TRANSCRIPT
“IP Networking Technology for Broadcast Engineers”
with CBNE Study Topics
Wayne M. Pecena, CPBE, CBNE, Texas A&M University
Educational Broadcast Services – KAMU
September 24, 2015
“Networking Technology for Broadcast Engineers” with CBNE Study Topics
This presentation focuses on TCP/IP-based networking fundamentals in an
Ethernet environment. Topics include an understanding of networking
standards, the OSI model data flow layers, Ethernet Switching
fundamentals, IP Routing, TCP/IP & UDP, IPv4 Addressing, an Introduction
to IPv6, Network Design utilizing VLANs, and Networking Security
Concerns.
My Goals & Deliverables for Today:
- Provide an awareness of key IP networking topics
- Provide an understanding of key topic fundamentals and application
- Provide suggested network design best practices
- Provide study topics for the SBE CBNE exam
Today’s Outline:
• Introduction: IP Networking Models & Standards
• Data Flow Focus:
– Layer 1 – The Physical Infrastructure
– Layer 2 – Physical Addressing & Ethernet Switching
– Layer 3 – Virtual Addressing & IP Routing
– Layer 4 – TCP and UDP Transport
• LUNCH BREAK (12 noon)
• Building & Securing a Segmented IP Network Infrastructure
• Bonus Topics: IPv6
• Takeaways, Questions, and Maybe Some Answers
• Optional: CBNE Study Topics
Introduction: IP Networking Models & Standards
5 Things Required To Build a Network
• Send Host
• Receive Host
• Message or Data to Send Between Hosts
• Media to Interconnect Hosts
• Protocol to Define How Data is Transferred
Protocols (figure: Send Host – Media – Receive Host, with the DATA carried between them by a Protocol)
A Network is a Group of Host Devices That Share a Common Addressing Scheme
A Host is Any Device That Can Be Connected to That Network
Types of IP Packets on an IPv4 Network
• Unicast
– One Send Host TO One Receive Host
• Broadcast
– One Send Host TO ALL Hosts Within the Broadcast Domain (Network Segment)
• Multicast
– One Send Host TO Specific Hosts
Standards Organizations – De Jure & De Facto
• IETF – Internet Engineering Task Force
– The Internet Standard RFCs
• IEEE – Institute of Electrical & Electronic Engineers
– Ethernet & Wireless LAN Standards
• ISO – International Standards Organization
– OSI Reference Model
• ITU – International Telecommunications Union
– Global Telecommunications Standards (i.e., PSTN)
• EIA – Electronic Industries Association
– Focused on Physical Layer Standards
IETF – Internet Engineering Task Force
• Request for Comments – RFCs
– The “Standards Bible” of the Internet
– Used to Explain All Aspects of IP Networking
– Nomenclature “RFC xxxx”
• Requirement Levels:
– Required
– Recommended
– Elective
– Limited Use
– Deprecated / Not Recommended
www.rfc-editor.org/rfc.html
IEEE – Institute of Electrical & Electronic Engineers
• Project 802 Ethernet Standards:
– 802.1 Bridging
– 802.3 Ethernet
– 802.11 Wireless
http://standards.ieee.org/about/get/
The OSI Model – Open Systems Interconnection (OSI) Model
Developed by the International Organization for Standardization (ISO)
A Conceptual Model – Abstract in Nature – Modular in Structure
Provides “Layer Swapping” – Partitions Communications Function – Defines How Data Traverses From An Application to the Network
Open Systems Interconnection “OSI” Model (figure: the seven layers; the Networking Focus of this presentation is the lower layers)
7 Application – User Application Interaction
6 Presentation – Standardizes Data Encoding/Decoding/Compression/Encryption
5 Session – Tracks User Sessions, Inter-Host Communications
4 Transport – Manages End-End Connections: TCP, UDP, & Flow Control
3 Network – Provides Virtual Addressing (IP), Provides Internetwork Routing (path)
2 Data Link – Provides Network Access Control, Physical Address (MAC), & Error Detection
1 Physical – Interfaces to Physical Network, Moves Bits Onto & Off Network Medium
Intra-Layer Communications (figure: each layer on the send host communicates with the same layer on the receive host)
The Protocol Data Unit (figure: Layer / PDU)
Layer 4 – Segment: Source Port | Destination Port | Data
Layer 3 – Packet: Source IP | Destination IP | Protocol | Segment
Layer 2 – Frame: Destination MAC | Source MAC | EtherType | Packet | FCS
Layer 1 – Bit: 11010011010111101100101010010001000010101010101000011111111
Encapsulation – Data is “Encapsulated” As It Travels Through the “Stack” From Application
Encapsulation & De-Encapsulation (figure: the OSI layers on the send host and on the receive host, with the PDU built or stripped at each layer)
Application / Presentation / Session – Upper Level Data
Transport – Segment: TCP Header | Data
Network – Packet: IP Header | Data
Data Link – Frame: MAC Header | LLC Header | Data | FCS
Physical – Bits: 0110010111001000111000111010
TCP/IP Model or “TCP/IP Stack” (figure: OSI Model mapped to the TCP/IP Model; this presentation is TCP/IP over Ethernet focused)
OSI Application, Presentation, Session → TCP/IP Application
OSI Transport → TCP/IP Transport
OSI Network → TCP/IP Internet
OSI Data Link, Physical → TCP/IP Network Interface
Data Flow Focus: Layer 1 – The Physical Infrastructure
Ethernet Is the Standard Today!
• Conceptually Based Upon “ALOHA NET”
– Developed as a “Wireless” Network by Norman Abramson & colleagues
– Developed in 1968 & Deployed at the University of Hawaii in 1971
• Later Refined at Xerox PARC in 1973 to Become “Ethernet”
– Bob Metcalfe & David Boggs – “Fathers of Ethernet”
Ethernet Media Evolution (figure: Thicknet with Vampire Tap, Thinnet)
Topology Also Migrates from “Bus” to “Star” Based
A Sampling – Ethernet Types (figure)
Wireless Fidelity Networking
• Frequency Bands (ISM):
– 2.4 GHz: 2.4–2.497 GHz
– 5 GHz: 5.15–5.875 GHz
Data Flow Focus: Layer 2 – Physical Addressing & Ethernet Switching
Layer 2 is Unique! Contains 2 Sub-Layers (figure: the Data Link Layer split into the LLC and MAC sub-layers)
Logical Link Control Sub-Layer – LLC
- Flow Control
- Acknowledgment
- Error Check – CRC
Media Access Control Sub-Layer – MAC
- Access Control
- Frame Synchronization
- Addressing
Ethernet Media Access Control Protocol – Carrier Sense Multiple Access with Collision Detection – “CSMA/CD”
• CSMA/CD Process:
– Listen Before Sending
– Detect Collisions
– Jam Signal & Random Backoff
Ethernet Network Physical Addressing
• MAC Address – 6 Bytes – Hexadecimal Notation – 00:12:3F:8D:4D:A7
– Layer 2 Physical Address
– Fixed “Burned-in-Address” – Assigned by NIC Mfg.
– Local in Scope
Simplified Representation (figure: an Ethernet Frame carrying an IP Packet)
Ethernet Frame: Destination MAC FF:FF:FF:FF:FF:FF | Source MAC 00:12:3F:8D:4D:A7 | IP Packet | Trailer
IP Packet: Source IP 172.15.1.1 | Destination IP 172.15.2.2 | DATA
The Ethernet Frame
– The Ethernet Frame Comes in Flavors:
• 802.3 “Raw” – Early Novell Netware IPX
• 802.2 LLC – IEEE 802.2
• Ethernet SNAP – IPX, AppleTalk v2
• Ethernet II (DIX) – TCP/IP
Frame layout: Preamble | Header | Payload | FCS – 64 byte minimum
Multiple Frame Types Can Coexist on a Network
The Layer 2 Ethernet II (DIX) Frame
An Ethernet II (DIX) Frame (figure):
Preamble – 8 BYTES
Destination Address – 6 BYTES
Source Address – 6 BYTES
Type – 2 BYTES
Data – 46–1500 BYTES, VARIABLE
CRC – 4 BYTES
64 Byte Minimum – 1518 Byte Maximum
Invalid FRAME Lengths:
< 64 BYTES = “RUNT” FRAME
> 1518 BYTES = “GIANT” FRAME
Note – Preamble Not Used in Frame Length Calculation
Be Aware That Other Frame Types Exist!
MAC Address Formats – Always 48 Bits – Expressed as Hexadecimal
Media Access Control (MAC) Address (figure: 6 Bytes = 48 bits)
Bytes 1–3 (24 bits, 6 hexadecimal digits) – Organization Unique Identifier “OUI”
Bytes 4–6 (24 bits, 6 hexadecimal digits) – Network Interface Controller “NIC”, Mfg. Assigned
Example: A4:67:06 AB:41:D5 – OUI A4:67:06 = Apple, Inc.
Can Be Represented in Several Formats:
00:A0:C9:14:C8:29
00-A0-C9-14-C8-29
00A0.C914.C829
http://www.wireshark.org/tools/oui-lookup.html
http://standards.ieee.org/develop/regauth/oui/public.html
Ethernet Switch Functions
• Learn MAC Addresses
• Filter Ethernet Frames
• Forward Ethernet Frames
• Flood Ethernet Frames
• Allow Redundancy (Avoid loops where redundant links exist)
• Can Provide Port Security Features
Frame Flow Through Network (figure: HOST A and HOST B, each with a full OSI stack, connected through intermediate devices that operate at the Physical and Data Link layers)
Hosts and interfaces in the figure (MAC / IP):
00:06:5B:01:02:03 / 192.168.1.101 (HOST A)
00:06:5B:11:22:33 / 192.168.1.104 (HOST B)
00:00:0C:C1:00:01 / 192.168.1.102
00:00:0C:C1:00:30 / 192.168.1.103
00:00:0C:C1:00:20 / 192.168.100.102
00:00:0C:C1:00:10 / 192.168.100.101
The frame at three points along the path (Destination MAC | Source MAC | Source IP | Destination IP; each also carries PRE, TYPE, DATA, and CRC):
00:00:0C:C1:00:01 | 00:06:5B:01:02:03 | 192.168.1.101 | 192.168.1.104
00:00:0C:C1:00:20 | 00:00:0C:C1:00:10 | 192.168.1.101 | 192.168.1.104
00:06:5B:11:22:33 | 00:00:0C:C1:00:30 | 192.168.1.101 | 192.168.1.104
MAC Address Changes As Frame Passes Through the Network
Managed vs Un-Managed Ethernet Switches
• Managed Switch – User Configurable
– Provides Ability to Control & Monitor Host Communications
– Port Configuration , Security, & Monitoring
– VLAN Implementation
– Redundancy Supported (STP)
– QoS (Prioritization) Implementation
– Port Mirroring
• Un-Managed Switch – Fixed Configuration
– “Plug & Play”
– Provides Basic Host Communications
– Cheaper
Simplified Ethernet Switch Internals (figure: Port ASICs, each with a Buffer and optional POE Insertion, attached to the Switch Fabric (backplane); a CPU with the MAC Table (CAM) and Processing)
Power Over Ethernet – PoE
• Allows Data & DC Power To Be Carried on the Same UTP Cable
• IEEE Standardized:
– 802.3af – 13 W device power (minimum 44 V DC and 350 mA)
– 802.3at “PoE+” – 25 W device power
• Power Sourcing Equipment:
– PoE Compliant Switch
– PoE Injectors
Learning a MAC Address (figure: four hosts, 08-3e-8e-11-11-11 through 08-3e-8e-44-44-44, on switch ports A1–A4)
Switch MAC Address Table – “Content Addressable Memory (CAM) Table”
MAC ADDRESS        PORT
08-3e-8e-22-22-22  A2
08-3e-8e-11-11-11  A1
08-3e-8e-33-33-33  A3
08-3e-8e-44-44-44  A4
A Real MAC Address Table (figure)
NOTE
VLAN 1 is Special
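The learn / filter / forward / flood behaviour and the port security feature listed above, as an added Python example (not from the presentation): a small model of a switch's CAM table. Port names and MAC addresses are the constructed ones from the slide; the one-MAC-per-port limit is an assumed port-security setting.

```python
# Added example (not from the presentation): a minimal Ethernet switch model.
# Ports A1-A4 and the 08-3e-8e-xx-xx-xx MACs are the slide's constructed values.
from collections import OrderedDict

BROADCAST = "ff-ff-ff-ff-ff-ff"


def is_group_address(mac):
    """Broadcast and multicast MACs have the low bit of the first byte set."""
    return int(mac.split("-")[0], 16) & 1 == 1


class Switch:
    """Learn source MACs, then filter, forward or flood each frame.
    max_macs_per_port is an assumed port-security setting."""

    def __init__(self, ports, max_macs_per_port=1):
        self.ports = list(ports)
        self.cam = OrderedDict()          # MAC -> port: the CAM table
        self.max_macs = max_macs_per_port
        self.violations = []              # (port, mac) pairs that tripped port security

    def macs_on(self, port):
        return {mac for mac, p in self.cam.items() if p == port}

    def learn(self, src_mac, in_port):
        """Record src_mac on in_port; False means a port-security violation."""
        if self.cam.get(src_mac) == in_port:
            return True                                   # already known on this port
        if len(self.macs_on(in_port)) >= self.max_macs:
            self.violations.append((in_port, src_mac))    # too many MACs behind one port
            return False
        self.cam[src_mac] = in_port                       # new host, or a host that moved
        return True

    def forward(self, src_mac, dst_mac, in_port):
        """Return the egress port list for one frame (empty list = not sent anywhere)."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        if not self.learn(src_mac, in_port):
            return []                                     # violation: frame dropped
        if is_group_address(dst_mac) or dst_mac not in self.cam:
            return [p for p in self.ports if p != in_port]   # flood: broadcast or unknown unicast
        out_port = self.cam[dst_mac]
        if out_port == in_port:
            return []                                     # filter: destination is on the same port
        return [out_port]                                 # forward: known destination


def demo():
    """Constructed traffic for the four hosts on ports A1-A4 from the slide."""
    sw = Switch(["A1", "A2", "A3", "A4"])
    host = {i: f"08-3e-8e-{i}{i}-{i}{i}-{i}{i}" for i in "1234"}
    sw.forward(host["1"], host["2"], "A1")     # dst unknown: flooded, 11-11-11 learned on A1
    sw.forward(host["2"], host["1"], "A2")     # reply: forwarded to A1 only, 22-22-22 learned
    sw.forward(host["3"], BROADCAST, "A3")     # broadcasts are always flooded
    sw.forward(host["4"], BROADCAST, "A4")
    return sw
```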
Virtual Local Area Network – VLAN
• Allows Separation or Segmentation of Networks Across a Common Physical Media
– Creates a Subset of a Larger Network
– VLAN Control of Broadcast Domains – Each VLAN is a Broadcast Domain
– Architecture Flexibility
– Security
• Static Port-Based VLAN(s) – Most Popular
– Manual Configuration
– Switch Port Security Features
• Dynamic Port-Based VLAN(s):
– MAC-Based VLAN(s) • Assignment Based Upon MAC Address
– Protocol-Based VLAN(s) • Assignment Based Upon Protocol
Traffic Segmentation – VLAN Creation
• Segmentation Based Upon:
– Geographic
– Traffic Patterns
– Security
– Traffic Type
– Administrative Policy / Regulation
VLAN Example (figure)
Switch Port Type Configuration:
Cisco Terminology
– Access Link – Member of One VLAN Only – Connects to a Host
– Trunk Link – Carries Traffic From Multiple VLANs Between Switches
HP Terminology
– Untagged Port – Member of One VLAN Only – Connects to a Host
– Tagged Port – Carries Traffic From Multiple VLANs Between Switches
Switch Interface Configuration (figure: Switch 1, Switch 2, and Switch 3; the inter-switch interfaces are configured TRUNK / TAGGED, one carrying the Blue and Green VLANs and the other the Blue, Red, and Green VLANs; the host-facing interfaces are Access / Un-Tagged)
Broadcast Domains (figure: Red VLAN, Green VLAN, Blue VLAN)
No Connectivity Exists Between Broadcast Domains, Networks, or Subnets!
Adding the VLAN Tag (figure)
ETHERNET FRAME: PREAMBLE | DESTINATION MAC ADDRESS | SOURCE MAC ADDRESS | TYPE | DATA | CRC
802.1Q ETHERNET FRAME: PREAMBLE | DESTINATION MAC ADDRESS | SOURCE MAC ADDRESS | TAG | TYPE | DATA | CRC
802.1Q TAG – 4 bytes: TPID “0X8100” | PRI | CFI | VLAN ID
VLAN ID = 12 bits Yields
4,096 Possible VLAN(s)
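The Ethernet II frame layout, the MAC/OUI split and the 802.1Q tag described above, worked in an added Python example (not from the presentation): it builds a constructed frame, verifies the FCS, splits the tag into PRI, CFI and VLAN ID, and applies the runt/giant length checks. The MAC addresses are the ones from the slides; the FCS as CRC-32 and the preamble being already stripped by the NIC are the example's assumptions.

```python
# Added example (not from the presentation): build and parse Ethernet II frames,
# with and without an 802.1Q tag. Sample MACs are the slides' values.
import struct
import zlib

TPID_8021Q = 0x8100
MIN_FRAME = 64          # destination MAC through FCS; the preamble is not counted
MAX_FRAME = 1518        # untagged; an 802.1Q tag adds 4 bytes


def mac_str(raw, sep=":"):
    return sep.join(f"{b:02X}" for b in raw)


def mac_bytes(text):
    """Accept the colon, dash and dotted formats shown on the MAC address slide."""
    return bytes.fromhex(text.replace(":", "").replace("-", "").replace(".", ""))


def build_frame(dst, src, ethertype, payload, vid=None, pri=0, cfi=0):
    """Constructed frame builder for this example: what a NIC would put on the
    wire after the preamble. Pads to the 64-byte minimum and appends the FCS."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        tci = (pri << 13) | (cfi << 12) | (vid & 0x0FFF)      # 3 + 1 + 12 bits
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    body = hdr + struct.pack("!H", ethertype) + payload
    body = body.ljust(MIN_FRAME - 4, b"\x00")                 # pad so body + FCS >= 64
    return body + struct.pack("<I", zlib.crc32(body))          # FCS: CRC-32 over dst..pad


def parse_frame(frame):
    """Return header fields, VLAN tag (if present) and payload of one frame."""
    if len(frame) < MIN_FRAME:
        raise ValueError(f"runt frame: {len(frame)} bytes")
    if zlib.crc32(frame[:-4]) != struct.unpack("<I", frame[-4:])[0]:
        raise ValueError("FCS error: frame corrupted in transit")
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    offset, max_len = 14, MAX_FRAME
    info = {"dst": mac_str(dst), "src": mac_str(src),
            "src_oui": mac_str(src[:3]), "vlan": None}
    if ethertype == TPID_8021Q:                                # tag present: TPID then TCI
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        info["vlan"] = {"pri": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset += 4
        max_len += 4
    if len(frame) > max_len:
        raise ValueError(f"giant frame: {len(frame)} bytes")
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:-4]                         # includes any padding
    return info
```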
VLAN Configurations (figure: Physically Separate Networks – LAN #1 and LAN #2, each with its own switches and Inter-Switch Links – versus a VLAN Implementation – VLAN #1 and VLAN #2 on every switch, joined by “Trunk” or “Tagged” Inter-Switch Links carrying VLAN #1 & #2, with a single connection to the Internet)
Spanning Tree Protocol “STP” Prevents a “Broadcast Storm”
Switched Topology Example (figure: Switches A, B, C, D, and E with redundant links) and the Active Topology After Spanning Tree Example (the same switches with the looping links blocked)
STP Operation: 1 - Determine Root Bridge
2 - Select Root Port
3 - Select Designated Ports
4 - Block Ports with Loops
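The four STP steps above, as an added Python example (not from the presentation): bridge IDs, root election, root ports, designated ports and blocked ports computed for a constructed three-switch loop. Bridge MACs, priorities and link costs are constructed; the tie-break on lower bridge ID follows 802.1D.

```python
# Added example (not from the presentation): the four STP steps over a
# constructed topology. Bridge priorities, MACs and path costs are made up.
import heapq


def bridge_id(priority, mac):
    """802.1D bridge ID: 2-byte priority followed by the 6-byte MAC; lowest wins."""
    return (priority, mac.lower())


def spanning_tree(bridges, links):
    """bridges: {name: (priority, mac)}; links: [(bridge_a, bridge_b, path_cost)],
    one entry per LAN segment, identified by its list index.
    Returns (root, root_path_cost, roles) with roles[bridge][segment] in
    {'root', 'designated', 'blocked'}."""
    ids = {n: bridge_id(*v) for n, v in bridges.items()}
    root = min(ids, key=ids.get)                         # 1 - lowest bridge ID is root
    adj = {n: [] for n in bridges}
    for seg, (a, b, c) in enumerate(links):
        adj[a].append((b, c, seg))
        adj[b].append((a, c, seg))
    cost = {n: float("inf") for n in bridges}
    cost[root] = 0
    via, root_port = {}, {}
    heap = [(0, ids[root], root)]
    while heap:                                           # 2 - least-cost path to the root
        c, _, n = heapq.heappop(heap)
        if c > cost[n]:
            continue
        for m, link_cost, seg in adj[n]:
            nc = c + link_cost
            # equal-cost paths: prefer the lower upstream bridge ID, as STP does
            if nc < cost[m] or (nc == cost[m] and ids[n] < ids[via[m]]):
                cost[m], via[m], root_port[m] = nc, n, seg
                heapq.heappush(heap, (nc, ids[m], m))
    roles = {n: {} for n in bridges}
    for seg, (a, b, _) in enumerate(links):
        # 3 - designated port: the end with the lowest (root path cost, bridge ID)
        designated = min((a, b), key=lambda n: (cost[n], ids[n]))
        for n in (a, b):
            if root_port.get(n) == seg:
                roles[n][seg] = "root"
            elif n == designated:
                roles[n][seg] = "designated"
            else:
                roles[n][seg] = "blocked"                # 4 - this port would close a loop
    return root, cost, roles
```

A bridge announcing a lower priority than the intended root takes over the tree; that is why access ports facing end hosts are normally protected with the switch's BPDU guard / root guard features rather than left to this election.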
Data Flow Focus: Layer 3 – Virtual Addressing & IP Routing
IP Network Virtual Addressing
• IPv4 Address – 4 Bytes – Dotted Decimal Notation – 172.15.1.1
– Layer 3 Logical Address
– Can Change – Determined by Network – Assigned by User
– Global in Scope
Simplified Representation (figure: the same Ethernet Frame / IP Packet figure as in the Layer 2 section)
IP Addressing “Rules”
• Each Network MUST Have a Unique Network ID
• Each Host MUST Have a Unique Host ID
• Every IP Address MUST Have a Subnet Mask
– Implied for a Classful Network
– Explicitly Stated for a Classless Network
• An IP Address Must Be Unique Globally If the Host Is on the Public Internet
The IPv4 Address
• 32-Bit Binary Address and 32-Bit Binary Mask
• 2^32 Yields 4,294,967,296 Addresses
• 32 Bits Divided Into Four (4) Octets or Bytes
• Expressed in “Dotted Decimal” Notation
32-bit IP Address 192.168.100.254 (4 Bytes):
Octet 1   Octet 2   Octet 3   Octet 4
192       168       100       254
11000000  10101000  01100100  11111110
2-Part IPv4 Address: the Subnet Mask Determines which bits are the Network Address and which are the Host Address
IPv4 Address Classes (32 bits = 8 bits + 8 bits + 8 bits + 8 bits)
Class A – NETWORK | HOST | HOST | HOST
Class B – NETWORK | NETWORK | HOST | HOST
Class C – NETWORK | NETWORK | NETWORK | HOST
Class D – Multicast
Class E – Experimental
IPv4 “Default” Mask
Class A – 8 Network bits / 24 Host bits – Default Mask: 255.0.0.0
Class B – 16 Network bits / 16 Host bits – Default Mask: 255.255.0.0
Class C – 24 Network bits / 8 Host bits – Default Mask: 255.255.255.0
Classful IPv4 Addressing
                         Class A                Class B                   Class C
First Octet Range        1 – 127                128 – 191                 192 – 223
Default Mask             255.0.0.0              255.255.0.0               255.255.255.0
Network Bits             8                      16                        24
Host Bits                24                     16                        8
Available Networks       126                    16,384                    2,097,152
Available Hosts/Network  16,777,214             65,534                    254
Network Range            1.0.0.0 – 127.0.0.0    128.0.0.0 – 191.255.0.0   192.0.0.0 – 223.255.255.0
VLSM – RFC 1009
• Variable Length Subnet Masking (VLSM)
– Host Addressing & Routing Inside a Routing Domain
– Allowed “Classless” Subnetting • Mask Information is Explicit – Must Be Specified
– Allows More Efficient Use of Address Space – Tailor Address Space to Fit Network Needs
– Allows You to Subnet a Subnet • Subnetting “Borrows” Host Bits to Create More Networks
VLSM Allows the Mask To Be Moved (figure)
VLSM • Allows Mask to Be Determined on a “Bit Basis”
– Remember: Classful Addressing Specified the Network/Host Boundary
– Classless Addressing Allows the Network/Host Boundary to Be Specified at an Individual Bit
(figure: Octets 1–4 with the classful A, B, C boundaries versus a 19-bit Subnet Mask = 255.255.224.0, which places the Network/Host boundary inside Octet 3)
CIDR – RFC 1517, 1518, 1519, 1520
• Classless Interdomain Routing (CIDR)
– Class System No Longer Applies
– Routing Between Routing Domains
– Allows “Supernets” To Be Created
• Combining a Group of Class C Addresses Into a Single Block
– CIDR Notation (“slash” notation): 192.168.100.254 /19
Mask: 11111111.11111111.11100000.00000000 = 255.255.224.0
IPv4 Address Mask Formats
Classful Addressing: 192.168.100.254 (Implied Mask 255.255.255.0)
VLSM Addressing: 192.168.100.254 255.255.224.0 (Explicit Mask 255.255.224.0)
CIDR Notation: 192.168.100.254 /19 (the Number of Mask Bits)
IPv4 Address Subnet Mask Example “VLSM” – Each IP Address Must Have a Subnet Mask to Define the Network and the Host
32-Bit Subnet Mask – Expressed in Decimal as (4) 8-bit Octets using “Dotted Decimal Notation”
IP Address: 192.168.100.254 /19 or 255.255.224.0
Address: 11000000.10101000.01100100.11111110
Mask:    11111111.11111111.11100000.00000000 (19 Network bits | 13 Host bits)
IPv4 Address Block Size Based Upon 2^n
Bit weights within an octet, MSB to LSB: 128 64 32 16 8 4 2 1
All Valid IPv4 Subnet Masks
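The /19 worked example above, done at the bit level in an added Python example (not from the presentation) so the network/host boundary inside octet 3 is visible; it also derives the classful implied mask, rejects non-contiguous masks, and lists all 33 valid masks. The function names are the example's own.

```python
# Added example (not from the presentation): IPv4 subnet arithmetic on the raw
# 32-bit values, no ipaddress module, so every step of the slide is visible.


def ip_to_int(dotted):
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_bits(n):
    """Dotted binary, one 8-bit octet per group, leading zeros kept."""
    return ".".join(f"{(n >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix):
    """/19 -> 0xFFFFE000: the top `prefix` bits set, the host bits clear."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(dotted_mask):
    """Accept only masks whose 1 bits are contiguous from the left."""
    m = ip_to_int(dotted_mask)
    ones = bin(m).count("1")
    if prefix_to_mask(ones) != m:
        raise ValueError(f"non-contiguous mask: {dotted_mask}")
    return ones


def classful_prefix(address):
    """Implied mask length of the classful address classes (A, B, C)."""
    first = ip_to_int(address) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("class D/E addresses have no default mask")


def subnet_info(address, prefix=None):
    """Network, broadcast and host range of address/prefix; with no prefix the
    classful implied mask is used."""
    if prefix is None:
        prefix = classful_prefix(address)
    a, m = ip_to_int(address), prefix_to_mask(prefix)
    net = a & m                              # network address: host bits cleared
    bcast = net | (~m & 0xFFFFFFFF)          # broadcast address: host bits set
    host_bits = 32 - prefix
    return {
        "address": address,
        "prefix": prefix,
        "mask": int_to_ip(m),
        "network": int_to_ip(net),
        "broadcast": int_to_ip(bcast),
        "first_host": int_to_ip(net + 1) if host_bits >= 2 else None,
        "last_host": int_to_ip(bcast - 1) if host_bits >= 2 else None,
        "host_bits": host_bits,
        "usable_hosts": 2 ** host_bits - 2 if host_bits >= 2 else 0,
        "address_bits": to_bits(a),
        "mask_bits": to_bits(m),
    }


def all_valid_masks():
    """The 33 valid dotted-decimal masks, /0 through /32."""
    return [int_to_ip(prefix_to_mask(p)) for p in range(33)]
```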
Private IPv4 Address Space • RFC 1918 Established “Private” Address Space
– Class A: 10.0.0.0 to 10.255.255.255
– Class B: 172.16.0.0 to 172.31.255.255
– Class C: 192.168.0.0 to 192.168.255.255
• Private Address Space or “1918 Space”:
– Private IP Address Space Is NOT Routable to the Global Internet
– Widely Used:
• Hide Host IP Address – “Security by Obscurity”
• Minimize Public IP Use
– May Be Translated With Network Address Translation (NAT) Techniques:
• One-to-One Network Address Translation (NAT) – Static & Dynamic
• Many-to-One Port Address Translation (PAT)
Network Address Translation – NAT – RFC 3022
(figure: Inside Network (private) with RFC 1918 Addressed Hosts – Gateway Router w/ NAT Services – Outside Network, Public Address Space (Usually))
• NAT Allows a Host Without a Valid Public IP Address to Communicate With a Host That Has a Public IP Address by Simply Changing the IP Addresses as the Packet Passes Through the NAT Device
• Why Use?
– Conserve Public IP Address Space
– Security by Obscurity (hide actual host IP address)
• NAT Types:
– Static – One-to-One Translation
– Dynamic – Pool of Public Addresses Made Available to Outbound Client Traffic
– NAT Overloading or Port Address Translation (PAT) – Translates to a Single Public IP by Use of a Unique Port Number
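The PAT behaviour described above, as an added Python example (not from the presentation): a gateway that rewrites outbound flows to one public address with a unique port, reverses the mapping for replies, and has no mapping for unsolicited inbound packets, which is all the "security by obscurity" amounts to. The public address 203.0.113.10 and the 198.51.100.x hosts are constructed documentation addresses; the inside network 192.168.1.0/24 is assumed.

```python
# Added example (not from the presentation): NAT overloading / PAT with a
# constructed inside network and constructed public addresses.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PATGateway:
    """Many-to-one NAT: each inside (ip, port) flow is rewritten to the single
    public IP plus a unique public port; replies are mapped back by that port."""

    def __init__(self, public_ip, inside_network, first_port=1024):
        self.public_ip = public_ip
        self.inside = ipaddress.ip_network(inside_network)
        self.next_port = first_port
        self.outbound_map = {}   # (inside ip, inside port, proto) -> public port
        self.inbound_map = {}    # (public port, proto) -> (inside ip, inside port)

    def is_inside(self, ip):
        return ipaddress.ip_address(ip) in self.inside

    def outbound(self, pkt):
        """Inside -> outside: allocate (or reuse) a public port, rewrite the source."""
        if not self.is_inside(pkt.src_ip):
            raise ValueError(f"{pkt.src_ip} is not an inside address")
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        if key not in self.outbound_map:
            if self.next_port > 65535:
                raise RuntimeError("public port pool exhausted")
            port, self.next_port = self.next_port, self.next_port + 1
            self.outbound_map[key] = port
            self.inbound_map[(port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.outbound_map[key],
                      pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Outside -> inside: only a packet that matches an existing mapping is
        translated; anything else (an unsolicited connection attempt) has no
        inside destination and is dropped (None)."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.inbound_map.get((pkt.dst_port, pkt.proto))
        if target is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1], pkt.proto)
```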
Special Use “Reserved” IPv4 Address Space – RFC 5735
• 0.0.0.0/8 – Network Address “This Network or Wire Address”
• 10.0.0.0/8 – Private IP Address Space (RFC 1918)
• 127.0.0.0/8 – Loopback Address
• 169.254.0.0/16 – IETF Zero Configuration Address Space (RFC 3927)
• 172.16.0.0/16 – Private IP Address Space (RFC 1918)
• 192.168.0.0/16 – Private IP Address Space (RFC 1918)
• 224.0.0.0/4 – Multicast Address Space
• 240.0.0.0/4 – Experimental Address Space
• 255.255.255.255/32 – Broadcast Address
Yields About 3.7 Billion “Useable” IPv4 Addresses
The IPv4 “Loop Back” Address
• What is Special About 127.0.0.1?
– Known as a “Loop-Back” Address
– Actually Any 127.0.0.0/8 Address Works, i.e., the Range 127.0.0.1 to 127.255.255.255
• Useful to Test the Local IP Stack and Network Adapter
Primary TCP/IP System Protocols:
• ARP – Address Resolution Protocol
– Maps an IP Address to a MAC Address
• DHCP – Dynamic Host Configuration Protocol
– Provides Host IP Configuration Information
• DNS – Domain Name System
– Translates a Host Name to an IP Address
• ICMP – Internet Control Message Protocol
– The “Tattle Tale” Protocol
ICMP – Internet Control Message Protocol
• Network Layer Based – RFC 1256 – The “Tattle Tale” Protocol
• Common Messages:
– Destination Unreachable
– Buffer Full
– Hops or Time Exceeded (TTL)
• Common Uses:
– Ping
– Traceroute
Routing
• Routing is Simply Moving Packets Between Different Networks (Subnets or Broadcast Domains): a “Routing” Protocol Determines the “Best Route” to the Destination for a “Routed” Protocol.
• OSI Model Layer 3 Defined Inter-Networking Process
• Routing Types:
– Static Routing
– Dynamic Routing
• Routing Protocol Classes:
– Interior Gateway Protocol (IGP)
– Exterior Gateway Protocol (EGP)
Broadcast Domains (figure: Red VLAN, Green VLAN, Blue VLAN)
No Connectivity Exists Between Broadcast Domains, Networks, or Subnets!
Add Connectivity Between Broadcast Domains – Add Router (figure: the Red, Green, and Blue VLANs become Network #1, Network #2, and Network #3, each attached to its own router interface – GE0, GE1, GE2 – with FE0 as a further interface)
Packet Flow Through Network (figure: the same HOST A, HOST B, addresses, and three frame snapshots as in “Frame Flow Through Network” above)
IP Address Does Not Change As Packet Passes Through the Network (except if NAT is involved)
Routing Types
• Static Routing
– Appropriate for Small & Simple Networks
– Minimal Router CPU/Memory
– No Routing Update Overhead
– Appropriate for Stable Networks
– Often Used in “Stub” Networks
– Human Intervention / Administration Required
• Dynamic Routing
– Appropriate for Changing Topology Environments
– Automatically Adapts to Changes
– Desirable When Multiple Paths Exist
– More Scalable
– Hardware More Complex
– Less Prone to Configuration Error
Dynamic Routing Categories
• Distance Vector Routing Protocol
– Periodic Routing Table Updates
– “Distance” Used as a Metric
– Neighbors “Trust” Neighbors
– Slow Convergence
• Link State Routing Protocol
– Routing Table Updates As Changes Occur
– Maintains Neighbor, Topology, & Shortest-Path Tables
– Each Router Updates From All Others
– “Cost” Used as a Metric
Routing Metrics & Administrative Distance – Determines The Best Path to Target Host
• Cost Metrics:
– Hop Count – The Number of Routers in a Path
– Bandwidth – Throughput (bps)
– Load – Traffic Flowing Through a Router
– Delay – Network Latency (distance or congestion)
– Reliability – Amount of Downtime of a Network Path
• Administrative Distance
– Indicates Believability of the Route
– Often Used When Multiple Protocols Are Used
– Often Used to Prefer A Certain Path When Multiple Paths Exist
– Routing Protocols Have Default Administrative Distances
Smaller Metric = Best Route
Lower Administrative Distance = More Believed
Hop Count May Not Be The Best Metric! (figure: alternative paths built from Ethernet 100 Mbps, DS-3 45 Mbps, and T1 1.54 Mbps links)
The Routing Protocol
• Learn the route to each subnet in the internetwork (build routing table)
• Determine the “best” route (one route)
• Remove routes that are no longer valid
• Update routing table to reflect changes
• Perform updates quickly
• Prevent routing loops
The Routing Table • Each Router Maintains Its Own Routing Table
• Routing Table Contents:
– Destination Network
– Cost and/or Metric
– Gateway or Next Hop Address
• Route Types:
– Directly Connected
– Remote Routes
Simplified Routing Table Example (figure): Destination Network | Next Hop Address | Metric
Routing Table Examples (figure: Router A – Router B – Router C in line; network 172.16.0.0/24 (gateway 172.16.0.1) attached to Router A and network 172.16.2.0/24 (gateway 172.16.2.1) attached to Router C; the A–B link uses 172.16.1.1/30 and 172.16.1.2/30, the B–C link 172.16.1.6/30 and 172.16.1.7/30)
Router B Routing Table:
Destination Network | Next Hop Address | Metric
172.16.0.0/24       | 172.16.1.1/30    | 0
172.16.2.0/24       | 172.16.1.7/30    | 0
Static Routing – Table Manually Entered
Dynamic Routing – Table Generated by Routing Updates from All Routers: Router A sends Network 172.16.0.0/24, Router B sends Network 172.16.2.0/24
Second routing table in the figure:
Destination Network | Next Hop Address | Metric
172.16.0.0/24       | 172.16.1.6/30    | 100
172.16.2.0/24       | 172.16.2.1/24    | 0
Host IP Configuration on 172.16.2.0/24: 172.16.2.2, 255.255.255.0 mask, 172.16.2.1 default gateway
IGP and EGP Protocols (figure: Interior Gateway Protocols – RIP, IGRP, EIGRP, OSPF, IS-IS – run inside each routing domain; an Exterior Gateway Protocol – BGP – runs between the domains)
Routing Protocol Choices – “Most Popular”
           Interior Distance Vector | Interior Link State | Exterior Path Vector
Classful   RIP, IGRP                |                     | EGP
Classless  RIP v2, EIGRP            | OSPF v2, IS-IS      | BGP v4
IPv6       RIPng, EIGRP v6          | OSPF v3, IS-IS v6   | BGP v4
Our Focus (figure annotation): the classless interior protocols
RIP v2 – Routing Information Protocol – RFC 1388
• Advantages:
– Simple – Easy to Configure
– Low Maintenance
– Generally Understood
• Disadvantages:
– Higher Router CPU Utilization
– High Bandwidth Use for Routing Updates
– No Knowledge of Link Bandwidth
– Slow Convergence
– Limited Network Size (hop count = 15)
OSPF v2 – Open Shortest Path First – RFC 2328
• Advantages:
– Fast Convergence
– Routing Updates Are Small
– Scales to Varying Network Sizes
– Considers Link Bandwidth in the Metric Calculation
• Disadvantages:
– More Knowledge Required – A Lot of Options
– Complex to Configure
EIGRP v4 – Enhanced Interior Gateway Routing Protocol – CISCO Proprietary
• Advantages:
– Fast Convergence
– No OSPF Area Assignments = Less Complex
– Complex Cost Metric: • Bandwidth • Delay • Reliability • Utilization
• Disadvantages:
– More Knowledge Required – A Lot of Options
– Need “Cisco” Environment
Practical Routing Protocol Choices – “Common” IGP Protocols – VLSM Support
                          RIP v2                         EIGRP (Cisco)                          OSPF v2
Type:                     Distance Vector                Hybrid                                 Link-State
Metric:                   Hop Count                      Bandwidth/Delay                        Cost
Administrative Distance:  120                            90                                     110
Hop Count Limit:          15                             224                                    None
Convergence:              Slow                           Fast                                   Fast
Updates:                  Full Table Every 30 Seconds    Send Only Changes When Change Occurs   Send Only When Change Occurs, But Refreshed Every 30m
RFC Reference: RFC 1388 N/A RFC 2328
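The route selection rules above (lowest administrative distance, then lowest metric) and the RIP hop-count limit from the comparison table, as an added Python example (not from the presentation): a routing table that keeps candidates from several protocols, installs one route per destination, and forwards by longest-prefix match. The addresses reuse the Router A/B/C example; the connected and static distances are assumed vendor defaults.

```python
# Added example (not from the presentation): best-route selection and forwarding
# lookup. Addresses are the slides' 172.16.x.x example; AD values for RIP, EIGRP
# and OSPF are from the comparison table, connected/static are assumed defaults.
import ipaddress
from dataclasses import dataclass

ADMIN_DISTANCE = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}
RIP_INFINITY = 16        # a RIP hop count of 16 means unreachable (limit is 15)


@dataclass(frozen=True)
class Route:
    network: str         # e.g. "172.16.0.0/24"
    next_hop: str
    source: str          # key into ADMIN_DISTANCE
    metric: int


class RoutingTable:
    def __init__(self):
        self.candidates = {}   # ip_network -> [Route, ...] learned from every source

    def learn(self, route):
        """Add a candidate route; RIP routes at or beyond 16 hops are discarded."""
        if route.source not in ADMIN_DISTANCE:
            raise ValueError(f"unknown route source {route.source}")
        if route.source == "rip" and route.metric >= RIP_INFINITY:
            return False
        net = ipaddress.ip_network(route.network)
        self.candidates.setdefault(net, []).append(route)
        return True

    def withdraw(self, network, source):
        """Remove routes for `network` learned from `source` (a route that is no longer valid)."""
        net = ipaddress.ip_network(network)
        kept = [r for r in self.candidates.get(net, []) if r.source != source]
        if kept:
            self.candidates[net] = kept
        else:
            self.candidates.pop(net, None)

    def best(self, net):
        """Install one route per destination: lowest AD first, then lowest metric."""
        return min(self.candidates[net],
                   key=lambda r: (ADMIN_DISTANCE[r.source], r.metric))

    def table(self):
        return {str(net): self.best(net) for net in sorted(self.candidates)}

    def lookup(self, dst_ip):
        """Forwarding decision: longest-prefix match among installed routes."""
        ip = ipaddress.ip_address(dst_ip)
        matches = [net for net in self.candidates if ip in net]
        if not matches:
            return None
        return self.best(max(matches, key=lambda n: n.prefixlen))
```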
What Is A “Layer 3” Switch? • IMHO “Marketing Terminology” Applied to a One-Box Solution:
– OSI Model Defines Layer 2 Switching
– OSI Model Defines Layer 3 Routing
• A “Layer 3 Switch” Incorporates Both!
• Multilayer Switch Port Types:
– Switchport: Layer 2 Port – MAC Addresses Learned
– Layer-3 Port: Routing Port
– Switched Virtual Interface: VLAN Virtual Interface
• Not for All Environments:
– Limited to Ethernet Ports/Interfaces
– Limited to OSPF and RIP Protocols
(figure: two hosts with full OSI stacks connected through devices operating at the Physical and Data Link layers and devices that also operate at the Network layer)
Collision Domains & Broadcast Domains (figure: a Router joining three networks built from Switches and a Hub; the port labels show speed and duplex – 1000 Full, 100 Full, 10 Half, and “100 – Full Capable” – with each Broadcast Domain and Collision Domain outlined)
3 Broadcast Domains
11 Collision Domains
When to Route – When to Switch?
Route to Limit a Broadcast Domain or Provide Interoperability Between Networks
Switch to Create a Zero Collision Domain
Data Flow Focus: Layer 4 – TCP and UDP Transport
TCP Basics – Transmission Control Protocol – RFC 675 and later v4 in RFC 793
• “Connection-Oriented” Protocol
– Connection Establishment
– Segmentation & Sequencing
– Acknowledgement
– Flow Control or Windowing
• Guaranteed Or Reliable Data Delivery
– Acknowledgment of Packet Receipt
– Retransmission Occurs if Packet Not Received
• High Overhead
• Requires Establishment of a “Session”
• TCP Windowing Feature
– Dynamic Window Sizing
– “Slow-Start”
TCP 3-Way Handshake (figure)
Host 1 → Host 2: SYN – Host 1 Initiates the Connection to Host 2 by Sending a Synchronize Message
Host 2 → Host 1: SYN + ACK – Host 2 Responds With an Acknowledgement Plus Sends Its Own Synchronization Message to Host 1
Host 1 → Host 2: ACK – Host 1 Completes the 3-Way Handshake By Sending an Acknowledgement to Host 2
The TCP Session Summary (figure: the exchange over Time across the Network, with each host’s state)
Host 1: Connection Closed → SYN Sent (sends SYN) → Connection Established (receives SYN + ACK, sends ACK)
Host 2: Listen → SYN Received (receives SYN, sends SYN + ACK) → Connection Established (receives ACK)
Data Segment 1, Data Segment 2, Data Segment 3 – each answered with an ACK
Close: FIN Wait 1 (sends FIN) → FIN Wait 2 (receives ACK) → Connection Closed (receives FIN, sends ACK); the other host: CLOSE Wait (receives FIN, sends ACK) → Last ACK (sends FIN) → Connection Closed (receives ACK)
UDP Basics – User Datagram Protocol – RFC 768
• “Connectionless” Protocol
• Simple or Lightweight, but Inherently Unreliable
• “Best Effort” Data Delivery
• Low Overhead, Thus Low Latency
• Why Use?
– Required for Real-Time Applications:
• VOIP or “Video Over IP” or “Voice Over IP”
• AOIP or “Audio Over IP”
– Latency More Detrimental Than Data Loss
UDP Session (figure: over Time across the Network, TCP – SYN, SYN + ACK, ACK – is Used to Establish the UDP Session, then Data, Data, Data flows with no acknowledgements)
TCP vs UDP
TCP                                   UDP
• Connection Oriented                 • Connectionless
• Guaranteed Delivery                 • Not Guaranteed
• Acknowledgments Sent                • No Acknowledgements
• Reliable, But Higher Latency        • Unreliable, But Low Latency
• Segments & Sequences Data           • No Sequencing
• Resends Dropped Segments            • No Retransmission
• Provides Flow Control               • No Flow Control
• Performs CRC                        • Performs CRC
• Uses Port Numbers for Multiplexing  • Uses Port Numbers for Multiplexing
Building & Securing a Segmented IP Network Infrastructure
Hubs, Switches, & Routers
• Hub – Layer 1 Device
– Acts as a Repeater – All Incoming Frames Forwarded Out Every Other Port
– Half-Duplex Based – CSMA/CD Algorithm Controlled
– No Intelligence – Collision & Broadcast Domain Across All Ports
• Switch – Layer 2 Device – Originally Called “Forwarding”, Then “Bridging”, Now Called “Switching”
– Full Duplex Based
– Intelligence Based – Selectively Forwards Frame to a Port
– Each Port is a Collision Domain (assuming one device per port)
– Each Switch is Within a Broadcast Domain
• Router – Layer 3 Device
– Forwards Packets Between Different Networks
– Creates Broadcast Domains
– Each Interface is a Broadcast Domain
Design Considerations?
• Design to Achieve:
– Availability
– Manageability
– Scalability
– Security
• Segment to Achieve:
– Performance
– Policy Compliance
– Regulation Compliance
– Security Compliance
Ethernet Switch Considerations
• Network Role & Location – Self-Contained – “Stackable” – Modular (chassis + cards)
• Interface Requirements – Capabilities – Range
• Interface Density
• Layer 3 Capability?
• Processor / Memory / MAC Addresses Supported / Multicast IGMP
• Backplane Fabric Throughput / Forwarding Rate (Gbps)
• Redundancy (power, processor, interfaces)
• PoE Requirements / Switch Capacity (48 V DC nominal):
– 802.3af (15 W) “Class 3” – 802.3at (25 W) “PoE+”
Router Considerations
• Network Role & Location – Self-Contained – Modular (chassis + cards)
• Interface Requirements – Capabilities (LAN/WAN)
• Processor / Memory / Route Capacity
• Fabric/Backplane Throughput (packets per second “PPS”)
• Redundancy (power, processor, interfaces)
• Required Feature Set:
– Security / IDS – QoS – MPLS – VOIP – NetFlow
The “Legacy” Flat Network (figure: 165.95.240.128 /25 – 165.95.240.128 with mask 255.255.255.128 – A Single Broadcast Domain)
The Hierarchical Network (figure: the same 165.95.240.128 /25 block, Organized By: Policy, Regulation, Security, Performance)
(figure: ISP – router with interfaces S0, S1, and FE 0 – switch with FE 0, FE 1, FE 2, FE3 – VLAN 1 Sales 35 Hosts, VLAN 2 Engineering 17 Hosts, VLAN 3 Production 27 Hosts on switches S0, S1, S2)
Network: 165.95.240.128
Broadcast: 165.95.240.255
Useable Range (126 hosts): 165.95.240.129 – 254
(figure: the /25 carved into three blocks of 64, 32, and 32 addresses)
VLAN 1 – 165.95.240.128 /26
Subnet Number: 165.95.240.128
Subnet Mask: 255.255.255.192
First IP Address: 165.95.240.129
Last IP Address: 165.95.240.190
Broadcast IP Address: 165.95.240.191
VLAN 3 – 165.95.240.192 /27
Subnet Number: 165.95.240.192
Subnet Mask: 255.255.255.224
First IP Address: 165.95.240.193
Last IP Address: 165.95.240.222
Broadcast IP Address: 165.95.240.223
VLAN 2 – 165.95.240.224 /27
Subnet Number: 165.95.240.224
Subnet Mask: 255.255.255.224
First IP Address: 165.95.240.225
Last IP Address: 165.95.240.254
Broadcast IP Address: 165.95.240.255
http://linustechtips.com/main/topic/120947-unofficial-ltt-subnetting-guide/
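The three-subnet split above, as an added Python example (not from the presentation) that generalizes it: a VLSM allocator carving any block into subnets sized for each group's host count, largest first so each subnet lands on its natural boundary. The block 165.95.240.128/25 and the Sales / Engineering / Production host counts are the slide's; the allocation order rule is the example's own.

```python
# Added example (not from the presentation): VLSM allocation of one block into
# right-sized subnets. Block and host counts below are the slide's values.
import ipaddress
import math


def prefix_for_hosts(hosts):
    """Smallest block holding `hosts` addresses plus the network and broadcast addresses."""
    if hosts < 1:
        raise ValueError("a subnet needs at least one host")
    return 32 - math.ceil(math.log2(hosts + 2))


def vlsm_allocate(block, demands):
    """Carve `block` (e.g. '165.95.240.128/25') into one subnet per (name, hosts)
    demand. Allocating largest first keeps every subnet aligned to its own size,
    so no space is wasted on alignment gaps."""
    parent = ipaddress.ip_network(block)
    cursor = int(parent.network_address)
    plan = []
    for name, hosts in sorted(demands, key=lambda d: -d[1]):
        prefix = prefix_for_hosts(hosts)
        net = ipaddress.ip_network(f"{ipaddress.ip_address(cursor)}/{prefix}", strict=False)
        # strict=False lets us detect a misaligned start instead of raising inside ipaddress
        if int(net.network_address) != cursor or net.broadcast_address > parent.broadcast_address:
            raise ValueError(f"out of address space allocating {name} ({hosts} hosts)")
        plan.append({
            "name": name,
            "hosts": hosts,
            "subnet": str(net),
            "mask": str(net.netmask),
            "first": str(net.network_address + 1),
            "last": str(net.broadcast_address - 1),
            "broadcast": str(net.broadcast_address),
            "usable": net.num_addresses - 2,
        })
        cursor += net.num_addresses
    return plan


def slide_plan():
    """The slide's three VLANs carved out of 165.95.240.128/25."""
    return vlsm_allocate("165.95.240.128/25",
                         [("Sales", 35), ("Engineering", 17), ("Production", 27)])
```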
IT Infrastructure Threats
• Viruses
• Worms
• Trojan Horse
• Spyware & Adware
• Botnets – “Zombie Computer”
• Operating Systems
• File System / Media
• Application:
– Web Services
– Email Services
– P2P
• Wireless / Mobile Environment
• Social Engineering
• And the list goes on & on…
Network Infrastructure Threats
• Denial of Service “DoS”
• Spoofing
• Hijacking
• Authentication Bypass or “Back Door” Access
• Physical Access
• And the list goes on & on…
Common Policy Terminology
• Asset – Any object of value
• Vulnerability – A system weakness to be exploited
• Threat - Possible danger to a system or its information
• Risk – The feasibility that a vulnerability might be exploited
• Exploit - An attack directed at a vulnerability
• Countermeasure - An action or mitigation of a risk
Common Policy Attributes
• What Does a Security Policy Define?
– Company Objectives
– System Requirements
– User Rules & Regulations
• Who is the Security Policy Audience?
– “Anyone” Who Has Network Access!
Security Policy Lifecycle
Diagram of the lifecycle stages, arranged as a cycle: Planning, Policy Creation, Policy Implementation & Enforcement, Management & Monitoring, Detection, Threat Analysis, and Assessment.
Attributes of a Secure Network
• Layered Approach (“Defense in Depth” NOTE 1) – Different Security Controls Within Different Groups
• Security Domains – Segmentation of Network Into Areas or Groups
• Privileges – Restrict to “Need-To-Access”
– “Deny by Default”
• Access – Restrict by Firewalls, Proxies, etc.
• Logging – Accountability, Monitoring, & Activity Tracking
NOTE 1 – Cisco Security Terminology
Goals of Data Security
• Provides Confidentiality – Maintain Privacy – Prevent Use by Those Unauthorized
• Provides Authentication – Verify That Users Are Who They Say They Are
• Maintains Data Integrity – Data Has Not Changed
Diagram: Send Host → Network → Receive Host, carrying DATA.
Network Security Tools
• Firewall – Used to Create a “Trusted” Network Segment by Permitting or Denying Network Packets
– Types of Firewalls:
• Stateless Packet Filtering – Single Packet Inspection
• Stateful Packet Filtering – Flow or Conversation Inspection
• Detection Tools (Not Within Today’s Scope)
– Intrusion Detection Systems (IDS)
• Signature Based
• Anomaly Based
– Intrusion Prevention Systems (IPS)
• Combine Firewall & IDS Functions
Firewalls
• Determines What IP Traffic Can Enter or Exit a Network Based Upon Pre-Defined Rules
• Firewall Types:
• Stateless Packet Filtering – Single Packet Inspection
– Access Control List “ACL” – Ingress or Egress Filtering
– No knowledge of flow
– Filters on IP Header info – Layers 1-3
• Stateful Packet Filtering – Flow or Conversation Inspection
– Filters on IP Header info – Layers 1-4
– Records conversations – then determines context:
» New Connections
» An Existing Conversation
» Not involved in any conversation
Firewall Types:
Diagram: Packet Filtering – “Stateless” (left) versus Packet Filtering – “Stateful” (right). In the stateless case an HTTP Request goes out to the Internet but the HTTP Reply coming back is Blocked (X), since no single-packet rule admits it; in the stateful case the HTTP Reply is admitted as part of the recorded conversation, while an unsolicited inbound Telnet Session is Blocked (X).
Filtering Parameters: IP Source Address, IP Destination Address, Protocol (TCP Traffic, UDP Traffic), Port Number
“Stateless” Firewall
• In Addition to TCP/IP Header Checks, A Stateless Firewall Can Detect Packet Anomalies:
– IP Packet Header Makeup
– IP Addressing Non-Compliance
– IP Fragmentation Errors
– TCP Flow Sequencing
– UDP Flow Sequencing
– Anomalies Associated with Packet Flows:
• SYN-ACK Sequence Not Compliant
• ICMP Errors
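As an added example (not from the presentation), the following Python script runs the diagram’s three packets (an outbound HTTP request, its reply, and an unsolicited inbound Telnet attempt) through a stateless single-packet filter and a stateful conversation-tracking filter; the inside host 192.168.10.10 is from the slides, while the outside addresses in the 203.0.113.0/24 documentation range and the port numbers are constructed.

```python
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = inside host toward the Internet, "in" = the reverse
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int

def stateless_filter(pkt: Packet) -> bool:
    """Single-packet inspection: only the Layer 3/4 header fields of this one
    packet are visible. With a policy of "inside may start TCP sessions,
    nothing is permitted from outside", the HTTP reply is dropped as well,
    which is what the slide's left-hand diagram shows."""
    return pkt.direction == "out" and pkt.proto == "tcp"

class StatefulFilter:
    """Flow (conversation) inspection: every permitted outbound packet opens
    or continues a conversation, and an inbound packet is admitted only if
    it belongs to one of them."""
    def __init__(self) -> None:
        # keyed as (inside ip, inside port, outside ip, outside port)
        self.conversations = set()

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.conversations:
                return "permit: existing conversation"
            self.conversations.add(key)
            return "permit: new connection"
        # inbound: look the packet up from the inside host's point of view
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.conversations:
            return "permit: existing conversation"
        return "deny: not part of any conversation"

# Constructed sample traffic (203.0.113.0/24 is a documentation range):
# an inside host opens an HTTP session, the server replies, then an
# outside host tries to open Telnet to the inside host.
SAMPLE: List[Packet] = [
    Packet("out", "tcp", "192.168.10.10", 51000, "203.0.113.80", 80),
    Packet("in",  "tcp", "203.0.113.80", 80, "192.168.10.10", 51000),
    Packet("in",  "tcp", "203.0.113.99", 40000, "192.168.10.10", 23),
]

def run_stateless(packets: List[Packet]) -> List[bool]:
    return [stateless_filter(p) for p in packets]

def run_stateful(packets: List[Packet]) -> List[str]:
    fw = StatefulFilter()
    return [fw.filter(p) for p in packets]

if __name__ == "__main__":
    for p, a, b in zip(SAMPLE, run_stateless(SAMPLE), run_stateful(SAMPLE)):
        verdict = "permit" if a else "deny"
        print(f"{p.direction:3} {p.proto} dport={p.dport:<5} stateless={verdict:6} stateful={b}")
```

The stateful verdicts are exactly the three contexts the slide lists (new connection, existing conversation, not involved in any conversation); the stateless filter cannot tell the legitimate reply from the Telnet probe because it never sees the request.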
Firewall Implementation
Diagram: Internet (Outside) – “Stateful” Firewall – Internal Network(s), with a Demilitarized Zone “DMZ” hanging off the firewall that holds the Web Server and a (mail) Server. Policy labels in the diagram: Outside to DMZ – HTTP & SMTP / POP Only Allowed; Outside to Internal – All Blocked, Return Session Only Allowed; Internal to Outside and Internal to DMZ – All Allowed. “Stateful” Firewall Functionality May Be Implemented in the “Border” Router.
The “ACL” Rules:
• Simply a “Set of Rules” That Provides a “Permit” or “Deny” Based Upon:
– Layer 3 IP Address
– Layer 4 Port Number
• An ACL is:
– A Table (with explicit DENY)
– Applied to a Specific Router Interface
The “ACL” Rules continued…..
• Standard Access List – Can Only Permit or Deny The Source Host IP Address
– Placed Closest to Destination Host
• Extended Access List – Can Permit or Deny Based Upon:
• Source IP Address
• Destination IP Address
• TCP Port #
• UDP Port #
• TCP/IP Protocol
– Placed Closest to Source Network
Standard IP List Example #1: Prevent Host 192.168.30.30 from Accessing Host 192.168.10.10
Diagram: Router 1 (E0 192.168.10.1 /24, E1 192.168.20.1 /24) – Router 2 (192.168.20.254 /24, 192.168.30.1 /24); host 192.168.10.10 /24 sits on Router 1’s E0 side, hosts 192.168.30.20 /24 and 192.168.30.30 /24 sit behind Router 2.
Create Access List on Router 1:
access-list 101 deny 192.168.30.30 0.0.0.0
access-list 101 permit any
Apply Access List to Interface:
interface E1
ip access-group 101 in
Configuration Disclaimer:
Exact configuration commands may vary based upon specific equipment models and software version.
Generic “Cisco” commands utilized for illustration purposes.
A “Practical” ACL Example: Block External Users From “Pinging” Inside Hosts
Diagram: Router 1 with interfaces E0 and E1 between The “Internet” and the inside LAN 192.168.10.1 /24 (hosts 192.168.10.2 /24 and 192.168.10.6 /24).
Create Access List on Router 1:
access-list 101 deny icmp any any
access-list 101 permit ip any any
Apply Access List to Interface:
interface E1
ip access-group 101 in
Configuration Disclaimer:
Exact configuration commands may vary based upon specific equipment models and software version.
Generic “Cisco” commands utilized for illustration purposes.
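The following added Python example (not from the presentation, and not a Cisco tool) parses the generic access-list lines of the two slides above and evaluates sample packets against them with first-match and implicit-deny semantics, so the effect of the wildcard mask 0.0.0.0 and of `permit any` can be checked; the outside address 203.0.113.7 and the `host` keyword support are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

PROTOCOLS = {"ip", "icmp", "tcp", "udp"}

@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def _address(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address spec starting at tokens[i]: 'any', 'host A.B.C.D'
    or 'A.B.C.D WILDCARD'. A wildcard mask is the bitwise inverse of a
    subnet mask (0.0.0.0 = this one host, 255.255.255.255 = any host);
    only contiguous wildcards are supported here."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network((tokens[i], str(netmask)), strict=False), i + 2

def parse_acl(config: List[str], number: str) -> List[Entry]:
    """Collect the entries of access list `number`, in configured order."""
    entries = []
    for line in config:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[1] != number:
            continue
        action = t[2]
        if t[3] in PROTOCOLS:            # extended form: proto src dst
            proto = t[3]
            src, i = _address(t, 4)
            dst, _ = _address(t, i)
        else:                            # standard form: source only
            proto = "ip"
            src, _ = _address(t, 3)
            dst = ipaddress.ip_network("0.0.0.0/0")
        entries.append(Entry(action, proto, src, dst))
    return entries

def evaluate(entries: List[Entry], proto: str, src: str, dst: str) -> str:
    """First matching entry wins; a packet that matches no entry is
    dropped by the implicit deny at the end of every list."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in entries:
        if e.proto in ("ip", proto) and s in e.src and d in e.dst:
            return e.action
    return "deny"

# The two slides' lists, as written in the presentation (generic Cisco syntax).
EXAMPLE_1 = ["access-list 101 deny 192.168.30.30 0.0.0.0",
             "access-list 101 permit any"]
EXAMPLE_2 = ["access-list 101 deny icmp any any",
             "access-list 101 permit ip any any"]

if __name__ == "__main__":
    acl = parse_acl(EXAMPLE_1, "101")
    print(evaluate(acl, "tcp", "192.168.30.30", "192.168.10.10"))  # deny
    print(evaluate(acl, "tcp", "192.168.30.20", "192.168.10.10"))  # permit
    acl = parse_acl(EXAMPLE_2, "101")
    print(evaluate(acl, "icmp", "203.0.113.7", "192.168.10.2"))    # deny
    print(evaluate(acl, "tcp", "203.0.113.7", "192.168.10.2"))     # permit
```

Swapping the order of the two lines in either list changes the outcome, which is why entry order, not just entry content, is part of the review of any ACL.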
Switch Port Security Actions
• Port Security Options:
– Specific MAC Address/Port
– Limits on Learned MACs
– “Sticky” MAC Learning
• Port Security Violations:
– Discards Frame if Disallowed
– Discards Frame if Disallowed and Sends Notification
– Shutdown
Conceptual VPN
Diagram: Router 1 (192.168.10.1 /24 on the inside, 192.168.20.1 /24 toward the public network) and Router 2 (192.168.20.254 /24 toward the public network, 192.168.30.1 /24 on the inside); host 192.168.10.10 /24 talks to host 192.168.30.20 /24. The original IP Packet (Source: 192.168.10.10, Destination: 192.168.30.20) is encrypted and carried across the Public Network inside a new IP Packet consisting of a New Header (Source: 192.168.20.1, Destination: 192.168.20.254), a VPN Header, and the Encrypted Packet as payload.
VPN Implementation “Virtual Private Network”
Diagram: Internet (Outside) – Internal Network(s), with a Demilitarized Zone “DMZ” holding the Web Server and a Server, Application Servers on the internal side, and a VPN Concentrator / VPN Access Appliance at the Corporate Office terminating tunnels from a Remote Office and from a Remote User (VPN Client).
A VPN is NOT a VLAN – The Essence of a VPN is a Tunnel Through a Network Infrastructure
Diagram: Corporate Network Space at each end, joined by a Layer 2 ENCRYPTED Tunnel that crosses Public Network Space (ISP “A”, the Public Internet, ISP “B”).
Do Not Confuse VLANs and VPNs
Bonus Topic: IPv6
IPv6 Address Space – IETF RFC 2460
IPv6 Provides Expanded IP Address Space: 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 (three hundred forty UNDECILLION addresses), about 3.4 x 10^38
• But, IPv6 is More Than Expanded Address Space:
– An Opportunity to Re-Engineer IPv4
• Improved Support for Multicasting, Security, & Mobile Apps
• Multiple Addresses per Interface
• Host Auto-Configuration Capability
• Security Incorporated
• MTU Discovery Incorporated
• Traffic Engineering Provisions Incorporated
The IPv6 Address
128-Bit Address Binary Format:
00100110000001111011100000000000000011111010101000000000000000110010000110010101100110001000011110111100010010000010100011110001
Subdivide Into Eight (8) 16-bit Groups:
0010011000000111 1011100000000000 0000111110101010 0000000000000011 0010000110010101 1001100010000111 1011110001001000 0010100011110001
Convert Each 16-bit Group to Hexadecimal (separate with a colon):
2607:b800:0faa:0003:2195:9887:bc48:28f1, or with leading zeros dropped: 2607:b800:faa:3:2195:9887:bc48:28f1
Address Summarization
128-Bit Address Represented as 32 Hexadecimal Digits Subdivided Into Eight Groups (Chunks, Quads, Quartets) of Four Hexadecimal Digits (separated by colons)
2001:0000:0000:0000:0DB8:8000:200C:417A or
2001:0:0:0:DB8:8000:200C:417A or
2001::DB8:8000:200C:417A
Routed vs Host Portion
• Every IPv6 Address is Divided Into:
– Routed Portion
– Host Portion
• The Block Size To-Be-Routed Is Specified by the Mask
• The Host Portion is the Interface Identifier
EXAMPLE: Global Unicast Address Format (Aggregatable & Routable), 128 bits:
0x001 format prefix (3 bits) | IANA Allocated Global Routing Prefix (45 bits) | SLA (Subnet ID) (16 bits) | Interface ID (64 bits)
Provider = the first 48 bits; Site = the 16-bit Subnet ID; Network Portion = the first 64 bits; Host Portion = the 64-bit Interface ID
IPv6 Address Mask
• Every IPv6 Address is Divided Into Routed Portion & Host Portion
• Mask Specifies the Block Size To-Be-Routed
(Same Global Unicast Address Format diagram as above.)
Diagram: how the address splits under each scheme –
– IPv4 Classful Addressing: Network | Subnet | Host (Classful Network + Subnet, then Host)
– IPv4 Classless Addressing: Prefix | Host, split at the Prefix Length
– IPv6 Addressing: Prefix | Host (Interface ID), split at the Prefix Length
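An added Python example (not from the presentation) that carries the slide’s binary-to-hexadecimal conversion and the “::” summarization through in code, and cuts an address at a prefix length to separate the routed prefix from the Interface ID; output is lowercase as RFC 5952 prescribes, where the slides show uppercase.

```python
from typing import List, Tuple

def hextets_from_binary(bits: str) -> List[str]:
    """Split a 128-digit binary string into eight 16-bit groups and render
    each as four hex digits (the slide's uncompressed form)."""
    bits = bits.replace(" ", "")
    if len(bits) != 128 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 128 binary digits")
    return [f"{int(bits[i:i + 16], 2):04x}" for i in range(0, 128, 16)]

def compress(hextets: List[str]) -> str:
    """Text form per RFC 5952: strip leading zeros from every group, then
    replace the longest run of two or more all-zero groups with '::'
    (the first such run on a tie); a single zero group is never shortened."""
    groups = [h.lower().lstrip("0") or "0" for h in hextets]
    best_start, best_len, run_start = -1, 0, None
    for i, g in enumerate(groups + ["end"]):       # sentinel closes a final run
        if g == "0":
            run_start = i if run_start is None else run_start
        elif run_start is not None:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    if best_len < 2:
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"

def expand(text: str) -> List[str]:
    """Inverse of compress(): back to eight four-digit groups."""
    if "::" in text:
        left, right = text.split("::")
        l = left.split(":") if left else []
        r = right.split(":") if right else []
        groups = l + ["0"] * (8 - len(l) - len(r)) + r
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError(f"not a valid IPv6 address: {text}")
    return [f"{int(g, 16):04x}" for g in groups]

def split_prefix(text: str, prefix_len: int) -> Tuple[str, str]:
    """Routed portion and host portion (Interface ID) as binary strings,
    cut at the prefix length, the IPv6 counterpart of the IPv4 mask."""
    bits = "".join(f"{int(h, 16):016b}" for h in expand(text))
    return bits[:prefix_len], bits[prefix_len:]

# The slide's worked address, as eight binary groups (spaces are ignored).
SLIDE_BINARY = ("0010011000000111 1011100000000000 0000111110101010 0000000000000011 "
                "0010000110010101 1001100010000111 1011110001001000 0010100011110001")

if __name__ == "__main__":
    hx = hextets_from_binary(SLIDE_BINARY)
    print(":".join(hx), "->", compress(hx))
    print(compress(expand("2001:0000:0000:0000:0DB8:8000:200C:417A")))
    prefix, host = split_prefix("2001::DB8:8000:200C:417A", 64)
    print(f"prefix bits: {len(prefix)}, interface id: {int(host, 2):016x}")
```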
What Happened to Version 5 or IPv5 of the Internet Protocol?
“IPv5 Simply Does Not Exist!” “Version 5 was intentionally skipped to avoid confusion, or at least to rectify it. The problem with version 5 relates to an experimental TCP/IP protocol called the Internet Stream Protocol, Version 2, originally defined in RFC 1190. This protocol was originally seen by some as being a peer of IP at the Internet Layer in the TCP/IP architecture and these packets were assigned IP version 5 to differentiate them from “normal” IPv4 packets. This protocol never went anywhere, but to be absolutely sure that there would be no confusion, version 5 was skipped over in favor of version 6.”
IPv4 and IPv6
IPv4 – Developed: 1973-1977; Deployed: 1981; 2^32 or 4.3 Billion Addresses (“More Than Anyone Could Possibly Use”); Address Based Assignment Unit /32
IPv6 – Developed: mid 1990’s; Deployed: 1999; 2^128 or 340 Undecillion Addresses (“More Than Anyone Could Possibly Use”); Network Based Assignment Unit /64
Vinton Cerf, “One of the Fathers of the Internet”:
"Who the hell knew how much address space we needed for an experiment?" “The experiment has not ended”
“Vint” Cerf comments on his & colleagues’ 1977 decision to use 32-bit IP Numbers
An IPv6 Address You Can Remember
The IPv6 Loopback Address
::1 Summarized from: 0000:0000:0000:0000:0000:0000:0000:0001
Takeaways – Questions – Maybe Some Answers
Diagram: end-to-end data flow through the OSI layers. The sending and receiving hosts implement all seven layers (Application, Presentation, Session, Transport, Network, Data Link, Physical); each intermediate Layer 2 Device handles only the Physical and Data Link layers, and the Layer 3 Device handles Physical, Data Link, and Network.
Takeaway Points
• Hierarchical or Segmented Networks Are Desirable!
• Network Traffic May Be Isolated Because of:
– Policy
– Regulations
– Security
– Performance
• VLANs Allow a Common Physical Infrastructure to Support Multiple Isolated Networks
• Each VLAN is an Isolated Network or Subnet and is a Broadcast Domain With a Unique IP Address Scheme
• Physical Addressing Provided by Layer 2 MAC Address
• Ethernet Switches Eliminate or Minimize Collision Domains
• Virtual Addressing Provided by Layer 3 IP Address
• IP Routers Create Broadcast Domains
• An IP Address Has 2 Parts: Network Address & Host Address
• The IP Address Mask Determines the Network Address | Host Address Separation
• Remember Block Sizes When Addressing – The Power of 2^n
Don’t Forget Security!
• Ensure User Switch Ports Are Set as “Access or Non-Trunking”
• Disable Any Un-Used Switch Ports
• Place Unused Ports in a Non-Used “Black Hole” VLAN
• Never Use VLAN 1
• Create a Secure Management Environment:
– SSH Access (Secure Shell)
– OOB Access (Out of Band)
– Use ACLs (Access Control Lists)
• Change Default Logins
• Disable Services Not Required
• Understand & Know Your Network Baseline
• Utilize Switch Port Security
Knowledge & Expertise
Source: Simon Wardley (2008)
http://blog.gardeviance.org/2008/04/three-stages-of-expertise.html
My Favorite Reference Sources:
• IEEE Ethernet References: http://standards.ieee.org/about/get/
• IETF Resources: http://www.ietf.org/
• RFC References: www.rfc-editor.org/rfc.html
• MAC OUI Look-Up: https://www.wireshark.org/tools/oui-lookup.html
• IPv4 Address Block Size: http://packetlife.net/media/library/15/IPv4_Subnetting.pdf
• Cisco Oriented Guides: http://routeralley.com/guides.html
• Subnetting Chart: http://linustechtips.com/main/topic/120947-unofficial-ltt-subnetting-guide/
• On-Line Subnet Calculator: http://www.subnet-calculator.com/
• The “Mask” iOS Subnet Calculator: http://www.cylineapro.com/cylsoft-portfolio/the-mask-ipv4-ipv6-calculator
My Favorite Reference Texts:
The Real-World OSI Model – RFC 2321 “The Reliable Internet Troubleshooting Agent”
ID10T Errors
Thank You for Attending! Wayne M. Pecena, Texas A&M University, [email protected], 979.845.5662
? Questions ?
Download This Presentation:
CBNE Study Topics
Layer 5 (Session) & Port Numbers – RFC 1700
• Applications Are Indexed by a “Port Number”
• Each Application Has a Port Number – Differentiates Multiple Applications
• Port Numbers Range Between 0 – 65,535
– 0–1,023 Are Considered Reserved or “Well Known”
– 1,024–49,151 Can Be Registered
– 49,152–65,535 Are Considered Dynamic or Private
• TCP & UDP Port Numbers Are Independent – But, Some Are the Same, e.g. “DNS”
http://www.iana.org/assignments/port-numbers
Examples: “Well Known” System Port Numbers
Port 20 / 21 – FTP “File Transfer Protocol”
Port 23 – TELNET
Port 53 – DNS “Domain Name Service”
Port 80 – HTTP
Port 110 – POP3 “Post Office Protocol”
Port 123 – NTP “Network Time Protocol”
Port 161 – SNMP “Simple Network Management Protocol”
Port 443 – HTTPS
Cable Category Types
Category   Maximum Speed   Application
1          1 Mbps          Voice (not for Ethernet)
3          10 Mbps         Ethernet 10BaseT
5          100 Mbps        Ethernet 100BaseT
5e         1 Gbps          Ethernet 1000BaseT
6          10 Gbps         Ethernet 10GbE
6a         10 Gbps         Ethernet 10GbE
For More Information: http://www.lanshack.com/cat5e-tutorial.aspx/
Ethernet Cable Wiring - Straight
Ethernet Cable Wiring - Cross
Ethernet Cable Types
Diagram: Router 1, Router 2, and Router 3 linked through their Ethernet 0 / Ethernet 1 / Ethernet 3 ports. Cable Type Legend: Straight-Through (an EIA/TIA-568B to EIA/TIA-568B cable, used between an MDI port and an MDIX port) and Cross-Over (an EIA/TIA-568A to EIA/TIA-568B cable, used between two MDI ports such as router to router).
Straight-Through Cable (DTE Device to DCE Device): pins 1, 2, 3, 6 are wired straight across, so the DTE’s TX pair (pins 1, 2) arrives on the DCE’s RX and the DCE’s TX (pins 3, 6) arrives on the DTE’s RX.
Cross-Over Cable (DCE Device to DCE Device): pins 1, 2 at one end are crossed to pins 3, 6 at the other, so TX meets RX on both sides.
Typical Cable Selection (non auto-MDIX devices): Switch and Hub ports are MDI-X, Router ports are MDI; MDI to MDI-X (router to switch, router to hub) uses a Straight-Through Cable, while like to like (switch to switch, switch to hub, router to router) uses a Cross-Over Cable.
Ethernet Physical Standards
IEEE Standard   Physical Standard   Cable Type          Speed      Maximum Length
802.3a          10-Base-2           Coax (thin-net)     10 Mbps    185m
802.3           10-Base-5           Coax (thick-net)    10 Mbps    500m
802.3i          10-Base-T           Twisted Pair        10 Mbps    100m
802.3u          100-Base-TX         Twisted Pair        100 Mbps   100m
802.3u          100-Base-T4         Twisted Pair        100 Mbps   100m
802.3u          100-Base-FX         MM Fiber            100 Mbps   400-2000m
802.3u          100-Base-SX         MM Fiber            100 Mbps   500m
802.3ab         1000-Base-T         Twisted Pair        1 Gbps     100m
802.3z          1000-Base-SX        MM Fiber            1 Gbps     500m
802.3z          1000-Base-LX        MM Fiber            1 Gbps     500m
802.3z          1000-Base-LX        SM Fiber            1 Gbps     Several Km
802.3an         10G-Base-T          Twisted Pair        10 Gbps    100m
802.3ae         10G-Base-SR         MM Fiber            10 Gbps    300m
802.3ae         10G-Base-LR         SM Fiber            10 Gbps    Several Km
and 20 Gigabit, 40 Gigabit, & 100 Gigabit Ethernet are emerging ……
Fiber Optic Connector Types
WAN Technology
• Generally Categorized as Dedicated, Circuit Switched, or Packet Switched:
• Dedicated
– T-Carrier (data)
– Optical Carrier
• Circuit Switched
– ISDN – BRI
– ISDN – PRI
– T-Carrier (voice)
• Packet Switched
– X.25
– Frame Relay
– ATM
– ADSL / HDSL
– Metro Ethernet Offerings
WAN Link Types
Line Type    Signaling Type   Bit Rate
64           DS0              64 kbps
T1 or DS1    DS1              1.544 Mbps
T3 or DS3    DS3              44.735 Mbps
SONET OC     SONET STS        Bit Rate
OC-1         STS-1            52 Mbps
OC-3         STS-3            155 Mbps
OC-12        STS-12           622 Mbps
OC-48        STS-48           2400 Mbps
OC-96        STS-96           5000 Mbps
DS1 Configuration
• DS1 or T1 Types:
– Channelized (voice)
– PRI (ISDN) (voice or data)
– Clear Channel (data)
• Encoding
– AMI (voice)
– B8ZS (data)
• Framing
– D4 Super Frame (voice)
– Extended Super Frame (data)
• Timing – Must specify source
WAN Component Example: Point – Point T-1 or DS-1
Diagram: Router 1 (Ethernet 1 on the LAN side, Serial 1 on the WAN side) – CSU/DSU – DS-1 WAN – CSU/DSU – Router 2 (Serial 1, Ethernet 1). Possible Interfaces That Might Be Found.
WAN Component Example: Integrated Services Digital Network
• ISDN - Integrated Services Digital Network
– ISDN – BRI: 2 “B Channels” + “D Channel”
– ISDN – PRI: 23 “B Channels” + “D Channel”
• “B” Channel – Bearer Channel – 64k
• “D” Channel – Signaling Channel – 16k / 64k
ISDN Reference Devices
• TE1 – Terminal Equipment Type 1 – ISDN Telephone Set or Computer Device
• TE2 – Terminal Equipment Type 2 – POTS Deskset
• TA – Terminal Adapter – Interfaces analog devices
• NT1 – Network Termination Type 1 – TELCO termination Point (Home)
• NT2 – Network Termination Type 2 – TELCO termination Point (PBX)
• LT – Line Termination
• ET – Exchange Termination
Diagram: the reference devices from the customer equipment through to the Telco Central Office.
Frame Relay Basics
• Standardized Packet Switched Network Technology
• Physical & Data Link Layer Based
• Local and Nationwide Scope Reach
• Frame Relay Switches Create Virtual Circuits Between Customer Endpoints
• Permanent Virtual Circuit (PVC) Provided to Customer
• Delivered via Leased Line Facilities – Often Fractional T1 (< 1.5 Mbps) – 56 kbps or 64 kbps increments
• Data Link Connection Identifier – DLCI:
– Identifies the Virtual Connection
– Physical Link Can Accommodate Multiple DLCIs
– Unique Only To The Endpoint
• Committed Information Rate – CIR
• Extended Information Rate – EIR
Frame Relay Architecture
Diagram: three Premise Frame Relay Routers (DLCI 100, DLCI 200, DLCI 300) attached to the TELCO Frame Relay Network (the “Frame Relay Cloud”), whose Frame Relay Switches create the PVCs between customer endpoints; Local or Nationwide Scope.
Wireless Fidelity Networking
• 802.11 Standards
– 802.11 2.4 GHz 2 Mbps (maximum)
– 802.11b 2.4 GHz 11 Mbps
– 802.11a 5 GHz 54 Mbps
– 802.11g 2.4 GHz 54 Mbps
– 802.11n 2.4 GHz “MIMO” 300 Mbps
– 802.11ac 2.4 / 5 GHz 450 / 1300 Mbps
• Frequency Bands (ISM):
– 2.4 GHz: 2.4–2.497 GHz
– 5 GHz: 5.15–5.875 GHz
IEEE 802.11 Wi-Fi
              802.11           802.11a   802.11b   802.11g     802.11n
Standardized  1997             1999      1999      2003        2010
Frequency     2.4 GHz          5 GHz     2.4 GHz   2.4 GHz     2.4/5 GHz
Channels      21               21        11        11          32
Modulation    IR, FHSS, DSSS   OFDM      DSSS      DSSS/OFDM   OFDM
Mbps          1, 2             54        11        54          300
Modulation Legend:
IR – Infrared Radiation
FHSS – Frequency Hopping Spread Spectrum
DSSS – Direct Sequence Spread Spectrum
OFDM – Orthogonal Frequency Division Multiplexing
2.4 GHz Channels
5 GHz Channels
Wireless Security
• Wired Equivalent Privacy – WEP
• Wi-Fi Protected Access – WPA
• Wi-Fi Protected Access 2 – WPA2 (802.11i)
• IEEE 802.1x
Wireless LAN Components
• BSA – Basic Service Area: Physical Area Covered by a BSS
• BSS – Basic Service Set: Set of Access Points That Can Communicate via Wireless
• DS – Distribution System: Wired Infrastructure That Connects BSSs to Create an ESS
• ESS – Extended Service Set: Multiple BSSs Connected by a DS to Appear as a Single BSS
• IBSS – Independent BSS: BSS With No DS Connectivity
• Ad Hoc vs Infrastructure:
– Ad Hoc – WLAN With No Central Control
– Infrastructure – WLAN Attached to A Wired Infrastructure
Diagram: an IBSS standing alone, and two BSSs joined by a DS into one ESS sharing an SSID.
SSID = Service Set Identifier (1-32 characters)
Broadcast Digital Content Management & Workflow
Diagram of the workflow stages:
– Acquisition: Record, Log, QC
– Production: Ingest, Encoder, Add Metadata, QC
– Asset Management: Catalog, Search, Archive, Store
– Distribution: Encode, Transcode, Digital Rights Mgmt, Brand, Stream, Transfer
Content Management & Workflow
• Workflow: The decisions and processes that occur in the broadcast plant from the time a Media Asset enters the system to the distribution of the Media Asset at the output of the system.
• Media Asset (SMPTE definition): Essence + Metadata + Content Rights
Wrapper Types:
Wrappers
GXF – General Exchange Format
MXF – Material Exchange Format
AAF – Advanced Authoring Format
QT – Quick Time
LXF – Leitch Exchange Format
WMF – Windows Media Format and others ……….
Diagram: a Wrapper containing Metadata and Essence.
General Server Storage
• Hard Disk Interface Types
– SCSI
– IDE
– SATA
– Fibre Channel (FC)
• RAID Basics
• NAS Fundamentals
• SAN Architecture
Hard Disk Interface Types – Data Transfer Rate (maximum)
• SCSI 160 MBps – 320 MBps
• IDE/ATA 100 MBps – 133 MBps
• SATA 150 MBps – 300 MBps
• FC 400 MBps
RAID Level Basics Redundant Array of Independent (Inexpensive) Disks
• RAID Technology:
– Striping
– Mirroring
– Parity
• Choosing a RAID Level:
– Cost
– Data Availability (protection)
– Performance (read/write)
• Levels:
– RAID 0
– RAID 1
– RAID 5
– RAID 10 (RAID 1 + 0)
– And many more……….
RAID Level Overview:
RAID Level 0 – Data Blocks Striped across the disks, No Redundancy, High Performance; 2 disks minimum; Usable Capacity = 100%
RAID Level 1 – Data Blocks Mirrored on both disks, High Redundancy, Good Performance; 2 disks minimum; Usable Capacity = 50%
RAID Level 5 – Data Blocks Striped + Parity (parity blocks distributed across the disks), Good Redundancy, Good Performance; “Most Popular Server Configuration”; 3 – 16 disks; Usable Capacity = 67 – 94%
RAID Level 10 or “1 + 0” – Data Blocks Mirrored + Striped, High Redundancy, High Performance; “Best Configuration – Mission Critical Apps”; 4 disks minimum; Usable Capacity = 50%
NAS & SAN Architecture
• Network Attached Storage NAS – Provides File System & Storage (stand alone); File Level Based – Shared Storage Over Shared Network
• Storage Area Network SAN – Provides Storage Only; Block Level Based – Shared Storage Over Dedicated Network
Diagram: NAS – a NAS Server and a File Server serving Workstation Clients over the shared LAN; SAN – File Server, Application Server, and Workstation Clients on the LAN, with the servers attached over a dedicated SAN to a RAID Subsystem and an Archive Tape Robot.
Audio & Video Digital Signal Standards
• Digital Audio
– AES3
• 32/44.1/48/96 kHz Sampling
• 16 – 24 bits
• Mono or Stereo
• Balanced 110 ohm
• Unbalanced 75 ohm
– AC3
• Compressed
• 5.1 channel based (6 channels)
• AC3 Metadata
– Dolby E
• Compressed
• 8 channel
• Bound to Video Frame
• Digital Video:
– SMPTE 259M SD-SDI 270 Mbps
– SMPTE 344M ED-SDI 540 Mbps
– SMPTE 292M HD-SDI 1.485 Gbps
– SMPTE 372M Dual Link HD-SDI 2.97 Gbps
– SMPTE 424M 3G-SDI 2.970 Gbps
CBNE Recommended Study:
SBE Networking Certifications
CBNT – Certified Broadcast Networking Technician
• This certification is designed for persons who wish to demonstrate a basic familiarity with networking hardware as utilized in business and audio/video applications in broadcast facilities.
• Exam Focus:
– Network topologies and layouts
– Common network protocols
– Wiring standards and practices
– Maintenance, troubleshooting and connectivity issues
– Challenges unique to broadcast-based networks
CBNE – Certified Broadcast Networking Engineer
• This certification is an “Advanced” level that reflects the skill and knowledge that will be required in today's world of converged IT and broadcast engineering.
• Exam Focus:
– Audio/Video over IP
– Digital Content Management
– Video Systems in an IT World
– Data Transmission Systems
– General IT Hardware
Good Luck on Your Exams!