Technical Training v1.1.pptx
- 1. TECHNICAL TRAINING
www.cyberoam.com © Copyright 2012. Cyberoam Technologies Pvt. Ltd. All Rights Reserved. Technical Training v1.1
- 2. TRAINING PREREQUISITES
The training program assumes participants have operational familiarity with the following concepts:
Operational OS understanding
OSI & TCP/IP layers and their functions
Ethernet standards
TCP/IP protocol suite
Protocols like HTTP, HTTPS, DNS, FTP, SSH etc.
Fundamentals of IP addressing
- 3. MODULE 1 - SWITCHING
Switching Services
LAN Switch Types
VLANs
VLAN trunking Protocols
Inter VLAN Routing
Layer 2 and Layer 3 Switching
- 4. MODULE 2 - ROUTING
IP Routing Basics
Static and Dynamic NAT
Port Forwarding
Static Routing
Dynamic Routing Basics
- 5. MODULE 3 - SECURITY
Types of Threats
Layer 2 Security
Layer 3 Security
IDS & IPS
VPN
- 6. MODULE 4 - CCNSP
About Cyberoam and Features
Cyberoam Deployment Modes
Appliance Access Control
Firmware and Backup Management
Boot Loader
Firewall Management
Layer 2 Firewall & Security Features
User Authentication and Login Restriction
User Types and Profile Management
External Authentication Types
Web and Application Filter
- 7. MODULE 4 - CCNSP
Cyberoam Web Proxy Features
Access Time, Data Transfer, Surfing Quota and QOS policies
Gateway Antivirus and Antispam
Cyberoam VPN Features
Gateway Management
Cyberoam Routing Features
Logging Management (Syslog/SNMP)
Diagnostic Tools
Use of CLI-based IPSec routes to add routes for destinations reached over the tunnel.
Use of CTAS at the BO with the HO's AD, and use of an IPSec route for CTAS.
- 8. Module 1
SWITCHING
- 9. Switching Concepts
Layer 2 Switching
VLANs
Spanning Tree Protocol
Layer 3 Switching
Troubleshooting LAN Switching
OBJECTIVES
- 10. OSI REFERENCE MODEL
The International Organization for Standardization (ISO) established a committee in 1977 to develop an architecture for computer communication.
Open Systems Interconnection (OSI) reference model is the result of this effort.
In 1984, the Open Systems Interconnection (OSI) reference model was approved
as an international standard for communications architecture.
Term “open” denotes the ability to connect any two systems which conform to
the reference model and associated standards.
- 11. OSI REFERENCE MODEL
The OSI model is now considered the primary architectural model for inter-computer communications.
The OSI model describes how information or data makes its way from application programmes (such as spreadsheets) through a network medium (such as wire) to another application programme located on another network.
The OSI reference model divides the problem of moving information between computers over a network medium into SEVEN smaller and more manageable problems.
This separation into smaller more manageable functions is known as layering.
- 13. OSI: A LAYERED NETWORK MODEL
The process of breaking up the functions or tasks of networking into layers
reduces complexity.
Each layer provides a service to the layer above it in the protocol specification.
Each layer communicates with the same layer’s software or hardware on other
computers.
The lower four layers (transport, network, data link and physical; Layers 4, 3, 2 and 1) are concerned with the flow of data from end to end through the network.
The upper three layers of the OSI model (application, presentation and session; Layers 7, 6 and 5) are oriented more toward services to the applications.
Data is Encapsulated with the necessary protocol information as it moves down
the layers before network transit.
- 14. PHYSICAL LAYER
Provides physical interface for transmission of information.
Defines rules by which bits are passed from one system to another on a physical
communication medium.
Covers all mechanical, electrical, functional and procedural aspects of physical communication.
Such characteristics as voltage levels, timing of voltage changes, physical data
rates, maximum transmission distances, physical connectors, and other similar
attributes are defined by physical layer specifications.
- 15. DATA LINK LAYER
The data link layer attempts to provide reliable communication over the physical layer interface.
Breaks the outgoing data into frames and reassembles the received frames.
Creates and detects frame boundaries.
Handles errors by implementing an acknowledgement and retransmission scheme.
Implements flow control.
Supports point-to-point as well as broadcast communication.
Supports simplex, half-duplex or full-duplex communication.
- 16. NETWORK LAYER
Implements routing of packets through the network.
Defines the most optimum path the packet should take from the source to the destination.
Defines logical addressing so that any endpoint can be identified.
Handles congestion in the network.
Facilitates interconnection between heterogeneous networks (Internetworking).
The network layer also defines how to fragment a packet into smaller packets to
accommodate different media.
- 17. TRANSPORT LAYER
Purpose of this layer is to provide a reliable mechanism for the exchange of data
between two processes in different computers.
Ensures that the data units are delivered error free.
Ensures that data units are delivered in sequence.
Ensures that there is no loss or duplication of data units.
Provides connectionless or connection-oriented service.
Provides connection management.
Multiplexes multiple connections over a single channel.
- 18. SESSION LAYER
Session layer provides mechanism for controlling the dialogue between the two
end systems. It defines how to start, control and end conversations (called
sessions) between applications.
This layer requests a logical connection to be established on an end-user's request.
Any necessary log-on or password validation is also handled by this layer.
Session layer is also responsible for terminating the connection.
This layer provides services like dialogue discipline which can be full duplex or
half duplex.
Session layer can also provide check-pointing mechanism such that if a failure of
some sort occurs between checkpoints, all data can be retransmitted from the
last checkpoint.
- 19. PRESENTATION LAYER
Presentation layer defines the format in which the data is to be exchanged
between the two communicating entities.
Also handles data compression and data encryption (cryptography).
- 20. APPLICATION LAYER
The application layer interacts with application programs and is the highest layer of the OSI model.
Application layer contains management functions to support distributed
applications.
Examples of application layer are applications such as file transfer, electronic
mail, remote login etc.
- 21. OSI IN ACTION
A message begins at the top application layer and moves down the OSI layers to the bottom physical layer.
As the message descends, each successive OSI model layer adds a header to it.
A header is layer-specific information that basically explains what functions the layer carried out.
Conversely, at the receiving end, headers are stripped from the message as it travels up the corresponding layers.
- 24. NETWORK LAYER PROTOCOLS AND INTERNET PROTOCOL (IP)
Define the basic role of the Network Layer in data networks
- 25. NETWORK LAYER PROTOCOLS AND INTERNET PROTOCOL (IP)
Identify the basic characteristics and the role of the IPv4 protocol
- 26. NETWORK LAYER PROTOCOLS AND INTERNET PROTOCOL (IP)
Describe the implications for the use of the IP protocol as it is connectionless
- 27. NETWORK LAYER PROTOCOLS AND INTERNET PROTOCOL (IP)
Describe the implications for the use of the IP protocol as it is considered an unreliable protocol
- 28. NETWORK LAYER PROTOCOLS AND INTERNET PROTOCOL (IP)
Describe the implications for the use of the IP as it is media independent
- 29. NETWORK LAYER PROTOCOLS AND INTERNET PROTOCOL (IP)
Describe the role of framing in the Transport Layer and explain that segments are encapsulated as packets
- 30. NETWORK LAYER PROTOCOLS AND INTERNET PROTOCOL (IP)
Identify the major header fields in the IPv4 protocol and describe each field's role in transporting packets
- 31. HUB
A frame sent by one node is always sent to every other node. Hubs are also called “repeaters” because they just “repeat” what they hear.
Receives a frame on one port and sends it out every other port, always.
Collision domain is not reduced
Traffic ends up in places where it’s not needed
- 32. HUB
Used to connect hosts to an Ethernet LAN and to connect multiple Ethernet LANs
Collisions are propagated
[Figure: two hosts, each with an IP / LLC / 802.3 MAC stack, connected through a chain of Ethernet hubs]
- 33. SWITCH
Learns the location of each node by looking at the
source address of each incoming frame, and
builds a forwarding table
Forwards each incoming frame to the port where
the destination node is
Reduces the collision domain
Makes more efficient use of the wire
Nodes don’t waste time checking frames not destined
to them
- 34. SWITCH FUNCTIONS
Various types of Ethernet Connectivity, 10M to 10G
Provides access to end-user devices
Core functions:
Address Learning
Forwarding/Filtering
Loop Avoidance
Operates Using OSI Layer 2 Concepts by Default
- 36. BROADCAST AND COLLISION DOMAINS
Number of collision domains = number of switch ports
One Broadcast Domain
- 37. SWITCHES AND BROADCAST
A switch broadcasts some frames:
When the destination address is not found in the table
When the frame is destined to the broadcast address (FF:FF:FF:FF:FF:FF)
When the frame is destined to a multicast Ethernet address
So, switches do not reduce the broadcast domain!
- 38. SWITCHING SERVICES
Layer 2 switching provides
Hardware-based bridging (ASIC)
Wire speed
Low latency
Low cost
- 39. LAN SWITCH TYPES
LAN switch types decide how a frame is handled when it’s received
on a switch port.
Latency
Definition: The time it takes for a frame to be sent out an exit port once the
switch receives the frame
Depends on the chosen switching mode
There are three switching modes:
Cut-through (FastForward)
FragmentFree (modified cut-through)
Store-and-forward
- 40. CUT-THROUGH (REAL TIME)
The LAN switch copies only the destination address (the first six bytes following the preamble) into its onboard buffers.
It then looks up the hardware destination address in the MAC switching table, determines the outgoing interface, and proceeds to forward the frame toward its destination.
- 41. FRAGMENTFREE
The switch waits for the collision window (64 bytes) to pass before
forwarding.
This is because if a packet has an error, it almost always occurs within the first 64 bytes. (Note: Ethernet frames must be >= 64 and < 1518 bytes.)
It’s the default switching method for the 1900 switches.
- 42. STORE-AND-FORWARD
Cisco’s primary LAN switching method
In this mode, the LAN switch copies the entire frame onto its onboard
buffers and then computes the cyclic redundancy check (CRC).
Because it copies the entire frame, latency through the switch varies
with frame length.
The frame is discarded if:
It contains a CRC error
It’s too short (less than 64 bytes including the CRC)
It’s too long (more than 1518 bytes including CRC)
- 43. LAN SWITCH TYPES
Cut-through (Fast Forward)
FragmentFree (modified cut-through)
Store-and-forward
- 44. LAYER 2 SWITCHING LIMITATION
Must break up the collision domains correctly.
Make sure that users spend 80 percent of their time on the local
segment.
Switches do not break up broadcast domains by default.
- 45. BRIDGES/LAN SWITCHES
A bridge or LAN switch is a device that interconnects two or more Local Area Networks (LANs) and forwards packets between these networks.
Bridges/LAN switches operate at the Data Link Layer (Layer 2).
[Figure: a bridge joining an Ethernet (802.3 MAC) LAN and a Token Ring (802.5 MAC) LAN; each host runs an IP / LLC / MAC stack, the bridge relays between the two MAC layers]
- 46. BRIDGING VS. LAN SWITCHING
Bridges are software based, while switches are hardware based because they use an ASIC chip to help make filtering decisions.
A switch can be viewed as a multiport bridge.
Bridges can only have one spanning-tree instance per bridge, while switches can have many.
Switches have a higher number of ports than most bridges.
Both bridges and switches forward layer 2 broadcasts.
Bridges and switches learn MAC addresses by examining the source address of each frame received.
Both bridges and switches make forwarding decisions based on layer 2 addresses.
- 47. LAYER 2 SWITCHING
Switch ports - types
IOS Switch options
Dynamic Trunking Protocol (DTP)
IEEE 802.1Q
- 48. SWITCH PORTS
Layer 2-only interfaces associated with a physical port on the switch
Belong to one or more VLANs.
Can be access ports or trunk ports
Dynamic Trunking Protocol (DTP) can negotiate with the port on the
other end of the link
Used for managing the physical interface and associated Layer 2
protocols
Configure switch ports by using the switchport interface configuration
commands.
- 49. ACCESS PORTS
Belong to and carry the traffic of only one VLAN (unless it is
configured as a voice VLAN port)
Traffic is received and sent in native formats on the channel between
host and port with no VLAN tagging
Traffic arriving on an access port is assumed to belong to the VLAN
assigned to the port
If an access port receives a tagged packet (IEEE 802.1Q tagged), the
packet is dropped, and the source address is not learned
- 50. TRUNK PORTS
A trunk is a point-to-point link between one or more Ethernet switch
interfaces and another networking device such as a router or a switch
Ethernet trunks carry the traffic of multiple VLANs over a single link
e.g. between switch and router.
Can extend VLANs across an entire network
Example: The Cisco Catalyst 2960 switch supports IEEE 802.1Q
encapsulation
- 51. STATIC AND DYNAMIC ACCESS PORTS
Static access ports are manually assigned to a VLAN
VLAN membership of dynamic access ports is learned through
incoming packets
By default all ports are members of VLAN 1
Forwarding to and from the port is enabled only when the VLAN membership of the port is discovered
Dynamic access ports are assigned to a VLAN by a VLAN Membership Policy Server (VMPS)
- 52. DYNAMIC TRUNKING PROTOCOL
DTP is a Cisco-only protocol - proprietary
Allows trunk to be dynamically established between 2 switches
Not all switches support DTP
Set one end of the trunk using:
switchport mode trunk
Set the opposite end using:
switchport mode dynamic auto|desirable
- 53. AUTO OR DESIRABLE?
Desirable makes the interface actively attempt to convert the link to a
trunk link
Interface becomes a trunk interface if the neighbouring interface is set
to trunk, desirable, or auto mode
This is the default mode for all Ethernet interfaces. If the neighbouring
interface is set to the access or non-negotiate mode, the link will
become a non-trunking link
- 54. AUTO
Auto makes the interface willing to convert the link to a trunk link if
the neighbouring interface is set to trunk or desirable mode.
Otherwise, the link will become a non-trunking link.
- 55. 802.1Q
The IEEE standard that defines how Ethernet frames should be tagged
when moving across switch trunks
This means that switches from different vendors are able to exchange
VLAN traffic.
- 56. TAGGED VS. UNTAGGED
Edge ports are not tagged, they are just “members” of a VLAN
You only need to tag frames in switch-to-switch links (trunks), when
transporting multiple VLANs
A trunk can transport both tagged and untagged VLANs
As long as the two switches agree on how to handle those
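An added example, not part of the Cyberoam deck, that implements in Python the port rules of the access-port, trunk-port and tagged/untagged slides together with the store-and-forward checks of slide 42: 802.1Q tag insertion and removal, the drop of tagged frames arriving on an access port, native-VLAN handling on a trunk, and the runt/giant/CRC checks. All MAC addresses, VLAN numbers and payloads are constructed for the demonstration.

```python
import struct
import zlib

TPID_8021Q = 0x8100
MIN_FRAME, MAX_FRAME = 64, 1518     # bytes including the FCS, as on the store-and-forward slide


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Ethernet II frame without FCS. When vlan is given, a 4-byte 802.1Q tag
    (TPID 0x8100 + TCI) is inserted between the source MAC and the EtherType."""
    frame = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        tci = (pcp << 13) | vlan          # 3-bit PCP, DEI = 0, 12-bit VID
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, vlan (None when untagged), ethertype and payload."""
    etype = struct.unpack("!H", frame[12:14])[0]
    vlan, off = None, 14
    if etype == TPID_8021Q:
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    return {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]),
            "vlan": vlan, "ethertype": etype, "payload": frame[off:]}


def strip_tag(frame):
    """Remove the 4-byte 802.1Q tag (caller has checked the frame is tagged)."""
    return frame[:12] + frame[16:]


def with_fcs(frame):
    """Pad to the 60-byte minimum and append the CRC-32 FCS (little-endian on the wire)."""
    frame = frame.ljust(60, b"\x00")
    return frame + struct.pack("<I", zlib.crc32(frame))


def store_and_forward_check(frame):
    """The checks a store-and-forward switch makes once it holds the whole frame."""
    if len(frame) < MIN_FRAME:
        return "runt"
    if len(frame) > MAX_FRAME:
        return "giant"
    if struct.unpack("<I", frame[-4:])[0] != zlib.crc32(frame[:-4]):
        return "crc-error"
    return "ok"


class SwitchPort:
    """Access port: one VLAN, never tags, drops tagged ingress.
    Trunk port: carries several VLANs; the native VLAN travels untagged."""

    def __init__(self, mode, vlan=1, native=1, allowed=None):
        self.mode, self.vlan, self.native = mode, vlan, native
        self.allowed = set(allowed) if allowed else None   # None = all VLANs allowed

    def ingress(self, frame):
        """Return (vlan, untagged frame) for the switch fabric, or None if dropped."""
        tagged = parse_frame(frame)["vlan"]
        if self.mode == "access":
            return None if tagged is not None else (self.vlan, frame)
        if tagged is None:
            return (self.native, frame)
        if self.allowed is not None and tagged not in self.allowed:
            return None
        return (tagged, strip_tag(frame))

    def egress(self, vlan, frame):
        """Return the frame as it leaves this port, or None if the VLAN is not carried."""
        if self.mode == "access":
            return frame if vlan == self.vlan else None
        if self.allowed is not None and vlan not in self.allowed:
            return None
        if vlan == self.native:
            return frame
        f = parse_frame(frame)
        return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"], vlan=vlan)
```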
- 57. IOS SWITCH OPTIONS
Open Packet Tracer, configure terminal
Access the interfaces of the switch
Switch(config-if)#?
cdp Global CDP configuration subcommands
description Interface specific description
duplex Configure duplex operation
mac-address Manually set interface MAC address
shutdown Shutdown the selected interface
speed Configure speed operation
switchport Set switching mode characteristics
- 59. VIRTUAL LANS (VLANS)
VLAN Concepts
VLAN Configuration and Verification
Trunking with ISL & 802.1Q
VLAN Trunking Protocol (VTP)
VTP Configuration & Verification
- 60. VIRTUAL LANS (VLANS)
Definition: A logical grouping of network users and resources
connected to administratively defined ports on a switch.
Smaller broadcast domains
Organized by:
• Location
• Function
• Department
• Application or protocol
- 62. FEATURES OF VLANS
Simplify network management
Provides a level of security over a flat network
Flexibility and Scalability
- 63. BROADCAST CONTROL
Broadcasts occur in every protocol
Bandwidth & Broadcasts
Flat network
VLANs & Broadcasts
- 65. FLEXIBILITY & SCALABILITY
Layer-2 switches only read frames
Can cause a switch to forward all broadcasts
VLANs
Essentially create broadcast domains
• Greatly reduces broadcast traffic
• Ability to add wanted users to a VLAN regardless of their physical location
• Additional VLANs can be created when network growth consumes more
bandwidth
- 67. PHYSICAL LANS CONNECTED TO A ROUTER
- 68. VLANS REMOVE THE PHYSICAL BOUNDARY
- 69. VLAN MEMBERSHIPS
Static VLANs
Typical method of creating VLANs
Most secure
• A switch port assigned to a VLAN always maintains that assignment until changed
Dynamic VLANs
Node assignment to a VLAN is automatic
• MAC addresses, protocols, network addresses, etc
VLAN Management Policy Server (VMPS)
• MAC address database for dynamic assignments
• MAC-address to VLAN mapping
- 70. IDENTIFYING VLANS
Access links
A link that is part of only one VLAN
Trunk links
Carries multiple VLANs
- 71. FRAME TAGGING
Definition: A means of keeping track of users & frames as they travel the switch
fabric & VLANs
User-defined ID assigned to each frame
VLAN ID is removed before exiting trunked links & access links
[Figure: edge ports in VLAN X and VLAN Y on two switches, joined by an 802.1Q trunk port carrying tagged frames]
This is called “VLAN Trunking”
- 72. VLAN ID METHODS
Inter-Switch Link (ISL)
Cisco proprietary
FastEthernet & Gigabit Ethernet only
IEEE 802.1Q
Must use if trunking between Cisco & non-Cisco switch
- 73. INTER-SWITCH LINK (ISL) PROTOCOL
Definition: A means of explicitly tagging VLAN information onto an
Ethernet frame
Allows VLANs to be multiplexed over a trunk line
Cisco proprietary
External tagging process
- 74. VLAN TRUNK PROTOCOL (VTP)
Purpose: to manage all configured VLANs across a switch internetwork
& maintain consistency
Allows an administrator to add, delete, & rename VLANs
- 75. VTP BENEFITS
Benefits
Consistent configuration
Permits trunking over mixed networks
Accurate tracking
Dynamic reporting
Plug-and-Play
A VTP server must be created to manage VLANs
- 77. VTP MODES OF OPERATION
Server
Default for all Catalyst switches
Minimum one server for a VTP domain
Client
Receives information + sends/receives updates
Cannot make any changes
Transparent
Does not participate in a VTP domain but forwards VTP advertisements
Can add/delete VLANs
Locally significant
- 78. ROUTER WITH INDIVIDUAL VLAN ASSOCIATIONS
- 80. CONFIGURING VLANS
Creating VLANs
Assigning Switch Ports to VLANs
Configuring Trunk Ports
Configuring Inter-VLAN routing
- 81. CONFIGURING VTP
Switches are configured to be VTP servers by default.
- 85. LAB
Assign VLAN membership according to the diagram below
Configure trunk link between switches
Configure VTP in Switches and verify status
Check connectivity
- 86. SPANNING TREE PROTOCOL
Switching Loops
Introduction to Spanning Tree Protocol
Electing Root Switch
Configuration and Verification of STP
- 87. SWITCHING LOOP
When there is more than one path between two switches
What are the potential problems?
[Figure: switches A, B and C connected in a triangle]
- 88. SWITCHING LOOP
If there is more than one path between two switches:
Forwarding tables become unstable
• Source MAC addresses are repeatedly seen coming from different ports
Switches will broadcast each other’s broadcasts
• All available bandwidth is utilized
• Switch processors cannot handle the load
- 89. SWITCHING LOOP
Node 1 sends a broadcast frame (e.g. an ARP request)
[Figure: Node 1 attached to switch A; switches A, B and C connected in a triangle]
- 90. SWITCHING LOOP
Switches A, B and C broadcast node 1’s frame out every port
[Figure: the same triangle, with the frame leaving every port of A, B and C]
- 91. SWITCHING LOOP
But they receive each other’s broadcasts, which they need to forward again out every port!
The broadcasts are amplified, creating a broadcast storm…
[Figure: the same triangle, with copies of the frame circulating between the switches]
- 92. SWITCHING LOOP
But you can take advantage of loops
Redundant paths improve resilience when
• A switch fails
• Wiring breaks
How to achieve redundancy without creating dangerous traffic loops?
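An added example, not from the Cyberoam deck: a Python model of the learning switch described on the switch slides (address learning, forwarding/filtering, flooding of unknown unicast, broadcast and multicast frames) run over the triangle of switches A, B and C from the switching-loop slides, so that the forwarding-table instability and the never-ending broadcast can be observed. Port names, MAC addresses and the topology are constructed for the simulation.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the I/G bit (LSB of the first octet) set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class LearningSwitch:
    """A transparent bridge: learns source MAC -> port, forwards known unicasts,
    floods unknown unicasts, broadcasts and multicasts out every other port."""

    def __init__(self, name, ports):
        self.name = name
        self.ports = list(ports)
        self.table = {}   # MAC address -> port it was last seen on
        self.moves = 0    # times a known MAC showed up on a different port (table flapping)

    def receive(self, in_port, src, dst):
        """Return the ports the frame is transmitted on (never the ingress port)."""
        # Address learning
        old = self.table.get(src)
        if old is not None and old != in_port:
            self.moves += 1
        self.table[src] = in_port
        # Forwarding / filtering
        if is_group_address(dst) or dst not in self.table:
            return [p for p in self.ports if p != in_port]
        out = self.table[dst]
        return [] if out == in_port else [out]   # same segment: filter, do not forward


class Fabric:
    """Switches joined by links; each link is ((switch, port), (switch, port)).
    Ports without a link are host (edge) ports and simply absorb the frame."""

    def __init__(self, switches, links):
        self.switches = {s.name: s for s in switches}
        self.peer = {}
        for (a, pa), (b, pb) in links:
            self.peer[(a, pa)] = (b, pb)
            self.peer[(b, pb)] = (a, pa)

    def run_broadcast(self, origin, in_port, src, rounds):
        """Inject one broadcast frame and return the number of frames transmitted
        in each round. Without STP a loop keeps the count above zero for ever."""
        in_flight = [(origin, in_port, src, BROADCAST)]
        transmitted = []
        for _ in range(rounds):
            next_round = []
            sent = 0
            for sw_name, port, s, d in in_flight:
                for out in self.switches[sw_name].receive(port, s, d):
                    sent += 1
                    peer = self.peer.get((sw_name, out))
                    if peer is not None:
                        next_round.append((peer[0], peer[1], s, d))
            transmitted.append(sent)
            in_flight = next_round
        return transmitted


def triangle_storm(rounds=6):
    """Constructed topology from the switching-loop slides: switches A, B, C in a
    triangle, each with one host port; Node 1 on switch A sends one broadcast."""
    a = LearningSwitch("A", ["h1", "toB", "toC"])
    b = LearningSwitch("B", ["h2", "toA", "toC"])
    c = LearningSwitch("C", ["h3", "toA", "toB"])
    fabric = Fabric([a, b, c], [(("A", "toB"), ("B", "toA")),
                                (("A", "toC"), ("C", "toA")),
                                (("B", "toC"), ("C", "toB"))])
    node1 = "00:11:22:33:44:01"        # constructed MAC address for Node 1
    counts = fabric.run_broadcast("A", "h1", node1, rounds)
    return counts, a.moves, a.table[node1]


if __name__ == "__main__":
    counts, moves, where = triangle_storm()
    print("frames transmitted per round:", counts)   # never drops to zero
    print("switch A saw Node 1 change ports", moves, "times; it now thinks Node 1 is on", where)
```

With two inter-switch ports per switch the single broadcast circulates for ever and every host port sees it again each round; with more redundant links each copy spawns further copies per round.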
- 93. SPANNING-TREE PROTOCOL (STP)
STP
Root Bridge
BPDU
Bridge ID
Nonroot Bridge
Root port
Designated port
Port cost
Nondesignated port
Forwarding port
Block port
- 94. SPANNING-TREE PROTOCOL (STP)
Spanning-Tree Operations
• Selecting the root bridge
• Selecting the designated port
- 95. SPANNING-TREE PROTOCOL (STP)
Spanning-Tree Port States
• Blocking
• Listening
• Forwarding
• Disabled
- 97. WHAT IS A SPANNING TREE
“Given a connected, undirected graph, a spanning tree of that graph is
a subgraph which is a tree and connects all the vertices together”.
A single graph can have many different spanning trees.
- 98. SPANNING TREE PROTOCOL
The purpose of the protocol is to have bridges dynamically discover a
subset of the topology that is loop-free (a tree) and yet has just
enough connectivity so that where physically possible, there is a path
between every switch.
- 99. SPANNING TREE PROTOCOL
Flavors of STP
Traditional Spanning Tree (802.1d)
Rapid Spanning Tree or RSTP (802.1w)
Multiple Spanning Tree or MSTP (802.1s)
- 100. SPANNING TREE PROTOCOL
Switches exchange messages that allow them to compute the Spanning Tree
These messages are called BPDUs (Bridge Protocol Data Units)
Two types of BPDUs:
• Configuration
• Topology Change Notification (TCN)
- 101. TRADITIONAL SPANNING TREE
Traditional Spanning Tree (802.1d)
First Step
Decide on a point of reference: the Root Bridge
The election process is based on the Bridge ID, which is composed of:
• The Bridge Priority: A two-byte value that is configurable
• The MAC address: A unique, hardcoded address that cannot be changed.
- 102. ROOT BRIDGE SELECTION (802.1D)
Each switch starts by sending out BPDUs with a Root Bridge ID equal to its own Bridge ID (“I am the root!”)
Received BPDUs are analyzed to see if a lower Root Bridge ID is being
announced
If so, each switch replaces the value of the advertised Root Bridge ID with this
new lower ID
Eventually, they all agree on who the Root Bridge is
- 103. ROOT BRIDGE SELECTION (802.1D)
All switches have the same priority.
Who is the elected root bridge?
[Figure: Switch A (32678.0000000000AA), Switch B (32678.0000000000BB) and Switch C (32678.0000000000CC)]
- 104. ROOT PORT SELECTION (802.1D)
Now each switch needs to figure out where it is in relation to the Root
Bridge
Each switch needs to determine its Root Port
The key is to find the port with the lowest Root Path Cost
The cumulative cost of all the links leading to the Root Bridge
- 105. ROOT PORT SELECTION (802.1D)
Each link on a switch has a Path Cost
Inversely proportional to the link speed
i.e. the faster the link, the lower the cost
Link Speed   STP Cost
10 Mbps      100
100 Mbps     19
1 Gbps       4
10 Gbps      2
- 106. ROOT PORT SELECTION (802.1D)
Root Path Cost is the accumulation of a link’s Path Cost and the Path
Costs learned from neighboring Switches.
It answers the question: How much does it cost to reach the Root Bridge
through this port?
- 107. ROOT PORT SELECTION (802.1D)
Root Bridge sends out BPDUs with a Root Path Cost value of 0
Neighbor receives BPDU and adds its port’s Path Cost to the Root Path Cost
received
Neighbor sends out BPDUs with the new cumulative value as Root Path
Cost
Other neighbors down the line keep adding in the same fashion
- 108. ROOT PORT SELECTION (802.1D)
On each switch, the port where the lowest Root Path Cost was
received becomes the Root Port
This is the port with the best path to the Root Bridge
- 109. ROOT PORT SELECTION (802.1D)
What is the Path Cost on each Port?
What is the Root Port on each switch?
[Figure: Switch A (32678.0000000000AA), Switch B (32678.0000000000BB) and Switch C (32678.0000000000CC) connected in a triangle; each switch uses ports 1 and 2 and every link has Cost=19]
- 111. ELECTING DESIGNATED PORTS
OK, we have now selected root ports, but we haven’t solved the loop
problem yet: the links are still active!
Each network segment needs to have only one switch forwarding
traffic to and from that segment
Switches then need to identify one Designated Port per link
The one with the lowest cumulative Root Path Cost to the Root Bridge
- 113. ELECTING DESIGNATED PORTS
Two or more ports in a segment having identical Root Path Costs is
possible, which results in a tie condition
All STP decisions are based on the following sequence of conditions
Lowest Root Bridge ID
Lowest Root Path Cost to Root Bridge
Lowest Sender Bridge ID
Lowest Sender Port ID
- 114. ROOT PORT SELECTION (802.1D)
[Figure: Switch A (32678.0000000000AA), Switch B (32678.0000000000BB) and Switch C (32678.0000000000CC) connected in a triangle, every link Cost=19, ports 1 and 2 on each switch, with three ports labelled Designated Port]
In the B-C link, Switch B has the
lowest Bridge ID, so port 2 in
Switch B is the Designated Port
- 115. BLOCKING A PORT
Any port that is not elected as either a Root Port or a Designated
Port is put into the Blocking State.
This step effectively breaks the loop and completes the Spanning Tree.
- 116. ROOT PORT SELECTION (802.1D)
[Figure: Switch A (32678.0000000000AA), Switch B (32678.0000000000BB) and Switch C (32678.0000000000CC) connected in a triangle, every link Cost=19, ports 1 and 2 on each switch]
Port 2 in Switch C is put into the Blocking State, because it is neither a
Root Port nor a Designated Port
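To make the election, Root Port, Designated Port and Blocking steps from the slides above concrete, here is a small Python simulation of the 802.1D decisions. It is an added example written for this page, not Cyberoam's or any switch vendor's implementation. It uses the slides' Bridge IDs (32678.0000000000AA/BB/CC), the slides' Path Cost table, and the tie-break sequence from slide 113 (lowest Root Bridge ID, lowest Root Path Cost, lowest Sender Bridge ID, lowest Sender Port ID). The port wiring A1-B1, A2-C1, B2-C2 is an assumption chosen to match the slides' statements that B port 2 is the Designated Port and C port 2 blocks; the helper `with_priority` is likewise assumed for illustrating the lab step that makes a chosen switch the root.

```python
import heapq
from dataclasses import dataclass

# 802.1D Path Cost per link speed, as given on the slides (Mbps -> cost).
PATH_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


@dataclass(frozen=True, order=True)
class BridgeId:
    """Bridge ID: 2-byte priority followed by the MAC; the lower value wins."""
    priority: int
    mac: str  # 12 upper-case hex digits, so string order equals numeric order

    def __str__(self) -> str:
        return f"{self.priority}.{self.mac}"


@dataclass(frozen=True)
class Link:
    a: str
    a_port: int
    b: str
    b_port: int
    speed_mbps: int

    def ends(self):
        return [(self.a, self.a_port), (self.b, self.b_port)]

    @property
    def cost(self) -> int:
        return PATH_COST[self.speed_mbps]


def elect_root(bridges: dict[str, BridgeId]) -> str:
    """Step 1: every switch claims to be root; the lowest Bridge ID wins."""
    return min(bridges, key=bridges.get)


def root_path_costs(root: str, bridges: dict[str, BridgeId], links: list[Link]) -> dict[str, int]:
    """Step 2: cumulative Path Cost from every switch to the root. The root advertises 0
    and each neighbour adds its receiving port's Path Cost before re-advertising."""
    adj = {name: [] for name in bridges}
    for link in links:
        adj[link.a].append((link.b, link.cost))
        adj[link.b].append((link.a, link.cost))
    dist = {name: float("inf") for name in bridges}
    dist[root] = 0
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, c in adj[u]:
            if d + c < dist[v]:
                dist[v] = d + c
                heapq.heappush(heap, (dist[v], v))
    return dist


def port_roles(bridges: dict[str, BridgeId], links: list[Link]):
    """Steps 3-5: Root Port per switch, Designated Port per segment, block the rest.
    Ties use the slides' order: Root Path Cost, then Sender Bridge ID, then Sender Port ID."""
    root = elect_root(bridges)
    dist = root_path_costs(root, bridges, links)
    roles: dict[tuple[str, int], str] = {}

    # Designated Port: the end of each segment advertising the best (cost, bridge id, port id).
    for link in links:
        best = min(link.ends(), key=lambda e: (dist[e[0]], bridges[e[0]], e[1]))
        roles[best] = "designated"

    # Root Port: on each non-root switch, the port that received the best BPDU, i.e. the
    # neighbour's Root Path Cost plus this link's cost, then sender bridge id, then sender port id.
    for name in bridges:
        if name == root:
            continue
        candidates = []
        for link in links:
            e0, e1 = link.ends()
            for (me, my_port), (nb, nb_port) in ((e0, e1), (e1, e0)):
                if me == name:
                    candidates.append(((dist[nb] + link.cost, bridges[nb], nb_port), (me, my_port)))
        _, root_port = min(candidates, key=lambda c: c[0])
        roles[root_port] = "root"

    # Anything that is neither Root Port nor Designated Port goes to Blocking.
    for link in links:
        for end in link.ends():
            roles.setdefault(end, "blocking")
    return root, dist, roles


# Constructed topology from the slides: three switches, all priority 32678, every link 100 Mbps (cost 19).
# The port wiring A1-B1, A2-C1, B2-C2 is an assumption consistent with the slides' B port 2 / C port 2 text.
SLIDE_BRIDGES = {
    "A": BridgeId(32678, "0000000000AA"),
    "B": BridgeId(32678, "0000000000BB"),
    "C": BridgeId(32678, "0000000000CC"),
}
SLIDE_LINKS = [Link("A", 1, "B", 1, 100), Link("A", 2, "C", 1, 100), Link("B", 2, "C", 2, 100)]


def with_priority(bridges: dict[str, BridgeId], name: str, priority: int) -> dict[str, BridgeId]:
    """Assumed helper: copy of the bridge table with one switch given a configured priority."""
    new = dict(bridges)
    new[name] = BridgeId(priority, bridges[name].mac)
    return new


if __name__ == "__main__":
    root, dist, roles = port_roles(SLIDE_BRIDGES, SLIDE_LINKS)
    print(f"Root Bridge: Switch {root} ({SLIDE_BRIDGES[root]})")
    for (sw, port), role in sorted(roles.items()):
        print(f"Switch {sw} port {port}: {role:10s} (Root Path Cost {dist[sw]})")
    print("With Switch C at priority 4096 the root is Switch", elect_root(with_priority(SLIDE_BRIDGES, "C", 4096)))
```

Running it reproduces the slides: A is root, B and C each have Root Path Cost 19 through port 1, the B-C segment is won by B port 2 on the Sender Bridge ID tie-break, and C port 2 blocks. Re-running with a lower priority on one switch shows that priority is compared before the MAC address, so any device that advertises a lower priority than the intended root takes the role; this is why the lab sets the root bridge explicitly per VLAN rather than leaving it to the MAC address order.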
- 117. SPANNING TREE PROTOCOL STATES
Disabled
Port is shut down
Blocking
Not forwarding frames
Receiving BPDUs
Listening
Not forwarding frames
Sending and receiving BPDUs
- 118. SPANNING TREE PROTOCOL STATES
Learning
Not forwarding frames
Sending and receiving BPDUs
Learning new MAC addresses
Forwarding
Forwarding frames
Sending and receiving BPDUs
Learning new MAC addresses
- 119. LAB
Identify the root bridge in the scenario below for VLANs 10 and 20 and verify
port status
Configure Switch 1 as the root bridge for VLAN 10 and Switch 2 for VLAN
20
Enable PortFast on edge ports
- 120. LAYER 3 SWITCHING
Introduction to Layer 3 Switching
VLAN Interface
Inter-VLAN routing using Layer 3 Switch
Inter-VLAN routing using Router
Configuring and Verifying Ether Channel
- 121. LAYER 3 SWITCHING
Packet forwarding is handled by specialized hardware ASICs.
Goal is to capture the speed of switching and the scalability of routing.
Layer 3 switch acts on a packet as a router would:
Determining the forwarding path based on Layer 3 information
Validating the integrity of the Layer 3 header via checksum
Verifying packet expiration and updating the header accordingly
Processing and responding to any option information
Updating forwarding statistics in the Management Information Base (MIB)
Applying security controls if required
Implementing quality of service (QoS)
- 122. MULTILAYER SWITCHING
Combines Layer 2 switching and Layer 3 routing functionality
Moves campus traffic at wire speed and at the same time satisfies Layer 3 routing
requirements
Accelerates routing performance through the use of dedicated ASICs.
MLS can operate at Layer 3 or 4.
• When operating as a Layer 3 switch, the switch caches flows based on IP
addresses.
• When operating as a Layer 4 switch, the switch caches conversations based on
source address, destination address, source port, and destination port
- 123. VLAN INTERFACE
VLAN interfaces in L3 switch
Switch#conf t
Switch(config)#interface vlan 10
Switch(config-if)#ip address x.x.x.x m.m.m.m
- 124. INTER-VLAN ROUTING USING L3 SWITCH
On a Layer 3 switch, inter-VLAN routing is enabled with the command
below:
Switch(config)#ip routing
- 125. INTER-VLAN ROUTING USING ROUTER
Inter-VLAN routing using a router is known as “Router on a Stick”:
Router(config)#interface FastEthernet0/0
Router(config-if)#no ip address
Router(config-if)#no shutdown
Router(config)#interface FastEthernet0/0.1
Router(config-subif)# encapsulation dot1Q VLAN-id
Router(config-subif)# ip address x.x.x.x m.m.m.m
- 126. LINK AGGREGATION
Also known as port bundling, link bundling
You can use multiple links in parallel as a single, logical link
For increased capacity
For redundancy (fault tolerance)
LACP (Link Aggregation Control Protocol) is a standardized method of
negotiating these bundled links between switches
- 127. LACP OPERATION
Two switches connected via multiple links will send LACPDU packets,
identifying themselves and the port capabilities
They will then automatically build the logical aggregated links, and
then pass traffic
Switch ports can be configured as active or passive
- 128. LACP OPERATION
Switches A and B are connected to each other using two sets of Fast
Ethernet ports
LACP is enabled and the ports are turned on
Switches start sending LACPDUs, then negotiate how to set up the
aggregation
[Figure: Switch A and Switch B joined by two 100 Mbps links, exchanging LACPDUs]
- 129. LACP OPERATION
The result is an aggregated 200 Mbps logical link.
The link is also fault tolerant: if one of the member links fails, LACP will
automatically take that link out of the bundle and keep sending traffic
over the remaining link.
[Figure: Switch A and Switch B joined by two 100 Mbps links forming one 200 Mbps logical link]
- 130. DISTRIBUTING TRAFFIC
Bundled links distribute frames using a hashing algorithm, based on
Source and/or Destination MAC address
Source and/or Destination IP address
Source and/or Destination Port numbers
This can lead to unbalanced use of the links, depending on the nature
of the traffic
Always choose the load-balancing method that spreads the traffic most
evenly across the member links
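The imbalance described above is easy to see with a small simulation, added here as an example that is not the slides' or any vendor's hashing implementation. It assumes a simplified hash (XOR-folding the bytes of the chosen header fields, then taking the result modulo the number of member links) and a constructed traffic pattern of six clients all talking to one server across a two-link bundle; the method names in `HASH_INPUT`, the client MACs and the server address 192.0.2.10 are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Flow:
    """One conversation crossing the bundle (constructed sample data, not captured traffic)."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


# Header fields each load-balancing method feeds into the hash (the options listed on the slide).
HASH_INPUT = {
    "src-mac": lambda f: _mac_bytes(f.src_mac),
    "dst-mac": lambda f: _mac_bytes(f.dst_mac),
    "src-dst-mac": lambda f: _mac_bytes(f.src_mac) + _mac_bytes(f.dst_mac),
    "src-dst-ip": lambda f: ip_address(f.src_ip).packed + ip_address(f.dst_ip).packed,
    "src-dst-port": lambda f: f.src_port.to_bytes(2, "big") + f.dst_port.to_bytes(2, "big"),
}


def select_link(flow: Flow, method: str, n_links: int) -> int:
    """Assumed hash: XOR-fold the selected bytes, then modulo the member-link count."""
    folded = 0
    for byte in HASH_INPUT[method](flow):
        folded ^= byte
    return folded % n_links


def distribute(flows, method: str, n_links: int) -> dict[int, int]:
    """Count how many flows each member link receives under a given method."""
    counts = {i: 0 for i in range(n_links)}
    for flow in flows:
        counts[select_link(flow, method, n_links)] += 1
    return counts


def imbalance(counts: dict[int, int]) -> int:
    """Difference between the busiest and the idlest link; 0 means perfectly even."""
    return max(counts.values()) - min(counts.values())


# Constructed sample: six clients (10.0.1.1-6) all talking HTTPS to one server (192.0.2.10).
SERVER_MAC, SERVER_IP = "02:00:5E:00:53:10", "192.0.2.10"
SAMPLE_FLOWS = [
    Flow(f"02:00:00:00:00:{k:02X}", SERVER_MAC, f"10.0.1.{k}", SERVER_IP, 49152 + k, 443)
    for k in range(1, 7)
]

if __name__ == "__main__":
    for method in HASH_INPUT:
        counts = distribute(SAMPLE_FLOWS, method, 2)
        print(f"{method:13s} -> {counts}  imbalance={imbalance(counts)}")
```

With every client talking to the same server, hashing on the destination MAC alone puts all six flows on one member link and leaves the other idle, while methods that include a field that differs per client (source MAC, IP pair or port pair) spread them evenly. The same reasoning applies in reverse for traffic that is many-servers-to-one-client, which is why the method has to be chosen from the actual traffic mix rather than from a default.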
- 132. TROUBLESHOOTING LAN SWITCHING
Overview of Normal LAN Switch Forwarding Process
Common Layer 1 Problems
Isolate Interface Problems
Interface Status and Reason for Nonworking Status
Isolate VLAN and Trunking Problems
Interface Speed and Duplex Issues
Analyzing Layer 2 Forwarding Path
- 133. 802.3 LAN DEVELOPMENT: TODAY’S LANS
- 134. DEVICES FUNCTION AT LAYERS
- 135. FACTORS THAT IMPACT NETWORK PERFORMANCE
Network traffic (congestion).
Multitasking desktop operating systems (Windows, UNIX, and Mac)
allow simultaneous network transactions.
Faster desktop operating systems (Windows, UNIX, and Mac) can
initiate faster network activity.
Increased number of client/server applications using shared network
data.
- 136. TYPICAL CAUSES OF NETWORK CONGESTION
- 137. ETHERNET 802.3
Performance of shared-medium Ethernet/802.3 LANs is negatively
affected by factors such as the following:
The broadcast delivery nature of Ethernet.
The carrier sense multiple access collision detect (CSMA/CD) access method allows
only one host to transmit at a time.
Multimedia applications with higher bandwidth demand, such as video and the
Internet.
The latency of additional devices added by the extension of LANs by using
repeaters.
The distance added by using Layer 1 repeaters.
- 140. NETWORK LATENCY
Latency, or delay, is the time a frame or a packet takes to travel from the
source station to the final destination.
- 141. ETHERNET 10BASE-T TRANSMISSION TIMES
Bit time (or slot time) — The basic unit of time in which 1 bit can be sent. For
electronic or optical devices to recognize a binary 1 or 0, there is a minimum
duration during which the bit is "on" or "off".
Transmission time — Equals the number of bits being sent times the bit time for a
given technology. Another way to think about transmission time is as the time it
takes a frame to actually be transmitted. (Small frames take a shorter amount of
time, large frames take a longer amount of time to be transmitted.)
- 143. LAN SEGMENTATION
Segmentation allows network congestion to be significantly reduced
within each segment.
- 144. LAN SEGMENTATION WITH ROUTERS
- 145. LAN SEGMENTATION WITH SWITCHES
- 150. MEMORY BUFFERING
Port-based memory buffering
Packets are stored in queues that are linked to specific incoming ports.
It is possible for a single packet to block all other packets because its
destination port is busy (even if the other packets could be delivered).
Shared-memory buffering
All packets use a common memory buffer.
Packets in the buffer are then linked (mapped) dynamically to the appropriate
destination port.
Helps balance between 10- and 100-Mbps ports.
- 151. HOW SWITCHES AND BRIDGES FILTER FRAMES
Bridges and switches only forward frames that need to travel
from one LAN segment to another.
To accomplish this task, they must learn which devices are
connected to which LAN segment.
Bridges are capable of filtering frames based on any Layer 2 field.
- 152. SWITCHES AND COLLISION DOMAINS
The network area where frames originate and collide is called the
collision domain. All shared media environments are collision domains.
- 153. THREE METHODS OF COMMUNICATION
- 154. NETWORK TROUBLESHOOTING
Approach might vary slightly depending upon the scenario:
Lab
New implementation
Existing network
• Change made
• No changes made
Use all possible resources:
Support contracts
Web sites and newsgroups
Books
Friends and other people
Management
- 156. LAYER 1 PROBLEMS
Layer 1 errors can include:
• Broken cables
• Disconnected cables
• Cables connected to the wrong ports
• Intermittent cable connection
• Wrong cables used for the task at hand (must use rollovers, crossover cables, and
straight-through cables correctly)
• Transceiver problems
• DCE cable problems
• DTE cable problems
• Devices turned off
- 157. LAYER 2 PROBLEMS
Layer 2 errors can include:
• Improperly configured serial interfaces
• Improperly configured Ethernet interfaces
• Improper encapsulation set (HDLC is default for serial interfaces)
• Improper clock rate settings on serial interfaces
• Network interface card (NIC) problems
- 158. LAYER 3 PROBLEMS
Layer 3 errors can include:
• Routing protocol not enabled
• Wrong routing protocol enabled
• Incorrect IP addresses
• Incorrect subnet masks
- 159. VARIOUS COMMANDS
These commands show various levels of connectivity or lack of
connectivity:
Ping
Traceroute
Telnet
Show interfaces
Show cdp neighbors
Show ip protocols
Debug
Show running-config
- 160. Module 2
R O U T I N G
- 161. OBJECTIVES
Fundamentals of WAN
IP Routing Basics
Routing Protocols and Configurations
Routing Protocols Troubleshooting
Routing Protocols Redistribution
- 162. FUNDAMENTALS OF WAN
Introduction to WAN
WAN Connection Types
WAN Encapsulation Protocols
Synchronous Serial Links
PPP Features
WAN Cabling Standards
DSL/ADSL/SDSL
NAT/PAT
TCP/IP Applications and Flow Control
TCPDUMP and Wireshark Outputs
- 163. DIFFERENCE BETWEEN LAN AND WAN
In general, a LAN is internally owned in a business whereas a WAN is
leased infrastructure.
The key to understanding WAN technologies is to be familiar with the
different WAN terms and connection types often used by service
providers.
- 164. WAN TECHNOLOGY/TERMINOLOGY
Devices on the subscriber premises are called customer premises equipment
(CPE).
The subscriber owns the CPE or leases the CPE from the service provider.
A copper or fiber cable connects the CPE to the service provider’s nearest
exchange or central office (CO).
This cabling is often called the local loop, or "last-mile".
- 165. WAN TECHNOLOGY/TERMINOLOGY
A dialed call is connected locally to other local loops, or non-locally through a
trunk to a primary center.
It then goes to a sectional center and on to a regional or international carrier
center as the call travels to its destination.
- 166. WAN TECHNOLOGY/TERMINOLOGY
Devices that put data on the local loop are called data circuit-terminating
equipment, or data communications equipment (DCE).
The customer devices that pass the data to the DCE are called data terminal
equipment (DTE).
The DCE primarily provides an interface for the DTE into the communication link
on the WAN cloud.
- 167. WAN TECHNOLOGY/TERMINOLOGY
The DTE/DCE interface uses various physical layer protocols, such as High-Speed
Serial Interface (HSSI) and V.35.
These protocols establish the codes and electrical parameters the devices use to
communicate with each other.
- 168. WAN TECHNOLOGY/TERMINOLOGY
The bps values are generally full duplex.
- 169. WAN TECHNOLOGY/TERMINOLOGY
Name   Abbr.  Size
Kilo   K      2^10 = 1,024
Mega   M      2^20 = 1,048,576
Giga   G      2^30 = 1,073,741,824
Tera   T      2^40 = 1,099,511,627,776
Peta   P      2^50 = 1,125,899,906,842,624
Exa    E      2^60 = 1,152,921,504,606,846,976
Zetta  Z      2^70 = 1,180,591,620,717,411,303,424
Yotta  Y      2^80 = 1,208,925,819,614,629,174,706,176
- 170. WAN DEVICES
[Figure: WAN devices, including a Frame Relay, ATM, X.25 switch]
- 171. EXTERNAL CSU/DSU
For digital lines, a channel service unit (CSU) and a data service unit (DSU) are
required.
The two are often combined into a single piece of equipment, called the CSU/DSU.
[Figure: external CSU/DSU, one side connected to the router and the other to the T1 circuit]
- 172. CSU/DSU INTERFACE CARD
The CSU/DSU may also be built into the interface card in the router.
- 173. MODEMS
Modems transmit data over voice-grade telephone lines by modulating and demodulating
the signal.
The digital signals are superimposed on an analog voice signal that is modulated for
transmission.
The modulated signal can be heard as a series of whistles by turning on the internal
modem speaker.
At the receiving end the analog signals are returned to their digital form, or demodulated.
- 174. WAN STANDARDS ORGANIZATIONS
WAN standards typically describe both physical layer delivery methods and data
link layer requirements, including physical addressing, flow control, and
encapsulation.
WAN standards are defined and managed by a number of recognized authorities.
- 175. PHYSICAL LAYER STANDARDS
The physical layer protocols describe how to provide electrical, mechanical,
operational, and functional connections to the services provided by a
communications service provider.
- 176. WAN - DATA LINK ENCAPSULATION
The data link layer protocols define how data is encapsulated for transmission to
remote sites, and the mechanisms for transferring the resulting frames.
A variety of different technologies are used, such as ISDN, Frame Relay or
Asynchronous Transfer Mode (ATM).
These protocols use the same basic framing mechanism, high-level data link
control (HDLC), an ISO standard, or one of its sub-sets or variants.
- 177. HDLC FRAMING
The choice of encapsulation protocols depends on the WAN technology and the
equipment.
The address field is not needed for WAN links, which are almost always
point-to-point. The address field is still present and may be one or two bytes long.
Several data link protocols are used, including sub-sets and proprietary versions of
HDLC.
Both PPP and the Cisco version of HDLC have an extra field in the header to
identify the network layer protocol of the encapsulated data.
- 179. CIRCUIT SWITCHED
When a subscriber makes a telephone call (or ISDN), the dialed number is used to
set switches in the exchanges along the route of the call so that there is a
continuous circuit from the originating caller to the called party.
The internal path taken by the circuit between exchanges is shared by a number
of conversations.
Time division multiplexing (TDM) is used to give each conversation a share of the
connection in turn.
TDM assures that a fixed capacity connection is made available to the subscriber.
Examples: POTS, ISDN
- 180. PACKET SWITCHING
An alternative is to allocate the capacity to the traffic only when it is needed, and share
the available capacity between many users.
With a circuit-switched connection, the data bits put on the circuit are automatically
delivered to the far end because the circuit is already established.
If the circuit is to be shared, there must be some mechanism to label the bits so that the
system knows where to deliver them.
It is difficult to label individual bits, so they are gathered into groups called cells,
frames, or packets.
The packet passes from exchange to exchange for delivery through the provider network.
Networks that implement this system are called packet-switched networks.
Examples: Frame Relay, X.25, ATM
- 181. USING LEASED LINES TO THE WAN CLOUD
To connect to a packet-switched network, a subscriber needs a local loop to the nearest
location where the provider makes the service available.
This is called the point-of-presence (POP) of the service.
Normally this will be a dedicated leased line.
This line will be much shorter than a leased line directly connected to the subscriber
locations, and often carries several VCs.
Since it is likely that not all the VCs will require maximum demand simultaneously, the
capacity of the leased line can be smaller than the sum of the individual VCs.
- 182. ANALOG DIALUP
When intermittent, low-volume data transfers are needed, modems and analog
dialed telephone lines provide low capacity and dedicated switched connections.
- 183. ISDN
Integrated Services Digital Network (ISDN) turns the local loop into a TDM digital
connection. Usually requires a new circuit.
The connection uses 64 kbps bearer channels (B) for carrying voice or data and a
signaling, delta channel (D) for call set-up and other purposes.
- 184. TIME DIVISION MULTIPLEXING (TDM)
Two or more “channels” of information are transmitted over the same link by
allocating a different time interval for the transmission of each channel, i.e. the
channels take turns to use the link.
Some kind of periodic synchronizing signal or distinguishing identifier is required
so that the receiver can tell which channel is which.
TDM becomes inefficient when traffic is intermittent because the time slot is still
allocated even when the channel has no data to transmit.
- 185. LEASED LINES
A point-to-point link provides a pre-established WAN communications path from
the customer premises through the provider network to a remote destination.
Point-to-point lines are usually leased from a carrier and are called leased lines.
Leased lines are available in different capacities.
Leased lines provide direct point-to-point connections between enterprise LANs
and connect individual branches to a packet-switched network.
- 186. X.25
The first of these packet-switched networks was standardized as the X.25 group of
protocols.
X.25 provides a low bit rate shared variable capacity that may be either switched or
permanent.
X.25 is a network-layer protocol and subscribers are provided with a network address.
Virtual circuits can be established through the network with call request packets to the
target address.
The resulting SVC is identified by a channel number. X.25 technology is no longer widely
available as a WAN technology in the US.
Frame Relay has replaced X.25 at many service provider locations.
- 187. FRAME RELAY
Frame Relay differs from X.25 in several aspects.
Most importantly, it is a much simpler protocol that works at the data link layer rather than the
network layer.
Frame Relay implements no error or flow control.
The simplified handling of frames leads to reduced latency, and measures taken to avoid frame
build-up at intermediate switches help reduce jitter.
Most Frame Relay connections are PVCs rather than SVCs.
Frame Relay provides permanent shared medium bandwidth connectivity that carries both voice
and data traffic.
- 188. ATM
Communications providers saw a need for a permanent shared network technology that
offered very low latency and jitter at much higher bandwidths.
Their solution was Asynchronous Transfer Mode (ATM). ATM has data rates beyond 155
Mbps.
As with the other shared technologies, such as X.25 and Frame Relay, diagrams for ATM
WANs look the same.
- 189. ATM
ATM is a technology that is capable of transferring voice, video, and data through private
and public networks.
It is built on a cell-based architecture rather than on a frame-based architecture.
ATM cells are always a fixed length of 53 bytes.
The 53 byte ATM cell contains a 5 byte ATM header followed by 48 bytes of ATM payload.
Small, fixed-length cells are well suited for carrying voice and video traffic because this
traffic is intolerant of delay.
Video and voice traffic do not have to wait for a larger data packet to be transmitted.
The 53 byte ATM cell is less efficient than the bigger frames and packets of Frame Relay
and X.25.
Furthermore, the ATM cell has at least 5 bytes of overhead for each 48-byte payload.
A typical ATM line needs almost 20% greater bandwidth than Frame Relay to carry the
same volume of network layer data.
- 190. DSL/ADSL/SDSL
Digital Subscriber Line (DSL) technology is a broadband technology that uses existing twisted-pair
telephone lines to transport high-bandwidth data to service subscribers.
The term xDSL covers a number of similar yet competing forms of DSL technologies.
DSL technology allows the local loop line to be used for normal telephone voice connection and an
always-on connection for instant network connectivity. The two basic types of DSL technologies
are asymmetric (ADSL) and symmetric (SDSL).
All forms of DSL service are categorized as ADSL or SDSL and there are several varieties of each
type.
Asymmetric service provides higher download or downstream bandwidth to the user than upload
bandwidth.
Symmetric service provides the same capacity in both directions.
- 191. DSLAM
Multiple DSL subscriber lines are multiplexed into a single, high capacity link by
the use of a DSL Access Multiplexer (DSLAM) at the provider location.
DSLAMs incorporate TDM technology to aggregate many subscriber lines into a
single, less cumbersome medium, generally a T3/DS3 connection. DSL techniques
achieve data rates up to 8.192 Mbps.
- 192. CABLE MODEM
Coaxial cable is widely used to distribute television signals.
This allows for greater bandwidth than the conventional telephone local loop.
Enhanced cable modems enable two-way, high-speed data transmissions using
the same coaxial lines that transmit cable television.
Some cable service providers are promising data speeds up to 6.5 times that of T1
leased lines.
- 193. CABLE MODEM
Cable modems provide an always-on connection and a simple installation.
A cable modem is capable of delivering up to 30 to 40 Mbps of data on one 6 MHz
cable channel.
With a cable modem, a subscriber can continue to receive cable television service
while simultaneously receiving data to a personal computer.
This is accomplished with the help of a simple one-to-two splitter.
- 194. WAN TOPOLOGIES
Star or Hub-and-Spoke
Full-Mesh
Partial-Mesh
- 195. THE DATA LINK LAYER IN THE INTERNET
A home personal computer acting as an Internet host.
A technology like Ethernet cannot provide “high-level” functionality such as connection
management and parameter negotiation.
- 196. PPP DESIGN REQUIREMENTS [RFC 1557]
Functionality
Packet framing - encapsulation of a network-layer datagram in a data link frame
Multi-protocol - carry network layer data of any network layer protocol (not just IP)
at the same time; ability to demultiplex upwards
Bit transparency - must carry any bit pattern in the data field (even if the
underlying channel can't)
Error detection - not correction
Connection liveness: detect and signal link failure to the network layer
Authentication: who are you (or at least whose account do I bill for your dial-in
time?)
• This information is used by traffic management software to control bandwidth to
individual subscribers
Management features: loopback detection
- 197. PPP DATA FRAME
Flag: delimiter (framing)
Address: ignored (historical)
Control: ignored (historical)
Protocol: upper layer protocol to which the frame is delivered (e.g., PPP-LCP, IP, IPCP, etc.)
Info: upper layer data being carried
Check: cyclic redundancy check for error detection
- 198. BYTE STUFFING
(Figure: a flag byte pattern occurring in the data to send, and the flag byte pattern
plus a stuffed byte in the transmitted data.)
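Byte stuffing as an added example (not from the slides), using the HDLC-like framing PPP applies over serial links per RFC 1662: 0x7E is the flag, 0x7D the control escape, and an escaped byte is XORed with 0x20, which is what gives PPP the bit transparency listed in the design requirements.

```python
# Added example, not from the slides: byte stuffing as PPP does it over serial
# links (RFC 1662 HDLC-like framing). 0x7E is the flag, 0x7D the control escape,
# and an escaped byte is XORed with 0x20 so the flag can never appear inside a frame.
FLAG = 0x7E
ESC = 0x7D
XOR_MASK = 0x20


def stuff(payload: bytes) -> bytes:
    """Escape every flag or escape byte in the payload and wrap it in flags."""
    out = bytearray([FLAG])
    for b in payload:
        if b in (FLAG, ESC):
            out.append(ESC)
            out.append(b ^ XOR_MASK)
        else:
            out.append(b)
    out.append(FLAG)
    return bytes(out)


def unstuff(frame: bytes) -> bytes:
    """Undo the stuffing; reject frames a receiver could not delimit safely."""
    if len(frame) < 2 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("frame is not delimited by flag bytes")
    body = frame[1:-1]
    out = bytearray()
    i = 0
    while i < len(body):
        b = body[i]
        if b == FLAG:
            # A bare flag inside the body means the sender did not stuff it:
            # a real receiver would have split the frame at this point.
            raise ValueError("unescaped flag byte inside frame")
        if b == ESC:
            i += 1
            if i >= len(body):
                raise ValueError("escape byte at end of frame")
            out.append(body[i] ^ XOR_MASK)
        else:
            out.append(b)
        i += 1
    return bytes(out)


if __name__ == "__main__":
    # Constructed payload that contains both special bytes.
    data = b"\x01\x7e\x02\x7d\x03"
    frame = stuff(data)
    print(frame.hex())  # 7e 01 7d5e 02 7d5d 03 7e
    assert unstuff(frame) == data
```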
- 199. POINT-TO-POINT PROTOCOL (PPP)
Purpose
Transport layer-3 packets across a Data Link layer point-to-point link
Can be used over asynchronous serial (dial-up) or synchronous serial
(ISDN) media
Uses Link Control Protocol (LCP)
• Builds & maintains data-link connections
- 201. PPP MAIN COMPONENTS
EIA/TIA-232-C
Intl. Std. for serial communications
HDLC
Serial link datagram encapsulation method
LCP
Used in P-t-P connections:
• Establishing
• Maintaining
• Terminating
NCP
Method of establishing & configuring Network Layer protocols
Allows simultaneous use of multiple Network layer protocols
- 202. LCP CONFIGURATION OPTIONS
Authentication
PAP
CHAP
Compression
Stacker
Predictor
Error detection
Quality
Magic Number
Multilink
Splits the load for PPP over 2+ parallel circuits; a bundle
- 203. PPP SESSION ESTABLISHMENT
Link-establishment phase
Authentication phase
Network-layer protocol phase
- 205. PPP AUTHENTICATION METHODS
Password Authentication Protocol (PAP)
Passwords sent in clear text
Remote node returns username & password
Challenge Handshake Authentication Protocol (CHAP)
Done at start-up & periodically
Challenge & Reply
• Remote router replies with a one-way MD5 hash
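What each method puts on the wire, as an added example (not from the slides): PAP per RFC 1334 sends the password itself, while CHAP per RFC 1994 sends only MD5(Identifier || Secret || Challenge), so a captured reply is useless against the next challenge. The credential store and the peer name "RouterB" are constructed for the example.

```python
# Added example, not from the slides: what PAP and CHAP each put on the wire.
# PAP follows RFC 1334 (clear-text username and password); CHAP follows RFC 1994,
# where the response is MD5(Identifier || Secret || Challenge). The credential
# store and the peer name "RouterB" are constructed for the example.
import hashlib
import hmac
import os

# Both peers hold the same clear-text secret (the "username RouterB password cisco" line).
SECRETS = {"RouterB": b"cisco"}


def pap_request(username: str, password: bytes) -> dict:
    """PAP Authenticate-Request: exactly what a sniffer on the link sees."""
    return {"peer_id": username, "password": password}


def pap_verify(request: dict) -> bool:
    expected = SECRETS.get(request["peer_id"])
    return expected is not None and hmac.compare_digest(expected, request["password"])


def chap_challenge() -> tuple:
    """Authenticator side: a fresh Identifier and a random Challenge value."""
    return os.urandom(1)[0], os.urandom(16)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: one-way MD5 hash over Identifier, Secret and Challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(name: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Authenticator recomputes the hash from its copy of the secret and compares."""
    secret = SECRETS.get(name)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(name: str, secret: bytes) -> tuple:
    """Run one challenge/response round; return the bytes sent and the verdict."""
    identifier, challenge = chap_challenge()
    response = chap_response(identifier, secret, challenge)
    return response, chap_verify(name, identifier, challenge, response)


def replay_blocked(name: str, secret: bytes) -> bool:
    """A response captured for one challenge must fail against the next one."""
    ident1, chal1 = chap_challenge()
    captured = chap_response(ident1, secret, chal1)
    ident2, chal2 = chap_challenge()
    return not chap_verify(name, ident2, chal2, captured)


if __name__ == "__main__":
    print("PAP on the wire:", pap_request("RouterB", b"cisco"))
    wire, ok = chap_exchange("RouterB", b"cisco")
    print("CHAP on the wire:", wire.hex(), "verified:", ok)
```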
- 206. CONFIGURING PPP
Step #1: Configure PPP on RouterA & RouterB:
Router__#config t
Router__(config)#int s0
Router__(config-if)#encapsulation ppp
Router__(config-if)#^Z
Step #2: Define the username & password on each router:
RouterA: RouterA(config)#username RouterB password cisco
RouterB: RouterB(config)#username RouterA password cisco
NOTE: (1) Username maps to the remote router
(2) Passwords must match
Step #3: Choose the authentication type for each router: CHAP or PAP
Router__(config)#int s0
Router__(config-if)#ppp authentication chap
Router__(config-if)#ppp authentication pap
Router__(config-if)#^Z
- 211. WHAT IS NAT?
Similar to Classless Inter-Domain Routing (CIDR), the original intention
for NAT was to slow the depletion of available IP address space by
allowing many private IP addresses to be represented by some smaller
number of public IP addresses.
Benefits of NAT
You need to connect to the Internet and your hosts don’t have globally unique
IP addresses.
You change to a new ISP that requires you to renumber your network.
You need to merge two intranets with duplicate addresses.
- 212. WHERE NAT IS TYPICALLY CONFIGURED
- 214. THREE TYPES OF NAT
Static
Dynamic
Overloading
- 215. STATIC NAT
Let’s take a look at a simple basic static NAT configuration:
ip nat inside source static 10.1.1.1 170.46.2.2
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0
ip address 170.46.2.1 255.255.255.0
ip nat outside
!
- 216. DYNAMIC NAT
Here is a sample output of a dynamic NAT configuration:
ip nat pool NET 170.168.2.2 170.168.2.254 netmask 255.255.255.0
ip nat inside source list 1 pool NET
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0
ip address 170.168.2.1 255.255.255.0
ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
- 218. PAT
Here is a sample output of a PAT configuration:
ip nat pool NET 170.168.2.1 170.168.2.1 netmask 255.255.255.0
ip nat inside source list 1 pool NET overload
!
interface Ethernet0/0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0/0
ip address 170.168.2.1 255.255.255.0
ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255
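A minimal model of the PAT configuration above, added here as an example (this is not Cisco IOS or Cyberoam code): inside list 10.1.1.0/24, single pool address 170.168.2.1 with overload. It shows how outbound traffic builds the translation table and why inbound packets with no matching entry are dropped; entries are keyed on inside address and port only, and global ports are handed out sequentially from 1024, both simplifications.

```python
# Added example, not Cisco IOS or Cyberoam code: a minimal model of the PAT
# configuration above (inside list 10.1.1.0/24, single pool address 170.168.2.1
# with overload). Simplifications: entries are keyed on inside address and port
# only, and global ports are allocated sequentially from 1024.
import ipaddress
from dataclasses import dataclass

INSIDE_LIST = ipaddress.ip_network("10.1.1.0/24")   # access-list 1 permit 10.1.1.0 0.0.0.255
POOL_ADDRESS = "170.168.2.1"                        # ip nat pool NET 170.168.2.1 170.168.2.1 ... overload


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Pat:
    def __init__(self) -> None:
        self.table = {}      # (inside_local_ip, port) -> global port
        self.reverse = {}    # global port -> (inside_local_ip, port)
        self.next_port = 1024

    def _allocate(self) -> int:
        if self.next_port > 65535:
            raise RuntimeError("PAT port space on the pool address is exhausted")
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source if it matches the access list."""
        if ipaddress.ip_address(pkt.src) not in INSIDE_LIST:
            return pkt   # not permitted by the list, so forwarded untranslated
        key = (pkt.src, pkt.sport)
        gport = self.table.get(key)
        if gport is None:
            gport = self._allocate()
            self.table[key] = gport
            self.reverse[gport] = key
        return Packet(POOL_ADDRESS, gport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        """Outside -> inside: only packets matching an existing entry get through."""
        if pkt.dst != POOL_ADDRESS:
            return None
        entry = self.reverse.get(pkt.dport)
        if entry is None:
            return None  # no translation exists: the packet is dropped
        inside_ip, inside_port = entry
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port)


if __name__ == "__main__":
    nat = Pat()
    out = nat.outbound(Packet("10.1.1.5", 40000, "203.0.113.7", 80))
    print("outbound after PAT:", out)
    print("reply:", nat.inbound(Packet("203.0.113.7", 80, POOL_ADDRESS, out.sport)))
    print("unsolicited:", nat.inbound(Packet("203.0.113.9", 4444, POOL_ADDRESS, 2000)))
```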
- 220. TRANSPORT CONTROL PROTOCOLS
The function of the Transport Layer is to ensure packets have no errors and that all
packets arrive and are correctly reassembled.
Two protocols are used:
User Datagram Protocol.
• Provides an unreliable, connectionless delivery service using the Internet Protocol.
• Application programs using UDP accept full responsibility for packet reliability,
including message loss, duplication, delay, out-of-sequence delivery, multiplexing and
connectivity loss.
Transmission Control Protocol.
• Provides a reliable, connection-oriented delivery service using the Internet Protocol.
• It provides reliable packet delivery, packet sequencing, error control and multiplexing.
(Figure: applications above TCP and UDP, which sit above IP and the hardware; TCP and
UDP pass IP packets to the applications.)
- 221. CONNECTIONLESS VS. CONNECTION-ORIENTED PROTOCOLS
Connection-oriented
• Two computers connect before sending any data: the sender lets the receiver know that
data is on the way, and the recipient acknowledges receipt of data (ACK) or denies
receipt (NACK). The ACKing and NACKing is called handshaking. (Type supported by
TCP.) Reliable, but carries an overhead burden.
Connectionless
• The computers involved know nothing about each other or the data being sent. Makes no
attempt to cause network senders and receivers to exchange information about their
availability or ability to communicate with one another; “best effort” delivery. (Type
supported by IP and UDP.) Not reliable, but faster and may be good enough. Also, upper
layer apps may handle errors and reliability processing themselves, so there is no need
to do it twice.
- 222. TRANSPORT LAYER PORTS
Both TCP and UDP use port numbers to pass data to the upper layers.
Port numbers have the following ranges:
• 0-255 used for public applications; 0-1023 also called well-known ports, regulated by
IANA.
• Numbers from 255-1023 are assigned to marketable applications.
• 1024 through 49151: Registered Ports, not regulated.
• 49152 through 65535: Dynamic and/or Private Ports.
Port numbers are used to keep track of different conversations that cross the network
at the same time.
Port numbers identify which upper layer service is needed, and are needed when a host
communicates with a server that uses multiple services.
- 223. SOME WELL-KNOWN TCP PORTS
Port  Application  Description
7     Echo         Echo
9     Discard      Discard all incoming data port
19    Chargen      Exchange streams of data port
20    FTP-Data     File transfer data port
21    FTP-CMD      File transfer command port
23    Telnet       Telnet remote login port
25    SMTP         Simple Mail Transfer Protocol port
53    DOMAIN       Domain Name Service
79    Finger       Obtains information about active users
80    HTTP         Hypertext Transfer Protocol port
88    Kerberos     Authentication Protocol
110   POP3         PC Mail retrieval service port
119   NNTP         Network news access port
161   SNMP         Network Management
179   BGP          Border Gateway Protocol
513   Rlogin       Remote Login
- 224. PORTS FOR CLIENTS
(Figure: 1. Client requests a web page from the server: source port 1032, destination
port 80. 2. Server responds to the client: source port 80, destination port 1032.)
Clients and servers both use ports to distinguish what process each segment is
associated with.
Source ports, which are set by the client, are determined dynamically, usually a
randomly assigned number above 1023.
- 225. PROTOCOLS AND PORT NUMBERS
(Figure: an Ethernet frame carrying a Telnet session, layer by layer.
Data link layer: Ethernet frame with preamble, destination address 00 00 1B 12 23 34,
source address 00 00 1B 09 08 07, type field, data and FCS.
Network layer: IP header with source IP address 128.66.12.2 and destination IP address
128.66.13.1.
Transport layer: TCP header with source port 5512 and destination port 23.
Application layer: Telnet.)
- 226. TCP OPERATION
TCP is a connection-oriented protocol.
TCP provides the following major services to the upper protocol layers:
Connection-oriented data management to assure the end-to-end transfer of data across the
network(s).
Reliable data transfer to assure that all data is accurately received, in sequence and with no
duplicates.
Stream-oriented data transfer takes place between the sender application and TCP and the
receiving application and TCP.
• To stream is to send individual characters not blocks or frames.
Prior to data transmission, hosts establish a virtual connection via a
synchronization process. The sync process is a 3-way “handshake”, which ensures
both sides are ready to transfer data and determines the initial sequence numbers.
Sequence numbers give hosts a way to acknowledge what they have received. The TCP
header contains SYN bits, or flags, to achieve this.
- 227. TCP 3-WAY HANDSHAKE
TCP is a connection-oriented protocol. Communicating hosts go through a synchronization
process to establish a virtual connection. This synchronization process ensures that both
sides are ready for data transmission and allows the devices to determine the initial
sequence numbers.
(Figure: Host A sends SYN, Seq = x. Host B receives the SYN and sends SYN, Seq = y,
ACK = x + 1. Host A receives the SYN with Seq = y, ACK = x + 1, and sends ACK = y + 1.
Host B receives the ACK with ACK = y + 1.)
Sequence numbers are reference numbers between the two devices. The sequence numbers give
each host a way to ACK the SYN, so the receiver knows which connection request the sender
is responding to.
- 228. DENIAL OF SERVICE ATTACKS
DoS attacks are designed to deny services to legitimate users. DoS attacks are used by
hackers to overwhelm and crash systems. SYN flooding is a DoS attack that exploits the
three-way handshake.
To defend against these attacks, decrease the connection timeout period and increase the
connection queue size. Software also exists that can detect these types of attacks and
initiate defensive measures.
(Figure: the attacker sends SYN after SYN; the target receives each SYN and sends a
SYN/ACK.)
1. Hacker initiates a SYN but spoofs the source IP address.
2. Target replies to the unreachable IP address and waits for the final ACK.
3. Hacker floods the target with false SYN requests, tying up its connection resources
and preventing it from responding to legitimate connection requests.
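The listener's half of the 3-way handshake from the previous slide, with a bounded queue of half-open connections, as an added example (not from the slides) so that the two defences named above, a shorter connection timeout and a larger connection queue, can be measured against a synthetic flood. The model is simplified: one queue, ISNs handed out sequentially from a constructed start value, and spoofed sources drawn from the 198.51.100.0/24 documentation range.

```python
# Added example, not from the slides: the listener's half of the 3-way handshake
# with a bounded queue of half-open connections, so the two defences on the slide
# (shorter connection timeout, larger connection queue) can be measured.
# Simplified model: one queue, ISNs handed out sequentially from a constructed
# start value, and a synthetic flood from spoofed 198.51.100.0/24 sources.
from dataclasses import dataclass


@dataclass
class Segment:
    src: str            # source IP
    sport: int
    seq: int
    ack: int = 0
    syn: bool = False
    ack_flag: bool = False


class Listener:
    def __init__(self, isn: int, queue_size: int, timeout: float) -> None:
        self.isn = isn
        self.queue_size = queue_size
        self.timeout = timeout
        self.half_open = {}      # (src, sport) -> (y, x, time received)
        self.established = set()
        self.dropped = 0

    def expire(self, now: float) -> None:
        """Give up on half-open connections older than the timeout."""
        stale = [k for k, (_, _, t) in self.half_open.items() if now - t >= self.timeout]
        for k in stale:
            del self.half_open[k]

    def receive(self, seg: Segment, now: float):
        """Process one segment; return the segment sent back, or None."""
        self.expire(now)
        key = (seg.src, seg.sport)
        if seg.syn and not seg.ack_flag:                 # step 1: SYN, Seq = x
            if len(self.half_open) >= self.queue_size:
                self.dropped += 1                        # queue full: SYN is discarded
                return None
            y = self.isn
            self.isn += 1
            self.half_open[key] = (y, seg.seq, now)
            return Segment("server", 0, seq=y, ack=seg.seq + 1, syn=True, ack_flag=True)
        if seg.ack_flag and key in self.half_open:       # step 3: ACK = y + 1
            y, x, _ = self.half_open[key]
            if seg.ack == y + 1 and seg.seq == x + 1:
                del self.half_open[key]
                self.established.add(key)
        return None


def legit_client_connects(queue_size: int, timeout: float, flood: int = 100) -> bool:
    """Flood the listener with spoofed SYNs at t=0, then try a real handshake at t=1."""
    srv = Listener(isn=1000, queue_size=queue_size, timeout=timeout)
    for i in range(flood):   # spoofed sources never answer the SYN/ACK
        srv.receive(Segment(src=f"198.51.100.{i}", sport=5000 + i, seq=i, syn=True), now=0.0)
    synack = srv.receive(Segment(src="10.1.1.5", sport=1032, seq=300, syn=True), now=1.0)
    if synack is None:
        return False
    srv.receive(Segment(src="10.1.1.5", sport=1032, seq=301, ack=synack.seq + 1,
                        ack_flag=True), now=1.0)
    return ("10.1.1.5", 1032) in srv.established


if __name__ == "__main__":
    print("small queue, long timeout :", legit_client_connects(50, 10.0))   # False
    print("small queue, short timeout:", legit_client_connects(50, 0.5))    # True
    print("large queue, long timeout :", legit_client_connects(200, 10.0))  # True
```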
- 229. TCP WINDOWS AND FLOW CONTROL
Data often is too large to be sent in a single segment. TCP splits the data into
multiple segments.
TCP provides flow control through “windowing” to set the pace of how much data
is sent at a time – i.e. how many bytes per window, and how many windows
between ACKs.
(Figure: windowing with Window Size = 1 and with Window Size = 3.)
- 230. WINDOWING AND WINDOW SIZE
Window size determines the amount of data that you can transmit before receiving an
acknowledgment. This is how TCP assists in congestion control.
Sliding window refers to the fact that the window size is negotiated dynamically during
the TCP session.
Expectational acknowledgment means that the acknowledgment number refers to the octet
that is next expected.
If the source receives no acknowledgment, it knows to retransmit at a slower rate.
(Figure: sender: “Fast enough for you?” Receiver: “I didn’t get all of that, slow down.”)
- 231. SEQUENCE AND ACK NUMBERS
Each TCP segment is numbered before transmission so that the
receiver will be able to properly reassemble the bytes in their original
order.
They also identify missing data pieces so the sender can retransmit
them. Only the missing segments need to be re-transmitted.
Positive Acknowledgement and Retransmission
TCP utilizes PAR to control data flow and confirm data delivery.
Source sends packet, starts timer, and waits for ACK.
If timer expires before source receives ACK, source retransmits the packet and
restarts the timer.
- 232. TCP ENCAPSULATION
(Figure: a TCP segment inside an IP datagram inside an Ethernet frame. Ethernet field
widths in bytes: preamble 8, destination address 6, source address 6, type field 2,
data (IP datagram) 0-65535, FCS 4.)
IP Header
VERS (4 bits), HLEN (4 bits), TOS (8 bits), Total Length (16 bits)
Identification (16 bits), Flags (3 bits), Fragment Offset (13 bits)
TTL (8 bits), Protocol (8 bits), Checksum (16 bits)
Source IP Address (32 bits)
Destination IP Address (32 bits)
IP Options (if any) (32 bits)
TCP Data (if any)
TCP Header
Source Port (16 bits), Destination Port (16 bits)
Sequence Number (32 bits)
Acknowledgement Number (32 bits)
Offset (4 bits), Reserved (6 bits), code bits U A P R S F, Receive Window Size (16 bits)
Checksum (16 bits), Urgent Pointer (16 bits)
Options (if any)
DATA
- 233. TCP SEGMENT FORMAT
Source Port: number of the calling port
Destination Port: number of the called port
Sequence Number: used to ensure correct sequencing of the arriving data
Acknowledgement Number: next expected TCP octet
Offset: number of 32-bit words in the header
Reserved: set to zero
Code bits: control setup and termination of the session
Window: number of octets the sender is willing to accept
Urgent Pointer: indicates the end of the urgent data
Data: upper layer protocol data
- 234. DETAILS ON TCP FIELDS
Sequence Number
TCP numbers each byte in the TCP data with a sequence number.
The sequence number identifies the first byte in the data segment being
transmitted from the sending TCP to the receiving TCP.
Acknowledgement Number
The acknowledgement number contains the next sequence number the
receiving station (sending the acknowledgement) expects to receive. The
Acknowledgement flag is set.
Offset
It is perhaps more descriptive to call this field the TCP Header Length. This field is
required because the length of the options field is variable. It indicates where the
TCP header ends and the data begins. The header is 20 bytes without the options field.
Reserved
This field is reserved for future use and is set to zero.
- 235. DETAILS ON TCP FIELDS
TCP software uses the 6 Code Bits to determine the purpose and
contents of the segment.
Urg
• This flag indicates that this segment contains an Urgent pointer field. 1 = Urgent, 0
= Not Urgent.
• This field presents a way for the sender to transmit emergency data to the
receiver. The URG flag must be set.
• The Urgent Pointer is a 16-bit positive offset that is added to the sequence number
field in the TCP header to obtain the sequence number of the last byte of the
urgent data.
• The application determines where the urgent data starts in the data stream.
• The field is normally used by the application to indicate the pressing of an
interrupt key during Telnet/Rlogin or a file transfer abort during FTP.
Ack
• This flag indicates that this segment contains an Acknowledgement field. 1 = Ack, 0
= No Ack.
- 236. DETAILS ON TCP FIELDS
TCP software uses the 6 Code Bits to determine the purpose and
contents of the segment.
Psh
• The segment requests a Push. TCP software usually gathers enough data to fill the
transmit buffer prior to transmitting the data. 1 = Push, 0 = No Push. If an
application requires data to be transmitted even though a buffer may not be full
then a PUSH flag bit is set. At the receive side the PUSH makes the data available
to the application without delay.
Reset
• This field will Reset the connection. 1 = Reset, 0 = No Reset.
Syn
• This flag field is used to Synchronize sequence numbers to initiate a connection. 1
= Syn, 0 = No Syn
Fin
• The Finish flag bit is used to indicate the termination of a connection. 1 = Fin, 0 =
No Fin.
- 237. UDP/TCP OPERATION COMPARISON
• There are two protocols at Layer 4 – TCP and UDP. Both TCP and UDP use IP as their
underlying protocol.
• TCP must be used when applications need to guarantee the delivery of a packet. When
applications do not need a guarantee, UDP is used.
• UDP is often used for applications and services such as real-time audio and video.
These applications require less overhead. They also do not need to be re-sequenced,
since packets that arrive late or out of order have no value.
TCP                            | UDP
Connection-oriented delivery   | Connectionless delivery, faster
Uses windows and ACKs          | No windows or ACKs
Full header                    | Smaller header, less overhead
Sequencing                     | No sequencing
Provides reliability           | Relies on app layer protocols for reliability
FTP, HTTP, SMTP, and DNS       | DNS, TFTP, SNMP, and DHCP
UDP segment format (bit positions): 0-15 Source Port | 16-31 Destination Port |
32-47 Length | 48-63 Checksum | 64 onwards Data...
- 238. USER DATAGRAM PROTOCOL
UDP is a connectionless, unreliable Transport level service protocol. It is primarily used
for protocols that require a broadcast capability, e.g. RIP.
It provides no packet sequencing, may lose packets, and does not check for duplicates.
• It is used by applications that do not need a reliable transport service.
• Application data is encapsulated in a UDP header, which in turn is encapsulated in an
IP header.
UDP distinguishes different applications by port number, which allows multiple
applications running on a given computer to send/receive datagrams independently of
one another.
(Figure: UDP datagram encapsulation. Ethernet frame: preamble (8), destination address
(6), source address (6), type field (2), IP header and UDP datagram of 8-1500 bytes,
FCS (4). UDP header, bits 0-15 and 16-31: UDP Source Port, UDP Destination Port; UDP
Message Length, UDP Checksum; then Data.)
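Decoding the TCP and UDP header layouts shown in the figures above, as an added example (not from the slides): the parser checks the 4-bit Offset and the UDP Length field against the bytes actually present, and names the six code bits. The sample headers (the Telnet ports 5512 to 23 from the earlier figure, and a DNS query from port 1032) are constructed here, not captured traffic.

```python
# Added example, not from the slides: decode the TCP and UDP header layouts in the
# figures above with struct, including the 4-bit Offset and the six code bits.
# The sample headers are constructed for the example, not captured traffic.
import struct

# Code bits in the low six bits of the Offset/Reserved/flags word, bit 5 down to bit 0.
TCP_FLAGS = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")
FLAG_BIT = {name: 1 << (5 - i) for i, name in enumerate(TCP_FLAGS)}


def build_tcp(sport, dport, seq, ack, flags, window, data=b""):
    """Pack a 20-byte TCP header (no options) followed by data."""
    code_bits = sum(FLAG_BIT[f] for f in flags)
    offset_word = (5 << 12) | code_bits           # Offset = 5 words, Reserved = 0
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_word, window, 0, 0) + data


def parse_tcp(segment: bytes) -> dict:
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sport, dport, seq, ack, word, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (word >> 12) * 4                 # Offset counts 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("Offset field is inconsistent with the segment length")
    flags = [name for name in TCP_FLAGS if word & FLAG_BIT[name]]
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "header_len": header_len, "flags": flags, "window": window,
        "checksum": csum, "urgent_ptr": urg,
        "options": segment[20:header_len], "data": segment[header_len:],
    }


def parse_udp(datagram: bytes) -> dict:
    if len(datagram) < 8:
        raise ValueError("UDP header is 8 bytes")
    sport, dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError("UDP Length field is inconsistent with the datagram")
    return {"src_port": sport, "dst_port": dport, "length": length,
            "checksum": csum, "data": datagram[8:length]}


# Constructed samples: a Telnet SYN, the SYN/ACK coming back, and a DNS query over UDP.
TELNET_SYN = build_tcp(5512, 23, 100, 0, ("SYN",), 8192)
TELNET_SYNACK = build_tcp(23, 5512, 700, 101, ("SYN", "ACK"), 4096)
DNS_QUERY = struct.pack("!HHHH", 1032, 53, 8 + 4, 0) + b"\x00\x01\x01\x00"


if __name__ == "__main__":
    for name, seg in (("SYN", TELNET_SYN), ("SYN/ACK", TELNET_SYNACK)):
        h = parse_tcp(seg)
        print(name, h["src_port"], "->", h["dst_port"], h["flags"], "seq", h["seq"], "ack", h["ack"])
    print("UDP", parse_udp(DNS_QUERY))
```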
- 239. UDP PORT NUMBERS
Application Port Description
Echo 7 Echo user datagram back to user
Discard 9 Discard user datagrams
Daytime 13 Report time in a user friendly fashion
Quote 17 Return "Quote of the day"
Chargen 19 Character generator
Nameserver 53 Domain Name Server
Sql-Net 66 Oracle Sequel Network
BOOTPS 67 Server port to download configuration information
BOOTPC 68 Client port to receive configuration information
TFTP 69 Trivial File Transport Protocol
POP3 110 Post Office Protocol - V3
SunRPC 111 Sun Remote Procedure Call
NTP 123 Network Time Protocol
SNMP 161 Used to receive network management queries
SNMP-trap 162 Used to receive network problem reports.
IRC 194 Internet Relay Chat
IPX 213 IPX - IP Tunneling
SysLog 514 System Log
RIP 520 Routing Information Protocol
- 240. LAB
Open Wireshark or Ethereal and identify TCP/UDP connections, with their flags and the
reasons for them.
- 241. IP ROUTING BASICS
Static and Connected Routes
IP Forwarding by Matching the Most Specific Route
Configuring Static Routes
Verifying Routing Table