Task 1. Investigate the LAN Switching.

SWITCH ENGINEERING ASSIGNMENT
Unit Name: Switch Engineering
Unit Code: SWE
Unit Level: Term 2, Year 2

Table of Contents.
Task 1. Investigate the LAN Switching
1. Analyse the concept of Internetworking.
2. Evaluate and analyse the concept of Switching.
3. Taking an example of Switch, demonstrate the basic Switch Configuration.
Task 2. Investigate and design Switching Security.
1. Examine the Network Security Concepts.
2. Research VLAN attacks.
3. Review Random Frame-Stress Attacks.
Task 3. Ethernet Switching Networks Design.
1. Analyse the Ethernet Switching.
2. Contrast the Multilayer Switching.
3. Evaluate industrial application of Ethernet Switching.
4. Demonstrate Ethernet Switch Network Design.
Task 4. Wireless LAN Switching.
1. Demonstrate how Wireless Switching works.
2. Analyse WLAN Switching Architecture.
3. Evaluate Wireless Traffics.
4. Evaluate Wireless Management and Monitoring.

Introduction
STL is a UK-based financial management consultancy with branches operating in many countries in Europe, Asia and Australia. The company is going to establish a New York office consisting of admin, accounts, finance and research departments of 15, 18, 42 and 35 employees respectively. The proposed site, four floors of a multi-storey building, has already been acquired in the heart of the city. As a network consultant, the organisation has required my services to produce a strategy and design report for setting up the network of the proposed office, with a file server, an intranet server, a mail server and connectivity to the head office.

1.1 Internetworking Basics.
An internetwork is a group of individual networks, connected by intermediate networking devices, that works as a single large network.
Generally speaking, internetworking refers to the industry field, the products and the procedures that meet the challenge of creating and managing internetworks.
Internetworking Challenges.
Installing and configuring an internetwork is not an easy task, principally in the areas of connectivity, reliability, network management and flexibility. Each area is key in creating an efficient and effective internetwork. The connectivity challenge when several systems are connected is communication between dissimilar technologies: different sites, for example, can use several kinds of transmission media or may be operating at different speeds. Another key consideration is that any internetwork must maintain a reliable service; users and entire organisations depend on steady and consistent access to network resources. In addition, network management must provide centralised support and troubleshooting capabilities for the internetwork: configuration, security, performance and other details should be handled properly so that the internetwork functions smoothly. Flexibility, the final concern, is needed for network expansion and for new applications and services, among other factors.
Fig 1. Different network technologies can be connected to create an internetwork.
Network Types.
Fig 2. Network types scheme.
LAN (Local Area Network).
A LAN is a group of computers that belong to the same organisation and are linked within a small geographic area through a network, usually with the same technology, e.g. Ethernet (nowadays widely used). The data transfer rate in a local area network can reach 10 Mbps (e.g. an Ethernet network) and 1 Gbps (e.g. FDDI (Fiber Distributed Data Interface) or Gigabit Ethernet). A local area network may serve 100 or even 1000 users. LANs offer users many advantages, including file exchange between connected users, shared access to devices and applications, and communication between users via electronic mail and other applications.
By extending the definition of a LAN to the services provided, you can define two different operating modes:
- In a "peer to peer" (P2P) network, communication takes place from one computer to another without a central computer, and each machine has the same function.
- In a "client / server" environment, a central computer provides network services to users.
MAN (Metropolitan Area Network).
A MAN connects multiple LANs that are geographically nearby (in an area of about 50 kilometres) at high speeds. Therefore, a MAN lets two remote nodes communicate as if they were part of the same local area network.
- A MAN is made from switches or routers connected together via high-speed connections (usually fibre optic cables).
WAN (Wide Area Network).
A WAN connects multiple LANs to one another over large geographical distances. The speed available on a WAN varies with the cost of the connections (which increases with distance) and may be low.
- WANs operate using routers, which can "choose" the most appropriate path for data to reach a network node. The best known WAN is the Internet.
Fig 2. Three commonly used LAN application topologies.
Benefits of Internetworking.
Generally speaking, internetworking has brought many benefits to our daily lives, but note that infrastructure, cost, communication and time are the most significant factors in an internetworking intervention.
Transparent Bridging.
Transparent bridges record a table of MAC addresses, as routers do for their own addresses, built from the source data-link MAC addresses of all received frames. These tables are used for address look-up when forwarding a frame. Bridges learn the location of workstations by evaluating the source address of incoming frames from all attached networks.
Bridge & Switch Basics.
A switch works in the first two layers of the OSI model: it delivers data to each target machine and enables multiple physical LAN segments to be interconnected into a single large network.
Designed for networks with somewhat more machines than a hub can serve, a switch eliminates packet collisions (a collision occurs when a computer attempts to communicate with a second computer while another one is already communicating with it; the first one retries later). A hub, by contrast, is a layer 1 device of the OSI model: it replicates the signal to all ports and so sends all data to all machines until the data is delivered.
Switches can use different forwarding techniques; two of these are store-and-forward switching and cut-through switching.
Store-and-Forward.
Each frame is saved into a buffer before being passed to the output port. While the frame is in the buffer, the switch calculates the CRC (Cyclic Redundancy Check) and measures the frame size. If the CRC fails, or the frame is too small or too big, the frame is discarded. If everything is in order, it is forwarded to the output port. This method ensures error-free operation and increases confidence in the network, but the time used to store and check each frame adds significantly to the processing delay. The total delay is proportional to the size of the frame: the larger the frame, the greater the delay.
Cut-Through Switching.
Cut-through switches are designed to reduce this latency. They minimise the delay by reading only the first 6 bytes of the frame, which contain the destination MAC address, and forwarding it immediately. The problem with this kind of switch is that it does not detect collision fragments (called runts) or CRC errors. The greater the number of collisions on the network, the greater the bandwidth consumed by forwarding corrupt frames.
Fragment-Free Switching.
This method is an improved cut-through: instead of reading only the 14-byte header, it reads the first 64 bytes (the minimum size of an Ethernet frame). Thus it filters out erroneous frames shorter than 64 bytes. However, this method can still relay frames with a bad CRC.
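As an added illustration (not part of the assignment), the following Python script builds a few constructed Ethernet frames, including a runt and one with a corrupted payload, and shows which of the three forwarding methods would drop each one and after how many bytes each method decides; the frame sizes and the CRC-32 FCS follow the standard Ethernet values.

```python
from __future__ import annotations
import zlib

# Minimum and maximum Ethernet frame sizes in bytes (without preamble),
# the size check a store-and-forward switch applies.
MIN_FRAME = 64
MAX_FRAME = 1518


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build a frame: header + payload (padded to 46 bytes) + FCS."""
    payload = payload.ljust(46, b"\x00")          # pad so the frame reaches 64 bytes
    body = dst + src + ethertype.to_bytes(2, "big") + payload
    fcs = zlib.crc32(body).to_bytes(4, "little")  # Ethernet FCS is CRC-32, LSB first
    return body + fcs


def fcs_ok(frame: bytes) -> bool:
    """Recompute CRC-32 over everything but the trailing FCS and compare."""
    body, fcs = frame[:-4], frame[-4:]
    return zlib.crc32(body).to_bytes(4, "little") == fcs


def store_and_forward(frame: bytes) -> tuple[str, int]:
    """Buffer the whole frame, check size and CRC, then forward or drop.
    Returns (decision, bytes read before the decision)."""
    if len(frame) < MIN_FRAME or len(frame) > MAX_FRAME:
        return "drop: bad size", len(frame)
    if not fcs_ok(frame):
        return "drop: bad CRC", len(frame)
    return "forward", len(frame)


def cut_through(frame: bytes) -> tuple[str, int]:
    """Decide after the first 6 bytes (destination MAC). Runts and CRC
    errors are never seen, so everything is forwarded."""
    return "forward", 6


def fragment_free(frame: bytes) -> tuple[str, int]:
    """Decide after the first 64 bytes: collision fragments shorter than the
    minimum frame size are dropped, but a bad CRC still passes."""
    if len(frame) < MIN_FRAME:
        return "drop: runt", len(frame)
    return "forward", MIN_FRAME


MODES = {"store-and-forward": store_and_forward,
         "cut-through": cut_through,
         "fragment-free": fragment_free}

# Constructed sample frames: a good one, a runt (collision fragment) and one
# whose payload was corrupted in transit so the FCS no longer matches.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
GOOD = build_frame(DST, SRC, 0x0800, b"hello")
RUNT = GOOD[:40]
_corrupt = bytearray(GOOD)
_corrupt[20] ^= 0xFF                          # flip one payload byte
CORRUPT = bytes(_corrupt)
SAMPLES = {"good": GOOD, "runt": RUNT, "corrupt": CORRUPT}


def evaluate() -> dict[str, dict[str, str]]:
    """Run every sample through every mode: {mode: {sample: decision}}."""
    return {mode: {name: fn(frame)[0] for name, frame in SAMPLES.items()}
            for mode, fn in MODES.items()}


if __name__ == "__main__":
    for mode, results in evaluate().items():
        print(mode, results)
```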
For this reason some manufacturers implement dynamic methods that switch between modes according to the errors observed. If there are many errors, the system chooses store-and-forward; if the errors go down, it switches back to fragment-free.
Adaptive Cut-Through.
Switches processing frames in adaptive mode support both store-and-forward and cut-through. Either mode can be activated by the network administrator, or the switch may be smart enough to choose between the two methods based on the number of error frames passing through the ports.
Fig 3. Frame forwarding methods.
Spanning Tree Protocol.
Spanning Tree Protocol (STP) is a layer 2 protocol that helps networks avoid switching loops, frames looping endlessly on the network, and broadcast storms on any Ethernet local area network (LAN). STP lets network engineers keep redundant paths and provides automatic path redundancy in the event of an active link failure. One of the advantages of STP is that it reconfigures the network by activating the appropriate standby path if the forwarding path becomes unavailable.
Root Bridge.
The root bridge is the main switch located at the top of the spanning tree. There is only one root bridge on each network, and it is chosen based on a numerical value called the bridge priority that is assigned to all bridges. The priority value of the bridge is used to build the bridge/switch ID. The switch ID is made from two values:
- the switch priority, a numerical value defined by IEEE 802.1D, which is 32,768 by default;
- the MAC address of the switch.
If all the switches in a LAN are configured with the default switch priority (32,768), the switch MAC address becomes the deciding factor in electing the root bridge: the bridge with the lowest MAC address is elected as root bridge.
BPDU (Bridge Protocol Data Unit).
The BPDU is the message used to exchange data between the switches within a LAN that runs a spanning tree protocol. BPDU packets contain data on ports, addresses, priorities and costs, the value of the aging timers and the value of the hello timer, and ensure that the information ends up where it was intended to go.
Root Ports.
Once the root bridge has been elected, every other switch connected to the network must select a single port through which to reach the root bridge/switch.
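An added example, not from the assignment: a simplified Python model of the root bridge election and root port selection described above, run on a constructed three-switch topology. The bridge IDs, MAC addresses and link costs are assumed values, and the tie-break is simplified to the neighbour's bridge ID.

```python
from __future__ import annotations
import heapq
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768   # IEEE 802.1D default bridge priority


@dataclass(frozen=True, order=True)
class BridgeId:
    """Bridge ID = (priority, MAC). Dataclass ordering compares the fields in
    order, so the lowest priority wins and the lowest MAC breaks a tie."""
    priority: int
    mac: str  # "aa:bb:cc:dd:ee:ff"; comparing the strings compares the bytes in order


# Constructed topology: {switch: {port: (neighbour, link cost)}}
# Link costs use the classic 802.1D values: 100 Mbps = 19, 1 Gbps = 4.
LINKS = {
    "SW1": {"f0/1": ("SW2", 19), "g0/1": ("SW3", 4)},
    "SW2": {"f0/1": ("SW1", 19), "f0/2": ("SW3", 19)},
    "SW3": {"g0/1": ("SW1", 4), "f0/2": ("SW2", 19)},
}
# All three keep the default priority, so the MAC address decides.
BRIDGE_IDS = {
    "SW1": BridgeId(DEFAULT_PRIORITY, "00:1a:2b:3c:4d:01"),
    "SW2": BridgeId(DEFAULT_PRIORITY, "00:1a:2b:3c:4d:02"),
    "SW3": BridgeId(DEFAULT_PRIORITY, "00:0c:29:aa:bb:03"),
}


def elect_root(bridge_ids: dict[str, BridgeId]) -> str:
    """Return the name of the switch with the lowest bridge ID."""
    return min(bridge_ids, key=lambda s: bridge_ids[s])


def path_costs(links: dict, root: str) -> dict[str, int]:
    """Lowest cumulative link cost from every switch to the root (Dijkstra)."""
    best = {root: 0}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node]:
            continue
        for _port, (nbr, link_cost) in links[node].items():
            new = cost + link_cost
            if new < best.get(nbr, float("inf")):
                best[nbr] = new
                heapq.heappush(heap, (new, nbr))
    return best


def root_ports(links: dict, bridge_ids: dict[str, BridgeId]) -> dict[str, str]:
    """For every non-root switch, pick the single port that gives the lowest
    path cost to the root; equal costs are broken by the neighbour's bridge ID."""
    root = elect_root(bridge_ids)
    cost_to_root = path_costs(links, root)
    chosen = {}
    for sw, ports in links.items():
        if sw == root:
            continue
        candidates = [(cost_to_root[nbr] + link_cost, bridge_ids[nbr], port)
                      for port, (nbr, link_cost) in ports.items()]
        chosen[sw] = min(candidates)[2]
    return chosen


if __name__ == "__main__":
    print("root:", elect_root(BRIDGE_IDS))
    print("root ports:", root_ports(LINKS, BRIDGE_IDS))
```

Lowering SW1's priority (for example to 4096) makes it the root regardless of MAC addresses, which is how an administrator pins the root bridge instead of leaving it to chance.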
The single port on a switch selected by the lowest path cost to the root bridge is called the root port.
Designated Ports.
Note that only one root port can exist on a switch, but multiple designated ports can exist on it. A designated port has the lowest path cost on its own LAN segment. The port on the other side of a designated port is known as a non-designated port if it is not a root port. A non-designated port stays in the blocking state all the time, to avoid layer 2 switching loops.
Blocked Ports.
This is a port that does not forward traffic in a switched network.
The main reason for UplinkFast, BackboneFast and PortFast is to decrease the time it takes for classic Spanning Tree Protocol to converge after a link failure.
- UplinkFast reduces the STP convergence time in the event of a direct link failure (a link connected directly to the same switch) of an uplink on an access layer switch.
- BackboneFast reduces the STP convergence time in the event of an indirect link failure (a link on any other switch, not connected directly), anywhere in the STP topology.
- PortFast is used to speed up convergence on ports that are connected to a workstation, a network printer or a server.
1.2 Evaluate the concept of Switch.
A network switch is a device used to connect multiple computers inside a LAN. It operates at layer 2 (the Data Link layer) of the OSI model. There are also switches that can operate at layer 3 and above, known as multilayer switches. The basic task of a network switch is to forward layer 2 packets (Ethernet frames) and flood traffic, based on MAC addresses, from the source device to the destination device.
Table 1. The next chart shows some advantages and disadvantages between bridge and switch.
Bridge | Switch
Packet forwarding is performed in software. | Packet forwarding is performed using ASICs (Application Specific Integrated Circuits).
Lower speeds. | Higher speeds.
Method of switching is store-and-forward. | Methods of switching are store-and-forward, cut-through and fragment-free.
Few ports (6 ports). | More ports (24, 48, 72...).
Operates only in half-duplex mode. | Operates in both half-duplex and full-duplex mode.
Bridges and switches both have one collision domain per port. | Switches have one broadcast domain per VLAN.
| Supports full-duplex Local Area Network (LAN) communication.
Forwards layer 2 addresses (MAC addresses), replicating the signal to all ports. | Can learn layer 2 MAC addresses and forward layer 2 packets (Ethernet frames) to the exact destination.
| High-end switches have pluggable modules.
Functions of a Network Switch.
Learning: the procedure of obtaining the MAC addresses of the linked devices. When a host sends a packet to another host, the switch reads the source MAC address from the Ethernet frame and compares it with its CAM (Content Addressable Memory) table, also known as the MAC address table. If the switch cannot find a matching entry in the CAM table, it adds the address to the table together with the port number on which the Ethernet frame arrived. If the MAC address is already in the CAM table, the switch compares the incoming port with the port recorded in the table; if the port numbers differ, the switch updates the CAM table with the new port number. This usually happens when a network administrator unplugs the cable from one port and attaches it to another.
Forwarding: the procedure of passing network traffic from a device linked to one port of a switch to another device linked to another port on the same switch.
Flooding: if the destination MAC address is not found in the CAM table, the switch forwards the Ethernet frame out of all its ports except the source port.
Aging: helps to remove old entries and free memory in the CAM table to add new entries. When the switch updates an entry in the MAC address table, it resets the aging timer for that entry.
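The four functions above, implemented as an added Python simulation (not the assignment's code) of a CAM table driven by constructed traffic; port names, MAC addresses and the aging time are assumed values.

```python
from __future__ import annotations


class CamTable:
    """Simplified switch MAC address table implementing learning, forwarding,
    flooding and aging. Timestamps are passed in explicitly so the aging
    behaviour is reproducible."""

    def __init__(self, ports: list[str], aging_seconds: float = 300.0):
        self.ports = list(ports)
        self.aging_seconds = aging_seconds
        self.entries: dict[str, tuple[str, float]] = {}  # mac -> (port, last_seen)
        self.events: list[str] = []

    def _age_out(self, now: float) -> None:
        """Aging: drop entries whose timer has expired, freeing table space."""
        stale = [m for m, (_, seen) in self.entries.items()
                 if now - seen > self.aging_seconds]
        for m in stale:
            del self.entries[m]
            self.events.append(f"aged out {m}")

    def learn(self, src_mac: str, in_port: str, now: float) -> None:
        """Learning: record the source MAC on the ingress port. A known MAC seen
        on a different port is moved; either way the aging timer is reset."""
        old = self.entries.get(src_mac)
        if old is None:
            self.events.append(f"learned {src_mac} on {in_port}")
        elif old[0] != in_port:
            self.events.append(f"moved {src_mac} {old[0]} -> {in_port}")
        self.entries[src_mac] = (in_port, now)

    def receive(self, src_mac: str, dst_mac: str, in_port: str, now: float) -> list[str]:
        """Process one frame and return the list of egress ports."""
        self._age_out(now)
        self.learn(src_mac, in_port, now)
        if dst_mac == "ff:ff:ff:ff:ff:ff" or dst_mac not in self.entries:
            # Flooding: unknown unicast and broadcast go out every port but the source.
            return [p for p in self.ports if p != in_port]
        out_port, _ = self.entries[dst_mac]
        # Forwarding: a known destination goes out exactly one port, or is filtered
        # when it lives on the port the frame arrived on.
        return [] if out_port == in_port else [out_port]


def demo() -> dict:
    """Constructed traffic that walks through learn, forward, flood, move and age."""
    sw = CamTable(["f0/1", "f0/2", "f0/3", "f0/4"], aging_seconds=300)
    A, B = "00:11:22:33:44:aa", "00:11:22:33:44:bb"
    out = {}
    out["a_to_b_unknown"] = sw.receive(A, B, "f0/1", now=0)      # B unknown: flood
    out["b_to_a_known"] = sw.receive(B, A, "f0/2", now=1)        # A known: f0/1 only
    out["a_to_b_known"] = sw.receive(A, B, "f0/1", now=2)        # B known: f0/2 only
    out["a_moved"] = sw.receive(A, B, "f0/3", now=3)             # A re-plugged into f0/3
    out["b_to_a_after_move"] = sw.receive(B, A, "f0/2", now=4)   # now delivered on f0/3
    out["after_aging"] = sw.receive(B, A, "f0/2", now=400)       # A aged out: flood again
    out["events"] = list(sw.events)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```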
Categories of Switching.
There are two main categories of switches:
Modular Switches. These let you add expansion modules into the switch as required, delivering the best flexibility to address changing networks. Some examples of expansion modules are application-specific modules (firewall, wireless or network analysis), modules for extra interfaces, power supplies or cooling fans.
Fixed Switches. As the name implies, these are switches with a fixed number of ports and are usually not expandable. Note that this category can be split further into:
- Unmanaged switches
- Smart switches
- Managed L2 and L3 switches
Unmanaged Switch.
This kind of switch is the most cost-effective for deployment scenarios that involve only basic layer 2 switching and connectivity. As such, they fit best when you need a few additional ports on your desk, in a meeting room, in a laboratory or even at home. With some unmanaged switches you get capabilities such as traffic prioritisation using default QoS settings, cable diagnostics and energy-saving features. However, these switches mostly cannot be modified or managed: you simply plug them in, and they require no configuration at all.
Smart Switches.
Generally speaking, these switches provide certain levels of management, QoS, security, etc. However, they have fewer capabilities and are less scalable than managed switches, which makes them a cost-effective alternative to managed switches. Therefore, smart switches are the right choice at the edge of a large network (with managed switches being used in the core), as the structure for smaller deployments, or for low-complexity networks in general.
- One of the capabilities of smart switches is a management interface such as a CLI and/or SNMP/RMON.
- They let you segment the network into workgroups by creating VLANs.
- They support basic quality of service (QoS), which facilitates prioritisation of users and applications.
Enterprise Switch (Fully Managed L2 & Managed L3 Switches).
These are designed to provide the most complete set of features to deliver the best application experience, the highest levels of security, the most precise control and management of the network, and the greatest scalability in the fixed-configuration category of switches. As a result, they are usually deployed as aggregation/access switches in very large networks or as core switches in comparatively smaller networks.
- Full set of management features, including CLI, SNMP agent and web interface.
- Full set of additional features to handle configurations, such as the ability to display, modify, back up and restore configurations.

1.3 Demonstrate Switch Configuration.
For our demonstration we will use Cisco Packet Tracer as the tool to configure a computer network. First of all, let me explain what Cisco Packet Tracer is. Cisco Packet Tracer is a powerful network simulation program that allows students to experiment with network behaviour, providing simulation, visualisation, creation, evaluation and collaboration capabilities, and facilitates the teaching and learning of complex technology concepts.
After this brief explanation, let us go into detail. The scheme below shows a network design in which two VLANs share a switch to form the network and a router connects the two networks.
How it works, step by step:
First network (VLAN 10):
1. Add the workstations: PC05, PC06, PC09.
2. Assign the network ID: 192.168.1.1.
3. Assign VLAN 10.
4. Assign the default gateway: 192.168.1.254.
Second network (VLAN 20):
1. Add the workstations: PC07, PC08, LAPTOP09.
2. Assign the network ID: 192.168.2.1.
3. Assign VLAN 20.
4. Assign the default gateway: 192.168.2.254.
E.g. Static IP configuration of PC05.
To configure the static IP address in the first network, click on the required PC (in this case PC05) > Desktop > IP Configuration > type the IP address > the subnet mask is filled in by default > type the default gateway > close.
To configure the static IP address in the second network, click on the required PC (in this case PC07) > Desktop > IP Configuration > type the IP address > the subnet mask is filled in by default > type the default gateway > close.
Switch Configuration.
Create VLAN 10 and VLAN 20 and give each VLAN interface (SVI) an address.
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#vlan 10
Switch(config-vlan)#name Sales
Switch(config-vlan)#exit
Switch(config)#interface vlan 10
Switch(config-if)#ip address 192.168.1.1 255.255.255.0
Switch(config-if)#exit
Switch(config)#vlan 20
Switch(config-vlan)#name Marketing
Switch(config-vlan)#exit
Switch(config)#interface vlan 20
Switch(config-if)#ip address 192.168.2.1 255.255.255.0
Switch(config-if)#exit
Adding ports to VLAN 10 and VLAN 20.
Switch(config)#interface f0/1
Switch(config-if)#switchport access vlan 10
Switch(config-if)#exit
Switch(config)#interface f0/2
Switch(config-if)#switchport access vlan 10
Switch(config-if)#exit
Switch(config)#interface f0/3
Switch(config-if)#switchport access vlan 20
Switch(config-if)#exit
Switch(config)#interface f0/4
Switch(config-if)#switchport access vlan 20
Switch(config-if)#exit
Create the trunk port that will connect to the router.
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#interface f0/5
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk
Router Configuration.
Router>en
Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int g0/0
Router(config-if)#no ip address
Router(config-if)#no shut
Router(config-if)#no shutdown
Router(config-if)#
%LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
%LINK-5-CHANGED: Interface GigabitEthernet0/0.10, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0.10, changed state to up
%LINK-5-CHANGED: Interface GigabitEthernet0/0.20, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0.20, changed state to up
Router(config-if)#exit
Router(config)#int
Router(config)#interface f0/0.10
Router(config-subif)#encapsulation dot1Q 10
Router(config-subif)#ip add
Router(config-subif)#ip address 192.168.1.254 255.255.255.0
% 192.168.1.0 overlaps with FastEthernet0/0
Router(config-subif)#exit
Router(config)#interface f0/0.20
Router(config-subif)#
%LINK-5-CHANGED: Interface FastEthernet0/0.20, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0.20, changed state to up
Router(config-subif)#encapsulation dot1Q 20
Router(config-subif)#ip address 192.168.2.254 255.255.255.0
Router(config-subif)#exit
Router(config)#
The overlap error above appears because the physical interface FastEthernet0/0 still carried an address in the 192.168.1.0 network; the session continues by removing that address with no ip address and repeating the sub-interface configuration.
Router(config)#int f0/1
Router(config-if)#no ip address
Router(config-if)#exit
Router(config)#int f0/0
Router(config-if)#no ip address
Router(config-if)#no shut
Router(config-if)#exit
Router(config)#int f0/0.10
Router(config-subif)#en
Router(config-subif)#encapsulation dot1q 10
Router(config-subif)#ip ad
Router(config-subif)#ip address 192.168.1.254 255.255.255.0
Router(config-subif)#exit
Router(config)#int f0/0.20
Router(config-subif)#encapsulation dot1q 20
Router(config-subif)#ip address 192.168.2.254 255.255.255.0
Router(config-subif)#exit
Router(config)#
Router(config)#int f0/0
Router(config-if)#ip dhcp p
Router(config-if)#ip dhcp pool sales
Router(dhcp-config)#ne
Router(dhcp-config)#network 192.168.1.0 255.255.255.0
Router(dhcp-config)#de
Router(dhcp-config)#default-router 192.168.1.254
Router(dhcp-config)#exit
Router(config)#int f0/0
Router(config-if)#ip dhcp pool marketing
Router(dhcp-config)#network 192.168.2.0 255.255.255.0
Router(dhcp-config)#default-router 192.168.2.254
Router(dhcp-config)#exit
Router(config)#ip dhcp ?
  excluded-address  Prevent DHCP from assigning certain addresses
  pool              Configure DHCP address pools
  relay             DHCP relay agent parameters
Router(config)#ip dhcp e
Router(config)#ip dhcp excluded-address 192.168.1.1
Router(config)#ip dhcp excluded-address 192.168.2.1
Router(config)#exit
Router#
%SYS-5-CONFIG_I: Configured from console by console
Router#
%DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.1.2.
%DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.1.3.
%DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.1.4.
%DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.2.2.
%DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.2.3.
The address-conflict messages mean that the DHCP server's ping found those addresses already in use on the network, so it skips them; only 192.168.1.1 and 192.168.2.1 were reserved with excluded-address.
DHCP Configuration.
E.g. 1. To configure DHCP in the second network, click on the required PC (in this case Laptop0) > Desktop > IP Configuration > click on DHCP > close. Note: repeat the request until the DHCP request succeeds.
E.g. 2. To configure DHCP in the first network, click on the required PC (in this case PC05) > Desktop > IP Configuration > click on DHCP > close.

Task 2. Switching Security.
2.1 Examine the Network Security Concepts.
Network security, as the name implies, is the set of measures that guarantees that all devices on a network (such as routers, firewalls, switches, servers and workstations) operate as intended and that all users of these devices have only the rights that have been assigned to them. Even the operating systems running on these devices are part of the network infrastructure.
Therefore, make sure your network is secure at all times, even when a configuration is changed or a new device is added, so as not to create a hole in your security system. This may include:
- Preventing unauthorised users from getting into the system for malicious purposes.
- Preventing users from performing involuntary operations that could damage the OS.
- Securing data by anticipating disasters.
- Guaranteeing that services are not interrupted.
Switching.
In terms of switching security, note that we have to know how to configure a switch in the best way. A switch is never safe by default; the risk is still there, so you need to configure it correctly to make it reasonably safe on a network. Remember, a switch is a networking device that connects devices together on a network segment, using packet switching to receive, process and forward data to the destination device.
Next are some tricks for switching security:
Disable unused ports. All unused ports on the switch must be disabled to avoid data leaks through an open port that makes the network accessible to any intruder. These examples show how to disable and re-enable a port:
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# shutdown
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# no shutdown
Port Security. Port security enables you to control access to your network. You can use the port security feature to restrict input to an interface by limiting and identifying the MAC addresses of the workstations that are allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port.
Physical Security. At installation time you must choose a very safe place to fit the switch (such as a rack in a secure room) to avoid an unplugged cable, a network failure caused by physical damage, and so on.
Disable Telnet. Telnet access has to be disabled because it can be used to send information over the public network in clear text.
Disable HTTP Access. The command no ip http server should be used to deactivate HTTP access, so that users cannot access the switch and modify its configuration through the web interface.
Virtual Local Area Network (VLAN) Concepts.
Basically, a Virtual Local Area Network (VLAN) allows you to separate one physical network into smaller logical networks (made up of IP devices such as routers, switches and workstations). The reason behind it is that you can manage many devices on a computer network so that they behave as if they were connected to the same cable, even though they may actually be physically located on different segments of the LAN.
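An added Python audit script (not from the assignment) that checks a constructed IOS running-config excerpt for the hardening points listed above: an enabled HTTP server, telnet allowed on the vty lines, unused access ports left up, and access ports without port security. The configuration lines are assumed sample input, not the assignment's switch.

```python
from __future__ import annotations

# Constructed running-config excerpt with several of the weaknesses the
# section warns about (not taken from any real device).
SAMPLE_CONFIG = """\
hostname SW-ACCESS-1
ip http server
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/3
 description unused
!
interface FastEthernet0/4
 description unused
 shutdown
!
interface FastEthernet0/5
 switchport mode trunk
!
line vty 0 4
 transport input telnet ssh
 login local
!
"""


def parse_sections(config: str) -> tuple[list[str], dict[str, list[str]]]:
    """Split an IOS config into global lines and {section header: [sub-lines]}.
    Sub-lines are the space-indented lines under an 'interface' or 'line' header."""
    globals_, sections, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith(("interface ", "line ")):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            if raw.strip() and raw.strip() != "!":
                globals_.append(raw.strip())
    return globals_, sections


def audit(config: str) -> list[str]:
    """Return one finding per hardening rule that the config violates."""
    globals_, sections = parse_sections(config)
    findings = []
    if "ip http server" in globals_ and "no ip http server" not in globals_:
        findings.append("global: HTTP server enabled (use 'no ip http server')")
    for header, lines in sections.items():
        if header.startswith("line vty"):
            for line in lines:
                if line.startswith("transport input") and "telnet" in line.split():
                    findings.append(f"{header}: telnet allowed ('{line}')")
        if header.startswith("interface "):
            name = header.split(" ", 1)[1]
            is_shut = "shutdown" in lines
            has_vlan = any(l.startswith("switchport access vlan") for l in lines)
            is_trunk = "switchport mode trunk" in lines
            if not has_vlan and not is_trunk and not is_shut:
                findings.append(f"{name}: unused port not shut down")
            if has_vlan and "switchport port-security" not in lines:
                findings.append(f"{name}: access port without port security")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f)
```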
Workstations in the same VLAN can send messages to each other to communicate; even a broadcast message goes out to all devices in that VLAN, and a router is needed to pass messages into another VLAN. Another good reason is that you can divide the network into VLANs by department or by the resources being used, e.g. certain people need access to a certain server, so they can be placed in the same VLAN, such as a marketing or finance department VLAN.
Security options can then be put in place: certain users need access to a server while users in another group do not, so you can put security measures in place to block them. Other services, such as encryption, help to protect your data.
Fig 4. VLAN architecture.
2b. Research VLAN attacks.
VLANs run at layer 2 ("Data Link") of the OSI model, where all 7 layers are independent and communicate with each other. The advantages of VLANs are that they provide location independence for users, save bandwidth and are cost-effective for organisations.
Common VLAN attacks.
A VLAN is as vulnerable to attacks as the other layers, and some of the security issues faced by VLANs are as follows:
ARP Attacks.
ARP works by associating a layer 3 IP address with a layer 2 MAC address. ARP poisoning is a technique that involves spoofing a device on a network; by network device I mean any device connected to the network, whether a computer, a switch, a router, etc. The objective of ARP spoofing is to send fake Address Resolution Protocol messages onto the network. Usually the purpose is to associate the attacker's MAC address with the IP address of another node (the attacked node), such as the default gateway. Any traffic to the IP address of that node will then be mistakenly sent to the attacker rather than to its actual destination.
The attacker can then choose between forwarding the traffic to the actual default gateway (a passive or eavesdropping attack) or modifying the data before forwarding it (an active attack). The attacker can even launch a DoS (Denial of Service) attack against a victim by associating a non-existent MAC address with the IP address of the victim's default gateway. A malicious user can perform a man-in-the-middle (MITM) attack where a network device identifies itself as another device, such as the default gateway, and ARP has no means to verify that claim.
Fig 5. Man-in-the-middle attack (MITM).
Preventions.
One of them relies on the fact that most cryptographic protocols include some form of endpoint authentication specifically to prevent MITM attacks; e.g. SSL authenticates the server using a trusted certification authority.
MAC Flooding Attack.
The MAC flooding attack, or MAC address overflow attack, as the name implies, consists of the attacker flooding the switch's Content-Addressable Memory (CAM) table. This forces packets for all new flows to be flooded out of all ports, letting the attacker see (sniff) arriving packets. The purpose is to consume the limited memory set aside in the switch to store the MAC-address-to-physical-port translation table. Next, the switch goes into a state called fail-open mode: it begins acting like a hub and starts replicating the data to every port. Hence, the attacker uses a packet sniffer to steal information from the network.
Preventions.
We can set port security to restrict input to an interface by regulating and identifying the MAC addresses of the stations permitted to access the port. There are three kinds of secure MAC addresses:
- Static secure MAC addresses.
- Dynamic secure MAC addresses.
- Sticky secure MAC addresses.
Fig 6. MAC flooding attack scheme.
DHCP Attack.
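An added Python model (not part of the assignment) of port security on a single access port, showing why it stops the MAC flooding attack described above: the same constructed flood of random source MACs is sent into a port with no effective limit and into ports with a maximum of two secure addresses in the protect and shutdown violation modes. Port names, MACs and the simplified behaviour of the violation modes are assumptions.

```python
from __future__ import annotations
import random


class SecurePort:
    """Port-security state for one access port: a bounded table of secure MACs
    (static, sticky or dynamic, the three kinds named above) and a violation
    action. Assumed, simplified behaviour of the real feature."""

    def __init__(self, name: str, maximum: int = 1, violation: str = "shutdown",
                 static: set[str] | None = None, sticky: bool = False):
        assert violation in ("protect", "restrict", "shutdown")
        self.name, self.maximum, self.violation = name, maximum, violation
        self.secure: dict[str, str] = {m: "static" for m in (static or set())}
        self.sticky = sticky
        self.err_disabled = False
        self.violations = 0

    def ingress(self, src_mac: str) -> str:
        """Return 'forward' or 'drop' for a frame arriving with src_mac."""
        if self.err_disabled:
            return "drop"                      # shut down by an earlier violation
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            # Room left: learn it as a secure address. Sticky entries are written
            # to the configuration and survive a reload; dynamic ones do not.
            self.secure[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        # Table full and the MAC is unknown: a violation. The secure table never
        # grows past `maximum`, so the CAM table cannot be overflowed via this port.
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True           # port goes err-disabled
        return "drop"                          # protect/restrict: drop and keep going


def flood_port(port: SecurePort, n_frames: int, seed: int = 1) -> dict:
    """Constructed MAC flooding traffic: n_frames frames, each with a random
    locally-administered source MAC, sent into the port."""
    rng = random.Random(seed)
    forwarded = 0
    for _ in range(n_frames):
        mac = "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))
        if port.ingress(mac) == "forward":
            forwarded += 1
    return {"forwarded": forwarded, "learned": len(port.secure),
            "violations": port.violations, "err_disabled": port.err_disabled}


def compare(n_frames: int = 5000) -> dict[str, dict]:
    """Same flood against a port with no effective limit and two hardened ports."""
    return {
        "unprotected": flood_port(SecurePort("f0/1", maximum=10**6), n_frames),
        "protect": flood_port(SecurePort("f0/1", maximum=2, violation="protect"), n_frames),
        "shutdown": flood_port(SecurePort("f0/1", maximum=2, violation="shutdown"), n_frames),
    }


if __name__ == "__main__":
    for mode, result in compare().items():
        print(mode, result)
```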
Dynamic Host Configuration Protocol (DHCP) assigns IP addresses dynamically to workstations, along with the subnet mask and default gateway. There are two kinds of DHCP attacks:
- Starvation attack: works by broadcasting DHCP requests with spoofed MAC addresses.
- Rogue server attack: a DHCP server set up on the network by an attacker. In other words, it is a fake DHCP server created by the intruder to provide clients with addresses and other network information, such as the default gateway and Domain Name System (DNS) server, resulting in a man-in-the-middle attack.
This can be prevented by introducing a multilayer switch in the network.
Fig 7. Rogue server attack.
Spanning Tree Protocol Attack.
By manipulating the STP root bridge election, network attackers hope to spoof their system as the root bridge in the topology. To do this, the network intruder broadcasts STP configuration and topology change bridge protocol data units (BPDUs) in an attempt to force a spanning-tree recalculation.
Multicast Brute Force Attack.
This occurs when a switch receives a number of multicast frames in rapid sequence, which causes the frames to leak into other VLANs instead of being contained in the original VLAN. This might also cause a DoS-like scenario. The multicast brute force attack can be stopped by a well-designed switch which prevents the frames from leaking into other VLANs and thus contains them in the original VLAN.
VLAN Hopping Attack.
VLAN hopping works by sending packets to a port which should not be accessible. Basically, there are two types of VLAN hopping attack:
- Switch spoofing
- Double tagging
2c. Random Frame Stress Attack.
It has many variants, but it is generally a brute force attack performed on several fields of the frame. In this kind of brute force attack the source address and destination address are kept constant. Such attacks are mainly performed to test the switch's ability to cope with anomalies in inputs and controls.
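An added detection example (not the assignment's code) for the two DHCP attacks described above, run over constructed switch-side DHCP events: an OFFER from a server address or port that is not trusted is flagged as a rogue server, and a burst of DISCOVERs with many distinct client MACs on one port is flagged as starvation. The trusted port, server addresses and thresholds are assumed values.

```python
from __future__ import annotations
from collections import defaultdict

# Constructed switch-side DHCP events (not real captures):
# (time_s, ingress_port, message_type, client_mac, server_ip, offered_gateway)
EVENTS = [
    (0.0, "f0/3", "DISCOVER", "00:11:22:33:44:07", None, None),
    # legitimate OFFER arriving on the uplink from the router's pool
    (0.2, "f0/5", "OFFER", "00:11:22:33:44:07", "192.168.2.254", "192.168.2.254"),
    # OFFER from an unknown server on an access port
    (0.3, "f0/9", "OFFER", "00:11:22:33:44:07", "192.168.2.66", "192.168.2.66"),
    # OFFER that claims the real server address but arrives on the wrong port
    (0.4, "f0/9", "OFFER", "00:11:22:33:44:07", "192.168.2.254", "192.168.2.200"),
] + [
    # burst of DISCOVERs with different client MACs from one access port
    (1.0 + i * 0.1, "f0/8", "DISCOVER", f"02:aa:00:00:00:{i:02x}", None, None)
    for i in range(6)
]

TRUSTED_PORTS = {"f0/5"}      # assumed: the trunk toward the router's DHCP pools
TRUSTED_SERVERS = {"192.168.1.254", "192.168.2.254"}   # the pools' default-routers


def detect_rogue_offers(events, trusted_ports=TRUSTED_PORTS,
                        trusted_servers=TRUSTED_SERVERS) -> list[str]:
    """Flag any OFFER that does not come from a trusted server on a trusted port
    (the same trusted/untrusted port rule that DHCP snooping applies)."""
    alerts = []
    for t, port, mtype, client, server, gw in events:
        if mtype != "OFFER":
            continue
        if port not in trusted_ports or server not in trusted_servers:
            alerts.append(f"{t:.1f}s rogue OFFER on {port} from {server} "
                          f"(gateway {gw}) to {client}")
    return alerts


def detect_starvation(events, window: float = 5.0, threshold: int = 5) -> list[str]:
    """Flag a port when more than `threshold` distinct client MACs send a
    DISCOVER within `window` seconds: one access port normally serves one host."""
    per_port: dict[str, list] = defaultdict(list)
    for t, port, mtype, client, _, _ in events:
        if mtype == "DISCOVER":
            per_port[port].append((t, client))
    alerts = []
    for port, seen in per_port.items():
        seen.sort()
        for t0, _ in seen:
            macs = {m for t, m in seen if t0 <= t <= t0 + window}
            if len(macs) > threshold:
                alerts.append(f"{port}: {len(macs)} distinct client MACs "
                              f"within {window:.0f}s from {t0:.1f}s")
                break
    return alerts


if __name__ == "__main__":
    for a in detect_rogue_offers(EVENTS) + detect_starvation(EVENTS):
        print(a)
```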
Random frame stress attacks can be prevented when a Private VLAN (PVLAN) is used to isolate hosts from receiving those unwanted inputs.

Task 3: Ethernet Switching Networks Design

3a. Analyse the Ethernet Switching.
Ethernet (also known as the IEEE 802.3 standard) is a data transmission standard for local area networks which has become the predominant technology for wired LANs today. In an Ethernet configuration, all the computers are connected to the same transmission line and communication is performed using the CSMA/CD protocol (Carrier Sense Multiple Access with Collision Detection), a multiple-access protocol that allows each station to transmit frames over the line at any time, without establishing a priority among them. The success of Ethernet is due to factors such as simplicity and practicality of maintenance, the ability to incorporate new technologies, reliability, and low cost of installation and upgrade, unlike other LAN technologies such as Token Ring, FDDI and ATM, which over time proved slower and more costly than Ethernet. The term Ethernet includes three main sets:
• 10 Mbps Ethernet and IEEE 802.3 specifications: LAN operating at 10 Mbps over coaxial cable.
• 100 Mbps Ethernet LAN specification, also known as "Fast Ethernet", operating at 100 Mbps over twisted pair cable.
• 1000 Mbps Ethernet LAN specification, also known as Gigabit Ethernet, which operates at 1000 Mbps (1 Gbps) over fibre optic and twisted pair cable.

In Ethernet switching, data sent from one device to another through a switch is sent in the form of Ethernet frames, and this method of communication follows the layered OSI model; the Ethernet standards themselves are set by the Institute of Electrical and Electronics Engineers (IEEE). The information travels through all 7 layers of the OSI model, from the Application Layer down to the Physical Layer, complying with the standards and protocols established at each one. When the data packet reaches the Data Link Layer, the IP packet is encapsulated into an Ethernet frame by adding a header that consists of the MAC addresses of the source and destination devices, followed by the Ethernet data and the Ethernet Frame Check Sequence (FCS). This Ethernet frame then travels along the transmission medium to the router, which encapsulates the received Ethernet frame into a datagram that consists of an IP header, IP data and the CRC. This router sends a request to the destination address for a connection using the TCP protocol, which breaks the data into chunks before sending them over different routes and later reassembles them at the destination end-point.

Fig 7. OSI Model

IEEE Ethernet Standards.
This page lists some IEEE standards.
IEEE 802.1:
802.1D (1993) MAC Layer Bridges (ISO 10038)
802.1p Quality of Service and Multicast support in 802.1Q (published as a part of 802.1D)
802.1Q VLAN tags (published as a part of 802.1D)
802.11 WLAN
802.1ad Carrier Ethernet / Double Tagging (also known as "Q-in-Q")

List of the most useful supplements to the IEEE 802 standards:
802.3i (1990) 10BaseT, Ethernet over CAT-5 Unshielded Twisted Pair (UTP)
802.3j (1993) defines Ethernet over Fibre (10BF)
802.3u (1995) Fast Ethernet (100BTX, 100BT4, 100BFX)
802.3z Gigabit Ethernet (over Fibre)
802.3ab Gigabit Ethernet (over UTP CAT-5)
802.3at Power over Ethernet (25.5W)
Source: http://www.erg.abdn.ac.uk/users/gorry/eg3567/lan-pages/ieee.html

Ethernet frames.
Fig 8. Ethernet frames scheme.
An Ethernet frame consists of standardised fields that help to manage the data within the frame:
• Preamble, used for synchronisation; it also contains a delimiter to mark the end of the timing information.
• Destination Address, the 48-bit MAC address of the destination node.
• Source Address, the 48-bit MAC address of the source node.
• Type, a value indicating which upper-layer protocol will receive the data after the Ethernet process is complete.
• Data or Payload, the PDU, typically an IPv4 packet, which is to be transported over the medium.
• Frame Check Sequence (FCS), a value used to check for damaged frames.

3b. Contrast the multilayer switching.
Switches are used to create networks, connecting network devices together and forwarding data from one port to another based on information obtained from the packets being transferred. Why layers? Because switches are classified with reference to the Open System Interconnection (OSI) 7-layer model.

How Layer 2 switches work.
At Layer 2 (the Data Link layer) the switch decides how to move frames around the network.
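The frame fields listed above, and the double-tagging form of VLAN hopping described in Task 2, as an added worked example in Python (this code is not part of the assignment; the sample frame is constructed inline): it parses a frame into the fields a Layer 2 switch reads, peels 802.1Q/802.1ad tags, verifies the FCS with CRC-32, and lists what an access port should do with the result.

```python
"""Added example (not part of the original assignment): parse an Ethernet II frame,
walk any 802.1Q / 802.1ad VLAN tags and verify the FCS, then apply the checks an
access port should apply before trusting the frame."""
import struct
import zlib

TAG_TPIDS = {0x8100, 0x88A8}   # 802.1Q customer tag, 802.1ad service tag (Q-in-Q)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Split a frame (preamble/SFD already stripped, FCS still attached) into fields.
    Every VLAN tag is recorded, so a double-tagged frame shows two VLAN IDs."""
    if len(frame) < 18:                      # 14-byte header + 4-byte FCS
        raise ValueError("frame too short to contain a header and FCS")
    dst, src = frame[0:6], frame[6:12]
    offset, vlans = 12, []
    (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    while ethertype in TAG_TPIDS:            # peel tags until a real EtherType appears
        if len(frame) < offset + 10:         # TCI + next EtherType + FCS must fit
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        vlans.append(tci & 0x0FFF)           # low 12 bits of the TCI are the VLAN ID
        offset += 4
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    offset += 2
    # IEEE 802.3 FCS: CRC-32 over destination address up to the end of the payload,
    # transmitted least-significant byte first (same polynomial as zlib.crc32).
    expected_fcs = struct.pack("<I", zlib.crc32(frame[:-4]) & 0xFFFFFFFF)
    return {"dst": mac_str(dst), "src": mac_str(src), "vlans": vlans,
            "ethertype": ethertype, "payload": frame[offset:-4],
            "fcs_ok": frame[-4:] == expected_fcs}


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlans=()) -> bytes:
    """Construct a frame with zero or more 802.1Q tags (outer tag first) and a valid FCS.
    Used here only to produce constructed sample input for the parser."""
    body = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vlans:
        body += struct.pack("!HH", 0x8100, vid & 0x0FFF)
    body += struct.pack("!H", ethertype) + payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def access_port_findings(parsed: dict) -> list:
    """Checks a switch applies to a frame arriving on an *access* port.
    A tagged frame on an access port is already out of place; two tags is the
    double-tagging pattern, which is defeated simply by dropping tagged frames here."""
    findings = []
    if not parsed["fcs_ok"]:
        findings.append("bad FCS: frame damaged, discard")
    if len(parsed["vlans"]) >= 2:
        findings.append("double-tagged frame on access port (VLAN hopping attempt), drop")
    elif parsed["vlans"]:
        findings.append("tagged frame on access port, drop")
    return findings


if __name__ == "__main__":
    # Constructed sample: an IPv4 broadcast carrying two tags (native VLAN 1 outside,
    # VLAN 20 inside), as seen by an access port in VLAN 1.
    sample = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0800,
                         b"\x45" + b"\x00" * 45, vlans=(1, 20))
    info = parse_frame(sample)
    print(info["src"], "->", info["dst"], "VLANs", info["vlans"],
          "EtherType 0x%04x" % info["ethertype"], "FCS ok:", info["fcs_ok"])
    for finding in access_port_findings(info):
        print(" -", finding)
```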
It is here that a switch can find the Media Access Control (MAC) address of both the sending and receiving devices. Layer 2 switches learn MAC addresses automatically: the switch saves the information in NVRAM (Non-Volatile Random Access Memory) and builds a table (also known as the CAM table) which can be used to forward packets selectively. For example, if a switch receives packets from MAC address Z on port 1, it then knows that packets destined for MAC address Z can simply be switched out of that port rather than having to try each available port in turn.

How Layer 3 switches work.
A Layer 3 switch keeps the same switching technology as a Layer 2 switch but adds some great advantages, such as:
• Intelligent packet forwarding (basic routing).
• The ability to logically segment a network into two or more Virtual LANs (VLANs).
• Enhanced security controls to prevent unauthorised setup changes.
• Facilities to prioritise different types of traffic are also commonplace, to provide guaranteed Quality of Service (QoS).

How Layer 4 switches work.
A Layer 4 switch keeps the same switching technology as a Layer 3 switch and can also take into account the type of network traffic (e.g. differentiate between HTTP, FTP or VoIP). In addition, it offers extra datagram inspection by reading the port numbers found in the Transport layer header, i.e. the ports used by UDP or TCP, to make forwarding decisions. The biggest benefit of Layer 4 switching is that the network administrator can configure a Layer 4 switch to prioritise data traffic by application, which means a QoS can be defined for each user. Layer 4 information has been used to help make routing decisions for quite a while.

How Multilayer switches work.
Multilayer switching mixes Layer 2, 3 and 4 switching technologies and provides high-speed scalability with low latency by using large filter tables based on the criteria designed by the network administrator.

Benefits of switching: Layer 2 – Layer 3 – Layer 4 – Multilayer.
Table. Benefits of Layer 2, Layer 3, Layer 4 and multilayer switching (columns: Layer 2, Layer 3, Layer 4, Multilayer): Hardware-based bridging (MAC); Hardware-based packet forwarding; Hardware-based packet forwarding; Wire speed; High-performance packet switching; High-performance packet switching; High speed; High-speed scalability; High-speed scalability; Low latency; Low latency; Low latency; Lower per-port cost; Lower per-port cost; Flow accounting; Flow accounting; Quality of service (QoS); QoS can be defined for each user; Routing decision is done by a specialised ASIC with the help of CAM memory; Routing decision is done by a specialised ASIC with the help of CAM memory; MAC source/destination address in a Data Link frame; IP source/destination address in the Network layer header.

3c. Evaluate industrial application of Ethernet Switching.
1. Simple Network Management Protocol (SNMP)
Nowadays, in the industrial environment, Ethernet switching has been really helpful in network management, with protocols such as the Simple Network Management Protocol (SNMP) allowing the network administrator to manage, monitor and configure switches and other devices over the network. SNMP is a network management standard broadly used in TCP/IP networks. SNMP provides a method of managing network devices from a centrally located computer running network management software, improving management by using management systems and agents. Therefore the network administrator can be notified of any network issue in real time, which speeds up troubleshooting.

2. Another application in the industrial network environment is redundancy, which works as a quick-response backup system. The purpose of network redundancy is to mitigate the risk of unexpected outages and ensure continuity of process by instantly responding to and reducing the effects of a point of failure anywhere along the critical data path. Redundancy protocols may be standards-based or proprietary. Generally speaking, standards-based redundancy protocols offer outstanding interoperability but slower recovery times, while proprietary protocols in most cases offer faster recovery and are designed specifically for industrial recovery applications.

3d. Demonstrate Ethernet Switch Network design.
Based on our scenario, the STL organisation has 4 departments: Research,
Administration, Accounting and Finance. We have designed, implemented and configured an Ethernet switch network satisfying the organisation's and the customer's requirements.

Note: the scheme above shows the complete switch network design, but we have implemented and configured only 2 departments (Accounting and Finance) for easier understanding. The same procedure used to configure these 2 departments can be repeated to set up as many departments as required.

Main Switch (0) Configuration.
Switch>en
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#VTP mode server
Device mode already VTP SERVER.
Switch(config)#VTP domain brand
Changing VTP domain name from Pablo to brand
Switch(config)#VTP password pablo
Setting device VLAN database password to pablo
Switch(config)#Vlan 10
Switch(config-vlan)#name Finance
Switch(config-vlan)#exit
Switch(config)#Vlan 20
Switch(config-vlan)#name Accounting
Switch(config-vlan)#exit
Switch(config)#
Switch(config)#int vlan 10
Switch(config-if)#
%LINK-5-CHANGED: Interface Vlan10, changed state to up
ip address 192.168.1.1 255.255.255.0
Switch(config-if)#exit
Switch(config)#int vlan 20
Switch(config-if)#
%LINK-5-CHANGED: Interface Vlan20, changed state to up
ip address 192.168.2.1 255.255.255.0
Switch(config-if)#exit
Switch(config)#
Switch(config)#int f0/1
Switch(config-if)#swi
Switch(config-if)#switchport access vlan 20
Switch(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up
Switch(config-if)#int f0/2
Switch(config-if)#switchport access vlan 10
Switch(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
Switch#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gig0/1, Gig0/2
10   Sales                            active    Fa0/2
20   Marketing                        active    Fa0/1
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

Switch#
Switch#show running-config
Building configuration...
Current configuration : 1211 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
spanning-tree mode pvst
!
interface FastEthernet0/1
 switchport access vlan 20
!
interface FastEthernet0/2
 switchport access vlan 10
!

Switch>en
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int f0/23
Switch(config-if)#sw
Switch(config-if)#switchport mode trunk
Switch(config-if)#exit
Switch(config)#int f0/24
Switch(config-if)#switchport mode trunk
Switch(config-if)#exit
Switch(config)#

Second Switch (1) Configuration.
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#VTP mode client
Setting device to VTP CLIENT mode.
Switch(config)#VTP domain brand
Changing VTP domain name from NULL to brand
Switch(config)#VTP password pablo
Setting device VLAN database password to pablo
Switch(config)#exit
Switch#
%SYS-5-CONFIG_I: Configured from console by console
Switch#sh vlan
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int f0/23
Switch(config-if)#sw
Switch(config-if)#switchport mode trunk
Switch(config-if)#exit
Switch(config)#int f0/24
Switch(config-if)#switchport mode trunk
Switch(config-if)#exit
Switch(config)#

Third Switch (2) Configuration.
Switch>en
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#VTP mode CLIENT
Setting device to VTP CLIENT mode.
Switch(config)#VTP domain brand
Domain name already set to brand.
Switch(config)#VTP password pablo
Setting device VLAN database password to pablo
Switch(config)#exit
Switch#
%SYS-5-CONFIG_I: Configured from console by console
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int g0/1
Switch(config-if)#sw
Switch(config-if)#switchport mode trunk
Switch(config-if)#exit
Switch(config)#int g0/2
Switch(config-if)#sw
Switch(config-if)#switchport mode trunk
Switch(config-if)#exit
Switch(config)#

Task 4: Wireless LAN Switching

4a. Demonstrate how Wireless Switching works.
Brief description of the Wireless LAN (WLAN).
It was not until 1971 that a group of researchers led by Norman Abramson at the University of Hawaii created the first packet switching system over a radio communication network; that network was called ALOHA. This was the first wireless LAN (WLAN): it consisted of 7 computers located on different islands that could communicate with a central computer which was programmed to perform calculations. One of the first problems they had was medium access control (MAC), i.e. the protocol to be followed to prevent the stations from overlapping their messages with one another. At first this was solved by having the central station emit a signal on a different frequency from the other computers while the channel was free, so that when one of the other stations was about to transmit it first "listened", made sure the central station was emitting the signal, and only then sent its message. This is known as CSMA (Carrier Sense Multiple Access).

How a Wireless Network works.
To implement and configure a wireless network at the organisation, we have to take account of two important steps. Suppose that we have to make a wireless connection between the main building and the guard shop, which is very far from the building and is not possible, or a lot of trouble, to connect by wire.
Therefore we must create a wireless bridge. On one side of the network (the server room or the switch located in the main building) all you need to do is install a Wireless Access Router to provide access to this network; this access point transmits the signal towards the guard shop, and at the guard shop you install a wireless access point which receives and sends the signal (back and forth). Once the connection is made, in the Wireless Access Router you must set up the Service Set Identifier (SSID), security, etc.

Note. An SSID is a case-sensitive, 32 alphanumeric character unique identifier attached to the header of packets sent over a wireless local-area network (WLAN) that acts as a password when a mobile device tries to connect to the basic service set (BSS). Source: http://www.webopedia.com/TERM/S/SSID.html

Now, the wireless access point in the guard shop has to be ONLY a wireless access point. The only special thing about setting it up is that when you go into the configuration of any wireless access point it is going to ask you 2 things:
1. Do you want to be part of the bridge network? Click YES; in bridge mode it only talks to one other access point. You DO NOT want it to act as a regular access point, because a broadcasting access point serves multiple computers and receives data for multiple computers.
2. What is the MAC address of the Wireless Access Router that you want to connect to? So you go to that router's configuration screen and get the MAC address. Obviously you have to configure some other features such as SSID and security, but basically that is it.

The IEEE 802.11 standard WLAN environment.
There are four amendments to the IEEE 802.11 standard that define different features for wireless communications.
802.11a – used for wireless LANs that run in the 4 GHz band; uses 52-subcarrier Orthogonal Frequency-Division Multiplexing (OFDM) with a maximum raw data rate of 54 Mbps.
802.11b – runs in the 2.4 GHz band and can cause a lot of snooping.
802.11g – applies to wireless LANs and also delivers up to 54 Mbps while working in the 2.4 GHz band.
802.11n – this is the newest standard for wireless LANs and delivers up to 540 Mbps in the 2.4 or 5 GHz band.

4b. Analyse WLAN Switching Architecture.
WLAN Network Architectures.
While a topology basically defines the physical configuration of a WLAN, or any LAN for that matter, architecture describes a design concept within which a topology can be implemented. Network architecture refers to the logical relationship between network entities, whereas a topology refers to the actual physical connections required to achieve the logical design. WLANs are described by three broad categories of architecture:
• Autonomous.
• Centralized (controller-based).
• Cooperative (controller-less).

Autonomous Architecture.
In an autonomous architecture, access points (APs) are stand-alone (also known as "fat") APs that hold all the necessary features and capabilities to run without relying on any other device. An autonomous AP works on all three network planes: management, control, and data. This architecture allows several APs to connect to the wired infrastructure and offer a portal for their basic service area (BSA). Multiple autonomous APs can be interfaced to the same infrastructure and form an extended service set (ESS).
Fig 9. FAT APs in Autonomous WLAN Network Architecture.

Centralized (controller-based).
This category of architecture relies on a centralised controller to regulate the operation of the WLAN. The controller typically takes the form of a hardware device that is wired to the APs at the network edge, or uses a wireless system to run local connections to clients on one frequency while performing control on another. Controller-based APs are referred to as "lightweight" APs and usually work entirely on the data plane. One disadvantage of controller-based systems is that the controller presents a single point of failure; mitigation needs an additional, redundant controller, preferably in another location.
Fig 10. Centralized (controller-based).

Cooperative (controller-less).
A controller-less architecture is based on the use of virtual management (cloud-based) systems that use a minimum of wired APs and rely on a cooperative communication technique among the APs to manage and control the WLAN. These systems rely on distributed routing and messaging protocols to deliver control of and among full-featured APs.
Fig 11. Controller-less WLAN Architecture.

4c. Evaluate Wireless Traffics.
There are several specifications in the 802.11 family:
"802.11 — applies to wireless LANs and provides 1 or 2 Mbps transmission in the 2.4 GHz band using either frequency hopping spread spectrum (FHSS) or direct sequence spread spectrum (DSSS)."
"802.11a — an extension to 802.11 that applies to wireless LANs and provides up to 54-Mbps in the 5GHz band. 802.11a uses an orthogonal frequency division multiplexing encoding scheme rather than FHSS or DSSS."
"802.11b (also referred to as 802.11 High Rate or Wi-Fi) — an extension to 802.11 that applies to wireless LANs and provides 11 Mbps transmission (with a fall back to 5.5, 2 and 1-Mbps) in the 2.4 GHz band. 802.11b uses only DSSS. 802.11b was a 1999 ratification to the original 802.11 standard, allowing wireless functionality comparable to Ethernet."
"802.11e — a wireless draft standard that defines the Quality of Service (QoS) support for LANs, and is an enhancement to the 802.11a and 802.11b wireless LAN (WLAN) specifications. 802.11e adds QoS features and multimedia support to the existing IEEE 802.11b and IEEE 802.11a wireless standards, while maintaining full backward compatibility with these standards."
"802.11g — applies to wireless LANs and is used for transmission over short distances at up to 54-Mbps in the 2.4 GHz bands."
"802.11ac — 802.11ac builds upon previous 802.11 standards, particularly the 802.11n standard, to deliver data rates of 433Mbps per spatial stream, or 1.3Gbps in a three-antenna (three stream) design. The 802.11ac specification operates only in the 5 GHz frequency range and features support for wider channels (80MHz and 160MHz) and beamforming capabilities by default to help achieve its higher wireless speeds."
Source: http://www.webopedia.com/TERM/8/802_11.html

4d. Evaluate Wireless Management and Monitoring.
Nowadays it is very important for any organisation to exercise specific control over its network infrastructure (hardware and software) to ensure smooth functioning and to guarantee its feasibility, reliability and security, meeting the users' requirements and the business needs while always pursuing growth. To evaluate and analyse network traffic on a LAN or WLAN there are some useful management and monitoring tools, as listed below.

1. Microsoft Network Monitor
A packet analyser that allows you to capture, view and analyse network traffic. This tool is convenient for troubleshooting network issues and applications on the network. Main features include support for over 300 public and Microsoft proprietary protocols, real-time capture sessions, a Wireless Monitor Mode and sniffing of promiscuous-mode traffic, among others.

2. Nagios
A powerful network monitoring tool that helps you ensure that your critical systems, applications and services are constantly up and running. It offers features such as alerting, event handling and reporting.

3. Pandora FMS
A performance monitoring, network monitoring and availability management tool for servers, applications and communications. It has an advanced event correlation system that allows you to create alerts based on events from different sources and notify administrators before an issue escalates.

4. Zenoss Core
Zenoss Core is a powerful open source IT monitoring platform that monitors applications, servers, storage, networking and virtualisation to provide availability and performance statistics.

Conclusion.
As network consultants, we have designed, implemented and configured a VLAN network infrastructure according to the STL organisation's requirements, improving its feasibility, reliability and security. We can conclude that, guided by the basic concepts acquired in this subject, we have learned how to build an Ethernet network infrastructure.
We now know its main components, their advantages and disadvantages, and the great economic benefits for both the organisation and its users, where routers, switches, hubs and hosts share information safely and securely through the network, making this indispensable resource a whole trajectory of technology applied to the benefit and growth of human beings.
