“Advanced IP Networking for Broadcast Engineers”

Tutorial & CBNE Study Topics

Wayne M. Pecena, CPBE, CBNE Texas A&M University

Office of Information Technology

Educational Broadcast Services

SBE Networking Certifications

CBNT Certified Broadcast Networking Technician

• This certification is designed for persons who wish to demonstrate a basic familiarity with networking hardware as utilized in business and audio/video applications in broadcast facilities.

• Exam Focus: – Network topologies and layouts

– Common network protocols

– Wiring standards and practices

– Maintenance, troubleshooting and connectivity issues

– Challenges unique to broadcast-based networks

CBNE Certified Broadcast Networking Engineer

2

• This certification is an “Advanced” level that reflects the skill and knowledge that will be required in today's world of converged IT and broadcast engineering.

• Exam Focus:

– Audio/Video over IP

– Digital Content Management

– Video Systems in an IT World

– Data Transmission Systems

– General IT Hardware

“Advanced IP Networking for Broadcast Engineers” Tutorial & CBNE Study Topics

3

Advertised Tutorial Scope:

This course will focus on deeper understanding and application of the

fundamentals in real-world IP networking environment. Emphasis will be

placed upon designing an IPv4 Addressing plan, IP Subnetting, Ethernet

Switching with VLAN implementation, IP Routing, Network Security, and

transport of audio and video content in an IP network infrastructure.

Additional topics will include an overview of related content found on the

Society of Broadcast Engineers CBNE examination including a practical

exercise designed to help prepare for the CBNE exam essay question(s).

Content Breakdown:

20% - Fundamentals of IP Networking Review

60% - Advanced IP Networking With Routing & Switching

Implementation Focus

20% - CBNE Study Topics

“Advanced IP Networking for Broadcast Engineers” Tutorial & CBNE Study Topics

OUTLINE:

• IP Networking Fundamentals Review

• Layered Network Design for Security & Performance

• Ethernet Switching In-Depth

• IP Routing In-Depth

• IP Addressing & Subnetting In-Depth

• Building the Network Infrastructure

• CBNE Study Topics & Practical Exercise

4

IP Networking Fundamentals Review

5

What is a Network? • The Foundation for Human Interaction.

• A Group of Computers That are Interconnected to Share Resources and Information.

• A group of Hosts That Share a Common Address Scheme.

• Networks are often defined by their geographic reach:

– Local Area Network - LAN

– Wide Area Network - WAN

– Metropolitan Area Network - MAN

– Campus Area Network – CAN

• Networks Can Be Defined By Their Function:

– Storage Area Network - SAN

6

5 Things Required To Build a Network

• Send Host

• Receive Host

• Message or Data to Send Between Hosts

• Media to Interconnect Hosts

• Protocol to Define How Data is Transferred

7

Protocols

Send Host Receive Host

MediaMedia

DATA

Remember - A Host is Any Device That Can Be Connected to a Network

Standards Organizations De Jure & De Facto

• IETF – Internet Engineering Task Force

– The Internet Standard RFC’s Originate Here

• IEEE- Institute of Electrical & Electronic Engineers

– Ethernet & Wireless LAN Standards

• ITU – International Telecommunications Union – Global Telecommunications Standards (ie PSTN)

• EIA – Electronic Industries Association

– Focused on Physical Layer Standards

• ISO – International Standards Organization

– OSI Reference Model Creation

8

IETF – Internet Engineering Task Force

• Request for Comments – RFC’s

– The “Standards Bible” of the Internet

– Used to Explain All Aspects of IP Networking

– Nomenclature “RFC xxxx”

• Requirement Levels:

– Required

– Recommended

– Elective

– Limited Use

– Not Recommended

9

www.rfc-editor.org/rfc.html

IEEE- Institute of Electrical & Electronic Engineers

• Project 802 Ethernet Standards: – 802.1 Bridging

– 802.3 Ethernet

– 802.11 Wireless

10

http://standards.ieee.org/about/get/

ITU – International Telecommunications Union

• ITU-T Sector Provides Standardization of Global Telecommunications Standards (except radio)

• Key Standards include: – Coding of Audio – G.711 & G.72x series

– Coding of Still Images - JPEG-2000 / T.800 series

– Video Coding - MPEG2 / MPEG-4 AVC

– ISDN (Integrated Services Digital Network) – Q.931

– Optical Transport Network (OTN) - G.709 series

– Passive optical networks (PON) - G.983 series

– Public Telecommunication Numbering Plan – E.164

– Signalling System 7 - Q.7xx series

– (x) Digital Subscriber Line)

11

www.itu.int

The OSI Model Open Systems Interconnection (OSI) Model

Developed by the International Organization for Standardization (ISO) A Conceptual Model – Abstract in Nature – Modular in Structure

Provides “Layer Swapping” – Partitions Communications Function - Defines How Data Traverses From An Application to the Network

12

Networking

Focus

“All People

Seem To

Need Data

Processing”

OR

“Please Do

Not Throw

Sausage

Pizza Away”

Open Systems Interconnection “OSI” Model

13

Application

Session

Presentation

Transport

Physical

Data Link

Network

7

5

6

4

1

2

3

User Application Interaction

Tracks User Sessions

Inter-Host Communications

Standardizes Data Encoding/Decoding/

Compression/Encryption

Manages End-End Connections:

TCP, UDP, & Flow Control

Interfaces to Physical Network, Moves Bits Onto &

Off Network Medium

Provides Network Access Control, Physical

Address (MAC), & Error Detection

Provides Internetwork Routing (path)

Provides Virtual Addressing (IP)

The OSI Model Expanded

14

Application

Session

Presentation

Transport

Physical

Data Link

Network

7

5

6

4

1

2

3

BITS

(data stream)

SEGMENT

PACKET

(Datagram)

FRAME

PORT

IP

ADDRESS

MAC

ADDRESS

SESSION ID

Layer AddressingPDU

Another OSI Model Perspective

15

EMAIL RS-xxx

PPP

IPv4TCP

25POP

SMTP

Net Mgmt

File Transfer

WEB

Directory

SNMP

FTP

HTTP

DNS

161 / 162

20 / 21

80

53

UDPIPv6

802.2 SNAP

Ethernet II

ISDN

ADSL

Fiber

Coax

CAT 5

Application

7

Presentation

6

Session

5

Transport

4

Network

3

Data Link

2

Physical

1

Application Layers

Data Flow Layers

Encapsulation Data is “Encapsulated” As It Travels Through the “Stack” From Application

16

Encapsulation & De-Encapsulation

Application

Session

Presentation

Transport

Physical

Data Link

Network

Segment

Bits

Frame

Packet

PDU

Upper Level Data

Upper Level Data

Data

Data

TCP Header

IP Header

LLC Header

0110010111001000111000111010

DataMAC Header

CS

CS

Application

Session

Presentation

Transport

Physical

Data Link

Network

Upper Level Data

17

The Protocol Data Unit

18

Source PortDestination

PortData

Destination IP Protocol Segment

EtherType

Packet

Source IP

SourceMAC

DestinationMAC

FCS

11010011010111101100101010010001000010101010101000011111111

Segment

Packet

Frame

Bit

“Some

People

Fear

Birthdays”

TCP/IP Focused Models DOD Model Stack or TCP/IP Model Stack Focused on IP

19

Application

Session

Presentation

Transport

Physical

Data Link

Network

Application

Host to Host

Network

Internet

OSI Model DoD Model

Application

Transport

Network

Interface

Internet

TCP/IP Model

TCP/IP Focused

The Models in Comparison

20

Application

Session

Presentation

Transport

Physical

Data Link

Network

7

5

6

4

1

2

3

Transport

Internetwork

Network

AccessProvides Media

Interface, Topology

Provides Data

Sequencing, Flow

Control, Integrity

Provides Logical

Addressing, Fragmentation,

End-End Delivery

Provides Physical

Addressing, Error

Correction

Service Provided to

Applications

Provides

Conversation Control

Provides Data

Formatting

3

1

2

LLC

MAC

The OSI Model TCP/IP Model Encapsulation

Application4

The OSI Model is a conceptual framework model independent of

protocols.

The TCP/IP Model is an implementation of the OSI Model that describes

the framework of the TCP/IP protocol suite.

TCP/IP describes how data is addressed, routed, and formatted for end-

end connectivity between computer hosts.

IP

Network

Interface

TCP UDP

Application Data

Segments

Bits

Frames

Packets

DoD Model

The Real – World OSI Model RFC 2321

“A Description of the usage of Nondeterministic Troubleshooting and Diagnostic Methodologies”

21

ID10T Errors Occur Here

1 - The Physical Layer

22

Medium defined

Physical interface defined

Places bits onto the physical network medium

Controls the signaling

Takes bits off the physical network medium

Sends / Receives frames to/from the Data Link Layer

Ethernet Beginnings

• Conceptually Based Upon “ALOHA NET”

– Developed as a “Wireless” Network by Norman Abramson & colleagues

– Deployed at the University of Hawaii in 1971

• Later Refined at Xerox PARC in 1973

– Bob Metcalf & David Boggs “Fathers of Ethernet”

• More Ethernet History:

http://ethernethistory.typepad.com/

23

Ethernet Evolution • Developed in Early 70’s at Xerox PARC

• Standardized as Ethernet Version 1 by Digital Equipment, Intel, & Xerox – DIX Standard

• Refined in 1982 as Ethernet II

• IEEE Releases Formal 802.3 Ethernet Standard in the mid 80’s

24

Ethernet Media Evolution

25

Thicknet Vampire

Tap

Thinnet

Topology Also Migrates from “Bus” to “Star” Based

The OSI Model & Ethernet Types

26

Data

Link

Layer

Physical

Layer

Physical

Layer

802.2LLC

MAC

Eth

ern

et

Eth

ern

et

80

2.3

Eth

ern

et

80

2.3

ab

Gig

ab

it E

the

rne

t

(co

pp

er)

Eth

ern

et

80

2.3

z

Gig

ab

it E

the

rne

t

Eth

ern

et

80

2.3

u

Fa

st E

the

rne

t

To

ke

n R

ing

80

2.6

FD

DI

CSMA / CD Carrier Sense Multiple Access with Collision Detection

27

Collision Collision

Jam Signal Placed on Wire

Ethernet CSMA/CD

• Original Ethernet Utilized a “Shared Medium”

• Half-Duplex Utilizes CSMA/CD “Carrier Sense Multiple Access with

Collision Detect”

• Full-Duplex Disables CSMA/CD • Valid Modes:

– Half/Full 10 Mbps – Full/Half 100 Mbps – Full 1000 Mbps

28

Ethernet Auto-Negotiation • Auto Configuration of Port Duplex & Speed

– Utilizes Ethernet FLP & NLP Bursts

• Duplex – Half Duplex or Full Duplex

• Speed – 10 / 100 / 1000 Mbps

• Be Careful Depending Upon Auto-Negotiation

• Insure Both Endpoint Devices Are Set to Auto – 10 Mbps Full Duplex is Not a Valid Mode

– 100 Mbps Half Duplex Indicates Auto-Negotiation Failure

• IMHO Best Practice – Static Configure Infrastructure – Duplex Mismatch = Poor Performance = CRC Errors

29

Duplex Mismatch Result

30

Switch

Host

RX

TX

Half – Duplex

Switch

Port

TX

RX

Full – Duplex

Server Interface

Always TransmitMonitored for Received

Frames

Transmits When

No Receive Activity

When Duplex Mismatch Occurs:

High Collision Rate Results, thus Performance Reduced

CSMA/CD

NOT Enabled

In Full Duplex

Ethernet Physical Standards

31

Ethernet GBIC & SFP Modules

32

“Giga-Bit Interface Converter” - GBIC Transceiver

SC Fiber Connector

“Single Form-factor Pluggable” – SFP (mini GBIC) Transceiver

LC Fiber Connector

Copper or Optical Based Transceiver to Provide Flexible

Physical Interface

-1000Base-T (some support 100/100-Base-T as well)

- 1000Base-SX / LX / ZX - Multi-Mode / Single-Mode Fiber

Power Over Ethernet - PoE

• Allows Data & DC Power To Be Carried on the Same UTP Cable

• IEEE Standardized: – 802.3af 13w device power (minimum 44 V DC and 350 mA)

– 802.3at “PoE+” 25w device power

• Power Sourcing Equipment:

33

PoE Compliant Switch

PoE

Injectors

2 - The Data Link Layer

34

Data Link

Layer

LLC Sublayer

MAC Sublayer

Network Layer Packets Encapsulated or De-Encapsulated

Into/From into Frames

Physical or Hardware Addressing Implemented

Defines Network Topology

Unique

The Data Link Sub-Layers:

35

LLC Sublayer

MAC Sublayer- Physical Addressing (MAC Address)

- Transmitting On The Media

- Flow Control

- Error Control (CRC)

- Synchronization

Data Link Functions:

Package Frames

Transmit Frames

Control Flow

Error Correction

Network ID

Data Link Frames:

Are Likely Ethernet Layer 2 Protocol Data Units

But, they could be:

Token Ring Layer 2 Protocol Data Units

Frame Relay Layer 2 Protocol Data Units

Ethernet Basics IEEE 802.3

• The “de facto Standard” of Networking Today!

• Based Upon Contention-Access to the Wire

• 4 Basic Building Blocks of the Ethernet System

– The Ethernet Frame

• 802.3 Raw Early Novell Netware IPX

• 802.2 LLC Current Novell NetWare IPX

• Ethernet II (DIX) TCP/IP

• Ethernet SNAP IPX, AppleTalk v2

– Media Access Control Protocol

– Signaling Components

– Physical Medium

36

The Layer 2 Ethernet Frame

Preamble TypeSource

Address

Destination

AddressData CRC

An Ethernet II (DIX) Frame

8

BYTES

6

BYTES

6

BYTES

2

BYTES46 – 1500 BYTES

VARIABLE

4

BYTES

Invalid FRAME Lengths:

< 64 BYTES = “RUNT” FRAME

> 1518 BYTES = “GIANT” FRAME

Note – Preamble Not Used in Frame Length Calculation

TypeSource

Address

Destination

AddressData CRC

64 Byte Minimum

37

Ethernet Network Physical Addressing

• MAC Address – 6 Bytes – Hexadecimal Notation - 00:12:3F:8D:4D:A7

– Layer 2 Physical Address (local network segment)

– Fixed – Assigned by NIC Mfg.

– Local Scope

38

172.15.1.1 172.15.2.2 DATA Trailer00:12:3F:8D:4D:A7FF:FF:FF:FF:FF:FF

Destination

MAC

Source

MAC

Destination

IP

Source

IP

IP Packet

Ethernet Frame

Simplified Representation

Organization Unique Identifier

(OUI)Mfg. Assigned

24 bits

48 bits

24 bits

6 hexadecimal digits 6 hexadecimal digits

A4 : 67 : 06 AB : 41 : D5

OUI A4:67:06 = Apple, Inc.

Media Access Control (MAC) Address

http://www.wireshark.org/tools/oui-lookup.html

http://standards.ieee.org/develop/regauth/oui/public.html

MAC Address Formats Always 48 Bits – Expressed as Hexadecimal

40

Byte

6

Byte

1

Byte

2

Byte

3

Byte

4

Byte

5

6 Bytes

Organization Unique

Identifier “OUI”

Network Interface

Controller “NIC”

Can Be Represented in Several Formats:

00:A0:C9:14:C8:29

00-A0-C9-14-C8-29

00A0.C914.C829

3 - The Network Layer

41

Network 1 Network 2

Network 3 Network 4

Network 5

Router A

Router B

Router C

Internetwork Communications Focused:

Packet Delivery from Source Host

To Destination Host

Logical Addressing Scheme

Implementation

Routing Decisions via Routing Protocols

IP Network Virtual Addressing

• IP Address – 4 Bytes – Doted Decimal Notation - 172.15.1.1

– Layer 3 Logical Address (global routed)

– Can Change – Determined by Network - Assigned by User

– Global Scope

42

172.15.1.1 172.15.2.2 DATA Trailer00:12:3F:8D:4D:A7FF:FF:FF:FF:FF:FF

Destination

MAC

Source

MAC

Destination

IP

Source

IP

IP Packet

Ethernet Frame

Simplified Representation

IP Packet – Layer 3 RFC 791

43

Version

(4)

Header

(4)

Precedence / Type

(8)

Length

(16)

Identification

(16)

Flag

(3)

Offset

(13)

Time to Live

(8)

Protocol

(8)

Header Checksum

(16)

Source IP Address

(32)

Options & Padding

(0 or 32)

Destination IP Address

(32)

Packet Payload

(Transport Layer Data)

32 bits

20

Bytes

L2 & L3 Flow Through an IP Network Summary

44

00:06:5B:01:02:03

192.168.1.101

00:06:5B:11:22:33

192.168.2.101

00:00:0C:C1:00:20

192.168.2.1

00:00:0C:C1:00:10

192.168.1.1

HOST A

HOST B

Source IP: 192.168.1.101

Destination IP: 192.168.2.101

Source MAC: 00:06:5B:01:02:03

Destination MAC: 00:00:0C:C1:00:10

Source IP: 192.168.1.101

Destination IP: 192.168.2.101

Source MAC: 00:00:0C:C1:00:20

Destination MAC: 00:06:5B:11:22:33

Frame & Packet Flow Through Network

45

00:06:5B:01:02:03

192.168.1.101

00:06:5B:11:22:33

192.168.1.104

00:00:0C:C1:00:01

192.168.1.102

00:00:0C:C1:00:30

192.168.1.103

00:00:0C:C1:00:20

192.168.100.102

00:00:0C:C1:00:10

192.168.100.101

Destination MAC

00:00:0C:C1:00:20

Source MAC

00:00:0C:C1:00:10

Source IP

192.168.1.101

Destination IP

192.168.1.104 DATAP

R

E

C

R

C

T

Y

P

E

Destination MAC

00:00:0C:C1:00:01

Source MAC

00:06:5B:01:02:03

Source IP

192.168.1.101

Destination IP

192.168.1.104 DATAP

R

E

C

R

C

T

Y

P

E

Destination MAC

00:06:5B:11:22:33

Source MAC

00:00:0C:C1:00:30

Source IP

192.168.1.101

Destination IP

192.168.1.104 DATAP

R

E

C

R

C

T

Y

P

E

HOST A HOST B

MAC Address Changes As Frame

Passes Through the Network

4 - The Transport Layer

46

Implements Reliable End-End Data Transport

Implements Fast Connectionless Data Transport

Implements Error Detection / Correction

Establishes Virtual Connect Between Hosts

Provides Segmentation, Sequencing, Flow Control

Send HostReceive Host

TCP 3-Way Handshake

47

Host 1 Host 2

SYN

SYN + ACK

ACK

Host 1 Sends

Synchronize Message

to Host 2

Host 2 Responds With

Acknowledgement

Plus Sends It’s Own

Synchronization

Message to Host 1Host 1 Completes the

3-Way Handshake By

Sending

Acknowledgement to

Host 2

Host 1 Initiates

Connection to Host 2

TCP Basics Transmission Control Protocol

RFC 675 and later v4 in RFC 793

• “Connection – Oriented” Protocol – Connection Establishment

– Segmentation & Sequencing

– Acknowledgement

– Flow Control or Windowing

• Guaranteed Or Reliable Data Delivery – Acknowledgment of Packet Receipt

– Retransmission Occurs if Packet Not Received

• High Overhead

• Requires Establishment of a “Session”

• TCP Windowing Feature – Dynamic Window Sizing

– “Slow-Start”

48

TCP Windowing

49

100 101 102 103 104 105 106

Bytes Receive

Is Ready to Accept

107 108 109 110 111 112

TCP Receive Window

BYTES Sent

NOT AcknowledgedBYTES Sent &

AcknowledgedBytes Receiver

Is NOT Ready to Accept

RFC 1072 & RFC 1323

TCP Sequencing

50

Host 1

Host 2

Sequence Number 1

Sequence Number 1501

Receive ACK

Sequence Number 3001

Sequence Number 4501

Receive ACK

Receive 1 – 1500

Receive 1501 – 3000

Send ACK 3001

Receive 3001 – 4500

Receive 4501 – 6000

Send ACK 6001

1500 bytes

1500 bytes

1500 bytes

1500 bytes

TCP Connection

Established

Window Size = 3000

TCP Connection Termination

51

Host 1 Host 2

FIN

FIN + ACK

ACK

Host 1 Sends Finish

Message to Host 2

Host 2 Responds With

Finish Plus Sends It’s

Own Synchronization

Message to Host 1

Host 1 Completes the

Termination By

Sending

Acknowledgement to

Host 2

Host 1 is Ready to

Terminate Connection

The TCP Session Summary

52

SYN + ACK

Time

Network

SYN

ACK

FIN

FIN

ACK

ACK

ACK

Connection

Closed

Listen

SYN Sent

SYN Received

Connection

Established Connection

Established

Connection

Closed

FIN Wait 1

FIN Wait 2

CLOSE Wait

Last ACK

ACK

ACK

Data Segment 1

Data Segment 2

Data Segment 3

TCP Congestion Control RFC 5681

• Control Mechanisms Based Upon Changing Network Environment: – Slow Start

– Congestion Avoidance

– Fast Retransmit

– Fast Recovery

• TCP Window – Defines Amount of Data That Can Be Transmitted

• Slow Start (Exponential Growth) – Increases TCP Window Over Time Until Congestion Occurs

53

TCP Congestion Control

54

Time

Da

ta T

hro

ug

hp

ut

Average

Throughput

Packet Loss Detection

Points

Slow

StartBackoff

RFC 5681

UDP Basics User Datagram Protocol

RFC 768

• “Connectionless” Protocol

• Simple or Lightweight, but Inherently Unreliable

• “Best Effort” Data Delivery

• Low Overhead, Thus Low Latency

• Why Use?

– Required for Real-Time Applications: • VOIP or “Video Over IP” or “Voice Over IP”

• AOIP or Audio Over IP”

– Latency More Detrimental Than Data Loss

55

UDP Session

56

Network

SYN

SYN + ACK

ACK

Data

Data

Data

Time

Data

Data

TCP Used to

Establish UDP

Session

TCP and UDP Headers

57

TCP vs UDP TCP

• Connection Oriented

• Guaranteed Delivery

• Acknowledgments Sent

• Reliable, But Higher Latency

• Segments & Sequences Data

• Resends Dropped Segments

• Provides Flow Control

• Performs CRC

• Uses Port Numbers for Multiplexing

UDP • Connectionless

• Not Guaranteed

• No Acknowledgements

• Unreliable, But Low Latency

• No Sequencing

• No Retransmission

• No Flow Control

• Performs CRC

• Uses Port Numbers for Multiplexing

58

Common TCP/IP Protocols • HTTP - Hyper Text Transfer Protocol • HTTPS - Secure HTTP • SSL - Secure Sockets Layer • SMTP - Simple Mail Transfer Protocol • MIME - Multi-purpose Internet Mail Extensions • IMAP - Internet Message Access Protocol • POP - Post Office Protocol • FTP - File Transfer Protocol • NTP - Network Time Protocol • DHCP - Dynamic Host Configuration Protocol • SNMP - Simple Network Management Protocol • LDAP - Lightweight Directory Access Protocol • ICMP - Internet Control Message Protocol • ARP - Address Resolution Protocol • RARP - Reverse Address Resolution Protocol • BOOTP - Boot Protocol

Primary TCP/IP System Protocols:

• ARP – Address Resolution Protocol

• DHCP – Dynamic Host Configuration Protocol

• DNS – Domain Name System

• ICMP – Internet Control Message Protocol

60

ARP Operation Address Resolution Protocol

• Local Network Scope

• Builds ARP Table or Cache - Maps an IP Address to a MAC Address - Refreshed

• Created Dynamically (Can Contain a Static Entry) – “Gratuitous” ARP Packet

61

Host 1:

192.168.1.10

00:07:E9:D4:EC:9A

Host 2:

192.168.1.20

00:07:E9:D4:EC:9B

Host 3:

192.168.1.30

00:07:E9:D4:EC:9C

Host 4:

192.168.1.40

00:07:E9:D4:EC:9D

Host 5:

192.168.1.50

00:07:E9:D4:EC:9E

1

2

Host 1 Host 5

Host 1 Broadcasts ARP

Request for 192.168.1.50

Host 5 Responds With It’s

MAC Address

00:07:E9:D4:EC:9E

ARP Cache

192.168.1.20 00:07:E9:D4:EC:9B

192.168.1.30 00:07:E9:D4:EC:9C

192.168.1.40 00:07:E9:D4:EC:9D

192.168.1.50 00:07:E9:D4:EC:9E Added

ARP Cache Updated:

192.168.1.50

00:07:E9:D4:EC:9E

3

DHCP Operation Dynamic Host Configuration Protocol

62

Client

DHCP Server

DHCP Discover – IP Address Request

DHCP Offer – IP Address Offer

DHCP Request – Select IP Address

DHCP ACK – Ack IP Address

DHCP ClientDHCP Client

Router

Configured for

DHCP Server

Must define:IP Pool

Lease Period

(default = 8 days)

DHCP provides IP Address & Mask.DHCP can also provide the Default Gateway , Domain Name, DNS Server Info, & Time Server Info

DNS Operation Domain Name System

• DNS Translates Host Names to an IP Address

• DNS is Hierarchical Based – Root @ Top Level

• DNS Records Provided: – A Address Record – Host IPv4

– AAAA Address Record – Host IPv6

– CNAME Canonical Host Name

– MX Mail Server Exchange Record

• Records Created By: – Manual Configuration (Hosts file)

– Dynamic Configuration via DNS Server

63

Basic DNS Flow

• DNS Servers: – Primary or Master – Start of Authority (SOA) Master Zone File

– Secondary or Slave

– Cache DNS

• Fully Qualified Domain Name (FQDN) www.nbcuni.com = 128.242.54.18 .com is the Top Level Domain

. nbcuni is the Secondary Level Domain www Represents a Host (http) in the “nbcuni.com” Domain

64

Client

Host

Internet

LAN

“Recursive”

DNS

Server

“Authority”

DNS

Server

DNS Hierarchy

65

Root DNS Servers

www.root-servers.org

Top Level Domain Servers

Secondary – Level

Domain Servers

DNS

ClientDNS

Client

.com

.org

.edu

ClearChannel.com TAMU.eduSBE.org

DNS

Client

ICMP Internet Control Message Protocol

• Network Layer Based – RFC 1256 – The “Tattle Tale” Protocol

• Common Messages: – Destination Unreachable

– Buffer Full

– Hops or Time Exceeded (TTL)

• Common Uses: – Ping

– Traceroute

ICMP

• Sends Error & Control Messages Between Hosts – Common Messages Include:

– Echo

– Echo Reply

– Destination Unreachable

– Time Exceeded

– Source Quench

– And Others ……

67

ICMP Messages: • Platform Utilized

by Ping & Traceroute

Utilities

68

ICMP Internet Control Message Protocol

Router A Router B

Switch 1 Switch 2

Host

A

Host B

Host

C

Host

D

Host A Sends Packet to Host C

X

ICMP Destination Unreachable

Host A Sends Packet to Host D

ICMP Destination Unreachable Returned

From Router B

Port Numbers RFC 1700

• Applications Are Indexed by a “Port Number”

• Allows Differentiation of Multiple Applications

• Port Numbers Can Be Between 0 - 65535

– 0–1023 Are Considered Reserved

– 1024–49151 Can Be Registered

– 49152–65535 Are Considered Dynamic or Private

• 65,535 TCP and 65,535 UDP Port Numbers

70

Common Port Numbers

• RESERVED PORTS

“System Port Numbers” • Port 20 / 21 – FTP “File Transfer Protocol”

• Port 23 – TELNET

• Port 53 – DNS “Domain Name Service”

• Port 80 – HTTP

• Port 110 – POP3 “Post Office Protocol”

• Port 123 – NTP “Network Time Protocol”

• Port 161 – SNMP “Simple Network Management Protocol” (UDP)

• Port 443 - HTTPS

• REGISTERED PORTS

“User Port Numbers” • Port 1720 – H.323 Video Call Setup

• Port 1812 – RADIUS Authentication

• Port 2000 – CISCO “Skinny”

• Port 3074 – “X-Box” Live

• Port 4664 – Google Desktop

• Port 5004 – RTP “Real Time Transport Protocol”

• Port 5060 – SIP “Session Initiation Protocol

• Port 5631 – PC Anywhere

• Port 8080 – Alternate HTTP

71

http://www.iana.org/assignments/port-numbers

Sockets

• A “Socket” Is a Combination of an IP Address & A Port Number

• Allows Multiple Network Services to Exist on the Same Host (IP Address)

• IP Address + Port Number = Socket

72

IP Address: 192.168.100.10

Port Number: 8080

Yields

Socket: 192.168.100.10:8080

Port Number Application Multiplexing

User PC

Email Ap

Browser AP

Media Player Ap

Server

Email

Web Server

Stream Media Server

Ethernet Web DataTCPIP

Ethernet Email DataTCPIP

Ethernet Stream Media DataUDPIP

Socket

IP Address

Protocol

Port Number

Port Number Application Multiplexing

User PC

Email Ap

Browser AP

Media Player Ap

Server

Email

Web Server

Stream Media Server

192.168.100.100

Stream

Media

Server

HTTP

Server

SMTP

Server

UDPTCP

192.168.100.100

Stream

Media

Player

Web

Browser

Mail

Client

UDPTCP

192.168.100.002

192.168.100.100 TCP 25 - 192.168.100.002 TCP 1245

192.168.100.100 TCP 80 - 192.168.100.002 TCP 1328

192.168.100.100 UDP 1755 - 192.168.100.002 UDP 1873

Transport Layer Port Numbering

75

Host 1

Host 2

1099 data ……...80

Source Port Destination Port

“Virtual Circuit” ID “Application” Port

80 data ……...1099

Destination PortSource Port

An Introduction to “IP Multicasting”

76

Multicast IP Address

77

Multicast Introduction

• IP Networking is Founded on an “Unicast” Model – One Send Host to One Receive Host

• Or the “Broadcast” Model – One Send Host to All Other Hosts on the Subnet

78

Network

Send Host

Multicast

• Multicast Adds a 3rd Packet Distribution Approach

– One Send Host to A Group of Receive Hosts on the Subnet

79

A Host Must Join

A Multicast Group

To Receive Multicast

Packets

Types of IP Packets on an IPv4 Network

• Unicast

– One Send Host TO One Receive Host

• Broadcast

– One Send Host TO ALL Hosts Within the Broadcast Domain

• Multicast

– One Send Host TO Specific Hosts

80

Unicast

81

Router A

Router B

Router C

Switch 1

Switch 6

Switch 3

Switch 4

Switch 5

Server A

Server B

Server C

Switch 2

Potential of 17

Sessions from the Server

Broadcast

82

Router A

Router B

Router C

Switch 1

Switch 6

Switch 3

Switch 4

Switch 5

Server A

Server B

Server C

Switch 2

Multicast

83

Router A

Router B

Router C

Switch 1

Switch 6

Switch 3

Switch 4

Switch 5

Server A

Server B

Server C

Switch 2

Why IP Multicast?

• Efficient Network Resource Use & Bandwidth Conserving Technology – Eliminates Network Traffic Redundancy on Segments

• Provides Server & CPU Load Decrease

84

Key Terminology To Be Aware Of:

• Multicast Group ID

• Class D IP Address Space

• Internet Group Management Protocol – IGMP

• Multicast Distribution Tree

• Protocol Independent Multicast – PIM

• Reverse Path Forwarding – RPF

85

Multicast Group ID

• The Multicast Group = Hosts That Want to Receive the Same Multicast

• The Multicast Group ID Identifies Each Group

• A Receiving Host Must Join a Group or Groups

• The Sending Host is Not Aware of the Receiving Host(s)

• Thus, UDP Must Be Utilized!

IP Multicast Addressing

• Layer 2 Addressing (physical address) – 23 Bits of 48 Bit MAC Address Reserved for Multicast

– By Default: A Layer 2 Switch Will Forward Multicast Packets Out All Ports (except origin port)

– To Eliminate “Flooding” – IGMP Snooping is Utilized

• IP Group Addressing (virtual address) – 28 Bits of 32 Bit IP Address Reserved for Multicast

– Class D IP Address Range Reserved for Multicast • 224.0.0.0 to 239.255.255.255

– Layer 2 Multicast Address Derived From Layer 3 IP Address

87

Internet Group Management Protocol “IGMP”

• A Multicast Group is Identified by a Multicast Address

• IGMP is the Protocol That Allows a Multicast Receive Client (Host) to Send a Request to Join a Multicast Group

• Three Versions of IGMP Exist: – IGMPv1 (RFC 1112)

– IGMPv2 (RFC 2236)

– IGMPv3 (RFC 3376)

88

Multicast

Source

No Multicast

Clients

Multicast

ClientsMulticast

Clients

Upstream

Interface

Downstream

Interface

Downstream

Interface

IGMP Message Types • Membership “Query”

– A Request to Identify Members of a Multicast Group

• Membership “Report” – List of Members of a Multicast Group

• Leave Group – Terminates Multicast Group Membership (Disconnect)

89

“Query” “Report”

Multicast

Routing

Table

Multicast

Routing

Table

IP Multicast Distribution Tree

• An IP Multicast Distribution Tree is a Path Structure From a Multicast Source to a Multicast Destination.

90

Tree

Base

Tree

Branch

Tree

Branch

Tree

Leaf

Tree

Leaf

Tree

Leaf

Single Source Tree

“Trim” or

“Prune”

the Tree

“Graft”

The Tree

Protocol Independent Multicast – “PIM”

• PIM is Focused on Getting Multicast Packets to the Desired Destination

• PIM Creates the Multicast Tree & “Trims” the Tree

• 3-Types of PIM:

– PIM Dense Mode

– PIM Sparse Mode

– PIM Sparse-Dense Mode (PIM-SM-DM “Cisco Proprietary”)

• Key Difference Between PIM Modes?

– “How The Distribution Tree is Created”

• Which is Best?

– Dense Mode Used in Large Networks – Quick Tree Creation

– Sparse Mode Used in Smaller Networks – More Efficient Bandwidth Use

91

PIM Dense Mode - “PIM-DM”

• All Segments of the Multicast Tree Are “Flooded”.

• Branches Are “Pruned” if Multicast Traffic is Not needed.

92

Multicast

Source

Multicast

Source

No Multicast

Required

No Multicast

Required

PIM Sparse Mode - “PIM-SM”

• Multicast Traffic is NOT Flooded.

• A “Rendezvous Point” is Designated.

• All Multicast Sources & Clients Register With the Rendezvous Point.

93

Multicast

Source

Multicast

Source

No Multicast

Required

No Multicast

Required

RP

DesignatedRP

Multicast Forwarding (Routing) - RFC 3704

• Unicast Routing Only Looks at the Destination Address

• Multicast Traffic is Forwarded Away From the Source Host or Downstream

• Reverse Path Forwarding (RPF) is Used to Prevent Loops

• A Router Only Forwards Traffic Received on an Upstream Interface

• RPF Check Used to Determine if an Interface is Valid

94

Router 1

Router 2

Router 4

Router 3

Multicast

Source192.168.1.2

Multicast Packet

Multic

ast P

acke

t

Multicast P

acket

Multic

ast P

acke

tM

ulticast Packet

X Discarded

Practical Applications of IP Multicast

• Typical Applications: – Audio & Video Content Distribution

– Digital Signage / Corporate Communications

– Stock Quote Distribution

– Distance Learning

• Common Broadcast Implementation Examples: – AoIP

– IPTV

95

Layered Network Design for Security & Performance

96

Hubs, Switches. & Routers A Summary!

• Hub – Layer 1 Device

– Acts as a Repeater - All Incoming Frame FWD Out Every Other Port

– Half-Duplex Based – CSMA/CD Algorithm Controled

– No Intelligence – Collision & Broadcast Domain Across All Ports

• Switch – Layer 2 Device – Originally Called “Forwarding”- Now Called “Switching”

– Full Duplex Based

– Intelligence Based – Selectively Forwards Frame to a Port

– Each Port is a Collision Domain (assuming one device per port)

– Each Switch is a Broadcast Domain

• Router – Layer 3 Device

– Forwards Packets Between Different Networks

– Separates Broadcast Domains

– Each Interface is a Collision Domain

97

X

The Network

• One Network – Single Broadcast Domain

– “Flat” Topology

• Multiple Networks – Individual Broadcast Domains

– “Segmented”

• Policy

• Regulation

• Security

• Performance

98

Understanding Broadcast Domains & Collision Domains

Broadcast Domain

Collision

Domain

Broadcast

Domain

Router

Switch

Hub

1000-Full 100 - Full

10 - Half

10

Half

100

Full

1000

Full

100

Full

100

Full 1000

Full

10

Half10

Half

100 – Full Capable

10

Half

Collision Domains & Broadcast Domains

100

3 Broadcast Domains

11 Collision Domains

Ethernet Switching In-Depth

101

Managed vs Un-Managed Ethernet Switches

• Managed Switch – User Configurable

– Provides Ability to Control & Monitor Host Communications

– Port Configuration , Security, & Monitoring

– VLAN Implementation

– Redundancy Supported (STP)

– QoS (Prioritization) Implementation

– Port Mirroring

• Un-Managed Switch – Fixed Configuration

– “Plug & Play”

– Provides Basic Host Communications

– Cheaper

102

Ethernet Switch Functions

• Learn MAC Addresses

• Filter Ethernet Frames

• Forward Ethernet Frames

• Flood Ethernet Frames

• Allow Redundancy (Avoid loops where redundant links exist)

• Can Provide Port Security Features

Ethernet Switching Fundamentals “Bridging”

• Switches Allow Segmentation of Network – Allows Dedicated Bandwidth and Creates Point-Point Communication

– Increased Throughput Due to Zero or Minimal Collisions

– Provides Full-Duplex Operation

– Increased Security Capability

• Switches Selectively Forward Individual “Frames” from a Receiving Port to a Destination Port – Builds Internal Table of Destination Address on each Port

– Forwards Ethernet Frame if in Table

– Floods Ports if Frame Not in Table OR a Broadcast Frame

Simplified Ethernet Switch Internals

105

Switch Fabric (backplane)

Port

ASIC

Port

ASIC

Port

ASIC

Port

ASIC

POE

Insertion

POE

Insertion

POE

Insertion

CPU

MAC Table

(CAM)

Buffer

Buffer

Processing

Learning a MAC Address

08-3e-8e-11-11-11

08-3e-8e-22-22-22 08-3e-8e-33-33-33

A1

A2A3

A4

Switch MAC Address Table

“Content Addressable Memory (CAM) Table”

MAC ADDRESS PORT

08-3e-8e-22-22-22 A2

08-3e-8e-11-11-11 A1

08-3e-8e-33-33-33 A3

08-3e-8e-44-44-44 A4

08-3e-8e-44-44-44

A Real MAC Address Table

NOTE

VLAN 1 is Special

Virtual Local Area Network – VLAN

• Allows Separation or Segmentation of Networks Across a Common Physical Media

– Creates Subset of Larger Network

– VLAN Control of Broadcast Domains – Each VLAN is a Broadcast Domain

– Architecture Flexibility

– Security

• Static Port Based VLAN(s) – Most Popular

– Manual Configuration

– Switch Port Security Features

• Dynamic Port Based – MAC-Based VLAN(s)

• Assignment Based Upon MAC Address

– Protocol-Based VLAN(s) • Assignment Based Upon Protocol

107

VLAN Example

108

Switch Port Type Configuration:

Access Link – Member of One VLAN Only Connects to a Host

Trunk Link – Carries Traffic From Multiple VLANS Between Switches

Switch Interface Configuration

109

Switch 3Switch 1

Switch 2

Interface Config:TRUNK

Blue VLAN

Green VLAN

Interface Config:TRUNK

Blue VLAN

Red VLAN

Green VLAN

Access

Interface

Access

Interface

Access

Interface

Broadcast Domains

110

Red

VLAN

Green

VLANBlue

VLAN

Broadcast Domains

No Connectivity Exists Between Broadcast Domain, Networks, or Subnets!

Adding the VLAN Tag

111

PREAMBLESOURCE MAC

ADDRESS

DESTINATION

MAC ADDRESSTYPE DATA CRC

PREAMBLESOURCE MAC

ADDRESS

DESTINATION

MAC ADDRESSTYPE DATA CRCTAG

TPID “0X8100” PRI

C

F

I

VLAN

ID

ETHERNET FRAME

802.1Q ETHERNET FRAME

802.1Q TAG

The 802.1Q Tag in Detail

112

TPID PRI

C

F

I

VID

TPID Tag Protocol ID “0x8100” 16 bits

PRI Priority 3 bits

CFI Canonical Format ID 1 bit

VID VLAN Identifier 12 bits

TPID TCI TAG CONTROL INFO

2 bytes 2 bytes

802.1Q Tag Length = 32 bits or 4 bytes

Where Does Tagging Occur?

113

Switch 3Switch 1

Switch 2

Access

Interface

Access

Interface

Access

Interface

Tag Added Tag Added

Tag added to frame at Egress trunk interface / Tag stripped at Ingress trunk interface

VLAN Configurations

LAN

#1

LAN

#2VLAN

#1VLAN

#2

VLAN

#1

VLAN

#2

VLAN

#1

VLAN

#2

VLAN #1

VLAN #2

Inter-Switch

Links

Physical

Separate

Networks

VLAN

Implementation

VLAN

#1

VLAN

#2

VLAN

#1

VLAN

#2

Trunk

Inter-Switch

Links

VLAN

#1

VLAN

#2

VLAN

#1

VLAN

#2

Trunk Link

VLAN #1 & #2

Trunk

Inter-Switch

Links

VLAN

#1

VLAN

#2

Trunk Link

VLAN #1 & #2

VLAN

#1

VLAN

#2

VLAN

#1

VLAN

#2

Trunk Link

VLAN #1 & #2

Trunk

Inter-Switch

Links

Trunk Link

VLAN #1 & #2

VLAN

#1

VLAN

#2

VLAN

#1

VLAN

#2

Trunk Link

VLAN #1 & #2

Trunk

Inter-Switch

Links

Trunk Link

VLAN #1 & #2

Internet

VLAN

#1

VLAN

#2

VLAN

#1

VLAN

#2

Trunk Link

VLAN #1 & #2

Trunk

Inter-Switch

Links

Trunk Link

VLAN #1 & #2

Internet Trunk Link

VLAN #1 & #2

Server

Servers can have “Trunk” interfaces

as well, especially in the virtualized

data center environment.

Practical VLAN Configuration – 1 Cisco to Cisco Switch

118

Host

Device AHost

Device B

Host

Device CHost

Device D

VLAN 100

192.168.1.0/24VLAN 200

192.168.2.0/24

Port 2 Port 14

Port 23 Port 23

Port 24Port 4

Conceptual Configuration:

define vlan 100 & 200 in switch

set port 2 mode to access

set port 14 mode to access

set port 23 mode to trunk

allow vlan 100 & 200 on trunk port

Conceptual Configuration:

define vlan 100 & 200 in switch

set port 4 mode to access

set port 24 mode to access

set port 23 mode to trunk

allow vlan 100 & 200 on trunk port

Exact configuration command will vary by switch model / IOS version

119

Host

Device AHost

Device B

Host

Device CHost

Device D

VLAN 100

192.168.1.0/24VLAN 200

192.168.2.0/24

Port 2 Port 14

Port 23

Port 7

Port 18

Port 24

Conceptual Configuration:

define vlan 100 & 200 in switch

set port 2 mode to access

set port 14 mode to access

set port 23 mode to trunk

allow vlan 100 & 200 on trunk port

Conceptual Configuration:

define vlan 100 & 200 in switch

set port 7 as untagged vlan 100

set port 24 as untagged vlan 200

set port 18 as tagged vlan 100 & 200

Practical VLAN Configuration – 2 Cisco to HP Switch

Cisco Terminology HP Terminology

Access Mode Untagged

Trunk Mode Tagged

“Common” Layer 2 Errors • Runts

– Ethernet Frame < 64 bytes

– Faulty NIC or Faulty Cabling

• Giants

– Ethernet Frame > 1518 bytes

– Faulty NIC or Faulty Cabling

• CRC

– Checksum Calculation & Received Checksum DO Not Match

– Faulty Cabling, Interference, Duplex-Mismatch

• Collisions – Not Always an “Error”

– Retransmissions Due to Collisions

– Normal In Half-Duplex Mode

• Late Collisions

– Collisions After 512 Bytes of the Frame

– Excessive Cable Length

– Duplex-Mismatch

120

Takeaway Points • VLANs Allow a Common Physical Infrastructure to Support Multiple Isolated

Networks

• Each Network, Subnet, or VLAN is a Broadcast Domain With a Unique IP Address Scheme

• Ethernet Switches Minimize Collision Domains

• IP Routing Must Be Used for Communications Between VLANs

• IP Routers Create Broadcast Domains

• Network Traffic May Be Isolated Because of:

– Policy

– Regulations

– Security

– Performance

• An Ethernet Frame is “Tagged” to Denote VLAN Membership on a Trunk Interface

121

IP Routing In-Depth

122

Routing

• Routing is Simply the Moving of Information Between Networks (Subnets or Broadcast Domains)

• OSI Model Layer 3 Process

• Routing Types:

– Static Routing

– Dynamic Routing

• Routing Protocol Classes:

– Interior Gateway Protocol (IGP)

– Exterior Gateway Protocols (EGP)

123

Routing Types

• Static Routing – Appropriate for Small & Simple Networks – Minimal Router CPU/Memory – No Routing Update Overhead – Appropriate for Stable Networks – Often Used in “Stub” Networks – Human Intervention / Administration Required Yy

• Dynamic Routing – Appropriate for Changing Topology Environments

– Automatically Adapts to Changes

– Desirable When Multiple Paths Exist

– More Scalable

– Hardware More Complex

– Less Configuration Error Prone

124

Dynamic Routing Categories

• Distance Vector Routing Protocol – Periodic Routing Table Updates

– “Distance” Used as a Metric

– Neighbors “Trust” Neighbors

– Slow Convergence

• Link State Routing Protocol – Maintains Neighbor, Topology, & Shortest-Path Tables

– Each Router Updates From All Others

– “Cost” Used as a Metric

125

Routing Metrics & Administrative Distance Determines The Best Path to Target Host

• Cost Metrics:

– Hop Count The Number of Routers in a Path

– Bandwidth Throughput (bps)

– Load Traffic Flowing Through a Router

– Delay Network Latency (distance or congestion)

– Reliability Amount of Downtime of a Network Path

• Administrative Distance

– Indicates Believability of the Route

– Often Used When Multiple Protocols Are Used

– Often Used to Prefer A Certain Path When Multiple Paths Exist

– Routing Protocols Have Default Administrative Distances

126

Smaller Metrics = Best Route

Lower Administrative Distance = More Believed

The “Administrative” Distance

• The Administrative Distance Determines Which Route to Trust

127

Route Source: Administrative Distance (default)

Direct 0

Static 1

EIGRP 90

OSPF 110

RIP 120

Unknown 255

Used When Multiple

Routes Exist

Hop Count May Not Be The Best Metric!

128

Ethernet

100 Mbps

DS-3

45 Mbps

T1

1.54 Mbps

DS-3

45 Mbps

T1

1.54 Mbps

The Routing Protocol

• Learn the route to each subnet in the internetwork (build routing table)

• Determine the “best’ route (one route)

• Remove routes that are no longer valid

• Update routing table to reflect changes

• Perform updates quickly

• Prevent routing loops

Routing Fundamentals

130

Router

A

Router

B Router

C

172.16.0.0/24 172.16.2.0 /24

172.16.1.1/30

172.16.1.2/30 172.16.1.6/30

172.16.1.7/30172.16.0.1 172.16.2.1

Destination

Network

Next Hop

Address

172.16.0.0/24

172.16.7.1/30172.16.2.0/24

172.16.1.1/30

Router

B

Routing

Table

IP Configuration:

172.16.2.2

255.255.255.0 mask

172.16.2.1 default gateway

Router A

sends

Network

172.16.0.0/24

Router B

sends

Network

172.16.2.0/24

Static Routing

Table Manually

Entered

Dynamic Routing

Table Generated by

Routing Updates

from All Routers

Distance-Vector Routing Protocols

• “Routing by Rumor” – The Overall Network is Unknown, Only Directly Connected Neighbors Are Known by Each Router

• Routing Decision Based Upon a “Distance” or Metric and “Direction” or Vector to Describe

the “Next-Hop”

131

Link-State Routing Protocols

• Network Topology Information is Flooded Throughout the Network

• Each Router Determines its Own “Best Path”

132

IGP and EGP Protocols

133

Exterior

Gateway

Protocol

Interior

Gateway

Protocol

Interior

Gateway

Protocol

IS-IS

BGP

RIP

IGRP

EIGRP

OSPF

RIP

IGRP

EIGRP

OSPF

Routing Protocol Choices “Most Popular”

134

Interior Distance Vector

Interior Link State Exterior Path Vector

Classful RIP IGRP EGP

Classless RIP v2 EIGRP OSPF v2 IS-IS BGP v4

IPv6 RIPng EIGRP v6 OSPF v3 IS-IS v6 BGP v4

Our Focus

Practical Routing Protocol Choices “Common” IGP Protocols – VLSM Support

RIP v2 EIGRP (Cisco) OSPF v2

Type: Distance Vector Hybird Link-State

Metric: Hop Count Bandwidth/Delay Cost

Administrative Distance:

120 90 110

Hop Count Limit: 15 224 None

Convergence: Slow Fast Fast

Updates:

Full Table Every 30 Seconds

Send Only Changes When Change Occurs

Send Only When Change Occurs, But Refreshed Every 30m

RFC Reference: RFC 1388 N/A RFC 2328

135

RIP v2 Routing Information Protocol

RFC 1388

• Advantages: – Simple – Easy to Configure

– Low Maintenance

– General Understanding Of

• Disadvantages: – Higher Router CPU Utilization

– High Bandwidth Use for Routing Updates

– No Knowledge of Link Bandwidth

– Slow Convergence

– Limited Network Size (hop count = 15)

136

OSPF v2 Open Shortest Path First

RFC 2328

• Advantages: – Fast Convergence

– Routing Updates Are Small

– Scales to Varying Network Sizes

– Considers Link Bandwidth Into Metric Calculation

• Disadvantages: – More Knowledge Required – A lot of Options

– Complex to Configure

137

OSPF Architecture

138

Autonomous

System

Area 0

Area 2Area 1

Backbone Router Area Border

Router “ABR”

Autonomous System

Border Router “ASBR”

EIGRP v4 Enhanced Interior Gateway Routing Protocol

CISCO Proprietary

• Advantages: – Fast Convergence

– No OSPF Area Assignments = Less Complex

– Complex Cost Metric: • Bandwidth

• Delay

• Reliability

• Utilization

• Disadvantages: – More Knowledge Required – A lot of Options

– Need “Cisco” Environment

139

Router Configuration:

140

Configuration Disclaimer:

Exact configuration commands may vary based upon specific equipment models and software version.

Generic “Cisco” commands utilized for illustration purposes.

Blue Network:

192.168.100.0 /24

Green Network:

192.168.200.0 /24

Red Network:

192.168.300.0 /24

Assign Network to an Interface:

interface ge0

ip address 192.168.100.1 255.255.255.0

no shutdown

interface ge1

ip address 192.168.200.1 255.255.255.0

no shutdown

interface ge2

ip address 192.168.300.1 255.255.255.0

no shutdown

Enable RIP Routing:

router rip

network 192.168.100.0

network 192.168.200.0

network 192.168.300.0

The “ACL” Rules:

• Simply a “Set of Rules” That Provides a “Permit” or “Deny” Based Upon:

– Layer 3 IP Address

– Layer 4 Port Number

• An ACL is:

– A Table (with explicit DENY)

– Applied to a Specific Router Interface

141

The “ACL” Rules continued…..

• ACL’s can be Numbered or Named

• Numbered ACL’s Structure: – 1-99 IP Standard Access List

– 100-199 IP Extended Access List

– 200-299 Protocol Access List

– 1300-1999 IP Standard Access List-Expanded

– 2000-2999 IP Extended Access List-Expanded

• Named ACL Structure: – Standard Named

– Extended Named

142

The “ACL” Rules continued…..

• Standard Access List – Can Only Permit or Deny The Source Host IP Address

– Placed Closest to Destination Host

• Extended Access List – Can Permit or Deny Based Upon:

• Source IP Address

• Destination IP Address

• TCP Port #

• UDP Port #

• TCP/IP Protocol

– Placed Closest to Source Network

143

The “ACL” Rules continued…..

• One “ACL” per Interface per Direction – Ingress

– Egress

• An ACL Only Acts of IP Traffic Passing Through Router

• Organize Structure of ACL: – More specific statements placed first

– Process Sequentially

144

ACL Example(s):

access-list 110 deny ip any host 192.168.100.110

access-list 123 deny ip any host 192.168.100.110 eq 23

ACL Structure

145

Create an Access-List:

access-list [number] [deny | permit] [host] [source ip] [wildcard]

Apply Access-List to Interface:

ip access-group [number] [in | out]

Logical Operators Can Be Used:

lt Less Than

gt Greater Than

eq Equal To

neq Not Equal To

range port number range

Wild Card Mask

146

Inverse of the “Subnet” Mask

The Subnet Mask:

192.168.100.100 / 24

or

192.168.100.100 mask 255.255.255.0

The Inverse Mask:

0.0.0.255

Network Host

Match Don’t Care

Standard IP List Example #1: Prevent Host 192.168.30.30 from Accessing Host 192.168.10.10

147

Router

1

Router

2

192.168.10.1 /24 192.168.20.1 /24 192.168.20.254 /24 192.168.30.1 /24

192.168.30.30 /24

192.168.30.20 /24192.168.10.10 /24

E0 E1

Create Access List on Router 1: access list 101 192.168.30.30 0.0.0.0

access-list 101 permit any

Apply Access List to Interface: interface E1

ip access-group 101 in

Configuration Disclaimer:

Exact configuration commands may vary based upon specific equipment models and software version.

Generic “Cisco” commands utilized for illustration purposes.

Extended IP List Example: Allow Only http Access to Host 192.168.10.10 from 192.168.30.0 /24

148

Router

1

Router

2

192.168.10.1 /24 192.168.20.1 /24 192.168.20.254 /24 192.168.30.1 /24

192.168.30.20 /24192.168.10.10 /24

E0 E1

Create Access List on Router 2: Access-list 101 permit tcp 192.168.30.0 0.0.0.255 host 192.168.10.10 eq 80

access-list 101 permit ip any any

Apply Access List to Interface: interface E0

ip access-group 101 in

Configuration Disclaimer:

Exact configuration commands may vary based upon specific equipment models and software version.

Generic “Cisco” commands utilized for illustration purposes.

A “Practical” ACL Example Block External Users From “Pinging” Inside Hosts

149

Router

1

192.168.10.1 /24

192.168.10.2 /24

192.168.10.6 /24

The

“Internet”E0

E1

Create Access List on Router 1: access list 101 deny icmp any any

access-list 101 permit ip any any

Apply Access List to Interface: interface E1

ip access-group 101 in

Configuration Disclaimer:

Exact configuration commands may vary based upon specific equipment models and software version.

Generic “Cisco” commands utilized for illustration purposes.

Consumer Routers

150

WAN

PortLAN

Port(s)

ISP

NetworkMay Be Private Address Space

May Be Public Address Space

Consumer Router Internals

DHCP

Server

DHCP

Client

NAT

w/ PAT

Access

Point

What Is A “Layer 3” Switch? • “Marketing Terminology” Applied to a One Box Solution:

– Layer 2 Switching

– Layer 3 Routing

• Layer 3 Switch Performs Both!

• Multilayer Switch Port Types:

– Switchport: Layer 2 Port – MAC Addresses Learned

– Layer-3 Port: Routing Port

– Switched Virtual Interface: VLAN Virtual Interface

• Not for All Environments:

– Typically Found in Workgroup Environment

– Limited to Ethernet Ports/Interfaces

– Limited to OSPF and RIP Protocols

151

Multi-Layer Switch Summary

• Layer 1 Switch = Really Does Not Exist - Often a Simple “Hub”

• Layer 2 Switch = Traditional Data-Link Layer Switching

• Layer 3 Switch = Performs Layer 3 Routing Decisions

• Layer 4 Switch = Implements Transport-Layer Flow Decisions – Firewall

– VPN Concentrator

• Layer 7 Switch = Provides Applications Level Functionality – Often Based Upon a Uniform Resource Locator (URL):

• Load Balancing

• Content Management

152

An Introduction to “MPLS”

153

Multi-Protocol Label Switching • Known as a “Layer 2.5 Protocol”

• Traditional Routing Process: – Each Router “Looks-Up” Destination Network

• MPLS: – First Router Performs Destination “Look-Up” and Finds Path to the

Destination Router

– Adds “Label or Shim” With Path Information

– Routers Use Label Information to Route Packet

154

Why Label Switching?

• CIDR Presented a New Challenge

• “Label or Tag” Switching Perform “Exact Matching” – Distribute Route Lookup Across Edge Routers

– Reduce Core Router Load

155

Why MPLS?

• Allows Traffic Engineering – Control Traffic Routing / Manage Congestion

– Manage Capacity

– Prioritize Traffic

• Allows Multi-Service Implementation – Provides Transport Across a Packet-Switched Network

• Provides Resiliency (Fast Reroute)

156

Takeaway Points

• The “Routed” Protocol

• The “Routing” Protocol

• The “Routing” Table Contains: – The Destination Network

– The “Next-Hop” Information

– Routing Metric & Administrative Distance

• The Router Looks at the “Destination” Address – Determines Appropriate Interface

157

IP Addressing & Subnetting In-Depth

158

IP Addressing “Rules” • Each Network MUST Have a Unique Network ID

• Each Host MUST Have a Unique Host ID

• Every IP Address MUST Have a Subnet Mask – Implied for a Classful Network

– Explicit Stated for Classless Network

• An IP Address Must Be Unique Globally If Host on the Public Internet

159

Classful IP Addressing Class First Octet Range Use

A

E

D

C

B

240 - 255

224 - 239

192 - 223

128 - 191

1 - 126 Large Unicast Network

Experimental Network

Multicast Network

Small Unicast Network

Medium Unicast Network

1 - 126 128 - 191 192 - 223First Octet Range

Mask

Host Bits

Network Bits

Available Hosts/Network

Available Networks

Network Range

Class BClass A Class C

1.0.0.0 – 126.0.0.0

126

16,777,214

8

24

255.0.0.0

128.0.0.0 – 191.255.0.0

16,384

65,534

16

16

255.255.0.0

192.0.0.0 – 223.255.255.0

2,097,152

254

24

8

255.255.255.0

IP Address Classes “Classful” Public & Private

• Class A – 126 Networks / 16,777,214 Hosts – 1.0.0.0 to 126.0.0.0

– PRIVATE - 10.0.0.0 to 10.255.255.255

• Class B – 16,384 Networks / 65,534 Hosts – 128.0.0.0 to 191.255.0.0

– PRIVATE - 172.16.0.0 to 172.31.255.255

• Class C – 2,097,152 Networks / 254 Hosts – 192.0.0.0 to 192.255.255.0

– PRIVATE - 192.168.0.0 to 192.168.255.255

161

IP Address Classes “32 Bit Doted Decimal Notation”

IPv4 Provides 232 or 4,294,967,296 IP Addresses

162

Determining the Class

163

Octet 1 Octet 2 Octet 3 Octet 4

0

Octet 1

1 0

Octet 1

1 01

Octet 1

Class A 1 - 126

Class C 192 - 223

Class B 128 - 191

IPv4 Address

Doted – Decimal Notation

192.168.100.254

or

32 bits Binary Representation

Leading Bit Patterns Indicated the Class

Private vs Public IP Addresses

• RFC 1918 Established “Private” Address Space – Class A: 10.0.0.0 to 10.255.255.255

– Class B: 172.16.0.0 to 172.31.255.255

– Class C: 192.168.0.0 to 192.168.255.255

• Key Points: – Private IP Addresses Are NOT Routable Outside the Local Network

– Widely Used in Home & Industry Networks

– May Be Translated With NAT At An Edge Router

• Map Private Address Space to Public Address Space

164

VLSM & CIDR

VLSM RFC 1009

• Variable Length Subnet Masking (VLSM)

– Host Addressing & Routing Inside a Routing Domain

– Allowed “Classless” Subnetting

• Mask Information is Explicit

– Allows More Efficient Use of Address Space – Taylor Address Space to Fit Network Needs

– Allows You to Subnet a Subnet

CIDR RFC 1517, 1518, 1519, 1520

• Classless Interdomain Routing (CIDR)

– Class System No Longer Applies

– Routing Between Routing Domains

– Allows “Supernets” To Be Created

• Combining a Group of Class C Addresses Into a Single Block

– CIDR Notation (slanted notation): 172.16.1.1 /16

165

Example: Classful Addressing 165.95.240.136 Implied Mask 255.255.0.0 VLSM Addressing 165.95.240.136 Explicit Mask 255.255.255.192 CIDR Notation 165.95.240.136/26

IP Address Formats

166

Classful Addressing: 165.95.240.136 (Implied Mask 255.255.0.0) VLSM Addressing: 165.95.240.136 255.255.255.192 (Explicit Mask 255.255.255.192) CIDR Notation : 165.95.240.136 /26

Number of Mask Bits

1 1

The IP Address Subnet Mask “VLSM” - Each IP Address Must Have a Subnet Mask to Define the Network and the Host

32 Bit Address & Subnet Mask Format

Expressed in Decimal as (4) 8-bit Octets using “Doted Decimal Notation”

IP Address: 192.168.1.100 /26

192.168.1.100 /26 or 255.255.255.192

11000000.10101000.00000001.01100100

11111111.11111111.11111111.11000000

Network Host

Subnets

Switch 1

Switch 2

Router A Router B

How Many Networks (subnets) Are Shown?

Network 1

Network 3

Network 2

IP Addressing / Subnetting • Classless IP Addressing Has Replaced Class-Full Addressing !

• Why Subnet?

– Allows Flexible Network Design

– Efficient Use of IP Address Space

• Dividing Networks Into the “Right” Size

– Performance

• Create “Smaller” Broadcast Domains

– Enhance Routing Efficiency – Reduce Routing Table Size

– Network Management Policy and Segmentation

• Grouping Hosts by Function or Purpose

• Grouping Hosts by Ownership

• Grouping Hosts Geographically

– Job Security for Network Engineers!

169

Subnetting Basics An IP Address Must Have a Subnet Mask

• The Subnet Mask Identifies the Boundary Between Network and Hosts

• “Subnetting” Simply Moves the Boundary! – Moves Boundary to the Right

– IP Address Subnetting Applies to All Classes

– Boundary Position Determined by the Subnet “Netmask”

• Expressed in Several Forms: – Doted Decimal Notation (same as IP address)

– Slash Notation (also known as CIDR notation)

170

IP Address 165.95.240.100 with Netmask of 255.255.255.0

OR

165.95.240.100 /24

IP Address Block Size Understanding the Power of 2: 2n

171

2n

128

64

32

16

8

4

2

1 LSB

172

ISP

VLAN 1 VLAN 2 VLAN 3

165.95.240.100/25

S1 S0

FE 0

FE 0

FE 1

FE 2

FE3

35

Hosts

Sales

17

Hosts

Engineering

27

Hosts

Production

S0 S1 S2

Network: 165.95.240.0

Broadcast: 165.95.240.127

Useable Range (126 hosts):

165.95.240.1 - 126

What You Need To Know About a Network?

• Network Address?

• Broadcast Address?

• IP Address Range? – Range of Useable Addresses

• Subnet Mask?

• Default Gateway Address?

173

Where is the Default Gateway

174

ISP

VLAN 1 VLAN 2 VLAN 3

165.95.240.100/25

S1 S0

35

Hosts

Sales

17

Hosts

Engineering

27

Hosts

Production

1 3

Default Gateway

VLAN 3 Interface IP Address

Default Gateway

VLAN 1 Interface IP Address

IP Addressing Reverse Engineering “A Useful Troubleshooting Tool”

• Verifying Proper Subnet Configuration When Given an IP Address and Subnet Mask – Determine Subnet Address Range

– Determine “Assignable” IP Addresses

– Determine Broadcast Address

• Subnetting When Given A Network Requirement

• Subnetting When Given A Host Requirement

175

You Are Provided:

IP Address / IP Mask

Network Address Translation – NAT RFC 3022

176

Inside

Network

(private)

Outside

Network

RFC 1918

Addressed Hosts

Public

Address

Space

(Usually)

Gateway Router

w/ NAT Services

• NAT Allows a Host Without a Valid Public IP Address to Communicate With a Host That Has a Public IP Address

• HOW?

– Simply Changes the IP Addresses as Packet Passes Through the NAT Device

• WHY?

– Conserve Public IP Address Space

– Security by Obscurity (hide actual host IP address)

NAT • Types of NAT:

– Static – One-to-One Translation

– Dynamic – Pool of Public Addresses Made Available to Outbound Traffic Client Traffic

– NAT Overloading or Port Address Translation (PAT) – Translates to a Single Public IP by Use of a Unique Port Number

• NAT Addressing Terminology: – Inside Local or Inside Private

– Inside Global or Inside Global

– Outside Global or Outside Public

– Outside Local or Outside Private

177

Inside

Network

(private)

Outside

Network

Gateway Router

w/ NAT Services

Inside Local

Inside Global

Outside Local

Outside Global

In General:

Inside Addresses Are Local

Global Addresses Are Public

Static NAT

178

10.0.0.2 /24

Gateway

Router

w/ NAT Services

10.0.0.2 mapped to 128.194.247.2

10.0.0.3 mapped to 128.194.247.3

10.0.0.4 mapped to 128.194.247.4

10.0.0.3 /24

10.0.0.4 /24

128.194.247.2 mapped to 10.0.0.2

128.194.247.3 mapped to 10.0.0.3

128.194.247.4 mapped to 10.0.0.4

Public Network Space

Private Network Space

10.0.0.2 128.194.300.2 Payload 128.194.247.2 128.194.300.2 Payload

128.194.300.2 /24

Source IP Address Changed by NAT

Simple Layer 3 Packet

128.194.247.2 10.0.0.2 Payload 128.194.300.2 128.194.247.2 Payload

Simple Layer 3 Packet

Source IP Destination IP

Destination IP Address Changed by NAT

Source IP Destination IP

128.194.247.0 /2410.0.0.0/24

Dynamic NAT

179

10.0.0.2 /24

Gateway

Router

w/ NAT Services

10.0.0.3 /24

10.0.0.4 /24

Public Network Space

Private Network Space

Pool Of

AVAILABLE

Public

IP

Addresses

10.0.0.2 128.194.247 10

NAT Table

IP Address Chosen from

Pool of Public IP Addresses:

128.194.247.2 – 128.194.247.14

Dynamic Entry Remains if Traffic Flows (timeout)

Common to Have More Private Hosts Than Public IP Address Space

NAT Overloading or – PAT Port Address Translation

Single Address NAT / Port-Level Multiplexed NAT

180

10.0.0.2 /24

Gateway

Router

w/ NAT Services

10.0.0.3 /24

10.0.0.4 /24

Public Network

Space

Private Network

Space

128.194.247.10

10.0.0.2:1024 128.194.247.10:1024

NAT Table

Inside Local Inside Global

10.0.0.3:1026 128.194.247.10:1026

10.0.0.4:1028 128.194.247.10:1028

Source Address

&

Port

Destination

Address

&

Port

NAT Drawbacks!

• Accountability Limited Globally

– Multiple Internal Hosts Share Global IP Address

• Breaks IP Concept of End-End Connectivity

• Complicates Process of Allowing a Global IP Host to Establish Session With an Internal Host

181

Special Use Address RFC 5735

• 0.0.0.0/8 Network Address “Wire Address”

• 10.0.0.0/8 Private IP Address Space (RFC 1918)

• 127.0.0.0/8 Loopback Address

• 169.254.0.0/16 IETF Zero Configuration Address Space (RFC 3927)

• 172.16.0.0/16 Private IP Address Space (RFC 1918)

• 192.168.0.0/16 Private IP Address Space (RFC 1918)

• 224.0.0.0/4 Multicast Address Space

• 255.255.255.255/32 Broadcast Address

182

The IPv4 Loop Back Address

• What is Special About 127.0.0.1 ?

– Actually Any 127.0.0.0/8 Address Works OR the Range of 127.0.0.1 to 127.255.255.255

• Known as a “Loop-Back” Address

• Useful For:

– Test Local IP Stack and Network Adapter Test

– May Be Used by Client-Server Ap on Host

183

An Introduction to IPv6

184

IPv4 Address Depletion

• As of February 2011 ALL ICANN IPv4 Address Space Assigned!

• Regional Registries Now Have Their Last Allocation!

http://www.potaroo.net/tools/ipv4/plotend.png

Updated:

4-24-14

IPv6 Address Space IETF - RFC 2460

IPv6 Provides Expanded IP Address Space 2128 =

340,282,366,920,938,463,463,374,607,431,768,211,456 (three hundred forty UNDECILLION addresses)

3.4 x 1038

• But, IPv6 is More Than Expanded Address Space:

– An Opportunity to Re-Engineer IPv4 • Improved Support for Multicasting, Security, & Mobile Aps

• Multiple Addresses per Interface

• Host Auto-Configuration Capability

• Security Incorporated

• MTU Discovery Incorporated

• Traffic Engineering Provisions Incorporate

The IPv6 Address

128-Bit Address Binary Format: 001001100000011110111000000000001111101010100000000000110010000110010101100110001000011110111100010010000010100011110001

Subdivide Into Eight (8) 16-bit Groups: 0010011000000111 1011100000000000 0000111110101010 0000000000000011 0010000110010101 1001100010000111 1011110001001000 0010100011110001

Convert Each 16-bit Group to Hexadecimal: (separate with a colon)

2607:b800:0faa:0003:2195:9887:bc48:28f1 2607:b800:faa:3:2195:9887:bc48:28f1

Address Summarization

128-Bit Address Represented as a 32 Hexadecimal Digits Subdivided Into Eight Groups (Chunks, Quads, Quartets) of Four Hexadecimal Digits

(separated by colon)

2001:0000:0000:0000:0DB8:8000:200C:417A or

2001:0:0:0:DB8:8000:200C:417A or

2001::DB8:8000:200C:417A

188 188

Remember: IPv6 Is More Than Address Space

“An Opportunity to Re-Engineer IPv4”

• Header Simplification for Performance Increase

• Improved Authentication and Security

• Host Auto-Configuration

• Mobility Incorporated

189

Version

(4)

Traffic Class

(8)

Flow Label

(20)

Payload Length

(16)

Source IP Address

(128)

Destination IP Address

(128)

Packet Payload

(Transport Layer Data)

32 bits

40

Bytes

Ipv6

Hop Limit

(8)

Next Header

(8)

Version

(4)

Header

(4)

Precedence / Type

(8)

Length

(16)

Identification

(16)

Flag

(3)

Offset

(13)

Time to Live

(8)

Protocol

(8)

Header Checksum

(16)

Source IP Address

(32)

Options & Padding

(0 or 32)

Destination IP Address

(32)

Packet Payload

(Transport Layer Data)

32 bits

20

Bytes

Ipv4

IPv6 Header Simplification

Fewer Fields & Fixed Header Size Result in Faster Packet Processing Providing Enhanced Routing Efficiency

Improved Authentication and Security

• IPsec is Mandatory in IPv6 – IPv6 Is Not Necessarily More Secure Than IPv4

• Mandatory Implementation Ensures Enhanced Security: – Data Integrity

– Authentication

– Confidentiality

191

Host Auto-Configuration

• Simply Saves Network Administrators Work!

• Stateless Auto-Configuration

• Stateful Auto-Configuration

• Auto-Configuration Process:

192

Host ID Generated from MAC Address:

Generated IPv6 Address: 2002:80c2:f737::80c2:f737

For Host with MAC Address: 80:C2:F7:37

Mobility Incorporated

• Provides Roaming Service Without Interrupting Connectivity – Ability to Move Between Networks

– Maintains Home IP Address Regardless of Location

– Establishes Care-Of IP Address When In a “Foreign” Network

• Similar in Concept to IPv4 Mobile IP

193

IPv6 Address Types

• Unicast – One-to-One Mapping – Global Unicast Address

– Unique-Local Unicast Address (non-Routable or Private)

– Link-Local Unicast

• Multicast – One-to Many Mapping – Multicast Groups Established

• Anycast – One-to-Nearest Mapping – Packets Are Delivered to the “Closest, Nearest, or Lowest-Cost”

Interface • Global Anycast

• Site-Local Anycast

• Link-Local Anycast

194

195

ARIN IPv6 Address Allocation Policies

• End-User / Enterprise Network – Qualify by Meeting IPv4 Qualifications

– /48 Minimum Allocated

• 65,536 subnets

• Qualify for Larger Blocks by Justification of Proposed Use

196

PrefixHost

(Interface ID)

Prefix Length

IPv6l

Addressing

IPv6 Address Assignment

• Service Provider: /32 232 /64 subnets

• Large End User: /48 65,536 /64 subnets

• Small End User: /56 256 /64 subnets

• SOHO: /64 1 /64 subnets

Recognize / Remember:

A /64 IPv6 subnet = 18,446,744,073,709,552,000

hosts

Why IPv6? • Reduction of Dependency Upon IPv4 Address Space for Growth

• Restores the End-End Communications Path Model of the Global Internet

• Enhances Overall Routing Efficiency

• Improved Security Increases Security and Confidentially

Want to Learn More?

IPv6 Enable Your Home Network

But, My Provider is Not IPv6

Enabled!

Then “Tunnel” to an IPv6

Provider:

http://www.tunnelbroker.net/

IPv6 Test Sites

http://ipv6-test.com/

http://v6.testmyipv6.com/

www.ARIN.net

An Ipv6 Address You Can Remember

The IPv6 Loopback Address

::1 Summarized from: 0:0:0:0:0:0:0:1

Some Final IPv6 Trivia

What Happened to Version 5 or IPv5 of the Internet Protocol?

“IPv5 Simply Does Not Exist!” Version 5 was intentionally skipped to avoid confusion, or at least to rectify it. The problem with version 5 relates to an experimental TCP/IP protocol called the Internet Stream Protocol, Version 2, originally defined in RFC 1190. This protocol was originally seen by some as being a peer of IP at the Internet Layer in the TCP/IP architecture and these packets were assigned IP version 5 to differentiate them from “normal” IPv4 packets. This protocol never went anywhere, but to be absolutely sure that there would be no confusion, version 5 was skipped over in favor of version 6.”

IPv4 and IPv6 Comparison Summary

IPv4 Developed: 1973-1977

Deployed: 1981

232 or 4.3 Billion Addresses

“More Than Anyone Could Possibly

Use”

Address Based Assignment Unit /32

IPv6 Developed: mid 1990’s

Deployed: 1999

2128 or 340 Undecillion Addresses

“More Than Anyone Could Possibly

Use”

Network Based Assignment Unit /64

Vinton Cerf “One of the Fathers of the Internet”

"Who the hell knew how much address space we needed for an experiment?“ “The experiment has not ended”

“Vint” Cerf comments on his & colleagues 1977 decision to use 32-bit IP Numbers

Building the Network Infrastructure

205

Reference Network Architecture

206

ISP

VLAN 1 VLAN 2 VLAN 3

Network Security Concerns

• Focused on Protecting the “Network Infrastructure”

• Common Threats: – DHCP Snooping

– ARP Spoofing (IP Spoofing)

– Rogue Routers Advertisements

– Denial of Service Attacks

– Application Layer Attacks

• Implementation Considerations: – Know Your Enemy

– Cost

– Human Factors

– Understand Your Network

– Limit Scope of Access

– Don’t Overlook Physical Security

207

The Challenge

SECURITY USEABILITY

208

The Scope of the Problem!

209

http://www.verizonenterprise.com/DBIR/2014/

IT Infrastructure Threats

• Viruses

• Worms

• Trojan Horse

• Spyware & Adware

• Botnets “Zombie Computer”

• Operating Systems

• File System / Media

• Application – Web Services

– Email Services

– P2P

• Wireless / Mobile Environment

• Social Engineering

• And the list goes on & on…..

210

Network Infrastructure Threats

• Denial of Service “DoS”

• Spoofing

• Hijacking

• Authentication Bypass or “Back Door” Access

• Physical Access

• And the list goes on & on…..

211

Common Policy Terminology

• Asset – Any object of value

• Vulnerability – A system weakness to be exploited

• Threat - Possible danger to a system or its information

• Risk – The feasibility that a vulnerability might be exploited

• Exploit - An attack directed at a vulnerability

• Countermeasure - An action or mitigation of a risk

212

Common Policy Attributes

• What Does a Security Policy Define?

– Company Objectives

– System Requirements

– User Rules & Regulations

• Who is the Security Policy Audience?

– “Anyone” Who Has Network Access!

213

Security Policy Lifecycle

214

Planning

Policy

Creation

Management &

Monitoring

Assessment

Policy

Implementation

& Enforcement

Detection

Threat

Analysis

Attributes of a Secure Network

• Layered Approach (“Defense in Depth” NOTE 1) – Different Security Controls Within Different Groups

• Security Domains – Segmentation of Network Into Areas or Groups

• Privileges – Restrict to “Need – To – Access”

– “Deny by Default”

• Access – Restrict by Firewalls, Proxies, etc.

• Logging – Accountability , Monitoring, & Activity Tracking

215

NOTE 1 – Cisco Security Terminology

Goals of Data Security

• Provides Confidentiality – Maintain Privacy – Prevent Use by Those Unauthorized

• Provides Authentication – Verify That User’s Are Who They Say They Are

• Maintains Data Integrity – Data Has Not Changed

216

Network

Send Host Receive HostDATA

Network Security Tools

• Firewall – Used to Create a “Trusted” Network Segment by Permitting or Denying

Network Packets

– Types of Firewalls:

• Stateless Packet Filtering – Single Packet Inspection

• Stateful Packet Filtering – Flow or Conversation Inspection

• Detection Tools – Intrusion Detection Systems (IDS)

• Signature Based

• Anomaly Based

– Intrusion Prevention Systems (IPS)

• Combine Firewall & IDS Functions

217

Not Within Today’s Scope

Firewalls • Determines What IP Traffic Can Enter or Exit a

Network Based Upon Pre-Defined Rules

• Firewall Types: • Stateless Packet Filtering – Single Packet Inspection

– Access Control List “ACL” – Ingress or Egress Filtering

– No knowledge of flow

– Filters on IP Header info – Layers 1-3

• Stateful Packet Filtering – Flow or Conversation Inspection – Filters on IP Header info – Layers 1-4

– Records conversations – then determines context:

» New Connections

» An Existing Conversation

» Not involved in any conversation

218

Firewall Types:

219

Internet

HTTP Request

HTTP ReplyBlocked X

Internet

HTTP Request

Blocked X

HTTP Reply

Telnet Session

Packet Filtering - “Stateless” Packet Filtering - “Stateful”

Filtering Parameters: IP Source Address

IP Destination Address

Protocol

TCP Traffic

UDP Traffic

Port Number

“Stateless” Firewall • In Addition to TCP/IP Header Checks, A Stateless Firewall

Can Detect Packet Anomalies: – IP Packet Header Makeup

– IP Addressing Non-Compliance

– IP Fragmentation Errors

– TCP Flow Sequencing

– UDP Flow Sequencing

– Anomalies Associated with Packet Flows: • SYN-ACK Sequence Not Compliant

• ICMP Errors

220

Firewall Implementation

221

Internet

(Outside)

Internal

Network(s)

Email

Server

Web

Server

Demilitarized Zone

“DMZ”

HTTP & SMTP / POP

Only Allowed

All Allowed

Return Session Only

Allowed

“Stateful” Firewall

Functionality

May Be Implemented in

“Border” Router

All Allowed

All Blocked

Switch Port Security Actions

• Port Security Options: – Specific MAC Address/Port

– Limits on Learned MAC’s

– “Sticky” MAC Learning

• Port Security Violations: – Discards Frame if Disallowed

– Discards Frame if Disallowed and Sends Notification

– Shutdown

222

Implementing Switch Port Security

223

“Shutdown” ports that are un-used

Insure ports are configured as “Access” ports

Assign port to an Un-Used VLAN (do not use VLAN 1)

Configure

“Trunk”

Ports

Only

When

required

Insure port is configured as “Access” ports

Assign port to VLAN (do not use VLAN 1)

Enable Port Security:

Specific MAC address

Limit number of MAC addresses / port

Use “Sticky Learning” with caution

Specify the violation response

The IPSec VPN • The Virtual Private Network – “VPN” is a private network built across a public

infrastructure.

• VPN Advantages: – Provides Confidentiality

– Provides Authentication

– Maintains Data Integrity

– Prevents “Man-in-the-Middle” Scenarios

• VPN’s Built Between: – Routers

– VPN Appliances

– Soft Clients

• VPN Types: – IPsec Based

– SSL Based

– GRE Tunnel

224

Conceptual VPN

225

Router

1

Router

2

192.168.10.1 /24

192.168.20.1 /24 192.168.20.254 /24

192.168.30.1 /24

192.168.30.20 /24

192.168.10.10 /24

IP Packet

Source: 192.168.10.10

Destination: 192.168.30.20

Encrypted

PacketVPN Header New Header

Source: 192.168.20.1

Destination: 192.168.20.254

Public Network

IP Packet

VPN Implementation “Virtual Private Network”

226

Internet

(Outside)Internal

Network(s)

Email

Server

Web

Server

Demilitarized Zone

“DMZ”

Application

Server

Application

Server

VPN

Concentrator

VPN

Access

ApplianceRemote

Office

Remote

User

(VPN Client)

Corporte

Office

A VPN is NOT a VLAN Essence of a VPN is a Tunnel Through a Network Infrastructure

227

Public Network Space

Corporate Network Space

Public InternetISP “B”

ISP “A”

Layer 2 ENCRYPTED Tunnel

Don Not Confuse VLAN’s and VPN’s

Layer 2 Guidelines

• Insure User Switch Ports Are Set as “Non-Trunking”

• Disable Un-Used Switch Ports

• Place Unused Ports in a Non-Used “Black Hole” VLAN

• Never Used VLAN 1

• Create a Secure Management Environment: – SSH Access (Secure Shell)

– OUB Access (Out of Band)

– Use ACLs (Access Control Lists)

228

Apply Layered Network Design

• Separate Networks into “Layers” or Zones or Groups With Different Security Access & Control – External or Public Network

– “DMZ” or Demilitarized Zone or Perimeter Network

– Internal or Private Network(s)

– Apply Access Control Between Internal Networks!

229

PUBLIC “External” NETWORK

“DMZ” NETWORK

NET

A

NET

C

NET

B

PRIVATE “Internal” NETWORKS

Non-Secure

Secure

Security “Best Practices” to Consider • Recognize Physical Security

• Change Default Logins

• Utilize Strong Passwords

• Disable Services Not Required

• Adopt a Layered Design Approach

• Segregate Network(s)

• Separate Networks via VLANS

• Implement Switch Port Security

• Utilize Packet Filtering in Routers & Firewalls

• Do Not Overlook Egress Traffic

• Deny All Traffic – Then Permit Only Required

• Keep Up With Equipment “Patches”

• Utilize Access Logging on Key Network Devices

• Utilize Session Timeout Features

• Encrypt Any Critical Data

• Restrict Remote Access Source

• Understand & Know Your Network Baseline

• Actively Monitor and Look for Abnormalities

• Limit “Need-to-Know”

• Disable External “ICMP” Access

• Don’t Use VLAN 1

230

Takeaway Points • Understand Security Threats

• Segment Your Network

• Implement “Switch-Port” Security

• Use Firewalls to Deny Access

• Use VPN to Provide Access

• Monitor Network Activity – Know the “Norm”

• Remember The “Security Lifecycle”

231

232

CBNE Study Topics & Practical Exercise

233

Cable Category Types

234

Category Maximum Speed Application

1 1 Mbps Voice (not for ethernet)

3 10 Mbps Ethernet 10BaseT

5 100 Mbps Ethernet 100BaseT

5e 1 Gbps Ethernet 1000BaseT

6 10 Gbps Ethernet 10GbE

6a 10 Gbps Ethernet 10GbE

For More Information:

http://www.lanshack.com/cat5e-tutorial.aspx/

Ethernet Cable Wiring - Straight

235

Ethernet Cable Wiring - Cross

236

Ethernet Cable Types

237

Cable Type Legend

Straight-Through

Cross-Over

Router 1 Router 3Router 2

Ethernet 0

Ethernet 0 Ethernet 0

Ethernet 1

Ethernet 1

Ethernet 3

Ethernet 1

EIA/TIA-568A EIA/TIA-568B

EIA/TIA-568B EIA/TIA-568B

MDI

MDIXMDIX

MDIX

MDI

MDI

MDI

DTE

Device

DCE

Device

1

2

3

6

1

2

3

6

Straight – Through Cable

DCE

Device

TX

RX

RX

TX

DCE

Device

3

6

1

2

1

2

3

6

Cross - Over Cable

TX

RX

RX

TX

Switch

Hub

RouterCross-Over Cable

Straight-Through Cable

Typical Cable Selection(non auto-mdix devices)

MDI

MDI

MDI-X

MDI-X

MDI-X

MDI

MDI

Ethernet Physical Standards

239

IEEE Standard Physical Standard

Cable Type Speed Maximum Length

802.3a 10-Base-2 Coax (thin-net) 10 Mbps 185m

802.3 10-Base-5 Coax (thick-net) 10 Mbps 500m

802.3i 10-Base-T Twisted Pair 10 Mbps 100m

802.3u 100-Base-TX Twisted Pair 100 Mbps 100m

802.3u 100-Base-T4 Twisted Pair 100 Mbps 100m

802.3u 100-Base-FX MM Fiber 100 Mbps 400-2000m

802.3u 100-Base-SX MM Fiber 100 Mbps 500m

Ethernet Physical Standards

240

IEEE Standard Physical Standard

Cable Type Speed Maximum Length

802.3ab 1000-Base-T Twisted Pair 1 Gbps 100m

802.3z 1000-Base-SX MM Fiber 1 Gbps 500m

802.3z 1000-Base-LX MM Fiber 1 Gbps 500m

802.3z 1000-Base-LX SM Fiber 1 Gbps Several Km

802.3an 10G-Base-T Twisted Pair 10 Gbps 100m

802.3ae 10G-Base-SR MM Fiber 10 Gbps 300m

802.3ae 10G-Base-LR SM Fiber 10 Gbps Several Km

and 20 Gigabit, 40 Gigabit, & 100 Gigabit Ethernet are emerging ……

Fiber Optic Connector Types

241

Power Over Ethernet - PoE

• Allows Data & DC Power To Be Carried on the Same UTP Cable

• IEEE Standardized: – 802.3af 13w device power (minimum 44 V DC and 350 mA)

– 802.3at “PoE+” 25w device power

• Power Sourcing Equipment:

242

PoE Compliant Switch

PoE

Injectors

WAN Technology • Generally Categorized as Dedicated, Circuit Switched , or Packet Switched:

• Dedicated

– T-Carrier (data)

– Optical Carrier

• Circuit Switched

– ISDN – BRI

– ISDN – PRI

– T-Carrier (voice)

• Packet Switched

– X.25

– Frame Relay

– ATM

– ADSL / HDSL

– Metro Ethernet Offerings

243

WAN Link Types

244

Line Type: Signaling Type: Bit Rate

64 DS0 64 kbps

T1 or DS1 DS1 1.544 Mbps

T3 or DS3 DS3 44.735 Mbps

SONET OC:

SONET STS:

Bit Rate

OC-1 STS-1 52 Mbps

OC-3 STS-3 155 Mbps

OC-12 STS-12 622 Mbps

OC-48 STS-48 2400 Mbps

OC-96 STS-96 5000 Mbps

DS1 Configuration

• DS1 or T1 Types:

– Channelized (voice)

– PRI (ISDN) (voice or data)

– Clear Channel (data)

• Encoding

– AMI (voice)

– B8ZS (data)

• Framing

– D4 Super Frame (voice)

– Extended Super Frame (data)

• Timing – Must specify source

245

WAN Component Example Point – Point T-1 or DS-1

246

Router 1 Router 2

Ethernet 1

CSU/DSU CSU/DSUDS-1

WAN

Ethernet 1

Serial 1Serial 1

Possible Interfaces That Might Be Found

WAN Component Example Integrated Services Digital Network

• ISDN - Integrated Services Digital Network – ISDN – BRI 2 “B Channels” + “D Channel”

– ISDN – PRI 23 “B Channels” + “D Channel”

• “B” Channel – Bearer Channel – 64k

• “D” Channel – Signaling Channel – 16k / 64k

247

ISDN Reference Devices • TE1 – Terminal Equipment Type 1

– ISDN Telephone Set or Computer Device

• TE2 – Terminal Equipment Type 2 – POTS Deskset

• TA – Terminal Adapter – Interfaces analog devices

• NT1 – Network Termination Type 1 – TELCO termination Point (Home)

• NT2 – Network Termination Type 2 • TELCO termination Point (PBX)

• LT – Line Termination

• ET – Exchange Termination

248

Telco Central Office

Frame Relay Basics • Standardized Packet Switched Network Technology

• Physical & Data Link Layer Based

• Local and Nationwide Scope Reach

• Frame Relay Switches Create Virtual Circuits Between Customer Endpoints

• Permanent Virtual Circuit (PVC) Provided to Customer

• Delivered via Leased Line Facilities – Often Fractional T1 (< 1.5 Mbps) – 56 kbps or 64 kbps increments

• Data Link Connection Identifier – DLCI:

– Identifies the Virtual Connection

– Physical Link Can Accommodate Multiple DLCI’s

– Unique Only To The Endpoint

• Committed Information Rate – CIR

• Extended Information Rate - EIR

249

Frame Relay Architecture

250

TELCO

Frame Relay

Network

Premise

Frame Relay

Router

Premise

Frame Relay

Router

Premise

Frame Relay

Router

DLCI 100

DLCI 200

DLCI 300Frame Relay

Switch

Frame Relay

Switch

PVC’s

Created

Between Customer

Endpoints

Local or Nationwide Scope

Frame Relay Cloud

Audio & Video Digital Signal Standards

• Digital Audio – AES3

• 32/44.1/48/96 kHz Sampling

• 16 – 24 bits

• Mono or Stereo

• Balanced 110 ohm

• Unbalanced 75 ohm

– AC3 • Compressed

• 5.1 channel based (6 channels)

• AC3 Metadata

– Dolby E • Compressed

• 8 channel

• Bound to Video Frame

• Digital Video: – SMPTE 259M SD-SDI 270 Mbps

– SMPTE 344M ED-SDI 540 Mbps

– SMPTE 292M HD-SDI 1.485 Gbps

– SMPTE 372M Dual Link HD-SDI 2.97 Gbps

– SMPTE 424M 3G-SDI 2.970 Gbps

251

Broadcast Digital Content Management & Workflow

252

Acquisition

Record

Log

QC

Production

Ingest

Encoder

Add Metadata

QC

Asset

Management

Catalog

Search

Archive

Store

Distribution

Encode

Transcode

Digital Rights Mgmt

Brand

Stream

Transfer

Content Management & Workflow

• Workflow: The decisions and processes that occur in the broadcast plant when a

Media Asset enters the system to the distribution of the Media Asset at the output of the system.

• Media Asset (SMPTE definition):

253

Essence Metadata

Content Rights

Media Asset

Wrapper Types:

Wrappers

GXF – General Exchange Format

MXF – Material Exchange Format

AAF – Advanced Authoring Format

QT – Quick Time

LXF – Leitch Exchange Format

WMF – Windows Media Format and others ……….

254

Metadata Essence

Wrapper

General Server Storage

• Hard Disk Interface Types

– SCSI

– IDE

– SATA

– Fiber Channel (FC)

• RAID Basics

• NAS Fundamentals

• SAN Architecture

255

Hard Disk Interface Types Data Transfer Rate (maximum)

• SCSI 160 MBps – 320 MBps

• IDE/ATA 100 MBps – 133 Mbps

• SATA 150 MBps – 300 Mbps

• FC 400 MBps

256

RAID Level Basics Redundant Array of Independent (Inexpensive) Disks

• RAID Technology:

– Striping

– Mirroring

– Parity

• Choosing a RAID Level:

– Cost

– Data Availability (protection)

– Performance (read/write)

• Levels:

– RAID 0

– RAID 1

– RAID 5

– RAID 10 (RAID 1 + 0)

– And many more……….

257

RAID Level Overview:

258

RAID Level 0

Data Blocks Stripped

No Redundancy

High Performance

BA

C

E

D

F

RAID Level 1

Data Blocks Mirrored

High Redundancy

Good Performance

AA

B

C

B

C

2 disks minimum

Usable Capacity = 100%

2 disks minimum

Usable Capacity = 50%

RAID Level Overview:

259

RAID Level 5

Data Blocks Stripped + Parity

Good Redundancy

Good Performance

BA

C

Parity

Parity

E

RAID Level 10 or “1 + 0”

Data Blocks Mirrored + Striped

High Redundancy

High Performance

Parity

D

F

BB

D

F

D

F

AA

C

E

C

E

“Most Popular Server Configuration”

3 – 16 disks

Usable Capacity = 67 – 94%

“Best Configuration – Mission Critical Aps”

4 disks minimum

Usable Capacity = 50%

NAS & SAN Architecture • Network Attached Storage NAS – Provides File System & Storage (stand alone) File Level Based - Shared Storage Over Shared Network

• Storage Area Network SAN – Provides Storage Only

Block Level Based - Shared Storage Over Dedicated Network

260

NAS

Server

File

Server

Workstation Clients

File

Server

Workstation Clients

Application

Server

Archive

TapeTape

Robot

SAN

RAID

Subsystem

Wireless Fidelity Networking

• 802.11 Standards – 802.11a 5 Ghz 54 Mbps (maximum)

– 802.11b 2.4 Ghz 11 Mbps

– 802.11g 2.4 Ghz 54 Mbps

– 802.11n 2.4/5 Ghz 600 Mbps

• Frequency Bands (ISM): – 2.4 Ghz 2.4-2.497 Ghz

– 5 Ghz 5.15 – 5.875 Ghz

• Wireless Security – WEP

– WPA

– WPA2 (802.11i)

261

Tutorial: http://www.radio-electronics.com/info/wireless/wi-fi/ieee-802-11-standards-tutorial.php

IEEE 802.11 Wi-Fi

262

802.11 802.11a 802.11b 802.11g 802.11n

Standardized 1997 1999 1999 2003 2010

Frequency 2.4 Ghz 5 Ghz 2.4 Ghz 2.4 Ghz 2.4/5 Ghz

Channels 3 <24 3 3 Variable

Modulation IR, FHSS, DSSS

OFDM DSSS DSSS/OFDM

DSSS, CCK, OFDM

Mbps 1,2 6,9,12,18,24,36,48,64

1,2,5.5,11 1,2,5.5,11 6,9,12,18,24,

36,48,64

>100 (MIMO

supported)

Modulation Legend:

IR – Infrared Radiation

FHSS – Frequency Hoping Spread Spectrum

DSSS- Direct Sequence Spread Spectrum

OFDM – Orthogonal Frequency Division Multiplexing

2.4 gHz Channels

263

5 gHz Channels

264

Practical Exercise Two Goals:

Summary of Practical Network Design Considerations CBNE Essay Question Prep

265

Thank You for Attending! Wayne M. Pecena Texas A&M University w-pecena@tamu.edu N1WP@tamu.edu 979.845.5662

266

? Questions ?