Archive for the 'General Networking' Category



How Hosts Use Subnet Masks

Wednesday 2 September 2009 @ 5:09 am

This is a post for people new to networking that have just started learning IP addressing and the basis of routing and subnetting.

Every host or device on a TCP/IP network MUST have an IP address assigned in order to communicate with other devices. An IP address consists of a network part and a host part. Think of the network part as the street address of a multi-dwelling building, and the host part as your apartment number inside that building. For example, the building address “Building XYZ” is the network part of the IP address, and “Apartment number 2” is the host part.

For example, the IP address 10.0.0.2, which identifies a single host, contains the network part 10.0.0 and the host part 2. Now, how do devices on the network know which portion of their assigned IP address is the network part and which is the host part? They know this from the “Subnet Mask”. Every host on a TCP/IP network is configured with an IP address AND a subnet mask. The subnet mask identifies the network portion of the IP address assigned to the host. In our example above, the host with IP 10.0.0.2 is also assigned the subnet mask 255.255.255.0. If you do a logical AND operation between the IP address and the subnet mask, you find the network portion of the address:

10.0.0.2 AND 255.255.255.0 = 10.0.0.0  (The network part is 10.0.0 and the remaining part, i.e. 2, is the host part.)

Let’s see a diagram below:

In the picture above, Host A and Host B belong to the same local subnetwork (10.0.0.0/24) and are connected to the same switch together with a router interface. The router interface also has an IP address, 10.0.0.254, with the same subnet mask 255.255.255.0 as the two hosts.

Also, two other hosts (Host C, Host D) belong to another subnetwork (10.1.1.0/24) together with the second interface of the router which has address 10.1.1.254.

Each host is also assigned a default gateway (in addition to its IP address and subnet mask). Hosts A and B must be configured with the address of their router interface, 10.0.0.254, as their default gateway. Similarly, Hosts C and D must be configured with the address of their router interface, 10.1.1.254, as their default gateway.

How Hosts use the Subnet Mask

When a host wants to communicate with another host, it uses its subnet mask to compare the network portion of its own IP address with the network portion of the destination address of the packet to be sent. Before an end system can send a packet to its destination, it must first determine whether the destination address is on the local network. It does this by comparing the network bits of the destination address with the network bits of its own IP address. For example, if Host A wants to send a packet to Host B, it takes the destination address 10.0.0.2 (Host B) and performs an AND operation with its subnet mask. The result is 10.0.0.0, which tells Host A that the destination belongs to the same subnetwork as itself. Therefore it will NOT send the packet to the default gateway (router). Instead, Host A sends an ARP request (Address Resolution Protocol, which maps an IP address to a MAC address) to learn the MAC address of Host B, and then sends the packet directly to Host B through the switch without going through the router.

Now, if Host A wants to send a packet to Host C, it takes the destination address 10.1.1.1 of Host C and performs an AND operation with its subnet mask. The result is

10.1.1.1 AND 255.255.255.0 = 10.1.1.0

which tells Host A that the destination address has a different network portion (10.1.1) than its own (10.0.0). Therefore Host A must send the packet to its default gateway (the router address 10.0.0.254) in order to reach Host C on the other side of the router.
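The local-or-remote decision described above, written out as an added example (this is not code from the original post). It performs the octet-by-octet AND the post describes, extracts the host part, and decides whether a packet goes directly to the destination (after ARP) or to the default gateway. The addresses come from the post's diagram; Host A's own address, 10.0.0.1, is an assumption, since the post does not state it. The example also goes one step beyond the post by handling masks that do not fall on an octet boundary (a /26) and by cross-checking the hand-rolled AND against Python's ipaddress module.

```python
import ipaddress


def _octets(dotted: str) -> list:
    """Split a dotted-quad string into its four integer octets, validating range."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"not a dotted quad: {dotted!r}")
    return parts


def network_part(ip: str, mask: str) -> str:
    """Logical AND of address and mask, octet by octet: the network portion."""
    return ".".join(str(a & m) for a, m in zip(_octets(ip), _octets(mask)))


def host_part(ip: str, mask: str) -> int:
    """The bits the mask leaves unset, read as one integer (the 'apartment number')."""
    value = 0
    for a, m in zip(_octets(ip), _octets(mask)):
        value = (value << 8) | (a & (~m & 0xFF))
    return value


def mask_to_prefix(mask: str) -> int:
    """Convert 255.255.255.0 to 24; rejects masks whose one-bits are not contiguous."""
    bits = "".join(f"{o:08b}" for o in _octets(mask))
    if "01" in bits:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return bits.count("1")


def prefix_to_mask(prefix: int) -> str:
    """Convert a prefix length such as 26 to its dotted mask, 255.255.255.192."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    value = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def next_hop(my_ip: str, mask: str, gateway: str, dst_ip: str) -> tuple:
    """Decide where a host sends a packet.

    Returns ("direct", dst_ip) when the destination shares the host's network
    part (the host ARPs for the destination's MAC and sends via the switch),
    or ("gateway", gateway) when it does not (the host ARPs for the router's
    MAC instead and hands the packet to its default gateway).
    """
    if network_part(my_ip, mask) == network_part(dst_ip, mask):
        return ("direct", dst_ip)
    return ("gateway", gateway)


def check_against_stdlib(ip: str, mask: str) -> bool:
    """Cross-check the hand-rolled AND against Python's ipaddress module."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return str(net.network_address) == network_part(ip, mask)


if __name__ == "__main__":
    # Host A is assumed to be 10.0.0.1/24 with default gateway 10.0.0.254
    # (the post's diagram); Host B is 10.0.0.2 and Host C is 10.1.1.1.
    host_a = ("10.0.0.1", "255.255.255.0", "10.0.0.254")
    for dst in ("10.0.0.2", "10.1.1.1"):
        how, where = next_hop(*host_a, dst)
        print(f"{host_a[0]} -> {dst}: {how} via {where}")
    # A /26 shows the same rule working below the octet boundary.
    m26 = prefix_to_mask(26)
    print(network_part("10.0.0.70", m26), host_part("10.0.0.70", m26))
```

Running it prints the two decisions from the post (direct to 10.0.0.2, via 10.0.0.254 for 10.1.1.1) and then 10.0.0.64 / 6 for the /26 case, showing that the network part is not always a whole-octet prefix.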




Cisco Branch Virtual Office Solutions

Monday 24 November 2008 @ 7:23 am

Extending the central office enterprise environment to remote branch office locations gives employees greater flexibility while enhancing productivity and reducing costs. The Cisco Virtual Office solution is an umbrella of technologies and products that delivers secure data, voice, and video communication to remote teleworkers and branch offices, providing remote employees a seamless, office-caliber experience wherever they are located.

A high level network topology of two remote branch offices with the enterprise central site is shown in the figure below:

[Figure: cisco remote branch virtual office]

The components that constitute the Cisco Virtual Office solution include the following products and technologies:

REMOTE BRANCH LOCATION:

In the remote user premises, the equipment includes Cisco 800 series ISRs (Integrated Services Routers), which provide secure IPSEC VPN connectivity towards the central site, together with Unified 7900 series IP Phones that offer voice and video communication with the central call manager system.

CENTRAL SITE LOCATION:

The equipment and technologies here include a VPN termination device (either a VPN router or a Cisco ASA Firewall), a central call manager system for voice and video control, and central management software for policy enforcement, authentication services, identity management, etc.




Passing non-IP Traffic over IPSEC VPN using GRE over IPSEC

Friday 14 November 2008 @ 5:53 am

IPSEC VPN is a great technology for encrypting and securing communications between networks. Its one drawback is that IPSEC supports ONLY pure IP unicast traffic and nothing else. If you want to securely pass multicast or non-IP traffic between sites, IPSEC alone will not work. Fortunately, Cisco routers support the GRE protocol (Generic Routing Encapsulation), a tunneling protocol that can encapsulate a variety of network layer packet types inside a GRE tunnel. GRE can therefore carry multicast traffic, routing protocol packets (OSPF, EIGRP, etc.) and other non-IP traffic inside a point-to-point tunnel. The downside of GRE is that it provides no encryption or authentication of its own, so it is not as secure as IPSEC. By running GRE over IPSEC we get the best of both technologies: security, plus support for many network protocols. Some applications of GRE over IPSEC are the following:


  • Pass multicast traffic from a video server at one site to another site over the Internet.
  • Pass routing protocol updates (multicast traffic) between sites in an IPSEC VPN topology.
  • Run Novell IPX between IPSEC VPN sites.
  • Use load balancing with a routing protocol between IPSEC VPN sites.

Configuration example

Below we will describe a configuration example between two Cisco routers running GRE over IPSEC via the Internet.

[Figure: cisco gre over ipsec between two routers]

In the diagram above, we have two private LAN networks, 192.168.1.0/24 and 192.168.2.0/24, and we want to send non-IP traffic between them (e.g. multicast video server traffic from Site-A to Site-B, or any other non-IP or non-unicast traffic). Each router has a static public IP address on its FE0/1 outside interface (100.100.100.1 and 200.200.200.1), between which the IPSEC tunnel is set up. The GRE tunnel runs between two private IP addresses (10.0.0.1 and 10.0.0.2) configured on each router with the interface Tunnel0 command. The scenario also involves NAT for general Internet access from the local networks; traffic between the two private LANs is exempted from NAT (access-list 175 below) so that it enters the GRE tunnel with its original addresses.

SITE-A

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SITE-A
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
ip subnet-zero
!
!-- This is the IPsec configuration.
!
crypto isakmp policy 10
authentication pre-share

crypto isakmp key testkey123 address 200.200.200.1
!
crypto ipsec transform-set ESPDES-TS esp-des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
!
set peer 200.200.200.1
set transform-set ESPDES-TS
match address 101
!
!-- This is one end of the GRE tunnel.
!
interface Tunnel0
ip address 10.0.0.1 255.255.255.0

!-- Associate the tunnel with the physical outside interface.
tunnel source FastEthernet0/1
tunnel destination 200.200.200.1

!-- Attach the IPSEC crypto map to the GRE tunnel.
crypto map myvpn

!-- This is the internal network.

interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside

!-- This is the external interface and the source of the GRE tunnel.

interface FastEthernet0/1
ip address 100.100.100.1 255.255.255.0
ip nat outside
crypto map myvpn

!-- Define the NAT pool.

ip nat pool NATPOOL 100.100.100.2 100.100.100.20 netmask 255.255.255.0
ip nat inside source route-map nonat pool NATPOOL overload
ip classless

ip route 0.0.0.0 0.0.0.0 100.100.100.254

!-- Force the private network traffic into the tunnel.

ip route 192.168.2.0 255.255.255.0 10.0.0.2

!-- All traffic that enters the GRE tunnel is encrypted by IPsec.
access-list 101 permit gre host 100.100.100.1 host 200.200.200.1

!-- Use the access list in a route-map to select what to NAT (LAN-to-LAN traffic is exempted).

access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 175 permit ip 192.168.1.0 0.0.0.255 any

route-map nonat permit 10
match ip address 175

end

 

SITE-B

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SITE-B
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
ip subnet-zero
!
!-- This is the IPsec configuration.
!
crypto isakmp policy 10
authentication pre-share

crypto isakmp key testkey123 address 100.100.100.1
!
crypto ipsec transform-set ESPDES-TS esp-des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
!
set peer 100.100.100.1
set transform-set ESPDES-TS
match address 101
!
!-- This is one end of the GRE tunnel.
!
interface Tunnel0
ip address 10.0.0.2 255.255.255.0

!-- Associate the tunnel with the physical outside interface.
tunnel source FastEthernet0/1
tunnel destination 100.100.100.1

!-- Attach the IPSEC crypto map to the GRE tunnel.
crypto map myvpn

!-- This is the internal network.

interface FastEthernet0/0
ip address 192.168.2.1 255.255.255.0
ip nat inside

!-- This is the external interface and the source of the GRE tunnel.

interface FastEthernet0/1
ip address 200.200.200.1 255.255.255.0
ip nat outside
crypto map myvpn

!-- Define the NAT pool.

ip nat pool NATPOOL 200.200.200.2 200.200.200.20 netmask 255.255.255.0
ip nat inside source route-map nonat pool NATPOOL overload
ip classless

ip route 0.0.0.0 0.0.0.0 200.200.200.254

!-- Force the private network traffic into the tunnel.

ip route 192.168.1.0 255.255.255.0 10.0.0.1

!-- All traffic that enters the GRE tunnel is encrypted by IPsec.
access-list 101 permit gre host 200.200.200.1 host 100.100.100.1

!-- Use the access list in a route-map to select what to NAT (LAN-to-LAN traffic is exempted).

access-list 175 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 permit ip 192.168.2.0 0.0.0.255 any

route-map nonat permit 10
match ip address 175

end
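The two site configurations have to mirror each other exactly: the ISAKMP key address, the crypto map peer and the tunnel destination on each side must all be the other side's outside address, the GRE access list must name the two outside addresses in the right order, the route for the remote LAN must point at the remote tunnel address, and the NAT exemption must cover LAN-to-LAN traffic. Below is an added consistency checker (my code, not the author's) that reads both configs and reports any of those mismatches; it also flags the DES/MD5 transform set, which is what 2008-era IOS offered but no longer meets current guidance. The SITE_A and SITE_B strings are constructed excerpts of the two listings above, trimmed to the lines the checks read; a whole running-config can be passed in instead, since the regexes skip everything else.

```python
import re
import ipaddress

# Constructed excerpts of the two listings above (only the lines the checks read).
SITE_A = """
crypto isakmp key testkey123 address 200.200.200.1
crypto ipsec transform-set ESPDES-TS esp-des esp-md5-hmac
set peer 200.200.200.1
interface Tunnel0
ip address 10.0.0.1 255.255.255.0
tunnel source FastEthernet0/1
tunnel destination 200.200.200.1
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/1
ip address 100.100.100.1 255.255.255.0
ip route 192.168.2.0 255.255.255.0 10.0.0.2
access-list 101 permit gre host 100.100.100.1 host 200.200.200.1
access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
SITE_B = """
crypto isakmp key testkey123 address 100.100.100.1
crypto ipsec transform-set ESPDES-TS esp-des esp-md5-hmac
set peer 100.100.100.1
interface Tunnel0
ip address 10.0.0.2 255.255.255.0
tunnel source FastEthernet0/1
tunnel destination 100.100.100.1
interface FastEthernet0/0
ip address 192.168.2.1 255.255.255.0
interface FastEthernet0/1
ip address 200.200.200.1 255.255.255.0
ip route 192.168.1.0 255.255.255.0 10.0.0.1
access-list 101 permit gre host 200.200.200.1 host 100.100.100.1
access-list 175 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
# Transforms IOS still accepts but that no longer meet current guidance.
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

def first(pattern, cfg):
    """Capture groups of the first line matching pattern, or Nones if absent."""
    m = re.search(pattern, cfg, re.M)
    return m.groups() if m else (None,) * re.compile(pattern).groups

def iface_ip(cfg, name):
    """(address, mask) of the 'ip address' line directly under 'interface <name>'."""
    if name is None:
        return (None, None)
    return first(rf"^interface {re.escape(name)}\s*\n\s*ip address (\S+) (\S+)", cfg)

def net(addr, mask):
    """ip_network for addr/mask; mask may be a wildcard such as 0.0.0.255."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False) if addr else None

def parse_site(cfg):
    """Pull the tunnel, crypto, routing and NAT-exemption facts out of one config."""
    psk, isakmp_peer = first(r"^crypto isakmp key (\S+) address (\S+)", cfg)
    (transform,) = first(r"^crypto ipsec transform-set \S+ (.+)$", cfg)
    (map_peer,) = first(r"^set peer (\S+)", cfg)
    (tun_src,) = first(r"^tunnel source (\S+)", cfg)
    (tun_dst,) = first(r"^tunnel destination (\S+)", cfg)
    tun_ip, tun_mask = iface_ip(cfg, "Tunnel0")
    out_ip, _ = iface_ip(cfg, tun_src)
    lan_ip, lan_mask = iface_ip(cfg, "FastEthernet0/0")
    # The lookahead skips the default route so the LAN-to-LAN route is picked up.
    r_net, r_mask, r_nh = first(r"^ip route (?!0\.0\.0\.0 )(\S+) (\S+) (\S+)", cfg)
    e_src, e_wc, e_dst, e_dwc = first(r"^access-list 175 deny ip (\S+) (\S+) (\S+) (\S+)", cfg)
    return dict(psk=psk, isakmp_peer=isakmp_peer, map_peer=map_peer, tun_dst=tun_dst,
                out_ip=out_ip, tun_ip=tun_ip, tun_net=net(tun_ip, tun_mask),
                lan=net(lan_ip, lan_mask), route=(net(r_net, r_mask), r_nh),
                gre=first(r"^access-list 101 permit gre host (\S+) host (\S+)", cfg),
                exempt=(net(e_src, e_wc), net(e_dst, e_dwc)), transform=transform or "")

def check_pair(cfg_a, cfg_b, name_a="SITE-A", name_b="SITE-B"):
    """Return findings; ERROR lines break the tunnel, WARN lines are crypto hygiene."""
    a, b = parse_site(cfg_a), parse_site(cfg_b)
    findings = []
    for me, peer, name in ((a, b, name_a), (b, a, name_b)):
        def err(msg):
            findings.append(f"ERROR {name}: {msg}")
        for field in ("isakmp_peer", "map_peer", "tun_dst"):
            if me[field] != peer["out_ip"]:
                err(f"{field} {me[field]} is not the peer's outside address {peer['out_ip']}")
        if me["gre"] != (me["out_ip"], peer["out_ip"]):
            err(f"access-list 101 should be 'permit gre host {me['out_ip']} host {peer['out_ip']}'")
        if me["route"] != (peer["lan"], peer["tun_ip"]):
            err(f"route for {peer['lan']} should point at the peer tunnel address {peer['tun_ip']}")
        if me["exempt"] != (me["lan"], peer["lan"]):
            err(f"NAT exemption (access-list 175 deny) must cover {me['lan']} -> {peer['lan']}")
        if me["tun_net"] != peer["tun_net"]:
            err(f"tunnel address {me['tun_ip']} is not in the same subnet as the peer's")
        weak = sorted(WEAK_TRANSFORMS & set(me["transform"].split()))
        if weak:
            findings.append(f"WARN {name}: legacy transforms {weak}; prefer AES and SHA-2 HMAC")
    if a["psk"] != b["psk"]:
        findings.append("ERROR: pre-shared keys differ between the two sites")
    return findings

if __name__ == "__main__":
    for line in check_pair(SITE_A, SITE_B) or ["configs are consistent"]:
        print(line)
```

On the two listings as written, the only output is the WARN line for each site about esp-des and esp-md5-hmac; change a single peer address or the pre-shared key on one side and the corresponding ERROR line appears, which is exactly the class of mistake that leaves the ISAKMP negotiation stuck without an obvious symptom in the configuration itself.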




Cisco Best Overall Home Network

Tuesday 17 June 2008 @ 6:02 am

Cisco has announced the Grand Prize winner of its competition for the best overall home network using Cisco equipment. This competition is run among Cisco employees. The winner is Iwan Eberhart, Frauenfeld, Switzerland. His Home Network is shown in the figure below:

[Figure: cisco home network]

“I enjoy having the latest and greatest technologies at home, too,” he says. In fact, not a day goes by that Eberhart doesn’t use his home network for work, play, or both.
As you can see, Eberhart uses his home network for TV and Movies, Centralized Storage of his media collection, Sound and Music, IP Telephony, Home LAN gaming etc.

Eberhart’s prize-winning home network evolves continually as new technology becomes available. His next plan is to consolidate the three devices in his living room. One option is to use the KiSS Technology set-top box to stream local movies and MP3 files, which would enable Eberhart to relocate the media player to his bedroom. Or, if his service provider agrees, he might install the Microsoft IP/TV client on a new Xbox 360, which would let him move the set-top box to his bedroom.
He plans to use the prize money to buy more home network gadgets.



