TRANSCRIPT
“Advanced IP Networking for Broadcast Engineers”
Tutorial & CBNE Study Topics
Wayne M. Pecena, CPBE, CBNE Texas A&M University
Office of Information Technology
Educational Broadcast Services
SBE Networking Certifications
CBNT Certified Broadcast Networking Technician
• This certification is designed for persons who wish to demonstrate a basic familiarity with networking hardware as utilized in business and audio/video applications in broadcast facilities.
• Exam Focus:
– Network topologies and layouts
– Common network protocols
– Wiring standards and practices
– Maintenance, troubleshooting and connectivity issues
– Challenges unique to broadcast-based networks
CBNE Certified Broadcast Networking Engineer
• This certification is an “Advanced” level that reflects the skill and knowledge that will be required in today's world of converged IT and broadcast engineering.
• Exam Focus:
– Audio/Video over IP
– Digital Content Management
– Video Systems in an IT World
– Data Transmission Systems
– General IT Hardware
Advertised Tutorial Scope:
This course will focus on a deeper understanding and application of the fundamentals in a real-world IP networking environment. Emphasis will be placed upon designing an IPv4 addressing plan, IP subnetting, Ethernet switching with VLAN implementation, IP routing, network security, and transport of audio and video content in an IP network infrastructure. Additional topics will include an overview of related content found on the Society of Broadcast Engineers CBNE examination, including a practical exercise designed to help prepare for the CBNE exam essay question(s).
Content Breakdown:
20% - Fundamentals of IP Networking Review
60% - Advanced IP Networking With Routing & Switching Implementation Focus
20% - CBNE Study Topics
OUTLINE:
• IP Networking Fundamentals Review
• Layered Network Design for Security & Performance
• Ethernet Switching In-Depth
• IP Routing In-Depth
• IP Addressing & Subnetting In-Depth
• Building the Network Infrastructure
• CBNE Study Topics & Practical Exercise
IP Networking Fundamentals Review
What is a Network?
• The Foundation for Human Interaction.
• A Group of Computers That are Interconnected to Share Resources and Information.
• A Group of Hosts That Share a Common Address Scheme.
• Networks are often defined by their geographic reach:
– Local Area Network - LAN
– Wide Area Network - WAN
– Metropolitan Area Network - MAN
– Campus Area Network - CAN
• Networks Can Be Defined By Their Function:
– Storage Area Network - SAN
5 Things Required To Build a Network
• Send Host
• Receive Host
• Message or Data to Send Between Hosts
• Media to Interconnect Hosts
• Protocol to Define How Data is Transferred
[Figure: Send Host and Receive Host interconnected by Media, exchanging DATA under a Protocol]
Remember - A Host is Any Device That Can Be Connected to a Network
Standards Organizations De Jure & De Facto
• IETF – Internet Engineering Task Force
– The Internet Standard RFC’s Originate Here
• IEEE- Institute of Electrical & Electronic Engineers
– Ethernet & Wireless LAN Standards
• ITU – International Telecommunications Union
– Global Telecommunications Standards (ie PSTN)
• EIA – Electronic Industries Association
– Focused on Physical Layer Standards
• ISO – International Standards Organization
– OSI Reference Model Creation
IETF – Internet Engineering Task Force
• Request for Comments – RFC’s
– The “Standards Bible” of the Internet
– Used to Explain All Aspects of IP Networking
– Nomenclature “RFC xxxx”
• Requirement Levels:
– Required
– Recommended
– Elective
– Limited Use
– Not Recommended
www.rfc-editor.org/rfc.html
IEEE- Institute of Electrical & Electronic Engineers
• Project 802 Ethernet Standards:
– 802.1 Bridging
– 802.3 Ethernet
– 802.11 Wireless
http://standards.ieee.org/about/get/
ITU – International Telecommunications Union
• ITU-T Sector Provides Standardization of Global Telecommunications Standards (except radio)
• Key Standards include:
– Coding of Audio – G.711 & G.72x series
– Coding of Still Images - JPEG-2000 / T.800 series
– Video Coding - MPEG2 / MPEG-4 AVC
– ISDN (Integrated Services Digital Network) – Q.931
– Optical Transport Network (OTN) - G.709 series
– Passive optical networks (PON) - G.983 series
– Public Telecommunication Numbering Plan – E.164
– Signalling System 7 - Q.7xx series
– (x)DSL – Digital Subscriber Line
www.itu.int
The OSI Model – Open Systems Interconnection (OSI) Model
• Developed by the International Organization for Standardization (ISO)
• A Conceptual Model – Abstract in Nature – Modular in Structure
• Provides “Layer Swapping” – Partitions Communications Function
• Defines How Data Traverses From An Application to the Network
Networking Focus – Layer Mnemonics:
“All People Seem To Need Data Processing” (Application down to Physical)
OR
“Please Do Not Throw Sausage Pizza Away” (Physical up to Application)
Open Systems Interconnection “OSI” Model
7 – Application: User Application Interaction
6 – Presentation: Standardizes Data Encoding/Decoding/Compression/Encryption
5 – Session: Tracks User Sessions, Inter-Host Communications
4 – Transport: Manages End-End Connections: TCP, UDP, & Flow Control
3 – Network: Provides Internetwork Routing (path), Provides Virtual Addressing (IP)
2 – Data Link: Provides Network Access Control, Physical Address (MAC), & Error Detection
1 – Physical: Interfaces to Physical Network, Moves Bits Onto & Off Network Medium
The OSI Model Expanded – PDU & Layer Addressing
7 – Application
6 – Presentation
5 – Session: Addressing = SESSION ID
4 – Transport: PDU = SEGMENT; Addressing = PORT
3 – Network: PDU = PACKET (Datagram); Addressing = IP ADDRESS
2 – Data Link: PDU = FRAME; Addressing = MAC ADDRESS
1 – Physical: PDU = BITS (data stream)
Another OSI Model Perspective
Application Layers (7 Application, 6 Presentation, 5 Session):
– EMAIL: SMTP (25), POP
– Net Mgmt: SNMP (161 / 162)
– File Transfer: FTP (20 / 21)
– WEB: HTTP (80)
– Directory: DNS (53)
Data Flow Layers:
– 4 Transport: TCP, UDP
– 3 Network: IPv4, IPv6
– 2 Data Link: Ethernet II, 802.2 SNAP, PPP
– 1 Physical: RS-xxx, ISDN, ADSL, Fiber, Coax, CAT 5
Encapsulation
Data is “Encapsulated” As It Travels Down Through the “Stack” From the Application
Encapsulation & De-Encapsulation
[Figure: data passes down the stack on the send host and back up the stack on the receive host]
Application / Presentation / Session: Upper Level Data
Transport – Segment: TCP Header | Data
Network – Packet: IP Header | Data
Data Link – Frame: MAC Header | LLC Header | Data | CS
Physical – Bits: 0110010111001000111000111010
The Protocol Data Unit
Segment: Source Port | Destination Port | Data
Packet: Source IP | Destination IP | Protocol | Segment
Frame: Destination MAC | Source MAC | EtherType | Packet | FCS
Bit: 11010011010111101100101010010001000010101010101000011111111
Mnemonic – “Some People Fear Birthdays” (Segment, Packet, Frame, Bit)
TCP/IP Focused Models – DoD Model Stack or TCP/IP Model Stack, Focused on IP
OSI Model: Application, Presentation, Session, Transport, Network, Data Link, Physical
DoD Model: Application, Host to Host, Internet, Network
TCP/IP Model: Application, Transport, Internet, Network Interface
The Models in Comparison
OSI Model (7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical) mapped to the TCP/IP Model:
4 – Application (OSI 7, 6, 5): Service Provided to Applications; Provides Data Formatting; Provides Conversation Control
3 – Transport (OSI 4): Provides Data Sequencing, Flow Control, Integrity
2 – Internetwork (OSI 3): Provides Logical Addressing, Fragmentation, End-End Delivery
1 – Network Access (OSI 2 LLC / MAC & OSI 1): Provides Physical Addressing, Error Correction; Provides Media Interface, Topology
The OSI Model is a conceptual framework model independent of protocols.
The TCP/IP Model is an implementation of the OSI Model that describes the framework of the TCP/IP protocol suite.
TCP/IP describes how data is addressed, routed, and formatted for end-end connectivity between computer hosts.
TCP/IP Model (DoD Model) Encapsulation: Application Data → Segments (TCP / UDP) → Packets (IP) → Frames (Network Interface) → Bits
The Real-World OSI Model – RFC 2321
“A Description of the usage of Nondeterministic Troubleshooting and Diagnostic Methodologies”
[Figure: OSI stack annotated – “ID10T Errors Occur Here”]
1 - The Physical Layer
Medium defined
Physical interface defined
Places bits onto the physical network medium
Controls the signaling
Takes bits off the physical network medium
Sends / Receives frames to/from the Data Link Layer
Ethernet Beginnings
• Conceptually Based Upon “ALOHA NET”
– Developed as a “Wireless” Network by Norman Abramson & colleagues
– Deployed at the University of Hawaii in 1971
• Later Refined at Xerox PARC in 1973
– Bob Metcalf & David Boggs “Fathers of Ethernet”
• More Ethernet History:
http://ethernethistory.typepad.com/
Ethernet Evolution
• Developed in Early 70’s at Xerox PARC
• Standardized as Ethernet Version 1 by Digital Equipment, Intel, & Xerox – DIX Standard
• Refined in 1982 as Ethernet II
• IEEE Releases Formal 802.3 Ethernet Standard in the mid 80’s
Ethernet Media Evolution
[Figure: Thicknet with Vampire Tap → Thinnet]
Topology Also Migrates from “Bus” to “Star” Based
The OSI Model & Ethernet Types
[Figure: Data Link Layer = 802.2 LLC + MAC sublayers; Physical Layer variants: Ethernet, Ethernet 802.3, Ethernet 802.3ab Gigabit Ethernet (copper), Ethernet 802.3z Gigabit Ethernet, Ethernet 802.3u Fast Ethernet, Token Ring, 802.6, FDDI]
CSMA / CD – Carrier Sense Multiple Access with Collision Detection
[Figure: two stations transmit at once on the shared medium – Collision – Jam Signal Placed on Wire]
Ethernet CSMA/CD
• Original Ethernet Utilized a “Shared Medium”
• Half-Duplex Utilizes CSMA/CD “Carrier Sense Multiple Access with Collision Detect”
• Full-Duplex Disables CSMA/CD
• Valid Modes:
– Half/Full 10 Mbps
– Full/Half 100 Mbps
– Full 1000 Mbps
Ethernet Auto-Negotiation
• Auto Configuration of Port Duplex & Speed
– Utilizes Ethernet FLP & NLP Bursts
• Duplex – Half Duplex or Full Duplex
• Speed – 10 / 100 / 1000 Mbps
• Be Careful Depending Upon Auto-Negotiation
• Ensure Both Endpoint Devices Are Set to Auto
– 10 Mbps Full Duplex is Not a Valid Mode
– 100 Mbps Half Duplex Indicates Auto-Negotiation Failure
• IMHO Best Practice – Statically Configure Infrastructure
– Duplex Mismatch = Poor Performance = CRC Errors
Duplex Mismatch Result
[Figure: Switch Port running Half-Duplex connected to a Server Interface running Full-Duplex]
Half-Duplex Switch Port: Monitors for Received Frames, Transmits When No Receive Activity
Full-Duplex Server Interface: Always Transmits – CSMA/CD NOT Enabled In Full Duplex
When Duplex Mismatch Occurs: High Collision Rate Results, thus Performance Reduced
Ethernet Physical Standards
Ethernet GBIC & SFP Modules
“Giga-Bit Interface Converter” - GBIC Transceiver
SC Fiber Connector
“Single Form-factor Pluggable” – SFP (mini GBIC) Transceiver
LC Fiber Connector
Copper or Optical Based Transceiver to Provide Flexible
Physical Interface
- 1000Base-T (some support 100/1000Base-T as well)
- 1000Base-SX / LX / ZX - Multi-Mode / Single-Mode Fiber
Power Over Ethernet - PoE
• Allows Data & DC Power To Be Carried on the Same UTP Cable
• IEEE Standardized:
– 802.3af 13 W device power (minimum 44 V DC and 350 mA)
– 802.3at “PoE+” 25 W device power
• Power Sourcing Equipment:
– PoE Compliant Switch
– PoE Injectors
2 - The Data Link Layer
[Figure: Data Link Layer = LLC Sublayer + MAC Sublayer]
Network Layer Packets Encapsulated Into / De-Encapsulated From Frames
Physical or Hardware Addressing Implemented – Unique
Defines Network Topology
The Data Link Sub-Layers:
LLC Sublayer
MAC Sublayer:
- Physical Addressing (MAC Address)
- Transmitting On The Media
- Flow Control
- Error Control (CRC)
- Synchronization
Data Link Functions: Package Frames, Transmit Frames, Control Flow, Error Correction, Network ID
Data Link Frames: Are Likely Ethernet Layer 2 Protocol Data Units
But, they could be: Token Ring Layer 2 Protocol Data Units, Frame Relay Layer 2 Protocol Data Units
Ethernet Basics – IEEE 802.3
• The “de facto Standard” of Networking Today!
• Based Upon Contention-Access to the Wire
• 4 Basic Building Blocks of the Ethernet System
– The Ethernet Frame
• 802.3 Raw – Early Novell NetWare IPX
• 802.2 LLC – Current Novell NetWare IPX
• Ethernet II (DIX) – TCP/IP
• Ethernet SNAP – IPX, AppleTalk v2
– Media Access Control Protocol
– Signaling Components
– Physical Medium
The Layer 2 Ethernet Frame
An Ethernet II (DIX) Frame:
Preamble (8 BYTES) | Destination Address (6 BYTES) | Source Address (6 BYTES) | Type (2 BYTES) | Data (46 – 1500 BYTES, VARIABLE) | CRC (4 BYTES)
64 Byte Minimum (Destination Address through CRC)
Invalid FRAME Lengths:
< 64 BYTES = “RUNT” FRAME
> 1518 BYTES = “GIANT” FRAME
Note – Preamble Not Used in Frame Length Calculation
Ethernet Network Physical Addressing
• MAC Address – 6 Bytes – Hexadecimal Notation - 00:12:3F:8D:4D:A7
– Layer 2 Physical Address (local network segment)
– Fixed – Assigned by NIC Mfg.
– Local Scope
[Figure: Simplified Representation – Ethernet Frame (Destination MAC FF:FF:FF:FF:FF:FF, Source MAC 00:12:3F:8D:4D:A7) carrying an IP Packet (Destination IP / Source IP – 172.15.1.1, 172.15.2.2), DATA, Trailer]
Media Access Control (MAC) Address – 48 bits
Organization Unique Identifier (OUI) – 24 bits (6 hexadecimal digits) | Mfg. Assigned – 24 bits (6 hexadecimal digits)
Example: A4:67:06 : AB:41:D5 – OUI A4:67:06 = Apple, Inc.
http://www.wireshark.org/tools/oui-lookup.html
http://standards.ieee.org/develop/regauth/oui/public.html
MAC Address Formats – Always 48 Bits – Expressed as Hexadecimal
6 Bytes: Byte 1 | Byte 2 | Byte 3 = Organization Unique Identifier “OUI”; Byte 4 | Byte 5 | Byte 6 = Network Interface Controller “NIC”
Can Be Represented in Several Formats:
00:A0:C9:14:C8:29
00-A0-C9-14-C8-29
00A0.C914.C829
3 - The Network Layer
[Figure: Network 1 – Network 5 interconnected by Router A, Router B, and Router C]
Internetwork Communications Focused:
Packet Delivery from Source Host To Destination Host
Logical Addressing Scheme Implementation
Routing Decisions via Routing Protocols
IP Network Virtual Addressing
• IP Address – 4 Bytes – Dotted Decimal Notation - 172.15.1.1
– Layer 3 Logical Address (global routed)
– Can Change – Determined by Network - Assigned by User
– Global Scope
[Figure: Simplified Representation – the same Ethernet Frame / IP Packet diagram as on the MAC addressing slide]
IP Packet – Layer 3 – RFC 791
IPv4 Header – 20 Bytes, laid out in 32-bit words (field widths in bits):
Version (4) | Header Length (4) | Precedence / Type of Service (8) | Total Length (16)
Identification (16) | Flags (3) | Fragment Offset (13)
Time to Live (8) | Protocol (8) | Header Checksum (16)
Source IP Address (32)
Destination IP Address (32)
Options & Padding (0 or 32)
Packet Payload (Transport Layer Data)
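As an added illustration (not from the tutorial), the following Python parses the 20-byte header laid out above and verifies the header checksum, the one's-complement sum over the header words; a receiver drops a packet whose checksum fails instead of acting on a corrupted TTL or protocol field. The packet bytes are constructed inline with a helper, not captured.

```python
import struct
from ipaddress import IPv4Address

IPV4_FIXED = "!BBHHHBBH4s4s"   # Version/IHL, ToS, Total Length, Ident, Flags/Offset, TTL, Proto, Csum, Src, Dst


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 791 header checksum arithmetic)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def parse_ipv4_header(pkt: bytes) -> dict:
    """Parse the fixed IPv4 header from the slide and check its checksum."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte minimum IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack(IPV4_FIXED, pkt[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4               # header length field counts 32-bit words
    if version != 4:
        raise ValueError(f"not IPv4 (version={version})")
    if ihl < 20 or ihl > len(pkt):
        raise ValueError(f"bad header length {ihl}")
    # A valid header (checksum field included) sums to 0xFFFF
    checksum_ok = ones_complement_sum(pkt[:ihl]) == 0xFFFF
    return {
        "version": version,
        "header_len": ihl,
        "tos": tos,
        "total_length": total_len,
        "identification": ident,
        "flags": flags_frag >> 13,           # 3 bits: reserved, DF, MF
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,                   # 1 = ICMP, 6 = TCP, 17 = UDP
        "checksum_ok": checksum_ok,
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "payload": pkt[ihl:total_len],
    }


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Construct a 20-byte header with a correct checksum (sample input for the parser)."""
    fields = [0x45, 0, 20 + payload_len, ident, 0x4000,   # 0x4000 = Don't Fragment
              ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed]
    fields[7] = 0xFFFF ^ ones_complement_sum(struct.pack(IPV4_FIXED, *fields))
    return struct.pack(IPV4_FIXED, *fields)


if __name__ == "__main__":
    sample = build_ipv4_header("192.168.1.101", "192.168.2.101", 17, 8) + b"A" * 8
    print(parse_ipv4_header(sample))
```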
L2 & L3 Flow Through an IP Network – Summary
[Figure: HOST A (00:06:5B:01:02:03, 192.168.1.101) – Router interface 192.168.1.1 (00:00:0C:C1:00:10) / Router interface 192.168.2.1 (00:00:0C:C1:00:20) – HOST B (00:06:5B:11:22:33, 192.168.2.101)]
Frame on the first segment (Host A → Router):
Source IP: 192.168.1.101
Destination IP: 192.168.2.101
Source MAC: 00:06:5B:01:02:03
Destination MAC: 00:00:0C:C1:00:10
Frame on the second segment (Router → Host B):
Source IP: 192.168.1.101
Destination IP: 192.168.2.101
Source MAC: 00:00:0C:C1:00:20
Destination MAC: 00:06:5B:11:22:33
Frame & Packet Flow Through Network
[Figure: HOST A (00:06:5B:01:02:03, 192.168.1.101) and HOST B (00:06:5B:11:22:33, 192.168.1.104) connected through two routers; router interfaces 00:00:0C:C1:00:01 (192.168.1.102), 00:00:0C:C1:00:10 (192.168.100.101), 00:00:0C:C1:00:20 (192.168.100.102), 00:00:0C:C1:00:30 (192.168.1.103)]
Each frame carries PREAMBLE | Destination MAC | Source MAC | TYPE | Source IP | Destination IP | DATA | CRC:
Hop 1 – Destination MAC 00:00:0C:C1:00:01, Source MAC 00:06:5B:01:02:03, Source IP 192.168.1.101, Destination IP 192.168.1.104
Hop 2 – Destination MAC 00:00:0C:C1:00:20, Source MAC 00:00:0C:C1:00:10, Source IP 192.168.1.101, Destination IP 192.168.1.104
Hop 3 – Destination MAC 00:06:5B:11:22:33, Source MAC 00:00:0C:C1:00:30, Source IP 192.168.1.101, Destination IP 192.168.1.104
MAC Address Changes As Frame Passes Through the Network – the IP Addresses Do Not
4 - The Transport Layer
Implements Reliable End-End Data Transport
Implements Fast Connectionless Data Transport
Implements Error Detection / Correction
Establishes Virtual Connect Between Hosts
Provides Segmentation, Sequencing, Flow Control
[Figure: Send Host ↔ Receive Host]
TCP 3-Way Handshake
Host 1 Initiates Connection to Host 2:
1. SYN – Host 1 Sends Synchronize Message to Host 2
2. SYN + ACK – Host 2 Responds With Acknowledgement Plus Sends Its Own Synchronization Message to Host 1
3. ACK – Host 1 Completes the 3-Way Handshake By Sending Acknowledgement to Host 2
TCP Basics – Transmission Control Protocol
RFC 675 and later v4 in RFC 793
• “Connection – Oriented” Protocol
– Connection Establishment
– Segmentation & Sequencing
– Acknowledgement
– Flow Control or Windowing
• Guaranteed Or Reliable Data Delivery
– Acknowledgment of Packet Receipt
– Retransmission Occurs if Packet Not Received
• High Overhead
• Requires Establishment of a “Session”
• TCP Windowing Feature
– Dynamic Window Sizing
– “Slow-Start”
TCP Windowing
[Figure: byte stream 100 … 112 divided into four regions – BYTES Sent & Acknowledged | BYTES Sent, NOT Acknowledged | Bytes Receiver Is Ready to Accept (TCP Receive Window) | Bytes Receiver Is NOT Ready to Accept]
RFC 1072 & RFC 1323
TCP Sequencing
TCP Connection Established, Window Size = 3000, 1500-byte segments:
Host 1 Sends Sequence Number 1 (1500 bytes) → Host 2 Receives 1 – 1500
Host 1 Sends Sequence Number 1501 (1500 bytes) → Host 2 Receives 1501 – 3000, Sends ACK 3001
Host 1 Receives ACK
Host 1 Sends Sequence Number 3001 (1500 bytes) → Host 2 Receives 3001 – 4500
Host 1 Sends Sequence Number 4501 (1500 bytes) → Host 2 Receives 4501 – 6000, Sends ACK 6001
Host 1 Receives ACK
TCP Connection Termination
Host 1 is Ready to Terminate Connection:
1. FIN – Host 1 Sends Finish Message to Host 2
2. FIN + ACK – Host 2 Responds With Acknowledgement Plus Sends Its Own Finish Message to Host 1
3. ACK – Host 1 Completes the Termination By Sending Acknowledgement to Host 2
The TCP Session Summary
[Figure: both hosts' states over Time]
Host 1: SYN Sent → Connection Established → Data Segment 1, 2, 3 sent (each acknowledged) → FIN Wait 1 → FIN Wait 2 → Connection Closed
Host 2: Listen → SYN Received → Connection Established → ACKs returned → CLOSE Wait → Last ACK → Connection Closed
Messages on the Network: SYN, SYN + ACK, ACK, Data Segment 1 / ACK, Data Segment 2 / ACK, Data Segment 3 / ACK, FIN, ACK, FIN, ACK
TCP Congestion Control – RFC 5681
• Control Mechanisms Based Upon Changing Network Environment:
– Slow Start
– Congestion Avoidance
– Fast Retransmit
– Fast Recovery
• TCP Window – Defines Amount of Data That Can Be Transmitted
• Slow Start (Exponential Growth) – Increases TCP Window Over Time Until Congestion Occurs
TCP Congestion Control
[Figure: Data Throughput vs Time – Slow Start ramps up, Packet Loss Detection Points trigger Backoff, giving a sawtooth around the Average Throughput – RFC 5681]
UDP Basics – User Datagram Protocol
RFC 768
• “Connectionless” Protocol
• Simple or Lightweight, but Inherently Unreliable
• “Best Effort” Data Delivery
• Low Overhead, Thus Low Latency
• Why Use?
– Required for Real-Time Applications:
• VOIP or “Video Over IP” or “Voice Over IP”
• AOIP or “Audio Over IP”
– Latency More Detrimental Than Data Loss
UDP Session
[Figure: TCP Used to Establish UDP Session – SYN, SYN + ACK, ACK across the Network, followed over Time by UDP Data, Data, Data …]
TCP and UDP Headers
TCP vs UDP
TCP:
• Connection Oriented
• Guaranteed Delivery
• Acknowledgments Sent
• Reliable, But Higher Latency
• Segments & Sequences Data
• Resends Dropped Segments
• Provides Flow Control
• Performs CRC
• Uses Port Numbers for Multiplexing
UDP:
• Connectionless
• Not Guaranteed
• No Acknowledgements
• Unreliable, But Low Latency
• No Sequencing
• No Retransmission
• No Flow Control
• Performs CRC
• Uses Port Numbers for Multiplexing
Common TCP/IP Protocols
• HTTP - Hyper Text Transfer Protocol
• HTTPS - Secure HTTP
• SSL - Secure Sockets Layer
• SMTP - Simple Mail Transfer Protocol
• MIME - Multi-purpose Internet Mail Extensions
• IMAP - Internet Message Access Protocol
• POP - Post Office Protocol
• FTP - File Transfer Protocol
• NTP - Network Time Protocol
• DHCP - Dynamic Host Configuration Protocol
• SNMP - Simple Network Management Protocol
• LDAP - Lightweight Directory Access Protocol
• ICMP - Internet Control Message Protocol
• ARP - Address Resolution Protocol
• RARP - Reverse Address Resolution Protocol
• BOOTP - Boot Protocol
Primary TCP/IP System Protocols:
• ARP – Address Resolution Protocol
• DHCP – Dynamic Host Configuration Protocol
• DNS – Domain Name System
• ICMP – Internet Control Message Protocol
ARP Operation – Address Resolution Protocol
• Local Network Scope
• Builds ARP Table or Cache - Maps an IP Address to a MAC Address - Refreshed
• Created Dynamically (Can Contain a Static Entry)
– “Gratuitous” ARP Packet
[Figure: five hosts on one segment – Host 1: 192.168.1.10 / 00:07:E9:D4:EC:9A; Host 2: 192.168.1.20 / 00:07:E9:D4:EC:9B; Host 3: 192.168.1.30 / 00:07:E9:D4:EC:9C; Host 4: 192.168.1.40 / 00:07:E9:D4:EC:9D; Host 5: 192.168.1.50 / 00:07:E9:D4:EC:9E]
1. Host 1 Broadcasts ARP Request for 192.168.1.50
2. Host 5 Responds With Its MAC Address 00:07:E9:D4:EC:9E
3. Host 1 ARP Cache Updated – 192.168.1.50 00:07:E9:D4:EC:9E Added:
192.168.1.20 00:07:E9:D4:EC:9B
192.168.1.30 00:07:E9:D4:EC:9C
192.168.1.40 00:07:E9:D4:EC:9D
192.168.1.50 00:07:E9:D4:EC:9E
DHCP Operation – Dynamic Host Configuration Protocol
[Figure: DHCP Clients on the LAN, Router Configured for DHCP Server]
Client → DHCP Server: DHCP Discover – IP Address Request
DHCP Server → Client: DHCP Offer – IP Address Offer
Client → DHCP Server: DHCP Request – Select IP Address
DHCP Server → Client: DHCP ACK – Ack IP Address
DHCP Server Must define: IP Pool, Lease Period (default = 8 days)
DHCP provides IP Address & Mask. DHCP can also provide the Default Gateway, Domain Name, DNS Server Info, & Time Server Info
DNS Operation – Domain Name System
• DNS Translates Host Names to an IP Address
• DNS is Hierarchical Based – Root @ Top Level
• DNS Records Provided:
– A Address Record – Host IPv4
– AAAA Address Record – Host IPv6
– CNAME Canonical Host Name
– MX Mail Server Exchange Record
• Records Created By:
– Manual Configuration (Hosts file)
– Dynamic Configuration via DNS Server
Basic DNS Flow
• DNS Servers:
– Primary or Master – Start of Authority (SOA) Master Zone File
– Secondary or Slave
– Cache DNS
• Fully Qualified Domain Name (FQDN): www.nbcuni.com = 128.242.54.18
– .com is the Top Level Domain
– nbcuni is the Secondary Level Domain
– www Represents a Host (http) in the “nbcuni.com” Domain
[Figure: Client Host on the LAN → “Recursive” DNS Server → Internet → “Authority” DNS Server]
DNS Hierarchy
[Figure: Root DNS Servers (www.root-servers.org) → Top Level Domain Servers (.com, .org, .edu) → Secondary-Level Domain Servers (ClearChannel.com, SBE.org, TAMU.edu) → DNS Clients]
ICMP – Internet Control Message Protocol
• Network Layer Based – RFC 1256 – The “Tattle Tale” Protocol
• Common Messages:
– Destination Unreachable
– Buffer Full
– Hops or Time Exceeded (TTL)
• Common Uses:
– Ping
– Traceroute
ICMP
• Sends Error & Control Messages Between Hosts – Common Messages Include:
– Echo
– Echo Reply
– Destination Unreachable
– Time Exceeded
– Source Quench
– And Others ……
ICMP Messages:
• Platform Utilized by Ping & Traceroute Utilities
ICMP – Internet Control Message Protocol
[Figure: Host A and Host B on Switch 1 behind Router A; Host C and Host D on Switch 2 behind Router B]
Host A Sends Packet to Host C; Host A Sends Packet to Host D – where the destination cannot be reached (X), an ICMP Destination Unreachable is Returned From Router B
Port Numbers RFC 1700
• Applications Are Indexed by a “Port Number”
• Allows Differentiation of Multiple Applications
• Port Numbers Can Be Between 0 - 65535
– 0–1023 Are Considered Reserved
– 1024–49151 Can Be Registered
– 49152–65535 Are Considered Dynamic or Private
• 65,535 TCP and 65,535 UDP Port Numbers
Common Port Numbers
• RESERVED PORTS – “System Port Numbers”
– Port 20 / 21 – FTP “File Transfer Protocol”
– Port 23 – TELNET
– Port 53 – DNS “Domain Name Service”
– Port 80 – HTTP
– Port 110 – POP3 “Post Office Protocol”
– Port 123 – NTP “Network Time Protocol”
– Port 161 – SNMP “Simple Network Management Protocol” (UDP)
– Port 443 - HTTPS
• REGISTERED PORTS – “User Port Numbers”
– Port 1720 – H.323 Video Call Setup
– Port 1812 – RADIUS Authentication
– Port 2000 – CISCO “Skinny”
– Port 3074 – “X-Box” Live
– Port 4664 – Google Desktop
– Port 5004 – RTP “Real Time Transport Protocol”
– Port 5060 – SIP “Session Initiation Protocol”
– Port 5631 – PC Anywhere
– Port 8080 – Alternate HTTP
http://www.iana.org/assignments/port-numbers
Sockets
• A “Socket” Is a Combination of an IP Address & A Port Number
• Allows Multiple Network Services to Exist on the Same Host (IP Address)
• IP Address + Port Number = Socket
IP Address: 192.168.100.10 + Port Number: 8080 Yields Socket: 192.168.100.10:8080
Port Number Application Multiplexing
[Figure: User PC (192.168.100.002) running Email App, Browser App, and Media Player App, connected to Server (192.168.100.100) running SMTP Server, HTTP Server, and Stream Media Server; each flow is Ethernet | IP | TCP or UDP | Application Data]
A Socket = IP Address + Protocol + Port Number. The three sessions in the figure:
192.168.100.100 TCP 25 - 192.168.100.002 TCP 1245 (SMTP Server ↔ Email App)
192.168.100.100 TCP 80 - 192.168.100.002 TCP 1328 (HTTP Server ↔ Web Browser)
192.168.100.100 UDP 1755 - 192.168.100.002 UDP 1873 (Stream Media Server ↔ Stream Media Player)
Transport Layer Port Numbering
[Figure: Host 1 ↔ Host 2]
Host 1 → Host 2: Source Port 1099 (“Virtual Circuit” ID) | data ……... | Destination Port 80 (“Application” Port)
Host 2 → Host 1: Source Port 80 | data ……... | Destination Port 1099
An Introduction to “IP Multicasting”
Multicast IP Address
Multicast Introduction
• IP Networking is Founded on an “Unicast” Model – One Send Host to One Receive Host
• Or the “Broadcast” Model – One Send Host to All Other Hosts on the Subnet
[Figure: Send Host on the Network]
Multicast
• Multicast Adds a 3rd Packet Distribution Approach
– One Send Host to A Group of Receive Hosts on the Subnet
• A Host Must Join A Multicast Group To Receive Multicast Packets
Types of IP Packets on an IPv4 Network
• Unicast
– One Send Host TO One Receive Host
• Broadcast
– One Send Host TO ALL Hosts Within the Broadcast Domain
• Multicast
– One Send Host TO Specific Hosts
Unicast
[Figure: Router A, Router B, Router C; Switch 1 – Switch 6; Server A, Server B, Server C – Potential of 17 Sessions from the Server]
Broadcast
[Figure: same topology – broadcast delivery]
Multicast
[Figure: same topology – multicast delivery]
Why IP Multicast?
• Efficient Network Resource Use & Bandwidth Conserving Technology
– Eliminates Network Traffic Redundancy on Segments
• Provides Server & CPU Load Decrease
Key Terminology To Be Aware Of:
• Multicast Group ID
• Class D IP Address Space
• Internet Group Management Protocol – IGMP
• Multicast Distribution Tree
• Protocol Independent Multicast – PIM
• Reverse Path Forwarding – RPF
Multicast Group ID
• The Multicast Group = Hosts That Want to Receive the Same Multicast
• The Multicast Group ID Identifies Each Group
• A Receiving Host Must Join a Group or Groups
• The Sending Host is Not Aware of the Receiving Host(s)
• Thus, UDP Must Be Utilized!
IP Multicast Addressing
• Layer 2 Addressing (physical address) – 23 Bits of 48 Bit MAC Address Reserved for Multicast
– By Default: A Layer 2 Switch Will Forward Multicast Packets Out All Ports (except origin port)
– To Eliminate “Flooding” – IGMP Snooping is Utilized
• IP Group Addressing (virtual address) – 28 Bits of 32 Bit IP Address Reserved for Multicast
– Class D IP Address Range Reserved for Multicast
• 224.0.0.0 to 239.255.255.255
– Layer 2 Multicast Address Derived From Layer 3 IP Address
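Added example (not from the tutorial): deriving the Layer 2 multicast address from a Class D group as the bullets describe. Only 23 of the 28 group bits are copied into the MAC, so 32 groups share one Layer 2 address; a host or snooping switch that filters on MAC alone still receives the other 31 groups' traffic, which is why IP-level filtering matters on shared segments. The 01:00:5E prefix is the IANA-assigned value, an assumption not stated on the slide.

```python
from ipaddress import IPv4Address

# IANA prefix for IPv4 multicast MAC addresses; the low 23 bits carry the group (assumed, not on the slide)
MCAST_MAC_PREFIX = 0x01005E
CLASS_D_BASE = 0xE0000000                  # 224.0.0.0


def is_multicast(ip: str) -> bool:
    """Class D check: high nibble 1110 covers 224.0.0.0 - 239.255.255.255."""
    return (int(IPv4Address(ip)) >> 28) == 0b1110


def multicast_mac(ip: str) -> str:
    """Map a Class D group to its 01:00:5E:xx:xx:xx Layer 2 address."""
    if not is_multicast(ip):
        raise ValueError(f"{ip} is not a Class D multicast group address")
    low23 = int(IPv4Address(ip)) & 0x7FFFFF          # keep 23 group bits, drop the top 5
    mac = (MCAST_MAC_PREFIX << 24) | low23
    return ":".join(f"{(mac >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


def groups_sharing_mac(ip: str):
    """All 32 Class D groups that collapse onto the same MAC as `ip` (the 5 dropped bits)."""
    low23 = int(IPv4Address(ip)) & 0x7FFFFF
    return [str(IPv4Address(CLASS_D_BASE | (k << 23) | low23)) for k in range(32)]


def mac_is_ambiguous_for(ip: str, other: str) -> bool:
    """True when two distinct groups would be indistinguishable at Layer 2."""
    return ip != other and multicast_mac(ip) == multicast_mac(other)


if __name__ == "__main__":
    for group in ("224.0.0.1", "239.255.1.1", "224.128.0.1"):
        print(group, "->", multicast_mac(group))
    print("groups sharing", multicast_mac("224.0.0.1"), ":", groups_sharing_mac("224.0.0.1"))
```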
Internet Group Management Protocol “IGMP”
• A Multicast Group is Identified by a Multicast Address
• IGMP is the Protocol That Allows a Multicast Receive Client (Host) to Send a Request to Join a Multicast Group
• Three Versions of IGMP Exist:
– IGMPv1 (RFC 1112)
– IGMPv2 (RFC 2236)
– IGMPv3 (RFC 3376)
[Figure: Multicast Source reached through the router's Upstream Interface; Downstream Interfaces lead to segments with Multicast Clients and to a segment with No Multicast Clients]
IGMP Message Types
• Membership “Query” – A Request to Identify Members of a Multicast Group
• Membership “Report” – List of Members of a Multicast Group
• Leave Group – Terminates Multicast Group Membership (Disconnect)
[Figure: router sends “Query” downstream, hosts answer with “Report”; each router's Multicast Routing Table is built from the replies]
IP Multicast Distribution Tree
• An IP Multicast Distribution Tree is a Path Structure From a Multicast Source to a Multicast Destination.
[Figure: Single Source Tree – Tree Base at the source, Tree Branches through the routers, Tree Leaves at the receivers; branches are “Trimmed” or “Pruned” from the tree and later “Grafted” back]
Protocol Independent Multicast – “PIM”
• PIM is Focused on Getting Multicast Packets to the Desired Destination
• PIM Creates the Multicast Tree & “Trims” the Tree
• 3-Types of PIM:
– PIM Dense Mode
– PIM Sparse Mode
– PIM Sparse-Dense Mode (PIM-SM-DM “Cisco Proprietary”)
• Key Difference Between PIM Modes?
– “How The Distribution Tree is Created”
• Which is Best?
– Dense Mode Used in Large Networks – Quick Tree Creation
– Sparse Mode Used in Smaller Networks – More Efficient Bandwidth Use
PIM Dense Mode - “PIM-DM”
• All Segments of the Multicast Tree Are “Flooded”.
• Branches Are “Pruned” if Multicast Traffic is Not needed.
[Figure: Multicast Sources flooding every segment; segments marked “No Multicast Required” are pruned]
PIM Sparse Mode - “PIM-SM”
• Multicast Traffic is NOT Flooded.
• A “Rendezvous Point” is Designated.
• All Multicast Sources & Clients Register With the Rendezvous Point.
[Figure: Multicast Sources and clients registering with the Designated RP (Rendezvous Point); segments marked “No Multicast Required” receive no traffic]
Multicast Forwarding (Routing) - RFC 3704
• Unicast Routing Only Looks at the Destination Address
• Multicast Traffic is Forwarded Away From the Source Host or Downstream
• Reverse Path Forwarding (RPF) is Used to Prevent Loops
• A Router Only Forwards Traffic Received on an Upstream Interface
• RPF Check Used to Determine if an Interface is Valid
[Figure: Multicast Source 192.168.1.2 behind Router 1; the Multicast Packet is replicated to Router 2, Router 3, and Router 4; a copy arriving on a non-upstream interface is marked X Discarded]
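Added example (not from the tutorial) of the RPF check in the bullets above: the router consults its unicast table for the packet's source to find the expected upstream interface, and a multicast packet arriving on any other interface is discarded rather than replicated, which is what breaks forwarding loops and also drops traffic whose source address does not belong behind the arrival interface. The routes, interface names, and group are constructed.

```python
from ipaddress import ip_address, ip_network


class MulticastRouter:
    """Minimal model of RPF-based multicast forwarding (constructed example)."""

    def __init__(self, routes):
        # routes: (prefix, interface) pairs from the unicast routing table;
        # longest prefix wins, so sort most-specific first
        self.routes = sorted(((ip_network(p), i) for p, i in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def rpf_interface(self, source: str):
        """Interface the unicast table would use to reach `source` (the upstream side)."""
        src = ip_address(source)
        for net, iface in self.routes:
            if src in net:
                return iface
        return None                          # no route: RPF check cannot pass

    def rpf_check(self, source: str, ingress: str) -> bool:
        return self.rpf_interface(source) == ingress

    def forward(self, source: str, group: str, ingress: str, downstream: dict):
        """Return the interfaces the packet is replicated out of.

        `downstream` maps group -> set of interfaces with IGMP-joined receivers.
        A packet that fails RPF is dropped ([]), never flooded; the arrival
        interface is excluded so traffic is only ever sent away from the source.
        """
        if not self.rpf_check(source, ingress):
            return []
        return sorted(i for i in downstream.get(group, ()) if i != ingress)


if __name__ == "__main__":
    r = MulticastRouter([("192.168.1.0/24", "eth0"), ("10.0.0.0/8", "eth1"), ("0.0.0.0/0", "eth2")])
    joined = {"239.1.1.1": {"eth1", "eth3"}}
    print("valid upstream  :", r.forward("192.168.1.2", "239.1.1.1", "eth0", joined))
    print("looped copy     :", r.forward("192.168.1.2", "239.1.1.1", "eth1", joined))
```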
Practical Applications of IP Multicast
• Typical Applications:
– Audio & Video Content Distribution
– Digital Signage / Corporate Communications
– Stock Quote Distribution
– Distance Learning
• Common Broadcast Implementation Examples:
– AoIP
– IPTV
Layered Network Design for Security & Performance
Hubs, Switches, & Routers – A Summary!
• Hub – Layer 1 Device
– Acts as a Repeater - All Incoming Frames FWD Out Every Other Port
– Half-Duplex Based – CSMA/CD Algorithm Controlled
– No Intelligence – Collision & Broadcast Domain Across All Ports
• Switch – Layer 2 Device
– Originally Called “Forwarding” - Now Called “Switching”
– Full Duplex Based
– Intelligence Based – Selectively Forwards Frame to a Port
– Each Port is a Collision Domain (assuming one device per port)
– Each Switch is a Broadcast Domain
• Router – Layer 3 Device
– Forwards Packets Between Different Networks
– Separates Broadcast Domains
– Each Interface is a Collision Domain
The Network
• One Network – Single Broadcast Domain
– “Flat” Topology
• Multiple Networks – Individual Broadcast Domains
– “Segmented”
• Policy
• Regulation
• Security
• Performance
Understanding Broadcast Domains & Collision Domains
[Figure: Router interconnecting a Switch and a Hub, links labeled by speed / duplex – 1000-Full, 100-Full, 10-Half, 100 – Full Capable; each hub segment is one Collision Domain, each switch port its own Collision Domain, each router interface a separate Broadcast Domain]
Collision Domains & Broadcast Domains in the figure: 3 Broadcast Domains, 11 Collision Domains
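Added example (not from the tutorial): counting collision and broadcast domains for an arbitrary topology using the rules from the summary above (links through a hub share one collision domain, a switch or router port ends a collision domain, only a router ends a broadcast domain). The topology in the test is constructed, not the one in the figure.

```python
class Topology:
    """Hosts, hubs, switches and routers joined by links; counts the domains per the slide rules."""

    KINDS = {"host", "hub", "switch", "router"}

    def __init__(self):
        self.kind = {}          # device name -> kind
        self.links = []         # (a, b) pairs; each link is a physical segment

    def device(self, name: str, kind: str):
        if kind not in self.KINDS:
            raise ValueError(f"unknown device kind {kind!r}")
        self.kind[name] = kind
        return self

    def link(self, a: str, b: str):
        for n in (a, b):
            if n not in self.kind:
                raise KeyError(f"undefined device {n!r}")
        self.links.append((a, b))
        return self

    def _count_domains(self, merging_kinds) -> int:
        """Union-find over links: a device of a merging kind joins all its links into one domain."""
        parent = list(range(len(self.links)))

        def find(i):
            while parent[i] != i:
                parent[i] = parent[parent[i]]
                i = parent[i]
            return i

        incident = {}
        for idx, (a, b) in enumerate(self.links):
            incident.setdefault(a, []).append(idx)
            incident.setdefault(b, []).append(idx)
        for node, idxs in incident.items():
            if self.kind[node] in merging_kinds:
                for i in idxs[1:]:
                    parent[find(i)] = find(idxs[0])
        return len({find(i) for i in range(len(self.links))})

    def collision_domains(self) -> int:
        # A hub repeats every frame onto all its ports, so its links share one
        # collision domain; a switch or router port terminates the domain.
        return self._count_domains({"hub", "host"})

    def broadcast_domains(self) -> int:
        # Switches (and hubs) flood broadcasts to every port; only a router stops them.
        return self._count_domains({"hub", "switch", "host"})


if __name__ == "__main__":
    t = (Topology()
         .device("R", "router").device("S1", "switch").device("S2", "switch").device("HUB1", "hub")
         .device("H1", "host").device("H2", "host").device("H3", "host").device("H4", "host").device("H5", "host")
         .link("R", "S1").link("R", "S2").link("S1", "H1").link("S1", "H2").link("S1", "HUB1")
         .link("HUB1", "H3").link("HUB1", "H4").link("S2", "H5"))
    print(t.broadcast_domains(), "broadcast domains,", t.collision_domains(), "collision domains")
```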
Ethernet Switching In-Depth
Managed vs Un-Managed Ethernet Switches
• Managed Switch – User Configurable
– Provides Ability to Control & Monitor Host Communications
– Port Configuration , Security, & Monitoring
– VLAN Implementation
– Redundancy Supported (STP)
– QoS (Prioritization) Implementation
– Port Mirroring
• Un-Managed Switch – Fixed Configuration
– “Plug & Play”
– Provides Basic Host Communications
– Cheaper
Ethernet Switch Functions
• Learn MAC Addresses
• Filter Ethernet Frames
• Forward Ethernet Frames
• Flood Ethernet Frames
• Allow Redundancy (Avoid loops where redundant links exist)
• Can Provide Port Security Features
Ethernet Switching Fundamentals – “Bridging”
• Switches Allow Segmentation of Network
– Allows Dedicated Bandwidth and Creates Point-Point Communication
– Increased Throughput Due to Zero or Minimal Collisions
– Provides Full-Duplex Operation
– Increased Security Capability
• Switches Selectively Forward Individual “Frames” from a Receiving Port to a Destination Port
– Builds Internal Table of Destination Address on each Port
– Forwards Ethernet Frame if in Table
– Floods Ports if Frame Not in Table OR a Broadcast Frame
Simplified Ethernet Switch Internals
[Figure: port ASICs (with PoE insertion on some ports) and their ingress/egress buffers attach to a switch fabric (backplane); a CPU holds the MAC table in Content Addressable Memory (CAM) and handles the processing the port ASICs cannot do in hardware.]
Learning a MAC Address
[Figure: four hosts on ports A1–A4 with MAC addresses 08-3e-8e-11-11-11, 08-3e-8e-22-22-22, 08-3e-8e-33-33-33 and 08-3e-8e-44-44-44; the switch records each source MAC address against the port it arrived on.]
Switch MAC Address Table – “Content Addressable Memory (CAM) Table”
MAC ADDRESS         PORT
08-3e-8e-22-22-22   A2
08-3e-8e-11-11-11   A1
08-3e-8e-33-33-33   A3
08-3e-8e-44-44-44   A4
A Real MAC Address Table
[Figure: output of a switch’s MAC address table command, listing VLAN, MAC address, type (dynamic/static) and port for each entry.]
NOTE: VLAN 1 is Special – it is the default VLAN on most switches, every port starts out in it, and management/control traffic often rides on it; keep production hosts out of VLAN 1.
Virtual Local Area Network – VLAN
• Allows Separation or Segmentation of Networks Across a Common Physical Media
– Creates a Subset of a Larger Network
– VLAN Control of Broadcast Domains – Each VLAN is a Broadcast Domain
– Architecture Flexibility
– Security (hosts in different VLANs cannot reach each other at Layer 2; traffic between them must pass through a router, where it can be filtered)
• Static Port-Based VLAN(s) – Most Popular
– Manual Configuration
– Switch Port Security Features
• Dynamic VLAN(s)
– MAC-Based VLAN(s) – Assignment Based Upon MAC Address
– Protocol-Based VLAN(s) – Assignment Based Upon Protocol
107
VLAN Example
108
Switch Port Type Configuration:
Access Link – Member of One VLAN Only; Connects to a Host (frames are untagged)
Trunk Link – Carries Tagged Traffic From Multiple VLANs Between Switches
Switch Interface Configuration
[Figure: Switch 1, Switch 2 and Switch 3 with hosts attached to Access interfaces; the inter-switch links are configured as TRUNK interfaces, one carrying the Blue and Green VLANs, the other the Blue, Red and Green VLANs.]
Broadcast Domains
[Figure: the Red, Green and Blue VLANs drawn as three separate broadcast domains spanning the switches.]
No Connectivity Exists Between Broadcast Domains, Networks, or Subnets without a router!
Adding the VLAN Tag
ETHERNET FRAME:
PREAMBLE | DESTINATION MAC ADDRESS | SOURCE MAC ADDRESS | TYPE | DATA | CRC
802.1Q ETHERNET FRAME:
PREAMBLE | DESTINATION MAC ADDRESS | SOURCE MAC ADDRESS | 802.1Q TAG | TYPE | DATA | CRC
802.1Q TAG: TPID “0x8100” | PRI | CFI | VLAN ID
The tag is inserted between the source MAC address and the Type field, so a receiver finds 0x8100 where it expects the Type and knows a tag follows; the CRC is recalculated over the tagged frame.
The 802.1Q Tag in Detail
Field   Name                       Size
TPID    Tag Protocol ID “0x8100”   16 bits
PRI     Priority (802.1p)          3 bits
CFI     Canonical Format ID        1 bit (redefined as the Drop Eligible Indicator, DEI, in 802.1Q-2011)
VID     VLAN Identifier            12 bits
TPID = 2 bytes | TCI (TAG CONTROL INFO: PRI + CFI + VID) = 2 bytes
802.1Q Tag Length = 32 bits or 4 bytes
VID 0 means “priority tagged, no VLAN” and VID 4095 is reserved, leaving 1–4094 usable.
Where Does Tagging Occur?
[Figure: Switch 1, Switch 2 and Switch 3 with hosts on Access interfaces; “Tag Added” is marked on each trunk link between switches.]
The tag is added to a frame as it leaves (egresses) a trunk interface and is read and stripped as the frame enters (ingresses) from a trunk interface. Frames on access interfaces are never tagged, so hosts do not see the tag and cannot normally choose their own VLAN.
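The learning, filtering, forwarding and flooding steps above, together with where the 802.1Q tag is inserted and removed, as an added Python model (example code written for this page, not part of the original tutorial). It assumes a simplified switch with only access and trunk ports and no native VLAN, and it discards tagged frames that arrive on an access port; the port names, MAC addresses and payloads are constructed. Preamble and CRC are left to the NIC and are not modelled.

```python
import struct

TPID_8021Q = 0x8100
BROADCAST = 'ff:ff:ff:ff:ff:ff'


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(':', '').replace('-', ''))


def _mac_text(raw):
    return ':'.join(f'{b:02x}' for b in raw)


def build_frame(dst, src, ethertype, payload, vid=None, pri=0):
    """Ethernet II frame as a NIC hands it to the switch (preamble/CRC not modelled).
    If vid is given, an 802.1Q tag is inserted between the source MAC and the Type."""
    frame = _mac_bytes(dst) + _mac_bytes(src)
    if vid is not None:
        tci = (pri << 13) | (vid & 0x0FFF)          # PRI (3 bits) | CFI/DEI (1 bit) | VID (12 bits)
        frame += struct.pack('!HH', TPID_8021Q, tci)
    return frame + struct.pack('!H', ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid or None, ethertype, payload)."""
    dst, src = _mac_text(frame[0:6]), _mac_text(frame[6:12])
    ethertype, = struct.unpack('!H', frame[12:14])
    if ethertype == TPID_8021Q:                      # tagged: the real Type field sits 4 bytes later
        tci, ethertype = struct.unpack('!HH', frame[14:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]


def add_tag(frame, vid):
    return frame[:12] + struct.pack('!HH', TPID_8021Q, vid & 0x0FFF) + frame[12:]


def strip_tag(frame):
    return frame[:12] + frame[16:]


class Switch:
    """Learning switch. ports maps a port name to ('access', vid) or ('trunk', {vids})."""

    def __init__(self, ports):
        self.ports = ports
        self.cam = {}                                # (vid, mac) -> port: the CAM table

    def _member(self, port, vid):
        kind, vlans = self.ports[port]
        return vid == vlans if kind == 'access' else vid in vlans

    def receive(self, in_port, frame):
        """Process one frame; return {out_port: frame_as_sent}. Empty dict = dropped or filtered."""
        kind, vlans = self.ports[in_port]
        dst, src, vid, _, _ = parse_frame(frame)
        if kind == 'access':
            if vid is not None:
                return {}        # assumed policy: a tagged frame on an access port is discarded
            vid, untagged = vlans, frame
        else:
            if vid is None or vid not in vlans:
                return {}        # assumption: no native VLAN, so untagged or disallowed VLANs are dropped
            untagged = strip_tag(frame)
        self.cam[(vid, src)] = in_port               # learn: this source MAC lives behind in_port
        known = self.cam.get((vid, dst))
        if dst != BROADCAST and known is not None:
            out_ports = [] if known == in_port else [known]   # filter if destination is on the same port
        else:
            out_ports = [p for p in self.ports if p != in_port and self._member(p, vid)]   # flood
        return {p: add_tag(untagged, vid) if self.ports[p][0] == 'trunk' else untagged
                for p in out_ports}
```

Modelling Switch 1 of the configuration slide as `Switch({'2': ('access', 100), '14': ('access', 200), '23': ('trunk', {100, 200})})`, a frame from port 2 to an unknown MAC is flooded only to port 23 (tagged 100), never to port 14, and the tagged reply arriving on port 23 is forwarded untagged to port 2 alone once the CAM table knows the destination.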
VLAN Configurations
[Figure sequence: (1) two physically separate networks, LAN #1 and LAN #2, each with its own switches and inter-switch links; (2) the same hosts carried as VLAN #1 and VLAN #2 on shared switches, with trunk inter-switch links carrying VLAN #1 & #2; (3) the trunked design extended to the Internet edge; (4) a server attached over a trunk link carrying VLAN #1 & #2.]
Servers can have “Trunk” interfaces as well, especially in the virtualized data center environment, where the hypervisor’s virtual switch tags each virtual machine’s frames with its VLAN.
Practical VLAN Configuration – 1: Cisco to Cisco Switch
[Figure: Host Device A (Port 2) and Host Device B (Port 14) on Switch 1; Host Device C (Port 4) and Host Device D (Port 24) on Switch 2; the switches are joined Port 23 to Port 23. VLAN 100 = 192.168.1.0/24, VLAN 200 = 192.168.2.0/24.]
Conceptual Configuration – Switch 1:
define vlan 100 & 200 in switch
set port 2 mode to access
set port 14 mode to access
set port 23 mode to trunk
allow vlan 100 & 200 on trunk port
Conceptual Configuration – Switch 2:
define vlan 100 & 200 in switch
set port 4 mode to access
set port 24 mode to access
set port 23 mode to trunk
allow vlan 100 & 200 on trunk port
Exact configuration commands will vary by switch model / IOS version. Restricting the trunk to the VLANs it needs, rather than allowing all VLANs, keeps an unrelated VLAN from leaking across the link.
Practical VLAN Configuration – 2: Cisco to HP Switch
[Figure: Host Device A (Port 2) and Host Device B (Port 14) on the Cisco switch; Host Device C (Port 7) and Host Device D (Port 24) on the HP switch; the switches are joined Cisco Port 23 to HP Port 18. VLAN 100 = 192.168.1.0/24, VLAN 200 = 192.168.2.0/24.]
Conceptual Configuration – Cisco switch:
define vlan 100 & 200 in switch
set port 2 mode to access
set port 14 mode to access
set port 23 mode to trunk
allow vlan 100 & 200 on trunk port
Conceptual Configuration – HP switch:
define vlan 100 & 200 in switch
set port 7 as untagged vlan 100
set port 24 as untagged vlan 200
set port 18 as tagged vlan 100 & 200
Cisco Terminology   HP Terminology
Access Mode         Untagged (member of one VLAN)
Trunk Mode          Tagged (member of several VLANs)
On the HP side a port may be untagged in one VLAN and tagged in others at the same time, which is how Cisco’s “native VLAN” on a trunk maps across. Make sure both ends agree on which VLAN, if any, crosses the link untagged, or those frames land in the wrong VLAN.
“Common” Layer 2 Errors
• Runts
– Ethernet Frame < 64 bytes
– Faulty NIC, Faulty Cabling, or Collisions (a collision fragment is a runt)
• Giants
– Ethernet Frame > 1518 bytes (1522 with an 802.1Q tag; larger if jumbo frames are configured)
– Faulty NIC or Faulty Cabling
• CRC
– Checksum Calculated by the Receiver & Received Checksum Do Not Match
– Faulty Cabling, Interference, Duplex Mismatch
• Collisions – Not Always an “Error”
– Retransmissions Due to Collisions
– Normal in Half-Duplex Mode
• Late Collisions
– Collisions Detected After the First 64 Bytes (512 bits) of the Frame Have Been Sent
– Excessive Cable Length
– Duplex Mismatch (the full-duplex side never backs off; the half-duplex side logs late collisions and CRC errors)
120
Takeaway Points
• VLANs Allow a Common Physical Infrastructure to Support Multiple Isolated Networks
• Each Network, Subnet, or VLAN is a Broadcast Domain With a Unique IP Address Scheme
• Ethernet Switches Minimize Collision Domains
• IP Routing Must Be Used for Communications Between VLANs – and That Router (or Layer 3 Switch) Is Where Access Between VLANs Is Filtered
• IP Routers Separate Broadcast Domains
• Network Traffic May Be Isolated Because of:
– Policy
– Regulations
– Security
– Performance
• An Ethernet Frame is “Tagged” to Denote VLAN Membership on a Trunk Interface
121
IP Routing In-Depth
122
Routing
• Routing is Simply the Moving of Information Between Networks (Subnets or Broadcast Domains)
• OSI Model Layer 3 Process
• Routing Types:
– Static Routing
– Dynamic Routing
• Routing Protocol Classes:
– Interior Gateway Protocol (IGP)
– Exterior Gateway Protocols (EGP)
123
Routing Types
• Static Routing
– Appropriate for Small & Simple Networks
– Minimal Router CPU/Memory
– No Routing Update Overhead (and no routing updates for an attacker to spoof)
– Appropriate for Stable Networks
– Often Used in “Stub” Networks
– Human Intervention / Administration Required
• Dynamic Routing
– Appropriate for Changing Topology Environments
– Automatically Adapts to Changes
– Desirable When Multiple Paths Exist
– More Scalable
– Requires More Router CPU/Memory
– Less Prone to Configuration Error – But Routing Updates Should Be Authenticated So a Rogue Router Cannot Inject Routes
124
Dynamic Routing Categories
• Distance Vector Routing Protocol
– Periodic Routing Table Updates
– “Distance” Used as a Metric
– Neighbors “Trust” Neighbors
– Slow Convergence
• Link State Routing Protocol
– Maintains Neighbor, Topology, & Shortest-Path Tables
– Each Router Receives Link-State Advertisements From All Others and Computes Its Own Shortest Paths (Dijkstra)
– “Cost” Used as a Metric
125
Routing Metrics & Administrative Distance Determines The Best Path to Target Host
• Cost Metrics:
– Hop Count The Number of Routers in a Path
– Bandwidth Throughput (bps)
– Load Traffic Flowing Through a Router
– Delay Network Latency (distance or congestion)
– Reliability Amount of Downtime of a Network Path
• Administrative Distance
– Indicates Believability of the Route
– Often Used When Multiple Protocols Are Used
– Often Used to Prefer A Certain Path When Multiple Paths Exist
– Routing Protocols Have Default Administrative Distances
126
Smaller Metric = Better Route (within one routing protocol)
Lower Administrative Distance = More Believed (between routing sources)
The “Administrative” Distance
• The Administrative Distance Determines Which Route to Trust – Used When Multiple Routes to the Same Prefix Exist From Different Sources
Route Source   Administrative Distance (default)
Direct         0
Static         1
EIGRP          90
OSPF           110
RIP            120
Unknown        255 (never installed)
Hop Count May Not Be The Best Metric!
[Figure: alternative paths between the same routers built from Ethernet (100 Mbps), DS-3 (45 Mbps) and T1 (1.54 Mbps) links. The path with the fewest hops runs over the slow T1 links, while a path with more hops over the faster Ethernet and DS-3 links would carry traffic better; a bandwidth-aware metric (OSPF cost, EIGRP) prefers the faster path, hop count does not.]
The Routing Protocol
• Learn the route to each subnet in the internetwork (build the routing table)
• Determine the “best” route (one route per destination)
• Remove routes that are no longer valid
• Update the routing table to reflect changes
• Perform updates quickly (fast convergence)
• Prevent routing loops
Routing Fundamentals
[Figure: Router A – Router B – Router C in a row. Router A serves 172.16.0.0/24 (interface 172.16.0.1) and Router C serves 172.16.2.0/24 (interface 172.16.2.1); the router-to-router links use /30 addresses, 172.16.1.1/30 and 172.16.1.2/30 between A and B, and 172.16.1.6/30 and 172.16.1.7/30 between B and C as drawn.
Router B Routing Table (Destination Network → Next Hop Address): 172.16.0.0/24 → 172.16.1.1 (Router A’s link address); 172.16.2.0/24 → Router C’s link address (the slide prints it as 172.16.7.1/30, evidently 172.16.1.7).
Host IP Configuration on the 172.16.2.0/24 network: 172.16.2.2, 255.255.255.0 mask, 172.16.2.1 default gateway.
Router A sends Network 172.16.0.0/24; Router B sends Network 172.16.2.0/24 on to Router A.]
Check the /30 addressing: a /30 has only two usable addresses, the two in the middle, so a link numbered 172.16.1.4/30 has hosts .5 and .6 and broadcast .7; as drawn, .6/.7 should read .5/.6.
Static Routing – Table Manually Entered
Dynamic Routing – Table Generated by Routing Updates from All Routers
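A worked model of the routing-table behaviour described in the metrics / administrative-distance slides and in the Router B table above, as an added Python example (not the tutorial’s code): routes offered by several sources compete per prefix on administrative distance first and metric second, and a packet is then forwarded by longest-prefix match. The Router B entries are constructed from the figure, with Router A’s link address taken as 172.16.1.1 and Router C’s as 172.16.1.5 (an assumption, since the slide’s /30 numbering is inconsistent); the extra OSPF and static routes are constructed to show the precedence rules.

```python
import ipaddress
from dataclasses import dataclass

# Default administrative distances as listed on the slide (Cisco defaults)
ADMIN_DISTANCE = {'connected': 0, 'static': 1, 'eigrp': 90, 'ospf': 110, 'rip': 120}


@dataclass(frozen=True)
class Route:
    prefix: str      # destination network in CIDR notation
    next_hop: str    # next-hop address, or 'connected' for a directly attached network
    source: str      # where the route came from: a key of ADMIN_DISTANCE
    metric: int = 0  # the protocol's own metric (hop count, cost, ...); comparable only within one source


class RoutingTable:
    def __init__(self):
        self.candidates = []          # every route offered by any source

    def learn(self, route):
        self.candidates.append(route)

    def installed(self, prefix):
        """Of all candidates for one prefix, the lowest administrative distance wins;
        the metric only decides between routes from the same source."""
        offers = [r for r in self.candidates if r.prefix == prefix]
        if not offers:
            return None
        return min(offers, key=lambda r: (ADMIN_DISTANCE[r.source], r.metric))

    def lookup(self, destination):
        """Forwarding decision for one packet: longest-prefix match over installed routes."""
        ip = ipaddress.ip_address(destination)
        best_net, best_route = None, None
        for prefix in {r.prefix for r in self.candidates}:
            net = ipaddress.ip_network(prefix, strict=False)
            if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_route = net, self.installed(prefix)
        return best_route


def router_b_table():
    """Constructed Router B table modelled on the slide's figure (assumed link addresses:
    Router A reachable at 172.16.1.1, Router C at 172.16.1.5)."""
    rt = RoutingTable()
    rt.learn(Route('172.16.1.0/30', 'connected', 'connected'))
    rt.learn(Route('172.16.1.4/30', 'connected', 'connected'))
    rt.learn(Route('172.16.0.0/24', '172.16.1.1', 'rip', metric=1))
    rt.learn(Route('172.16.2.0/24', '172.16.1.5', 'rip', metric=1))
    # An OSPF route to the same prefix with a larger metric still wins: AD 110 beats AD 120.
    rt.learn(Route('172.16.2.0/24', '172.16.1.5', 'ospf', metric=30))
    # A static default route has AD 1, but as a /0 it loses every longest-prefix contest it can lose.
    rt.learn(Route('0.0.0.0/0', '172.16.1.1', 'static'))
    return rt
```

Note what the same rule implies for security: a static route (AD 1) or a route injected by a rogue neighbour running a lower-AD protocol silently displaces what the IGP learned, which is why routing-protocol authentication and a review of static routes belong in a network audit.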
Distance-Vector Routing Protocols
• “Routing by Rumor” – The Overall Network is Unknown, Only Directly Connected Neighbors Are Known by Each Router
• Routing Decision Based Upon a “Distance” or Metric and “Direction” or Vector to Describe
the “Next-Hop”
131
Link-State Routing Protocols
• Network Topology Information is Flooded Throughout the Network
• Each Router Determines its Own “Best Path”
132
IGP and EGP Protocols
[Figure: two autonomous systems, each running an Interior Gateway Protocol internally (RIP, IGRP, EIGRP, OSPF, IS-IS), joined to each other by an Exterior Gateway Protocol (BGP).]
Routing Protocol Choices – “Most Popular”
            Interior Distance Vector   Interior Link State   Exterior Path Vector
Classful    RIP, IGRP                  –                     EGP
Classless   RIP v2, EIGRP              OSPF v2, IS-IS        BGP v4
IPv6        RIPng, EIGRP v6            OSPF v3, IS-IS v6     BGP v4
Our Focus: the classless IGPs below.
Practical Routing Protocol Choices – “Common” IGP Protocols – VLSM Support
                          RIP v2                        EIGRP (Cisco)                       OSPF v2
Type:                     Distance Vector               Hybrid (advanced distance vector)   Link-State
Metric:                   Hop Count                     Bandwidth/Delay                     Cost
Administrative Distance:  120                           90                                  110
Hop Count Limit:          15                            224                                 None
Convergence:              Slow                          Fast                                Fast
Updates:                  Full Table Every 30 Seconds   Only Changes, When a Change Occurs  Only Changes, When a Change Occurs, But LSAs Refreshed Every 30 Minutes
RFC Reference:            RFC 1388 (now RFC 2453)       N/A (later informational RFC 7868)  RFC 2328
135
RIP v2 Routing Information Protocol – RFC 1388 (obsoleted by RFC 2453)
• Advantages:
– Simple – Easy to Configure
– Low Maintenance
– Generally Understood
• Disadvantages:
– Higher Router CPU Utilization
– High Bandwidth Use for Routing Updates (full table every 30 seconds)
– No Knowledge of Link Bandwidth
– Slow Convergence
– Limited Network Size (hop count = 15; 16 means unreachable)
136
OSPF v2 Open Shortest Path First
RFC 2328
• Advantages: – Fast Convergence
– Routing Updates Are Small
– Scales to Varying Network Sizes
– Considers Link Bandwidth Into Metric Calculation
• Disadvantages: – More Knowledge Required – A lot of Options
– Complex to Configure
137
OSPF Architecture
[Figure: one Autonomous System divided into Area 0 (the backbone), Area 1 and Area 2. Backbone Routers sit inside Area 0; an Area Border Router (“ABR”) has interfaces in Area 0 and in a non-backbone area; an Autonomous System Border Router (“ASBR”) connects the OSPF domain to routes learned from outside it.]
EIGRP (IPv4) Enhanced Interior Gateway Routing Protocol
CISCO Proprietary (its core was published in 2016 as informational RFC 7868)
• Advantages:
– Fast Convergence
– No OSPF-Style Area Assignments = Less Complex
– Composite Cost Metric:
• Bandwidth
• Delay
• Reliability
• Load (Utilization)
• Disadvantages:
– More Knowledge Required – A Lot of Options
– Needs a “Cisco” Environment
139
Router Configuration:
Configuration Disclaimer:
Exact configuration commands may vary based upon specific equipment models and software version.
Generic “Cisco” commands utilized for illustration purposes.
Blue Network: 192.168.100.0 /24
Green Network: 192.168.200.0 /24
Red Network: 192.168.30.0 /24 (the slide shows 192.168.300.0, which is not a valid IPv4 address: each octet runs 0–255)
Assign Network to an Interface:
interface ge0
 ip address 192.168.100.1 255.255.255.0
 no shutdown
interface ge1
 ip address 192.168.200.1 255.255.255.0
 no shutdown
interface ge2
 ip address 192.168.30.1 255.255.255.0
 no shutdown
Enable RIP Routing:
router rip
 version 2
 network 192.168.100.0
 network 192.168.200.0
 network 192.168.30.0
(“version 2” selects the classless RIP v2 discussed above; without it IOS defaults to RIP v1 behaviour and drops the subnet masks.)
The “ACL” Rules:
• Simply a “Set of Rules” That Provides a “Permit” or “Deny” Based Upon:
– Layer 3 IP Address
– Layer 4 Port Number
• An ACL is:
– An Ordered Table (with an implicit DENY of everything not matched at the end)
– Applied to a Specific Router Interface, in a Specific Direction
141
The “ACL” Rules continued…..
• ACL’s can be Numbered or Named
• Numbered ACL’s Structure: – 1-99 IP Standard Access List
– 100-199 IP Extended Access List
– 200-299 Protocol Access List
– 1300-1999 IP Standard Access List-Expanded
– 2000-2999 IP Extended Access List-Expanded
• Named ACL Structure: – Standard Named
– Extended Named
142
The “ACL” Rules continued…..
• Standard Access List – Can Only Permit or Deny The Source Host IP Address
– Placed Closest to Destination Host
• Extended Access List – Can Permit or Deny Based Upon:
• Source IP Address
• Destination IP Address
• TCP Port #
• UDP Port #
• TCP/IP Protocol
– Placed Closest to Source Network
143
The “ACL” Rules continued…..
• One “ACL” per Interface per Direction
– Ingress
– Egress
• An ACL Only Acts on IP Traffic Passing Through the Router (not on traffic the router itself originates)
• Organize the Structure of the ACL:
– More Specific Statements Placed First
– Processed Sequentially – the First Matching Statement Decides
144
ACL Example(s):
access-list 110 deny ip any host 192.168.100.110
access-list 123 deny tcp any host 192.168.100.110 eq 23
(A port match such as “eq 23” needs a Layer 4 protocol, tcp or udp, not “ip”; IOS rejects the slide’s original second line. Both lists still need a permit statement after the deny, or the implicit deny blocks everything else.)
ACL Structure
Create a Standard Access-List:
access-list [number] [deny | permit] [host source-ip | source-ip wildcard | any]
Create an Extended Access-List:
access-list [number] [deny | permit] [protocol] [source wildcard] [destination wildcard] [eq port]
Apply Access-List to Interface:
ip access-group [number] [in | out]
Logical Operators Can Be Used (with tcp or udp):
lt Less Than
gt Greater Than
eq Equal To
neq Not Equal To
range Port Number Range
Wild Card Mask – Inverse of the “Subnet” Mask
The Subnet Mask: 192.168.100.100 /24 or 192.168.100.100 mask 255.255.255.0
The Inverse (Wildcard) Mask: 0.0.0.255
Network bits = 0 (Match); Host bits = 1 (Don’t Care)
A wildcard mask need not be contiguous: 192.168.0.0 0.0.1.255 matches both 192.168.0.0/24 and 192.168.1.0/24, and 0.0.0.0 (or the “host” keyword) matches exactly one address.
Standard IP List Example #1: Prevent Host 192.168.30.30 from Accessing Host 192.168.10.10
[Figure: Router 1 (E0 192.168.10.1 /24, E1 192.168.20.1 /24) – Router 2 (192.168.20.254 /24, 192.168.30.1 /24); host 192.168.10.10 /24 behind Router 1, hosts 192.168.30.20 /24 and 192.168.30.30 /24 behind Router 2.]
Create Access List on Router 1:
access-list 1 deny 192.168.30.30 0.0.0.0
access-list 1 permit any
Apply Access List to Interface:
interface E1
ip access-group 1 in
(The slide numbers the list 101 and omits the “deny” keyword; a standard list must be numbered 1–99 or 1300–1999, and every entry needs an action. Because a standard list matches only the source, placing it closest to the destination, outbound on E0, would block 192.168.30.30 from 192.168.10.0/24 alone instead of from everything beyond E1.)
Configuration Disclaimer:
Exact configuration commands may vary based upon specific equipment models and software version.
Generic “Cisco” commands utilized for illustration purposes.
Extended IP List Example: Allow Only http Access to Host 192.168.10.10 from 192.168.30.0 /24
[Figure: same topology as the previous example.]
Create Access List on Router 2:
access-list 101 permit tcp 192.168.30.0 0.0.0.255 host 192.168.10.10 eq 80
access-list 101 deny ip 192.168.30.0 0.0.0.255 host 192.168.10.10
access-list 101 permit ip any any
Apply Access List to Interface:
interface E0
ip access-group 101 in
(The slide’s list had only the permit-http and permit-any lines, which lets every other protocol through to 192.168.10.10 as well; the deny line between them is what makes it “http only”. An extended list goes closest to the source, so apply it inbound on the Router 2 interface facing 192.168.30.0 /24.)
Configuration Disclaimer:
Exact configuration commands may vary based upon specific equipment models and software version.
Generic “Cisco” commands utilized for illustration purposes.
A “Practical” ACL Example – Block External Users From “Pinging” Inside Hosts
[Figure: Router 1 with interfaces E0 and E1, one toward The “Internet” and one toward the inside network 192.168.10.1 /24 with hosts 192.168.10.2 /24 and 192.168.10.6 /24.]
Create Access List on Router 1:
access-list 101 deny icmp any any echo
access-list 101 permit ip any any
Apply Access List to Interface (inbound on the Internet-facing interface, E1 in the slide):
interface E1
ip access-group 101 in
(Denying all ICMP, as the slide’s “deny icmp any any” does, also drops the echo replies to the inside hosts’ own pings and the “fragmentation needed” messages that path MTU discovery depends on; denying only echo requests blocks inbound pings without those side effects.)
Configuration Disclaimer:
Exact configuration commands may vary based upon specific equipment models and software version.
Generic “Cisco” commands utilized for illustration purposes.
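The ACL rules above (sequential first-match, the implicit deny, wildcard masks, standard versus extended lists) run as an added Python example; this is not the tutorial’s code, and IOS syntax is modelled only for the forms used on these slides (“eq” on the destination port, no lt/gt/range or source-port operators). It evaluates the extended list exactly as the slide wrote it and the corrected version against constructed packets, and it rejects the slide’s “ip … eq 23” line the way IOS would.

```python
import ipaddress

ANY = ('0.0.0.0', '255.255.255.255')


def _int(ip):
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(base) & care)


def wildcard_from_prefix(prefixlen):
    """Inverse of the subnet mask: /24 -> 0.0.0.255, /32 -> 0.0.0.0."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF >> prefixlen))


def parse_ace(line):
    """Parse one 'access-list ...' line into an access control entry.
    Standard lists (1-99, 1300-1999) match the source only; extended lists take protocol,
    source, destination and an optional 'eq PORT' on the destination."""
    tok = line.split()
    if tok[0] != 'access-list':
        raise ValueError(line)
    number, action, rest = int(tok[1]), tok[2], tok[3:]
    if action not in ('permit', 'deny'):
        raise ValueError(line)

    def take_addr():
        nonlocal rest
        if rest[0] == 'any':
            rest = rest[1:]
            return ANY
        if rest[0] == 'host':
            host, rest = rest[1], rest[2:]
            return (host, '0.0.0.0')
        base, wc, rest = rest[0], rest[1], rest[2:]
        return (base, wc)

    standard = 1 <= number <= 99 or 1300 <= number <= 1999
    if standard:
        proto, src, dst, dport = 'ip', take_addr(), ANY, None
    else:
        proto, rest = rest[0], rest[1:]
        src, dst = take_addr(), take_addr()
        dport = int(rest[1]) if rest[:1] == ['eq'] else None
        if dport is not None and proto not in ('tcp', 'udp'):
            raise ValueError('port matches need tcp or udp: ' + line)
    return {'number': number, 'action': action, 'proto': proto,
            'src': src, 'dst': dst, 'dport': dport}


def is_valid_ace(line):
    try:
        parse_ace(line)
        return True
    except (ValueError, IndexError):
        return False


def evaluate(acl, pkt):
    """Top-down, first match wins; falling off the end hits the implicit 'deny ip any any'.
    pkt: {'proto': 'tcp'|'udp'|'icmp', 'src': ip, 'dst': ip, 'dport': int (optional)}."""
    for ace in acl:
        if ace['proto'] != 'ip' and ace['proto'] != pkt['proto']:
            continue
        if not wildcard_match(pkt['src'], *ace['src']):
            continue
        if not wildcard_match(pkt['dst'], *ace['dst']):
            continue
        if ace['dport'] is not None and pkt.get('dport') != ace['dport']:
            continue
        return ace['action'], ace
    return 'deny', None


# The slide's extended list as written, and the version that actually enforces "http only"
SLIDE_ACL = [parse_ace(l) for l in (
    'access-list 101 permit tcp 192.168.30.0 0.0.0.255 host 192.168.10.10 eq 80',
    'access-list 101 permit ip any any')]
FIXED_ACL = [parse_ace(l) for l in (
    'access-list 101 permit tcp 192.168.30.0 0.0.0.255 host 192.168.10.10 eq 80',
    'access-list 101 deny ip 192.168.30.0 0.0.0.255 host 192.168.10.10',
    'access-list 101 permit ip any any')]
```

Feeding a constructed telnet packet from 192.168.30.20 to 192.168.10.10 through `SLIDE_ACL` returns `permit` (the second line catches everything), while `FIXED_ACL` returns `deny` and still permits the HTTP packet; an empty list denies everything, which is the implicit deny at work.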
Consumer Routers
[Figure: a consumer router with one WAN port toward the ISP network (which may be public or private address space) and several LAN ports (private address space).]
Consumer Router Internals: DHCP Client (on the WAN side), DHCP Server (for the LAN), NAT w/ PAT, Access Point.
What Is A “Layer 3” Switch?
• “Marketing Terminology” Applied to a One-Box Solution:
– Layer 2 Switching
– Layer 3 Routing
• A Layer 3 Switch Performs Both!
• Multilayer Switch Port Types:
– Switchport: Layer 2 Port – MAC Addresses Learned
– Layer-3 Port: Routed Port With Its Own IP Address
– Switched Virtual Interface (SVI): a Virtual Layer 3 Interface for a VLAN – the Default Gateway for the Hosts in That VLAN
• Not for All Environments:
– Typically Found in Workgroup / Campus Environments
– Limited to Ethernet Ports/Interfaces
– Routing Protocol Support Is Often Limited (e.g. RIP and OSPF only)
151
Multi-Layer Switch Summary
• Layer 1 Switch = Really Does Not Exist - Often a Simple “Hub”
• Layer 2 Switch = Traditional Data-Link Layer Switching
• Layer 3 Switch = Performs Layer 3 Routing Decisions
• Layer 4 Switch = Implements Transport-Layer Flow Decisions – Firewall
– VPN Concentrator
• Layer 7 Switch = Provides Applications Level Functionality – Often Based Upon a Uniform Resource Locator (URL):
• Load Balancing
• Content Management
152
An Introduction to “MPLS”
153
Multi-Protocol Label Switching • Known as a “Layer 2.5 Protocol”
• Traditional Routing Process: – Each Router “Looks-Up” Destination Network
• MPLS: – First Router Performs Destination “Look-Up” and Finds Path to the
Destination Router
– Adds “Label or Shim” With Path Information
– Routers Use Label Information to Route Packet
154
Why Label Switching?
• CIDR Presented a New Challenge – Every Hop Must Do a Longest-Prefix-Match Lookup on the Destination Address
• “Label or Tag” Switching Performs an “Exact Match” on a Short, Fixed-Length Label Instead
– Distributes the Route Lookup to the Edge Routers
– Reduces Core Router Load
155
Why MPLS?
• Allows Traffic Engineering – Control Traffic Routing / Manage Congestion
– Manage Capacity
– Prioritize Traffic
• Allows Multi-Service Implementation – Provides Transport Across a Packet-Switched Network
• Provides Resiliency (Fast Reroute)
156
Takeaway Points
• The “Routed” Protocol – the one carrying the data (IP)
• The “Routing” Protocol – the one that builds the table (RIP, OSPF, EIGRP, BGP)
• The “Routing” Table Contains:
– The Destination Network
– The “Next-Hop” Information
– Routing Metric & Administrative Distance
• The Router Looks at the “Destination” Address – Finds the Longest Matching Prefix – Determines the Appropriate Interface
157
IP Addressing & Subnetting In-Depth
158
IP Addressing “Rules” • Each Network MUST Have a Unique Network ID
• Each Host MUST Have a Unique Host ID
• Every IP Address MUST Have a Subnet Mask – Implied for a Classful Network
– Explicit Stated for Classless Network
• An IP Address Must Be Unique Globally If Host on the Public Internet
159
Classful IP Addressing
Class   First Octet Range   Use
A       1 – 126             Large Unicast Network
B       128 – 191           Medium Unicast Network
C       192 – 223           Small Unicast Network
D       224 – 239           Multicast Network
E       240 – 255           Experimental Network
                          Class A               Class B                   Class C
First Octet Range         1 – 126               128 – 191                 192 – 223
Network Range             1.0.0.0 – 126.0.0.0   128.0.0.0 – 191.255.0.0   192.0.0.0 – 223.255.255.0
Mask                      255.0.0.0             255.255.0.0               255.255.255.0
Network Bits              8                     16                        24
Host Bits                 24                    16                        8
Available Networks        126                   16,384                    2,097,152
Available Hosts/Network   16,777,214            65,534                    254
(127.0.0.0/8 is reserved for loopback, which is why Class A stops at 126.)
IP Address Classes “Classful” Public & Private
• Class A – 126 Networks / 16,777,214 Hosts – 1.0.0.0 to 126.0.0.0
– PRIVATE – 10.0.0.0 to 10.255.255.255
• Class B – 16,384 Networks / 65,534 Hosts – 128.0.0.0 to 191.255.0.0
– PRIVATE – 172.16.0.0 to 172.31.255.255
• Class C – 2,097,152 Networks / 254 Hosts – 192.0.0.0 to 223.255.255.0
– PRIVATE – 192.168.0.0 to 192.168.255.255
161
IP Address Classes – “32-Bit Dotted-Decimal Notation”
IPv4 Provides 2^32 or 4,294,967,296 IP Addresses
162
Determining the Class
[Figure: the 32-bit address as Octet 1 through Octet 4; the leading bits of Octet 1 indicate the class: 0xxxxxxx = Class A (1 – 126), 10xxxxxx = Class B (128 – 191), 110xxxxx = Class C (192 – 223).]
IPv4 Address – Dotted-Decimal Notation: 192.168.100.254
or as a 32-bit Binary Representation: 11000000.10101000.01100100.11111110
Leading Bit Patterns Indicate the Class
Private vs Public IP Addresses
• RFC 1918 Established “Private” Address Space
– Class A: 10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
– Class B: 172.16.0.0 to 172.31.255.255 (172.16.0.0/12)
– Class C: 192.168.0.0 to 192.168.255.255 (192.168.0.0/16)
• Key Points:
– Private IP Addresses Are NOT Routed on the Public Internet (ISPs filter them; they are routable inside your own network)
– Widely Used in Home & Industry Networks
– May Be Translated With NAT at an Edge Router
• Maps Private Address Space to Public Address Space
164
VLSM & CIDR
VLSM – RFC 1009
• Variable Length Subnet Masking (VLSM)
– Host Addressing & Routing Inside a Routing Domain
– Allowed “Classless” Subnetting
• Mask Information is Explicit
– Allows More Efficient Use of Address Space – Tailor Address Space to Fit Network Needs
– Allows You to Subnet a Subnet
CIDR – RFC 1517, 1518, 1519, 1520
• Classless Interdomain Routing (CIDR)
– Class System No Longer Applies
– Routing Between Routing Domains
– Allows “Supernets” To Be Created
• Combining a Group of Class C Addresses Into a Single Block
– CIDR Notation (slash notation): 172.16.1.1 /16
165
IP Address Formats
Classful Addressing: 165.95.240.136 (Implied Mask 255.255.0.0 – first octet 165 is Class B)
VLSM Addressing: 165.95.240.136 255.255.255.192 (Explicit Mask)
CIDR Notation: 165.95.240.136 /26 (the number after the slash is the Number of Mask Bits)
The IP Address Subnet Mask – “VLSM”: Each IP Address Must Have a Subnet Mask to Define the Network and the Host
32-Bit Address & Subnet Mask Format – Expressed in Decimal as (4) 8-bit Octets Using “Dotted-Decimal Notation”
IP Address: 192.168.1.100 /26 (mask 255.255.255.192)
11000000.10101000.00000001.01100100   (address)
11111111.11111111.11111111.11000000   (mask: 26 network bits, 6 host bits)
Subnets
[Figure: Switch 1 behind Router A and Switch 2 behind Router B, with a link between the two routers. How Many Networks (subnets) Are Shown? Three: Network 1, Network 2 and Network 3 – each router interface sits on a different subnet, including the router-to-router link.]
IP Addressing / Subnetting
• Classless IP Addressing Has Replaced Classful Addressing!
• Why Subnet?
– Allows Flexible Network Design
– Efficient Use of IP Address Space
• Dividing Networks Into the “Right” Size
– Performance
• Create “Smaller” Broadcast Domains
– Enhance Routing Efficiency – Reduce Routing Table Size
– Network Management Policy and Segmentation
• Grouping Hosts by Function or Purpose
• Grouping Hosts by Ownership
• Grouping Hosts Geographically
– Job Security for Network Engineers!
169
Subnetting Basics – An IP Address Must Have a Subnet Mask
• The Subnet Mask Identifies the Boundary Between Network and Host Bits
• “Subnetting” Simply Moves the Boundary! – Moves the Boundary to the Right (more network bits, fewer host bits)
– IP Address Subnetting Applies to All Classes
– Boundary Position Determined by the Subnet “Netmask”
• Expressed in Several Forms:
– Dotted-Decimal Notation (same as an IP address)
– Slash Notation (also known as CIDR notation)
170
IP Address 165.95.240.100 with Netmask of 255.255.255.0
OR
165.95.240.100 /24
IP Address Block Size – Understanding the Power of 2: 2^n
Bit values within an octet, from the most significant bit to the LSB: 128 64 32 16 8 4 2 1
n host bits give 2^n addresses in the block, of which 2^n – 2 are assignable (the network and broadcast addresses are reserved).
[Figure: ISP router with serial links S0/S1 feeding a site router whose FE0 faces the ISP and whose FE1, FE2 and FE3 serve VLAN 1 (Sales, 35 hosts), VLAN 2 (Engineering, 17 hosts) and VLAN 3 (Production, 27 hosts). Address block 165.95.240.100/25.]
For 165.95.240.100/25:
Network: 165.95.240.0
Broadcast: 165.95.240.127
Useable Range (126 hosts): 165.95.240.1 – 165.95.240.126
What You Need To Know About a Network?
• Network Address?
• Broadcast Address?
• IP Address Range? – Range of Useable Addresses
• Subnet Mask?
• Default Gateway Address?
173
Where is the Default Gateway?
[Figure: the same site as above; a host in VLAN 1 uses the router’s VLAN 1 interface IP address as its default gateway, and a host in VLAN 3 uses the router’s VLAN 3 interface IP address.]
IP Addressing Reverse Engineering “A Useful Troubleshooting Tool”
• Verifying Proper Subnet Configuration When Given an IP Address and Subnet Mask – Determine Subnet Address Range
– Determine “Assignable” IP Addresses
– Determine Broadcast Address
• Subnetting When Given A Network Requirement
• Subnetting When Given A Host Requirement
175
You Are Provided:
IP Address / IP Mask
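The three tasks listed above (reverse-engineering a network from an address and mask, and subnetting to a host or network requirement) as an added Python example using the standard ipaddress module; this is not the tutorial’s code. The VLSM routine takes the slide’s site (Sales 35, Engineering 17, Production 27 hosts inside 165.95.240.0/25) as constructed input; the largest-first ordering and lowest-free-chunk placement are the usual textbook recipe, not something the slide prescribes.

```python
import ipaddress


def describe(cidr):
    """What the slide says you need to know about a network, from 'address/prefix' or
    'address/mask' (e.g. '165.95.240.100/25' or '165.95.240.100/255.255.255.128')."""
    net = ipaddress.IPv4Interface(cidr).network
    usable = list(net.hosts()) if net.prefixlen < 31 else list(net)   # /31 and /32 reserve nothing
    return {
        'network': str(net.network_address),
        'broadcast': str(net.broadcast_address),
        'mask': str(net.netmask),
        'wildcard': str(net.hostmask),            # the ACL wildcard mask from the routing section
        'first_usable': str(usable[0]),
        'last_usable': str(usable[-1]),
        'usable_hosts': len(usable),
        'host_bits': 32 - net.prefixlen,
    }


def prefix_for_hosts(hosts):
    """Smallest block that fits 'hosts' plus the network and broadcast addresses."""
    return 32 - (hosts + 2 - 1).bit_length()


def vlsm_allocate(block, requirements):
    """Carve 'block' into subnets, largest requirement first, always taking the
    lowest-numbered free chunk that is big enough.
    requirements: {name: host_count}. Returns ([(name, hosts, subnet)], [unused chunks])."""
    free = [ipaddress.ip_network(block)]
    plan = []
    for name, hosts in sorted(requirements.items(), key=lambda kv: (-kv[1], kv[0])):
        prefix = prefix_for_hosts(hosts)
        for i, chunk in enumerate(free):
            if chunk.prefixlen <= prefix:
                sub = next(chunk.subnets(new_prefix=prefix))       # lowest subnet of the chunk
                plan.append((name, hosts, str(sub)))
                free = free[:i] + sorted(chunk.address_exclude(sub)) + free[i + 1:]
                free.sort()
                break
        else:
            raise ValueError(f'{block} has no room left for {name} ({hosts} hosts)')
    return plan, [str(c) for c in free]


def fits(block, requirements):
    """True if every requirement can be placed inside the block."""
    try:
        vlsm_allocate(block, requirements)
        return True
    except ValueError:
        return False
```

`describe('165.95.240.100/25')` reproduces the slide’s answer (network .0, broadcast .127, 126 usable addresses .1 – .126), and the VLSM run gives Sales a /26, Production and Engineering a /27 each, using the whole /25 with nothing left over; ask for a fourth subnet and `fits` reports that the block cannot hold it.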
Network Address Translation – NAT (RFC 3022)
[Figure: Inside Network (private, RFC 1918 addressed hosts) – Gateway Router w/ NAT Services – Outside Network (usually public address space).]
• NAT Allows a Host Without a Valid Public IP Address to Communicate With a Host That Has a Public IP Address
• HOW?
– Simply Changes the IP Addresses (and, for PAT, the port numbers) as the Packet Passes Through the NAT Device, keeping a translation table so the reply can be changed back
• WHY?
– Conserve Public IP Address Space
– Security by Obscurity (hides the actual host IP address) – but NAT is not a firewall: it hides addresses, it does not inspect or block traffic that matches an existing translation, so pair it with filtering rules
NAT
• Types of NAT:
– Static – One-to-One Translation
– Dynamic – A Pool of Public Addresses Is Made Available to Outbound Client Traffic
– NAT Overloading or Port Address Translation (PAT) – Translates to a Single Public IP by Use of a Unique Port Number
• NAT Addressing Terminology:
– Inside Local (or Inside Private) – the inside host’s private address
– Inside Global (or Inside Public) – the inside host’s address as seen from outside
– Outside Global (or Outside Public) – the outside host’s public address
– Outside Local (or Outside Private) – the outside host’s address as seen from inside (rarely different)
177
[Figure: Inside Network (private) – Gateway Router w/ NAT Services – Outside Network; Inside Local and Inside Global on the inside, Outside Local and Outside Global on the outside.]
In General: Inside Addresses Are Local; Global Addresses Are Public
Static NAT
[Figure: private hosts 10.0.0.2 /24, 10.0.0.3 /24 and 10.0.0.4 /24 on the 10.0.0.0/24 side of a Gateway Router w/ NAT Services; the public side is 128.194.247.0 /24.]
Static mappings: 10.0.0.2 ↔ 128.194.247.2; 10.0.0.3 ↔ 128.194.247.3; 10.0.0.4 ↔ 128.194.247.4
Simple Layer 3 Packet (Source IP | Destination IP | Payload):
Outbound: 10.0.0.2 | outside host | Payload becomes 128.194.247.2 | outside host | Payload – Source IP Address Changed by NAT
Inbound reply: outside host | 128.194.247.2 | Payload becomes outside host | 10.0.0.2 | Payload – Destination IP Address Changed by NAT
(The slide draws the outside host as 128.194.300.2 /24, which is not a valid IPv4 address.)
Dynamic NAT
[Figure: the same private hosts and gateway; the gateway holds a Pool of AVAILABLE Public IP Addresses, 128.194.247.2 – 128.194.247.14.]
NAT Table: 10.0.0.2 → 128.194.247.10 (IP Address Chosen from the Pool of Public IP Addresses)
Dynamic Entry Remains as Long as Traffic Flows (then times out)
Common to Have More Private Hosts Than Public IP Address Space – when the pool is exhausted, new outbound sessions fail until an entry times out
NAT Overloading or PAT – Port Address Translation
Single Address NAT / Port-Level Multiplexed NAT
[Figure: private hosts 10.0.0.2 /24, 10.0.0.3 /24 and 10.0.0.4 /24 behind the Gateway Router w/ NAT Services; a single public address, 128.194.247.10.]
NAT Table (Source Address & Port → Translated Address & Port):
Inside Local     Inside Global
10.0.0.2:1024    128.194.247.10:1024
10.0.0.3:1026    128.194.247.10:1026
10.0.0.4:1028    128.194.247.10:1028
The returning packet’s Destination Address & Port select the table row, so the destination is rewritten back to the inside host’s address and port.
NAT Drawbacks!
• Accountability Limited Globally
– Multiple Internal Hosts Share One Global IP Address – an outside log entry identifies only the gateway, so keep (and time-stamp) the translation table if you need to trace a session back to a host
• Breaks the IP Concept of End-to-End Connectivity (protocols that carry IP addresses inside their payload, such as FTP or SIP, need NAT helpers)
• Complicates the Process of Allowing a Global IP Host to Establish a Session With an Internal Host (requires a static mapping or port forward)
181
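The PAT table and the drawbacks above as an added Python model (not the tutorial’s code). It assumes port preservation with fallback to the next free port, keys the table on the inside address and port only (real gateways usually key on the full 5-tuple and run per-protocol timers), and uses constructed packets with 203.0.113.5, a documentation address, as the outside host.

```python
class PatGateway:
    """NAT overload (PAT): every inside host shares one inside-global address, and the
    translated source port is what tells the sessions apart on the way back."""

    def __init__(self, inside_global_ip, first_port=1024, last_port=65535):
        self.ip = inside_global_ip
        self.port_range = range(first_port, last_port + 1)
        self.out_table = {}    # (inside_local_ip, port) -> translated port
        self.in_table = {}     # translated port -> (inside_local_ip, port)

    def _allocate(self, wanted):
        # Assumed policy: keep the host's own source port if free, else the next free port
        if wanted in self.port_range and wanted not in self.in_table:
            return wanted
        for p in self.port_range:
            if p not in self.in_table:
                return p
        raise RuntimeError('translation table full')

    def outbound(self, pkt):
        """Inside -> outside: rewrite the source address and port and remember the mapping."""
        key = (pkt['src'], pkt['sport'])
        if key not in self.out_table:
            port = self._allocate(pkt['sport'])
            self.out_table[key] = port
            self.in_table[port] = key
        return {**pkt, 'src': self.ip, 'sport': self.out_table[key]}

    def inbound(self, pkt):
        """Outside -> inside: only a packet whose destination port has a mapping reaches an
        inside host; anything else (an unsolicited connection attempt) has nowhere to go."""
        if pkt['dst'] != self.ip:
            return None
        key = self.in_table.get(pkt['dport'])
        if key is None:
            return None
        return {**pkt, 'dst': key[0], 'dport': key[1]}

    def expire(self, inside_local_ip, port):
        """Entries are dynamic: remove one when its session ends or times out."""
        tport = self.out_table.pop((inside_local_ip, port), None)
        if tport is not None:
            del self.in_table[tport]

    def who_sent(self, translated_port):
        """The accountability question: which inside host was behind this global port?"""
        return self.in_table.get(translated_port)
```

Two inside hosts that both pick source port 1024 end up as 128.194.247.10:1024 and 128.194.247.10:1025; the reply to port 1025 is delivered to 10.0.0.3:1024, an inbound SYN to port 22 is dropped because no row matches, and once the 10.0.0.3 entry expires `who_sent(1025)` can no longer say who used that port, which is the accountability drawback in practice.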
Special Use Addresses – RFC 5735 (now RFC 6890)
• 0.0.0.0/8 “This” Network – 0.0.0.0 itself is the unspecified / “wire” address a host uses before it has one
• 10.0.0.0/8 Private IP Address Space (RFC 1918)
• 127.0.0.0/8 Loopback Address
• 169.254.0.0/16 Link-Local / IETF Zero Configuration Address Space (RFC 3927)
• 172.16.0.0/12 Private IP Address Space (RFC 1918) – 172.16.0.0 through 172.31.255.255; the slide’s /16 would cover only 172.16.x.x
• 192.168.0.0/16 Private IP Address Space (RFC 1918)
• 224.0.0.0/4 Multicast Address Space
• 255.255.255.255/32 Limited Broadcast Address
182
The IPv4 Loopback Address
• What is Special About 127.0.0.1?
– Actually Any 127.0.0.0/8 Address Works, i.e. the Range 127.0.0.1 to 127.255.255.254
• Known as a “Loop-Back” Address – Packets Never Leave the Host
• Useful For:
– Testing the Local IP Stack (it does not exercise the network adapter or the cable)
– Client-Server Applications on the Same Host (binding a service to 127.0.0.1 keeps it off the network)
183
An Introduction to IPv6
184
IPv4 Address Depletion
• As of February 2011 the IANA Free Pool of IPv4 Address Space Was Fully Assigned to the Regional Registries!
• The Regional Registries Are Now Working From Their Last Allocation!
[Chart: http://www.potaroo.net/tools/ipv4/plotend.png – Updated 4-24-14]
IPv6 Address Space – IETF RFC 2460 (now RFC 8200)
IPv6 Provides Expanded IP Address Space: 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 (three hundred forty UNDECILLION addresses), about 3.4 x 10^38
• But IPv6 is More Than Expanded Address Space – An Opportunity to Re-Engineer IPv4:
– Improved Support for Multicasting, Security, & Mobile Apps
– Multiple Addresses per Interface
– Host Auto-Configuration Capability
– Security (IPsec) Incorporated
– Path MTU Discovery Incorporated (routers no longer fragment; the sender must size packets to the path)
– Traffic Engineering Provisions (Flow Label) Incorporated
The IPv6 Address
128-Bit Address, Binary Format:
00100110000001111011100000000000000011111010101000000000000000110010000110010101100110001000011110111100010010000010100011110001
Subdivide Into Eight (8) 16-bit Groups:
0010011000000111 1011100000000000 0000111110101010 0000000000000011 0010000110010101 1001100010000111 1011110001001000 0010100011110001
Convert Each 16-bit Group to Hexadecimal (separate with a colon):
2607:b800:0faa:0003:2195:9887:bc48:28f1, leading zeros dropped: 2607:b800:faa:3:2195:9887:bc48:28f1
Address Summarization
128-Bit Address Represented as 32 Hexadecimal Digits Subdivided Into Eight Groups (Chunks, Quads, Quartets) of Four Hexadecimal Digits (separated by colons)
2001:0000:0000:0000:0DB8:8000:200C:417A or
2001:0:0:0:DB8:8000:200C:417A (leading zeros in a group dropped) or
2001::DB8:8000:200C:417A (one run of all-zero groups replaced by “::”, which may appear only once)
188
Remember: IPv6 Is More Than Address Space
“An Opportunity to Re-Engineer IPv4”
• Header Simplification for Performance Increase
• Improved Authentication and Security
• Host Auto-Configuration
• Mobility Incorporated
189
IPv6 Header (40 Bytes, fixed; each row is 32 bits):
Version (4) | Traffic Class (8) | Flow Label (20)
Payload Length (16) | Next Header (8) | Hop Limit (8)
Source IP Address (128)
Destination IP Address (128)
Packet Payload (Transport Layer Data)
IPv4 Header (20 Bytes minimum; each row is 32 bits):
Version (4) | Header Length (4) | Precedence / Type of Service (8) | Total Length (16)
Identification (16) | Flags (3) | Fragment Offset (13)
Time to Live (8) | Protocol (8) | Header Checksum (16)
Source IP Address (32)
Destination IP Address (32)
Options & Padding (0 to 320 bits, variable)
Packet Payload (Transport Layer Data)
IPv6 Header Simplification
Fewer Fields & a Fixed Header Size Result in Faster Packet Processing, Providing Enhanced Routing Efficiency (no header checksum to recompute at every hop; fragmentation and options move into extension headers)
Improved Authentication and Security
• IPsec Support Was Mandatory to Implement in the Original IPv6 Node Requirements – Not Mandatory to Use – and RFC 6434 (2011) Relaxed It to a “SHOULD”; IPv6 Is Not Necessarily More Secure Than IPv4
• IPsec (AH and ESP), Where Actually Deployed, Provides:
– Data Integrity
– Authentication
– Confidentiality
191
Host Auto-Configuration
• Simply Saves Network Administrators Work!
• Stateless Auto-Configuration (SLAAC) – the host learns the /64 prefix from a Router Advertisement and builds its own interface ID
• Stateful Auto-Configuration (DHCPv6) – a server hands out addresses and records who holds which
• Auto-Configuration Process: listen for (or solicit) a Router Advertisement, form the address, check that it is not already in use (Duplicate Address Detection), then use it
192
Host ID Generated from MAC Address (modified EUI-64): the 48-bit MAC is split in half, ff:fe is inserted in the middle, and the universal/local bit of the first octet is flipped, giving a 64-bit interface ID.
The slide’s example, Generated IPv6 Address 2002:80c2:f737::80c2:f737 “For Host with MAC Address 80:C2:F7:37”, does not show this process: 80:C2:F7:37 is only four octets, and 2002::/16 is the 6to4 prefix, in which 80c2:f737 is the hexadecimal form of the IPv4 address 128.194.247.55, not a MAC address.
Because an EUI-64 interface ID embeds the MAC, the same host is recognisable on every network it visits; privacy extensions (RFC 4941) or stable opaque IDs (RFC 7217) avoid that. And since hosts accept any Router Advertisement by default, a rogue RA can hand them a bogus prefix or gateway (the “rogue router advertisement” threat listed later in this tutorial).
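Modified EUI-64 interface ID generation, the reverse mapping that makes it a privacy concern, and the address expansion / compression and 6to4 decoding from the IPv6 slides above, as an added Python example (not the tutorial’s code; it uses the standard ipaddress module). The MAC addresses and the 2001:db8::/32 documentation prefix are constructed inputs.

```python
import ipaddress


def is_valid_mac(mac):
    """A MAC address is 48 bits: six octets, written with ':' or '-' separators."""
    try:
        return len(bytes.fromhex(mac.replace(':', '').replace('-', ''))) == 6
    except ValueError:
        return False


def modified_eui64(mac):
    """Interface ID from a MAC: split it, insert FF:FE in the middle, and flip the
    universal/local bit (0x02 of the first octet). Returns the 8-byte interface ID."""
    if not is_valid_mac(mac):
        raise ValueError('a MAC address is 48 bits (six octets): ' + mac)
    octets = bytes.fromhex(mac.replace(':', '').replace('-', ''))
    iid = bytearray(octets[:3] + b'\xff\xfe' + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def iid_text(iid):
    """Interface ID as four colon-separated 16-bit groups."""
    return ':'.join(f'{int.from_bytes(iid[i:i + 2], "big"):04x}' for i in range(0, 8, 2))


def slaac_address(prefix, mac):
    """Stateless autoconfiguration: the /64 prefix from a Router Advertisement + EUI-64 ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError('SLAAC with EUI-64 requires a /64 prefix')
    iid = int.from_bytes(modified_eui64(mac), 'big')
    return ipaddress.IPv6Address(int(net.network_address) | iid).compressed


def mac_from_eui64_address(addr):
    """The reverse: anyone who sees the address recovers the MAC, which is the tracking
    problem that privacy (RFC 4941) and stable-opaque (RFC 7217) interface IDs solve.
    Returns None when the interface ID is not EUI-64 shaped."""
    raw = ipaddress.IPv6Address(addr).packed[8:]
    if raw[3:5] != b'\xff\xfe':
        return None
    octets = bytearray(raw[:3] + raw[5:])
    octets[0] ^= 0x02
    return ':'.join(f'{b:02x}' for b in octets)


def expand(addr):
    """Full 32-hex-digit form, as on the 'Address Summarization' slide."""
    return ipaddress.IPv6Address(addr).exploded


def compress(addr):
    """Shortest form: leading zeros dropped, the longest run of zero groups as '::'."""
    return ipaddress.IPv6Address(addr).compressed


def embedded_ipv4(addr):
    """For a 6to4 address (2002::/16) the next 32 bits are an IPv4 address."""
    v4 = ipaddress.IPv6Address(addr).sixtofour
    return str(v4) if v4 else None
```

With the MAC 08:3e:8e:11:11:11 from the switching section, the interface ID becomes 0a3e:8eff:fe11:1111 (note the flipped bit, 08 → 0a) and the SLAAC address under 2001:db8:0:1::/64 is 2001:db8:0:1:a3e:8eff:fe11:1111; `mac_from_eui64_address` turns it straight back into the MAC, and `embedded_ipv4` decodes the slide’s 2002:80c2:f737:: address to 128.194.247.55.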
Mobility Incorporated
• Provides Roaming Service Without Interrupting Connectivity – Ability to Move Between Networks
– Maintains Home IP Address Regardless of Location
– Establishes Care-Of IP Address When In a “Foreign” Network
• Similar in Concept to IPv4 Mobile IP
193
IPv6 Address Types
• Unicast – One-to-One Mapping
– Global Unicast Address
– Unique-Local Unicast Address (non-routable on the Internet, the private space)
– Link-Local Unicast (fe80::/10, every interface has one)
• Multicast – One-to-Many Mapping – Multicast Groups Established (there is no IPv6 broadcast)
• Anycast – One-to-Nearest Mapping – Packets Are Delivered to the “Closest, Nearest, or Lowest-Cost” Interface
• Global Anycast
• Site-Local Anycast
• Link-Local Anycast
194
ARIN IPv6 Address Allocation Policies
• End-User / Enterprise Network – Qualify by Meeting the IPv4 Qualifications
– /48 Minimum Allocated
• 65,536 /64 subnets
• Qualify for Larger Blocks by Justification of Proposed Use
196
IPv6 Addressing: Prefix | Host (Interface ID), with the Prefix Length giving the boundary
IPv6 Address Assignment
• Service Provider: /32 → 2^32 /64 subnets
• Large End User: /48 → 65,536 /64 subnets
• Small End User: /56 → 256 /64 subnets
• SOHO: /64 → 1 /64 subnet
Recognize / Remember:
A /64 IPv6 subnet = 2^64 = 18,446,744,073,709,551,616 hosts (so sweeping a subnet for hosts the IPv4 way is impractical; attackers look for predictable interface IDs instead)
Why IPv6?
• Reduction of Dependency Upon IPv4 Address Space for Growth
• Restores the End-to-End Communications Path Model of the Global Internet (no NAT)
• Enhances Overall Routing Efficiency
• IPsec Support Improves Authentication and Confidentiality Where It Is Deployed
Want to Learn More?
IPv6 Enable Your Home Network
But, My Provider is Not IPv6
Enabled!
Then “Tunnel” to an IPv6
Provider:
http://www.tunnelbroker.net/
IPv6 Test Sites
http://ipv6-test.com/
http://v6.testmyipv6.com/
www.ARIN.net
An IPv6 Address You Can Remember
The IPv6 Loopback Address
::1 – Summarized from 0:0:0:0:0:0:0:1
Some Final IPv6 Trivia
What Happened to Version 5 or IPv5 of the Internet Protocol?
“IPv5 Simply Does Not Exist!” Version 5 was intentionally skipped to avoid confusion, or at least to rectify it. The problem with version 5 relates to an experimental TCP/IP protocol called the Internet Stream Protocol, Version 2, originally defined in RFC 1190. This protocol was originally seen by some as being a peer of IP at the Internet Layer in the TCP/IP architecture and these packets were assigned IP version 5 to differentiate them from “normal” IPv4 packets. This protocol never went anywhere, but to be absolutely sure that there would be no confusion, version 5 was skipped over in favor of version 6.”
IPv4 and IPv6 Comparison Summary
IPv4
Developed: 1973-1977
Deployed: 1981
2^32 or 4.3 Billion Addresses – “More Than Anyone Could Possibly Use”
Address-Based Assignment Unit: /32
IPv6
Developed: mid 1990’s
Deployed: 1999
2^128 or 340 Undecillion Addresses – “More Than Anyone Could Possibly Use”
Network-Based Assignment Unit: /64
Vinton Cerf, “One of the Fathers of the Internet”
"Who the hell knew how much address space we needed for an experiment?" "The experiment has not ended"
“Vint” Cerf, commenting on his and his colleagues’ 1977 decision to use 32-bit IP numbers
Building the Network Infrastructure
Reference Network Architecture
[Diagram: ISP connection feeding a site network segmented into VLAN 1, VLAN 2 and VLAN 3]
Network Security Concerns
• Focused on Protecting the “Network Infrastructure”
• Common Threats:
– DHCP Snooping
– ARP Spoofing (IP Spoofing)
– Rogue Router Advertisements
– Denial of Service Attacks
– Application Layer Attacks
• Implementation Considerations:
– Know Your Enemy
– Cost
– Human Factors
– Understand Your Network
– Limit Scope of Access
– Don’t Overlook Physical Security
The Challenge
SECURITY vs. USABILITY
The Scope of the Problem!
http://www.verizonenterprise.com/DBIR/2014/
IT Infrastructure Threats
• Viruses
• Worms
• Trojan Horse
• Spyware & Adware
• Botnets “Zombie Computer”
• Operating Systems
• File System / Media
• Application – Web Services
– Email Services
– P2P
• Wireless / Mobile Environment
• Social Engineering
• And the list goes on & on…..
Network Infrastructure Threats
• Denial of Service “DoS”
• Spoofing
• Hijacking
• Authentication Bypass or “Back Door” Access
• Physical Access
• And the list goes on & on…..
Common Policy Terminology
• Asset – Any object of value
• Vulnerability – A system weakness to be exploited
• Threat – Possible danger to a system or its information
• Risk – The feasibility that a vulnerability might be exploited
• Exploit – An attack directed at a vulnerability
• Countermeasure – An action or mitigation of a risk
Common Policy Attributes
• What Does a Security Policy Define?
– Company Objectives
– System Requirements
– User Rules & Regulations
• Who is the Security Policy Audience?
– “Anyone” Who Has Network Access!
Security Policy Lifecycle
[Diagram: a continuous cycle made up of the following stages]
• Planning
• Policy Creation
• Management & Monitoring
• Assessment
• Policy Implementation & Enforcement
• Detection
• Threat Analysis
Attributes of a Secure Network
• Layered Approach (“Defense in Depth”, NOTE 1) – Different Security Controls Within Different Groups
• Security Domains – Segmentation of Network Into Areas or Groups
• Privileges – Restrict to “Need-to-Access”; “Deny by Default”
• Access – Restrict by Firewalls, Proxies, etc.
• Logging – Accountability, Monitoring, & Activity Tracking
NOTE 1 – Cisco Security Terminology
Goals of Data Security
• Provides Confidentiality – Maintain Privacy – Prevent Use by Those Unauthorized
• Provides Authentication – Verify That Users Are Who They Say They Are
• Maintains Data Integrity – Data Has Not Changed
[Diagram: DATA carried across the Network from Send Host to Receive Host]
Network Security Tools
• Firewall – Used to Create a “Trusted” Network Segment by Permitting or Denying Network Packets
– Types of Firewalls:
• Stateless Packet Filtering – Single Packet Inspection
• Stateful Packet Filtering – Flow or Conversation Inspection
• Detection Tools:
– Intrusion Detection Systems (IDS)
• Signature Based
• Anomaly Based
– Intrusion Prevention Systems (IPS)
• Combine Firewall & IDS Functions
Not Within Today’s Scope
Firewalls
• Determines What IP Traffic Can Enter or Exit a Network Based Upon Pre-Defined Rules
• Firewall Types:
– Stateless Packet Filtering – Single Packet Inspection
• Access Control List “ACL” – Ingress or Egress Filtering
• No knowledge of flow
• Filters on IP Header info – Layers 1-3
– Stateful Packet Filtering – Flow or Conversation Inspection
• Filters on IP Header info – Layers 1-4
• Records conversations – then determines context:
» New Connections
» An Existing Conversation
» Not involved in any conversation
Firewall Types:
[Diagram: Packet Filtering – “Stateless” (Internet; HTTP Request passes; HTTP Reply Blocked X) beside Packet Filtering – “Stateful” (Internet; HTTP Request passes; HTTP Reply passes; Telnet Session Blocked X)]
Filtering Parameters:
• IP Source Address
• IP Destination Address
• Protocol – TCP Traffic, UDP Traffic
• Port Number
“Stateless” Firewall
• In Addition to TCP/IP Header Checks, A Stateless Firewall Can Detect Packet Anomalies:
– IP Packet Header Makeup
– IP Addressing Non-Compliance
– IP Fragmentation Errors
– TCP Flow Sequencing
– UDP Flow Sequencing
– Anomalies Associated with Packet Flows:
• SYN-ACK Sequence Not Compliant
• ICMP Errors
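As an added example (not from the tutorial), the Python below models the two filter types from the preceding slides: a stateless ACL that judges each packet on its own header, beside a stateful filter that records conversations and classifies every packet as a new connection, an existing conversation, or not involved in any conversation. The inside network 10.0.0.0/8, the single ACL rule and the sample packets are constructed for the illustration.

```python
# Stateless vs. stateful packet filtering, as an added illustration of the
# firewall slides (not from the tutorial). Addresses, rules and packets are
# constructed; "inside" is 10.0.0.0/8, "outside" is anything else.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")   # constructed internal network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN without ACK marks a new connection attempt
    ack: bool = False

def direction(pkt):
    """'out' for packets leaving the inside network, 'in' for packets entering."""
    return "out" if ip_address(pkt.src) in INSIDE else "in"

# Stateless ACL: one outbound rule, judged on each packet's own header
# (Layer 3-4 fields only, no knowledge of the flow the packet belongs to).
ACL = [{"dir": "out", "proto": "tcp", "dport": 80}]   # inside hosts may browse

def stateless_filter(pkt):
    """Permit if any ACL entry matches this packet's header fields, else deny."""
    for rule in ACL:
        if (rule["dir"] == direction(pkt) and rule["proto"] == pkt.proto
                and rule["dport"] == pkt.dport):
            return "permit"
    return "deny"   # the HTTP reply lands here too: no rule covers inbound replies

class StatefulFilter:
    """Records conversations, then classifies each packet by its context."""

    def __init__(self):
        self.flows = set()   # (src, sport, dst, dport, proto) of permitted flows

    def filter(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.flows or reverse in self.flows:
            return "permit", "existing conversation"    # return traffic included
        # Only a policy-allowed TCP SYN opens a new flow (UDP would need a
        # first-packet rule; kept to TCP here for brevity).
        if pkt.syn and not pkt.ack and stateless_filter(pkt) == "permit":
            self.flows.add(key)
            return "permit", "new connection"
        return "deny", "not involved in any conversation"
```

Run the same three packets (outbound HTTP request, its reply, an unsolicited inbound Telnet SYN) through both filters to see the stateless one drop the reply while the stateful one admits it and still blocks the Telnet attempt.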
Firewall Implementation
[Diagram: Internet (Outside) – “Stateful” Firewall, whose functionality May Be Implemented in a “Border” Router – Internal Network(s); a Demilitarized Zone “DMZ” holding a Web Server and a Server. Rule labels shown on the links: HTTP & SMTP / POP Only Allowed; All Allowed; Return Session Only Allowed; All Allowed; All Blocked]
Switch Port Security Actions
• Port Security Options:
– Specific MAC Address/Port
– Limits on Learned MAC’s
– “Sticky” MAC Learning
• Port Security Violations:
– Discards Frame if Disallowed
– Discards Frame if Disallowed and Sends Notification
– Shutdown
Implementing Switch Port Security
Un-used ports:
• “Shutdown” ports that are un-used
• Ensure ports are configured as “Access” ports
• Assign port to an Un-Used VLAN (do not use VLAN 1)
Trunk ports:
• Configure “Trunk” Ports Only When required
In-use ports:
• Ensure port is configured as an “Access” port
• Assign port to VLAN (do not use VLAN 1)
• Enable Port Security:
– Specific MAC address
– Limit number of MAC addresses / port
– Use “Sticky Learning” with caution
– Specify the violation response
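As an added example (not part of the tutorial), this Python script audits a switch configuration against the guidelines just listed: un-used ports shut down, access mode on user ports, no VLAN 1, port security enabled, sticky learning flagged for review, and a violation response specified. The configuration is a constructed sample written in Cisco IOS-like syntax; other platforms word these commands differently.

```python
# Audit a switch configuration against the port-security guidelines above.
# Added example, not from the tutorial; constructed sample in Cisco IOS-like syntax.

SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security violation restrict
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 1
interface GigabitEthernet1/0/3
 switchport mode trunk
interface GigabitEthernet1/0/4
 switchport access vlan 999
 shutdown
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security mac-address sticky
"""

def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} for each 'interface' stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            stanzas[current] = []
        elif current and line.startswith(" "):   # indented line belongs to the stanza
            stanzas[current].append(line.strip())
        else:
            current = None                        # '!' or any other top-level line
    return stanzas

def audit_interface(lines):
    """List guideline violations for one interface; an empty list means clean."""
    if "shutdown" in lines:                       # un-used port is shut down: good
        return []
    if "switchport mode access" not in lines:
        return ["not an access port (configure trunks only where required)"]
    findings = []
    vlan = next((l.split()[-1] for l in lines if l.startswith("switchport access vlan")), "1")
    if vlan == "1":                               # IOS default when no access VLAN is set
        findings.append("assigned to VLAN 1 (do not use VLAN 1)")
    if "switchport port-security" not in lines:
        findings.append("port security not enabled")
    elif "switchport port-security mac-address sticky" in lines:
        findings.append("sticky MAC learning enabled (use with caution)")
    if "switchport port-security" in lines and not any(
            l.startswith("switchport port-security violation") for l in lines):
        findings.append("violation response not specified")
    return findings

def audit(config):
    return {name: audit_interface(lines) for name, lines in parse_interfaces(config).items()}
```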
The IPSec VPN
• The Virtual Private Network – “VPN” is a private network built across a public infrastructure.
• VPN Advantages:
– Provides Confidentiality
– Provides Authentication
– Maintains Data Integrity
– Prevents “Man-in-the-Middle” Scenarios
• VPNs Built Between:
– Routers
– VPN Appliances
– Soft Clients
• VPN Types:
– IPsec Based
– SSL Based
– GRE Tunnel
Conceptual VPN
[Diagram: Router 1 (LAN 192.168.10.1 /24, public side 192.168.20.1 /24) and Router 2 (public side 192.168.20.254 /24, LAN 192.168.30.1 /24) joined across a Public Network; host 192.168.10.10 /24 behind Router 1, host 192.168.30.20 /24 behind Router 2]
Original IP Packet – Source: 192.168.10.10, Destination: 192.168.30.20
Encrypted Packet + VPN Header + New Header – Source: 192.168.20.1, Destination: 192.168.20.254
VPN Implementation “Virtual Private Network”
[Diagram: Internet (Outside) – Internal Network(s) with Application Servers; Demilitarized Zone “DMZ” with Web Server and Server; a VPN Concentrator at the Corporate Office; a VPN Access Appliance at the Remote Office; a Remote User (VPN Client)]
A VPN is NOT a VLAN: the Essence of a VPN is a Tunnel Through a Network Infrastructure
[Diagram: Corporate Network Space at each end, Public Network Space (Public Internet, ISP “A”, ISP “B”) in between, with a Layer 2 ENCRYPTED Tunnel carried across it]
Do Not Confuse VLANs and VPNs
Layer 2 Guidelines
• Ensure User Switch Ports Are Set as “Non-Trunking”
• Disable Un-Used Switch Ports
• Place Unused Ports in a Non-Used “Black Hole” VLAN
• Never Use VLAN 1
• Create a Secure Management Environment:
– SSH Access (Secure Shell)
– OOB Access (Out of Band)
– Use ACLs (Access Control Lists)
Apply Layered Network Design
• Separate Networks into “Layers” or Zones or Groups With Different Security Access & Control:
– External or Public Network
– “DMZ” or Demilitarized Zone or Perimeter Network
– Internal or Private Network(s)
– Apply Access Control Between Internal Networks!
[Diagram: PUBLIC “External” NETWORK (Non-Secure) – “DMZ” NETWORK – PRIVATE “Internal” NETWORKS NET A, NET B, NET C (Secure)]
Security “Best Practices” to Consider
• Recognize Physical Security
• Change Default Logins
• Utilize Strong Passwords
• Disable Services Not Required
• Adopt a Layered Design Approach
• Segregate Network(s)
• Separate Networks via VLANs
• Implement Switch Port Security
• Utilize Packet Filtering in Routers & Firewalls
• Do Not Overlook Egress Traffic
• Deny All Traffic – Then Permit Only Required
• Keep Up With Equipment “Patches”
• Utilize Access Logging on Key Network Devices
• Utilize Session Timeout Features
• Encrypt Any Critical Data
• Restrict Remote Access Source
• Understand & Know Your Network Baseline
• Actively Monitor and Look for Abnormalities
• Limit “Need-to-Know”
• Disable External “ICMP” Access
• Don’t Use VLAN 1
Takeaway Points
• Understand Security Threats
• Segment Your Network
• Implement “Switch-Port” Security
• Use Firewalls to Deny Access
• Use VPN to Provide Access
• Monitor Network Activity – Know the “Norm”
• Remember The “Security Lifecycle”
CBNE Study Topics & Practical Exercise
Cable Category Types
Category | Maximum Speed | Application
1 | 1 Mbps | Voice (not for Ethernet)
3 | 10 Mbps | Ethernet 10BaseT
5 | 100 Mbps | Ethernet 100BaseT
5e | 1 Gbps | Ethernet 1000BaseT
6 | 10 Gbps | Ethernet 10GbE
6a | 10 Gbps | Ethernet 10GbE
For More Information:
http://www.lanshack.com/cat5e-tutorial.aspx/
Ethernet Cable Wiring - Straight
[Figure: straight-through pinout]
Ethernet Cable Wiring - Cross
[Figure: cross-over pinout]
Ethernet Cable Types
[Diagram: Router 1, Router 2 and Router 3 interconnected on their Ethernet 0, Ethernet 1 and Ethernet 3 interfaces; Cable Type Legend: Straight-Through, Cross-Over]
Straight-Through Cable: EIA/TIA-568B on both ends; DTE Device (MDI) to DCE Device (MDIX); pins 1, 2, 3, 6 connect to pins 1, 2, 3, 6, so TX on one side meets RX on the other.
Cross-Over Cable: EIA/TIA-568A on one end, EIA/TIA-568B on the other; DCE Device (MDIX) to DCE Device (MDIX); pins 1, 2 connect to pins 3, 6 and pins 3, 6 to pins 1, 2, so TX meets RX.
Typical Cable Selection (non auto-MDIX devices): a table of Switch, Hub and Router pairings labelled MDI / MDI-X; a Straight-Through Cable joins an MDI port to an MDI-X port, a Cross-Over Cable joins like ports (MDI to MDI, or MDI-X to MDI-X).
Ethernet Physical Standards
IEEE Standard | Physical Standard | Cable Type | Speed | Maximum Length
802.3a | 10-Base-2 | Coax (thin-net) | 10 Mbps | 185m
802.3 | 10-Base-5 | Coax (thick-net) | 10 Mbps | 500m
802.3i | 10-Base-T | Twisted Pair | 10 Mbps | 100m
802.3u | 100-Base-TX | Twisted Pair | 100 Mbps | 100m
802.3u | 100-Base-T4 | Twisted Pair | 100 Mbps | 100m
802.3u | 100-Base-FX | MM Fiber | 100 Mbps | 400-2000m
802.3u | 100-Base-SX | MM Fiber | 100 Mbps | 500m
802.3ab | 1000-Base-T | Twisted Pair | 1 Gbps | 100m
802.3z | 1000-Base-SX | MM Fiber | 1 Gbps | 500m
802.3z | 1000-Base-LX | MM Fiber | 1 Gbps | 500m
802.3z | 1000-Base-LX | SM Fiber | 1 Gbps | Several Km
802.3an | 10G-Base-T | Twisted Pair | 10 Gbps | 100m
802.3ae | 10G-Base-SR | MM Fiber | 10 Gbps | 300m
802.3ae | 10G-Base-LR | SM Fiber | 10 Gbps | Several Km
and 20 Gigabit, 40 Gigabit, & 100 Gigabit Ethernet are emerging ……
Fiber Optic Connector Types
Power Over Ethernet - PoE
• Allows Data & DC Power To Be Carried on the Same UTP Cable
• IEEE Standardized:
– 802.3af 13w device power (minimum 44 V DC and 350 mA)
– 802.3at “PoE+” 25w device power
• Power Sourcing Equipment:
– PoE Compliant Switch
– PoE Injectors
WAN Technology
• Generally Categorized as Dedicated, Circuit Switched, or Packet Switched:
• Dedicated
– T-Carrier (data)
– Optical Carrier
• Circuit Switched
– ISDN – BRI
– ISDN – PRI
– T-Carrier (voice)
• Packet Switched
– X.25
– Frame Relay
– ATM
– ADSL / HDSL
– Metro Ethernet Offerings
WAN Link Types
Line Type | Signaling Type | Bit Rate
64 | DS0 | 64 kbps
T1 or DS1 | DS1 | 1.544 Mbps
T3 or DS3 | DS3 | 44.735 Mbps
SONET OC | SONET STS | Bit Rate
OC-1 | STS-1 | 52 Mbps
OC-3 | STS-3 | 155 Mbps
OC-12 | STS-12 | 622 Mbps
OC-48 | STS-48 | 2400 Mbps
OC-96 | STS-96 | 5000 Mbps
DS1 Configuration
• DS1 or T1 Types:
– Channelized (voice)
– PRI (ISDN) (voice or data)
– Clear Channel (data)
• Encoding
– AMI (voice)
– B8ZS (data)
• Framing
– D4 Super Frame (voice)
– Extended Super Frame (data)
• Timing – Must specify source
WAN Component Example: Point – Point T-1 or DS-1
[Diagram: Router 1 (Ethernet 1, Serial 1) – CSU/DSU – DS-1 WAN – CSU/DSU – Router 2 (Serial 1, Ethernet 1)]
Possible Interfaces That Might Be Found
WAN Component Example: Integrated Services Digital Network
• ISDN - Integrated Services Digital Network
– ISDN – BRI 2 “B Channels” + “D Channel”
– ISDN – PRI 23 “B Channels” + “D Channel”
• “B” Channel – Bearer Channel – 64k
• “D” Channel – Signaling Channel – 16k / 64k
ISDN Reference Devices
• TE1 – Terminal Equipment Type 1 – ISDN Telephone Set or Computer Device
• TE2 – Terminal Equipment Type 2 – POTS Deskset
• TA – Terminal Adapter – Interfaces analog devices
• NT1 – Network Termination Type 1 – TELCO termination Point (Home)
• NT2 – Network Termination Type 2 – TELCO termination Point (PBX)
• LT – Line Termination
• ET – Exchange Termination
[Diagram: the reference devices laid out from the customer side to the Telco Central Office]
Frame Relay Basics
• Standardized Packet Switched Network Technology
• Physical & Data Link Layer Based
• Local and Nationwide Scope Reach
• Frame Relay Switches Create Virtual Circuits Between Customer Endpoints
• Permanent Virtual Circuit (PVC) Provided to Customer
• Delivered via Leased Line Facilities – Often Fractional T1 (< 1.5 Mbps) – 56 kbps or 64 kbps increments
• Data Link Connection Identifier – DLCI:
– Identifies the Virtual Connection
– Physical Link Can Accommodate Multiple DLCI’s
– Unique Only To The Endpoint
• Committed Information Rate – CIR
• Extended Information Rate – EIR
Frame Relay Architecture
[Diagram: TELCO Frame Relay Network (“Frame Relay Cloud”) of Frame Relay Switches with Local or Nationwide Scope; three Premise Frame Relay Routers attached via DLCI 100, DLCI 200 and DLCI 300; PVC’s Created Between Customer Endpoints]
Audio & Video Digital Signal Standards
• Digital Audio:
– AES3
• 32/44.1/48/96 kHz Sampling
• 16 – 24 bits
• Mono or Stereo
• Balanced 110 ohm
• Unbalanced 75 ohm
– AC3
• Compressed
• 5.1 channel based (6 channels)
• AC3 Metadata
– Dolby E
• Compressed
• 8 channel
• Bound to Video Frame
• Digital Video:
– SMPTE 259M SD-SDI 270 Mbps
– SMPTE 344M ED-SDI 540 Mbps
– SMPTE 292M HD-SDI 1.485 Gbps
– SMPTE 372M Dual Link HD-SDI 2.97 Gbps
– SMPTE 424M 3G-SDI 2.970 Gbps
Broadcast Digital Content Management & Workflow
[Diagram: workflow stages]
• Acquisition – Record, Log, QC
• Production – Ingest, Encoder, Add Metadata, QC
• Asset Management – Catalog, Search, Archive, Store
• Distribution – Encode, Transcode, Digital Rights Mgmt, Brand, Stream, Transfer
Content Management & Workflow
• Workflow: The decisions and processes that occur in the broadcast plant from the moment a Media Asset enters the system to the distribution of the Media Asset at the output of the system.
• Media Asset (SMPTE definition): Essence + Metadata + Content Rights
Wrapper Types:
[Diagram: a Wrapper containing Metadata and Essence]
Wrappers:
• GXF – General Exchange Format
• MXF – Material Exchange Format
• AAF – Advanced Authoring Format
• QT – Quick Time
• LXF – Leitch Exchange Format
• WMF – Windows Media Format and others ……….
General Server Storage
• Hard Disk Interface Types
– SCSI
– IDE
– SATA
– Fibre Channel (FC)
• RAID Basics
• NAS Fundamentals
• SAN Architecture
Hard Disk Interface Types – Data Transfer Rate (maximum)
• SCSI 160 MBps – 320 MBps
• IDE/ATA 100 MBps – 133 MBps
• SATA 150 MBps – 300 MBps
• FC 400 MBps
RAID Level Basics Redundant Array of Independent (Inexpensive) Disks
• RAID Technology:
– Striping
– Mirroring
– Parity
• Choosing a RAID Level:
– Cost
– Data Availability (protection)
– Performance (read/write)
• Levels:
– RAID 0
– RAID 1
– RAID 5
– RAID 10 (RAID 1 + 0)
– And many more……….
RAID Level Overview:
RAID Level 0 – Data Blocks Striped, No Redundancy, High Performance
[Diagram: blocks A, C, E on one disk and B, D, F on the other]
2 disks minimum; Usable Capacity = 100%
RAID Level 1 – Data Blocks Mirrored, High Redundancy, Good Performance
[Diagram: blocks A, B, C written identically to both disks]
2 disks minimum; Usable Capacity = 50%
RAID Level 5 – Data Blocks Striped + Parity, Good Redundancy, Good Performance
[Diagram: blocks A through F and their Parity blocks distributed across three disks]
“Most Popular Server Configuration”; 3 – 16 disks; Usable Capacity = 67 – 94%
RAID Level 10 or “1 + 0” – Data Blocks Mirrored + Striped, High Redundancy, High Performance
[Diagram: mirrored pairs A/A, C/C, E/E and B/B, D/D, F/F across four disks]
“Best Configuration – Mission Critical Apps”; 4 disks minimum; Usable Capacity = 50%
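An added example (not from the tutorial) of how RAID 5 forms parity and survives a single disk failure: data blocks are striped across the disks with the parity block rotating to a different disk on each stripe, and a lost disk is rebuilt as the XOR of the survivors; usable_capacity() reproduces the 67 – 94% figure for 3 – 16 disks. Block contents are constructed one-byte samples standing in for real sectors.

```python
# RAID 5 striping with rotating parity and single-disk recovery, as an added
# illustration of the "Data Blocks Striped + Parity" slide (not from the
# tutorial). Blocks are tiny constructed byte strings; real arrays use sectors.

def xor_blocks(blocks):
    """XOR equal-length byte blocks together; this is how parity is formed."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)

def parity_disk_for(stripe_index, n_disks):
    """Parity position rotates one disk per stripe (left-symmetric layout)."""
    return (n_disks - 1 - stripe_index) % n_disks

def raid5_write(data_blocks, n_disks):
    """Distribute data over n_disks (>= 3); returns one block list per disk.

    Each stripe holds n_disks-1 data blocks plus one parity block, so no
    single disk carries all the parity writes (the RAID 4 bottleneck).
    """
    assert n_disks >= 3, "RAID 5 needs at least 3 disks"
    per_stripe = n_disks - 1
    disks = [[] for _ in range(n_disks)]
    for s, start in enumerate(range(0, len(data_blocks), per_stripe)):
        stripe = data_blocks[start:start + per_stripe]
        stripe += [bytes(len(data_blocks[0]))] * (per_stripe - len(stripe))  # zero pad
        pd, data_iter = parity_disk_for(s, n_disks), iter(stripe)
        for d in range(n_disks):
            disks[d].append(xor_blocks(stripe) if d == pd else next(data_iter))
    return disks

def raid5_read(disks):
    """Return the data blocks in order (padding included), skipping parity."""
    n, out = len(disks), []
    for s in range(len(disks[0])):
        pd = parity_disk_for(s, n)
        out += [disks[d][s] for d in range(n) if d != pd]
    return out

def raid5_recover(disks, failed):
    """Rebuild every block of one failed disk by XOR of the surviving disks."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]

def usable_capacity(n_disks):
    """Fraction of raw capacity left for data: one disk's worth goes to parity."""
    return (n_disks - 1) / n_disks
```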
NAS & SAN Architecture
• Network Attached Storage NAS – Provides File System & Storage (stand alone); File Level Based – Shared Storage Over Shared Network
• Storage Area Network SAN – Provides Storage Only; Block Level Based – Shared Storage Over Dedicated Network
[Diagram: NAS – a NAS Server and File Servers serving Workstation Clients over the shared network; SAN – File Servers, an Application Server, an Archive Tape Robot and a RAID Subsystem attached to a dedicated SAN]
Wireless Fidelity Networking
• 802.11 Standards:
– 802.11a 5 GHz 54 Mbps (maximum)
– 802.11b 2.4 GHz 11 Mbps
– 802.11g 2.4 GHz 54 Mbps
– 802.11n 2.4/5 GHz 600 Mbps
• Frequency Bands (ISM):
– 2.4 GHz: 2.4 – 2.497 GHz
– 5 GHz: 5.15 – 5.875 GHz
• Wireless Security:
– WEP
– WPA
– WPA2 (802.11i)
Tutorial: http://www.radio-electronics.com/info/wireless/wi-fi/ieee-802-11-standards-tutorial.php
IEEE 802.11 Wi-Fi
| 802.11 | 802.11a | 802.11b | 802.11g | 802.11n
Standardized | 1997 | 1999 | 1999 | 2003 | 2010
Frequency | 2.4 GHz | 5 GHz | 2.4 GHz | 2.4 GHz | 2.4/5 GHz
Channels | 3 | <24 | 3 | 3 | Variable
Modulation | IR, FHSS, DSSS | OFDM | DSSS | DSSS/OFDM | DSSS, CCK, OFDM
Mbps | 1, 2 | 6, 9, 12, 18, 24, 36, 48, 64 | 1, 2, 5.5, 11 | 1, 2, 5.5, 11, 6, 9, 12, 18, 24, 36, 48, 64 | >100 (MIMO supported)
Modulation Legend:
IR – Infrared Radiation
FHSS – Frequency Hopping Spread Spectrum
DSSS – Direct Sequence Spread Spectrum
OFDM – Orthogonal Frequency Division Multiplexing
2.4 GHz Channels
[Figure: 2.4 GHz channel plan]
5 GHz Channels
[Figure: 5 GHz channel plan]
Practical Exercise Two Goals:
• Summary of Practical Network Design Considerations
• CBNE Essay Question Prep
Thank You for Attending!
Wayne M. Pecena, Texas A&M University
[email protected] [email protected] 979.845.5662
? Questions ?