
Introduction to Computer Networking & Security

Contents
1. Introduction
2. The OSI model
3. Switches
4. Routing
5. Introduction to Backbone design
6. Introduction to Security
   i. Firewalls
   ii. VPNs
   iii. AAA

Introduction
Network topologies

The OSI Model

Open Systems Interconnection (OSI) layers:

Layer   Name
7       Application
6       Presentation
5       Session
4       Transport
3       Network
2       Data Link
1       Physical

Switches
- Link-layer device: stores and forwards Ethernet frames; examines the frame header and selectively forwards the frame based on the destination MAC address
- Transparent: hosts are unaware of the presence of switches
- Plug-and-play: switches do not need to be configured
- Switches have more interfaces than hubs

(Figure: hosts A, B and C and their peers attached to one switch. A-to-A' and B-to-B' can transmit simultaneously with no collisions, and each link is full duplex, so A-to-A' traffic flows in both directions at once.)

Switches [Contd]
Self learning:
- A switch has a switch table; each entry is (MAC address, interface, age)
- Stale entries are dropped from the table (the age limit can be 60 min)
- The switch learns which hosts can be reached through which interfaces
- When a frame is received, the switch learns the location of the sender: the incoming LAN segment
- It records the sender/location pair in the switch table
- If the destination MAC is in the table, the frame is forwarded only on that interface (and dropped if that is the interface it arrived on); otherwise it is flooded on all other interfaces
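The self-learning behaviour above, as an added example in Python written for this page (it is not code from the slides). The switch, its port numbers and the MAC addresses are constructed for illustration, and the time is passed in explicitly so that entry aging can be shown without waiting an hour:

```python
class LearningSwitch:
    """Transparent learning switch: builds its table from the source MAC of every frame
    and decides per frame whether to forward, filter or flood.
    Illustrative model written for this page; ports and MACs are constructed."""

    def __init__(self, ports, max_age=3600):
        self.ports = list(ports)
        self.max_age = max_age          # seconds before an entry is stale (60 min here)
        self.table = {}                 # MAC -> (interface, time last seen)

    def _expire(self, now):
        """Drop stale entries: anything not seen for more than max_age is removed."""
        stale = [mac for mac, (_, seen) in self.table.items() if now - seen > self.max_age]
        for mac in stale:
            del self.table[mac]

    def receive(self, in_port, src_mac, dst_mac, now):
        """Process one frame; return the list of ports it is sent out of."""
        self._expire(now)
        # Learn: the sender is reachable through the port the frame arrived on.
        self.table[src_mac] = (in_port, now)
        entry = self.table.get(dst_mac)
        if entry is None:
            # Unknown destination: flood on every port except the incoming one.
            return [p for p in self.ports if p != in_port]
        out_port, _ = entry
        if out_port == in_port:
            # Destination is on the same segment as the sender: filter (drop) the frame.
            return []
        return [out_port]               # Known destination: selective forwarding

    def lookup(self, mac):
        """Interface currently recorded for a MAC, or None if unknown or expired."""
        entry = self.table.get(mac)
        return entry[0] if entry else None


def demo():
    """Walk through learning, forwarding, filtering and aging; returns the per-frame decisions."""
    sw = LearningSwitch(ports=[1, 2, 3, 4], max_age=3600)
    decisions = []
    decisions.append(sw.receive(1, "00-14-22-C9-5B-69", "00-14-22-00-00-02", now=0))     # flood
    decisions.append(sw.receive(2, "00-14-22-00-00-02", "00-14-22-C9-5B-69", now=1))     # forward to 1
    decisions.append(sw.receive(1, "00-14-22-C9-5B-69", "00-14-22-00-00-02", now=2))     # forward to 2
    decisions.append(sw.receive(1, "00-14-22-00-00-03", "00-14-22-C9-5B-69", now=3))     # filter, same port
    decisions.append(sw.receive(3, "00-14-22-00-00-04", "00-14-22-C9-5B-69", now=4000))  # aged out: flood
    return decisions


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The last frame shows why aging matters: once the entry for 00-14-22-C9-5B-69 has expired, the switch falls back to flooding, so every other port sees that frame until the host transmits again.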

Switches [Contd]
MAC addresses
- 6 bytes long, represented as a 12-digit hexadecimal number, for example 00-14-22-C9-5B-69
VLANs and trunking
STP (Spanning-Tree Protocol)
- Spanning-Tree Protocol prevents loops from being formed when switches or bridges are interconnected via multiple paths
- Spanning-Tree Protocol implements the IEEE 802.1D algorithm by exchanging BPDU messages with other switches to detect loops, and then breaks each loop by putting selected bridge interfaces into the blocking state
- The algorithm guarantees that there is one and only one active path between any two network devices
- STP accepts BPDUs from any port, so a device that sends BPDUs on an access port can change the active topology; features such as BPDU guard exist to shut down ports that should never receive BPDUs


Routing
- IP addresses
- IP classes
- Private IP ranges
- Subnetting
- Routing
- Routing scenario

IP Addresses

Subnetting
Given an IP address from a class C range (192.168.100.5) with subnet mask 255.255.255.240 (/28): how many hosts can exist in the same subnet, and how many subnets can be used within the same class C?

First: comparing with the default mask (/24), we are using 4 bits for subnetting. This gives 2^4 = 16 subnets with 2^4 - 2 = 14 hosts per subnet (the all-zeros host part is the network address and the all-ones host part is the broadcast address, so neither can be assigned to a host).

Second: AND the address with the mask (last octet shown in binary):
  192.168.100.00000101   (192.168.100.5)
  255.255.255.11110000   (255.255.255.240)
= 192.168.100.00000000   (192.168.100.0)
This host belongs to subnet 192.168.100.0 mask 255.255.255.240.

Subnetting (cont.)
Then we can write the subnets as:
  Subnet 0:  192.168.100.0    start IP 192.168.100.1    end IP 192.168.100.14
  Subnet 1:  192.168.100.16   start IP 192.168.100.17   end IP 192.168.100.30
  ...
  Subnet 15: 192.168.100.240  start IP 192.168.100.241  end IP 192.168.100.254
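The same calculation carried out in Python, as an added example written for this page (not code from the slides). It uses the standard library ipaddress module; network_by_hand reproduces the AND from the slide bit for bit, and the other functions generalize it to any prefix length, not only the /28 in a class C block:

```python
import ipaddress


def network_by_hand(ip: str, mask: str) -> str:
    """The bitwise AND the slide performs: address AND mask gives the network address."""
    ip_int = int(ipaddress.IPv4Address(ip))
    mask_int = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(ip_int & mask_int))


def subnet_facts(host_with_prefix: str, classful_prefix: int = 24) -> dict:
    """Answer the slide's two questions for one host/mask pair.
    classful_prefix is the default mask of the address class (/24 for class C)."""
    iface = ipaddress.ip_interface(host_with_prefix)
    net = iface.network                      # host bits zeroed, same as network_by_hand
    subnet_bits = net.prefixlen - classful_prefix
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "usable_hosts": net.num_addresses - 2,           # minus network and broadcast
        "subnets_in_class": 2 ** subnet_bits,
    }


def enumerate_subnets(classful_block: str, new_prefix: int) -> list:
    """List every subnet carved from the block as (index, network/prefix, first host, last host)."""
    block = ipaddress.ip_network(classful_block)
    return [
        (i, str(sub), str(sub.network_address + 1), str(sub.broadcast_address - 1))
        for i, sub in enumerate(block.subnets(new_prefix=new_prefix))
    ]


def same_subnet(a: str, b: str, mask: str) -> bool:
    """True when two hosts share a subnet under the given mask, i.e. can talk without a router."""
    return network_by_hand(a, mask) == network_by_hand(b, mask)


if __name__ == "__main__":
    print(network_by_hand("192.168.100.5", "255.255.255.240"))
    print(subnet_facts("192.168.100.5/28"))
    for row in enumerate_subnets("192.168.100.0/24", 28):
        print(row)
    print(same_subnet("192.168.100.5", "192.168.100.14", "255.255.255.240"))
    print(same_subnet("192.168.100.5", "192.168.100.17", "255.255.255.240"))
```

same_subnet is the check that matters in practice: 192.168.100.5 and 192.168.100.17 are numerically adjacent but sit in different /28 subnets, so traffic between them has to cross a router (and any access list or firewall policy on it).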

Routing
Routing steps:
1. Longest match in the routing table (the most specific prefix that contains the destination wins)
2. Lowest administrative distance (when the same prefix is learned from more than one routing source, the source with the lowest administrative distance is preferred)
3. Default route (gateway of last resort) when no other entry matches
4. Forward the packet out the chosen interface toward the next hop

Routing protocols:
- Static routing
- Dynamic routing
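The routing steps above as an added example in Python, written for this page rather than taken from the slides. The routing table, interface names and addresses are constructed; the administrative distances follow the common Cisco defaults (connected 0, static 1, EIGRP 90, OSPF 110):

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str            # "connected" for directly attached networks
    interface: str
    source: str              # routing source that supplied the route
    admin_distance: int      # Cisco defaults: connected 0, static 1, EIGRP 90, OSPF 110


def route_lookup(table, destination):
    """Apply the slide's steps: longest match first, then lowest administrative distance
    among routes for that same prefix; the default route matches when nothing longer does."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return None                                   # no route, not even a default: drop
    longest = max(r.prefix.prefixlen for r in candidates)
    best = [r for r in candidates if r.prefix.prefixlen == longest]
    return min(best, key=lambda r: r.admin_distance)


def forward(table, destination):
    """Return (interface, next_hop) for the packet, or None when it must be dropped."""
    r = route_lookup(table, destination)
    return None if r is None else (r.interface, r.next_hop)


def example_table():
    """Constructed routing table (illustrative addresses, not from the slides)."""
    N = ipaddress.ip_network
    return [
        Route(N("0.0.0.0/0"),        "203.0.113.1", "Gi0/0", "static",    1),    # gateway of last resort
        Route(N("10.0.0.0/8"),       "10.1.1.2",    "Gi0/1", "ospf",      110),
        Route(N("10.0.5.0/24"),      "10.1.1.3",    "Gi0/1", "ospf",      110),
        Route(N("10.0.5.0/24"),      "10.1.1.4",    "Gi0/2", "eigrp",     90),   # same prefix, lower AD wins
        Route(N("192.168.100.0/28"), "connected",   "Gi0/3", "connected", 0),
    ]


if __name__ == "__main__":
    table = example_table()
    for ip in ("10.0.5.77", "10.200.1.1", "192.168.100.9", "8.8.8.8"):
        print(ip, "->", forward(table, ip))
```

Note the order of the two tie-breakers: administrative distance is only compared between routes for the same prefix. The OSPF /8 is never preferred over the EIGRP /24 for 10.0.5.77, even though 110 is worse than 90, because the longer match is decided first.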

Routing Scenario
(Figure: PC1 - SW1 - R1 - R2 - SW2 - PC2. At each hop the packet's source IP (S.IP), destination IP (D.IP), source MAC (S.MAC) and destination MAC (D.MAC) are shown: the IP addresses stay those of PC1 and PC2 end to end, while the MAC addresses are rewritten on every hop between PC1, R1, R2 and PC2.)


MPLS
- Why MPLS?
- What is MPLS?
- MPLS network components
- Label distribution in MPLS networks
- Building MPLS-based services
  - L3 MPLS VPNs
- Building a legacy backbone (IGP, BGP, MPLS)

Why MPLS?
- Needed a single infrastructure that supports a multitude of applications in a secure manner
- Load-balance traffic to utilize network bandwidth efficiently
- Allow core routers/networking devices to switch packets based on a simplified header
- Leverage hardware so that a simple forwarding paradigm can be used

What Is MPLS?
- Multiprotocol Label Switching is a technology for delivery of IP services. MPLS switches packets (IP packets, AAL5 frames) on a label instead of routing them on the IP header to transport the data.
- MPLS packets can run over other Layer 2 technologies such as ATM, Frame Relay, PPP, POS and Ethernet.
- Other Layer 2 technologies can be run over an MPLS network.

MPLS Network Components

(Figure: MPLS core (P routers), MPLS edge (PE routers) and remote customer sites for Customer A and Customer B.)

- Provider Edge (PE): edge label switch router (router or ATM switch)
- Label Switch Router (LSR) or P (Provider) router: router or ATM switch plus label switch controller

1. At the ingress edge: label imposition. Classify packets and push a label.
2. In the core: label swapping or switching. Forward using labels, not IP addresses; the label indicates the service class and destination.
3. At the egress edge: label disposition. Remove the label and forward the packet.

MPLS label (shim header), 32 bits:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                Label                  | Exp |S|       TTL     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Label = 20 bits; COS/EXP = Class of Service, 3 bits; S = Bottom of Stack, 1 bit; TTL = Time to Live, 8 bits

Label Distribution Protocol Operations
- Discovery mechanisms
- Session establishment
- Label distribution and management
  - Label binding
  - Label advertisement
  - Label distribution

LDP Peer Discovery Mechanism
LSRs discover LDP peers by exchanging LDP Hello messages.

Basic neighbor discovery
- Discovers directly attached neighbors on point-to-point links (including Ethernet)
- LDP link Hellos are sent periodically to UDP port 646 (the LDP session that follows runs over TCP port 646)
- Establish a session and exchange prefix/FEC and label information

Extended neighbor discovery
- Establishes a peer relationship with a non-directly connected router
- LDP Targeted Hellos are sent to UDP port 646
- Exchange FEC and label information
- May be needed to exchange service labels

IP Packet Forwarding Example
(Figure: three routers in a row, each with a routing table listing the address prefixes 128.89 and 171.69 and the outgoing interface (I/F 0 or 1) for each. A packet for 128.89.25.4 is looked up in every router's table by destination IP address and forwarded hop by hop.)
Packets are forwarded based on IP address.

MPLS with Downstream Unsolicited Mode, step I: core routing convergence
(Figure: the same three routers exchange routing updates (OSPF, EIGRP, ...). Reachability of 128.89 and 171.69 is announced upstream hop by hop: "You can reach 128.89 and 171.69 through me", "You can reach 128.89 through me", "You can reach 171.69 through me". Each router's table now holds, per address prefix, the outgoing interface; the in-label and out-label columns are still empty.)

MPLS with Downstream Unsolicited Mode, step II: assigning labels
Each downstream LSR allocates a label for every prefix and advertises the binding to its upstream neighbour over LDP (downstream allocation): "Use label 4 for 128.89 and use label 5 for 171.69" from the middle router to the ingress router, and "Use label 9 for 128.89" and "Use label 7 for 171.69" from the egress router to the middle router. The resulting entries for 128.89 are:

Router          In label   Address prefix   Out iface   Out label
Ingress         -          128.89           1           4
Core (middle)   4          128.89           0           9
Egress          9          128.89           0           -

MPLS with Downstream Unsolicited Mode, step III: forwarding packets
(Figure: an unlabelled packet for 128.89.25.4 enters the ingress router, which looks up 128.89 and pushes label 4; the core router looks up in-label 4, swaps it for label 9 and forwards on interface 0; the egress router looks up in-label 9, pops the label and forwards the plain IP packet toward 128.89.)
The label switch router forwards based on the label only; the IP header is not consulted in the core.
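Steps II and III together, as an added example in Python written for this page (not code from the slides). The labels 4, 5, 9 and 7 and the two prefixes are the ones on the slides; the router names R1/R2/R3 and the interface numbering for 171.69 on the egress router are assumptions:

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class LSR:
    """One label switch router. Labels and interfaces follow the slide's three-router example."""
    name: str
    # prefix -> (out interface, downstream LSR name, or None when this LSR is the egress for it)
    next_hop: dict
    # prefix -> label this LSR allocated and advertised upstream (downstream allocation)
    local_labels: dict = field(default_factory=dict)
    fib: dict = field(default_factory=dict)    # prefix   -> (out iface, out label, downstream): ingress lookup
    lfib: dict = field(default_factory=dict)   # in label -> (out iface, out label, downstream): core lookup


def distribute_labels(lsrs):
    """Step II, downstream unsolicited mode: every LSR learns from its downstream neighbour which
    label to use for each prefix and installs it as the out label in both FIB and LFIB."""
    by_name = {l.name: l for l in lsrs}
    for lsr in lsrs:
        for prefix, (iface, downstream) in lsr.next_hop.items():
            out_label = by_name[downstream].local_labels[prefix] if downstream else None
            lsr.fib[prefix] = (iface, out_label, downstream)
            if prefix in lsr.local_labels:
                lsr.lfib[lsr.local_labels[prefix]] = (iface, out_label, downstream)
    return by_name


def forward(by_name, ingress, dst_ip):
    """Step III: trace a packet; returns [(router, action, in label, out label), ...]."""
    dst = ipaddress.ip_address(dst_ip)
    node, label, trace = by_name[ingress], None, []
    while node is not None:
        if label is None:
            # Unlabelled packet: only the ingress does a longest-prefix IP lookup.
            matches = [p for p in node.fib if dst in ipaddress.ip_network(p)]
            if not matches:
                trace.append((node.name, "drop", None, None))
                return trace
            prefix = max(matches, key=lambda p: ipaddress.ip_network(p).prefixlen)
            iface, out_label, downstream = node.fib[prefix]
            action = "push" if out_label is not None else "ip-forward"
        else:
            # Labelled packet: exact match on the incoming label; the IP header is not consulted.
            if label not in node.lfib:
                trace.append((node.name, "drop", label, None))
                return trace
            iface, out_label, downstream = node.lfib[label]
            action = "swap" if out_label is not None else "pop"
        trace.append((node.name, action, label, out_label))
        label, node = out_label, (by_name[downstream] if downstream else None)
    return trace


def slide_topology():
    """Ingress R1 -> core R2 -> egress R3, with the bindings advertised on the slide."""
    return distribute_labels([
        LSR("R1", {"128.89.0.0/16": (1, "R2"), "171.69.0.0/16": (1, "R2")}),
        LSR("R2", {"128.89.0.0/16": (0, "R3"), "171.69.0.0/16": (0, "R3")},
            local_labels={"128.89.0.0/16": 4, "171.69.0.0/16": 5}),
        LSR("R3", {"128.89.0.0/16": (0, None), "171.69.0.0/16": (1, None)},
            local_labels={"128.89.0.0/16": 9, "171.69.0.0/16": 7}),
    ])


if __name__ == "__main__":
    net = slide_topology()
    for ip in ("128.89.25.4", "171.69.1.1", "10.0.0.1"):
        print(ip, forward(net, "R1", ip))
```

The core lookup is an exact match on a 20-bit label rather than a longest-prefix match on a 32-bit address, which is the "simplified header" the Why MPLS slide refers to; a labelled packet whose label is not in the LFIB is dropped rather than routed, which the trace makes visible.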

Building MPLS-Based Services

What Is a Virtual Private Network?
- A VPN is a set of sites or groups which are allowed to communicate with each other
- A VPN is defined by a set of administrative policies
  - Policies established by VPN customers
  - Policies could be implemented completely by VPN service providers
- Flexible inter-site connectivity, ranging from complete to partial mesh
- Sites may be either within the same or in different organizations
  - A VPN can be either an intranet or an extranet
- A site may be in more than one VPN
  - VPNs may overlap
- Not all sites have to be connected to the same service provider
  - A VPN can span multiple providers

IP L3 vs. MPLS L3 VPNs
(Figure: overlay VPNs A, B and C built as separate tunnels over the IP network, versus VPNs A, B and C sharing one MPLS cloud that also carries multicast, VoIP, hosting, intranet and extranet services.)

Overlay VPN                                              MPLS-based VPN
ACLs, ATM/FR, IP tunnels, IPsec, etc., requiring         Point to cloud: a single point of connectivity
n*(n-1) peering points
Transport dependent                                      Transport independent
Groups endpoints, not groups of users                    Easy grouping of users and services
Pushes content outside the network                       Enables content hosting inside the network
Costs scale quadratically with the number of sites       Flat cost curve
NAT necessary for overlapping address space              Supports private overlapping IP addresses
Limited scaling, complexity                              Scalable to millions of VPNs
QoS                                                      Per-VPN QoS
How Does It Work?
MPLS L3 VPN control plane basics

(Figure: CE1 and CE2 attach to VRFs on PE1 and PE2, CE3 and CE4 to VRFs on PE3; P1 and P2 form the core. LDP runs between the PEs and the P routers; iBGP VPNv4 sessions between the PEs carry the VPN routes and their labels.)

1. The VPN service is enabled on the PEs (VRFs are created and applied to the VPN site interfaces).
2. VPN site CE1 connects to a VRF-enabled interface on PE1.
3. The VPN site routing received from CE1 is distributed into MP-iBGP on PE1.
4. PE1 allocates a VPN label for each prefix, sets itself as the next hop, and relays the VPN site routes to PE3.
5. PE3 distributes CE1's routes to CE2. (The same happens from the CE2 side.)

How Does It Work?
How control plane information is separated

(Figure: CE1 advertises Net=16.1/16 to PE1 over IGP/eBGP. PE1 rewrites it as the VPN-IPv4 route Net=RD:16.1/16, NH=PE1, Route Target 100:1, Label=42 and sends it over MP-BGP to PE2, which advertises Net=16.1/16 to CE2 over IGP/eBGP. P1 and P2 only see the IPv4 route exchange of the core: there are no VPN routes in the core.)

On PE1:
  ip vrf Yellow
   rd 1:100
   route-target export 1:100
   route-target import 1:100

MPLS VPN control plane components:
- Route Distinguisher (RD): an 8-byte value assigned by the provider to each VRF and prepended to the IPv4 prefix, so that identical customer prefixes remain distinct routes and customers do not see each other's routes
- VPNv4 address: RD + VPN IP prefix
- Route Target (RT): an 8-byte extended community assigned by the provider to define the import/export rules for the routes to/from each VPN
- MP-BGP: facilitates the advertisement of VPNv4 prefixes + labels between MP-BGP peers
- Virtual Routing and Forwarding instance (VRF): contains the VPN site routes
- Global table: contains the core routes, Internet routes, or routes to other services
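The control plane steps and the separation they provide, as an added example in Python written for this page (not code from the slides or any vendor). Two customers, Red and Blue, both use 10.1.10.0/24; the PE names and loopbacks reuse the ones on the verification slide, while the VRF names, RDs, RTs and CE addresses are constructed. The example also shows what a mistyped route-target import does, which is the check a practitioner wants when reviewing VRF configuration:

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VpnRoute:
    """One MP-BGP VPNv4 route: the RD keeps the prefix unique, the RTs say who may import it."""
    rd: str
    prefix: str
    next_hop: str             # loopback of the advertising PE
    label: int                # VPN label that PE allocated for the prefix
    route_targets: frozenset

    @property
    def vpnv4(self) -> str:
        return f"{self.rd}:{self.prefix}"


@dataclass
class Vrf:
    name: str
    rd: str
    export_rt: frozenset
    import_rt: frozenset
    site_routes: dict = field(default_factory=dict)   # prefix -> CE next hop (from PE-CE routing)
    imported: dict = field(default_factory=dict)      # prefix -> (rd, PE next hop, VPN label)


class PE:
    def __init__(self, name, loopback):
        self.name, self.loopback, self.vrfs = name, loopback, {}
        self._next_label = 20     # labels are per PE; only (next_hop, label) together identify a route

    def add_vrf(self, vrf):
        self.vrfs[vrf.name] = vrf

    def export_vpnv4(self):
        """Steps 3 and 4 of the slide: each site route becomes RD:prefix with a VPN label and NH = this PE."""
        routes = []
        for vrf in self.vrfs.values():
            for prefix in vrf.site_routes:
                routes.append(VpnRoute(vrf.rd, prefix, self.loopback, self._next_label, vrf.export_rt))
                self._next_label += 1
        return routes

    def import_vpnv4(self, table):
        """Step 5: a VRF imports a route when the route carries any RT in its import list.
        The RD is not used for the import decision; it only keeps overlapping prefixes distinct."""
        for r in table:
            if r.next_hop == self.loopback:
                continue                                  # own advertisements
            for vrf in self.vrfs.values():
                if r.route_targets & vrf.import_rt:
                    vrf.imported[r.prefix] = (r.rd, r.next_hop, r.label)


def foreign_rds(vrf):
    """RDs of imported routes that belong to another VRF: non-empty only for a deliberate extranet,
    so an unexpected entry here points at a route-target misconfiguration."""
    return {rd for rd, _, _ in vrf.imported.values()} - {vrf.rd}


def build_scenario(pe3_blue_import=frozenset({"1:200"})):
    """Two customers (Red, Blue) on PE1 and PE3 with overlapping 10.1.10.0/24; addresses constructed."""
    pe1, pe3 = PE("PE1", "10.1.100.1"), PE("PE3", "10.1.100.3")
    rt_red, rt_blue = frozenset({"1:100"}), frozenset({"1:200"})
    pe1.add_vrf(Vrf("Red",  "1:100", rt_red,  rt_red,  {"10.1.10.0/24": "10.1.21.5", "10.1.15.0/24": "10.1.21.5"}))
    pe1.add_vrf(Vrf("Blue", "1:200", rt_blue, rt_blue, {"10.1.10.0/24": "10.1.31.5"}))
    pe3.add_vrf(Vrf("Red",  "1:100", rt_red,  rt_red,  {"10.1.11.0/24": "10.1.24.10"}))
    pe3.add_vrf(Vrf("Blue", "1:200", rt_blue, pe3_blue_import, {"10.1.12.0/24": "10.1.34.10"}))
    table = pe1.export_vpnv4() + pe3.export_vpnv4()     # what the MP-iBGP mesh carries
    pe1.import_vpnv4(table)
    pe3.import_vpnv4(table)
    return pe1, pe3, table


if __name__ == "__main__":
    pe1, pe3, table = build_scenario()
    for r in table:
        print(r.vpnv4, "NH", r.next_hop, "label", r.label, "RT", sorted(r.route_targets))
    for vrf in pe3.vrfs.values():
        print(pe3.name, vrf.name, vrf.imported, "foreign RDs:", foreign_rds(vrf))
    _, pe3_bad, _ = build_scenario(pe3_blue_import=frozenset({"1:200", "1:100"}))
    print("mistyped import on Blue leaks:", foreign_rds(pe3_bad.vrfs["Blue"]))
```

Two things the run makes visible. The VPNv4 table holds both 1:100:10.1.10.0/24 and 1:200:10.1.10.0/24 side by side, which is exactly what the RD is for. And in the misconfigured run, Blue on PE3 imports Red's 10.1.15.0/24 as soon as 1:100 appears in its import list, while the overlapping 10.1.10.0/24 routes collide inside one VRF and only one survives; isolation between customers rests entirely on the route-target configuration, not on the RD.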

How Does It Work?
How the data plane is separated

(Figure: CE1 forwards a plain IPv4 packet to PE1. Across P1 and P2 the packet carries a label stack; CE2 receives a plain IPv4 packet from PE2.)

On PE1:
  interface S1/0
   ip vrf forwarding Yellow

1. PE1 imposes the VPN label that the remote PE pre-allocated and advertised for the prefix (the inner label).
2. On the core-facing interface PE1 also imposes the IGP label learned via LDP for the remote PE's loopback (the outer label).
3. The core swaps the IGP label only.
4. PE2 strips off the VPN label and forwards the packet to CE2 as an IP packet.

Verify VPN Prefix - Labels
(Figure: PE1 loop0 10.1.100.1, P1 loop0 10.1.100.2, PE3 loop0 10.1.100.3.)

PE1# sh ip bgp vpnv4 vrf Red labels
   Network          Next Hop      In label/Out label
   0.0.0.0          0.0.0.0       34/aggregate(Red)
   10.1.10.0/24     10.1.21.5     22/nolabel
   10.1.11.0/24     10.1.100.3    nolabel/37
   10.1.15.0/24     10.1.100.3    nolabel/32

PE3# sh ip bgp vpnv4 vrf Red labels
   Network          Next Hop      In label/Out label
   0.0.0.0          10.1.100.1    nolabel/34
   10.1.10.0/24     10.1.100.1    nolabel/22
   10.1.11.0/24     10.1.24.10    37/nolabel
   10.1.15.0/24     10.1.26.11    32/nolabel

Reading the output: a route learned from the local CE has an In label (the VPN label this PE allocated and advertised) and no Out label; a route learned from the remote PE has no In label and an Out label equal to the remote PE's In label for the same prefix (22 and 34 were allocated by PE1, 37 and 32 by PE3).

Building a Legacy MPLS Backbone (IGP, BGP, MPLS)
(Figure: Customer A branch 1 and branch 2 each connect to a PE; P routers form the cloud.)
- IGP routing updates are exchanged within the cloud, and all nodes are MPLS enabled
- PE-CE routing runs between each PE and its customer router
- VRFs are configured on the PEs and BGP routing updates are exchanged between them
- The core (P) routers are used for label swapping only; they do not participate in the VPN routing updates


Introduction to Security
The three main security components:
- Confidentiality
- Integrity
- Availability

Introduction to Security [Contd]
Firewalls
- Firewall technologies: packet filtering, proxy, stateful inspection
- Firewall zones
- Firewall policies

(Figure: a firewall in front of the corporate network; it denies some traffic, blocks some attacks and allows the rest through.)
A firewall provides access control.

NAT & PAT and Access Lists
- NAT: one-to-one translation; used to reach a public network
- PAT: many-to-one translation; used when public IPs are scarce
- Access lists: standard and extended; simple security

Introduction to Security [Contd]
VPN (Virtual Private Networks)
- VPN concept
- VPN modes: transport, tunnel
- VPN phases
- VPN variables: encryption algorithm, hash algorithm, authentication method, Diffie-Hellman group

Introduction to Security [Contd]
AAA
- Authentication
- Authorization
- Accounting


Questions?
