Routing, VLANs and Network Segmentation

Uploaded by mustardprune in Networks and Communications

23 Oct 2013


Nick Rowlett
Technology Director, Sparta Schools
Cisco Certified Network Administrator
Microsoft Certified System Administrator

Agenda

Open Systems Interconnection Reference Model (aka The OSI Model)
Layer 2 switching protocols; discussion & demonstration
Layer 3 protocols; discussion & demonstration
Layer 4: what to know!

Why would I want to segment my Network?

(Diagram: four sites, HIGH SCHOOL, ELEMENTARY SCHOOL, MIDDLE SCHOOL and ADMIN BLDG., with vlan 1 and vlan 2 carried between them over a TRUNK.)

I: The OSI Reference Model

Layer            Example
7: Application   Application
6: Presentation
5: Session
4: Transport     TCP / UDP
3: Network       IP - 172.20.64.100
2: Data Link     LLC / MAC - 00-14-22-AE-EB-B0
1: Physical      Transmission Medium - 01001100 / IEEE 802.x

I: The OSI Reference Model

7: Application
6: Presentation
5: Session
4: Transport
3: Network       ROUTING - L3
2: Data Link     SWITCH - L2
1: Physical      HUB - Transmission Medium

VLAN Segmentation

VLAN: Virtual Local Area Network
Collision: when two hosts try to communicate at the exact same time
Unicast: traffic from one host to one host
Multicast: traffic from one host to many hosts
Broadcast: traffic sent to all hosts
Quality of Service (QoS): guaranteed performance, low latency/errors

HUB (LAYER 1): 1 collision domain, 1 broadcast domain

SWITCH (LAYER 2): 3 collision domains (1 per port), 1 broadcast domain

SWITCH with VLANs (LAYER 2): VLAN 1, VLAN 2

Ethernet

IEEE 802.3
Transmitted in frames
Uses MAC addresses to communicate

MAC Addresses

000e.1eca.f834 = 00-0e-1e-ca-f8-34

show mac-address-table

MAC             VLAN   PORT
000e.1eca.f834  9      Fa0/1

Unicast / Broadcast: the broadcast MAC address is FF:FF:FF:FF:FF:FF

Layer 2: Layer 2 protocols

Spanning Tree: STP, RSTP, PVST, PVST+, MSTP, R-PVST

Link Aggregation: LACP, proprietary

Spanning Tree

Root bridge election -> determine least cost path to root bridge -> disable other paths

Bridge Protocol Data Units (BPDU)
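As an added example (not from the slides), the three steps above modelled in Python: the bridge IDs, link costs and three-switch topology are constructed for the illustration, and the model is deliberately simplified (root path cost only, no designated-port tie-breaking).

```python
import heapq

# Constructed bridges: name -> (priority, MAC). The bridge ID compares
# priority first, then MAC; the numerically lowest ID becomes root.
BRIDGES = {
    "SW1": (32768, "000e.1eca.f834"),
    "SW2": (32768, "0011.2233.4455"),
    "SW3": (4096, "00aa.bbcc.ddee"),   # lowered priority: intended root
}

# Constructed links with IEEE path costs (100 Mb/s = 19, 1 Gb/s = 4).
LINKS = [("SW1", "SW2", 19), ("SW2", "SW3", 4), ("SW1", "SW3", 19)]

def elect_root(bridges):
    """Step 1: root bridge election by lowest (priority, MAC)."""
    return min(bridges, key=lambda name: bridges[name])

def least_cost_paths(links, root):
    """Step 2: Dijkstra from the root gives every bridge its root path cost
    and the neighbour it reaches the root through (its root port)."""
    adj = {}
    for a, b, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    cost_to_root, via, heap = {root: 0}, {root: None}, [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > cost_to_root[node]:
            continue                      # stale heap entry
        for nbr, link_cost in adj[node]:
            if cost + link_cost < cost_to_root.get(nbr, float("inf")):
                cost_to_root[nbr] = cost + link_cost
                via[nbr] = node
                heapq.heappush(heap, (cost + link_cost, nbr))
    return cost_to_root, via

def blocked_links(links, via):
    """Step 3: links on nobody's least-cost path to the root are left out
    of the tree; one end of each goes to the Blocking port state."""
    tree = {frozenset((n, p)) for n, p in via.items() if p is not None}
    return [(a, b) for a, b, _ in links if frozenset((a, b)) not in tree]

def run_stp(bridges=BRIDGES, links=LINKS):
    """Returns (root, root path cost per bridge, blocked links)."""
    root = elect_root(bridges)
    cost_to_root, via = least_cost_paths(links, root)
    return root, cost_to_root, blocked_links(links, via)
```

With the constructed topology SW3 wins the election on priority, SW1 reaches it directly at cost 19 rather than via SW2 at cost 23, and the SW1-SW2 link is the one left blocked.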

Spanning Tree

Port states: Blocking, Listening, Learning, Forwarding, Disabled

Normal Operation

(Animation: Broadcast! frames flooded across the switched topology.)

Spanning Tree: Topology Change Notification

(Animation: a TCN is relayed hop by hop toward the Root and each hop is answered with an ACK, followed by Broadcast! frames being flooded.)

Spanning Tree: Portfast (or similar)

Configure on KNOWN endpoint ports
Eliminates convergence time to forwarding state

DHCP (Anthropomorphized)

Client: Can I get an IP address? Anyone?   (Discover)
Server: Yo. I can give you 192.168.1.1     (Offer)
Client: Sounds good, I'll use it.          (Request)
Server: OK!                                (Ack)

ARP

Address Resolution Protocol
"between" layers 2/3

Windows: arp -a

Internet Address   Physical Address    Type
10.202.60.1        00-24-b5-da-ac-83   dynamic
10.202.61.255      ff-ff-ff-ff-ff-ff   static

Switches: show arp

Layer 3 protocols

IPv4
IPv6
IPSec
Route sharing protocols: RIP, OSPF, EIGRP
ICMP (ping)

IP Address

Host:         192.168.1.1
Subnet Mask:  255.255.255.0 (/24)
Network:      192.168.1.0
Broadcast:    192.168.1.255 (255.255.255.255)
Gateway:      192.168.1.254

IP Subnetting

192.168.1.1 = 11000000.10101000.00000001.00000001
(192 = 11000000; bit values from right to left: 1, 2, 4, 8, 16, 32, 64, 128)

Host         11000000.10101000.00000001.00000001
Subnet Mask  11111111.11111111.11111111.00000000
             (255)    (255)    (255)    (0)

Routing

Gateway of Last Resort:  0.0.0.0 via 172.20.0.254
Directly connected:      172.20.16.0/24 is directly connected, Vlan20
Static Route:            192.168.7.0/24 via 172.20.0.1
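An added example (not from the slides) covering both the IP Subnetting slide and the Routing slide: the mask arithmetic done with plain bit operations, then a longest-prefix lookup over the three routes shown; the routes are the slide's, while the destination addresses looked up at the bottom are constructed.

```python
# Routes from the Routing slide: (network, prefix length, next hop or interface).
ROUTES = [
    ("0.0.0.0", 0, "via 172.20.0.254"),                 # gateway of last resort
    ("172.20.16.0", 24, "directly connected, Vlan20"),
    ("192.168.7.0", 24, "via 172.20.0.1"),              # static route
]

def ip_to_int(dotted):
    """'192.168.1.1' -> 32-bit integer."""
    o = [int(x) for x in dotted.split(".")]
    if len(o) != 4 or not all(0 <= x <= 255 for x in o):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]

def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def to_binary(n):
    """Dotted binary as on the IP Subnetting slide, e.g. 11000000.10101000...."""
    return ".".join(f"{(n >> s) & 0xFF:08b}" for s in (24, 16, 8, 0))

def mask_from_prefix(prefix):
    """/24 -> 255.255.255.0: the top `prefix` bits of a 32-bit word set."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def subnet_info(host, prefix):
    """Network = host AND mask; broadcast = network OR (NOT mask)."""
    mask = mask_from_prefix(prefix)
    network = ip_to_int(host) & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    return {"binary": to_binary(ip_to_int(host)), "mask": int_to_ip(mask),
            "network": int_to_ip(network), "broadcast": int_to_ip(broadcast)}

def lookup(dest, routes=ROUTES):
    """Longest-prefix match: the most specific route whose network contains
    dest wins; the /0 default matches everything, so it is the last resort."""
    best = None
    for network, prefix, hop in routes:
        mask = mask_from_prefix(prefix)
        if ip_to_int(dest) & mask == ip_to_int(network) & mask:
            if best is None or prefix > best[0]:
                best = (prefix, hop)
    return best[1] if best else None

if __name__ == "__main__":
    print(subnet_info("192.168.1.1", 24))
    for dest in ("172.20.16.50", "192.168.7.9", "203.0.113.5"):   # constructed
        print(dest, "->", lookup(dest))
```

The same `subnet_info` reproduces the /30 site links later in the deck (10.1.1.2/30 sits in network 10.1.1.0 with broadcast 10.1.1.3), which is why a /30 leaves exactly two usable addresses for a point-to-point link.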


LAYER 3

(Diagram: VLAN 1 with hosts 192.168.1.2 and 192.168.1.3, VLAN 2 with hosts 10.10.10.2 and 10.10.10.3; a BROADCAST in each VLAN stays inside that VLAN.)

LAYER 3 routing

(Diagram: the same two VLANs, each with a routed interface: 192.168.1.1 on VLAN 1 and 10.10.10.1 on VLAN 2.)

'Bad' layer 3

(Diagram: a single VLAN 1 holding 192.168.1.2, 192.168.1.3, 10.10.10.2 and 10.10.10.3, i.e. two IP subnets on one broadcast domain; a BROADCAST reaches all four hosts; uplink to the INTERNET.)

(Diagram: voice design. Host 10.10.10.2; VLAN 1: 10.10.10.1; VLAN 2: 10.10.20.2; QoS: prefer VLAN 2; hosts 10.10.10.5 and 10.10.20.17; IP PBX at 10.10.20.2 on the VOICE CIRCUIT; a TRUNK carrying VLANs 1, 2.)

District design (HIGH SCHOOL, ELEMENTARY SCHOOL, MIDDLE SCHOOL, ADMIN BLDG.)

ADMINISTRATION BUILDING:  NETWORK: 192.168.1.0/24   VLAN 101  ADMIN_VLAN   VLAN 101 IP: 192.168.1.1
MIDDLE SCHOOL:            NETWORK: 192.168.2.0/24   VLAN 201  MS_VLAN      VLAN 201 IP: 192.168.2.1
ELEMENTARY SCHOOL:        NETWORK: 192.168.3.0/24   VLAN 301  ES_VLAN      VLAN 301 IP: 192.168.3.1
HIGH SCHOOL:              NETWORK: 192.168.4.0/24   VLAN 401  HS_VLAN      VLAN 401 IP: 192.168.4.1

(Animation: as each site is added, the networks already known grow: 192.168.1.0/24 after the Administration Building; 192.168.1.0/24 and 192.168.2.0/24 after the Middle School; 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 after the Elementary School; all four after the High School.)

Site links (/30 point-to-point): 10.1.1.1/30 - 10.1.1.2/30, 10.1.2.1/30 - 10.1.2.2/30, 10.1.3.1/30 - 10.1.3.2/30. Each site's routing table lists 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 and 192.168.4.0/24.

LAYER 2 TRUNK / LAYER 3 ROUTED

(Diagram: VLAN 1 hosts 10.10.10.2, 10.10.10.3 and 10.10.10.4 with interface 10.10.10.1; VLAN 2 hosts 192.168.1.2 and 192.168.1.3 with interface 192.168.1.1; VLAN 3 (guest) with interface 172.16.0.1. A TRUNK carries VLAN1, VLAN2 and VLAN3 on the LAYER 2 side; the LAYER 3 ROUTED side connects them and the INTERNET.)

I: The OSI Reference Model (recap)

1: Physical - HUB, Transmission Medium; 2: Data Link - SWITCH (L2); 3: Network - ROUTING (L3); 4: Transport; 5: Session; 6: Presentation; 7: Application

Questions?