Welcome today to the MaxWiFi Training Day: IT Network Design and Installation. The objective of today is to cover my ass during the rally and, on a more serious note, to ensure that all engineers are adept in basic TCP/IP design and installation using specific vendor technology, primarily Cisco, along with key troubleshooting tips from experience, all based on the conceptual and physical network models, notably the OSI (Open Systems Interconnection) model and the TCP/IP model.
1. We have a baseline for all our networks which comprises ADSL modems that can provide DHCP and NAT for multiple simultaneous connections to the internet, or, for more demanding client requirements, we provide ADSL load balancing, which uses a multiple-network model that we will come across in the next section.
This is a simple conceptual model of our event-deployed network topology: we use Cisco ADSL routers to provide a bridged connection to the internal network. The internal network consists of the Xrio Qbalancer, which sits transparently between the ADSL router and our internal router. I will explain in more detail later on, but it allows the Xrio to "fool" the internal router into thinking that it is sending all egress (outgoing) packets to the ADSL router, when in fact the Xrio intercepts them and then sends them to the appropriate ADSL router using its own routing policy. This is the basic model of our network, but let's find out how it works from the stance of the OSI model.
* The physical layer physically transmits signals across a communication medium.
* The data link layer transforms a stream of raw bits (0s and 1s) from the physical layer into an error-free data frame for the network layer.
* The network layer controls the operation of a packet transmitted from one network to another, such as how to route a packet.
* The transport layer splits data from the session layer into smaller packets for delivery on the network layer and ensures that the packets arrive correctly at the other end.
* The session layer establishes and manages sessions, conversations, or dialogues between two computers.
* The presentation layer manages the syntax and semantics of the information transmitted between two computers.
* The application layer, the highest layer, contains a variety of commonly used protocols, such as file transfer, virtual terminal, and email.
We will now take a quick look at the TCP/IP model, which was originally created by the US MOD in the 1970s to allow data to traverse multiple networks even under foreign attack. Its primary function was motivated during the Cold War by the threat of a nuclear attack from Russia that would cause insurmountable damage to the US homeland; a solution was needed so that US bases could still communicate and send messages to each other. Now the TCP/IP mechanism has evolved into what we know of it today: a hybrid mesh network consisting of millions of smaller networks all communicating via packet-switched networks, the TCP control mechanism and the IP addressing system. So what is an IP address?
An IP address is a 32-bit logical address which can be uniquely assigned to each device on a layer 2 network. This 32-bit IP address has two parts (note: draw a binary IP address with its numerical value on the board): one part identifies the network (the network number) and the other part identifies the specific machine or host within the network (the host number). An organisation can use some of the bits in the host part of the address to identify a specific subnet. Effectively, the IP address then contains three parts: the network number, the subnet number, and the machine number.
What do I mean by a layer 2 network? I mean a broadcast domain. A broadcast domain is a subset of devices which can communicate with each other via broadcasts, e.g. all devices on a switch (an unmanaged switch with no VLANs) are part of the same broadcast domain. So all devices in a broadcast domain need a unique layer 3 address (IP address) and a physical layer 2 address (MAC address) to communicate.
There are 5 main classes of IP address: class A, class B, class C, class D and class E.
* Usable Class A IP addresses start from 1-126 (you cannot use 127.x.x.x as an IP address, as this has been set aside by RFC (Request for Comments) 3380 for the local loopback address, used mostly in 10BASE-T networks when everything in a broadcast domain was connected to a hub; we will cover this later).
* Class B IP addresses start from 128-191.
* Class C IP addresses start from 192-223.
* Class D (multicast) addresses start from 224-239.
There are about 16,000 Class B networks: we do not count the first two bits, as this is a class B address so it will always begin with "10", so we use the other 6 bits of the first octet as well as the 8 in the second octet, making a total of 14 bits for the network portion. So we just go 2^14 - 2 = 16,384 available networks, with 65,534 available hosts in each network.
For a Class C network, there are 21 bits available for the network portion, as we can only use 5 bits in the first octet because the first three bits will always be "110" (note: demonstrate on board: 192-223 = 11000000-11011111 are the binary equivalents of the usable IP address range). So this makes a total of over 2 million networks, each one supporting 254 IP addresses; this is of course the most favoured IP address scheme in the world today, with a few variations which we will cover later. (Note: mention subnetting and the need for subnetting: 256 IP addresses is still a waste when only using a point-to-point serial connection.)
At this point, hand out a sheet containing some subnetting questions and, for each IP address, ask them to look at the subnet and tell me:
1. How many IP addresses are in that subnet?
2. What is the network address for that subnet?
3. What is the broadcast address for that subnet?
Get them to show their workings.
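As an added worked answer key for the hand-out (not part of the original training notes), the following Python does the three subnetting questions the slow, board-style way with bit masks rather than a library, and also reports the classful range of the first octet. The sample addresses are constructed for illustration.

```python
def ip_to_int(ip):
    """Dotted-quad string -> 32-bit integer (the board-style 'binary IP address')."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value):
    """32-bit integer -> dotted-quad string."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(ip):
    """Show each octet as 8 bits, e.g. 192.0.0.0 -> 11000000.00000000.00000000.00000000"""
    return ".".join(f"{int(o):08b}" for o in ip.split("."))


def address_class(ip):
    """Classful range of the first octet, as listed on the slide (127 is loopback)."""
    first = ip_to_int(ip) >> 24
    if first == 127:
        return "loopback"
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D (multicast)"
    return "E (reserved)"


def subnet_info(cidr):
    """Answer the three hand-out questions for an address written as a.b.c.d/prefix."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # e.g. /24 -> 255.255.255.0
    addr = ip_to_int(ip)
    network = addr & mask                          # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)     # host bits all set
    total = 1 << (32 - prefix)                     # 2 ^ (number of host bits)
    return {
        "class": address_class(ip),
        "mask": int_to_ip(mask),
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "addresses": total,
        "usable_hosts": max(total - 2, 0),         # minus the network and broadcast addresses
    }


if __name__ == "__main__":
    # Constructed sample questions: a classic /24, a small /28 and a point-to-point /30.
    for question in ("172.16.20.37/24", "192.168.0.35/28", "10.1.2.3/30"):
        print(question, subnet_info(question))
```

The /30 case is the point the note makes: a point-to-point serial link only ever needs two usable addresses, so a whole /24 of 254 would be wasted on it.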
Class D addresses are in the range 224.0.0.0 to 239.255.255.255; we can't use them in the same way as class A, B and C addresses. These are multicast addresses. A multicast is similar to a broadcast, wherein a certain subset of devices is listening using the same address, so when a device sends out a multicast packet, all devices listening on that multicast IP address will listen and respond to it. (E.g. you are back at school, in a classroom, and the teacher shouts out "Chris"; Chris hears it and replies. This is similar to a unicast packet on a network (a unicast is one-to-one, from one computer to another device); most packets on a network are unicast packets, i.e. a web session will be unicast, an FTP session will be unicast, etc. The teacher then shouts out "class"; everyone can hear it and everyone acknowledges it, as it refers to all of them. This is a broadcast: one computer sends out a broadcast packet or frame and everyone else hears it and responds (this is used for DHCP discovers, ARP requests, WINS etc.). The teacher then shouts out "boys"; considering that there are boys and girls in the classroom, everyone hears it but only the boys respond, as it is addressed to them. Well, this is your multicast, similar to a broadcast where everyone can hear it but only the ones it addresses respond.)
Right, now a device has an IP address; it also has its subnet mask, which tells it what its host ID is and what network it is on, and other info as well, like a default gateway and DNS. But in order to communicate with other devices, it needs a layer 2 address, as all LAN networks operate and send data at layer 2. So going back to the OSI model, IP addresses and packets operate at layer 3, the network layer, but what operates at layer 2? Basically the PC places the layer 3 packet into a layer 2 frame. A frame is essentially a protocol data unit which contains layer 2 parameters such as the preamble, the source and destination (MAC) addresses, 802.2 LLC (Logical Link Control) and a checksum, all encapsulated around the layer 3 packet. So the PC wants to send this frame to another computer; let's start off with one on the same LAN. It has the IP address of the other PC, but it needs the other PC's layer 2 MAC address. So…
ARP (Address Resolution Protocol) is basically a way to map a layer 2 MAC address to a layer 3 IP address. So PC A wants to communicate with PC B (note: write this on board). It has PC B's IP address, either via DNS or manual input, so it has put its own IP address into the source IP of the packet and the IP address of PC B into the destination IP of the packet. It now encapsulates that packet inside a layer 2 frame, so it does the same thing again: it puts its own MAC address into the source address (SA) field of the frame, but it now needs the destination MAC address, so it does an ARP broadcast. Remember, a broadcast is a frame which is heard by everyone, so everyone hears it and PC B responds because the IP address is its own. PC A:
So PC A asks the question: who is 192.168.0.35? PC B, recognising this is its own IP address, shouts: I am 192.168.0.35. Now the frame in which PC B replies has PC A's MAC address in its destination field (because PC A put its MAC address into the source address field of the frame and the broadcast address into the destination field), and PC B has put its own MAC address into the source address of its reply frame. So now PC A has PC B's MAC address, because it obtains it from the reply frame's source address field, and those two can now communicate via unicast as they know each other's addresses. That is basically the ARP process. You will need to keep this in mind when setting up the Xrio load balancer, as the Xrio uses something called Proxy ARP to basically "trick" the inside router into thinking that it is sending its egress frames to the edge ADSL router, when in fact it is sending them to the Xrio…
With two directly connected subnets on a router, one subnet may inadvertently overlap with the other connected subnet, but NOT vice versa. Host A needs to send a packet to Host C, but when it compares Host C's IP address against its own subnet mask, /16 or 255.255.0.0, they both match as they are both in the 172.16.0.0 network, when in reality Host C is a /24 (255.255.255.0) and belongs in the 172.16.20.0 network, which is of course different. So Host A, misguided, sends an ARP request for Host C to reveal its MAC address to finish its frame, but of course Host C never hears it, as it is a broadcast and Host C is on the other side of the router, and routers don't allow broadcasts to propagate to other networks, so Host A will never get a response. Well, that is where proxy ARP steps in. It is a process performed by the router: when the router hears the ARP request, it recognises that the IP address is in a different network, so it places its own MAC address in the ARP reply, and Host A will now receive that reply thinking it is from Host C, when in fact it is Host C's IP address but the router's MAC address. So now all frames for that MAC address will be sent to the router, and the router will strip away that frame and encapsulate the IP packet inside a new frame with its own MAC address as the source and Host C's as the destination, so it is now doing the same for Host C. The router is, as it says on the tin, acting as a proxy between the two hosts.
(Note: briefly mention how the Xrio works on this format: when the internal router sends a frame to what it thinks is its default gateway, when it does the ARP request the Xrio will intercept and will say that it is 192.168.0.1 (for example; that is the IP address of the ADSL router), and the internal router will send frames to that MAC address. The Xrio will then receive the frame, strip off the layer 2 frame, check the layer 3 parameters (IP addresses, ports etc.) and reroute it to one of the numerous ADSL routers depending on its routing policy. We will cover this later.)
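To make the ARP exchange and the proxy ARP case concrete, here is an added simulation (my own example code, not from the training notes or from Xrio): hosts on a broadcast domain answer ARP requests only for their own address, while a router answers for addresses it can reach on one of its other segments and puts its own MAC in the reply. The topology, MAC addresses and the router's interface addresses (172.16.10.1 and 172.16.20.1) are constructed assumptions; the PC A / PC B and Host A / Host C addresses are the ones used on the slides.

```python
import ipaddress
from dataclasses import dataclass, field

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class Host:
    name: str
    ip: str
    mac: str
    arp_cache: dict = field(default_factory=dict)   # ip -> mac, learned from replies

    def on_frame(self, frame, segment_name):
        # A host only answers for its own address ("I am 192.168.0.35").
        if frame["op"] == "request" and frame["target_ip"] == self.ip:
            return {"op": "reply", "src_mac": self.mac, "dst_mac": frame["src_mac"],
                    "sender_ip": self.ip, "sender_mac": self.mac}
        return None


@dataclass
class Router:
    name: str
    interfaces: dict        # segment name -> (ip, mac) of the router's interface there
    routes: list            # (ipaddress network, segment name it is reached on)
    proxy_arp: bool = True

    def on_frame(self, frame, segment_name):
        my_ip, my_mac = self.interfaces[segment_name]
        if frame["op"] != "request":
            return None
        target = frame["target_ip"]
        answer_for = None
        if target == my_ip:
            answer_for = target                  # ordinary reply for our own interface
        elif self.proxy_arp:
            # Proxy ARP: the target lives on one of our OTHER segments, so answer
            # with our own MAC while keeping the target's IP as the sender IP.
            for network, via in self.routes:
                if via != segment_name and ipaddress.ip_address(target) in network:
                    answer_for = target
        if answer_for is None:
            return None
        return {"op": "reply", "src_mac": my_mac, "dst_mac": frame["src_mac"],
                "sender_ip": answer_for, "sender_mac": my_mac}


class Segment:
    """One broadcast domain: every attached device hears every broadcast frame."""

    def __init__(self, name):
        self.name = name
        self.attached = []

    def attach(self, *devices):
        self.attached.extend(devices)

    def broadcast(self, sender, frame):
        """Deliver a broadcast to everyone except the sender; return the first reply."""
        for device in self.attached:
            if device is sender:
                continue
            reply = device.on_frame(frame, self.name)
            if reply is not None:
                return reply
        return None


def arp_resolve(host, segment, target_ip):
    """PC A's side of the exchange: broadcast 'who is target_ip?' and cache the answer."""
    if target_ip in host.arp_cache:
        return host.arp_cache[target_ip]
    request = {"op": "request", "src_mac": host.mac, "dst_mac": BROADCAST_MAC,
               "sender_ip": host.ip, "target_ip": target_ip}
    reply = segment.broadcast(host, request)
    if reply is None:
        return None                    # nobody answered: the frame can never be finished
    host.arp_cache[target_ip] = reply["sender_mac"]
    return reply["sender_mac"]


def build_lab(proxy_arp=True):
    """Constructed topology: the PC A / PC B LAN, and the overlapping-subnet router case."""
    lan = Segment("lan")
    pc_a = Host("PC A", "192.168.0.10", "00:00:0a:00:00:0a")
    pc_b = Host("PC B", "192.168.0.35", "00:00:0b:00:00:0b")
    lan.attach(pc_a, pc_b)

    seg1, seg2 = Segment("seg1"), Segment("seg2")
    host_a = Host("Host A", "172.16.10.5", "00:00:aa:00:00:aa")   # thinks it is on a /16
    host_c = Host("Host C", "172.16.20.7", "00:00:cc:00:00:cc")   # really on 172.16.20.0/24
    router = Router("R1",
                    interfaces={"seg1": ("172.16.10.1", "00:00:01:00:00:01"),
                                "seg2": ("172.16.20.1", "00:00:01:00:00:02")},
                    routes=[(ipaddress.ip_network("172.16.10.0/24"), "seg1"),
                            (ipaddress.ip_network("172.16.20.0/24"), "seg2")],
                    proxy_arp=proxy_arp)
    seg1.attach(host_a, router)
    seg2.attach(host_c, router)
    return {"lan": lan, "pc_a": pc_a, "pc_b": pc_b, "seg1": seg1,
            "host_a": host_a, "host_c": host_c, "router": router}


if __name__ == "__main__":
    lab = build_lab()
    print("PC A learns PC B:", arp_resolve(lab["pc_a"], lab["lan"], "192.168.0.35"))
    print("Host A learns 'Host C':", arp_resolve(lab["host_a"], lab["seg1"], "172.16.20.7"))
```

Run it with `proxy_arp=False` and Host A's request for 172.16.20.7 gets no answer at all, which is exactly the failure described above: the broadcast never crosses the router, so Host A can never finish its frame.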
We currently only use LAN switches in our networks to add devices to a single network (or multiple networks if using VLANs), and most of our switches are 100BASE-TX, which indicates 100MB using baseband (it only sends one signal on the wire at a time and does not use any time-division multiplexing on the wire as in broadband), and TX indicates it can receive and transmit at the same time. What does all this mean? Well, in the old days hubs were used on networks to join devices to a network, but they could only operate at half duplex, which means they can only transmit data onto the wire or receive, but not both at the same time. This also meant that all computers on one segment shared the bandwidth, as only one network device could transmit at a time (so a 10MB hub with 10 devices meant you only got 1MB LAN speed). The other problem was collisions: when one device sends a frame out onto the wire, the other devices can hear the wire being used and therefore wait until the wire is clear before sending. This process is derived from CSMA/CD (carrier sense multiple access with collision detection), but if one device sends at the same time as another device, then the frames collide, and these computers know that there is a collision via the loopback adapter (when a device sends out a frame, it also replicates that same frame and sends it back onto its own loopback adapter; if there is a collision, the frame that it receives on its loopback adapter will be different to the one it is sending out). So they then send out a jamming signal to all devices on the network to warn of the collision and set a random timer; when that timer reaches 0, the device resends its frame. So as you can see, the more devices on a segment, the more saturated the network would become, so this is where switches come in…
Switches were the next logical step in the evolution of LAN Ethernet. They operate at layer 2, whereas hubs operate at layer 1, and they isolate every device connected directly into them into its own segment. This not only allows every device to use the full 100MB bandwidth (or 1GB), because they can all send and receive at the same time without fear of collisions (they all send frames on a separate wire from each other); it also essentially doubles the bandwidth (200MB / 2GB), as they can receive and send at the same time. So switches were a great step forward. So you use full duplex on a switch (unless you are connecting a hub to a switch, in which case it should be half).
Switches also brought some intelligence to the game with the use of MAC tables. Now, as we covered earlier, frames sent from devices have a destination and a source MAC address; the switch basically reads the source address and maps it, with the port that the frame came in on, into its MAC table. So essentially the switch will have the MAC address of every device on the network and what port it came in on, so now instead of sending a frame out of every port to reach the destination, it reads the destination MAC address in the frame, looks that MAC address up in the table and sends it out via that port (unless it's a broadcast, which is still sent out of every port apart from the one it came in on). When you first turn a switch on, or you just plug a device into the switch, the MAC table will be empty (or that device won't be in the table), so of course the switch does not know where to send the frame; it initially sends the frame out via every port (apart from the one it was received on), and then, as it now has that frame's source MAC address, it can place that into its table, and from then on any frame destined for that device will be sent only through that port (this is the LLC, Logical Link Control, mechanism, 802.2). So the next time someone mentions they have a network hub, refuse politely; if that same person says "oh, it's a switch, sorry, it's sort of the same thing", attack them wildly with a blunt object!!!
Now, even though all devices are on different segments, they are still in the same broadcast domain, so they can still hear all broadcasts. This of course still increases bandwidth usage with the more devices on the same LAN (or broadcast domain), so a new concept was developed: the VLAN (Virtual LAN).
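The hub-versus-switch difference above comes down to one table. As an added example (not from the training notes), this Python models both devices and runs the same constructed four-frame conversation through each: the switch floods only while the destination is unknown, learns source MACs as it goes, and still floods broadcasts; the hub repeats everything out of every other port forever. Port numbers and MAC addresses are made up for the demonstration.

```python
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Layer 1 repeater: every frame goes out of every other port, no learning at all."""

    def __init__(self, port_count):
        self.ports = list(range(1, port_count + 1))

    def forward(self, in_port, frame):
        return [p for p in self.ports if p != in_port]


class Switch:
    """Layer 2 switch with a MAC table: learn on the source, forward on the destination."""

    def __init__(self, port_count):
        self.ports = list(range(1, port_count + 1))
        self.mac_table = {}   # MAC address -> port it was last seen on

    def forward(self, in_port, frame):
        """Return the list of ports the frame is sent out of."""
        # Learn: the source MAC is reachable via the port the frame arrived on
        # (re-learning also handles a host that moves to another port).
        self.mac_table[frame["src"]] = in_port
        dst = frame["dst"]
        if dst == BROADCAST_MAC or dst not in self.mac_table:
            # Broadcast, or unknown destination: flood out of every port except ingress.
            return [p for p in self.ports if p != in_port]
        out_port = self.mac_table[dst]
        # Destination is on the port the frame came from: nothing to forward.
        return [] if out_port == in_port else [out_port]


def exchange(device, steps):
    """Run a list of (in_port, frame) through a device; return the egress ports per step."""
    return [device.forward(port, frame) for port, frame in steps]


PC_A, PC_B = "00:00:0a:00:00:0a", "00:00:0b:00:00:0b"   # constructed MAC addresses

# Constructed traffic: A talks to B before the switch knows where B is, B replies,
# A talks again, then A sends a broadcast (e.g. an ARP request).
SAMPLE_STEPS = [
    (1, {"src": PC_A, "dst": PC_B}),
    (3, {"src": PC_B, "dst": PC_A}),
    (1, {"src": PC_A, "dst": PC_B}),
    (1, {"src": PC_A, "dst": BROADCAST_MAC}),
]

if __name__ == "__main__":
    print("hub   :", exchange(Hub(4), SAMPLE_STEPS))
    print("switch:", exchange(Switch(4), SAMPLE_STEPS))
```

The third step is the payoff: once B has replied, the switch sends A's next unicast out of port 3 only, so the other ports never see it, whereas the hub still sends it everywhere (which is also why anyone on a hub could read everyone else's traffic).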
So the problem before was that if every device was on the same network, eventually the network would become so congested with layer 2 traffic that bandwidth would become an issue, TCP timeouts would occur and everyone would start to get a bit moody. So we needed to develop a way of having multiple networks. We could just place different people on different switches, but in a large campus or corporate office this would become a bit nasty, so VLANs were created, which allow multiple broadcast domains on a single switch. This solved a lot of issues, especially with converged networks (i.e. VoIP and real-time data on the same network as web, email etc.); we will hopefully cover this a bit more in QoS.
Now let's create a new problem: the finance department exists on two floors, away from each other and separated by multiple switches, but they need to be on the same layer 2 network (e.g. SAGE server, file server etc.), so we need to somehow span that VLAN across multiple switches. Well, we can with the use of trunking. Trunking allows multiple VLANs to propagate or traverse multiple switches, so members of VLAN B can all be on the same VLAN but on several different switches. So you can have your entire switch network configured with the VLANs that you need, and members of VLAN A can see each other even if they are on different switches, but are still separated from other VLANs which are also physically connected to the same switch. Basically there are two types of trunking: 802.1Q, which we use as we use the native VLAN for voice, and Cisco's proprietary trunking protocol ISL (Inter-Switch Link). We will only ever use 802.1Q, which is the non-vendor-specific trunking standard, which means we can create trunks between two switches that are not from the same vendor.
Basically, first things first: we have never needed spanning tree, as it basically protects us from loops in a redundant network (see example). If you remember from the switch mechanism, every broadcast frame is sent out of every port apart from the one it is received on. Well, if you connect a switch to that switch, this concept will prevent a network loop, because as a frame destined for the other switch is sent through the trunk it will be received by the other switch, but the other switch will not pass it back, because it is programmed not to send that frame through that port. So far so good. What happens if we connect a third switch to the second switch and have a redundant link to the first switch? Well, if STP was not activated the frame would go from the first switch to the second switch, which does not pass it back to the first switch but will send it to the third switch, which will not send it back to the second switch but will send it to the first switch, so the first switch will receive it and will start the process again. So we now have a broadcast loop in the network; eventually more frames will loop and our network will saturate fast. With STP activated, it will disable one link and keep the first link active (it could be the other way round). The process, which is called an ELECTION, allows the switches to decide which switch is the root bridge (in this case SW1 is), and so all ports are active and up; then that root bridge will calculate the quickest hop path from all its switches by using certain algorithms (which we won't get into). Anyway, it decides that from itself the path will be B and then A, so the link from switch A to SW1 will be made redundant and the port will be disabled (until the link from A-B or B-1 goes down, in which case spanning tree will send out a TCN (topology change notification) and all switches will re-elect, and then that redundant link that was disabled will be re-enabled dynamically).
That is the basic conceptual understanding of STP: when creating networks with redundant links (i.e. when there is more than one path to a switch), make sure STP is turned on.
Cisco IOS is the native operating system of all Cisco routers and the newer Cisco switches; CatOS was the operating system of the 2900 series and earlier switches. As you can see, there are multiple flavours of IOS, each one giving more functionality than the one below it. We use the Advanced IP Services IOS in all our routers, due to the fact that we need IPsec functionality, and we are also looking into load balancing on Cisco routers, which requires this high-end IOS.
You can establish that you are in user mode by the arrow (>) following the router name; it is also usually the first mode you are in when you first get into the router, either via console or telnet. You can't do any modification to the system and you can't reboot it; it is strictly a basic diagnostic mode.
Enable mode allows for a higher level of authoritative control over the device. You can see more detailed output from show commands, such as NAT translations and access lists.
* Show and debug commands (note: write up example show and debug commands), i.e. debug ip dhcp server packet, and debug ppp authentication to debug the CHAP authentication used on a DSL PPPoA link.
* Ping: a diagnostic tool similar to the one on a Windows or Apple prompt, used to ping devices to test their availability. Show an example of extended ping, where you replace the source address of the ping packet with any interface on the router (to show if it is a local problem or a router problem).
* Traceroute: uses ICMP to show the hop route to a destination. It sends out an initial ICMP packet to the first hop with a TTL of 0, so the next hop knows it's the final destination and does not forward it; instead it responds with its own ICMP packet with its IP address in the source field. The router then sends out the ICMP packet again but increments the TTL to 1, so now the next hop will pick it up, see the TTL is 1, subtract 1 from it and forward it to the next hop, where the next hop will receive the ICMP packet with a TTL of 0 and will send it back with its IP address. This process carries on until we reach the destination IP address.
As you can see, we are now in the thick of it: configuration mode. In enable mode, enter config t and it will take you into config mode. You can tell you are in config mode by the change of prompt; it now reads routername(config)#. We will go through the configuration and command lines for each of these features, as well as the diagnostic tools to troubleshoot them (show and debug).
We will also cover switch configuration. We use 2 different series of Cisco switch: the 3521, which is an older type of switch that we mostly use as endpoint switches (they are only layer 2 and can't implement voice VLANs), and the Cisco 3550 series switches, which offer much higher functionality such as layer 3 routing and CoS (class of service) tagging, which allows voice traffic to be separated from non-voice traffic, so when we plug a PC into the back of a phone they will be on different VLANs. We will also look at broadcast and multicast protection such as storm control, which detects when the level of broadcasts reaches an unusual level (such as a broadcast storm) and then applies an action (in our case, we set it to shut the port down). So now let's start on some practical stuff…
NAT is a very important feature of the Cisco IOS. Basically, no business enterprise wants to purchase a public IP address for every client in its network to connect to the internet; if this were the case, we would have run out of IP addresses a long time ago. So NAT with PAT overloading (Cisco terminology) allows multiple LAN IP addresses to connect to external web servers, FTP servers etc. using the same WAN IP address. (Note: write examples using NAT on the board.)
OK, so let's create a pool of outside global IP addresses to use for outside NAT. Now let's create a standard access list (a standard access list only allows you to define whether to permit or deny source IP addresses; extended access lists allow you to define source and destination IP addresses and ports as well, so you can allow web traffic from one network to another but nothing else), but in the context of what we are doing we only need a standard ACL. Now we need to map the local IPs which were defined in our ACL to the public IP addresses which we defined in our NAT pool "poolname". Next, let's look at how to NAT incoming traffic (i.e. port forwarding).
Let's send incoming web traffic to our internal web server, 10.59.0.100. So "inside" defines an inside address, "source" defines the source IP address, and we are using static NAT (one-to-one); we then define the transport protocol used (HTTP uses TCP), then the internal IP address we are sending traffic to, in this case 10.59.0.100, and the port number (HTTP uses port 80). Now we can define the interface where the traffic is originating from, or the WAN IP, and then the global port (which again is 80). So that is basically NAT. Any questions? If not, then we will move on to assigning IP addresses to interfaces and then applying NAT to those interfaces.
OK, so let's define our inside interface, which our LAN network will be behind, and our outside interface, which connects to the WAN network. Then we give the appropriate IP address to the interface, so let's start with the inside. If we go back to our access list, which defines our LAN network, it is 172.16.0.0, so our LAN interface will be the gateway for that network; let's make it 172.16.0.1. OK, so we have now given that interface the correct IP address and told the router that it is the inside interface for NAT. That interface is ready, so let's define the outside WAN interface. We said in our earlier slides that our WAN IP addresses are 88.97.219.110-112, so let's give it one of those addresses. OK, so now we have assigned that interface the correct WAN IP and told the router that it is the outside interface for NAT, so now we know that traffic will route successfully between these two interfaces. But what about traffic whose destination is not known to the router (i.e. internet traffic)? Well, we put in a static route…
Now routers, as you know, are designed to send packets from one network to another. In order to do this they use route tables (note: do a show ip route to illustrate this point; you should see both the LAN and WAN IP addresses and their interfaces). But where does the router send packets with a destination that is not in its routing table? Well, we use what's called a default route. The ip route command is split into 2 components (similar to an extended ACL): the destination network and the next hop (or interface). 0.0.0.0 0.0.0.0 indicates an IP address that is not in any of its known networks, so we tell the router to send these packets to either the FastEthernet 0/0 interface (WAN) or the next hop (in our case the IP interface which is next after our WAN interface, so behind the Xrio it would be the primary modem). Note: mention that we always have to define the next hop and NOT THE WAN INTERFACE when behind the Xrio, as the Xrio intercepts all ARP requests, which the FastEthernet option relies on to obtain the next hop. So now we have the primary functions set up and done; let's look at secondary functions… DHCP.
DHCP is a protocol used to assign IP addresses automatically to all clients on a broadcast domain, VLAN, layer 2 network etc. You can assign multiple options in a DHCP pool, such as DNS servers and gateway address, and more granular options such as NTP server, TFTP address, WINS etc. If you use multiple LAN interfaces (in our case, sub-interfaces for each VLAN we use), we can have a DHCP pool for each sub-interface. So let's configure our DHCP pool for our LAN interface network, 172.16.0.0.
So let's configure a DHCP pool for our 172.16.0.1 interface. Our LAN interface IP address is 172.16.0.1 with a 255.255.0.0 subnet mask, so we can ascertain that the network is 172.16.0.0. First we create a DHCP pool and give it a name, i.e. voicepool or datapool, depending on who we are giving the IP addresses out to. We then define the network where DHCP broadcast requests will be heard from. So what should we give them? The first and obvious one is the default gateway. Second is DNS servers; they need these to convert FQDNs (www.google.com) to the actual IP address. We can assign other options such as TFTP and WINS, but we don't need them at the moment. So we have configured our router; let's write it to memory.
Now that we have set our router up, we need to save the changes to the startup config, as all changes made to the router are written into the running-config, or DRAM, so if the router is rebooted without saving you will lose all changes since your last save (if you made one). There are two types of configuration: running and startup. When the router boots up, it first places the IOS into running memory, then it copies the startup-config into the running-configuration. You can also copy or save configs to an external TFTP server so you can back up all your configs centrally. Note: take them through the config save process, including TFTP. Now that the router is configured, we will look at the Cisco Catalyst 3550 switch…
We will now set up 3 VLANs: one for VoIP, one for data and one for management. We will assign an IP address to the management VLAN, and a default gateway, which will be the router's FastEthernet0/1 interface. Now we do this for every VLAN we want; we want a VLAN for VoIP and a VLAN for data, but each VLAN needs a different subnet to every other VLAN for routing purposes, and this switch is only connected to one router interface, therefore only one default gateway, so how do we get around this? We use virtual sub-interfaces on the router.
Now we have created our first logical interface. Notice the encapsulation dot1q 1 native command: this tells the router that this interface will be on VLAN 1, so when we connect a switch to this router, all devices on VLAN 1 on the switch will be on this VLAN and therefore have this interface as their default gateway, and DHCP if a DHCP pool is set up on the router. Let's set up another interface for data.
Now we have set up the sub-interfaces on the router, we need to set up a trunk between the router and the switch. The trunk will allow these VLANs to propagate to the switch, and then all we have to do is assign ports on the switch to each VLAN and mission accomplished. Cisco ports are set by default to dynamic trunk negotiation, which means that when you plug the designated switch port into the router they will auto-negotiate a trunk port, but we don't want that; we want to statically trunk them. So now we want to assign ports 3-10 as static switchports and to VLAN 2 (the 18.104.22.168 255.255.0.0 network).
Now we have set up sub-interfaces and the VLANs on the switch to correspond to those interfaces, we have set up inter-VLAN routing, where packets from each VLAN are routed through one router. Now if we want to use more than one switch, we would have to set up a trunk between each switch and create the same VLANs on each switch that we want to use. An easier way to span VLANs across multiple switches is via VTP: this allows you to delegate a switch to be the VTP server, create all the VLANs on this switch, and it will automatically propagate them to all switches in the same VTP domain.
First of all, we allocate one of our switches as the VTP server, so we set these commands to accomplish this. We then log onto all the other switches and set them to clients via these commands. Now we can only create VLANs on VTP server switches, so when we create a VLAN it will instantly replicate to all switches, instead of the administrator having to log onto each switch manually and set up the VLANs. Now that the VLANs have been created and we have assigned ports to each VLAN, we want to set up voice tagging on each port that we will plug a VoIP phone into…
Now we want to separate different data coming through the same port, specifically voice from data. We want to separate these two types of traffic at layer 2/3 due to the aggressive nature of VoIP traffic. So we enable QoS globally on the switch, and then allow the switch to trust the CoS field. So let's set this up.
We now tell the switchport to read the CoS field in the layer 2 frame and, thanks to Cisco implementing pre-defined values for VoIP, it can pick up VoIP traffic and separate VoIP and non-VoIP into different VLANs. So now we have enabled the voice VLAN and defined it on the switch for the ports that will host VoIP, we can now write our switch config to memory in the same way we would do for the router, and move on to our Cisco wireless counterpart, the Cisco 1200 series Aironet.
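The trunking section, the dot1q sub-interfaces and the voice VLAN / CoS section all turn on the same four bytes in the frame, so here is one added example that serves all three (my own code, not from the training notes or from Cisco): it builds and parses an 802.1Q tag, where the 16-bit TCI carries the 3-bit priority (the CoS field the switch is told to trust) and the 12-bit VLAN ID, and models what an 802.1Q trunk does at each end: the native VLAN leaves untagged, every other VLAN is tagged, and an untagged frame arriving on the trunk is put into the native VLAN. The VLAN numbers (20 for voice), the MAC addresses and the payloads are constructed; the voice CoS value 5 is what Cisco IP phones mark their voice traffic with, though the slides do not state the number.

```python
import struct

TPID_8021Q = 0x8100        # EtherType value that says "an 802.1Q tag follows"
ETHERTYPE_IPV4 = 0x0800
COS_VOICE = 5              # CoS Cisco phones use for voice bearer traffic (not on the slide)


def mac_to_bytes(mac):
    return bytes(int(part, 16) for part in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, payload, vlan=None, cos=0, ethertype=ETHERTYPE_IPV4):
    """Ethernet header, optionally with an 802.1Q tag (TPID + 16-bit TCI) inserted."""
    header = mac_to_bytes(dst) + mac_to_bytes(src)
    if vlan is not None:
        if not (0 <= cos <= 7 and 1 <= vlan <= 4094):
            raise ValueError("CoS is 3 bits (0-7); VLAN ID is 12 bits (1-4094)")
        tci = (cos << 13) | vlan          # PCP (CoS) 3 bits | DEI 1 bit (0) | VID 12 bits
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(raw):
    """Decode a frame; tag fields are None when the frame carries no 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    info = {"dst": bytes_to_mac(raw[0:6]), "src": bytes_to_mac(raw[6:12]),
            "vlan": None, "cos": None}
    (ethertype,) = struct.unpack("!H", raw[12:14])
    offset = 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("tagged frame truncated")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        info["cos"], info["vlan"] = tci >> 13, tci & 0x0FFF
        offset = 18
    info["ethertype"], info["payload"] = ethertype, raw[offset:]
    return info


def trunk_egress(vlan, cos, dst, src, payload, native_vlan=1):
    """What an 802.1Q trunk sends: native VLAN leaves untagged, every other VLAN tagged."""
    if vlan == native_vlan:
        return build_frame(dst, src, payload)
    return build_frame(dst, src, payload, vlan=vlan, cos=cos)


def trunk_ingress(raw, native_vlan=1):
    """Classify a frame arriving on a trunk: untagged means native VLAN and CoS 0."""
    info = parse_frame(raw)
    if info["vlan"] is None:
        info["vlan"], info["cos"] = native_vlan, 0
    return info


# Constructed addresses: a phone, a PC behind it and the router sub-interface gateway.
PHONE, PC, GATEWAY = "00:00:c0:ff:ee:01", "00:00:0a:00:00:0a", "00:00:00:00:00:01"

if __name__ == "__main__":
    voice = trunk_egress(20, COS_VOICE, GATEWAY, PHONE, b"rtp")
    data = trunk_egress(1, 0, GATEWAY, PC, b"http")
    print(voice.hex(), trunk_ingress(voice))
    print(data.hex(), trunk_ingress(data))
```

Because the native VLAN travels untagged, both ends of a trunk must agree on which VLAN that is; a mismatch silently merges two VLANs, which is why the slide's `native` keyword on the sub-interface matters.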
We can now move on to our next device configuration toolset, for the Cisco 1200 series Aironet access point. These use the a, b and g standards (802.11). A uses the 5GHz frequency spectrum, so it is not as susceptible to interference as the b/g 2.4GHz spectrum. The A radio is separate from the B/G radio, so we can broadcast either A on its own, b+g on their own, or both together. In this setup, we will configure the A+G radio with an SSID of Maxwifi and WPA encryption with a passphrase of wirele55.
So as you can see in this example, the configuration is modular, which means you set up the SSID (service set identifier) separately from everything else, then you set up the dot11radio interface and then apply the SSID to that interface; this will then broadcast that SSID on that radio. We have now set up the SSID MaxWiFi with WPA encryption and a passphrase of wirele55; now we need to apply this to a radio.
So the first thing to do is to get into the virtual radio interface and allow it to accept cipher keys, so we use the command "encryption mode ciphers tkip". TKIP is a form of hashing (similar to MS-CHAP for PPP CHAP authentication): it basically runs an algorithm against the passkey which produces a crypto code (unrecognisable to the human eye); both ends run the same algorithm against the passphrase and will come up with the same crypto code or hash, so the passcode is never sent in clear text, unlike WEP. Now we set the channel: we can either use Cisco DFS (dynamic frequency system) to select the least congested channel detected, or our own static channel; it is always best to choose your own. Then we just type ssid and the name of our SSID and we are done: the access point should now broadcast that SSID on the channel we have selected, encrypted with WPA.
Training Day Slides
MaxWiFi Training Day: IT Network Design and Installation. Monday 24th November 2008 and Tuesday 25th November 2008.
What Do We Do?
* To provide a fast, reliable Internet solution to all clients while maintaining flexibility to accommodate bespoke networks based around clients' key requirements.
* Ensure 100% reliability during all of the event by providing fault tolerance and dynamic load balancing.
OSI Model
* Ensures delivery of packets (transport)
* Transforms raw bits into frames (data link)
* Transmits signals across cable (physical)
* Controls and routes packets (network)
* Establishes and maintains sessions (session)
* Manages data conversion and syntax (presentation)
* Top layer protocols, HTTP, FTP etc. (application)
TCP/IP Model
* The actually implemented network model, facilitating standards across vendors.
* Similar to the OSI model, based on packet-switching technology.
* Originally created by the U.S. to maintain data communication even under foreign attack.
Internet Protocol (IP)
* 32 bits representing a numerical address for each device on a network.
* 5 main classes of IP addresses.
* An IP address is separated into 3 parts: network, subnet and host.
* Classes A, B and C are used in defining hosts.
* Class D is used for multicast addressing (routing protocols use multicasts to communicate routing updates and replies).
Class A IP addresses
* First octet, i.e. in 10.59.0.34, 10 is the first octet and represents the network number, so there are up to 127 networks in a Class A range (1-127).
* The last three octets represent the host number, so there are 16777214 available hosts for each network.
* (We work this out by calculating how many bits there are in the host portion: there are 8 bits in each octet and 3 octets for the host, so 24 bits, and each bit represents a 1 or 0, so it is 2^24 - 2 (for the network and broadcast addresses).)
Class B IP addresses
* First two octets, i.e. in 172.16.0.34, represent the network number, so there are up to 16,000 networks in a class a range (1-127).
* The last two octets represent the host number, so there are 65,534 available hosts for each network.
* (We work this out by calculating how many bits there are in the host portion: there are 8 bits in each octet and 2 octets for the host, so 16 bits, and each bit represents a 1 or 0, so it is 2^16 - 2 (for the network and broadcast addresses).)
Class C IP Addresses
* First three octets, i.e. in 192.168.0.34, represent the network number, so using the formula 2^21 we know there are up to 2097125 networks in a Class C range.
* The last octet represents the host number, so there are 254 available hosts for each network.
* (We work this out by calculating how many bits there are in the host portion: there are 8 bits in each octet and 1 octet for the host, so 8 bits, and each bit represents a 1 or 0, so it is 2^8 - 2 (for the network and broadcast addresses), leaving 254 usable host IP addresses.)
Class D and E Addresses
* Class D addresses are 22.214.171.124 to 126.96.36.199
  * Multicast addresses, used by routing protocols to communicate between routers (routing updates etc.)
* Class E addresses are 240.0.0.1 to 254.255.255.255; these are reserved and should not be used on any IP network.
* ANY QUESTIONS SO FAR?
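The class and host-count arithmetic from the last four slides, carried through in code. This is an added example for these notes, not Cisco or MaxWiFi code; it also generalises past the classful case to any dotted mask (for instance the 255.255.255.248 used for the NAT pool later on), which the slides do not show.

```python
"""Classful IPv4 breakdown: the 2^host_bits - 2 arithmetic from the slides."""
import ipaddress

# Default (classful) prefix lengths. Classes D and E have no host portion.
CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}


def address_class(addr):
    """The class is decided by the leading bits of the first octet."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return "A"  # 0xxxxxxx  (1-127 usable, 0 reserved)
    if first_octet < 192:
        return "B"  # 10xxxxxx  (128-191)
    if first_octet < 224:
        return "C"  # 110xxxxx  (192-223)
    if first_octet < 240:
        return "D"  # 1110xxxx  multicast
    return "E"      # 1111xxxx  reserved


def breakdown(addr, mask=None):
    """Network, broadcast, host bits and usable hosts for addr.

    With no mask the classful default is used (the slides' case); with a
    dotted mask (e.g. the 255.255.255.248 NAT pool mask) any subnet works.
    """
    cls = address_class(addr)
    if mask is None:
        if cls not in CLASSFUL_PREFIX:
            # Multicast / reserved: there is no network/host split to compute.
            return {"class": cls, "network": None, "broadcast": None,
                    "mask": None, "host_bits": 0, "usable_hosts": 0}
        prefix = CLASSFUL_PREFIX[cls]
    else:
        prefix = ipaddress.IPv4Network(("0.0.0.0", mask)).prefixlen
    net = ipaddress.IPv4Network((addr, prefix), strict=False)
    host_bits = 32 - prefix
    return {
        "class": cls,
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
        "host_bits": host_bits,
        # 2^host_bits minus the network and broadcast addresses, as on the slides
        "usable_hosts": max(2 ** host_bits - 2, 0),
    }


if __name__ == "__main__":
    for a in ("10.59.0.34", "172.16.0.34", "192.168.0.34", "224.0.0.5"):
        print(a, breakdown(a))
    print("18.104.22.168 /29", breakdown("18.104.22.168", "255.255.255.248"))
```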
What's in a frame?
* The layer 2 Protocol Data Unit, which encapsulates the layer 3 packet and transports it across the LAN to another PC or a router/gateway.
* Contains source and destination MAC addresses.
ARP - Address Resolution Protocol
* 802.3 Ethernet mechanism to resolve a MAC address when only the IP address is known.
* Broadcast mechanism, so more network nodes on the same network means it is more bandwidth intensive.
ARP - Address Resolution Protocol
* PC A: "who is 192.168.0.35"
* PC B: "I am 192.168.0.35"
Proxy ARP:
* Host A needs to send a packet to Host C, looks at its IP address and does an ARP request.
* The router intercepts it and places its own MAC address in the ARP reply.
* The router does the same for Host C's replies.
10BASET 100BASETX Networks
* 10BASET represents old, mostly outdated hub networks which ran on half duplex transmission.
* Computers connected to hubs shared bandwidth, as only one frame could be on the wire at a time.
* CSMA/CD (Carrier sense multiple access / carrier detection) would allow devices to sense collisions and resend after a random time interval.
LAN Switches
* Full duplex, allowing devices to receive and send at the same time.
* Gave full bandwidth to every device connected.
* Stackable - some switches are stackable, meaning multiple clusters of switches can operate as one logical switch.
* LLC (logical link control, 802.2) allows for intelligent frame switching due to the MAC table.
VLANS AND 802.1Q Trunk
* Allow multiple networks on one switch.
* Separate voice traffic from data traffic.
* Span VLANs across multiple switches with the use of 802.1q trunking.
* 802.1q is a vendor-neutral trunk protocol which allows trunks to be created between different vendors' switches.
Spanning-Tree Protocol
* Allows a loop-free redundant network.
Cisco IOS and CLI
* Cisco Internetwork Operating System, giving a more granular approach to network design and implementation.
* Each IOS offers different functionality in the context of your business needs and objectives.
CLI Modes: User Mode
* Basic mode only allowing basic commands, such as showing system information and system output.
* Can't be used to modify configuration parameters or to restart the system; essentially no damage can be done via this mode.
* You can establish that you are in user mode by the prompt:
  * Routername>
Enabled Mode
* Higher privileged mode used for more authoritative commands.
* Used to reboot the device and to load/save configs.
* Also used for debugging - probably the key command in enabled mode for troubleshooting.
* Used to telnet between devices.
* Show commands - see specific components of the configuration, such as access lists or NAT translations.
* Ping other devices or routers - extended ping.
* Traceroute - tests latency and diagnoses problems on every hop to the destination.
Router Configuration Mode
* The most dangerous mode in the CLI: you can make global modifications to the router.
* Create and modify NAT.
* Create and modify ACLs (Access Control Lists).
* Make static routes.
* QoS - class maps and policy maps.
* DHCP.
* IPSec VPN implementation.
* Dot1q VLAN sub-interfaces.
* Saving and loading configurations from TFTP.
Switch Configuration Mode
* VLAN setup.
* VTP (virtual trunk protocol).
* Switch port interfaces and static and dynamic trunking.
* Layer 3 features such as routing and inter-VLAN routing.
* Voice VLAN tagging (Cisco 3550 series) and native VLAN.
* Saving and loading configurations from TFTP.
* Spanning tree portfast.
* Port security and storm control.
NAT (Network Address Translation)
* Used to allow multiple devices to share (or overload) a public IP address.
* Define which IP addresses / ranges of IP addresses use which public IP address via access lists.
* Static NAT is a one-to-one mapping (one LAN IP to one public IP).
* NAT with PAT (port address translation) allows multiple LAN IP addresses to share one public IP.
* Used to direct incoming traffic to different servers (port forwarding).
* Let's start off by creating a NAT pool.
NAT (Network Address Translation)
* Routername(config)#ip nat pool poolname 188.8.131.52 184.108.40.206 netmask 255.255.255.248
  * This creates a NAT pool containing 3 public IP addresses to use.
  * Now that we have created the pool, we need to define the LAN IP addresses:
  * Routername(config)#access-list 10 permit 172.16.0.0 0.0.255.255
  * Now we need to tell the router to use poolname with access list 10:
  * Routername(config)#ip nat inside source list 10 pool poolname overload
NAT (Network Address Translation)
* Routername(config)#ip nat inside source static tcp 10.59.0.100 80 interface fastethernet0/0 80
  * Or
* Routername(config)#ip nat inside source static tcp 10.59.0.100 80 220.127.116.11 80
  * This now forwards incoming traffic with destination port 80 to 10.59.0.100.
Sub-Interface IP and NAT
* Let's define the inside interface (telling the router that our fastethernet0/1 interface is the NAT inside) and give it an IP address:
  * Routername(config)#interface fastethernet0/1
  * Routername(config-if)#ip address 172.16.0.1 255.255.0.0
  * Routername(config-if)#ip nat inside
  * Let's define the outside interface (telling the router that our fastethernet0/0 interface is the NAT outside) and give it an IP address:
  * Routername(config)#interface fastethernet0/0
  * Routername(config-if)#ip address 18.104.22.168 255.255.255.248
  * Routername(config-if)#ip nat outside
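A small model of what the NAT commands on the last four slides make the router do, as an added example for these notes (not IOS or MaxWiFi code): the wildcard-mask match of access-list 10, pool allocation with overload (PAT) for outbound flows, the reverse lookup for return traffic, and the static port forward. The pool addresses are constructed RFC 5737 test addresses standing in for the slide's public range, and one simplification is labelled in the docstring.

```python
"""Model of: access-list 10 permit 172.16.0.0 0.0.255.255
             ip nat pool poolname <first> <last> netmask 255.255.255.248
             ip nat inside source list 10 pool poolname overload
             ip nat inside source static tcp 10.59.0.100 80 <public> 80
Simplification: IOS keeps the inside source port when it is free on the
global address; this model always hands out a fresh global port.
"""
import ipaddress
from itertools import count


def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


def acl_permits(addr, acl_net, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(acl_net) & care)


class PatRouter:
    def __init__(self, pool_first, pool_last, acl_net, wildcard):
        self.acl = (acl_net, wildcard)
        self.pool = [str(ipaddress.IPv4Address(i))
                     for i in range(ip_int(pool_first), ip_int(pool_last) + 1)]
        self.ports = count(1024)   # global ports handed out for overload
        self.dynamic = {}          # (inside ip, port) -> (global ip, port)
        self.reverse = {}          # (global ip, port) -> (inside ip, port)
        self.static = {}           # port forwards: (global ip, port) -> (inside ip, port)

    def add_static(self, inside, inside_port, public, public_port):
        """ip nat inside source static tcp <inside> <port> <public> <port>"""
        self.static[(public, public_port)] = (inside, inside_port)

    def outbound(self, src, sport):
        """Inside -> outside. Returns the translated (ip, port), or None when
        the source is not matched by list 10 and is forwarded untranslated."""
        if not acl_permits(src, *self.acl):
            return None
        flow = (src, sport)
        if flow not in self.dynamic:
            # overload: cycle through the pool, one fresh global port per flow
            glob = (self.pool[len(self.dynamic) % len(self.pool)], next(self.ports))
            self.dynamic[flow] = glob
            self.reverse[glob] = flow
        return self.dynamic[flow]

    def inbound(self, dst, dport):
        """Outside -> inside. Static entries first, then the dynamic table;
        anything else has no translation and is dropped at the outside interface."""
        return self.static.get((dst, dport)) or self.reverse.get((dst, dport))


if __name__ == "__main__":
    # constructed TEST-NET-3 addresses stand in for the slide's public /29 range
    r = PatRouter("203.0.113.9", "203.0.113.11", "172.16.0.0", "0.0.255.255")
    r.add_static("10.59.0.100", 80, "203.0.113.9", 80)
    print(r.outbound("172.16.0.50", 40000))   # translated via the pool
    print(r.outbound("10.59.0.5", 1234))      # not in list 10: None
    print(r.inbound("203.0.113.9", 80))       # port forward to the web server
```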
Static Routes
* We need to tell the router where to send packets with an unknown destination.
* In configuration mode, we define the route:
  * Routername(config)#ip route 0.0.0.0 0.0.0.0 fastethernet0/0
  * Or
  * Routername(config)#ip route 0.0.0.0 0.0.0.0 22.214.171.124
  * So now we have a router that can route from LAN to WAN, performing NAT and sending internet traffic correctly to the WAN interface.
  * So let's look at DHCP next.
DHCP (Dynamic Host Configuration Protocol)
* Used to assign IP addresses from a set pool.
* Assigns default gateway, DNS and other network information.
* Multiple DHCP pools, one for each interface or sub-interface, for inter-VLAN routing.
* TFTP server assignment to VoIP phones.
DHCP Configuration
* Routername(config)#ip dhcp pool poolname
* Routername(dhcp-config)#network 172.16.0.0 255.255.0.0
  * This tells the router to assign IP addresses to requests originating from the 172.16.0.0 interface.
* Routername(dhcp-config)#default-router 172.16.0.1
  * This tells the router to tell clients that the default gateway is 172.16.0.1.
* Routername(dhcp-config)#dns-server 126.96.36.199 188.8.131.52
  * This tells the router to hand out 184.108.40.206 and 220.127.116.11 as the primary and secondary DNS servers.
CLI - saving and loading configs
* Everything done in configuration terminal is applied to the running-configuration.
* Routername#copy running-config startup-config
  * Now the config is saved to NVRAM, so when the router is rebooted the config will be the same.
  * Routername#copy startup-config tftp://172.16.0.100
    * Copy the config to a TFTP server (LAN or WAN).
  * Routername#copy tftp://172.16.0.100/startup.txt start
    * Copies a configuration text file from the TFTP server to startup-config.
Cisco Catalyst 3550
* Similar to the router IOS, with three modes: user mode, exec mode and configuration mode.
* How to set up VLANs and assign an IP address to a VLAN for management purposes.
* Assign a port or range of ports to a VLAN.
* Apply CoS tagging to allow VoIP traffic to be separated from non-VoIP traffic on a switchport.
* Set up trunk ports using 802.1q trunking.
* Storm-control and portfast.
Vlans and VTP
* Switchname(config)#vlan 1
* Switchname(config-vlan)#name voip
* We have now named a VLAN; this puts the VLAN into the VLAN database.
  * Now let's give this VLAN an IP address of 172.16.200.1; this effectively gives the switch that IP address.
  * Switchname(config)#interface vlan 1
  * Switchname(config-if)#ip address 172.16.200.1
802.1q and sub-interfaces
* Create multiple interfaces from one physical interface, one sub-interface for each VLAN.
* Created on the router LAN interface.
  * Let's create a sub-interface:
  * Routername(config)#interface fas0/1.1
  * Routername(config-subif)#encapsulation dot1Q 1 native
  * Routername(config-subif)#ip address 172.16.0.1 255.255.0.0
  * Routername(config-subif)#ip nat inside
802.1q and sub-interfaces
* Routername(config)#interface fas0/1.2
* Routername(config-subif)#encapsulation dot1Q 2
* Routername(config-subif)#ip address 18.104.22.168 255.255.0.0
* Routername(config-subif)#ip nat inside
  * We have now set up a second interface in VLAN 2, so all devices in VLAN 2 on the switch(es) will use this interface as their gateway and obtain DHCP via this interface.
  * We now have 2 sub-interfaces under the physical fastethernet0/1 interface; all we have to do is set up DHCP for the new network and amend access list 10 to allow the new network to be NATed.
Switchport Trunk
* Statically assign a trunk port between the router and switch:
  * Switchname(config)#interface fas0/1
  * Switchname(config-if)#switchport trunk encapsulation dot1q
  * Switchname(config-if)#switchport mode trunk
  * Switchname(config-if)#speed 100
  * Switchname(config-if)#duplex full
  * We have set up fastethernet port 1 on the switch to trunk to the router.
  * Let's assign ports 3 to 10 on the switch to VLAN 2 (data):
  * Switchname(config)#interface range fas0/3 - 10
  * Switchname(config-if-range)#switchport mode access
  * Switchname(config-if-range)#switchport access vlan 2
Cisco VTP (virtual trunk protocol)
* Allows easy implementation of spanning VLANs via centralised management.
* Three modes of VTP: server, client and transparent.
* Create VLANs on the server and the VLANs will replicate to all switches in the same VTP domain.
* Our VTP domain is Maxwifi…so
QoS (quality of service) via CoS (class of service)
* The switchport recognises voice traffic from non-voice via layer 2 CoS.
* Set up a voice VLAN and a data VLAN on the same port.
* Enable QoS to trust CoS and VoIP traffic.
Voice Vlan
* These commands will set up a port to separate voice and non-voice into 2 different VLANs:
  * Switchname(config)#mls qos
  * Switchname(config)#interface range fas0/2 - 12
  * Switchname(config-if-range)#mls qos trust cos
  * Switchname(config-if-range)#mls qos trust device cisco-phone
  * Switchname(config-if-range)#switchport voice vlan 1
  * Switchname(config-if-range)#switchport access vlan 2
  * Now a PC plugged directly into a phone will use VLAN 2 and the phone will use VLAN 1, separating the traffic.
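To make the voice/data split on this slide concrete, here is an added example (not the page's or Cisco's code) that parses 802.1Q-tagged Ethernet frames and applies the port policy above: untagged PC frames land in access VLAN 2 with CoS 0, frames the phone tags with VLAN 1 keep their 802.1p priority only while the port trusts CoS, and tags for any other VLAN are dropped. The frame bytes and MAC addresses are constructed; the `trust_cos=False` path stands for a port on which `mls qos trust device cisco-phone` has not detected a phone.

```python
"""802.1Q tag parsing and the voice-VLAN / access-VLAN port decision."""
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
ACCESS_VLAN = 2       # switchport access vlan 2  (PC / data)
VOICE_VLAN = 1        # switchport voice vlan 1   (phone)


def parse_frame(frame):
    """Split an Ethernet frame into addresses, optional 802.1Q tag, type, payload."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"),
            "tagged": False, "vlan": None, "cos": None}
    offset = 14
    if ethertype == TPID_8021Q:
        # TCI: 3 bits PCP (CoS), 1 bit DEI, 12 bits VLAN ID, then the real type
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, cos=tci >> 13, vlan=tci & 0x0FFF)
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def classify_port_ingress(frame, trust_cos=True):
    """Return (vlan, cos) the switch assigns to a frame entering the voice/data port.

    trust_cos=False models the port with 'mls qos trust device cisco-phone'
    when no Cisco phone is detected: the marking is rewritten to 0, so a host
    cannot give its own traffic voice priority just by tagging it.
    """
    f = parse_frame(frame)
    if not f["tagged"] or f["vlan"] == 0:
        return ACCESS_VLAN, 0           # untagged / priority-tagged PC traffic
    if f["vlan"] == VOICE_VLAN:
        return VOICE_VLAN, (f["cos"] if trust_cos else 0)
    return None, None                   # tag for a VLAN not on this port: dropped


def build_frame(dst, src, vlan=None, cos=0, ethertype=0x0800, payload=b""):
    """Constructed test frames: tagged when vlan is given, untagged otherwise."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (cos << 13) | vlan)
    return hdr + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    voice = build_frame("00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", vlan=1, cos=5, payload=b"RTP")
    data = build_frame("00:11:22:33:44:55", "aa:bb:cc:dd:ee:02", payload=b"HTTP")
    print(parse_frame(voice))
    print(classify_port_ingress(voice), classify_port_ingress(data))
```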
Cisco Aironet 1200 series
* GUI or CLI based.
* Uses the A, B and G standards (2.4 and 5GHz).
* Supports multiple modes of encryption, including WEP and WPA with TKIP.
Cisco 1200 aironet config
* We need to assign a static IP to the device or it will pick one up dynamically via DHCP:
  * Apname(config)#interface BVI1
  * Apname(config-if)#ip address 22.214.171.124 255.255.0.0
  * We have now assigned an IP, so now we will set up the SSID:
  * Apname(config)#dot11 ssid MaxWiFi
  * Apname(config-ssid)#authentication open
  * Apname(config-ssid)#authentication key-management wpa
  * Apname(config-ssid)#guest-mode
  * Apname(config-ssid)#wpa-psk ascii wirele55
Cisco 1200 aironet setup
* We will now apply the SSID MaxWiFi to the dot11radio0 interface:
  * Apname(config)#interface dot11radio0
  * Apname(config-if)#encryption mode ciphers tkip
  * This has set the interface to support the TKIP cipher, which is required for WPA.
  * Apname(config-if)#channel least-congested
  * Or
  * Apname(config-if)#channel <1-13> (a static channel of your choice)
  * Apname(config-if)#ssid MaxWiFi
  * This will now broadcast MaxWiFi with WPA encryption.
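The "both ends run the same algorithm against the passphrase" point in the notes above and the `wpa-psk ascii` / TKIP configuration on these two slides, as an added example (not Aironet or MaxWiFi code): WPA-Personal derives the Pairwise Master Key from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 rounds, 256-bit output), and it is this derived key, never the passphrase, that the 4-way handshake works from. The SSID and passphrase values are the ones on the slides.

```python
"""WPA-Personal passphrase-to-PMK mapping (IEEE 802.11i) and the AP/client check."""
import hashlib
import hmac


def wpa_pmk(passphrase, ssid):
    """PMK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096 iterations, 32 bytes).

    The SSID is the salt, so the same passphrase yields a different key on
    every SSID, and the 4096 rounds are the whole cost of testing one guess,
    which is why passphrase length and randomness carry the security.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), 4096, dklen=32)


def same_key(ap_passphrase, client_passphrase, ssid):
    """What the handshake effectively proves: both sides derived the same PMK.

    Neither side ever transmits the passphrase or the PMK; each derives it
    locally and the handshake MICs only agree when the keys match.
    """
    return hmac.compare_digest(wpa_pmk(ap_passphrase, ssid),
                               wpa_pmk(client_passphrase, ssid))


if __name__ == "__main__":
    # the AP from the slides: dot11 ssid MaxWiFi / wpa-psk ascii wirele55
    pmk = wpa_pmk("wirele55", "MaxWiFi")
    print("PMK:", pmk.hex())
    print("client with right passphrase:", same_key("wirele55", "wirele55", "MaxWiFi"))
    print("client with wrong passphrase:", same_key("wirele55", "wirele56", "MaxWiFi"))
```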