Contents
1. Introduction
2. The OSI model
3. Switches
4. Routing
5. Introduction to Backbone design
6. Introduction to Security
   i. Firewalls
   ii. VPNs
   iii. AAA
Introduction
Network topologies
The OSI model (figure: layer diagram showing 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical)
Switches
Link layer device: stores and forwards Ethernet frames
Examines the frame header and selectively forwards the frame based on the destination MAC address
Transparent: hosts are unaware of the presence of switches
Plug-and-play: switches do not need to be configured
Switches have more interfaces than hubs
Switch diagram (figure: hosts A, B and C attached to a switch)
Switch: A-to-A and B-to-B simultaneously, no collisions; A-to-A and A-to-A simultaneously, full duplex
Switches [Contd]
Self learning:
A switch has a switch table; each entry in the switch table is (MAC address, interface, age)
Stale entries in the table are dropped (the age limit can be 60 min)
The switch learns which hosts can be reached through which interfaces
When a frame is received, the switch learns the location of the sender: the incoming LAN segment
It records the sender/location pair in the switch table
Switches [Contd]
MAC addresses: 6 bytes long, represented as a 12-digit hexadecimal number, for example 00-14-22-C9-5B-69
VLANs and trunking
STP (Spanning Tree Protocol)
Spanning-Tree Protocol (STP) prevents loops from being formed when switches or bridges are interconnected via multiple paths
Spanning-Tree Protocol implements the IEEE 802.1D algorithm by exchanging BPDU messages with other switches to detect loops, and then removes the loop by shutting down selected bridge interfaces
This algorithm guarantees that there is one and only one active path between two network devices
Routing
IP addresses
IP classes
Private IP ranges
Subnetting
Routing
Routing scenario
IP Addresses
Subnetting
Given an IP address from a class C range (192.168.100.5) with subnet mask 255.255.255.240 (/28), how many hosts can exist in the same subnet, and how many subnets can be used within the same class C?
First: comparing with the default mask (/24), we are using 4 bits for subnetting; this gives 2^4 = 16 subnets with 2^4 - 2 = 14 hosts per subnet.
Second: AND 192.168.100.5 with 255.255.255.240:
  192.168.100.00000101
  255.255.255.11110000
= 192.168.100.00000000
This host belongs to subnet 192.168.100.0 with mask 255.255.255.240.
Subnetting (cont.)
Then we can write this as:
Subnet 0: 192.168.100.0, start IP 192.168.100.1, end IP 192.168.100.14
Subnet 1: 192.168.100.16, start IP 192.168.100.17, end IP 192.168.100.30
Subnet 16: 192.168.100.240, start IP 192.168.100.241, end IP 192.168.100.254
Routing
Routing steps
1. Longest match in the routing table
2. Lowest administrative distance
3. Default route (gateway of last resort)
4. Forwarding the packet
Routing protocols
Static routing
Dynamic routing
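As an added example (not from the slides), the lookup order above in Python: longest prefix match first, lowest administrative distance among equal-length matches, and a 0.0.0.0/0 entry acting as gateway of last resort. The routing table is a constructed sample; the administrative distances 1, 110 and 120 are the Cisco IOS defaults for static, OSPF and RIP routes:

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: str
    admin_distance: int  # lower is more trusted (1 static, 110 OSPF, 120 RIP)
    source: str


def route(prefix: str, next_hop: str, ad: int, source: str) -> Route:
    return Route(ipaddress.IPv4Network(prefix), next_hop, ad, source)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest match wins; ties are broken by the lowest administrative distance."""
    ip = ipaddress.IPv4Address(dst)
    matches = [r for r in table if ip in r.prefix]
    if not matches:
        return None  # no route, not even a default: the packet is dropped
    longest = max(r.prefix.prefixlen for r in matches)
    best = [r for r in matches if r.prefix.prefixlen == longest]
    return min(best, key=lambda r: r.admin_distance)


def forward(table: List[Route], dst: str) -> Optional[Tuple[str, str]]:
    """Forwarding decision for one packet: (next hop, route source) or None."""
    r = lookup(table, dst)
    return None if r is None else (r.next_hop, r.source)


# Constructed sample table (not from the slides); the /16 is known via two protocols.
TABLE = [
    route("10.0.0.0/8", "10.0.0.254", 1, "static"),
    route("10.1.0.0/16", "10.0.1.1", 110, "OSPF"),
    route("10.1.0.0/16", "10.0.1.2", 120, "RIP"),
    route("0.0.0.0/0", "203.0.113.1", 1, "static default"),
]
```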
Routing scenario (figure: PC1, SW1, R1, R2, SW2 and PC2; the source and destination IP and MAC addresses of the packet, S.IP, D.IP, S.MAC and D.MAC, are traced along the path)
MPLS
Why MPLS?
What is MPLS?
MPLS network components
Label distribution in MPLS networks
Building MPLS-based services
L3 MPLS VPNs
Why MPLS?
A single infrastructure was needed that supports a multitude of applications in a secure manner
Load-balance traffic to utilize network bandwidth efficiently
Allow core routers/networking devices to switch packets based on a simplified header
Leverage hardware so that a simple forwarding paradigm can be used
What Is MPLS?
Multi Protocol Label Switching is a technology for the delivery of IP services.
MPLS technology switches packets (IP packets, AAL5 frames) instead of routing them in order to transport the data.
MPLS packets can run over other Layer 2 technologies such as ATM, FR, PPP, POS and Ethernet.
Other Layer 2 technologies can be run over an MPLS network.
Provider Edge (PE) (figure: a PE router connecting Customer A and Customer B)
MPLS label stack entry (32 bits):
  bits 0-19   Label (20 bits)
  bits 20-22  EXP (3 bits)
  bit 23      S, bottom of stack (1 bit)
  bits 24-31  TTL (8 bits)
Label switching example (figure: a packet destined to 128.89.25.4 traverses routers whose tables map the prefixes 128.89 and 171.69 to outgoing interfaces and labels)
Building MPLS-based services (figure: VPN A, VPN B and VPN C share one MPLS core delivering Intranet, Extranet, Multicast, VoIP and Hosting services)
MPLS-based VPNs                               | Overlay VPN
Point to cloud: single point of connectivity  | ACLs, ATM/FR, IP tunnels, IPSec, etc., requiring n*(n-1) peering points
Transport independent                         | Transport dependent
Easy grouping of users and services           | Groups endpoints, not groups
Enables content hosting inside the network    | Pushes content outside the network
Flat cost curve                               | Costs scale exponentially
Supports private overlapping IP addresses     | NAT necessary for overlapping address space
MPLS L3 VPN route distribution (figure: customer sites CE1, CE2, CE3 and CE4 attach to VRFs on the PE routers; P1 and P2 form the core running LDP; the PEs exchange VPNv4 routes over iBGP)
1. VPN service is enabled on the PEs (VRFs are created and applied to the VPN site interface)
2. VPN site CE1 connects to a VRF-enabled interface on PE1
3. VPN site routing from CE1 is distributed into MP-iBGP on PE1
4. PE1 allocates a VPN label for each prefix, sets itself as the next hop and relays the VPN site routes to PE3
5. PE3 distributes CE1's routes to CE2 (the same happens from the CE2 side)
L3 VPN route and packet flow (figure: CE1 advertises Net=16.1/16 to PE1 via IGP/eBGP; the route crosses P1 and P2 to PE2, which advertises Net=16.1/16 to CE2 via IGP/eBGP)
PE1 configuration shown in the figure:
  ip vrf Yellow
   RD 1:100
   route-target export 1:100
   route-target import 1:100
  !
  Interface S1/0
   ip vrf forwarding Yellow
  !
Packet forwarding (figure: CE1 forwards an IPv4 packet; PE1, P1, P2 and PE2 carry it across the core; CE2 receives the IPv4 packet)
1. PE1 imposes the pre-allocated label for the prefix
2. The core-facing interface allocates an IGP label
3. The core swaps IGP labels
4. PE2 strips off the VPN label and forwards the packet to CE2 as an IP packet
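As an added example (not from the slides) that covers both the 32-bit label stack entry layout given earlier and the impose/swap/pop steps above, a Python model of a two-label L3 VPN packet: PE1 pushes the VPN label (bottom of stack) and an IGP label, a P router swaps the top label, and PE2 pops. The label values 100, 200 and 22 and the b"IPv4" payload are constructed:

```python
import struct
from typing import List, Tuple

Entry = Tuple[int, int, int, int]  # (label, exp, s, ttl)


def encode_entry(label: int, exp: int, s: int, ttl: int) -> bytes:
    """Pack one 32-bit entry: Label(20) | EXP(3) | S(1) | TTL(8), network byte order."""
    assert 0 <= label < 2 ** 20 and 0 <= exp < 8 and s in (0, 1) and 0 <= ttl < 256
    return struct.pack("!I", (label << 12) | (exp << 9) | (s << 8) | ttl)


def decode_stack(data: bytes) -> Tuple[List[Entry], bytes]:
    """Walk entries until the S bit marks the bottom of stack; return entries and payload."""
    entries: List[Entry] = []
    off = 0
    while True:
        if off + 4 > len(data):
            # A stack whose last entry lacks S=1 is malformed; never read past the buffer.
            raise ValueError("truncated label stack")
        (v,) = struct.unpack_from("!I", data, off)
        off += 4
        entries.append((v >> 12, (v >> 9) & 7, (v >> 8) & 1, v & 0xFF))
        if (v >> 8) & 1:
            return entries, data[off:]


def impose(payload: bytes, vpn_label: int, igp_label: int, ttl: int = 255) -> bytes:
    """PE1: push the VPN label (S=1) for the prefix, then the IGP label on top."""
    return encode_entry(igp_label, 0, 0, ttl) + encode_entry(vpn_label, 0, 1, ttl) + payload


def swap(packet: bytes, new_label: int) -> bytes:
    """Core P router: rewrite only the top label and decrement its TTL."""
    (v,) = struct.unpack_from("!I", packet, 0)
    exp, s, ttl = (v >> 9) & 7, (v >> 8) & 1, v & 0xFF
    if ttl == 0:
        raise ValueError("TTL expired")  # looped or replayed packet: drop it
    return encode_entry(new_label, exp, s, ttl - 1) + packet[4:]


def pop(packet: bytes) -> bytes:
    """Remove the top entry (PE2 strips the VPN label; PHP strips the IGP label)."""
    return packet[4:]
```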
Label allocation (figure: P1 loop0 10.1.100.2, PE3 loop0 10.1.100.3)
PE2# sh ip bgp vpnv4 vrf Red label (output shown in the figure with columns Network, Next Hop, In label/Out label; next hops 10.1.100.1, 10.1.24.10, 10.1.26.11, 10.1.100.1; label pairs nolabel/22, 37/nolabel, 32/nolabel, nolabel/34)
Customer A branch 2: VRFs are configured and BGP routing updates are exchanged
The core router is used for label swapping and does not participate in the routing updates
Introduction to Security
The three main security components
Confidentiality
Integrity
Availability
Firewall technologies
Packet filtering
Proxy
Stateful inspection
Firewall zones
Firewall policies
Corporate network (figure)
PAT
Many-to-one translation, motivated by the lack of public IPs
Access lists
Standard & extended
Simple security
VPN concept
VPN modes: transport, tunnel
VPN phases
VPN variables: encryption algorithm, hash algorithm, authentication method, Diffie-Hellman group