 |
Caution: Because MPLS is operating in packet mode, security services are not available. |
The logical properties of an interface are the characteristics that do not apply to the physical interface or the wires connected to it. Logical properties include the protocol families running on the interface (including any protocol-specific MTUs), the IP address or addresses associated with the interface, virtual LAN (VLAN) tagging, and any firewall filters or routing policies that are operating on the interface.
The IP specification requires a unique address on every interface of each system attached to an IP network, so that traffic can be correctly routed. Individual hosts such as home computers must have a single IP address assigned. Devices must have a unique IP address for every interface.
This section contains the following topics:
A protocol family is a group of logical properties within an interface configuration. Protocol families include all the protocols that make up a protocol suite. To use a protocol within a particular suite, you must configure the entire protocol family as a logical property for an interface. The protocol families include common and not-so-common protocol suites.
JUNOS protocol families include the following common protocol suites:
If your device is operating in secure context, the Inet6, ISO, and MPLS protocol families are disabled on the device by default. You must enable these protocol families for a device in secure mode to forward IPv6, IS-IS, and MPLS packets. For more information, see Enabling IPv6 in Secure Context, Configuring the IS-IS Protocol, and Enabling MPLS.
|
Caution: Because MPLS is operating in packet mode, security services are not available. |
 |
Note: JUNOS software security processing is not applied to IPv6 or IS-IS packets forwarded by the device. |
In addition to the common protocol suites, JUNOS protocol families sometimes use the following protocol suites:
IPv4 addresses are 32-bit numbers that are typically displayed in dotted decimal notation. A 32-bit address contains two primary parts: the network prefix and the host number.
All hosts within a single network share the same network address. Each host also has an address that uniquely identifies it. Depending on the scope of the network and the type of device, the address is either globally or locally unique. Devices that are visible to users outside the network (Web servers, for example) must have a globally unique IP address. Devices that are visible only within the network (J-series devices, for example) must have locally unique IP addresses.
IP addresses are assigned by a central numbering authority called the Internet Assigned Numbers Authority (IANA). IANA ensures that addresses are globally unique where needed and has a large address space reserved for use by devices not visible outside their own networks.
To provide flexibility in the number of addresses distributed to networks of different sizes, 4-octet (32-bit) IP addresses were originally divided into three different categories or classes: class A, class B, and class C. Each address class specifies a different number of bits for its network prefix and host number:
In binary format, with an x representing each bit in the host number, the three address classes can be represented as follows:
00000000 xxxxxxxx xxxxxxxx xxxxxxxx (Class A) 00000000 00000000 xxxxxxxx xxxxxxxx (Class B) 00000000 00000000 00000000 xxxxxxxx (Class C)
Because each bit (x) in a host number can have a 0 or 1 value, each represents a power of 2. For example, if only 3 bits are available for specifying the host number, only the following host numbers are possible:
111 110 101 100 011 010 001 000
In each IP address class, the number of host-number bits raised to the power of 2 indicates how many host numbers can be created for a particular network prefix. Class A addresses have 224 (or 16,777,216) possible host numbers, class B addresses have 216 (or 65,536) host numbers, and class C addresses have 28 (or 256) possible host numbers.
The 32-bit IPv4 addresses are most often expressed in dotted decimal notation, in which each octet (or byte) is treated as a separate number. Within an octet, the rightmost bit represents 20 (or 1), increasing to the left until the first bit in the octet is 27 (or 128). Following are IP addresses in binary format and their dotted decimal equivalents:
11010000 01100010 11000000 10101010 = 208.98.192.170 01110110 00001111 11110000 01010101 = 118.15.240.85 00110011 11001100 00111100 00111011 = 51.204.60.59
Because of the physical and architectural limitations on the size of networks, you often must break large networks into smaller subnetworks. Within a network, each wire or ring requires its own network number and identifying subnet address.
Figure 10 shows two subnets in a network.
Figure 10: Subnets in a Network
Figure 10 shows three devices connected to one subnet and three more devices connected to a second subnet. Collectively, the six devices and two subnets make up the larger network. In this example, the network is assigned the network prefix 192.14.0.0, a class B address. Each device has an IP address that falls within this network prefix.
In addition to sharing a network prefix (the first two octets), the devices on each subnet share a third octet. The third octet identifies the subnet. All devices on a subnet must have the same subnet address. In this case, the alpha subnet has the IP address 192.14.126.0 and the beta subnet has the IP address 192.14.17.0.
The subnet address 192.14.17.0 can be represented as follows in binary notation:
11000000 . 00001110 . 00010001 . xxxxxxxx
Because the first 24 bits in the 32-bit address identify the subnet, the last 8 bits are not significant. To indicate the subnet, the address is written as 192.14.17.0/24 (or just 192.14.17/24). The /24 is the subnet mask (sometimes shown as 255.255.255.0).
Traditionally, subnets were divided by address class. Subnets had either 8, 16, or 24 significant bits, corresponding to 224, 216, or 28 possible hosts. As a result, an entire /16 subnet had to be allocated for a network that required only 400 addresses, wasting 65,136 (216 – 400 = 65,136) addresses.
To help allocate address spaces more efficiently, variable-length subnet masks (VLSMs) were introduced. Using VLSM, network architects can allocate more precisely the number of addresses required for a particular subnet.
For example, suppose a network with the prefix 192.14.17/24 is divided into two smaller subnets, one consisting of 18 devices and the other of 46 devices.
To accommodate 18 devices, the first subnet must have 25 (32) host numbers. Having 5 bits assigned to the host number leaves 27 bits of the 32-bit address for the subnet. The IP address of the first subnet is therefore 192.14.17.128/27, or the following in binary notation:
11000000 . 00001110 . 00010001 . 100xxxxx
The subnet mask includes 27 significant digits.
To create the second subnet of 46 devices, the network must accommodate 26 (64) host numbers. The IP address of the second subnet is 192.14.17.64/26, or
11000000 . 00001110 . 00010001 . 01xxxxxx
By assigning address bits within the larger /24 subnet mask, you create two smaller subnets that use the allocated address space more efficiently.
To create a much larger address space and relieve a projected future shortage of IP addresses, IPv6 was created. IPv6 addresses consist of 128 bits, instead of 32 bits, and include a scope field that identifies the type of application suitable for the address. IPv6 does not support broadcast addresses, but instead uses multicast addresses for broadcast. In addition, IPv6 defines a new type of address called anycast.
On devices in secure context, IPv6 is disabled and must be explicitly enabled.
IPv6 addresses consist of 8 groups of 16-bit hexadecimal values separated by colons (:). IPv6 addresses have the following format:
aaaa:aaaa:aaaa:aaaa:aaaa:aaaa:aaaa:aaaa
Each aaaa is a 16-bit hexadecimal value, and each a is a 4-bit hexadecimal value. Following is a sample IPv6 address:
3FFE:0000:0000:0001:0200:F8FF:FE75:50DF
You can omit the leading zeros of each 16-bit group, as follows:
3FFE:0:0:1:200:F8FF:FE75:50DF
You can compress 16-bit groups of zeros to double colons (::) as shown in the following example, but only once per address:
3FFE::1:200:F8FF:FE75:50DF
IPv6 has three types of addresses:
Unicast and multicast IPv6 addresses support feature called address scoping that identifies the application suitable for the address.
Unicast addresses support global address scope and two types of local address scope:
Multicast addresses support 16 different types of address scope, including node, link, site, organization, and global scope. A 4-bit field in the prefix identifies the address scope.
Unicast addresses identify a single interface. Each unicast address consists of n bits for the prefix, and 128 – n bits for the interface ID.
Multicast addresses identify a set of interfaces. Each multicast address consists of the first 8 bits of all 1s, a 4-bit flags field, a 4-bit scope field, and a 112-bit group ID:
11111111 | flgs | scop | group ID
The first octet of 1s identifies the address as a multicast address. The flags field identifies whether the multicast address is a well-known address or a transient multicast address. The scope field identifies the scope of the multicast address. The 112-bit group ID identifies the multicast group.
Similar to multicast addresses, anycast addresses identify a set of interfaces. However, packets are sent to only one of the interfaces, not to all interfaces. Anycast addresses are allocated from the normal unicast address space and cannot be distinguished from a unicast address in format. Therefore, each member of an anycast group must be configured to recognize certain addresses as anycast addresses.
If your device is in secure context, you must explicitly enable IPv6. By default in secure context, the device drops IPv6 packets. You can enable the device in one of the following ways to forward IPv6 packets:
|
Note: JUNOS software security processing is not applied to IPv6 packets forwarded by the device. |
A local area network (LAN) is a single broadcast domain. When traffic is broadcast, all hosts within the LAN receive the broadcast traffic. A LAN is determined by the physical connectivity of devices within the domain.
Within a traditional LAN, hosts are connected by a hub or repeater that propagates any incoming traffic throughout the network. Each host and its connecting hubs or repeaters make up a LAN segment. LAN segments are connected through switches and bridges to form the broadcast domain of the LAN. Figure 11 shows a typical LAN topology.
Figure 11: Typical LAN
Virtual LANs (VLANs) allow network architects to segment LANs into different broadcast domains based on logical groupings. Because the groupings are logical, the broadcast domains are not determined by the physical connectivity of the devices in the network. Hosts can be grouped according to a logical function, to limit the traffic broadcast within the VLAN to only the devices for which the traffic is intended.
Suppose a corporate network has three major organizations: engineering, sales, and support. Using VLAN tagging, hosts within each organization can be tagged with a different VLAN identifier. Traffic sent to the broadcast domain is then checked against the VLAN identifier and broadcast to only the devices in the appropriate VLAN. Figure 12 shows a typical VLAN topology.
Figure 12: Typical VLAN
