
Advanced Ethernet Principles Using Westermo Equipment - Westermo Data Communications UK Ltd


Presentation Transcript


  1. Advanced Ethernet Principles Using Westermo Equipment. Westermo Data Communications UK Ltd. Presenter: Graham Lee Esq. / Vincento “Coconut” Collis

  2. Red Fox Industrial: Robust Industrial Data Communications - Made Easy
     • Family of Layer 3 switches
     • High-performance Ethernet switch supports: IGMP, VLAN, FRNT, QoS
     • Advanced Layer 3 functions: routing, NAT & PAT, OSPF, firewall, IPsec
     • Configurable via: HTTP, SSH, Telnet, serial port
     www.westermo.co.uk

  3. Red Fox Industrial is configurable in three different ways:
     • Web-screen configuration
     • CLI configuration via SSH and Telnet
     • Serial configuration via the console port

  4. Slot-based construction and port numbering
     • Slot 1: management (management port, I/O and fault contact, configurable status LEDs)
     • Slots 2 & 3: additional ports (a mix of Ethernet and fibre ports)

  5. OSI 7-Layer Model. The OSI (Open Standards Interconnect) model is a definition of how devices should communicate: each layer performs a defined task and is separate from the layers above and below. Data from higher layers is encapsulated by the lower layers. Examples per layer (top down):
     • Transport layer: communication protocols, TCP, UDP
     • Network layer: IP addresses, routers
     • Data link layer: Ethernet, MAC addresses, switches, bridges
     • Physical layer: Cat5e cable, fibre optic, DSL, radio

  6. An example packet: an Ethernet frame carrying IP and TCP, with the fields of each PDU listed by OSI layer.
     • Ethernet: Preamble, Destination MAC Address, Source MAC Address, Type Field, ... , Cyclic Redundancy Check
     • IP: Version, IHL, Type Of Service, Total Length, Identification, Flags, Fragment Offset, TTL, Protocol, Header Checksum, Source IP Address, Destination IP Address, IP Options
     • TCP: Src port, Dst Port, Seq number, Ack Number, Data Offset, Reserved, Flags, Window, Checksum, Urgent Pointer, Options, Padding
     • Data from upper layers
     Maximum frame size = 1542 bytes

  7. Types of IP traffic
     • UDP: connection-less traffic
     • TCP: connection-based traffic
     • Broadcast: one to all
     • Multicast: one to many

  8. IGMP. Multicast reserved addresses: 224.0.0.0 to 239.255.255.255. (Diagram: multicast subscribers and non-subscribers on the same switch.)

  9. IP Addresses: 32-bit dotted decimal notation, e.g. 192.168.100.100. The subnet mask segregates IPs into groups, e.g. 255.255.255.0.

  10. Subnets
      192.168.10.0    255.255.255.0   11000000.10101000.00001010.00000000
      192.168.10.255  255.255.255.0   11000000.10101000.00001010.11111111

  11. Within the subnet: .0 is the subnet address, .1 - .254 are host addresses, .255 is the broadcast address.

  12. The same block split into four smaller subnets:
      Subnet address   Host addresses   Broadcast address
      .0               .1 - .62         .63
      .64              .65 - .126       .127
      .128             .129 - .190      .191
      .192             .193 - .254      .255
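The subnet arithmetic of slides 9 to 12, as an added example that is not part of the original presentation: it derives the subnet address, host range and broadcast address for a block, splits a /24 into the four /26 subnets shown on slide 12, and prints the dotted-binary form used on slide 10. It uses only the Python standard library.

```python
import ipaddress


def subnet_info(cidr: str) -> dict:
    """Describe one subnet: subnet (network) address, mask, broadcast, host range."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())  # excludes the subnet and broadcast addresses
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]) if hosts else None,
        "last_host": str(hosts[-1]) if hosts else None,
        "usable_hosts": len(hosts),
    }


def split_subnet(cidr: str, new_prefix: int) -> list:
    """Carve a block into equal smaller subnets, e.g. a /24 into four /26s."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [subnet_info(str(sub)) for sub in net.subnets(new_prefix=new_prefix)]


def to_binary(addr: str) -> str:
    """Dotted-decimal to dotted-binary, the notation used on slide 10."""
    return ".".join(f"{int(octet):08b}" for octet in addr.split("."))


if __name__ == "__main__":
    print(to_binary("192.168.10.0"), to_binary("255.255.255.0"))
    for s in split_subnet("192.168.10.0/24", 26):
        print(f"{s['network']:<15} hosts {s['first_host']} - {s['last_host']:<15} "
              f"broadcast {s['broadcast']}")
```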

  13. Virtual LAN (VLAN)
      • Operates at Layer 2
      • Breaks up broadcast domains
      • Creates smaller, logical network topologies
      • VLANs can be created in one of two ways: static (per port) or dynamic (MAC address allocation)

  14. What are VLANs for? Grouping parts of a network based on department, function or service.
      • Controlling the proliferation of broadcasts throughout a network
      • Providing security throughout the network
      • Giving flexibility to network design

  15. VLAN example
      • Default configuration: 1 VLAN, 1 broadcast domain covering the entire network
      • Change the link port into a VLAN trunk port: 2 VLANs (Corporate network and Industrial network), 2 broadcast domains

  16. Inter-VLAN routing. Switches cannot route between VLANs; for packets to traverse different VLANs, they must be processed by a router.

  17. VLAN tagging + frame length. VLAN tag information adds 4 bytes of data onto an Ethernet frame, making a maximum frame size of 1542 bytes.
      Tagged frame fields: Preamble, Destination MAC Address, Source MAC Address, 802.1Q Header, Type Field, then the IP header (Version, IHL, Type Of Service, Total Length, Identification, Flags, Fragment Offset, TTL, Protocol, Header Checksum, Source IP Address, Destination IP Address, IP Options), the TCP header (Src port, Dst Port, Seq number, Ack Number, Data Offset, Reserved, Flags, Window, Checksum, Urgent Pointer, Options, Padding), data from upper layers, and the Cyclic Redundancy Check.
      • Some networking devices are unable to process frames larger than 1538 bytes. These devices require the tags to be removed before the frame is transmitted to them.
      • At the network layer Ethernet can only carry a maximum transmission unit (MTU) of 1500 bytes, so larger packets are fragmented and then reassembled at the destination.
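To make the 4-byte tag of slide 17 concrete, here is an added example (not code from the presentation or from Westermo) that parses an Ethernet II header with an optional 802.1Q tag, extracts the VLAN ID and priority bits, and strips the tag the way a switch does before forwarding to a device that cannot handle tagged frames. The sample frame is constructed inline; lengths exclude the preamble and CRC.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # TPID that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def mac_str(raw: bytes) -> str:
    return "-".join(f"{b:02X}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II header plus optional 802.1Q tag (no preamble/FCS)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": mac_str(dst), "src": mac_str(src), "tagged": False,
            "vlan_id": None, "priority": None}
    header_len = 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        # TCI: 3 bits priority (PCP), 1 bit DEI, 12 bits VLAN ID
        info.update(tagged=True, priority=tci >> 13, vlan_id=tci & 0x0FFF)
        header_len = 18            # the tag adds 4 bytes
    info["ethertype"] = ethertype
    info["frame_len"] = len(frame)
    info["payload_len"] = len(frame) - header_len
    return info


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag, as a switch does on an untagged (access) port."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_VLAN:
        return frame[:12] + frame[16:]     # drop TPID + TCI, keep original type
    return frame


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vlan_id: int = None, pcp: int = 0) -> bytes:
    """Constructed sample frame, optionally tagged with the given VLAN ID/priority."""
    tag = b""
    if vlan_id is not None:
        tag = struct.pack("!HH", ETHERTYPE_VLAN, (pcp << 13) | vlan_id)
    return dst + src + tag + struct.pack("!H", ETHERTYPE_IPV4) + payload


# Constructed sample: a 1500-byte payload (the Ethernet MTU) tagged VLAN 10, priority 5
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
TAGGED = build_frame(DST, SRC, b"\x00" * 1500, vlan_id=10, pcp=5)
```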

  18. Quality of Service (QoS) guarantees bandwidth.
      • Reduces: jitter, delay, dropped packets, out-of-order delivery
      • Is required for some applications: VoIP, video streaming, absolutely critical data

  19. QoS works by assigning types of traffic DSCP tags (Differentiated Services Code Points) which determine the exact level of service they are to be treated with. Westermo switches link the QoS priority tags with the VLAN tags. This means that you cannot tag different types of traffic, but rather groups of hosts (which makes more sense in a control network).

  20. When to implement Quality of Service (QoS)
      • When you are using an application which requires it: VoIP, video streaming, absolutely critical data
      • When there is contention for bandwidth
      • However, increasing bandwidth is always a better solution to increase network performance

  21. Redundancy and Fault Tolerance in networks

  22. FRNT V0
      • Proprietary Westermo redundancy protocol
      • Controls topology failover
      • Fast (<20 ms reconfiguration time)

  23. FRNT operation (diagram: FRNT member switches in a ring with one Focal Point; X marks the blocked link and the failed cable)
      • Member devices communicate with the focal point to determine the topology.
      • The focal point detects that a ring is created, so it shuts down one of its interfaces which links the ring.
      • Switches continue to communicate to report the status of the topology.
      • If a cable fault is detected, the focal point opens its blocked interface to allow full connectivity again.

  24. STP & RSTP. Redundancy protocol which allows a switch-level (layer 2) mesh topology. Network convergence times of 30 secs (STP) and 3 secs (RSTP). Uses the lowest MAC address or lowest bridge ID to determine the root bridge.

  25. Principle of root bridge (diagram: meshed switches with Bridge IDs 8649, 6039, 7432, 4036, 6696, 9972, 4189 and 5827, one connected to the Internet; X marks the links STP blocks)

  26. VRRP
      • Allows redundant entry/exit points to a network
      • Does so via a “virtual” gateway IP address which two devices control the responses to
      • Not to be confused with load-balancing

  27. VRRP operation (diagram: two routers, Router ID 210 and Router ID 50, sharing the virtual MAC address 00-00-5E-00-01-XX)
      • Uses multicast traffic to manage the response to the virtual MAC address 00-00-5E-00-01-XX
      • The router with the highest VRRP ID is the “Master” router
      • If the master router encounters a fault, the backup router will take over

  28. Practical Time!! Set up an FRNT ring. Use testing tools (ping, traceroute) to verify the configuration. Inspect port mirroring and Wireshark.

  29. Routing • Routing occurs at layer 3 • All layer three devices have a routing table

  30. Understanding a routing table. A routing table (sometimes called a Routing Information Base or RIB) has three main parts. These titles basically mean:
      • Network: destination address
      • Next hop: how to get there
      • Metric: how far away it is
      Network        Next hop             Metric
      172.16.0.0     directly connected   0
      10.0.0.0       directly connected   0
      192.168.0.0    directly connected   0
      192.168.10.0   192.168.0.2          1
      54.19.0.0      192.168.0.2          110
      0.0.0.0        172.16.0.100         0
      Routing tables are read sequentially from top to bottom. When a device needs to send data, it will read down through the table to find where to send it. If no exact match is found, the default gateway (0.0.0.0 via 172.16.0.100) will be used.
      Notes: You can tell a lot from a routing table. For instance, from this example we know that this router has three different networks configured directly on it, and it knows how to get to a further two via a router which exists on the 192.168.0.0 network. From the metrics on the two distant networks we can tell what routing protocol is used to advertise them.
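A route lookup over the table on slide 30, as an added example (not code from the presentation). It selects the most specific matching entry, which is how routers actually choose; because the default route 0.0.0.0/0 is the least specific entry it is picked only when nothing else matches, so the result is the same as the slide's top-to-bottom read. Prefix lengths are assumed from slide 34, with 192.168.0.0 taken as a /24.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    next_hop: str          # "directly connected" or the gateway address
    metric: int


def R(cidr: str, next_hop: str, metric: int) -> Route:
    return Route(ipaddress.ip_network(cidr), next_hop, metric)


# Slide 30's table; prefix lengths are an assumption taken from slide 34
TABLE = [
    R("172.16.0.0/16", "directly connected", 0),
    R("10.0.0.0/8", "directly connected", 0),
    R("192.168.0.0/24", "directly connected", 0),
    R("192.168.10.0/24", "192.168.0.2", 1),
    R("54.19.0.0/16", "192.168.0.2", 110),
    R("0.0.0.0/0", "172.16.0.100", 0),     # default route, gateway of last resort
]


def lookup(table, destination: str) -> Optional[Route]:
    """Longest-prefix match; ties broken by lower metric. None means no route."""
    addr = ipaddress.ip_address(destination)
    best = None
    for route in table:
        if addr not in route.network:
            continue
        if (best is None
                or route.network.prefixlen > best.network.prefixlen
                or (route.network.prefixlen == best.network.prefixlen
                    and route.metric < best.metric)):
            best = route
    return best


def connected_networks(table) -> list:
    """Networks configured directly on the router (next hop is the interface)."""
    return [str(r.network) for r in table if r.next_hop == "directly connected"]
```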

  31. Static routing
      • Manually configured
      • Used in smaller networks
      • Becomes a headache when employed in larger networks
      • Not tolerant of topology changes

  32. Default routing: the “gateway of last resort”
      • Defines how to get to a network that is not explicitly defined
      • Always the last route in the routing table
      • Cannot have multiple default routes

  33. Dynamic routing
      RIP V1
      • Distance-vector protocol
      • Uses timed updates: floods the routing table every 30 secs
      • Slow convergence time, high overhead
      • Simple to configure
      • Uses “hop count” to determine the best path
      OSPF
      • Link-state protocol
      • Elects a “designated” router to manage topology updates
      • Updates topology based on keepalive “hello” packets
      • Floods routing updates upon topology change
      • Fast convergence time
      • Calculates the shortest path to the destination
      NB: Other routing protocols exist, but are not implemented in WeOS (YET!!)

  34. How RIP works. RIP is a nice and simple routing protocol: it advertises its entire routing table every 30 seconds out of all interfaces. Although convergence time is slow, it is easy to configure.
      Diagram: Router A has interfaces 172.16.0.0/16, 10.0.0.0/8 and 192.168.0.1/30; Router B has interfaces 192.168.0.2/24, 192.168.10.0/24 and 54.19.0.0/16.
      Router A, before the RIP exchange:
      Network        Next hop             Learned from
      172.16.0.0     directly connected   directly connected
      10.0.0.0       directly connected   directly connected
      192.168.0.0    directly connected   directly connected
      Router B, before the RIP exchange:
      Network        Next hop             Learned from
      192.168.10.0   directly connected   directly connected
      54.19.0.0      directly connected   directly connected
      192.168.0.0    directly connected   directly connected
      Router A, after the RIP exchange:
      Network        Next hop             Learned from
      172.16.0.0     directly connected   directly connected
      10.0.0.0       directly connected   directly connected
      192.168.0.0    directly connected   directly connected
      192.168.10.0   192.168.0.2          192.168.0.2
      54.19.0.0      192.168.0.2          192.168.0.2
      Router B, after the RIP exchange:
      Network        Next hop             Learned from
      192.168.10.0   directly connected   directly connected
      54.19.0.0      directly connected   directly connected
      192.168.0.0    directly connected   directly connected
      172.16.0.0     192.168.0.1          192.168.0.1
      10.0.0.0       192.168.0.1          192.168.0.1

  35. OSPF (diagram: routers A, B, C, D in Area 0 and E, F in Area 1). OSPF can define areas within an autonomous system (AS); this keeps routing tables smaller by limiting the total routes that each router needs to be aware of, and speeds up network convergence. OSPF sends “hello” packets out of all configured interfaces. Routers build a “neighbourship” table so they are aware of others running OSPF. When routers become aware of each other via the “hello” packets and they are within the same area, they will attempt to negotiate an “adjacency”. Once this is done, they will exchange routing information. Routers A and E are “Area Border Routers”: these routers are part of both areas, and will advertise “summary routes” to areas beyond their own.

  36. OSPF (diagram: routers A, B, C, D in Area 0 and E, F in Area 1). When a network segment has not fully converged, there can be a lot of packets passing between routers as they attempt to determine the topology. To combat this, the two routers with the highest configured IP addresses will become the Designated Router (DR) and the Backup Designated Router (BDR). From here onwards, when a topology change occurs, affected routers will alert the DR of the change and the DR will then broadcast this change to all routers within the area, greatly cutting down on the packets being sent. As OSPF alerts work upon change of state, this can generate a lot of extra traffic when a link goes down, exactly when additional traffic is not desired!

  37. Practical Time!!
      • Configure OSPF on your RedFox Industrial and connect it to the other red foxes here.
      • Use area 0
      • Follow the worksheet
      • Verify OSPF is running and test connectivity.

  38. IPsec
      • Standardised suite of protocols
      • Allows a secure, encrypted path for data
      • Used for transferring sensitive data over an untrusted network (such as the internet)

  39. IPsec Tunnels
      • IKE - Internet Key Exchange
      • AH - Authentication Header
      • ESP - Encapsulated Security Payload
      Related settings: duration timers, Dead-Peer-Detection, Transport Mode / Tunnel Mode, Main Mode / Aggressive Mode

  40. Firewall
      • Stateful inspection firewall (layer 4)
      • Permits / denies traffic between VLANs
      • Filters traffic based on source/destination ports and addresses, or protocol

  41. Network Address Translation has three modes of operation:
      • Static NAT: statically configured one-to-one mapping of internal addresses to external
      • Dynamic NAT: dynamic one-to-one mapping of internal addresses to external
      • NAT Overload: dynamic mapping of multiple internal addresses to a single external address through the use of port numbers (also referred to as PAT)
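The NAT overload (PAT) mode from slide 41, as an added example that is not part of the presentation and not Westermo code: a minimal translation table that maps many inside hosts onto one public address by rewriting the source port, and that only translates inbound packets for which outbound state already exists (so unsolicited inbound traffic gets no mapping and is dropped). The public and inside addresses are constructed sample values.

```python
import itertools
from typing import Optional, Tuple

Flow = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


class NatOverload:
    """NAT overload (PAT): many inside addresses share one public address,
    distinguished by the translated source port."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self._next_port = itertools.count(first_port)  # sample allocation policy
        self._out = {}   # inside flow -> public port
        self._in = {}    # public port -> inside flow

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Flow:
        """Translate an inside->outside packet, creating state on first sight."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        port = self._out.get(flow)
        if port is None:
            port = next(self._next_port)
            self._out[flow] = port
            self._in[port] = flow
        return (self.public_ip, port, dst_ip, dst_port)

    def inbound(self, src_ip: str, src_port: int, dst_port: int) -> Optional[Flow]:
        """Translate an outside->inside packet. None means there is no matching
        state, so the packet is dropped: inbound traffic nobody asked for never
        reaches an inside host."""
        flow = self._in.get(dst_port)
        if flow is None or flow[2:] != (src_ip, src_port):
            return None
        inside_ip, inside_port, _, _ = flow
        return (src_ip, src_port, inside_ip, inside_port)
```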

  42. Management and Reporting: SNMP, Syslog

  43. RedFox specific: link alarms, fault contact
