White Paper

Cisco IOS Easy IP

Summary

Cisco IOS Easy IP enables transparent and dynamic IP address allocation for hosts in remote environments via DHCP, reduces router configuration tasks via dynamic PPP/IPCP address negotiation, conserves IP addresses via PAT, and minimizes Internet access costs for remote offices.

Cisco IOS Easy IP is a combination of the following functionality:

  • Port Address Translation (PAT), a subset of Network Address Translation (NAT)

  • Dynamic PPP/IPCP WAN interface IP address negotiation

  • Cisco IOS DHCP Server

This paper describes the features and benefits of Cisco IOS Easy IP, provides a technical discussion of how it works, including details on the Cisco IOS DHCP Server, and includes availability, packaging, and platform support information.

Introduction

Exponential growth in the remote access router market has created new challenges for Internet service providers (ISPs) and enterprise customers in remote locations and small office/home office (SOHO) environments. Such customers seek internetworking solutions that will:

  • Minimize Internet access costs for remote offices

  • Minimize configuration requirements on remote access routers

  • Enable transparent and dynamic IP address allocation for hosts in remote environments

  • Improve network security capabilities at each remote site

  • Conserve registered IP addresses

  • Maximize IP address manageability

Remote networks have variable numbers of end systems that need access to the Internet. Hence, ISPs are interested in allocating just one IP address to each remote LAN.

In enterprise networks where telecommuter populations are growing extremely fast, network administrators need solutions that ease configuration and management of remote routers and provide conservation and dynamic allocation of IP addresses within their networks. Such solutions are especially important when network administrators implement large dialup user pools where ISDN plays a major role.

As part of Cisco IOS software, the premier platform that delivers network services and enables networked applications, Cisco IOS Easy IP is a scalability/connectivity service that provides solutions for each of these challenges. It provides cost savings, scalability, conservation of registered IP addresses, and eases router deployment by nontechnical users.

Cisco IOS Easy IP - Overview

With Cisco IOS Easy IP, router configuration tasks are minimized: simply plug in the router, configure the dialup number for a central access server, and connect the LAN devices to the router. With Cisco IOS Easy IP, a Cisco router automatically assigns local IP addresses to SOHO hosts via the Dynamic Host Configuration Protocol (DHCP) with the Cisco IOS DHCP Server, automatically negotiates its own registered IP address from a central server via the Point-to-Point Protocol/IP Control Protocol (PPP/IPCP), and uses Port Address Translation (PAT) functionality to enable all SOHO hosts to access the global Internet using a single registered IP address. Because Cisco IOS Easy IP utilizes existing port-level multiplexed Network Address Translation (NAT) functionality within Cisco IOS software, IP addresses on the remote LAN are invisible to the Internet, making the remote LAN more secure.

Cisco IOS Easy IP does the following:

  • Dramatically lowers Internet access costs for remote networks

  • Eases IP address management

  • Simplifies remote access to the Internet

  • Improves remote network security

Cisco IOS Easy IP enables true mobility; client IP addresses are transparently configured via the Cisco IOS DHCP Server each time they power up on the network.

Cisco IOS Easy IP enables ISPs to allocate a single registered IP address to each remote LAN such that any host on the LAN can access the Internet. It allows ISPs to maximize their customer bases while minimizing the required number of registered IP addresses. This feature simplifies and reduces costs associated with global IP address management tasks for ISPs and their customers. Because only a single registered IP address is required to support all users on an entire remote LAN, customers and ISPs can use their registered IP addresses more efficiently. Cisco IOS Easy IP also reduces management tasks and costs associated with VLSM-based addressing for each remote LAN.




Cisco IOS Easy IP is a Cisco IOS software solution that is compatible with other leading edge Cisco IOS functionality, including generic routing encapsulation (GRE) and Layer 2 Forwarding (L2F). As a result, Cisco IOS Easy IP can easily be installed within existing tunneling infrastructures. Although a Cisco IOS Easy IP router will generally be configured with a default route directing remote SOHO LAN traffic to the WAN interface, it can be used in conjunction with routing protocols such as Routing Information Protocol (RIP), Interior Gateway Routing Protocol (IGRP), and Enhanced IGRP. Cisco IOS Easy IP functionality operates independently of Cisco IOS routing features.

Cisco IOS Easy IP Component Technologies

Combining the following technologies, Cisco IOS Easy IP is a scalable, standards-based, "plug-and-play" solution to each of the challenges previously discussed:

  • DHCP: Defined in RFC 2131, this protocol enables you to dynamically and transparently assign reusable IP addresses to clients. Cisco IOS Easy IP Phase 2 includes the Cisco IOS DHCP Server, an RFC 2131-compliant DHCP server implementation on selected routing platforms.

  • NAT: Initially described in RFC 1631, NAT operates on a router that usually connects two or more networks. In Cisco IOS Easy IP, at least one of these networks (designated as "inside" or LAN) is addressed with addresses that must be converted into a registered address before packets are forwarded onto the other registered network (designated as "outside" or WAN). Cisco IOS software provides the ability to define one-to-one translations (NAT) as well as many-to-one translations (Port Address Translation [PAT]). Within the context of Cisco IOS Easy IP, PAT is used to translate all internal addresses to a single outside registered IP address.

  • PPP/IPCP: Defined in RFC 1332, this protocol enables users to dynamically configure IP addresses over PPP. A Cisco IOS Easy IP router uses PPP/IPCP to dynamically negotiate its own WAN interface address from a central access server or DHCP server.

How Does Cisco IOS Easy IP Work?

Cisco IOS Easy IP contains a full DHCP server implementation that assigns and manages IP addresses from specified address pool(s) within the router to DHCP (SOHO) hosts. The Cisco IOS DHCP Server supports many DHCP options as defined in RFC 2132 -"DHCP Options and BOOTP Vendor Extensions". See the "Cisco IOS DHCP Server" section for additional information.

PPP/IPCP address negotiation functionality in Cisco IOS Easy IP is used to assign an IP address from a central device (PPP/IPCP option 3, "IP Address") to the Easy IP router.

In Figure 1 we assume that all remote hosts (Host A and Host B) are DHCP enabled. The Cisco IOS DHCP Server on the SOHO side assigns IP addresses to the SOHO clients. The DHCP server at the central site assigns an IP address to the Easy IP router's WAN interface.


Figure 1: Cisco IOS Easy IP Topology


The following illustrations demonstrate how Cisco IOS Easy IP works:


Figure 2: Easy IP Operations



Step 1.   Upon powering up on the network, the DHCP-enabled client requests an IP address from a DHCP server. This is accomplished by broadcasting a DHCPDISCOVER message on its local physical subnet.


Figure 3: Easy IP Operation


Step 2.   The Cisco IOS DHCP Server receives the DHCPDISCOVER request from the SOHO host and unicasts a DHCPOFFER message as a response. This message offers an IP address, subnet mask, address lease period, and several other parameters, to the client. (See the "Cisco IOS DHCP Server" section for additional information). The IP address in the DHCPOFFER message is taken from one of potentially several user-configured DHCP address pools. Although IP address lease times are configurable within the Cisco IOS DHCP Server, IP addresses are issued with a default lease period of 24 hours.

Note that the DHCP client will time out and retransmit the DHCPDISCOVER message if the client receives no DHCPOFFER messages.

Next, the client accepts the offer from the Cisco IOS DHCP Server by broadcasting a DHCPREQUEST message on its local physical subnet.[1]

To acknowledge receipt of the DHCPREQUEST and begin the address lease, the Cisco IOS DHCP Server responds with a DHCPACK message. Arrival of the DHCPACK message enables the SOHO client to begin using the assigned address[2] (10.0.0.1/24 in our example). The combination of the client's hardware address and assigned network address constitutes a unique identifier for the client's lease and is used by both the client and server to identify the lease referred to in all DHCP messages. DHCP address lease information is stored on the user's choice of an FTP, TFTP, or RCP server.


Figure 4: Easy IP Operation


Step 3.   When a SOHO host generates "interesting" traffic (as defined by access control lists and dialer lists) that brings the dialup link up, the Easy IP router requests a single registered IP address from the central site's access server via PPP/IPCP. This happens once per call, when the link is established; subsequent traffic uses the link and address already in place.


Figure 5: Easy IP Operation


Step 4.   The central access server issues a single registered IP address to the Easy IP router via PPP/IPCP address negotiation. This address could come from a local pool on the central server, from a DHCP server at the central site (via the "ip helper-address" functionality), or from an authentication server. Next, the Easy IP router binds this address to its WAN (outside) interface.


Figure 6: Easy IP Operation


Step 5.   The Easy IP router uses Port Address Translation (PAT) functionality to automatically create a translation entry that associates the WAN interface's global registered IP address with all inside local client IP addresses.


Figure 7: Easy IP Operation


Step 6.   Using Port Address Translation (PAT), the Easy IP router automatically and dynamically translates all of the remote hosts' local IP addresses to the single registered global WAN IP address. This "port-level multiplexing" uses unique port numbers on a single outside IP address to distinguish between the various translations.

In this fashion, the remote hosts obtain their own unique local IP addresses from the Cisco IOS DHCP Server, while the Easy IP router obtains a single registered WAN interface IP address via PPP/IPCP. The Easy IP router then creates PAT translations between these addresses so that each remote host address (inside local address) will be translated to a single external address assigned to the Easy IP router. Note that PAT functionality conserves global addresses by enabling remote routers to use one global address for many local addresses.
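The six steps above, gathered into one router configuration. This is an added example written for this page, not a configuration from the Cisco paper: the hostname, addresses, dial string, CHAP secret and ISDN switch type are placeholders, and the inbound access list on the WAN interface is a hardening addition the paper does not describe (PAT hides the LAN hosts, but services the router itself listens on remain reachable at the negotiated address unless filtered).

```cisco
! Added example (not from the paper): Easy IP Phase 2 on a SOHO router,
! Cisco IOS 12.0T syntax. Hostname, addresses, dial string, secret and
! switch type are placeholders.
hostname soho1
!
! CHAP secret returned when the central access server (peer hostname
! "central", placeholder) challenges this router during PPP setup.
username central password 0 changeme
!
! Steps 1-2: the Cisco IOS DHCP Server leases 10.0.0.0/24 to SOHO hosts.
! The router's own LAN address is excluded so it is never offered.
ip dhcp excluded-address 10.0.0.1
!
ip dhcp pool SOHO
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
 dns-server 192.0.2.53
 lease 0 8
!
! Inside (LAN) interface: hosts here hold the inside local addresses.
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
! Steps 3-4: the WAN address is negotiated via PPP/IPCP (option 3) each
! time the dialer brings the link up; no static address is configured.
isdn switch-type basic-ni
!
interface BRI0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer string 5551212
 dialer-group 1
 dialer idle-timeout 300
 ip access-group 101 in
!
! Steps 5-6: "overload" selects PAT, so every inside local address is
! translated to the single negotiated address of BRI0, multiplexed by port.
ip nat inside source list 1 interface BRI0 overload
ip route 0.0.0.0 0.0.0.0 BRI0
!
! Hosts eligible for translation, and the "interesting" traffic that dials.
access-list 1 permit 10.0.0.0 0.0.0.255
dialer-list 1 protocol ip permit
!
! Hardening addition (not in the paper): on the outside interface admit
! only replies to sessions the LAN opened. The destination is "any"
! because the negotiated WAN address is not known in advance.
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 deny ip any any log
```

After the first LAN host sends traffic, "show dialer" reports the call and the dial reason, "show ip nat translations" lists each inside local address and port beside the negotiated inside global address, and "show ip dhcp binding" lists the leases the router has handed out.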

Key Benefits

The following are key benefits of Cisco IOS Easy IP:

  • Reduced Internet access costs - Using dynamic IP address negotiation (PPP/IPCP) at each remote site substantially reduces Internet access costs. Static IP addresses are considerably more expensive to purchase than are dynamically allocated IP addresses. Currently, most ISPs charge in the $300 to $500 per month range for Integrated Services Digital Network (ISDN) Internet access with a single static IP address. The same level of service using a single dynamically assigned IP address is available from most ISPs for only about $50 to $100 per month. Using Cisco IOS Easy IP, a small office will benefit from significant savings over typical Internet access service costs associated with a static IP address. In addition, using dynamic IP addresses saves time and money associated with IP address and subnet mask configuration tasks on remote hosts and eliminates the need to configure remote host IP addresses when moving from network to network.

  • Simplified IP address management - Cisco IOS Easy IP enables ISPs to allocate a single registered IP address to each remote LAN. Because only a single registered IP address is required to provide global Internet access to all users on an entire remote LAN, customers and ISPs can use their registered IP addresses more efficiently.

  • Remote LAN privacy - Because Cisco IOS Easy IP utilizes existing port-level multiplexed NAT functionality within Cisco IOS software, IP addresses on the remote LAN are invisible to the Internet, making it inherently more secure. As seen by the external network, the source IP address of all traffic from the remote LAN is the single registered IP address of the Easy IP router's WAN interface. Note that PAT hides the hosts, not the router: services the router itself listens on (Telnet, SNMP, HTTP) remain reachable at the negotiated WAN address unless an inbound access list on the WAN interface restricts them.

  • Reduced router configuration tasks and costs - Because Cisco IOS Easy IP is easy to configure, it minimizes operational overhead and costs associated with router configuration tasks and eases deployment by non-technical users.

  • Reduced DHCP management tasks: With Easy IP Phase 2, hosts in remote offices can obtain IP addresses dynamically directly from the remote office router via the Cisco IOS DHCP Server, eliminating the need to configure and maintain a separate and standalone DHCP server in the remote office.

Cisco IOS Easy IP Timeout Considerations

Dynamic NAT translations time out automatically after a predefined default period. With the port-level NAT functionality in Easy IP, User Datagram Protocol (UDP) translations time out after 5 minutes by default, while Domain Name System (DNS) translations time out after 1 minute. Transmission Control Protocol (TCP) translations time out after 24 hours by default, unless a TCP Reset (RST) or TCP Finish (FIN) is seen in the TCP stream, in which case the translation times out after 1 minute. All of these periods are configurable.

What if the Cisco IOS Easy IP router exceeds the "dialer idle-timeout" period? (This is the number of seconds of idle time that must occur on an interface before the line is automatically disconnected.) If this occurs, it is expected that all active TCP sessions were previously closed via a RST or FIN, so that NAT has timed out all TCP translations before the "dialer idle-timeout" period expires. This is an expectation, not a guarantee: a TCP session that simply went idle keeps its translation for up to 24 hours by default, and if the address negotiated on the next call differs from the previous one, that translation is stale and the session must be re-established. The Cisco IOS Easy IP router renegotiates another (perhaps the same) registered IP address via PPP/IPCP the next time the WAN link needs to be brought up, thus creating new dynamic NAT translations that bind the LAN hosts' IP addresses to the newly negotiated IP address.
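As an added example (not from the paper), the timers behind the paragraph above, with the paper's defaults in the comments beside shorter values that age idle translations out well before the dialer drops the link. The values are illustrative, not recommendations from Cisco.

```cisco
! Added example (not from the paper): NAT translation timers on the
! Easy IP router, with the defaults from the text in the comments.
!
! Overloaded (PAT) UDP entries: default 300 s. DNS entries: default 60 s.
ip nat translation udp-timeout 120
ip nat translation dns-timeout 30
!
! Overloaded TCP entries: default 86400 s (24 hours) while the session is
! open, 60 s once a FIN or RST has been seen. Ageing idle TCP entries out
! after an hour limits how long a translation built on a previous
! negotiated address can linger after the link is dropped and redialed.
ip nat translation tcp-timeout 3600
ip nat translation finrst-timeout 30
!
! The line is dropped after five minutes without interesting traffic; the
! WAN address is renegotiated via IPCP on the next call.
interface BRI0
 dialer idle-timeout 300
```

The check after a redial is "show ip nat translations": every entry's inside global address should match the address "show ip interface brief" now reports for BRI0. Entries that still carry an old address belong to sessions that went idle without a FIN or RST; "clear ip nat translation *" removes them, at the cost of resetting every session that is still active.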

Cisco IOS DHCP Server

Available in Cisco IOS software 12.0(1)T on selected platforms, the Cisco IOS DHCP Server supports both DHCP and BOOTP clients and supports finite and infinite address lease periods. DHCP address binding information is stored on a remote host via RCP, FTP, or TFTP. The Cisco IOS DHCP Server supports the following DHCP options as defined in RFC 2132.


Supported DHCP Options

  • Subnet Mask (option 1): Specifies the client's subnet mask, as per RFC 950.

  • Router (option 3): Specifies a list of IP addresses for routers on the client's subnet, usually listed in order of preference.

  • Domain Name Server (option 6): Specifies a list of DNS name servers available to the client, usually listed in order of preference.

  • Hostname (option 12): Specifies the name of the client. The name may or may not be qualified with the local domain name.

  • Domain Name (option 15): Specifies the domain name the client should use when resolving hostnames via the Domain Name System.

  • NetBIOS over TCP/IP Name Server (option 44): Specifies a list of RFC 1001/1002 NetBIOS name servers, listed in order of preference.

  • NetBIOS over TCP/IP Node Type (option 46): Configures the NetBIOS over TCP/IP node type of clients that support it, as described in RFC 1001/1002. Valid node types are B, P, M, and H.

  • IP Address Lease Time (option 51): Used in a client request (DHCPDISCOVER or DHCPREQUEST) to allow the client to request a lease time for the IP address. In a server reply (DHCPOFFER), the DHCP server uses this option to specify the lease time it is willing to offer.

  • DHCP Message Type (option 53): Conveys the type of the DHCP message. Legal values are 1 DHCPDISCOVER, 2 DHCPOFFER, 3 DHCPREQUEST, 4 DHCPDECLINE, 5 DHCPACK, 6 DHCPNAK, 7 DHCPRELEASE, and 8 DHCPINFORM.

  • Server Identifier (option 54): Identifies the IP address of the selected DHCP server. Used in DHCPOFFER and DHCPREQUEST messages, and may optionally be included in DHCPACK and DHCPNAK messages. DHCP servers include this option in the DHCPOFFER so that the client can distinguish between lease offers. DHCP clients use the contents of the "server identifier" field as the destination address for any DHCP messages unicast to the DHCP server, and indicate which of several lease offers is being accepted by including this option in a DHCPREQUEST message.

  • Renewal (T1) Time (option 58): Specifies the time interval from address assignment until the client transitions to the RENEWING state. At time T1 the client unicasts a DHCPREQUEST message to the server that granted the lease in order to extend it.

  • Rebinding (T2) Time (option 59): Specifies the time interval from address assignment until the client transitions to the REBINDING state. If no DHCPACK arrives in the RENEWING state before time T2, the client moves to the REBINDING state and broadcasts a DHCPREQUEST message to any DHCP server to extend its lease.

The Cisco IOS DHCP Server supports the following address allocation capabilities:

  • "Automatic address allocation": assigns an IP address to a client from a pool for a finite lease period or, with an infinite lease, until the client explicitly relinquishes the address. (In RFC 2131 terms, a finite lease is dynamic allocation and an infinite lease is automatic allocation; the Cisco IOS DHCP Server supports both.) Leased allocation is particularly useful for assigning an address to a client that will be connected to the network only temporarily, or for sharing a limited pool of IP addresses among a group of clients that do not need permanent IP addresses. It may also be a good choice for assigning an IP address to a new client being permanently connected to a network where IP addresses are sufficiently scarce that it is important to reclaim them when old clients are retired.

  • "Manual address allocation": allocates an administratively assigned IP address to a host. Manual allocation allows DHCP to be used to eliminate the error-prone process of manually configuring hosts with IP addresses.

Easy Configuration

Configuration of the Cisco IOS DHCP Server is simple and requires only a few steps:

a) Define the DHCP database agent, an external FTP, TFTP, or RCP host that stores the DHCP bindings database. Bindings are held in the router's RAM, so without a database agent they do not survive a reload. Several DHCP database agents may be defined.

b) Define and assign names to the DHCP address pool(s) from which IP addresses are allocated to clients. This includes defining the range of addresses in the pools, subnet masks, and address exclusions.[3]

c) On a per-address pool basis, specify DHCP options for clients where necessary, including:

  • default boot image name

  • default router(s)

  • default DNS server(s)

  • DNS domain name

  • IP address lease period (days, hours, minutes)

  • NetBIOS name server

  • NetBIOS node type (b, p, m, or h)

d) Configure any required DHCP forwarding ("ip helper-address") functionality.

Intelligent DHCP Relay and Secondary Address Pools

With the introduction of Easy IP Phase 2, Cisco IOS software also supports Intelligent DHCP Relay functionality. Generally speaking, a DHCP Relay Agent is any host that forwards DHCP packets between clients and servers. A DHCP relay agent enables the client and server to reside on separate subnets. If the Cisco IOS DHCP Server cannot satisfy a DHCP request from its own database, it can forward the DHCP request to one or more secondary DHCP servers defined by the network administrator via standard Cisco IOS "ip helper-address" functionality.

If the DHCP relay agent sees several retransmissions of a client's DHCP request, it assumes that the DHCP server is not responding because the address pool it selected is exhausted. A DHCP server selects the pool whose subnet contains the giaddr field (the relay agent IP address, as described in RFC 2131), so the Intelligent DHCP Relay changes giaddr to another (secondary) address of the receiving interface when it sees the retransmissions, forcing the downstream DHCP server to attempt allocation from a different pool.[4] This makes it possible for the client to boot with an IP address from a secondary address pool if the primary pool is depleted. Regular, "non-intelligent" DHCP relays forward the retransmissions with the same giaddr, so the client cannot boot if the primary address pool is depleted.

The Cisco IOS DHCP Server itself enables allocation of addresses from secondary address pools. Here we assume that the router is configured with secondary IP addresses. If the client is directly connected, the Cisco IOS DHCP Server attempts to allocate an address from the primary pools. If no free addresses are available in the primary pools, the server automatically allocates an address from a secondary pool. As a result, clients can boot even if all primary addresses are allocated. If all address pools are depleted, the Cisco IOS DHCP Server silently drops the request.

The Cisco IOS DHCP Server also supports the Relay Agent Information Option (DHCP option 82), defined in the "DHCP Relay Agent Information Option" specification (later published as RFC 3046).

The relay agent inserts this option into forwarded BOOTREQUEST messages to identify the circuit on which the client's request arrived; it is used chiefly by cable modem termination systems. A configuration command controls whether the option is added, and by default the Cisco IOS relay does not insert it.

Unique Address Allocation

In order to prevent assigning to clients addresses that may already be in use, the Cisco IOS DHCP Server issues ICMP echo requests to pool addresses before assigning them to clients.[5] Although configurable, the default number of pings used to check for potential IP address conflicts is 2. If the pings are unanswered within a configurable timeout period (the default is 500 milliseconds), the Cisco IOS DHCP Server deduces that the address is not in use and assigns it to the requesting client. If an address conflict is detected, the Cisco IOS DHCP Server removes the offending address from the pool. The address will not be assigned until the administrator resolves the conflict. Note that this check only catches hosts that answer ICMP echo requests; a host that drops them is not detected by the server. In addition, most DHCP clients perform a final check for an address conflict with a gratuitous ARP request for the allocated IP address. If the client detects a conflict, it must issue a DHCPDECLINE message to the server and restart the configuration process by requesting a new address.
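Configuration steps a) through d) from the "Easy Configuration" section, the secondary pool and relay forwarding, and the address-conflict check, gathered into one added example. It is written for this page, not taken from the Cisco paper; the hostnames, addresses, FTP credentials and client identifier are placeholders.

```cisco
! Added example (not from the paper): Cisco IOS DHCP Server on the Easy IP
! router. Hosts, addresses, credentials and identifiers are placeholders.
!
! a) Database agent. Bindings live in router RAM; the agent keeps a copy
!    on an external host so leases survive a reload. write-delay is the
!    interval in seconds between database updates.
ip dhcp database ftp://dhcp:changeme@192.0.2.20/soho1-bindings write-delay 120
!
! b) Addresses never offered from the pools: the router's own addresses
!    and a block held for manually bound hosts.
ip dhcp excluded-address 10.0.0.1 10.0.0.10
ip dhcp excluded-address 10.0.1.1
!
! c) Primary pool. Each command maps to an option from the "Supported DHCP
!    Options" table: default-router 3, dns-server 6, domain-name 15,
!    netbios-name-server 44, netbios-node-type 46, lease 51.
ip dhcp pool SOHO-PRIMARY
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
 dns-server 192.0.2.53 192.0.2.54
 domain-name soho.example.com
 netbios-name-server 10.0.0.5
 netbios-node-type h-node
 bootfile boot.img
 lease 0 12
!
!    Secondary pool, used once SOHO-PRIMARY is exhausted. It is selected
!    because the LAN interface carries the matching secondary address.
ip dhcp pool SOHO-SECONDARY
 network 10.0.1.0 255.255.255.0
 default-router 10.0.1.1
 dns-server 192.0.2.53 192.0.2.54
 domain-name soho.example.com
 lease 0 12
!
!    Manual binding: a one-address pool keyed on the client identifier
!    (01 for Ethernet, followed by the MAC address).
ip dhcp pool PRINTER
 host 10.0.0.9 255.255.255.0
 client-identifier 0100.0c12.3456.78
 client-name printer1
!
! Conflict check before an offer: three echo requests with a one-second
! wait each, instead of the default two at 500 ms. Detected conflicts are
! logged (the default) and keep the address out of the pool until cleared.
ip dhcp ping packets 3
ip dhcp ping timeout 1000
ip dhcp conflict logging
!
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0
 ip address 10.0.1.1 255.255.255.0 secondary
! d) Forwarding: requests the local server cannot satisfy are relayed to
!    a central server across the WAN.
 ip helper-address 192.0.2.67
!
! Relay agent information (option 82) is not inserted by default; enable
! it only when the central server expects it.
ip dhcp relay information option
```

"show ip dhcp binding" lists the leases with their expiry, "show ip dhcp conflict" lists the addresses that the ping check or a client's DHCPDECLINE flagged together with the detection method, and "clear ip dhcp conflict *" returns them to the pool once the cause has been fixed.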

IP Address Reacquisition and Expiration

The Cisco IOS DHCP Server supports IP address reacquisition and expiration as described in sections 4.4.5 and 4.4.6 of RFC 2131. Specifically, it supports client requests to "renew" and/or "rebind" IP addresses, and supports the DHCPRELEASE message sent by the client when the IP address is no longer needed.

Supported DHCP Messages

The Cisco IOS DHCP Server supports the following DHCP message types as defined in RFC 2131:

  • From clients (BOOTREQUEST): DHCPDISCOVER, DHCPREQUEST, DHCPDECLINE, DHCPRELEASE, DHCPINFORM

  • From the server (BOOTREPLY): DHCPOFFER, DHCPACK, DHCPNAK



Cisco IOS DHCP Server Memory Requirements

Run-time memory (Flash or DRAM, depending on hardware platform) requirements can be estimated with the following formula:

Memory required (bytes) = 40K (global variables, processes, etc.)
                        + 112 x number of configured DHCP database agents
                        + 292 x number of configured address pools
                        + 280 x number of configured pool parameters
                        + 104 x number of addresses available for assignment



Packaging and Availability

Cisco IOS Easy IP is available in a two-phase release strategy:

  • Cisco IOS Easy IP Phase 1, which includes NAT and PPP/IPCP negotiation capabilities, assumes that all remote LAN hosts have statically configured IP addresses. Cisco IOS Easy IP Phase 1 is available in all base Cisco IOS software images on selected router platforms beginning with Cisco IOS software release 11.3.

  • Cisco IOS Easy IP Phase 2, which adds the Cisco IOS DHCP Server capability, enables the Cisco IOS Easy IP router to dynamically allocate local IP addresses to the remote LAN hosts via DHCP. Cisco IOS Easy IP Phase 2 is available in all base images on selected router platforms beginning with Cisco IOS software release 12.0T.

Please refer to the following table for Easy IP packaging and platform support information:


Table 1: Cisco IOS Easy IP Packaging and Platform Support

Release  Easy IP  NAT in base images  NAT in "Plus" images  Hardware platforms supported
11.3     Phase 1  PAT only            Full NAT              1000, 1600, 2500, 3620, 3640, 4000, 4500, 4700, AS5200, 7200, RSP7000, 7500
11.3T    Phase 1  PAT only            Full NAT              1000, 1600, 2500, 2600, 3620, 3640, 4000, 4500, 4700, AS5200, AS5300, Cat5000 RSM, 7200, RSP7000, 7500
12.0     Phase 1  Full NAT            Full NAT              1600, 2500, 2600, 3620, 3640, 4000, 4500, 4700, AS5200, AS5300, Cat5000 RSM, 7200, RSP7000, 7500
12.0T    Phase 2  Full NAT            Full NAT              1600, 2500, 2600, 3620, 3640, 4000, 4500, 4700, AS5200, AS5300, Cat5000 RSM, 7200, RSP7000, 7500

12.0/12.0T NAT Packaging on Cisco 1000 Series Platforms:

Full NAT functionality is provided only in Cisco 1000 Plus images in releases 12.0 and 12.0T. PAT-only functionality is available in all base images for Cisco 1000 series platforms. Customers must purchase a "Plus" image in order to obtain full NAT functionality for Cisco 1000 series when using releases 12.0 or 12.0T.

Definitions:

PAT Only: Only PAT (Port Address Translations: "many-to-one" translations), a subset of full NAT functionality, is supported. Static and dynamic one-to-one translations are not supported in these Cisco IOS software images for this release.

Full NAT: Full NAT functionality, including static, dynamic one-to-one translations, and PAT, is supported in these Cisco IOS software images for this release.

Easy IP Phase 1: Includes PAT Only or Full NAT and PPP/IPCP WAN interface address negotiation functionality.

Easy IP Phase 2: Includes PAT Only or Full NAT, PPP/IPCP WAN interface address negotiation functionality, and Cisco IOS DHCP Server functionality.

Summary

Cisco IOS Easy IP is a scalable and standards-based solution that:

  • minimizes Internet access costs for remote offices

  • minimizes configuration requirements on remote access routers

  • enables transparent and dynamic IP address allocation for hosts in remote environments

  • improves network security capabilities at each remote site

  • conserves registered IP addresses

  • maximizes IP address manageability

  • improves remote network privacy


[1] In general network environments, more than one DHCP server can respond to a client's initial DHCPDISCOVER message. Those servers not selected by the DHCPREQUEST broadcast use the message as notification that the client has declined that server's offer.

[2] If the Cisco IOS DHCP Server is unable to satisfy the DHCPREQUEST message, it communicates this to the client with a DHCPNAK message. This typically occurs when the requested address has been assigned to some other client.

[3] DHCP address pools are stored in non-volatile RAM (NVRAM). There is no limit on the number of configurable address pools.

[4] This process repeats until the client successfully obtains an IP address or gives up.

[5] These ICMP echo requests can be disabled if desired.