Private IP Addresses


Another aspect of TCP/IP routing has to do with private networks. You can use private IP addresses within a network if the network doesn’t need to be reached by outside machines. IANA (Internet Assigned Numbers Authority) allocates three blocks of IP addresses for private network use, as shown in Table 7.6.

Table 7.6: IANA-Assigned Private Networks

Network        Mask             Block
10.0.0.0       255.0.0.0        1 Class A network
172.16.0.0     255.240.0.0      16 Class B networks
192.168.0.0    255.255.0.0      256 Class C networks

Corporate networks that don’t connect to the global Internet can use these addresses. However, if you use these addresses within a network that also contains a globally unique IP address, you must filter the addresses with access lists to avoid advertising them to the Internet. Many companies use private IP address space, and it’s imperative that these routes not be announced to the Internet. Although ISPs do not allow private networks to be advertised by their routers, it’s good practice to make sure that your enterprise or campus routers do not advertise private networks to the ISP.
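One way to enforce that filtering on a Cisco IOS router, as an added example that is not part of the original text: a standard access list denies the three private blocks and is applied outbound to the ISP BGP neighbor. The AS numbers (65001, 65000) and the peer address 203.0.113.1 are constructed for illustration.

```ios
! Added example, not from the book. Assumed values: local AS 65001,
! ISP peer 203.0.113.1 in AS 65000.
!
! Standard ACL: deny the three RFC 1918 blocks (wildcard masks),
! then permit everything else so public routes still flow.
access-list 10 deny 10.0.0.0 0.255.255.255
access-list 10 deny 172.16.0.0 0.15.255.255
access-list 10 deny 192.168.0.0 0.0.255.255
access-list 10 permit any
!
router bgp 65001
 neighbor 203.0.113.1 remote-as 65000
 ! Apply the ACL only to updates sent toward the ISP
 neighbor 203.0.113.1 distribute-list 10 out
!
! Alternative using a prefix list, which also matches on prefix length.
! A neighbor accepts either distribute-list or prefix-list in a given
! direction, not both, so use one or the other.
ip prefix-list NO-RFC1918 seq 5 deny 10.0.0.0/8 le 32
ip prefix-list NO-RFC1918 seq 10 deny 172.16.0.0/12 le 32
ip prefix-list NO-RFC1918 seq 15 deny 192.168.0.0/16 le 32
ip prefix-list NO-RFC1918 seq 20 permit 0.0.0.0/0 le 32
!
! router bgp 65001
!  neighbor 203.0.113.1 prefix-list NO-RFC1918 out
```

After applying either filter, show ip bgp neighbors 203.0.113.1 advertised-routes should list no 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 prefixes.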

So if a host machine is assigned a private IP address, it can’t communicate via TCP/IP with the outside world, because private network advertisements aren’t included in Internet routing tables—unless you provide the privately addressed host with a proxy server that has a globally unique address or use a Network Address Translation (NAT) service. All the client’s requests then carry the source IP address of the proxy machine, and the client communicates with the outside world through it.

You should implement private addressing schemes using the same plan you used with global IP addressing schemes—assign contiguous addresses to defined regions so that you can apply summarization. Use VLSM for subnetting to more efficiently utilize allocated networks. Finally, don’t forget to run routing protocols that support classless routing.

Always consider the future of the network when you implement private addresses. Some day, some of those machines on what is currently a private network will likely need access to the Internet. Once a network moves from not needing global connectivity to needing globally unique IP addresses, you’ll have to readdress.

Using private addresses really helps to conserve your allotment of IP addresses. Because every computer on the network probably doesn’t need to access the outside world directly, it’s wise to make good use of those private addresses and save the unique ones for machines that require global connectivity.

IP Unnumbered

When you use the ip unnumbered command, a serial interface is not on a separate network, as all router interfaces tend to be. Instead, the serial port “borrows” an IP address from another interface. In the following router configuration example, interface Serial 0 is using a borrowed IP address from interface Ethernet 0:

interface serial 0
 no ip address
 ip unnumbered ethernet 0

Therefore, by using the ip unnumbered command, you ensure that the apparently discontiguous subnets, shown in Figure 7.20, are actually supported. Understand that both sides of the network must be the same address class. In other words, you can’t borrow an IP address on one side from a 10.0.0.0 network and then from 172.16.0.0 on the other side of the point-to-point link.

Figure 7.20: An ip unnumbered example

Warning

There are a few things to be aware of before using IP unnumbered interfaces. For example, IP unnumbered is not supported on X.25 or SMDS networks (yeah, so what?). Also, since the serial interface has no IP number, you cannot ping the interface to see if it is up, although you can determine the interface status with SNMP. In addition, IP security options are not supported on an IP unnumbered interface.

Figure 7.20 shows an example of using the ip unnumbered command on two Cisco routers running a point-to-point T1.

The two routers, 2501A and 2501B, are connected point-to-point, and each has an Ethernet LAN connection.

2501A has the following configuration:

2501A#sh run
[output cut]
interface Ethernet0
 ip address 172.16.10.1 255.255.255.0
interface serial0
 ip address 10.1.1.1 255.255.255.0

2501B has the following configuration:

2501B#sh run
[output cut]
interface Ethernet0
 ip address 172.16.30.1 255.255.255.0
interface serial0
 ip address 10.1.1.2 255.255.255.0

You can configure ip unnumbered on the serial interfaces as follows:

2501A#config t
2501A(config)#interface serial0
2501A(config-if)#no ip address
2501A(config-if)#ip unnumbered ethernet0

2501B#config t
2501B(config)#interface serial0
2501B(config-if)#no ip address
2501B(config-if)#ip unnumbered ethernet0

The two routers can now communicate over the serial link without an IP address. You cannot ping the serial interfaces, but by using the show interface command, you can verify that the ip unnumbered command is being used:

2501A#sh int serial0
Serial0 is up, line protocol is up
  Interface is unnumbered. Using address of Ethernet0 (172.16.10.1)

The New /31 Subnet

Another way that Cisco is helping you save subnets is by using the /31 mask.

/31, are you crazy? That means the mask is 255.255.255.254!

I’ve been saying throughout this entire chapter that you must have at a minimum two bits for host bits, and this leaves only one bit. Todd, what are you thinking? Well, throughout this chapter, I meant to say that you must have two bits for hosts “most of the time!”

Cisco has announced a new point-to-point subnet mask called the /31 that is used for the same reason that the ip unnumbered command is used: to save address space. The /31 mask can only be used on non-broadcast links like a point-to-point serial link because there is no broadcast address! However, you can put it on a LAN interface; it just won’t work for a corporate environment. The /31 mask is meant for point-to-point serial links or point-to-point LAN connections between buildings, for example.

First, you must have a special IOS. Here’s the one that I found that worked on my 2600 routers:

2600#sh flash
System flash directory:
File  Length   Name/status
  1   6973004  c2600-bin-mz.122-13.T1.bin
[6973068 bytes used, 891252 available, 7864320 total]
8192K bytes of processor board System flash (Read/Write)

Once you have an IOS that supports the /31 network mask, then you can configure your point-to-point links as follows:

2600#config t
Enter configuration commands, one per line.  End with CNTL/Z.
2600(config)#int f0/0
2600(config-if)#ip address 10.1.1.0 255.255.255.254
% Warning: use /31 mask on non point-to-point interface cautiously
2600(config-if)#int f0/1
2600(config-if)#ip address 192.168.10.2 255.255.255.254
% Warning: use /31 mask on non point-to-point interface cautiously
2600(config-if)#int s0/0
2600(config-if)#ip address 172.16.100.4 255.255.255.254
2600(config-if)#^Z
2600#

The preceding example created three point-to-point subnets on two FastEthernet LAN connections and one serial connection. Notice the warning received when using the /31 on a LAN interface. Unless that is a point-to-point link, it just really isn’t going to work.

In addition, the preceding example used three subnets: 0, 2, and 4. The class of address doesn’t matter, but one of each class of IP address was created just for fun. The valid hosts are 0 and 1, 2 and 3, and 4 and 5.

In the following output, the subnets are shown as 0, 2, and 4, but understand that these subnet numbers are valid host addresses also:

2600#sh ip route
[output cut]
     10.0.0.0/31 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, FastEthernet0/0
     192.168.10.0/31 is subnetted, 1 subnets
C       192.168.10.2 is directly connected, FastEthernet0/1
     172.16.0.0/31 is subnetted, 1 subnets
C       172.16.100.4 is directly connected, Serial0/0
2600#

Notice in the router’s output that there is no broadcast address for each subnet, only two host addresses.

IP Helper-Address

The ip helper-address command is a static command that is configured on a router interface to direct broadcasts to desired destinations within your internetwork. Configuring the ip helper-address command is simple and straightforward. You just have to be aware of which interface the broadcasts are being received on and where you want to forward these broadcasts to.

For example, in Figure 7.21, the 2501A router Ethernet0 interface receives a Dynamic Host Configuration Protocol (DHCP) client request from HostA, which is a broadcast looking for a DHCP server.

Figure 7.21: An ip helper-address single server example

The 2501A router needs to be configured as follows:

2501A#config t
2501A(config)#interface ethernet0
2501A(config-if)#ip helper-address 172.16.30.2

The 2501A router now receives the DHCP client broadcast and forwards this broadcast to the DHCP server, which then provides a DHCP address to the client.

If you have more than one DHCP server for redundancy purposes, as shown in Figure 7.22, you can configure a subnet broadcast address instead of a single server address.

Figure 7.22: An ip helper-address multiple server example

The 2501A router would be configured as follows:

2501A#config t
2501A(config)#interface ethernet0
2501A(config-if)#ip helper-address 172.16.30.255

The 2501A router now takes a DHCP client broadcast and sends it to any DHCP server on the 172.16.30.0 network.

Remember that when you enable the ip helper-address command, you are forwarding more than just DHCP requests. Let’s discuss all the ports that are being forwarded.

Forwarded Ports

When you enable the ip helper-address command on an interface, you are not just forwarding broadcasts from DHCP clients. The ip helper-address command forwards all of these UDP protocols:

  • TFTP 69

  • DNS 53

  • Time 37

  • NetBIOS name server 137

  • NetBIOS Datagram service 138

  • BootP server 67

  • BootP client 68

  • TACACS 49

This can cause your network to forward broadcasts you do not want forwarded, or it can cause a security problem, or both. Typically, it is important to stop ports 137 and 138 from being forwarded because these are Microsoft NT broadcasts that do not need to be forwarded. However, if you just need to forward DHCP client broadcasts, you can stop all ports from being forwarded except BootP server 67.

To stop the forwarding of unneeded UDP broadcasts, use the following commands from global configuration mode:

router(config)#no ip forward-protocol udp 69
router(config)#no ip forward-protocol udp 53
router(config)#no ip forward-protocol udp 37
router(config)#no ip forward-protocol udp 137
router(config)#no ip forward-protocol udp 138
router(config)#no ip forward-protocol udp 68
router(config)#no ip forward-protocol udp 49

This configuration now allows only a broadcast for a BootP server, port 67, to be forwarded.


CCDA: Cisco Certified Design Associate Study Guide, 2nd Edition (640-861)
ISBN: 0782142001
Year: 2002
Pages: 201