Chapter 12: Advanced Networking Devices

Objectives
- Discuss client/server and peer-to-peer topologies
- Define capabilities and management of managed switches
- Describe the features and functions of VPNs
- Configure and deploy VLANs
- Implement advanced switch features

Introduction
- Simple devices each work at one OSI layer
  - Hubs: Layer 1
  - Switches: Layer 2
  - Routers: Layer 3
- Protocols function at upper layers
- High-level view of network components
  - Servers, clients, peer-to-peer networks, and connections
Client/Server and Peer-to-Peer Topologies
Historical/Conceptual: Client/Server

Client/Server Topology
- Dedicated servers
- Clients never functioned as servers
- Earliest networks used this model
- Example: Novell NetWare servers
Figure 12.1 A simple client/server network
Figure 12.2 Novell NetWare in action
Note (p. 328): Novell NetWare as marketed today is a form of SUSE Linux. It is no longer a unique server-only operating system.

Peer-to-Peer
- Microsoft's early Windows versions
- Any system acts as a server, a client, or both, depending on the configuration
- Windows 9x is a common example
- Lack of security was a problem: there were no user accounts
- Permissions: Read Only or Full Control
- Easy to share but hard to control access
Exam Tip (p. 329): The "old school" client/server model means dedicated servers with strong security. Clients see only the server. In the peer-to-peer model, any system is a client, server, or both, but at the cost of lower security and additional demands on the system resources of each peer.
Figure 12.3 Sharing options in Windows 98
Test Specific: Client/Server and Peer-to-Peer Today

Client/Server and Peer-to-Peer Today
- Every modern operating system has abandoned the classic client/server or peer-to-peer label
- Windows, Linux, and OS X:
  - Are capable of acting as a server or a client
  - Provide robust security through user accounts, permissions, and other measures

Client/Server and Peer-to-Peer Today (cont'd.)
- Client/server and peer-to-peer now refer to applications
  - Examples: Outlook (a dedicated client) and Exchange (a dedicated server)
- Peer-to-peer (P2P) applications act as both client and server
  - Examples: BitTorrent (an entire protocol), LimeWire, and DC++
Note (p. 330): I'm using the term "server" here to mean that you can share files and folders with other computers over a network, a server function. Don't confuse client versions of common operating systems, such as Windows 8.1, with specific server versions, such as Windows Server 2012 R2.
Figure 12.4 Transmission downloading
Virtual Private Networks (VPNs)
VPN over the Internet
- Alternative to expensive remote connections
- Connection using an encrypted tunnel
- Data is encrypted and decrypted at the endpoints
- Connecting computers must all have the same network ID

VPN Protocols
- The VPN client program uses one of many tunneling protocols
- The remote client connects to the local LAN
  - Queries the local DHCP server for an IP address
  - Client is on the same network ID as the local LAN
- The remote computer has two IP addresses
  - Internet connection's IP address
  - VPN client tunnel endpoint IP address
Figure 12.5 VPN connecting computers across the United States
Figure 12.6 Typical tunnel
Figure 12.7 Endpoints must have their own IP addresses
PPTP VPNs
- Point-to-Point Tunneling Protocol (PPTP): an advanced version of PPP
- Endpoints are on the client and the server: Routing and Remote Access Service (RRAS)
- Client side uses a virtual NIC that acquires a DHCP address
- When the client connects to the RRAS, PPTP creates a secure tunnel over the Internet
Exam Tip (p. 333): A system connected to a VPN looks as though it's on the local network, but performs much slower than if the system was connected directly back at the office because it's not local at all.

Host-to-Site Connection
- Single computer logs into a remote network
- Becomes a member of that network
Figure 12.8 RRAS in action
Figure 12.9 VPN connection in Windows
Figure 12.10 VPN on a Macintosh OS X system
Layer 2 Tunneling Protocol (L2TP) VPNs
- Developed by Cisco
- Included all the good features of PPTP
- Added support to run on most connections
- Moved the endpoint onto the local LAN
  - A VPN concentrator can be an endpoint
- Can connect two remote LANs using two VPN concentrators
  - Called a site-to-site VPN connection
Exam Tip (p. 333): Cisco made hardware that supported PPP traffic using a proprietary protocol called Layer 2 Forwarding (L2F). L2F did not come with encryption capabilities, so it was replaced by L2TP a long time ago. You'll sometimes see the term on the CompTIA Network+ exam as an incorrect answer.
Exam Tip (p. 334): Aside from host-to-site and site-to-site VPNs, you'll sometimes see host-to-host connections discussed. A host-to-host VPN deals with a specific single connection between two machines using VPN software or hardware.
Figure 12.11 Cisco 2811 Integrated Services Router
L2TP VPNs (cont'd.)
- L2TP has no authentication or encryption
- Uses IPsec for security
  - Technically should be called an "L2TP/IPsec" VPN
- Works well with a single client connecting to a LAN
- VPN clients in all operating systems support L2TP/IPsec
Note (p. 334): The years have seen plenty of crossover between Microsoft and Cisco. Microsoft RRAS supports L2TP, and Cisco routers support PPTP.

SSL VPNs
- VPNs using Secure Sockets Layer (SSL)
- No special client software is required
- Clients connect using a Web browser
- Traffic is secured using SSL
- Most common types
  - SSL portal VPNs
  - SSL tunnel VPNs
Note (p. 334): Many VPN connections use the terms client and server to denote the functions of the devices that make the connection. You'll also see the terms host and gateway to refer to the connections, such as a host-to-gateway tunnel.

SSL Portal VPNs
- Client accesses the VPN and is presented with a secure Web page
- Able to access anything on that page
  - Examples: e-mail, data, and links to other pages
Tech Tip: Alternatives to PPTP, L2TP, and SSL (p. 334) There are other VPN options to PPTP, L2TP, and SSL, and some of them are quite popular. First is OpenVPN, which, like the rest of what I call "OpenXXX" applications, uses Secure Shell (SSH) for the VPN tunnel. Second is IPsec. The tech world is now seeing some pure (no L2TP) IPsec solutions that use IPsec tunneling for VPNs, such as Cisco Easy VPN. Another alternative is the Generic Routing Encapsulation (GRE) protocol. You can use GRE to make a point-to-point tunnel connection, like with VPN, that carries all sorts of traffic over Layer 3, including multicast and IPv6 traffic.

SSL Tunnel VPNs
- The client browser runs an active control, e.g., Java or Flash
- Enables much greater access to the VPN-connected network
- Creates a more typical host-to-site connection than SSL portal VPNs
- The user must have sufficient permissions to run the active browser controls
With tunnel VPNs, in contrast, the client Web browser runs some kind of active control, such as Java or Flash, and gains much greater access to the VPN-connected network. SSL tunnel VPNs create a more typical client-to-site connection than SSL portal VPNs, but the user must have sufficient permissions to run the active browser controls.
Switch Management
Switch Management
- Methods of connecting to managed switches
  - Plug directly into a serial interface and use a virtual terminal program (e.g., PuTTY) to connect to a command-line interface
  - Get the switch on the network and use a virtual terminal program to connect to a command-line interface
  - Get the switch on the network and use the switch's built-in Web interface
Note (p. 335): A managed switch enables you to configure every port on the switch in a lot of different ways, depending on the purpose and complexity of the switch. For example, it's easy to set the speed and duplexing of a port to match the client.

Switch Management (cont'd.)
- A console port is a special serial port on many managed switches
- A managed switch has the same configuration issues as a new router
  - Basic configuration
  - Update the firmware
  - Configure a client or client software to connect to the managed switch
Exam Tip (p. 335): You configure a default gateway on a switch by telling the switch the IP address of the gateway router. For most implementations, plug in the IP of your Internet connection box, such as DSL or cable modem.
Figure 12.12 Plugging into a managed switch’s console port using a serial cable
In-Band and Out-of-Band Management
- In-band management: configure a switch over the network
- Out-of-band management
  - Dedicate one port on every managed device
  - Configure the interface by directly connecting to that management port
  - Plug all dedicated ports into a switch separated from the rest of the network (to prevent unauthorized access)
Virtual LANs
Serious Networks Are Complex
- Remote incoming connections
- Public Web or e-mail servers
- Wireless networks
- Strings of connected switches
- Tremendous amount of traffic
- Security issues

Virtual Local Area Network (VLAN)
- Enables segmentation of a network using switches
- Created by taking a single physical broadcast domain and breaking it into multiple broadcast domains
- Assign each port to a specific VLAN
- Special switches have extra programming to create virtual networks

VLANs (cont'd.)
- Managed switches can handle multiple VLANs
- VLAN example
  - Take a single switch and turn it into two VLANs: VLAN1 and VLAN2
  - Assign ports to those VLANs
  - Any host plugged into a VLAN1 port becomes part of the broadcast domain VLAN1
Figure 12.13 Switch with two VLANs
Figure 12.14 Switch with two VLANs
Figure 12.15 Two switches, each with a VLAN 2 and a VLAN 1
Trunking
- Most networks have more than one switch
- Need to enable data to flow between switches
- Trunking: transferring VLAN traffic between switches
- Configure a port on each switch as a trunk port
- Native VLAN: the VLAN designation for a trunk port
- The trunk port is configured to carry all traffic between all switches in a LAN
Figure 12.16 Trunk ports
Trunking (cont'd.)
- Early days of VLANs: Inter-Switch Link (ISL), Cisco's proprietary form of trunking
- VLANs today: every Ethernet switch uses IEEE 802.1Q trunking to connect switches from different manufacturers

Configuring a VLAN-Capable Switch
- Methods for performing configuration
  - Use a serial (console) port
  - Most common method: log into the switch using SSH and use the command-line interface
  - Access the switch with a Web browser interface
Note (p. 337): VLANs based on ports are the most common type of VLAN and are commonly known as static VLANs. VLANs based on MAC addresses are called dynamic VLANs.

Configuration Process
- Define the VLANs
- Assign ports to VLANs (this process is known as VLAN assignment)
- Whatever computer plugs into that port, its traffic will be tagged with that port's VLAN
Figure 12.17 Catalyst 2970 Series Device Manager
Figure 12.18 Defining VLANs in Cisco Network Assistant
Figure 12.19 Assigning a port to a VLAN
Tagging
- Enables a frame from a workstation in VLAN100 to make it to a destination workstation in the same VLAN
- Access ports are regular ports that have been configured as part of a VLAN
- Traffic is tagged with the appropriate VLAN when frames enter the switch

Tagging (cont'd.)
- Access ports connect to workstations
- Trunk ports connect to other trunk ports
- The switch tags incoming frames with the appropriate VLAN
- The frames are routed to a destination workstation connected to the same switch or to a destination workstation connected to a different switch (sent out the trunk port)
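The tagging behaviour the two slides above describe, as an added example that is not from the textbook: a toy VLAN-aware switch that tags frames on the way out of a trunk port with an IEEE 802.1Q header, strips the tag before an access port, and drops frames whose VLAN has no port on the far side. The port names, VLAN numbers and the sample frame are constructed for the example; the switch floods within the VLAN and does no MAC learning.

```python
import struct

TPID_8021Q = 0x8100  # Tag Protocol Identifier that marks an 802.1Q-tagged frame

# Constructed sample frame: broadcast dst MAC, src MAC, EtherType 0x0800, payload.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0800") + b"hello"


def tag_frame(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the 12-byte destination/source MAC pair."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    tci = (priority << 13) | vlan_id  # TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def vlan_of(frame: bytes):
    """Return the VLAN ID of a tagged frame, or None if the frame is untagged."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID_8021Q else None


def untag_frame(frame: bytes) -> bytes:
    """Strip the 802.1Q tag; untagged frames are returned unchanged."""
    return frame[:12] + frame[16:] if vlan_of(frame) is not None else frame


class Switch:
    """Toy VLAN-aware switch. Ports map to ('access', vlan) or ('trunk', native_vlan)."""

    def __init__(self, ports: dict):
        self.ports = ports

    def classify(self, port: str, frame: bytes) -> tuple:
        """Decide which VLAN an incoming frame belongs to and strip any tag."""
        kind, port_vlan = self.ports[port]
        if kind == "access":
            return port_vlan, untag_frame(frame)  # access port: the port's VLAN wins
        vid = vlan_of(frame)
        if vid is None:
            return port_vlan, frame  # untagged on a trunk: native VLAN
        return vid, untag_frame(frame)

    def forward(self, in_port: str, frame: bytes) -> dict:
        """Flood within the VLAN; access ports get it untagged, trunks tagged unless native."""
        vid, payload = self.classify(in_port, frame)
        sent = {}
        for name, (kind, port_vlan) in self.ports.items():
            if name == in_port:
                continue
            if kind == "access" and port_vlan == vid:
                sent[name] = payload
            elif kind == "trunk":
                sent[name] = payload if port_vlan == vid else tag_frame(payload, vid)
        return sent
```

A frame entering a VLAN 100 access port leaves the trunk carrying a VID 100 tag and reaches only VLAN 100 access ports on either switch; a frame tagged for a VLAN with no matching port is simply not delivered.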
Virtual Trunking Protocol (VTP)
- Large networks with many VLANs would require intensive work to update
- VTP: a proprietary Cisco protocol that automates updates to multiple VLAN switches
- Three switch states: server, client, or transparent
- Updating the configuration of the server switch updates all other switches in the client state in minutes; switches in the transparent state do not update
Note (p. 339): Clients can update servers the same way servers update clients. The difference is that VLAN info can only be changed on servers.

InterVLAN Routing
- Early days: one router with multiple ports was the network backbone
  - Forces all traffic to go through the router
  - Not a flexible solution for adding VLANs
- Cisco 3550
  - Supports VLANs and virtual routers
  - Works at Layers 2 and 3
- InterVLAN routing is the process of routing between two VLANs
Figure 12.20 One router connecting multiple VLANs
Figure 12.21 Cisco 3550
Figure 12.22 Setting up interVLAN routing
DHCP and VLANs
- By default, DHCP requests cannot pass through a router
- When DHCP relay is enabled and configured within a router, the router will pass DHCP requests and responses across the router interfaces
- Cisco implements DHCP relay through a configuration command called IP helper

Troubleshooting VLANs
- Check the port assignment
- A device with an incorrect VLAN assignment
  - Will not be seen
  - Will not have access to resources it needs
Multilayer Switches
Multilayer Switches
- Example: Cisco 3550
  - Works at Layer 2 and Layer 3
  - Supports interVLAN routing
- Layer 2 forwards traffic based on MAC address
- Layer 3 (router) forwards traffic based on IP address
- Any port can be configured to work as a switchport or a router port
Note (p. 342): Any device that works at multiple layers of the OSI seven-layer model, providing more than a single service, is called a multifunction network device.

Load Balancing
- Popular Internet servers cannot support the load using a single system
- Load balancing: many servers look like one server
  - Creates a server cluster
  - Requests are distributed evenly
- Different load balancing methods are available
- It is common to use an advanced network device called a load balancer
Note (p. 343): Coming to a consensus on statistics like the number of requests/day or how many requests a single server can handle is difficult. Just concentrate on the concept. If some nerdy type says your numbers are way off, nicely agree and walk away. Just don't invite them to any parties.

DNS Load Balancing
- Oldest and still a very common method
- Each server has its own IP address
- The DNS server has multiple "A" records with the same FQDN
- Round robin: the DNS server cycles through these records so the same domain name resolves to different IP addresses
- The BIND DNS server has more features
Figure 12.23 Multiple IP addresses, same name
Figure 12.24 Enabling round robin
Using a Multilayer Switch
- Web clients cache the IP address returned by the DNS server, which reduces the effectiveness of DNS load balancing
- Using a multilayer switch for load balancing
  - Hide all Web servers behind one IP address
  - Use a multilayer switch (Layers 3 and 4)
  - The router performs NAT and port forwarding
  - Queries the hidden Web servers and sends HTTP requests to servers with a lighter load
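DNS round robin and the caching problem from the DNS Load Balancing and Using a Multilayer Switch slides, as an added example that is not from the textbook: a toy DNS server that rotates its A records on every query, and a client that either re-resolves each time or reuses its first answer. The FQDN, the addresses and the client counts are constructed; the toy stands in for BIND's round-robin behaviour, not its actual code.

```python
from collections import Counter


class RoundRobinDNS:
    """Toy DNS server holding several A records for one FQDN (constructed, not BIND)."""

    def __init__(self, zone: dict):
        # Each name maps to a list of addresses; the list is rotated after every query.
        self._zone = {name: list(addrs) for name, addrs in zone.items()}

    def resolve(self, fqdn: str) -> list:
        """Return all A records, rotated so each query leads with the next server."""
        records = self._zone[fqdn]
        answer = list(records)
        records.append(records.pop(0))
        return answer


class WebClient:
    """A client that either re-resolves on every request or caches its first answer."""

    def __init__(self, dns: RoundRobinDNS, cache_answers: bool):
        self.dns = dns
        self.cache_answers = cache_answers
        self._cache = {}

    def pick_server(self, fqdn: str) -> str:
        if self.cache_answers and fqdn in self._cache:
            return self._cache[fqdn]
        ip = self.dns.resolve(fqdn)[0]  # clients normally use the first record returned
        self._cache[fqdn] = ip
        return ip


def simulate(fqdn: str, addrs: list, clients: int, requests_per_client: int,
             cache_answers: bool) -> dict:
    """Count how many requests land on each server under the given caching behaviour."""
    dns = RoundRobinDNS({fqdn: addrs})
    hits = Counter()
    for _ in range(clients):
        client = WebClient(dns, cache_answers)
        for _ in range(requests_per_client):
            hits[client.pick_server(fqdn)] += 1
    return dict(hits)


if __name__ == "__main__":
    servers = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]  # constructed addresses
    print("no cache:", simulate("www.example.com", servers, 1, 30, False))
    print("cached  :", simulate("www.example.com", servers, 1, 30, True))
```

With caching off, one busy client spreads 30 requests evenly; with caching on, the same client sends all 30 to the first address it resolved, which is why the next slide hides the servers behind a single IP address instead.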
Using a Content Switch
- Using a content switch for load balancing
  - Works at Layer 7 (Application)
  - Designed to work with Web servers
  - Reads incoming HTTP and HTTPS requests
- Handles SSL certificates and cookies
  - Reduces the Web servers' workload
  - Passes cookies to Web browsers
Exam Tip (p. 344): The CompTIA Network+ exam refers to a content switch as a content filter network appliance.
Figure 12.25 Layer 7 content switch
QoS and Traffic Shaping
- Quality of service (QoS)
  - Rules-based policies to prioritize traffic
  - Controls maximum bandwidth
- Traffic shaping
  - Bandwidth management
  - Controls the flow of packets in or out
  - Guarantees a certain amount of bandwidth/latency
  - Popular where IT must control user activities
Exam Tip (p. 345): The CompTIA Network+ exam uses the generic term traffic filtering, which means traffic shaping: the filtering of traffic based on type of packet or other rules.
Exam Tip (p. 345): The term bandwidth shaping is synonymous with traffic shaping. The routers and switches that can implement traffic shaping are commonly referred to as shapers. The CompTIA Network+ exam refers to such devices as bandwidth shapers. Additionally, the exam uses the term packet shaper to describe a traffic shaping device that controls the flow based on packet rules.

Figure 12.26 QoS configuration on a router

Port Bonding
- Joining two or more connections' ports logically in a switch so that the resulting bandwidth is treated as a single connection
- Throughput is multiplied by the number of linked connectors
- All of the cables from the joined ports go to the same device: another switch, a storage area network (SAN), a station, or other device

Port Bonding (cont'd.)
- Other names for port bonding
  - Link aggregation
  - NIC bonding
  - NIC teaming
- Protocols
  - Cisco's Port Aggregation Protocol (PAgP)
  - IEEE's Link Aggregation Control Protocol (LACP)

Network Protection
- Intrusion protection/intrusion detection
- Port mirroring
- Proxy serving
- AAA

Intrusion Detection System (IDS)
- Inspects incoming packets
- Alerts the network administrator
- Network-based IDS (NIDS): reports to a central application
- Host-based IDS (HIDS): monitors events such as system file modification

Figure 12.27 Diagram of network-based IDS
Exam Tip (p. 347): The CompTIA Network+ exam can refer to an IDS system by either its location on the network, thus NIDS or HIDS, or by what the IDS system does in each location. The network-based IDS scans using signature files, thus it is a signature-based IDS. A host-based IDS watches for suspicious behavior on systems, thus it is a behavior-based IDS.
Figure 12.28 OSSEC HIDS
Intrusion Protection System (IPS)
- Similar to an IDS
- Consequences of actively monitoring the flow of network traffic
  - Can stop an attack while it is happening
  - The network bandwidth and latency take a hit
  - If the IPS goes down, the link might go down too
Exam Tip (p. 348): The CompTIA Network+ exam refers to intrusion detection and prevention systems collectively by their initials, IDS/IPS.

Port Mirroring
- Copies data from ports to a single port
- Works like a configurable promiscuous port
- Allows inspection of traffic to or from certain computers
- Local port mirroring copies data from ports on a switch to a specific port; you must connect directly to the switch to monitor the data
- Remote port mirroring does not require connecting to the switch directly

Proxy Serving
- A proxy server sits between clients and external servers
  - Intercepts requests from clients
  - Makes requests itself on behalf of clients
- The proxy server's IP address is entered in the client's connection settings
- The client's requests are redirected to the proxy server
Figure 12.29 Setting a proxy server in Mozilla Firefox
Figure 12.30 Web proxy at work
Proxy Caching
- One benefit of using a proxy server: caching
  - Gives clients a faster response
- Forward proxy server
  - Acts on behalf of clients
  - Hands information to clients
- Reverse proxy server
  - Acts on behalf of its servers
  - Clients do not receive information about the servers
Tech Tip: Proxy Caching (p. 349) If a proxy server caches a Web page, how does it know if the cache accurately reflects the real page? What if the real Web page was updated? In this case, a good proxy server uses querying tools to check the real Web page to update the cache.
Figure 12.31 Squid Proxy Server software
AAA
- Authentication, authorization, and accounting (AAA) are vitally important for security on switches that support port authentication
- Supported by intelligent switches
- Port authentication protects a network from unwanted people trying to access the network
- Authentication is required at the point of connection

AAA (cont'd.)
- Critical for AAA authentication: RADIUS, TACACS+, 802.1X
- Configuring a switch for AAA is a complex procedure

Figure 12.32 802.1X configuration on a Cisco 2811
Exam Tip (p. 351): CompTIA drops the + symbol when discussing TACACS+, as mentioned in Chapter 11. You'll see this subject on the exam as TACACS/RADIUS misconfigurations.
Try This! Exploring Switch Capabilities (p. 352) If you have access to a managed switch of any kind, now would be a great time to explore its capabilities. Use a Web browser of your choice and navigate to the switch. What can you configure? Do you see any options for proxy serving, load balancing, or other fancy capabilities? How could you optimize your network by using some of these more advanced capabilities?