
Networking Basics

Tools used in this Class


PacketTracer 7

1. Components of a switch/router

1.1 Hardware components

Memory - Cisco routers (and switches) generally contain four types of memory:

• ROM (Read-Only Memory) - contains a bootstrap program called ROM Monitor. When a router is
powered on, the bootstrap runs a hardware diagnostic called POST (Power-On Self-Test)

• Flash - the bootstrap then attempts to locate and load the Cisco IOS (Internetwork Operating System)
stored in Flash memory. Flash memory can be erased or overwritten, thus making the Cisco
IOS upgradeable.

• NVRAM (Non-Volatile RAM) - If the bootstrap does find the IOS in Flash, the IOS is loaded into RAM and then
attempts to find a Startup Configuration (startup-config) file in NVRAM. NVRAM is non-volatile, thus its
contents will survive a power-cycle.

If the IOS cannot find a startup-config file in NVRAM, it will attempt to load a configuration file from a
TFTP server (this request is broadcasted to 255.255.255.255). If no TFTP server responds, the IOS will enter
Initial Configuration Mode, a series of interactive questions intended for quick configuration of the router.

• RAM (Random-Access Memory) - If the IOS does find a startup-config file in NVRAM, this file is loaded
into RAM, and becomes the Running Configuration (running-config). RAM is a volatile memory, and thus
its contents will be lost if the router is power cycled.

ASIC processor (Application Specific Integrated Circuit)

A switch is a layer 2 device (can be also L3 device to some extent) that makes traffic decisions based on the layer 2
frame destination MAC address.

Some switches can also process data at the network layer (L3) by additionally incorporating routing functionality
that most commonly uses IP addresses to perform packet forwarding; such switches are commonly known as
layer-3 switches or multilayer switches.

The ASIC is basically a CPU that is not a general purpose CPU but is a CPU for making switching decisions very
quickly. It can't be used for much else. This is similar to a high-end graphics card that has a special CPU for graphics
processing that wouldn't be good for general applications. Hence the name, Application Specific Integrated Circuit.

One of the latest programmable ASICs:

1 byte = 8 bits

1 MB (megabyte) = 8 Mb (megabits)

Mbps = megabits per second

In computers, everything is stored in binary (base 2). This makes it convenient to use powers of 2 to express
sizes and memory addresses. 1024 is 2^10, the power of 2 which is closest to 1000. So computer engineers
used the term gigabyte to denote 1024 megabytes.

Binary based units for data:


1 KB = 1024 bytes,
1 MB = 1024 KB,
1 GB = 1024 MB,
1 TB = 1024 GB

The more ports you add to a switch, the more processing the switch has to do. Just a few ports can be handled by
software written to run on an off-the-shelf CPU. As the number of switch ports increases, a software solution
running on a general purpose CPU can't keep up.

Switches generally don't support tunneling techniques such as GRE, IPSec since those are not implemented in the
ASICs in the switches. They generally don't support doing NAT either.

A hub does not need an ASIC because it is not buffering frames, making a decision, and switching the frame out of
the correct port. A hub simply is a repeater with a bunch of ports. It regenerates the actual signal on the wire.

Router – an L3 device that forwards data packets from one network to another. Based on the address of the
destination network in the incoming packet and an internal routing table, the router determines which port (line)
to send the packet out of.

In general purpose routers, packet switching takes place using software that runs on a microprocessor, whereas a
Layer 3 switch performs this using dedicated application-specific integrated circuit (ASIC) hardware.

Modular switches allow you to add expansion modules into the switch as needed: modules for additional
interfaces, power supplies, or cooling fans.

Unmanaged switches – offer only basic layer 2 switching and connectivity and cannot be modified/reconfigured.

Managed switches – deliver the most comprehensive set of features to provide the best application experience,
the highest levels of security, the most precise control and management of the network and they are configurable.

Stackable switch – two or more switches that can function as a single switch – there is a single SNMP/RMON
agent, single Spanning Tree domain, single CLI or Web interface – i.e. a single management plane.

A Top-of-Rack (or TOR) switch is a switch with a low number of ports that sits at the very top or in the middle of a
19” rack in data centers or service provider co-location facilities. A TOR switch provides a simple, low-cost way to
easily add more capacity to a network. It connects several servers and other network components such as storage
together in a single rack. Adding more server and storage capacity to a network is greatly simplified, eliminating
the use of complicated patch panels and cabling from each server or storage device.

Interfaces, lines, Console connection

Cisco devices contain two distinctly different types of ports, interfaces and lines.

Interfaces connect routers and switches to each other. In other words, traffic is actually routed or switched across
interfaces. Examples of interfaces include (but are not limited to):

• Serial interfaces (typically used for WAN connections from ISPs (Internet Service Providers) for
connectivity types like Frame Relay, T1, T3, etc.)
• Ethernet interfaces (10 Mbps – UTP Cat 5)
• Fast Ethernet interfaces (100 Mbps – UTP Cat 5)
• Gig Ethernet (1 Gbps – UTP Cat 6, fiber optic (SFP + optics))
• 10 Gig Ethernet (10 Gbps – Twin-ax copper, fiber optic (SFP+ optics)) **
** http://wiki.networksecuritytoolkit.org/images/NETGEAR_Whitepaper_10_Gigabit.pdf

Lines identify ports that allow us to connect into, and then configure Cisco devices. The most common examples
of lines include:

• Console ports (out of band )

• Auxiliary ports

• VTY (telnet, ssh) ports

Every modern Cisco router or switch includes a console port, used for initial configuration or for troubleshooting
when the switch is not accessible over the network (this is an out-of-band serial connection). The console port is
generally an RJ-45 connector on one end, and the opposite side of the rollover cable connects to a PC's serial port
using a serial terminal adapter:

In enterprise environments the console ports are connected to a console device/server that has web interface.

* Example of Avocent console server from production.

2. OSI Layers, TCP/IP connections and basic subnetting

2.1 OSI layers, examples packets, frames, protocols on each layer

- OSI model – a theoretical model that separates the communications process into layers and describes
the interactions between them. The International Organization for Standardization worked on this
standard, Open Systems Interconnection.
- TCP/IP model – describes how data is actually sent and received through network adapters, hubs, switches,
routers and other network communications hardware; it is what every communications device in use today
implements.

- Encapsulation - provides a mechanism for implementing the separation between layers:

1. Physical Layer – Bits - Cables, Radio, Microwave, etc.

2. Data Link Layer – Frames - Ethernet, WiFi

3. Network Layer – Packets - Routers

4. Transport Layer – Segments - Load Balancers/Firewalls.

5. Session Layer – Data - Load Balancers/Firewalls/Computers

6. Presentation Layer – Data - Load Balancers/Firewalls/Computers

7. Application Layer – Data - Load Balancers/Firewalls/Computers

2.2 TCP/IP server-client connections

In TCP/IP communications, the IP Address is analogous to a telephone number and the port number would
be analogous to a particular extension once the call has been answered.

The “Client” in a TCP/IP connection is the computer or device that “dials the phone” and the “Server” is
the computer that is “listening” for calls to come in.

In other words, the Client needs to know the IP Address of whatever Server it wants to connect to and it
also needs to know the port number that it wants to send and receive data through after a connection has
been established. The Server only has to listen for connections and either accept them or reject them
when they are initiated by a client.

Once a connection through a TCP/IP port has been established between a TCP/IP client and a TCP/IP
server, data can be sent in either direction exactly the same way that data is sent through any other type
of port on a PC (serial, parallel, etc.). The only difference is that the data is sent across your network. The
connection between a Client and a Server remains open until either the client or the server terminates the
connection (i.e. hangs up the phone). One extremely nice benefit of the TCP/IP protocol is that the low
level drivers that implement the sending and receiving of data perform error checking on all data, so you
are guaranteed that there will be no errors in any data that you send or receive.

How are TCP connections established?

TCP connections use a 3-way handshake (SYN, SYN-ACK, ACK) mechanism over an IP network. There are
three messages transmitted by TCP to negotiate and start a TCP session between two computers, and the
parameters of the TCP socket connection are negotiated before transmitting data such as SSH or
HTTP web browser requests or any other upper layer protocol.

TCP is a reliable Layer 4 protocol that provides a delivery guarantee, which means a message sent using
TCP is guaranteed to be delivered to the receiving side. If a message is lost in transit it is recovered
by resending; this is handled by the TCP protocol itself. On the other hand, UDP is unreliable; it doesn't
provide any delivery guarantee. A datagram may be lost in transit.

Listing established TCP/IP connections from Windows:

netstat -ano

Identify active (listening) ports of specific applications using the PID (process ID) of the application.

Example: find the application listening on TCP port 3306:
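As an added example (not part of the original notes), a small parser for the columns printed by netstat -ano on Windows that answers exactly the question above: which PID has a listening TCP socket on a given port. The sample output is constructed, and the function names are assumptions.

```python
# Added example (not from the notes): parse "netstat -ano" output on Windows to
# find which process ID is listening on a given TCP port. The sample output
# below is constructed for illustration.

import re

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       4520
  TCP    127.0.0.1:49700        127.0.0.1:3306         ESTABLISHED     7716
  TCP    192.168.1.10:49712     93.184.216.34:443      ESTABLISHED     2280
  TCP    [::]:3306              [::]:0                 LISTENING       4520
  UDP    0.0.0.0:5353           *:*                                    1684
"""

# Proto, local endpoint, remote endpoint, optional state (UDP has none), PID
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)

def split_endpoint(endpoint: str):
    """'0.0.0.0:3306' -> ('0.0.0.0', 3306); '[::]:3306' -> ('::', 3306)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)

def parse_netstat(text: str) -> list:
    """One dict per socket line; header, blank and unparsable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, port = split_endpoint(m["local"])
        rows.append({
            "proto": m["proto"],
            "local_host": host,
            "local_port": port,
            "state": m["state"] or "",     # UDP rows carry no state column
            "pid": int(m["pid"]),
        })
    return rows

def listeners_on_port(text: str, port: int) -> set:
    """PIDs with a TCP socket in LISTENING state on `port`, on any local address."""
    return {
        r["pid"] for r in parse_netstat(text)
        if r["proto"] == "TCP" and r["state"] == "LISTENING" and r["local_port"] == port
    }

def listening_ports(text: str) -> dict:
    """Inventory of every TCP listener: port -> set of PIDs (useful as a baseline)."""
    inventory = {}
    for r in parse_netstat(text):
        if r["proto"] == "TCP" and r["state"] == "LISTENING":
            inventory.setdefault(r["local_port"], set()).add(r["pid"])
    return inventory

if __name__ == "__main__":
    print(listeners_on_port(SAMPLE_NETSTAT, 3306))   # {4520}
    print(listening_ports(SAMPLE_NETSTAT))
```

The PID returned can then be matched against the process list (tasklist on Windows) to name the application.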

2.3 Network classes and basic subnetting

IP address – a 32-bit number, which we shorten into dotted-decimal notation by translating each byte of
the 32-bit sequence into a decimal value and separating those numbers with periods (the decimal chunks
are referred to as octets, groups of eight binary values).
Binary arithmetic
- In binary arithmetic, each bit within a group represents a power of two

- The following table represents the value for each bit in a byte (remember, a byte is 8 bits). In
binary math, the values for the bits ascend from right to left:

8th bit | 7th bit | 6th bit | 5th bit | 4th bit | 3rd bit | 2nd bit | 1st bit
128 (2^7) | 64 (2^6) | 32 (2^5) | 16 (2^4) | 8 (2^3) | 4 (2^2) | 2 (2^1) | 1 (2^0)

Example 1: what does an 8-bit binary number like 01101110 represent? The following table
dissects this number. Remember, a computer uses 1 to signify "on" and 0 to signify "off":

128 (2^7) | 64 (2^6) | 32 (2^5) | 16 (2^4) | 8 (2^3) | 4 (2^2) | 2 (2^1) | 1 (2^0)
0 | 1 | 1 | 0 | 1 | 1 | 1 | 0

64 + 32 + 8 + 4 + 2 = 110

Example 2:

The full IP address consists of two parts:
1. a network prefix defining the network
2. a host address identifying the host on that network

All hosts that share the same network prefix are on the same network: there cannot be any routers between them.
Hosts that have different network prefixes need a router between them so they can communicate with each other.

The subnet mask or the prefix (/24) tells you which part of the ip address represents the network and
which part represents the host.

Classful addressing

- Each class has a different length for its network prefix


- Each class of network can support a set number of hosts

Class A, B, and C networks have default masks, also known as natural masks, as shown here:

Class A: 255.0.0.0
Class B: 255.255.0.0
Class C: 255.255.255.0

Classless addressing
- in most cases, having the same subnet mask for all subnets ends up wasting address space
- classless addressing (CIDR) moves away from the traditional IP classes (Class A, Class B, Class C,
and so on)
- in CIDR, an IP network is represented by a prefix (example /24), which is an IP address and some
indication of the length of the mask:
• network 172.16.0.0 255.255.0.0 can be represented as 172.16.0.0/16
• if an ISP owns network 172.16.0.0/16, then the ISP can offer 172.16.1.0/24, 172.16.2.0/24,
and so on to customers
- CIDR allows the network prefix to be an arbitrary length, through variable-length subnet masking
(VLSM)

Private vs Public ip addresses


- Private addresses - are typically used inside an organization where public IP addresses are not
needed. Privately addressed devices can still access external resources by way of Network Address
Translation (NAT):

Class | Private Networks | Subnet Mask | Address Range
A | 10.0.0.0 | 255.0.0.0 | 10.0.0.0 - 10.255.255.255
B | 172.16.0.0 - 172.31.0.0 | 255.240.0.0 | 172.16.0.0 - 172.31.255.255
C | 192.168.0.0 | 255.255.0.0 | 192.168.0.0 - 192.168.255.255

- Public IP addresses:
• what differentiates all devices that are plugged in to the public internet
• assigned by ISPs to companies or private users **
• are guaranteed to be globally unique on the Internet
• each and every device that's accessing the internet is using a unique IP address.

** When an organization is assigned a CIDR block in the form of a network ID and subnet
mask, that [network ID, subnet mask] pair also exists as a route in the routers of the Internet.
IP packets destined to an address within the CIDR block are routed to the proper destination

2.4 Broadcast, multicast and unicast traffic

Unicast traffic - refers to a single sender or a single receiver, and can be used for both sending and
receiving. Usually, a unicast address is associated with a single device or host, but a device or host may
have more than one unicast address.

Broadcast traffic - In IPv4 it is possible to send data to all possible destinations ("all-hosts broadcast"),
which permits the sender to send the data only once, and all receivers receive a copy of it. In the IPv4
protocol, the address 255.255.255.255 is used for local broadcast.

In addition, a directed broadcast (as opposed to the limited broadcast 255.255.255.255 above) can be made by
combining the network prefix with a host suffix composed entirely of binary 1s; it can be routed by an L3 device,
for example 10.10.10.255.

Multicast traffic - identifies logical groups of computers. A single message can then be sent to the group.
In IPv4, addresses 224.0.0.0 through 239.255.255.255 (the former Class D addresses) are designated as
multicast addresses.

3. Basic switch/router configuration

Using the Command-Line Interface

- Connecting to a switch:
• Console port
• telnet (deprecated) – using the management IP and a virtual management interface
• ssh – using the management IP and a virtual management interface
- Check the boot process of a switch from the console: boot loader, POST, OS image loading
- Using the built-in help – type ? in each mode to list all commands available in that mode

Configurations modes

User Mode - the user EXEC commands allow you to connect to remote devices, change terminal line
settings on a temporary basis, perform basic tests, and list system information.

Privileged Mode - to enter privileged EXEC mode from user EXEC mode, use the enable command.
Privileged EXEC mode allows access to global configuration mode through the use of the enable
command.

Global config Mode - used to configure your system globally, or to enter specific configuration modes to
configure specific elements such as interfaces or protocols

Basic switch configuration

- Disable dns name translation, otherwise all wrongly typed commands in CLI will be (unsuccessfully)
resolved as a dns name:

- Get version, serial number

- Set hostname for a switch:

- View/Backup/Restore configuration:

• View running/startup configuration:

Switch# show running-config

• Copy running configuration to startup configuration:

Switch# copy running-config startup-config

• Backup/Restore configuration

Backup the running configuration to local flash (it is also possible to copy it to a remote FTP or
TFTP server):

Restore configuration from a file stored on flash to the startup configuration (a reboot is required
for the restored config to take effect):

- Accessing a switch with in-band and out-of-band methods: ssh, telnet, console

• The most basic level of security you can configure on a Cisco IOS device is a password. When
this is done, a password is assigned to allow access to the privileged/global configuration
mode.
• Another option is to create a basic local authentication database containing usernames and
passwords.

• Set password** only, or username and password (local database), for Telnet/SSH lines:

Create a local username and password***:

Set it on the vty lines:

Enable ssh access:

• Set password** only, or username and password (local database), for the Console line:

Create a local username and password ***:

Set it on the console:

** Use enable secret to set the password for Enable mode: Switch(config)#enable secret parola, or set
encryption on global level with:

*** Users can be created with different types of access; for example, level 15 is the Cisco admin level and
level 7 is a moderate user access level:

username admin priv 15 password cisco

username bob priv 7 password cisco

- Assign IP address to a switch / Set a management interface

• Create a management VLAN:

• Assign an IP address to VLAN 99:

• Assign a physical interface to VLAN 99:

- Show interface, Full Duplex/Half Duplex, interface counters, MTU

Auto-negotiation on ports is a function of the Fast Ethernet standard that enables devices to
automatically exchange information over a link about their speed and duplex abilities.

Use the include command to filter results:

MTU is short for Maximum Transmission Unit, the largest physical packet size, measured in bytes that
a network can transmit. Any messages larger than the MTU are divided into smaller packets before
transmission (standard is 1500 bytes for a packet or 1518 bytes for a frame).

Has to be set up end to end the same, otherwise some network devices will fragment the packet into
multiple ones!

Jumbo frames - are frames that are bigger than the standard Ethernet frame size, which is 1518 bytes
(including Layer 2 (L2) header). Jumbo frames can improve network performance by making data
transmissions more efficient.

Example of jumbo frame size: 9000 bytes, used for storage traffic (iSCSI), but only if the network
supports at least 1 Gbps.

Test if Jumbo frames (or any other kind of non-standard frames) are implemented in a network end to
end:

The size you specify on the ping command is actually the size of the ICMP payload. In this case,
1472 of payload + 8 bytes of ICMP header + 20 bytes of IP header results in a 1500 bytes IP
packet!

Extra references
Duplex and speed explained:
https://www.cisco.com/c/en/us/support/docs/lan-switching/ethernet/10561-3.html

- CDP (Cisco Discovery Protocol) – is a Layer 2, media-independent, and network-independent protocol
that runs on Cisco devices and enables networking applications to learn about directly connected
devices nearby.

With CDP, you can use a few show commands to quickly view information about directly connected
devices. Depending on the type of device and version of IOS, you can view information such as the
host name, the local and remote ports, and the device platform

- Show tech support and putty logging for vendor calls:

Once you open the ssh connection to the switch right click on the window and choose Change
Settings:

In the logging category check All session output:

Then click Browse and choose a name for the log file as well as the location where it will be stored.
Click Apply in the PuTTY Reconfiguration window and close it; now you can issue the following command
on the switch:

switch1# show tech-support

After the logs have been gathered, set in the PuTTY Reconfiguration window:
Session logging: None

- Reboot a switch

- Switch port security


Anyone can access unsecured network resources by simply plugging their host into one of the available
switch ports. A user can also change their physical location in the LAN without telling the admin.
Port security allows only specific devices to connect to a port (between 1 and 132 devices can be set),
identified by the MAC address of the device.

4. Switch Mac address table

Switch Mac address table - for a switch to transfer the frames (packets) between LAN ports efficiently, the switch
maintains a dynamic address table: port – mac address mapping

When the switch receives a frame, it associates the media access control (MAC) address of the sending network
device with the LAN port on which it was received.

The switch dynamically builds the address table by using the MAC source address of the frames received. When
the switch receives a frame for a MAC destination address not listed in its address table, it floods the frame to all
LAN ports of the same VLAN except the port that received the frame. When the destination station replies, the
switch adds its relevant MAC source address and port ID to the address table. The switch then forwards
subsequent frames to a single LAN port without flooding all LAN ports.

The switch uses an aging mechanism, defined by a configurable aging timer, so if an address remains inactive for a
specified number of seconds, it is removed from the address table (the default is ~300 seconds).
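A minimal model of the learning, forwarding, flooding and aging behaviour just described, as an added example that is not part of the original notes. Port names, VLAN numbers and MAC addresses are constructed; the aging timer defaults to the ~300 seconds mentioned above.

```python
# Added example (not from the notes): a model of the dynamic MAC address table.
# It learns the source MAC on the ingress port, forwards known destinations to
# one port, floods unknown unicast and broadcast frames within the VLAN, and
# ages out idle entries. All names and addresses below are constructed.

BROADCAST = "ff:ff:ff:ff:ff:ff"

class Switch:
    def __init__(self, ports, aging_seconds=300):
        self.ports = ports            # port name -> access VLAN, e.g. {"Gi1/0/1": 10}
        self.aging = aging_seconds    # default aging timer is ~300 s on Cisco switches
        self.table = {}               # (vlan, mac) -> (port, last_seen)

    def age_out(self, now):
        """Drop entries not refreshed within the aging timer; return what was dropped."""
        expired = [key for key, (_, seen) in self.table.items() if now - seen > self.aging]
        for key in expired:
            del self.table[key]
        return expired

    def receive(self, in_port, src_mac, dst_mac, now):
        """Process one frame; return the sorted list of ports it is sent out of."""
        vlan = self.ports[in_port]
        self.age_out(now)
        # learning: the sender's MAC is now reachable via the ingress port
        self.table[(vlan, src_mac.lower())] = (in_port, now)
        entry = self.table.get((vlan, dst_mac.lower()))
        if dst_mac.lower() != BROADCAST and entry is not None:
            out_port = entry[0]
            return [] if out_port == in_port else [out_port]   # same port: nothing to do
        # unknown unicast or broadcast: flood the VLAN, except the ingress port
        return sorted(p for p, v in self.ports.items() if v == vlan and p != in_port)

    def locate(self, mac, vlan):
        """Port a MAC was last seen on in this VLAN (what 'show mac address-table' lists)."""
        entry = self.table.get((vlan, mac.lower()))
        return entry[0] if entry else None

if __name__ == "__main__":
    sw = Switch({"Gi1/0/1": 10, "Gi1/0/2": 10, "Gi1/0/3": 10, "Gi1/0/4": 20})
    print(sw.receive("Gi1/0/1", "00:50:56:aa:00:01", "00:50:56:aa:00:02", now=0))    # flooded
    print(sw.receive("Gi1/0/2", "00:50:56:aa:00:02", "00:50:56:aa:00:01", now=1))    # ['Gi1/0/1']
    print(sw.locate("00:50:56:aa:00:02", 10))                                         # Gi1/0/2
    print(sw.receive("Gi1/0/3", "00:50:56:aa:00:03", "00:50:56:aa:00:02", now=400))  # aged out: flooded
```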

ARP protocol and devices' LAN communication

When two computers on the LAN want to communicate with each other the following will happen:

- An IP packet is created with a source and destination IP address carrying the data from an application.
- The IP packet will be encapsulated in an Ethernet frame with a source and destination MAC address.
- The sending computer will of course know its source MAC address but how does it know the
destination MAC address?
Answer: using ARP

ARP - resolves IP addresses to MAC addresses (or Layer 3 logical addresses to Layer 2 physical addresses). The
ARP table is populated on Layer 3 devices, and can be found on switches as well when using the switch management IP.

To find a destination MAC a computer sends an ARP Request. This message basically says:

“Who has 192.168.1.2 and what is your MAC address?” Since we don’t know the MAC address we will
use the BROADCAST MAC address for the destination (FF:FF:FF:FF:FF:FF).

Destination computer receives the broadcasted message and will reply with a UNICAST message ARP
Reply , basically saying “that’s me! And this is my MAC address”.

ARP table from a Windows computer:

ARP table from a Cisco switch using a management IP:

Locate where a computer is connected using arp table and mac address table:

- On the routing device use show ip arp to find the mac address of the ip
- On the Layer 2 switch use mac address table to find the physical port where computer is connected
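The two-step lookup above automated, as an added example that is not part of the original notes: the IP is resolved through the output of show ip arp, and the resulting MAC through the output of show mac address-table. Both command outputs are constructed samples; port names, addresses and the uplink list are assumptions.

```python
# Added example (not from the notes): locate the switch port a host is plugged
# into by chaining "show ip arp" (L3 device) with "show mac address-table"
# (L2 switch). Both outputs below are constructed samples.

import re

SAMPLE_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             -   0011.2233.4455  ARPA   Vlan10
Internet  192.168.1.2             5   0050.56aa.bb01  ARPA   Vlan10
Internet  192.168.1.50           12   0050.56aa.bb32  ARPA   Vlan10
"""

SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    STATIC      CPU
  10    0050.56aa.bb01    DYNAMIC     Gi1/0/7
  10    0050.56aa.bb32    DYNAMIC     Gi1/0/24
  20    0050.56aa.cc10    DYNAMIC     Gi1/0/9
Total Mac Addresses for this criterion: 4
"""

ARP_RE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\S+\s+(?P<mac>[0-9a-fA-F.]{14})\s+ARPA\s+(?P<intf>\S+)"
)
MAC_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-fA-F.]{14})\s+(?P<kind>\S+)\s+(?P<port>\S+)\s*$"
)

def normalize_mac(mac: str) -> str:
    """Accept 0050.56aa.bb01 (Cisco), 00-50-56-aa-bb-01 (Windows arp -a) or colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_arp(text: str) -> dict:
    """ip -> (mac, interface) from 'show ip arp'."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            table[m["ip"]] = (normalize_mac(m["mac"]), m["intf"])
    return table

def parse_mac_table(text: str) -> dict:
    """mac -> (vlan, port, type) from 'show mac address-table'."""
    table = {}
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            table[normalize_mac(m["mac"])] = (int(m["vlan"]), m["port"], m["kind"])
    return table

def locate_host(ip: str, arp_text: str, mac_text: str, uplinks=()):
    """Where the host with `ip` sits, or None if the L3 device has no ARP entry for it.
    A MAC learned on an uplink (or a STATIC/CPU entry) means the host is not on a
    local access port of this switch; keep following the uplink to the next switch."""
    arp = parse_arp(arp_text)
    if ip not in arp:
        return None
    mac, svi = arp[ip]
    entry = parse_mac_table(mac_text).get(mac)
    if entry is None:
        return {"mac": mac, "svi": svi, "vlan": None, "port": None, "local": False}
    vlan, port, kind = entry
    return {"mac": mac, "svi": svi, "vlan": vlan, "port": port,
            "local": kind == "DYNAMIC" and port not in uplinks}

if __name__ == "__main__":
    print(locate_host("192.168.1.2", SAMPLE_SHOW_IP_ARP, SAMPLE_MAC_TABLE, uplinks=("Gi1/0/24",)))
    print(locate_host("192.168.1.50", SAMPLE_SHOW_IP_ARP, SAMPLE_MAC_TABLE, uplinks=("Gi1/0/24",)))
```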

5. VLANS and STP (Spanning Tree Protocol)

Understanding VLANs

A LAN is a local area network and is defined as all devices in the same broadcast domain (routers stop broadcasts,
switches just forward them).

A VLAN is a group of devices (or ports) on one or more LANs that are configured to communicate as if they were
attached to the same wire, when in fact they are located on a number of different LAN segments. Because VLANs
are based on logical instead of physical connections, they are extremely flexible.

- VLANs define broadcast domains in a Layer 2 network (all ports in a single VLAN are in a single
broadcast domain)

- VLANs enhance network security. In a typical layer 2 network, all users can see all devices by
default. Any user can see network broadcasts and respond to them. Users can access any network
resources located on that specific network. Users could join a workgroup just by attaching their
system to an existing switch.

- VLANs offer higher performance for medium and large LANs because they limit broadcasts

- are often associated with IP subnetworks. For example, all of the end stations in a particular IP subnet
belong to the same VLAN

- traffic between VLANs must be routed

- you must assign LAN interfaces a VLAN membership on an interface-by-interface basis

- on a Cisco switch, VLANs are enabled by default and ALL devices are already in VLAN 1. So, by default,
you can just use all the ports on a switch and all devices will be able to talk to one another

Creating VLANs, adding ports to a VLAN

Set the following parameters when you create a VLAN on a switch:

• VLAN number
• VLAN name

Configure trunk ports

In order to pass traffic from VLANs on one switch to another switch we need to implement what is called a
trunk port.

There are two types of ports on a Cisco switch:

- Access ports** can be assigned to a single VLAN and are used to connect a single host to the
network.
- Trunk ports are designed for interconnecting switches and allow one or more VLANs to be assigned to
the port.

** The term 'tagged' is usually used when referring to the particular configuration of an access port, even
though actual tagging on a Cisco switch only occurs on trunk ports, to make sure that traffic from a
particular VLAN can be differentiated from other VLANs.

To remove a VLAN from a trunk:

Native and default VLANs

NATIVE VLAN represents traffic sent and received on a trunk interface that does not have a tag. So
although the NATIVE VLAN exists also on access ports, its role is relevant only on trunk ports (default is
VLAN ID 1). This allows anything from a port which wasn't configured with a vlan down the trunk.

Native VLAN 1 is used for management traffic so that the switches can speak with each other and pass
management packets (for example CDP; even if you change the native VLAN, you can examine the packets and
see that they will still be marked as VLAN 1).

Example:

You have 2 switches connected via a trunk port; you create VLAN 2 on both switches; on one end of the
trunk you modify the NATIVE VLAN to be VLAN 2. What will happen, in short? If the first switch (with
NATIVE VLAN 1 on the trunk) receives a frame from VLAN 1 and decides it needs to send the frame on the
trunk port, it will see that the frame was issued from VLAN 1, which is the NATIVE VLAN on the trunk port,
so it will send the frame out the trunk port UNTAGGED. Now when switch 2 receives the frame, it sees it is
untagged and it will associate the frame with its NATIVE VLAN, which is VLAN 2.
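The scenario above replayed in a small model of 802.1Q trunk tagging, as an added example that is not part of the original notes: the native VLAN leaves the trunk untagged, and an untagged frame is assigned the receiver's native VLAN, so a mismatch silently moves traffic between VLANs in both directions. Function names and the VLAN numbers in the checks are assumptions.

```python
# Added example (not from the notes): how a switch tags frames on an 802.1Q
# trunk, used to replay the native VLAN mismatch scenario. Constructed for
# illustration; VLAN numbers are the ones from the example in the text.

UNTAGGED = None   # a frame on the wire with no 802.1Q tag

def egress_trunk(frame_vlan: int, native_vlan: int):
    """Tag a frame gets when it leaves a trunk port: none if it is in the native VLAN."""
    return UNTAGGED if frame_vlan == native_vlan else frame_vlan

def ingress_trunk(wire_tag, native_vlan: int) -> int:
    """VLAN the receiving switch assigns: untagged frames land in its native VLAN."""
    return native_vlan if wire_tag is UNTAGGED else wire_tag

def cross_trunk(frame_vlan: int, native_sender: int, native_receiver: int) -> int:
    """VLAN a frame ends up in on the far switch after crossing the trunk."""
    return ingress_trunk(egress_trunk(frame_vlan, native_sender), native_receiver)

def leaked_vlans(native_a: int, native_b: int, vlans) -> list:
    """(from_vlan, to_vlan) pairs where a frame changes VLAN in either direction."""
    leaks = set()
    for vlan in vlans:
        to_b = cross_trunk(vlan, native_a, native_b)   # switch A -> switch B
        if to_b != vlan:
            leaks.add((vlan, to_b))
        to_a = cross_trunk(vlan, native_b, native_a)   # switch B -> switch A
        if to_a != vlan:
            leaks.add((vlan, to_a))
    return sorted(leaks)

def trunk_natives_match(native_a: int, native_b: int) -> bool:
    """The check to run on every trunk: both ends must agree on the native VLAN."""
    return native_a == native_b

if __name__ == "__main__":
    # switch 1 keeps native VLAN 1, switch 2 is changed to native VLAN 2
    print(cross_trunk(1, 1, 2))            # 2: VLAN 1 traffic from switch 1 lands in VLAN 2
    print(leaked_vlans(1, 2, [1, 2, 10]))  # [(1, 2), (2, 1)]
    print(leaked_vlans(1, 1, [1, 2, 10]))  # []
    print(trunk_natives_match(1, 2))       # False
```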

Understand STP (preventing loops for packets in your network)

Redundant links are as important as backups in the case of a failover in a network. A failure of your
primary activates the backup links so that users can continue to use the network. Without STP on the
bridges and switches, such a failure can result in a loop.

The main purpose of STP is to ensure that you do not create loops when you have redundant paths in your
network.

How STP works:

- All the switches in the network multicast BPDUs (Bridge Protocol Data Units) to discover if
there are any loops out there. BPDUs are data frames that contain STP parameters.

- If a switch receives back its own BPDU, it establishes that there are loops in the network.

- A series of elections takes place between the switches, based on MAC addresses and some cost
values:

• root bridge - for all the switches in the network the root bridge becomes the focal
point in the network. All other decisions in the network, such as which port to
block and which port to put in forwarding mode, are made from the perspective
of this root bridge.
• root ports - the best ways to reach the root switch
• designated ports - ports that are forwarding data
• blocking ports

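The elections listed above worked through in code, as an added example that is not part of the original notes: the root bridge is the lowest bridge ID (priority, then MAC), each other bridge picks the port with the cheapest path to the root as its root port, each link gets one designated end, and whatever is left is blocking. Bridge names, MACs, port names and link costs are constructed.

```python
# Added example (not from the notes): STP root bridge election and port roles
# (root / designated / blocking) over a small constructed topology.

import heapq

def bridge_id(priority: int, mac: str) -> tuple:
    """Lower wins; priority is compared first, then the MAC address."""
    return (priority, mac.lower())

def elect_root(bridges: dict) -> str:
    """bridges: name -> (priority, mac). The root is the lowest bridge ID."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))

def root_path_costs(root: str, links: list) -> dict:
    """Dijkstra over link costs: cheapest total cost from each bridge to the root."""
    adj = {}
    for a, _, b, _, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    costs = {root: 0}
    heap = [(0, root)]
    while heap:
        c, node = heapq.heappop(heap)
        if c > costs.get(node, float("inf")):
            continue
        for peer, w in adj.get(node, []):
            if c + w < costs.get(peer, float("inf")):
                costs[peer] = c + w
                heapq.heappush(heap, (c + w, peer))
    return costs

def port_roles(bridges: dict, links: list):
    """links: (bridge_a, port_a, bridge_b, port_b, cost). Returns (root, {(bridge, port): role})."""
    root = elect_root(bridges)
    cost = root_path_costs(root, links)
    inf = float("inf")
    bid = {name: bridge_id(*bridges[name]) for name in bridges}
    # root port: per non-root bridge, the port with the cheapest path to the root
    # (ties broken by the neighbour's bridge ID, then the port name)
    best = {}
    for a, pa, b, pb, w in links:
        for me, my_port, peer in ((a, pa, b), (b, pb, a)):
            if me == root:
                continue
            candidate = (cost.get(peer, inf) + w, bid[peer], my_port)
            if me not in best or candidate < best[me]:
                best[me] = candidate
    root_port = {me: candidate[2] for me, candidate in best.items()}
    roles = {}
    for a, pa, b, pb, w in links:
        # designated end of a link: cheaper root path cost, tie broken by lower bridge ID
        designated = a if (cost.get(a, inf), bid[a]) <= (cost.get(b, inf), bid[b]) else b
        for me, my_port in ((a, pa), (b, pb)):
            if root_port.get(me) == my_port:
                roles[(me, my_port)] = "root"
            elif me == designated:
                roles[(me, my_port)] = "designated"
            else:
                roles[(me, my_port)] = "blocking"   # the redundant path STP shuts down
    return root, roles

BRIDGES = {   # constructed: equal default priority, so the lowest MAC wins
    "SW1": (32768, "0000.0000.0001"),
    "SW2": (32768, "0000.0000.0002"),
    "SW3": (32768, "0000.0000.0003"),
}
LINKS = [     # a triangle with one slower (higher cost) link
    ("SW1", "Gi0/1", "SW2", "Gi0/1", 4),
    ("SW1", "Gi0/2", "SW3", "Gi0/1", 4),
    ("SW2", "Fa0/1", "SW3", "Fa0/1", 19),
]

if __name__ == "__main__":
    root, roles = port_roles(BRIDGES, LINKS)
    print(root)                        # SW1
    for key in sorted(roles):
        print(key, roles[key])         # SW3 Fa0/1 is the blocking port
```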
Check default configuration of STP

Extra references:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/vlans.html

6. Etherchannel, Portchannels and LACP basic configuration

EtherChannel or Link Aggregation is used to provide fault-tolerance and high-speed links between switches, routers,
and servers by grouping two to eight physical Ethernet links to create a logical Ethernet link with additional
failover links.

- It's Cisco proprietary
- The "Port-channel" is the name of this virtual interface in IOS
- Port-Channel = EtherChannel = Link Aggregation
- Used to accomplish network redundancy, load balancing, and fail-over

Link Aggregation Control Protocol (LACP) - Controls the bundling of several physical ports into a single logical
channel. Permits a form of signaling on each member link (each member link status is negotiated with the other
side).

LACP allows a network device to negotiate an automatic bundling of links by sending LACP packets to the peer
(directly connected device that also implements LACP).

LACP is only supported in vSphere 5.1, 5.5 and 6.0 using vSphere Distributed Switches (VDS) or the Cisco Nexus
1000v.
ESXi/ESX link aggregation:

- ESXi/ESX host only supports NIC teaming on a single physical switch or stacked switches.
- Link aggregation is never supported on disparate trunked switches.
- The switch must be set to perform 802.3ad link aggregation in static mode ON and the virtual switch must
have its load balancing method set to Route based on IP hash. Ensure that the participating NICs are
connected to the ports configured on the same physical switch.

Example of configuring LACP active one end (the 2nd end/2nd device will be configured the same just in passive
mode) and check the etherchannel configuration:

29
To remove an interface from an existing PO (configuration to be done on both ends):

Switch(config)#int fastEthernet 0/3

Switch(config-if)#

Switch(config-if)#no channel-group 1

To add an interface to an existing PO (configuration to be done on both ends):

Switch(config)#inter fastEthernet

Switch(config-if)#channel-group 1 mode active


Extra references

Best Practices for Virtual Networking:

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/support/landing-pages/virtual-support-day-best-practices-virtual-networking-june-2012.pdf

Etherchannel configuration on CISCO:

http://danscourses.com/etherchannel/

Host requirements for link aggregation for ESXi and ESX:

https://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=1001938

Sample configuration of EtherChannel / Link Aggregation Control Protocol (LACP) with ESXi/ESX and Cisco/HP
switches:

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1004048

7. Basic static Routing

Introducing the routing table and static routes (directed connected , default static routes)

A Router is a Layer 3 network gateway device, connecting two or more networks and networks to Internet.

Routers examine the destination IP address of a received packet and make routing decisions accordingly. To
determine out which interface the packet will be sent, routers use routing tables.

A routing table lists all networks for which routes are known. Each router’s routing table is unique and stored
in the RAM of the device.

Each entry in the routing table consists of the following fields:

- network and subnet mask – specifies a range of IP addresses.
- remote router – the IP address of the (next-hop) router used to reach that network.
- outgoing interface – the interface the packet should go out of to reach the destination network.

There are 3 types of routing:

• Static routing
• Default routing
• Dynamic routing

Static routing - is the manual configuration and selection of a network route and is not using any dynamic
routing protocol.

Default routing – is a manual configuration of a single default route for every destination and is used in
networks that have only one output interface and everything going through these networks has to cross the
single exit point.

Router interfaces all need an IP address assigned, and once they are up a Directly Connected route will be
created automatically for that subnet:

Routing table with the Directly connected routes:

Routers must also know the return path to the sender; otherwise the responses that applications need cannot be
routed back!
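To make the lookup described above concrete, the following is an added example (not from the course material) of longest-prefix matching over a constructed routing table holding directly connected, static and default routes, plus a check that a reply also has a route back to the sender; the addresses and interface names are hypothetical.

```python
import ipaddress

# Constructed routing table for a router with two directly connected networks,
# one static route and a default route (hypothetical addresses and interfaces).
# Entry layout: (network/mask, next-hop router or None if connected, outgoing interface, code)
ROUTING_TABLE = [
    ("192.168.1.0/24", None,       "Gig0/0", "C"),   # C  = directly connected
    ("10.0.0.0/30",    None,       "Gig0/1", "C"),
    ("172.16.0.0/16",  "10.0.0.2", "Gig0/1", "S"),   # S  = static route
    ("0.0.0.0/0",      "10.0.0.2", "Gig0/1", "S*"),  # S* = default route
]


def lookup(dst_ip, table=ROUTING_TABLE):
    """Return the entry the router would use to forward a packet addressed to dst_ip.

    Forwarding uses longest-prefix match: of all entries whose network contains the
    destination, the one with the longest subnet mask wins. The default route
    (0.0.0.0/0) contains every address but has the shortest mask, so it is used only
    when no more specific route exists. Returns None when nothing matches, in which
    case a real router drops the packet.
    """
    dst = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for entry in table:
        net = ipaddress.ip_network(entry[0])
        if dst in net and net.prefixlen > best_len:
            best, best_len = entry, net.prefixlen
    return best


def round_trip_possible(client_ip, server_ip, table=ROUTING_TABLE):
    """True only if the router can forward both the request and the reply.

    A route toward the server is not enough: the reply is a new packet whose
    destination is the client, so the router also needs a route back to the client.
    """
    return lookup(server_ip, table) is not None and lookup(client_ip, table) is not None
```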

Adding a static route:

Adding a Default route:

Extra references:

Static routing: https://ciscoiseasy.blogspot.ro/2010/12/lesson-33-static-routing.html

Inter-Vlan routing

Inter-Vlan routing can be configured in multiple ways:

 Router on a Stick (most used)

On the router you need to configure a sub-interface for each VLAN that needs to be routed by this device:

 Legacy inter-VLAN routing – each VLAN is connected to a different physical interface on the router, then
you will have a routing table with the Directly Connected interfaces and traffic can be routed between
them.

 Inter-VLAN routing using L3 switches – a switch virtual interface (SVI) is configured for every VLAN and
the switch must have IP routing enabled:
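As an added illustration of router-on-a-stick (not from the course material), this Python example parses the 802.1Q tag of a frame arriving on the trunk, maps it to the sub-interface for that VLAN, and re-tags it for the destination VLAN; the sub-interface names and subnets are assumed.

```python
import struct
import ipaddress

TPID_8021Q = 0x8100        # EtherType value announcing an 802.1Q VLAN tag
ETHERTYPE_IPV4 = 0x0800

# Hypothetical router-on-a-stick: one trunk into Gig0/0 and one sub-interface per
# VLAN, each the default gateway of its VLAN (constructed addresses).
SUBINTERFACES = {
    10: ("Gig0/0.10", ipaddress.ip_network("192.168.10.0/24")),
    20: ("Gig0/0.20", ipaddress.ip_network("192.168.20.0/24")),
}

def parse_tagged_frame(frame):
    """Return (vlan_id, dst_ip) from an 802.1Q-tagged IPv4 Ethernet frame."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        raise ValueError("untagged frame: the trunk to a router-on-a-stick carries tagged frames")
    vlan_id = tci & 0x0FFF                    # low 12 bits of the TCI hold the VLAN ID
    (ethertype,) = struct.unpack("!H", frame[16:18])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 payloads are handled here")
    return vlan_id, ipaddress.ip_address(frame[18 + 16:18 + 20])   # IPv4 destination field

def route_between_vlans(frame):
    """Pick the egress sub-interface and VLAN tag for a frame arriving on the trunk.

    The frame enters on the sub-interface matching its tag; its destination IP is
    matched against the sub-interface subnets and it leaves over the same physical
    link, re-tagged with the destination VLAN. Returns None (packet dropped) when
    the ingress VLAN has no sub-interface or no sub-interface owns the destination.
    """
    in_vlan, dst_ip = parse_tagged_frame(frame)
    if in_vlan not in SUBINTERFACES:
        return None
    for vlan_id, (name, subnet) in SUBINTERFACES.items():
        if dst_ip in subnet:
            return name, vlan_id
    return None

def build_frame(vlan_id, dst_ip):
    """Constructed minimal tagged IPv4 frame; only the fields the parser reads are filled in."""
    header = b"\xaa" * 6 + b"\xbb" * 6                # placeholder destination/source MACs
    header += struct.pack("!HHH", TPID_8021Q, vlan_id, ETHERTYPE_IPV4)
    ipv4 = bytearray(20)
    ipv4[0] = 0x45                                    # version 4, header length 5 words
    ipv4[16:20] = ipaddress.ip_address(dst_ip).packed
    return header + bytes(ipv4)
```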

8. Network security (Firewall, Proxy, NAT, VPN, DMZ terminologies)

Defense in depth approach – multiple layers of security controls (defenses) are placed throughout an information
technology (IT) system. Its intent is to provide redundancy in the event that a security control fails or a
vulnerability is exploited.

https://sec.ch9.ms/ch9/820b/bd191231-039e-4fd7-bdc9-1f9b44a6820b/DefenseInDepthWin81SecurityM05_960.jpg

CERT - Computer Emergency Response Team.

The first computer emergency response team in the world was created at Carnegie Mellon University under U.S.
Government contract. With the massive growth in the use of information and communications technologies over
the subsequent years, the now-generic term 'CERT'/'CSIRT' refers to an essential part of most large organisations'
structures or governments.

Carnegie Mellon Univ CERT: http://www.kb.cert.org/vuls/

NIST: https://nvd.nist.gov/

Vulnerability - a security vulnerability is a weakness in a product that could allow an attacker to compromise the
integrity, availability, or confidentiality of that product.

Examples:

 A weakness that allows an unprivileged user to change the permissions on any file on a system would
constitute a security vulnerability.

 A weakness that enables an attacker to cause a server to fail would constitute a security vulnerability, since
the attacker would be able to control whether the server provided service or not.

 A weakness in a web site that enables a visitor to read a file that should not be readable would constitute a
security vulnerability.

Types of network attacks:

 Password-Based Attacks - Older applications do not always protect identity information as it is passed
through the network for validation. This might allow an eavesdropper to gain access to the network by
posing as a valid user.
 DOS (Denial of Service) attack - occurs when an intruder tries to bring down a corporate web site with a
flood of traffic, so much so that it brings the web server down and, potentially, allows the intruder to
break into it.
 DDOS (Distributed Denial of Service) – originates from (or appears to originate from) multiple hosts. The
"multiple hosts" part of the attack is what makes it "distributed," and is what makes the attack more
difficult to defend against. An attack that originates from a single host or IP address can be easily blocked
with a simple router access list or firewall rule.
 Sniffer Attack - a sniffer is an application or device that can read, monitor, and capture network data
exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full view of the
data inside the packet. Even encapsulated (tunneled) packets can be broken open and read unless they
are encrypted and the attacker does not have access to the key.
 Identity Spoofing (IP Address Spoofing) - Most networks and operating systems use the IP address of a
computer to identify a valid entity. In certain cases, it is possible for an IP address to be falsely assumed—
identity spoofing. An attacker might also use special programs to construct IP packets that appear to
originate from valid addresses inside the corporate intranet.
After gaining access to the network with a valid IP address, the attacker can modify, reroute, or delete
your data.
 Malware - refers to various forms of harmful software, such as viruses and ransomware. Once malware is
in your computer, it can wreak all sorts of havoc, from taking control of your machine, to monitoring your
actions and keystrokes, to silently sending all sorts of confidential data from your computer or network to
the attacker's home base.
 Phishing attack - an attacker may send you an email that appears to be from someone you trust, like your
boss or a company you do business with. The email will seem legitimate, and it will have some urgency to
it (e.g. fraudulent activity has been detected on your account). In the email, there will be an attachment to
open or a link to click. Upon opening the malicious attachment, you’ll thereby install malware in your
computer.

Firewall – a network security device that monitors incoming and outgoing network traffic and decides whether
to allow or block specific traffic based on a defined set of security rules. A firewall can be hardware, software or
both.

Types of firewalls:

 Packet filtering firewall (Access List Based) - has a list of firewall security rules which can block
traffic based on IP protocol, IP address and/or port number. Because it looks only at these header fields,
once web traffic is permitted all web traffic is allowed, including web-based attacks. In this situation, you
need to have intrusion prevention in addition to firewall security, in order to differentiate between good
web traffic (simple web requests from people browsing your website) and bad web traffic (people
attacking your website).

 Stateful firewall – similar to a packet filtering firewall, but it is more intelligent about keeping
track of active connections, so you can define firewall management rules such as "only allow
packets into the network that are part of an already established outbound connection."

 Deep packet inspection firewall - an application firewall that actually examines the data in the packet,
and can therefore detect application layer attacks. This kind of firewall security is similar to
intrusion prevention technology.

 Application-aware firewall - Similar to deep packet inspection, except that the firewall
understands certain protocols and can parse them, so that signatures or rules can specifically
address certain fields in the protocol.
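To show why the stateful rule quoted above matters, here is an added example (not part of the course) that runs the same three constructed packets through a stateless source-port rule and a connection-tracking firewall; the addresses are taken from the documentation ranges and are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP packet as the firewall sees it (constructed sample data)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str          # "out": inside -> Internet, "in": Internet -> inside


def stateless_filter_allows(pkt):
    """Packet-filter (ACL) rule with no memory of earlier packets.

    To let web replies back in, a stateless ACL has to permit inbound packets by
    their header fields alone, here: TCP source port 80. It cannot tell a genuine
    reply from an unsolicited packet that merely uses source port 80.
    """
    return pkt.direction == "out" or pkt.src_port == 80


class StatefulFirewall:
    """Remembers outbound connections; admits inbound packets only if they belong to one."""

    def __init__(self):
        self.connections = set()    # (inside_ip, inside_port, outside_ip, outside_port)

    def allows(self, pkt):
        if pkt.direction == "out":
            self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        # Inbound: only packets that are part of an already established outbound connection.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.connections


# Constructed traffic: a web request, its reply, and an unsolicited inbound packet
# to SSH (22) on the same workstation that happens to carry source port 80.
SAMPLE_TRAFFIC = [
    Packet("10.1.1.5", 51000, "203.0.113.10", 80, "out"),
    Packet("203.0.113.10", 80, "10.1.1.5", 51000, "in"),
    Packet("198.51.100.7", 80, "10.1.1.5", 22, "in"),
]


def evaluate(packets):
    """Return the per-packet verdicts of both firewall types, in packet order."""
    fw = StatefulFirewall()
    return ([stateless_filter_allows(p) for p in packets],
            [fw.allows(p) for p in packets])
```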

DMZ - most companies deploy two firewalls to create a DMZ, or demilitarized zone. One firewall connects to the
Internet while the other connects to the internal network. In between the two is the DMZ, where companies put
their public-facing Web servers. The idea is that, even if an intruder succeeds in hacking into the Web server, such
as via a DOS attack, the second firewall will prevent him from accessing the private corporate network.

Proxy server - a server or set of servers that acts on your behalf as an intermediary between a client (your PC or
your server) and a web server on the Internet or internally.

Purpose of Proxy Servers:

 Monitoring and Filtering
 Improving performance
 Accessing services anonymously
 Security

Types of Proxies:

 Forward Proxies
 Reverse Proxies

IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) both increase the security level of
networks by monitoring traffic and inspecting and scanning packets for suspicious data. Detection in both systems
is mainly based on signatures of attacks that have already been observed and recognised.

The main difference between the two systems is the action they take when an attack is detected in its
initial phases (network scanning and port scanning).

VPN (Virtual Private Network) – is a private network that uses a public network (usually the Internet) to connect
remote sites or users together. Instead of using a dedicated, real-world connection, such as leased line, a VPN uses
"virtual" connections routed through the Internet from the company's private network to the remote site or
employee.

A VPN can be set up to support remote, protected access to the corporate home offices over the Internet. An
Internet VPN solution uses a client/server design and works as follows:

1. A remote host (client) wanting to log into the company network first connects to any public Internet
Service Provider (ISP).
2. Next, the host initiates a VPN connection to the company VPN server. This connection is made via a VPN
client application installed on the remote host.
3. Once the connection has been established, the remote client can communicate with the internal company
systems over the Internet just as if it were a local host.

NAT - Network address translation provides a method for translating the Internet Protocol version 4 (IPv4)
addresses of computers on one network into IPv4 addresses of computers on a different network.

Static NAT is a type of Network Address Translation (NAT) with a one-to-one IP address mapping (one private IP
address to one public IP address).

Dynamic NAT is a type of NAT that uses many public IP addresses from a NAT address pool. Neither static NAT nor
dynamic NAT can therefore be used to provide Internet access to inside users, because both require a large number
of public IP addresses.

PAT (Port Address Translation), also known as NAT overload, is another NAT technology, and the one that can be
used to provide Internet access to inside users. With PAT, several inside private IP addresses are translated to one
or a few outside public IP addresses, with the port number distinguishing the individual sessions. Its main
advantage is that it works efficiently for a large number of inside private IP addresses even with a single public
IP address.
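The port-mapping idea behind PAT, as an added example that is not from the course material: one constructed public address shared by two inside hosts, with the translation table consulted in both directions; all addresses are hypothetical.

```python
from itertools import count


class PortAddressTranslation:
    """NAT overload: many inside hosts share one public IP, told apart by the translated source port.

    Constructed example with hypothetical addresses. Real routers also age out entries
    and handle ICMP; this shows only the TCP/UDP port-mapping mechanism.
    """

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self._next_port = count(first_port)
        self.inside_to_public = {}    # (inside_ip, inside_port) -> public_port
        self.public_to_inside = {}    # public_port -> (inside_ip, inside_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an inside -> outside packet; a table entry is created on first use."""
        key = (src_ip, src_port)
        if key not in self.inside_to_public:
            public_port = next(self._next_port)       # unique per inside (ip, port) pair
            self.inside_to_public[key] = public_port
            self.public_to_inside[public_port] = key
        return (self.public_ip, self.inside_to_public[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an outside -> inside packet back to the inside host, or None if no entry exists."""
        if dst_ip != self.public_ip or dst_port not in self.public_to_inside:
            return None           # no translation entry: the router cannot deliver it and drops it
        inside_ip, inside_port = self.public_to_inside[dst_port]
        return (src_ip, src_port, inside_ip, inside_port)
```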

Configure Static NAT:

IP nat inside for the router interface that sits inside the LAN:

For static NAT:

To test NAT:

4. Troubleshooting methods and tools (Cisco/Windows/Linux)

Network troubleshooting methodologies:

 Top-down - using this approach, you work from the OSI model's application layer down to the physical layer.

Example: if you are researching a problem of a user that cannot browse a particular website and you find
that you can establish a TCP connection on port 80 from this host to the server and get a response from
the server, you can typically draw the conclusion that the transport layer and all layers below must be fully
functional between the client and the server and that this is most likely a client or server problem and not
a network problem.

 Bottom-up - starts from the OSI model's physical layer and moves up to the application layer.

A disadvantage of this method is that, in large networks, it can be a time-consuming process, because a lot
of effort will be spent on gathering and analyzing data, and you always start from the bottom layer.

 Divide and conquer - using this approach, you start in the middle of the OSI model's stack (usually the
network layer) and then, based on your findings, you move up or down the OSI stack.

If it is not clear which of the top-down or bottom-up approaches will be more effective for a particular
problem, an alternative is to start in the middle (typically the network layer) and perform some tests such
as ping. Ping is an excellent connectivity testing tool. If the test is successful, you can assume that all lower
layers are functional, and so you can start a bottom-up troubleshooting starting from this layer.

 Follow the path - this approach is based on the path that packets take through the network from source
to destination.

 Spot the differences - as the name implies, this approach compares network devices or processes that are
operating correctly to devices or processes that are not operating as expected, and gathers clues by
spotting significant differences.

 Move the problem - the strategy of this troubleshooting approach is to physically move components and
observe whether the problem moves with the components.

Windows network troubleshooting tools:

ipconfig, ping, tracert, pathping, nslookup, telnet/portqry, route, arp, hosts file, netstat

Linux network troubleshooting tools:

ifconfig, netstat, traceroute, nslookup, curl/telnet, route, arp, /etc/hosts file

EVALUATION:

1. During the class, each student's Motivation, Engagement, Achievements and Team working will be noted.
2. On the last day, there will be up to 10 questions and a Packet Tracer scenario to be configured so that it meets
some requirements.
