem Usage
When you use an external modem, your Internet gateway might receive Ethernet hand-off. This is applicable when you use a firewall or a router without integrated modem. From practical perspective, you then only need to configure the Layer-2/Layer-3 aspect on the Internet gateway. For PPP, in general you only need to configure the username, password, and authentication method. For DHCP, in general you only need to verify that your Internet gateway MAC address is on the ISP database.
There are some things you need to confirm whether you use external or internal (integrated) modem. Some examples are your ISP DSL signaling type, bridge mode configuration, and VPI/VCI value settings when you use xDSL service. Fortunately, you may not need to worry about this when you use the "ISP-approved" external modem since those settings are pre-configured. Note that the keyword is "may".
When you use a router with integrated DSL modem for xDSL service, your integrated modem/router may not be the "ISP-approved" xDSL equipment. Note that even though the router is not "ISP-approved", doesn't necessarily mean that the router won't work.
In any case (either using integrated modem or external modem; "ISP-approved" or "ISP-non-approved"), you need to verify the Layer-1/Layer-2/Layer-3 aspects. As illustration, you need verify things like DSL signaling and ATM VPI/VCI value in addition of the username, password, and authentication method.
One good thing about using integrated modem within a router is that you can see Layer-1/Layer-2/Layer-3 aspects on one device which is the router itself. When you use an external modem, then you need to confirm two device configurations which are the external modem and the router.
Some Troubleshooting Insights
Following are some discussions of troubleshooting Layer-1/Layer-2/Layer-3 issues
»[HELP] How to read dsl interface
»What do these sh dsl int atm0/0 - atm0/1 mean ??
»[HELP] Cisco 1721 and WIC-1ADSL Slow, 320Kbit
»Frequent disconnects with 1801
»[HELP] Cisco 857W and Qwest
»[Config] Fun with Cisco 1720 WIC-1ADSL, WIC-1ENET and Cisco PIX
For more info on Layer-1 xDSL troubleshooting, you can always visit the DSL forum FAQ such as this
»SBC DSL FAQ
For more info on Layer-1 Cable Internet troubleshooting, you can always visit the Cable Internet forum FAQ such as this
Cable Modem General Info
Cable Modem Troubleshooting
show feedback form
close
by aryoba
last modified: 2008-06-14 05:22:00 | | | Suggested prerequisite reading
»Cisco Forum FAQ »Things to expect when setup network for home or small business
When you are using ISP to connect to the Internet, most likely you will be dealing with DHCP, PPP, dynamic, or static IP address assignment (whether you are aware or unaware of it).
Let's say you have to configure Cisco router Ethernet 0 interface to have specific IP address. Then the following is illustration on how to configure the IP address.
1. Assign IP address by DHCP
interface Ethernet0
ip address dhcp
2. Assign IP address by PPP
interface Ethernet0
ip address negotiated
3. Assign IP address statically
interface Ethernet0
ip address xx.xx.xx.xx yy.yy.yy.yy
where xx.xx.xx.xx is the IP address and yy.yy.yy.yy is the subnet mask
In early days; DHCP and PPP were used to dynamically assign IP address to hosts. However with additional features, it is technically possible to assign "static IP address" via DHCP and PPP. By referring to specific MAC address of a host, the host is always receiving the same IP address via DHCP. By referring to specific username and password, a host is also always receiving the same IP address via PPP.
Why would your ISP use DHCP or PPP to "statically assign" IP addresses to their customer and not use the traditional way of statically assign IP addresses? Probably it is simpler from their network administration point of view. Whatever the reason is, you have to choose the most appropriate way to assign your ISP IP address and experience with the tip and tricks when you need to access the Internet using your ISP.
Assign Your Internet Gateway's IP Address
In term of configuring your Internet gateway's IP address, you need to consult with your ISP as to how exactly they assign IP address to your device.
When your ISP says the IP address would be assigned dynamically, you need to confirm the followings
* if they use DHCP or PPP (or PPPoE/PPPoA) technology to assign the IP address
* if they use PPP, confirm the username and password for the PPP authentication process
* if they use DHCP, confirm if the ISP lock down your IP address with specific MAC address
* if the IP address is always the same everytime or constantly changing
* assuming the IP address is changing, how frequent the change takes place and which event will trigger the change
When your ISP says the IP address would be static, you need to confirm the followings
* if they use DHCP or PPP technology to assign the IP address
* if the IP address might change
* assuming the IP address is changing, how frequent the change takes place and which event will trigger the change
Important Note:
Make sure that when you discuss this with your ISP representative, the representative is the technical person who knows what he or she is talking about. You don't want to get misinformed since you might not be able to access the Internet when you don't have the correct info.
Static IP without DHCP or PPP
If your ISP says "No DHCP, No PPP. It is static"; then it might mean that you have to statically configure your Internet gateway device with your assigned IP address. On Cisco router, you should then use the "ip address xx.xx.xx.xx yy.yy.yy.yy" command.
Check out this forum's FAQ for specific sample configuration of Cisco router with statically-assigned IP address
»Cisco Forum FAQ »How can I configure broadband router with cable/dsl using static IP address
Static IP with DHCP
When your ISP uses DCHP to "statically assign" your Internet gateway device, then from device perspective it is still DHCP (still somewhat dynamic IP address with "sticky IP" approach). To configure your Cisco router, you then still need to use the "ip address dhcp" command under the ISP-facing interface.
Check out this forum's FAQ for specific sample configuration of Cisco router as DHCP client.
»Cisco Forum FAQ »Configure router as DHCP client using external modem
Dynamic IP with DHCP
From DHCP client perspective, there is no difference between "static" and dynamic IP address assignment. As mentioned, "statically assigned" DHCP-based IP address is still dynamic process. Therefore you can use the same above FAQ for specific sample configuration of Cisco router as DHCP client when you only have dynamic IP address from your ISP.
As a note, the difference between DHCP-based static and dynamic IP address is probably the ISP requirement to lock down your Internet gateway device MAC address to a specific IP address. Although it is possible that the ISP administer MAC address lock down for both dynamic and static IP account customers due to network management simplicity. Check out the following thread for insight.
»[help] 851W and ISP DHCP
Dynamic IP with PPP
In general, your ISP usually supplies username and password for the PPP authentication process. Once your Internet gateway device successfully establishes PPP connection with your ISP (pass the Layer-2 process), then your device will deal with the IP address assignment issue (the Layer-3 process).
Under normal PPP-IP network environment, dynamic IP address assignment will require the "ip address negotiated" command under the ISP-facing interface on Cisco equipments. With static IP address, you need to use the "ip address xx.xx.xx.xx yy.yy.yy.yy" assignment on Cisco router. However there might be exception for certain ISP. If you have a static IP with PPP, read the next discussion.
Check out this forum's FAQ for specific sample configuration of Cisco router as PPP client
»Cisco Forum FAQ »Quick Guide of Configuring Cisco router for PPPoE using external modem
Static IP with PPP
When your ISP uses PPP to "statically assign" your Internet gateway device, then you may experience some unusual situation. To configure a Cisco router, you need to use the "ip address xx.xx.xx.xx yy.yy.yy.yy" command under the ISP-facing interface in normal static IP address environment. However for some ISP, you need to use the "ip address negotiated" command under the ISP-facing interface.
If you are in this situation, then you might try to use the 1st approach (the "ip address xx.xx.xx.xx yy.yy.yy.yy" command) and see if you are able to host public servers or establish VPN IPSec tunnel with remote end. If your public server is inaccessible from the Internet or you are unable to establish VPN tunnel, then try the 2nd approach ("ip address negotiated" command) and see if it makes any difference. When the 2nd approach works, then the 2nd approach is considered the most appropriate way to assign IP address to your ISP-facing interface.
Like the DHCP, static and dynamic IP address assignment in PPP-IP environment is using similar configuration. Therefore you can refer to the previous sample configuration of Cisco router as PPP client in static IP address assignment.
Additional Sample Configurations
For more sample configurations, check out the following FAQ
Various PPPoA/PPPoE/DHCP/Static Sample Configuration with Cisco
show feedback form
close
by aryoba
last modified: 2008-01-04 09:18:58 | | | Communications between internal sites within the same organization is preferred to be delivered in a form of secure or private connection, which ride over some circuit. The circuit could be in the form of dedicated circuit or broadband circuit such as DSL and Cable Internet.
Dedicated Circuit
Dedicated Circuit is a circuit to provide private dedicated connection between two sites or more. In other word, no other organization will use this circuit since it is dedicated to only one organization among its all sites end to end.
Following is the most common dedicated circuit type
1. T1/E1, DS-3
2. ISDN
3. Frame Relay
4. Fiber: OC-X, Metro Ethernet, SONET Ring, DWDM
To have this circuit, usually organization contact its preferred ISP to setup one. The organization could choose to use the ISP network as "intermediate network" between organization sites, or choose to have direct connection between sites bypassing ISP network.
Using T1/E1 circuit for such direct connection for example, the circuit would be some type of leased line; point to point between two sites. When there are more sites to connect, usually organization would use the ISP network at some point to reduce cost and to be more manageable.
This kind of connection technology is considered "top of the line" since it is the most reliable connection (at least for most of the time) compared to broadband connection such as DSL and Cable Internet. This nature requires the organization to pay premium maintenance cost compared to the broadband connection.
Wireless
In some situations, using wireless technology (i.e. microwaves) to provide private site-to-site connection is a good approach. Typically following are the situations that make wireless deployment is a "no-brainer" solution.
• Distance between all sites are pretty closed to each other
• Line of sight (LOS) between antennas are not blocked. In other words; neither trees, hills, mountains, nor buildings are between sites
• You need "unlimited" bandwidth with limited time and budget constraints to deploy
• "Little service abruption" is acceptable
VPN (Virtual Private Network)
With today's virtual communication technology, one organization could use some form of VPN (Virtual Private Network) to provide private and secure site-to-site connection.
Using VPN, connection between two locations could ride over public network (i.e. The Internet) while keep maintaining secure or private connection. This is done by creating logical or virtual connection between the locations that ride over any physical circuit.
There are several technology to set such connection
1. HTTPS/SSL
2. IPSec
3. MPLS
Following is the breakdown.
HTTPS/SSL-based Approach
One factor that contributes to decisions of setting up private or secure connection for internal communications is depending on the application, such as the file transfer and email. Let's say your organization uses web-based email or any web-based application accessible using your Internet browser (such as Internet Explorer, Netscape, or Mozilla) for site inter-communication. When this is the case, then one way of setting up private connection is to utilize HTTPS/SSL-based connection over the Internet.
HTTPS/SSL-based connection is basically HTTP (web) communication that can ride over any connection, including the Internet (public network) via any ISP while still maintain secure and private environment. By utilizing this HTTPS/SSL-based technology approach, any organization sites only need basic Internet connection without require special network setup.
Note that HTTPS/SSL-based network over the Internet only works when all necessary applications within the organizations are web-based applications. Some applications cannot be accessed simply by using Internet browser. For example, you cannot use Internet Explorer (as the Internet browser) to map share drives in Active Directory Microsoft network.
When remote users need to access these applications, then HTTPS/SSL-based approach will not work. To make it work, there would be a need to have network-layer connection technology approach (by go lower to OSI Layer 1 to 3) to setup such secure or private connections.
Using network-layer connection technology approach, any application (web or non-web based) will work since this approach is more general and not depended by specific application types.
IPSec Approach
Both IPSec and HTTPS/SSL technology are VPN connection. They both create encrypted data connection ("tunnel") between two sites. The difference is that HTTPS/SSL is web (OSI Layer 7) approach and IPSec is network (OSI Layer 3) approach.
As mentioned, IPSec VPN is capable of supporting web or non-web applications since it is using network-layer connection technology approach. Example of non-web application is accessing data in Microsoft Active Directory network share drives.
Note:
Both IPSec and HTTPS/SSL VPN technology is also applicable to remote users connecting to office temporary as following description.
Within an organization, there is probably at least one employee that is always "on the run" and need to access work remotely from anywhere. Sometime this type of employee is called "road warrior". There are also other type of employees that need to access work remotely from home, hotels, or any place from time to time.
The nature of such connection need is temporary access, where access is available only when it is needed. When the access is not needed anymore, the access could be closed or removed.
For this nature of remote access, either IPSec or HTTPS/SSL VPN should be a good choice to provide private and secure connection to office/sites; since these VPN technology create "temporary tunnel" between the office and remote users or sites to provide necessary data passing between the locations. When there are no more data passing, the tunnel will be removed.
On implementation, the employees (remote users) could go to the nearest Internet cafe or could use public wireless network to establish IPSec tunnel or HTTPS/SSL to office for work; assuming the employees have necessary tools or equipments.
Between Broadband and Dedicated Circuit
For most small organizations, broadband connection such as DSL and Cable Internet are preferred instead of having dedicated point-to-point circuit due to financial constraint. To provide the private and secure site-to-site connection, such organizations would utilize HTTPS/SSL, IPSec, or both technology.
As illustration, there is a small organization that has two sites. One site has DSL and another has Cable Internet connection. To provide a private an secure site-to-site connection, the organization has a choice to deploy T1 circuit to connect the two sites. Another choice is to deploy IPSec VPN tunnel between sites where each site utilizes the existing broadband connection.
Since the T1 circuit is "more expensive" than the DSL or Cable Internet, the organization then chooses to deploy the second choice. Keep in mind that DSL and cable Internet have lower SLA compared to the dedicated circuit. When the broadband connection is down, the ISP response time will be longer than the dedicated circuit ISP response time.
In addition, these VPN technology could be down "by itself" without obvious reason. Using dedicated circuit, in general the connection is more stable.
MPLS
MPLS is OSI Layer-2/3 VPN approach which is using dedicated point-to-point circuit between organization site to its ISP. Unlike the previous Dedicated Circuit network, MPLS will use the ISP public network that ride over ISP IP-based network devices without deal with the customer IP information. In other word, MPLS approach is somewhat between the Dedicated Circuit approach and IPSec VPN approach.
Generally speaking, ISP network will handle the VPN aspect and use the ISP public network securely and privately; which will be transparent to the organization (the ISP customer) sites. Using MPLS, site-to-site connection is pretty much like the previous dedicated site-to-site connection between sites from the organization perspective.
Network-Layer Site-to-Site Connection Approach
The network-layer site-to-site connection approach refers to IPSec VPN, Dedicated Circuit, and MPLS technology. As mentioned, this network-layer approach is needed to provide connection to the remote sites for any application type including non-web-based applications.
The next discussion will relate to considerations of having such site-to-site connection. Note that these considerations apply to site-to-site connection and do not apply to road-warrior-to-site connection.
Network Topology
When there are only two sites to communicate, the site-to-site connection setup should be just a straight point-to-point. When there are more sites to communicate, there are further considerations to review.
One of the consideration is the network topology. Most common site-to-site network topology setup for three sites or more as follows
1. Full Mesh
2. Hub and Spoke
3. Partially Mesh
Full Mesh
With Full Mesh connection, each site has dedicated connection to each other site as follows:
Site A --- Site B
| \ / |
| \ / |
| \ / |
| X |
| / \ |
| / \ |
| / \ |
Site C --- Site D
Typical organization that employ this connection is organization that has small number of branches or sites with relatively low data throughput.
When the organization has dedicated point-to-point circuits, then there will be (let's say) multiple dedicated T1 connections between sites. Reviewing illustration above, there will be three T1 from one site to others; which make the total of six T1 circuits. When the organization had dedicated VPN tunnels, there will be a total of six tunnels which each site has three tunnels to others.
Since each site has dedicated connection to each other, there will be no single point of failure. If one site is down, other sites still have connections within themselves.
However this kind of setup is considered high cost to manage when number of sites grow and/or larger data throughput are pushed down. With more sites, there will be more dedicated connections to each additional sites.
With dedicated circuits, then there will be more circuits to setup at each site which may be financially prohibitive. With VPN tunnels, then there will be more tunnels to setup which may consume too much VPN device resources such as CPU and memory.
Hub and Spoke
With Hub and Spoke connection, each site will only have a single connection to one central site. This central site then has multiple connections to each other site as follows
Site A
|
|
Site B ---- Site Z ---- Site C
|
|
Site D
Site A to D are called "spoke" and Site Z is called "hub". Note that some people refer this setup as "star topology".
Usually medium to large organizations have this setup. The hub is usually the corporate office and the spokes are branches, smaller offices, or remote offices.
When the organization uses dedicated circuits, there is only a single circuit needed to connect any other sites. With VPN tunnels, the VPN device resources are not consumed much compared to the Full Mesh setup.
The down side is that there is a single point of failure at Site Z (the central site). When this site is down, then all other sites lose connections.
Partially Mesh
Reviewing the two previous setup, you may wonder which the feasible setup that has no single point of failure but not cost prohibitive. The answer is probably the Partially Mesh setup.
With Partially Mesh setup, there will be not much existing connections like Full Mesh; and no single point of failure like Hub and Spoke. Following is illustration.
+------------------+
/ Site A | Site D --------+
/ / \ | / |
/ / \ | / |
Site B --- Site Y ---- Site Z --- Site E |
/ | | \ / \ | |
/ | | \ / \ | |
| | | Site C Site F | |
| | | | | |
| | +--------------+ | |
| | | |
| +------------------------+ |
| |
+---------------------------------+
The Site Y and Site Z are the "hubs". Site A to F are "spokes" to both Site Y and Site Z.
This setup is the preferred one on medium to large organizations. The both hubs are usually two large offices. The spokes are branches, smaller offices, or remote offices.
IP Routing
With either Point-to-Point, Hub and Spoke, Full Mesh, or Partially Mesh network setup; IP routing should be used to interconnect all sites. With this in mind, each site has its own subnet. Router will be used to interconnect sites.
Specifically for IPSec VPN, you could consider to have the router to terminate the VPN tunnel. You could also consider using dedicated VPN box such as firewall or VPN concentrator to provide the VPN tunnel; and use router only to interconnect sites.
Combination of Point-to-Point and Partially Mesh
As mentioned, traditional connection between two sites is just a single point-to-point. However it is possible to have redundant (multiple) point-to-point connection between two sites to provide automatic failover and/or load balance mechanism; where each connection has its own circuit on each site.
Following is the illustration. Let's say there are two sites that have two redundant point-to-point connections between each other. One site has a dedicated point-to-point T1 circuit to the other site and DSL connection. Another site has the other end of dedicated point-to-point T1 circuit and Cable Internet connection. Between the DSL on one site and Cable Internet on the other site, there is a IPSec VPN tunnel connecting the two sites as alternate path of the T1.
With such automatic failover and/or load balance mechanism in mind, following setup could be in place as well.
• Redundant connections between two Hubs in Partially Mesh network
• Redundant connections between one Hub and one Spoke
When there are redundant connections, it means there are multiple path between two sites. Note that with Full Mesh and Partially Mesh network, there are also multiple path between two sites. For such multiple path, dynamic IP routing should be deployed to optimize connections. In addition, packet-based or destination-based load balancing could be considered as well. With hub and spoke setup, static routing should be sufficient.
Starting to Design the Network
When you start designing the network, several aspects come into play
• Circuit choice
• IP address or subnet to use
• Routing protocol to provide connection
Typical network design for site-to-site connection from circuit choice perspective are following
• Dedicated circuit between sites; either uses private point-to-point, frame relay, or MPLS
• Dedicated circuit between sites as primary connection and IPSec VPN tunnel between sites as alternate connection
• IPSec VPN tunnel between sites
For small organizations, it is probably preferable to have full-mesh site-to-site VPN using broadband connection (DSL or Cable Internet) at each location. For simplicity, it is suggested to use the same ISP to provide the broadband connection at all sites. As illustration, all sites could be using Cisco ASA 5505 with 3MBps Cable Internet connection to have the full-mesh site-to-site VPN.
When you choose to have partially mesh or hub and spoke setup (either the circuit or VPN), make sure that the hub has large bandwidth and powerful network device to handle data throughput from other sites. As illustration, the hub could be using Cisco 3825 router with DS-3 circuit where spokes could be using Cisco 1841 router with 1.5MBps DSL connection to have hub-and-spoke site-to-site VPN.
Note:
For more info on Cisco equipment performance, check out the following FAQ
»Cisco Forum FAQ »Cisco Equipment Performance (per pps and Mbps)
Following is illustration. Let's say you decide to use the second choice where there are dedicated circuits between sites as primary connection and IPSec VPN tunnel over the Internet between sites as alternate connection. To start designing the network, you may start to question yourself these and go from there.
• Do you need dedicated equipment for Internet gateway and another for private site-to-site connection?
• Which is the suitable routing protocol to set dedicated circuit as primary connection and to set IPSec VPN tunnel as alternate connection?
• Is there possibility of site-to-site interconnectivity without going over IPSec VPN tunnel eventhough the connection goes over the Internet?
• Which IP address or subnet to use, Private or Public IP address?
• Will there be a NAT/PAT process in place?
• How much budget to spend to cover everything (equipments, circuits, infrastructures, etc.)
• How much connection downtime you can tolerate
• How much data throughput travel across each connection
• How long it takes to test the new network setup
• How immediate you need to have "live" network
Next discussions will view other important aspects.
Network Device Choice
When the organization chooses to use dedicated circuits to have private site-to-site connections, usually the network device would be either router or layer-3 switch where the WAN port would match the circuit specification.
Let's say the circuit would be Frame Relay and the organization selects Cisco router for all sites as the network device. You would use the router WAN port to connect to the Frame Relay circuit. This WAN port should be something like WIC T1 or E1 for internal DSU/CSU or WIC 1T for external DSU/CSU.
If the circuit is Gigabit Ethernet for example, then the network device could be a router or layer-3 switch. In Cisco world, the router could be something like 2821 model; and the layer-3 switch could be something like Catalyst 3750 switch.
When VPN connection is selected to provide the private site-to-site connection, there are also multiple network device alternatives such as router, layer-3 switch, firewall, and VPN concentrator. For small businesses, typical choices are firewall and router. In Cisco world, the firewall is ASA 5500 series and the router is 800 series or higher.
Whichever network device chosen, it is suggested to have the same brand for all of them. When you decide to use Cisco equipments let's say, then all sites should also use Cisco as the network device peer. In theory, multi-vendor equipments are inter-operate-able. However in practice, there are sometime unexpected behaviors when establishing connections between multi-vendor equipments. With single-vendor equipment, network behaviors are more predictable and controllable, leads to more stable network.
Another aspect of having the same-vendor equipments throughout the organization is network administration simplification. Network administrators could concentrate to only a single brand to administer. You don't have to deal with multi vendor when it comes to the network device technical or customer support. You might even receive discounts when you have device large volume number from the same single vendor.
Note:
To guide you in choosing the proper Cisco equipment, check out the following FAQ
»Cisco Forum FAQ »Which Cisco router, switch, VPN, firewall, or else is right for my situation?
Internal and External Connections
All the site interconnections such as file transfer between sites are considered internal connection. External connection is a connection to an outside world, such as connection to server located at the Internet or at external site; or Internet browsing.
For internal connections, the traffic should take the private connection. For external connections, there are multiple choices to consider. One way is to go directly out off the site to the external site. Another way is to go through other internal site before going out to the external site.
Let's review the following situation. Let's say one remote office need to have the updated Microsoft Windows patches. To retrieve the patches, there are several choices. One is to go directly out to the Internet, access the Microsoft sites, and download patches. Another way is to go to central office where the central office run a server that provide updated patches.
For small organizations, usually the preferred way for the remote office to receive the patches is by going directly out to the Internet to retrieve patches. However some situations require the remote office to access the central office's server to retrieve patches.
Should the organization have this second situation, there would probably a need to configure remote office network device to direct traffic to the central office's server for remote office upgrade patch need; and block any attempt from remote office to access the Internet directly to retrieve patches. With this situation, the network is considered more secure since the traffic is more controllable.
Remote Site and Internet Access
As previously mentioned, some situations require remote office to access central office before accessing external sites. However situation such as Internet browsing could not require central office access from remote office perspective. The remote office could just go out to the Internet for Internet browsing.
A good side of accessing the Internet directly without going through central office is that the central office bandwidth is not bogged down by the remote office's Internet traffic. The central office bandwidth then can be conserved for strictly internal access such as file sharing.
The down side of this approach is that the central office probably has no or minimum control of remote office's Internet access activities. Without such control, there is possible security risk or improper use of Internet access such downloading illegal software or virus/worm attack without the central office approval. Therefore for larger organizations, all traffic from remote offices including Internet access must go through central offices for data traffic management, including traffic policing at all sites. Note that from network security and network management perspective, traffic policing at all sites might be considered necessary eventhough it could create network administrative burden.
Keep in mind that it is possible to have the same level of control of remote office Internet access activities as the central offices when those remote offices have their own local Internet connection. With this kind of setup, the organization then has to control multiple Internet connection that are spread among multiple sites (both central and remote offices). Any type of control that take place in central offices must take place in remote offices as well. This is also a common practice for larger organizations. Note that this kind of remote office control might mean additional investment on each remote office to duplicate or to mimic central office.
Whichever the preferred setup, the network administrator should consider the trade offs between the two setup choices. For small business, direct Internet access from remote offices could be the preferred choice. When the organization is concerned more on the network security, then the organization might consider the second setup choice.
IPSec VPN and Internet (External Connection) Access
Let's say an organization permit their remote offices to go out to the Internet directly without going through central office. Typically there would be two separate connections at the remote office. One is to serve the internal access and another is to serve the Internet access.
Specifically for organizations that use IPSec VPN connections to serve the site inter-communication, there should be some kind of split tunneling to provide the separate connections between the Internet access and internal access. For Internet access, typically PAT (Port Address Translation) is used to bridge Private Subnet used in internal network (LAN) and the Internet. Using PAT; application traffic that use the most common IP protocol such as TCP, UDP (and ICMP) from local LAN are PAT-ed to the Public IP address.
Let's review the IPSec VPN tunnel setup requirement. IPSec tunnel would use IP Protocol 50 (ESP) or 51 (AH) to setup the VPN tunnel. Unlike TCP and UDP, ESP and AH have no concept of port numbers; hence in theory, these security protocols cannot be PAT-ed.
Should the organization permit remote offices to go out to the Internet directly and the organization deploys VPN tunnel to serve internal access; then each site should have at least two Public IP addresses. One IP address would serve the Internet access (to be PAT-ed as many as needed) and another IP address would be reserved for the VPN peer to other sites (or for any IP protocols that are un-PAT-able).
For small business, it is probably preferable to have each site having those two Public IP addresses assigned to the same gateway (or peer) network device, which then the traffic will ride over the same circuit. For medium or large business that quite large number of sites, each Public IP address could reside at different network device and could ride over different circuit.
Name Resolution
In sharing files between sites, the organization might use DNS server to resolve name to IP addresses. When the organization deploys Microsoft network, then there might also be WINS server in addition to the DNS server.
Let's say the organization permit remote office to go out to the Internet directly without going through the central office. The preferred way is to have the remote office to use the local ISP DNS server to reach the Internet sites. For internal access, the remote office uses internal DNS server to reach internal servers. The unwanted setup is to have the remote office to use the central office's internal DNS server to access the Internet since it will bog down the central office's bandwidth.
To have the preferred way, there are alternatives to setup the DNS/WINS servers at remote offices. One way is to setup local DNS/WINS server at each remote site. With this setup, any traffic (internal or external traffic) from remote office will use the local DNS/WINS server. The central office's DNS/WINS servers will be used only if the traffic are internal. When the traffic are external, only ISP DNS server will be used. The external traffic from remote office will never go through the central office. The down side is that this setup is probably cost prohibitive, not to mention network administration prohibitive.
Another way to setup is to assign multiple DNS/WINS IP addresses at remote site hosts. Assign both central office's DNS/WINS servers and also assign the remote site's local ISP DNS IP addresses to all remote site hosts. In addition, there might be a need to create traffic filtering on the remote office's network device to allow name resolving traffic to use central office's DNS/WINS server only when the traffic are internal; and to block attempted central office's DNS/WINS server access for external traffic. Similarly, there would be traffic filtering to allow name resolving traffic to use the local ISP DNS IP address only when the traffic are external. With this setup, there should be no need to deploy DNS/WINS servers at each remote site to provide name resolving and still be able to avoid central office bandwidth bogged down by the remote office's external traffic.
Real Network Illustration
Check out the following threads for illustration
»IPsec help 1811
»[HELP] BGP Failover to IPSEC
»How to Loadshare between a E1 LInka nd Ebgp(MPLS) Link
Deployment Process
Check out the following FAQ for following topics in network design
1. Between Hub and Spoke, Full Mesh, and Partially Mesh
»Cisco Forum FAQ »Tips in Designing Network on Hub-and-Spoke, Full-Mesh, or Partially-Mesh setup
2. VPN
»Cisco Forum FAQ »Between GRE/IPSEC and IPSEC VPN tunnels
»Cisco Forum FAQ »Site-to-Site IPSec VPN: Cisco to Cisco and Cisco to Non-Cisco
»Cisco Forum FAQ »Private Routing over VPN: GRE over IP Sec
show feedback form
close
by aryoba
last modified: 2008-04-16 15:25:19 | | | Suggested prerequisite reading
»Cisco Forum FAQ »The most straight-forward way to configure Cisco router: Introduction to CLI
CCNA level Cisco Commands and Descriptions
? Gives you a help screen
0.0.0.0 255.255.255.255 A wildcard command; same as the any command
access-class Applies a standard IP access list to a VTY line
access-list Creates a list of tests to filter the networks 9
any Specifies any host or any network; same as the 0.0.0.0 255.255.255.255 command
Backspace Deletes a single character
bandwidth Sets the bandwidth on a serial interface
banner Creates a banner for users who log into the router
cdp enable Turns on CDP on an individual interface
cdp holdtime Changes the holdtime of CDP packets
cdp run Turns on CDP on a router
cdp timer Changes the CDP update timer
clear counters Clears the statistics from an interface
clear line Clears a connection connected via Telnet to your router
clear mac-address-table Clears the filter table created dynamically by the switch
clock rate Provides clocking on a serial DCE interface
config memory Copies the startup-config to running-config
config network Copies a configuration stored on a TFTP host to running-config
config terminal Puts you in global configuration mode and changes the running-config
config-register Tells the router how to boot and to change the configuration register setting
copy flash tftp Copies a file from flash memory to a TFTP host
copy run start Short for copy running-config startup-config; places a configuration into NVRAM
copy run tftp Copies the running-config file to a TFTP host
copy tftp flash Copies a file from a TFTP host to flash memory
copy tftp run Copies a configuration from a TFTP host to the running-config file
Ctrl+A Moves your cursor to the beginning of the line
Ctrl+D Deletes a single character
Ctrl+E Moves your cursor to the end of the line
Ctrl+F Moves forward one character
Ctrl+R Redisplays a line
Ctrl+Shift+6, then X (keyboard combination) Returns you to the originating router when you telnet to numerous routers
Ctrl+U Erases a line
Ctrl+W Erases a word
Ctrl+Z Ends configuration mode and returns to EXEC
debug dialer Shows you the call setup and teardown procedures
debug frame-relay lmi Shows the lmi exchanges between the router and the Frame Relay switch
debug ip igrp events Provides a summary of the IGRP routing information running on the network
debug ip igrp transactions Shows message requests from neighbor routers asking for an update and the broadcasts sent from your router to that neighbor router
debug ip rip Sends console messages displaying informa-tion about RIP packets being sent and received on a router interface
debug ipx Shows the RIP and SAP information as it passes through the router
debug isdn q921 Shows layer-2 processes
debug isdn q931 Shows layer-3 processes
delete nvram Deletes the contents of NVRAM on a 1900 switch
delete vtp Deletes VTP configurations from a switch
description Sets a description on an interface
dialer idle-timeout number Tells the BRI line when to drop if no interesting traffic is found
dialer list number protocol protocol permit/deny Specifies interesting traffic for a DDR link
dialer load-threshold number inbound/outbound/either Sets the parameters that describe when the second BRI comes up on an ISDN link
dialer map protocol address name hostname number Used instead of a dialer string to provide more security in an ISDN network
dialer string Sets the phone number to dial for a BRI interface
disable Takes you from privileged mode back to user mode
disconnect Disconnects a connection to a remote router from the originating router
duplex Sets the duplex of an interface
enable Puts you into privileged mode
enable password Sets the unencrypted enable password
enable password level 1 Sets the user mode password
enable password level 15 Sets the enable mode password
enable secret Sets the encrypted enable secret password. Supersedes the enable password if set
encapsulation Sets the frame type used on an interface
encapsulation frame-relay Changes the encapsulation to Frame Relay on a serial link
encapsulation frame-relay ietf Sets the encapsulation type to the Internet Engineering Task Force (IETF); connects Cisco routers to off-brand routers
encapsulation hdlc Restores the default encapsulation of HDLC on a serial link
encapsulation isl 2 Sets ISL routing for VLAN
encapsulation ppp Changes the encapsulation on a serial link to PPP
erase startup Deletes the startup-config
erase startup-config Deletes the contents of NVRAM on a router
Esc+B Moves back one word
Esc+F Moves forward one word
exec-timeout Sets the timeout in seconds and minutes for the console connection
exit Disconnects a connection to a remote router via Telnet
frame-relay interface-dlci Configures the PVC address on a serial interface or subinterface
frame-relay lmi-type Configures the LMI type on a serial link
frame-relay map protocol address Creates a static mapping for use with a Frame Relay network
Host Specifies a single host address
hostname Sets the name of a router or a switch
int e0.10 Creates a subinterface
int f0/0.1 Creates a subinterface
interface Puts you in interface configuration mode; also used with show commands
interface e0/5 Configures Ethernet interface
interface ethernet 0/1 Configures interface e0/1
interface f0/26 Configures Fast Ethernet interface 26
interface fastethernet 0/0 Puts you in interface configuration mode for a Fast Ethernet port; also used with show commands
interface fastethernet 0/0.1 Creates a subinterface
interface fastethernet 0/26 Configures interface f0/26
interface s0.16 multipoint Creates a multipoint subinterface on a serial link that can be used with Frame Relay networks
interface s0.16 point-to-point Creates a point-to-point subinterface on a serial link that can be used with Frame Relay
interface serial 5 Puts you in configuration mode for interface serial 5 and can be used for show commands
ip access-group Applies an IP access list to an interface
ip address Sets an IP address on an interface or a switch
ip classless A global configuration command used to tell a router to forward packets to a default route when the destination network is not in the routing table
ip default-gateway Sets the default gateway of the switch
ip domain-lookup Turns on DNS lookup (which is on by default)
ip domain-name Appends a domain name to a DNS lookup
ip host Creates a host table on a router
ip name-server Sets the IP address of up to six DNS servers
IP route Creates static and default routes on a router
ipx access-group Applies an IPX access list to an interface
ipx input-sap-filter Applies an inbound IPX SAP filter to an interface
ipx network Assigns an IPX network number to an interface
ipx output-sap-filter Applies an outbound IPX SAP filter to an interface
ipx ping A Packet Internet Groper used to test IPX packet on an internetwork
ipx routing Turns on IPX routing
isdn spid1 Sets the number that identifies the first DS0 to the ISDN switch
isdn spid2 Sets the number that identifies the second DS0 to the ISDN switch
isdn switch-type Sets the type of ISDN switch that the router will communicate with; can be set at interface level or global configuration mode
K Used at the startup of the 1900 switch and puts the switch into CLI mode
line Puts you in configuration mode to change or set your user mode passwords
line aux Puts you in the auxiliary interface configuration mode
line console 0 Puts you in console configuration mode
line vty Puts you in VTY (Telnet) interface configuration mode
logging synchronous Stops console messages from overwriting your command-line input
logout Logs you out of your console session
mac-address-table permanent Makes a permanent MAC address entry in the filter database
mac-address-table restricted static Sets a restricted address in the MAC filter database to allow only the configured interfaces to communicate with the restricted address
media-type Sets the hardware media type on an interface
network Tells the routing protocol what network to advertise
no cdp enable Turns off CDP on an individual interface
no cdp run Turns off CDP completely on a router
no inverse-arp Turns off the dynamic IARP used with Frame Relay; static mappings must be configured
no ip domain-lookup Turns off DNS lookup
no ip host Removes a hostname from a host table
No IP route Removes a static or default route
no shutdown Turns on an interface
o/r 0x2142 Changes a 2501 to boot without using the contents of NVRAM
ping Tests IP connectivity to a remote device
port secure max-mac-count Allows only the configured amount of devices to attach and work on an interface
ppp authentication chap Tells PPP to use CHAP authentication
ppp authentication pap Tells PPP to use PAP authentication
router igrp as Turns on IP IGRP routing on a router
router rip Puts you in router rip configuration mode
secondary Adds a second IPX network on the same physical interface
Service password-encryption Encrypts the user mode and enable password
show access-list Shows all the access lists configured on the router
show access-list 110 Shows only access list 110
show cdp Displays the CDP timer and holdtime frequencies
show cdp entry * Same as show cdp neighbor detail, but does not work on a 1900 switch
show cdp interface Shows the individual interfaces enabled with CDP
show cdp neighbor Shows the directly connected neighbors and the details about them
show cdp neighbor detail Shows the IP address and IOS version and type, and includes all of the information from the show cdp neighbor command
show cdp traffic Shows the CDP packets sent and received on a device and any errors
Show controllers s 0 Shows the DTE or DCE status of an interface
show dialer Shows the number of times the dialer string has been reached, the idle-timeout values of each B channel, the length of call, and the name of the router to which the interface is connected
show flash Shows the files in flash memory
show frame-relay lmi Shows the LMI type on a serial interface
show frame-relay map Shows the static and dynamic Network layer-to-PVC mappings
show frame-relay pvc Shows the configured PVCs and DLCI numbers configured on a router
show history Shows you the last 10 commands entered by default
show hosts Shows the contents of the host table
show int f0/26 Shows the statistics of f0/26
show inter e0/1 Shows the statistics of interface e0/1
show interface s0 Shows the statistics of interface serial 0
show ip Shows the IP configuration of the switch
show ip access-list Shows only the IP access lists
show ip interface Shows which interfaces have IP access lists applied
show ip protocols Shows the routing protocols and timers associated with each routing protocol configured on a router
show ip route Displays the IP routing table
show ipx access-list Shows the IPX access lists configured on a router
show ipx interface Shows the RIP and SAP information being sent and received on an individual interface; also shows the IPX address of the interface
show ipx route Shows the IPX routing table
show ipx servers Shows the SAP table on a Cisco router
show ipx traffic Shows the RIP and SAP information sent and received on a Cisco router
show isdn active Shows the number called and whether a call is in progress
show isdn status Shows if your SPIDs are valid and if you are connected and communicating with the provider's switch
show mac-address-table Shows the filter table created dynamically by the switch
show protocols Shows the routed protocols and network addresses configured on each interface
show run Short for show running-config; shows the configuration currently running on the router
show sessions Shows your connections via Telnet to remote devices
show snmp Gives you the router's serial number as the "chassis" output
show start Short for show startup-config; shows the backup configuration stored in NVRAM
show terminal Shows you your configured history size
show trunk A Shows the trunking status of port 26
show trunk B Shows the trunking status of port 27
show version Gives the IOS information of the switch, as well as the uptime and base Ethernet address
show vlan Shows all configured VLANs App.
show vlan-membership Shows all port VLAN assignments
show vtp Shows the VTP configuration of a switch
shutdown Puts an interface in administratively down mode
Tab Finishes typing a command for you
telnet Connects, views, and runs programs on a remote device
terminal history size Changes your history size from the default of 10 up to 256
trace Tests a connection to a remote device and shows the path it took through the internetwork to find the remote device
traffic-share balanced Tells the IGRP routing protocol to share links inversely proportional to the metrics
traffic-share min Tells the IGRP routing process to use routes that have only minimum costs
trunk auto Sets the port to auto trunking mode
trunk on Sets a port to permanent trunking mode
username name password password Creates usernames and passwords for authentication on a Cisco router
variance Controls the load balancing between the best metric and the worst acceptable metric
vlan 2 name Sales Creates a VLAN 2 named Sales
vlan-membership static 2 Assigns a static VLAN to a port
vtp client Sets the switch to be a VTP client
vtp domain Sets the domain name for the VTP configuration
vtp password Sets a password on the VTP domain
vtp pruning enable Makes the switch a pruning switch
vtp server Sets the switch to be a VTP server
show feedback form
close
by flw edited by aryoba
last modified: 2007-12-05 09:25:13 | | | Here's a few links to help you finally crack that puzzle which has plagued you since you started to learn networking:
Cisco's slant on subnetting
Learn subnetting in 5 steps
Learn to Subnet
dpocoroba's contribution to the subnetting debate.
If any of the links are dead, please do not hesitate to alert the FAQ Editors by clicking feedback at the bottom of the FAQ.
Notify the FAQ Editors if you have more sources of subnetting material/tutorials and would like to add them to this FAQ.
FAQ originated from this thread on dpocoroba's suggestion.
Introduction
You may wonder what subnetting is and its purpose. A loose understanding is the following. Subnetting is a process of partitioning a network into smaller (sub) independent network. The smaller network is called subnet.
Subnetting relates to a good network design. One aspect of a good network design is to optimize the IP addresses that you have. Don't let IP addresses unused or go wasted. This is true especially when you have to pay to have those IP addresses, or you have limited IP address range to work with.
The example of pay IP addresses is Public IP addresses that you retrieved from your ISP. You have to pay certain amount to have static IP addresses dedicated to you from your ISP. When you ask more IP from them, you have to pay more.
Binary Number System (2-based Number System)
The most difficult part of understanding subnetting is probably the math (the calculation). As you can see from the links above, subnetting involves binary numbers. Yes, you are required to understand at least the basic of binary number system in order to understand subnetting process.
Binary number system is used by any computers based on their nature of "on" and "off" state. Unfortunately we humans are used to decimal number system, hence create a gap. This gap leads to some kind of confusion to those who are just learning networking and subnetting.
But no worries! There is an easier way to understand subnetting with less theory and more practical approach. The key is to keep using decimal number system with binary number system in mind.
Before we begin, you need to refresh your math on power. Following is an illustration.
2^0 = 1
2^1 = 2
2^2 = 2 x 2 = 4
2^3 = 2 x 2 x 2 = 8
2^4 = 2 x 2 x 2 x 2 = 16
2^5 = 32
2^6 = 64
2^7 = 128
2^8 = 256
Binary system number is based on power of two (2^n). On the following table, note that the next bigger number is always double the size of the current number.
1 x 2 = 2
2 x 2 = 4
4 x 2 = 8
8 x 2 = 16
16 x 2 = 32
32 x 2 = 64
64 x 2 = 128
128 x 2 = 256
In terms of subnetting,
1 = /32 = 255.255.255.255
2 = /31 = 255.255.255.254
4 = /30 = 255.255.255.252
8 = /29 = 255.255.255.248
16 = /28 = 255.255.255.240
32 = /27 = 255.255.255.224
64 = /26 = 255.255.255.192
128 = /25 = 255.255.255.128
256 = /24 = 255.255.255.0
In terms of IP address quantity
/32: 2^0 = 1 = 1 IP address within the subnet
/31: 2^1 = 2 of /32 = 2 x 1 = 2 = 2 IP addresses within the subnet
/30: 2^2 = 2 of /31 = 2 x 2 = 4 = 4 IP addresses within the subnet
/29: 2^3 = 2 of /30 = 2 x 4 = 8 = 8 IP addresses within the subnet
/28: 2^4 = 2 of /29 = 2 x 8 = 16 = 16 IP addresses within the subnet
/27: 2^5 = 2 of /28 = 2 x 16 = 32 = 32 IP addresses within the subnet
/26: 2^6 = 2 of /27 = 2 x 32 = 64 = 64 IP addresses within the subnet
/25: 2^7 = 2 of /26 = 2 x 64 = 128 = 128 IP addresses within the subnet
/24: 2^8 = 2 of /25 = 2 x 128 = 256 = 256 IP addresses within the subnet
Side Note:
Some people refer the xxx.xxx.xxx.xxx notation as octet (8-based number system). There are four octets in the notation. To separate the octets, there are dots between them. I call them 4-tuple octet.
For /24 to /32 subnets, the 1st three octets remain the same. The only octet that changes is the 4th octet (the last octet).
Subnet Mask
Subnetting always relates to something called Subnet Mask. Subnet Mask is the way an IP address represent which subnet it is under.
To show you how a subnet mask looks like, let's review the previous table.
1 = /32 = 255.255.255.255
2 = /31 = 255.255.255.254
4 = /30 = 255.255.255.252
8 = /29 = 255.255.255.248
16 = /28 = 255.255.255.240
32 = /27 = 255.255.255.224
64 = /26 = 255.255.255.192
128 = /25 = 255.255.255.128
256 = /24 = 255.255.255.0
As mentioned, there are octets separated by dots that I called 4-tuple octet. This 4-tuple octet is commonly known as Subnet Mask.
Another format of displaying subnet mask is by using CIDR (Classless Inter-Domain Routing) format. Where the 4-tuple octet format is shown on the above table rightmost column, the CIDR format is shown on the above table leftmost column. To clarify, check out following table.
IP Address Quantity Within Subnet CIDR format subnet mask 4-tuple octet format subnet mask
1 /32 255.255.255.255
2 /31 255.255.255.254
4 /30 255.255.255.252
8 /29 255.255.255.248
16 /28 255.255.255.240
32 /27 255.255.255.224
64 /26 255.255.255.192
128 /25 255.255.255.128
256 /24 255.255.255.0
Later you will find out that CIDR format is based on the subnet mask binary format where the number behind the / represents how many bits are set to 1 (one) contiguously from the left. You will also learn this relationship between subnet mask and IP address quantity within the subnet from the subnet mask binary format.
Following is illustration of how a subnet mask determine how an IP address fits into a subnet.
Example #1
IP Address: 192.168.0.4
Subnet Mask: /31 (255.255.255.254)
From the table above, /31 informs that there is a network that consists of two IP addresses; 192.168.0.4 and 192.168.0.5. The 192.168.0.4/31 is the 1st IP address of the network.
Example #2
IP Address: 192.168.0.4
Subnet Mask: /30 (255.255.255.252)
Refer to the table, /30 shows that there is a network that consists of four IP addresses; 192.168.0.4 to 192.168.0.7. The 192.168.0.4/30 is the 1st IP address of the network.
Example #3
IP Address: 192.168.0.4
Subnet Mask: /29 (255.255.255.248)
Using the above table, /29 reflects that there is a network that consists of eight IP addresses; 192.168.0.0 to 192.168.0.7. The 192.168.0.4/29 is the 5th IP address of the network.
Example #4
IP Address: 192.168.0.4
Subnet Mask: /32 (255.255.255.255)
Based on the above table, /32 points that there is a network that consists of a single IP address; 192.168.0.4. The 192.168.0.4/32 is the 1st and the last (the only) IP address of the network.
Number of IP Address Within A Subnet
Let's review the table of number of IP address within a subnet above. Let's say you have the following
* 192.168.0.0/32
IP Address: 192.168.0.0
Subnet Mask: /32 (255.255.255.255)
Number of IP address within the subnet: 1
Number of IP address available for host: 1
IP Address range: 192.168.0.0
* 192.168.0.0/31
IP Address: 192.168.0.0
Subnet Mask: /31 (255.255.255.254)
Number of IP address within the subnet: 2
Number of IP address available for host: 2
IP Address range: 192.168.0.0, 192.168.0.1
* 192.168.0.0/29
IP Address: 192.168.0.0
Subnet Mask: /29 (255.255.255.248)
Number of IP address within the subnet: 8
Number of IP address available for host: 8
IP Address range: 192.168.0.0, 192.168.0.1, ..., 192.168.0.6, 192.168.0.7
The Size Doubling and Subnetting
Referring to the previous examples, you may wonder how to create such table that shows specific IP address belongs to specific order number of a network or to determine the IP address range available for host by just looking at the subnet mask. Following is the break down.
To describe, let's start with 192.168.0.0/24 network. Referring to the above host IP address availability table, note that 192.168.0.0/24 network consists of 256 IP addresses; from 192.168.0.0, 192.168.0.1, 192.168.0.2, ...., 192.168.0.254, to 192.168.0.255.
/24
+---------------------------------------------------------------------------------- ------- ------------+
| |
+---------------------------------------------------------------------------------- ------- ------------+
A A
| |
1st IP address (192.168.0.0/24) Last IP address ( 192.168.0.255/24)
When you break up a /24 network into two equal sub-networks, note that you have two /25 networks. In other words, a /24 network is double the size of /25 network.
Since the /24 network is 192.168.0.0/24, then the two /25 networks off the /24 network are 192.168.0.0/25 (1st half) and 192.168.0.128/25 (2nd half). The 1st half, 192.168.0.0/25 network, consists of 128 IP addresses; from 192.168.0.0, 192.168.0.1, ...., to 192.168.0.127. The 2nd half, 192.168.0.128/28, consists of also 128 IP addresses; from 192.168.0.128, 192.168.0.129, ...., to 192.168.0.255.
/24
+---------------------------------------------------+ +----------------------------------- --------------+
| | | |
+---------------------------------------------------+ +----------------------------------- --------------+
1st half (1st /25) 2nd half (2nd /25)
A A A A
| | | |
1st IP address (192.168.0.0/25) | | Last IP address ( 192.168.0.255/24)
| |
Last IP address (192.168.0.127/25) 1st IP address (192.168.0.128/25)
Similarly, breaks up a /25 network into two equal-size networks gives you two /26 networks. In other words, a /25 network is double the size of /26 network.
From a /24 network perspective, you have four /26 networks when you break up a /24 network into four equal-size networks. Each of the four /26 networks consists of 64 IP addresses. Since the /24 network is 192.168.0.0/24, then the four /26 networks off the /24 network are 192.168.0.0/26 (1st quarter), 192.168.0.64/25 (2nd quarter), 192.168.0.128/26 (3rd quarter), and 192.168.0.192/26 (last quarter). Following is the illustration.
/24
+-----------------------+ +--------------------------+ +----------------------+ +--------- ---------------+
| | | | | | | |
+-----------------------+ +--------------------------+ +----------------------+ +--------- ---------------+
1st /26 2nd /26 3rd /26 4 th /26
A A A A A A A A
| | | | | | | |
1st IP address | | Last IP address | Last IP address | Last IP address
(192.168.0.0/26) | | (192.168.0.127/26) | (192.168.0.191/26) | ( 192.168.0.255/26)
| | | |
Last IP address 1st IP address 1st IP address 1st IP add ress
(192.168.0.63/26) (192.168.0.64/26) (192.168.0.128/26) (192.168.0 .192/26)
The same logic continues where /26 network is double the size of /27 network (or /27 network is half size of /26 network) and /31 network is double the size of /32 network (or /32 network is half size of /31 network).
To sum up the understanding, following shows how larger subnet size correlates to smaller subnet size.
/24 = 2 x /25 = 4 x /26 = 8 x /27 = 16 x /28 = 32 x /29 = 64 x /30 = 128 x /31 = 256 x /32
How did this size doubling or size halving concept come form? Let's review the previous table to find the answer.
/32: 2^0 = 1 = 1 IP address within the subnet
/31: 2^1 = 2 of /32 = 2 x 1 = 2 = 2 IP addresses within the subnet
/30: 2^2 = 2 of /31 = 2 x 2 = 4 = 4 IP addresses within the subnet
/29: 2^3 = 2 of /30 = 2 x 4 = 8 = 8 IP addresses within the subnet
/28: 2^4 = 2 of /29 = 2 x 8 = 16 = 16 IP addresses within the subnet
/27: 2^5 = 2 of /28 = 2 x 16 = 32 = 32 IP addresses within the subnet
/26: 2^6 = 2 of /27 = 2 x 32 = 64 = 64 IP addresses within the subnet
/25: 2^7 = 2 of /26 = 2 x 64 = 128 = 128 IP addresses within the subnet
/24: 2^8 = 2 of /25 = 2 x 128 = 256 = 256 IP addresses within the subnet
Note that the concept of size doubling or size halving is based on the binary system where you can only double the network size or break up the subnet into two equal size of smaller networks as shown on previous table.
Using the same logic as presented, let's recap. Subnetting /24 network into
* 2 equal network size makes 2 of /25 networks
* 4 equal network size makes 4 of /26 networks
* 8 equal network size makes 8 of /27 networks
* 256 equal network size makes 256 of /32 networks
When the /24 network is 192.168.0.0/24, then following are how the smaller subnets look like.
The 4 /26 networks:
1. 192.168.0.0/26
IP Address: 192.168.0.0
Subnet Mask: /26 (255.255.255.192)
Number of IP address within the subnet: 64
Number of IP address available for host: 64
IP Address range: 192.168.0.0, 192.168.0.1, ...., to 192.168.0.63
2. 192.168.0.64/26
IP Address: 192.168.0.64
Subnet Mask: /26 (255.255.255.192)
Number of IP address within the subnet: 64
Number of IP address available for host: 64
IP Address range: 192.168.0.64, 192.168.0.65, ...., to 192.168.0.127
3. 192.168.0.128/26
IP Address: 192.168.0.128
Subnet Mask: /26 (255.255.255.192)
Number of IP address within the subnet: 64
Number of IP address available for host: 64
IP Address range: 192.168.0.128, 192.168.0.129, ...., to 192.168.0.191
4. 192.168.0.192/26
IP Address: 192.168.0.192
Subnet Mask: /26 (255.255.255.192)
Number of IP address within the subnet: 64
Number of IP address available for host: 64
IP Address range: 192.168.0.192, 192.168.0.193, ...., to 192.168.0.255
The 32 /29 networks
192.168.0.0 /29 = 192.168.0.0 - 192.168.0.7
192.168.0.8 /29 = 192.168.0.8 - 192.168.0.15
192.168.0.16 /29 = 192.168.0.16 - 192.168.0.23
.
.
.
192.168.0.240/29 = 192.168.0.240 - 192.168.0.247
192.168.0.248/29 = 192.168.0.248 - 192.168.0.255
If let's say you only need nine subnets off 192.168.0.0/24, then following are the considerations.
* All subnets are in equal size
* Subnet quantity are only in two-power form which are 2 (as of 2 x /25), 4 (as of 4 x /26), 8 (as of 8 x /27), 16 (as of 16 x /28), and so on
* Nine is higher than 8 and is lower than 16
* To accommodate the nine subnets, then you can consider the 16 of the /28 subnet size
* You could then take the 1st nine subnet out of the 16 subnets available
* The nine subnets you take are 192.168.0.0/28, 192.168.0.16/28, 192.168.0.32/28, 192.168.0.48/28, 192.168.0.64/28, 192.168.0.80/28, 192.168.0.96/28, 192.168.0.112/28, and 192.168.0.128/28
Octet and Subnet Calculating
As you may notice, IP address and subnet mask are presented in form of octet (the xxx.xxx.xxx.xxx). There are four octets on both IP address and subnet mask representation, where dots are used to separate one octet from another.
In math, octet can be seen as "summary" of binary numbers. This is one of key in easy subnet calculation using decimal number system with binary number system in mind.
Another key to such easy subnet calculation is utilizing the octet. Start working from the last octet and work up the one previous octet when necessary. In calculating IP address within /24 subnet or smaller for example, note that only the last octet is changing as mentioned previously. When you calculate subnet larger than /24, you will then consider the 3rd octet (and the rest) as necessary.
Specifically with /25 or smaller subnet, you need to calculate starting from /24. In other word, you should see the /25 or smaller subnet as part of larger /24 network. Any /25 or smaller subnet calculation must refer to the larger /24 network, or in other word, must refer to the last octet.
Here is illustration. Let's say you are given 192.168.0.67/28 network. You need to determine the following
* range of IP addresses within the subnet
* order number of 192.168.0.67 IP address within the subnet
You start by seeing 192.168.0.67/28 as part of larger 192.168.0.0/24 network. In other words, you have to start calculating from 192.168.0.0 IP address (the 1st IP address) to create a list of smaller /28 networks off a larger /24 network.
Referring to the previous table, /28 = 2^4 = 16 IP addresses. Therefore the 1st /28 should be the following
192.168.0.0 - 192.168.0.15
The remaining /28 network should be the following
192.168.0.16 - 192.168.0.31
192.168.0.32 - 192.168.0.47
192.168.0.48 - 192.168.0.63
192.168.0.64 - 192.168.0.79
192.168.0.80 - 192.168.0.95
192.168.0.96 - 192.168.0.111
192.168.0.112 - 192.168.0.127
192.168.0.128 - 192.168.0.143
192.168.0.144 - 192.168.0.159
192.168.0.160 - 192.168.0.175
192.168.0.176 - 192.168.0.191
192.168.0.192 - 192.168.0.207
192.168.0.208 - 192.168.0.223
192.168.0.224 - 192.168.0.239
192.168.0.240 - 192.168.0.255
which makes up the entire 192.168.0.0/24 network.
By referring to the 1st IP address of each /28 subnet, you present those subnets as follow
192.168.0.0 - 192.168.0.15 = 192.168.0.0/28
192.168.0.16 - 192.168.0.31 = 192.168.0.16/28
192.168.0.32 - 192.168.0.47 = 192.168.0.32/28
192.168.0.48 - 192.168.0.63 = 192.168.0.48/28
192.168.0.64 - 192.168.0.79 = 192.168.0.64/28
192.168
|
|
