Advanced Networking Devices
Chapter 11
Objectives
- Describe the features and functions of VPNs
- Define the capabilities and management of managed switches
- Configure and deploy VLANs
- Implement advanced switch features
Introduction
- Virtual Private Networks: connect remote users to local resources
- Managing devices that handle switching, security, and more
- VLANs: technology built into better switches that segments a single network into multiple virtual networks
- Multilayer switches
Virtual Private Networks (VPNs)
VPN over the Internet
- Alternative to expensive remote connections
- Connection using an encrypted tunnel
- Data is encrypted and decrypted at the endpoints
- Connecting computers must all have the same network ID
VPN Protocols (1 of 4)
- The VPN client program uses one of many tunneling protocols
- The remote client connects to the local LAN and queries the local DHCP server for an IP address
- The client is on the same network ID as the local LAN
- The remote computer has two IP addresses: the Internet connection’s IP address and the VPN client tunnel endpoint IP address
VPN Protocols (2 of 4)
Figure: VPN connecting computers across the United States
VPN Protocols (3 of 4)
Figure: Typical tunnel
VPN Protocols (4 of 4)
Figure 11.3 Endpoints must have their own IP addresses
PPTP VPNs (1 of 5)
- Point-to-Point Tunneling Protocol (PPTP): an advanced version of PPP
- Endpoints are on the client and the server (Routing and Remote Access Service, RRAS)
- The client side uses a virtual NIC that acquires a DHCP address
- When the client connects to the RRAS, PPTP creates a secure tunnel over the Internet
Exam Tip (p. 320): A system connected to a VPN looks as though it’s on the local network, but performs much slower than if the system was connected directly back at the office because it’s not local at all.
PPTP VPNs (2 of 5)
- A single computer logs into a remote network
- It becomes a member of that network
PPTP VPNs (3 of 5)
Figure: RRAS in action
PPTP VPNs (4 of 5)
Figure 11.5 Setting up a VPN connection in Windows 10
PPTP VPNs (5 of 5)
Figure 11.6 VPN on a macOS system
Layer 2 Tunneling Protocol (L2TP) VPNs (1 of 2)
- Developed by Cisco
- Included all the good features of PPTP
- Added support to run on most connections
- Moved the endpoint onto the local LAN; a VPN concentrator can be an endpoint
- Can connect two remote LANs using two VPN concentrators, called a site-to-site VPN connection
Exam Tip (p. 322): Aside from host-to-site and site-to-site VPNs, you’ll sometimes see host-to-host connections discussed. A host-to-host VPN deals with a specific single connection between two machines using VPN software or hardware.
Layer 2 Tunneling Protocol (L2TP) VPNs (2 of 2)
- L2TP has no authentication or encryption of its own; it uses IPsec for security
- Technically the combination should be called an “L2TP/IPsec” VPN
- Works well with a single client connecting to a LAN
- VPN clients in all operating systems support L2TP/IPsec
SSL VPNs
- VPNs using Secure Sockets Layer (SSL)
- No special client software is required; clients connect using a Web browser
- Traffic is secured using SSL
- Most common types: SSL portal VPNs and SSL tunnel VPNs
Note (p. 322): Many VPN connections use the terms client and server to denote the functions of the devices that make the connection. You’ll also see the terms host and gateway to refer to the connections, such as a host-to-gateway tunnel.
SSL Portal VPNs
- The client accesses the VPN and is presented with a secure Web page
- The client is able to access anything on that page
- Examples: , data, and links to other pages
SSL Tunnel VPNs
- The client browser runs an active control, e.g., Java or Flash
- Enables much greater access to the VPN-connected network
- Creates a more typical host-to-site connection than SSL portal VPNs
- The user must have sufficient permissions to run the active browser controls
DTLS VPNs
- Datagram TLS (DTLS) VPNs optimize connections for delay-sensitive applications
- After establishing a traditional TLS tunnel, DTLS VPNs use UDP datagrams rather than TCP segments for communication
- Cisco AnyConnect DTLS VPN is the prototypical example of this sort of VPN implementation
DMVPN
- A traditional VPN can be inefficient: all traffic may route through the main VPN
- A dynamic multipoint VPN (DMVPN) fixes this problem by enabling direct VPN connections between multiple locations
- A typical DMVPN solution employs standard security (IPsec) to make all the connections secure from unwanted prying
Alternative VPNs
- Other popular VPN options beyond PPTP, L2TP, and SSL/TLS: OpenVPN and SSH
- The most common VPN today offers pure (no L2TP) IPsec solutions
- IPsec VPN technologies use IPsec tunneling for VPNs
- Generic Routing Encapsulation (GRE) protocol paired with IPsec for encryption
Switch Management
Switch Management (1 of 3)
Methods of connecting to managed switches:
- Plug directly into a serial interface and use a virtual terminal program (e.g., PuTTY) to connect to a command-line interface
- Get the switch on the network and use a virtual terminal program to connect to a command-line interface
- Get the switch on the network and use the switch’s built-in Web interface
Note (p. 323): These methods of switch management work for any type of managed device (such as routers).
Switch Management (2 of 3)
- A console port is a special serial port on many managed switches
- A managed switch has the same configuration issues as a new router: basic configuration, updating the firmware, and configuring a client or client software to connect to the managed switch
Note (p. 324): A managed switch enables you to configure every port on the switch in a lot of different ways, depending on the purpose and complexity of the switch. For example, it’s easy to set the speed and duplexing of a port to match the client.
Exam Tip (p. 324): You configure a default gateway on a switch by telling the switch the IP address of the gateway router. For most implementations, plug in the IP of your Internet connection box, such as DSL or cable modem.
Switch Management (3 of 3)
Figure: Plugging into a managed switch’s console port using a serial cable
In-Band and Out-of-Band Management
- In-band management: configure a switch over the network
- Out-of-band management: dedicate one port on every managed device and configure the interface by directly connecting to that management port
- Plug all dedicated ports into a switch separated from the rest of the network (to prevent unauthorized access)
Exam Tip (p. 324): You’ll find out-of-band management options (management URL, modem connection, console port) on switches and on routers. CompTIA uses the term console router to describe a router with out-of-band management capabilities.
Virtual LANs
Serious Networks Are Complex
- Remote incoming connections
- Public Web or servers
- Wireless networks
- String of connected switches
- Tremendous amount of traffic
- Security issues
Virtual Local Area Network (VLAN) (1 of 5)
- Enables segmentation of a network using switches
- Created by taking a single physical broadcast domain and breaking it into multiple broadcast domains
- Assign each port to a specific VLAN
- Special switches have extra programming to create virtual networks
Virtual Local Area Network (VLAN) (2 of 5)
- Managed switches can handle multiple VLANs
- VLAN example: take a single switch and turn it into two VLANs, VLAN1 and VLAN2, then assign ports to those VLANs
- Any host plugged into a VLAN1 port becomes part of the broadcast domain VLAN1
Virtual Local Area Network (VLAN) (3 of 5)
Figure: Switch with two VLANs
Virtual Local Area Network (VLAN) (4 of 5)
Figure 11.9 Every port is VLAN1 by default
Virtual Local Area Network (VLAN) (5 of 5)
Figure: Two switches, each with a VLAN 2 and a VLAN 1
Trunking (1 of 3)
- Most networks have more than one switch, so data must be able to flow between switches
- Trunking: transferring VLAN traffic between switches
- Configure a port on each switch as a trunk port
- Native VLAN: the VLAN designation assigned to a trunk port
- The trunk port is configured to carry all traffic between all switches in a LAN
Trunking (2 of 3)
Figure 11.11 Trunk ports
Check out the excellent Chapter 11 Challenge! Sim, “Trunking,” to test your understanding of trunking. You’ll find it here: .com/007.
Trunking (3 of 3)
- Early days of VLANs: Inter-Switch Link (ISL), Cisco’s proprietary form of trunking
- VLANs today: every Ethernet switch uses IEEE 802.1Q trunking to connect switches from different manufacturers
Configuring a VLAN-Capable Switch
Methods for performing configuration:
- Use a serial (console) port
- Most common method: log into the switch using SSH and use the command-line interface
- Access the switch with a Web browser interface
Exam Tip (p. 326): Expect a question or two on segmentation and interface properties of VLANs and 802.1Q. These will ask you about what each accomplishes and perhaps how a configuration screen should function.
Note (p. 326): VLANs based on ports are the most common type of VLAN and are commonly known as static VLANs. VLANs based on MAC addresses are called dynamic VLANs. The latter method is never used these days.
Tagging (1 of 2)
- Tagging enables a frame from a workstation in VLAN100 to make it to a destination workstation in the same VLAN
- Access ports are regular ports that have been configured as part of a VLAN
- The switch tags traffic with the appropriate VLAN when frames enter the switch
Tagging (2 of 2)
- Access ports connect to workstations
- Trunk ports connect to other trunk ports
- The switch tags incoming frames with the appropriate VLAN
- The frames are routed to a destination workstation connected to the same switch or to a destination workstation connected to a different switch (sent out the trunk port)
Exam Tip (p. 327): Expect a question or two on the CompTIA Network+ exam that checks your knowledge of tagging and untagging ports on VLAN switches. Also, you’ll get a question on why you would want to change a native VLAN (to mitigate against double-tagging attacks).
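The two tagging slides describe what a switch does with a frame on an access port versus a trunk port, and the exam tip mentions the native VLAN and double tagging. The following Python is an added example written for these notes, not code from the textbook or from any switch vendor: it builds 802.1Q frames, parses the tag stack, models how ingress classification assigns a VLAN (access VLAN on an access port, outer tag or native VLAN on a trunk), flags frames carrying two tags so a monitoring tool can alert on them, and checks a constructed port table for trunks whose native VLAN is also in use as an access VLAN. The port names, MAC addresses and VLAN numbers are constructed sample values; the TPID values 0x8100 (802.1Q) and 0x88A8 (802.1ad) are the standard ones.

```python
import struct

# EtherTypes that introduce a VLAN tag: 0x8100 is the 802.1Q customer tag,
# 0x88A8 is the 802.1ad service tag used when tags are stacked (Q-in-Q).
TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8


def build_frame(dst: str, src: str, vlans, ethertype: int = 0x0800,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed test frame: dst/src MAC, one 802.1Q tag per VLAN ID (outermost first), payload."""
    frame = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vlans:
        # TCI = 3-bit priority (0) | 1-bit DEI (0) | 12-bit VLAN ID
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Walk the Ethernet header and peel off every VLAN tag it carries."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    offset = 12
    vlans = []
    (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        vlans.append(tci & 0x0FFF)          # low 12 bits of the TCI are the VLAN ID
        offset += 4
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    return {"dst": dst, "src": src, "vlans": vlans, "ethertype": ethertype}


def classify_ingress(frame: bytes, port: dict) -> dict:
    """Model of how a switch places an incoming frame into a VLAN.

    access port: the frame belongs to the port's VLAN; a tag arriving on an
                 access port is unexpected and is reported
    trunk port:  a tagged frame keeps its outermost tag; an untagged frame is
                 placed in the trunk's native VLAN
    """
    tags = parse_frame(frame)["vlans"]
    alerts = []
    if port["mode"] == "access":
        vlan = port["vlan"]
        if tags:
            alerts.append("tagged frame received on access port")
    elif port["mode"] == "trunk":
        vlan = tags[0] if tags else port.get("native", 1)
    else:
        raise ValueError("port mode must be 'access' or 'trunk'")
    if len(tags) >= 2:
        alerts.append("double-tagged frame")   # stacked tags belong only where Q-in-Q is expected
    return {"vlan": vlan, "tags": tags, "alerts": alerts}


def native_vlan_conflicts(ports: dict) -> list:
    """Configuration check: a trunk whose native VLAN is also an access VLAN lets
    untagged trunk traffic land in a user VLAN. The usual fix is to move the
    native VLAN to an otherwise unused VLAN, as the exam tip suggests."""
    access_vlans = {p["vlan"] for p in ports.values() if p["mode"] == "access"}
    return sorted(name for name, p in ports.items()
                  if p["mode"] == "trunk" and p["native"] in access_vlans)


# Constructed port table standing in for a switch's running configuration.
PORTS = {
    "Gi0/1": {"mode": "access", "vlan": 10},
    "Gi0/2": {"mode": "access", "vlan": 1},
    "Gi0/24": {"mode": "trunk", "native": 1},
}

if __name__ == "__main__":
    untagged = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [])
    print(classify_ingress(untagged, PORTS["Gi0/24"]))   # lands in native VLAN 1
    print(native_vlan_conflicts(PORTS))                   # ['Gi0/24']
```

Running the script against the constructed table reports Gi0/24, because its native VLAN 1 is also the access VLAN of Gi0/2; moving the trunk's native VLAN to an unused number clears the finding.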
Virtual Trunking Protocol (VTP)
- Large networks with many VLANs would require intensive work to update
- Virtual Trunking Protocol (VTP): proprietary Cisco protocol that automates updates to multiple VLAN switches
- Three switch states: server, client, or transparent
- Updating the configuration of the server switch updates all other switches in the client state in minutes; the transparent state does not update
Note (p. 329): VTP offers VTP pruning, a tool for minimizing broadcast traffic. This can be a very useful tool on larger-scale networks.
Note (p. 329): Clients can update servers the same way servers update clients. The difference is that VLAN info can only be changed on servers.
InterVLAN Routing (1 of 4)
- Early days: one router with multiple ports was the network backbone; this forces all traffic to go through the router and is not a flexible solution for adding VLANs
- Cisco 3550: supports VLANs and virtual routers, works at Layers 2 and 3
- InterVLAN routing is the process of routing between two VLANs
InterVLAN Routing (2 of 4)
Figure: One router connecting multiple VLANs
InterVLAN Routing (3 of 4)
Figure: Cisco 3550
InterVLAN Routing (4 of 4)
Figure: Setting up interVLAN routing
DHCP and VLANs
- By default, DHCP requests cannot pass through a router
- When DHCP relay is enabled and configured within a router, the router will pass DHCP requests and responses across the router interfaces
- Cisco implements DHCP relay through a configuration command called IP helper
Troubleshooting VLANs
- Check the port assignment
- A device with an incorrect VLAN assignment will not be seen and will not have access to the resources it needs
Multilayer Switches
Multilayer Switches
- Example: Cisco 3550, which works at Layer 2 and Layer 3 and supports interVLAN routing
- Layer 2 forwards traffic based on MAC address
- Layer 3 (router) forwards traffic based on IP address
- Any port can be configured to work as a switchport or a router port
Note (p. 331): Any device that works at multiple layers of the OSI seven-layer model, providing more than a single service, is called a multifunction network device.
Load Balancing
- Popular Internet servers cannot support their load using a single system
- Load balancing: many servers look like one server, creating a server cluster
- Requests are distributed evenly
- Different load balancing methods are available
- It is common to use an advanced network device called a load balancer
Note (p. 332): Coming to a consensus on statistics like the number of requests/day or how many requests a single server can handle is difficult. Just concentrate on the concept. If some nerdy type says your numbers are way off, nicely agree and walk away. Just don’t invite them to any parties.
DNS Load Balancing (1 of 3)
- The oldest and still a very common method
- Each server has its own IP address
- Each DNS server has multiple “A” records with the same FQDN
- Round robin: the DNS server cycles through these records so the same domain name resolves to different IP addresses
- The BIND DNS server has more features
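To make the round-robin idea concrete, here is an added Python model (written for these notes, not part of the textbook and not BIND's code) of a name server that holds several A records for one FQDN and rotates their order on every answer, the way BIND's cyclic rrset-order behaves. It then counts which server a client that always takes the first record would land on across a run of queries. The name www.example.com and the 192.0.2.x addresses are constructed sample values.

```python
from collections import Counter, deque


class RoundRobinZone:
    """Minimal model of a DNS server holding several A records under one name.

    Every answer returns the whole record set, but the order is rotated after
    each query, so consecutive clients see a different address first."""

    def __init__(self):
        self._rrsets = {}

    @staticmethod
    def _key(fqdn: str) -> str:
        # DNS names are case-insensitive and the trailing dot is optional
        return fqdn.lower().rstrip(".")

    def add_a(self, fqdn: str, ip: str) -> None:
        self._rrsets.setdefault(self._key(fqdn), deque()).append(ip)

    def resolve(self, fqdn: str) -> list:
        rrset = self._rrsets.get(self._key(fqdn))
        if not rrset:
            return []
        answer = list(rrset)
        rrset.rotate(-1)      # the record that was first moves to the back
        return answer


def first_choice_distribution(zone: RoundRobinZone, fqdn: str, queries: int) -> Counter:
    """Most clients connect to the first A record they are given; count how often
    each server ends up first across a run of queries."""
    return Counter(zone.resolve(fqdn)[0] for _ in range(queries))


def build_constructed_zone() -> RoundRobinZone:
    """Three web servers behind one name (constructed TEST-NET-1 addresses)."""
    zone = RoundRobinZone()
    for ip in ("192.0.2.11", "192.0.2.12", "192.0.2.13"):
        zone.add_a("www.example.com.", ip)
    return zone


if __name__ == "__main__":
    zone = build_constructed_zone()
    for _ in range(3):
        print(zone.resolve("www.example.com"))
    print(first_choice_distribution(build_constructed_zone(), "www.example.com", 9))
```

Three queries print the same three addresses in rotated order, and over nine queries each server is first exactly three times. Two caveats a practitioner should keep in mind: the DNS server has no idea whether a server is up, so a dead host keeps receiving its share of clients until its record is removed, and caching resolvers between the client and the authoritative server reuse one answer for the TTL, which skews the even distribution the slide describes.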
DNS Load Balancing (2 of 3)
Figure: Multiple IP addresses, same name
DNS Load Balancing (3 of 3)
Figure: Enabling round robin
Using a Content Switch
Using a content switch for load balancing:
- Works at Layer 7 (Application)
- Designed to work with Web servers
- Reads incoming HTTP and HTTPS requests
- Handles SSL certificates and cookies, reducing the Web servers’ workload
- Passes cookies to Web browsers
Exam Tip (p. 333): The CompTIA Network+ exam refers to a content switch as a content filter network appliance.
QoS and Traffic Shaping (1 of 2)
- Quality of service (QoS): rules-based policies to prioritize traffic; controls maximum bandwidth
- Traffic shaping: bandwidth management that controls the flow of packets in or out and guarantees a certain amount of bandwidth/latency
- Popular where IT must control user activities
Exam Tip (p. 333): The term bandwidth shaping is synonymous with traffic shaping. The routers and switches that can implement traffic shaping are commonly referred to as shapers.
QoS and Traffic Shaping (2 of 2)
Figure: QoS configuration on a router
Port Bonding (1 of 2)
- Joining two or more connections’ ports logically in a switch so that the resulting bandwidth is treated as a single connection
- Throughput is multiplied by the number of linked connectors
- All of the cables from the joined ports go to the same device: another switch, a storage area network (SAN), a station, or other device
Port Bonding (2 of 2)
- Other names for port bonding: link aggregation, NIC bonding, NIC teaming
- Protocols: Cisco’s Port Aggregation Protocol (PAgP) and IEEE’s Link Aggregation Control Protocol (LACP)
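The two port bonding slides say the bundled links act as one connection with multiplied throughput. What they do not show is how a switch decides which physical member carries a given frame: bonded links (under PAgP or LACP alike) normally hash header fields of each flow to one member, so a single conversation never exceeds one member's bandwidth while many conversations spread across all of them. The Python below is an added model written for these notes, not vendor code; real switches use their own hash functions, and the policy names mirror the common choices (source MAC, destination MAC, source and destination MAC, source and destination IP). The MAC and IP addresses are constructed sample values.

```python
import hashlib
from collections import Counter


def member_for_flow(src_mac: str, dst_mac: str, src_ip: str = "", dst_ip: str = "",
                    members: int = 2, policy: str = "src-dst-mac") -> int:
    """Pick which physical member of a bonded link carries a frame.

    The chosen policy selects which header fields feed the hash; the hash is
    taken modulo the number of members. SHA-256 stands in for the vendor's
    (undocumented, usually much cheaper) hash; only determinism matters here."""
    fields = {
        "src-mac": (src_mac,),
        "dst-mac": (dst_mac,),
        "src-dst-mac": (src_mac, dst_mac),
        "src-dst-ip": (src_ip, dst_ip),
    }[policy]
    digest = hashlib.sha256("|".join(f.lower() for f in fields).encode()).digest()
    return int.from_bytes(digest[:4], "big") % members


def flow_spread(flows, members: int = 4, policy: str = "src-dst-ip") -> Counter:
    """How many flows land on each member under a given hashing policy."""
    return Counter(member_for_flow(*flow, members=members, policy=policy) for flow in flows)


def constructed_flows(n: int) -> list:
    """n client hosts all talking to the same server (constructed addresses)."""
    return [(f"02:00:00:00:{i // 256:02x}:{i % 256:02x}", "02:00:00:00:ff:ff",
             f"10.0.{i // 256}.{i % 256}", "10.1.1.1") for i in range(n)]


if __name__ == "__main__":
    flows = constructed_flows(200)
    print("src-dst-ip:", flow_spread(flows, members=4, policy="src-dst-ip"))
    print("dst-mac:   ", flow_spread(flows, members=4, policy="dst-mac"))
```

With the source/destination IP policy the 200 client flows are spread over all four members; with a destination-MAC policy every flow hashes to the same member because they all go to one server, so the bundle delivers no more than one link's worth of throughput. Choosing a hashing policy that varies across the traffic you actually carry is what turns the slide's "multiplied throughput" into reality.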
Network Protection
- Intrusion protection/intrusion detection
- Port mirroring
- Proxy serving
- AAA
Intrusion Detection System (IDS) (1 of 3)
- Inspects incoming packets and alerts the network administrator
- Network-based IDS (NIDS): reports to a central application
- Host-based IDS (HIDS): monitors events such as system file modification
Intrusion Detection System (IDS) (2 of 3)
Exam Tip (p. 335): Several companies enable signature management in the cloud, to help monitor and protect network traffic from malicious code, picking out known and suspect malware signatures with continuously updating definition files. Check out for a prototypical example. And look for a signature management question on the CompTIA Network+ exam.
Exam Tip (p. 335): The CompTIA Network+ exam can refer to an IDS system by either its location on the network (thus NIDS or HIDS) or by what the IDS system does in each location. The network-based IDS scans using signature files, thus it is a signature-based IDS. A host-based IDS watches for suspicious behavior on systems, thus it is a behavior-based IDS.
Figure: Diagram of network-based IDS
Intrusion Detection System (IDS) (3 of 3)
Figure: OSSEC HIDS
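The IDS slides contrast a signature-based NIDS, which matches packet contents against a definition file, with a behavior-based HIDS, which watches for events such as system file modification. The Python below is an added example for these notes, not code from the textbook or from OSSEC, and it shows the core of each in miniature: a signature scan over constructed packet payloads, and a file-integrity comparison of a baseline of SHA-256 hashes against the current file set. The signature names, patterns, addresses and file contents are all constructed; a real signature feed is far richer than two regular expressions.

```python
import hashlib
import re

# Constructed signature set: name -> pattern over the raw payload. In a real
# NIDS this comes from a continuously updated definition file.
SIGNATURES = {
    "constructed-sig-001": re.compile(rb"HOST-SCAN-PROBE"),
    "constructed-sig-002": re.compile(rb"X-Test-Marker:\s*evil"),
}


def nids_scan(packets: list) -> list:
    """Signature-based detection: every signature is run over every payload and
    each hit becomes an alert naming the flow and the signature that fired."""
    alerts = []
    for pkt in packets:
        for name, pattern in SIGNATURES.items():
            if pattern.search(pkt["payload"]):
                alerts.append({"src": pkt["src"], "dst": pkt["dst"], "signature": name})
    return alerts


def baseline(files: dict) -> dict:
    """Record a SHA-256 hash per monitored file (path -> content bytes)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def hids_compare(baseline_hashes: dict, current_files: dict) -> dict:
    """Behavior-based detection on the host: report which monitored files were
    modified, added or removed since the baseline was taken."""
    current = baseline(current_files)
    return {
        "modified": sorted(p for p in baseline_hashes
                           if p in current and current[p] != baseline_hashes[p]),
        "added": sorted(p for p in current if p not in baseline_hashes),
        "removed": sorted(p for p in baseline_hashes if p not in current),
    }


# Constructed sample traffic and file sets.
PACKETS = [
    {"src": "198.51.100.7", "dst": "192.0.2.10", "payload": b"GET / HTTP/1.1\r\nHost: www\r\n\r\n"},
    {"src": "198.51.100.9", "dst": "192.0.2.10", "payload": b"HOST-SCAN-PROBE\x00\x00"},
    {"src": "198.51.100.9", "dst": "192.0.2.11", "payload": b"POST /x HTTP/1.1\r\nX-Test-Marker:  evil\r\n\r\n"},
]
FILES_BEFORE = {"/etc/hosts": b"127.0.0.1 localhost\n", "/etc/passwd": b"root:x:0:0::/root:/bin/sh\n"}
FILES_AFTER = {"/etc/hosts": b"127.0.0.1 localhost\n203.0.113.5 update-server\n",
               "/etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
               "/etc/cron.d/task": b"* * * * * root /tmp/job\n"}

if __name__ == "__main__":
    for alert in nids_scan(PACKETS):
        print("NIDS alert:", alert)
    print("HIDS report:", hids_compare(baseline(FILES_BEFORE), FILES_AFTER))
```

The scan raises two alerts from the same source address, and the host comparison reports /etc/hosts as modified and the new cron file as added while /etc/passwd is unchanged. Note the different trust model: the NIDS only ever sees what passes the mirrored or inline link, while the HIDS needs a trustworthy baseline taken before anything went wrong.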
Intrusion Protection System (IPS)
- Similar to an IDS
- Consequences of active network traffic flow monitoring: it can stop an attack while it is happening, but the network bandwidth and latency take a hit, and if the IPS goes down, the link might go down too
Exam Tip (p. 337): Expect a question on the appropriate placement of a multilayer switch such as an IPS or IDS within a network. This tackles the differences among HIDS, NIDS, HIPS, and NIPS. Some of these devices might have routing functions as well as switching functions, so be prepared for either word to be used in the description.
Port Mirroring
- Copies data from ports to a single port
- Works like a configurable promiscuous port
- Allows inspection of traffic to or from certain computers
- Local port mirroring copies data from ports on a switch to a specific port; you must connect directly to the switch to monitor the data
- Remote port mirroring does not require connecting to the switch directly
Proxy Serving (1 of 3)
- A proxy server sits between clients and external servers
- Intercepts requests from clients and makes requests itself on behalf of clients
- The proxy server’s IP address is entered in the client’s connection settings
- The client’s requests are redirected to the proxy server
Proxy Serving (2 of 3)
Figure 11.23 Setting a proxy server in Mozilla Firefox
Proxy Serving (3 of 3)
Figure 11.24 Web proxy at work
Proxy Caching (1 of 2)
- One benefit of using a proxy server is caching, which gives clients a faster response
- Forward proxy server: acts on behalf of clients and hands information to clients
- Reverse proxy server: acts on behalf of its servers; clients do not receive information about the servers
Tech Tip: Proxy Caching (p. 338) If a proxy server caches a Web page, how does it know if the cache accurately reflects the real page? What if the real Web page was updated? In this case, a good proxy server uses querying tools to check the real Web page to update the cache.
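The tech tip asks how a caching proxy knows whether its copy still matches the real page. The standard HTTP answer is a conditional request: the proxy serves a fresh copy for a limited time, and once the copy ages out it asks the origin "has this changed since the Last-Modified time I have?" (the If-Modified-Since header); the origin replies 304 Not Modified if nothing changed, or 200 with the new body otherwise. The Python below is an added simulation written for these notes, not Squid's code and not from the textbook: a stand-in origin server and a caching proxy exchange those status codes in-process with an explicit clock, and a scenario function walks through a miss, a hit, a revalidation, a stale hit inside the freshness window, and a refresh after the page changes. Paths, bodies and timestamps are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class OriginPage:
    body: bytes
    last_modified: float   # seconds since epoch, like an HTTP Last-Modified header


class Origin:
    """Stand-in for the real Web server. get() models a conditional GET."""

    def __init__(self):
        self.pages = {}

    def get(self, path: str, if_modified_since: float = None):
        page = self.pages[path]
        if if_modified_since is not None and page.last_modified <= if_modified_since:
            return 304, None, page.last_modified          # 304 Not Modified: body omitted
        return 200, page.body, page.last_modified


@dataclass
class CacheEntry:
    body: bytes
    last_modified: float
    fetched_at: float


class CachingProxy:
    """Forward proxy with a freshness window (max_age) and revalidation."""

    def __init__(self, origin: Origin, max_age: float = 60):
        self.origin = origin
        self.max_age = max_age
        self.cache = {}
        self.log = []   # (outcome, path) for each client request

    def fetch(self, path: str, now: float) -> bytes:
        entry = self.cache.get(path)
        if entry and now - entry.fetched_at < self.max_age:
            self.log.append(("HIT", path))               # served from cache, origin not asked
            return entry.body
        ims = entry.last_modified if entry else None
        status, body, last_modified = self.origin.get(path, ims)
        if status == 304:
            entry.fetched_at = now                       # copy confirmed current, window restarts
            self.log.append(("REVALIDATED", path))
            return entry.body
        self.cache[path] = CacheEntry(body, last_modified, now)
        self.log.append(("MISS" if entry is None else "REFRESHED", path))
        return body


def demo_scenario():
    """Walk one page through the cache lifecycle; returns (outcomes, bodies served)."""
    origin = Origin()
    origin.pages["/index.html"] = OriginPage(b"version 1", last_modified=0)
    proxy = CachingProxy(origin, max_age=60)
    bodies = []
    bodies.append(proxy.fetch("/index.html", now=0))     # MISS: first request goes to the origin
    bodies.append(proxy.fetch("/index.html", now=10))    # HIT: still inside the 60 s window
    bodies.append(proxy.fetch("/index.html", now=100))   # REVALIDATED: origin answers 304
    origin.pages["/index.html"] = OriginPage(b"version 2", last_modified=150)   # page updated
    bodies.append(proxy.fetch("/index.html", now=120))   # HIT: stale copy served until the window ends
    bodies.append(proxy.fetch("/index.html", now=200))   # REFRESHED: origin answers 200 with new body
    return [outcome for outcome, _ in proxy.log], bodies


if __name__ == "__main__":
    outcomes, bodies = demo_scenario()
    for outcome, body in zip(outcomes, bodies):
        print(f"{outcome:12s} -> {body.decode()}")
```

The request at t=120 is the interesting one: the origin already changed, yet the proxy serves version 1 because its copy is still within the freshness window. That is the trade-off the tech tip hints at: a shorter window means more revalidation traffic to the origin, a longer one means clients can see an out-of-date page for longer.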
Proxy Caching (2 of 2)
Figure 11.25 Squid Proxy Server software
AAA (1 of 2)
- Authentication, authorization, and accounting (AAA) are vitally important for security on switches to support port authentication
- Supported by intelligent switches
- Port authentication protects a network from unwanted people trying to access the network; authentication is required at the point of connection
Cross Check (p. 339): AAA You learned about AAA way back in Chapter 10, “Securing TCP/IP,” so crosscheck your memory and answer these questions. I remind you that the first A in AAA stands for authentication. What are the other two? Which jobs do they do to help lock down a TCP/IP network properly?
AAA (2 of 2)
- Critical for AAA authentication: RADIUS, TACACS+, 802.1X
- Configuring a switch for AAA is a complex procedure
Try This! (p. 340): Exploring Switch Capabilities If you have access to a managed switch of any kind, now would be a great time to explore its capabilities. Use a Web browser of choice and navigate to the switch. What can you configure? Do you see any options for proxy serving, load balancing, or other fancy capability? How could you optimize your network by using some of these more advanced capabilities?