Networking and Reality at DOIT

23 Oct 2013

VLANs and Security Zones

Communication

The OSI Model is the framework we use to communicate between end users.

What is the OSI Model?

The Open Systems Interconnection Basic Reference Model (OSI Reference Model or OSI Model for short) is a layered, abstract description for communications and computer network protocol design, developed as part of the Open Systems Interconnection (OSI) initiative. It is also called the OSI seven layer model. The layers, described below, are, from top to bottom, Application, Presentation, Session, Transport, Network, Data Link and Physical.


Common Protocols in OSI Model

Physical

Physical Layer 1: connectivity

Communication medium such as CAT5 copper cable, multi-mode and single-mode fiber optic cable, wireless frequencies.

Upcoming technologies include CWDM and DWDM.


Data Link

Data Link layer 2: connectivity

Switches

Attachment of Local Area Network devices - PCs, Servers (Ethernet Adapter Card)

10/100/1000 Copper or Gigabit Fiber

Unique MAC Address 00-0F-1F-8E-DA-FC (burned-in address)

Auto-negotiable for speed and duplex

Non-routable traffic

Broadcast to communicate to another device using ARP

Subnet mask, i.e. 255.255.255.0, and IP address will determine if Layer 2 or Layer 3 communication is needed

Example: Vlan2 159.247.8.5/24 needs to ARP to find/communicate to Vlan2 159.247.8.6/24

Example: Vlan2 159.247.8.5/24 needs Layer 3 Network Routing to access Vlan3 159.247.80.10

Default gateway to access Layer 3 (Router/Firewall)

IP for routing



From a data-centric viewpoint, it's about VLANs

VLANs live in VTP Domains which remain isolated from each other.

DOIT has several VTP Domains:

Building Switch VTP Domain

BackBone Switch VTP Domain

Internet\Intranet Switch VTP Domain

ARP: Address Resolution Protocol


Network

Network layer 3: Network Routing (IP Protocol)

Routers perform packet delivery from a source to a destination via one or more networks.

Network Routing is accomplished by using a dynamic routing table. (Static Routes are normally redistributed into a dynamic routing protocol.)

Routers and Firewalls are both Layer 3 devices.

Routers and Firewalls are connected to Layer 2 (Switching).

Your Default Gateway is your Local Router.

VLAN to VLAN communication needs Layer 3 routing.

Example: Vlan2 159.247.8.5/24 needs Layer 3 to access Vlan3 159.247.80.10

Unique public IP addressing scheme with subnet masking (159.247.x.x)

Private addressing needs Network Address Translation (Internet use):

10.x.x.x, 172.16.x.x - 172.31.x.x, 192.168.x.x (x=0-255)
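The two Vlan2/Vlan3 examples from the Data Link and Network slides, worked through in code. This is an added example, not part of the original slides or of DOIT's tooling: it shows the mask arithmetic that decides between ARP (Layer 2) and routing via the default gateway (Layer 3), and checks whether an address falls in the private ranges that need NAT. The host addresses are the ones on the slides; the `classify` helper and its output format are assumptions made for the example.

```python
import ipaddress

# Constructed example hosts taken from the slides: Vlan2 is 159.247.8.0/24 and
# Vlan3 is 159.247.80.0/24. The RFC 1918 ranges are the private blocks the
# Network-layer slide lists (10/8, 172.16/12, 192.168/16).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """The mechanism itself: AND both addresses with the subnet mask and compare
    the network parts. 159.247.8.5 AND 255.255.255.0 gives 159.247.8.0, while
    159.247.80.10 AND 255.255.255.0 gives 159.247.80.0, so those two differ."""
    a = int(ipaddress.ip_address(ip_a))
    b = int(ipaddress.ip_address(ip_b))
    m = int(ipaddress.ip_address(mask))
    return (a & m) == (b & m)


def next_hop(local_iface: str, destination: str) -> str:
    """Decide how a host configured as `local_iface` ("ip/prefix") reaches `destination`.

    "ARP"   - same subnet: Layer 2 only. The host broadcasts an ARP request for
              the destination's MAC and frames go straight across the switch.
    "ROUTE" - different subnet: Layer 3. The host instead ARPs for its default
              gateway and the router/firewall forwards the packet between VLANs.
    """
    iface = ipaddress.ip_interface(local_iface)
    dst = ipaddress.ip_address(destination)
    return "ARP" if dst in iface.network else "ROUTE"


def needs_nat(address: str) -> bool:
    """True when `address` is RFC 1918 private space, i.e. it must be translated
    (NAT) before it can be used on the Internet."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in RFC1918)


def classify(local_iface: str, destinations: list) -> dict:
    """Summarise, for one host, how each destination is reached and whether the
    destination address is private (and so would need NAT for Internet use)."""
    return {
        dst: {"path": next_hop(local_iface, dst), "private": needs_nat(dst)}
        for dst in destinations
    }


if __name__ == "__main__":
    hosts = ["159.247.8.6", "159.247.80.10", "10.1.2.3"]
    for dst, info in classify("159.247.8.5/24", hosts).items():
        print(f"{dst:>15}: {info['path']:5} private={info['private']}")
```

Run from the Vlan2 host's point of view, 159.247.8.6 comes back as ARP and 159.247.80.10 as ROUTE, which is exactly the split the slides describe; the `same_subnet` function is there to show that the decision is nothing more than a bitwise AND with the mask.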

Transport

Transport layer 4: transfer of data between end users

Transmission Control Protocol (TCP): reliable delivery

TCP requires a 3-way handshake (SYN, SYN-ACK, ACK)

TCP keeps track of transmitted data using sequence numbers and will retransmit unacknowledged packets

TCP port 80: HTTP

TCP port 25: SMTP

TCP port 23: Telnet

TCP port 21: FTP

User Datagram Protocol (UDP): unreliable delivery

UDP port 53: DNS (Domain Name Services)

UDP port 161: SNMP (Simple Network Management Protocol)
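The three-way handshake and the sequence numbers behind it, as an added example that is not from the original slides. It tracks one connection attempt segment by segment: the client's SYN carries its initial sequence number, the server's SYN-ACK must acknowledge that number plus one, and the client's final segment carries only ACK. A capture that stops after the SYN-ACK leaves the server half-open in SYN_RECEIVED, the state `netstat -an` shows piling up when clients never finish their handshakes. The captures, the `Handshake` class and the port table lookup are constructed for the example.

```python
from typing import List, Optional, Set, Tuple

# Well-known ports named on the Transport-layer slide.
TCP_SERVICES = {80: "http", 25: "smtp", 23: "telnet", 21: "ftp"}
UDP_SERVICES = {53: "dns", 161: "snmp"}

# One segment as a sniffer would summarise it: (direction, flags, seq, ack).
# direction is "c2s" (client to server) or "s2c" (server to client).
Segment = Tuple[str, Set[str], int, int]


def service_name(proto: str, port: int) -> str:
    """Map a port to the service name the slide lists, or 'unknown'."""
    table = TCP_SERVICES if proto.lower() == "tcp" else UDP_SERVICES
    return table.get(port, "unknown")


class Handshake:
    """Tracks one connection attempt through SYN, SYN-ACK, ACK.

    Each side announces an initial sequence number (ISN) in its SYN and the
    other side must acknowledge ISN+1; that is how TCP ties the three segments
    together and, later, how it knows which bytes still need retransmitting.
    """

    def __init__(self) -> None:
        self.state = "CLOSED"
        self.client_isn: Optional[int] = None
        self.server_isn: Optional[int] = None
        self.problems: List[str] = []

    def feed(self, segment: Segment) -> str:
        direction, flags, seq, ack = segment
        if "RST" in flags:
            self.state = "CLOSED"
            self.problems.append("reset")
        elif self.state == "CLOSED" and direction == "c2s" and flags == {"SYN"}:
            self.client_isn = seq
            self.state = "SYN_SENT"
        elif self.state == "SYN_SENT" and direction == "s2c" and flags == {"SYN", "ACK"}:
            if ack == self.client_isn + 1:
                self.server_isn = seq
                self.state = "SYN_RECEIVED"
            else:
                self.problems.append(f"SYN-ACK acknowledges {ack}, expected {self.client_isn + 1}")
        elif self.state == "SYN_RECEIVED" and direction == "c2s" and flags == {"ACK"}:
            if seq == self.client_isn + 1 and ack == self.server_isn + 1:
                self.state = "ESTABLISHED"
            else:
                self.problems.append("final ACK carries wrong seq/ack numbers")
        else:
            self.problems.append(f"unexpected {sorted(flags)} from {direction} in state {self.state}")
        return self.state


def run_handshake(segments: List[Segment]) -> Tuple[str, List[str]]:
    """Feed a captured segment list and return (final state, problems found)."""
    hs = Handshake()
    for seg in segments:
        hs.feed(seg)
    return hs.state, hs.problems


# Constructed capture of a browser opening TCP port 80 (http).
GOOD: List[Segment] = [
    ("c2s", {"SYN"}, 1000, 0),
    ("s2c", {"SYN", "ACK"}, 5000, 1001),
    ("c2s", {"ACK"}, 1001, 5001),
]

# Constructed capture where the server's SYN-ACK never gets its ACK: the
# server is left half-open in SYN_RECEIVED until its timer expires.
HALF_OPEN: List[Segment] = GOOD[:2]

if __name__ == "__main__":
    print("complete :", run_handshake(GOOD))
    print("half-open:", run_handshake(HALF_OPEN))
    print("port 80  :", service_name("tcp", 80))
```

Feeding a second SYN-ACK instead of the client's ACK does not complete the connection; the tracker stays in SYN_RECEIVED and records the unexpected segment, which is why the third step of the handshake has to be the client's plain ACK.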

Session, Presentation, Application

Session layer 5 controls the dialogues/connections (sessions) between computers.

It establishes, manages and terminates the TCP connections between the local and remote application.

Presentation layer 6 transforms the data to provide a standard interface for the Application layer.

Data representation (EBCDIC/ASCII conversion)

Data encryption/decryption

Application layer 7 interfaces directly to and performs common application services for the application processes.

ftp application service/process

telnet application service/process

CICS application software

Oracle

Sniffer Packet Decode

Client to Server Data Flow: http://ct.gov

Commands for Troubleshooting

Information that we need: IP address, subnet mask, default gateway

netstat -r (routes) or route print

netstat -an (port listeners)

tracert (Windows)

ping

ipconfig /all

VLAN

Virtual Local Area Network

IEEE 802.1Q aka VLAN Tagging

Allows for the creation of logical LAN segments within one or more physical switches.

VLANs permit the sharing of a switch with isolation.

VLANs communicate with one another using layer-3 routing.

VACL

Virtual Access Control List

Layer 2 access filter (local Ethernet LAN segment only)

VLANs are defined within the construct of a VTP Switch Domain (Virtual Trunking Protocol Domain).

802.1Q allows for the trunking of VLANs over one or more physical interfaces.





VLANs

How we do it:

Every physical switch port connection is placed into a VLAN or VLAN Trunk.

A Trunk can carry multiple VLANs by using VLAN Tags.

Switches can be assigned into a VTP Switch Domain (VLAN Trunk Protocol) which can share VLAN information across switches. (Redundancy)

Product we use:

Cisco Catalyst Switches

Network Interface Cards that support 802.1Q can Trunk VLANs
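What an 802.1Q tag looks like on the wire, and how a sniffer's decode pane walks down through it: this added example (not from the original slides, and not DOIT's or Cisco's code) builds a tagged Ethernet/IPv4/TCP frame from the Vlan2 host to the Vlan3 host and decodes it back out, layer by layer, the way the "Sniffer Packet Decode" slide shows a client-to-server flow. The four-byte tag sits between the source MAC and the EtherType; a frame without it is an ordinary untagged frame. The source MAC is the burned-in address from the Data Link slide; the gateway MAC, port numbers and sequence numbers are constructed.

```python
import ipaddress
import struct
from typing import Dict, List, Optional

# The burned-in address from the Data Link slide, used as the sending NIC.
SRC_MAC = bytes.fromhex("000F1F8EDAFC")
# Assumed MAC of the default gateway (router/firewall) on this VLAN.
GW_MAC = bytes.fromhex("000000000001")

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
TCP_FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                 ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit words; returns 0 over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(mac: bytes) -> str:
    return "-".join("%02X" % b for b in mac)


def flag_names(bits: int) -> List[str]:
    return [name for name, bit in TCP_FLAG_BITS if bits & bit]


def build_frame(vlan: Optional[int], src_ip: str, dst_ip: str, sport: int, dport: int,
                flags: int, src_mac: bytes = SRC_MAC, dst_mac: bytes = GW_MAC) -> bytes:
    """Construct an Ethernet/IPv4/TCP frame, with an 802.1Q tag when vlan is given."""
    eth = struct.pack("!6s6s", dst_mac, src_mac)
    if vlan is not None:
        # TCI = 3-bit priority, 1-bit DEI, 12-bit VLAN id; priority and DEI left at 0
        eth += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    # TCP header without options: seq 1000, ack 0, data offset 5 words, window 65535;
    # the TCP checksum is left 0 because this is a constructed frame, not one off the wire
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill in the IP checksum
    return eth + ip + tcp


def decode_frame(data: bytes) -> Dict[str, object]:
    """Walk the layers the way a sniffer's decode pane does: Ethernet, optional
    802.1Q tag, IPv4, then TCP or UDP ports."""
    dst_mac, src_mac, ethertype = struct.unpack_from("!6s6sH", data, 0)
    offset = 14
    vlan = None
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack_from("!HH", data, offset)
        vlan, offset = tci & 0x0FFF, offset + 4
    out: Dict[str, object] = {"dst_mac": mac_str(dst_mac), "src_mac": mac_str(src_mac),
                              "vlan": vlan, "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return out
    vihl, _tos, _tlen, _id, _ff, ttl, proto, _csum, src, dst = struct.unpack_from(
        "!BBHHHBBH4s4s", data, offset)
    ihl = (vihl & 0x0F) * 4
    out.update(src_ip=str(ipaddress.ip_address(src)), dst_ip=str(ipaddress.ip_address(dst)),
               ttl=ttl, proto=proto, ip_checksum_ok=ipv4_checksum(data[offset:offset + ihl]) == 0)
    offset += ihl
    if proto == 6:      # TCP: ports, sequence numbers and the handshake flags
        sport, dport, seq, ack, _doff, flags, _win, _c, _u = struct.unpack_from(
            "!HHIIBBHHH", data, offset)
        out.update(sport=sport, dport=dport, seq=seq, ack=ack, flags=flag_names(flags))
    elif proto == 17:   # UDP: just the ports
        sport, dport, _length, _c = struct.unpack_from("!HHHH", data, offset)
        out.update(sport=sport, dport=dport)
    return out


if __name__ == "__main__":
    frame = build_frame(2, "159.247.8.5", "159.247.80.10", 40000, 80, 0x02)   # SYN to port 80
    for key, value in decode_frame(frame).items():
        print(f"{key:15} {value}")
```

Because the destination is on Vlan3, the frame is addressed to the gateway's MAC even though the IP header names 159.247.80.10; that split between Layer 2 and Layer 3 addressing is what the decode makes visible.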


Best practices or procedures:

Place similar devices in a separate VLAN for security: prevent access and cross contamination (VLANs Framework for Security Zone)

Place all Internet DMZ Web Servers on a separate VLAN zone

Place all Internet DMZ Application servers on a separate VLAN zone

Place all Internet DMZ Database servers on a separate VLAN zone

Issues and implications:

Access between VLANs requires Layer 3 Network Routing using Routers/Firewalls.

Places an overhead on the firewall (con)

Provides security access control (pro)

Will add some latency to the user response time (con)
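The web/application/database zoning from the best-practices list, together with the point from the issues list that inter-VLAN traffic only gets inspected because it must cross the firewall, as an added example that is not from the original slides or DOIT's configuration. Each tier is its own VLAN zone; the firewall rulebase lets each tier reach only the next one on its service port and drops everything else, so a web server can never open a connection straight to the database zone. Same-zone traffic is switched at Layer 2 and never reaches the firewall, which is why only a VACL could filter it. The Vlan2 and Vlan3 subnets are the slides'; the database subnet, the rule ports and the `audit` helper are assumptions for the example.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed three-tier DMZ following the slide's advice: one VLAN zone per tier.
# Vlan2/Vlan3 subnets come from the slides; the Vlan4 subnet, VLAN numbers and
# service ports are assumptions for the example.
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "DMZ-WEB": ipaddress.ip_network("159.247.8.0/24"),    # Vlan2
    "DMZ-APP": ipaddress.ip_network("159.247.80.0/24"),   # Vlan3
    "DMZ-DB": ipaddress.ip_network("159.247.90.0/24"),    # Vlan4 (assumed)
}


class Rule(NamedTuple):
    src_zone: str             # zone name or "*"
    dst_zone: str             # zone name or "*"
    dst_port: Optional[int]   # TCP port, None means any port
    action: str               # "allow" or "deny"


# Firewall rulebase for traffic the router/firewall carries between VLANs,
# evaluated top-down, first match wins. Each tier may reach only the next
# tier and only on its service port; the final catch-all drops everything
# else, so web servers can never talk straight to the database zone (the
# "cross contamination" the slide warns about).
POLICY: List[Rule] = [
    Rule("DMZ-WEB", "DMZ-APP", 8080, "allow"),   # assumed application port
    Rule("DMZ-APP", "DMZ-DB", 1521, "allow"),    # Oracle listener; Oracle is named on the Application slide
    Rule("*", "*", None, "deny"),
]


def zone_of(ip: str) -> Optional[str]:
    """Name of the VLAN zone that contains `ip`, or None if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return (verdict, reason) for one TCP flow.

    Same-zone traffic never reaches the firewall: the switch forwards it at
    Layer 2, so only a VACL on that VLAN could filter it. Cross-zone traffic
    must be routed and is matched top-down against POLICY.
    """
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return "deny", "address outside every defined zone"
    if src_zone == dst_zone:
        return "allow", f"intra-VLAN ({src_zone}): switched at Layer 2, not seen by the firewall"
    for rule in POLICY:
        if (rule.src_zone in ("*", src_zone) and rule.dst_zone in ("*", dst_zone)
                and rule.dst_port in (None, dst_port)):
            return rule.action, f"{src_zone}->{dst_zone}:{dst_port} matched {rule}"
    return "deny", "no matching rule"


def audit(flows: List[Tuple[str, str, int]]) -> List[Tuple[Tuple[str, str, int], str]]:
    """Run observed (src, dst, port) flows through the policy and return each
    with its verdict; handy for checking a proposed rule change offline."""
    return [(flow, evaluate(*flow)[0]) for flow in flows]


if __name__ == "__main__":
    for flow, verdict in audit([
        ("159.247.8.5", "159.247.80.10", 8080),    # web -> app, expected allow
        ("159.247.8.5", "159.247.90.20", 1521),    # web -> db, expected deny
        ("159.247.80.10", "159.247.90.20", 1521),  # app -> db, expected allow
        ("159.247.8.5", "159.247.8.6", 80),        # web -> web, Layer 2 only
    ]):
        print(f"{verdict:5} {flow}")
```

The trade-off the issues list names is visible in the structure: every allowed inter-tier flow is a routed hop through the firewall (overhead and latency), and in exchange the firewall is the single place where the tier-to-tier access control lives.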


Standards involved:

IEEE 802.1Q VLAN Standard

ISL: Cisco proprietary VLAN Trunk Protocol between Cisco devices

VLAN Tagging

Conclusion



Questions?


Thank you for your attention!