11.24 Multi-homing Options

BGP calculates the best path toward a destination. With multiple ISPs in a multi-homed architecture, you can use each ISP's relationship to different networks on the internet to your advantage when load-sharing traffic. There are three options for receiving routes from the ISP. Default Route only - in this scenario, you receive a default 0.0.0.0/0 …

11.23 Multi-homed Internet Connectivity

Multi-homed connectivity represents the most redundant of all configurations when connecting an organization to the internet. It involves multiple CE routers connecting to multiple ISPs. This requires the use of PI (provider-independent) IP addresses. The CE routers advertise the same address space to all ISPs. Routes are exchanged with the ISP: the customer learns routes …

11.22 Configuring Best Path for Dual-Homed Internet Connectivity

There are multiple ways to route outbound traffic: static routes, dynamic routing protocols (EIGRP, OSPF, BGP), or FHRP (HSRP, GLBP, VRRP). The connectivity between the customer (CE) and ISP (PE) routers will use either static routes or BGP. To load-balance or load-share, you must use BGP when connecting to the ISP. If a primary/standby configuration is sufficient, you may also …

11.20 Drawbacks of a Single-Homed Internet Connectivity

A single-homed internet connection is prone to failure and should not be used for mission-critical applications. For this reason, it is usually not sufficient for an organization. There are three main causes of outage associated with this lack of redundancy. Link failure - cable failure or construction crew severing a cable path; Device/Gateway failure - …

11.19 Securing IPv6 Internet Connectivity

Things to remember with regard to IPv6 security at the edge: NAT doesn't exist with IPv6. ACLs are similar, with two exceptions: they are prepended with the keyword ipv6 and are applied to an interface via the traffic-filter command. They can be applied in or out, as with IPv4 access lists. Use a stateful firewall, security appliance, or …

11.18 Basic IPv6 Internet Connectivity

To configure an IPv6 address and default route: ACLs for IPv6: First, the rules for implicit deny are different from those for IPv4. The implicit rule for IPv6 includes provisions that allow neighbor-discovery advertisement and solicitation messages through the ACL to ensure Path MTU-related discovery can complete properly, as it is different than …

11.17 Obtaining Provider-Assigned IPv6 Addresses

Note the following IPv6 address assignment methods and their descriptions: Manual Assignment - this is where the administrator assigns the addresses in a manual configuration process, which is prone to errors. The other methods are used to limit this risk of misconfiguration. SLAAC (Stateless Address Auto-Configuration) - a method of automated assignment where the client …

11.16 Configuring NAT Virtual Interface

Consider this topology: We'll use dynamic NAT for the PC network and static NAT for the server. Configure the dynamic NAT ACL: Now create a NAT pool for translation using the IP range of 209.165.201.5/27 to 209.165.201.10/27. Note the use of the prefix-length command instead of the netmask command, which provides the same result, but …

11.15 NAT Virtual Interface

NAT virtual interface is a feature that overcomes the problem where internal clients are routed outside prior to translation and are unable to access systems that use a DNS entry based on their translated address. The only configuration difference is that ip nat inside and ip nat outside are not configured, and are instead replaced …