REPORT ABOUT OUR NETWORK - WebRing

reekydizzy, Networking and Communications

Oct 28, 2013





1A. Classful and Classless Addressing



We were given the classless address 172.16.64.0/21. If this had been a classful
address it would have been class C and could only support 253 hosts plus the
broadcast and network addresses. Classful addressing imposes strict boundaries between
the network prefix and the host number; in the case of a class C, only the last octet can
be used for hosts, which allows for a large number of networks with few hosts each. The
first 3 octets cannot be changed. This means the finite number of addresses are
allocated in an inefficient manner: a class C may be allocated to a network with only
20 hosts, thus wasting 233.


With classless addressing, the remaining IP addresses are allocated in blocks relative
to the size of the network that will use them. If an organisation needs 1000 hosts it will
be given a block such as 172.16.0.0 to 172.16.3.255, which allows 1024 addresses;
this would be written as 172.16.0.0/22, meaning that the network can borrow up to 2
bits of the third octet. This cuts down on potential waste.


For our network, classless addressing allows us to use some bits from the third octet,
and using variable-length subnet masking we can allocate these to subnets
and hosts as required. The /21 at the end of the address means we cannot change the
first 21 bits. The remaining 11 bits are ours to play with.


1B. Variable-Length Subnet Masking



With non-variable-length subnet masking, the mask is established at the start of the
process and all subnets use this mask. If an organisation with a class C address
requires 5 subnets, then the first 3 bits of the last octet need to be used for the subnet
number; this leaves just 5 bits for hosts in each subnet, representing 27 in decimal.


With variable-length masking, the mask can be changed to reflect the number of hosts required.
Starting with the largest subnet and working down, we can see how many hosts we
need and adjust the mask to make best use of our available addresses. This allows
bigger subnets and cuts down on waste, especially with smaller subnets.


1C. Extending Our Network



Gateshead requires an extra subnet of no more than 100 hosts and Durham one of 10.


Subnet    Required hosts  Network address  Broadcast address  First usable host  Last usable host  Subnet mask
NCL 1     500             172.16.64.0      172.16.65.255      172.16.64.1        172.16.65.254     255.255.254.0
GHD 1     240             172.16.66.0      172.16.66.255      172.16.66.1        172.16.66.254     255.255.255.0
GHD 2     100             172.16.67.0      172.16.67.102      172.16.67.1        172.16.67.101     255.255.255.128
DUR 1     60              172.16.67.103    172.16.67.165      172.16.67.104      172.16.67.164     255.255.255.192
NCL 2     30              172.16.67.166    172.16.67.198      172.16.67.167      172.16.67.197     255.255.255.224
DUR 2     10              172.16.67.199    172.16.67.211      172.16.67.200      172.16.67.210     255.255.255.240
NCL-GHD   2               172.16.67.212    172.16.67.215      172.16.67.213      172.16.67.214     255.255.255.252
NCL-DUR   2               172.16.67.216    172.16.67.219      172.16.67.217      172.16.67.218     255.255.255.252
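As an added illustration of the allocation described in sections 1A to 1C (example code written for this page, not part of the report), the Python below takes the host counts from the table above and carves them out of 172.16.64.0/21 largest-first with variable-length masks; the standard `ipaddress` module does the mask arithmetic, and `REQUIREMENTS` is copied from the table.

```python
import ipaddress

# Host requirements taken from the report's table (section 1C).
REQUIREMENTS = [
    ("NCL 1", 500), ("GHD 1", 240), ("GHD 2", 100), ("DUR 1", 60),
    ("NCL 2", 30), ("DUR 2", 10), ("NCL-GHD", 2), ("NCL-DUR", 2),
]

def prefix_for_hosts(hosts):
    """Shortest host field with room for `hosts` usable addresses plus the
    network and broadcast addresses; returns the prefix length."""
    host_bits = 1
    while 2 ** host_bits - 2 < hosts:
        host_bits += 1
    return 32 - host_bits

def allocate_vlsm(block, requirements):
    """Carve `block` into subnets with variable-length masks.
    Requests are served largest first; each subnet comes from the smallest
    free block that fits it (best fit), so every subnet starts on a
    boundary that is a multiple of its own size."""
    free = [ipaddress.ip_network(block)]
    rows = []
    for name, hosts in sorted(requirements, key=lambda r: r[1], reverse=True):
        plen = prefix_for_hosts(hosts)
        fits = [n for n in free if n.prefixlen <= plen]
        if not fits:
            raise ValueError(f"no free block left for {name} (/{plen})")
        parent = max(fits, key=lambda n: n.prefixlen)   # best fit
        subnet = next(parent.subnets(new_prefix=plen))  # lowest-addressed piece
        free.remove(parent)
        free.extend(parent.address_exclude(subnet))     # hand the remainder back
        usable = list(subnet.hosts())
        rows.append({
            "subnet": name, "hosts": hosts,
            "network": str(subnet.network_address),
            "broadcast": str(subnet.broadcast_address),
            "first": str(usable[0]), "last": str(usable[-1]),
            "mask": str(subnet.netmask),
        })
    return rows

def host_bits_available(block):
    """Bits left for subnets and hosts, e.g. 11 for a /21."""
    return 32 - ipaddress.ip_network(block).prefixlen

if __name__ == "__main__":
    for row in allocate_vlsm("172.16.64.0/21", REQUIREMENTS):
        print("{subnet:8} {hosts:4} {network:15} {broadcast:15} {first:15} {last:15} {mask}".format(**row))
```

Because each subnet is aligned to its own size (a /25 must start on a multiple of 128), the GHD 2 row and those after it come out at different addresses from the table above, which packs the blocks end to end; a block such as 172.16.67.103 with mask 255.255.255.192 cannot be expressed as a network address plus mask, so a router would reject it.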






2A. The Function of an Internet Router



The main functions of an internet router are, broadly, to locate the best routing path
and to transport packets. The optimal path depends upon various criteria called
routing metrics. Examples of these include:


Hop count: the number of nodes a packet has to travel through to get to its destination.

Bandwidth: the amount of data that can be transferred in a given time.

Reliability: in some cases a reliable connection may be more important than a fast one.



There are two sorts of router, static and dynamic. Routers have a routing table that
keeps information on routing metrics, interfaces, destinations and the protocol. A
static router has its table pre-programmed, and it can only be changed manually.


Dynamic routers update their routing tables constantly. This is especially useful
if, for example, a link goes down: the router can recalculate the best path and bypass the
broken link. With link state routing, each router gets the cost of transmitting to its
directly connected neighbours and puts this in its routing table. This is then sent, in
the form of a link state packet, to all routers within the network (smaller messages,
but more of them).



(Diagram from Microsoft, see references)



With distance vector routing, each router talks only to its directly connected
neighbours. Each sends its routing table to the other at regular intervals, and the
optimal paths are recalculated if a vector it receives offers a better path (larger messages,
but fewer of them).


When a packet is sent, it is given a header with the sender's address, the destination
address, information to show where it belongs in the message so the message can be
reassembled, its size, a checksum to ensure data integrity, and data to show the end of
the packet.

Each router uses this information and its own routing table to send the packet to the
next node on the path to its final destination.


2B. Why We Used RIP



Our network utilised the Routing Information Protocol (RIP). We used version 2 as
this allows the use of variable-length subnet masking. RIP is good for relatively small
networks with uniform technology. RIP allows a maximum hop count of 15; our
network is small and will never require a greater hop count than that.


RIP has been a standard implementation because of its ease of implementation. It uses
distance vector routing. The network we were asked to produce is comparatively
simple and does not need to use link state routing, which is more complex.
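To make the distance vector exchange of 2A and the RIP hop limit of 2B concrete, here is an added Python model (example code for this page, not the report's own work) in which every router hands its table to its neighbours each round, adopts any shorter hop count, and treats 16 hops as unreachable. The three-site topology and the 17-router chain are constructed; the GHD-DUR link is an assumption, since the report's table lists only the NCL-GHD and NCL-DUR links.

```python
INFINITY = 16  # RIP: 16 hops means unreachable, so the longest usable route is 15 hops

def initial_table(router, neighbours):
    """A router starts knowing itself (0 hops) and its direct neighbours (1 hop)."""
    table = {router: (0, None)}
    for n in neighbours:
        table[n] = (1, n)
    return table

def rip_converge(links, max_rounds=50):
    """links: {router: set of directly connected routers}.
    Each round every router sends its whole table to each neighbour (the
    distance vector exchange); the receiver adopts a route when the neighbour's
    hop count + 1 beats what it already holds, capped at INFINITY.
    Returns {router: {destination: (hops, next_hop)}} once nothing changes."""
    tables = {r: initial_table(r, nbrs) for r, nbrs in links.items()}
    for _ in range(max_rounds):
        changed = False
        for r, nbrs in links.items():
            for n in nbrs:
                for dest, (hops, _) in tables[n].items():
                    via_n = min(hops + 1, INFINITY)
                    if via_n < tables[r].get(dest, (INFINITY, None))[0]:
                        tables[r][dest] = (via_n, n)
                        changed = True
        if not changed:
            break
    return tables

def without_link(links, a, b):
    """Topology after the a<->b link fails; re-converging from scratch models
    the routers recalculating their best paths around the broken link."""
    new = {r: set(nbrs) for r, nbrs in links.items()}
    new[a].discard(b)
    new[b].discard(a)
    return new

def hops_to(tables, src, dest):
    """Hop count src -> dest in a converged table; INFINITY when unreachable."""
    return tables[src].get(dest, (INFINITY, None))[0]

# Constructed topology: the report's three routers. The GHD<->DUR link is an
# assumption added so that losing NCL<->DUR leaves an alternative path (the
# report's table lists only the NCL-GHD and NCL-DUR point-to-point links).
SITE_LINKS = {"NCL": {"GHD", "DUR"}, "GHD": {"NCL", "DUR"}, "DUR": {"NCL", "GHD"}}
# Constructed chain R0 - R1 - ... - R16, so R16 is 16 hops from R0: beyond RIP's limit.
CHAIN = {f"R{i}": {f"R{j}" for j in (i - 1, i + 1) if 0 <= j <= 16} for i in range(17)}
```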


3A. Network Redundancy





Redundancy means the introduction of surplus equipment to ensure the network can
continue to function should there be a failure in either equipment or links. If there are
two possible paths for transmissions to travel on, then the loss of one path would not
result in the network going down. In the example, figure 2, if switch A were to fail, all
the traffic could be diverted through switch B. Link-level redundancy is the
introduction of multiple links between two devices in the network. Equipment-level
redundancy is the introduction of spare nodes within the network.


Redundancy can cause problems. Whilst switch A is up and running, switch B
should be disabled to avoid loops. The spanning tree protocol (STP) provides backup
links, detects loops and, if necessary, disables equipment to avoid loops. There are
several problems that can result:



Broadcast storms

If two switches provide a link (A and B), and both are in operation, and a host sends
a message, switch A picks it up and attempts to forward it; it sends it to B and then B
sends it back. This loop can continue even after the message reaches its destination, as
both switches continue to broadcast it to each other.



MAC database instability

If a host sends a frame to the router, its MAC address is the source address and the
router's MAC is the destination. Both switches A and B will receive this frame at
port 0. Switch B does not know the MAC of the router and so will send the frame
to segment 2 and on to switch A. B will remove the host MAC address on port 1 and
add a new mapping on port 0 for the host MAC. The frame cannot be sent because the
mapping of the MACs has become unstable.


3B. Setting Up STP on the Network


Root Bridge

Every network should have only one root bridge. It should have the lowest bridge ID
number. This is where the paths that frames take through the network are
assigned. It should be located centrally on the network to provide the shortest path to
other links on the network. Unlike other bridges, the root bridge always forwards
frames out over all of its ports. In the example network the root bridge would be
switch A as this has the lower bridge ID, 2048 aaa.aaa.aaa.


Root Port for Switch B

The root port for switch B will be port 1. Normally this would be the port with the
lowest cost to the root. In our example this port is attached to segment 2, which is at
100Mbps. So port 0, the non-designated port of switch B, will be blocked.

Designated Port

All ports on the root bridge are designated ports, so both port 0 and port 1 on A will be
designated. The designated port on B will be port 1, as port 0 is blocked.


The State of Each Port

All designated ports are always in the forwarding state, allowing them to receive and
forward messages on the segment. So all ports on A and port 1 on B are in the
forwarding state.
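The election described in 3A and 3B, carried out in code as an added example (not part of the report): the lowest bridge ID becomes root, each other bridge's root port is the one with the lowest path cost to the root, each segment's designated port belongs to the bridge with the lowest root path cost, and everything else blocks. Switch A's bridge ID and the 100Mbps segment 2 are from the report; B's priority 32768 and a 10Mbps segment 1 are assumptions.

```python
import heapq

# IEEE 802.1D-1998 port path costs by link speed in Mbps.
PATH_COST = {10: 100, 100: 19, 1000: 4}

def root_path_costs(ports, root):
    """Dijkstra from the root across shared segments. ports: list of
    (bridge, port, segment, speed_mbps). Returns {bridge: (cost, root_port)}."""
    by_bridge, by_segment = {}, {}
    for bridge, port, seg, speed in ports:
        by_bridge.setdefault(bridge, []).append((port, seg, speed))
        by_segment.setdefault(seg, set()).add(bridge)
    best, heap = {root: (0, None)}, [(0, root)]
    while heap:
        cost, bridge = heapq.heappop(heap)
        if cost > best[bridge][0]:
            continue
        for _, seg, speed in by_bridge[bridge]:
            for nb in by_segment[seg] - {bridge}:
                # a bridge pays the cost of the segment it hears the root's BPDUs on
                nb_port = next(p for p, s, _ in by_bridge[nb] if s == seg)
                new_cost = cost + PATH_COST[speed]
                if nb not in best or new_cost < best[nb][0]:
                    best[nb] = (new_cost, nb_port)
                    heapq.heappush(heap, (new_cost, nb))
    return best

def stp_port_states(bridges, ports):
    """bridges: {name: (priority, mac)}; the lowest bridge ID is the root.
    Returns (root, {bridge: (cost, root_port)}, {(bridge, port): state}).
    Equal-cost ties are not broken by sender bridge or port ID (simplification)."""
    root = min(bridges, key=lambda b: bridges[b])
    rpc = root_path_costs(ports, root)
    designated = {}  # segment -> ((root path cost, bridge ID), bridge, port), lowest wins
    for bridge, port, seg, _ in ports:
        key = (rpc[bridge][0], bridges[bridge])
        if seg not in designated or key < designated[seg][0]:
            designated[seg] = (key, bridge, port)
    states = {}
    for bridge, port, seg, _ in ports:
        is_root_port = rpc[bridge][1] == port
        is_designated = designated[seg][1:] == (bridge, port)
        states[(bridge, port)] = "forwarding" if is_root_port or is_designated else "blocking"
    return root, rpc, states

# Constructed from the report's figure: switch A (bridge ID 2048, aaa.aaa.aaa) and switch B
# (assumed priority 32768), port 0 on segment 1 (assumed 10 Mbps), port 1 on segment 2 (100 Mbps).
BRIDGES = {"A": (2048, "aaa.aaa.aaa"), "B": (32768, "bbb.bbb.bbb")}
PORTS = [("A", 0, "seg1", 10), ("A", 1, "seg2", 100), ("B", 0, "seg1", 10), ("B", 1, "seg2", 100)]
```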


4A. Network Security and Firewalls



There are a number of reasons for network security. Confidentiality is important:
only the sender and intended recipients should be able to see and understand the
message. The sender encrypts the data and the recipient decrypts it. Authentication of
the sender and receiver makes sure each end of the connection is what it is meant to
be, to ensure no one gets information that was not intended for them.


The message should be able to get through intact. It must not be possible to alter it en
route, and if it is altered, this should be detected. Making sure, when a message is sent,
that there is proof both of who sent it and who received it.


Making sure viruses etc. cannot get onto the network is very important. One of the
main attacks on a network is denial of service. All services should be available to all
legitimate users at all times. Some common network vulnerabilities include:
inadequate router access control; user accounts with unjustifiably liberal privileges;
software that has weaknesses; unsecured and unmonitored remote access points; lack
of effective policies and procedures; misconfigured firewall access; hosts running
unnecessary services; simple, easily guessed passwords; and inadequate logging,
detection, and monitoring capabilities.




Firewalls are machines or software that lie between the network and the connection
to the outside world. They are the first line of defence for a network. On larger
networks they will be dedicated machines. The firewall checks all messages and drops any that
do not meet the network's security standards. There are several techniques; these
include: a proxy server hides the network addresses by intercepting all the messages;
packet filtering checks all packets and drops any that do not meet the network's
security settings; circuit relay validates the connections at the start, and unless a
session has been validated everything is dropped.


Firewalls can check the validity of the connection, making sure everybody is who
they say they are. This keeps all messages confidential and stops unauthorised persons
intercepting important data. Keeping out potential attacks is a very important function
of the firewall. Attackers can send viruses and spyware etc. and also try to prevent
service by setting up fake TCP connections and clogging up the outgoing connection.
Many attacks are indiscriminate: the hacker scans for unprotected networks and hosts
using software, and even a very simple firewall can fool these searches and protect the
network. Firewalls can also stop people within the company accessing sites they
should not.


4B. Test Plan for Our Access Control List



Our network had some stipulations: DUR and GHD should only be able to access
NCL B, all routers could telnet each other, and NCL B has full access. We achieved
this using a simple access control list (ACL):


access-list 101 permit ip host 172.16.67.66 any
access-list 101 deny ip any any


Test plan

Firstly we checked all routers had a telnet connection. This was simply a case of
trying to telnet to each of the three routers from each other. The control list we put in did
not affect this.


Using ping, we then tried to access each host on each subnet from all the hosts on the
network. NCL B was able to ping all three other example hosts, but GHD and DUR
could not ping any host other than the example file server at NCL B. At the same time
we pinged all hosts and interfaces from NCL B; this too was successful and unaffected
by the ACL.


4C. Changing the ACL for New Access Needs



By allowing a single host FTP access to DUR from GHD, we allow only this
protocol.


The following ACL should be applied to the serial interfaces 0/0 on both the GHD
and the DUR routers. This would allow only these two hosts to exchange files. They
should be set to allow both incoming and outgoing transmissions.




These are based on the revised IP addressing scheme shown at the start of this report.

At GHD

access-list 102 permit tcp 172.16.67.104 0.0.0.0 any eq 21
access-list 102 deny tcp any any eq 21

GHD(config-if)#ip access-group 102 in
GHD(config-if)#ip access-group 102 out

At DUR

access-list 103 permit tcp 172.16.66.2 0.0.0.0 any eq 21
access-list 103 deny tcp any any eq 21

DUR(config-if)#ip access-group 103 in
DUR(config-if)#ip access-group 103 out

At the config serial interface 0/0 prompts, each respective ACL should be put onto the
interface.



To test this ACL, the best approach would be to open up the tftp server and attempt to
send a test file across the connection. We would have to try this both ways and check
that the file arrived intact.
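To check the ACLs of sections 4B and 4C against the test plans before touching a router, here is an added Python evaluator (example code for this page, not part of the report): it parses the numbered extended ACL entries as written above, applies Cisco wildcard matching and first-match semantics with the implicit deny at the end, and can be fed constructed packets whose addresses come from the report's table.

```python
from ipaddress import IPv4Address

def _addr_spec(tokens):
    """One address spec ('any' | 'host A' | 'A WILDCARD') -> ((addr, wildcard) ints, rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(IPv4Address(tokens[0])), int(IPv4Address(tokens[1]))), tokens[2:]

def _port_spec(tokens):
    if tokens[:1] == ["eq"]:          # optional 'eq PORT'; None means any port
        return int(tokens[1]), tokens[2:]
    return None, tokens

def parse_acl(text):
    """Numbered extended ACL lines -> list of (action, proto, src, sport, dst, dport)."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"]:
            continue                  # skip prompts and interface commands
        action, proto = t[2], t[3]
        src, rest = _addr_spec(t[4:])
        sport, rest = _port_spec(rest)
        dst, rest = _addr_spec(rest)
        dport, rest = _port_spec(rest)
        rules.append((action, proto, src, sport, dst, dport))
    return rules

def _matches(spec, ip):
    """Cisco wildcard match: a set wildcard bit means 'don't care'."""
    addr, wildcard = spec
    return ((int(IPv4Address(ip)) ^ addr) & ~wildcard & 0xFFFFFFFF) == 0

def permitted(rules, proto, src, sport, dst, dport):
    """Evaluate one packet top-down: first match wins, no match is the implicit deny."""
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if rproto not in ("ip", proto) or not (_matches(rsrc, src) and _matches(rdst, dst)):
            continue
        if rsport not in (None, sport) or rdport not in (None, dport):
            continue
        return action == "permit"
    return False

# The report's own ACL entries from sections 4B and 4C.
ACL_101 = """access-list 101 permit ip host 172.16.67.66 any
access-list 101 deny ip any any"""
ACL_102 = """access-list 102 permit tcp 172.16.67.104 0.0.0.0 any eq 21
access-list 102 deny tcp any any eq 21"""
```

Running the 4C entries through it shows the gap the tftp test above would hit: replies on the FTP control connection carry port 21 as their source rather than destination, so an entry keyed on `eq 21` as the destination does not pass them, and neither the FTP data connection (port 20, or an ephemeral port in passive mode) nor TFTP (UDP port 69) matches either entry. A stateless ACL therefore needs an explicit entry for the return direction (Cisco's `established` keyword is the usual way) before a transfer in either direction can succeed.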




































References

Understanding IP Addressing. [Online]. Available at http://www.3com.com/other/pdfs/infra/corpinfo/en_US/501302.pdf [accessed on 09/05/05]

Routers. [Online]. Available at http://www2.rad.com/networks/1997/nettut/router.html [accessed on 09/05/05]

Cisco Routing Basics. [Online]. Available at http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/routing.htm [accessed on 09/05/05]

Cisco Introduction to IGRP. [Online]. Available at http://www.cisco.com/warp/public/103/5.html [accessed on 10/05/05]

Extreme Networks. [Online]. Available at http://www.extremenetworks.com/services/documentation/ExtremeWareUser622-Chapter17.asp [accessed on 10/05/05]

RFC 1722. [Online]. Available at http://rfc.slim.summitmedia.co.uk/rfc1722.html [accessed on 10/05/05]

Microsoft. RIP version 2. [Online]. Available at http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/intwork/inae_ips_nxtl.asp [accessed on 10/05/05]

Embedded.com. [Online]. Available at http://www.embedded.com/shared/printableArticle.jhtml?articleID=25600515 [accessed on 11/05/05]

802.1D STP. [Online]. Available at http://www.zyxel.com/support/supportnote/ves1012/app/stp.htm [accessed on 11/05/05]

Burks. [Online]. Available at http://burks.bton.ac.uk/burks/foldoc/subjects/1.htm [accessed on 11/05/05]