PowerPoint Presentation
4.- LAN Design
http://www.redes.upv.es/ralir/en/
- Structured cabling
- Design tools
- Subnetting
- Supernetting (CIDR)
- proxy-ARP and DHCP relay
- Virtual LANs
  - application and concepts
  - IEEE 802.1Q
- Virtual Private Networks
- Intranets/Extranets
Local Area Networks/School of Engineering in Computer Science/2009-2010
Local Area Networks (RALIR) /School of Engineering in Computer Science
Before we start: Icons
- based on Cisco Packet® Icon Library
(figure: icon legend for Switch, Multilayer switch, PC, Hub (100baseT), Hub, Router, Server and Bridge)
LAN Design Goals
- One of the most critical steps to ensure a fast and stable network is the design of the network. This design activity is truly an in-depth process, which includes:
  - Defining all of the layer 1, 2 & 3 devices along with the LAN and WAN topology
  - Documenting the physical and logical network implementation
- Functionality - the network must work with reasonable speed and reliability.
- Scalability - the network must be able to grow without any major changes to the overall design.
- Adaptability - the network must be designed with an eye toward future technologies, and should include no element that would limit implementation of new technologies as they become available.
- Manageability - the network must be designed to facilitate network monitoring and management.
Thanks to Abdullah Mat Safri
Basic Network Planning & Design
- Network planning - a process of defining business requirements and growth plans
  - Build a framework for connecting computers and other equipment in an organization.
- Why plan first?
  - It eases the process
  - It increases the likelihood that the chosen network solution matches requirements now and in the future
- So, how do I get started?
  - Step 1 - Assessing business or organization needs
    - The size and purpose of the organization
    - The amount budgeted for network and computer resources
    - Will there be a need for high-speed communications?
Basic Network Planning & Design
    - Consider usage requirements
      - How many people will use the network?
      - How many network devices (nodes)?
      - Define the requirements for each user/department/office (wired etc.)
      - Plan for the future (office expansion, new staff, etc.)
    - Document these as a brief requirements report
  - Step 2 - Network hardware requirements
    - Based on step 1
    - What other devices will the network support?
    - How many network points?
    - Network device specification based on requirements (wired or wireless? How many hub/switch ports to support? What specification satisfies current and future needs?)
    - Do the hardware checklist
Hardware Checklist (figure)
Basic Network Planning & Design
  - Step 3 - Network design
    - What network topology to use?
    - Type of cabling
    - Where will the network cables be located?
    - Where will you locate the following devices: servers, hubs or switches, printers, modems etc.?
    - Layout of the premises, organization, building, office etc.
    - Plan on running the cabling under floors, over ceilings, or around dividers
    - Create a diagram for the network to be implemented
    - Include the following information in the plan:
      - Number and kinds of server and host computers
      - Network topology
      - Network communications media
      - Types of network devices
      - Telecommunications services
    - Do the design
Room Diagram Example
(figure: floor plan of networking lab FSK 5 "Makmal Network 1" at KUKTEM, a networking workshop drawn for 30 students and again for 40 students, with a networking tools rack, an office of 192 sq. ft., desk dimensions, and a lab requirements list: student computers, chairs and desks, an instructor desk with computer and chair, LCD projector and screen, whiteboard, rack, scanner and printer)
Floor Plan and Building Plan Example
(figure: KUKTEM campus LAN structured cabling design. The ICT Centre links to the Academic, Tutorial, Library, Admin (Lecture Hall 1 & 2), Incubator 1-4, Female Hostel (FH6) and Male Hostel (MH3) blocks. Each level (Ground, Level 1, Level 2) has a UTP Cat 6 48-port node, plus UTP Cat 6 backbones for door access (2 pairs), IP cameras (2 pairs) and block wireless (2+2+2+1 = 7 pairs))
Network Layout Design Example - Logical & Physical Design (figure)
Schematic Diagram Example
(figure: network conceptual design with CORE Switch A (Academic) and CORE Switch B (ICT Center) joined by 1 x 10 Gbps; local floor switches and hostel block switches (MH1, MH4, MH5, MH6, MH7 ground floors) attach with 2 x 1 Gbps links; outdoor and indoor/floor wireless access points hang off the floor and block switches)
Basic Network Planning & Design
  - Step 4 - Estimate network cost
    - Develop cost estimates
    - Select network equipment based on what the organization can afford
    - Calculate networking costs in terms of two factors:
      - Component costs
      - Human resource costs
  - Step 5 - Set the timeframe for the network setup
    - Use a Gantt chart to list all the work involved, from starting the work through completing the network installation up to testing the functionality of the new network
    - Always provide checklists and forms where appropriate.
    - Always compile and document all work being done: checklists, forms, labeling, testing and others.
Cost Estimation And Gantt Chart Example (figure)
4.- LAN Design
- Structured cabling
- Design tools
- Subnetting
- Supernetting (CIDR)
- Network Address Translation (NAT)
- proxy-ARP and DHCP relay
- Virtual LANs
  - application and concepts
  - IEEE 802.1Q
- Virtual Private Networks
- Intranets/Extranets
Structured Cabling System
- Structured cabling is a set of standards for cable installers to follow, defined by EIA/TIA, used all over the world to install physical cabling and networks in a safe and orderly fashion!
- Standards EIA/TIA-568 and ISO 11801
- Includes cabling for all applications, including LANs, voice, video, etc.
- Vendor and equipment independent
- Designed to encompass the entire building, so that equipment can be easily relocated
- Provides guidance for pre-installation in new buildings and renovations
Some terminology
- Vertical cabling (Backbone cabling) - cabling that provides interconnections between wiring closets, between wiring closets and the POP, and between buildings that are part of the same LAN.
- Horizontal cabling - runs from the central room to all rooms in your organization and eventually to all PCs
- MDF - Main Distribution Facility. Primary communications room for a building. Central point of a star networking topology where patch panels, hub, and router are located.
  - Telecommunications room
- IDF - Intermediate Distribution Facility. Secondary communications room for a building using a star networking topology. The IDF is dependent on the MDF.
Thanks to Michael Meyers
Telecommunications Room
- Telecommunications Room (Central Room)
(figure: Equipment Room)
Equipment Racks
- EIA/TIA’s structured cabling standards define special components you need in the telecommunications room, including: Equipment Rack, Patch Panel, Hub/Switch, Servers
- Equipment is mounted into equipment racks, a central component
- Racks are 19 inches wide but vary in height
Equipment Racks
- Equipment racks
  - Most equipment rooms use a floor-mounted equipment rack
  - A smaller network may be able to use a wall-mounted short rack or just a wall-mounted patch panel
Rack Mountable Equipment
- Equipment Rack Devices
  - Hubs
  - Switches
  - Servers
  - Uninterruptible Power Supplies (UPSs)
(figure: rack mounted UPS)
Horizontal Cabling
- Horizontal cabling is used to connect the Telecommunications room (central room) to all of the other work areas throughout your organization
- A single piece of horizontal cabling is called a run
(figure: Horizontal cabling)
Patch Panels and Cables
- All Horizontal cabling runs to the Equipment room where it gets punched down into the Patch Panel/Punch Down Block
Patch Panels and Cables
- A patch panel is the box where you run all horizontal cabling to & punch down all cabling into the back of the patch panel (the punch down block side)!
- Horizontal cabling is punched down to the back of the Patch Panel, & then you run a Patch Cable from the front ports to the Hub or Switch
Patch Cables
- Once the horizontal cabling is run and connected to the back of the patch panel (punched down) then you can use patch cables to connect the Patch Panel to the central hub/switch in the main Equipment Room
- Patch cables are short 2 to 5 foot straight-through UTP cables using a stranded wire core (not solid core)
Patch Panels
- Patch Panels can get messy over time, so label your patch panels (so your Equipment Room doesn’t get too messy)
- You might have a variety of different types of ports such as UTP, STP, or fiber ports
Work Area
- The work area is simply the office where the PC is located
(figure: Work area)
Wall Outlet
- It is a good idea to label your wall outlet to identify the position on the patch panel in the closet where the cable goes
- In this picture A320 would match up to the A320 patch panel connection in the Equipment Room
Limitations to Network Design
- The horizontal cable (solid core) may be at most 90 meters in length according to the EIA/TIA 568 specification, so that means you have 90 meters between your telecommunications room and the wall-jack of each work area room
- The patch cables (stranded core) in the work area may be up to 10 meters (maximum) in length
- The patch cables used in the telecommunications room to connect the Patch Panel to the Switch (stranded core) can be up to 6 meters in length
Telecommunication Room
- Distance
  - Choose an equipment room location that is centrally located to keep maximum runs to 90 meters
- Power
  - Generally put your equipment room outlets on their own dedicated circuit
- Dryness
  - Choose a dry room with low humidity
- Coolness
  - Telecommunication Rooms get warm; make sure there is an air conditioning duct in the room
Pulling Cable
- Good cable management is important and must adhere to local codes, EIA/TIA, and the National Electrical Code (NEC) rules
- Proper hooks and cable trays should be used
Equipment Room Cables
- Many cables coming from work areas must be consolidated in the equipment room
- Special cable guides will help to bring the cables down to the equipment rack
Connecting the Patch Panels
(figure: poor cable management vs. good cable management)
Labeling the Cable
- Organize the patch panel based on your network
  - Either based on the physical layout of the network
  - Or based on user groups
- EIA/TIA defined the 606 labeling scheme
- Design a labeling scheme that matches your network’s organization
- Label the outlet in the work area and the jack on the patch panel with the same number
- Color coding may be desirable
Labeling
(figure: well organized patch panels; the labels on the patch panel and the outlet match)
Simple Cable Testers
- Continuity Testers
  - Simple cable testers cost under 100€ and only test for breaks in the wire by testing continuity (they are called Continuity testers)
Time Domain Reflectometer
- TDR Testers
  - A medium priced cable tester (around 400+€) can determine the length of the cable and where a break is located
  - Called a Time Domain Reflectometer (TDR)
Fiber Optic cable testers
- There are ‘Fiber Optic’ cable testers as well, known as OTDR (Optical Time Domain Reflectometer)
Collision and Broadcast Domains
- A collision domain is a section of network where packet collisions can occur if two nodes attempt to communicate at the same time.
- A broadcast domain includes all of the hosts that a broadcast frame transmitted by a single host can reach.
  - As routers do not pass broadcast traffic, they form a boundary of a broadcast domain.
  - All hosts in a broadcast domain share a common Layer 3 network address. In TCP/IP terminology this means that they are on the same subnet.
subnetting
IP Addresses
(figure: IP header fields, 32 bits per row)
- version (4 bits), header length, Type of Service/TOS (8 bits), Total Length in bytes (16 bits)
- Identification (16 bits), flags (3 bits), Fragment Offset (13 bits)
- TTL Time-to-Live (8 bits), Protocol (8 bits), Header Checksum (16 bits)
- Source IP address (32 bits)
- Destination IP address (32 bits)
Ethernet frame: Ethernet Header | IP Header | TCP Header | Application data | Ethernet Trailer
IP Addresses
(figure: the same IP header with the field values of one example packet)
- version 0x4, header length 0x5, TOS 0x00, Total Length 44 (decimal)
- Identification 9d08 (hex), flags 010 (binary), Fragment Offset 0000000000000 (binary)
- TTL 128 (decimal), Protocol 0x06, Header Checksum 8bff (hex)
- Source IP address 128.143.137.144
- Destination IP address 128.143.71.21
Ethernet frame: Ethernet Header | IP Header | TCP Header | Application data | Ethernet Trailer
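The example header above, decoded in code as an added example (not from the slides): the 20-byte header is constructed here to carry exactly the slide's field values, and the parser checks the length fields and recomputes the header checksum, the sanity checks a packet filter or IDS performs before trusting any field. Function names are this example's own.

```python
import struct

# Constructed 20-byte IPv4 header carrying the slide's example values:
# version 4, IHL 5, TOS 0x00, total length 44, identification 0x9d08,
# flags 010 (DF), fragment offset 0, TTL 128, protocol 6 (TCP),
# checksum 0x8bff, 128.143.137.144 -> 128.143.71.21.
SLIDE_HEADER = bytes.fromhex(
    "45 00 00 2c 9d 08 40 00 80 06 8b ff 80 8f 89 90 80 8f 47 15"
)


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the header with its checksum field zeroed."""
    data = header[:10] + b"\x00\x00" + header[12:]
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed IPv4 header and report whether its checksum is valid."""
    if len(packet) < 20:
        raise ValueError("need at least 20 bytes for an IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    header_len = ihl * 4                    # IHL counts 32-bit words
    if header_len < 20 or header_len > len(packet):
        raise ValueError("header length field is inconsistent with the data")
    if total_len < header_len:
        raise ValueError("total length is smaller than the header length")
    return {
        "version": version,
        "ihl": ihl,
        "tos": tos,
        "total_length": total_len,
        "identification": ident,
        "flags": flags_frag >> 13,          # top 3 bits: reserved, DF, MF
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,
        "checksum": csum,
        "checksum_ok": ipv4_checksum(packet[:header_len]) == csum,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


if __name__ == "__main__":
    for field, value in parse_ipv4_header(SLIDE_HEADER).items():
        print(f"{field:16} {value}")
```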
What is an IP Address?
- An IP address is a unique global address for a network interface
  - Exceptions:
    - Dynamically assigned IP addresses (DHCP)
    - IP addresses in private networks (NAT)
- An IP address:
  - is a 32 bit long identifier
  - encodes a network number (network prefix) and a host number
Network prefix and host number
- The network prefix identifies a network and the host number identifies a specific host (actually, interface on the network).
  (figure: address split into network prefix | host number)
- How do we know how long the network prefix is?
  - Before 1993: The network prefix is implicitly defined (class-based addressing)
  or
  - After 1993: The network prefix is indicated by a netmask.
Dotted Decimal Notation
- IP addresses are written in a so-called dotted decimal notation
- Each byte is identified by a decimal number in the range [0..255]:
- Example: 128.143.137.144
    1st Byte  10000000 = 128
    2nd Byte  10001111 = 143
    3rd Byte  10001001 = 137
    4th Byte  10010000 = 144
Netmask application example
- Example: ellington.cs.virginia.edu = 128.143.137.144
  - Network address is: 128.143.0.0 (or 128.143)
  - Host number is: 137.144
  - Netmask is: 255.255.0.0 (or ffff0000)
Special IP Addresses
- Reserved or (by convention) special addresses:
  - Loopback interfaces
    - all addresses 127.0.0.1-127.255.255.255 are reserved for loopback interfaces
    - Most systems use 127.0.0.1 as loopback address
    - loopback interface is associated with name “localhost”
  - IP address of a network
    - Host number is set to all zeros, e.g., 128.143.0.0
  - Broadcast address
    - Host number is all ones, e.g., 128.143.255.255
    - Broadcast goes to all hosts on the network
    - Often ignored due to security concerns
  - Test / Experimental addresses
    - Certain address ranges are reserved for “experimental use”. Packets should get dropped if they contain this destination address (see RFC 1918):
      - 10.0.0.0 - 10.255.255.255
      - 172.16.0.0 - 172.31.255.255
      - 192.168.0.0 - 192.168.255.255
  - Convention (but not a reserved address)
    - Default gateway has host number set to ‘1’, e.g., 192.0.1.1
Classful Addressing
- IP address space broken into 5 classes: A B C D E
- First byte of address identifies class
  - A B C : Unicast
  - D : Multicast
  - E : Reserved
Netid and Hostid
- Netid = block, Hostid = address
  - A: 128 blocks, 16,777,216 addresses/block
  - B: 16,384 blocks, 65,536 addresses/block
  - C: 2,097,152 blocks, 256 addresses/block
  - D: 1 block reserved for multicasting
  - E: 1 block reserved for special purposes, e.g. NAT
Problems with Classful Addressing
- Class A blocks are larger than most organisations need
  - Millions of Class A addresses are wasted
  - Almost no Class A blocks left
- Class B blocks are larger than many organisations need
  - Many Class B addresses are wasted
  - Running out of Class B addresses
- Class C blocks are smaller than most organisations need
  - Class C blocks are not very useful on their own
  - Class C blocks still available
- It might be useful for the same administrative domain to contain several different networks:
  - Different link layer protocols without complex bridges
  - Different administrative subdomains
  - Smaller tables on routers
- The first solution is to carve sub-networks (“subnets”) out of larger Class-B networks
Subnets
- Example, for a class B address (16 bit netid, 16 bit hostid)
  - 141.14.0.0 would be the address of the network (notice the hostid is all 0).
  - Using default mask 255.255.0.0, all addresses on this network would have the same first 16 bits (141.14)
Subnetting
Example: Division of network into 4 subnets (figure)
- Notice that the Internet still only sees a single network, not the subnets.
Subnets
- Adding a subnet adds another layer of hierarchy
  (figure: the message is first delivered to the network, then to the subnet, then to the host)
Subnet Masks
- A network mask is used when a network is not subnetted.
  - Recall a network mask creates the network address
- If the network is subnetted, then a subnet mask is used.
  - A subnet mask creates the subnetwork address
- Using a subnet mask to find a subnet address. Two Methods:
  - Straight Method
  - Short-Cut Method
Finding the Subnet Address
- Straight Method
  - Use binary notation
  - Apply bit-wise logical AND
  - Resulting address is the subnet address
- Example:
  - What is the subnetwork address if the destination address is 200.45.34.56 and the subnet mask is 255.255.240.0?
  - To help you out, here are the addresses in binary:
    11001000 00101101 00100010 00111000
    11111111 11111111 11110000 00000000
Finding the Subnet Address
- Short-Cut Method
  - Apply some obvious logical short cuts:
    - If a byte in the mask is 255 (which is all binary 1’s), just copy the address byte (that byte won’t change)
    - If a byte in the mask is 0 (which is all binary 0’s), the corresponding byte will also be 0
    - Otherwise, use the straight method for that byte
- Example:
  - What is the subnetwork address if the destination address is 19.30.80.5 and the mask is 255.255.192.0?
    Third byte: 80 = 0101 0000, mask 192 = 1100 0000, AND = 0100 0000 = 64
    Result: 19.30.64.0
Default vs. Subnet Mask
- Basically, a subnet mask has more 1s than the corresponding default mask.
- The leftmost 0s are replaced with 1s
Subnet Mask Details
- Total number of subnetworks is a power of 2
  - i.e., count the number of extra 1s added.
  - Example: on the previous slide, three 1s were added. So… 2^3 subnetworks
- Number of addresses per subnet is also a power of 2
  - Count the number of 0s
  - Example: on the previous slide there were 13 0s. So… 2^13 addresses.
- Special Addresses (i.e. “reserved addresses”)
  - The last address (host id all 1s) is reserved for broadcast within the subnet
  - The first address (host id all 0s) in the subnet is the subnet address
  - According to the RFC 950 (1985) standard
- All CIDR-compliant routing protocols transmit both length and suffix. See RFC 1878 (1995) for a subnetting table with extensive examples.
Designing Subnets
- Step 1: Decide on how many subnets are required (pick a power of 2)
  - i.e. how many departments are there in the organization?
- Step 2: Find the subnet mask
  - X = the number of 1s in the default mask
  - Y = the number of 1s that define the subnets
  - Z = X + Y (total number of 1s)
  - The number of 0s = 32 - Z
- Step 3: Find the range of addresses in each subnet
Designing Subnets: Examples
- Problem 1: A company is granted the site address 201.70.64.0 (class C). The company needs 6 subnets. Design the subnets.
- Problem 2: A company is granted the site address 181.56.0.0 (class B). The company needs 1000 subnets. Design the subnets.
Designing Subnets: Solution to Problem 1 (figure)
Designing Subnets: Solution to Problem 2 (figure)
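The three design steps, worked in code as an added example (not the slides' own solutions): the class and default mask come from the first byte, Y is the smallest number of extra 1s giving at least the required number of subnets, and every subnet's range is listed; subnet_address is the straight method (bit-wise AND) from the earlier examples. Function names are this example's own.

```python
# Added example: the "Designing Subnets" procedure (steps 1-3) plus the
# straight method for finding a subnet address. Not the slides' own code.

def ip_to_int(addr: str) -> int:
    parts = [int(p) for p in addr.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def mask_from_prefix(prefix: int) -> str:
    """Number of leading 1s -> dotted mask, e.g. 27 -> 255.255.255.224."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_ip((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def default_prefix(addr: str) -> int:
    """Classful rule: the first byte identifies the class and so the default mask."""
    first = ip_to_int(addr) >> 24
    if first < 128:
        return 8       # class A, 255.0.0.0
    if first < 192:
        return 16      # class B, 255.255.0.0
    if first < 224:
        return 24      # class C, 255.255.255.0
    raise ValueError("class D/E addresses have no default mask")


def subnet_address(addr: str, mask: str) -> str:
    """Straight method: bit-wise AND of the address with the (sub)net mask."""
    return int_to_ip(ip_to_int(addr) & ip_to_int(mask))


def design_subnets(site: str, required: int) -> dict:
    """Steps 1-3: round up to a power of 2, build the mask, list each subnet's range."""
    if required < 1:
        raise ValueError("need at least one subnet")
    x = default_prefix(site)                 # X = 1s in the default mask
    y = (required - 1).bit_length()          # Y = smallest y with 2**y >= required
    z = x + y                                # Z = total 1s in the subnet mask
    if z > 30:
        raise ValueError("not enough host bits left for usable hosts")
    base = ip_to_int(site)
    if base & ((1 << (32 - x)) - 1):
        raise ValueError(f"{site} is not a network address for its class")
    size = 1 << (32 - z)                     # addresses per subnet = 2**(number of 0s)
    # (subnet address, broadcast address) for every subnet, in order
    ranges = [(int_to_ip(base + i * size), int_to_ip(base + i * size + size - 1))
              for i in range(1 << y)]
    return {
        "subnets": 1 << y,
        "prefix": z,
        "mask": mask_from_prefix(z),
        "addresses_per_subnet": size,
        "ranges": ranges,
    }


if __name__ == "__main__":
    for site, n in (("201.70.64.0", 6), ("181.56.0.0", 1000)):
        d = design_subnets(site, n)
        print(site, n, "->", d["subnets"], "subnets, mask", d["mask"],
              "first", d["ranges"][0], "last", d["ranges"][-1])
```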
Supernetting
- Supernetting
  - Combining several smaller blocks to create a larger range of addresses:
- Motivation
  - Class A and B addresses almost depleted!
  - Recall a class C address only provides 256 addresses (too small for most organizations)
  - Solution: combining several class C addresses into one “supernetwork”
A Supernetwork (figure)
Supernetting
- When we choose class C addresses for a supernet, we should follow these rules:
  - The number of blocks must be a power of 2
  - The blocks must be contiguous in the address space (no gaps between the blocks)
  - The third byte of the first address in the superblock must be evenly divisible by the number of blocks.
    - Example: if there are 4 blocks, the third byte of the first address must be divisible by 4. (i.e. it must be 4, 8, 12, 16, 20, etc.)
  See examples…
Supernetting: Examples
- A company needs 600 addresses. Which of the following sets of class C blocks can be used to form a supernet for this company?
  a) 198.47.32.0 198.47.33.0 198.47.34.0
     No, there are only 3 blocks (not a power of 2)
  b) 198.47.32.0 198.47.42.0 198.47.52.0 198.47.62.0
     No, blocks are not contiguous
  c) 198.47.31.0 198.47.32.0 198.47.33.0 198.47.52.0
     No, there are 4 blocks (and 31 is not divisible by 4)
  d) 198.47.32.0 198.47.33.0 198.47.34.0 198.47.35.0
     Yes! All conditions hold.
  How many addresses do they have?
Supernet Mask
- Recall for subnetting, we need the first address of the subnet and the subnet mask to define the range of addresses
- For supernetting, we need the first address of the supernet and the supernet mask to define the range of addresses
- Comparison between subnet & supernet mask, in reference to the default mask (figure)
Supernet Mask: Examples
- Example 1: We need to make a supernetwork out of 16 class C blocks. What is the supernet mask?
- Solution: We need 16 blocks. For 16 blocks we need to change four 1s to 0s in the default mask. So the mask is
  11111111 11111111 11110000 00000000
  or
  255.255.240.0
Supernet Mask: Examples
- Example 2: A supernet has a first address of 205.16.32.0 and a supernet mask of 255.255.248.0. A router receives three packets with the following destination addresses:
  - 205.16.37.44
  - 205.16.42.56
  - 205.17.33.76
  - Which packet belongs to the supernet?
- Solution
  - We apply the supernet mask to see if we can find the beginning address.
    205.16.37.44 AND 255.255.248.0 = 205.16.32.0
    205.16.42.56 AND 255.255.248.0 = 205.16.40.0
    205.17.33.76 AND 255.255.248.0 = 205.17.32.0
  - Only the first address belongs to this supernet.
Supernet Mask: Examples
- Example 3: A supernet has a first address of 205.16.32.0 and a supernet mask of 255.255.248.0. How many blocks are in this supernet and what is the range of addresses?
- Solution: (subtract the number of 1s)
  - The supernet mask has 21 1s. The default mask has 24 1s. Since the difference is 3, there are 2^3 or 8 blocks in this supernet. The blocks are 205.16.32.0 to 205.16.39.0. The first address is 205.16.32.0. The last address is 205.16.39.255.
Classless Addressing
- What about small businesses & households that need an IP address to connect to the Internet?
  - ISPs are granted several class B or class C blocks
  - They then subdivide these into groups of 2, 4, 8, 16, etc. addresses for household or small business usage.
- Idea:
  - Divide the entire 2^32 address space into variable length blocks.
  - Each block belongs to NO class.
Classless Addressing
 Number of addresses in a block
 Just has to be a power of 2
 Beginning address
 Must be divisible by the number of addresses
 Example
 Which of the following can be the beginning address of a block that
contains 16 addresses?
205.16.37.32
190.16.42.44
17.17.33.80
123.45.24.52
 Solution
 The address 205.16.37.32 is eligible because 32 is divisible by 16. The
address 17.17.33.80 is eligible because 80 is divisible by 16.
Classless Addressing: Example
Another Example
 Which of the following can be the beginning address of a block
that contains 1024 addresses?
205.16.37.32
190.16.42.0
17.17.32.0
123.45.24.52
Solution:
 To be divisible by 1024, the rightmost byte of an address should
be 0 and the second rightmost byte must be divisible by 4. Only
the address 17.17.32.0 meets this condition.
Classless Addressing
 Slash Notation
 A.K.A. CIDR notation (classless inter-domain routing)
 Recall that masks are made up of some 1s followed by some 0s.
 Ex: Instead of 255.255.255.224, or
11111111 11111111 11111111 11100000 we can say that the
mask has 27 1s.
 Notation example:
A small organization is given a block with the beginning address
and the prefix length 205.16.37.24/29 (in slash notation). What
is the range of the block?
 Solution
 The beginning address is 205.16.37.24. To find the last address we keep
the first 29 bits and change the last 3 bits to 1s.
Beginning: 11001101 00010000 00100101 00011000 (205.16.37.24)
Ending:    11001101 00010000 00100101 00011111 (205.16.37.31)
 There are only 8 addresses in this block.
Classless Addressing: Prefix lengths (RFC 1878)
/n   Mask          /n   Mask          /n   Mask            /n   Mask
/1   128.0.0.0     /9   255.128.0.0   /17  255.255.128.0   /25  255.255.255.128
/2   192.0.0.0     /10  255.192.0.0   /18  255.255.192.0   /26  255.255.255.192
/3   224.0.0.0     /11  255.224.0.0   /19  255.255.224.0   /27  255.255.255.224
/4   240.0.0.0     /12  255.240.0.0   /20  255.255.240.0   /28  255.255.255.240
/5   248.0.0.0     /13  255.248.0.0   /21  255.255.248.0   /29  255.255.255.248
/6   252.0.0.0     /14  255.252.0.0   /22  255.255.252.0   /30  255.255.255.252
/7   254.0.0.0     /15  255.254.0.0   /23  255.255.254.0   /31  255.255.255.254
/8   255.0.0.0     /16  255.255.0.0   /24  255.255.255.0   /32  255.255.255.255
Classless Addressing (CIDR)
Finding the Network Address:
Example
What is the network address if one of the addresses is
167.199.170.82/27?
Solution
The prefix length is 27, which means that we must keep the first
27 bits as is and change the remaining bits (5) to 0s. The 5 bits
affect only the last byte. The last byte is 01010010. Changing
the last 5 bits to 0s, we get 01000000 or 64. The network
address is 167.199.170.64/27.
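The mask and prefix arithmetic behind the supernet examples, the block-alignment rule and the two slash-notation examples above, as an added Python example (not part of the original slides). The functions do the bit operations explicitly instead of calling the standard `ipaddress` module so that each step of the worked solutions is visible. The class C default prefix used by `blocks_in_supernet` is the slides' own assumption for Example 3; all function names are this example's.

```python
"""CIDR arithmetic: mask <-> prefix, network address, block range,
block alignment and supernet membership (added example, not from the slides)."""


def ip_to_int(addr: str) -> int:
    """Dotted-quad IPv4 address -> 32-bit integer; rejects malformed input."""
    octets = addr.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {addr!r}")
    value = 0
    for o in octets:
        value = (value << 8) | int(o)
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> str:
    """/n -> dotted mask: n ones followed by 32-n zeros (the RFC 1878 table)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_ip((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def mask_to_prefix(mask: str) -> int:
    """Dotted mask -> /n; rejects non-contiguous masks such as 255.0.255.0."""
    m = ip_to_int(mask)
    prefix = 32 - (m ^ 0xFFFFFFFF).bit_length()   # count the trailing zeros
    if ip_to_int(prefix_to_mask(prefix)) != m:
        raise ValueError(f"non-contiguous mask: {mask}")
    return prefix


def network_address(addr: str, prefix: int) -> str:
    """Keep the first `prefix` bits and zero the rest
    (167.199.170.82/27 -> 167.199.170.64/27)."""
    net = ip_to_int(addr) & ip_to_int(prefix_to_mask(prefix))
    return f"{int_to_ip(net)}/{prefix}"


def block_range(cidr: str):
    """First and last address of a block given in slash notation:
    the last address has the suffix bits all set to 1."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    first = ip_to_int(network_address(addr, prefix).split("/")[0])
    last = first | (0xFFFFFFFF >> prefix)
    return int_to_ip(first), int_to_ip(last)


def is_block_start(addr: str, size: int) -> bool:
    """A classless block holds a power-of-two number of addresses and
    starts at an address divisible by that number."""
    return size > 0 and size & (size - 1) == 0 and ip_to_int(addr) % size == 0


def in_supernet(addr: str, first: str, mask: str) -> bool:
    """Example 2: AND the destination with the supernet mask and compare
    the result with the supernet's first address."""
    prefix = mask_to_prefix(mask)
    return network_address(addr, prefix) == network_address(first, prefix)


def blocks_in_supernet(mask: str, default_prefix: int = 24) -> int:
    """Example 3: number of classful blocks (class C by default) the supernet covers."""
    return 2 ** (default_prefix - mask_to_prefix(mask))
```

`mask_to_prefix` refuses masks whose 1s are not contiguous; accepting them silently is how a typo in a router or firewall configuration turns into an unintended match.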
Classless Addressing: Subnetting
 It is still OK to subnet a network utilizing classless addressing
 Simply increase the prefix length to define the subnet prefix
length.
 For example, say your initial prefix is /17
 Borrow an additional 3 bits (2^3 = 8)
 Your prefix is now /20
 You will have 8 subnets
Classless Addressing: CIDR - Subnetting
Example
 An organization is granted the block 130.34.12.64/26. The
organization needs to have four subnets. What are the subnet
addresses and the range of addresses for each subnet?
Solution (diagram on next slide):
 The suffix length is 6. This means the total number of addresses
in the block is 64 (2^6). If we create four subnets, each subnet
will have 16 addresses.
 Let us first find the subnet prefix (subnet mask). We need four
subnets, which means we need to add two more 1s to the site
prefix (2^2 = 4). The subnet prefix is then /28.
 Subnet 1: 130.34.12.64/28 to 130.34.12.79/28.
 Subnet 2: 130.34.12.80/28 to 130.34.12.95/28.
 Subnet 3: 130.34.12.96/28 to 130.34.12.111/28.
 Subnet 4: 130.34.12.112/28 to 130.34.12.127/28.
[Diagram: the block 130.34.12.64/26 divided into the four /28 subnets listed above.]
Classless Addressing: Another Example
 An ISP is granted a block of addresses starting with
190.100.0.0/16. The ISP needs to distribute these addresses to
three groups of customers as follows:
1. The first group has 64 customers; each needs 256 addresses.
2. The second group has 128 customers; each needs 128
addresses.
3. The third group has 128 customers; each needs 64 addresses.
 Design the subblocks and give the slash notation for each
subblock. Find out how many addresses are still available after
these allocations.
Classless Addressing: Another Example (Solution)
 Group 1
For this group, each customer needs 256 addresses. This means
the suffix length is 8 (2^8 = 256). The prefix length is then 32 - 8
= 24.
01: 190.100.0.0/24 to 190.100.0.255/24
02: 190.100.1.0/24 to 190.100.1.255/24
…
64: 190.100.63.0/24 to 190.100.63.255/24
Total = 64 × 256 = 16,384
Classless Addressing: Another Example (Solution)
 Group 2
For this group, each customer needs 128 addresses. This means
the suffix length is 7 (2^7 = 128). The prefix length is then 32 - 7
= 25. The addresses are:
001: 190.100.64.0/25 to 190.100.64.127/25
002: 190.100.64.128/25 to 190.100.64.255/25
…
128: 190.100.127.128/25 to 190.100.127.255/25
Total = 128 × 128 = 16,384
Classless Addressing: Another Example (Solution)
 Group 3
For this group, each customer needs 64 addresses. This means
the suffix length is 6 (2^6 = 64). The prefix length is then 32 - 6 =
26.
001: 190.100.128.0/26 to 190.100.128.63/26
002: 190.100.128.64/26 to 190.100.128.127/26
…
128: 190.100.159.192/26 to 190.100.159.255/26
Total = 128 × 64 = 8,192
 Addresses still available: the block holds 2^16 = 65,536 addresses and
16,384 + 16,384 + 8,192 = 40,960 have been allocated, so 65,536 - 40,960 =
24,576 addresses (190.100.160.0 to 190.100.255.255) remain.
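The ISP allocation above, as an added Python example (not from the slides): a small allocator that carves a block into consecutive, aligned sub-blocks for each customer group, enforces the power-of-two and divisibility rules from the classless-addressing slides, and summarises what is left as CIDR blocks. It uses the standard `ipaddress` module; the group sizes are the slide's, the function and variable names are this example's own.

```python
"""Classless sub-block allocation (added example, not from the slides)."""
import ipaddress


def allocate_subblocks(block: str, groups):
    """Carve `block` into consecutive, aligned sub-blocks.

    groups: iterable of (customers, addresses_per_customer), served in order.
    Returns (plan, free_blocks, free_count): plan[i] lists the CIDR strings
    handed to group i; free_blocks summarises what is left as CIDR blocks.
    Gaps skipped to satisfy alignment are not reclaimed."""
    net = ipaddress.IPv4Network(block)        # strict: raises if host bits are set
    start = int(net.network_address)
    end = start + net.num_addresses           # one past the last address
    cursor = start
    plan = []
    for customers, size in groups:
        if size <= 0 or size & (size - 1):
            raise ValueError(f"{size} addresses is not a power of two")
        prefix = 32 - (size.bit_length() - 1)
        cursor = -(-cursor // size) * size    # beginning address must be divisible by size
        cidrs = []
        for _ in range(customers):
            if cursor + size > end:
                raise ValueError("address block exhausted")
            cidrs.append(f"{ipaddress.IPv4Address(cursor)}/{prefix}")
            cursor += size
        plan.append(cidrs)
    free_blocks = []
    if cursor < end:
        free_blocks = [str(n) for n in ipaddress.summarize_address_range(
            ipaddress.IPv4Address(cursor), ipaddress.IPv4Address(end - 1))]
    return plan, free_blocks, end - cursor


if __name__ == "__main__":
    plan, free_blocks, free_count = allocate_subblocks(
        "190.100.0.0/16", [(64, 256), (128, 128), (128, 64)])
    for i, cidrs in enumerate(plan, 1):
        print(f"group {i}: {cidrs[0]} ... {cidrs[-1]} ({len(cidrs)} blocks)")
    print("free:", free_blocks, free_count)
```

Serving the groups from largest to smallest block size, as the slide does, is what keeps the allocation gap-free; reversing the order would leave alignment holes that this allocator does not reclaim.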
Additional Routing Concerns
 Classless routing tables are usually stored in a hierarchical data
structure called a binary trie
 A tree with paths determined by the data stored
 A unique prefix identifies each data item
 Example:
Binary Trie Structure
 Interior nodes (circles) correspond to two or more prefixes
 Leaf nodes (squares) correspond to a unique prefix and contain
an address and mask
Binary Trie Structure (cont)
 A search for the address:
10010010 11110000 00000000 00000001
 A search for the address:
10110111 11110000 00000000 00000001
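A binary trie with longest-prefix-match lookup, as an added Python example that is not part of the slides. The slides' figure is not on this page, so the routing table below is constructed for illustration and the next-hop names (`default`, `R1`..`R4`) are this example's own; the two lookups use the addresses of the slide's searches (10010010 11110000 00000000 00000001 = 146.240.0.1 and 10110111 11110000 00000000 00000001 = 183.240.0.1).

```python
"""Binary trie for classless routing lookups (added example, not from the slides)."""
import ipaddress


class _Node:
    __slots__ = ("child", "route")

    def __init__(self):
        self.child = [None, None]   # next node for bit 0 / bit 1
        self.route = None           # (prefix, next_hop) if a prefix ends here


class PrefixTrie:
    """Interior nodes are shared by all prefixes that start with the same bits;
    a node whose `route` is set marks the end of one prefix."""

    def __init__(self):
        self.root = _Node()

    @staticmethod
    def _bits(addr: str, count: int):
        value = int(ipaddress.IPv4Address(addr))
        return ((value >> (31 - i)) & 1 for i in range(count))

    def insert(self, cidr: str, next_hop: str) -> None:
        net = ipaddress.IPv4Network(cidr)   # strict: rejects host bits set in the prefix
        node = self.root
        for bit in self._bits(str(net.network_address), net.prefixlen):
            if node.child[bit] is None:
                node.child[bit] = _Node()
            node = node.child[bit]
        node.route = (str(net), next_hop)

    def lookup(self, addr: str):
        """Walk the 32 address bits and remember the deepest node holding a
        route; that is the longest matching prefix. None if nothing matches."""
        node = self.root
        best = node.route                   # a /0 default route lives at the root
        for bit in self._bits(addr, 32):
            node = node.child[bit]
            if node is None:
                break
            if node.route is not None:
                best = node.route
        return best


def build_example_table() -> PrefixTrie:
    """Constructed table: the slide's figure is not on the page."""
    trie = PrefixTrie()
    for cidr, hop in (("0.0.0.0/0", "default"), ("144.0.0.0/4", "R1"),
                      ("146.240.0.0/12", "R2"), ("176.0.0.0/4", "R3"),
                      ("183.240.0.0/13", "R4")):
        trie.insert(cidr, hop)
    return trie


if __name__ == "__main__":
    table = build_example_table()
    for addr in ("146.240.0.1", "183.240.0.1", "146.200.0.1", "10.0.0.1"):
        print(addr, "->", table.lookup(addr))
```

Because the walk never stops at the first match, a more specific prefix inserted after a shorter one still wins, which is the behaviour a forwarding table needs (and the reason a leaked /24 can hijack traffic covered by a legitimate /16).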
Overview
[Diagram: the TCP/IP protocol stack. Transport layer: TCP, UDP. Network layer: IP, ICMP, IGMP. Link layer: ARP, RARP, network access, media.]
ARP and RARP
 Note:
 The Internet is based on IP addresses
 Data link protocols (Ethernet, FDDI, ATM) may have different (MAC)
addresses
 The ARP and RARP protocols perform the translation between IP
addresses and MAC layer addresses
[Diagram: ARP maps a 32-bit IP address to a 48-bit Ethernet MAC address; RARP maps a 48-bit MAC address back to a 32-bit IP address.]
Address Translation with ARP
ARP Request:
Argon broadcasts an ARP request to all stations on the network:
"What is the hardware address of Router137?"
[Diagram: Argon (128.143.137.144, MAC 00:a0:24:71:e4:44) broadcasts "ARP Request: What is the MAC address of 128.143.137.1?"; Router137 is 128.143.137.1, MAC 00:e0:f9:23:a8:20.]
Address Translation with ARP
ARP Reply:
Router137 responds with an ARP Reply which contains the hardware address.
[Diagram: Router137 (128.143.137.1, MAC 00:e0:f9:23:a8:20) replies to Argon (128.143.137.144, MAC 00:a0:24:71:e4:44): "ARP Reply: The MAC address of 128.143.137.1 is 00:e0:f9:23:a8:20".]
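The request/reply exchange between Argon and Router137, encoded and decoded at the wire level, as an added Python example (not part of the original slides). The field layout is RFC 826 ARP over Ethernet; the addresses are the slide's, the function names are this example's own. `parse_arp` also records whether the Ethernet source address matches the sender hardware address inside the ARP body: a mismatch is one cheap indicator of a forged reply, and `answer_request` only answers for its own address, which is what distinguishes a normal host from a proxy-ARP router.

```python
"""ARP request/reply on Ethernet (added example, not from the slides)."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    b = bytes(int(x, 16) for x in mac.split(":"))
    if len(b) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return b


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    b = bytes(int(x) for x in ip.split("."))
    if len(b) != 4:
        raise ValueError(f"bad IPv4 address: {ip}")
    return b


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """14-byte Ethernet header + 28-byte ARP body
    (htype=1 Ethernet, ptype=0x0800 IPv4, hlen=6, plen=4)."""
    dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac   # requests are broadcast
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    body = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_bytes(sender_mac) + ip_bytes(sender_ip)
            + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + body


def parse_arp(frame: bytes) -> dict:
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return {
        "dst": mac_str(dst), "src": mac_str(src), "op": op,
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
        # The sender hardware address should equal the Ethernet source;
        # a mismatch is a cheap indicator of a spoofed ARP packet.
        "eth_src_matches": src == sha,
    }


def answer_request(frame: bytes, my_ip: str, my_mac: str):
    """What Router137 does with Argon's broadcast: reply only if the request
    asks for its own IP address, otherwise stay silent."""
    req = parse_arp(frame)
    if req["op"] != ARP_REQUEST or req["target_ip"] != my_ip:
        return None
    return build_arp(ARP_REPLY, my_mac, my_ip, req["sender_mac"], req["sender_ip"])
```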
ARP Cache
 Since sending an ARP request/reply for each IP datagram is
inefficient, hosts maintain a cache (ARP Cache) of current
entries. The entries expire after 20 minutes.
 Contents of the ARP cache (one entry per line: IP address, MAC address, interface):
(128.143.71.37) at 00:10:4B:C5:D1:15 [ether] on eth0
(128.143.71.36) at 00:B0:D0:E1:17:D5 [ether] on eth0
(128.143.71.35) at 00:B0:D0:DE:70:E6 [ether] on eth0
(128.143.136.90) at 00:05:3C:06:27:35 [ether] on eth1
(128.143.71.34) at 00:B0:D0:E1:17:DB [ether] on eth0
(128.143.71.33) at 00:B0:D0:E1:17:DF [ether] on eth0
Things to know about ARP
 What happens if an ARP Request is made for a non-existing
host?
 Several ARP requests are made with increasing time intervals between
requests. Eventually, ARP gives up.
 What if a host sends an ARP request for its own IP address (a gratuitous ARP)?
 Normally nobody answers. If another machine replies, that machine already holds
the address.
 This is useful for detecting if an IP address has already been assigned
(duplicate-address detection).
Proxy ARP
 Used to support subnetting while hiding the presence of subnets
from unsubnetted portions of the network.
 Hack for better address space utilization
 Also called "promiscuous ARP" or "ARP hack"
 Hosts on multiple subnets use same subnet address {“virtual
subnet”} => assume direct connectivity through LAN
 Sometimes used to conserve bandwidth over WAN links
 Problem: both router interface and hidden hosts will have same
LAN address in the ARP cache
 Considered security hazard
 With Proxy ARP, the router responds to a request by giving out
the actual MAC address of another node. This can only be done
between subnets.
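An added Python example, not from the slides, serving both the ARP cache listing above and the proxy-ARP hazard just described. It parses `arp`-style cache lines (the six `eth0`/`eth1` entries are the slide's; the two `eth2` entries are constructed to show what Argon's cache looks like once Router137 answers for Neon), reports MAC addresses that answer for more than one IP address, which is exactly the proxy-ARP signature and also what ARP spoofing looks like from the victim's side, and diffs two snapshots to catch an IP address whose MAC has changed.

```python
"""ARP cache inspection (added example, not from the slides)."""
import re
from collections import defaultdict

# The first six lines are the slide's cache; the two eth2 lines are constructed:
# Router137's interface and the hidden host Neon share the router's MAC.
ARP_CACHE = """\
(128.143.71.37) at 00:10:4B:C5:D1:15 [ether] on eth0
(128.143.71.36) at 00:B0:D0:E1:17:D5 [ether] on eth0
(128.143.71.35) at 00:B0:D0:DE:70:E6 [ether] on eth0
(128.143.136.90) at 00:05:3C:06:27:35 [ether] on eth1
(128.143.71.34) at 00:B0:D0:E1:17:DB [ether] on eth0
(128.143.71.33) at 00:B0:D0:E1:17:DF [ether] on eth0
(128.143.137.1) at 00:e0:f9:23:a8:20 [ether] on eth2
(128.143.71.21) at 00:e0:f9:23:a8:20 [ether] on eth2
"""

ENTRY = re.compile(
    r"\((?P<ip>(?:\d{1,3}\.){3}\d{1,3})\)\s+at\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+\[ether\]\s+on\s+(?P<dev>\S+)")


def parse_arp_cache(text: str):
    """One dict per well-formed entry; MAC addresses are normalised to lower case."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.search(line)
        if m:
            entries.append({"ip": m["ip"], "mac": m["mac"].lower(), "dev": m["dev"]})
    return entries


def shared_macs(entries):
    """MAC addresses that answer for more than one IP address.
    Expected behind a proxy-ARP router; otherwise a spoofing indicator."""
    by_mac = defaultdict(set)
    for e in entries:
        by_mac[e["mac"]].add(e["ip"])
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def mac_changes(before, after):
    """IP addresses whose MAC differs between two snapshots of the cache,
    as (ip, old_mac, new_mac). A gateway changing MAC deserves a look."""
    old = {e["ip"]: e["mac"] for e in before}
    return [(e["ip"], old[e["ip"]], e["mac"])
            for e in after if e["ip"] in old and old[e["ip"]] != e["mac"]]


if __name__ == "__main__":
    cache = parse_arp_cache(ARP_CACHE)
    print("MACs answering for several IPs:", shared_macs(cache))
```

On a segment where proxy ARP is not expected, the same check flags a classic man-in-the-middle: one attacker MAC appearing as both the gateway and a victim host.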
Proxy ARP
 Proxy ARP: Host or router responds to ARP Request that
arrives from one of its connected networks for a host that is on
another of its connected networks.
[Diagram: Argon (128.143.137.144/24) and Router137's interface 128.143.137.1/24 (MAC 00:e0:f9:23:a8:20) on subnet 128.143.137.0/24; Router137's other interface 128.143.71.1/24 and Neon (128.143.71.21/24, MAC 00:20:af:03:98:28) on subnet 128.143.71.0/24.
ARP Request from Argon: What is the MAC address of 128.143.71.21?
ARP Reply from Router137: The MAC address of 128.143.71.21 is 00:e0:f9:23:a8:20 (the router's own interface address, not Neon's).]
Dynamic Host Configuration Protocol (DHCP)
 The most common approach for dynamically assigning IP
addresses is DHCP (Dynamic Host Configuration Protocol)
 Each DHCP server has a range of IP addresses that can be
assigned and maintains a list of currently assigned and currently
unassigned IP addresses
 DHCP client software enables a network host/node to request an
IP address from a DHCP server when it comes online
 When the client goes offline, it notifies the DHCP server that it is
releasing the IP address. Once released, the IP address is placed
on the DHCP server’s assignable address list
[Figure-only slide: Introducing DHCP]
BOOTP and DHCP differences
There are two primary differences between DHCP and BOOTP:
 DHCP defines mechanisms through which clients can be
assigned an IP address for a finite lease period.
 This lease period allows for reassignment of the IP address to another
client later, or for the client to get another assignment, if the client moves
to another subnet.
 Clients may also renew leases and keep the same IP address.
 DHCP provides the mechanism for a client to gather other IP
configuration parameters, such as WINS and domain name.
[Figure-only slides: Major DHCP features; DHCP Operation]
DHCP Relay
 DHCP clients use IP broadcasts to find the DHCP server on the
segment.
 What happens when the server and the client are not on the
same segment and are separated by a router?
 Routers do not forward these broadcasts.
DHCP Forwarding
 Client issues address requests to the MAC and IP broadcast
addresses
 Routers do not forward broadcasts
 Routers can be configured to do DHCP forwarding
 Router becomes a DHCP relay agent
 Sources the client's broadcast request as its own unicast packet and forwards it to the server
 The IP packet's TTL field limits the extent of address traffic
 The server responds to the client's default router (the relay agent)
 The router responds to the client
[Diagram: a local DHCP server on the client's segment, a router configured as DHCP relay agent, and a remote DHCP server reached through the relay.]
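The relay-agent behaviour described above, as an added Python example that is not part of the original slides: it builds a DHCPDISCOVER, has a relay agent fill in `giaddr` and bump the hop count before forwarding the request as unicast, has the server answer to `giaddr`, and has the relay hand the offer back to the client. The message layout follows RFC 2131; the hop-count threshold `MAX_HOPS = 4`, the addresses and the function names are this example's assumptions.

```python
"""DHCP relay agent handling (added example, not from the slides)."""
import struct
import ipaddress

BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed header
BOOTP_LEN = struct.calcsize(BOOTP_FMT)      # 236 bytes
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BROADCAST_FLAG = 0x8000
MAX_HOPS = 4   # assumed relay threshold; RFC 1542 makes it configurable, 16 is the hard limit


def build_discover(xid: int, client_mac: str) -> bytes:
    """Client request: ciaddr/yiaddr/siaddr/giaddr all zero, broadcast flag set."""
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\0")
    zero = b"\0" * 4
    header = struct.pack(BOOTP_FMT, BOOTREQUEST, 1, 6, 0, xid, 0, BROADCAST_FLAG,
                         zero, zero, zero, zero, chaddr, b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, DHCPDISCOVER, 255])   # option 53 = message type; 255 = end
    return header + MAGIC_COOKIE + options


def parse(pkt: bytes) -> dict:
    if len(pkt) < BOOTP_LEN + 4 or pkt[BOOTP_LEN:BOOTP_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    names = ("op", "htype", "hlen", "hops", "xid", "secs", "flags",
             "ciaddr", "yiaddr", "siaddr", "giaddr", "chaddr", "sname", "file")
    d = dict(zip(names, struct.unpack(BOOTP_FMT, pkt[:BOOTP_LEN])))
    for k in ("ciaddr", "yiaddr", "siaddr", "giaddr"):
        d[k] = str(ipaddress.IPv4Address(d[k]))
    return d


def relay_to_server(pkt: bytes, relay_ip: str):
    """Relay agent, client side: the broadcast comes in, a unicast goes out.
    Only the first relay sets giaddr; every relay increments hops and drops
    requests that have already travelled too far (loop protection)."""
    d = parse(pkt)
    if d["op"] != BOOTREQUEST or d["hops"] >= MAX_HOPS:
        return None
    out = bytearray(pkt)
    out[3] = d["hops"] + 1                                   # hops field
    if d["giaddr"] == "0.0.0.0":
        out[24:28] = ipaddress.IPv4Address(relay_ip).packed  # giaddr field
    return bytes(out)


def server_reply(request: bytes, offered_ip: str, server_ip: str):
    """Server: answer to giaddr when set (the relay), else broadcast locally.
    Returns (offer, destination_ip)."""
    d = parse(request)
    out = bytearray(request[:BOOTP_LEN])
    out[0] = BOOTREPLY
    out[16:20] = ipaddress.IPv4Address(offered_ip).packed   # yiaddr
    out[20:24] = ipaddress.IPv4Address(server_ip).packed    # siaddr
    reply = bytes(out) + MAGIC_COOKIE + bytes([53, 1, DHCPOFFER, 255])
    dest = d["giaddr"] if d["giaddr"] != "0.0.0.0" else "255.255.255.255"
    return reply, dest


def relay_to_client(reply: bytes, relay_ip: str):
    """Relay agent, server side: accept only replies addressed to this relay's
    giaddr, then deliver on the client's segment. Returns (reply, destination_ip)."""
    d = parse(reply)
    if d["op"] != BOOTREPLY or d["giaddr"] != relay_ip:
        return None
    dest = "255.255.255.255" if d["flags"] & BROADCAST_FLAG else d["yiaddr"]
    return reply, dest
```

The `giaddr` check in `relay_to_client` is the relay's only way to tell its own replies from stray ones; a relay that forwards any BOOTREPLY it sees becomes a convenient amplifier for a rogue server.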
VLAN introduction
 VLANs provide segmentation based on broadcast domains.
 VLANs logically segment switched networks based on the functions,
project teams, or applications of the organization regardless of the
physical location or connections to the network.
 All workstations and servers used by a particular workgroup share the
same VLAN, regardless of the physical connection or location.
Broadcast domains with VLANs and routers
 A VLAN is a broadcast domain created by one or more switches.
 The network design above creates three separate broadcast domains.
Broadcast domains with VLANs and routers
 1) No VLANs, or in other words, one VLAN. Single IP network (10.0.0.0/8).
 2) With subnetting. Each group (switch) is on a different IP network (10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16).
 3) Using VLANs. The switch is configured with the ports on the appropriate VLAN (10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16); the router is reached by one link per VLAN or a single VLAN trunk (later).
 What are the broadcast domains in each?
VLAN operation
 Each switch port can be assigned to a different VLAN.
 Ports assigned to the same VLAN share broadcasts.
 Ports that do not belong to that VLAN do not share these broadcasts.
VLAN operation
 Static membership VLANs are called port-based and port-centric
membership VLANs.
 As a device enters the network, it automatically assumes the
VLAN membership of the port to which it is attached.
 “The default VLAN for every port in the switch is the
management VLAN. The management VLAN is always VLAN 1
and may not be deleted.”
 All other ports on the switch may be reassigned to alternate
VLANs.
 More on VLAN 1 later.
VLAN operation
[Diagram: Switch 1 with two VLANs and two subnets. Port-to-VLAN assignment: port 1 → VLAN 1, port 2 → VLAN 2, port 3 → VLAN 1, port 4 → VLAN 2, port 5 → VLAN 2, port 6 → VLAN 1. Hosts 172.30.1.21/24 and 172.30.1.23/24 are in VLAN 1; hosts 172.30.2.12/24 and 172.30.2.10/24 are in VLAN 2.]
Important notes on VLANs:
1. VLANs are assigned on the switch port. There is no "VLAN" assignment done on the host (usually).
2. In order for a host to be a part of that VLAN, it must be assigned an IP address that belongs to the proper subnet.
Remember: VLAN = Subnet
VLAN operation
 Dynamic membership VLANs are created through network management
software. (Not as common as static VLANs)
 Dynamic VLANs allow for membership based on the MAC address of the device
connected to the switch port.
 As a device enters the network, it queries a database within the switch for a
VLAN membership.
Benefits of VLANs
 The key benefit of VLANs is that they permit the network administrator
to organize the LAN logically instead of physically.
 Note: Can be done without VLANs, but VLANs limit the broadcast domains.
 This means that an administrator is able to do all of the following:
 Easily move workstations on the LAN.
 Easily add workstations to the LAN.
 Easily change the LAN configuration.
 Easily control network traffic.
 Improve security.
 If a hub is connected to a VLAN port on a switch, all devices on that hub
must belong to the same VLAN.
Without VLANs – No Broadcast Control
[Diagram: Switch 1 with hosts 172.30.1.21/24, 172.30.2.12/24, 172.30.2.10/24 and 172.30.1.23/24. No VLANs (same as a single VLAN), two subnets. An ARP Request from one host is flooded to every port.]
• Without VLANs, the ARP Request would be seen by all hosts.
• Again, consuming unnecessary network bandwidth and host processing cycles.
With VLANs – Broadcast Control
[Diagram: Switch 1, switch port → VLAN ID: port 1 → VLAN 1, port 2 → VLAN 2, port 3 → VLAN 1, port 4 → VLAN 2, port 5 → VLAN 2, port 6 → VLAN 1. Hosts 172.30.1.21/24 and 172.30.1.23/24 in VLAN 1; hosts 172.30.2.12/24 and 172.30.2.10/24 in VLAN 2. Two VLANs, two subnets. The ARP Request is flooded only to the ports of the sender's VLAN.]
MAC address Based VLANs
 Rarely implemented.
VLAN Tagging
 VLAN Tagging is used when a link needs to carry traffic for more than one VLAN.
 Trunk link: As packets are received by the switch from any attached end-station device, a
unique packet identifier is added within each header.
 This header information designates the VLAN membership of each packet.
 The packet is then forwarded to the appropriate switches or routers based on the VLAN
identifier and MAC address.
 Upon reaching the destination node (Switch) the VLAN ID is removed from the packet by
the adjacent switch and forwarded to the attached device.
 Packet tagging provides a mechanism for controlling the flow of broadcasts and
applications while not interfering with the network and applications.
 This is known as a trunk link or VLAN trunking.
VLAN Tagging
[Diagram: two switches connected without VLAN tagging need one link per VLAN; with VLAN tagging a single trunk link carries traffic for more than one VLAN.]
VLAN Tagging
 There are two major methods of frame tagging, Cisco
proprietary Inter-Switch Link (ISL) and IEEE 802.1Q.
 ISL used to be the most common, but is now being replaced by
802.1Q frame tagging.
 Cisco recommends using 802.1Q.
The 802.1Q tag is 4 bytes inserted between the source MAC address and the EtherType/length field:
 Tag Protocol Identifier (TPID): a 16-bit field set to a value of 0x8100 in order to identify the frame as an IEEE 802.1Q-tagged frame.
 Priority Code Point (PCP): a 3-bit field which refers to the IEEE 802.1p priority.
 Canonical Format Indicator (CFI): a 1-bit field. If the value of this field is 1, the MAC address is in non-canonical format. If the value is 0, the MAC address is in canonical format. It is always set to zero for Ethernet switches. CFI is used for compatibility between Ethernet and Token Ring networks.
 VLAN Identifier (VID): a 12-bit field specifying the VLAN to which the frame belongs. A value of 0 means that the frame doesn't belong to any VLAN; in this case the 802.1Q tag specifies only a priority and is referred to as a priority tag. All other values may be used as VLAN identifiers, allowing up to 4094 VLANs. On bridges, VLAN 1 is often reserved for management.
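The tag layout above, as an added Python example (not from the slides): building and parsing the 4-byte 802.1Q tag, inserting it into and stripping it from an Ethernet frame, plus a small ingress model of access and trunk ports. The port policy in `classify_ingress` (tagged frames dropped on access ports, untagged frames on a trunk mapped to the native VLAN) is this example's own assumption, included to show why a host must not be able to pick its VLAN by tagging its own frames; the VID rules (0 = priority tag, 4095 reserved) are from the standard. The sample frame is constructed.

```python
"""IEEE 802.1Q tag handling (added example, not from the slides)."""
import struct

TPID_8021Q = 0x8100


def build_tci(vid: int, pcp: int = 0, dei: int = 0) -> int:
    """Pack PCP (3 bits), DEI/CFI (1 bit) and VID (12 bits) into the 16-bit TCI."""
    if not 0 <= pcp <= 7:
        raise ValueError("PCP must be 0..7")
    if dei not in (0, 1):
        raise ValueError("DEI/CFI must be 0 or 1")
    if not 0 <= vid <= 4094:
        raise ValueError("VID must be 0..4094 (4095 is reserved)")
    return (pcp << 13) | (dei << 12) | vid


def parse_tag(frame: bytes):
    """Return the tag fields of an 802.1Q frame, or None if the frame is untagged."""
    if len(frame) < 16:
        raise ValueError("frame too short")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    vid = tci & 0x0FFF
    return {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": vid, "priority_tag": vid == 0}


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the tag after the 12 bytes of destination + source MAC."""
    if parse_tag(frame) is not None:
        raise ValueError("frame already carries an 802.1Q tag")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, build_tci(vid, pcp, dei)) + frame[12:]


def untag_frame(frame: bytes) -> bytes:
    """What the switch does before delivering the frame to an end station."""
    if parse_tag(frame) is None:
        raise ValueError("frame is not 802.1Q tagged")
    return frame[:12] + frame[16:]


def classify_ingress(frame: bytes, port: dict):
    """Assumed port policy (this example's model, not any vendor's):
    access port: untagged -> PVID; a VLAN-tagged frame is dropped (None)
    trunk port: tagged with an allowed VID -> that VID; untagged or
    priority-tagged -> native VID; any other VID dropped (None)."""
    tag = parse_tag(frame)
    vlan_tagged = tag is not None and not tag["priority_tag"]
    if port["mode"] == "access":
        return None if vlan_tagged else port["pvid"]
    if not vlan_tagged:
        return port["native"]
    return tag["vid"] if tag["vid"] in port["allowed"] else None


# Constructed sample: Router137 -> Argon, EtherType IPv4, 20 bytes of payload.
SAMPLE_UNTAGGED = bytes.fromhex("00e0f923a820" "00a02471e444" "0800") + b"\x45" + b"\x00" * 19
```

The access-port rule is the one that matters for VLAN hopping: a host that can inject a tagged frame and have the switch honour the VID has chosen its own broadcast domain, so tagged frames from end stations should be dropped, not classified.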
GVRP: GARP VLAN Registration Protocol
 The GARP VLAN Registration Protocol (GVRP) is an application of the
Generic Attribute Registration Protocol (GARP) that provides
802.1Q-compliant VLAN pruning and dynamic VLAN creation on 802.1Q trunk ports.
 With GVRP, the switch can exchange VLAN configuration
information with other GVRP switches, prune unnecessary
broadcast and unknown unicast traffic, and dynamically create
and manage VLANs on switches connected through 802.1Q
trunk ports.
 With GVRP, a single switch is manually configured with all the desired
VLANs for the network, and all other switches on the network learn those
VLANs dynamically.
 GVRP prunes trunk links so that only active VLANs will be sent
across trunk connections.
 GVRP expects to hear join messages from the switches before it
will add a VLAN to the trunk. GVRP can be configured to
dynamically add and manage VLANs in the VLAN database for
trunking purposes.
Configuring Virtual LANs in a commercial switch
[Screenshots of the switch's management interface: general configuration: status (three screens); general configuration: diagnostic; general configuration: configuration (three screens); general configuration: configuration - VLAN (four screens).]
What is a VPN?
 VPN Stands for Virtual Private Network
 A method of ensuring private, secure communication between
hosts over an insecure medium using tunneling
 Usually between geographically separate locations, but doesn’t
have to be
 Via tunneling and software drivers, computer is logically directly
connected to a network that it is not physically a part of
What is a VPN? (cont…)
 Uses some means of encryption to secure communications
 Two main types of VPNs:
 Remote-Access: The typical example of this is a dial-up connection from
home or for a mobile worker, who needs to connect to secure materials
remotely.
 Site-to-Site: The typical example of this is a company that has offices in
two different geographical locations, and wants to have a secure network
connection between the two.
[Diagram: remote access: a mobile user and a home user each reach the VPN-enabled gateway of Network A over a VPN across the Internet; site-to-site: the VPN-enabled gateways of Network A and Network B are joined by a VPN across the Internet.]
VPN a more formal definition
 Virtual Private Network (VPN) is defined as network connectivity
deployed on a shared infrastructure with the same policies and
security as a private network.
 A VPN is an alternative WAN infrastructure that replaces or
augments existing private networks that use leased-line or
enterprise-owned Frame Relay or ATM networks.
 VPNs provide three critical functions:
 Confidentiality (encryption) – The sender can encrypt the packets before
transmitting them across a network.
 By doing so, no one can access the communication without permission.
 If intercepted, the communications cannot be read.
 Data integrity – The receiver can verify that the data was transmitted
through the Internet without being altered.
 Origin authentication – The receiver can authenticate the source of the
packet, guaranteeing and certifying the source of the information.
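The three functions just listed (confidentiality, data integrity, origin authentication), plus anti-replay, in a small encrypt-then-MAC tunnel, as an added Python example that is not from the slides. It uses only the standard library: HMAC-SHA256 supplies integrity and origin authentication and, run in counter mode, an illustrative keystream that stands in for the block cipher (such as AES) a real IPsec ESP implementation would use. The keys, the sequence-number layout, the 16-byte tag and the 64-packet replay window are this example's assumptions; key negotiation (IKE) is out of scope.

```python
"""Encrypt-then-MAC tunnel with anti-replay (added example, not from the slides)."""
import hmac
import hashlib
import struct

SEQ_LEN = 8      # sequence number sent in clear, like the ESP sequence field
TAG_LEN = 16     # truncated HMAC-SHA256 (ESP's HMAC-SHA-256-128 does the same)


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    """PRF in counter mode: HMAC-SHA256(key, seq || counter). Illustrative
    stand-in for AES; the per-packet seq keeps keystreams from repeating."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack("!QI", seq, counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class TunnelError(ValueError):
    pass


class Tunnel:
    """One endpoint; both ends share enc_key and auth_key."""

    def __init__(self, enc_key: bytes, auth_key: bytes, window: int = 64):
        self.enc_key, self.auth_key, self.window = enc_key, auth_key, window
        self.send_seq = 0      # last sequence number sent
        self.highest = 0       # highest sequence number accepted
        self.seen = set()      # accepted sequence numbers still inside the window

    def encapsulate(self, inner: bytes) -> bytes:
        """seq || ciphertext(inner) || HMAC(seq || ciphertext)"""
        self.send_seq += 1
        header = struct.pack("!Q", self.send_seq)
        ct = _xor(inner, _keystream(self.enc_key, self.send_seq, len(inner)))   # confidentiality
        tag = hmac.new(self.auth_key, header + ct, hashlib.sha256).digest()[:TAG_LEN]
        return header + ct + tag

    def decapsulate(self, pkt: bytes) -> bytes:
        if len(pkt) < SEQ_LEN + TAG_LEN:
            raise TunnelError("packet too short")
        header, ct, tag = pkt[:SEQ_LEN], pkt[SEQ_LEN:-TAG_LEN], pkt[-TAG_LEN:]
        expected = hmac.new(self.auth_key, header + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):          # integrity + origin authentication
            raise TunnelError("authentication failed")
        seq = struct.unpack("!Q", header)[0]
        if seq in self.seen or seq + self.window <= self.highest:
            raise TunnelError("replayed packet")
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s + self.window > self.highest}
        return _xor(ct, _keystream(self.enc_key, seq, len(ct)))


def demo() -> dict:
    """Site A sends one inner datagram to site B; then B sees it replayed and tampered."""
    enc_key, auth_key = b"K" * 32, b"A" * 32          # constructed keys; IKE would negotiate real ones
    site_a, site_b = Tunnel(enc_key, auth_key), Tunnel(enc_key, auth_key)
    inner = b"\x45\x00\x00\x1c" + b"inner IP datagram..."   # constructed payload
    pkt = site_a.encapsulate(inner)
    results = {"hidden": inner not in pkt, "delivered": site_b.decapsulate(pkt) == inner}
    tampered = pkt[:10] + bytes([pkt[10] ^ 1]) + pkt[11:]
    for name, bad in (("replay", pkt), ("tamper", tampered)):
        try:
            site_b.decapsulate(bad)
            results[name] = "accepted"
        except TunnelError as err:
            results[name] = str(err)
    return results
```

The order of the checks is deliberate: the tag is verified before the sequence number is even parsed, so an attacker cannot use the replay window to learn anything about packets they did not authenticate.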
VPN Tunnelling
Encapsulation
 VPNs are created by establishing virtual circuits between
endpoints across the Internet
 Tunnel defined by two endpoints that communicate with each
other via an encapsulation protocol
 Data from one protocol becomes payload of encapsulation protocol
 Encapsulated payload encrypted and can be digitally signed
 Three VPN protocols are used for tunnelling:
 PPTP (Point-to-Point Tunnelling Protocol)
 L2TP (Layer 2 Tunnelling Protocol)
 IPSec (Internet Protocol Security)
 Tunnelling by itself has nothing to do with encryption! (PPTP and L2TP only
encapsulate; IPSec adds encryption and authentication.)
 Encrypted data is encapsulated in an additional protocol
 Forms a protected pipe between the endpoints
 TCP and IP headers are included in the encrypted payload, so an eavesdropper
cannot read the inner addresses and ports
 Only the IP addresses of the tunnel endpoints are required to route packets
VPN Tunnelling
Protocols - PPTP
 PPTP tunnelling uses two packet types
 Control Packets
 Strictly for status enquiry and signalling information
 Uses TCP (Connection-oriented)
 Data Packets
 Uses PPP carried in an enhanced version of GRE (RFC 2637)
 GRE gives PPTP the flexibility of handling protocols other than IP, such as
NetBEUI and IPX.
 Developed by Microsoft, 3Com, US Robotics & Ascend
Communications, ECI Telematics
 Standard with Win95, Win98, Me, WinNT and Win2K
PPTP data packet: Media Header | IP Header | GRE Header | PPP Header | PPP Payload
VPN Tunnelling
Protocols – L2TP
 Like PPTP, L2TP is strictly a tunnelling Protocol
 L2TP is a standards based combination of two proprietary Layer
2 tunnel protocols
 Cisco’s Layer 2 Forwarding (L2F)
 PPTP
 L2TP combines the control and data channels.
 L2TP runs over UDP
 Faster and Leaner
 L2TP is more “Firewall Friendly” than PPTP since you do not have to support
GRE.
 Vendors not implementing Encryption or Authentication with
L2TP
L2TP data packet: IP Header | UDP Header | L2TP Header | PPP | IP Header | User Data
VPN Tunnelling
Protocols – IPSec
 Open, Standards based, Network layer security protocol.
 Aimed at protecting IP Datagrams
 Robust mechanisms for Authentication and Encryption
 Can protect the whole datagram (tunnel mode) or just the upper-layer
protocol (transport mode)
[Diagram: where each protocol sits in the stack. Transport layer: transport protocols (TCP, UDP). Network layer: routing through the network (IP); IPSec operates here. Link layer: link protocols; L2TP and PPTP operate here. Physical layer: physical infrastructure.]
VPN Tunneling in a University Campus Environment
[Diagram: the main campus, library and student dormitory WLANs are placed on the DMZ of a SuperStack 3 Firewall; a RADIUS server (EAP-MD5) authenticates wireless users.]
 IPSec and L2TP/IPSec VPN tunneling capability over the current WLAN network
 The wireless client gets authenticated through a server (RAS, RADIUS, VPN termination box)
 Support for campus-wide Layer 3 RADIUS authentication for controlling network access
 Support for WEP as well as VPN pass-through, based on the customers' requirements
Enterprise VPN
Wireless Security …
[Diagram: wireless clients are required to create a VPN in order to access the secured LAN. A SuperStack 3 Firewall (Internet security) sits between the Internet/WAN and the LAN; a second SuperStack 3 Firewall (wireless security) separates the wireless DMZ from the secured wired LAN (employees only). Guest servers on the DMZ: wireless visitors do not need to authenticate to reach these servers.]
 SuperStack 3 Firewall can …
 Offer secure wireless connectivity
 Allow secure access to authorized wireless clients
 Provide guest services for visiting wireless users
Authentication of VPN clients
 The authentication of virtual private network (VPN) clients by
the VPN server is a vital security concern. Authentication takes
place at two levels:
 Computer-level authentication:
 When Internet Protocol security (IPSec) is used for a Layer Two Tunneling
Protocol (L2TP) over IPSec (L2TP/IPSec) VPN connection, computer-level
authentication is performed through the exchange of computer certificates
or a preshared key during the establishment of the IPSec security
association. For more information, see Internet Key Exchange.
 User-level authentication:
 Before data can be sent over the Point-to-Point Tunneling Protocol (PPTP)
or L2TP tunnel, the remote access client or demand-dial router that
requests the VPN connection must be authenticated. User-level
authentication occurs through the use of a Point-to-Point Protocol (PPP)
authentication method. For more information, see Remote Access
Authentication Methods.
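The two-level authentication described above, as an added illustration for this page (it is not the slides' code and not any VPN product's implementation). The computer level is a deliberately simplified model of IKE pre-shared-key authentication: SKEYID is derived as prf(PSK, Ni | Nr) and a proof is computed over the peer identity, while the Diffie-Hellman exchange and the cookie and SA fields that the real IKEv1 HASH_I also covers are left out. The user level is the actual PPP CHAP computation from RFC 1994, Response = MD5(Identifier | secret | Challenge), which EAP-MD5 (RFC 3748 section 5.4) reuses unchanged. The pre-shared key, the client identity, the user database and the passwords are constructed sample values. The last function shows why the order of the two levels matters: a CHAP exchange captured in transit can be attacked offline with a word list, so it must only run after the computer level has established the IPSec security association that protects it.

```python
"""Two-level VPN client authentication: computer-level pre-shared key, then
user-level PPP CHAP. Added example for this page; simplified IKE model, real CHAP."""
import hashlib
import hmac
import os


# --- level 1: computer authentication with a pre-shared key ------------------
def psk_proof(psk, ni, nr, identity):
    """Proof of PSK knowledge bound to both nonces and the claimed identity."""
    skeyid = hmac.new(psk, ni + nr, hashlib.sha1).digest()    # prf(PSK, Ni | Nr)
    return hmac.new(skeyid, identity, hashlib.sha1).digest()


def psk_verify(psk, ni, nr, identity, proof):
    return hmac.compare_digest(psk_proof(psk, ni, nr, identity), proof)


# --- level 2: user authentication with CHAP / EAP-MD5 ------------------------
def chap_response(ident, secret, challenge):
    """RFC 1994 s4.1: MD5 over Identifier, secret and Challenge, in that order."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify(ident, secret, challenge, response):
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


# --- the combined exchange ---------------------------------------------------
def vpn_login(server_psk, userdb, client_psk, username, password, ni=None, nr=None):
    """Returns (computer_ok, user_ok). The CHAP exchange starts only once the
    computer-level proof has been accepted, i.e. inside the protected SA."""
    ni = ni or os.urandom(16)                 # initiator nonce
    nr = nr or os.urandom(16)                 # responder nonce
    client_id = b"client.campus.example"      # assumed identity, for illustration only
    proof = psk_proof(client_psk, ni, nr, client_id)
    if not psk_verify(server_psk, ni, nr, client_id, proof):
        return False, False
    ident, challenge = 1, os.urandom(16)      # server picks Identifier and Challenge
    response = chap_response(ident, password, challenge)
    user_ok = username in userdb and chap_verify(ident, userdb[username], challenge, response)
    return True, user_ok


# --- why level 2 must travel inside the tunnel -------------------------------
def chap_dictionary_attack(ident, challenge, response, wordlist):
    """Given a captured (Identifier, Challenge, Response) triple, every guess can be
    tested offline; one MD5 per guess makes this cheap. Returns the secret or None."""
    for guess in wordlist:
        if chap_response(ident, guess, challenge) == response:
            return guess
    return None


if __name__ == "__main__":
    psk, users = b"campus-psk", {b"alice": b"winter2010"}      # constructed sample data
    print(vpn_login(psk, users, psk, b"alice", b"winter2010"))   # (True, True)
    ch = os.urandom(16)
    captured = chap_response(1, users[b"alice"], ch)
    print(chap_dictionary_attack(1, ch, captured, [b"summer", b"winter2010"]))  # b'winter2010'
```

Note that a wrong pre-shared key fails the login before any user credential is exchanged: with the real protocols the client's CHAP or EAP-MD5 packets never leave the machine unencrypted, which is the property the slide's "computer-level first, user-level second" ordering is meant to deliver.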
The Internet and Intranets
 An intranet is a corporate LAN and/or Wide Area Network (WAN) that is
secured behind the company’s firewalls and built on Internet technologies.
 Although intranets use the same TCP/IP protocols as the Internet, they
operate as private networks with restricted access.
 Only employees who have been issued passwords and access codes are able
to use them.
 Intranets are therefore limited to information relevant to the company,
and they hold exclusive, often proprietary and sensitive, information.
 Firewalls protect intranets from unauthorized outside access.
The Intranet (cont.)
[Figure: Intranet behind Firewalls, with Public/External Internet Users outside; inside: Clients, Servers, Legacy systems, E-mail servers, Web servers, Databases, ERP]
The Extranet
 An extranet is an “extended intranet”: it uses TCP/IP networks (such as
the Internet) to link intranets in different locations.
 Extranet traffic is carried over the Internet to save money, but the
Internet itself offers no confidentiality or integrity for that traffic. By
creating tunnels of secured data flows with cryptography (encryption and
authentication), i.e. VPNs, that protection is restored.
 Extranets thus provide secure connectivity between a corporation’s
intranets and the intranets of its business partners, material suppliers,
financial services, and customers.
The Extranet (cont.)
[Figure: two Intranets, each behind a Firewall with a VPN endpoint, joined by VPN tunneling across the Internet; the resulting Extranet reaches Suppliers, Distributors and Customers]
Internet, Intranet, and Extranet

Network Type | Typical Users                                  | Type of Access                            | Information
-------------|------------------------------------------------|-------------------------------------------|------------------------------------------
Internet     | Any individual with dial-up access or LAN      | Unlimited, public; no restrictions        | General, public and advertisement
Intranet     | Authorized employees ONLY                      | Private and restricted                    | Specific, corporate and proprietary
Extranet     | Authorized groups from collaborating companies | Private, plus authorized outside partners | Shared within the authorized collaborating group
Generic Functions of an Intranet
 Corporate/department/individual Web-pages
 Database access: Web-based databases
 Interactive communication: Chatting, audio and
videoconferencing
 Document distribution and workflow: Web-based download and
routing of documents
 Groupware: Enhanced e-mail and a bulletin board
 Telephony: Intranets are the perfect conduit for computer-based
telephony
 Integration with electronic commerce: Interface with Internet-based electronic sales and purchasing
Industry Specific Intranet Solutions
 Financial Services: Banking, brokerages and other financial
services, insurance
 Information Technology
 Manufacturing: Chemicals and oil, consumer goods, food and
beverages, general manufacturing, and pharmaceuticals
 Retailing
 Services: Construction and engineering, education,
environmental, healthcare, media, entertainment,
telecommunications, transportation, and utilities
Categories of Extranet Application
 Enhanced Communications
  Improved internal communications
  Improved business partnership channels
  Effective marketing, sales, and customer support
  Collaborative activities support
Benefits of Extranet Application
 Productivity Enhancements
  Just-in-time (JIT) information delivery
  Reduction of information overload
  Productive collaboration between workgroups
  Training on demand
 Business Enhancements
  Faster time to market
  Simultaneous engineering potential
  Lower design and production costs
  Improved client relationships
  New business opportunities
 Cost Reduction
  Reduced errors
  Improved comparison shopping
  Reduced travel and meetings expenses
  Reduced administrative and operational costs
  Elimination of paper publishing costs
 Information Delivery
  Low-cost publishing
  Leveraging of legacy systems
  Standard delivery systems
  Ease of implementation and maintenance
  Elimination of paper publishing and mailing costs