Based on the CBT Nuggets Network+ Video Series Author: Skrpune, ProProfs.com
Table of Contents
1. Network Topologies Part 1
2. Network Topologies Part 2
3. Media Connectors & Cabling
4. Network Devices & Components Part 1
5. Network Devices & Components Part 2
6. OSI Model
7. Media Access Control
8. IP Addressing
9. Network Layer Protocols
10. TCP/IP Suite of Protocols & Services
11. TCP/UDP Protocols & Services
12. Additional Network Protocols & Services
13. WAN Technologies
14. Wireless Technologies
15. Internet Access Technologies
16. Remote Access Protocols & Services
17. Server Remote Connectivity & Configuration
18. Security Protocols
19. Authentication Protocols
20. Network Operating Systems
21. Client Workstation Connectivity
22. Firewalls & Proxy Services
23. VLANs
24. Intranets & Extranets
25. Anti-Virus Protection
26. Fault Tolerance & Disaster Recovery
27. Troubleshooting Strategies
28. Troubleshooting Utilities
29. Physical Network Troubleshooting
30. Troubleshooting in Client/Server Environments
Star Topology
o Physical Star: hub or switch at the center of the star
o Logical Star: i.e., a switch
o Used in LAN / WAN
o Shared Ethernet bus if the center is a hub; a switch acts as a dynamic bridge and maximizes bandwidth via transparent bridging
Ring Topology
o Physical Ring: physical closed loop
o FDDI = both physical & logical ring
o Token Ring = physical star, but logically a ring (the token is passed from node to node); each node must be attached to a hub/concentrator or an MSAU / MAU (multistation access unit)
Mesh Topology
o Used by Frame Relay, ATM
o Partial Mesh = mesh links only where the most redundancy or bandwidth is needed
IEEE 802.2 / LLC
- LLC = Logical Link Control
o Maps to Data Link Layer 2 of the OSI Model
- What does LLC do?
o Manages data link connections, works with the physical medium
o Addressing: reads MAC addresses
o SAPs: service access points
o Performs sequencing of data packets as they are moved around the network
o In a nutshell: provides basic networking between devices
OSI LAYERS 7 APPLICATION 6 PRESENTATION 5 SESSION 4 TRANSPORT 3 NETWORK 2 DATA LINK 1 PHYSICAL
IEEE 802.3 / ETHERNET (CSMA/CD)
- Dominant LAN Technology = ~85%!!!
- CSMA/CD = Carrier Sense Multiple Access/Collision Detection
o FIRST, before sending, polls the channel to see if another node is transmitting
o If no carrier is sensed, then it transmits
o If there is a collision (i.e., 2 signals at once), it retries the send after a (random backoff) wait period
o Puts limits on the number of machines that can access the network before collisions increase & the network gets too crowded
- Collision Domain = logical network segment where data packets can collide with each other
o NOTE: Switches create smaller collision domains than hubs & reduce congestion
- 10 Mbps Ethernet developed by DEC + Intel + Xerox (DIX)
- Half-Duplex Switching = cannot send & receive at the same time (i.e., walkie-talkie)
- Full-Duplex Switching = can send & receive; two-way transmission (i.e., telephone); no collisions on a full-duplex link, so CSMA/CD is not needed there
Ethernet Types / Speeds (using CSMA/CD)
o 10 Mbps = 10BaseT
o 100 Mbps = Fast Ethernet
o 1000 Mbps / 1 Gbps = Gigabit Ethernet
o 10000 Mbps / 10 Gbps = 10 Gigabit Ethernet
- Advantages of using Ethernet
o Easy to manage, maintain, implement
o Flexible
o Widely supported
- Terminology / Components
o DTE = Data Terminal Equipment: source or destination of data (laptop, PC, server, printer)
o DCE = Data Communication Equipment: receives & forwards frames on the LAN or to other LANs (switch, hub, router, modem)
(Figure labels only: DAC, SAS, SAS; Gigabit Ethernet; 802.3ae)
UTP
- Twisted pair cabling with no additional shielding
- Usually includes 4 pairs of wires in a common sheath
- Typically 100 Ohm
- Category 3, 4, 5, 5e, 6 (& 7) cables from the TIA/EIA 568-A standard
- 10BaseT, 100BaseTX, 100BaseT2 = 2 wire pairs; 100BaseT4, 1000BaseT = 4 wire pairs
STP
- 150 Ohm IBM cabling system for Token Ring
- Twisted pairs wrapped individually in a foil shield & with outer braided wires (further reduces crosstalk & EMI)
- Originally IBM cable types 1, 2, 6, 8, 9 supported Token Ring up to 16 MHz
- Can be used in Ethernet: 10BaseT, 100BaseTX, 100BaseT2, using special impedance-matching transformers
- Better performance BUT a lot of effort: monitoring, maintenance, $$$$$
- Newer types = STP-A: 1A, 2A, 6A, 9A support FDDI up to 100 MHz
- Type 1 is the heavy black cable associated with the IBM cabling system
Characteristics of BOTH:
- Between 1-3 twists per inch
- Two insulated copper wires twisted together = 1 pair
CONNECTORS
RJ-11: Registered Jack 11; global standard; 4 copper wires; phone/fax/modem; Cat3; historically used for LAN
RJ-45: Ethernet LANs; Cat5, Cat5e, Cat6; wider than RJ-11; up to 8 wires; typically with UTP; telephony, Token Ring, ISDN, 10BaseT, 100BaseT4
F-Type: Coax
ST: Fiber optic; straight tip (can twist on/off)
SC: Fiber optic; square tip
MTRJ: Fiber optic
FiberLC: Fiber optic; connects MMF & SMF; usually used for MMF, local LAN connections
UTP
- Cat3: 16 MHz; phone/data; patch cables at the PC, workstation, etc.; RJ-45. Used for: ISDN, T1 / 1.54 Mbps, 10BaseT, 100BaseT4, Token Ring 4 Mbps, POTS (plain old telephone system)
- Cat5: 100 Mbps; 4 UTP pairs; 100 m max distance; RJ-45; 1994, replaced with 5e. Used for: 10BaseT, 100BaseT4, 100BaseTX, FDDI, ATM, 1000BaseT, 155 Mbps ATM
- Cat5e: Gigabit Ethernet BUT also backwards compatible; RJ-45; better performance, higher signal/noise ratio, overall better reliability. Used for: 10BaseT, Fast Ethernet, Gigabit Ethernet
- Cat6: for future enhancement in data rate & application usage; RJ-45. Used for: 10BaseT, Fast Ethernet, Gigabit Ethernet
STP
- High grade Type 1 cable; shielding reduces EMI & crosstalk; uses IDC/UDC connectors, also RJ-45. Used for: 10BaseT, 100BaseT-2, 100BaseTX, FDDI
COAX
- RG8 = ThickNet, 10Base5: 10 Mbps; no hub needed; AUI connector & vampire tap; economical; good shielding; not too flexible
- RG58 = ThinNet, 10Base2: 10 Mbps; no hub needed; BNC connector; economical; good shielding; not too flexible
FIBER OPTIC
- SMF (Single Mode Fiber): 2.5 Gbps; only transmits light in one fundamental mode/path; very small core diameter; transmits over longer distances than MMF; supports very high bandwidth. Connectors: ST (straight tip) & SC (square), MTRJ, FiberLC (usu. MMF; local/LAN connections)
- MMF (Multi Mode Fiber): 2.5 Gbps; light travels in multiple modes/paths within the fiber; larger center core / thicker than SMF; used for relatively short distances, i.e., LANs & campus networking. Connectors: ST (straight tip) & SC (square), MTRJ, FiberLC
OTHERS:
- Used for data transfer from peripherals to PC; connects peripheral devices for high speed data transfer; also used for USB NICs
Cable Summary
Cable Type | Common Name | Physical Layer Name | Speed | Max Length (m) | Links & Segments | Notes
COAXIAL RG-6 | Satellite TV | N/A | - | N/A | - | Satellite TV
RG-8 (AUI) | Thicknet | 10Base5 | 10 Mbps | 50 (drop) / 500 (backbone) | 100/segment | Thicker wire; used in some networks
RG-58 (BNC) | Thinnet | 10Base2 | 10 Mbps | 185 | 30/segment | Small bus topology
RG-59 | Cable TV | N/A | - | N/A | - | -
CAT3 UTP | Fast Ethernet | 10Base-T | 10/100 Mbps | 100 | 1 per link/drop | Phone/data; 3-4 TPF
CAT4 UTP | Fast Ethernet | 10Base-T | 16 Mbps | 100 | 1 per link/drop | 5-6 TPF
CAT5 UTP | Fast Ethernet | 10Base-T, 100Base-T4, 100Base-TX | 10/100 Mbps | 100 | 1 per link/drop (-T) | 3-4 TPI
CAT5e | Gigabit Ethernet | 10Base-T, 100Base-T4, 100Base-TX, 1000Base-T | 10/100/1000 Mbps | 100 | - | More reliable
CAT6 | Gigabit Ethernet | 10Base-T, 100Base-T4, 100Base-TX, 1000Base-T | 10/100/1000 Mbps | 100 | - | 1 Gbps network
CAT7 STP (IDC/UDC) | Shielded Twisted Pair | - | - | - | - | -
FIBER SMF (ST/SC) | Single-Mode | 10Base-F | - | 2000 | - | -
FIBER MMF | Multi-Mode | 10Base-F | - | 2000 | - | -
* TPF = twists per foot of cable; TPI = twists per inch of cable
* 10Base-T, 100Base-TX, 100Base-T2 use 2 wire pairs; 100Base-T4, 1000Base-T use 4 wire pairs
UTP (Unshielded Twisted Pair)
- General UTP & STP note: the twisting of the wires cancels out interference; the number after CAT is a performance grade, and higher categories use tighter twists (more twists per foot)
- Connector: RJ-45
Connectors
- IDC/UDC = IBM-type / Universal Data Connector; very expensive; copper jacket & wires/pairs wrapped; for twisted pair
Switches = multi-port bridges
o Switches optimize the collision domain (whereas routers optimize the broadcast domain)
o Use software & hardware to create a full-duplex, collision-free domain per port to communicate uber-fast
o Multi-layer switch: operates as a Switch at Layer 2 and as a Router at Layer 3
o Examples of some commands at a switch CLI, i.e., that of a Cisco Catalyst 3550:
  show version = display switch info
  configure terminal = enter configuration mode
  ? = lists the commands available at the current point in the switch's configuration interface
Firewall
o Firewall = hardware device/software application that functions in a network environment to prevent communications that are explicitly forbidden by a corporate security policy
o Goals/Characteristics:
  Can be hardware, or software running on a server, or both
  Prevents spread (of attacks), provides security & controls traffic between different security zones
  Zones have varying levels of trust, which control connectivity & packet flow between them
  Goal is to prevent attackers & unauthorized people from accessing your private network
  Firewall examines all packets/messages inbound to & outbound from the network
o Physical Firewall:
  One interface connected to the internal organization; this has to be the MOST secure (most trusted) interface
  One interface to the public
  May have more interfaces going to other security zones (like a host or a DMZ)
VPN Concentrators
o VPN Concentrator = used to create virtual private networks, using a fleet of protocols to encrypt & decrypt traffic to terminated end points
o Can also use software solutions running on servers, or VPN capability integrated into routers sitting at the perimeter of your network, i.e., Cisco allows you to have firewall & VPN capabilities & intrusion detection services too, all built into the OS of the Router or the Multi-Layer Switch device
o VPN Concentrator administration: via a Unix-based command line interface (like with Routers & Gateways) OR via a web interface
  Unix-based command line interface: some are in a menu system similar to FDISK or BIOS
  Web interface: easier to work with a web-based menu; some use HTTP, others let you use HTTPS (prefer HTTPS, so admin credentials are not sent in clear text)
  NOTE: if managing multiple hubs/routers/VPN Concentrators, use a third-party management system, i.e., Computer Associates
  Manage users, groups; tunnels; IP tunnels; SSL, secure shell, web VPN
6. OSI MODEL
OSI = Open System Interconnection
- Global networking framework standard
- Control is passed through 7 layers; most layers exist in all communication systems
- Layers can be combined, i.e., Microsoft combines several top layers: app/presentation/session + transport + network + data-link/physical
OSI LAYERS
Application Layer
- Provides file, print, message services.
- Protocols for service usage & advertisement.
- Window for users & applications to access network services.
Presentation
- Provides data translation; typically part of the OS.
- Converts inbound & outbound data from one format to another.
- Also handles syntax, compression & encryption.
Session
- Establishes communication sessions between network devices.
- Handles dialog control & coordinates sessions and connections, i.e., decides whether duplex, half-duplex, etc.
Transport
- Ensures data deliverability, reliability & priority.
- Maintains data integrity.
- Makes sure that packets are ordered & that there is no loss/duplication.
Network
- Responsible for routing & forwarding data packets.
- Controls packets on the basis of network state, priority, quality of service, etc.
Data Link
- Provides error-free transmission of data frames.
- Sends frames from the network layer to the physical layer.
- Converts raw bits into frames & vice-versa.
Physical
- Packages & transmits bits on the physical media.
- Includes encoding & functions at the mechanical and electrical level.
7. MAC Addressing
*Note: layers 2-4 are where most networking folks do their work
Data Link / OSI Layer 2
o OSI Layer 2 = Data Link = TWO parts: LLC AND MAC, subdivided by IEEE into two sub-layers
- Reliable data transmission over various media (wireless, fiber, etc.)
- Defines:
o Physical addressing: separate from the network address; the physical address defines how physical network devices are addressed
o Topology: how the network devices are physically connected, i.e., ring, star
o Error notification: alert/send a message to upper layer protocols (3 & 4 & up) that there has been a transmission error
o Frame sequencing: putting frames in the proper order
o Flow control: moderates the data transmission rate so the receiving network/device won't get overwhelmed with more data than it can handle at any given time
- IEEE subdivided the data link layer into the two sub-layers: LLC & MAC
- LLC = Logical Link Control (IEEE 802.2)
o Manages communications between network devices over a single network link
o Supports both connectionless & connection-oriented upper-layer protocols
o Carried in the 802.2 LLC fields of Layer 2 (802.3) frames
o Provides the interface between the MAC sub-layer & the upper layers
- MAC Sub-Layer Management Functions:
o Manages protocol access to the underlying physical medium of the network
o Controls node access to the physical medium and is protocol-specific
o Both MACs must support the same transmission rate to function; otherwise an intermediary device like a router is needed to provide translation
o Encapsulates data into frames & handles frame transmission/recovery
- MAC Addressing (i.e., data link addressing)
o Used to identify nodes/devices implementing IEEE MAC addresses on the data link layer
o Must be unique for each LAN interface, i.e., NIC
o 48-bit address, expressed as 12 hexadecimal digits, i.e.: 00-40-CA-47-C4-BF OR 0090.bf1f.e000 OR 0040.ca19.c776, etc.
o To FIND a MAC address, go to the C:\> prompt & enter IPCONFIG /ALL; find the Ethernet NIC "Physical Address"
o BIA = burned-in address, burned into ROM & then copied into RAM
o First 6 digits (24 bits) = OUI, organizationally unique identifier
o Last 6 digits (24 bits) = vendor assigned, i.e., a serial number assigned by the vendor
- Address Resolution Protocol (ARP)
o Method used in the TCP/IP suite to map IP addresses to physical addresses in order to forward data/frames
o Sending workstation first checks its MAC address table (in this case, its ARP table/cache)
o If nothing is there for the desired destination address, it sends out a broadcast: "hey, where are you?!"
o The desired destination hears the call, compares its IP address to the one in the message & responds with its MAC address
o IF the destination is beyond your local network, the sender instead ARPs for its default gateway/next hop router (usually a Router or a multi-homed Server with 2 NICs) on the same network. The Gateway/Router forwards packets until they get to the right network, to the router that has the MAC address of the destination; if it does not have it, that router sends out its own ARP broadcast to find the MAC address on its local network.
o NOTE: ARP has no authentication; any host on the segment can answer a request (or send unsolicited replies), which is the basis of ARP spoofing/poisoning, so static ARP entries or switch-level protection (e.g., Dynamic ARP Inspection) are used where this matters
- Basic Ethernet Frame Format
o When datagrams come down the OSI stack to Network (Layer 3), an IP header is wrapped around the datagram & it becomes a packet
o That packet gets passed down to Data Link Layer 2 & is encapsulated into a frame
- MTU = Maximum Transmission Unit = for an Ethernet frame, the data field is at most 1500 bytes
- Frame layout (transmission order: left-to-right, bit serial):
  PRE 7 | SFD 1 | DA 6 | SA 6 | Length/Type 2 | Data 46-1500 | Pad | FCS 4
  The FCS generation span, and so its error detection coverage, runs from DA through Pad
- PRE = Preamble; notifies receiving nodes that a frame is coming down the pipe; synchronizes reception of the frame on the physical media with the incoming bit stream of the receiving device
- SFD = Start of Frame Delimiter (also SOF); ends with two consecutive ON (1) bits to signify that the next bit = the left-most bit in the left-most byte of the destination address (i.e., hark!, destination address is next!)
- DA = Destination Address; 6 bytes / 48 bits in hex format = MAC address
- SA = Source Address; 6 bytes / 48 bits. NOTE: SA & DA change at every router hop as the frame moves through the network, but the data (the IP header) keeps the original source & destination IP addresses
- Length/Type = number of MAC client data bytes in the data field (802.3) OR frame type ID (Ethernet II; values of 1536 / 0x0600 and above)
- Data = the actual data, of course!
- Pad = zero bytes added so the data field reaches the 46-byte minimum (64-byte minimum frame)
- FCS = Frame Check Sequence; 4 bytes; contains a CRC (cyclic redundancy check) computed by the sending MAC over the frame; the receiving MAC recomputes it and discards the frame if it does not match (retransmission, if any, is left to upper-layer protocols such as TCP)
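To make the frame layout and the two halves of a MAC address concrete, here is an added Python example (not code from the CBT Nuggets notes or from any vendor) that does what the sending and receiving MACs do: builds an Ethernet II frame, pads the data field to the 46-byte minimum, appends a CRC-32 FCS, then parses the frame back and checks the FCS. The sample addresses and payload are constructed; the function names are my own, and the 802.3-length branch is included because the Length/Type field decides how the data field is read.

```python
import binascii
import struct

# Layout after the preamble and SFD, which the NIC strips before handing the frame up:
#   DA (6) | SA (6) | Length/Type (2) | Data + Pad (46..1500) | FCS (4)
MIN_FRAME = 64           # 14-byte header + 46-byte minimum data field + 4-byte FCS
MAX_DATA = 1500          # Ethernet MTU: largest data field
ETHERTYPE_MIN = 0x0600   # Length/Type >= 1536 is an EtherType; smaller values are 802.3 lengths


def mac_to_bytes(text):
    """Accept any notation used on the page: 00-40-CA-47-C4-BF, 00:90:bf:1f:e0:00, 0040.ca19.c776."""
    digits = text.replace('-', '').replace(':', '').replace('.', '')
    if len(digits) != 12:
        raise ValueError('a MAC address is 12 hex digits, got %r' % text)
    return bytes.fromhex(digits)


def mac_to_text(raw):
    return '-'.join('%02X' % b for b in raw)


def describe_mac(text):
    """Split a MAC into its OUI and vendor-assigned halves and decode the two flag bits of the first byte."""
    raw = mac_to_bytes(text)
    return {
        'oui': mac_to_text(raw[:3]),
        'vendor_assigned': mac_to_text(raw[3:]),
        'multicast': bool(raw[0] & 0x01),             # I/G bit set: group address (FF-FF-FF-FF-FF-FF = broadcast)
        'locally_administered': bool(raw[0] & 0x02),  # U/L bit set: software-assigned, not a burned-in address
    }


def build_frame(dst, src, length_type, data):
    """Sending MAC: pad the data field up to 46 bytes, then append the CRC-32 FCS."""
    if len(data) > MAX_DATA:
        raise ValueError('data field exceeds the 1500-byte MTU')
    body = mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack('!H', length_type) + data
    body += b'\x00' * max(0, 46 - len(data))
    fcs = binascii.crc32(body) & 0xFFFFFFFF
    # On the wire the FCS is the little-endian byte order of the CRC-32 value
    return body + struct.pack('<I', fcs)


def parse_frame(raw):
    """Receiving MAC: reject runts, recompute the CRC over DA..Pad and compare it with the FCS."""
    if len(raw) < MIN_FRAME:
        raise ValueError('runt frame: %d bytes, minimum is %d' % (len(raw), MIN_FRAME))
    body, fcs_on_wire = raw[:-4], struct.unpack('<I', raw[-4:])[0]
    length_type = struct.unpack('!H', raw[12:14])[0]
    if length_type >= ETHERTYPE_MIN:
        kind = 'Ethernet II (type 0x%04X)' % length_type
        data = raw[14:-4]                        # pad, if any, cannot be told apart from data here
    else:
        kind = 'IEEE 802.3 (length %d)' % length_type
        data = raw[14:14 + length_type]          # the length field says where the pad starts
    return {
        'dst': mac_to_text(raw[0:6]),
        'src': mac_to_text(raw[6:12]),
        'kind': kind,
        'data': data,
        'fcs_ok': (binascii.crc32(body) & 0xFFFFFFFF) == fcs_on_wire,
    }


if __name__ == '__main__':
    # Constructed sample: IPv4 EtherType 0x0800 with a short data field that needs padding
    frame = build_frame('00-40-CA-47-C4-BF', '0090.bf1f.e000', 0x0800, b'constructed IPv4 payload')
    print(len(frame), parse_frame(frame))
    print(describe_mac('0040.ca19.c776'))
```

The FCS check is the whole of Ethernet's error detection: a frame that fails it is dropped and counted as a CRC error on the interface, and nothing at Layer 2 asks for it again.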
8. IP Addressing
IP Address = field in the IP header that's added to data as it's moved around the network
o Each address field is 32 bits: one for the source address & one for the destination address
o Four octets of 8 bits; bit values: 128 64 32 16 8 4 2 1 (128 position = high order bit; 1 position = low order bit)
o Each position is 2 to the nth power, n = 7 6 5 4 3 2 1 0
o Add all values of an octet = 255, BUT there are 256 values (0-255)
Binary conversion to Base 10/Decimal:
o Add up the positions/bits where there is a value of 1, i.e.:
  11000000 = 128 + 64 = 192
  10101000 = 128 + 32 + 8 = 168
  01100101 = 64 + 32 + 4 + 1 = 101
  00101101 = 32 + 8 + 4 + 1 = 45
  SO 11000000.10101000.01100101.00101101 = 192.168.101.45
NOTE: each IP address is two parts:
o Network
o The location (host) on the network
Subnet Mask
o Non-zero (1 = ON) bits tell us what part is reserved for the network address
o Zero (0 = OFF) bits tell us what part is reserved for the host address
Class A
o First octet represents the network; remaining three octets (24 bits) are for the hosts (2^24 hosts!)
o 255.0.0.0 = Subnet Mask
Class B
o Two octets for the network, two octets for hosts = 16 bits for hosts
o 255.255.0.0 = Subnet Mask
Class C
o First three octets for the network = 24 bits for network
o ONLY the last octet for hosts = 8 bits
o 255.255.255.0 = Subnet Mask
Address Classes:
  Class A: 1st octet 1-127; 1 octet for network; 126 networks; 16,777,214 hosts per network
  Class B: 1st octet 128-191; 2 octets for network; 16,384 networks; 65,534 hosts per network
  Class C: 1st octet 192-223; 3 octets for network; 2,097,152 networks; 254 hosts per network
  Class D: 1st octet 224-239; used for multicasting
  Class E: 1st octet 240-255; used for experimental purposes
NOTE: 127.0.0.1 is used as the loopback address for testing
NOTE: do not count:
o XX.XX.XX.0 = the network address (on a Class C)
o XX.XX.XX.255 = the BROADCAST address
o SO your possible number of hosts ALWAYS excludes these two addresses/values per network
Private/Reserved Address Ranges
o NOT routed on the internet; packets with these addresses will be dropped
o Used commonly for examples, testing or training
o RFC (request for comment) 1918 = the document that defines the reserved address standards
o Corporations use reserved addresses internally via NAT (Network Address Translation) to extend the number of addresses available with IPv4, SO many companies can use the same network addresses behind their firewall, as long as they have a PUBLIC IP address on the Firewall / on the other side
PRIVATE/RESERVED ADDRESSES (by class):
  A: 10.0.0.0 to 10.255.255.255
  B: 172.16.0.0 to 172.31.255.255
  C: 192.168.0.0 to 192.168.255.255
Subnetworks & Subnetting
o Create smaller broadcast domains within one large broadcast domain
o Adjust the subnet mask by partitioning bits between subnetworks & hosts, i.e.: a Class C is usually 255.255.255.0, BUT if changed to 255.255.255.192 THEN the first 2 bits of the last octet are used for subnetworks & the last 6 bits can be used for hosts (2^6 - 2 = 62 usable hosts per subnet)
CIDR = Classless Inter-Domain Routing
o Uses the entire 32-bit address with a prefix length; no more classes! Put a forward slash (/) at the end followed by the number of bits used for the network
o 192.168.101.45/24
o Number of available hosts = 2^n - 2, where n is the number of bits used for the host part
Main three ways to dole out IP addresses & subnet masks
o Static: directly assigned by hand using software/GUI
o Dynamic: use DHCP to assign IP addresses automatically within a certain scope of addresses
o APIPA (RFC 3330): Automatic Private IP Addressing assigns a temporary IP address in the range 169.254.0.1 - 169.254.255.254 (NOT publicly usable, but some PCs/programs need an address to function in a peer-to-peer network; a client sitting on an APIPA address usually means DHCP failed, so get your DHCP going)
IP Version 6 (IPng or IPv6)
o Expands address space, security & quality of service over IPv4: more fields, space, bits
o Governed by the Internet Engineering Task Force (IETF)
o Address space is 128 bits, expressed in hexadecimal
o ~340 undecillion (!) addresses total; IPv4 ~ 4 billion total
o EXAMPLE: 3ff3:0501:0008:0000:0260:97ff:fe40:efab (For more info see http://www.pcsupportadvisor.com/nasample/c0655.pdf)
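The binary conversion, subnet mask, class table, RFC 1918 ranges and the 2^n - 2 host formula above are all bit arithmetic, so here is an added Python example (my own code, not from the notes) that carries the 192.168.101.45 example through by hand, without the stdlib ipaddress module, so the mask-and-shift steps are visible. It also validates a mask for contiguous ON bits, which is the check that catches a typo like 255.0.255.0; the function names are assumptions of this example.

```python
def ip_to_int(dotted):
    """'192.168.101.45' -> 0xC0A8652D; rejects anything that is not four octets in 0..255."""
    parts = dotted.split('.')
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError('not a dotted-quad IPv4 address: %r' % dotted)
    value = 0
    for p in parts:
        value = (value << 8) | int(p)
    return value


def int_to_ip(value):
    return '.'.join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(dotted):
    """Each octet as its 8 bit positions (128 64 32 16 8 4 2 1), the form the hand conversion starts from."""
    return '.'.join(format((ip_to_int(dotted) >> shift) & 0xFF, '08b') for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix):
    """/26 -> 0xFFFFFFC0 (255.255.255.192): the first `prefix` bits are ON for the network part."""
    if not 0 <= prefix <= 32:
        raise ValueError('prefix length must be 0..32')
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask_dotted):
    """255.255.255.192 -> 26; a mask whose ON bits are not contiguous is not a valid subnet mask."""
    mask = ip_to_int(mask_dotted)
    prefix = bin(mask).count('1')
    if prefix_to_mask(prefix) != mask:
        raise ValueError('mask bits are not contiguous: %s' % mask_dotted)
    return prefix


def address_class(dotted):
    """Classful lookup from the first octet, as in the class table."""
    first = ip_to_int(dotted) >> 24
    if first == 127:
        return 'loopback'
    if first < 128:
        return 'A'
    if first < 192:
        return 'B'
    if first < 224:
        return 'C'
    if first < 240:
        return 'D (multicast)'
    return 'E (experimental)'


RFC1918 = (('10.0.0.0', 8), ('172.16.0.0', 12), ('192.168.0.0', 16))
APIPA = ('169.254.0.0', 16)


def in_block(dotted, block):
    net, prefix = block
    mask = prefix_to_mask(prefix)
    return (ip_to_int(dotted) & mask) == (ip_to_int(net) & mask)


def is_rfc1918(dotted):
    return any(in_block(dotted, block) for block in RFC1918)


def is_apipa(dotted):
    return in_block(dotted, APIPA)


def subnet_info(cidr):
    """'192.168.101.45/26' -> network, broadcast, mask, usable host range and the 2^n - 2 host count."""
    addr, prefix = cidr.split('/')
    prefix = int(prefix)
    mask = prefix_to_mask(prefix)
    network = ip_to_int(addr) & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    host_bits = 32 - prefix
    usable = 2 ** host_bits - 2 if host_bits >= 2 else 0   # network & broadcast are never assignable
    return {
        'network': int_to_ip(network),
        'broadcast': int_to_ip(broadcast),
        'mask': int_to_ip(mask),
        'first_host': int_to_ip(network + 1) if usable else None,
        'last_host': int_to_ip(broadcast - 1) if usable else None,
        'usable_hosts': usable,
        'class': address_class(addr),
        'rfc1918': is_rfc1918(addr),
    }


if __name__ == '__main__':
    print(to_binary('192.168.101.45'))
    print(subnet_info('192.168.101.45/26'))
```

Running it on the page's own example shows why a /26 mask yields 62 hosts: the two borrowed bits leave 6 host bits, and the all-zeros and all-ones host values are the network and broadcast addresses.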
o Non-Extended AppleTalk network
  Physical network segment that is assigned only a single network number (1-1024) (10-bit; 2^10)
  Each node # has to be unique for that network
  No more than one zone configured on it
o Extended AppleTalk network
  Networks can extend beyond the zone, or multiple networks in one zone
(AppleTalk figure: Network 100 with nodes 100.3, 100.11, 100.15, 100.51 and 100.101; node 101.1; Accounting Zone with node 103.10)
o LocalTalk has media access dependencies on lower layer protocols, i.e., Ethernet, FDDI, Token Ring. Four main media access protocols: EtherTalk, TokenTalk, FDDITalk, LocalTalk
LocalTalk is a proprietary (Data Link) Layer 2 implementation: cheap & efficient for small LANs
  Usually built into Macintosh products
  Uses twisted pair cabling, in a bus topology
  300 m segment limits; 32 nodes
  Routers (intermediate devices) can be used for a star topology
o LLAP = LocalTalk Link Access Protocol
  Media access protocol
  Communicates between LocalTalk & upper layer protocols
  Delivers frames between nodes: guarantees error-free delivery, and performs best-effort delivery
o AppleTalk addresses = NETWORK (16 bits) + NODE (8 bits) + SOCKET (8 bits), written network.node.socket
  Network: 1-65534; dynamically doled out when attached to the network: a provisional network layer address is handed out (kinda like APIPA) in the startup range 65280-65534
  Node: random #, but unique on the network
  Socket: individual to each connection/service endpoint on the node
  Using the example above (network 100, node 11, socket 50), the AppleTalk address can be expressed as: 100.11.50 OR 100.11, Socket 50
o ZIP = Zone Information Protocol
  Used to communicate with the router; supplies the node with the valid network number range for the network
  Router replies to the node with the valid range; the node selects a network number & node number, then broadcasts to be sure it's untaken
  If another node responds, the process starts all over again; if not, the node keeps the address
o AARP = AppleTalk Address Resolution Protocol
  Layer 3 protocol; associates network addresses with nodes/services/sockets on the network (like ARP, maps them to hardware addresses)
o RTMP = Routing Table Maintenance Protocol
  Layer 4/Transport Layer protocol (in the AppleTalk model)
  Based on RIP; establishes routing tables using a hop count metric (Hop Count = # of devices to go through to get to another node)
  Creates/maintains tables on intermediate devices using AppleTalk; stores entries for any network a packet has the potential of reaching
  Information is periodically exchanged by routers to ensure it is up to date
Novell NetWare IPX/SPX
o NetWare = Novell's NOS
o Combination of Layer 3 & 4 protocols
o NetWare comes from XNS (Xerox Network Systems, 70s-80s)
(IPX/SPX stack figure: SPX at Transport; IPX at Network; Data Link/Physical: Ethernet IEEE 802.3, Token Ring IEEE 802.5, FDDI, ARCnet, PPP)
o IPX = Internetwork Packet Exchange (parallels IP)
  Novell's original Layer 3 protocol
  Uses IPX RIP (not the same as IP's RIP; the two are incompatible) or NLSP (NetWare Link Services Protocol)
  Network address must be unique
  Address expressed in hexadecimal format of Network Number + node number, 80 bits total: NETWORK (32 bits) + MAC ADDRESS (48 bits), i.e., 00000001 1c.0f1e.8d7a.a36c
o SPX = Sequenced Packet Exchange (parallels TCP)
  Less important to IPX than TCP is to IP
o Encapsulation = wrap upper-layer protocol info into frames, so the same wire can support different protocols/environments
Novell Ethernet frame types (each adds header info at the front so IPX can operate in different environments):
  Ethernet_802.3: 802.3 header | IPX | DATA
  Ethernet_802.2: 802.3 header | 802.2 LLC | IPX | DATA
  Ethernet_II: Ethernet (DIX) header | IPX | DATA
  Ethernet_SNAP: 802.3 header | 802.2 LLC | SNAP | IPX | DATA
o Uses clear text, not secure
HTTPS = HTTP Secure, or HTTP over SSL/TLS
o https:// is shown in the browser AND a graphical padlock as well
o Secure (encrypted) connection
o Uses TCP Port 443 (SSL port)
o TLS = Transport Layer Security; the newer version that replaces SSL
TELNET = Protocol AND a Program
o C:\> telnet OR telnet blah.com, then > Username; > Password
o telnet /? lists the switches available: -a, -t, -e, -f, -l, port
o Unsecure, uses clear text (username & password cross the network readable by anyone sniffing the segment)
o Terminal emulation: allows you to log on to other computers on the internet, assuming you have access to run programs & commands
o Uses TCP Port 23
SSH = Secure Shell
o Uses TCP Port 22
o Developed by SSH Communications Security
o Offers strong authentication & encryption; used for remote log in, running commands, moving files, etc.
o Replaces TELNET, RLOGIN, RSH, RCP, RDIST
o PuTTY = free telnet/SSH client
ARP = Address Resolution Protocol
o Used in TCP/IP, usually at Layer 2/3 (Data Link & Network Layers, respectively)
o Dynamically (or manually) binds IP addresses to hardware (MAC) addresses
o Broadcasts on the network segment ONLY; learns about the local area & adds info to the ARP cache
o To show interface address, MAC, & type (static vs dynamic): C:\> arp -a
NNTP = Network News Transport Protocol
o Client/server protocol; handles usenet & newsgroup postings
o NNTP readers included in all browsers (with most email programs too, even Outlook Express)
o Newsreaders = separate NNTP clients (not part of an email program or browser; standalone program)
(WINS and DNS figures: laptop user and Workstation A as DNS/WINS clients at a SOHO and a branch office, connected through a switch and router to the ISP; DNS server and WINS server; DNS hierarchy from ROOT to .COM, .EDU, .NET)
DNS = Domain Name System
Sample scenario for a student user at a college, wanting to visit www.website.com from their dorm room:
1. User sends a query to the College DNS server; the College server (acting as a recursive resolver) asks a Root server, which refers it to the .COM servers
2. College asks .COM, which refers it to the Website's authoritative name server
3. College asks the Website name server, which returns the answer; College returns the message to the User: "The IP Address is xxx.xxx.xxx.xxx"
4. TCP/IP communication from User > www.website.com via the IP address
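The four-step scenario above is an iterative chase by the college's recursive resolver. Here is an added Python example (my own code, not from the notes) that simulates it offline against a constructed set of name servers: the root knows the TLDs, the .COM server knows the delegation for website.com, and the website's own server holds the A records (the 198.51.100.x answers are documentation addresses, chosen so nothing real is referenced). Glue records are abstracted away by naming servers directly; the class and function names are assumptions of this example.

```python
# Constructed zone data for the scenario; no real name servers are contacted.
# Each server holds referrals ('ns') to the next level and/or final answers ('a').
ROOT_SERVER = 'root-server'
ZONES = {
    'root-server': {
        'ns': {'com.': 'com-tld-server', 'edu.': 'edu-tld-server', 'net.': 'net-tld-server'},
        'a': {},
    },
    'com-tld-server': {
        'ns': {'website.com.': 'ns.website.com.'},
        'a': {},
    },
    'ns.website.com.': {
        'ns': {},
        'a': {'www.website.com.': '198.51.100.10', 'mail.website.com.': '198.51.100.25'},
    },
}


class CollegeResolver:
    """The college's recursive DNS server: walks root -> TLD -> authoritative on the user's behalf and caches answers."""

    def __init__(self, zones, root):
        self.zones = zones
        self.root = root
        self.cache = {}

    def _ask(self, server, name):
        """One query to one server: ('answer', ip), ('referral', next_server) or ('nxdomain', None)."""
        zone = self.zones[server]
        if name in zone['a']:
            return 'answer', zone['a'][name]
        labels = name.split('.')
        for i in range(1, len(labels)):             # longest suffix this server can delegate
            suffix = '.'.join(labels[i:])
            if suffix in zone['ns']:
                return 'referral', zone['ns'][suffix]
        return 'nxdomain', None

    def resolve(self, name):
        """Return (ip_or_None, list of servers asked); ['cache'] when answered from the cache."""
        name = name if name.endswith('.') else name + '.'
        if name in self.cache:
            return self.cache[name], ['cache']
        trail = []
        server = self.root
        for _ in range(8):                          # bound the chase so a referral loop cannot spin forever
            trail.append(server)
            status, data = self._ask(server, name)
            if status == 'answer':
                self.cache[name] = data
                return data, trail
            if status == 'nxdomain':
                return None, trail
            server = data                           # referral: ask the next server down
        raise RuntimeError('referral loop while resolving %s' % name)


if __name__ == '__main__':
    resolver = CollegeResolver(ZONES, ROOT_SERVER)
    print(resolver.resolve('www.website.com'))     # walks root -> com -> ns.website.com.
    print(resolver.resolve('www.website.com'))     # second lookup comes from the cache
```

The trail returned by the first lookup is exactly steps 1-3 of the scenario; the second lookup returns the cached answer, which is why a poisoned or stale cache entry on the recursive server affects every client behind it until the record's TTL runs out.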
DHCP = Dynamic Host Configuration Protocol
o Configures hosts dynamically at startup
o TCP/IP stack initializes, contacts a DHCP Server to get an IP address (plus subnet mask, default gateway, DNS server, etc.)
o Usually have many logical servers (DNS, DHCP, WINS, directory, mail), but one physical server or one group of physical servers
(Figure: WINS, mail, directory, DNS and DHCP servers behind a switch and router to the ISP; DNS client)
o DHCP Lease process:
1. Workstation/Client broadcasts a DHCP Discover packet
2. DHCP Server(s) return a DHCP Offer
   - If you don't have a DHCP Server on each LAN, a router can be configured to forward the broadcast (DHCP relay) to a selected DHCP Server on a remote network or another segment
   - DHCP lease terms may be minutes, days, etc.
   - If a server's offer doesn't get selected, it releases its offered address for other Clients to use
3. Client receives the DHCP Offer(s) & selects one; sends a DHCP Request packet to the selected DHCP Server
4. DHCP Server returns a DHCP ACK (yes) / NACK (no)
   NOTE: the Server may do an ARP first to see if the requested address is already taken before returning an ACK/NACK
   If the Client receives an ACK, lease maintenance is the Client's responsibility:
   5a. Client sends a DHCP Request (prior to expiration of the current lease, in order to renew) OR
   5b. Client sends a DHCP Release (to finish the lease prior to the expiry date) to the DHCP Server so the address can be used by other Clients
   If the Client receives a NACK, the Client sends out another DHCP Discover packet
o Non-renewed leases are released for other Clients to use
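The lease process above is a small state machine with a pool of addresses, so here is an added Python example (my own code, not from the notes) that models both sides of it: Discover/Offer/Request/ACK-NACK, renewal before expiry, early release, un-requested offers going back to the pool, and a NACK when a client asks for an address held by someone else. Times are plain integers (seconds) passed in, so the expiry logic is testable without a clock; the class and function names and the 60-second offer timeout are assumptions of this example.

```python
OFFER_TIMEOUT = 60   # seconds an unanswered Offer stays reserved before the address goes back to the pool


class DhcpServer:
    """Server side of the lease process: a scope, Discover/Offer/Request/ACK-NACK, renew, release, expiry."""

    def __init__(self, scope, lease_seconds):
        self.free = list(scope)        # addresses available to offer, in order
        self.offered = {}              # client_id -> (address, offer expiry)
        self.leases = {}               # address -> (client_id, lease expiry)
        self.lease_seconds = lease_seconds

    def discover(self, client_id, now):
        """Steps 1-2: answer a broadcast Discover with an Offer; None means the scope is exhausted."""
        self.expire(now)
        if client_id in self.offered:
            return self.offered[client_id][0]
        if not self.free:
            return None
        addr = self.free.pop(0)
        self.offered[client_id] = (addr, now + OFFER_TIMEOUT)
        return addr

    def request(self, client_id, addr, now):
        """Steps 3-4: the client Requests one offer and gets ACK or NACK; a Request for an address
        the client already holds is the step 5a renewal."""
        self.expire(now)
        offered, _ = self.offered.pop(client_id, (None, 0))
        if offered == addr:
            self.leases[addr] = (client_id, now + self.lease_seconds)
            return 'ACK'
        if offered is not None:
            self.free.append(offered)   # our offer was not the one selected: release it for other clients
        holder = self.leases.get(addr)
        if holder is not None and holder[0] == client_id:
            self.leases[addr] = (client_id, now + self.lease_seconds)   # 5a: renewal extends the lease
            return 'ACK'
        return 'NACK'                   # unknown address, held by another client, or never offered

    def release(self, client_id, addr):
        """Step 5b: the client hands the address back before the lease expires."""
        holder = self.leases.get(addr)
        if holder is None or holder[0] != client_id:
            return False
        del self.leases[addr]
        self.free.append(addr)
        return True

    def expire(self, now):
        """Leases that were not renewed, and Offers nobody requested, go back to the pool."""
        for addr, (_, expires_at) in list(self.leases.items()):
            if expires_at <= now:
                del self.leases[addr]
                self.free.append(addr)
        for client_id, (addr, expires_at) in list(self.offered.items()):
            if expires_at <= now:
                del self.offered[client_id]
                self.free.append(addr)


def client_obtain_lease(server, client_id, now, attempts=3):
    """Client side: Discover, take the Offer, Request it; on NACK start over with a new Discover."""
    for _ in range(attempts):
        offer = server.discover(client_id, now)
        if offer is None:
            return None
        if server.request(client_id, offer, now) == 'ACK':
            return offer
    return None


if __name__ == '__main__':
    server = DhcpServer(['192.168.1.100', '192.168.1.101'], lease_seconds=600)   # constructed scope
    print(client_obtain_lease(server, 'client-A', now=0))
    print(server.request('client-A', '192.168.1.100', now=500))                  # renewal -> ACK
```

Nothing in the exchange authenticates the server, which is why a rogue DHCP server on the segment can hand out its own gateway and DNS addresses; DHCP snooping on the switch is the usual control.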
SNMP = Simple Network Management Protocol
o Manages networked devices, i.e., hubs, switches & routers
o RFC 1157
o Monitors/controls via PDUs (Protocol Data Units)
o Devices run agents: software used to gather info regarding performance, etc.
o Information is stored in an MIB (Management Information Base)
o SNMP v3 is the most current & most secure (as of the 2005 CBT Nuggets video); v1/v2c authenticate only with a clear-text community string, so v3 (authentication & encryption) is what to deploy
NAT = Network Address Translation / IP Masquerading
o Source/destination addresses are translated as packets pass through a router, firewall or proxy
o Allows many internal (private) hosts to access the internet (public) via a single address or a couple of addresses
o The internal addressing scheme is hidden
o Overcomes the constraints of the depleted IPv4 address space
o (Privately) uses RFC 1918 addresses, Class A/B/C
ICMP = Internet Control Message Protocol
o RFC 792; used for error packets, control packets, informational packets for IP
o PING & TRACERT use ICMP
o Reports to the sender if something has gone wrong in transmission / if packets are not delivered
o Valuable for doing diagnostics & troubleshooting
IGMP = Internet Group Management Protocol
o Standard for IP multicasting on the internet
o Helps establish host membership in a multicast group
o Keeps local routers up to date on members as hosts join/leave
o RFC 2236 = IGMP v2
LPD/LPR = Line Printer Daemon / Line Printer Remote
o LPD is the Berkeley printing system
o Provides network print services & spooling
o Uses TCP/IP to establish links between network printers & Clients/Workstations
o Developed for BSD Unix
o LPD is installed on the printer/print server; LPR is installed on the Client device/Workstation
o Used especially on enterprise networks
NTP = Network Time Protocol
o Assures time synchronization for TCP/IP networks
o References radio & atomic clocks on the internet
o Synchronizes distributed clocks to milliseconds
o Linux has the free program NTPD (NTP daemon) available
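IP masquerading as described above is a translation table keyed on the inside host's connection, with the public port number telling replies apart. Here is an added Python example (my own code, not from the notes) of that table for a single public address: outbound packets from RFC 1918 sources get a fresh public port per connection, replies are mapped back to the inside host, and anything arriving on a port nobody opened, or from a peer the inside host never talked to, is dropped. The public and peer addresses are documentation addresses, constructed for the example; the class and method names are assumptions.

```python
import ipaddress
import itertools

# RFC 1918 blocks: the only sources this masquerader translates
RFC1918 = [ipaddress.ip_network(n) for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


class Masquerader:
    """Port address translation at the perimeter: many private hosts share one public IP, told apart by port."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = itertools.count(first_port)
        self.out_table = {}   # (private_ip, private_port, peer_ip, peer_port) -> public_port
        self.in_table = {}    # public_port -> (private_ip, private_port, peer_ip, peer_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of a packet leaving the LAN; returns the (ip, port) the internet will see."""
        if not is_rfc1918(src_ip):
            return src_ip, src_port          # not ours to hide: pass through untranslated
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_table:        # first packet of a connection: allocate a public port
            public_port = next(self.next_port)
            self.out_table[key] = public_port
            self.in_table[public_port] = key
        return self.public_ip, self.out_table[key]

    def inbound(self, src_ip, src_port, dst_port):
        """Rewrite the destination of a reply from the internet; None means drop (no inside host opened this)."""
        entry = self.in_table.get(dst_port)
        if entry is None:
            return None
        private_ip, private_port, peer_ip, peer_port = entry
        if (src_ip, src_port) != (peer_ip, peer_port):
            return None                      # unsolicited: sender is not the peer the inside host talked to
        return private_ip, private_port


if __name__ == '__main__':
    nat = Masquerader('203.0.113.5')                                   # constructed public address
    print(nat.outbound('192.168.0.10', 51000, '198.51.100.7', 80))     # -> ('203.0.113.5', 40000)
    print(nat.inbound('198.51.100.7', 80, 40000))                      # -> ('192.168.0.10', 51000)
    print(nat.inbound('198.51.100.7', 80, 40999))                      # -> None, dropped
```

The drop of unsolicited inbound traffic is a side effect of the table, not a firewall policy: inside hosts become unreachable from the internet only because no entry maps to them, which is why NAT is often mistaken for a security control.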
Point to Point WAN
o Solitary, pre-configured, dedicated path between customer & remote network
o Usually consists of leased lines, with wire pairs being dedicated communication paths
o More expensive, and price is based on needed bandwidth & distance
o Largely replaced by Frame Relay
Circuit Switching WAN
o Data connections are active only when needed, otherwise they are shut down (i.e., like a telephone call)
o One type is ISDN
o DCE = Data Communication/Circuit Equipment, i.e., CSU/DSU = Channel Service Unit / Data Service Unit (essentially, a modem)
o DTE = Data Terminal Equipment
[Diagram: SOHO and customer sites, each behind a switch and a DCE (CSU/DSU), connected across the carrier WAN]
Packet Switched WAN
o Most popular
o Individuals can share the resources of common carriers and reap a better cost benefit
o Packet Switching multiplexes data into smaller packets so they can take separate paths across the carrier network to the destination (i.e., insert multiplexers at the DCE locations of the above diagram)
o Carrier uses Virtual Circuits through the network (cloud in diagram)
o Types of Packet Switched WANs:
   - ATM: asynchronous transfer mode
   - Frame Relay
   - SMDS: switched multimegabit data services
   - X.25
o Virtual Circuit: logical link/connection created within a shared infrastructure network between two (2) networked devices
o SVC - Switched Virtual Circuits, created dynamically:
   1. Establish circuit
   2. Transfer data
   3. Terminate circuit
o PVC - Permanent Virtual Circuits: decrease bandwidth use for establishing the communication circuit
   - Need constant data flow, since often used for file transfer, web access, email transfer
   - More expensive $$$$$$
Frame Relay
o High performance, flexible WAN protocol
o Uses packet switching technology
o Hosts can dynamically share medium AND bandwidth from the cloud
o Layer 2 (Data Link) suite
o More efficient & better performance than X.25
o Uses DLCI for Layer 2 addressing; DLCI = Data Link Connection Identifier
ISDN Integrated Services Digital Network
o Offered through regional telephone carriers
o Circuit switching WAN
o Digitizes voice, data, graphics, music, etc. over existing copper phone lines
o Digital telephony & data transfer
o ISDN uses several devices / reference points:
   - DCE for ISDN = CSU/DSU, Channel Service Unit / Data Service Unit, which acts as the interface between provider/carrier switches & DTE (Data Terminal Equipment: PC/Telephone/Server/Router)
   - DCE can also be multiplexers, translators
   - TA: Terminal Adapter
   - NT1: Network Termination 1; NT2: Network Termination 2
[Diagram: ISDN reference points: TEL (or TEL + TA) - S - NT2 - T - NT1 - U - LT - V - ET, with LT and ET at the phone company]
o Two (2) main types: ISDN BRI & ISDN PRI
ISDN BRI Basic Rate Interface
o 2B + 1D Channel = 2 (64 Kbps) + 1 (16 Kbps control/signal info) = 128 Kbps user data
   - D Channel MAY be used for data as well
ISDN PRI Primary Rate Interface
o 23B (64 Kbps) + 1D (64 Kbps, data OR control info) = 1.544 Mbps = T1 line!!
   - Can get fractional, using only SOME channels to bring down cost/speed to whatever is needed
   - Above calcs only for USA/Canada/Japan; UK/Australia have 30 B channels, with up to 2.048 Mbps
FDDI Fiber Distributed Data Interface
o Used for hi-speed LAN backbone & WANs like MANs, government WANs, etc.
o Dual ring over fiber
o SMF & MMF; CDDI = over copper
o Has 4 specifications:
   - MAC: defines medium access, frames, addresses, errors
   - PHY: physical layer specifications; encoding, clocking, framing
   - PMD: physical medium dependent
   - SMT: station management; configuration of stations, concentrators, servers, end user devices
WAN Carriers
o T1 DS1 = 1.544 Mbps (ISDN PRI); E1 (European) = 2.048 Mbps
o T3 / E3 leased line connections; voice, data, etc.; T3 = 45 Mbps = 28 T1 channels
o OCx optical carrier for SONET; OC-1 to OC-192 optical transmission, uses fiber optic lines

OC Standard | Transmission Rate
OC-1 | 51.85 Mbps
OC-3 | 155.52 Mbps
OC-12 | 622.08 Mbps
OC-24 | 1.244 Gbps
OC-48 | 2.488 Gbps
OC-192 | 9.952 Gbps

X.25
o ITU-T (International Telecommunications Union - Telecommunication) global WAN standard
o Works with many connected systems
o Used in packet switched networks of carriers/telecommunications companies
o Born in the 1970s when the need arose for a WAN standard
o X.25 defines DTE, DCE & PSE
o Also uses PAD (Packet Assembler / Disassembler) devices
o Maps to layers 1, 2, 3 of OSI (Physical & Data Link & Network)
o PSE: Packet Switching Exchange, cloud/matrix
o PAD used when the DTE device is too simple to fully implement X.25; use PAD between DTE & DCE
[Diagram: X.25 path DTE - PAD - DCE; wireless LAN with a PC on a WAP (bridge) and a PC on a wireless router]
IEEE 802.11 Standards
802.11a
o Adds to the original 802.11 WLAN specifications: up to 54 Mbps bandwidth @ 5 GHz radio band
o Not frequently used even though faster than 802.11b
o Not compatible with 802.11a or 802.11g
802.11b
o Most popular WLAN spec (hotspots)
o Up to 11 Mbps, w/fallback to 5.5, 2, 1 Mbps
o Transfer rates dependent on distance to WAP & # of other users
o Uses 2.4 GHz radio band/frequency
o Not compatible with 802.11a
802.11g
o Gaining in popularity (although N is coming)
o Compatible with 802.11b, NOT 802.11a
o Up to 54 Mbps w/fallbacks
o 2.4 GHz radio band/frequency
o Developed as a higher speed technology when communicating with other 802.11g devices
WPAN Communication Methods: Infrared & Bluetooth Comparison
Infrared
o Uses infrared light to carry data
o Needs hardware & software to function/communicate
o Governed by IrDA (Infrared Data Association)
o Laptops, printers, PDAs, phones, headsets
o Can also use a USB port adapter
o ~ same rate as parallel port, up to ~4 Mbps
o Line of sight; range of ~18; if obstructed, bye-bye signal
Bluetooth
o Specification for short-range wireless
o Cell phones, pagers, PDAs; can get a 3-in-1 phone to sync with desktop/laptop
o Bluetooth headsets VERY popular; keyboard/mouse, etc.
o Very popular for WPAN communication
Spread Spectrum: method used to modulate data into manageable bits to get sent via wireless communication
o Transmitted in a bandwidth that is considerably greater than the frequency content of the original data
DSSS: Direct Sequence Spread Spectrum (DS-CDMA: Direct Sequence Code-Division Multiple Access)
o Stream divided into smaller chunks, which are assigned to frequency channels across the spectrum
o Better performance than FHSS but more susceptible to interference
o 802.11 a/b/g use DSSS (OFDM [Orthogonal Frequency-Division Multiplexing] used for 802.11a/g higher & broadband speeds)
FHSS: Frequency Hopping Spread Spectrum (FH-CDMA: Frequency Hopping Code-Division Multiple Access)
o Repeated rapid swapping of frequencies/channels during the transmission process, coordinated between sender & receiver
o Originally used to thwart electronic eavesdropping/jamming
o Used with the original 802.11 standard
o Used by Bluetooth
Dial-Up via PSTN & POTS
o POTS = Plain Old Telephone System
o PSTN = Public Switched Telephone Network
o V-Series:
   - V8 - V29 (9600 baud rate per second); baud rate = # times per second the carrier signal is changed
   - V32, V34, V90 (56,000 baud rate)
   - V110 asynchronous DTE can use ISDN (128,000 bps)
o Advantages of & features of Dial-Up:
   - Economical; great for backup to cable/DSL
   - Flexible; easy to set up an ad hoc connection
   - 33,600 bps = V34 on POTS
   - ISDN basic rate interface (BRI 2B + 1D channel) = 64 x 2 = 128 kbps
[Diagram: PC - MODEM - POTS]
DSL Digital Subscriber Line
o Modem technology; uses existing twisted pair phone lines for high bandwidth data transfer
o Mostly home usage, but some usage in small businesses
o xDSL = different flavors of DSL: ADSL, SDSL, HDSL, HDSL-2, G.HDSL, IDSL, VDSL
o Dedicated; P2P access; over copper on the local loop (last mile: need to be ~ <1 mile from customer to a telco central office)
o ADSL = Asymmetric DSL: faster download than upload
   - Always on; great for internet, intranets, streaming video, remote access, etc.
   - ADSL modems usually offer various speeds/capacities: 1.5 or 2.0 Mbps to 8 Mbps (or higher now) downstream speeds
   - ADSL modems operate with IP & ATM (asynchronous transfer mode)
o Other DSL options:
   - SDSL: equal upload & download transfer rates
   - HDSL: 2 pairs of T1 = 784 k per pair
   - HDSL-2: emerging alternative over a single pair
   - G.HDSL: multi-rate version of HDSL-2
   - IDSL: ISDN DSL, single pair @ 128 Kbps
   - VDSL: high-speed over short distance on existing copper lines
Broadband Cable
o CATV operators had to compete with DSL & Direct Satellite in the 1990s
o Key operators (big cable companies like Time Warner, etc.) joined to form MCNS for IP solutions
o Introduced the DOCSIS 1.0 Standard (Data Over Cable Service Interface Specification) with assorted cable modems (CableLabs)
o Use either all coax OR hybrid fiber-coax
[Diagram: Head End CMTS to Customer Premises via either HYBRID FIBER-COAX or ALL COAX, with the PSTN alongside; Cable Modem - PC at the customer premises]
Satellite Access
o Use a satellite in geostationary (GEO) orbit as a relay from vendor to customer
o 2-way access through a special satellite modem, sending requests through a satellite dish to a satellite ~22,000 miles above the equator
o Usually asymmetric; slower than DSL, with some latency problems (i.e., not great for internet gaming or other interactive web access)
o Need a satellite dish & modem (external or internal)
[Diagram: three remote access designs]
EXAMPLE 1: ISP -> Perimeter (edge) router -> Remote Access Server in the DMZ, running RAS, NAT, Auth., VPN (Windows 2000/2003 or Unix/Linux-based; Mac OS X too), with NLB -> MultiLayer Switch OR Hi-End Router -> Corporate Network
   - NOTE: this network interface must be FAST. Either: Etherchannel (~100 Mbps) or Fiber channel (FDDI Ring)
EXAMPLE 2: smaller/simpler solution: using a Router + Built-In Firewall at the Perimeter (edge), in place of the Perimeter Router, in front of the MultiLayer Switch OR Hi-End Router & Corporate Network. Can also use a multi-homed Linux server with a firewall
EXAMPLE 3: more expensive solution, using a second Multi-Layer Switch or High End Router & integrated Firewall between the ISP-facing ROUTER at the Perimeter (edge) and the Corporate Network
o RAS = modular solution; can add whatever modules you need to do business
o NLB = Network Load Balancing solution; use 2+ servers that act as 1 logical server
o Dual Homing = 2 NICs on one machine; often = one Public, one Private (NAT); covered in RFC 1918
o DMZ = demilitarized zone; own/separate security zone
NOS Remote Access Services
o Dial-up Services (dial on demand, DOD; ISDN; telco/POTS)
o RADIUS authentication & authorization: Password + (Biometrics; PIN; Digital Certificate; Smart card; Token; Thumbprint)
o Virtual private networking: secure links (L2TP, PPP, IPsec, SSL VPN) between 2 different networks
o Accounting & reporting services: when, how long, disconnect time, etc.
o Modular add-in services to NOSs; can activate individual features across most OSs
Popular NOS Solutions
o Novell Netware Open Enterprise Server (SuSE)
o Sun Solaris Secure Shell (replaced IPSec VPN standard)
o Mac OS X (Unix-based component)
o Linux (Red Hat, Debian, Mandrake)
o Windows 2000/2003 RRAS / IAS
   - RRAS = Routing & Remote Access Service; uses OSPF, RIPv2
   - IAS = Internet Authentication Service; Microsoft version of RADIUS for authentication & authorization & accounting (AAA)
Client Connectivity via one of two methods:
o Integrated remote access program (i.e., Internet Connect on Mac OS X); NOTE: need a security layer operating above this
o Integrated VPN client or 3rd-party solution, i.e., Cisco VPN Client: secure tunnel for a VPN
[Diagram: Telecommuter and Remote Access Site connected over a VPN TUNNEL to the VPN Concentrator behind the ROUTER at the Central Site / HQ]
o Categories of VPNs:
   - Remote Access VPN: for the telecommuter/mobile user; access through their own ISP to the terminating site on the other side of the tunnel; uses VPN software on the client side
   - Site to Site VPN (LAN to LAN VPN): extend to another corporate site via the internet to extend the LAN; more permanent solution; usually involves use of a hardware/software combo & data is usually encrypted
Tunneling
o Allows one network to send data using another network's connection
o Encapsulates the network protocols used by the client within the packets carried by the second network; embeds its own network info in the TCP/IP packets
o For example, when sending a gift via USPS, you put it in outer packaging to protect it
o Software Client = NetScreen; Cisco; etc.; allows administrators to set security policies for access (i.e., authentication, key exchange)
   - Equivalent of PPP on steroids!
   - Software clients used in situations with a couple of users; hard to manage/implement/administrate with more than a few users
o Hardware Client: used in larger settings, remote office, many users
   - Takes control away from end users, puts it firmly into the hands of administrators
PPTP Point-to-Point Tunneling Protocol
o VPN Tunneling (encapsulation) protocol; uses encryption; documented in RFC 1999
o Included in NOSs; Microsoft uses it for low cost secure remote access to corporate networks
o Supports: TCP/IP; IPX/SPX; NetBEUI
o Weaker security/confidentiality than IPSec
L2TP Layer 2 Tunneling Protocol
o IETF standard
o Marriage of Microsoft's PPTP & Cisco's L2F protocols
o Based on IPSec; documented in RFC 2661
o Supports multiple protocols & NAT (Network Address Translation allows you to use private IP addresses & communicate over the internet)
IPSec IP Security
o Operates at Layer 3 (Network Layer of OSI Model) to encrypt & authenticate & manage keys for TCP/IP transmissions
o Four Core IPSec Services:
   - Confidentiality: encrypts data
   - Data Integrity: no change to data in transit
   - Authentication: verifies users & data origin; non-repudiation
   - Anti-Replay: ensures that each packet is unique
o Authenticates in two phases:
   - Key Management: uses IKE (Internet Key Exchange) to manage keys; runs on UDP port 500. Determines which keys will be used by communicating nodes.
   - Encryption: two types available:
     1. AH: Authentication Header; only encrypts the header, not the data
     2. ESP: Encapsulating Security Payload; encrypts the entire IP package/data payload for added security; DES, 3DES, AES
o Most commonly run on routers or other VPN connectivity devices
SSL Secure Sockets Layer
o Encrypts data over the internet
o Uses Public Key Infrastructure (PKI) to encrypt data
o Developed originally by Netscape, used widely by everyone now
o Main protocol for secure transactions between web browsers (end users) & servers
o SSL3 offers: Privacy; Authentication; Message integrity
o Indicated via: HTTPS + lock symbol (sometimes you get a pop-up too, depending on the web browser being used)
o TCP port 443 (rather than HTTP port 80)
o A unique SSL session is established each time client/server create an SSL connection, created by the SSL handshake protocol:
   - Client_hello & server_hello messages
WEP Wired Equivalent Privacy
o Uses keys to authenticate clients and to encrypt data in transit
o Prevents eavesdropping & packet sniffing
o Optional standard for 802.11 WLAN
o All products must support the same XX-bit WEP (40 bit/64/128)
o Flawed: using the same key to encrypt & authenticate means if you access one, you access all; too easy to break into, not very secure
WPA WiFi Protected Access (created/endorsed by the WiFi Alliance)
o Meant to be used with an authentication server (RADIUS or TACACS+) but doesn't need to be (can use WPA-Personal)
o Can dynamically & rapidly change keys; uses stronger 48- or 128-bit keys
o Improved data security & secure message authentication
PAP: Password Authentication Protocol
o Most basic/elementary form of authentication; compares credentials to a table of name-password pairs
o Used as basic authentication of HTTP
o RFC 1334
o NOT secure/encrypted over the network or internet; info IS encrypted on the server side:
   1. User name/password sent in CLEAR TEXT
   2. Checked against encrypted info on the server side (the server's table)
   3. Acknowledgement sent back from the server
[Diagram: client sends credentials to the Server, which checks them against its table]
CHAP = Challenge Handshake Authentication Protocol
o Verifies the identity of a client with a 3-way handshake
   - CHAP agent sends a key to the client; a shared, secret key is used to encrypt the User Name & Password
   - CHAP sends challenges out at regular intervals to weed out intruders disguised as the client
   - RFC 1994 originally didn't prevent unauthorized access (!); access was determined by the router and/or server
o MSCHAP = Microsoft's version of CHAP; V.1 & V.2 used by Windows 2000 & 2003; prevents unauthorized access
   - IAS, RRAS, RAS at the Server; all of these use the Active Directory database to determine the level of access granted to the Client
o Encrypts the data load using the shared secret key
o HASH = one-way function
o CHAP Process:
   1. Link Established: link established between Server & Client
   2. MD5 (Message Digest 5): take the credential info & once you apply a one-way hash to it, you will have a fixed-length result or DIGEST, which is sent back to the authenticator
   3. IF it MATCHES: all OK, connection continues; but IF it DOES NOT MATCH, the connection is terminated
[Diagram: SERVER challenges CLIENT; CLIENT returns the MD5 digest]
RADIUS = Remote Authentication Dial In User Service
o AAA = Authentication & Authorization & Accounting for network access and IP mobile availability (see notes below in the AAA section)
o Credentials are passed to the NAS (Network Authentication Server) via PPP, then forwarded to the RADIUS Server (Cisco Access Control Services, or ACS)
o RADIUS uses the following schemes: PAP, CHAP, EAP
o Valuable for recording authorization, accounting, billing with extensive protocols
o OPEN Protocol: can use your own customized version for your own purposes
o Used by ISPs to measure bandwidth usage
o DIAMETER = planned replacement for RADIUS
TACACS+ = Terminal Access Controller Access Control System
o Predecessor to Extended TACACS
o Used for authentication & authorization in UNIX networks & Cisco infrastructures
o Offers limited accounting
o Totally new replacement; use TACACS OR RADIUS, not both
o Stores usernames & passwords; encrypts communications to the NAS; authorizes
o Centralized management for remote sites
AAA = Authentication & Authorization & Accounting
o Authentication = ensuring you're who you say you are
o Authorization = verifying what you have access to
o Accounting = when you log in/out, how long you accessed what, etc.; good for billing & auditing services
o NOTE: when the network gets larger, it's a good idea to get a dedicated AAA Server
o LDAP = Lightweight Directory Access Protocol
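The PAP and CHAP exchanges above, as an added example that is not part of the original notes: the CHAP response computation of RFC 1994 (which the CHAP section cites) with a single-use challenge on the authenticator side, beside PAP's cleartext request from RFC 1334. The peer name, shared secret and the helper that inspects captured bytes are constructed assumptions.

```python
# Added example (not from the notes): the CHAP exchange of RFC 1994, which the
# CHAP section above cites, beside PAP's cleartext exchange from the PAP section.
# Names and the shared secret are constructed sample values.
import hashlib
import hmac
import os

# Constructed server-side table of peer name -> shared secret (never sent on the wire)
SECRET_TABLE = {"alice": b"s3cret-shared-key"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues a fresh random challenge and checks the returned digest."""

    def __init__(self, table, rng=os.urandom):
        self.table = table
        self.rng = rng
        self.outstanding = {}        # identifier -> challenge value awaiting a response

    def challenge(self, identifier: int) -> bytes:
        value = self.rng(16)         # new random value each time (also for periodic re-challenges)
        self.outstanding[identifier] = value
        return value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        challenge = self.outstanding.pop(identifier, None)   # a challenge is usable once
        secret = self.table.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)       # constant-time comparison


class ChapPeer:
    """Client side: holds the secret and answers challenges with the digest only."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes):
        return self.name, chap_response(identifier, self.secret, challenge)


def chap_login(server: ChapAuthenticator, peer: ChapPeer, identifier: int) -> bool:
    """The 3-way handshake: Challenge -> Response -> Success/Failure."""
    chal = server.challenge(identifier)
    name, resp = peer.respond(identifier, chal)
    return server.verify(identifier, name, resp)


def pap_authenticate_request(name: str, password: bytes) -> bytes:
    """PAP (RFC 1334): the credentials themselves are what travels in the clear."""
    return name.encode() + b":" + password


def on_wire_leaks_secret(wire_bytes: bytes, secret: bytes) -> bool:
    """Constructed helper for comparing the two: does the captured packet contain the secret?"""
    return secret in wire_bytes
```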
EAP = Extensible Authentication Protocol
o Extensible: can be modified & customized
o Universal, open protocol
o Used in P2P & Wireless Networks (WLANs)
o WPA & WPA2 use 5 EAP types: LEAP; EAP-TLS; EAP-MD5; EAP-TTLS; PEAP
o Defined by RFC 2284
o Supports passwords, tokens, token cards (ATM cards), digital certificates, PKI, biometric methods, etc.; i.e., it's versatile!
KERBEROS
o IETF authentication standard, using a centralized ticket-granting server
o Clients need to rely on a third party to perform authentication & authorization on a TCP/IP system
o Encrypted tickets are transmitted in lieu of usernames & passwords
o Applications & OSs must be "kerberized"
o Key Distribution Center implements:
   - AS: Authentication Service
   - TGS: Ticket-Granting Service
o Usually have redundancy & security, and a database with all KDC usernames & passwords
o AD (Active Directory)
o Slave Server can be used as backup
[Diagram: Kerberized Client A and Kerberized Client B reach the KDC (AS + TGS) through a SWITCH]
CIFS feature comparison:
Feature | CIFS
File System Mountable as local drive | YES
Encrypted Passwords supported | YES
Optimized for modem dial-up connections | YES
Unicode file names supported | YES
Secure anonymous requests allowed | YES
NO extra software required for file transfer | YES
NO extra drivers required for Win 3.11 | YES
NO extra drivers required for Win 95 | YES
NO extra drivers required for Win NT | YES
NO extra drivers required for OS/2 | YES
NO extra drivers required for Unix | YES
Used for internet & LAN networks | YES
o CIFS = Common Internet File System
MAC OS X Server (Tiger; now moving to Leopard, though)
o Uses AFP (Apple File Protocol)
o Includes SMB & NFS to run on Mac OS X, AppleShare, Unix, Linux, Netware, Windows
o Uses the Unix core from the BSD open source community
o No proprietary technology is used: Apache web server, Samba, OpenLDAP, Kerberos
o Fully supported with AFP over TCP/IP
o Notes on MAC stuff: Mac Finder allows you to browse the network, & you don't need new software to connect a MAC to a Windows network
   - NTLM2 (NT LAN Manager 2)
Netware (now marketed as SuSE Linux Enterprise Server)
o Now open source
o Uses TCP/IP
o Interoperability is for migration
o Netware versions add open source functionality
o Moving away from NCP (NetWare Core Protocol) & IPX/SPX; now uses TCP/IP & CIFS
o Marriage of: Netware technology & SuSE Linux O/S
Windows 2000/2003 NOS
Windows 2000 Advanced Server
o Control Panel | Add/Remove Components: can add Unix/Linux packages
o IIS: Internet Information Services
o Control Panel | Administrative Tools:
   - DHCP: can set scope/scope options; time server, set router, name server, DNS/log servers
   - DNS: Forward & Reverse lookup zones; database of information (resolves domain names to IP addresses & vice versa)
   - IAS: AAA (authentication, authorization, accounting); add clients, etc.
   - Routing & Remote Access Server
   - Terminal Services Manager
2000/2003 Lower Layer Services Provided:
o DHCP
o Routing & Remote Access
o IAS, IPSec
o Terminal Services
o IPv6, VPNs
o Wireless Networking Support
Windows 2000/2003 NOS:
o Web Server / Web Application Server
o Remote Access / VPN Server (terminate VPN at Server side)
o DNS, DHCP, WINS
o Streaming Media
o Security
o Proxy Server
o IAS (Internet Authentication Server)
o General Procedure for preparing / installing a small office network:
   - Cut cable to planned lengths from the CWP to the holes where wall plates are attached
   - Run cables according to local building specifications
   - Use crimping tools to strip cable: squeeze the handle & keep the cable perpendicular to the tool blades; remove outer shielding to 1 1/2 exposure for insertion into punchdown blocks or keystone female jacks; trim (shorter) for insertion into an RJ-45 connector
   - Use a punchdown tool to set twisted wire pairs into place in the keystone female jack or at the patch panel or punchdown block
o Guidelines:
   - Always use more cable than necessary
   - Test each part of the network as you install it (easier to keep track & replace right away if not functional)
   - Stay at least 3 away from fluorescent light boxes & other electrical devices that may cause interference
   - Cover cable with a cable protector if it must be run across a floor
   - Label both ends of each cable; keep a spreadsheet/record of the labeling scheme
   - Use cable ties to keep cables bundled & neat & under control
Preparing & crimping Cat5 cabling:
WIRING DIAGRAM

T568B (ATT) Color Code | IDC Terminal | RJ45 Jack
White/Blue | Pin 5 | Pin 5
Blue | Pin 4 | Pin 4
White/Orange | Pin 1 | Pin 1
Orange | Pin 2 | Pin 2
White/Green | Pin 3 | Pin 3
Green | Pin 6 | Pin 6
White/Brown | Pin 7 | Pin 7
Brown | Pin 8 | Pin 8

T568A (EIA) Color Code | IDC Terminal | RJ45 Jack
White/Blue | Pin 5 | Pin 5
Blue | Pin 4 | Pin 4
White/Green | Pin 1 | Pin 1
Green | Pin 2 | Pin 2
White/Orange | Pin 3 | Pin 3
Orange | Pin 6 | Pin 6
White/Brown | Pin 7 | Pin 7
Brown | Pin 8 | Pin 8
Network Interface Configuration
- Workstation Network Interfaces:
   o PCI Network Interface Card, usually 10/100
   o USB converter dongle
   o PCMCIA card for laptop, usually 10/100 LAN card
      - Dongle extension to RJ-45 keystone OR integrated/onboard dongle on the card itself
   o OTHER TYPES: Wireless; Fiber Optic; etc.
- Configuring the NIC
   o Lower Layer Configuration: GENERALLY you can just plug in the network device & Plug-and-Play will take over, but be sure to check device compatibility with your OS & download the newest applicable device drivers if not included with the device
      - Check Device Manager to be sure all is hunky-dory
   o Upper Layer Configuration (layer 3 & higher): Network Connections | Right-Click on the Local Area Connection | Properties | General:
      - Client for Microsoft Networks
      - File & Printer Sharing for Microsoft Networks
      - Internet Protocol (TCP/IP) | Properties |
        o Obtain IP Address Automatically
        o Use the following IP address: IP Address: 172.16.3.3; Subnet mask: 255.255.255.0; Default gateway: 172.16.3.2
        o Obtain DNS server address automatically
        o Use the following DNS server addresses: Preferred DNS server: 172.16.3.2 (usually the default gateway); Alternate DNS server:
        o Advanced: IP Settings; DNS; WINS; Options: TCP/IP Filtering (firewall, essentially)
      - Authentication Tab: Enable IEEE 802.1x authentication for this network
        o Drop-down menu to select EAP Type & can set Properties
        o Authenticate as computer when computer information is available
        o Authenticate as guest when user or computer information is unavailable
      - Advanced Tab: Windows Firewall: Settings
        o General: On (can also check the box to not allow any exceptions); Off (not recommended unless you have another firewall)
        o Exceptions
        o Advanced
OVERVIEW OF FIREWALLS
- Firewall represents a system of hardware and/or a combination of hardware & software that provides a service: controlling access between two or more (2+) networks or broadcast domains
   o Zones:
      - Outside corporate network
      - Inside corporate network
      - DMZ = De-Militarized Zone: place for specialized devices with needs for specialized access/security
[Diagram: PIX firewall with Outside (Internet), Inside and DMZ zones]
Firewall Services
o Packet Filtering
   - Also known as ACLs (Access Control Lists); limit the amount of data or traffic coming into the network; permit or deny traffic based on info stored in the header fields (TCP header & IP header)
   - Denies everything until you tell it to permit something; inbound & outbound
   - ACLs can get verrrrry long & hard to manage
   - Malicious users can still discover what packets meet the firewall criteria & send out arbitrary traffic to hack
   - MTU = maximum transmission unit: very small & fragmented under the IP protocol (for widespread usability, but not too good for security); packets can still get through by being fragmented
   - Not all services can be packet filtered
[Diagram: firewall interfaces e0 (Internet), e1, e2]
o Proxy Services
   - Proxy server: a firewall that examines packets at higher layers of the OSI Model, above Network Layer 3 (Transport Layer 4, Session Layer 5, Presentation Layer 6, Application Layer 7); acts as a go-between, an extra layer of protection between inside & outside
   - Proxy Services & Policies: negotiate state of session; Authentication; Authorize what apps are available, etc.
   - AAA (Authenticate, Authorize, Accounting) Servers are examples of proxy services
   - General definition of proxy services: control upper application layer & usage
   - Caches web pages to reduce traffic & limits types of internet activity (prevents certain types of usage)
   - Proxy server represents a single point of failure for application services, authentication, & authorization policy
   - High degree of performance overhead
   - Not a scalable solution; only for smaller offices
[Diagram: PIX facing the Internet, with a Proxy Server]
o Stateful Packet Filtering: method used by Cisco PIX & others; combo of the other two
   - Used by most top-of-the-line firewall appliances & software, including Cisco PIX
   - Stores complete session state data in a Flow Table for TCP or UDP in RAM memory on the server or router
   - Contains info in the fields of packet headers
   - Firewall generates a connection object in memory, a logical object, for the life of the session
   - Connection objects will be compared to the flow table & allowed or modified or denied based on policies set by the administrator for the different security zones created
   - Functions on a packet-by-packet basis, or can operate on the entire connection between two endpoints
   - Performs better than other methods; can do ACLs & Proxy Services as well
   - Higher-end firewalls have more memory, can handle more applications, etc.
Cisco Private Internet Exchange (PIX) Firewalls
o Security appliances built for security & reliable, robust performance
o Create security zones via the Adaptive Security Algorithm (ASA)
o Engines to inspect traffic on Layers 4-7
o Provide user-based authentication, rather than having to use a RADIUS server
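The Packet Filtering and Stateful Packet Filtering bullets above, as one added example that is not part of the original notes: a stateless ACL evaluated per packet next to a stateful filter that keeps a flow table of connection objects, run over constructed packets (the inside prefix, the rule set and the way non-initial fragments are treated are assumptions of this model, not any vendor's behaviour).

```python
# Added example (not from the notes): a stateless packet filter (ACL) next to a
# stateful filter that keeps a flow table of connection objects, as described in
# the Packet Filtering and Stateful Packet Filtering bullets above. Addresses,
# the rule set and the packets are constructed; nothing is read from a network.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN"} or {"SYN", "ACK"}
    frag_offset: int = 0             # non-zero for a non-initial IP fragment (no transport header)


INSIDE = "10.1."   # constructed inside network prefix

# Constructed inbound ACL: (action, proto, dst port or None, required TCP flag or None),
# evaluated top down, first match wins, implicit deny at the end.
ACL_INBOUND = [
    ("permit", "tcp", 80, None),      # web server on the inside
    ("permit", "tcp", 443, None),
    ("permit", "tcp", None, "ACK"),   # "established": replies to inside-initiated sessions
    ("deny", "any", None, None),
]


def acl_filter(rules, pkt):
    """Stateless: each packet is judged on its own header fields."""
    if pkt.frag_offset > 0:
        # A non-initial fragment carries no port or flag fields, so a port-based
        # rule cannot be evaluated; this model lets it through (the caveat in the notes).
        return True
    for action, proto, dport, flag in rules:
        if proto not in ("any", pkt.proto):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        if flag is not None and flag not in pkt.flags:
            continue
        return action == "permit"
    return False


class StatefulFilter:
    """Keeps a connection object per flow; traffic is allowed when it belongs to
    a flow already in the table, otherwise policy decides whether to open one."""

    def __init__(self, inside_prefix, inbound_rules):
        self.inside = inside_prefix
        self.inbound_rules = inbound_rules
        self.flows = {}   # (src, dst, proto, sport, dport) -> connection state

    @staticmethod
    def _key(p):
        return (p.src, p.dst, p.proto, p.sport, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.dst, p.src, p.proto, p.dport, p.sport)

    def _has_l3_flow(self, p):
        return any({k[0], k[1]} == {p.src, p.dst} for k in self.flows)

    def process(self, pkt):
        if pkt.frag_offset > 0:
            return self._has_l3_flow(pkt)     # fragments only between hosts with an open flow
        fwd, rev = self._key(pkt), self._reverse(pkt)
        if fwd in self.flows or rev in self.flows:
            if "FIN" in pkt.flags or "RST" in pkt.flags:
                self.flows.pop(fwd, None)     # session over: drop the connection object
                self.flows.pop(rev, None)
            else:
                self.flows[fwd if fwd in self.flows else rev] = "ESTABLISHED"
            return True
        if pkt.proto == "tcp" and pkt.flags != frozenset({"SYN"}):
            return False                      # only a bare SYN may open a TCP flow
        if pkt.src.startswith(self.inside):
            allowed = True                    # outbound from inside: permitted by policy
        else:
            allowed = acl_filter(self.inbound_rules, pkt)
        if allowed:
            self.flows[fwd] = "NEW"
        return allowed
```

The spoofed "established" packet in the test is what the notes' warning about traffic that merely meets the ACL criteria looks like; the stateful filter refuses it because no connection object exists for that tuple.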
23. VLANs
LAN Switches
o Higher port density than bridges for less money
o Allows for fewer users/network segment (collision domain)
o Increase avg. available bandwidth per user
   - Micro-segmentation: can generate a private network segment with full access, with full bandwidth & no collisions
o Layer 2 LAN switch forwards on the Layer 2 frame address (MAC Address)
o Layer 3 LAN switch can use Layer 2 and/or Layer 3 addressing
o LAN Switches are similar to transparent bridges or multiport bridging
VLANs Defined
o VLAN = broadcast domain created inside a switched network
o Broadcast domains are boundaries where broadcast frames end (generally); need a router to communicate beyond the broadcast domain
o Switches can support one or more VLANs
o Broadcasts from one VLAN never reach another VLAN unless you have a router or a multilayer switch that can do the communicating between VLANs for you!!
VLAN Advantages:
o Broadcast domain segments provide better bandwidth utilization
o Isolating users can enhance security for the company/network
o Flexible deployment/VLAN assignment; based on factors other than physical location, i.e., can reallocate ports on the switch to be part of different VLANs as needed
o Use TRUNKING to connect switches together
Switch Port Modes
o Access Mode (most common)
   - Switch port belongs to one and ONLY one VLAN
   - Typically attached to end user devices: server, laptop, printer, etc.
o Trunk Mode
   - Can communicate with multiple VLANs & can interconnect switches
   - Multiplexes the traffic between switches, carrying multiple VLANs
   - STILL need to go above Layer 2 & need a Layer 3 device (such as a router) to have hosts on different VLANs communicate; this ONLY works to have same-VLAN hosts talking to each other via Trunks
[Diagram: two switches connected by a trunk, each with ports in VLAN-A, VLAN-B and VLAN-C]
Trunking Protocols
o ISL: Inter-Switch Link; commonly used by Cisco; used to go above & beyond IEEE 802.1Q
o Adds extra 0s & 1s to (encapsulates) frames in order to direct traffic to another part of the VLANs; allows for physical expansion of VLANs
o NOTE: this still only communicates within the same VLAN!
Layer 3 (MultiLayer) Switching
o Layer 2 Switch with added Layer 3 features
   - Additional software features
   - Manages broadcast/multicast traffic
   - Routing Protocols and QoS (Quality of Service: differentiate & control different types of traffic on the network)
   - Access List Security: can filter & block based on Layer 3/4 protocols
   - IP Fragmentation: can connect different types of network topologies
o Data flow can bypass routers
   - Can be used for the backbone of a corporate network
   - Beefed-up version of a b-router
o Uses Store-And-Forward Switching
   - Stores the entire frame, analyzes it, and then sends it out
   - Differs from cut-through & fragment-free switching; Store-And-Forward is largely used across the board now
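The VLAN, switch-port-mode and trunking sections above, as one added example that is not part of the original notes: two switches joined by a trunk, with per-VLAN MAC learning, the tag pushed on the trunk and popped on access ports, showing that a frame never crosses from one VLAN to another at Layer 2. Switch names, port numbers, VLAN ids and MAC addresses are constructed.

```python
# Added example (not from the notes): two switches joined by a trunk, showing
# that frames stay inside their VLAN (tag pushed on the trunk, popped on access
# ports) and that no Layer 2 path exists between VLANs. Switch names, port
# numbers, VLAN ids and MAC addresses are constructed.
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, name):
        self.name = name
        self.access = {}      # port -> VLAN id (access mode: one and only one VLAN)
        self.trunks = {}      # port -> (peer switch, peer port); carries every VLAN, tagged
        self.mac_table = {}   # (VLAN id, MAC) -> port, learned from source addresses
        self.delivered = []   # (port, VLAN id, src, dst) frames handed to attached devices

    def add_access_port(self, port, vlan):
        self.access[port] = vlan

    def connect_trunk(self, port, peer, peer_port):
        self.trunks[port] = (peer, peer_port)
        peer.trunks[peer_port] = (self, port)

    def receive(self, port, src, dst, vlan=None):
        """vlan is None for an untagged frame on an access port; a trunk port
        passes the VLAN id carried in the tag."""
        if port in self.access:
            vlan = self.access[port]            # classify untagged frame by port VLAN
        elif port not in self.trunks or vlan is None:
            return                              # untagged frame on a trunk: dropped here
        self.mac_table[(vlan, src)] = port      # learn the source within this VLAN only
        known = self.mac_table.get((vlan, dst))
        out_ports = [known] if known is not None else self._flood_ports(vlan)
        for p in out_ports:
            if p == port:
                continue                        # never back out the ingress port
            if p in self.access:
                self.delivered.append((p, vlan, src, dst))        # tag popped
            else:
                peer, peer_port = self.trunks[p]
                peer.receive(peer_port, src, dst, vlan=vlan)      # tag pushed

    def _flood_ports(self, vlan):
        """Unknown unicast/broadcast: every access port in this VLAN plus all trunks."""
        return [p for p, v in self.access.items() if v == vlan] + list(self.trunks)


def build_topology():
    """Two switches, VLAN 10 (VLAN-A) and VLAN 20 (VLAN-B) on each, one trunk."""
    sw1, sw2 = Switch("sw1"), Switch("sw2")
    for sw in (sw1, sw2):
        sw.add_access_port(1, 10)
        sw.add_access_port(2, 20)
    sw1.connect_trunk(24, sw2, 24)
    return sw1, sw2


def run_demo():
    """Returns the delivered-frame lists of both switches after three frames."""
    a1, a2, b1 = "00:00:00:00:00:a1", "00:00:00:00:00:a2", "00:00:00:00:00:b1"
    sw1, sw2 = build_topology()
    sw1.receive(1, a1, BROADCAST)      # A1 on sw1 port 1 broadcasts in VLAN 10
    after_bcast = (list(sw1.delivered), list(sw2.delivered))
    sw2.receive(1, a2, a1)             # A2 on sw2 port 1 answers A1 (unicast, now learned)
    after_reply = (list(sw1.delivered), list(sw2.delivered))
    sw1.receive(2, b1, a1)             # B1 in VLAN 20 addresses A1's MAC: never reaches VLAN 10
    after_cross = (list(sw1.delivered), list(sw2.delivered))
    return after_bcast, after_reply, after_cross
```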
Virus Scanning Engines
o Virus Scan Engines use two basic methods:
   - Compares virus signatures to a database, typically updated periodically from the vendor's website
   - Heuristic Scanning: scans for patterns of activity
o Permanent Protection: essential but complicated and takes more resources
o On-Demand scans: require user intervention; only scans when the user scans
o Network Load Balancing: aggregation or adapter teaming
   - Software component of Windows 2000/2003; provides failover support for apps & network services running on IP networks
   - i.e., if running IIS, can run NLB to run up to 32 servers to balance load & provide failover services
Disaster Recovery: Backup & Restore
o Part of the Security Plan! Secure your data!!!!
o Lots of good software to back up PCs, Servers, configuration files for other hardware, etc.
o XP: Accessories | System Tools | Backup
Disaster Recovery: Offsite Storage
o Take tapes/backup media offsite for storage; either use a service or take it home
o BUT can do Backup to an Offsite Location via VPN too!!
Disaster Recovery: Hot/Cold Spares
o Hot Spares
   - Extra unused component in standby mode
   - Usually set up so failover occurs without shutdown of the server or device AND/OR without administrative intervention
   - Most RAID arrays use hot spare drives
   - Also seen on higher-end routers, MLS (multi-layer switches), VPNs, firewall appliances
o Cold Spares
   - Extra part which is not already running & ready to go
   - Generally requires a shutdown or interruption of service, etc.
Disaster Recovery: Hot/Warm/Cold Sites
o Hot Site: $$$$$
   - Usually a hot-standby data center and/or office facility
   - Able to handle a full failover solution for the entire business or organization in case of a catastrophic event
o Warm Site: $$$
   - Partly equipped, without live data, SOOOO will need to update data
o Cold Site: $
   - Air conditioned/heated, electrically prepared building/facility without equipment or communication links
[Figure: OSI layer mnemonic with the layer names Presentation, Session, Transport, Physical and the labels The Middle Manager, The Map Maker, The Royal Horsemen, The King's Road]
Troubleshooting Strategies
Define the Problem
o Know your network
   - Make a plan
   - Know your network: document the infrastructure!
   - Create a baseline of activity (i.e., get to know regular activity so you can identify anomalies when they happen)
o Problems typically become known via user input or software alerts
o Some companies have total network management systems
o Develop a quick, concise problem statement, based on the problem type:
   - Configuration, i.e., change software settings, services, etc.
   - Break-fix, i.e., bad media/interface, bad PSU, OS, malware, etc.
o Focus thought on obvious possible causes; DON'T PANIC!!
o Fully document the symptoms
The troubleshooting process (flowchart):
1. DEFINE THE PROBLEM
2. GATHER DATA
3. ISOLATE THE PROBLEM
4. FORMULATE A PLAN OF ACTION
5. IMPLEMENT A SOLUTION
6. OBSERVE THE RESULTS
IS THE PROBLEM SOLVED? (YES: document the facts; NO: repeat the process)
Gathering Data & Collecting Information
o Question the users:
   - When did it first occur, how often? What are the effects?
   - Is it reproducible, i.e., is it a consistent problem?
   - Have there been any recent changes? Hardware, software, settings, server updates, etc.
o Collect data from all sources if available
   - Ask coworkers, check existing documentation on previous problems
   - Network management services
   - Logs, analyzer traces: system logs, event viewer
   - Show & debug commands
   - Troubleshooting tools
Isolate the Problem
o Divide & Conquer! Based on modular network design, i.e., end user access, server module, WAN module, VPN module, etc.
o Know your network and its isolation boundaries
o Focus on relevant things: prioritize your fires!!
o Eliminate unnecessary information
o Rule out causes one at a time via a regular, logical process of elimination
Formulate a Plan of Action
o Attack the most probable, obvious cause first
o Be ready to change only ONE variable at a time
o Document the steps for recovery purposes (so you can undo whatever you just did & try something else)
o Know when to say when: cry uncle if necessary
o Bring in expert consultants if necessary
Implement a Solution
o Apply your configuration change or your break-fix
o Be sure to document your implementation!!!!
Observe the Results
o Questions to ask yourself:
   - Did you follow logical, repeatable steps?
   - Did you make the problem worse or cause other trouble?
   - Did you have minimal impact on users?
   - Did your actions cause a security vulnerability?
   - Do you have back-up configurations, data backup, redundancy, etc.?
o Successful? YES: then document the facts!
o Successful? NO: repeat the process
   - Go back to Step 4 & formulate another plan of action
   - Don't assume that you isolated the wrong problem; try another solution or tool first
   - If you make several attempts & still don't have success, then go back to Step 2 and gather more data
Additional resources for troubleshooting
o FREE Internetwork Troubleshooting Handbook from Cisco: www.cisco.com/univercd/cc/td/doc/cisintwk/itg_v1/
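Added Python example (not from the notes) tying together the baseline, data-gathering and isolation steps above: a constructed week of per-module broadcast readings forms the baseline, a current reading is scored against it, and the module that deviates most becomes the quick, concise problem statement that tells you where to divide and conquer first. Module names, readings and the 3-sigma cutoff are constructed.

```python
import statistics

# Constructed baseline: seven daily readings (broadcast frames per second) for each module of a
# modular network design, the units you divide and conquer by. Real values come from your own monitoring.
BASELINE = {
    "end_user_access": [120, 118, 125, 130, 122, 119, 127],
    "server_module":   [40, 42, 38, 45, 41, 39, 43],
    "wan_module":      [15, 14, 16, 15, 17, 14, 16],
}

# Constructed readings taken after users report slowness.
CURRENT = {"end_user_access": 124, "server_module": 41, "wan_module": 22}

def baseline_stats(samples):
    """Mean and sample standard deviation of the known-good readings."""
    return statistics.mean(samples), statistics.stdev(samples)

def find_anomalies(baseline, current, sigma=3.0):
    """Return {module: z-score} for modules whose current reading lies more than
    sigma standard deviations from their own baseline (step 2: gather and compare data)."""
    flagged = {}
    for module, samples in baseline.items():
        mean, sd = baseline_stats(samples)
        z = (current[module] - mean) / sd if sd else 0.0
        if abs(z) > sigma:
            flagged[module] = round(z, 1)
    return flagged

def problem_statement(flagged):
    """Steps 1 and 3 together: a quick, concise statement naming the module to isolate first."""
    if not flagged:
        return "No module deviates from baseline; go back and gather more data (step 2)."
    worst = max(flagged, key=lambda m: abs(flagged[m]))
    return f"{worst}: broadcast rate {flagged[worst]:+.1f} sigma from baseline; isolate this module first."
```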
IPCONFIG/ IFCONFIG
WINIPCFG NSLOOKUP