Monday, July 1, 2013

VLAN...



What is a VLAN?

A VLAN is a group of hosts with a common set of requirements that communicate as if they were attached to the same broadcast domain, regardless of their physical location.
·         Virtual Local Area Network
·         It is a logical boundary on the switch
·         All the ports in a VLAN can communicate with each other
·         Ports in different VLANs cannot communicate through an L2 switch
·         Inter-VLAN communication is possible through an L3 switch (or a router)
·         Ports with the same VLAN ID can communicate even when they belong to different switches, provided a trunk carries that VLAN between the switches
·         Normal-range VLAN IDs are 1 – 1005 (1002 – 1005 are reserved for legacy Token Ring and FDDI); the 802.1Q VLAN ID field is 12 bits, so switches that support the extended range also accept 1006 – 4094
·         A VLAN breaks up the broadcast domain inside the switch
·         VLAN configuration is local to each switch; VTP can replicate the VLAN database to other switches in the same VTP domain, but user data crosses switches over trunk links, not over VTP
·         Logically groups users
·         Segments broadcast domains
·         Subnet correlation: each VLAN normally maps to one IP subnet
·         Access control: traffic between VLANs has to pass an L3 device, where it can be filtered
·         Quality of service



What is the Default VLAN?
·         By default a VLAN exists on the switch with VLAN ID 1
·         VLAN 1 is called the default VLAN
·         By default all the ports on the switch belong to VLAN 1
·         VLAN 1 cannot be created or deleted
·         VLAN 1 carries control-plane traffic such as CDP, VTP and DTP (these are sent untagged on the native VLAN, which is VLAN 1 by default)
What is the management VLAN?
·         The active VLAN whose SVI has an IP address assigned and is operational
·         The management VLAN carries switch management traffic (Telnet/SSH, SNMP)
·         By default VLAN 1 is the management VLAN
·         Because every port starts in VLAN 1 and VLAN 1 cannot be deleted, put management on a dedicated VLAN rather than leaving it in VLAN 1 together with user ports
What is Trunking?
·         A link between switches that can carry the data of multiple VLANs
Switch port types:
Access port

·         Used to connect an end host such as a computer
·         An access port sends and receives untagged (normal) Ethernet frames
·         An access port belongs to only one VLAN

Trunk port
·         Used to connect to another switch (or to a router, or to a server with a trunk-capable NIC)
·         A trunk port sends and receives tagged Ethernet frames
·         A trunk port can carry multiple VLANs
·         On older Cisco switches trunking required a Fast Ethernet (100 Mbps) or faster port

What is frame tagging?
·         The trunk port inserts the VLAN ID into the frame before sending it across the trunk link
·         The trunk port (or the access port at the far end) removes the VLAN ID from the frame before sending it to the host
Adding VLAN ID information to the original Ethernet frame is called frame tagging or frame encapsulation.

Frame tagging methods
·         802.1Q (dot1q)
·         ISL
Difference between 802.1Q and ISL

  802.1Q                                                      | ISL
  ------------------------------------------------------------|------------------------------------------------------------
  IEEE 802.1Q encapsulation                                   | Inter-Switch Link
  Open standard                                               | Cisco proprietary
  Inserts a 4-byte tag (TPID + VLAN ID) into the frame, after the source MAC | Encapsulates the whole Ethernet frame with a new header and trailer
  Inserts 4 bytes; the FCS is recomputed                      | Header is 26 bytes, trailer (CRC) is 4 bytes
  Original frame size 1518 bytes, tagged frame 1522 bytes     | Original frame size 1518 bytes, encapsulated frame 1548 bytes

What is the native VLAN?
·         The VLAN whose frames are sent across the trunk untagged; untagged frames arriving on a trunk are assigned to it

·         By default VLAN 1 is the native VLAN
·         The native VLAN must match at both ends of a trunk link, otherwise frames leak between the two VLANs
·         The native VLAN exists only with 802.1Q; ISL tags every frame, so it has no native VLAN
·         Use an otherwise unused VLAN as the native VLAN rather than one that carries user or management traffic
Servers at trunk ports:
·         Hosts in different VLANs may need to reach common servers
·         A server with a trunk-capable (802.1Q-aware) NIC can be connected to a trunk port
·         The trunk NIC understands tagged frames and presents each VLAN as a separate virtual interface
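The tag insert and strip described above, as an added Python example (not code from the original post). The tag layout is the IEEE 802.1Q format: TPID 0x8100, 3-bit priority, 1-bit DEI, 12-bit VLAN ID, inserted after the source MAC. The MAC addresses and payload are constructed sample data, and the FCS is modelled with CRC-32 so that the 1518 -> 1522 byte sizes quoted above come out exactly; untagged frames are classified into the native VLAN the way a trunk port does it.

```python
import struct
import zlib

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
FCS_LEN = 4


def fcs(frame_without_fcs: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over header+payload, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: 14-byte header, payload, 4-byte FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0, dei: int = 0) -> bytes:
    """What a trunk port does on egress: insert TPID + TCI after the source MAC
    and recompute the FCS, since the frame bytes changed."""
    if not 0 <= vlan_id <= 4095:
        raise ValueError("VID is a 12-bit field: 0..4095")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits, DEI is 1 bit")
    tci = (pcp << 13) | (dei << 12) | vlan_id
    body = frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:-FCS_LEN]
    return body + fcs(body)


def untag_frame(frame: bytes) -> bytes:
    """What an access port does before handing the frame to the host: strip the tag."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame
    body = frame[:12] + frame[16:-FCS_LEN]
    return body + fcs(body)


def classify_frame(frame: bytes, native_vlan: int = 1):
    """Return (vlan_id, tagged, ethertype) as a trunk port sees an incoming frame.
    Untagged frames are assigned to the native VLAN."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        inner = struct.unpack("!H", frame[16:18])[0]
        return tci & 0x0FFF, True, inner
    return native_vlan, False, ethertype


# Constructed sample: a maximum-size IPv4 frame (1500-byte payload), made-up MACs.
SAMPLE_DST = bytes.fromhex("ffffffffffff")
SAMPLE_SRC = bytes.fromhex("02aabbccddee")
SAMPLE = build_frame(SAMPLE_DST, SAMPLE_SRC, 0x0800, b"\x45" + b"\x00" * 1499)

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE, vlan_id=10)
    print(len(SAMPLE), len(tagged))          # 1518 1522
    print(classify_frame(tagged))            # (10, True, 2048)
    print(classify_frame(SAMPLE))            # (1, False, 2048): untagged -> native VLAN
    print(untag_frame(tagged) == SAMPLE)     # True
```

The `classify_frame` path is where a native VLAN mismatch between the two trunk ends shows up: both sides assign untagged frames to whatever their own native VLAN is, so a frame sent untagged by one switch lands in a different VLAN on the other.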


Sunday, June 30, 2013

IP Sec...






IPSec:
Ø  IPSec – IP Security
Ø  It is an open standard (IETF) protocol suite
Ø  IPSec is actually a group of standards, protocols and technologies that work together to build a secure session, commonly called a tunnel, to a remote peer
Ø  It works at the network layer and protects IP packets, so any application carried in IP is protected without being modified
Ø  It can be used for site-to-site VPNs and remote access VPNs

IPSec services:
IPSec provides four main services
1.       Authentication
Ø  Verifying the identity of remote peers
Ø  Prevents an attacker from impersonating a legitimate peer
Ø  Peers authenticate with pre-shared keys or digital certificates
2.       Confidentiality
Ø  Guaranteeing that no intermediate device can decipher the contents of the payload in a packet
Ø  Encryption is used to hide the real data
3.       Integrity
Ø  Guaranteeing that the contents of a packet have not been changed by an intermediate device
Ø  HMAC functions are used to verify the source of every packet as well as to check whether it was tampered with (changed) or not
4.       Anti-replay protection
Ø  Verifying that each packet is unique and not a duplicate
Ø  Ensuring that captured copies of a valid packet cannot be re-injected to create a denial of service or to repeat a transaction
Ø  Protected (authenticated) sequence numbers and a sliding receive window are used to detect duplicate packets and drop them


IPSec Protocols:
Ø  IPSec is actually a group of standards and protocols that work together to build a secure session
Ø  An IPSec tunnel comprises three connections
One management connection and two unidirectional data connections (security associations, one per direction)
Ø  The tunnel is built across two phases
Ø  The management connection is built during phase 1 and is used to share IPSec-related information between the two peers
Ø  The two data connections are built during phase 2 and are used to transmit user traffic
Ø  All three connections are protected

ISAKMP – Internet Security Association and Key Management Protocol, used to build and maintain the tunnel. It defines the format of the management payload (UDP port 500, or UDP 4500 when NAT traversal is in use)
IKE – Internet Key Exchange protocol is responsible for negotiating, generating and managing the keys used by the encryption algorithms and HMAC functions
DH – The Diffie-Hellman exchange lets the two peers derive a shared secret over the untrusted network without ever transmitting that secret; the keys protecting the management and data connections are derived from it
AH – Authentication Header (IP protocol 51) only validates the origin and integrity of data packets (on the data connections) received from a peer, including the IP header; it provides no encryption

ESP – Encapsulating Security Payload (IP protocol 50) provides packet confidentiality and authentication. It provides confidentiality through encryption and packet authentication through an HMAC function
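The integrity and anti-replay services described under "IPSec services" and the ESP authentication just mentioned, as an added Python example that is not code from the original post. It models one direction of an ESP-style data connection: the sender numbers each packet and appends an HMAC over sequence number and payload; the receiver does the RFC 4303 sliding-window replay check, verifies the HMAC with a constant-time compare, and only then records the sequence number. The key, the simplified packet layout (4-byte sequence number + payload + 16-byte ICV, no SPI, padding or encryption) and the 64-packet window are assumptions made for the example.

```python
import hashlib
import hmac
import struct

WINDOW_SIZE = 64   # RFC 4303 default anti-replay window (the minimum is 32)
ICV_LEN = 16       # HMAC-SHA-256 truncated to 128 bits (HMAC-SHA-256-128)
SEQ_MAX = 0xFFFFFFFF


class ReplayWindow:
    """Sliding-window duplicate detection as in RFC 4303, Appendix A.
    Bit i of the bitmap set means sequence number (top - i) was already accepted."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.top = 0      # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0

    def check(self, seq):
        """Cheap pre-check, done before the more expensive ICV computation."""
        if seq == 0:                      # 0 is never a valid ESP sequence number
            return False
        if seq > self.top:                # right of the window: new
            return True
        if self.top - seq >= self.size:   # too old: fell off the left edge
            return False
        return not (self.bitmap >> (self.top - seq)) & 1   # inside: new only if unseen

    def update(self, seq):
        """Record seq; only called after the ICV verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def protect(auth_key, seq, payload):
    """Sender side: sequence number + payload, then an HMAC over both (the ICV)."""
    if not 1 <= seq <= SEQ_MAX:
        raise ValueError("sequence number exhausted: rekey the SA, never wrap")
    body = struct.pack("!I", seq) + payload
    return body + hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]


def receive(auth_key, window, packet):
    """Receiver side. Returns the payload if the packet is authentic and not a
    replay, otherwise None (ESP silently drops such packets)."""
    if len(packet) < 4 + ICV_LEN:
        return None
    seq = struct.unpack("!I", packet[:4])[0]
    if not window.check(seq):
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    window.update(seq)
    return body[4:]


if __name__ == "__main__":
    # Constructed demo: key and packets are made up for this example.
    key = b"constructed-demo-authentication-key"
    window = ReplayWindow()
    for seq in (1, 2):
        receive(key, window, protect(key, seq, b"data"))
    p3 = protect(key, 3, b"third")
    print(receive(key, window, p3))                          # b'third'
    print(receive(key, window, p3))                          # None: replay of seq 3
    print(receive(key, window, protect(key, 9, b"nine")))    # b'nine': jumps ahead
    print(receive(key, window, protect(key, 5, b"five")))    # b'five': late, inside window
    bad = bytearray(protect(key, 10, b"ten"))
    bad[5] ^= 0x01                                           # one payload bit changed in transit
    print(receive(key, window, bytes(bad)))                  # None: ICV mismatch
```

Two details matter in practice and are reflected above: a tampered packet must not advance the window (otherwise an attacker could push legitimate packets out of it with forged sequence numbers), and the sequence counter must never wrap, which is why real implementations rekey the security association before reaching 2^32.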

Saturday, June 29, 2013

VPN Basics...




What is a VPN?

Virtual Private Network
A VPN is a logical, secured tunnel established between networks across an unsecured network
A public network (such as the Internet) is an unsecured network
Using a VPN, secured networks can communicate over the Internet with security
The end network devices (VPN gateways or client software) take care of encapsulation and encryption of the packets
With a VPN, networks can have security comparable to that of a private network

Benefits of VPNs:
Ø  Security:
Security is provided through data encryption to protect confidentiality, together with authentication and integrity checks on every packet
Ø  Cost:
A VPN reduces a company's WAN infrastructure cost
Ø  Bandwidth:
Inexpensive high-bandwidth connections, such as DSL, can be used to interconnect offices and allow fast and secure access to corporate resources
Ø  Scalability:
Companies can easily add a large number of users and offices without building significant WAN infrastructure




                                             
VPN Types
VPNs fall under two implementation types
·         Site-to-site VPN
·         Remote access VPN

Site-to-site VPN:
Ø  Site-to-site VPNs are sometimes called LAN-to-LAN or L2L VPNs
Ø  They connect two locations or sites together (similar to point-to-point WAN connectivity)
Ø  Two intermediate devices (VPN gateways) protect the traffic between the two LANs
Ø  The original IP packet from one LAN is encrypted by one gateway, forwarded to the destination gateway, then decrypted and forwarded into the local LAN; the hosts on either LAN need no VPN software
Ø  Traffic is protected by the IPSec protocol suite

Site-to-site VPNs are of two types
·         Intranet: VPN between sites belonging to the same company
·         Extranet: VPN between sites belonging to different companies

Remote access VPN:
Ø  VPN connectivity between a site and a remote user
Ø  Remote access VPNs are used by mobile users to connect to a site
Ø  They can access resources as if they were on site
Ø  VPN client software is required on the PC to access the site (for example the Cisco VPN client), or just a browser for an SSL/Web VPN
Ø  Traffic is protected by protocols such as IPSec, SSL/TLS, PPTP and L2TP (PPTP's authentication is known to be weak, so it should not be chosen for new deployments)
Ø  Remote access VPN has two Cisco implementations
·         Easy VPN (IPSec)

·         Web VPN (SSL)

Friday, June 28, 2013

OSI Layer Description....


OSI Layers                    






Ø  The OSI layers explain the complete network communication process
Ø  They explain how systems interact with each other
Ø  The OSI layered architecture was standardized by ISO and ITU-T (ISO/IEC 7498-1, ITU-T X.200)

ISO – International Organization for Standardization
ITU-T – International Telecommunication Union – Telecommunication Standardization Sector

Application, presentation and session layers are called the software (upper) layers
The transport layer is called the heart of OSI
Network, data link and physical layers are called the hardware (lower) layers



7. Application layer

Functions:

Ø  It provides the user interface to the network
Ø  It gives network services to the user
Ø  Each application service is reached through a well-known transport port number (for example HTTP on TCP 80, DNS on port 53)

Protocols:

DNS, DHCP, HTTP, FTP, SMTP, Telnet


6. Presentation layer

Functions:

Ø  It converts data between the application's own format and a common network format
Ø  Encryption and decryption
Ø  Compression and decompression

Protocols/formats:

ASCII, EBCDIC, GIF, TIFF, BMP, JPEG, MPEG, AVI, WAV

Ø  ASCII – American Standard Code for Information Interchange
Ø  EBCDIC – Extended Binary Coded Decimal Interchange Code
Ø  JPEG – Joint Photographic Experts Group
Ø  TIFF – Tagged Image File Format
Ø  GIF – Graphics Interchange Format
Ø  BMP – Bitmap image
Ø  MPEG – Moving Picture Experts Group
Ø  AVI – Audio Video Interleave
Ø  WAV – Waveform Audio File format


5. Session layer
Functions:

Ø  It establishes, maintains and terminates a logical session between applications

Protocols:
NFS – Network File System
RPC – Remote Procedure Call

4. Transport layer
Functions:
Ø  Segmentation
Ø  Adding the TCP/UDP header
Ø  Sequencing and reassembling
Ø  Multiplexing and demultiplexing
Ø  Error recovery
Ø  Flow control

Protocols:
TCP – Transmission Control Protocol
UDP – User Datagram Protocol
Segmentation:
Ø  It is not possible to handle the whole data stream as one unit
Ø  The largest segment TCP can carry is bounded by the 64 KB maximum IP datagram size; in practice the maximum segment size (MSS) is chosen to fit the link MTU, typically 1460 bytes of payload on Ethernet
Ø  The data is divided into smaller segments
Ø  Number of segments = total size / segment payload size, rounded up
Ø  Example: with 64 KB segments, 1 MB of data becomes 16 segments; with a 1460-byte MSS it becomes 719 segments



Adding the TCP/UDP header:

Ø  A TCP or UDP header is added to each data segment
Ø  The TCP header is 20 bytes without options (up to 60 bytes with options); the UDP header is 8 bytes

Sequencing and reassembling:
Ø  Segments are rearranged if they arrive in a different order
Ø  This is done with the help of the sequence number in the TCP header, which numbers the first byte of each segment

Multiplexing and demultiplexing:

Ø  When a system communicates with multiple systems (or runs multiple applications) at the same time, the source and destination port numbers keep each conversation separate, so segments for all of them can be in flight simultaneously

Error recovery:

Ø  The destination acknowledges the data it has received in order; the source retransmits any segment that is not acknowledged in time

Flow control:

Ø  Speed is adjusted automatically between source and destination: the receiver advertises a window (the amount of data it can still accept), so a slower computer is not overrun
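Segmentation, sequencing/reassembly and the acknowledgement side of error recovery, as an added Python example (not code from the original post). The 20-byte header layout is RFC 793's; the MSS, ports, ISN and data are constructed for the demo, and the checksum is left zero because it covers an IP pseudo-header that this transport-only example does not build. The receiver function returns the next sequence number it expects, which is exactly the number it would put in its ACK; a missing segment stops in-order delivery at the gap.

```python
import random
import struct

TCP_HEADER_LEN = 20       # fixed TCP header, no options
ETHERNET_MSS = 1460       # 1500-byte IP MTU - 20-byte IP header - 20-byte TCP header
SEQ_MOD = 1 << 32         # sequence numbers are 32-bit and wrap


def segments_needed(total_bytes, segment_payload):
    """Number of segments for a stream: total / payload per segment, rounded up."""
    return -(-total_bytes // segment_payload)


def build_segment(src_port, dst_port, seq, payload, ack=0, flags=0x18, window=65535):
    """20-byte TCP header (RFC 793 layout) followed by payload. flags 0x18 = PSH|ACK.
    Checksum left zero: it covers an IP pseudo-header this example does not build."""
    offset_flags = (TCP_HEADER_LEN // 4) << 12 | flags   # data offset in 32-bit words
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq % SEQ_MOD, ack,
                         offset_flags, window, 0, 0)
    return header + payload


def parse_segment(segment):
    src, dst, seq, ack, offset_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:TCP_HEADER_LEN])
    header_len = (offset_flags >> 12) * 4
    return {"src": src, "dst": dst, "seq": seq, "ack": ack,
            "window": window, "payload": segment[header_len:]}


def segment_data(data, isn, src_port, dst_port, mss=ETHERNET_MSS):
    """Split a byte stream into MSS-sized segments; each carries the sequence
    number of its first byte, counted from the initial sequence number (ISN)."""
    return [build_segment(src_port, dst_port, isn + off, data[off:off + mss])
            for off in range(0, len(data), mss)]


def reassemble(segments, isn):
    """Receiver: order segments by sequence number, drop retransmitted duplicates,
    and return (contiguous data, next expected seq). The second value is what the
    receiver acknowledges; a gap stops delivery until the missing segment arrives."""
    by_seq = {}
    for seg in segments:
        p = parse_segment(seg)
        by_seq.setdefault(p["seq"], p["payload"])   # duplicate retransmission ignored
    out = bytearray()
    expected = isn % SEQ_MOD
    while expected in by_seq:
        out += by_seq[expected]
        expected = (expected + len(by_seq[expected])) % SEQ_MOD
    return bytes(out), expected


if __name__ == "__main__":
    # Constructed input: 1 MB of data, Ethernet MSS, arbitrary ports.
    data = bytes(range(256)) * 4096
    segs = segment_data(data, isn=1000, src_port=40000, dst_port=80)
    print(len(segs), segments_needed(len(data), ETHERNET_MSS))   # 719 719
    random.shuffle(segs)                                          # arrive out of order
    stream, next_seq = reassemble(segs, isn=1000)
    print(stream == data, next_seq == 1000 + len(data))           # True True
    lost = [s for s in segs if parse_segment(s)["seq"] != 1000 + 3 * ETHERNET_MSS]
    partial, ack = reassemble(lost, isn=1000)
    print(len(partial), ack)                                      # 4380 5380
```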


TCP & UDP differences:

  TCP                                                   | UDP
  ------------------------------------------------------|------------------------------------------------------
  Transmission Control Protocol                         | User Datagram Protocol
  Connection oriented (three-way handshake)             | Connectionless
  Reliable (acknowledged and retransmitted) and slower  | Unreliable (no acknowledgement) and faster
  Eg: Telnet, FTP, HTTP, SMTP                           | Eg: SNMP, TFTP, DHCP



3. Network layer:

Functions:

Ø  It provides the logical (IP) addressing scheme
Ø  The IP header is added at the network layer
Ø  It chooses the best path to the destination
Ø  It carries the data along the chosen path

Protocols:

Ø  Routing protocols: find the possible paths and choose the best one
Ø  RIP – Routing Information Protocol
Ø  IGRP – Interior Gateway Routing Protocol (Cisco, obsolete)
Ø  EIGRP – Enhanced IGRP
Ø  OSPF – Open Shortest Path First
Ø  IS-IS – Intermediate System to Intermediate System

Routed protocols: carry the data along the chosen path

Ø  IP – Internet Protocol
Ø  IPX – Internetwork Packet Exchange (legacy Novell)
Ø  AppleTalk (legacy)




2. Data Link Layer:
Functions:
Ø  It delivers frames between devices on the same physical link or LAN, using physical (MAC) addresses
Ø  It does error detection (no correction) using the FCS
Ø  A data link header and trailer are added to the packet

Protocols/sub layers:

Ø MAC Sub Layer: Media Access Control
        
·         Controls access to the shared medium and carries the physical (MAC) addresses
·         LAN technologies: Ethernet, Token Ring, FDDI
·         FDDI – Fiber Distributed Data Interface

Ø LLC Sub Layer: Logical Link Control (IEEE 802.2)
   
·         The upper sub layer; it sits between the MAC sub layer and the network layer and identifies which network-layer protocol a frame carries

WAN data link protocols (used on point-to-point and packet-switched WAN links; they are not part of the LAN sub layers above):
·         HDLC, PPP, Frame Relay, X.25




  HDLC                                                          | PPP
  --------------------------------------------------------------|--------------------------------------------------------------
  High-Level Data Link Control                                  | Point-to-Point Protocol
  Cisco's HDLC (the default on Cisco serial links) is proprietary | Open standard
  No compression                                                | Supports compression
  Does not support authentication                               | Supports authentication:
                                                                | PAP – Password Authentication Protocol (sends the password in clear text)
                                                                | CHAP – Challenge Handshake Authentication Protocol (challenge/response; the password itself is never sent)

Adding the data link header and trailer:
A 14-byte data link header is added at the beginning of the packet
A 4-byte data link trailer is added at the end of the packet (the FCS, a CRC)
The data link trailer is used for error checking
The source computer runs the CRC algorithm over the frame and sends the resulting value in the trailer. The destination computer also runs the CRC and compares its result with the received value. The destination accepts the frame if the values match and silently drops it if they do not; recovering the lost data is left to upper layers such as TCP.
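The header/trailer and CRC check just described, as an added Python example (not code from the original post). It builds 14-byte-header frames with a CRC-32 FCS, shows that a single flipped bit anywhere in the frame is detected and the frame dropped rather than repaired, and also parses the type/length field to tell an Ethernet II frame (EtherType 0x0600 or above) from an IEEE 802.3 frame whose payload starts with an 802.2 LLC header, which is where the MAC and LLC sub layers meet. MAC addresses and payloads are constructed sample data.

```python
import struct
import zlib

ETH_HEADER_LEN = 14     # dst MAC (6) + src MAC (6) + type/length (2)
FCS_LEN = 4
MIN_PAYLOAD = 46        # pads the frame to the 64-byte Ethernet minimum


def compute_fcs(data):
    """IEEE 802.3 FCS: CRC-32 over everything from the destination MAC to the last
    payload byte (zlib uses the same polynomial), sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_frame(dst, src, type_or_length, payload):
    """Sender side: 14-byte header, padded payload, 4-byte trailer."""
    body = dst + src + struct.pack("!H", type_or_length) + payload.ljust(MIN_PAYLOAD, b"\x00")
    return body + compute_fcs(body)


def check_fcs(frm):
    """Receiver side: recompute the CRC and compare it with the trailer."""
    if len(frm) < ETH_HEADER_LEN + MIN_PAYLOAD + FCS_LEN:
        return False
    return compute_fcs(frm[:-FCS_LEN]) == frm[-FCS_LEN:]


def parse_frame(frm):
    """Header fields of a frame whose FCS checks out, or None: Layer 2 detects
    corruption but cannot repair it, so the frame is dropped.
    A type/length value of 0x0600 or more is an EtherType (Ethernet II); a smaller
    value is a length and an IEEE 802.2 LLC header (DSAP, SSAP, control) follows."""
    if not check_fcs(frm):
        return None
    dst, src, type_or_length = struct.unpack("!6s6sH", frm[:ETH_HEADER_LEN])
    payload = frm[ETH_HEADER_LEN:-FCS_LEN]
    info = {"dst": mac_str(dst), "src": mac_str(src)}
    if type_or_length >= 0x0600:
        info.update(kind="Ethernet II", ethertype=type_or_length, data=payload)
    else:
        info.update(kind="IEEE 802.3/LLC", dsap=payload[0], ssap=payload[1],
                    control=payload[2], data=payload[3:type_or_length])
    return info


def flip_bit(frm, bit_index):
    """Constructed corruption: invert one bit of the frame on the wire."""
    out = bytearray(frm)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


# Constructed sample frames (MAC addresses and payloads are made up).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
IPV4_FRAME = build_frame(DST, SRC, 0x0800, b"\x45\x00" + b"\x00" * 18)
LLC_FRAME = build_frame(DST, SRC, 8, b"\xaa\xaa\x03" + b"hello")   # length 8 = 3 LLC + 5 data

if __name__ == "__main__":
    print(len(IPV4_FRAME), check_fcs(IPV4_FRAME))          # 64 True
    print(parse_frame(flip_bit(IPV4_FRAME, 100)))           # None: single-bit error caught
    print(parse_frame(LLC_FRAME)["data"])                   # b'hello'
```

The FCS is an error-detection code, not an authentication code: anyone who can modify the frame can recompute the CRC, so integrity against an attacker (as opposed to noise) needs a keyed check such as the HMAC used by IPSec.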

Layer 2 characteristics (compared with Layer 1):
Ø Connects to upper layers via Logical Link Control (LLC)
Ø Uses an addressing scheme (MAC addresses) to identify devices
Ø Uses frames to organize bits into groups
Ø Uses MAC addresses to identify transmission sources


1.   Physical Layer

Functions:

Ø It deals with electrical and mechanical properties
Ø Cables, connectors, voltage levels, bit timing
Ø Example: RJ-45 and RJ-11 connectors, transceivers, V.35 cables

Layer 1 limitations:

Ø  Cannot connect to upper layers
Ø  Cannot identify devices
Ø  Only recognizes streams of bits

Ø  Cannot determine the source of a transmission when multiple devices are transmitting