MAEDS 2015 Spring PD Day - Network Design Practices


Network Design Practices
Nicholas A. Hay
Monroe County ISD
[email protected]
VLAN Considerations
• Why do you not want a flat network?
• Broadcast traffic reaches every host in the broadcast domain, and on a large flat network it can cripple performance.
• You can't easily identify where a device is physically located on your network.
• You can't separate part of your network from the rest for security reasons.
• VLANs let you create multiple logical networks that are segmented from one another, each with its own broadcast domain.
VLANs Config on a Cisco Switch
• Enable routing on the core switch. If you don't do this, another device (a router or the firewall) would need to route traffic between VLANs.
• Switch(config)# ip routing
• Configure the VLAN interface(s). The prompt changes to (config-if) once you enter the interface, and "description" belongs inside the interface. "ip helper-address" relays DHCP broadcasts from this VLAN to your DHCP server; it is needed on every VLAN that the DHCP server is not directly on.
• Switch# configure terminal
Switch(config)# interface Vlan2
Switch(config-if)# description Admin Wired Network
Switch(config-if)# ip address 10.1.2.1 255.255.255.0
Switch(config-if)# ip helper-address 10.1.2.8
Switch(config-if)# no shutdown
• Configure the default route (only if this switch will route; it only needs to be done on the core switch that holds your VLAN interface IP addresses):
• Switch(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.2
VLANs Config on a Cisco Switch
• Verify (show commands run from exec mode; from config mode prefix them with "do"):
• Switch# show ip route
• Gateway of last resort is 10.1.1.2 to network 0.0.0.0
10.1.1.0/30 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet0/48
10.0.0.0/24 is subnetted, 3 subnets
C 10.1.10.0 is directly connected, Vlan10
C 10.1.3.0 is directly connected, Vlan3
C 10.1.2.0 is directly connected, Vlan2
S* 0.0.0.0/0 [1/0] via 10.1.1.2
VLANs Config on a Cisco Switch
• Tagged vs. Untagged VLANs
• Tagged (trunk) – carries multiple VLANs through the same port/interface; each frame is marked with its VLAN ID (802.1Q tag).
• interface GigabitEthernet2/0/24
description Core to Admin TCA Switch
switchport trunk encapsulation dot1q
switchport mode trunk
• Untagged (access) – assigns a port to a single VLAN so any device you plug in is placed on that logical network without tagging anything itself.
• interface GigabitEthernet1/0/6
switchport access vlan 1030
switchport mode access
spanning-tree portfast
• Two caveats: "spanning-tree portfast" on an edge port should be paired with BPDU Guard so a switch plugged into a classroom jack cannot disrupt spanning tree, and a trunk should carry only the VLANs the far switch needs, with the native (untagged) VLAN moved off VLAN 1.
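The two ports above with the hardening a practitioner would add to them, as an added example that is not part of the slides. VLAN 999 as an unused native VLAN and the allowed-VLAN list (2, 3, 10 and 1030, the IDs seen elsewhere in this deck) are assumptions for illustration; the interface names are the ones from the slide.

```cisco
! Added example (not from the slides). VLAN 999 and the allowed-VLAN list
! are assumptions; adjust to your own VLAN plan.
!
vlan 999
 name UNUSED-NATIVE
!
! Trunk (tagged) uplink: carry only the VLANs the far switch needs, put the
! untagged/native VLAN on an ID nobody uses, and refuse to negotiate trunking
! (DTP) so a host cannot talk the port into becoming a trunk.
interface GigabitEthernet2/0/24
 description Core to Admin TCA Switch
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2,3,10,1030
 switchport mode trunk
 switchport nonegotiate
 ! DHCP server replies are only accepted from this (trusted) direction
 ip dhcp snooping trust
!
! Access (untagged) edge port: PortFast alone lets a plugged-in switch or a
! host sending BPDUs take part in spanning tree; BPDU Guard err-disables the
! port instead. Disabling DTP closes the negotiated-trunk VLAN-hopping trick.
interface GigabitEthernet1/0/6
 switchport access vlan 1030
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! DHCP snooping: DHCP OFFER/ACK arriving on untrusted (edge) ports are
! dropped, which blocks rogue DHCP servers plugged into classrooms.
ip dhcp snooping
ip dhcp snooping vlan 2,3,10,1030
!
! Verify:
!   show interfaces trunk
!   show ip dhcp snooping
!   show spanning-tree summary
```

If you enable DHCP snooping, every uplink that legitimately carries DHCP replies (including the trunk back toward the core) must be marked trusted first, or clients on that switch will stop getting leases.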
IP Addresses / Subnetting
• Consider how many devices will be on each of your VLANs or networks. Also take into consideration how many subnets you will need so you don't run out of ranges. You do not want to run out of IPs or you will have unhappy people.
• Wireless can be very unpredictable and contain many devices, with people carrying multiples. Consider sporting events or other events where people come in with an abnormal number of devices compared to your normal use.
Prefix  Netmask          Hosts   IP Range
/24     255.255.255.0       254  10.1.1.0 – 10.1.1.255
/22     255.255.252.0     1,022  10.1.0.0 – 10.1.3.255
/20     255.255.240.0     4,094  10.1.0.0 – 10.1.15.255
/16     255.255.0.0      65,534  10.1.0.0 – 10.1.255.255
• http://www.aelius.com/njh/subnet_sheet.html
IP Addresses / Subnetting
• I have done /16's (255.255.0.0). Not the best practice, but it is easier to
remember different subnets. I could achieve the same result by doing a
/22 or a /21.
• 10.0.x.x – Servers
10.1.x.x – Admin Wired
10.1.1.x – Static IP’s
10.1.2.x – DHCP Reservations (exclude from the main DHCP Scope)
10.1.3.x to 10.1.8.x – DHCP Addresses
10.2.x.x – Elem Wired
10.3.x.x – MS/HS Wired
10.11.x.x – Admin Wireless
10.12.x.x – Elem Wireless
10.13.x.x – MS/HS Wireless
10.14.x.x – Guest Wireless
• You want to keep device counts per VLAN down to make each broadcast domain smaller. Broadcasts go to every host on the network, and on a large network this degrades performance.
IPv6
• Anyone started looking at IPv6? Reserved IPv6 Address
Space?
IPv6
• IPv6 Key Items
• IPv6 is already running on your network and you didn't have to do anything: every modern OS enables it by default and at least configures link-local addresses.
• Dual-stack devices prefer IPv6 over IPv4 routes when both are available for a destination.
• With the IoT (Internet of Things), many technical and non-technical devices are going to communicate on the network. That's a lot of IPs that will be needed!
• You will not run out of IP addresses. A standard IPv6 subnet is a /64, so each subnet has 2^64 = 18,446,744,073,709,551,616 addresses. Each of your subnets will have more IPs than IPv4 has in its entirety!
• Don't make a subnet smaller than a /64 (that is, a longer prefix such as /72 or /120). SLAAC requires a /64 and anything longer will cause you issues!
• We don't need no stinking NATs: every device can have a globally routable address. Globally addressable is not the same as globally reachable, though; your firewall still has to filter inbound IPv6 the way it filters IPv4.
IPv6
• IPv6 Key Items
• It is not urgent yet to implement IPv6, but it should not be ignored either, since IPv6 is a whole different beast from IPv4.
• New IPv4 public addresses are harder to get. If you need additional public IPs, IPv6 may be your only option.
• Make sure new devices are IPv6 ready. "IPv6 ready" can mean a lot of different things (management only, data plane only, no first-hop security features), so ask the vendor specifically what is supported.
• You will more than likely run IPv4 and IPv6 both at the same time; this is called dual stack.
• IPv6 addresses are written in hex rather than decimal and look like this:
• 2620:11B0:A12F:134F:FCBA:A94D:4321:5678
• 2620:11B0:A12F:: = 2620:11B0:A12F:0000:0000:0000:0000:0000 (the "::" stands in for one run of all-zero groups and may appear only once in an address)
IPv6
• How can you tell if your computer is accessing a website
in IPv6?
• IPvFoo Extension for Google Chrome. This is good when you are
testing IPv6 to ensure everything is working as expected.
IPv6 Security Concerns
• Microsoft does not recommend you disable IPv6 on your clients or servers.
• Since dual-stack computers prefer IPv6, an attacker on your LAN who sends rogue Router Advertisements (or answers DHCPv6) can make himself the IPv6 default gateway and DNS server and hijack traffic on your "IPv4-only" network today. Be sure to review the documents below.
• Block rogue DHCP servers (DHCP snooping for IPv4, DHCPv6 Guard for IPv6) and rogue Router Advertisements (RA Guard).
• http://blogs.cisco.com/perspectives/ipv6-first-hop-security
• http://www.cisco.com/c/en/us/td/docs/iosxml/ios/ipv6_fhsec/configuration/xe-3s/ip6f-xe-3s-book/ip6-ra-guard.pdf
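The RA Guard and DHCPv6 Guard configuration the two Cisco documents above describe, as an added example that is not part of the slides. The policy names, the choice of GigabitEthernet1/0/6 as a host port and GigabitEthernet2/0/24 as the port facing your legitimate router are assumptions for illustration; the policy-based syntax shown is from IOS 15.x / IOS-XE, and older 3560/3750 images only have the simpler per-interface "ipv6 nd raguard" command.

```cisco
! Added example (not from the slides). Policy and interface roles are
! assumptions; the uplink must be the port your real router/DHCPv6 server
! sits behind, or you will block your own Router Advertisements.
!
! RA Guard: Router Advertisements are only accepted on ports whose role is
! "router"; on "host" ports they are dropped, so a rogue RA from a laptop
! never reaches the rest of the VLAN.
ipv6 nd raguard policy HOST-PORTS
 device-role host
ipv6 nd raguard policy ROUTER-UPLINK
 device-role router
!
! DHCPv6 Guard: the IPv6 counterpart of DHCP snooping. DHCPv6 server
! messages (ADVERTISE/REPLY) are dropped on client-role ports.
ipv6 dhcp guard policy HOST-PORTS
 device-role client
ipv6 dhcp guard policy ROUTER-UPLINK
 device-role server
!
! Edge port: only hosts live here, so neither RAs nor DHCPv6 server
! messages should ever arrive from it.
interface GigabitEthernet1/0/6
 ipv6 nd raguard attach-policy HOST-PORTS
 ipv6 dhcp guard attach-policy HOST-PORTS
!
! Uplink toward the legitimate router / DHCPv6 server.
interface GigabitEthernet2/0/24
 ipv6 nd raguard attach-policy ROUTER-UPLINK
 ipv6 dhcp guard attach-policy ROUTER-UPLINK
!
! Verify which policy is attached where:
!   show ipv6 nd raguard policy HOST-PORTS
!   show ipv6 dhcp guard policy HOST-PORTS
```

Two caveats: on a 3750-X the IPv6 features only work once the switch runs the dual IPv4/IPv6 SDM template ("sdm prefer dual-ipv4-and-ipv6 default" followed by a reload), and early RA Guard implementations could be evaded with Router Advertisements hidden behind fragmented extension headers (RFC 7113), so run a release that implements that advice and treat RA Guard as one layer rather than the only one.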
IPv6: LISD & MCISD Consortium
• We purchased a /40 since we are treating each of our 20+ districts as a site.
Number of Sites    Prefix Block Size
1                  /48
2-12               /44
13-192             /40
193-3,072          /36
3,073-49,152       /32
• Our assignment:
Net Range: 2620:11B:1000:: - 2620:11B:10FF:FFFF:FFFF:FFFF:FFFF:FFFF
CIDR: 2620:11B:1000::/40 (Direct Assignment)
Net Name: LENAWEE-MONROE-TECHNOLOGY-CONSORTIUM
• IPv6 takes quite a bit of planning if you do it correctly.
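One way to carve the consortium's /40 into a per-district /48 and per-VLAN /64s on a dual-stack core, as an added example that is not part of the slides. The district numbering (district 01 = 2620:11B:1001::/48), the use of the VLAN ID written as hex digits for the /64 subnet ID, the transit /64 toward the firewall and its next-hop address are all assumptions for illustration; the IPv4 addresses follow the plan on the subnetting slide.

```cisco
! Added example (not from the slides). District numbering, the "VLAN ID as
! subnet ID" convention and the transit/next-hop addresses are assumptions.
!
! /40 consortium -> /48 per district -> /64 per VLAN:
!   2620:11B:1000::/40      whole consortium   (256 x /48)
!   2620:11B:1001::/48      district 01        (65,536 x /64)
!   2620:11B:1001:2::/64    district 01, VLAN 2    (Admin Wired)
!   2620:11B:1001:1030::/64 district 01, VLAN 1030 (hex digits = VLAN ID,
!                           so the subnet reads the same as the VLAN number)
ipv6 unicast-routing
!
interface Vlan2
 description Admin Wired Network
 ip address 10.1.2.1 255.255.255.0
 ipv6 address 2620:11B:1001:2::1/64
 ! hosts autoconfigure with SLAAC; "other-config" tells them to ask
 ! DHCPv6 for DNS and domain without DHCPv6 handing out addresses
 ipv6 nd other-config-flag
!
interface Vlan1030
 description Admin Wireless
 ip address 10.11.0.1 255.255.0.0
 ipv6 address 2620:11B:1001:1030::1/64
 ipv6 nd other-config-flag
!
! Transit link to the firewall gets its own /64 out of the district block,
! and the IPv6 default route parallels the IPv4 one from the routing slide.
interface Vlan4000
 description Transit to firewall
 ip address 10.1.1.1 255.255.255.252
 ipv6 address 2620:11B:1001:FFFF::1/64
!
ip route 0.0.0.0 0.0.0.0 10.1.1.2
ipv6 route ::/0 2620:11B:1001:FFFF::2
!
! Verify:
!   show ipv6 interface brief
!   show ipv6 route
```

Keeping the VLAN ID in the subnet ID is what makes an IPv6 address in a log line self-explanatory during an incident: 2620:11B:1001:1030::/64 is obviously district 01's VLAN 1030 without consulting a spreadsheet.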
Routing
• Do you route on your switch or firewall?
• I personally like to route on the core switch rather than
firewall.
• I have a 3750x stacked switch for my core with redundant
connections to my other switches/racks.
• I don't have dual firewalls, so if the firewall goes down and it was doing the network routing, my clients would not be able to access internal servers.
• One less hop that a packet needs to make when crossing subnets.
• If you experience a DDoS or other network attack from the
outside that maxes out your firewall resources, your internal
traffic will still flow as expected.
NATing
• Do you NAT your network traffic out one IP address?
• Since we have a /24 (254 usable public addresses), we are NATing each subnet out a different IP address.
• If abnormal traffic is happening in or out of your network, you can quickly narrow it down to a subnet/location from the public IP alone, before you even open the firewall logs.
• In SYN flood attacks and other types of DDoS attacks, it is easier to have your ISP block a single NAT IP address, sacrificing part of your network, rather than taking down your whole network.
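Per-subnet source NAT on a Cisco IOS router or firewall, as an added example that is not part of the slides. 203.0.113.0/24 (the RFC 5737 documentation block) stands in for your real /24, the interface names and the 10.1.1.0/30 transit link toward the core are assumptions, and the internal ranges follow the /16 plan from the subnetting slide.

```cisco
! Added example (not from the slides). Public block, interface names and
! transit link are assumptions; the internal /16s are from the address plan.
!
interface GigabitEthernet0/1
 description Inside, transit link to core switch
 ip address 10.1.1.2 255.255.255.252
 ip nat inside
!
interface GigabitEthernet0/0
 description Uplink to ISP
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
! One standard ACL per internal range. The ACL decides which translation
! rule a packet hits, so keep the ranges non-overlapping.
ip access-list standard NAT-ADMIN-WIRED
 permit 10.1.0.0 0.0.255.255
ip access-list standard NAT-MSHS-WIRED
 permit 10.3.0.0 0.0.255.255
ip access-list standard NAT-GUEST-WIFI
 permit 10.14.0.0 0.0.255.255
!
! A one-address pool per range. "overload" (PAT) lets thousands of hosts
! share that single address, which is what makes it cheap to give every
! subnet its own.
ip nat pool ADMIN-WIRED 203.0.113.11 203.0.113.11 netmask 255.255.255.0
ip nat pool MSHS-WIRED  203.0.113.13 203.0.113.13 netmask 255.255.255.0
ip nat pool GUEST-WIFI  203.0.113.14 203.0.113.14 netmask 255.255.255.0
!
ip nat inside source list NAT-ADMIN-WIRED pool ADMIN-WIRED overload
ip nat inside source list NAT-MSHS-WIRED  pool MSHS-WIRED  overload
ip nat inside source list NAT-GUEST-WIFI  pool GUEST-WIFI  overload
!
! When the ISP reports abuse from 203.0.113.14 you know it is guest
! wireless, can ask them to drop that one address, and can see who is
! behind it right now:
!   show ip nat translations | include 203.0.113.14
!   show ip nat statistics
```

Pick public addresses whose last octet echoes the internal range (10.14.x.x leaves on .14) and the mapping is readable in any log without a lookup table; the ACL order matters only if ranges overlap, so a catch-all rule for everything else should be listed last.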
Backups
• Do you have a config backup of all your network switches and
firewalls?
• When making a network switch or firewall change, do you create a backup?
• Do this before and after every change. You never know when a switch/firewall is going to bite the dust.
• My first week taking my ISD position, our firewall died. Luckily, we
were able to find a backup that was a year old. Over the next few
days, we had to make corrections for changes since the last backup.
• Cisco Network Assistant
• http://www.cisco.com/c/en/us/support/cloud-systems-management/network-assistant/tsdproducts-support-general-information.html
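Alongside a tool like Cisco Network Assistant, IOS can archive its own configuration every time someone saves and on a timer, and log every configuration command. The following is an added example, not from the slides; the TFTP server 10.1.1.50, the path and the hostname in the rollback commands are assumptions for illustration.

```cisco
! Added example (not from the slides). TFTP server, path and file names are
! assumptions; flash: or scp: paths work the same way.
!
archive
 ! $h = hostname, $t = timestamp, so archived files never overwrite each other
 path tftp://10.1.1.50/configs/$h-$t
 ! take an archive on every "write memory" / "copy run start"
 write-memory
 ! and at least once every 1440 minutes (24 h) regardless
 time-period 1440
 log config
  logging enable
  ! send every config-mode command, with user and source, to syslog
  notify syslog
  ! keep passwords out of the change log
  hidekeys
!
! Before and after a change, from exec mode:
!   archive config
!   show archive
!   show archive log config all
!
! Diff the running config against the archive taken before the change,
! or roll back to it (file name is illustrative):
!   show archive config differences tftp://10.1.1.50/configs/<archived-file> system:running-config
!   configure replace tftp://10.1.1.50/configs/<archived-file>
```

The change log answers "who typed what, and when" when a VLAN disappears on a Friday afternoon; the archive is what lets you restore a config from last night instead of last year, which is the gap the firewall story above describes.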
DOCUMENTATION!!!!!!!
• Don't overlook this!
• Comments/descriptions go a long way in switch and firewall configs. Too much information is better than none.
• Keep an Excel file/OneNote notebook of important information about the network, servers, website logins, software licensing, etc. Password protecting the file is a very good idea in case the file gets out. See the sample file located in the 2015 Spring PD Day resources.
• Keep a repository of technical items (i.e. Cisco commands). OneNote is really good for managing items like this.
• Use KeePass or another password manager to encrypt/store passwords; a password-protected spreadsheet is not a substitute for one.
Document during Major Issues
• When we experienced our DDoS attacks, we spent weeks troubleshooting and tracking them down.
• I highly recommend you start documenting and taking screenshots of suspicious activity during issues, since you will forget what you have done or the total time spent by you and others in your department.
• After things clear up and you resolve the issue, if needed, you will be able to provide your total time spent working on the issue and have evidence if you need to submit this to law enforcement.