7/30/2019 Backbone Cairo
Introduction to Computer Networking & Security
Contents
1. Introduction
2. The OSI model
3. Switches
4. Routing
5. Introduction to Backbone design
6. Introduction to Security
   i. Firewalls
   ii. VPNs
   iii. AAA
Introduction
Network topologies (diagram)
The OSI Model
Open Systems Inter-connection (OSI) Layers
Layer  Name
  7    Application
  6    Presentation
  5    Session
  4    Transport
  3    Network
  2    Data Link
  1    Physical
Switches
Link layer device:
  stores and forwards Ethernet frames
  examines the frame header and selectively forwards the frame based on the destination MAC address
Transparent:
  hosts are unaware of the presence of switches
Plug-and-play:
  switches do not need to be configured
Switches have more interfaces than hubs
Switch: A-to-A' and B-to-B' simultaneously, no collisions
A-to-A' and A'-to-A simultaneously, full duplex
(diagram: a switch with host pairs A/A', B/B', C/C' on separate ports)
Switches [Contd]
Self learning:
  A switch has a switch table
  entry in switch table: (MAC Address, Interface, Age)
  Stale entries in the table are dropped (Age can be 60 min)
  the switch learns which hosts can be reached through which interfaces
  When a frame is received, the switch learns the location of the sender: the incoming LAN segment
  Records the sender/location pair in the switch table
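The self-learning behaviour above in Python, added here as an example that is not part of the slides: the table keyed by MAC stores (interface, last-seen time), stale entries are dropped after the aging time, known destinations are forwarded selectively, and unknown or broadcast destinations are flooded. The MAC addresses and port numbers are constructed sample values.

```python
from dataclasses import dataclass

@dataclass
class Frame:
    src_mac: str
    dst_mac: str

BROADCAST = "FF-FF-FF-FF-FF-FF"

class LearningSwitch:
    """Self-learning switch. Table entry: MAC -> (interface, last_seen)."""

    def __init__(self, ports, aging_secs=60 * 60):   # 60 min aging, as on the slide
        self.ports = list(ports)
        self.aging_secs = aging_secs
        self.table = {}

    def expire(self, now):
        """Drop stale entries whose age exceeds the aging time."""
        for mac in [m for m, (_, seen) in self.table.items() if now - seen > self.aging_secs]:
            del self.table[mac]

    def receive(self, frame, in_port, now):
        """Process one frame; return the list of ports it is forwarded on."""
        self.expire(now)
        # Learn: the sender is reachable through the incoming interface.
        self.table[frame.src_mac] = (in_port, now)
        entry = self.table.get(frame.dst_mac)
        if frame.dst_mac == BROADCAST or entry is None:
            # Broadcast or unknown destination: flood on every other port.
            return [p for p in self.ports if p != in_port]
        out_port = entry[0]
        if out_port == in_port:
            return []          # destination is on the segment the frame came from: filter
        return [out_port]      # selectively forward based on destination MAC

def demo():
    """Constructed walk-through with host A on port 1 and host B on port 2."""
    sw = LearningSwitch(ports=[1, 2, 3])
    a, b = "00-14-22-C9-5B-69", "00-14-22-01-02-03"
    r1 = sw.receive(Frame(a, b), in_port=1, now=0)       # B unknown -> flood [2, 3]
    r2 = sw.receive(Frame(b, a), in_port=2, now=1)       # A learnt on port 1 -> [1]
    r3 = sw.receive(Frame(a, b), in_port=1, now=2)       # B learnt on port 2 -> [2]
    r4 = sw.receive(Frame(a, b), in_port=1, now=3700)    # B aged out -> flood again
    return r1, r2, r3, r4
```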
Switches [Contd]
MAC addresses are 6 bytes long, represented as a 12-digit hexadecimal number
  example: 00-14-22-C9-5B-69
VLANs and trunking
Spanning-Tree Protocol (STP) prevents loops from being formed when switches or bridges are interconnected via multiple paths
  STP implements the IEEE 802.1D algorithm by exchanging BPDU messages with other switches to detect loops, and then removes the loop by shutting down selected bridge interfaces
  This algorithm guarantees that there is one and only one active path between two network devices
Routing
  IP Addresses
  IP Classes
  Private IP Ranges
  Subnetting
  Routing
  Routing scenario
IP Addresses
Subnetting
Given an IP address from a class C range (192.168.100.5) with subnet mask 255.255.255.240 (/28), how many hosts can exist in the same subnet, and how many subnets can be used within the same class C?
First:
Comparing with the default mask (/24), we are using 4 bits for subnetting; this gives 2^4 = 16 subnets with (2^4) - 2 = 14 hosts per subnet.
Second:
AND between 192.168.100.5 and 255.255.255.240:
  192.168.100.00000101
  255.255.255.11110000
= 192.168.100.00000000
This host belongs to subnet 192.168.100.0 mask 255.255.255.240
Subnetting (cont.)
Then we can write this as:
Subnet 0: 192.168.100.0
  start IP: 192.168.100.1
  end IP: 192.168.100.14
Subnet 1: 192.168.100.16
  start IP: 192.168.100.17
  end IP: 192.168.100.30
...
Subnet 16: 192.168.100.240
  start IP: 192.168.100.241
  end IP: 192.168.100.254
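The two questions above worked in Python, as an added example that is not part of the slides: it performs the mask AND and the bit counting directly rather than calling a library, and numbers the subnets from 0, so the /28 starting at .240 is index 15. The class C block and the default /24 mask are the slide's; the function names are mine.

```python
def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def mask_to_prefix(mask):
    m = ip_to_int(mask)
    if (m | (m - 1)) & 0xFFFFFFFF != 0xFFFFFFFF:
        raise ValueError("non-contiguous subnet mask")
    return bin(m).count("1")

def subnet_summary(ip, mask, default_prefix=24):
    """Answer the slide's two questions for one host address."""
    prefix = mask_to_prefix(mask)
    host_bits = 32 - prefix
    network = ip_to_int(ip) & ip_to_int(mask)   # bitwise AND, as worked on the slide
    broadcast = network | ((1 << host_bits) - 1)
    return {
        "prefix": prefix,
        "subnets": 2 ** (prefix - default_prefix),   # bits borrowed from the host part
        "hosts": 2 ** host_bits - 2,                  # minus network and broadcast addresses
        "network": int_to_ip(network),
        # zero-based position of this subnet inside the classful block
        "index": (network & ((1 << (32 - default_prefix)) - 1)) >> host_bits,
        "first": int_to_ip(network + 1),
        "last": int_to_ip(broadcast - 1),
    }

def list_subnets(classful_net, mask, default_prefix=24):
    """Every subnet of the classful block as (index, network, first host, last host)."""
    prefix = mask_to_prefix(mask)
    host_bits = 32 - prefix
    base = ip_to_int(classful_net)
    out = []
    for i in range(2 ** (prefix - default_prefix)):
        net = base + (i << host_bits)
        out.append((i, int_to_ip(net), int_to_ip(net + 1),
                    int_to_ip(net + (1 << host_bits) - 2)))
    return out
```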
Routing
Routing steps:
  Longest match in the routing table
  Lowest admin distance
  Default route (gateway of last resort)
  Forwarding the packet
Routing Protocols:
  Static Routing
  Dynamic Routing
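The lookup order above in Python, added here as an example that is not from the slides: longest prefix match first, lowest administrative distance among equal prefixes, the default route when nothing more specific matches, then the forwarding decision. The routing table and next hops are constructed; the administrative distances used (1 static, 90 EIGRP, 110 OSPF) are the Cisco defaults.

```python
import ipaddress

# Constructed routing table: (prefix, administrative distance, next hop, source).
ROUTES = [
    ("0.0.0.0/0",     1,   "203.0.113.1", "static"),   # default route: gateway of last resort
    ("10.0.0.0/8",    110, "10.1.1.2",    "ospf"),
    ("10.0.0.0/8",    90,  "10.1.1.3",    "eigrp"),     # same prefix, lower (better) AD
    ("10.20.0.0/16",  110, "10.1.1.4",    "ospf"),
    ("10.20.30.0/24", 1,   "10.1.1.5",    "static"),
]

def select_route(dest, routes=ROUTES):
    """Pick the entry used to forward a packet to dest, or None if there is no route.

    Decision order, as on the slide: longest prefix match first; among equal
    prefixes the lowest administrative distance; the 0.0.0.0/0 default route
    only wins when nothing more specific matches."""
    addr = ipaddress.ip_address(dest)
    candidates = []
    for prefix, ad, next_hop, source in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            candidates.append((net.prefixlen, ad, prefix, next_hop, source))
    if not candidates:
        return None                       # no route and no default: the packet is dropped
    # max on (prefix length, -AD): longer prefix wins, then lower AD
    _, ad, prefix, next_hop, source = max(candidates, key=lambda c: (c[0], -c[1]))
    return {"prefix": prefix, "ad": ad, "next_hop": next_hop, "source": source}

def forward(dest, routes=ROUTES):
    """Forwarding step: the packet goes to the selected next hop, or is dropped."""
    r = select_route(dest, routes)
    return r["next_hop"] if r else "drop"
```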
Routing Scenario
(diagram: PC1, SW1, R1, R2, SW2 and PC2, with the packet's S.IP, D.IP, S.MAC and D.MAC tracked at each hop)
MPLS
  Why MPLS? What is MPLS?
  MPLS network components
  Label Distribution in MPLS Networks
  Building MPLS-Based Services
  L3 MPLS VPNs
  Building a legacy Backbone (IGP, BGP, MPLS)
Why MPLS?
  Needed a single infrastructure that supports a multitude of applications in a secure manner
  Load balance traffic to utilize network bandwidth efficiently
  Allow core routers/networking devices to switch packets based on some simplified header
  Leverage hardware so that a simple forwarding paradigm can be used
What Is MPLS?
  Multi Protocol Label Switching is a technology for the delivery of IP services.
  MPLS technology switches packets (IP packets, AAL5 frames) instead of routing packets to transport the data.
  MPLS packets can run on other Layer 2 technologies such as ATM, FR, PPP, POS, Ethernet.
  Other Layer 2 technologies can be run over an MPLS network.
MPLS Network components: MPLS core, MPLS Edge, Remote Customer Sites
1. At Ingress Edge (Edge Label Switch Router, or ATM switch/router; Provider Edge, PE):
   Label imposition: classify & label packets
2. In the Core (Label Switch Router (LSR) or P (Provider) router; router or ATM switch + label switch controller):
   Label swapping or switching
   Forward using labels (not IP address). Label indicates service class and destination
3. At Egress Edge:
   Label disposition: remove labels and forward packets
(diagram: Customer A and Customer B sites attached to PE routers, with P routers in the core)
MPLS label header (32 bits):
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|        Label (20 bits)                | EXP |S|  TTL (8 bits) |
COS/EXP = Class of Service: 3 bits; S = Bottom of Stack; TTL = Time to Live
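Pack and parse routines for the 32-bit label header shown above, added here as an example that is not from the slides: they build the Label/EXP/S/TTL word in network byte order, walk a label stack until the bottom-of-stack bit is set, and perform the core swap with a TTL decrement. The two-label sample stack (transport label 9 over VPN label 42) is constructed.

```python
import struct

def mpls_pack(label, exp, bos, ttl):
    """Build one 32-bit shim header: Label (20 bits) | EXP (3) | S (1) | TTL (8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    if not 0 <= exp < 8 or not 0 <= ttl < 256:
        raise ValueError("EXP is 3 bits, TTL is 8 bits")
    word = (label << 12) | (exp << 9) | ((1 if bos else 0) << 8) | ttl
    return struct.pack("!I", word)          # network byte order, as on the wire

def mpls_unpack(data):
    (word,) = struct.unpack("!I", data[:4])
    return {"label": word >> 12, "exp": (word >> 9) & 0x7,
            "bos": bool((word >> 8) & 1), "ttl": word & 0xFF}

def parse_label_stack(data):
    """Walk consecutive shim headers until the bottom-of-stack bit is set.
    Returns (list of headers, remaining payload); a stack with no S bit is rejected."""
    stack, off = [], 0
    while True:
        if off + 4 > len(data):
            raise ValueError("truncated label stack (no bottom-of-stack bit seen)")
        hdr = mpls_unpack(data[off:off + 4])
        stack.append(hdr)
        off += 4
        if hdr["bos"]:
            return stack, data[off:]

def swap_label(data, new_label):
    """Core LSR operation: replace the top label and decrement its TTL;
    EXP, S and any inner labels are left untouched."""
    top = mpls_unpack(data)
    if top["ttl"] <= 1:
        raise ValueError("TTL expired, packet must be dropped")
    return mpls_pack(new_label, top["exp"], top["bos"], top["ttl"] - 1) + data[4:]

def demo_vpn_stack():
    """Constructed two-label stack: outer transport label 9, inner VPN label 42."""
    return mpls_pack(9, 3, False, 255) + mpls_pack(42, 0, True, 255) + b"IPv4 payload"
```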
Label Distribution Protocol Operations
  Discovery Mechanisms
  Session Establishment
  Label Distribution and Management
    Label Binding
    Label Advertisement
    Label Distribution
LDP Peer Discovery Mechanism
LSRs discover LDP peers by exchanging LDP Hello messages
Basic neighbor discovery:
  Discover directly attached neighbors on pt-to-pt links (including Ethernet)
  LDP link Hellos are sent periodically using UDP port 646
  Establish a session & exchange prefix/FEC & label information
Extended neighbor discovery:
  Establish a peer relationship with a non-directly connected router
  LDP Targeted Hellos are sent using UDP port 646
  Exchange FEC and label information
  May be needed to exchange service labels
IP Packet Forwarding Example
(diagram: a packet "128.89.25.4 Data" crosses three routers; each router holds a table of Address Prefix and I/F with entries for 128.89 and 171.69, and the packet is forwarded based on its IP address at every hop)
MPLS with Downstream Unsolicited mode, step I: Core Routing Convergence
(diagram: three LSRs in a row, each with a table of In Label, Address Prefix, Out Iface and Out Label for the prefixes 128.89 and 171.69. Routing updates (OSPF, EIGRP, ...) flow upstream: "You can reach 128.89 thru me", "You can reach 171.69 thru me", "You can reach 128.89 and 171.69 thru me". After convergence only the prefix and out-interface columns are filled; no labels exist yet)
MPLS with Downstream Unsolicited mode, step II: Assigning labels
(diagram: Label Distribution Protocol (LDP), downstream allocation. Each LSR advertises its bindings to the upstream LSR: "Use label 9 for 128.89", "Use label 7 for 171.69", "Use label 4 for 128.89 and use label 5 for 171.69". The tables now hold the labels: the ingress LSR has out labels 4 and 5 and no in label ("-"), the core LSR has in labels 4 and 5 with out labels 9 and 7, and the egress LSR has in label 9 for 128.89 with out label "-")
MPLS with Downstream Unsolicited mode, step III: Forwarding Packets
(diagram: a packet "128.89.25.4 Data" enters the ingress LSR, which pushes label 4; the core LSR swaps label 4 for label 9 and sends the packet out interface 0; the egress LSR removes the label and forwards the IP packet. Label switches forward based on the label, not the IP address)
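The three steps above (IGP convergence, downstream unsolicited label assignment, label forwarding) as a small Python simulation, added here and not from the slides. The topology, interface numbers and label values (4, 5, 9, 7) follow the diagrams; the class and function names are mine, and the two-octet prefixes are matched as strings because that is how the slides write them.

```python
class LSR:
    def __init__(self, label_pool):
        self.labels = iter(label_pool)  # constructed pool so labels match the slides
        self.routes = {}      # prefix -> out interface (IGP convergence, step I)
        self.peer = {}        # out interface -> downstream LSR (missing = customer side)
        self.upstream = []    # LSRs that forward to us and receive our bindings
        self.out_label = {}   # prefix -> label the downstream LSR told us to use
        self.lfib = {}        # in label -> (prefix, out interface, out label; None = pop)

    def link(self, iface, downstream):
        self.peer[iface] = downstream
        downstream.upstream.append(self)

    def distribute(self):
        """Step II, downstream unsolicited: bind a local label to every prefix
        we route and advertise it to upstream neighbours unprompted."""
        for prefix, iface in self.routes.items():
            label = next(self.labels)
            self.lfib[label] = (prefix, iface, self.out_label.get(prefix))
            for up in self.upstream:
                up.out_label[prefix] = label          # "Use label L for prefix"

    def forward(self, dst, stack):
        """Step III: return (next LSR, or None once the packet leaves MPLS, stack)."""
        if stack:                                      # labelled: swap, or pop at egress
            _, iface, out = self.lfib[stack[0]]
            stack = ([out] if out is not None else []) + stack[1:]
        else:                                          # ingress: longest match, then push
            prefix = max((p for p in self.routes if dst.startswith(p + ".")), key=len)
            iface = self.routes[prefix]
            stack = [self.out_label[prefix]] if prefix in self.out_label else []
        return self.peer.get(iface), stack

def build_topology():
    """Constructed to mirror the slides: ingress -> core -> two egress LSRs."""
    ingress, core, eg_a, eg_b = LSR([]), LSR([4, 5]), LSR([9]), LSR([7])
    ingress.routes = {"128.89": 1, "171.69": 1}
    core.routes = {"128.89": 0, "171.69": 1}
    eg_a.routes, eg_b.routes = {"128.89": 0}, {"171.69": 0}
    ingress.link(1, core); core.link(0, eg_a); core.link(1, eg_b)
    for lsr in (eg_a, eg_b, core):   # downstream first, so out labels exist when LFIBs are built
        lsr.distribute()
    return ingress, core, eg_a, eg_b

def trace(dst):
    """Label stack after each hop for a packet to dst, e.g. [[4], [9], []]."""
    node, stack, hops = build_topology()[0], [], []
    while node is not None:
        node, stack = node.forward(dst, stack)
        hops.append(list(stack))
    return hops
```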
Building MPLS-Based Services
What Is a Virtual Private Network?
  A VPN is a set of sites or groups which are allowed to communicate with each other
  A VPN is defined by a set of administrative policies
    Policies are established by VPN customers
    Policies could be implemented completely by VPN service providers
  Flexible inter-site connectivity, ranging from complete to partial mesh
  Sites may be either within the same or in different organizations
    A VPN can be either an intranet or an extranet
  A site may be in more than one VPN; VPNs may overlap
  Not all sites have to be connected to the same service provider
    A VPN can span multiple providers
(diagram: sites of VPN A, VPN B and VPN C overlapping across the provider network, with services Hosting, Multicast, VoIP, Intranet and Extranet)
IP L3 vs. MPLS L3 VPNs
Overlay VPN:
  ACLs, ATM/FR, IP tunnels, IPSec, etc., requiring n*(n-1) peering points
  Transport dependent
  Groups endpoints, not groups
  Pushes content outside the network
  Costs scale exponentially
  NAT necessary for overlapping address space
  Limited scaling
  QoS complexity
MPLS-Based VPNs:
  Point to Cloud: single point of connectivity
  Transport independent
  Easy grouping of users and services
  Enables content hosting inside the network
  Flat cost curve
  Supports private overlapping IP addresses
  Scalable to over millions of VPNs
  Per VPN QoS
How Does It Work? MPLS L3 VPN Control Plane Basics
(diagram: CE1, CE2, CE3 and CE4 attached to PE1, PE2 and PE3 across P1 and P2; VRFs on each PE; LDP between the PE and P routers; iBGP VPNv4 label exchange between the PEs)
1. VPN service is enabled on the PEs (VRFs are created and applied to the VPN site interface)
2. VPN site CE1 connects to a VRF-enabled interface on PE1
3. VPN site routing from CE1 is distributed to MP-iBGP on PE1
4. PE1 allocates a VPN label for each prefix, sets itself as the next hop and relays the VPN site routes to PE3
5. PE3 distributes CE1's routes to CE2
(Similar happens from the CE2 side)
How Does It Work? How control plane information is separated
MPLS VPN Control Plane Components:
  Route Distinguisher (RD): 8-byte field, a unique value assigned by the provider to each VPN to make a route unique, so customers don't see each other's routes
  VPNv4 address: RD + VPN IP prefix
  Route Target (RT): 8-byte field, a unique value assigned by the provider to define the import/export rules for the routes from/to each VPN
  MP-BGP: facilitates the advertisement of VPNv4 prefixes + labels between MP-BGP peers
  Virtual Routing Forwarding Instance (VRF): contains VPN site routes
  Global Table: contains core routes, Internet or routes to other services
(diagram: CE1, PE1, P1, P2, PE2, CE2. CE1 advertises Net=16.1/16 to PE1 via IGP/eBGP; PE1 advertises the VPN-IPv4 route Net=RD:16.1/16, NH=PE1, Route Target 100:1, Label=42 to PE2; PE2 advertises Net=16.1/16 to CE2 via IGP/eBGP; no VPN routes in the core (P))
PE configuration shown on the slide:
  ip vrf Yellow
   RD 1:100
   route-target export 1:100
   route-target import 1:100
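How RD and RT keep customers apart, as an added Python example that is not from the slides: two VRFs on PE1 both carry 16.1.0.0/16, the RD makes the two VPNv4 routes distinct in MP-BGP, and each VRF on PE2 imports only routes whose RT matches its import list, while a VRF importing both RTs (an extranet) receives both. The Yellow values (RD and RT 1:100, label 42) follow the slide; Blue (1:200), the Shared VRF and the PE address are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class VPNv4Route:
    rd: str            # route distinguisher (8 bytes on the wire), e.g. "1:100"
    prefix: str        # customer IPv4 prefix
    next_hop: str      # advertising PE (its loopback)
    label: int         # VPN label allocated by that PE for this prefix
    rts: frozenset     # route targets attached on export

    @property
    def vpnv4(self):
        return f"{self.rd}:{self.prefix}"   # RD + prefix: the unique VPNv4 address

@dataclass
class VRF:
    name: str
    rd: str
    export_rt: set
    import_rt: set
    routes: dict = field(default_factory=dict)   # prefix -> source CE on this PE

def export_vrf(pe, vrf, first_label):
    """Advertising PE: each VRF route becomes a VPNv4 route carrying the VRF's RD,
    a per-prefix VPN label, the PE as next hop, and the VRF's export RTs."""
    return [VPNv4Route(vrf.rd, p, pe, first_label + i, frozenset(vrf.export_rt))
            for i, p in enumerate(sorted(vrf.routes))]

def import_routes(vrf, mp_bgp_table):
    """Receiving PE: a VPNv4 route enters a VRF only if one of its RTs is in the import set."""
    return {r.vpnv4: r for r in mp_bgp_table if r.rts & vrf.import_rt}

def demo():
    """Constructed scenario: two customers behind PE1 both use 16.1.0.0/16."""
    yellow = VRF("Yellow", "1:100", {"1:100"}, {"1:100"}, {"16.1.0.0/16": "CE1"})
    blue = VRF("Blue", "1:200", {"1:200"}, {"1:200"}, {"16.1.0.0/16": "CE3"})
    mp_bgp = export_vrf("10.1.100.1", yellow, 42) + export_vrf("10.1.100.1", blue, 50)
    # PE2 side: Yellow and Blue each see only their own copy of the prefix;
    # Shared imports both RTs and so holds both, distinguishable only by RD.
    yellow_pe2 = VRF("Yellow", "1:100", {"1:100"}, {"1:100"})
    blue_pe2 = VRF("Blue", "1:200", {"1:200"}, {"1:200"})
    shared_pe2 = VRF("Shared", "1:300", {"1:300"}, {"1:100", "1:200"})
    return (mp_bgp, import_routes(yellow_pe2, mp_bgp),
            import_routes(blue_pe2, mp_bgp), import_routes(shared_pe2, mp_bgp))
```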
How does it work? How the Data Plane is separated
(diagram: CE1 forwards an IPv4 packet to PE1; the packet crosses P1 and P2 to PE2; CE2 receives the IPv4 packet. PE interface configuration shown on the slide:)
  !
  interface S1/0
   ip vrf forwarding Yellow
  !
1. PE1 imposes the pre-allocated VPN label for the prefix
2. The core-facing interface adds the IGP label
3. The core swaps IGP labels
4. PE2 strips off the VPN label and forwards the packet to CE2 as an IP packet
Verify VPN Prefix - Labels
PE1# sh ip bgp vpnv4 vrf Red labels
   Network          Next Hop        In label/Out label
   0.0.0.0          10.1.21.5       22/nolabel
   10.1.10.0/24     10.1.100.3      nolabel/37
   10.1.11.0/24     10.1.100.3      nolabel/32
   10.1.15.0/24     0.0.0.0         34/aggregate(Red)
PE2# sh ip bgp vpnv4 vrf Red label
   Network          Next Hop        In label/Out label
   0.0.0.0          10.1.100.1      nolabel/22
   10.1.10.0/24     10.1.24.10      37/nolabel
   10.1.11.0/24     10.1.26.11      32/nolabel
   10.1.15.0/24     10.1.100.1      nolabel/34
(diagram: PE1 loop0 10.1.100.1, P1 loop0 10.1.100.2, P2, PE3 loop0 10.1.100.3)
Building a legacy MPLS Backbone (IGP, BGP, MPLS)
(diagram: Customer A branch 1 and Customer A branch 2 attached to PE routers, with two P routers in the cloud)
  PE-CE routing between each branch and its PE
  VRFs are configured and BGP routing updates are exchanged between the PEs
  IGP routing updates within the cloud + all nodes are MPLS enabled
  Core routers are used for label swapping and don't participate in the routing updates
Introduction to Security
The Main 3 Security Components:
  Confidentiality
  Integrity
  Availability
Introduction to Security [Contd]: Firewalls
Firewall Technologies:
  Packet filtering
  Proxy
  Stateful Inspection
Firewall Zones
Firewall Policies
(diagram: a firewall between the Corporate Network and the outside; the firewall provides access control: deny traffic, allow traffic, deny some attacks)
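The zone, policy and stateful-inspection items above contrasted in one Python example, added here and not from the slides: rules are looked up per zone pair with default deny, and a reply is admitted only when the firewall saw the session being opened, so no "any source port 443 inbound" hole is needed as it would be with a stateless packet filter. Zones, addresses and rules are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False     # True for the first segment of a TCP connection

class ZoneFirewall:
    """Zone-based stateful filter: per-zone-pair policy with default deny;
    replies are allowed only when they match a session already in the state table."""
    def __init__(self, zones, policies):
        self.zones = {z: [ipaddress.ip_network(n) for n in nets] for z, nets in zones.items()}
        self.policies = policies      # (from_zone, to_zone) -> {(proto, dport): "allow"|"deny"}
        self.state = set()            # established sessions as 5-tuples

    def zone_of(self, ip):
        addr = ipaddress.ip_address(ip)
        return next((z for z, nets in self.zones.items() if any(addr in n for n in nets)), "outside")

    def check(self, pkt):
        # 1. Stateful inspection: the reverse direction of a session we saw opened?
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "allow (established)"
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny (no session)"   # mid-stream segment of an unknown connection
        # 2. Policy for this zone pair; anything without a matching rule is denied.
        rules = self.policies.get((self.zone_of(pkt.src), self.zone_of(pkt.dst)), {})
        action = rules.get((pkt.proto, pkt.dport), "deny")
        if action == "allow":
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action

def demo():
    """Constructed policy: corporate may browse out, outside may only reach the DMZ web server."""
    fw = ZoneFirewall(
        zones={"corporate": ["10.0.0.0/8"], "dmz": ["192.0.2.0/24"]},
        policies={("corporate", "outside"): {("tcp", 443): "allow", ("udp", 53): "allow"},
                  ("outside", "dmz"): {("tcp", 80): "allow"}})
    return [
        fw.check(Packet("10.1.1.5", "203.0.113.10", "tcp", 51000, 443, syn=True)),   # allow
        fw.check(Packet("203.0.113.10", "10.1.1.5", "tcp", 443, 51000)),            # reply: allow
        fw.check(Packet("198.51.100.7", "10.1.1.5", "tcp", 40000, 445, syn=True)),  # deny: no policy
        fw.check(Packet("198.51.100.7", "192.0.2.10", "tcp", 40001, 80, syn=True)), # allow
        fw.check(Packet("203.0.113.10", "10.1.1.5", "tcp", 443, 51001)),            # deny: no session
    ]
```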
Introduction to Security [Contd]: NAT & PAT and Access Lists
NAT:
  One-to-one translation
  Access public network
PAT:
  Many-to-one translation
  Lack of public IPs
Access Lists:
  Standard & Extended
  Simple Security
Introduction to Security [Contd]: VPN (Virtual Private Networks)
VPN Concept
VPN Modes:
  Transport
  Tunnel
VPN Phases
VPN Variables:
  Encryption algorithm
  Hash algorithm
  Authentication method
  Diffie-Hellman group
Introduction to Security [Contd]: AAA
  Authentication
  Authorization
  Accounting
Questions?