CompTIA Network+ N10-007


N10-007 Exam Objectives (Domains)

• 1.0 Networking Concepts 23%
• 2.0 Infrastructure 18%
• 3.0 Network Operations 17%
• 4.0 Network Security 20%
• 5.0 Network Troubleshooting and Tools 22%
Total 100%

Networking Concepts

Domain 1.0

1.0 Networking Concepts

• 1.1 Basic Networking
• 1.2 OSI Model
• 1.3 Protocols and Ports
• 1.4 Switching
• 1.5 Routing
• 1.6 Advanced Switching and Routing Concepts
• 1.7 IP Addressing
• 1.8 Network Types and Topologies
• 1.9 Wireless Technologies
• 1.10 Summarize Cloud Concepts and their Purposes
• 1.11 Explain the Functions of Network Services

1.0 Networking Concepts Objectives

• Describe basic networking
• Explain devices, applications, protocols, and services at their appropriate OSI layers
• Explain the purposes and uses of ports and protocols
• Explain the concepts and characteristics of routing and switching
• Given a scenario, configure the appropriate IP addressing components
• Compare and contrast the characteristics of network topologies, types and technologies
• Given a scenario, implement the appropriate wireless technologies and configurations

1.1 Basic Networking

• Intro to Networking
• Networking Architectures

Intro to Networking

What is a Network?

• Two or more computers connected together
• The computers can be any type of computing device
• The connection can be wired or wireless

How Computers Communicate on a Network

Both sides need:
• Applications that want to talk to each other
• Common protocol (language)
• Network interface to connect to network
• Transmission media (wired or wireless)

Why Have a Network?

• Share data and information
• Remote communication
• Share resources such as printers, faxes, databases, and services
• Distribute a computing workload
  • Sensor – Monitor
  • Client – Server
  • Multiple facilities working together
• Cost effectiveness and reliability

Basic Networking

Host 1 ↔ Host 2: two hosts want to communicate

Basic Components of Networking

• Usually, both hosts have applications that want to communicate
• But most apps are not designed to use a network directly
• They need the operating system with its networking services to help them

Networking has the following components (Host 1 / Host 2):
• Applications that want to communicate (App / App)
• A common language (protocol) (Protocol / Protocol)
• A network interface (NIC / NIC)
• A transmission media to physically connect them

Basic Components of Networking (cont’d)

Let’s look at this again, with examples (Host 1 / Host 2):
• Applications that want to communicate: Web Browser / Web Server
• A common language (protocol): TCP/IP / TCP/IP
• A network interface: Intel Pro 1000 MB / Intel Pro 1000 MB
• A transmission media to physically connect them: CAT6 cable

Networking Architectures

Client/Server

Host 1: Web Browser (Client) ↔ Host 2: Web Server (Server)
• Client initiates the connection
• Server waits for clients to connect
  • Can accept or reject the connection attempt
• Usually a dedicated computer acts as the server

Peer-to-Peer

Host 1: App ↔ Host 2: App
• No dedicated server
• Both sides act as client and server

Hierarchical

Mainframe/Mini Computer
• “Dumb” terminals (screen and keyboard/mouse) connect to a mainframe or minicomputer
• Terminals have no processing power on their own
• All processing and storage is performed on the central computer

Activity 1.1 – Basic Networking

• Let’s build a simple network

1.2 OSI Model

• Layer 7 – Application
• Layer 6 – Presentation
• Layer 5 – Session
• Layer 4 – Transport
• Layer 3 – Network
• Layer 2 – Data Link
• Layer 1 – Physical

ISO/OSI – International Organization for Standardization / Open Systems Interconnection

Layer 7 – Application: customer service counter for app to request network services (HTTP, HTTPS, FTP, TFTP, SMTP, POP3, IMAP4, SMB, NFS, RDP, LDAP, DNS, DHCP, SSH, Telnet, SNMP…)
Layer 6 – Presentation: both sides agree on common data format (all encryption, multimedia formats, character sets)
Layer 5 – Session: keep separate conversations separate (ports, named pipes, NetBIOS, RPC)
Layer 4 – Transport: establish, manage, tear down a connection (TCP, UDP)
Layer 3 – Network: add logical address, choose the best route (IP, ICMP, IGMP)
Layer 2 – Data Link: format the data for transmission, add physical address (LAN and WAN protocols, ARP)
Layer 1 – Physical: actually transmit packet as 1’s and 0’s (all physical and electrical characteristics of connectors and transmission media)

Layer 7 – Application Layer

• “Customer service counter” that applications use to request network services
• User can typically interact at this layer
• Applications connect by speaking a language (protocol)
• Common Layer 7 protocols include:
  • SMTP, POP3, IMAP, HTTP, HTTPS, RDP, DNS, DHCP, SMB, NFS, FTP, TFTP, Telnet, SSH, SIP, NTP, SNMP, LDAP
• At this layer the data is called “data”
• Firewalls, proxies

Layer 6 – Presentation Layer

• Both sides negotiate a common data format
• User may or may not be able to interact with this layer
  • Might be prompted to install Adobe Flash Player to watch a video
• Common formats include:
  • Multimedia formats – JPG, PNG, GIF, MP3, MP4, MKV, MOV, WAV, PDF…
  • Encryption algorithm and bit size – DES, AES, MD5, SHA-1, 160 bit, 128 bit…
  • Compression – H.264, H.263, MPEG-4, MPEG-2, AAC
  • Character sets – ASCII, Unicode, EBCDIC
• At this layer the data is called “data”
• Firewalls

Layer 5 – Session Layer

• Keep separate conversations separate
• It is here that a host has the first concept of communicating with another host
• Usually done by assigning ports (source and destination) to a conversation
• Can also be NetBIOS named pipes or Unix sockets
• At this layer the data is called “data”
• Firewalls, packet filtering routers, multi-layer switches
• SOCKS proxies

Layer 4 – Transport Layer

• Pivotal layer – abstracts the mechanics of the network from the higher layers
• Starts, manages, and tears down the session
• First layer to encapsulate the data with a header
• TCP, UDP
• Firewalls, packet filtering routers, multi-layer switches

Layer 4 – Transport Layer (cont’d)

• TCP:
  • Breaks up data into manageable pieces for transmission
  • Adds sequence numbers to each segment for reassembly at other end
  • Embeds the source and destination ports into its header
  • Establishes the session with a handshake
  • Provides error correction and flow control during session
  • Tears down session with a handshake
  • Data is called a “Segment”
• UDP:
  • Embeds the source and destination ports into its header
  • Depends on the application for session establishment, management, error correction, flow control, and teardown
  • Data is called a “Datagram”

Layer 3 – Network Layer

• Encapsulates Layer 4 payload with a Layer 3 header
• Adds a logical address (usually IP address)
• Chooses the best route
• IP, ICMP, IGMP
• Routers, firewalls, multi-layer switches
• Data at this layer is called a “packet”

Layer 2 – Data Link Layer

• Adds a physical source and destination address
• Encapsulates Layer 3 packet into a frame
• Formats the frame to be suitable for transmission media
• Checks incoming frames for errors
  • Discards frames that do not pass a simple cyclical redundancy check (CRC)
• Has two sublayers:
  • Logical Link Control (LLC) – describes the Layer 3 payload
  • Media Access Control (MAC) – puts on the physical addresses
• ARP, Ethernet, Token Ring, PPP, HDLC, Frame Relay
• Switches, bridges
• Data at this layer is called a “frame”

Layer 1 – Physical Layer

• Actual transmission of the frame as 1’s and 0’s
• All electrical and mechanical aspects of the transmission
• Includes connectors, wiring types, wireless technologies, baseband, broadband, modulation, speed, bandwidth, clock rate, voltages, frequencies, power levels…
• Hubs, repeaters, patch panels, network interface cards, RJ-45, STP, UTP, thicknet/thinnet coax, CAT3/5/5e/6/6a/7, fiber optic, 2.4/5 GHz, Wi-Fi channels, ZigBee, Z-Wave, infrared and other wireless technologies
• Data at this layer is called “bits”

Protocol Data Unit (PDU)

• A specific block of information transferred over a network
• This term is used in reference to the OSI model, describing different types of data that are transferred at each layer
• The PDU for each layer of the OSI model:
  • Application = data
  • Presentation = data
  • Session = data
  • Transport = segment (TCP), datagram (UDP)
  • Network = packet
  • Data Link = frame
  • Physical = bit

Activity 1.2 – Exploring the OSI Model

• Let’s use Wireshark to explore the layers of the OSI Model
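As an added illustration of the PDU list and of what Wireshark shows layer by layer (this code is not from the original course slides), the following Python builds an Ethernet frame carrying an IPv4 packet carrying a TCP segment, then decodes it back into its PDUs. All MAC addresses, IP addresses, ports and the HTTP request are constructed sample values.

```python
"""Encapsulation and decapsulation of a frame -> packet -> segment -> data.

Added example for this course outline, not code from the slides. Each layer wraps
the PDU handed down from the layer above in its own header; the decoder peels the
headers off in the opposite order, the way Wireshark's packet-details pane does.
"""
import struct

# IANA protocol numbers quoted on the slides (ICMP 1, IGMP 2, TCP 6, UDP 17)
PROTO_ICMP, PROTO_IGMP, PROTO_TCP, PROTO_UDP = 1, 2, 6, 17
PROTO_NAMES = {PROTO_ICMP: "ICMP", PROTO_IGMP: "IGMP", PROTO_TCP: "TCP", PROTO_UDP: "UDP"}
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (the IPv4 header checksum)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_segment(src_port, dst_port, seq, ack, flags, payload: bytes) -> bytes:
    """Layer 4 PDU ('segment'): 20-byte TCP header + data. TCP checksum left 0 for brevity."""
    data_offset = 5 << 12                    # 5 x 32-bit words, no options
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                         data_offset | flags, 65535, 0, 0)
    return header + payload


def ipv4_packet(src_ip: str, dst_ip: str, proto: int, payload: bytes) -> bytes:
    """Layer 3 PDU ('packet'): IPv4 header with logical addresses + Layer 4 payload."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]   # fill checksum field
    return hdr + payload


def ethernet_frame(src_mac: str, dst_mac: str, payload: bytes) -> bytes:
    """Layer 2 PDU ('frame'): physical addresses + EtherType + Layer 3 payload (FCS omitted)."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    dst = bytes.fromhex(dst_mac.replace(":", ""))
    return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload


def decode(frame: bytes) -> dict:
    """Decapsulate frame -> packet -> segment -> data, returning one dict per layer."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr = packet[:ihl]
    proto = ip_hdr[9]
    checksum_ok = ipv4_checksum(ip_hdr) == 0     # a valid header sums to zero
    src_ip = ".".join(str(b) for b in ip_hdr[12:16])
    dst_ip = ".".join(str(b) for b in ip_hdr[16:20])
    segment = packet[ihl:]
    src_port, dst_port, seq = struct.unpack("!HHI", segment[:8])
    tcp_hdr_len = (segment[12] >> 4) * 4
    return {
        "frame": {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"), "ethertype": ethertype},
        "packet": {"src_ip": src_ip, "dst_ip": dst_ip,
                   "protocol": PROTO_NAMES.get(proto, proto), "checksum_ok": checksum_ok},
        "segment": {"src_port": src_port, "dst_port": dst_port, "seq": seq},
        "data": segment[tcp_hdr_len:],
    }


def build_http_get_frame() -> bytes:
    """Constructed sample: a browser on 192.168.1.10:51515 sends a GET to a web server on 192.168.1.5:80."""
    data = b"GET / HTTP/1.1\r\nHost: www.company123.com\r\n\r\n"        # Layer 7 PDU: 'data'
    segment = tcp_segment(51515, 80, seq=1000, ack=0, flags=0x018, payload=data)  # PSH+ACK
    packet = ipv4_packet("192.168.1.10", "192.168.1.5", PROTO_TCP, segment)
    return ethernet_frame("aa:aa:bb:bb:cc:cc", "00:11:22:33:44:55", packet)


if __name__ == "__main__":
    layers = decode(build_http_get_frame())
    for name in ("frame", "packet", "segment", "data"):
        print(name, layers[name])
```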

1.3 Protocols and Ports

• Protocols and Ports Overview
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)
• Internet Protocol (IP)
• Internet Control Message Protocol (ICMP)
• Internet Group Management Protocol (IGMP)
• Address Resolution Protocol (ARP)
• Layer 7 Remote Control Protocols
• Layer 7 File Transfer Protocols
• Layer 7 Messaging Protocols
• Layer 7 Web Traffic Protocols
• Layer 7 Streaming Media Protocols
• Layer 7 Infrastructure Management Protocols

Protocols and Ports Overview

What is a Protocol?

• Set of rules or “language” for communication
• Can exist at any level/layer of networking
• A host will use several protocols to make a connection on the network
• Examples: TCP, UDP, IP, HTTP, FTP, etc.

What is a Port?

• A number assigned by the operating system to a process (application)
• Distinguishes one application from another on the network
• A server application/service listens on a port
  • Waits for incoming client connections that connect to that port
  • This way, even if the same host has multiple connections to the same server, the server can distinguish between the different connections

What is a Port? (cont’d)

• A client application temporarily borrows a port from its OS to make the connection
  • Port is usually given back to the OS when the client application no longer needs it
  • OS then loans the available port to another app that needs it
• Typically, client and server ports in a connection are not the same
• Ports are most commonly used by TCP and UDP
  • TCP or UDP can have multiple sessions (connections) at the same time
  • Ports identify the upper layer protocol (HTTP, FTP, Telnet, etc.) that TCP or UDP is carrying
• Ports are used to help the operating system determine which service to deliver network traffic to

What is an IP Address?

• A number that a computer or device uses to identify itself on the network
• Typically, each network interface card on a computer has its own IP address
• Each IP address must be unique on the network so there is no conflict
• IP addresses are analogous to phone numbers or street addresses
• Example: 192.168.1.1

What is a Socket?

• A socket is a port that is in use
• It is a combination of protocol, IP address, and port
• This combination uniquely identifies the connection
• Example: TCP 192.168.1.5:80 (Protocol, IP Address, Port)

TCP/IP Suite

• Suite (collection) of 6 core protocols:
  • TCP, UDP, IP, ICMP, IGMP, ARP
• All but ARP have an IANA assigned protocol number (protocol ID)
• There are many auxiliary protocols at the other OSI layers (especially Layer 7)

Activity 1.3.1 – Examining Protocols and Ports

• Let’s see how protocols and ports work together

Connection-Oriented vs. Connectionless

What is a Connection-Oriented Protocol?

• Attempts to ensure reliability and completeness of transmission
• Uses a handshake to create and end a session
  • Like sending registered mail
• Keeps track of the conversation
• Ensures that the other side is responding
  • Is the other side acknowledging received packets?
  • Resends packets that are not acknowledged
  • Acknowledgements and resends add overhead and slow the conversation
• Responds to requests from the other side
  • Receiver informs sender how many packets it can receive at a time
  • Sender speeds up or slows down the transmission rate accordingly
• Used when reliability is more important than performance
  • File transfers, email, video on demand

What is a Connectionless Protocol?

• Makes no attempt to ensure completeness of the transmission
• No handshake
  • Does not even know or care if the recipient is online or offline
  • Like sending postcards
• Expects higher level protocols or the app to request resends if some of the data did not arrive
• Assumes lost packets are not important or will be re-transmitted
• Used when performance is more important than reliability
  • Real-time voice or video
  • DNS or SNMP queries

Connection-Oriented vs Connectionless

Connection-Oriented                                   Connectionless
TCP                                                   UDP, IP, ICMP, IGMP, ARP
Handshake to set up / tear down session               No handshake
Flow control / error correction                       No flow control / error correction
“Reliable”                                            “Unreliable” or “best effort”
Focus on receiving all the data                       Focus on speed / performance
Used for downloading files including web pages,       Used for real-time communications that are time
emails, file transfers, video-on-demand,              sensitive and/or can tolerate some loss: VoIP and
remote control                                        video conferences, SNMP, DNS, DHCP
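To make the contrast in the table concrete, here is an added Python model (not from the course slides) that pushes the same message through a channel that silently drops chosen packets. The connection-oriented sender numbers every segment, waits for an acknowledgement and resends what is not acknowledged, as the slides describe for TCP; the connectionless sender fires each datagram once and never looks back, like UDP. The message and the loss pattern are constructed sample values.

```python
"""Reliable (connection-oriented) versus best-effort (connectionless) delivery.

Added example, not code from the course slides. Loss is deterministic (a fixed set
of send indices) so the outcome is reproducible; only data-packet loss is modelled,
not lost acknowledgements.
"""
from dataclasses import dataclass, field


@dataclass
class LossyChannel:
    """Drops the packets whose 1-based send index is in drop_on_send."""
    drop_on_send: set
    sent: int = 0
    log: list = field(default_factory=list)

    def transmit(self, packet):
        self.sent += 1
        if self.sent in self.drop_on_send:
            self.log.append(f"send #{self.sent} {packet[0]}: LOST")
            return None
        self.log.append(f"send #{self.sent} {packet[0]}: delivered")
        return packet


def chunk(data: bytes, size: int) -> list:
    """Break the data into manageable pieces for transmission."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def connectionless_send(data: bytes, channel: LossyChannel, size: int = 4) -> bytes:
    """UDP-style: each datagram is sent exactly once; gaps are the application's problem."""
    received = []
    for i, piece in enumerate(chunk(data, size)):
        delivered = channel.transmit((f"datagram {i}", piece))
        if delivered is not None:
            received.append(delivered[1])
    return b"".join(received)


def connection_oriented_send(data: bytes, channel: LossyChannel,
                             size: int = 4, max_tries: int = 5) -> tuple:
    """TCP-style: sequence numbers, ACKs from the receiver, retransmission on timeout.

    Returns (reassembled_bytes, number_of_retransmissions).
    """
    segments = chunk(data, size)
    receiver_buffer = {}            # seq -> payload, reassembled by sequence number
    retransmissions = 0
    seq = 0
    while seq < len(segments):
        for _ in range(max_tries):
            delivered = channel.transmit((f"segment seq={seq}", segments[seq]))
            if delivered is not None:
                receiver_buffer[seq] = delivered[1]
                ack = seq + 1       # receiver acknowledges the next sequence number it expects
                channel.log.append(f"ACK {ack}")
                break
            retransmissions += 1    # no ACK before the timeout: resend the same segment
        else:
            raise ConnectionError(f"segment {seq} never acknowledged")
        seq = ack
    return b"".join(receiver_buffer[i] for i in range(len(segments))), retransmissions


def compare(data: bytes, drop_on_send: set) -> dict:
    """Run the same message through both styles over channels with the same loss pattern."""
    udp_result = connectionless_send(data, LossyChannel(set(drop_on_send)))
    tcp_result, resent = connection_oriented_send(data, LossyChannel(set(drop_on_send)))
    return {"connectionless": udp_result, "connection_oriented": tcp_result,
            "retransmissions": resent}


if __name__ == "__main__":
    # constructed sample: drop the 2nd and 5th packets put on the wire
    for style, result in compare(b"Network+ N10-007 slides", {2, 5}).items():
        print(style, result)
```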

Transmission Control Protocol (TCP)

• Layer 4 host-to-host protocol
• Provides reliable, connection-oriented communication over IP networks between two endpoints
• Attempts to guarantee delivery
• Data is broken into smaller segments with sequence #s
• Uses a receive window (sliding window) that tells sender how big the receiver’s buffer is from segment to segment
• Payload of the Internet Protocol (IP)
• Embeds source and destination ports in its header
• Session established by three-way handshake (SYN – SYN/ACK – ACK)
• Session closed by a four-way handshake (FIN – ACK – FIN – ACK)
• Protocol ID 6

TCP Header

User Datagram Protocol (UDP)

• TCP’s “Little Brother”
• Layer 4 connectionless (“unreliable”) protocol
• Used primarily for establishing low-latency and loss tolerating connections between applications on the Internet
• Like TCP, UDP embeds source and destination ports in its header and is a payload of IP
• This protocol sends short packets of data, called datagrams
• UDP is an ideal protocol for network applications in which latency is critical but loss is not
  • Gaming, real-time voice and video
  • SNMP, DNS queries and DHCP
  • Applications that provide forward error correction techniques to improve audio and video quality in spite of some loss
• Protocol ID 17

UDP Header

Activity 1.3.2 – Comparing TCP and UDP

• Let’s compare the two primary transport layer protocols.

Internet Protocol (IP)

• Network layer connectionless protocol
• The method by which data is sent from one computer to another on the Internet
• Each computer or host on the Internet has at least one IP address that uniquely identifies it from all other computers on the Internet
• The most widely used version is IPv4
• However, IP Version 6 (IPv6) use and support is continuing to grow world-wide
• IPv6 allows longer addressing and vast improvement over IPv4
• Protocol ID 4

IPv4 Header

Internet Control Message Protocol (ICMP)

• An error-reporting protocol used by network devices (e.g. routers) to generate error messages and manage traffic flow
• Layer 3 payload of IP
• Any IP network device can send and receive ICMP messages
• Used by PING application
• Has many message types/codes for different purposes:
  • Echo request
  • Echo reply
  • Destination unreachable
  • Source quench
  • Redirect
  • Router solicitation
  • Router advertisement
  • Time exceeded
• Protocol ID 1

ICMP Message

Applications that Use ICMP

• PING
  • An application that uses ICMP to prove Layer 3 connectivity
  • NOT a protocol – do not confuse with ICMP
• Traceroute
  • Stream of ICMP echo requests OR UDP datagrams with limited TTL
  • The router that discards the expired packet sends an Expired in Transit message, identifying itself
  • Microsoft traceroute application is called tracert

Internet Group Management Protocol (IGMP)

• Used by hosts to notify routers that they are still interested in receiving multicasts from upstream server
• Protocol ID 2

IGMP Packet Format

Address Resolution Protocol (ARP)

• Used to map MAC addresses to IP addresses
• Sends Layer 2 broadcast (FFFFFFFFFFFF) querying all listening nodes to identify which one is using the specified IP address
• Mappings are temporarily stored in the device’s ARP cache
• Does not have an assigned protocol number

ARP Message Format

Activity 1.3.3 – Examining the Lower Layer Protocols

• Let’s look at IP, ICMP, and ARP

Layer 7 Remote Control Protocols

Telnet

• Old style remote control protocol
• Provides client with a command prompt on a remote device
• TCP port 23
• All transmissions are sent and received in clear text

R3#> some command

Secure Shell (SSH)

• Encrypted replacement for Telnet
• Both sides trade public keys to encrypt the session
• Most SSH applications can create their own public/private key pair
• Also includes Secure Copy (SCP) and secure FTP (SFTP)
• Also known as Secure Socket Shell
• TCP port 22

R3#> “#@^x.&$”

Remote Desktop Protocol (RDP)

• Used to interact with the desktop of a remote computer
• Chosen by Microsoft for its Terminal Services
• Client sends keystrokes and mouse clicks to server
• Server sends back screen video
• Computing actually happens on the server
• Printer, speakers, drives, and file shares can be mapped between the client and server
• TCP 3389
• You have different choices for encryption and compression

RDP Login Screen

• Client app name = mstsc

Layer 7 File Transfer Protocols

Server Message Block (SMB)

• Microsoft File and Print protocol
• Originally TCP 139 using NetBIOS over TCP/IP
• Updated as Common Internet File System (CIFS) TCP 445
• Now referred to as SMB 3.0 TCP 445
• Subject to many exploits including:
  • EternalBlue
  • WannaCry ransomware

File Transfer Protocol

• TCP 21 = command port
• TCP 20 = data port
• Requires user to authenticate
• All transmissions are in clear text
• Active Mode:
  • Client tells the server what port it’s using
  • The server starts the data connection in a separate session
  • The client’s firewall may interpret that connection attempt as an unauthorized outside connection and block the server’s data connection
• Passive Mode:
  • The client starts the data connection in a separate session
  • The client’s firewall notes the client’s outbound connection, and permits the server’s inbound response

FTP Handshake

[Figure: Active FTP vs Passive FTP, steps 1–4 on each side. Active FTP: client port 1026 (Cmd) to server port 21 (Cmd); server port 20 (Data) to client port 1027 (Data). Passive FTP: client port 1026 (Cmd) to server port 21 (Cmd); client port 1027 (Data) to server port 2024 (Data).]
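The firewall behaviour behind the active/passive distinction, as an added Python model that is not part of the course slides: a minimal client-side stateful firewall allows any outbound connection, remembers it, and admits inbound packets only when they match remembered state. Active FTP has the server open the data connection inbound, which matches nothing and is dropped; passive FTP has the client open it. The client and server addresses and the port numbers (1026, 1027, 20, 21, 2024) are constructed sample values taken from the figure above.

```python
"""Why active-mode FTP trips a client-side stateful firewall while passive mode does not.

Added example, not code from the course slides. Only TCP connection state is
modelled; there is no FTP protocol parsing.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Conn":
        """The same connection seen from the other end (used to match replies)."""
        return Conn(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class ClientFirewall:
    """Default-deny inbound; outbound connections create state that admits their replies."""

    def __init__(self, protected_ip: str):
        self.protected_ip = protected_ip
        self.state = set()
        self.log = []

    def outbound(self, conn: Conn) -> bool:
        if conn.src_ip != self.protected_ip:
            raise ValueError("outbound traffic must originate from the protected host")
        self.state.add(conn)
        self.log.append(f"ALLOW out {conn.src_port} -> {conn.dst_ip}:{conn.dst_port}")
        return True

    def inbound(self, conn: Conn, new_connection: bool) -> bool:
        """A brand-new inbound connection is blocked; a reply on tracked state is allowed."""
        if new_connection or conn.reverse() not in self.state:
            self.log.append(f"DROP in {conn.src_ip}:{conn.src_port} -> {conn.dst_port} (no state)")
            return False
        self.log.append(f"ALLOW in {conn.src_ip}:{conn.src_port} -> {conn.dst_port}")
        return True


# constructed sample hosts (203.0.113.0/24 is a documentation range)
CLIENT, SERVER = "192.168.1.10", "203.0.113.5"


def active_ftp(fw: ClientFirewall) -> dict:
    """Client connects to TCP 21, then the server opens TCP 20 -> client data port 1027."""
    ctrl = Conn("tcp", CLIENT, 1026, SERVER, 21)
    fw.outbound(ctrl)
    data_from_server = Conn("tcp", SERVER, 20, CLIENT, 1027)   # server-initiated
    return {"control": True, "data": fw.inbound(data_from_server, new_connection=True)}


def passive_ftp(fw: ClientFirewall) -> dict:
    """Client connects to TCP 21, learns the server's data port (2024) and connects to it itself."""
    ctrl = Conn("tcp", CLIENT, 1026, SERVER, 21)
    fw.outbound(ctrl)
    data = Conn("tcp", CLIENT, 1027, SERVER, 2024)              # client-initiated
    fw.outbound(data)
    reply = data.reverse()                                      # server's SYN/ACK and data
    return {"control": True, "data": fw.inbound(reply, new_connection=False)}


if __name__ == "__main__":
    for mode in (active_ftp, passive_ftp):
        fw = ClientFirewall(CLIENT)
        print(mode.__name__, mode(fw), fw.log)
```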

Trivial File Transfer Protocol (TFTP)

• UDP port 69
• Simplified version of FTP
• No authentication
• All transmissions are in clear text
• Often used to save/load router and switch operating systems, updates, and configuration files
• Because it uses UDP with no flow control or error checking, it is not well suited to cross multiple routers or traverse many network segments

Secure File Transfer Protocol (SFTP)

• Secure File Transfer Protocol is also called SSH File Transfer Protocol
• Encrypts the file transfer
• Is a network protocol for accessing, transferring and managing files on remote systems
• Requires that the client be authenticated by the server
• Allows businesses to securely transfer billing data, funds and data recovery files
• Runs on TCP port 22 as part of the SSH suite
• You can change the port if desired

Layer 7 Messaging Protocols

Email Process

[Figure: ABC.com email client sends email message to abc.com email server; the XYZ.com DNS server answers with the MX record (MX company.com = mail; mail.company.com 192.168.1.52); ABC email server sends email message to XYZ email server via SMTP; the message is stored in the mailbox database; XYZ.com email client retrieves email message from its mailbox.]

Simple Mail Transfer Protocol (SMTP)

• Internet (TCP/IP) standard for electronic mail (email) transmission
• Transmissions are in clear text
• Used for sending email
  • Client to server
  • Server to server
• TCP port 25 (IANA also allocated UDP 25 but it’s not used today)
• Has encrypted versions (SMTP using SSL):
  • TCP port 587
  • TCP port 465 (legacy)

Post Office Protocol (POP3)

• One of the most commonly used Internet mail protocols for retrieving emails from a server by a local client
• Supported by all modern email clients and web servers
• Allows you to download email messages on your local computer and read them even when you are offline
• Messages are downloaded locally and removed from the email server
• POP3 protocol works on two ports:
  • Port 110 is the default POP3 clear text non-encrypted port
  • Port 995 uses SSL/TLS encrypted secure port

Internet Message Access Protocol (IMAP4)

• A mail protocol used for accessing email on a remote web server from a local client
• IMAP is one of the most commonly used Internet mail protocols for retrieving emails
• Supported by all modern email clients and web servers
• Messages stay on email server
• Allows interactive session with email server
• IMAP allows simultaneous access by multiple clients
• Suitable if a user is going to access email from different locations or by multiple users
• TCP 143 (clear text)
• IMAP4/SSL uses TCP 993

Activity 1.3.4 – Examining Messaging Protocols

• Let’s examine messaging protocols

Layer 7 Web Traffic Protocols

HyperText Transfer Protocol (HTTP)

• Used to carry web traffic
• TCP 80
• It is stateless, which means it doesn’t attempt to remember anything about the previous Web session
• Transmissions are in clear text; is not secure for transactions
• Has the following requests: GET, POST, PUT, HEAD, DELETE, OPTIONS

Web Servers

HTTP Process

HTTP GET Request

Uniform Resource Locator (URL)

• Used to uniquely identify a resource over the web
• Has the following syntax:

protocol://hostname:port/path-and-file-name
http://www.company123.com/docs/index.html
http://extranet.company123.com:8888/login.aspx

• Protocol: The application-level protocol used by the client and server
  • HTTP, HTTPS, FTP, etc.
• Hostname: The DNS domain name
  • www.company123.com
  • IP address (e.g., 192.128.1.2) of the server
• Port: The TCP port number that the server is listening on for incoming requests from the clients (typically 80 or 443)
• Path-and-file-name: The name and location of the requested resource, under the server document base directory.

HyperText Transfer Protocol Secure (HTTPS)

• Encrypted version of HTTP
• TCP 443
• Uses Secure Sockets Layer (SSL) to encrypt data
• Stateless (like HTTP)
• Should not be confused with SSL

Layer 7 Streaming Media Protocols

Session Initiation Protocol (SIP)

• Establishes, manages, tears down Voice-over-IP (VoIP) calls and multimedia conferences
• The SIP protocol is a member of the VoIP Protocol Family
• TCP and UDP 5060 (unencrypted) and 5061 (TLS encrypted)

H.323

• Recommendation from the ITU Telecommunication Standardization Sector (ITU-T)
• Defines the protocols to provide audio-visual communication sessions on any packet network
• TCP port 1720 is used by the H.323 teleconferencing protocol (most commonly encountered in Microsoft NetMeeting) during call setup negotiation
• Other ports used by H.323:
  • 1718 – Gatekeeper discovery (UDP)
  • 1719 – Gatekeeper RAS (UDP)
  • 1720 – H.323 Call setup (TCP)
  • 1731 – Audio Call control (TCP)

Layer 7 Infrastructure Management Protocols

Dynamic Host Configuration Protocol (DHCP)

• An automated way to assign IP addresses to hosts on a network
• Clients request an IP address from any listening DHCP server
• DHCP server has pre-configured pool of available IP addresses
• Server leases an address for a limited time to the client
• DHCP is based on the earlier BOOTP protocol
• Communications are by broadcast in clear text with no authentication
• UDP 67 is the destination port of a server
• UDP 68 is used by the client

Domain Name System (DNS)

• A hierarchical decentralized naming system for computers, services, or other resources connected to the Internet or a private network
• Used for human convenience
• Maps friendly names to IP addresses
• Uses UDP and TCP port 53
  • UDP for queries
  • TCP for zone transfers (replication) between servers

Domain Name System (DNS) (cont’d)

• Transmissions are in clear text
• Records are stored on DNS servers
• Servers are organized hierarchically:
  • Root servers, top level domain servers, name servers
• Types of records – A, AAAA, CNAME, MX, PTR, NS, SOA, SRV, TXT, and others
• DNSSEC – accompanying digital signatures verify authenticity of records

Simple Network Management Protocol (SNMP)

• Used to monitor and manage devices on networks
• SNMP manager uses a management information base (MIB) to ask an agent service on devices/servers/services about their current status
• UDP 161 for manager queries and agent replies
• UDP 161 for device agents to “raise traps” (send pre-configured alerts) to the manager
• The manager needs to use the same community string as the device
  • A very simple authentication mechanism
  • Most systems use both public and private community strings
• v1, v2, v2c are clear text
• v3 is encrypted

SNMP Process

[Figure: a device sends “TRAP: I have a problem!” to the SNMP Manager]

Network Time Protocol (NTP)

• Widely deployed time synchronization service
• UDP 123
• The NTP server (hopefully) has the precise time (probably obtained directly from an atomic clock)
• Sent in clear text
• Often used in Active Directory domains to synchronize internal server clocks to an external authoritative source
• Security concerns: man-in-the-middle, DDoS, stack overflows

Simple Network Time Protocol (SNTP)

• A less complex implementation of NTP
• Uses the same protocol but without requiring the storage of state over extended periods of time

Lightweight Directory Access Protocol (LDAP)

• Search and copy data from directory services
• It is a lightweight version of X.500 (Directory Access Protocol)
• TCP 389
• Open standard
• Quite versatile, deployed by many products & business types:
  • Directory services such as Microsoft Active Directory
  • Telecommunications, finance, manufacturing, retail, education, and government
• Provides data storage, scalability, high availability, disaster recovery, logging

Lightweight Directory Access Protocol Secure (LDAPS)

• LDAP over SSL
• TCP 636
• Provides additional security by supporting:
  • Automatically encoding passwords with one-way digests or encryption
  • Extensible authentication via the SASL framework, certificates, Kerberos tickets, multi-factor
  • Password policy features like password expiration, password quality validation, and account lockout from too many failed attempts
  • Fine-grained access control that can impose restrictions on the data that is available to various classes of users
• Open standard

1.4 Switching

• Packet-switched vs. Circuit-switched Network
• Properties of Network Traffic
• Contention Management
• Interface Properties and Segmentation
• Switching
• Switching Loop Management
• VLANs

Packet-Switched vs. Circuit-Switched Networks

Circuit-Switched Network

• Old telephone system
• Aka PSTN or POTS
• Once connection is established, the circuit is yours and does not change until you hang up
• Connection is dedicated and in use even if no one speaks / no data is being transmitted

Packet-Switched Network

• Voice or data is sent in packets through provider’s cloud
• Traffic will flow through different routers/switches depending on momentary conditions
• No wasted bandwidth – more packets can be placed onto the network
• Requires good traffic management for call quality to be acceptable

Circuit-Switched vs. Packet-Switched

Properties of Network Traffic

Addressing

• Every packet must have a source and destination address
• Layer 2 Addressing
  • Identifies a node on a local network segment
  • Typically a MAC address
  • Used to get a packet across a local segment to the next hop
  • Changes with each new network segment
• Layer 3 Addressing
  • Identifies a node across the entire network
  • Typically an IP address
  • Remains constant across the packet’s entire journey
  • Exception: it might be translated between public and private networks

Unicast

• One sender → one receiver
• A one-to-one transmission from one point in the network to another point
• Each point is identified by an address
• There are both Layer 2 and Layer 3 unicast addresses

Broadcast

• One sender → everyone receives
• The scope of the broadcast is limited to a broadcast domain
• The opposite of a unicast
• Broadcasting is largely confined to local area network (LAN) technologies
  • Ethernet and token ring are examples
• IPv4 Layer 3 broadcast address = 255.255.255.255
• Layer 2 broadcast MAC address = FFFFFFFFFFFF
• IPv6 does not support broadcasting
  • The same result can be achieved by sending a packet to the link-local all nodes multicast address

Multicast

• One sender → multiple receivers
• Receivers must “tune in” to the multicast as it’s being transmitted
• IP multicast is a bandwidth-conserving technology
• Reduces traffic by simultaneously delivering a single stream of information to potentially thousands of corporate recipients and homes
• Applications that take advantage of multicast include video conferencing, corporate communications, distance learning, and distribution of software, stock quotes, and news
• IGMP is used to dynamically register individual hosts in a multicast group on a particular LAN
• Hosts identify group memberships by sending IGMP messages to their local multicast router
• IPv4 Multicast address range assigned by IANA is 224.0.0.0 – 239.255.255.255
• IPv6 includes multicast (along with anycast and unicast) as a packet type

Transmission Mode

Mode         Transmission Direction                          Example                          Comment
Simplex      One way only                                    TV or radio broadcast            Not used on a modern network
Half duplex  Transmitters take turns                         Hub, coax bus                    Like a walkie talkie. Network traffic can change direction on the same pathway
Full duplex  Both sides simultaneously transmit and receive  Switch port in full duplex mode  Like a telephone. Requires two pathways (either two wires or two radio frequencies)

Contention Management

What is Network Contention?

• Multiple nodes try to use the network at the same time
• Contention leads to collisions
• Contention needs to be managed

CSMA/CD

• Carrier Sense Multiple Access with Collision Detection
• The LAN access method used in Ethernet networks
• When a device wants to gain access to the network, it checks to see if the network is free
  • Network is not free: the device waits a random amount of time before retrying
  • Network is free and two devices access the line at exactly the same time: their signals collide and both stop and wait a random amount of time before retrying
• When the line is free that last transmission is resent

CSMA/CA

• Carrier Sense Multiple Access with Collision Avoidance
• Mostly used on Wi-Fi networks today
  • Historically used on AppleTalk networks
• Wireless Access Point polls each device (round robin) to see if it’s ready to transmit
• If there is a collision, CSMA/CA does not deal with recovery, it waits for the line to be free

Collision Domain

• A network segment where collisions can occur:
  • Hub
  • Coax bus
• A collision occurs when two devices send a frame at the same time on the same network segment
• If frames collide both devices must send the frames again
• Very inefficient on a contention-based network like Ethernet
• Switch ports divide the network segment into collision domains

Broadcast Domain

• A network segment where Layer 2 (ARP) broadcasts are allowed to propagate
• Includes all switch ports in a single VLAN
  • Even across multiple switches
  • Switches will propagate ARPs across trunk links and non-trunking simple uplinks
• Routers and VLANs divide the segment into broadcast domains

Activity 1.4.1 – Creating Collision and Broadcast Domains

• Let’s see how to manage traffic through the use of collision domains and broadcast domains

Interface Properties and Segmentation

Interface Properties

• A network interface card (NIC) should have at least one address
  • Typically a physical (MAC) address
  • The MAC address is usually burned into the NIC’s firmware
  • Can be temporarily changed by the OS (usually for spoofing purposes)
• Can also have a logical (IP) address assigned to it
• Will be suited to a specific media type and Layer 2 framing
  • On a LAN, usually Ethernet or Wi-Fi
  • Includes the MTU of that segment
• The interface will have a specific speed and duplex
  • Might have to be manually configured
  • Usually can be auto-negotiated

Maximum Transmission Unit (MTU)

• Largest size packet or frame that can be transmitted on a network segment
• TCP uses the MTU to determine the maximum size of each packet in any transmission
• Too large an MTU size may mean retransmissions if the packet encounters a router that can't handle that large a packet
• Too small an MTU size means relatively more header overhead and more acknowledgements that have to be sent and handled
• Most Layer 2 protocols have a default MTU
  • Ethernet is 1500 bytes
  • Dialup PPP is 296 bytes
  • Most synchronous serial WAN protocols are 1500 bytes
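The two MTU trade-offs above, worked in Python as an added example that is not from the course slides: given a payload and the MTU of the segment it must cross, the code computes the IPv4 fragments a host or router would emit (each carrying its own 20-byte header, offsets counted in 8-byte units, More Fragments set on all but the last) and the share of wire bytes spent on headers, which grows as the MTU shrinks. It also derives the TCP maximum segment size that avoids fragmentation in the first place. The 1500-byte Ethernet and 296-byte PPP defaults are the slides' values; the payload sizes are constructed.

```python
"""IPv4 fragmentation, header overhead and TCP MSS for a given MTU.

Added example, not code from the course slides. Plain 20-byte IPv4 and TCP headers
without options are assumed.
"""
IPV4_HEADER = 20
TCP_HEADER = 20


def tcp_mss(mtu: int) -> int:
    """Largest TCP payload that fits one MTU with plain IPv4 and TCP headers."""
    return mtu - IPV4_HEADER - TCP_HEADER


def fragment(payload_len: int, mtu: int, dont_fragment: bool = False) -> list:
    """Return [(offset_bytes, data_len, more_fragments), ...] for one IPv4 datagram.

    A datagram that already fits is returned as a single 'fragment' with no MF flag.
    With the DF bit set, a router cannot fragment; it must drop the packet and send
    ICMP 'destination unreachable / fragmentation needed' back to the sender.
    """
    if payload_len + IPV4_HEADER <= mtu:
        return [(0, payload_len, False)]
    if dont_fragment:
        raise ValueError("DF set: router must drop and send ICMP 'fragmentation needed'")
    max_data = (mtu - IPV4_HEADER) // 8 * 8      # per-fragment data must be a multiple of 8
    fragments, offset = [], 0
    while offset < payload_len:
        data_len = min(max_data, payload_len - offset)
        more = offset + data_len < payload_len   # MF flag: more fragments follow
        fragments.append((offset, data_len, more))
        offset += data_len
    return fragments


def header_overhead(payload_len: int, mtu: int) -> float:
    """Fraction of bytes on the wire that are IPv4 headers rather than data."""
    frags = fragment(payload_len, mtu)
    header_bytes = len(frags) * IPV4_HEADER
    return header_bytes / (header_bytes + payload_len)


if __name__ == "__main__":
    for mtu in (1500, 296):                       # Ethernet and dial-up PPP defaults
        print(f"MTU {mtu}: MSS {tcp_mss(mtu)}, 4000-byte payload -> "
              f"{len(fragment(4000, mtu))} fragments, "
              f"{header_overhead(4000, mtu):.1%} header overhead")
```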

Network Segment

• General term that describes one discrete part of a network where transmissions occur freely in an unmanaged way
  • Hub
  • Coax bus
• Collisions can happen on a segment
• The transmission media is usually the same
  • Wired
  • Wireless
• Segments are usually connected together by:
  • Bridge
  • Switch
  • Router

Repeater

• A device that retransmits a signal
• Extends the useful length of transmission medium
• Traditionally used to extend a coaxial bus segment on an Ethernet network
• Can now extend twisted pair cable
• Can also extend the length of Power over Ethernet (PoE) on twisted pair
• Makes no distinction between garbage and good traffic
• 5-4-3 rule

Hub

• A multiport repeater
• Creates a basic network segment
• Most hubs are Ethernet
• May have different port types
  • Multiple RJ-45 jacks in front
  • BNC connector for Thinnet coax in back
• All hub ports (of the same type) are part of a single segment
• All hub ports are part of the same collision domain
• Hubs are half-duplex by nature
• Today, the word “hub” is used more to refer to a USB hub

Basic Hub Example

[Image: Images\hub.gif]

Activity 1.4.2 – Creating a Basic Network Segment

• Let’s see how to create a basic network segment

Switching

Switch

• A hardware device that makes forwarding decisions based on Layer 2 (MAC) addresses
• Micro-segments a basic segment
  • Each switch port becomes a segment
  • No collisions if there is only one node per port
• Most switches have high port density (a lot of ports)
• The switch builds a temporary table that maps MAC addresses to its ports
• Older software-based switches were called “bridges”
  • (“bridge” can also refer to any device that connects dissimilar network segments such as wired and wireless)

Layer 2 Addressing

• A physical address “burned into” the NIC
• Specific to that network segment only
• Each frame will have a source and destination address
• Usually a MAC address
  • 48-bit (12 hexadecimal numbers) physical address
  • aaaa.bbbb.cccc / aa:aa:bb:bb:cc:cc
  • Aka “burned in address” or “physical address”
• Can be viewed using the following commands:
  • Windows: ipconfig /all
  • Linux: ifconfig -a
  • Cisco: show interface

Media Access Control (MAC) Address Table

• Used by a switch to map MAC addresses to its ports
• Switch consults its MAC table to determine which port to repeat a frame out of
• Sometimes also called a “CAM” (content addressable memory) table
• Not to be confused with an ARP cache
• On a Cisco switch, you can view the MAC table by entering the following command:

show mac-address-table
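The learning and forwarding behaviour described above, as an added example that is not part of the course slides: a minimal model of a switch that learns the source MAC of every frame it receives, floods broadcasts and unknown unicasts, and forwards known unicasts out a single port. The Switch and Frame names and the sample MAC addresses are constructed for illustration.

```python
# Added example (not from the slides): how a Layer 2 switch builds its MAC
# (CAM) table and chooses the port(s) to repeat a frame out of.
from __future__ import annotations
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str   # source MAC
    dst: str   # destination MAC


@dataclass
class Switch:
    ports: int
    # MAC address -> port number; this is the "CAM" table the slides describe
    mac_table: dict = field(default_factory=dict)

    def receive(self, in_port: int, frame: Frame) -> list[int]:
        """Return the list of ports the frame is repeated out of."""
        # Learn: the source MAC is reachable through the port it arrived on.
        self.mac_table[frame.src] = in_port
        all_other_ports = [p for p in range(1, self.ports + 1) if p != in_port]

        # Broadcasts and multicasts (low bit of the first octet set) are flooded
        # out every port except the one they were received on.
        first_octet = int(frame.dst.split(":")[0], 16)
        if frame.dst == BROADCAST or first_octet & 1:
            return all_other_ports

        out_port = self.mac_table.get(frame.dst)
        if out_port is None:
            return all_other_ports   # unknown unicast: flood until the host answers
        if out_port == in_port:
            return []                # destination is on the same segment: filter
        return [out_port]            # known unicast: one port only


def demo() -> dict:
    """Constructed sample: host A on port 1 talks to host B on port 2."""
    sw = Switch(ports=4)
    a, b = "00:11:22:33:44:aa", "00:11:22:33:44:bb"
    first = sw.receive(1, Frame(src=a, dst=b))    # B unknown -> flooded to 2, 3, 4
    reply = sw.receive(2, Frame(src=b, dst=a))    # A already learned on port 1
    second = sw.receive(1, Frame(src=a, dst=b))   # B now learned on port 2
    return {"first": first, "reply": reply, "second": second,
            "table": dict(sw.mac_table)}


if __name__ == "__main__":
    print(demo())
```

The first frame to an unknown destination is flooded exactly like a hub would; only after the destination has sent something does the switch have a table entry and stop micro-segmenting by guesswork. A monitoring device on a normal (non-mirrored) port therefore sees only flooded traffic and its own, which is why port mirroring exists.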

MAC Address Table Example

Basic Switch Example


A Switch Connecting Multiple Devices

Two Switches Extending a Network

Cisco Switching Hierarchy

• Three layer model
  • Core
    • High-speed backbone
  • Distribution
    • Traffic aggregation
    • ACLs and VLAN routing
  • Access
    • End devices plug in

Cisco Switching Hierarchy Example

Cisco Switching Hierarchy with Redundancy

Port Mirroring

• A switch configuration that copies all frames from the switch’s backplane to a specific port
• Usually you plug an SNMP manager or other monitoring device into the mirrored port
• The device can then receive all traffic that crosses the switch
• Port mirroring is also known as switched port analyzer (SPAN) and roving analysis port (RAP)
• Port mirroring is implemented in LANs, WLANs, and VLANs for monitoring and troubleshooting purposes
• Not all switches support port mirroring
• Multiple vendors offer monitoring software

Power over Ethernet PoE and PoE+ (802.3af, 802.3at)

• Describes any of several standard or ad-hoc systems which pass electric power along with data on twisted pair Ethernet cabling
• The main difference between the 802.3af (PoE) and 802.3at (PoE+) standards is the maximum amount of power they provide over Cat5 cabling
  • 802.3af max = 15.4 watts
  • 802.3at (PoE+) = 25.5 watts

Activity 1.4.3 - Switching

• Let’s create some switched networks

Switching Loop Management

Switching Loop

• Occurs on a network when there is a redundant link between switches
• Switches by their nature flood broadcasts, multicasts, and unknown unicasts out all ports (except the port it was received on)
• Loops cause broadcast storms:
  1. A host sends a Layer 2 broadcast (such as an ARP or DHCP discover)
  2. The switch repeats the broadcast out all other ports, including the redundant link to the other switch
  3. The other switch in turn repeats the broadcast out all its ports, including the first link to the first switch
  4. The process repeats endlessly

Spanning Tree Protocol (STP)

• IEEE 802.1d
• Switches self-organize to identify redundant links
• Switches elect a “Root Bridge” as a focal point
  • Switch with the lowest Bridge Priority and/or MAC address wins election
• The Root sends out Root Bridge Protocol Data Units (Root BPDUs) which are forwarded by all other switches out all other ports
• If a switch receives the same Root BPDU from two or more different ports, it knows there is a redundancy
• Redundant links are put in a blocking state
  • Admin configured port priority (lower is better)
  • Link speed (faster is better)
  • Port number (lower is better)
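The election and tie-breaking rules listed above, as an added example that is not part of the course slides. It elects the root from (priority, MAC) exactly as the bullets describe, finds the ports on which the same Root BPDU arrives, and ranks the redundant ports in the slide’s order (port priority, then link speed, then port number) to decide which go into blocking. The Bridge and Port records, bridge names and MACs are constructed for illustration.

```python
# Added example (not from the slides): 802.1D-style root bridge election and
# the choice of which redundant port to block.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int   # Bridge Priority; lower wins (32768 is the usual default)
    mac: str


def bridge_id(b: Bridge) -> tuple[int, int]:
    """The Bridge ID compares priority first, then the MAC address as tiebreaker."""
    return (b.priority, int(b.mac.replace(":", ""), 16))


def elect_root(bridges: list[Bridge]) -> Bridge:
    """Every switch ends up agreeing on the bridge with the lowest Bridge ID."""
    return min(bridges, key=bridge_id)


def redundant_ports(bpdu_by_port: dict[int, Bridge], root: Bridge) -> list[int]:
    """Ports on one switch that hear the same Root BPDU; two or more = redundancy."""
    root_id = bridge_id(root)
    return [port for port, sender_root in bpdu_by_port.items()
            if bridge_id(sender_root) == root_id]


@dataclass(frozen=True)
class Port:
    number: int
    port_priority: int   # admin configured; lower is better (128 is the default)
    speed_mbps: int      # faster is better


def choose_blocked_ports(ports: list[Port]) -> list[Port]:
    """Keep the best-ranked port forwarding and return the ports to put in blocking.
    Ranking follows the slide: port priority, then link speed, then port number."""
    ranked = sorted(ports, key=lambda p: (p.port_priority, -p.speed_mbps, p.number))
    return ranked[1:]


def demo() -> dict:
    """Constructed sample: three switches, S3 configured with a low priority."""
    s1 = Bridge("S1", 32768, "00:00:00:00:00:aa")
    s2 = Bridge("S2", 32768, "00:00:00:00:00:bb")
    s3 = Bridge("S3", 4096, "00:00:00:00:00:cc")
    root = elect_root([s1, s2, s3])
    # S1 hears the same Root BPDU (claiming S3) on ports 1, 2 and 24.
    heard = {1: s3, 2: s3, 24: s3, 5: s1}
    dup = redundant_ports(heard, root)
    blocked = choose_blocked_ports([Port(24, 128, 1000), Port(1, 128, 100), Port(2, 64, 100)])
    return {"root": root.name, "redundant": dup, "blocked": [p.number for p in blocked]}


if __name__ == "__main__":
    print(demo())
```

Because the election is decided by the lowest priority/MAC and switches accept whatever BPDUs they hear, leaving every switch at the default priority lets the oldest (lowest-MAC) switch become root by accident; setting an explicit low priority on the intended core switch is the usual fix.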

Activity 1.4.4 – Managing Switching Loops

• Let’s use STP to control switching loops

VLANs

Virtual Local Area Network (VLAN)

• Grouping of switch ports to create a separate network segment
• Generally used for security or traffic management
• Typically used to separate departments, rooms, device types, or security levels
• You create the VLAN on the switch, then add physical ports to the VLAN
• Switch ports generally only belong to one VLAN at a time
  • Exception: when an IP phone connects to the network through a PC
  • Switch port has one VLAN for the phone, one VLAN for the PC
• Initially, all switch ports are in the same default VLAN (usually VLAN 1)
• If you configure a port to join a particular VLAN and then unjoin the port, it reverts back to the default VLAN
• If you delete the VLAN without unjoining the ports from it, those ports become “orphaned” and (usually) go into a blocking state
  • They stop forwarding traffic

[Diagram: CAMPUS VLAN and SPANNING-TREE CONFIGURATION. GLASS-CORE (10.1.2.2) is the PVST+ spanning-tree root for all VLANs. Distribution switches: DSW-G-1 (10.1.2.3), DSW-G-2 (10.1.2.4), DSW-1-1 (10.1.2.5), DSW-1-2 (10.1.2.6), DSW-2-1 (10.1.2.7), DSW-2-2 (10.1.2.8). Access switches: ASW-G-1 (10.1.2.9), ASW-G-3 (10.1.2.10), ASW-1-1 (10.1.2.11), ASW-G-2 (10.1.2.12), ASW-2-1 (10.1.2.13), ASW-2-2 (10.1.2.14), SW-ACCOUNTING (10.1.2.16). Uplinks are on Gi1/0/xx ports.]

PVST+ ROOT for ALL VLANs = CORE

ROOT SECONDARIES PER VLAN:
• VLAN 1 – 99: DSW-G-1
• VLAN 100 – 130: DSW-1-1
• VLAN 140 – 180: DSW-1-2
• VLAN 200 – 230: DSW-2-1
• VLAN 240 – 280: DSW-2-2

NOTE: Except for VLAN 2, all VLAN interfaces reside in CORE

ALL switches have a VLAN 2 interface for device management

VLAN   VLAN INTERFACE   Subnet ID          DESCRIPTION – GROUND FLOOR
1      192.168.1.1      192.168.1.0/24     Production (admin area)
2      10.1.2.2         10.1.2.0/24        Switch management
4      192.168.4.1      192.168.4.0/24     Cameras
5      10.1.5.1         10.1.5.0/24        Phones
6      10.1.6.1         10.1.6.0/24        Access Point Management
7      172.16.0.1       172.16.0.0/20      STUDENT WLAN
8      172.16.16.1      172.16.16.0/24     STAFF WLAN
9      10.1.9.1         10.1.9.0/24        Classroom Management
41     10.1.41.1        10.1.41.0/24       Academic Offices
42     10.1.42.1        10.1.42.0/24       Library

VLAN   VLAN INTERFACE   Subnet ID          DESCRIPTION – FIRST FLOOR
100    10.1.100.1       10.1.100.0/24      Classroom LAB 100
110    10.1.110.1       10.1.110.0/24      Classroom 110
120    10.1.120.1       10.1.120.0/24      Classroom 120
130    10.1.130.1       10.1.130.0/24      Classroom LAB 130
140    10.1.140.1       10.1.140.0/24      Classroom 140
150    10.1.150.1       10.1.150.0/24      Classroom 150
160    10.1.160.1       10.1.160.0/24      Classroom 160
170    10.1.170.1       10.1.170.0/24      Classroom 170
180    10.1.180.1       10.1.180.0/24      Classroom 180

VLAN   VLAN INTERFACE   Subnet ID          DESCRIPTION – SECOND FLOOR
200    10.1.200.1       10.1.200.0/24      Classroom LAB 200
210    10.1.210.1       10.1.210.0/24      Classroom 210
220    10.1.220.1       10.1.220.0/24      Classroom 220
230    10.1.230.1       10.1.230.0/24      Classroom LAB 230
240    10.1.240.1       10.1.240.0/24      Classroom 240
250    10.1.250.1       10.1.250.0/24      Classroom 250
160    10.1.251.1       10.1.251.0/24      Classroom 260
170    10.1.252.1       10.1.252.0/24      Classroom 170
180    10.1.253.1       10.1.253.0/24      Classroom 180

Trunking (802.1q)

• VLANs can be extended to other switches via trunk links
• Trunk links carry traffic from all VLANs from one switch to another
• A broadcast in a VLAN will extend across the trunk link to all switches and their ports that use that VLAN
• IEEE 802.1Q is the most common protocol for carrying all VLAN traffic from one switch to another
• 802.1Q VLAN frames are distinguished from ordinary Ethernet frames
  • 4-byte VLAN tag is inserted into the Ethernet header

Tagging and Untagging Ports

• A tag identifies which VLAN a particular frame belongs to
• Ports that computers, phones, and end devices are plugged into do not tag their frames
  • The end devices have no knowledge of the VLAN
• Tags are only meaningful on a trunk link that carries traffic from all VLANs between two switches
• Default VLAN 1 traffic is untagged (per 802.1q)
• All other VLAN traffic is tagged so the receiving switch knows which VLAN the frame belongs to
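The tag insertion and removal described in the two slides above, as an added example that is not part of the course slides: it builds a plain Ethernet frame, inserts the 4-byte 802.1Q tag after the source MAC as a trunk port would on egress, parses a frame either way, and strips the tag again for delivery to an access port. The MAC addresses and payload bytes are constructed.

```python
# Added example (not from the slides): 802.1Q tagging and untagging of Ethernet frames.
from __future__ import annotations
import struct

TPID_8021Q = 0x8100      # EtherType value that announces "a VLAN tag follows"
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Untagged frame: dst MAC (6) + src MAC (6) + EtherType (2) + payload."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte tag (TPID + TCI) between the source MAC and the EtherType.
    TCI = 3-bit priority (PCP) | 1-bit DEI | 12-bit VLAN ID."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0xFFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes) -> bytes:
    """What an access port does on egress: the end device never sees the tag."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


def parse_frame(frame: bytes) -> dict:
    """Decode either an untagged or an 802.1Q-tagged frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan, pcp = tci & 0xFFF, tci >> 13
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]), "vlan": vlan,
            "pcp": pcp, "ethertype": ethertype, "payload": frame[offset:]}


if __name__ == "__main__":
    # Constructed sample: a broadcast from a PC in VLAN 100 crossing a trunk.
    f = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", ETHERTYPE_IPV4, b"\x45\x00")
    print(parse_frame(tag_frame(f, 100, pcp=5)))
```

Because the tag is just four bytes a receiving switch trusts, an access port that accepts tagged frames from an end device would let that device choose its VLAN; switches therefore drop tagged frames on access ports, and a trunk's allowed-VLAN list is what limits which tags cross between switches.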

Activity 1.4.5 – Creating VLANs

• Let’s see how to create VLANs

1.5 Routing

• ARP
• IP Addressing Basics
• Routers
• Routing Basics
• NAT/PAT
• Routing Protocols
• Firewalls

ARP

Address Resolution Protocol (ARP)

• Layer 2 protocol
• Maps IP addresses to physical (MAC) addresses
• Uses Layer 2 broadcasts to query all listening devices to see who “owns” a particular IP address
• A requirement on Ethernet and Wi-Fi networks
• The ARP cache is a temporary list (in RAM) of these MAC to IP mappings
  • Entries will age out in a few minutes if not used

ARP Cache

• Displays IP-to-MAC mappings
  • arp -a (on PC)
  • show ip arp (on Cisco device)

Activity 1.5.1 – Examining ARP

• Let’s see how ARP works

IP Addressing Basics

IP Address

• Layer 3 address
• Logical address
  • Not burned into the hardware
  • Can easily be changed or spoofed
• Uniquely identifies a node on a network
• Cannot be duplicated on the same network
• A node with a duplicate IP address will display an error and be unable to get on the network
• A node can have an:
  • IPv4 address (example: 192.168.1.17)
  • IPv6 address (example: 2600:1700:b170:2380::23)
  • Both

Subnet Mask

• A 32- or 128-bit number that divides an IP address into two parts:
  • Network
  • Host
• A series of contiguous 1’s that abruptly end, followed by 0’s
• That dividing line is what divides the IP address into network | host
• Network ID falls under the 1’s | Host ID falls under the 0’s
• Used by a node to make a decision:
  • Is the destination on the same network as me?
  • If so, ARP to find the destination MAC address and then send the packet to the destination
  • If not, send the packet to the default gateway for further delivery

Classful Subnet Masks in Different Notations

11111111.00000000.00000000.00000000 = 255.0.0.0 = /8
11111111.11111111.00000000.00000000 = 255.255.0.0 = /16
11111111.11111111.11111111.00000000 = 255.255.255.0 = /24

Default Gateway

• The exit point for one network to connect to other networks
• Typically an interface on the local router
• Computers and other network devices send data that is bound for other networks to the default gateway
• The default gateway must know what to do with the packet
  • Deliver it to a host on one of its segments
  • Relay it to another router for delivery
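The host-side decision the Subnet Mask and Default Gateway slides describe (same network: ARP for the destination; different network: hand the packet to the default gateway), as an added example that is not part of the course slides. It also converts masks between the dotted, binary and /prefix notations shown above, and rejects a non-contiguous mask. The sample addresses are constructed.

```python
# Added example (not from the slides): subnet mask notations and the
# "same network or default gateway?" decision every host makes before sending.
from __future__ import annotations
import ipaddress


def mask_binary(mask: str) -> str:
    """255.255.255.0 -> 11111111.11111111.11111111.00000000"""
    return ".".join(f"{int(octet):08b}" for octet in mask.split("."))


def mask_to_prefix(mask: str) -> int:
    """255.255.255.0 -> 24; a valid mask is contiguous 1s followed by 0s."""
    bits = mask_binary(mask).replace(".", "")
    ones = bits.count("1")
    if bits != "1" * ones + "0" * (32 - ones):
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return ones


def prefix_to_mask(prefix: int) -> str:
    """24 -> 255.255.255.0"""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def next_hop(my_ip: str, mask: str, gateway: str | None, dest: str) -> tuple[str, str]:
    """Return ("arp", dest) when dest is on-link, ("gateway", gw) when it is not,
    or ("unreachable", dest) when the node has no default gateway to use."""
    me = ipaddress.IPv4Interface(f"{my_ip}/{mask_to_prefix(mask)}")
    if ipaddress.IPv4Address(dest) in me.network:
        return ("arp", dest)          # same network: resolve the destination's MAC
    if gateway is None:
        return ("unreachable", dest)  # cannot leave the segment without a gateway
    return ("gateway", gateway)       # off-network: ARP for the gateway's MAC instead


if __name__ == "__main__":
    # Constructed sample host: 192.168.1.17/24 with gateway 192.168.1.1
    print(next_hop("192.168.1.17", "255.255.255.0", "192.168.1.1", "192.168.1.50"))
    print(next_hop("192.168.1.17", "255.255.255.0", "192.168.1.1", "10.1.2.20"))
```

The last case in the test shows why a mismatched mask breaks connectivity: a host that was given 255.255.0.0 instead of 255.255.255.0 decides that 192.168.2.5 is on its own segment, ARPs for it locally, and never sends the packet to the gateway that actually reaches it.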

Example of IP Addressing on Windows 10

Activity 1.5.2 – Configuring IP

• Let’s configure IP settings on devices

Routers

Router

• A device that makes forwarding decisions based on Layer 3 (IP) addresses
• Can be hardware or software based
• Can connect many types of network segments and media types
• The router builds a route table to determine the best path (interface) to send the packet out of

Router (cont’d)

• The router will replace or re-write the packet’s Layer 2 header as the packet moves from one network type to another. Examples:
  • Ethernet → Ethernet
  • Ethernet → PPP
  • Frame relay → HDLC
• The router that connects a network segment to the outside world is called the “default gateway”

Basic Router and Switch Example

Activity 1.5.3 – Setting Up a Router

• Let’s set up a router

Routing Basics

What is Routing?

• The movement of packets between networks
• Performed by routers
• Routers must know what to do with a packet
  • Must have an entry for the route in its route table
  • OR must have a default route
  • If neither exists, the router will drop the packet and send an ICMP unreachable message to the sender
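The three outcomes listed above (matching route, default route, or drop with ICMP unreachable), as an added example that is not part of the course slides: a route-table lookup that picks the most specific matching entry, falls back to 0.0.0.0/0 when one is configured, and otherwise reports the drop. The route table, next hops and interface names are constructed.

```python
# Added example (not from the slides): route table lookup with longest-prefix
# match, an optional default route, and the drop/ICMP-unreachable case.
from __future__ import annotations
import ipaddress

# Constructed sample route table: (prefix, next hop, outgoing interface)
ROUTES = [
    ("10.1.2.0/24", "connected", "Gi0/0"),
    ("10.1.0.0/16", "10.1.2.254", "Gi0/0"),
    ("192.168.1.0/24", "connected", "Gi0/1"),
]
DEFAULT_ROUTE = ("0.0.0.0/0", "24.1.1.2", "Se0/0")


def lookup(route_table: list[tuple[str, str, str]], dest: str):
    """Return the (network, next_hop, interface) with the longest matching prefix,
    or None if nothing (not even a default route) matches."""
    addr = ipaddress.IPv4Address(dest)
    best = None
    for prefix, next_hop, iface in route_table:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def forward(route_table: list[tuple[str, str, str]], dest: str) -> dict:
    """Decide what the router does with a packet for dest."""
    match = lookup(route_table, dest)
    if match is None:
        # No route and no default route: drop and tell the sender.
        return {"action": "drop", "icmp": "destination unreachable", "dest": dest}
    net, next_hop, iface = match
    return {"action": "forward", "route": str(net), "next_hop": next_hop, "interface": iface}


if __name__ == "__main__":
    for d in ("10.1.2.7", "10.1.9.9", "8.8.8.8"):
        print(d, forward(ROUTES, d), forward(ROUTES + [DEFAULT_ROUTE], d))
```

The /0 default route matches everything, so it only wins when no more specific entry does; that is the same longest-match rule that lets the /24 beat the /16 for 10.1.2.7.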

IP Packet Fragmentation

• Routers usually fragment IP packets that exceed the MTU of the next segment
• Fragmented packets are reassembled by the final receiving host
• One form of Denial-of-Service is to craft fragmented packets that cannot be reassembled
• An IP packet can have a “Don’t fragment” flag raised in its header
  • In that case, an oversized IP packet is dropped by the router
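The fragmentation behaviour described above and the MTU rules from the earlier MTU slide, as an added example that is not part of the course slides: a router model that forwards a packet whole when it fits the next segment's MTU, drops it when it is oversized and the Don't Fragment flag is set, and otherwise splits it into 8-byte-aligned fragments; a host-side reassembler that refuses an incomplete set. Only the flags/offset field is modelled, not a full IPv4 header; the payload is constructed.

```python
# Added example (not from the slides): IPv4 fragmentation at a router and
# reassembly at the receiving host, including the DF-set drop case.
from __future__ import annotations

IHL_BYTES = 20          # minimal IPv4 header, no options
FLAG_DF = 0x4000        # Don't Fragment
FLAG_MF = 0x2000        # More Fragments
OFFSET_MASK = 0x1FFF    # fragment offset, in units of 8 bytes


def fragment(payload: bytes, mtu: int) -> list[tuple[int, bytes]]:
    """Split payload so header + data fits in mtu. Returns (flags|offset, data) pairs."""
    max_data = (mtu - IHL_BYTES) // 8 * 8   # all but the last fragment must be 8-byte multiples
    if max_data <= 0:
        raise ValueError("MTU too small for an IP header")
    frags = []
    for start in range(0, len(payload), max_data):
        chunk = payload[start:start + max_data]
        more = start + max_data < len(payload)
        frags.append(((FLAG_MF if more else 0) | (start // 8), chunk))
    return frags


def router_handle(payload: bytes, df: bool, next_hop_mtu: int):
    """What the router does with one packet bound for a segment with next_hop_mtu."""
    if IHL_BYTES + len(payload) <= next_hop_mtu:
        return ("forward", [((FLAG_DF if df else 0), payload)])   # fits: send as-is
    if df:
        # Oversized and DF set: drop, and tell the sender via ICMP (Path MTU Discovery).
        return ("drop", "ICMP Type 3 Code 4: fragmentation needed and DF set")
    return ("forward", fragment(payload, next_hop_mtu))


def reassemble(frags: list[tuple[int, bytes]]):
    """Host-side reassembly. Returns the payload, or None if fragments are missing."""
    data = b""
    expected_offset = 0
    saw_last = False
    for field, chunk in sorted(frags, key=lambda f: f[0] & OFFSET_MASK):
        if (field & OFFSET_MASK) * 8 != expected_offset:
            return None   # gap: keep the buffer only until a timer expires, then discard
        data += chunk
        expected_offset += len(chunk)
        if not field & FLAG_MF:
            saw_last = True
    return data if saw_last else None


if __name__ == "__main__":
    sample = bytes(range(256)) * 12   # constructed 3072-byte payload
    action, frags = router_handle(sample, df=False, next_hop_mtu=1500)
    print(action, [(f & OFFSET_MASK, len(c)) for f, c in frags])
```

A receiver must bound how long it holds an incomplete set and how much memory it spends on partial buffers; that timeout is what keeps the "fragments that never complete" denial-of-service from exhausting the host.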

Routed vs Routing Protocols

• Routed protocols = the actual user traffic
  • Example: IP
• Routing protocols = the language routers use to compare and update each other’s route tables
  • Process is dynamic
  • A router can use more than one routing protocol for compatibility
  • Can be an:
    • interior gateway protocol (IGP) for private internal networks
    • exterior gateway protocol (EGP) for public external networks (Internet)
  • Example: RIP, OSPF, EIGRP, BGP
  • Can be used in both IPv4 and IPv6

Static Routing

• Administrator manually enters routes into the router
• Only useful if you have very few routes with no redundancy
• Benefits
  • Less processing and less resources as compared to dynamic routing
  • Less bandwidth requirement than that used by dynamic routing
  • Extra security because routes are manually admitted or rejected
• Disadvantages
  • Need to know the complete network topology very well in order to configure routes correctly
  • Topology changes need manual adjustment on all routers, which is very time consuming

Activity 1.5.4 – Adding Static Routes

• Let’s set up static routing between routers

Dynamic Routing

• Routers use routing protocols to learn about distant routes
• Each router learns about the networks that other routers are connected to
• When new networks are added or removed, the routers update each other

Default Routing

• There is only one possible exit for the traffic to take
• A host can specify its local router (default gateway)
• A router can specify an upstream router

VLAN Routing

• Because each VLAN has its own subnet, routers can route between VLANs
• VLAN routing can be done the following ways:
  • The router has physical connections to each VLAN
  • The router interface is configured as a trunk port, divided into sub-interfaces (one for each VLAN)
  • The router is actually a software process inside a multilayer switch
    • You need to create a VLAN interface for each VLAN that needs to be routed
    • Each VLAN interface must be configured with an IP address, as the default gateway for that VLAN
    • All devices on the VLAN are configured to use that VLAN interface as their default gateway

Router On A Stick

• Some routers allow their Fast Ethernet port to be configured as a VLAN trunk link
• The physical interface is “divided” into multiple logical sub-interfaces
• Each sub-interface becomes the default gateway for that VLAN
• The router sends the frame back to the switch on the same link, but now with the tag of the destination VLAN
• This configuration is known as “router on a stick”

Activity 1.5.5 – Routing Between VLANs

• Let’s route between VLANs

NAT/PAT

Network Address Translation (NAT)

• A router might have to translate private IP addresses to public IP addresses before routing a packet to the Internet
• NAT translates IP addresses on an internal network to IP addresses on an external network
• The router keeps an entry of this mapping in its NAT table
• Pure NAT provides a one-to-one translation from IP address to IP address. Example:

10.1.2.20 → 24.1.1.1

• Allows only one node at a time to use the same translated address
• Requires multiple available outside addresses to be useful

Port Address Translation (PAT)

• Allows multiple inside nodes to share a single outside address
• Each connection is assigned a unique source port to distinguish it from the others. Examples:

10.1.2.20:50000 → 24.1.1.1:50000
10.1.2.21:50001 → 24.1.1.1:50001

• PAT is also referred to as NAT overload
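The two translation styles above, as an added example that is not part of the course slides: pure NAT hands each inside host its own outside address from a pool until the pool runs dry, while PAT shares one outside address by giving each connection its own outside port and using that port to map replies back. The addresses reuse the slide's 10.1.2.x / 24.1.1.1 examples; the pool and port allocation policy are constructed.

```python
# Added example (not from the slides): one-to-one NAT versus PAT (NAT overload).
from __future__ import annotations


def one_to_one_nat(pool: list[str], table: dict[str, str], inside_ip: str):
    """Pure NAT: each inside address consumes a whole outside address.
    Returns the outside address, or None when the pool is exhausted."""
    if inside_ip in table:
        return table[inside_ip]
    in_use = set(table.values())
    for outside in pool:
        if outside not in in_use:
            table[inside_ip] = outside
            return outside
    return None


class PatTable:
    """PAT: many inside (ip, port) pairs share one outside address."""

    def __init__(self, outside_ip: str, first_port: int = 50000):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.out_map: dict[tuple[str, int], int] = {}   # (inside ip, port) -> outside port
        self.in_map: dict[int, tuple[str, int]] = {}    # outside port -> (inside ip, port)

    def _allocate(self) -> int:
        while self.next_port in self.in_map:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, src_ip: str, src_port: int) -> tuple[str, int]:
        """Translate an outgoing packet; create table state on first use."""
        key = (src_ip, src_port)
        if key not in self.out_map:
            # Keep the original source port when free, otherwise pick a new one.
            port = src_port if src_port not in self.in_map else self._allocate()
            self.out_map[key] = port
            self.in_map[port] = key
        return (self.outside_ip, self.out_map[key])

    def inbound(self, dst_port: int):
        """Map a returning packet back to the inside host, or None if no state
        exists (an unsolicited inbound packet has nowhere to go and is dropped)."""
        return self.in_map.get(dst_port)


if __name__ == "__main__":
    pat = PatTable("24.1.1.1")
    print(pat.outbound("10.1.2.20", 50000), pat.outbound("10.1.2.21", 50001))
    print(pat.outbound("10.1.2.22", 50000), pat.inbound(50002), pat.inbound(12345))
```

The `inbound` lookup returning None is the side effect that makes PAT behave like a crude stateful filter: without an existing translation entry, nothing from outside reaches an inside host, which is why port forwarding (later in this section) has to add an entry by hand.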

Activity 1.5.6 – Configuring NAT/PAT

• Let’s set up a router to NAT/PAT

Routing Protocols

Routing Protocols (IPv4 and IPv6)

• A method for routers to learn routes not directly connected to them
• The routers automatically share and combine their route tables
• Distance Vector protocols
  • RIPv1 (obsolete)
  • RIPv2
  • BGP
  • EIGRP (was proprietary, but is now open standard)
• Link State routing protocols
  • Open Shortest Path First (OSPF)
  • Intermediate System to Intermediate System (IS-IS)

Distance Vector Routing Protocols

• Distance vector routing means routes are advertised as vectors of distance and direction:
  • Distance = “metric”
  • Direction = which interface leads to the next hop router / final destination
• Uses a routing algorithm where routers periodically send routing updates to all neighbors by broadcasting/multicasting entire route tables on a fixed interval

Routing Information Protocol (RIP) v1

• The original distance vector routing protocol
• A very simple interior gateway protocol
• Full routing table is broadcast out all interfaces every 30 seconds
• Router convergence is slow (up to several minutes)
• Incoming RIP advertisements from neighboring routers are accepted and added to the route table with no verification of source or validation of route
• Metric = hop count
  • How many more routers must the packet pass through to reach the destination
  • All network speeds treated equally - no regard for bandwidth, delay, or other conditions on a particular link

RIPv2

• Update to RIPv1
• Updates are sent by multicast, not broadcast
  • This relieves non-router devices on the segment from having to process a broadcast that is not meant for them
• Routers can be configured to authenticate each other
• Routers can be configured to transmit/receive v1, v2, or both

Challenges and Solutions of RIP

• Invalid routes can stay in a route table for several minutes
  • This leads to routers sending traffic to “black holes”
  • Solution: if one of your links goes down, transmit an immediate update out all other links with no delay
• “Flapping” route (link keeps going up and down)
  • Solution: If a neighbor sends you an immediate update, place a hold on the route before deleting it from your own table
• “Count to Infinity”
  • Two routers keep feeding each other false updates in a runaway process
  • Solutions:
    • Maximum hop count of 16 (in any one direction from that router)
    • Split horizon - Router will not advertise out an interface where route was learned
    • Poison reverse - immediately mark a downed route as unreachable (16 hops)
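The distance-vector exchange and the count-to-infinity problem described on the RIP slides, as an added example that is not part of the course slides: three routers in a line swap their whole route tables each round, accept whatever a neighbor says (as RIPv1 does, with no validation), cap the hop count at 16, and poison a failed network. Running the same failure with and without split horizon shows the runaway "count to infinity" that split horizon prevents. The router names, prefixes and topology are constructed.

```python
# Added example (not from the slides): a synchronous simulation of a RIP-style
# distance-vector exchange, with and without split horizon.
from __future__ import annotations

INFINITY = 16   # RIP's "unreachable" hop count


class Router:
    def __init__(self, name: str, connected: list[str]):
        self.name = name
        # prefix -> (hop count, next hop); directly connected networks cost 0
        self.table: dict[str, tuple[int, str | None]] = {p: (0, None) for p in connected}
        self.neighbors: dict[str, Router] = {}

    def link(self, other: "Router") -> None:
        self.neighbors[other.name] = other
        other.neighbors[self.name] = self

    def advertisement_for(self, neighbor: str, split_horizon: bool) -> dict[str, int]:
        """The periodic update sent to one neighbor: prefix -> metric."""
        adv = {}
        for prefix, (metric, next_hop) in self.table.items():
            if split_horizon and next_hop == neighbor:
                continue   # never advertise a route back to the neighbor it was learned from
            adv[prefix] = metric
        return adv

    def receive(self, sender: str, adv: dict[str, int]) -> bool:
        """Install updates with no validation, as RIPv1 does. Returns True on change."""
        changed = False
        for prefix, metric in adv.items():
            new = min(metric + 1, INFINITY)       # one more hop, capped at 16
            cur = self.table.get(prefix)
            # Take a better route, or whatever the current next hop now reports.
            if cur is None or new < cur[0] or cur[1] == sender:
                if cur != (new, sender):
                    self.table[prefix] = (new, sender)
                    changed = True
        return changed


def exchange_round(routers: list[Router], split_horizon: bool) -> bool:
    """Every router sends its update; all deliveries are then applied."""
    pending = [(nbr, r.name, r.advertisement_for(nbr.name, split_horizon))
               for r in routers for nbr in r.neighbors.values()]
    changed = False
    for receiver, sender, adv in pending:
        changed = receiver.receive(sender, adv) or changed
    return changed


def converge(routers: list[Router], split_horizon: bool = True, max_rounds: int = 50) -> int:
    """Number of rounds until a round produces no table changes."""
    for rnd in range(1, max_rounds + 1):
        if not exchange_round(routers, split_horizon):
            return rnd
    return max_rounds


def network_down(router: Router, prefix: str) -> None:
    """A connected network fails: the router poisons it (metric 16) in its table."""
    router.table[prefix] = (INFINITY, None)


def build_topology() -> list[Router]:
    """Constructed sample: R1 -- R2 -- R3, with a LAN on each end."""
    r1, r2, r3 = Router("R1", ["10.1.0.0/24"]), Router("R2", []), Router("R3", ["10.3.0.0/24"])
    r1.link(r2)
    r2.link(r3)
    return [r1, r2, r3]


if __name__ == "__main__":
    for sh in (True, False):
        rs = build_topology()
        converge(rs, sh)
        network_down(rs[0], "10.1.0.0/24")
        print("split horizon" if sh else "no split horizon",
              "rounds to converge after failure:", converge(rs, sh))
```

Without split horizon R2 keeps re-advertising the dead network back to R1, R1 believes it, and the metric climbs one hop at a time until it hits 16; the 16-hop ceiling is what turns an endless loop into a slow one, and split horizon is what removes it.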

Link-state Routing Protocols

• Link state routing is more complex than distance vector
• Router convergence is very fast
• Routers quickly update each other on the state of their links
• If links do not change state,
• Every router builds its own topology table (routing database) of the network
• The best route from the topology table goes into the route table
• If it learns that a particular link has gone down, it consults its own database for the next best route
• Requires more RAM and processing power on a router to calculate and maintain the routing database
• OSPF and IS-IS are examples of link state routing protocols

Open Shortest Path First (OSPF)

• Very widely used interior gateway protocol
• Routers are limited to an “area” (each with max of 400 routers)
• Traffic between areas travels through the backbone “Area 0”
• Requires a well-designed hierarchical network to be efficient

OSPF Example

Hybrid Routing Protocol

• A routing protocol that combines the best features of Distance Vector and Link State
• EIGRP is an example of a hybrid routing protocol

Enhanced Interior Gateway Protocol (EIGRP)

• Originally Cisco proprietary
  • Now an open standard
• Actual route updates are sent only as needed
• Routers send simple “hello” packets to keep their relationship alive
• Uses few network (bandwidth) resources
• Uses 5 “K” constants to determine the metric:
  • Bandwidth, delay, load, reliability, MTU
  • Default is bandwidth + delay
• Can load balance traffic across unequal paths
• Uses the DUAL algorithm to ensure there are no routing loops
• Router convergence is very fast (seconds)
• Generally the preferred interior routing protocol
• Works very well in any interior network
  • Even if the network is disorganized and poorly designed
• EIGRP network boundaries are defined by the Autonomous System (AS) number the routers belong to
  • An AS is a network that falls under a single administrative umbrella

EIGRP Example

Border Gateway Protocol (BGP)

• THE exterior gateway protocol (the only one used on the Internet)
• Is a Path Vector protocol
  • Views an entire autonomous system as a hop
• BGP is always used between ISPs
• Most ISPs also use an interior version of BGP within their own network
• Uses a number of criteria for best path selection (the “weight” of an interface, shortest AS path, lowest origin, and others)
• The focus of BGP design and implementation is on security and scalability

BGP Example

Activity 1.5.7 – Configuring a Routing Protocol

• Let’s configure RIP

Firewalls

Firewall Overview

• Protects “trusted” private network from “untrusted” Internet

[Diagram: the firewall sits between the private network and the Internet]

• Controls both inbound and outbound traffic based on rules set by administrator

Demilitarized Zone (DMZ)

• An untrusted network between two firewalls
• Internet-facing hosts are placed here
• Typically used to isolate and (somewhat) protect public servers such as:
  • DNS
  • Web server
  • MX (email relay)
  • Spam and web traffic filtering appliances

Typical DMZ

• AKA “Screened Subnet”
• IP addresses in DMZ can be public or private

[Diagram: LAN – Internal Firewall – DMZ (containing the bastion host) – External Firewall – Internet]

“Dirty” DMZ

• External “firewall” is a packet filtering router

[Diagram: LAN – Firewall – DMZ – Packet Filtering Router – Internet]

Perimeter Network

• Like a “side yard”
• Still untrusted
• Contains the bastion host(s)

[Diagram: LAN – Firewall – Perimeter Network – Internet]

Access Control Lists

• A set of rules used to control traffic in and out of a firewall, router, or multilayer switch
• Each packet is compared to the rules in the ACL and processed accordingly
• Rules can include:
  • Protocol
  • Source IP address
  • Destination IP address
  • Source port
  • Destination port
• ACL actions are usually permit or deny
• Most ACLs have an implicit “deny” at the end
  • If you configure deny rules, you need to have a “permit all” rule at the end to allow all other traffic

Port Forwarding

• A technique that allows external devices to access computers on a private network
• Uses an IP address plus port number to route network requests to specific internal devices
• Typically configured on a firewall

Activity 1.5.8 – Configuring a Firewall

• Let’s see how to configure a firewall

1.6 Advanced Switching and Routing Concepts

• IPv6 Concepts
• Performance Concepts
• Distributed Switching
• Software-defined Networking

IPv6 Concepts

Addressing

• An IPv6 address is 128 bits in length and written in hexadecimal
• Every 4 bits can be represented by a single hexadecimal digit, for a total of 32 hexadecimal values
• Colons separate the groups of 4-bit hexadecimal digits (:)
• Shortcuts for notation
  • Collapse/omit leading 0s – fe80:0000:0000:0000:a299:9bff:fe18:50d1 as fe80:0:0:0:a299:9bff:fe18:50d1
  • Collapse all-0s hextets – 0000:0000:0000:0000:0000:0000:0000:0000 as ::
    • You can only collapse once!
  • Use both of the above together – fe80:0000:0000:0000:a299:9bff:fe18:50d1 as fe80::a299:9bff:fe18:50d1

IPv6 Unicast Address Types

• Global Unicast – similar to IPv4 public IP addresses
  • Addresses are assigned by IANA and used on public networks
  • These addresses have a prefix of 2000::/3, meaning all the addresses that begin with binary 001
• Unique Local – similar to IPv4 private addresses
  • Used in private networks
  • Not routable on the Internet
  • These addresses have a prefix of FD00::/8
• Link local – similar to IPv4 APIPA (self assigned) addresses
  • Used for sending packets over the local subnet
  • Routers do not forward packets with this address to other subnets
  • IPv6 requires a link-local address to be assigned to every network interface on which the IPv6 protocol is enabled
  • These addresses have a prefix of FE80::/10
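The notation shortcuts and the prefix-based address types from the two slides above, as an added example that is not part of the course slides: an expander that enforces the "collapse only once" rule, a compressor that drops leading zeros and collapses the longest run of zero hextets, and a classifier that recognises global unicast (2000::/3), unique local (fc00::/7, which covers the fd00::/8 block the slide names), link-local (fe80::/10), multicast and loopback by their leading bits. The compressor follows RFC 5952 in not collapsing a single zero hextet, a refinement the slide does not mention. Sample addresses are taken from the slides or constructed.

```python
# Added example (not from the slides): IPv6 text notation and address-type
# classification by prefix bits.
from __future__ import annotations


def expand(addr: str) -> str:
    """Write an IPv6 address as eight 4-digit hextets. '::' may appear once."""
    if addr.count("::") > 1:
        raise ValueError("'::' may be used only once")
    if "::" in addr:
        left, right = addr.split("::")
        l = left.split(":") if left else []
        r = right.split(":") if right else []
        missing = 8 - len(l) - len(r)
        if missing < 1:
            raise ValueError("'::' must stand for at least one hextet")
        parts = l + ["0"] * missing + r
    else:
        parts = addr.split(":")
    if len(parts) != 8:
        raise ValueError("an IPv6 address has 8 hextets")
    return ":".join(f"{int(p, 16):04x}" for p in parts)


def compress(addr: str) -> str:
    """Drop leading zeros and collapse the longest all-zero run (once)."""
    parts = [f"{int(p, 16):x}" for p in expand(addr).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if parts[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and parts[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:          # RFC 5952: a single zero hextet is not shortened to '::'
        return ":".join(parts)
    left = ":".join(parts[:best_start])
    right = ":".join(parts[best_start + best_len:])
    return f"{left}::{right}"


def ipv6_type(addr: str) -> str:
    """Classify by the high-order bits of the first hextet."""
    full = expand(addr)
    first = int(full.split(":")[0], 16)
    if full == "0000:0000:0000:0000:0000:0000:0000:0001":
        return "loopback"
    if first >> 13 == 0b001:          # 2000::/3
        return "global unicast"
    if first >> 9 == 0b1111110:       # fc00::/7 (fd00::/8 is the half in actual use)
        return "unique local"
    if first >> 6 == 0b1111111010:    # fe80::/10
        return "link-local"
    if first >> 8 == 0xff:            # ff00::/8
        return "multicast"
    return "other/reserved"


if __name__ == "__main__":
    print(compress("fe80:0000:0000:0000:a299:9bff:fe18:50d1"), ipv6_type("fe80::a299:9bff:fe18:50d1"))
```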

Methods for Transitioning from IPv4 to IPv6

• Dual Stack
• Tunneling
• NAT

Dual Stack

• In dual-stack configuration, the device is configured for both IPv4 and IPv6 network stacks
• The dual-stack configuration can be implemented on a single interface or with multiple interfaces
• End nodes and routers/switches run both protocols
• If IPv6 communication is possible it is the preferred protocol

Tunneling

• A “tunnel” is a transmission in which one packet is hidden inside another packet
• Most frequently used in VPNs
• The same solution can be applied to tunnel IPv6 packets inside (over) IPv4 networks
• Different tunneling types:
  • 6to4 - hide v6 packets inside v4 packets
  • 6rd (6 rapid deployment) - a lightweight variant of 6to4
  • ISATAP - dual stack nodes (typically servers) act as proxies on a LAN

“Tunneling” = hide a packet inside a packet

[Diagram: Sender → Internet → VPN Server → Final Destination]

• Tunnels are typically encrypted
• Tunnels can be:
  • Host-to-host
  • Between routers

6to4 Network Address Translation (NAT)

• Edge routers translate between IPv6 and IPv4 as traffic goes in and out of their network

Router Advertisement (RA)

• A periodic multicast announcement of a router’s IPv6 address
• Hosts listen for RAs to learn what network they are on
• If a host does not want to wait, it can send a Router Solicitation (RS) multicast to ask any listening router what network it is on
• Once the host knows the network ID, it can append its own MAC address (plus some padding) to create a full IPv6 address

Neighbor Discovery Protocol (NDP)

• Multicast ICMP message
• Used by a host to:
  • Discover the link-layer address of a neighbor on the same network (local link)
  • Verify the reachability of a neighbor
  • Track neighboring devices

Activity 1.6 – Exploring IPv6

• Let’s explore IPv6

Performance Concepts

Traffic Shaping

• Also known as:
  • Packet shaping
  • Quality of Service (QoS)
  • Bandwidth management
• The manipulation and prioritization of network traffic to reduce network congestion for applications that need real-time priority:
  • Voice
  • Video
  • Teleconferencing
  • Telemedicine
  • Network management
• Used to optimize or guarantee performance, improve latency, or increase usable bandwidth

Quality of Service (QoS)

• Helps manage packet loss, delay and jitter on your network infrastructure
• Also an important factor in supporting the growing Internet of Things (IoT)
• Applied to applications that benefit from managing packet loss, delay and jitter
  • Voice
  • Video
• Identify and mark traffic using
  • Class of Service (CoS) - Ethernet (QoS enforced by switch)
  • Differentiated Services Code Point (DSCP) - IP (QoS enforced by router)
• To be meaningful, must be supported by every device (switch, router) along the packet’s path

Differentiated Services Code Point (Diffserv)

• A way to identify and mark traffic so QoS can be applied to the correct network traffic
• Allows higher priority traffic to receive preferential treatment
• Also known as DSCP
• Marks a data stream in the Layer 3 packet header
• Various applications can be marked differently
• Allows network equipment to categorize data into different groups
• Routers have outbound transmit queues with different priorities
  • They place packets with different DSCP codes into the appropriate queue

Class of Service (CoS)

• A QoS mechanism that works at Layer 2
• Different applications can be marked differently
• QoS is enforced by switches

Distributed Switching

Distributed Switching

• An architecture that links remote telecommunications ports into a larger structure
• The network is made up of switching stations that are remotely distributed
• The stations are controlled by a centralized network control center
• The distributed switches have two levels of communication:
  • with each other (often over long haul links)
  • with their local users
• Distributed switching is typically implemented in a virtual environment

Software-Defined Networking

Software-Defined Networking (SDN)

• Routing and switching logic is removed from the devices
• Routing/switching decisions are made by a central software module
• Routers and switches are “white box” generic devices that do as they’re told
• This bird’s eye view of traffic allows for better, more responsive traffic management and shaping
• Supports business needs
• Made possible through virtualization
• Central controller potential target for hacking

SDN Conceptual Model

1.7 IP Addressing

• Public vs. Private
• Loopback and Reserved
• Subnet Mask
• Default Gateway
• Virtual IP
• Subnetting
• Address Assignments

Public vs. Private

Public IP Address

• An IP address that can be used on the Internet
• Coordinated by the Internet Corporation for Assigned Names and Numbers (ICANN)
• Regional Internet Registries (RIRs) assign region-specific blocks of IP addresses to ISPs
• ISPs give these numbers to customers
• Examples:
  • IPv4 - 198.134.5.6
  • IPv6 - 2605:e000:1129:80bc:0:588c:745a:ee82

Private IP Address

• Legitimate IP address, but not used on the Internet
• Can be used and routed on private networks
• Used on internal networks
• Used to extend the lifespan of IPv4 / slow the depletion of public IP addresses
• Must be NAT/PAT translated for traffic to travel on the Internet
  • NATing is used to overcome the depleting number of IPv4 public addresses

Private IP Address (cont’d)

• Can (and typically do) use VLSM
• Must be translated to a public address for traffic to go on the Internet
• IPv4 Private Address Blocks:
  • 10.0.0.0/8         10.0.0.0 - 10.255.255.255
  • 172.16.0.0/12      172.16.0.0 - 172.31.255.255
  • 192.168.0.0/16     192.168.0.0 - 192.168.255.255
• IPv6 Private Address Block:
  • fc00::/7 (essentially fdxx:xxxx:xxxx)

Private IPv4 Address Blocks

RFC 1918 name   IP address range                Number of addresses   Largest CIDR block (subnet mask)   Host ID size   Default mask bits   Description
24-bit block    10.0.0.0 – 10.255.255.255       16,777,216            10.0.0.0/8 (255.0.0.0)             24 bits        8 bits              single class A network
20-bit block    172.16.0.0 – 172.31.255.255     1,048,576             172.16.0.0/12 (255.240.0.0)        20 bits        12 bits             16 contiguous class B networks
16-bit block    192.168.0.0 – 192.168.255.255   65,536                192.168.0.0/16 (255.255.0.0)       16 bits        16 bits             256 contiguous class C networks

Automatic Private IP Addressing (APIPA)

• Self assigned IPv4 addresses
• Hosts use if DHCP client cannot obtain a lease
  • Used by Microsoft and Macintosh
• 169.254.0.0/16
• Not routable on any network, public or private

Self-Assigned (Link Local) IPv6 Addresses

• Similar to IPv4 APIPA addresses
• Every interface has a link local address, regardless of any other addressing
• Example: fe80::3cbf:a6e0:5923:3545%127 (Preferred)

Loopback and Reserved

Loopback

• A software interface which can be used to emulate a physical interface
• The loopback interfaces are always up and running and always available, even if other physical interfaces in the router are down
• Router loopbacks are often used to identify the router and for diagnostics and testing
• IPv4 loopback address is 127.0.0.1
• IPv6 loopback address is expressed as ::1 (all 0s with a single 1)

Reserved IPv4 Addresses

Several Types:
• Private
  • Not used on the Internet
  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16
• APIPA
  • Not routable
  • Self-assigned
  • 169.254.0.0/16
• Loopback
  • Not routable
  • Assigned to a loopback interface
  • 127.0.0.0/8 or a private address

Reserved IPv6 Addresses

Link-local addresses
• Designed to only be used on a local physical link / non-routable
• Self-assigned
• Every link required to have a link-local address
• Similar to IPv4 APIPA addresses
• The link-local address block is FE80::/10 (FE80 to FEB0)

Reserved IPv6 Addresses (cont’d)

Private addresses
• Routable, but only in a private network, not on the Internet
• Similar to private IPv4 addresses, like IPv4's 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 IP ranges
• The private IP subnet is FD00::/7 with the eighth bit set to 1
  • It’s effectively FD00::/8
  • The subnet ranges from FD00 to FDFF

Let’s Take Another Look at the Windows 10 IP Address Example

Subnet Mask

Subnet Mask

• All nodes on a subnet must have the same subnet mask
• If a node has a different subnet mask from the others, it may see other nodes (including its default gateway) as being on a different network
• Use ipconfig / ifconfig to verify subnet mask configuration

Default Gateway

Default Gateway

• Every node that you want to be able to send/receive traffic outside its network must have the correct default gateway
• There may be some nodes you do not want to leave their segment / be reachable by outside devices for security purposes
  • IP cameras
  • IP phones
• If you ping a device with no default gateway, it will probably:
  • Receive the packet ok
  • Be unable to respond because it has no way to leave its own segment
• Use the following to test that a node has the correct default gateway configured:
  • ipconfig / ifconfig
  • ping
  • tracert / traceroute

Virtual IP

Virtual IP

• An IP address shared by multiple servers or routers
• Typically used for failover clusters, network load balancing, or redundant routers
• Clients send traffic to the virtual IP rather than individual device IPs
• Use the cluster management tools to verify virtual IP
• Ensure that all hosts point to the router’s virtual IP as the default gateway
• Ensure that DNS records point to the virtual IP of the cluster/NLB

Subnetting

What is Subnetting?

• Dividing a larger network into smaller sub-networks (subnets)
• The subnets are connected by routers
• The subnet mask is used by all hosts to determine if the destination is on the same or different (sub)network
• All hosts on the same subnet (including the default gateway) must use the same subnet mask
  • Required so that all can agree upon the range of addresses that belong to that subnet

Classful Addressing

• RFC 791
• The Internet's first major addressing scheme for IPv4
• Five classes: A, B, C, D, E
• Classes distinguished by the high order bits
• The Internet Assigned Numbers Authority (IANA) oversaw all classful network assignments
  • The Host portion was assigned by local organization’s network administrator
• Routers processed packets according to their classful network

Classes A, B, C, D, and E

Determined by high order (far left, greater) bits in first octet

Class   First octet (binary)    First octet range   Default mask
A       00000000 – 01111111     0 – 127.x.y.z       /8   255.0.0.0
B       10000000 – 10111111     128 – 191.x.y.z     /16  255.255.0.0
C       11000000 – 11011111     192 – 223.x.y.z     /24  255.255.255.0
D       11100000 – 11101111     224 – 239.x.y.z     N/A - multicasting
E       11110000 – 11111111     240 – 255.x.y.z     N/A - experimental
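The classful table above together with the reserved ranges from the Public vs. Private, APIPA and Loopback slides, as an added example that is not part of the course slides: one function reads the class and default mask off the high-order bits of the first octet, another decides whether an address is private, APIPA, loopback, multicast or public (and therefore whether it needs NAT to reach the Internet). The sample addresses are taken from the slides or constructed.

```python
# Added example (not from the slides): IPv4 class lookup by high-order bits and
# classification of reserved versus public address ranges.
from __future__ import annotations
import ipaddress

# (label, CIDR block) in the order they are checked; all taken from the slides.
RESERVED_BLOCKS = [
    ("private (RFC 1918)", "10.0.0.0/8"),
    ("private (RFC 1918)", "172.16.0.0/12"),
    ("private (RFC 1918)", "192.168.0.0/16"),
    ("APIPA / link-local", "169.254.0.0/16"),
    ("loopback", "127.0.0.0/8"),
]


def ipv4_class(addr: str) -> tuple[str, str | None]:
    """Return (class letter, default mask) from the first octet's leading bits."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first >> 7 == 0b0:        # 0xxxxxxx -> 0-127
        return ("A", "255.0.0.0")
    if first >> 6 == 0b10:       # 10xxxxxx -> 128-191
        return ("B", "255.255.0.0")
    if first >> 5 == 0b110:      # 110xxxxx -> 192-223
        return ("C", "255.255.255.0")
    if first >> 4 == 0b1110:     # 1110xxxx -> 224-239, multicast
        return ("D", None)
    return ("E", None)           # 1111xxxx -> 240-255, experimental


def ipv4_scope(addr: str) -> dict:
    """Classify the address and say whether it can be routed on the Internet."""
    ip = ipaddress.IPv4Address(addr)
    for label, block in RESERVED_BLOCKS:
        if ip in ipaddress.IPv4Network(block):
            return {"kind": label, "block": block,
                    "internet_routable": False,
                    "needs_nat": label.startswith("private")}
    if ipv4_class(addr)[0] == "D":
        return {"kind": "multicast", "block": "224.0.0.0/4",
                "internet_routable": False, "needs_nat": False}
    return {"kind": "public", "block": None, "internet_routable": True, "needs_nat": False}


if __name__ == "__main__":
    for a in ("10.1.2.3", "172.31.5.5", "172.32.0.1", "169.254.10.1", "198.134.5.6"):
        print(a, ipv4_class(a), ipv4_scope(a))
```

172.32.0.1 is the classic trap: it looks like the 172.16 block but sits just past /12, so it is a public address that will be routed out to the Internet if it is used internally by mistake.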

Classless IP Addressing

• Addresses the limitations (wastefulness) of classful addressing
• Applies a custom subnet mask to allocate only the needed number of host IDs to a network
• Used in subnetting to divide a classful network into smaller subnets

Variable Length Subnet Mask (VLSM)

• Customized (classless) subnet mask
• Often more than one subnet mask is used in a network
• Requires careful subnet design to be implemented well

Classless Subnet Mask Examples

11111111.11111111.11110000.00000000 = 255.255.240.0 = /20
11111111.11111111.11111000.00000000 = 255.255.248.0 = /21
11111111.11111111.11111100.00000000 = 255.255.252.0 = /22
11111111.11111111.11111110.00000000 = 255.255.254.0 = /23
11111111.11111111.11111111.00000000 = 255.255.255.0 = /24

Classless Subnet Mask Examples (cont’d)

11111111.11111111.11111111.10000000 = 255.255.255.128 = /25
11111111.11111111.11111111.11000000 = 255.255.255.192 = /26
11111111.11111111.11111111.11100000 = 255.255.255.224 = /27
11111111.11111111.11111111.11110000 = 255.255.255.240 = /28
11111111.11111111.11111111.11111000 = 255.255.255.248 = /29
11111111.11111111.11111111.11111100 = 255.255.255.252 = /30

Classless Inter-Domain Routing (CIDR) Notation

• CIDR is the use of VLSM on the Internet
• CIDR notation is a shorthand way of representing a subnet mask
• The notation can apply to any length subnet mask, classful or classless

Steps to Subnet

1. Write out the IP address in binary
2. Insert the original subnet mask to show the dividing line
3. Refer to the subnetting table to determine how many bits to move the mask
4. Move the mask to the new location
5. Re-calculate the network ID and subnet mask

# of subnets needed         128   64   32   16   8   4   2   1
# of bits to move the mask    7    6    5    4   3   2   1   0

Subnetting Table

Activity 1.7 – Learning to Subnet

• Let’s learn how to subnet

AddressAssignments

StaticAddressing

• Manuallyconfiguredonadevice• Doesnotchange• DevicesthatshouldusestaticIPaddresses:

• Routers/gateways• Servers• Switches• Firewalls• Proxies• Anydevicethatneedstoalways“befound”atthesameaddress

DynamicHostConfigurationProtocol(DHCP)

• AservicethatautomaticallyassignsIPaddressestoclients• Canbeprovidedbyservers,routers,orotherdevices• Usesabroadcast-basedDORAhandshaketoassignanIPaddresstoaclient

• TheDHCPleaseisusuallyforalimitedtime• Clientsmustrequestanextensionoftheleasetocontinuetousetheaddress

DHCPv6• Performedbymulticast

• IPv6doesnotsupportbroadcasts

• AKAStatefuladdressautoconfiguration• WithStatelessauto-configuration,hostcanbuildaddressusingMAC-toEUI64andlinkprefixfromrouteradvertisements

Automatic Private IP Addressing (APIPA)

• DHCP clients that cannot obtain a lease will self-assign an address
• The address range reserved for APIPA is 169.254.0.0/16 (IPv4 link-local)
• Can be used for a very small or home network with users that have little networking knowledge
• An APIPA host has no default gateway, so it cannot reach the Internet or any other subnet, even through a NAT router
• APIPA addresses are link-local: routers must not forward them on any network, public or private

EUI-64

• The IEEE's 64-bit Extended Unique Identifier (EUI-64) format
• After a host obtains the network ID (prefix) from the router, it uses its own MAC address to create the host ID (interface ID) part of the IPv6 address
• The 48-bit MAC address is split in the middle and padded with FF:FE to make it the requisite 64 bits long; the IPv6 "modified EUI-64" form (RFC 4291) also inverts the universal/local bit, bit 7 of the first octet:

62-45-BD-D5-11-CB -> 6245:BDFF:FED5:11CB (padded) -> 6045:BDFF:FED5:11CB (U/L bit flipped, 0x62 -> 0x60)

• The final IPv6 address is the router's 64-bit prefix followed by this interface ID
• Because the MAC is recoverable from the address, EUI-64 interface IDs let a device be tracked across networks; most modern stacks use random or stable-privacy interface IDs (RFC 4941 / RFC 7217) instead

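The MAC-to-EUI-64 expansion described above, and its inverse, in code. This is an added example, not code from the original slides: it inserts FF:FE, flips the universal/local bit, combines the result with a /64 prefix, and recovers the MAC from such an address to show why EUI-64 leaks the hardware address. The 2001:db8:1::/64 prefix is the IPv6 documentation prefix, used as a constructed input.

```python
"""Modified EUI-64 interface IDs (RFC 4291, Appendix A).

Added example, not part of the original slides.  Shows the MAC -> EUI-64
expansion (insert FF:FE, flip the universal/local bit), SLAAC-style
combination with a /64 prefix, and the inverse, which is why EUI-64
addresses leak the hardware address.  2001:db8:1::/64 is the IPv6
documentation prefix, used here as a constructed example.
"""
import ipaddress
from typing import Optional


def mac_to_interface_id(mac: str) -> str:
    """62-45-BD-D5-11-CB -> '6045:bdff:fed5:11cb' (four 16-bit groups)."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    eui = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])   # pad FF:FE into the middle
    eui[0] ^= 0x02                                      # invert the universal/local bit
    return ":".join(f"{eui[i]:02x}{eui[i + 1]:02x}" for i in range(0, 8, 2))


def slaac_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix from a router advertisement with the EUI-64 interface ID."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    iid = int(ipaddress.IPv6Address("::" + mac_to_interface_id(mac)))
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def embedded_mac(address: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 address; None if the interface ID is not EUI-64 shaped."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02                               # undo the U/L flip
    octets = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{o:02x}" for o in octets)


if __name__ == "__main__":
    addr = slaac_address("2001:db8:1::/64", "62-45-BD-D5-11-CB")
    print(addr, "<-", embedded_mac(addr))
```

The recovery function is the practical point: a single EUI-64 address seen in a log or on a public service tells an observer the device's MAC (and hence its vendor), which is why privacy extensions replaced this scheme on most client operating systems.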
IP Reservations

• Used by a DHCP server to provide the same IP address to the same host
• Based on the host's MAC address
• The host must still go through the DHCP process
• The IP address stays the same, but other information can be updated periodically through renewal of the lease:
• Default gateway
• DNS server address
• Domain name
• Any other DHCP scope options

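The DORA exchange, lease renewal, MAC-based reservations and the APIPA fallback from the preceding slides, modelled end to end. This is an added example and not code from the original slides: the four DHCP messages are Python dicts standing in for the UDP broadcasts, so both the client's and the server's side of the handshake can be read in one place. All addresses, MACs and lease times are constructed test data.

```python
"""DHCP DORA exchange with reservations, leases and APIPA fallback.

Added worked example, not part of the original slides.  Discover, Offer,
Request and Acknowledge are modelled as Python dicts standing in for the
UDP broadcasts, so both sides of the handshake can be read in one place.
All addresses, MACs and lease times are constructed test data.
"""
import hashlib
import ipaddress
from typing import Dict, Optional, Tuple

APIPA = ipaddress.ip_network("169.254.0.0/16")


def apipa_address(mac: str) -> str:
    """Self-assigned link-local fallback; 169.254.0.x and 169.254.255.x are reserved."""
    h = int.from_bytes(hashlib.sha256(mac.encode()).digest()[:2], "big")
    return f"169.254.{1 + h % 254}.{(h >> 8) % 256}"


def is_apipa(address: str) -> bool:
    return ipaddress.ip_address(address) in APIPA


class DhcpServer:
    def __init__(self, first: str, last: str, router: str, dns: str,
                 lease_time: int, reservations: Optional[Dict[str, str]] = None):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.options = {"router": router, "dns": dns}      # scope options sent with every lease
        self.lease_time = lease_time
        self.reservations = dict(reservations or {})        # MAC -> fixed IP
        self.leases: Dict[str, Tuple[str, int]] = {}        # IP -> (MAC, expiry)

    def _held_by_other(self, ip: str, mac: str, now: int) -> bool:
        holder = self.leases.get(ip)
        return holder is not None and holder[0] != mac and holder[1] > now

    def _pick(self, mac: str, now: int) -> Optional[str]:
        """Reservation first; otherwise the first pool address not held by someone else."""
        if mac in self.reservations:
            return self.reservations[mac]
        for ip in self.pool:
            if ip in self.reservations.values():
                continue                                    # reserved for another host
            if not self._held_by_other(ip, mac, now):
                return ip
        return None                                         # pool exhausted

    def handle(self, msg: dict, now: int) -> Optional[dict]:
        """Server side of DORA: OFFER for a DISCOVER, ACK/NAK for a REQUEST, None if nothing to offer."""
        mac, xid = msg["chaddr"], msg["xid"]
        if msg["type"] == "DHCPDISCOVER":
            ip = self._pick(mac, now)
            if ip is None:
                return None
            return {"type": "DHCPOFFER", "xid": xid, "yiaddr": ip,
                    "lease_time": self.lease_time, **self.options}
        if msg["type"] == "DHCPREQUEST":
            ip = msg["requested_ip"]
            is_renewal = ip in self.leases and self.leases[ip][0] == mac
            if (ip != self._pick(mac, now) and not is_renewal) or self._held_by_other(ip, mac, now):
                return {"type": "DHCPNAK", "xid": xid}
            self.leases[ip] = (mac, now + self.lease_time)  # new lease, or extended expiry on renewal
            return {"type": "DHCPACK", "xid": xid, "yiaddr": ip,
                    "lease_time": self.lease_time, **self.options}
        raise ValueError(f"unexpected DHCP message type {msg['type']}")


def dora(mac: str, server: DhcpServer, now: int, xid: int = 0x3903F326):
    """Client side: returns (address, transcript of every message in both directions)."""
    transcript = [{"type": "DHCPDISCOVER", "chaddr": mac, "xid": xid}]
    offer = server.handle(transcript[0], now)
    if offer is None:                                       # no offer arrived: fall back to APIPA
        addr = apipa_address(mac)
        transcript.append({"type": "APIPA", "yiaddr": addr})
        return addr, transcript
    transcript.append(offer)
    request = {"type": "DHCPREQUEST", "chaddr": mac, "xid": xid, "requested_ip": offer["yiaddr"]}
    ack = server.handle(request, now)
    transcript += [request, ack]
    return (ack["yiaddr"] if ack["type"] == "DHCPACK" else None), transcript


def renew(mac: str, current_ip: str, server: DhcpServer, now: int) -> bool:
    """Lease renewal is a REQUEST for the address already held; True on ACK."""
    reply = server.handle({"type": "DHCPREQUEST", "chaddr": mac, "xid": 1,
                           "requested_ip": current_ip}, now)
    return reply["type"] == "DHCPACK"
```

Note what the model makes visible: the reserved host still performs the full handshake and receives the current scope options with its fixed address, a renewal is simply a new Request for the same address, and a client that gets no Offer ends up on 169.254.0.0/16 with no router option at all.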
1.8 Network Types and Topologies

• Wired Topologies
• Wireless Topologies
• Network Types
• Technologies that Facilitate the Internet of Things (IoT)

Wired Topologies

Logical vs. Physical

• Network topology defines the layout of a network
• The topology determines how devices connect and communicate
• Topologies are either physical or logical
• Physical: the physical layout of devices and cabling on a network
• Logical: the way signals work on the network media, or how data traverses the network from one device to another (the two can differ: hub-based Ethernet is a physical star but a logical bus)

Point-to-Point

• Only two nodes on a link
• Examples:
• WAN link between two locations
• Line-of-sight wireless between two buildings
• Uplink / trunk link between two switches
• Two PCs connected by a crossover cable

Point-to-Point Topology Examples


Bus

• In a bus there is a main cable that connects all devices on a network
• It is called the backbone; the term is also used for the main network connections composing the Internet
• Advantage: bus networks are relatively inexpensive and easy to install for small networks; early coaxial Ethernet (10BASE2/10BASE5) used a physical bus, and hub-based Ethernet is still a logical bus
• Disadvantage: if there is a break in the main cable, the network goes down, and problems can be difficult to

Star

• In a star, network devices are connected to a central device, traditionally a hub and today almost always a switch
• Nodes communicate across the network by passing data through the central device
• Also known as:
• Hub-and-spoke
• Point-to-multipoint (especially on WANs or wireless)
• Advantage: if one device or its cable malfunctions, the remainder of the network still functions
• Disadvantage: if the central device fails, the whole network is down

Star Topology Examples

(figure: switch or hub at the centre of a star; point-to-multipoint wireless example)

Ring

• In a ring, the network devices are arranged in a ring or loop
• Data travels around the ring from device to device; each device forwards frames not addressed to it and keeps the data that is addressed to it
• Advantage: each device regenerates the signal when passing data along, so a ring can support a larger network
• Disadvantage: can be slower than a star; if one device or link goes down, all devices are impacted

Dual Ring

• Used in FDDI MANs
• Redundant, counter-rotating rings provide fault tolerance

Mesh

• In a mesh, network devices are connected with redundant interconnections
• Can be thought of as a redundant star
• Two types of mesh topologies:
• Full mesh: every device has a circuit connecting it to every other device in the network
• Expensive (n(n-1)/2 links for n devices), but good for a backbone
• Partial mesh: less expensive, with less redundancy; not every pair of devices is directly connected
• Good for devices that connect to the backbone

Hybrid Topology

• Any combination of the various topologies to create a larger network

(figure: two star networks joined by a point-to-point link)

Wireless Topologies

Topologies Used by Wireless

• Point-to-Point
• Point-to-Multipoint / Star
• Mesh

Infrastructure Mode

• Star / hub-and-spoke topology
• The wireless access point is the hub
• Most Wi-Fi deployments use this hierarchical (star) topology

Ad-hoc Mode

• Full mesh topology
• No central access point
• Peer-to-peer wireless network (an IBSS in 802.11 terms)
• Each node creates a point-to-point link with every other node
• Practical limit of about 10 devices
• Example: laptops in a conference room

Network Types

Bounded and Unbounded

• Bounded
• Wired
• You can control its boundaries
• Unbounded
• Wireless
• You can't fully control its boundaries

Wired (Bounded) Communication Media

• Copper cable: carries electrical signals
• Fiber optic cable: carries LED or laser light

Wireless (Unbounded) Networks

• Wi-Fi
• Cellular
• Bluetooth
• Wireless simply uses radio instead of cables
• Both LANs and WANs can have parts of their network be wireless

Types of Networks

Type  Typical span          Scope
PAN   1 meter               Based around a person
LAN   10 m - 1 km           Room, floor, building, campus
CAN   Several km            Campus of buildings
MAN   10 km                 City
WAN   10 km - whole world   City, state, country, continent, world

Local Area Network

• Limited to a small geographical region
• A floor, building, or campus
• Uses LAN-based or dual-use network protocols/technologies
• Ethernet
• Wireless (Wi-Fi)
• Token Ring (legacy)
• ATM (legacy)
• One organization usually owns all the equipment/infrastructure

Small Office/Home Office (SOHO) LAN Example

• Creates a wired/wireless network in your home or office
• Needs a router to connect to the Internet

(figure: SOHO LAN connected to the Internet through a router)

Wireless LAN

• LAN based on wireless technologies
• Wi-Fi is the most common implementation
• Can also include Bluetooth, infrared, ZigBee and other short-range wireless technologies
• Added security risks because the network is "unbounded" (you can't control its border): anyone in radio range can capture frames and attempt to join, so encryption and authentication (WPA2/WPA3) have to do the job that walls and patch panels do on a wired LAN

Campus Area Network (CAN)

• A large LAN covering a campus of buildings
• Likely to have a high-speed fiber optic backbone
• Smaller MAN networks are sometimes referred to as "CANs"

Metropolitan Area Network (MAN)

• A network that connects users with computer resources in a geographic area or region
• Typically around a town/municipality (5 - 50 km)
• Larger than a LAN, smaller than a WAN
• Uses MAN-specific protocols
• LAN (high) speed on fiber optic cable
• Often used by companies to connect multiple sites around town
• Similar to an Internet Service Provider (ISP), but not necessarily owned by a single organization
• Often several smaller networks form a larger network
• Customers connect to these networks

MAN Protocols

• ATM: Asynchronous Transfer Mode
• FDDI: Fiber Distributed Data Interface
• SMDS: Switched Multi-megabit Data Service

Wide Area Network (WAN)

• Connects remote locations
• Across towns, states, even continents
• Owned by a service provider
• Likely to use different network protocols in various network segments
• Customers pay for the provider to connect their remote offices
• Traditionally much slower than LANs or MANs
• The Internet is the largest example of a WAN

The Internet is the Ultimate WAN

• Comprised of thousands of telecoms all connected together
• When a telecom provides Internet service, it is called an "ISP" (Internet Service Provider)
• Permits billions of devices and people to communicate across the globe

Cellular Network

• A type of WAN
• Uses cellular technology
• Cell phones connect to cell towers
• Cell towers connect to each other and to the provider's core network

Controller Area Network (CAN) Bus

• A robust vehicle bus standard (not to be confused with a Campus Area Network)
• Designed to allow microcontrollers and devices to communicate with each other in applications without a host computer
• A car is a common example
• CAN frames carry no sender authentication, so any node with bus access (for example through the OBD-II port) can inject messages that other controllers will act on

Storage Area Network

• A specialized, high-speed network
• Provides block-level network access to storage
• SANs are composed of hosts, switches, storage elements, and storage devices connected by a variety of technologies, topologies, and protocols (e.g. Fibre Channel, iSCSI)
• SANs can span multiple sites
• Advantages:
• Increased speed and reliability for storage and applications
• May improve security, because storage traffic is isolated from the user-facing LAN
• Can play an important role in business continuity

Personal Area Network

• A computer network organized around an individual person
• Set up for personal use only
• Devices typically include a computer, phone, printer, tablet and/or other personal devices
• Can use many technologies (wired or wireless)
• Traditionally Bluetooth-based
• USB and FireWire can link together a wired PAN
• Also known as a piconet (especially in Bluetooth implementations)

Technologies that Facilitate the Internet of Things (IoT)

Internet of Things

• The concept of connecting any type of device to the Internet
• All devices have unique identifiers
• Many have standardized on IPv6 addresses
• Some use UUIDs or MAC addresses
• Devices can transfer data over a network without requiring human-to-human or human-to-computer interaction

Scope of the Internet of Things

• AKA Internet of Everything
• According to Cisco, the number of devices connected to the Internet exceeds the entire human population of Earth
• Let's look at IoT projections and vision

Security Concerns of the Internet of Things

• Currently, attackers hijack home routers, set-top boxes and network-attached storage devices
• Less interest in the data they contain
• More interest in the IoT controller's computing power and network position:
• Mine cryptocurrency
• Send spam
• Crack passwords
• Join DDoS botnets
• Most devices can be remotely controlled through a smartphone app
• If your phone is hacked, it makes your entire home network vulnerable
• Devices that ship with default credentials and rarely receive firmware updates are the usual entry point

802.11

• AKA Wi-Fi
• A set of media access control (MAC) and physical layer (PHY) specifications
• Has many variants: 802.11, a, b, g, n, ac, ax
• Many others are not implemented in the US
• Used to implement WLANs
• 900 MHz and 2.4, 3.6, 5, and 60 GHz frequency bands
• Ever increasing speed and throughput
• Some variants traded bandwidth for distance
• Generally too power-intensive for small IoT devices

ZigBee

• An open wireless standard that everyday devices use to connect to one another
• Based on IEEE 802.15.4
• Cheap and low power
• 250 kb/s
• 2.4 GHz (most common)
• Some regions use other frequencies (784 MHz China, 868 MHz Europe, 915 MHz Americas)
• Meant to create safe "smart" homes
• Not IP-based
• Uses 802.15.4 MAC addressing
• AES-128 symmetric encryption; the protection is only as good as the network key distribution, and some products have shipped with a well-known default link key

ZigBee Device Examples

• Lighting
• Voice control
• Home energy management
• Thermostat / humidity controller
• Security alarm hub
• Home automation
• Smoke alarm / gas / motion sensor

Z-Wave

• Proprietary wireless technology
• Direct competitor to ZigBee
• 9.6 - 100 kb/s
• 908.42 MHz in the U.S. (other sub-GHz bands elsewhere)
• Won't interfere with Wi-Fi
• Might interfere with some cordless phones
• Not IP-based
• Addresses are a 32-bit Home ID plus an 8-bit Node ID (up to 232 nodes per network)
• Supports AES-128 encryption
• But not all manufacturers implement it, and the legacy S0 security class exchanges the network key under a fixed, known temporary key, a weakness fixed by the S2 class

Z-Wave Device Examples

• Lighting
• Thermostats
• Smart locks
• Garage door openers
• Voice control
• Rat and rodent traps
• Smoke / CO2 / motion sensors and alarms
• Home energy / water management

Thread

• An open wireless protocol
• Developed by a consortium (the Thread Group) including Google's Nest Labs, Samsung Electronics, ARM and others
• Designed to be a smart-home networking protocol that could support the Internet of Things for years to come
• Natively handles IPv6 (via 6LoWPAN)
• Like ZigBee, is based on the 802.15.4 radio standard

WeMo

• Proprietary (Belkin)
• Piggybacks on existing Wi-Fi networks
• Self-healing, low-power mesh
• Uses WPA2 Wi-Fi security
• Up to 250 devices
• Battery-operated devices can be recharged through the home network
• Examples:
• Lighting
• Coffee makers
• Crock pots

Bluetooth Mesh

• Builds upon the Bluetooth Low Energy standard
• Compatible with any Bluetooth 4.0 LE device
• Allows devices to communicate with each other in a distributed network
• Similar to how ZigBee and Z-Wave devices connect
• Much longer range than a single BLE link: up to 300 feet
• Low transmission rate makes it unsuitable for data-heavy applications such as video

ANT / ANT+

• A proprietary (but open access) multicast wireless sensor network technology
• Conceptually similar to, but not compatible with, Bluetooth LE
• Ultra-low power (ULP) wireless collection, automatic transfer and tracking of sensor data
• ANT+ is an interoperability function that can be added to the base ANT protocol
• Allows for the networking of nearby ANT+ devices
• Facilitates the open collection and interpretation of sensor data
• Allows accessories such as heart rate monitors, speed/cadence sensors, foot pods and power meters to "talk" to ANT+ compatible devices and fitness equipment
• Current focus is on sport, wellness management and home health monitoring
• Examples: Nike, Adidas, Fitbit

Bluetooth Low Energy (LE)

• AKA Bluetooth Smart
• Designed for very low power operation
• Optimized for short, infrequent bursts of data, not for streaming transfers such as classic Bluetooth wireless audio
• Uses 16-, 32- or 128-bit UUIDs to identify services and characteristics; the devices themselves are identified by 48-bit Bluetooth addresses
• Used by most modern smartphones
• Used in medical monitors
• Glucose, blood pressure, heart rate, etc.
• 2.4 GHz

Comparison of IoT Technologies

Technology      Range (ft)  Max devices          Max data rate     Frequency             Network type                Encryption
Z-Wave          100         232                  9.6-100 kb/s      908/916 MHz (U.S.)    Mesh                        AES-128
ZigBee          35          65,000               40-250 kb/s       915 MHz / 2.4 GHz     Mesh                        AES-128
WeMo            100         Router-dependent     Router-dependent  2.4 GHz               Star                        WPA2
Thread          100         250-300              250 kb/s          2.4 GHz               Mesh                        AES
Bluetooth mesh  330         32,000               1 Mb/s            2.4 GHz               Mesh                        AES-128
Bluetooth LE    33-1970     8 (can be extended)  2 Mb/s            2.4 GHz               Scatternet (extended star)  AES-128
ANT             100         65,533               60 kb/s           2.4 GHz               P-P, star, tree, mesh       AES 64/128 bit

Near-Field Communication (NFC)

• A set of communication protocols that enable two electronic devices to establish communication
• Devices must be very close: about 4 cm (1.6 inches)
• Often used by smartphones for point-of-sale transactions
• Can also be used for:
• File sharing
• Inventory control / loss prevention

NFC Tags

• A small memory chip attached to an antenna
• An NFC reader (e.g. a mobile phone) powers the antenna and chip with its electromagnetic field
• Contents can then be transferred from chip to reader

Radio Frequency Identification (RFID)

• Uses electromagnetic or electrostatic coupling to uniquely identify an object, animal or person
• Passive RFID tags do not require their own power source; they are energized by the reader's field (active tags carry a battery for longer range)
• Commonly used for:
• Access control (RFID badges); many legacy badge formats transmit a static ID in the clear and can be read and cloned with inexpensive hardware
• Inventory control / loss prevention

Infrared (IR)

• Uses infrared light
• The original wireless
• Requires line-of-sight, mirrors, or extenders
• Originally used by laptop mice and remote controls
• Still used in home entertainment systems

1.9 Wireless Technologies

• Radio Basics
• 802.11 Standards
• Wi-Fi Frequencies
• Wi-Fi Antenna Concepts
• Bluetooth
• Cellular
• Site Surveys

Radio Basics

How Radio Works

• Data/voice/video piggybacks on a "carrier" frequency
• Radio is a very broad range of electromagnetic frequencies (roughly 3 kHz to 300 GHz) that can be used to carry voice, video, data or any other kind of information
• It occupies the part of the electromagnetic spectrum below infrared

(figures: What is Radio?; Light Trick that Demonstrates the Existence of Waves; Modulation Types)

What Interferes with Radio?

• Obstructions that reflect or absorb the waves:
• Steel, concrete, mountains, water, forests, atmospheric conditions
• Other electromagnetic transmissions that "confuse" or overwhelm the receiving device:
• Other devices transmitting at too close a proximity / frequency
• Wave reflections
• Solar and electrical storm activity
• Bursts of radiant energy from machines, motors, appliances, faulty electrical circuits, power lines
• Earth's magnetic field

Electromagnetic Waves Have Three Basic Features

• Wavelength (distance between peaks), measured in meters / millimeters
• Frequency (how often the wave repeats), measured in hertz (Hz), or cycles per second
• Amplitude (power level or intensity of the wave), measured in watts, kilowatts (thousands of watts) or milliwatts (thousandths of watts)

Radio Frequencies are Typically Measured in:

• Kilohertz (thousand cycles per second)
• Megahertz (million cycles per second)
• Gigahertz (billion cycles per second)

Wireless LANs use microwave frequencies

In telecommunications, the term "radio" now includes microwave frequencies

Modulation

• The act of piggy-backing a signal (voice/video/music/data) on top of a powerful "carrier" wave
• The carrier is the appropriate power/frequency/waveform for the transmission media (air, water, wire, fiber optic cable)
• The modulated carrier is then transmitted through the media
• The receiver picks up the transmission and strips off the carrier (demodulates) so that only the data is left

(figure: a single radio frequency is modulated to carry data)

Wi-Fi Channels

Spectrum Analyzer View of Wireless Signals

Images courtesy metageek.com

(figure labels: 802.15.4 ZigBee, 802.11ac, 802.15 Bluetooth, cordless phone, microwave oven, 802.11n, Wi-Fi jammer)

Materials that Block Radio

• Concrete / earth / stone / brick
• Metal / buildings
• Hills
• Water

802.11 Standards

802.11

• Original Wi-Fi standard (legacy)
• 2.4 GHz
• 1 - 2 Mb/s speed
• Used either FHSS or DSSS modulation

802.11 and the OSI Model

• Layers 1 & 2

Layer 1 sublayers:
• Physical Layer Convergence Procedure (PLCP): adds the preamble and PHY header
• Physical Medium Dependent (PMD): modulates and converts to bits

Layer 2 sublayers:
• Logical Link Control (LLC): receives the MAC Service Data Unit (all upper layer data)
• Media Access Control (MAC): adds source/destination MAC addresses and the BSSID
• At this layer the frame is called an "MPDU"

FHSS and DSSS

Direct Sequence Spread Spectrum (DSSS)
• Signal spread across both frequency and time
• Data bits are modulated with a "chip" signal and spread simultaneously across multiple frequencies in the channel
• Can deliver up to 11 Mb/s (802.11b)

Frequency Hopping Spread Spectrum (FHSS)
• Signal spread across time
• The carrier RF constantly hops around different frequencies within the channel
• Robust, but low data rates (1 - 2 Mb/s in the original 802.11)

DSSS Modulation

• The RF carrier is multiplied with an extra digital signal
• Pseudo-noise codes (aka "chips")
• The resulting carrier signal becomes very wide
• Allows the Wi-Fi signal's power density to sit below the surrounding "noise" threshold
• A receiver that knows the chip sequence can still receive and decode without loss of quality

802.11a

• One of the first Wi-Fi wireless network communication standards
• 5.0 GHz kept it out of the congested 2.4 GHz band
• Maximum theoretical bandwidth of 54 Mbps
• 6 Mbps more common in practice at range
• Short distance: up to 75 feet outdoors
• Orthogonal Frequency Division Multiplexing (OFDM) modulation

OFDM Modulation

• Divides a given channel into many narrower subcarriers
• Spacing is such that the subcarriers are orthogonal
• They won't interfere with one another despite the lack of guard bands (unused frequencies) between them

802.11b

• The first wireless LAN standard to be widely adopted
• Built into many laptop computers and other forms of equipment
• 2.4 GHz
• Operated in the congested ISM band
• Competition with garage door openers, cordless phones, baby monitors, etc.
• 11 Mbps max
• Up to 400 feet outdoors
• Could be significantly extended with a directional antenna and more power
• Longer distance made it more popular than 802.11a
• Antennas not compatible with 802.11a: you had to have a dual-band radio and antenna to operate both a and b
• Direct Sequence Spread Spectrum (DSSS) modulation

802.11g

• Provided the higher speeds of 802.11a while operating at 2.4 GHz
• Replaced the 802.11b standard
• Maximum raw data rate of 54 Mbps
• Practical maximum throughput of just over 24 Mbps
• 150 feet indoors
• Orthogonal Frequency Division Multiplexing (OFDM) modulation, falling back to DSSS only for compatibility with 802.11b clients

802.11n

• Developed to provide much better performance
• Raw speed up to 600 Mbps (four spatial streams on 40 MHz channels)
• Backwards compatible with earlier 802.11a/b/g standards
• Operates in both the 2.4 and 5 GHz bands
• 175+ feet indoors
• Orthogonal Frequency Division Multiplexing (OFDM) modulation combined with MIMO

802.11ac

• "Gigabit Wi-Fi"
• Very High Throughput: up to about 7 Gbps theoretical
• 5 GHz band only
• Up to 256-QAM (Quadrature Amplitude Modulation)

256-QAM

• Each transmitted symbol is one of 256 combinations of carrier amplitude and phase, drawn as points in a "constellation" diagram
• 256 points = 8 bits per symbol (log2 256); the 64-QAM of 802.11n carries 6
• Higher-order QAM needs a cleaner signal (higher SNR), so the highest rates are only reached at short range

802.11ah (HaLow)

• 900 MHz for extended range
• Low energy consumption (competes with Bluetooth)
• Large groups of stations/devices can cooperate to share the signal
• 347 Mbps max
• Suited for IoT
• (up to) 256-QAM modulation

802.11ax (Wi-Fi 6)

• Designed to improve overall spectral efficiency, especially in dense deployment scenarios
• 2.4 / 5 GHz
• OFDMA* + 1024-QAM modulation
• Expected to have 4x the throughput of 802.11ac
• Products began shipping in 2019; the standard itself was ratified as IEEE 802.11ax-2021

*Orthogonal Frequency Division Multiple Access

Wi-Fi Frequencies

Speed and Distance

• Speed = throughput in Kbps, Mbps, or Gbps
• Speed can be negotiated down until the link is stable for both sides
• The speed decreases as the distance between the transmitter and receiver increases

Channel Bandwidth

• Channel width controls how broad the signal is for transferring data
• By increasing the channel width, the speed and throughput of a wireless broadcast can be increased
• Higher channel bandwidths support a higher data rate, at the cost of fewer non-overlapping channels

2.4 GHz

• Part of the Industrial, Scientific and Medical (ISM) band
• Unlicensed: anyone can transmit within power limits
• The longer wavelength requires an antenna of appropriate length
• Able to reach farther than the 5 GHz frequency, which means more coverage
• Fewer channel options, with only three of them non-overlapping
• Many devices use 2.4 GHz frequencies, which causes interference
• Microwaves, cordless phones, baby monitors

2.4 GHz Channels

• A channel is actually a range of frequencies
• 22 MHz wide (802.11b DSSS; 20 MHz for OFDM), with channel centers spaced 5 MHz apart: 2407 + 5 x channel MHz, except channel 14 at 2484 MHz
• Data is spread across the channel range
• Channels 1, 6, and 11 are the only non-overlapping channels in the US*; channel 14 is also non-overlapping where it is permitted (Japan, 802.11b only)
• Ch. 12 - 13 also used in Europe
• Ch. 12 - 14 also used in Japan

*US only: other countries have different patterns

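The channel arithmetic behind the "1, 6, 11" rule, as an added example that is not part of the original slides. It derives the center frequencies from the 5 MHz raster described above, decides whether two channels overlap for a given channel width, builds a non-overlapping plan for a regulatory domain, and lists the colliding pairs in a set of observed channels (the kind of list a spectrum analyzer survey produces). The per-region channel lists are the ones the slides give (US 1-11, Europe 1-13, Japan 1-14); the 20 MHz case shows why European deployments can use 1/5/9/13 with OFDM.

```python
"""2.4 GHz Wi-Fi channel centers and overlap.

Added worked example, not part of the original slides.  Computes channel
center frequencies from the 5 MHz raster, decides which channels overlap
for a given channel width (22 MHz for 802.11b DSSS, 20 MHz for OFDM),
picks a non-overlapping plan for a regulatory domain, and reports
colliding pairs among observed channels.
"""
from typing import Iterable, List, Tuple

# Channel lists per regulatory domain, as given in the slides.
REGION_CHANNELS = {"US": range(1, 12), "EU": range(1, 14), "JP": range(1, 15)}


def center_mhz(channel: int) -> int:
    """Channels 1-13 sit 5 MHz apart starting at 2412 MHz; channel 14 is the odd one out at 2484."""
    if channel == 14:
        return 2484
    if not 1 <= channel <= 13:
        raise ValueError(f"no such 2.4 GHz channel: {channel}")
    return 2407 + 5 * channel


def overlaps(ch_a: int, ch_b: int, width_mhz: int = 22) -> bool:
    """Two channels overlap when their centers are closer than one channel width."""
    return abs(center_mhz(ch_a) - center_mhz(ch_b)) < width_mhz


def non_overlapping(channels: Iterable[int], width_mhz: int = 22) -> List[int]:
    """Greedy plan: walk the channels in order and keep each one that clears every kept channel."""
    kept: List[int] = []
    for ch in sorted(channels):
        if all(not overlaps(ch, k, width_mhz) for k in kept):
            kept.append(ch)
    return kept


def collisions(channels_in_use: Iterable[int], width_mhz: int = 22) -> List[Tuple[int, int]]:
    """Pairs of observed channels (e.g. from a spectrum analyzer survey) that interfere."""
    seen = sorted(set(channels_in_use))
    return [(a, b) for i, a in enumerate(seen) for b in seen[i + 1:] if overlaps(a, b, width_mhz)]


if __name__ == "__main__":
    for region, chans in REGION_CHANNELS.items():
        print(region, "22 MHz:", non_overlapping(chans), " 20 MHz:", non_overlapping(chans, 20))
    # Constructed survey: neighbours on 1, 3, 6 and 11.
    print("colliding pairs:", collisions([1, 3, 6, 11]))
```

With 22 MHz channels the greedy plan reproduces 1/6/11 for the US and 1/6/11/14 for Japan; narrowing the width to 20 MHz for OFDM lets Europe fit four channels (1/5/9/13). A neighbour on channel 3 collides with both 1 and 6, which is the usual reason a "non-overlapping" plan still suffers interference.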
5.0 GHz

• Only partly in the ISM band (5.725 - 5.875 GHz); most channels are in the U-NII bands
• The shorter wavelength needs a shorter antenna length
• 2.4 and 5 GHz antennas are not interchangeable
• Shorter distance than 2.4 GHz
• Fewer interference sources than 2.4 GHz
• 45 channels
• 23 non-overlapping channels
• Also used by radar and the military (DFS channels require radar detection before use)

Wi-Fi Antenna Concepts

Antenna Direction

Unidirectional / Omnidirectional

• Omnidirectional antennas radiate signal in a 360-degree field
• They generally are long, rod-like cylinders
• Unidirectional antennas radiate signal in a 45 - 90 degree directional field
• A narrower field focuses the signal
• Allows the signal to travel farther
• Regardless of omni or uni, another consideration is gain
• The higher the dBi (gain), the farther it will reach

Wi-Fi Antenna Examples

(figure: 14 dBi directional, 25 dBi directional Yagi, 5 dBi omni, 9 dBi omni)

Channel Bonding

• Channel bonding is an arrangement of communications links in which two or more links are combined for redundancy or increased throughput
• Bonded channels can be wired links, or cellular links for wireless bonding
• In 802.11 (Wi-Fi), channel bonding first appeared in the proprietary Atheros "Super G" extension to 802.11a/g
• Two standard 54 Mbps channels are bonded together to provide 108 Mbps throughput
• Standardized in 802.11n as 40 MHz channels (two adjacent 20 MHz channels)

Multiple Input Multiple Output (MIMO)

• The use of multiple transmit and receive antennas on a radio
• Multiplies the capacity of a radio link
• Sends multiple "streams" of data at the same time
• First used in Wi-Fi in 802.11n
• Also used in cellular 3G & 4G, and WiMAX 4G

Multi-User MIMO (MU-MIMO)

• AKA Next-Gen AC or AC Wave 2
• Allows a Wi-Fi router to communicate with multiple devices simultaneously
• Decreases the time each device has to wait for a signal
• Dramatically speeds up a network
• Most routers today use MU-MIMO antennas

MU-MIMO Example

Examples of Routers with MU-MIMO Antennas

Bluetooth

• OSI Layers 1 & 2
• IEEE 802.15.1
• A packet-based wireless protocol for exchanging data over short distances
• Devices use a "profile" to specify desired behavior/features
• Uses 48-bit addresses (BD_ADDR), written in hexadecimal

Bluetooth (cont'd)

• Requires devices to "pair" (form a connection)
• Devices that reconnect automatically are "bonded": they have stored the link key produced by pairing
• Creates a hub-and-spoke piconet
• 1 "master", up to 7 active "slaves"
• Current versions:
• 4.0 (includes Low Energy)
• 5.0 (IoT)
• AES-CCM encryption in LE and in BR/EDR Secure Connections; older BR/EDR links use the weaker E0 stream cipher
• 1 - 3 Mb/s data transfer rate

Common Bluetooth Use Cases

• Wireless mouse / keyboard / joystick
• Wireless headset / earphone
• Wii or PS3 gaming controller
• Wireless printer
• File and data transfer between phones
• Transmit / stream health sensor data
• IoT devices

Bluetooth Device Classes

Class  Max permitted power (mW)  Typical range (meters)  Common uses
1      100                       100                     Bluetooth access point, industrial devices
2      2.5                       10                      Phones, most consumer devices
3      1                         1                       Headsets
4      0.5                       0.5                     Headsets

Bluetooth Piconet

Bluetooth Scatternet

• A slave of one piconet is the master of another piconet
• One node might be the slave of two masters
• A master can command a slave to "park" (become inactive) until the master wakes it back up

Bluetooth Protocol in the OSI Model

Cellular

What is a Cellular Network?

• A communication network where the last link is wireless
• The network is distributed over land areas called cells
• Each cell is served by at least one (but usually three) transceivers

Cell Tower Examples

Cell Tower Placement

Benefits of Cellular

• More capacity than a single large transmitter
• The same frequency can be used for multiple links as long as they are in different (non-adjacent) cells
• Mobile devices use less power than with a single transmitter or satellite
• The cell towers are closer
• Larger coverage area than a single terrestrial transmitter
• Additional cell towers can be added indefinitely and are not limited by the horizon

TDMA

• TDMA (Time Division Multiple Access) is a technology used in digital cellular telephone communication
• Divides each cellular channel into time slots (three in the North American IS-136 "D-AMPS" system, eight in GSM) in order to increase the amount of traffic that can be carried

CDMA

• Code Division Multiple Access
• A competing cell phone service technology to GSM
• Originally designed by Qualcomm in the U.S.
• Primarily used in the U.S. (Verizon, Sprint) and portions of Asia
• Uses a "spread-spectrum" technique
• Electromagnetic energy is spread to allow for a signal with a wider bandwidth

GSM

• Global System for Mobile communications
• A variant of TDMA
• Worldwide the most popular 2G cellular technology
• 80% of the world uses it
• In the USA it was used by AT&T and T-Mobile, while Verizon and Sprint used CDMA; both converged on LTE for 4G

Site Surveys

Site Survey

• Physical visit and walkthrough of an existing or potential location
• Used to identify existing or potential challenges to installing the network
• A wireless site survey focuses on:
• Required coverage
• Antenna placement and design
• Cable distances
• Power distribution to access points
• Placement of wireless controllers
• Physical obstructions to the RF signal
• Potential RFI/EMI interference sources

Predictive Site Survey

• A virtual survey of a site
• Uses relevant information about the site to plan the wireless network
• Saves money over the traditional survey
• Makes assumptions and may miss actual physical issues

Wi-Fi Coverage Heat Map

Activity 1.9 - Using an RF Spectrum Analyzer

• Let's use a spectrum analyzer to look at Wi-Fi channels and RFI

1.10 Summarize Cloud Concepts and their Purposes

• Types of Services
• Cloud Delivery Models
• Security Implications / Considerations

Types of Services

What is a Cloud?

• A service provider's data center
• Customers connect over the Internet via browser or VPN
• Assets / services are virtualized
• Customers can put desired items in a shopping cart and quickly "stand them up"
• There are three primary categories of cloud services:
• Software-as-a-Service (SaaS)
• Platform-as-a-Service (PaaS)
• Infrastructure-as-a-Service (IaaS)

Software-as-a-Service (SaaS)

• Typically offered as a complete, ready-to-use application
• One email server / system
• A hosted Microsoft SQL database service
• Software is licensed on a subscription basis and centrally hosted by a third party
• The provider takes care of the configuration and maintenance of the service
• The customer customizes the deployment from a pre-configured set of options
• This model is the least complex from the customer's perspective

Platform-as-a-Service (PaaS)

• A cloud computing model in which a third-party provider delivers and maintains a platform (usually a server with operating system and runtime) for the customer to develop/build and run their own service on
• Saves the customer from having to install and maintain in-house hardware and software
• The customer chooses the desired level of performance, which the provider translates internally to a certain amount of hardware
• The provider patches and maintains the operating system and runtime; the customer is responsible for the configuration of the application and its data
• Used predominantly for application development and deployment

Infrastructure-as-a-Service (IaaS)

• A third party hosts the infrastructure components conventionally present in an on-premises data center, including servers, storage and networking hardware, redundancy and virtualization
• Usually includes billing, monitoring, log access, security, load balancing and clustering, and storage including backups, replication and recovery
• The customer is completely responsible for choosing, configuring, securing, and utilizing all components
• Requires a high learning curve
• This is the most complex model from the customer's perspective

Other as-a-Service Types

• XaaS: Everything as a Service
• Any combination of tools, products, or technologies that a provider can offer from their cloud
• Sometimes used as an umbrella term to encompass SaaS, PaaS, and IaaS
• DBaaS: Database as a Service
• SaaS that specifically focuses on databases
• DaaS: Desktop as a Service
• VDI virtual desktops with apps pre-installed
• Users connect to a desktop that runs in the provider's cloud and is streamed to their device

Other as-a-Service Types (cont'd)

• SECaaS: Security as a Service
• The provider integrates their security services into your corporate environment
• IDaaS: Identity as a Service
• Cloud-based single sign-on, authentication and access control
• CaaS: Communication as a Service
• VoIP, instant messaging, collaboration, video conferencing
• MBaaS: Mobile Backend as a Service
• Allows web and mobile app developers to link applications with backend cloud applications and storage
• MaaS: Malware as a Service
• Rent a botnet (a "stresser" or "booter", i.e. DDoS for hire)
• Not to be confused with Mobility as a Service or Monitoring as a Service

Try doing a Google search for "network stresser"

Cloud Delivery Models

Public Cloud

• A service provider makes resources, such as virtual machines (VMs), applications or storage, available to the general public over the Internet
• Public cloud services may be free or offered on a pay-per-usage model
• The main difference between public and private clouds is that the individual or organization is not responsible for any of the management of a public cloud hosting solution
• The data is stored in the provider's data center and the provider is responsible for the management and maintenance of the data center

Private Cloud

• A private cloud is a cloud computing model that involves a secure cloud-based environment where only the specified organization can access its resources
• The data center may be wholly in-house on the company's premises, or provided by a third party
• Private cloud services can vary considerably from a technical aspect, therefore they are usually categorized by the features that they offer to their client

Hybrid

• A hybrid cloud is a cloud computing environment which uses a mix of on-premises / private cloud and third-party public cloud services, with orchestration between the two platforms
• By allowing loads to move between private and public clouds as computing needs change, the hybrid cloud gives organizations greater flexibility and data deployment options

Relationship between Local and Cloud Resources

• The traditional IT model: advantages and disadvantages
• Advantages: full control of applications and data, and of the security controls around them
• Disadvantages: own hardware and upgrades, software and upgrades, power issues, redundancy and business continuity, large in-house IT department
• The cloud computing model: advantages and disadvantages
• Advantages: flexibility and scalability; hardware, software, power issues, redundancy and business continuity are handled by the vendor; smaller IT department
• Disadvantages: security might be a primary concern; expertise with the application is still needed

Cloud Connectivity Methods

• Web portal: the customer accesses the cloud through a website
• VPN: the customer makes a VPN connection over the Internet to the cloud system
• Public cloud services may offer VPN appliances or native VPN through the network services console
• Direct connection: a more predictable connection might be a direct private connection via co-location facilities
• Referred to as "cloud hotels"; cloud providers partner with large data center providers
• Direct connections come in two Ethernet speeds, 1 Gbps or 10 Gbps
• Telco managed: individuals or organizations have a wider variety of connectivity options with telco providers
• Telco providers offer MPLS and Ethernet connection options and a variety of contract lengths

Security Implications / Considerations

Cloud Security Implications / Considerations

• You are not in control of your data
• The provider must have good controls and assurances in place (e.g. independent audit reports)
• You will need to implement compensating controls to cover any gaps discovered in the provider's security
• You will be responsible for the security of any aspect of the cloud that you are permitted to configure (the "shared responsibility" model)

IaaS Security Implications / Considerations

• Similar to the concerns of a traditional corporate data center
• You the customer will be responsible for all aspects of security at all levels of your network, operating systems and applications
• The provider is responsible for the security of the physical equipment, the virtualization layer, and the personnel that maintain the physical equipment
• You the customer are responsible for ensuring compliance standards are evaluated and met
• An auditor will need to be able to determine if compliance requirements are met

PaaS Security Implications / Considerations

• The provider is responsible for the physical equipment and platform/system availability
• You the customer are responsible for:
• Any applications you have configured on that platform
• Monitoring access and usage
• Keeping track of regulatory compliance
• One of the features you will have to decide on is whether or not you will include (and pay for) redundancy

SaaS Security Implications / Considerations

• The provider is responsible for most of the security
• You the customer are focused on application configuration and data protection
• You are also likely to be concerned with maintaining:
• Identity and Access Management (IAM) controls (e.g., single sign-on and federation)
• Data protection technology (e.g., data loss prevention and encryption)
• You might choose to integrate your on-premises deployment with the SaaS deployment

Activity 1.10 - Exploring Cloud Services

• Let's explore cloud services

1.11 Explain the Functions of Network Services

• DNS Service
• DHCP Service
• NTP
• IPAM

DNS Service

Domain Name System

• Maps "friendly" host names to IP addresses (and, through reverse lookups, IP addresses back to names)
• Exists for human convenience
• Allows IP addresses to change without changing the name users know
• Places all organizations in a single hierarchy
• Uses a hierarchical naming scheme
• Distributed database management and name lookup permits organizations to manage their own records

DNS Hierarchical Structure

• The DNS hierarchy is comprised of the following elements:
• Root level, top-level domains, second-level domains, sub-domains, and hosts
• The DNS root zone is the highest level in the DNS hierarchy tree
• It answers requests for records in the root zone
• Provides a list of authoritative name servers for the appropriate TLD (top-level domain)
• The root servers are the first step in resolving a domain name
• The next level in the DNS hierarchy is the top-level domains (there are many)
• They form an organizational hierarchy (generic TLDs such as .com and .org) and a geographic hierarchy (country-code TLDs such as .uk)

Hierarchy continued

• The next level in the DNS hierarchy is the second-level domains
• This includes the main part of the domain name (comptia in comptia.org)
• The sub-domain is the next level in the DNS hierarchy
• A sub-domain is a domain that is part of a larger (parent) domain
• The only domain that is not also a sub-domain is the root domain

DNS Hierarchy

(figure: the tree below the root ".", with TLDs .com, .net, .org, .edu and .uk; second-level domains ituonline, google and comptia; sub-domains europe and americas under comptia.org; example records A 50.57.255.51 for www.ituonline.com and an MX record for mail.ituonline.com. The root holds pointers to the TLD DNS servers. comptia.org delegates europe.comptia.org to its own database ("I'm delegating you to manage ..."), while the americas.comptia.org records stay in the parent comptia.org database.)

DNS Process (diagram)

Participants: DNS client, local DNS server, root (".") DNS server, .com DNS server, company.com DNS server
The company.com DNS server holds: 192.168.1.52 mail.company.com and 192.168.1.68 www.company.com

1. DNS client -> local DNS server: "I need the IP address for www.company.com."
2. Local DNS server -> DNS client: "Please hold while I retrieve the information for you."
3. Local DNS server -> root server: "www.company.com?"
   Root server: "Ask the .com server – here's its address."
4. Local DNS server -> .com server: "www.company.com?"
   .com server: "Ask the company.com server – here's its address."
5. Local DNS server -> company.com server: "www.company.com?"
   company.com server: "Yes I have it. Here it is." (192.168.1.68 www.company.com)

DNS Process (cont'd)

6. Local DNS server -> DNS client: "Here you go." (192.168.1.68 www.company.com)
   DNS client: "Thanks."

The client's query is recursive (it wants a final answer); the local server's queries are iterative (each server returns either the answer or a referral to the next server down the tree). The local server caches the answer so the next client asking for the same name is served without the walk.
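The walk above, simulated in Python as an added example (this is not code from the course; the server addresses, zone data and record values are made up for the illustration). The local resolver starts at the root, follows each referral, and caches the final answer:

```python
"""Simulated iterative DNS resolution: a local (recursive) resolver walks
root -> TLD -> authoritative server, following referrals, as in the exchange
above. All server addresses and records are constructed for the example;
nothing is sent on the wire."""

ROOT_SERVER = "198.41.0.4"      # hypothetical root server address
COM_SERVER = "192.5.6.30"       # hypothetical .com TLD server address
COMPANY_SERVER = "192.168.1.1"  # hypothetical company.com server address

# Each server knows either answers (A records) or referrals (delegation + glue address).
SERVERS = {
    ROOT_SERVER: {
        "referrals": {"com.": ("a.gtld-servers.net.", COM_SERVER)},
        "answers": {},
    },
    COM_SERVER: {
        "referrals": {"company.com.": ("ns1.company.com.", COMPANY_SERVER)},
        "answers": {},
    },
    COMPANY_SERVER: {
        "referrals": {},
        "answers": {
            "www.company.com.": "192.168.1.68",
            "mail.company.com.": "192.168.1.52",
        },
    },
}


def query(server, qname):
    """One query/response exchange with a server.
    Returns ('answer', ip), ('referral', next_server_ip) or ('nxdomain', None)."""
    zone = SERVERS[server]
    if qname in zone["answers"]:
        return "answer", zone["answers"][qname]
    best = None  # closest enclosing delegation wins (longest matching suffix)
    for suffix, (_nsname, glue) in zone["referrals"].items():
        if qname == suffix or qname.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, glue)
    if best:
        return "referral", best[1]
    return "nxdomain", None


def resolve(qname, cache=None, max_hops=8):
    """Iterative resolution as performed by the local DNS server.
    Returns (ip_or_None, path) where path lists the servers consulted."""
    cache = cache if cache is not None else {}
    if not qname.endswith("."):
        qname += "."
    if qname in cache:
        return cache[qname], ["cache"]
    server, path = ROOT_SERVER, []
    for _ in range(max_hops):
        path.append(server)
        kind, data = query(server, qname)
        if kind == "answer":
            cache[qname] = data
            return data, path
        if kind == "referral":
            server = data
            continue
        return None, path
    raise RuntimeError("referral loop: bad delegation")  # defensive bound on the walk
```

Passing the same `cache` dict to a second `resolve()` call returns the answer without touching any server, which is exactly why cache poisoning is so attractive to an attacker: one bad answer is served to every client behind the resolver until it expires.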

Record Types

• Domain Name Services contain:
  • Resource records
  • Information types
  • Other and pseudo records

A, AAAA

• The most basic type of DNS record
• Map friendly names to IP addresses
• The AAAA (also "quad-A") record specifies the IPv6 address for a given host
• It works the same way as the A record

Canonical Name (CNAME)

• Domain name aliases
• A computer on the Internet often performs multiple roles, such as web server, FTP server, chat server, etc.
• To mask this, CNAME records can be used to give a single computer multiple names (aliases)
• For example, a server may be both a web server and an FTP server, so two CNAME records (www and ftp) are configured
• You also need the original A record to find out the actual IP address of the host
• The CNAME records point to the name that owns the A record
• This way, you only need to update one record if the IP address changes
• Caveat: a name that has a CNAME may not carry any other record type, so the zone apex (example.com itself, which must hold SOA and NS records) cannot be a CNAME

Mail Exchanger (MX)

• Used to specify the e-mail server(s) responsible for a domain name
• Each MX record points to the name of an e-mail server and holds a preference number for that server (lower values are tried first)
• If a domain name is handled by multiple e-mail servers, a separate MX record is used for each e-mail server
• You also need the A record to know the actual IP address of the server (an MX record holds a host name, never an IP address)

Name Server (NS)

• The DNS servers that are authoritative for a zone
  • Have a copy of the database
• A zone should contain one NS record for each of its DNS servers (primary and secondary servers)
  • This is important for zone transfer (replication) purposes
• NS records have the same name as the zone in which they are located
• A very important function of the NS record is delegation
  • A DNS server that is higher up in the namespace tree points down to the next DNS server that has the records for an independent child domain
  • For example, the .com DNS servers delegate control of microsoft.com to Microsoft's own name servers

Service (SRV)

• Specifies the location of a service
• The record's name is made of 3 parts:
  • Service (e.g., _ldap)
  • Protocol (usually _tcp or _udp)
  • Domain name
• The record's data carries a priority, a weight, the port number, and the target host name
• A common implementation is in Active Directory
  • SRV records point to the domain controllers responsible for the various roles

Pointer (PTR)

• Used for reverse lookups
• Maps IP addresses to friendly names
• The reverse of what A records and AAAA records do
• An IPv4 PTR record name lists the octets of the IP address in reverse order, with "in-addr.arpa" appended to the end
• An IPv6 PTR record name lists each hex digit of the fully expanded IP address in reverse order
  • dots between each digit
  • "ip6.arpa" appended to the end
• PTR records are often used for security checks
  • A node using an IP address can be tied back to the domain it belongs to; mail servers, for example, commonly verify that a connecting address has a PTR record whose name resolves forward to that same address
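Building the reverse names described above and running the forward-confirmed check, as an added example (not from the course slides; the PTR and A tables are constructed for the illustration and are not real zone data):

```python
"""Reverse DNS owner names and a forward-confirmed reverse DNS (FCrDNS) check.
The PTR/A tables below are constructed for the example (not real zone data).
Owner-name construction follows the rule in the text: IPv4 octets reversed
under in-addr.arpa, IPv6 nibbles reversed under ip6.arpa."""
import ipaddress

# Constructed reverse zone: address -> PTR target. 192.0.2.11 carries a PTR
# claiming to be the mail server, but the forward zone does not back it up.
PTR = {
    "192.0.2.10": "mail.example.com",
    "192.0.2.11": "mail.example.com",
    "2001:db8::25": "mail6.example.com",
}
# Constructed forward zone: name -> A/AAAA targets.
FORWARD = {
    "mail.example.com": ["192.0.2.10"],
    "mail6.example.com": ["2001:db8::25"],
}


def ptr_name(ip_text):
    """Owner name of the PTR record for an address, built by hand."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"
    nibbles = ip.exploded.replace(":", "")  # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def matches_stdlib(ip_text):
    """Cross-check against ipaddress.reverse_pointer, which applies the same rule."""
    return ptr_name(ip_text) == ipaddress.ip_address(ip_text).reverse_pointer


def reverse_lookup(ip_text):
    """PTR lookup over the constructed reverse zone."""
    return PTR.get(str(ipaddress.ip_address(ip_text)))


def fcrdns_check(ip_text):
    """Forward-confirmed reverse DNS: the PTR gives a name, and that name's
    A/AAAA records must include the original address. Whoever controls the
    reverse zone can put any name in a PTR, so the forward zone is the
    tie-breaker. Returns (claimed_name, confirmed)."""
    ip = ipaddress.ip_address(ip_text)
    name = reverse_lookup(ip_text)
    if name is None:
        return None, False
    forward = {ipaddress.ip_address(a) for a in FORWARD.get(name, [])}
    return name, ip in forward
```

The 192.0.2.11 entry shows why a PTR record alone proves nothing: the reverse zone for an address block is controlled by whoever holds the block, so a bare "it has a PTR" test is trivially satisfied; only the forward confirmation ties the address to a name its owner actually publishes.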

TXT (SPF, DKIM)

• TXT (text) records contain free-form text of any type
• A fully qualified domain name may have many TXT records
• TXT records usually hold human-readable information about a server, network, data center, or other resource
• The most common uses for TXT records are:
  • Sender Policy Framework (SPF)
  • DomainKeys (DK)
  • DomainKeys Identified Mail (DKIM)
• An SPF record is a TXT record (beginning with "v=spf1") that identifies which mail servers are permitted to send e-mail on behalf of an organization
• DK is a deprecated e-mail authentication system
  • It verified the domain name of an e-mail sender and the message integrity
• DKIM is an e-mail authentication method designed to detect e-mail spoofing: the sending server signs the message, and the receiver fetches the public key from a TXT record at selector._domainkey.<domain>
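How a receiving mail server evaluates an SPF TXT record, as an added example (not part of the course; the domains, records and addresses are made up, and the evaluator is deliberately simplified relative to RFC 7208: no macros, redirect=, exp= or ptr mechanism):

```python
"""Simplified SPF (RFC 7208) evaluation over constructed DNS data. Supports
the ip4, ip6, a, mx, include and all mechanisms, the + - ~ ? qualifiers, and
the 10-lookup limit real checkers enforce. Macros, redirect=, exp= and the
ptr mechanism are left out. Domains, records and addresses are made up."""
import ipaddress

# Constructed TXT records (what a receiver would fetch for the sender's domain).
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 a:relay.mailhost.example ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # broken record: includes itself
}
A = {"relay.mailhost.example": ["203.0.113.5"]}  # constructed A records
MX = {}  # no mx mechanisms in the records above; kept so the 'mx' branch is real

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4


class SpfPermError(Exception):
    """Record cannot be evaluated: bad syntax, lookup limit, include of a missing record."""


def _addr_in(ip, targets):
    return any(ip == ipaddress.ip_address(a) for a in targets)


def check_spf(sender_domain, client_ip, _lookups=None):
    """Return pass / fail / softfail / neutral / none for client_ip sending as sender_domain."""
    ip = ipaddress.ip_address(client_ip)
    lookups = [0] if _lookups is None else _lookups  # counter shared with nested includes
    record = TXT.get(sender_domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        target = arg or sender_domain
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # An IPv6 client never matches an ip4 network (and vice versa).
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError as exc:
                raise SpfPermError(f"bad {mech} argument {arg!r}") from exc
        elif mech in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                raise SpfPermError("too many DNS lookups")
            if mech == "a":
                matched = _addr_in(ip, A.get(target, []))
            elif mech == "mx":
                matched = any(_addr_in(ip, A.get(host, [])) for host in MX.get(target, []))
            else:
                sub = check_spf(target, client_ip, lookups)
                if sub == "none":
                    raise SpfPermError(f"include:{target} has no SPF record")
                matched = sub == "pass"  # include matches only when the nested check passes
        else:
            raise SpfPermError(f"unsupported mechanism {mech!r}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no 'all'


def spf_result(sender_domain, client_ip):
    """Convenience wrapper that reports permerror instead of raising."""
    try:
        return check_spf(sender_domain, client_ip)
    except SpfPermError:
        return "permerror"
```

Note the difference between `~all` (softfail) inside the included record and `-all` in the top-level one: the nested softfail does not make the include match, so evaluation continues to the outer `-all` and the verdict is a hard fail. The self-including record shows why the lookup limit exists; without it a hostile record could make the receiver do unbounded DNS work.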

Internal vs. External DNS

• An external DNS server contains only records that the general public needs to know:
  • Web server
  • Mail exchanger
  • Public DNS servers
• An internal DNS server contains all of the private DNS records that the company uses (for all of the internal servers and resources)
• It might also include public records for internal clients that need to go out to the Internet to access those services
• Keeping the two separate (split DNS) means the internal naming scheme and server inventory are not exposed to outsiders

Third-party / Cloud-hosted DNS

• You can outsource the management of your DNS servers to a third party
  • Most commonly done for public records
  • Also done as part of a cloud deployment
• Advantages:
  • Faster resolution of external-facing servers (providers run large anycast server networks)
  • Internal-to-external resolution is handled by the provider
  • Better security and protection against the newest threats (e.g., absorbing DDoS traffic aimed at your name servers)
  • Redundancy to avoid single points of failure
• Disadvantages:
  • You might not have direct control over the records
  • You might have to request that the provider update the records for you, resulting in delays
  • The provider account becomes a high-value target: whoever controls the zone controls where your names resolve, so protect it with strong authentication

Forward vs. Reverse Lookup

• Forward lookup = you know the name but you need the IP
• Reverse lookup = you know the IP but you need the name
• nslookup is a useful command-line tool to query a DNS server
  • When it starts, it performs a reverse lookup of the DNS server's own IP address in order to display the server's name
  • If the server has no PTR record (no reverse lookup zone configured), nslookup reports the server name as "UnKnown" but can still answer forward queries; tools such as dig skip that step entirely

DNS Statistics

• 13 DNS root name servers (13 named identities, a through m, each served by many anycast instances worldwide)
• 1528 TLDs at the time of these slides: https://en.wikipedia.org/wiki/List_of_Internet_top-level_domains#N_%E2%80%A6_O
• ~330.6 million domain names as of Q1 2017: https://blog.verisign.com/domain-names/verisign-domain-name-industry-brief-internet-grows-to-330-6-million-domain-names-in-q1-2017/

Most Domain Registrations by TLD (chart from the Verisign Domain Name Industry Brief, Q1 2017, linked above)

Most Domain Registrations by Country Code TLD (chart from the same brief)

Activity 1.11.1 – Setting up DNS

• Let's set up DNS

DHCP Service

DHCP DORA Lease Process

• Layer 2 broadcast (the client has no IP address yet, so it sends to the broadcast MAC address; UDP port 67 on the server, 68 on the client)
• Lease can be limited time or indefinite
• Lease will include:
  • IP address
  • Subnet mask
• Lease can include options:
  • Default gateway
  • DNS server(s)
  • DNS domain name
  • Other options

DHCP client -> DHCP server: DISCOVER (broadcast: "is there a DHCP server out there?")
DHCP server -> DHCP client: OFFER (a proposed address, mask, lease time and options)
DHCP client -> DHCP server: REQUEST (broadcast: "I accept this offer"; other servers that made offers see it and withdraw theirs)
DHCP server -> DHCP client: ACK (lease confirmed; the client may now use the address)

MAC Reservations

• You can reserve specific IP addresses in a DHCP pool for particular hosts
• Based on MAC addresses
  • When the host broadcasts a discover message, the DHCP server checks to see if its MAC address matches any of the reservations
• This ensures that the same MAC always gets the same IP address
• Useful if you need to ensure that servers always have the same IP address, while the other DHCP configuration options can still be updated centrally
• Caveat: a MAC address is trivially spoofed, so a reservation is an administrative convenience, not an access control

DHCP Pool

• A block of available IP addresses for a particular DHCP scope
• May or may not include the entire range of possible addresses for that subnet
• Probably has a few addresses excluded from the pool

IP Exclusions

• IP addresses in a subnet range that are set aside for static configuration
• Ensures that these addresses are not accidentally leased out to clients
• Exclusions often include the first 10, 20, or even more IP addresses in a subnet
• These addresses are then used to statically configure the router, switches, servers, printers, etc.

Scope Options

• A DHCP scope is a set of configurations for a particular network segment
• The scope is defined by its base network address and subnet mask
• Scope options are additional information for the clients:
  • Address of the default gateway
  • Domain name to be used (a favorite technique of ISPs)
  • Address of the WINS server (deprecated Microsoft LAN name resolution server)
  • NetBIOS node type (deprecated)
• Scopes also have other configuration options such as lease time, reservations, and exclusions
• A DHCP server will have one scope for each network segment/subnet it services

DHCP Lease Time

• The length of time (in days or hours) that a client may use the IP address
• The client is responsible for enforcing the lease and attempting to renew the lease before the lease time is up
  • By default it tries to renew at half the lease time (T1) by unicasting a REQUEST to the server that issued the lease, and falls back to a broadcast REQUEST at 87.5% of the lease (T2) if that server does not answer
• If a client does not renew its lease, the DHCP server marks the address as potentially unused
• Eventually the IP address is returned to the pool for another client to use

DHCP Process Time to Live (TTL)

• During the lease process a DHCP client sends a request for IP information
• If no DHCP server responds to the client request, the client sends DHCPDISCOVER messages at intervals of 0, 4, 8, 16, and 32 seconds, plus a random interval of between -1 second and 1 second
• If there is no response from a DHCP server after one minute, the client can proceed in one of two ways:
  • If the client is using the Automatic Private IP Addressing (APIPA) alternate configuration, the client self-configures an IP address for its interface (from the 169.254.0.0/16 range)
  • If the client does not support alternate configuration, such as APIPA, or if IP auto-configuration has been disabled, the client network initialization fails

DHCP Relay Agent / IP Helper

• A hardware device or software program that can pass DHCP or BOOTP messages between DHCP clients and servers
• Necessary if the DHCP server is on a different subnet from its clients (the client's broadcasts do not cross the router)
• Most routers can be configured as DHCP relay agents (on Cisco IOS, ip helper-address on the client-facing interface)
• The relay forwards the client's broadcast to the server as a unicast and records its own interface address in the message's giaddr (gateway address) field, which is how the server chooses the right scope and where it sends the reply
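The DORA messages, the lease and scope options, and the relay agent's giaddr handling, in one added example (not course code; the MAC address, transaction ID, subnets and server addresses are made up, and the server's scope options are hard-coded rather than read from a scope database):

```python
"""Encode and decode the DHCP messages behind the DORA exchange: the RFC 2131
fixed header plus RFC 2132 options, including what a relay agent changes.
MAC, addresses and transaction ID are constructed for the example; nothing
is put on the wire."""
import socket
import struct

# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"
MAGIC = b"\x63\x82\x53\x63"
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_DOMAIN = 1, 3, 6, 15
OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 51, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}
aton, ntoa = socket.inet_aton, socket.inet_ntoa


def build(op, xid, mac, options, yiaddr="0.0.0.0", giaddr="0.0.0.0", hops=0, broadcast=False):
    """op 1 = BOOTREQUEST (client -> server), 2 = BOOTREPLY (server -> client)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    header = struct.pack(HEADER, op, 1, 6, hops, xid, 0, 0x8000 if broadcast else 0,
                         aton("0.0.0.0"), aton(yiaddr), aton("0.0.0.0"), aton(giaddr),
                         chaddr, b"\0" * 64, b"\0" * 128)
    body = b"".join(struct.pack("!BB", code, len(val)) + val for code, val in options)
    return header + MAGIC + body + bytes([OPT_END])


def parse(packet):
    """Decode header and options; used by both sides and by anyone monitoring DHCP traffic."""
    f = struct.unpack(HEADER, packet[:236])
    if packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet (bad magic cookie)")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:  # pad option
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    addrs = lambda v: [ntoa(v[k:k + 4]) for k in range(0, len(v), 4)]
    return {
        "op": f[0], "hops": f[3], "xid": f[4],
        "yiaddr": ntoa(f[8]), "giaddr": ntoa(f[10]),
        "chaddr": f[11][:f[2]].hex(":"),
        "type": MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\0")[0], "other"),
        "lease_seconds": struct.unpack("!I", opts[OPT_LEASE])[0] if OPT_LEASE in opts else None,
        "subnet": ntoa(opts[OPT_SUBNET]) if OPT_SUBNET in opts else None,
        "routers": addrs(opts.get(OPT_ROUTER, b"")),
        "dns": addrs(opts.get(OPT_DNS, b"")),
        "domain": opts.get(OPT_DOMAIN, b"").decode(),
        "server_id": ntoa(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else None,
    }


def client_discover(xid, mac):
    """Step 1 (DISCOVER): broadcast, the client has no address yet."""
    return build(1, xid, mac, [(OPT_MSG_TYPE, b"\x01")], broadcast=True)


def relay_forward(packet, relay_ip):
    """What a relay agent / IP helper does before unicasting the request to a server
    on another subnet: write its own interface address into giaddr (if not already
    set by an earlier relay) and bump the hop count. The server picks the scope from giaddr."""
    p = parse(packet)
    giaddr = relay_ip if p["giaddr"] == "0.0.0.0" else p["giaddr"]
    return packet[:3] + bytes([p["hops"] + 1]) + packet[4:24] + aton(giaddr) + packet[28:]


def server_offer(discover, offered_ip, server_ip):
    """Step 2 (OFFER): the lease (address, mask, lease time) plus scope options.
    Scope values are hard-coded here; a real server reads them from the scope."""
    d = parse(discover)
    if d["type"] != "DISCOVER":
        raise ValueError("expected DHCPDISCOVER")
    options = [
        (OPT_MSG_TYPE, b"\x02"),
        (OPT_SERVER_ID, aton(server_ip)),
        (OPT_LEASE, struct.pack("!I", 8 * 3600)),  # 8-hour lease
        (OPT_SUBNET, aton("255.255.255.0")),
        (OPT_ROUTER, aton("10.0.5.1")),  # default gateway on the client's subnet
        (OPT_DNS, aton("192.168.1.10") + aton("192.168.1.11")),
        (OPT_DOMAIN, b"corp.example"),
    ]
    # The reply echoes the client's xid and chaddr; giaddr is echoed so the relay can deliver it.
    return build(2, d["xid"], d["chaddr"], options, yiaddr=offered_ip, giaddr=d["giaddr"])
```

Everything the client will trust (gateway, DNS servers, domain name) arrives in an unauthenticated broadcast reply, which is why a rogue DHCP server on the segment can redirect traffic; `parse()` run over captured packets is the starting point for spotting an unexpected `server_id` or `routers` value.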

Activity 1.11.2 – Setting Up DHCP

• Let's set up DHCP

NTP

Network Time Protocol (NTP)

• Used to synchronize the clocks of computers over a network (UDP port 123)
• The NTP client initiates a time-request exchange with the NTP server and then keeps an association with it
• Once synchronized, the client polls the server periodically (typically every 64 to 1024 seconds, so "about once every 10 minutes" in practice), usually requiring a single message exchange
• Stratum 1 NTP servers, of which there are thousands around the world, are attached to highly precise atomic clocks and GPS clocks
• A typical implementation is to have a local NTP server:
  • It synchronizes with a public service
  • It then synchronizes all internal servers
  • The Active Directory PDC Emulator domain controller is an example
• Accurate time is a security dependency: certificate validity periods, Kerberos ticket lifetimes (tickets are rejected beyond a 5-minute default skew), and log correlation all rely on it

NTP Enterprise Time Coordination

• Stratum 0: the reference clocks themselves, not NTP servers
  • e.g., the U.S. Naval Observatory Alternate Master Clock at Schriever AFB (Colorado), or a NIST cesium fountain atomic clock
• Stratum 1: servers directly attached to a stratum 0 clock (a GPS- or radio-disciplined time server)
  • Your AD PDC emulator or router is stratum 1 only if it has its own reference clock attached; when it syncs to a public stratum 1 server it becomes stratum 2
• Stratum 2: devices that sync to stratum 1 (typically your AD PDC emulator or edge router)
• Stratum 3: devices that sync to stratum 2 (the rest of your servers and clients)
• Each hop adds one to the stratum; a lower number means fewer hops from the reference clock, not necessarily a more accurate clock
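The client/server exchange behind that stratum chain, as an added example (not course code): a stratum 2 server's reply is constructed in-process, the client validates it against the request it sent, and then computes the offset and delay from the four timestamps. The upstream address in the reference ID and all timestamps are made up.

```python
"""NTP v4 client/server exchange (RFC 5905, 48-byte header) and the offset and
delay computation a client performs from the four timestamps. The server reply
is constructed here (stratum 2, reference ID = address of its stratum 1
upstream); nothing is sent on the network. Addresses are made up."""
import struct

FMT = "!BBbbII4sQQQQ"  # LI|VN|Mode, stratum, poll, precision, root delay, root disp, ref id, 4 timestamps
NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
MODE_CLIENT, MODE_SERVER = 3, 4


def to_ntp(unix_time):
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds since 1900, 32-bit fraction)."""
    secs = int(unix_time)
    frac = int((unix_time - secs) * 2**32)
    return ((secs + NTP_UNIX_DELTA) << 32) | frac


def from_ntp(ts):
    return (ts >> 32) - NTP_UNIX_DELTA + (ts & 0xFFFFFFFF) / 2**32


def client_request(t1):
    """Mode 3 request: only the header byte and the transmit timestamp (T1) matter."""
    header = (0 << 6) | (4 << 3) | MODE_CLIENT  # LI=0, VN=4, mode=3
    return struct.pack(FMT, header, 0, 0, 0, 0, 0, b"\0" * 4, 0, 0, 0, to_ntp(t1))


def server_reply(request, t2, t3, stratum=2, ref_id=b"\xc6\x33\x64\x07"):
    """Mode 4 reply: copies the client's T1 into 'origin', stamps receive (T2) and
    transmit (T3). For stratum >= 2 the reference ID is the IPv4 address of the
    upstream server (198.51.100.7 here, constructed); stratum 1 uses a 4-character
    clock code such as GPS or PPS."""
    f = struct.unpack(FMT, request)
    if f[0] & 0x07 != MODE_CLIENT:
        raise ValueError("not a client request")
    header = (0 << 6) | (4 << 3) | MODE_SERVER
    return struct.pack(FMT, header, stratum, 6, -20, 0, 0, ref_id,
                       to_ntp(t2 - 64), f[10], to_ntp(t2), to_ntp(t3))


def reply_matches(reply, request):
    """True when the reply's origin timestamp echoes our transmit timestamp. A reply
    that fails this is unsolicited or spoofed and must be dropped (RFC 5905 'bogus packet')."""
    return struct.unpack(FMT, reply)[8] == struct.unpack(FMT, request)[10]


def parse_reply(reply, t4, request):
    """Client side: validate, then compute
    offset = ((T2 - T1) + (T3 - T4)) / 2 and delay = (T4 - T1) - (T3 - T2)."""
    if not reply_matches(reply, request):
        raise ValueError("origin timestamp mismatch: reply is not for our request")
    f = struct.unpack(FMT, reply)
    stratum = f[1]
    if stratum == 0:  # kiss-o'-death; ref id carries an ASCII code such as RATE or DENY
        raise ValueError("kiss-o'-death: " + f[6].decode("ascii", "replace"))
    if stratum == 1:
        ref_id = f[6].decode("ascii", "replace").rstrip("\0")
    else:
        ref_id = ".".join(str(b) for b in f[6])
    t1, t2, t3 = from_ntp(f[8]), from_ntp(f[9]), from_ntp(f[10])
    return {
        "leap": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
        "stratum": stratum, "ref_id": ref_id,
        "offset": ((t2 - t1) + (t3 - t4)) / 2,
        "delay": (t4 - t1) - (t3 - t2),
    }
```

In the numbers used below the client's clock is one second behind and each direction takes 100 ms, so the computed offset is +1.0 s and the round-trip delay 0.2 s. The origin-timestamp check is the only thing standing between an unauthenticated UDP service and an off-path attacker who wants to shift your clock; a reply that echoes the wrong T1 is discarded before its timestamps are ever used.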

IPAM

Internet Protocol Address Management (IPAM)

• A method of automatically tracking and managing IP address usage in your enterprise (usually integrated with the DNS and DHCP servers)
• You can monitor and ascertain:
  • Whether free IP address space exists
  • That the subnets in use are as expected, and who is using them
  • The status of each IP address (permanent or temporary)
  • The default routers that the various network devices use
  • The host name associated with each IP address
  • The specific hardware associated with each IP address

IPAM Management Console Example