Starter Tutorials on Reliable Lan Switching

As time progresses we will keep on increasing the complexity of the network.


Starters Tutorial on Reliable LAN Switching (2013)

CDi Communications, Inc.
Netwind Learning Center, 4327 South Hwy 27, Suite 331, Clermont (Orlando), FL 34711
Toll Free Tel: 800.617.5586 (407.656.2277)
Toll Free Fax: 877.557.3064
e-mail us at: salesinfo@netwind.com
Copyright © 1996-2013 Netwind Learning Center / CDi Communications, Inc.
1 Table of Contents

1 Table of Contents
2 Reliable and Secure Campus LAN Switching
  2.1 Basic Wireless Router Configurations
  2.2 Configuring Multiple Wifi for seamless roaming and less congestion
  2.3 Configuring Wireless MAC Address Filtering on Linksys WRT 300 N
    2.3.1 What is a MAC Address
    2.3.2 Implementation of Wireless MAC Address Filtering
  2.4 Broadcast & Collision Domains, CSMA/CD, and VLAN
    2.4.1 What is a broadcast domain?
    2.4.2 Collision domains and role of CSMA/CD
    CSMA/CD (Carrier Sense Multiple Access and Collision Detection)
    2.4.3 What is a VLAN?
  2.5 IP Addressing
    2.5.1 What is an IP Address?
    2.5.2 IP Addresses (Binary to Decimal and Decimal to Binary Conversion)
    2.5.3 Public and Private IP Addresses
    2.5.4 Classes of IP Addresses
    2.5.5 Subnetting
  2.6 Configuring VLANs on Cisco Switch
  2.7 Configuring Trunk Ports on Cisco Switches
    2.7.1 Access Port
    2.7.2 Trunk Port
    2.7.3 Trunk Configuration commands on Cisco Switches and Routers
  2.8 Configuring DHCP on Cisco 3560 Switch
    2.8.1 What is Dynamic Host Configuration Protocol (DHCP)?
    2.8.2 What is the DHCP Scope?
    2.8.3 DHCP Configuration commands
  2.9 Configuring InterVLAN Routing on Cisco 3560 Switch
  2.10 Access Control List (ACL)
    2.10.1 What is ACL?
    2.10.2 Standard access list
    2.10.3 Extended access list
    2.10.4 Named based access list
    2.10.5 Access Control List configuration command on a Cisco 3560 switch
2 Reliable and Secure Campus LAN Switching

Suppose this is your first day in the office as a Cisco Network Engineer and your supervisor hands you a complex network diagram and tasks you to interconnect different devices in different departments. Your task is to achieve the following goals:
  • Everyone in the branch must have access to the internet and the e-mail server.
  • The CEO should have access to all servers, printers, and computers.
  • Only the finance department must have access to the finance server, printer, and computers.
  • Only the operations department must have access to the operations printer and computers.
  • Computers in the finance department may communicate with each other but not with computers of another department, and the same goes for the operations department.
  • No employee can access the computers and printers of managers, the CEO or the CFO.
  • Managers can access the computers of their respective department.

The network diagram that you need to complete is below.

You are expected to finish the project in a short time and have no clue where to start. We are here to help you out in a step by step fashion. As time progresses we will keep on increasing the complexity of the network by adding more devices and scenarios, interconnected with each other securely.
2.1 Basic Wireless Router Configurations

The first step is to bring the CEO and CFO laptops and printers onto a local area network using a Linksys WRT 300 N router, so that they can start using the network printer and sharing files with each other. We will also connect the Linksys WRT 300 N router to the internet so that the senior executives have access to the internet. It is assumed that your DSL modem is already configured for internet access by the service provider. Connect the internet port of the router to the Ethernet port of the DSL modem.

Open the GUI of the Linksys WRT 300 N and do the steps mentioned below:
  • Give the router the IP address 192.168.1.1 with a subnet mask of 255.255.255.0.
  • Enable the DHCP server with a start IP address of 192.168.1.33 and the maximum number of users as 10.
  • Now click on Wireless, then Basic Wireless Settings, and set the SSID as NY Branch.
  • Now click on Wireless Security, set the security mode to "WPA2 Personal", set the encryption to "AES" and set your secret passphrase for WiFi connectivity.

Your Linksys WRT 300 N is configured for internet access, and file & printer sharing. You can connect the CFO and CTO laptops to the wifi network "NY Branch" and connect the printer to a LAN port of the Linksys WRT 300 N using a straight UTP cable. Assign the IP address "192.168.1.201" to the printer with a subnet mask of 255.255.255.0. The CTO and CFO can browse the internet, send prints to the network printer and share files with each other.

We will discuss IP addressing and subnetting in detail later, but for the time being the following IP addressing schema would be handy to retain:

Servers and Networking Devices      192.168.1.1 – 192.168.1.30
Laptops, Desktops and Tablets       192.168.1.33 – 192.168.1.190
Printers                            192.168.1.201 – 192.168.1.250
2.2 Configuring Multiple Wifi for seamless roaming and less congestion

Below is what you accomplished on Day 1, i.e. bringing the C level executives onto the local area network (LAN) and the internet using a Linksys WRT 300 N router.

You need to move on and bring the managers' laptops and printer onto the network. We are adding another performance related restriction here:
  • The SSID and security key of both Linksys WRT 300 N routers should be the same.

Below are the advantages of keeping the SSID and security key the same on both wireless access points (AP) / routers:
  • Users are able to roam between the two locations seamlessly without facing any disconnection.
  • You are able to accommodate double the number of users on the same wireless network.

You will configure the managers' wireless router (Linksys WRT 300 N) exactly the same way as you configured the wireless router on Day 1, except for three changes:
  1. In wireless settings, set the wireless channel to 1 for router-1 and to 6 for router-2. This keeps both wireless signals in non-overlapping ranges, thus doubling the number of users that can be accommodated.
  2. Assign the IP address 192.168.1.2 to the managers' wireless router.
  3. Enable DHCP on the managers' router with a start IP address of 192.168.1.43 and the maximum number of users as 10.

Assign the IP address 192.168.1.202 to the managers' printer with default gateway 192.168.1.2 and connect it to a LAN port of the managers' wireless router (Linksys WRT 300 N).

There must be a communication channel between the two wireless routers so that wireless clients connecting to the managers' wifi can have an IP assigned by the DHCP server running on the C level wireless router. Here comes the role of our access switch, a Cisco 2950: connect the LAN ports of both wireless routers to Fast Ethernet ports of the Cisco 2950 switch using a crossover UTP cable.
Now the next step is to connect your DSL modem or internet CPE to an Ethernet port of the Cisco 2950. Now internet connectivity is operational for managers and C level executives, and they can access each other's laptops and printers. Below is how your network looks today.

Below is how your IP addressing scheme looks now:

Servers and Networking Devices                         192.168.1.1 – 192.168.1.30
  C Level Wireless Router                              192.168.1.1
  Managers' Wireless Router                            192.168.1.2
Laptops, Desktops and Tablets                          192.168.1.33 – 192.168.1.190
  Available host IPs for dynamic client IPs in the
  DHCP server of the C Level router                    192.168.1.33 – 192.168.1.42
  Available host IPs for dynamic client IPs in the
  DHCP server of the Managers' router                  192.168.1.43 – 192.168.1.52
Printers                                               192.168.1.201 – 192.168.1.250
  C Level Printer IP                                   192.168.1.201
  Managers' Printer IP                                 192.168.1.202
2.3 Configuring Wireless MAC Address Filtering on Linksys WRT 300 N

The problem we inherited from the previous scenario is that wireless clients are being connected to random wireless access points, as their SSID and security key are the same. We did this to implement seamless roaming, but we have a serious information security concern here. The solution is to implement wireless MAC address filtering, which will allow us to specify which wireless clients are allowed to connect to a particular wireless access point.

First we need to understand what wireless MAC address filtering is, and then we will implement it on the Linksys WRT 300 N.

2.3.1 What is a MAC Address

A Media Access Control address (MAC address) is a unique identifier assigned to network interfaces for communications on the physical network segment. MAC addresses are most often assigned by the manufacturer of a network interface card (NIC) and are stored in its hardware, the card's read-only memory.

2.3.2 Implementation of Wireless MAC Address Filtering

Wireless MAC address filtering is a method by which you control access to your network devices from unauthorized devices by defining a list of authorized MAC addresses which can connect to your network device.

You can obtain the MAC address of the wireless NIC of the CEO laptop by going to the command prompt and typing ipconfig /all. Below is the result of the command, in which the MAC address is highlighted:

Physical Address................: 0090.2B41.3871
IP Address......................: 192.168.1.36
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.1.1
DNS Servers.....................: 0.0.0.0
Now you will add this MAC address to the allowed wireless client list in your C level router and deny access to all other devices:
  • Open the GUI of the C level wireless router.
  • Click on Wireless, then Wireless MAC Filter.
  • Check "Enable".
  • Check "Permit PCs listed below to access wireless network".

You can add up to 50 wireless clients to the list. Repeat the same process for the CFO laptop.

Add the wireless MAC addresses of the operations manager and finance manager laptops to the allowed client list on the managers' router.

Here you go: only C level executives will be able to connect to the C level router and only managers will be able to connect to the managers' router. You have also added a layer of security by only authorizing trusted wireless clients. If someone gets to know the SSID and security key of your wifi, he/she still cannot access your wifi network.

Your task is not finished yet; the following is a serious information security issue in the above network:
C level wireless clients and printers are in the same broadcast domain, and managers can access C level executives' devices. In the next topics we will learn what broadcast domains, collision domains and IP addressing are, and how we can use VLANs to create multiple broadcast domains and segregate traffic between different networks.
2.4 Broadcast & Collision Domains, CSMA/CD, and VLAN

We carried the following problem over from our last network diagram:
All wireless clients are in the same broadcast domain and able to communicate with each other.

The solution is to create multiple broadcast domains on a single switch using VLANs. First we have to understand what a broadcast domain is, what a collision domain is, and what the role of CSMA/CD is. We will also learn IP addressing before jumping into VLAN configuration.

2.4.1 What is a broadcast domain?

In an Ethernet LAN, the set of terminals that receive a broadcast transmitted by any one of the terminals in the same network is known as a broadcast domain. On switches that have no support for virtual LANs (VLANs), a switch simply sends all broadcasts out of all interfaces, except the interface on which it received the frame. Consequently, all the interfaces on an individual switch are in a single broadcast domain. Also, if the switch attaches to other switches and hubs, the interfaces on those switches and hubs are also in the same broadcast domain.

2.4.2 Collision domains and role of CSMA/CD

Just imagine yourself in the old world of hubs and repeaters. As you know, repeaters were used in the network to regenerate the signal so that it could be transmitted over longer distances. Consider the simple network topology given below:
In the above network, all the hosts are connected to a hub. If PC1 sends some packets to PC0, the packets will be broadcast to all the hosts on the hub; that's why a hub is a single broadcast domain. In such scenarios it is quite possible that while PC1 is sending some packets, at the same instant PC2 is also sending packets; as the medium is shared, there is a high chance of packet collision. From this we can conclude that a hub has a single broadcast domain and a single collision domain.

The major drawback of such a network scenario is that if we increase the number of hosts in the above network, there will be unnecessary broadcasts and collisions, which will ultimately affect the network performance and cause unbearable latency and congestion in the network.
So to avoid such a case we use a switch. A switch is a data link layer device. The switch learns the MAC addresses of all the hosts connected to its interfaces using ARP (Address Resolution Protocol). Once MAC addresses are learned by a switch and maintained in its CAM table, the switch will not send unnecessary broadcasts. A switch only broadcasts in case it doesn't know about a host; once it knows about that host, it never broadcasts again to trace that host. A rule of thumb to remember is that each switch port is a collision domain and each switch is a single broadcast domain. It is illustrated in the diagram below.

A few more things to remember: each switch has a single broadcast domain; the number of broadcast domains can be increased by creating VLANs on a switch. For example, 2 VLANs will create two broadcast domains on a switch. One more point: each router interface is a single broadcast domain and a single collision domain.
CSMA/CD (Carrier Sense Multiple Access and Collision Detection) is a media access mechanism used on a shared Ethernet to avoid collisions between packets. Suppose we have two stations, A and B, on our shared Ethernet medium. In the language of CSMA, station A first scans the shared Ethernet medium, i.e. listens for any ongoing packet transmission on the medium. If it senses some packets, it will refrain from transmitting; in case it senses that the link is free, it will transmit its packets.

If at the same instant station B is also transmitting, station A will sense the collision and will back off for a certain amount of time (mostly in milliseconds); this is how it avoids collisions of packets in the network. In reality the collision is detected by voltage changes. Everyone on the network is notified about the collision via a jam signal and hosts stop sending data. After a random timer the hosts will again start scanning or listening to the network; if it is free they will start sending packets.

Use of CSMA/CD is now obsolete in modern networks; switches and full duplex connections don't use CSMA/CD any more. But it was one of the best protocols of the good old days!

2.4.3 What is a VLAN?

A VLAN is a group of ports which acts as an independent switch inside a switch. By default, ports in different VLANs cannot communicate with each other; however, communication between different VLANs can be made possible using inter-VLAN routing. An access switch port can be part of one VLAN only, while a trunk port may carry traffic of multiple VLANs. Configuring VLANs in a network of Cisco switches is done by defining the VLAN number and associating the switch ports with the VLAN.
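The following is an added example, not code from the tutorial: a small model of a learning switch with VLAN support that shows why every port of an unconfigured switch shares one broadcast domain and why putting ports in different VLANs splits it. Class names, port numbers and the manager MAC are this example's own assumptions; the model fills its CAM table from the source MAC of each frame it forwards (source-address learning) rather than via ARP as the text puts it.

```python
"""Model of a VLAN-aware learning switch (constructed example)."""

from typing import Dict, List, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self) -> None:
        self.port_vlan: Dict[int, int] = {}         # port -> VLAN id
        self.cam: Dict[Tuple[int, str], int] = {}   # (VLAN, MAC) -> port

    def add_port(self, port: int, vlan: int = 1) -> None:
        """Access port; an unconfigured switch puts every port in VLAN 1."""
        self.port_vlan[port] = vlan

    def broadcast_domain(self, port: int) -> Set[int]:
        """Every port (including `port`) that receives a broadcast sent in on it."""
        vlan = self.port_vlan[port]
        return {p for p, v in self.port_vlan.items() if v == vlan}

    def receive(self, in_port: int, src: str, dst: str) -> List[int]:
        """Forward one frame; return the ports it is sent out of."""
        vlan = self.port_vlan[in_port]
        # Source-address learning: remember which port the sender sits behind,
        # scoped to the VLAN the frame arrived in.
        self.cam[(vlan, src)] = in_port
        known = self.cam.get((vlan, dst))
        if dst != BROADCAST and known is not None:
            # Known unicast leaves through one port only; no flooding needed.
            return [] if known == in_port else [known]
        # Broadcast or unknown destination: flood to all other ports in the VLAN.
        return sorted(p for p, v in self.port_vlan.items()
                      if v == vlan and p != in_port)


def build_flat_switch() -> Switch:
    """Constructed: C level router on port 1, managers' router on port 2,
    modem on port 3, spare port 4, everything left in default VLAN 1."""
    sw = Switch()
    for p in (1, 2, 3, 4):
        sw.add_port(p)
    return sw


def build_segregated_switch() -> Switch:
    """Constructed: C level side (ports 1, 3) in VLAN 10, managers' side (2, 4) in VLAN 20."""
    sw = Switch()
    sw.add_port(1, vlan=10)
    sw.add_port(3, vlan=10)
    sw.add_port(2, vlan=20)
    sw.add_port(4, vlan=20)
    return sw


CEO_MAC = "00:90:2b:41:38:71"   # the address shown in the ipconfig output in 2.3.2
MGR_MAC = "00:90:2b:00:00:02"   # constructed


def demo() -> dict:
    flat, seg = build_flat_switch(), build_segregated_switch()
    out = {}
    # A broadcast from the managers' side reaches every other port of the flat switch...
    out["flat_bcast"] = flat.receive(2, MGR_MAC, BROADCAST)
    # ...but stays inside VLAN 20 on the segregated switch.
    out["seg_bcast"] = seg.receive(2, MGR_MAC, BROADCAST)
    # Flat switch: once the CEO laptop is learned on port 1, a manager's frame
    # addressed to it is delivered straight to that port.
    flat.receive(1, CEO_MAC, BROADCAST)
    out["flat_to_ceo"] = flat.receive(2, MGR_MAC, CEO_MAC)
    # Segregated switch: the CEO MAC is learned in VLAN 10 only, so a frame from
    # VLAN 20 is flooded within VLAN 20 and never reaches port 1.
    seg.receive(1, CEO_MAC, BROADCAST)
    out["seg_to_ceo"] = seg.receive(2, MGR_MAC, CEO_MAC)
    out["flat_domain"] = flat.broadcast_domain(2)
    out["seg_domain"] = seg.broadcast_domain(2)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```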
2.5 IP Addressing

It's time to learn IP addressing before jumping into VLAN configuration. In real life we, as human beings, trace each other via the use of different sorts of addresses and location services. The same pattern was applied when computer networks were designed, in the form of IP addressing. An IP address is just like the home address of a computer node! As is the rule in real life, when we want to send some mail, we write a destination address on it and it is delivered by the postal service to the person concerned. The same is the case in computer networks: when one computer wants to send some data to another computer, it writes down the destination address on the data (a packet, in computer networks) and the packet is sent via the postal service (our network services) of the computer system.

2.5.1 What is an IP Address?

In simple words, an IP address is a decimal representation of the address of different network nodes which enables them to exchange data packets with each other, and hence supports many network applications. So what is the abbreviation IP? Internet Protocol, so simple!

The IP address evolution began in 1969. The original IP address was of 5 bits only! Which means, according to binary calculations, it was able to cover a network of only 32 nodes (2 to the power of 5 = 32), which was enough for the experimental requirements of that time, mostly the interconnection of different research organizations. Gradually it was increased to 32 bits, the currently used range in IPv4, which is enough for around 4 billion network nodes only! (Only? Yes, because it has become short for the ever expanding human world; that's why the techno geeks have moved toward IPv6.) Especially the advent of smart phones and smart sensor devices, which are able to connect to the internet through easily available wifi spots and 3G cellular connections, will make it possible in the near future that a tech savvy person will be carrying around 4-10 devices with him/her, each with a public IP address.

In technical terms, an IPv4 address is represented by 4 blocks, each separated by a dot (.) and each block composed of 8 bits, represented as follows:

00000000.00000000.00000000.00000000
10000000.00000000.00000000.00000000
11000000.00000000.00000000.00000000

Don't give up if you are learning this for the first time: IP addresses are not written in binary, as it would not be possible for everyone to remember the binary digits; for ease they are written as the decimal representation of their binary form.

So the IP address 192.168.100.2 and 11000000.10101000.01100100.00000010 are the same.

In simple words, each block can be written as:

11000000 = 192
10101000 = 168
01100100 = 100
00000010 = 2

Now that we have discussed IP addressing, its representation and its bit requirements, we will have a little discussion on how to convert from binary to decimal and decimal to binary.
2.5.2 IP Addresses (Binary to Decimal and Decimal to Binary Conversion)

Now we will discuss how to convert the binary representation of an IP address into the decimal one and vice versa. We will take the following sample IP address:

11000000.10101000.01100100.00000010

Each block is comprised of 0s and 1s; 0/1 in binary represent the Off/On states respectively. We will use the chart below to convert the above binary into decimal, or base 10. To convert the first octet (an octet is composed of 8 bits) into decimal:

11000000 = 1*128 + 1*64 + 0*32 + 0*16 + 0*8 + 0*4 + 0*2 + 0*1 = 128 + 64 + 0 + 0 + 0 + 0 + 0 + 0 = 192
10101000 = 1*128 + 0*64 + 1*32 + 0*16 + 1*8 + 0*4 + 0*2 + 0*1 = 128 + 0 + 32 + 0 + 8 + 0 + 0 + 0 = 168

And so on.

In the above conversion process each bit in (11000000) is multiplied by the decimal value of its bit position, from the least significant bit to the most significant bit. Please remember the chart below for efficient conversion of binary into decimal:

128 64 32 16 8 4 2 1

The 8th bit position will be multiplied by 128, the 7th bit position by 64, and so on!

Conversion from decimal to binary is a little tricky. Suppose we want to convert 15 from decimal into binary. Consider the chart below: which combination of values added together can give a sum of 15? After a little brainstorming on the chart we conclude that 8+4+2+1 sums to 15, so we will change the status of these bits to ON (1) and will turn OFF (0) all the remaining bits:

128 64 32 16 8 4 2 1
  0  0  0  0 1 1 1 1
So the resulting value of 15 in an 8 bit binary representation is 00001111! Another example to solidify the concepts:

Conversion of 130 into binary: 130 can be made by summing 128 and 2, so we will turn ON these bits and turn OFF the remaining bits:

128 64 32 16 8 4 2 1
  1  0  0  0 0 0 1 0

So 130 = 10000010 in binary. I hope now you can easily convert between binary and decimal. The interesting thing about the above chart is that it can be used for binary to decimal conversion as well. Suppose we want to convert 11100100 into decimal: simply put the bits according to their bit positions and then add up the corresponding decimal values to get the value.

128 64 32 16 8 4 2 1
  1  1  1  0 0 1 0 0

= 128 + 64 + 32 + 4 = 228

Please do the following examples yourself to clarify the concepts:
Convert 192.168.140.20 to binary.
Convert 11110011 to decimal.

After learning conversion between decimal and binary notation, we will turn our focus to private and public IP addresses and classes of IP addresses.
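As an added example (not code from the tutorial), the chart method of 2.5.2 written out in Python, working on whole dotted addresses in both directions and rejecting malformed input; function names are this example's own.

```python
"""Bit-position chart conversion between dotted-decimal and dotted-binary IPv4."""

# The chart the text asks you to memorise: decimal value of each bit position, MSB first.
CHART = (128, 64, 32, 16, 8, 4, 2, 1)


def octet_to_binary(value: int) -> str:
    """Decimal to binary: switch ON the chart values that sum to the number."""
    if not 0 <= value <= 255:
        raise ValueError(f"{value} does not fit in one octet")
    bits = []
    remaining = value
    for weight in CHART:            # try 128 first, then 64, ... down to 1
        if remaining >= weight:     # this position is ON
            bits.append("1")
            remaining -= weight
        else:                       # this position stays OFF
            bits.append("0")
    return "".join(bits)


def binary_to_octet(bits: str) -> int:
    """Binary to decimal: multiply each bit by its chart value and add up."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError(f"{bits!r} is not an 8-bit binary string")
    return sum(int(b) * w for b, w in zip(bits, CHART))


def ip_to_binary(ip: str) -> str:
    """192.168.100.2 -> 11000000.10101000.01100100.00000010"""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"{ip!r} is not a dotted-quad address")
    return ".".join(octet_to_binary(int(o)) for o in octets)


def binary_to_ip(binary: str) -> str:
    """11000000.10101000.01100100.00000010 -> 192.168.100.2"""
    blocks = binary.split(".")
    if len(blocks) != 4:
        raise ValueError(f"{binary!r} is not a dotted binary address")
    return ".".join(str(binary_to_octet(b)) for b in blocks)


def show_work(bits: str) -> str:
    """Render one octet's conversion in the same form the text writes it."""
    terms = [f"{b}*{w}" for b, w in zip(bits, CHART)]
    products = [int(b) * w for b, w in zip(bits, CHART)]
    return (f"{bits} = {' + '.join(terms)} = "
            f"{' + '.join(str(p) for p in products)} = {sum(products)}")


if __name__ == "__main__":
    print(show_work("11000000"))
    print(ip_to_binary("192.168.140.20"))   # first exercise from the text
    print(binary_to_octet("11110011"))      # second exercise from the text
```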
2.5.3 Public and Private IP Addresses

Continuing our IP addressing discussion: IP addresses can be further divided into private IP addresses and public IP addresses. To preserve IP address space, private IP addresses were introduced. Private IP addresses are used on the internal network and are never advertised to the public network. Private IP addresses are defined in the ranges mentioned below:

10.0.0.0 – 10.255.255.255          Addresses: 16,777,216
172.16.0.0 – 172.31.255.255        Addresses: 1,048,576
192.168.0.0 – 192.168.255.255      Addresses: 65,536

Private IP addresses go through a process of NATing if they want to communicate with the public Internet. Public addresses are those addresses which are advertised on the public network, inter-networks etc.

2.5.4 Classes of IP Addresses

Several classes of IP addresses have been defined for network identification and network address assignment according to design requirements. For these classes numeric ranges were defined; each range can be used for a specific number of hosts and network addresses. The IP address classes are A, B, C, D and E. Each class has its own host and network ranges. The IP address classes were developed keeping in mind the need to accommodate large companies with many host requirements and small companies with minimum host requirements!

The ranges normally used in public networks are Class A, B and C. Class D and Class E are used for special purposes:
  • Class D: this range of IP addresses is used for multicast addressing requirements.
  • Class E: this range is reserved for research and scientific purposes.

Before moving forward in this class discussion, let us discuss one more important aspect of IP addressing. IP addressing is a hierarchical design. The telephone number system is the best example of a hierarchical design model: a telephone number is composed of a country code, an area code, and a local exchange code. The same is true for an IP address. An IP address is made of two parts: one part is called the network portion and the second part is called the host portion. The network portion of the IP address is used to keep track of the domain to which a specific host belongs, and the host portion of the IP address is used to trace the machine or computer node.
Below we will discuss Class A, B and C in more detail.

2.5.4.1 Class A IP Addresses

The first octet of a Class A address is the network portion, and its most significant bit is always off. All other three octets denote the host portion. Simply we can say:

N.H.H.H
0xxxxxxx.H.H.H

If we want to calculate the range of Class A IP addresses, we can proceed as:

00000000.H.H.H (0.H.H.H)
01111111.H.H.H (127.H.H.H)

If the first portion of an IP address is in the range (0-127), then that IP address belongs to Class A! But as you know the 127.0.0.1 range is reserved for the loopback interface and we can't use it for Class A, and we also cannot use an IP address starting with 0, so the revised range would be (1-126)! A few examples of Class A IP addresses are:

10.0.0.1
100.2.3.1
110.130.13.4
123.4.1.110

2.5.4.2 Class B IP Addresses

The first two octets of a Class B IP address are the network portion, and the other two octets are the host portion; in dotted representation it can be given as:

N.N.H.H

The most significant two bits in the first octet are kept 10:

10xxxxxx.xxxxxxxx.H.H

So the range of the Class B IP address space can be calculated from its first octet as follows:

10000000 to 10111111 (128 – 191)

Some examples of Class B IP addresses are:

130.50.3.3
170.16.3.1
172.31.3.3
2.5.4.3 Class C IP Addresses

The first three 8 bit portions of a Class C IP address are the network portion, and the last one denotes the host portion. It can be simplified as:

N.N.N.H

The three most significant bits are kept 110 regardless of how the other bit positions change. So the range for the Class C IP address space can be calculated as:

110xxxxx.xxxxxxxx.xxxxxxxx.H
11000000 – 11011111
192 – 223

Some examples of Class C IP addresses are:

192.168.100.3
220.221.120.135
210.49.66.110

All of the above discussion regarding IP address classes can be summed up in the table below:

IP Address Class     1st Octet Range   Usable Network and Host IDs
Class A (N.H.H.H)    1-126             Networks: 2^8-2 and Hosts: 2^24-2
Class B (N.N.H.H)    128-191           Networks: 2^16-2 and Hosts: 2^16-2
Class C (N.N.N.H)    192-223           Networks: 2^24-2 and Hosts: 2^8-2

Two more ranges for your technical mind:

D: Multicast range: 224 – 239 (Example: 224.0.0.9)
E: IP address range for R&D: 240 – 255 (Example: 241.0.0.9)
2.5.5 Subnetting

One of the most important topics in computer networks and the Cisco realm is subnetting. The main motivation behind subnetting was the best utilization of the scarce resource of available IP addresses. In simple words, subnetting is the process of taking a single network address and creating further, smaller network IDs from it, called subnets (sub networks). In the process of subnetting, bits are borrowed from the host portion of an IP address; the borrowed bits are added to the subnet mask of that IP address. We will further clarify the subnetting process via different examples. The main goal behind subnetting a given network address is to create our required number of smaller network IDs and to achieve our desired number of hosts per subnet ID.

2.5.5.1 What is a Subnet Mask?

We will end this discussion with the subnet mask. A subnet mask is used by routers and end machines to check to which network a host belongs. The network ID of an IP address is calculated by logically ANDing the subnet mask with the IP address. Each class has its own subnet mask:

Class A subnet mask is 255.0.0.0, also denoted by /8.       In binary: 11111111.00000000.00000000.00000000
Class B subnet mask is 255.255.0.0, also denoted by /16.    In binary: 11111111.11111111.00000000.00000000
Class C subnet mask is 255.255.255.0, also denoted by /24.  In binary: 11111111.11111111.11111111.00000000
2.5.5.2 Subnetting a Class C IP Address

We learned what a subnet mask is and what subnetting is. Now we will learn how to subnet. The basic subnetting process starts from the questions below:
  • How many subnets are required?
  • How many hosts per subnet are required?
  • Compute the effective subnets.
  • Compute the valid host IP addresses.

To keep the subnetting process simple we will stick to these questions for the time being, and will add things as needed.

The anatomy of a typical Class C address is:

N.N.N.H with subnet mask 255.255.255.0 or /24

Suppose we have the IP address 192.168.10.0 /24 and our network design requirement is 8 subnets!

For 8 subnets, how many bits can we take from the host portion (last octet) of the given IP address? For this, just do a mental calculation using the formula below:

2^y = 8; two to which power gives us 8? Simply 2^3 = 8, great! For getting 8 subnets, 3 bits can be borrowed from the host portion of the given IP address (192.168.10.0); the borrowed bits are moved into the given subnet mask:

11111111.11111111.11111111.11100000   (3 bits borrowed)

The new subnet mask is 255.255.255.224, in CIDR notation /27!

Now the mystery of hosts per subnet! As we have borrowed three bits from the last octet, the host portion, how many bits are remaining? 5! Yes, you are right, 5 bits are remaining. So the number of usable hosts per subnet will be given as:

2^5-2 = 32 – 2 = 30

From the above two steps, we have achieved two tasks: we will have 8 subnets and there will be 30 usable host addresses per subnet!
Okay, now the tricky part: what are the valid subnet blocks? Please keep this formula in mind:

Subnet block size = 256 - subnet mask modified octet

As our new subnet mask is 255.255.255.224, the modified octet is the last one (224), so:

Subnet block size = 256 - 224 = 32

So our subnet blocks start at 0, 32, 64 and go on in increments of 32. Our 8 new subnets are:
192.168.10.0
192.168.10.32
192.168.10.64
192.168.10.96
192.168.10.128
192.168.10.160
192.168.10.192
192.168.10.224

All the valid hosts and IP ranges given by each subnet are summarized in the table below:

IP Address      Network Address  1st Host Address  Last Host Address  Broadcast Address
192.168.10.0    192.168.10.0     192.168.10.1      192.168.10.30      192.168.10.31
192.168.10.32   192.168.10.32    192.168.10.33     192.168.10.62      192.168.10.63
192.168.10.64   192.168.10.64    192.168.10.65     192.168.10.94      192.168.10.95
192.168.10.96   192.168.10.96    192.168.10.97     192.168.10.126     192.168.10.127
192.168.10.128  192.168.10.128   192.168.10.129    192.168.10.158     192.168.10.159
192.168.10.160  192.168.10.160   192.168.10.161    192.168.10.190     192.168.10.191
192.168.10.192  192.168.10.192   192.168.10.193    192.168.10.222     192.168.10.223
192.168.10.224  192.168.10.224   192.168.10.225    192.168.10.254     192.168.10.255

The usable host portion of each subnet is the range from the 1st host address to the last host address. And we are done with subnetting for Class C! Was it simple? No, you will need some practice to get full command of it. Now we can use the above IP plan in our network design: a single network has been converted into 8 usable sub networks, each with a capacity of 30 hosts. Isn't it amazing?
2.5.5.3 Subnetting a Class B Address

We will use the method explained previously to subnet a Class B address and a Class A address. The network design requirements are the same as above (i.e. 8 sub networks required):

Given Class B address: 172.16.0.0
Default Class B mask: 255.255.0.0

How many host bits are needed? 3! Yes, absolutely right. Okay, now we are going to embed these 3 bits in the Class B mask:

11111111.11111111.00000000.00000000  ->  11111111.11111111.11100000.00000000

The modified subnet mask is 255.255.224.0, or /19.

So what's next? Yeah, you got it:

Subnet block size = 256 - subnet mask modified octet
Subnet block size = 256 - 224 = 32

As we have taken bits from the 3rd octet, our new subnets are:
172.16.0.0 - 172.16.32.0 - 172.16.64.0 - 172.16.96.0 - 172.16.128.0 - ... - 172.16.224.0

IP Address    Network Address  1st Host Address  Last Host Address  Broadcast Address
172.16.0.0    172.16.0.0       172.16.0.1        172.16.31.254      172.16.31.255
172.16.32.0   172.16.32.0      172.16.32.1       172.16.63.254      172.16.63.255
172.16.64.0   172.16.64.0      172.16.64.1       172.16.95.254      172.16.95.255
172.16.96.0   172.16.96.0      172.16.96.1       172.16.127.254     172.16.127.255
172.16.128.0  172.16.128.0     172.16.128.1      172.16.159.254     172.16.159.255
172.16.160.0  172.16.160.0     172.16.160.1      172.16.191.254     172.16.191.255
172.16.192.0  172.16.192.0     172.16.192.1      172.16.223.254     172.16.223.255
172.16.224.0  172.16.224.0     172.16.224.1      172.16.255.254     172.16.255.255
As only 3 bits were borrowed, 13 host bits remain and the number of usable hosts per subnet is:

Usable hosts per subnet = 2^13 - 2 = 8190 (8190 hosts/subnet)

2.5.5.4 Subnetting a Class A Address

If you have mastered Class B and Class C subnetting then Class A is not that hard! The network design requirements are the same as above (i.e. 8 sub networks required) and we have the Class A IP address 10.0.0.0:

Given Class A address: 10.0.0.0
Default Class A mask: 255.0.0.0

How many host bits are needed? 3! Yeah, that's right. Okay, now we are going to embed these 3 bits in the Class A mask:

11111111.00000000.00000000.00000000  ->  11111111.11100000.00000000.00000000

The modified Class A mask is 255.224.0.0, or /11. Pretty easy!

As we have modified the second octet of the Class A subnet mask, that is the octet subtracted from 256:

Subnet block size = 256 - subnet mask modified octet
Subnet block size = 256 - 224 = 32

So our new subnets are: 10.0.0.0 - 10.32.0.0 - 10.64.0.0 - and so on.

The 8 subnets are best seen in tabular form:

IP Address  Network Address  1st Host Address  Last Host Address  Broadcast Address
10.0.0.0    10.0.0.0         10.0.0.1          10.31.255.254      10.31.255.255
10.32.0.0   10.32.0.0        10.32.0.1         10.63.255.254      10.63.255.255
10.64.0.0   10.64.0.0        10.64.0.1         10.95.255.254      10.95.255.255
10.96.0.0   10.96.0.0        10.96.0.1         10.127.255.254     10.127.255.255
10.128.0.0  10.128.0.0       10.128.0.1        10.159.255.254     10.159.255.255
10.160.0.0  10.160.0.0       10.160.0.1        10.191.255.254     10.191.255.255
10.192.0.0  10.192.0.0       10.192.0.1        10.223.255.254     10.223.255.255
10.224.0.0  10.224.0.0       10.224.0.1        10.255.255.254     10.255.255.255
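To check the three tables above (and the /28 plan used for the VLANs in section 2.6) mechanically, here is an added Python example; it is not part of the original tutorial and the function names are my own. It applies the same method for any classful network and any required number of subnets: borrow bits, find the modified octet and block size, and list the network, first host, last host and broadcast address of every subnet; network_id() is the logical AND from section 2.5.5.1.

```python
import ipaddress


def network_id(ip, mask):
    """Logical AND of an address with its subnet mask (section 2.5.5.1)."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))))


def subnet_plan(network, subnets_required):
    """Apply the tutorial's subnetting method to a network given in CIDR form.

    Returns a dict with the borrowed bits, new prefix and mask, block size
    (256 - modified octet), usable hosts per subnet, and one row per subnet:
    (network, first host, last host, broadcast) as dotted strings.
    """
    net = ipaddress.ip_network(network, strict=True)
    # smallest y with 2^y >= subnets_required (exactly y for powers of two)
    borrowed = (subnets_required - 1).bit_length()
    new_prefix = net.prefixlen + borrowed
    if new_prefix > 30:
        raise ValueError("not enough host bits left for two usable hosts")
    mask = ipaddress.ip_network(f"0.0.0.0/{new_prefix}").netmask
    # the modified octet is the one that holds the last borrowed bit
    octets = [int(o) for o in str(mask).split(".")]
    modified_octet = octets[(new_prefix - 1) // 8]
    block_size = 256 - modified_octet
    host_bits = 32 - new_prefix
    rows = []
    for sub in net.subnets(new_prefix=new_prefix):
        rows.append((
            str(sub.network_address),
            str(sub.network_address + 1),
            str(sub.broadcast_address - 1),
            str(sub.broadcast_address),
        ))
    return {
        "borrowed_bits": borrowed,
        "prefix": new_prefix,
        "mask": str(mask),
        "block_size": block_size,
        "usable_hosts": 2 ** host_bits - 2,
        "rows": rows,
    }


def print_plan(network, subnets_required):
    """Print the plan in the same table layout the tutorial uses."""
    plan = subnet_plan(network, subnets_required)
    print(f"{network}: /{plan['prefix']} mask {plan['mask']}, block size "
          f"{plan['block_size']}, {plan['usable_hosts']} usable hosts per subnet")
    print("{:<16} {:<16} {:<16} {:<16}".format("Network", "1st Host", "Last Host", "Broadcast"))
    for row in plan["rows"]:
        print("{:<16} {:<16} {:<16} {:<16}".format(*row))


if __name__ == "__main__":
    print_plan("192.168.10.0/24", 8)  # Class C example from 2.5.5.2
    print_plan("172.16.0.0/16", 8)    # Class B example from 2.5.5.3
    print_plan("10.0.0.0/8", 8)       # Class A example from 2.5.5.4
    print_plan("192.168.1.0/24", 16)  # the /28 plan used for the VLANs in 2.6
    print(network_id("192.168.10.77", "255.255.255.224"))  # -> 192.168.10.64
```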
Believe me, just by looking at the examples above you may be frightened by subnetting, but if you actually begin practicing you will realize how easy subnetting is. So don't give up; reread the above examples, and you will find plenty of subnetting problems online. Remember, only practice and more practice is the key to success in subnetting.

One very useful tool while practicing subnetting is the SolarWinds Advanced Subnet Calculator. You can download it and verify your subnetting with it. For example, you can check the Class A subnetting above against the SolarWinds Subnet Calculator output (screenshot not reproduced here). This subnetting tool is awesome and you will love it!
2.6 Configuring VLANs on a Cisco Switch

We carried the following problem over from our last network diagram: all wireless clients are in the same broadcast domain and are able to communicate with each other. The solution is to create multiple broadcast domains on a single switch using VLANs. Below is the procedure to configure VLANs on a Cisco switch:

Switch#config terminal                        (takes you into configuration mode)
Switch(config)#interface fastEthernet0/1      (enables configuration of interface Fa0/1)
Switch(config-if)#switchport access vlan 2    (makes Fa0/1 part of VLAN 2)
Switch(config-if)#exit                        (goes back to configuration mode)
Switch(config)#vlan 2                         (enters configuration of VLAN 2)
Switch(config-vlan)#name c-level-ap           (assigns a name to the VLAN)

Repeat the same process to create VLAN 3 with the name Managers-AP and put interface FastEthernet 0/2 in this VLAN. FastEthernet 0/1 is the interface to which the C level wireless router is connected and FastEthernet 0/2 is the interface to which the Managers' wireless router is connected.

Now traffic from the C level router and the Managers' router is segregated at the switch level and they cannot access each other's devices.

Now our task is to subnet our network into smaller portions, where each subnet must be able to accommodate at least 14 hosts, so that we can assign one subnet to each VLAN. Subnetting lets you create numerous logical networks within a specific Class A, B or C network. If you do not subnet, you are only able to use just one network from your Class A, B or C network, which is not realistic. To subnet a network, extend the original mask using a portion of the bits from the host ID portion of the address to build a sub network ID. To illustrate, given the Class C network 192.168.1.0 with the original mask of 255.255.255.0, you can create subnets in this manner:
IP Address   192.168.1.0       11000000 10101000 00000001 00000000
Subnet Mask  255.255.255.240   11111111 11111111 11111111 11110000

By borrowing 4 bits from the host portion in the last octet you are able to create 16 subnets (2^4) with 14 hosts each (2^4 - 2).

Below is a useful link to calculate variable length subnet masks for a variety of network scenarios:
http://www.vlsm-calc.net/

The following table lists the subnet of each VLAN in our scenario:

VLAN Number  Network ID / Subnet Mask        Broadcast IP Address  Available Host IP Address Range
VLAN2        192.168.1.32/255.255.255.240    192.168.1.47          192.168.1.33 - 192.168.1.46
VLAN3        192.168.1.48/255.255.255.240    192.168.1.63          192.168.1.49 - 192.168.1.62
VLAN4        192.168.1.64/255.255.255.240    192.168.1.79          192.168.1.65 - 192.168.1.78
VLAN5        192.168.1.80/255.255.255.240    192.168.1.95          192.168.1.81 - 192.168.1.94

Now it's time to configure the different subnets for the different VLANs on the Cisco 3560 switch. Go into configuration mode on your Cisco 3560 switch and give the following commands:

interface vlan 2
ip add 192.168.1.33 255.255.255.240
interface vlan 3
ip add 192.168.1.49 255.255.255.240
interface vlan 4
ip add 192.168.1.65 255.255.255.240
interface vlan 5
ip add 192.168.1.82 255.255.255.240

These commands assign an IP address to each VLAN interface in its respective subnet.
2.7 Configuring Trunk Ports on Cisco Switches

In our last two lectures, we put our wireless clients in different VLANs and configured wireless MAC address filtering on the Cisco WRT 300 N. Our next challenge is to bring our departmental desktops onto the LAN too. To achieve this we want to get rid of the individual DHCP servers running in each subnet. Before we do that we need to configure a trunk port that carries the traffic of all VLANs to the Cisco 3560, on which we will configure our DHCP server. We also configured access switch ports when configuring VLANs on the Cisco 2950 switches, but did not explain the difference between a trunk port and an access port. First we will understand the difference between a trunk port and an access port, then we will configure trunk ports on the Cisco switches and router.

2.7.1 Access Port

An access port belongs to a single VLAN and carries the traffic of that single VLAN. Access ports are usually configured for end devices in a network.

2.7.2 Trunk Port

A trunk port can carry traffic from two or more VLANs over a single link. Trunk ports are usually configured on uplinks between access and distribution switches and routers. The major reason for using trunk ports is that interfaces on Cisco distribution switches and Cisco routers come with a price tag: you don't want an interface for each VLAN. Instead a single link carrying traffic from all VLANs serves our purpose. ISL and 802.1Q are the trunking protocols used for defining trunk ports. Both ends of a trunk must have the same trunking protocol configured. ISL is a Cisco proprietary protocol while 802.1Q is an IEEE standard. ISL and 802.1Q differ in how they add a header to the Ethernet frame before sending it over a trunk. Cisco switches make use of the Dynamic Trunking Protocol (DTP) to dynamically learn whether the device on the other end of the cable wants to perform trunking and, if so, which trunking protocol to use.
If we set the DTP mode to desirable, the switches automatically negotiate the trunking parameters and form a trunk.

2.7.3 Trunk Configuration commands on Cisco Switches and Routers

Connect your Cisco 2950 access switches to the Cisco 3560 distribution switch using straight UTP cables on the gigabit interfaces of the Cisco 3560 switch. Go into configuration mode on the Cisco 3560 switch and enter the following commands:

Switch(config)#inter gigabitEthernet 0/1
Switch(config-if)#switchport mode dynamic desirable

Repeat the process on the other interfaces of the Cisco 3560 switch. Similarly repeat the commands on the interfaces of the departmental and wifi access switches that are connected to the distribution switch through the uplink.

You can check the status of your trunks with the following command:

Switch#show interfaces trunk
2.8 Configuring DHCP on a Cisco 3560 Switch

After configuring the trunk ports linking the Cisco 2950 access switches to the Cisco 3560 distribution switch, we are all set to configure a single DHCP server for the whole network on the Cisco 3560 switch. Before that, do the following steps:
• Disable the DHCP servers on the wireless routers.
• Connect all the desktops and printers in the operations department to the operations access switch through straight UTP cables.
• Connect all the desktops and printers in the finance department to the finance access switch through straight UTP cables.
• Create VLAN 4 on the operations switch, name it operations-vlan, and make all the ports connecting the devices part of VLAN 4.
• Create VLAN 5 on the finance switch, name it finance-vlan, and make all the ports connecting the devices part of VLAN 5.
• Remove the static IP addresses of the printers and set them to obtain an IP from DHCP.
• Set all desktops to get an IP from the DHCP server.

We must first understand what DHCP and a DHCP scope are.

2.8.1 What is Dynamic Host Configuration Protocol (DHCP)?

Dynamic Host Configuration Protocol (DHCP) is a client/server protocol that automatically supplies an Internet Protocol (IP) host with its IP address as well as associated configuration information such as the subnet mask and default gateway. RFCs 2131 and 2132 define DHCP as an Internet Engineering Task Force (IETF) standard based on the Bootstrap Protocol (BOOTP), a protocol with which DHCP shares numerous operating features. DHCP lets network devices obtain the required TCP/IP configuration data from a DHCP server.

2.8.2 What is the DHCP Scope?

A Dynamic Host Configuration Protocol (DHCP) scope is the contiguous range of possible IP addresses that the DHCP server is able to lease to network devices on a subnet. Scopes generally specify a single physical subnet on your network to which DHCP services are available. Scopes are the primary way for the DHCP server to control the distribution and assignment of IP addresses and any linked configuration parameters to DHCP clients on the network.
2.8.3 DHCP Configuration commands

We studied the DHCP scope in the previous section; now we need to define a separate scope for each VLAN on the Cisco 3560 switch. The following commands serve the purpose:

ip dhcp pool vlan"#"
network "Network Address" "Subnet Mask"

where # is the VLAN number (for example VLAN2), Network Address is the network IP address (for example 192.168.1.32), and Subnet Mask is 255.255.255.240 for all VLANs in our case.

For instance, with those values the commands above configure a DHCP scope for the clients present in VLAN 2, such that there will be a maximum of 14 hosts allowed in the VLAN; the start IP address of the hosts will be 192.168.1.33 and the end IP address will be 192.168.1.46. Repeat the process for all VLANs and remember to remove the static IP addresses from the printers and let them get an IP assigned by DHCP.

Now devices in different VLANs cannot communicate with each other, but we have to let the CEO and CFO communicate with the rest of the company. We will achieve this by learning inter-VLAN routing and access control lists (ACLs).
2.9 Configuring InterVLAN Routing on a Cisco 3560 Switch

In our former scenario, VLANs segregated hosts into different broadcast domains and Layer 3 subnets. Now hosts in VLAN 2 cannot communicate with hosts in VLAN 3 unless we configure inter-VLAN routing. Layer 2-only switches require a Layer 3 router; the router may be a separate device in the network or a module of a Layer 3 switch. Layer 3 switches like the Cisco 3560 incorporate routing capability within the switch. The Cisco 3560 switch receives a packet, decides that the packet needs to be sent to another VLAN, and routes the packet to the correct port in the other VLAN. A good network topology segments the network based on departments or functions. For instance, the Finance VLAN only has hosts that belong to the Finance Department, and the Operations VLAN only has hosts that are in the Operations Department. If you configure inter-VLAN routing on a Cisco 3560 switch, the hosts in VLANs 2, 3, 4 and 5 will be able to communicate with each other without being in the same broadcast domain or subnet. Such a topology allows the network administrator to restrict communication between VLANs with the use of access lists. In the next topic we will learn how to use access control lists to restrict communication between different VLANs.

Now that we have understood the theory behind inter-VLAN routing, it's time to configure it on the Cisco 3560 distribution switch. We need to configure inter-VLAN routing for the following user-defined VLANs:
• VLAN 2 - Traffic coming from the C Level access point
• VLAN 3 - Traffic coming from the Managers' access point
• VLAN 4 - Operations VLAN
• VLAN 5 - Finance VLAN

We must enable IP routing globally so that the Cisco 3560 switch can act as a Layer 3 device and provide inter-VLAN routing.
Go into configuration mode on the Cisco 3560 switch and give the following command:

Switch(config)# ip routing        // Enables IP routing on the Cisco 3560 switch

The default gateway setting on every machine needs to be the IP address of the matching VLAN interface on the Cisco 3560 switch. For example, for Finance department machines the default gateway is 192.168.1.82, which is the IP address we created for the VLAN 5 interface on the Cisco 3560 switch. The access layer switches, the Catalyst 2950s, are already trunked to the Catalyst 3560 switch.

Now hosts in all VLANs will be able to communicate with each other, but this communication is not allowed according to our information security criteria, which state that machines in the Operations and Finance VLANs should not be able to access C level machines, while the CEO and CFO should be able to access machines in the rest of the departments. We will achieve this goal by understanding and implementing access control lists in the next topic.
2.10 Access Control List (ACL)

Now our task is to create ACLs at the Cisco 3560 distribution switch so that no employee can reach the computers and printers of the managers, CEO or CFO, while the CEO can reach all servers, printers and computers. So we are going to block the IP addresses of the Finance and Operations departments from accessing the wireless network (192.168.1.0) and only allow the CFO's and CEO's network (192.168.1.33 - 192.168.1.46) to use the rest of the network. For this we will use named extended access control lists. Before configuration we need to know the basic concept behind the access control list.

2.10.1 What is an ACL?

An access control list (ACL) is an ordered list of rules that block or allow particular traffic in a network. Entries are evaluated in order from the top down, and the first matching entry decides. In the Cisco environment there are three basic types of access lists.

2.10.2 Standard access list

A standard access list identifies network traffic using only the source IP address in the packet. We can create a standard access list using an access-list number from 1-99 or 1300-1999.

Syntax:
access-list [acl number] [permit/deny] [network-address/host/any] [wildcard mask] [log]

Here the permit and deny keywords allow or discard traffic matching the rule. The host keyword matches a single host and the any keyword matches any host in the network. The wildcard mask is used to identify a particular host or a range of addresses. The log keyword enables logging of matches.

2.10.3 Extended access list

An extended access list is more powerful than a standard access list. It identifies network traffic using source and destination IP addresses, protocol, and the port numbers of upper-layer applications.

Syntax:
access-list [acl number] [permit/deny] [protocol-type] [source-network-address/host/any] [wildcard mask] [destination-network-address/host/any] [wildcard mask] [log]

Here the protocol-type field identifies the layer 3 or layer 4 protocol.

2.10.4 Named access list

A named access list is another way of creating a standard or extended access list that is easier to understand.
With numbered standard and extended access lists we cannot easily change individual entries, but a named access list can be edited easily.
Syntax:
ip access-list [standard/extended] [name of acl] [permit/deny] [protocol-type] [source-network-address/host/any] [wildcard mask] [destination-network-address/host/any] [wildcard mask] [log]

After creating the access list we have to apply it to an interface. ACLs are applied inbound or outbound on an interface according to the direction of the network traffic flow.

Syntax:
ip access-group [acl-number/acl-name] in|out

To see the configuration of the access lists, type show access-list in privileged mode.

2.10.5 Access Control List configuration commands on a Cisco 3560 switch

First we enter configuration mode on the Cisco 3560 switch, then create two named extended ACLs: one for the Finance and Operations departments and another for the CFO and CEO.

ACL 1:
Switch(config)#ip access-list extended FIN&OP
Switch(config-ext-nacl)#deny ip any 192.168.1.0 0.0.0.255
Switch(config-ext-nacl)#permit ip any any

ACL 2:
Switch(config)#ip access-list extended CLEVEL
Switch(config-ext-nacl)#permit ip 192.168.1.32 0.0.0.15 any

Now we apply ACL 1 outbound and ACL 2 inbound on the VLAN interfaces, using the following commands:

Switch(config)# interface vlan 2
Switch(config-if)#ip access-group FIN&OP OUT
Switch(config-if)#ip access-group CLEVEL IN

Here you go; you can implement the rest of the information security policies by defining more access control lists.
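The matching rules described above can be checked before the lists go onto a switch. The following added Python example (not from the tutorial; the helper names are my own) parses the page's two named extended ACLs from their IOS syntax, implements wildcard-mask matching (a 0 bit in the wildcard means that address bit must match the entry), evaluates constructed packets from the top down with the implicit deny at the end, and reports which entry matched.

```python
import ipaddress


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _parse_addr(tokens, i):
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D wildcard."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_to_int(tokens[i + 1]), 0), i + 2
    return (_to_int(tokens[i]), _to_int(tokens[i + 1])), i + 2


def parse_ace(line):
    """Parse one extended ACL entry such as 'deny ip any 192.168.1.0 0.0.0.255'."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action: {action}")
    src, i = _parse_addr(tokens, 2)
    dst, _ = _parse_addr(tokens, i)
    return {"action": action, "proto": proto, "src": src, "dst": dst}


def wildcard_match(addr, spec):
    """True if addr matches (base, wildcard): bits that are 0 in the wildcard must equal base."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (_to_int(addr) ^ base) & care == 0


def evaluate(acl, proto, src, dst):
    """Walk the ACL top to bottom and return (action, entry number).

    A packet matching no entry hits the implicit deny and returns ('deny', None).
    The 'ip' protocol keyword matches every protocol.
    """
    for n, ace in enumerate(acl, start=1):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if wildcard_match(src, ace["src"]) and wildcard_match(dst, ace["dst"]):
            return ace["action"], n
    return "deny", None


# The two ACLs from section 2.10.5, in the order they are entered on the switch.
FIN_OP = [parse_ace("deny ip any 192.168.1.0 0.0.0.255"),
          parse_ace("permit ip any any")]
CLEVEL = [parse_ace("permit ip 192.168.1.32 0.0.0.15 any")]

if __name__ == "__main__":
    # Constructed packets: (description, protocol, source, destination).
    # 203.0.113.10 is a documentation address standing in for an Internet host.
    packets = [
        ("finance host -> CEO", "tcp", "192.168.1.82", "192.168.1.33"),
        ("finance host -> Internet", "tcp", "192.168.1.82", "203.0.113.10"),
        ("CEO -> finance host", "tcp", "192.168.1.33", "192.168.1.82"),
        ("managers' AP host -> finance", "tcp", "192.168.1.50", "192.168.1.82"),
    ]
    for desc, proto, src, dst in packets:
        print(f"{desc:30} FIN&OP: {evaluate(FIN_OP, proto, src, dst)}  "
              f"CLEVEL: {evaluate(CLEVEL, proto, src, dst)}")
```

A check worth running is the return path: a reply from a finance host to the CEO (192.168.1.82 to 192.168.1.33) also matches the deny entry of FIN&OP, so evaluate the flows in both directions before applying the lists to a production switch.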