
Networking and Reality at DOIT


Presentation Transcript


  1. Networking and Reality at DOIT – VLANs and Security Zones

  2. Communication
  • The OSI Model is the framework we use to describe communication between end users.

  3. What is the OSI Model?
  • The Open Systems Interconnection Basic Reference Model (OSI Reference Model, or OSI Model for short) is a layered, abstract description for communications and computer network protocol design, developed as part of the Open Systems Interconnection (OSI) initiative. It is also called the OSI seven-layer model. The layers, described below, are, from top to bottom: Application, Presentation, Session, Transport, Network, Data Link and Physical.

  4. Common Protocols in OSI Model

  5. Physical
  • Physical Layer 1 connectivity
  • Communication medium such as CAT5 copper cable, multi-mode and single-mode fiber optic cable, wireless frequencies
  • Upcoming technologies include CWDM and DWDM

  6. Data Link
  • Data Link layer 2 connectivity – switches
  • Attachment of Local Area Network devices – PCs, servers (Ethernet adapter card)
  • 10/100/1000 copper or Gigabit fiber
  • Unique MAC address, e.g. 00-0F-1F-8E-DA-FC (burned-in address)
  • Auto-negotiable for speed and duplex
  • Non-routable traffic
  • Broadcast to communicate with another device using ARP
  • Subnet mask (e.g. 255.255.255.0) and IP address determine whether Layer 2 or Layer 3 communication is needed
  • Example – Vlan2 159.247.8.5/24 needs to ARP to find/communicate with Vlan2 159.247.8.6/24
  • Example – Vlan2 159.247.8.5/24 needs Layer 3 network routing to access Vlan3 159.247.80.10
  • Default gateway to access Layer 3 (router/firewall)
  • IP for routing
  • From a data-centric viewpoint, it is about VLANs
  • VLANs live in VTP Domains, which remain isolated from each other
  • DOIT has several VTP Domains:
    • Building Switch VTP Domain –
    • BackBone Switch VTP Domain –
    • Internet\Intranet Switch VTP Domain –
  • ARP – Address Resolution Protocol

  7. Network
  • Network layer 3 – network routing (IP protocol)
  • Routers perform packet delivery from a source to a destination via one or more networks.
  • Network routing is accomplished by using a dynamic routing table. (Static routes are normally redistributed into a dynamic routing protocol.)
  • Routers and firewalls are both Layer 3 devices.
  • Routers and firewalls are connected to Layer 2 (switching).
  • Your default gateway is your local router.
  • VLAN-to-VLAN communication needs Layer 3 routing
  • Example – Vlan2 159.247.8.5/24 needs Layer 3 to access Vlan3 159.247.80.10
  • Unique public IP addressing scheme with subnet masking (159.247.x.x)
  • Private addressing needs Network Address Translation for Internet use: 10.x.x.x, 172.16.x.x–172.31.x.x, 192.168.x.x (x = 0–255)
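The two Vlan2 examples on slides 6 and 7, worked through in code as an added example (not part of the DOIT presentation): given a host's address and mask, decide whether a destination is reached by ARPing for it on the local VLAN or by ARPing for the default gateway and letting the router forward, and whether an address falls in the RFC 1918 private ranges that need NAT before it can reach the Internet. The gateway address 159.247.8.1 is an assumption; the slides do not give it.

```python
import ipaddress

# Assumption: the Vlan2 router/firewall interface. The slides only say
# "default gateway", so this address is constructed for the example.
DEFAULT_GATEWAY = "159.247.8.1"

# The private ranges listed on slide 7, as prefixes.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),       # 10.x.x.x
    ipaddress.ip_network("172.16.0.0/12"),    # 172.16.x.x - 172.31.x.x
    ipaddress.ip_network("192.168.0.0/16"),   # 192.168.x.x
]


def next_hop(src_cidr: str, dst_ip: str, gateway: str = DEFAULT_GATEWAY):
    """Make the same decision a host's IP stack makes before sending.

    Returns ("L2", dst) when the subnet mask says dst is on the local VLAN,
    so the host ARPs for dst itself; otherwise ("L3", gateway), meaning the
    host ARPs for the default gateway and lets the router deliver the packet.
    """
    local = ipaddress.ip_interface(src_cidr)      # e.g. 159.247.8.5/24
    dst = ipaddress.ip_address(dst_ip)
    if dst in local.network:                      # same subnet: Layer 2 job
        return ("L2", str(dst))
    return ("L3", gateway)                        # different subnet: route


def needs_nat(ip: str) -> bool:
    """True if ip is RFC 1918 space, which cannot be routed on the Internet
    without Network Address Translation."""
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in RFC1918_BLOCKS)


if __name__ == "__main__":
    for dst in ("159.247.8.6", "159.247.80.10"):
        layer, arp_target = next_hop("159.247.8.5/24", dst)
        print(f"{dst}: {layer}, ARP for {arp_target}")
    print("10.1.2.3 needs NAT:", needs_nat("10.1.2.3"))
```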

  8. Transport
  • Transport layer 4 – transfer of data between end users
  • Transmission Control Protocol (TCP): reliable delivery
  • TCP requires a 3-way handshake (SYN, SYN-ACK, ACK)
  • TCP keeps track of transmitted data using sequence numbers and will retransmit unacknowledged packets
  • TCP port 80 – HTTP
  • TCP port 25 – SMTP
  • TCP port 23 – Telnet
  • TCP port 21 – FTP
  • User Datagram Protocol (UDP): unreliable delivery
  • UDP port 53 – DNS (Domain Name System)
  • UDP port 161 – SNMP (Simple Network Management Protocol)

  9. Session, Presentation, Application
  • Session layer 5 controls the dialogues/connections (sessions) between computers.
  • It establishes, manages and terminates the TCP connections between the local and remote application.
  • Presentation layer 6 transforms the data to provide a standard interface for the Application layer
    • Data representation (EBCDIC/ASCII conversion)
    • Data encryption/decryption
  • Application layer 7 interfaces directly to, and performs common application services for, the application processes
    • ftp application service/process
    • telnet application service/process
    • CICS application software
    • Oracle

  10. Sniffer Packet Decode

  11. Sniffer Packet Decode

  12. Client to Server Data Flow

  13. http://ct.gov

  14. Commands for Troubleshooting
  • Information that we need: IP address, subnet mask, default gateway
  • netstat -r (routes) or route print
  • netstat -an (port listeners)
  • tracert (Windows)
  • ping
  • ipconfig /all

  15. VLAN
  • Virtual Local Area Network
  • IEEE 802.1Q, aka VLAN tagging
  • Allows for the creation of logical LAN segments within one or more physical switches.
  • VLANs permit the sharing of a switch with isolation.
  • VLANs communicate with one another using Layer 3 routing.
  • VACL – VLAN Access Control List: Layer 2 access filter (local Ethernet LAN segment only)
  • VLANs are defined within the construct of a VTP switch domain (VLAN Trunking Protocol domain).
  • 802.1Q allows for the trunking of VLANs over one or more physical interfaces.

  16. VLANs
  • How we do it:
    • Every physical switch port connection is placed into a VLAN or VLAN trunk.
    • A trunk can carry multiple VLANs by using VLAN tags.
    • Switches can be assigned into a VTP switch domain (VLAN Trunk Protocol), which can share VLAN information across switches. (Redundancy)
  • Products we use:
    • Cisco Catalyst switches
    • Network interface cards that support 802.1Q can trunk VLANs
  • Best practices or procedures:
    • Place similar devices in a separate VLAN for security: prevent access and cross-contamination (VLANs as the framework for security zones)
    • Place all Internet DMZ web servers on a separate VLAN zone
    • Place all Internet DMZ applications on a separate VLAN zone
    • Place all Internet DMZ databases on a separate VLAN zone
  • Issues and implications:
    • Access between VLANs requires Layer 3 network routing using routers/firewalls.
    • Places an overhead on the firewall (con)
    • Provides security access control (pro)
    • Will add some latency to the user response time (con)
  • Standards involved:
    • IEEE 802.1Q VLAN standard
    • ISL – Cisco proprietary VLAN trunk protocol between Cisco devices

  17. VLAN Tagging
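An added example, not from the presentation, showing what the 802.1Q tag from slides 15 to 17 looks like on the wire: the 4-byte tag (TPID 0x8100 plus a 16-bit TCI holding priority, DEI and the 12-bit VLAN ID) is inserted between the source MAC and the original EtherType, and a trunk port should forward only the VLANs it has been configured to carry. The trunk_accepts policy and the frame contents are constructed for illustration, and the slide's MAC 00-0F-1F-8E-DA-FC is used as the source address.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value announcing that an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800

def mac_bytes(mac: str) -> bytes:
    """'00-0F-1F-8E-DA-FC' (the slide's format) or colon form -> 6 raw bytes."""
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))

def tag_frame(dst_mac: str, src_mac: str, vlan_id: int, payload: bytes,
              pcp: int = 0, dei: int = 0, ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Insert an 802.1Q tag between the source MAC and the EtherType, as a
    switch does when it forwards a VLAN's frame out over a trunk."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("802.1Q VID must be 1..4094")
    tci = (pcp << 13) | (dei << 12) | vlan_id   # 3-bit PCP | 1-bit DEI | 12-bit VID
    return (mac_bytes(dst_mac) + mac_bytes(src_mac)
            + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload)

def parse_frame(frame: bytes) -> dict:
    """Return MACs, VLAN id (None when untagged), PCP, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6].hex("-"), frame[6:12].hex("-")
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:                      # untagged: this is the real EtherType
        return {"dst": dst, "src": src, "vlan": None, "pcp": None,
                "ethertype": etype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, etype = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vlan": tci & 0x0FFF, "pcp": tci >> 13,
            "ethertype": etype, "payload": frame[18:]}

def trunk_accepts(frame: bytes, allowed_vlans: set) -> bool:
    """Constructed trunk-port policy: forward only frames tagged with a VLAN
    explicitly allowed on this trunk. Untagged frames (native-VLAN traffic on a
    real trunk) and unknown VIDs are dropped so one zone cannot leak into another."""
    vlan = parse_frame(frame)["vlan"]
    return vlan is not None and vlan in allowed_vlans

if __name__ == "__main__":
    # Constructed broadcast frame from the slide's MAC, tagged for Vlan2
    f = tag_frame("FF-FF-FF-FF-FF-FF", "00-0F-1F-8E-DA-FC", 2, b"\x45" + b"\x00" * 19)
    print(parse_frame(f)["vlan"], trunk_accepts(f, {2, 3}), trunk_accepts(f, {3}))
```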

  18. Conclusion • Questions? • Thank you for your attention!
