Transcript Slide 1

Mike Meyers’ CompTIA Network+® Guide to Managing and
Troubleshooting Networks, Third Edition (Exam N10-005)
Advanced Networking Devices
Chapter 12
© 2012 The McGraw-Hill Companies, Inc. All rights reserved.
Objectives
• Discuss client/server and peer-to-peer topologies
• Describe the features and functions of VPNs
• Configure and deploy VLANs
• Implement advanced switch features
Overview
Introduction to advanced network devices
• Simple devices each work at one OSI layer
• Advanced devices work at multiple layers
• Home router really a multilayer switch
• CompTIA’s logical network topologies
– The way network systems are organized
– Client/server, peer-to-peer, VPN, and VLAN
Three parts to Chapter 12
• Logical network topologies
• VLAN in depth
• Multilayer switches
Logical network topologies
• Logical network topologies
– Beyond physical or signaling topologies
– Software architecture model
– Roles computers play in network
• Servers
• Clients
• Client/server topologies
– Dedicated servers
– Dedicated clients
• Servers
• Clients
– Earliest networks used this model
– Novell NetWare servers
Figure 12.1 A simple client/server network
Figure 12.2 Novell NetWare in action
• Peer-to-peer topologies
– Microsoft’s early Windows versions
– Any system server, client, or both
– Depends on configuration
– Windows 9x common example
– Lack of security a problem – no user accounts
• Permissions Read Only or Full Control
• Available to anyone connected over network
Figure 12.3 Sharing options in Windows 98
• Peer-to-peer today
– Adopted by every modern operating system
– Now offers more robust security
• User accounts
• More advanced permissions
Figure 12.4 µTorrent downloading
• Peer-to-peer and client/server today
– Updated – linked to individual applications
– E-mail client and e-mail server
• Outlook a dedicated client
• MS Exchange Server a dedicated server
– Peer-to-peer (P2P) applications
• Act as both client and server
• File-sharing applications
– Bit Torrent, LimeWire, DC++
• Virtual private network (VPN)
– VPN over Internet
• Alternative to expensive remote connections
• Connection using an encrypted tunnel
– Data encrypted and decrypted at endpoints
– Connecting computers must have same network ID as network
– Tunneling protocols: PPTP and L2TP
Figure 12.5 VPN connecting computers across the United States
Figure 12.6 Typical tunnel
Figure 12.7 Endpoints must have their own IP addresses.
• PPTP VPNs
– Point-to-Point Tunneling Protocol (PPTP)
– Advanced version of PPP
– One endpoint on client—other on Routing and Remote Access Service (RRAS)
– Clients use a virtual NIC that acquires a DHCP address
– Client connects to RRAS, PPTP creates tunnel over Internet
Figure 12.8 RRAS in action
Figure 12.9 VPN connection in Windows
Figure 12.10 VPN on a Macintosh OS X system
• L2TP VPNs
– Layer 2 Tunneling Protocol (L2TP)
– Cisco developed
– Good features of PPTP plus…
– Added support to run on most connections
– Moved the endpoint on the local LAN
• VPN concentrator can be endpoint
• Can connect two remote LANs using two VPN concentrators
• L2TP has no authentication or encryption
– Usually uses IPSec for security
– Technically should be “L2TP/IPSec” VPN
– Connects client to LAN or LAN to LAN
– VPN clients in all OSs support L2TP/IPSec
• Site-to-site VPNs
– Used to connect two LANs separated by a WAN or the cloud
– Uses a VPN concentrator
– Slower, but cheaper, than dedicated leased line between LANs
Figure 12.11 Cisco 2811 Integrated Services Router
• SSL VPNs
– VPNs using Secure Sockets Layer
– Work at the Transport layer
– Don’t require any special client software
– Clients connect using Web browser
– Traffic secured using SSL
– Two most common types are SSL Portal and SSL Tunnel VPNs
• SSL VPNs (cont.)
– SSL portal VPNs
• Client accesses VPN and is presented with a secure Web page
• Able to access anything on that page, such as email, data, links, etc.
• SSL VPNs (cont.)
– SSL tunnel VPNs
• Client browser runs an active control, such as Java or Flash
• Enables much greater access to VPN-connected network
• Creates a more typical client-to-site connection than SSL portal VPNs
• User must have sufficient permissions to run active browser controls
• Alternatives to PPTP, L2TP, and SSL
– Majority of VPNs use PPTP or L2TP
– Open VPN using Secure Shell (SSH)
– Pure IPSec using IPSec tunneling
VLANs in depth
• VLAN
– Virtual Local Area Network (VLAN)
– Used by all but smallest LANs
• Serious networks are complex
– Remote incoming connections
– Public Web or e-mail servers
– Wireless networks
– String of connected switches
– Tremendous amount of traffic
– Security Issues
• VLANs as solution
– Separate networks with multiple switches
– Segment networks using switches
• Break up broadcast domains
• Serious networks have more than one switch
• Trunking connects VLANs on separate switches
• One port on each switch is trunk port
• Inter-Switch Link (ISL) Cisco form of trunking
Figure 12.12 Switch with two VLANs
Figure 12.13 Two switches, each with a VLAN 2 and a VLAN 1
Figure 12.14 Trunk ports
• VLANs today
– Every Ethernet switch uses IEEE 802.1Q
– Connect switches from different sources
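The trunk ports described under “VLANs as solution” and the IEEE 802.1Q tag named on this slide are easiest to understand at the byte level. The following Python is an added example, not code from the book or its slides: it builds Ethernet frames with and without the 4-byte 802.1Q tag, parses the tag back out (TPID 0x8100 followed by the 3-bit PCP, 1-bit DEI and 12-bit VID), and applies a simplified access-port versus trunk-port ingress policy. The MAC addresses, payload, port roles and drop rules are constructed assumptions; real switches differ in detail.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # TPID that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed sample values (not from the slides): broadcast destination,
# a locally administered source MAC and a dummy payload.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
PAYLOAD = b"constructed-ipv4-payload-stub"


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame, inserting a 4-byte 802.1Q tag when vlan_id is given."""
    header = dst + src
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)          # PCP(3) | DEI(1) | VID(12)
        header += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    header += struct.pack("!H", ethertype)
    return header + payload


def parse_frame(frame):
    """Split a frame into addresses, optional VLAN tag fields, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


# Two constructed switch-port roles: an access port in VLAN 1 and a trunk port
# carrying VLANs 1, 2 and 10 with VLAN 1 as the untagged (native) VLAN.
ACCESS_PORT = {"mode": "access", "vlan": 1}
TRUNK_PORT = {"mode": "trunk", "native": 1, "allowed": {1, 2, 10}}


def classify_ingress(frame, port):
    """Return the VLAN a frame is placed in on ingress, or None if the port drops it.

    Simplified policy (an assumption of this example): access ports accept only
    untagged frames; trunk ports map untagged or VID-0 (priority-only) frames to
    the native VLAN and drop VIDs outside the allowed list.
    """
    vlan = parse_frame(frame)["vlan"]
    if port["mode"] == "access":
        return port["vlan"] if vlan is None else None
    if vlan is None or vlan["vid"] == 0:
        return port["native"]
    return vlan["vid"] if vlan["vid"] in port["allowed"] else None


UNTAGGED_FRAME = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD)
TAGGED_FRAME = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, vlan_id=2, pcp=5)
STRAY_FRAME = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, vlan_id=99)

if __name__ == "__main__":
    for name, frame in [("untagged", UNTAGGED_FRAME), ("vlan 2", TAGGED_FRAME), ("vlan 99", STRAY_FRAME)]:
        print(name, parse_frame(frame)["vlan"],
              "access->", classify_ingress(frame, ACCESS_PORT),
              "trunk->", classify_ingress(frame, TRUNK_PORT))
```

The allowed-VLAN list on the trunk is the check that matters for segmentation: a tag for a VLAN the trunk does not carry is discarded instead of being forwarded into that broadcast domain.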
• Configuring a VLAN-capable switch
– Connect to Web server on switch
– Cisco Catalyst models
– Simple switches at Layer 2 (use MAC addresses)
– Managed switches use Layer 3 (IP addresses)
– Define the VLANs
– Assign MAC addresses or ports to VLANs
Figure 12.15 Catalyst 2950 Series Device Manager
Figure 12.16 Defining VLANs in Cisco Network Assistant
Figure 12.17 Assigning a port to a VLAN
• Virtual Trunk Protocol (VTP)
– Large networks with many VLANs would require a LOT of manual updates
– VTP is a proprietary Cisco protocol that automates updating multiple VLAN switches
– Three states: Server, Client, or Transparent
– Updating configuration of the Server switch updates all other switches in the Client state in minutes – Transparent doesn’t update
• InterVLAN routing
– Each VLAN a separate broadcast domain
– Need router to communicate between
– Problems with physical routers
– Some switches can do InterVLAN routing
– Cisco 3550
• Supports VLANs and virtual routers
• Works at Layers 2 and 3
Figure 12.18 One router connecting multiple VLANs
Figure 12.19 Cisco 3550
Figure 12.20 Setting up interVLAN routing
Multilayer switches
• Multilayer switches & InterVLAN routing
– Example: Cisco 3550
• Supports VLANs and virtual routers
• Works at Layers 2 and 3
– On Layer 2 switches, ports do not have IP addresses
– On a router, every port MUST have an IP address (due to routing table)
– Multilayer ports can be configured either way
• Load balancing
– Load balancing: many servers look like one
– Creates a server cluster
– Requests are distributed evenly
– Many load balancing methods
– Common to use advanced network devices
• DNS load balancing
– Oldest and most common method
– Each server has its own IP address
– Multiple A records for one FQDN
– DNS server cycles through A records
– Windows DNS “Enable round robin”
– BIND DNS server has more features
– Requires multiple DNS servers
Figure 12.21 Multiple IP addresses, same name
Figure 12.22 Enabling round robin
• Using a multilayer or content switch
– Client cache problem with DNS load balancing
– Hide all Web servers behind one IP address
– Special multilayer switch (Layers 3 and 4)
• Is a router performing NAT and port forwarding
• Queries hidden Web server
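The DNS load-balancing slide and the “client cache problem” bullet on this slide describe why a resolver cache undoes round-robin DNS and why hiding every Web server behind one address fixes it. The following Python is an added example, not code from the book: it simulates an authoritative server rotating three A records, a client-side cache that reuses an answer until its TTL expires, and a virtual-IP balancer that NATs each new connection to the next backend the way a multilayer switch does. The zone name, the addresses (taken from the RFC 5737 documentation ranges) and the request pattern are constructed.

```python
import itertools
from collections import Counter

# Constructed zone data: one FQDN answered by three A records, one per Web server.
FQDN = "www.example.test."
ZONE = {FQDN: ["192.0.2.10", "192.0.2.11", "192.0.2.12"]}


class RoundRobinDNS:
    """Authoritative server that rotates the A-record order on every answer."""
    def __init__(self, zone):
        self.zone = {name: list(rrs) for name, rrs in zone.items()}
        self.answered = Counter()

    def resolve(self, name):
        rrs = self.zone[name]
        k = self.answered[name] % len(rrs)
        self.answered[name] += 1
        return rrs[k:] + rrs[:k]        # rotated copy; clients normally use the first entry


class CachingStub:
    """Client-side resolver: reuses an answer until its TTL (seconds) expires."""
    def __init__(self, server, ttl):
        self.server, self.ttl, self.cache = server, ttl, {}

    def lookup(self, name, now):
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0]
        ip = self.server.resolve(name)[0]
        self.cache[name] = (ip, now + self.ttl)
        return ip


def simulate_dns_lb(n_clients, requests_per_client, ttl):
    """Count which server each request lands on when clients cache DNS answers."""
    server = RoundRobinDNS(ZONE)
    clients = [CachingStub(server, ttl) for _ in range(n_clients)]
    hits = Counter()
    for t in range(requests_per_client):       # one request per client per second
        for client in clients:
            hits[client.lookup(FQDN, now=t)] += 1
    return dict(hits)


class VirtualIPBalancer:
    """Multilayer-switch style: one public address; every new flow is NAT'd to a backend."""
    def __init__(self, vip, backends):
        self.vip, self.backends = vip, list(backends)
        self.nat_table = {}                      # (client_ip, client_port) -> backend
        self.next_backend = itertools.cycle(self.backends)

    def accept(self, client_ip, client_port):
        key = (client_ip, client_port)
        if key not in self.nat_table:            # new connection: pick the next server
            self.nat_table[key] = next(self.next_backend)
        return self.nat_table[key]


def simulate_vip(n_connections):
    """One client that only ever resolves the VIP still spreads its connections."""
    lb = VirtualIPBalancer("203.0.113.1", ZONE[FQDN])
    hits = Counter()
    for port in range(40000, 40000 + n_connections):   # each connection uses a new source port
        hits[lb.accept("198.51.100.7", port)] += 1
    return dict(hits)


if __name__ == "__main__":
    print("DNS round robin, 1 client, TTL 100 s:", simulate_dns_lb(1, 9, ttl=100))
    print("DNS round robin, 1 client, TTL 0 s:  ", simulate_dns_lb(1, 9, ttl=0))
    print("Virtual IP, 1 client, 9 connections: ", simulate_vip(9))
```

With a 100-second TTL a single busy client sends every request to the first server it resolved; with the virtual IP the distribution is even regardless of what the client caches, because the balancing decision moves from the resolver to the device in front of the servers.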
• Using a content switch for load balancing
– Works at Layer 7 (Application)
– Works with Web servers
– Reads incoming HTTP and HTTPS requests
– Handles SSL certificates and cookies
– Takes workload off Web servers
– Passes cookies to Web browsers
Figure 12.23 Layer 7 content switch
• QoS and traffic shaping
– Quality of Service (QoS)
• Controls bandwidth use
• Rules-based policies prioritize traffic
– Traffic shaping
• Bandwidth management
• Controls flow of packets in or out
• Guarantees a certain amount of bandwidth and/or latency
• Popular where IT must control user activities
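The QoS and traffic-shaping bullets on this slide amount to two mechanisms: a rule-based classifier that ranks traffic, and a shaper that enforces a bandwidth budget by delaying packets rather than dropping them. The following Python is an added example, not code from the book: it puts a strict-priority queue in front of a token-bucket shaper (a common shaping algorithm the slides do not name) and shows a small voice packet overtaking bulk transfers that are waiting for bandwidth. The port-to-class rules, the rate, the bucket size and the packet sizes are constructed assumptions.

```python
import heapq

# Constructed QoS policy: a lower number means a higher priority class.
PRIORITY = {"voice": 0, "web": 1, "bulk": 2}


def classify(dst_port):
    """Rule-based classifier standing in for a QoS policy: pick a class by destination port."""
    if dst_port == 5060 or 16384 <= dst_port <= 32767:
        return "voice"                      # SIP signalling or RTP media
    if dst_port in (80, 443):
        return "web"
    return "bulk"


def schedule(packets, rate, burst, strict_priority=True):
    """Strict-priority queue in front of a token-bucket shaper.

    packets: list of (arrival_seconds, size_bytes, dst_port).
    rate: guaranteed rate in bytes/s; burst: bucket depth in bytes.
    Returns [(class, arrival, departure)] in transmission order. Nothing is dropped;
    a packet that exceeds the budget waits until enough tokens have accrued.
    """
    arrivals = sorted(packets)
    queue, out, i, seq = [], [], 0, 0
    tokens, last, t = float(burst), 0.0, 0.0
    while i < len(arrivals) or queue:
        while i < len(arrivals) and arrivals[i][0] <= t:   # admit everything that has arrived
            a, size, port = arrivals[i]
            i += 1
            pri = PRIORITY[classify(port)] if strict_priority else 0
            heapq.heappush(queue, (pri, a, seq, size, port))
            seq += 1
        if not queue:                                       # link idle: jump to next arrival
            t = arrivals[i][0]
            continue
        _, a, _, size, port = queue[0]
        assert size <= burst, "a packet larger than the bucket can never be sent"
        available = min(burst, tokens + (t - last) * rate)
        ready = t if size <= available else t + (size - available) / rate
        if i < len(arrivals) and arrivals[i][0] < ready:   # a newcomer may outrank the head
            t = arrivals[i][0]
            continue
        heapq.heappop(queue)
        tokens = max(0.0, min(burst, tokens + (ready - last) * rate) - size)
        last = t = ready
        out.append((classify(port), a, ready))
    return out


# Constructed traffic: two 1000-byte FTP-data packets at t=0 and a 200-byte RTP packet
# at t=0.25 s, shaped to 1000 bytes/s with a 1000-byte bucket.
SAMPLE_PACKETS = [(0.0, 1000, 20), (0.0, 1000, 20), (0.25, 200, 16500)]

if __name__ == "__main__":
    for mode in (True, False):
        print("strict priority" if mode else "FIFO only")
        for cls, arrival, departure in schedule(SAMPLE_PACKETS, 1000, 1000, strict_priority=mode):
            print(f"  {cls:5s} arrived {arrival:.2f}s sent {departure:.2f}s")
```

With strict priority the voice packet leaves at 0.25 s, as soon as 200 tokens have accrued; in plain FIFO it waits behind the second bulk packet and leaves at 1.2 s. That difference is the latency guarantee the slide refers to, and the shaper still never exceeds 1000 bytes/s on average.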
Figure 12.24 QOS configuration on a router
• Network protection
– Intrusion protection/intrusion detection
– Port mirroring
– Proxy serving
– Port authentication
• Intrusion detection/intrusion prevention
– Intrusion detection system (IDS)
• Inspects incoming packets
• Network based IDS (NIDS)
• Host-based IDS (HIDS)
• Reporting
– Intrusion protection system (IPS)
• Adds capability to react to attacks
• Can block incoming packets on-the-fly
Figure 12.25 Diagram of network-based IDS
Figure 12.26 OSSEC HIDS
• Port mirroring
– Mirrors data from ports to a single port
– Works like a configurable promiscuous port
– Allows inspection of traffic to or from certain computers
• Proxy serving
– Proxy server between clients and external servers
– Intercepts requests from clients
– Makes requests itself on behalf of clients
– Client must not use DNS to access the type of server that is proxied
• HTTP, SSL, FTP, Gopher, SOCKS
Figure 12.27 Setting a proxy server in Mozilla Firefox
Figure 12.28 Web proxy at work
Figure 12.29 Squid proxy software
• Port authentication
– Authentication at point of connection
– Critical for AAA authentication
• RADIUS, TACACS+, 802.1X
– Many switches and WAPs support it
Figure 12.30 802.1X configuration on a Cisco 2811