2013
Starters Tutorial on Reliable LAN Switching




CDi Communications, Inc.
Netwind Learning Center, 4327 South Hwy 27, Suite 331 Clermont
(Orlando), FL 34711
Toll Free Tel: 800.617.5586 (407.656.2277)
Toll Free Fax: 877.557.3064
e-mail us at: salesinfo@netwind.com
Copyright © 1996-2013 Netwind Learning Center / CDi Communications, Inc.

1     Table of Contents
1     Table of Contents
2     Reliable and Secure Campus LAN Switching
    2.1       Basic Wireless Router Configurations
    2.2       Configuring Multiple Wifi for seamless roaming and less congestion
    2.3       Configuring Wireless MAC Address Filtering on Linksys WRT 300 N
      2.3.1       What is a MAC Address
      2.3.2       Implementation of Wireless MAC Address Filtering
    2.4       Broadcast & Collision Domains, CSMA/CD, and VLAN
      2.4.1       What is a broadcast domain?
      2.4.2       Collision domains and role of CSMA/CD
      CSMA/CD (Carrier Sense Multiple Access with Collision Detection)
      2.4.3       What is a VLAN?
    2.5       IP Addressing
      2.5.1       What is an IP Address?
      2.5.2       IP Addresses (Binary to Decimal and Decimal to Binary Conversion)
      2.5.3       Public and Private IP Addresses
      2.5.4       Classes of IP Addresses
      2.5.5       Subnetting
    2.6       Configuring VLANs on Cisco Switch
    2.7       Configuring Trunk Ports on Cisco Switches
      2.7.1       Access Port
      2.7.2       Trunk Port
      2.7.3       Trunk Configuration commands on Cisco Switches and Routers
    2.8       Configuring DHCP on Cisco 3560 Switch
      2.8.1       What is Dynamic Host Configuration Protocol (DHCP)?
      2.8.2       What is the DHCP Scope?
      2.8.3       DHCP Configuration commands
    2.9       Configuring InterVLAN Routing on Cisco 3560 Switch
    2.10      Access Control List (ACL)
      2.10.1      What is an ACL?
      2.10.2      Standard access list
      2.10.3      Extended access list
      2.10.4      Named access list
      2.10.5      Access Control List configuration commands on a Cisco 3560 switch



2 Reliable and Secure Campus LAN Switching

Suppose this is your first day in the office as a Cisco Network Engineer and your supervisor hands you a complex
network diagram and tasks you with interconnecting different devices in different departments. Your task is to
achieve the following goals:

    •   Everyone in the branch must have access to the internet and the e-mail server.
    •   The CEO should have access to all servers, printers, and computers.
    •   Only the finance department must have access to the finance server, printer, and computers.
    •   Only the operations department must have access to the operations printer and computers.
    •   Computers in the finance department may communicate with each other but not with computers of another
        department, and the same goes for the operations department.
    •   No employee can access the computers and printers of managers, the CEO or the CFO.
    •   Managers can access the computers of their respective department.

The network diagram that you need to complete is below.




You are expected to finish the project in a short time and have no clue where to start. We are here to help
you out in a step by step fashion. As time progresses we will keep increasing the complexity of the
network by adding more devices and scenarios, interconnected with each other securely.

2.1 Basic Wireless Router Configurations

The first step is to bring the CEO and CFO laptops and printers onto a local area network using a Linksys WRT 300 N
router, so that they can start using the network printer and sharing files with each other. We will also connect
the Linksys WRT 300 N router to the internet so that senior executives have access to the internet. It is assumed
that your DSL modem is already configured for internet access by the service provider. Connect the internet port
of the router to the Ethernet port of the DSL modem.

Open the GUI of the Linksys WRT 300 N and carry out the steps below:




    •   Give the router the IP address 192.168.1.1 with a subnet mask of 255.255.255.0.
    •   Enable the DHCP server with a start IP address of 192.168.1.33 and the maximum number of users as 10.
    •   Now click on Wireless, then Basic Wireless Settings, and set the SSID as NY Branch.
    •   Now click on Wireless Security, set the security mode to “WPA2 Personal”, set encryption to “AES”
        and set your secret passphrase for WiFi connectivity.




Your Linksys WRT 300 N is now configured for internet access and file & printer sharing. You can connect the CFO
and CTO laptops to the wifi network “NY Branch” and connect the printer to a LAN port of the Linksys WRT 300 N
using a straight UTP cable. Assign the IP address 192.168.1.201 to the printer with a subnet mask of 255.255.255.0.
The CTO and CFO can browse the internet, send prints to the network printer and share files with each other.

We will discuss IP addressing and subnetting in detail later, but for the time being the following IP addressing
scheme would be handy to retain:

Servers and Networking Devices                             192.168.1.1 – 192.168.1.30

Laptops, Desktops and Tablets                              192.168.1.33 – 192.168.1.190

Printers                                                   192.168.1.201 – 192.168.1.250

2.2 Configuring Multiple Wifi for seamless roaming and less congestion

Below is what you accomplished on Day-1, i.e. bringing the C level executives onto the local area network (LAN) and
the internet using a Linksys WRT 300 N router.




You need to move on and bring the managers’ laptops and printer onto the network. We are adding another
performance-related restriction here:

    •   The SSID and security key of both Linksys WRT 300 N routers should be the same.

Below are the advantages of keeping the SSID and security key the same on both wireless access points (APs) / routers:

    •   Users are able to roam between the two locations seamlessly without facing any disconnection.
    •   You are able to accommodate double the number of users on the same wireless network.

You will configure the managers’ wireless router (Linksys WRT 300 N) exactly the same way as you configured
the wireless router on Day-1, except for three changes:

    1. In the wireless settings, set the wireless channel to 1 on router-1 and to 6 on router-2. This keeps both
       wireless signals in the non-overlapping range, thus doubling the number of users that can be
       accommodated.
    2. Assign the IP address 192.168.1.2 to the managers’ wireless router.
    3. Enable DHCP on the managers’ router with a start IP address of 192.168.1.43 and the maximum number
       of users as 10.

Assign the IP address 192.168.1.202 to the managers’ printer with a default gateway of 192.168.1.2 and connect it
to a LAN port of the managers’ wireless router (Linksys WRT 300 N).

There must be a communication channel between the two wireless routers so that wireless clients connecting to
the managers’ wifi can have an IP assigned by the DHCP server running on the C level wireless router. Here comes
the role of our access switch, a Cisco 2950: connect a LAN port of each wireless router to a Fast Ethernet port of
the Cisco 2950 switch using a crossover UTP cable.

Now the next step is to connect your DSL modem or internet CPE to an Ethernet port of the Cisco 2950. Now
internet connectivity is operational for managers and C level executives, and they can access each other’s
laptops and printers. Below is how your network looks today.




Below is how your IP addressing scheme looks now:

Servers and Networking Devices                                     192.168.1.1 – 192.168.1.30

C Level Wireless Router                                            192.168.1.1

Managers’ Wireless Router                                          192.168.1.2

Laptops, Desktops and Tablets                                      192.168.1.33 – 192.168.1.190

Available host IPs for dynamic client IPs in the DHCP server       192.168.1.33 – 192.168.1.42
of the C Level router

Available host IPs for dynamic client IPs in the DHCP server       192.168.1.43 – 192.168.1.52
of the Managers’ router

Printers                                                           192.168.1.201 – 192.168.1.250

C Level Printer IP                                                 192.168.1.201

Managers’ Printer IP                                               192.168.1.202

2.3 Configuring Wireless MAC Address Filtering on Linksys WRT 300 N

The problem we inherited from the previous scenario is that wireless clients connect to a random wireless access
point, as the SSID and security key are the same on both. We did this to implement seamless roaming, but we
have a serious information security concern here. The solution is to implement wireless MAC address filtering,
which allows us to specify which wireless clients are allowed to connect to a particular wireless access point.

First we need to understand what wireless MAC address filtering is, and then we will implement it on the Linksys
WRT 300 N.

2.3.1 What is a MAC Address

A Media Access Control address (MAC address) is a unique identifier assigned to network interfaces for
communications on the physical network segment. MAC addresses are most often assigned by the manufacturer
of a network interface card (NIC) and are stored in its hardware, the card's read-only memory.

2.3.2 Implementation of Wireless MAC Address Filtering

Wireless MAC address filtering is a method by which you control access to your network devices from
unauthorized devices by defining a list of authorized MAC addresses that can connect to your network device.
You can obtain the MAC address of the wireless NIC of the CEO laptop by going to the command prompt and typing
ipconfig /all.

Below is the output of the command; the MAC address is the value on the Physical Address line:
Physical Address................: 0090.2B41.3871
IP Address......................: 192.168.1.36
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.1.1
DNS Servers.....................: 0.0.0.0

Now you will add this MAC address to the allowed wireless client list in your C level router and deny access to all
other devices.
   • Open the GUI of the C level wireless router
   • Click on Wireless, then Wireless MAC Filter
   • Check “Enable”
   • Check “Permit PCs listed below to access wireless network”

You can add up to 50 wireless clients to the list.




Repeat the same process for the CFO laptop.
Add the wireless MAC addresses of the operations manager and finance manager laptops to the allowed client list
on the managers’ router.
Here you go: only C level executives will be able to connect to the C level router and only managers will be able
to connect to the managers’ router. You have also added a layer of security by only authorizing trusted wireless
clients. If someone gets to know the SSID and security key of your wifi, he/she still cannot access your wifi
network.

Your task is not finished yet; the following is a serious information security issue in the above network:
C level wireless clients and printers are in the same broadcast domain as the managers’ devices, and managers can
access C level executives’ devices. In the next topics we will learn what broadcast domains, collision domains and
IP addressing are, and how we can use VLANs to create multiple broadcast domains and segregate traffic between
different networks.
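The allow-list logic of the two routers above, as an added Python example that is not part of the original tutorial: it pulls the Physical Address out of the ipconfig /all output quoted earlier, normalizes the dotted, dashed and colon MAC spellings to one form, and enforces the 50-entry limit of the WRT 300 N list. All MAC addresses other than the CEO's one from the tutorial are constructed placeholders.

```python
import re

# Maximum entries the Linksys WRT 300 N wireless MAC filter list accepts (from the tutorial text).
MAX_FILTER_ENTRIES = 50

# Constructed sample: the "ipconfig /all" output quoted in the tutorial for the CEO laptop
# (the MAC is shown there in dotted 0090.2B41.3871 form).
SAMPLE_IPCONFIG = """\
Physical Address................: 0090.2B41.3871
IP Address......................: 192.168.1.36
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.1.1
DNS Servers.....................: 0.0.0.0
"""


def normalize_mac(mac):
    """Accept 0090.2B41.3871, 00-90-2B-41-38-71 or 00:90:2b:41:38:71 and return
    the colon-separated upper-case form (12 hex digits) used for comparison."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_from_ipconfig(text):
    """Pull the Physical Address line out of ipconfig /all output and normalize it."""
    m = re.search(r"Physical Address[ .]*:\s*(\S+)", text)
    if not m:
        raise ValueError("no Physical Address line found")
    return normalize_mac(m.group(1))


class WirelessMacFilter:
    """Model of the 'Permit PCs listed below' allow-list on one access point.

    The list is keyed on a value every client announces in clear on the air and
    can set itself, so treat it as an inventory control that keeps laptops on the
    intended AP, and rely on WPA2 and VLAN separation for actual isolation."""

    def __init__(self, ap_name, max_entries=MAX_FILTER_ENTRIES):
        self.ap_name = ap_name
        self.max_entries = max_entries
        self.permitted = set()

    def permit(self, mac):
        """Add one client; refuse once the router's list is full."""
        mac = normalize_mac(mac)
        if mac not in self.permitted and len(self.permitted) >= self.max_entries:
            raise OverflowError("%s: filter list full (%d entries)" % (self.ap_name, self.max_entries))
        self.permitted.add(mac)
        return mac

    def allows(self, mac):
        return normalize_mac(mac) in self.permitted


def build_branch_filters():
    """Reproduce the tutorial's split: C-level laptops on router-1, managers on router-2.
    All MACs other than the CEO's are constructed placeholders."""
    c_level = WirelessMacFilter("C level router")
    managers = WirelessMacFilter("Managers' router")
    c_level.permit(mac_from_ipconfig(SAMPLE_IPCONFIG))   # CEO laptop, from ipconfig /all
    c_level.permit("00-90-2B-41-38-72")                   # CFO laptop (constructed)
    managers.permit("00:90:2b:41:38:73")                  # operations manager (constructed)
    managers.permit("0090.2B41.3874")                     # finance manager (constructed)
    return c_level, managers
```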

2.4 Broadcast & Collision Domains, CSMA/CD, and VLAN

We carried the following problem over from our last network diagram:

All wireless clients are in the same broadcast domain and are able to communicate with each other.

The solution is to create multiple broadcast domains on a single switch using VLANs. First we have to understand
what a broadcast domain is, what a collision domain is, and what the role of CSMA/CD is. We will also learn IP
addressing before jumping into VLAN configuration.

2.4.1 What is a broadcast domain?

In an Ethernet LAN, the set of terminals that receive a broadcast transmitted by any one of the terminals in the
same network is known as a broadcast domain. On switches that have no support for virtual LANs (VLANs), the
switch simply sends all broadcasts out of all interfaces, except the interface on which it received the frame.
Consequently, all the interfaces on an individual switch are in a single broadcast domain. Also, if the switch
attaches to other switches and hubs, the interfaces on those switches and hubs are also in the same broadcast
domain.

2.4.2 Collision domains and role of CSMA/CD

Just imagine yourself in the old world of hubs and repeaters. As you know, repeaters were used in the network to
regenerate the signal so that it could be transmitted over longer distances. Consider the simple network topology
given below:




In the above network, all the hosts are connected to a hub. If PC1 sends some packets to PC0, the packets will
be broadcast to all the hosts on the hub; that’s why a hub is a single broadcast domain. In such scenarios it is
quite possible that while PC1 is sending some packets, PC2 is also sending packets at the same instant, as the
medium is shared, so the chances of a packet collision are high. From this we can conclude that a hub is a single
broadcast domain and a single collision domain:

The major drawback of such a network is that if we increase the number of hosts in the above network, there
will be unnecessary broadcasts and collisions, which will ultimately affect network performance and cause
unbearable latency and congestion in the network:




So to avoid such a case we use a switch. A switch is a data link layer device. The switch learns the MAC addresses
of all the hosts connected to its interfaces using ARP (Address Resolution Protocol). Once the MAC addresses are
learned by a switch and maintained in its CAM table, the switch will not send unnecessary broadcasts. A switch
only broadcasts when it doesn’t know about a host; once it knows about that host, it never broadcasts again to
trace it. A thumb rule to remember is that each switch port is a collision domain and each switch is a single
broadcast domain. It’s illustrated in the diagram below:




A few more things to remember: each switch has a single broadcast domain by default; more broadcast domains can
be created by configuring VLANs on the switch. For example, 2 VLANs will create two broadcast domains on a switch.
One more point: each interface of a router is a single broadcast domain and a single collision domain.

CSMA/CD (Carrier Sense Multiple Access with Collision Detection) is a media access mechanism used on shared
Ethernet to avoid collisions between different packets. Suppose we have two stations, A and B, on our shared
Ethernet medium. In the language of CSMA, station A first scans the shared Ethernet medium, i.e. listens for any
ongoing packet transmission on the medium. If it senses some packets, it refrains from transmitting; if it senses
that the link is free, it transmits its packets.

If at the same instant station B is also transmitting, station A will sense the collision and will back off for a
certain amount of time (mostly in milliseconds); this is how it avoids collisions of packets in the network. In
reality the collision is detected by voltage changes. Everyone on the network is notified about the collision via
a jam signal and hosts stop sending data. After a random timer the hosts will again start scanning or listening to
the network, and if it is free they will start sending packets.

CSMA/CD is now obsolete in modern networks; switches and full duplex connections don’t use CSMA/CD any more.
But it was one of the best protocols of the good old days!

2.4.3 What is a VLAN?

A VLAN is a group of ports which acts as an independent switch inside a switch. By default, ports in different
VLANs cannot communicate with each other; however, communication between different VLANs can be made possible
using inter-VLAN routing. An access switch port can be part of one VLAN only, while a trunk port may carry traffic
of multiple VLANs. Configuring VLANs in a network of Cisco switches is done by defining the VLAN number and
associating the switch ports with the VLAN.

2.5 IP Addressing

It's time to learn IP addressing before jumping into VLAN configuration. In real life, we as human beings locate
each other via different sorts of addresses and location services. The same pattern was applied when computer
networks were designed, in the form of IP addressing. An IP address is just like the home address of a computer
node! As is the rule in real life, when we want to send some mail, we write a destination address on it and it is
delivered by the postal service to the concerned person. The same is the case in computer networks: when one
computer wants to send some data to another computer, it writes the destination address on the data (a packet, in
computer networks) and the packet is sent via the postal service (our network services) of the computer system.

2.5.1 What is an IP Address?

In simple words, an IP address is a decimal representation of the address of a network node, which enables nodes
to exchange data packets with each other and hence run many network applications. So what is IP an abbreviation
of? Internet Protocol, so simple!

The IP address evolution began in 1969. The original IP address was only 5 bits! Which means, according to binary
calculations, it was able to cover a network of only 32 nodes (2 to the power of 5 = 32), which was enough for the
experimental requirements of that time, mostly the interconnection of different research organizations. Gradually
it was increased to 32 bits, the currently used size in IPv4, which is enough for only around 4 billion network
nodes! (Only? Yes, because it has become short for the ever expanding human world; that’s why the techno geeks
have moved toward IPv6). Especially the advent of smart phones and smart sensor devices, which are able to connect
to the internet through easily available wifi spots and 3G cellular connections, will make it possible in the near
future that a tech savvy person will be carrying around 4-10 devices with him/her, each with a public IP address.

In technical terms, an IPv4 address is represented by 4 blocks, each separated by a dot (.) and each block composed
of 8 bits, represented as follows:

00000000.00000000.00000000.00000000
10000000.00000000.00000000.00000000
11000000.00000000.00000000.00000000

Don’t give up if you are learning this for the first time: IP addresses are not normally written in binary, as not
everyone would be able to remember the binary digits; for ease they are written as the decimal representation of
the binary form.

So the IP address 192.168.100.2 and 11000000.10101000.01100100.00000010 are the same.

In simple words, each block can be written as:

11000000 = 192
10101000 = 168
01100100 = 100
00000010 = 2

Now that we have discussed IP addressing and its representation/bit requirements, we will have a little discussion
on how to convert from binary to decimal and decimal to binary.

2.5.2 IP Addresses (Binary to Decimal and Decimal to Binary Conversion)

Now we will discuss how to convert the binary representation of an IP address into a decimal one and vice versa.
We will take the following sample IP address:

11000000.10101000.01100100.00000010

Each block is composed of 0s and 1s; 0/1 in binary represent the Off/On states respectively. We will use the chart
below to convert the above binary into decimal, or base 10. To convert the first octet (an octet is composed of 8
bits) into decimal:

11000000 = 1*128 + 1*64 + 0*32 + 0*16 + 0*8 + 0*4 + 0*2 + 0*1 = 128 + 64 + 0 + 0 + 0 + 0 + 0 + 0 = 192

10101000 = 1*128 + 0*64 + 1*32 + 0*16 + 1*8 + 0*4 + 0*2 + 0*1 = 128 + 0 + 32 + 0 + 8 + 0 + 0 + 0 = 168

And so on.

In the above conversion process each bit in (11000000) is multiplied by its corresponding bit position value in
decimal, starting from the least significant bit to the most significant bit. Please remember the chart below for
efficient conversion of binary into decimal:

The 8th bit position is multiplied by 128, the 7th bit position by 64 and so on!

Conversion from decimal to binary is a little tricky. Suppose we want to convert 15 from decimal into binary.
Consider the chart below: which combination of bit values added together can give a sum of 15? After a little
brainstorming on the chart we conclude that 8+4+2+1 sums up to 15, so we turn these bits ON (1) and turn OFF (0)
all the remaining bits:

128            64              32             16            8              4              2            1

128          64            32            16            8             4             2             1

0            0             0             0             1             1             1             1

So the resulting value of 15 in an 8 bit binary representation is 00001111! Another example to solidify the
concepts:

Conversion of 130 into binary:

130 can be made by summing 128 and 2, so we turn these bits ON and turn OFF the remaining bits:

128          64            32           16            8              4           2            1

1            0             0            0             0              0           1            0

So 130 = 10000010 in binary. I hope now you can easily convert between binary and decimal. The interesting thing
about the above chart is that it can be used for binary to decimal conversion as well. Suppose we want to convert
11100100 into decimal: simply put these bits under their bit positions and then add up the corresponding decimal
values to get the value.

128          64            32           16            8              4           2            1

1            1             1            0             0              1           0            0

= 128 + 64 + 32 + 4 = 228

Please do the following examples yourself to clarify the concepts:

Convert 192.168.140.20 into binary.

Convert 11110011 into decimal.

After learning conversion between decimal and binary notation, we will turn our focus to private and public IP
addresses and the classes of IP addresses.
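The weight chart method of this section in working form, as an added Python example that is not part of the original tutorial: binary to decimal multiplies each bit by its position weight, and decimal to binary walks the chart from 128 down, turning a bit ON whenever that weight still fits in what is left of the value (the "which weights sum to 15?" step). It also rejects octets that are not 8 bits or not in 0..255, which the chart silently cannot represent.

```python
# Bit-position weights of one octet, most significant first: the chart the tutorial asks you to memorise.
WEIGHTS = (128, 64, 32, 16, 8, 4, 2, 1)


def binary_octet_to_decimal(bits):
    """'11000000' -> 192: each bit times its position weight, summed."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError("an octet is exactly 8 binary digits: %r" % bits)
    return sum(int(b) * w for b, w in zip(bits, WEIGHTS))


def decimal_to_binary_octet(value):
    """15 -> '00001111': walk the chart from 128 down; a weight that still fits in the
    remaining value turns its bit ON and is subtracted, otherwise the bit stays OFF."""
    if not 0 <= value <= 255:
        raise ValueError("an octet holds 0..255, got %r" % value)
    bits = []
    remaining = value
    for w in WEIGHTS:
        if remaining >= w:
            bits.append("1")
            remaining -= w
        else:
            bits.append("0")
    return "".join(bits)


def dotted_to_binary(ip):
    """'192.168.100.2' -> '11000000.10101000.01100100.00000010'."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("an IPv4 address has 4 octets: %r" % ip)
    return ".".join(decimal_to_binary_octet(int(o)) for o in octets)


def binary_to_dotted(bits):
    """'11000000.10101000.01100100.00000010' -> '192.168.100.2'."""
    octets = bits.split(".")
    if len(octets) != 4:
        raise ValueError("expected 4 dotted binary octets: %r" % bits)
    return ".".join(str(binary_octet_to_decimal(o)) for o in octets)


def conversion_table(value):
    """Render the tutorial's two-row chart for one decimal value, e.g. for 130:
    weights on the first line, the ON/OFF bits underneath."""
    bits = decimal_to_binary_octet(value)
    header = " ".join("%3d" % w for w in WEIGHTS)
    row = " ".join("%3s" % b for b in bits)
    return header + "\n" + row
```

conversion_table(130) prints the same two rows the tutorial draws for 130; the two exercises at the end of the section can be checked with dotted_to_binary("192.168.140.20") and binary_octet_to_decimal("11110011").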

2.5.3 Public and Private IP Addresses

Continuing our IP addressing discussion: IP addresses can be further divided into private IP addresses and public
IP addresses. To preserve IP address space, private IP addresses were introduced. Private IP addresses are used
on the internal network and are never advertised to the public network. Private IP addresses are defined in the
ranges below:

10.0.0.0 - 10.255.255.255
Addresses: 16,777,216

172.16.0.0 - 172.31.255.255
Addresses: 1,048,576

192.168.0.0 - 192.168.255.255
Addresses: 65,536

Private IP addresses go through a process of NATing if they want to communicate with the public internet.

Public addresses are those addresses which are advertised on the public network, inter-networks etc.

2.5.4 Classes of IP Addresses

Several classes of IP addresses have been defined for network identification and network address assignment
according to design requirements. For these classes numeric ranges were defined; each range can be used for a
specific number of hosts and network addresses. The IP address classes are A, B, C, D and E. Each class has its own
host and network ranges. The IP address classes were developed with one thing in mind: to accommodate large
companies with a lot of host requirements and small companies with minimal host requirements!

The ranges normally used in the public network are Classes A, B and C. Class D and Class E are used for special
purposes.

    •   Class D: this range of IP addresses is used for multicast addressing requirements.
    •   Class E: this range is reserved for research and scientific purposes.

Before moving forward into the class discussion, let us discuss one more important aspect of IP addressing. IP
addressing is a hierarchical design. The telephone number system is the best example of a hierarchical design
model. A telephone number is composed of a country code, an area code, and a local exchange code. The same is
true for an IP address. An IP address is made of two parts: one part is called the network portion and the second
part is called the host portion. The network portion of the IP address is used to keep track of the domain to
which a specific host belongs, and the host portion of the IP address is used to trace the machine or computer
node.

Below we will discuss Classes A, B and C in more detail.

2.5.4.1   Class A IP Addresses:

The first octet of a Class A address is the network portion and its most significant bit is always off. All other
three octets denote the host portion. Simply we can say:

N.H.H.H
0xxxxxxx.H.H.H

If we want to calculate the range of Class A IP addresses, we can proceed as follows:

00000000.H.H.H (0.H.H.H)
01111111.H.H.H (127.H.H.H)

If the first octet of an IP address is in the range 0-127, then that IP address belongs to Class A! But as you
know, the 127.H.H.H range (e.g. 127.0.0.1) is reserved for the loopback interface and we can’t use it for Class A,
and we also cannot use an IP address starting with 0, so the revised range is 1-126! A few examples of Class A IP
addresses are:

10.0.0.1
100.2.3.1
110.130.13.4
123.4.1.110


2.5.4.2   Class B IP Addresses:

The first two octets of a Class B IP address are the network portion, and the other two octets are the host
portion; in dotted representation it can be given as:

N.N.H.H

The most significant two bits in the first octet are kept 10:

10xxxxxx.xxxxxxxx.H.H

So the range of the Class B IP address space can be calculated from its first octet as follows:

10000000 to 10111111 (128 – 191)

Some examples of Class B IP addresses are:

130.50.3.3
170.16.3.1
172.31.3.3

2.5.4.3   Class C IP Addresses:

The first three 8 bit portions of a Class C IP address are the network portion, and the last one denotes the host
portion. It can be simplified as:

N.N.N.H

The three most significant bits are kept 110 whatever the other bit positions are. So the range of the Class C IP
address space can be calculated as:

110xxxxx.xxxxxxxx.xxxxxxxx.H

11000000 - 11011111

192 – 223

Some examples of Class C IP addresses are:

192.168.100.3
220.221.120.135
210.49.66.110

All of the above discussion regarding IP address classes can be summed up in the table below:

IP Address Class                       1st Octet Range                   Usable Network and Host IDs
Class A (N.H.H.H)                      1-126                             Networks: 2^8-2 and Hosts: 2^24-2
Class B (N.N.H.H)                      128-191                           Networks: 2^16-2 and Hosts: 2^16-2
Class C (N.N.N.H)                      192-223                           Networks: 2^24-2 and Hosts: 2^8-2

Two more ranges for your technical mind:

D: Multicast range: 224 – 239 (Example: 224.0.0.9)
E: IP address range for R&D: 240 – 255 (Example: 241.0.0.9)

2.5.5 Subnetting

One of the most important topics in computer networks and the Cisco realm is subnetting. The main motivation
behind subnetting was the best utilization of the scarce resource of available IP addresses. In simple words,
subnetting is the process of taking a single network address and creating further, smaller network IDs from it,
called subnets (sub networks). In the process of subnetting, bits are borrowed from the host portion of an IP
address, and the borrowed bits are added to the subnet mask of that IP address. We will further clarify the
subnetting process via different examples. The main goal behind subnetting a given network address is to create
our required number of smaller network IDs and to achieve our desired number of hosts per subnet ID.

2.5.5.1   What is a Subnet Mask?

Let us first discuss the subnet mask. A subnet mask is used by routers and end machines to check which network a
host belongs to. The network ID of an IP address is calculated by a logical AND of the subnet mask with the IP
address. Each class has its own default subnet mask:

Class A Subnet Mask is: 255.0.0.0 and is also denoted by /8
  In binary: 11111111.00000000.00000000.00000000

Class B Subnet Mask is: 255.255.0.0 and is also denoted by /16
  In binary: 11111111.11111111.00000000.00000000

Class C Subnet Mask is: 255.255.255.0 and is also denoted by /24
  In binary: 11111111.11111111.11111111.00000000

2.5.5.2 Sub Netting a Class C IP Address
We learned what a subnet mask is and what subnetting is. Now we will learn how to subnet. The basic subnetting process starts from the questions below:

    •   How many subnets are required?
    •   How many hosts per subnet are required?
    •   What are the resulting subnets (network IDs)?
    •   What are the valid host IP addresses (and the broadcast address) in each subnet?

To keep the subnetting process simple we will stick to these questions for the time being and add more as needed.

The anatomy of a typical Class C address is:

N.N.N.H with subnet mask 255.255.255.0 or /24

Suppose we have the network 192.168.10.0 /24 and our design requires 8 subnets.
For 8 subnets, how many bits do we need to borrow from the host portion (the last octet)? Use this formula:

2^y >= number of subnets required. Two to the power of which value gives us 8?
2^3 = 8, so 3 bits are borrowed from the host portion of 192.168.10.0 and added to the network portion, which extends the given subnet mask by 3 bits:

11111111.11111111.11111111.11100000
                           ^^^ 3 borrowed bits

The new subnet mask is 255.255.255.224, or /27 in CIDR notation.

Now the hosts per subnet. We borrowed three bits from the last octet, so how many host bits remain? 5. So the number of usable hosts per subnet is:

2^5-2 = 32 – 2 = 30

(The -2 removes the all-zeros host address, which is the subnet's network ID, and the all-ones host address, which is its broadcast address.)

From the two steps above we have achieved two tasks:

We will have 8 subnets and there will be 30 usable host addresses per subnet!

Okay, now the tricky part: where does each subnet start? Keep this formula in mind:

Subnet block size = 256 – value of the modified octet of the subnet mask

Our new subnet mask is 255.255.255.224, so the modified octet is the last one (224), and

Subnet block size = 256 – 224 = 32

So the subnets start at 0, 32, 64 and continue in increments of 32 until the octet is exhausted. Our 8 new subnets are:

192.168.10.0
192.168.10.32
192.168.10.64
192.168.10.96
192.168.10.128
192.168.10.160
192.168.10.192
192.168.10.224

The network address, valid host range and broadcast address of each subnet are summarized in the table below (the broadcast address is always one less than the next subnet's network address, and the last host is one less than the broadcast):

IP Address           Network Address       1st Host Address      Last Host Address    Broadcast Address
192.168.10.0         192.168.10.0          192.168.10.1          192.168.10.30        192.168.10.31
192.168.10.32        192.168.10.32         192.168.10.33         192.168.10.62        192.168.10.63
192.168.10.64        192.168.10.64         192.168.10.65         192.168.10.94        192.168.10.95
192.168.10.96        192.168.10.96         192.168.10.97         192.168.10.126       192.168.10.127
192.168.10.128       192.168.10.128        192.168.10.129        192.168.10.158       192.168.10.159
192.168.10.160       192.168.10.160        192.168.10.161        192.168.10.190       192.168.10.191
192.168.10.192       192.168.10.192        192.168.10.193        192.168.10.222       192.168.10.223
192.168.10.224       192.168.10.224        192.168.10.225        192.168.10.254       192.168.10.255

The 1st and last host addresses bound the usable host range of each subnet. And we are done with subnetting a Class C network! Was it simple? No, you will need some practice to get full command of it. Now we can use the above IP plan in our network design: a single /24 network has been converted into 8 usable subnetworks, each with a capacity of 30 hosts.

2.5.5.3   Sub netting a Class B Address:

We will use the method explained previously to subnet a Class B address and a Class A address. The network design requirement is the same as above (i.e. 8 subnetworks required):

Given Class B address: 172.16.0.0
Default Class B mask: 255.255.0.0

How many bits do we need to borrow? 3 (2^3 = 8). Now we add these 3 bits to the Class B mask:

11111111.11111111.00000000.00000000   (default /16)
11111111.11111111.11100000.00000000   (3 bits borrowed)

The modified subnet mask is 255.255.224.0, or /19.

So what's next? Yes, you got it:
Subnet block size = 256 – value of the modified octet
Subnet block size = 256 – 224 = 32

As we have borrowed bits from the 3rd octet, the increment of 32 applies to the 3rd octet, and our new subnets are:

172.16.0.0 – 172.16.32.0 – 172.16.64.0 – 172.16.96.0 – 172.16.128.0 – 172.16.160.0 – 172.16.192.0 – 172.16.224.0

IP Address           Network Address       1st Host Address     Last Host Address     Broadcast Address
172.16.0.0           172.16.0.0            172.16.0.1           172.16.31.254         172.16.31.255
172.16.32.0          172.16.32.0           172.16.32.1          172.16.63.254         172.16.63.255
172.16.64.0          172.16.64.0           172.16.64.1          172.16.95.254         172.16.95.255
172.16.96.0          172.16.96.0           172.16.96.1          172.16.127.254        172.16.127.255
172.16.128.0         172.16.128.0          172.16.128.1         172.16.159.254        172.16.159.255
172.16.160.0         172.16.160.0          172.16.160.1         172.16.191.254        172.16.191.255
172.16.192.0         172.16.192.0          172.16.192.1         172.16.223.254        172.16.223.255
172.16.224.0         172.16.224.0          172.16.224.1         172.16.255.254        172.16.255.255

Only 3 bits were borrowed, so 13 host bits remain (5 in the 3rd octet plus all 8 of the 4th), and the number of usable hosts per subnet is:

Usable hosts per subnet = 2^13-2 = 8190 (8190 hosts/subnet)


2.5.5.4   Sub netting Class A Address:

If you have mastered Class B and Class C subnetting then Class A is not that hard! The network design requirement is the same as above (i.e. 8 subnetworks required) and we have the Class A network 10.0.0.0:
Given Class A address: 10.0.0.0
Default Class A mask: 255.0.0.0

How many bits do we need to borrow? 3. Now we add these 3 bits to the Class A mask:

11111111.00000000.00000000.00000000   (default /8)
11111111.11100000.00000000.00000000   (3 bits borrowed)

The modified Class A mask is 255.224.0.0, or /11. Pretty easy!

As we have modified the second octet of the subnet mask, the block size is again 256 – 224 = 32 and it applies to the second octet:
Subnet block size = 256 – subnet mask modified octet
Subnet block size = 256 – 224 = 32
So our new subnets are:
10.0.0.0 - 10.32.0.0 - 10.64.0.0 – and so on, up to 10.224.0.0

The 8 subnets are best seen in tabular form:

IP Address            Network Address       1st Host Address      Last Host Address   Broadcast Address
10.0.0.0              10.0.0.0              10.0.0.1              10.31.255.254       10.31.255.255
10.32.0.0             10.32.0.0             10.32.0.1             10.63.255.254       10.63.255.255
10.64.0.0             10.64.0.0             10.64.0.1             10.95.255.254       10.95.255.255
10.96.0.0             10.96.0.0             10.96.0.1             10.127.255.254      10.127.255.255
10.128.0.0            10.128.0.0            10.128.0.1            10.159.255.254      10.159.255.255
10.160.0.0            10.160.0.0            10.160.0.1            10.191.255.254      10.191.255.255
10.192.0.0            10.192.0.0            10.192.0.1            10.223.255.254      10.223.255.255
10.224.0.0            10.224.0.0            10.224.0.1            10.255.255.254      10.255.255.255

21 host bits remain (5 in the 2nd octet plus the whole 3rd and 4th octets), so each subnet has 2^21-2 = 2,097,150 usable host addresses.


Believe me, just by looking at the examples above you may be frightened by subnetting, but once you actually begin practicing you will realize how easy it is. So don't give up: reread the examples above, and you will find plenty of subnetting problems online. Remember, only practice and more practice is the key to success in subnetting.

One very useful tool while practicing subnetting is the SolarWinds Advanced Subnet Calculator. You can download it and verify your subnetting with it: enter the network and the required number of subnets (for example the Class A exercise above) and compare the calculator's subnet table with the one you worked out by hand.
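The following Python program is an added example, not part of the original tutorial, that automates the borrow-bits method of this section: it reproduces the three tables above (Class C, B and A, 8 subnets each) and works for any starting prefix and any required subnet count, not only the classful /8, /16 and /24 cases worked by hand. It also applies the AND rule of 2.5.5.1 to find the network ID of a host address. Only the Python standard library is used.

```python
"""Subnet planner that follows the borrow-bits method of this tutorial.

Added example, not part of the original tutorial. Works for any IPv4 prefix,
not only the classful /8, /16 and /24 starting points used above.
"""
import ipaddress
import math


def subnet_bits_needed(required_subnets: int) -> int:
    """Smallest y with 2**y >= required_subnets (the '2^3 = 8, borrow 3 bits' step)."""
    if required_subnets < 1:
        raise ValueError("at least one subnet is required")
    return math.ceil(math.log2(required_subnets))


def block_size(prefix: int) -> int:
    """Increment in the 'modified' octet: 256 minus that octet of the mask.

    For /27 the modified octet is 224 and the block size is 32; for /28 it is
    240 and 16; for /19 and /11 it is again 224 (third and second octet).
    """
    if not 1 <= prefix <= 32:
        raise ValueError("prefix must be between 1 and 32")
    bits_in_octet = prefix - 8 * ((prefix - 1) // 8)   # 1..8 network bits in the modified octet
    mask_octet = (0xFF << (8 - bits_in_octet)) & 0xFF
    return 256 - mask_octet


def network_id(ip: str, mask: str) -> str:
    """Network ID = IP address AND subnet mask (what a host or router computes)."""
    ip_int = int(ipaddress.IPv4Address(ip))
    mask_int = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(ip_int & mask_int))


def plan_subnets(network: str, required_subnets: int) -> dict:
    """Split `network` (e.g. '192.168.10.0/24') into at least `required_subnets` equal subnets.

    Returns the new mask, block size, usable hosts per subnet and, for every
    subnet, its network, first host, last host and broadcast address.
    """
    base = ipaddress.ip_network(network, strict=True)
    borrowed = subnet_bits_needed(required_subnets)
    new_prefix = base.prefixlen + borrowed
    if new_prefix > 30:                         # /31 and /32 leave no usable host range
        raise ValueError(f"{network} cannot be split into {required_subnets} usable subnets")
    host_bits = 32 - new_prefix
    subnets = [
        {
            "network": str(net.network_address),
            "first_host": str(net.network_address + 1),   # all-zeros host part is the network ID
            "last_host": str(net.broadcast_address - 1),  # all-ones host part is the broadcast
            "broadcast": str(net.broadcast_address),
        }
        for net in base.subnets(prefixlen_diff=borrowed)
    ]
    return {
        "prefix": new_prefix,
        "mask": str(ipaddress.ip_network(f"0.0.0.0/{new_prefix}").netmask),
        "borrowed_bits": borrowed,
        "block_size": block_size(new_prefix),
        "hosts_per_subnet": 2 ** host_bits - 2,
        "subnets": subnets,
    }


def print_plan(network: str, required_subnets: int) -> None:
    """Print a table in the same layout as the tutorial's tables."""
    plan = plan_subnets(network, required_subnets)
    print(f"{network} -> {len(plan['subnets'])} subnets, mask {plan['mask']} (/{plan['prefix']}), "
          f"block size {plan['block_size']}, {plan['hosts_per_subnet']} usable hosts each")
    for s in plan["subnets"]:
        print(f"  {s['network']:<16} {s['first_host']:<16} {s['last_host']:<16} {s['broadcast']}")


if __name__ == "__main__":
    # The three exercises of section 2.5.5, plus a host lookup with the AND rule of 2.5.5.1.
    for net in ("192.168.10.0/24", "172.16.0.0/16", "10.0.0.0/8"):
        print_plan(net, 8)
    print("192.168.1.82 with mask 255.255.255.240 is in", network_id("192.168.1.82", "255.255.255.240"))
```

Run it without arguments to print the three tables; change the network or the subnet count in the `__main__` block to check any other exercise. The only difference from the hand method is that `ipaddress` does the increment for you, so the block size is reported for comparison rather than used to step through the octet.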

2.6 Configuring VLANS on Cisco Switch

We carried the following problem over from our last network diagram:

All wireless clients are in the same broadcast domain and are able to communicate with each other.

The solution is to create multiple broadcast domains on a single switch using VLANs.

Below is the procedure to configure VLANs on a Cisco switch. Create the VLAN first, then assign the port to it as a static access port:

Switch#configure terminal                         (takes you into global configuration mode)
Switch(config)#vlan 2                             (creates VLAN 2 and enters its configuration)
Switch(config-vlan)#name c-level-ap               (assigns a name to the VLAN)
Switch(config-vlan)#exit                          (back to global configuration mode)
Switch(config)#interface fastEthernet0/1          (enters configuration of interface Fa0/1)
Switch(config-if)#switchport mode access          (makes Fa0/1 a static access port, so it never negotiates a trunk)
Switch(config-if)#switchport access vlan 2        (makes Fa0/1 part of VLAN 2)
Switch(config-if)#end                             (back to privileged mode)
Switch#show vlan brief                            (verify that Fa0/1 is listed under VLAN 2)

Repeat the same process to create VLAN 3 with the name Managers-AP and put interface FastEthernet 0/2 in it. FastEthernet 0/1 is the interface to which the C-level wireless router is connected and FastEthernet 0/2 is the interface to which the managers' wireless router is connected.

Now traffic from the C-level router and the managers' router is segregated at the switch level: the two are in different broadcast domains and cannot reach each other's devices through this switch.

Our next task is to subnet our network into smaller portions, each subnet accommodating at least 14 hosts, so that we can assign one subnet to each VLAN. Subnetting lets you create numerous logical networks within a single Class A, B or C network. Without subnetting you could use only one network from your Class A, B or C block, which is not realistic. To subnet a network, extend the original mask with some of the bits from the host ID portion of the address to build a subnetwork ID. To illustrate, given the Class C network 192.168.1.0 with the original mask 255.255.255.0, you can create subnets in this manner:


IP Address       192.168.1.0             11000000        10101000         00000001        00000000
Subnet Mask      255.255.255.240         11111111        11111111         11111111        11110000

By borrowing 4 bits from the host portion in the last octet you create 16 subnets (2^4) of 14 usable hosts each (2^4 - 2), with a block size of 256 - 240 = 16.
Below is a useful link to calculate variable length subnet masks for a variety of network scenarios:
http://www.vlsm-calc.net/
The following table lists the subnet of each VLAN in our scenario (the broadcast address is the last address of each block of 16, and the usable hosts lie between the network and broadcast addresses):

VLAN       Network ID / Subnet Mask           Broadcast IP Address     Available Host IP Address Range
VLAN2      192.168.1.32/255.255.255.240       192.168.1.47             192.168.1.33 - 192.168.1.46
VLAN3      192.168.1.48/255.255.255.240       192.168.1.63             192.168.1.49 - 192.168.1.62
VLAN4      192.168.1.64/255.255.255.240       192.168.1.79             192.168.1.65 - 192.168.1.78
VLAN5      192.168.1.80/255.255.255.240       192.168.1.95             192.168.1.81 - 192.168.1.94

Now it is time to configure a subnet for each VLAN on the Cisco 3560 switch. Each VLAN gets a switched virtual interface (SVI) whose address will later serve as the default gateway of that subnet. Go into configuration mode of your Cisco 3560 switch and give the following commands (the VLANs must also exist on the 3560, created with vlan 2 through vlan 5 as in the previous section, otherwise the SVI stays down):

interface vlan 2
 ip address 192.168.1.33 255.255.255.240

interface vlan 3
 ip address 192.168.1.49 255.255.255.240

interface vlan 4
 ip address 192.168.1.65 255.255.255.240

interface vlan 5
 ip address 192.168.1.82 255.255.255.240

These commands assign an IP address to each VLAN interface in its respective subnet. Verify with show ip interface brief, which lists each Vlan interface with its address and its status.

2.7 Configuring Trunk Ports on Cisco Switches

In our last two lectures we put our wireless clients in different VLANs and configured wireless MAC address filtering on the Linksys WRT 300 N. Our next challenge is to bring our departmental desktops onto the LAN too. To achieve this we want to get rid of the individual DHCP servers running in each subnet. Before we do that we need to configure trunk ports that carry the traffic of all VLANs to the Cisco 3560 on which we will configure our DHCP server. We also configured access switch ports when configuring VLANs on the Cisco 2950 switches, but did not explain the difference between a trunk port and an access port. First we will understand that difference, then we will configure trunk ports on the Cisco switches.
2.7.1 Access Port

An access port belongs to a single VLAN and carries the traffic of that VLAN only. Access ports are normally configured for end devices in a network.
2.7.2 Trunk Port

A trunk port carries traffic from two or more VLANs over a single link. Trunk ports are usually configured on the uplinks between access and distribution switches and routers. The major reason for using trunk ports is that interfaces on Cisco distribution switches and routers come with a price tag: you don't want one interface per VLAN; a single link carrying the traffic of all VLANs serves the purpose. ISL and 802.1Q are the trunking protocols used on trunk ports, and both ends of a trunk must use the same one. ISL is a Cisco proprietary protocol while 802.1Q is an IEEE standard; they differ in how they mark the Ethernet frame with its VLAN (802.1Q inserts a 4-byte tag into the frame, ISL wraps the whole frame in its own header) before sending it over the trunk. Cisco switches use the Dynamic Trunking Protocol (DTP) to find out whether the device on the other end of the cable wants to trunk and, if so, which trunking protocol to use. If the DTP mode is set to dynamic desirable, the switches negotiate the trunking parameters and form a trunk automatically. Negotiation is convenient, but a port that negotiates will form a trunk with any device that speaks DTP, so on links you control it is better to set the mode statically and switch DTP off with switchport nonegotiate.
2.7.3 Trunk Configuration commands on Cisco Switches and Routers

Connect your Cisco 2950 access switches to the gigabit interfaces of the Cisco 3560 distribution switch with UTP cable (switch-to-switch links traditionally need a crossover cable; a straight cable works only if auto-MDIX is enabled on the port). Go into configuration mode of the Cisco 3560 switch and enter the following commands. The 3560 supports both ISL and 802.1Q, so the encapsulation must be chosen before the port can be set to trunk mode; the 2950 supports 802.1Q only, so the encapsulation command does not exist there.

Switch(config)#interface gigabitEthernet 0/1
Switch(config-if)#switchport trunk encapsulation dot1q     (3560 only: use IEEE 802.1Q tagging)
Switch(config-if)#switchport mode trunk                    (static trunk, no negotiation needed)
Switch(config-if)#switchport nonegotiate                   (stop sending DTP frames on this link)

If you prefer negotiation, switchport mode dynamic desirable in place of the last two lines makes the port form a trunk with any DTP-capable neighbor; use it only on links where both ends are yours.

Repeat the process on the other uplink interfaces of the Cisco 3560 switch. Similarly repeat the commands (without the encapsulation line) on the uplink interfaces of the departmental and Wi-Fi access switches that connect to the distribution switch.

You can check the status of your trunks with the following command:
Switch#show interfaces trunk

2.8 Configuring DHCP on Cisco 3560 Switch

After configuring the trunk ports that link the Cisco 2950 access switches to the Cisco 3560 distribution switch, we are all set to configure a single DHCP server for the whole network on the Cisco 3560. Before that, do the following:

    •   Disable the DHCP servers on the wireless routers.
    •   Connect all desktops and printers of the Operations department to the Operations access switch with straight UTP cables.
    •   Connect all desktops and printers of the Finance department to the Finance access switch with straight UTP cables.
    •   Create VLAN 4 on the Operations switch, name it operations-vlan, and make all ports connecting the devices members of VLAN 4.
    •   Create VLAN 5 on the Finance switch, name it finance-vlan, and make all ports connecting the devices members of VLAN 5.
    •   Remove the static IP addresses from the printers and set them to obtain an IP address from DHCP.
    •   Set all desktops to obtain an IP address from the DHCP server.

We must first understand what DHCP and a DHCP scope are.

2.8.1 What is Dynamic Host Configuration Protocol (DHCP)?

Dynamic Host Configuration Protocol (DHCP) is a client/server protocol that automatically supplies an Internet Protocol (IP) host with its IP address and the associated configuration information, such as the subnet mask and default gateway. RFCs 2131 and 2132 define DHCP as an Internet Engineering Task Force (IETF) standard based on the Bootstrap Protocol (BOOTP), with which DHCP shares many operational features. DHCP lets network devices obtain the TCP/IP configuration they need from a DHCP server.

2.8.2 What is the DHCP Scope?

A DHCP scope is the contiguous range of IP addresses that a DHCP server can lease to devices on a subnet. A scope normally corresponds to a single subnet on your network to which DHCP service is offered. Scopes are the primary way the DHCP server controls the distribution of IP addresses and the associated configuration parameters to DHCP clients on the network.


2.8.3 DHCP Configuration commands

We studied the DHCP scope in the previous section; now we need to define a separate scope (a DHCP pool in Cisco terms) for each VLAN on the Cisco 3560 switch. The following commands serve the purpose:

ip dhcp excluded-address "Gateway Address"
ip dhcp pool vlan"#"
 network "Network Address" "Subnet Mask"
 default-router "Gateway Address"

Where # is the VLAN number, for example VLAN2,
Network Address is the network IP address, for example 192.168.1.32,
Subnet Mask is 255.255.255.240 for all VLANs in our case, and
Gateway Address is the IP address of the VLAN's interface on the 3560, for example 192.168.1.33; it is excluded from the pool so that the server never leases its own address to a client, and it is handed to clients as their default gateway.

For instance, the following commands configure a DHCP scope for clients in VLAN 2. The pool covers 192.168.1.32/28, which has 14 host addresses (192.168.1.33 – 192.168.1.46); with the gateway excluded, 13 of them are leased, starting at 192.168.1.34:

Switch(config)#ip dhcp excluded-address 192.168.1.33
Switch(config)#ip dhcp pool vlan2
Switch(dhcp-config)#network 192.168.1.32 255.255.255.240
Switch(dhcp-config)#default-router 192.168.1.33
Switch(dhcp-config)#exit

Repeat the process for all VLANs and remember to remove the static IP addresses from the printers and let them obtain an address from DHCP. Once clients are up, show ip dhcp binding on the 3560 lists each leased address with the client's MAC address.

Now devices in different VLANs cannot communicate with each other, but we have to get the CEO and CFO to communicate with the rest of the company. We will achieve this by learning inter-VLAN routing and access control lists (ACL).

2.9 Configuring InterVLAN Routing on Cisco 3560 Switch

In our scenario so far, VLANs have separated the hosts into different broadcast domains and Layer 3 subnets. Hosts in VLAN 2 cannot communicate with hosts in VLAN 3 unless we configure inter-VLAN routing. Layer 2-only switches need a Layer 3 router for this; the router may be a separate device in the network or a routing module inside a Layer 3 switch. Layer 3 switches like the Cisco 3560 have routing capability built in: the 3560 receives a packet, decides from its destination address that it belongs to another VLAN, and routes it out of the VLAN interface of that subnet. A good network topology segments the network by department or function. For instance, the Finance VLAN only holds hosts of the Finance Department, and the Operations VLAN only holds hosts of the Operations Department. If you configure inter-VLAN routing on the Cisco 3560, hosts in VLANs 2, 3, 4 and 5 can communicate with each other without sharing a broadcast domain or a subnet. Such a topology lets the network administrator restrict communication between VLANs with access lists, because every packet that crosses a VLAN boundary has to pass through the 3560. In the next topic we will learn how to use access control lists to restrict communication between VLANs.

Now that we understand the theory behind inter-VLAN routing, it is time to configure it on the Cisco 3560 distribution switch for the following user-defined VLANs:

    •   VLAN 2: traffic coming from the C-level access point
    •   VLAN 3: traffic coming from the managers' access point
    •   VLAN 4: Operations VLAN
    •   VLAN 5: Finance VLAN

We must enable IP routing globally so that the Cisco 3560 acts as a Layer 3 device and provides inter-VLAN routing.


Go into configuration mode of the Cisco 3560 switch and give the following command:

Switch(config)# ip routing                      //Enables IP routing on the Cisco 3560 switch

With routing on, show ip route lists each VLAN subnet (192.168.1.32/28, 192.168.1.48/28, 192.168.1.64/28 and 192.168.1.80/28) as directly connected through its Vlan interface. The default gateway of every machine must be the IP address of the matching VLAN interface on the Cisco 3560. For example, for Finance department machines the default gateway is 192.168.1.82, the address we gave to the VLAN 5 interface on the Cisco 3560. The access layer switches, the Catalyst 2950s, are already trunked to the Catalyst 3560.

Now hosts in all VLANs can communicate with each other, but this is not allowed by our information security criteria, which state that machines in the Operations and Finance VLANs must not be able to access C-level machines, while the CEO and CFO must be able to reach the machines of the other departments. We will achieve this goal by understanding access control lists and implementing them in the next topic.

2.10 Access Control List (ACL)

Now our task is to build ACLs on the Cisco 3560 distribution switch so that no employee can reach the computers and printers of the managers, the CEO or the CFO, while the CEO and CFO can reach all servers, printers and computers. So we are going to block the Finance and Operations subnets from reaching the wireless subnets of the C-level (192.168.1.32/28) and the managers (192.168.1.48/28), and allow the C-level network (192.168.1.33 – 192.168.1.46) to use the rest of the network. For this we will use named extended access control lists. Before the configuration we need to know the basic concepts behind access control lists.



2.10.1 What is ACL ?

An access control list (ACL) is an ordered list of permit and deny statements that block or allow particular traffic in a network. The list is processed from top to bottom, the first statement that matches a packet decides its fate, and every ACL ends with an implicit deny any, so a packet that matches no statement is dropped. In the Cisco environment there are three basic ways of writing access lists.

2.10.2 Standard access list:

A standard access list identifies traffic by the source IP address in the packet only. We create a standard access list using an access-list number from 1-99 or 1300-1999.

Syntax:

access-list [acl number] [permit|deny] [source-network-address wildcard-mask | host address | any] [log]

Here permit and deny allow or discard the traffic that matches the rule. The host keyword matches a single address and the any keyword matches every address. The wildcard mask is the inverse of a subnet mask: a 0 bit must match, a 1 bit is ignored, so 0.0.0.15 matches a /28 subnet and 0.0.0.255 matches a /24. The log keyword logs matching packets.

2.10.3 Extended access list:

An extended access list is more powerful than a standard one. It identifies traffic using source and destination IP addresses, the protocol, and the port numbers of upper-layer applications. Extended lists use the numbers 100-199 or 2000-2699.

Syntax:

access-list [acl number] [permit|deny] [protocol] [source-network-address wildcard-mask | host address | any] [destination-network-address wildcard-mask | host address | any] [eq port] [established] [log]

Here the protocol field identifies the layer 3 or layer 4 protocol (ip, tcp, udp, icmp). For tcp entries, established matches only segments that have the ACK or RST bit set, that is, segments belonging to an already started session rather than the first SYN.

2.10.4 Named based access list:

A named access list is another way of creating a standard or extended access list that is easier to understand. In numbered standard and extended lists individual entries cannot easily be edited; in a named list entries can be added and removed individually.

Syntax:

ip access-list [standard|extended] [name of acl]
 [permit|deny] [protocol] [source-network-address wildcard-mask | host address | any] [destination-network-address wildcard-mask | host address | any] [eq port] [established] [log]

The first line creates the list and enters its configuration mode; each following line is one entry, in the order in which they are evaluated.

After creating the access list we have to apply it to an interface. An ACL is applied inbound or outbound on an interface according to the direction of the traffic flow. On a VLAN interface (SVI) of the 3560, in means packets arriving from the hosts of that VLAN on their way to be routed, and out means packets that have been routed toward the hosts of that VLAN.

Syntax:

ip access-group [acl-number | acl-name] in|out

To see the access lists and their per-entry hit counters, use show ip access-lists in privileged mode.

2.10.5 Access Control List configuration command on a Cisco 3560 switch

First we enter configuration mode on the Cisco 3560 switch and create one named extended ACL for the employee VLANs (Finance and Operations). Extended ACLs are placed as close to the source of the traffic as possible, so this list goes inbound on the VLAN 4 and VLAN 5 interfaces, where it sees employee packets before they are routed anywhere. An ACL is stateless: it looks at each packet on its own and does not remember that the CEO started a session. The two established entries therefore come first, so that TCP replies from employee machines to sessions that C-level (192.168.1.32/28) or managers' (192.168.1.48/28) hosts opened are allowed, and only after them come the deny entries that stop employees from starting anything toward those two subnets. The name EMPLOYEE-IN is our choice; any name works.

Switch(config)#ip access-list extended EMPLOYEE-IN
Switch(config-ext-nacl)#remark TCP replies to sessions started by C-level and managers
Switch(config-ext-nacl)#permit tcp any 192.168.1.32 0.0.0.15 established
Switch(config-ext-nacl)#permit tcp any 192.168.1.48 0.0.0.15 established
Switch(config-ext-nacl)#remark employees may not start traffic toward C-level or managers
Switch(config-ext-nacl)#deny ip any 192.168.1.32 0.0.0.15
Switch(config-ext-nacl)#deny ip any 192.168.1.48 0.0.0.15
Switch(config-ext-nacl)#remark everything else (Finance, Operations, servers) is allowed
Switch(config-ext-nacl)#permit ip any any
Switch(config-ext-nacl)#exit

Now we apply the list inbound on both employee VLAN interfaces:

Switch(config)#interface vlan 4
Switch(config-if)#ip access-group EMPLOYEE-IN in
Switch(config-if)#exit
Switch(config)#interface vlan 5
Switch(config-if)#ip access-group EMPLOYEE-IN in
Switch(config-if)#end
Switch#show ip access-lists EMPLOYEE-IN

Nothing is applied to the VLAN 2 and VLAN 3 interfaces, so the CEO and CFO can reach every department, and their TCP sessions get their replies back. Check the behaviour from a Finance PC: a connection attempt to 192.168.1.33 fails and the counter of the matching deny entry in show ip access-lists increases, while a connection started from the CEO's machine to the same Finance PC works. Two limits are worth remembering: established only helps TCP, so a UDP or ICMP reply from an employee machine to a C-level host (a DNS answer, a ping reply) needs its own permit entry placed before the deny lines; and the 3560 only sees traffic that crosses VLANs, so an ACL on an SVI never filters two hosts inside the same VLAN.

Here you go, you can implement the rest of the information security policies by defining more access control lists.
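The following Python program is an added example, not part of the tutorial and not the switch's own code. It evaluates extended ACL entries with the same top-down, first-match, implicit-deny rules described above and applies them at the in and out points of the 3560 VLAN interfaces for routed traffic, using the VLAN subnets of section 2.6. It compares two placements of the employee filter against a handful of constructed flows: a blanket deny of traffic toward 192.168.1.0/24 applied outbound on the VLAN 2 interface, and an inbound list on the employee VLAN interfaces that lets established TCP replies through first. The host addresses, the ACL name EMPLOYEE-IN and the flows are assumptions made for the demonstration.

```python
"""Stateless, first-match evaluation of Cisco-style extended ACLs on routed VLAN traffic.

Added example, not part of the original tutorial. It models only what the
tutorial uses: ip/tcp/udp entries with wildcard masks, host/any, the
established keyword, the implicit deny, and ACLs applied in/out on SVIs.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" (matches every protocol), "tcp", "udp" or "icmp"
    src: str                    # "any", "host a.b.c.d" or "a.b.c.d wildcard"
    dst: str
    established: bool = False   # tcp only: match segments with ACK or RST set


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    ack: bool = False           # True for every TCP segment after the initial SYN


def match_addr(spec: str, addr: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec.split()[1] == addr
    base, wildcard = spec.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(base)) & care == int(ipaddress.IPv4Address(addr)) & care


def evaluate(acl: list, pkt: Packet) -> str:
    """Top to bottom, first match decides; no match hits the implicit deny at the end."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if e.established and not (pkt.proto == "tcp" and pkt.ack):
            continue
        if match_addr(e.src, pkt.src) and match_addr(e.dst, pkt.dst):
            return e.action
    return "deny"


# VLAN-to-subnet plan of section 2.6.
VLANS = {
    2: ipaddress.ip_network("192.168.1.32/28"),   # C-level access point
    3: ipaddress.ip_network("192.168.1.48/28"),   # managers' access point
    4: ipaddress.ip_network("192.168.1.64/28"),   # operations
    5: ipaddress.ip_network("192.168.1.80/28"),   # finance
}


def vlan_of(addr: str) -> int:
    for vlan, net in VLANS.items():
        if ipaddress.ip_address(addr) in net:
            return vlan
    raise ValueError(f"{addr} is not in any VLAN of the plan")


def routed(pkt: Packet, applied: dict) -> str:
    """Route a packet through the 3560: source SVI 'in' ACL, then destination SVI 'out' ACL.

    `applied` maps (vlan, "in"|"out") to an ACL. Same-VLAN traffic is switched
    at layer 2 and never reaches an SVI ACL.
    """
    src_vlan, dst_vlan = vlan_of(pkt.src), vlan_of(pkt.dst)
    if src_vlan == dst_vlan:
        return "switched"
    for point in ((src_vlan, "in"), (dst_vlan, "out")):
        if point in applied and evaluate(applied[point], pkt) == "deny":
            return "deny"
    return "permit"


# Placement A: blanket deny toward 192.168.1.0/24, applied outbound on the C-level SVI.
BLANKET_OUT = [Entry("deny", "ip", "any", "192.168.1.0 0.0.0.255"),
               Entry("permit", "ip", "any", "any")]
PLACEMENT_A = {(2, "out"): BLANKET_OUT}

# Placement B: employee SVIs filter inbound; established TCP replies to VLAN 2/3 pass first.
EMPLOYEE_IN = [Entry("permit", "tcp", "any", "192.168.1.32 0.0.0.15", established=True),
               Entry("permit", "tcp", "any", "192.168.1.48 0.0.0.15", established=True),
               Entry("deny", "ip", "any", "192.168.1.32 0.0.0.15"),
               Entry("deny", "ip", "any", "192.168.1.48 0.0.0.15"),
               Entry("permit", "ip", "any", "any")]
PLACEMENT_B = {(4, "in"): EMPLOYEE_IN, (5, "in"): EMPLOYEE_IN}

# Constructed flows: CEO .33 (VLAN 2), finance PC .81 (VLAN 5), operations PC .65 (VLAN 4), manager .49 (VLAN 3).
FLOWS = {
    "ceo_request":        Packet("tcp", "192.168.1.33", "192.168.1.81"),            # CEO opens a session
    "finance_reply":      Packet("tcp", "192.168.1.81", "192.168.1.33", ack=True),  # finance answers the CEO
    "finance_to_ceo":     Packet("tcp", "192.168.1.81", "192.168.1.33"),            # finance starts a session
    "finance_to_manager": Packet("tcp", "192.168.1.81", "192.168.1.49"),
    "finance_to_ops":     Packet("tcp", "192.168.1.81", "192.168.1.65"),
    "udp_reply_to_ceo":   Packet("udp", "192.168.1.81", "192.168.1.33"),            # e.g. a DNS answer: no ACK bit
}


def run_scenarios() -> dict:
    return {name: {flow: routed(pkt, applied) for flow, pkt in FLOWS.items()}
            for name, applied in (("blanket_out", PLACEMENT_A), ("employee_in", PLACEMENT_B))}


if __name__ == "__main__":
    for name, results in run_scenarios().items():
        print(name)
        for flow, verdict in results.items():
            print(f"  {flow:<20} {verdict}")
```

Running it shows why placement matters: with the blanket outbound deny on VLAN 2, the CEO's request reaches Finance but Finance's reply is dropped, and employees can still reach the managers' subnet; with the inbound list on VLANs 4 and 5 the CEO's session completes, employee-initiated traffic to both protected subnets is denied, and the one remaining gap is non-TCP replies, which the model reports as denied.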

More Related Content

What's hot

3DConsulting_Presentation
3DConsulting_Presentation3DConsulting_Presentation
3DConsulting_Presentation
Joseph Baca
 
80211ac 5th gen_wi-fi
80211ac 5th gen_wi-fi80211ac 5th gen_wi-fi
80211ac 5th gen_wi-fi
laser9107
 
JaySexton_IT326_IP5
JaySexton_IT326_IP5JaySexton_IT326_IP5
JaySexton_IT326_IP5
Jay T Sexton
 
DirectShare Quick Start Setup Guide
DirectShare Quick Start Setup GuideDirectShare Quick Start Setup Guide
DirectShare Quick Start Setup Guide
Christian Petrou
 

What's hot (17)

IP Address Conflict
IP Address ConflictIP Address Conflict
IP Address Conflict
 
How to choose the right IPAM for your organization final
How to choose the right IPAM for your organization finalHow to choose the right IPAM for your organization final
How to choose the right IPAM for your organization final
 
3DConsulting_Presentation
3DConsulting_Presentation3DConsulting_Presentation
3DConsulting_Presentation
 
Skype 4 Business Webcast 11. März 2015
Skype 4 Business Webcast 11. März 2015Skype 4 Business Webcast 11. März 2015
Skype 4 Business Webcast 11. März 2015
 
80211ac 5th gen_wi-fi
80211ac 5th gen_wi-fi80211ac 5th gen_wi-fi
80211ac 5th gen_wi-fi
 
Ccna labs
Ccna labsCcna labs
Ccna labs
 
Capstone August 2010
Capstone August 2010Capstone August 2010
Capstone August 2010
 
Capstone
CapstoneCapstone
Capstone
 
Capstone
CapstoneCapstone
Capstone
 
Dcs 3411&3430 A1 Manual V1 01(Ww)
Dcs 3411&3430 A1 Manual V1 01(Ww)Dcs 3411&3430 A1 Manual V1 01(Ww)
Dcs 3411&3430 A1 Manual V1 01(Ww)
 
dheerj singh
dheerj singhdheerj singh
dheerj singh
 
JaySexton_IT326_IP5
JaySexton_IT326_IP5JaySexton_IT326_IP5
JaySexton_IT326_IP5
 
Siegfried_Norman2015
Siegfried_Norman2015Siegfried_Norman2015
Siegfried_Norman2015
 
Manual repetidor wi fi
Manual repetidor wi fiManual repetidor wi fi
Manual repetidor wi fi
 
En35793797
En35793797En35793797
En35793797
 
DirectShare Quick Start Setup Guide
DirectShare Quick Start Setup GuideDirectShare Quick Start Setup Guide
DirectShare Quick Start Setup Guide
 
Guide to home networking
Guide to home networkingGuide to home networking
Guide to home networking
 

Viewers also liked (13)

Presentation1
Presentation1Presentation1
Presentation1
 
Visualresume1
Visualresume1Visualresume1
Visualresume1
 
Kebijakan Pendidikan Kewarganegaraan Era Reformasi
Kebijakan Pendidikan Kewarganegaraan Era Reformasi Kebijakan Pendidikan Kewarganegaraan Era Reformasi
Kebijakan Pendidikan Kewarganegaraan Era Reformasi
 
Derp
DerpDerp
Derp
 
Business valuation services
Business valuation servicesBusiness valuation services
Business valuation services
 
Dubai – the gateway to global business
Dubai – the gateway to global businessDubai – the gateway to global business
Dubai – the gateway to global business
 
Asthma
AsthmaAsthma
Asthma
 
Pp. jaringan internet.. n
Pp. jaringan internet.. nPp. jaringan internet.. n
Pp. jaringan internet.. n
 
Français 101 MiraCosta 2015
Français 101 MiraCosta 2015Français 101 MiraCosta 2015
Français 101 MiraCosta 2015
 
Asking the right questions
Asking the right questionsAsking the right questions
Asking the right questions
 
Conjugating regular "er" verbs
Conjugating regular "er" verbsConjugating regular "er" verbs
Conjugating regular "er" verbs
 
How i learned i wanted to teach
How i learned i wanted to teachHow i learned i wanted to teach
How i learned i wanted to teach
 
Expressions which use_the_verb_avoir
Expressions which use_the_verb_avoirExpressions which use_the_verb_avoir
Expressions which use_the_verb_avoir
 

Similar to Starter Tutorials on Reliable Lan Switching

Final presentation phases1_2_3
Final presentation phases1_2_3Final presentation phases1_2_3
Final presentation phases1_2_3
TommyBtown
 
D link-dir-615-manual
D link-dir-615-manualD link-dir-615-manual
D link-dir-615-manual
40044
 
Case study for it03 roshan
Case study for it03 roshanCase study for it03 roshan
Case study for it03 roshan
rosu555
 
Manuale Router Sitecom Wl577
Manuale Router Sitecom Wl577Manuale Router Sitecom Wl577
Manuale Router Sitecom Wl577
guest854c41d
 
NT2799 FINAL CAPSTONE PROJECT.DOCX
NT2799 FINAL CAPSTONE PROJECT.DOCXNT2799 FINAL CAPSTONE PROJECT.DOCX
NT2799 FINAL CAPSTONE PROJECT.DOCX
Fred Abram III
 
WWTC_implementation_plan_Group5_FINAL
WWTC_implementation_plan_Group5_FINALWWTC_implementation_plan_Group5_FINAL
WWTC_implementation_plan_Group5_FINAL
John Bernal
 

Similar to Starter Tutorials on Reliable Lan Switching (20)

Kwfsbs67 en-v1
Kwfsbs67 en-v1Kwfsbs67 en-v1
Kwfsbs67 en-v1
 
Cisco 200 series switches datasheet
Cisco 200 series switches datasheetCisco 200 series switches datasheet
Cisco 200 series switches datasheet
 
LAN Proposal
LAN Proposal LAN Proposal
LAN Proposal
 
Ebr 2310 revb-manual_2.1.0_en
Ebr 2310 revb-manual_2.1.0_enEbr 2310 revb-manual_2.1.0_en
Ebr 2310 revb-manual_2.1.0_en
 
QuickTutorial Guide Advanced Topics in IP Addressing
QuickTutorial Guide Advanced Topics in IP AddressingQuickTutorial Guide Advanced Topics in IP Addressing
QuickTutorial Guide Advanced Topics in IP Addressing
 
Project report,nowrin
Project report,nowrinProject report,nowrin
Project report,nowrin
 
Final presentation phases1_2_3
Final presentation phases1_2_3Final presentation phases1_2_3
Final presentation phases1_2_3
 
Banking and ATM networking reports
Banking and ATM networking reportsBanking and ATM networking reports
Banking and ATM networking reports
 
D link-dir-615-manual
D link-dir-615-manualD link-dir-615-manual
D link-dir-615-manual
 
Dhcp2003
Dhcp2003Dhcp2003
Dhcp2003
 
NOTES
NOTESNOTES
NOTES
 
Case study for it03 roshan
Case study for it03 roshanCase study for it03 roshan
Case study for it03 roshan
 
Networksecurity
NetworksecurityNetworksecurity
Networksecurity
 
Manuale Router Sitecom Wl577
Manuale Router Sitecom Wl577Manuale Router Sitecom Wl577
Manuale Router Sitecom Wl577
 
Improving performance and efficiency with Network Virtualization Overlays
Improving performance and efficiency with Network Virtualization OverlaysImproving performance and efficiency with Network Virtualization Overlays
Improving performance and efficiency with Network Virtualization Overlays
 
Config Guide Ip Sec
Config Guide Ip SecConfig Guide Ip Sec
Config Guide Ip Sec
 
NT2799 FINAL CAPSTONE PROJECT.DOCX
NT2799 FINAL CAPSTONE PROJECT.DOCXNT2799 FINAL CAPSTONE PROJECT.DOCX
NT2799 FINAL CAPSTONE PROJECT.DOCX
 
WWTC_implementation_plan_Group5_FINAL
WWTC_implementation_plan_Group5_FINALWWTC_implementation_plan_Group5_FINAL
WWTC_implementation_plan_Group5_FINAL
 
CreditU
CreditUCreditU
CreditU
 
Google global Cache operations for youtube
Google global Cache operations for youtubeGoogle global Cache operations for youtube
Google global Cache operations for youtube
 

Starter Tutorials on Reliable Lan Switching

  • 1. 2013 Starters Toutorial on Reliable LAN Switching CDi Communications, Inc. Netwind Learning Center, 4327 South Hwy 27, Suite 331 Clermont (Orlando), FL 34711 Toll Free Tel: 800.617.5586 (407.656.2277) Toll Free Fax: 877.557.3064 e-mail us at: salesinfo@netwind.com Copyright © 1996-2013 Netwind Learning Center / CDi Communications, Inc.
1 Table of Contents

1 Table of Contents (p. 1)
2 Reliable and Secure Campus LAN Switching (p. 2)
  2.1 Basic Wireless Router Configurations (p. 3)
  2.2 Configuring Multiple Wifi for seamless roaming and less congestion (p. 5)
  2.3 Configuring Wireless Mac Address Filtering on Linksys WRT 300 N (p. 7)
    2.3.1 What is a MAC Address (p. 7)
    2.3.2 Implementation of Wireless MAC Address Filtering (p. 7)
  2.4 Broadcast & Collision Domains, CSMA/CD, and VLAN (p. 9)
    2.4.1 What is a broadcast domain? (p. 9)
    2.4.2 Collision domains and role of CSMA/CD (p. 9)
    CSMA/CD (Carrier sense Multiple Access and Collision Detection) (p. 12)
    2.4.3 What is a VLAN? (p. 12)
  2.5 IP Addressing (p. 13)
    2.5.1 What is an IP Address? (p. 13)
    2.5.2 IP Addresses (Binary to Decimal and Decimal to Binary Conversion) (p. 14)
    2.5.3 Public and Private IP Addresses (p. 16)
    2.5.4 Classes of IP Addresses (p. 16)
    2.5.5 Subnetting (p. 19)
  2.6 Configuring VLANS on Cisco Switch (p. 25)
  2.7 Configuring Trunk Ports on Cisco Switches (p. 27)
    2.7.1 Access Port (p. 27)
    2.7.2 Trunk Port (p. 27)
    2.7.3 Trunk Configuration commands on Cisco Switches and Routers (p. 27)
  2.8 Configuring DHCP on Cisco 3560 Switch (p. 28)
    2.8.1 What is Dynamic Host Configuration Protocol (DHCP)? (p. 28)
    2.8.2 What is the DHCP Scope? (p. 28)
    2.8.3 DHCP Configuration commands (p. 29)
  2.9 Configuring InterVLAN Routing on Cisco 3560 Switch (p. 30)
  2.10 Access Control List (ACL) (p. 32)
    2.10.1 What is ACL? (p. 32)
    2.10.2 Standard access list (p. 32)
    2.10.3 Extended access list (p. 32)
    2.10.4 Named based access list (p. 32)
    2.10.5 Access Control List configuration command on a Cisco 3560 switch (p. 33)
2 Reliable and Secure Campus LAN Switching

Suppose this is your first day in the office as a Cisco Network Engineer and your supervisor hands you a complex network diagram and tasks you with interconnecting the devices of different departments. Your task is to achieve the following goals:

• Everyone in the branch must have access to the internet and the e-mail server.
• The CEO should have access to all servers, printers, and computers.
• Only the finance department may access the finance server, printer, and computers.
• Only the operations department may access the operations printer and computers.
• Computers in the finance department may communicate with each other but not with computers of another department; the same goes for the operations department.
• No employee can access the computers and printers of the managers, CEO or CFO.
• Managers can access the computers of their respective department.

The network diagram that you need to complete is shown below.

You are expected to finish the project in a short time and have no clue where to start. We are here to help you out in a step by step fashion. As time progresses we will keep increasing the complexity of the network by adding more devices and scenarios, interconnected with each other securely.
2.1 Basic Wireless Router Configurations

The first step is to bring the CEO and CFO laptops and printer onto a local area network using a Linksys WRT 300 N router, so that they can start using the network printer and sharing files with each other. We will also connect the Linksys WRT 300 N router to the internet so that the senior executives have internet access. It is assumed that your DSL modem has already been configured for internet access by the service provider.

Connect the internet port of the router to the Ethernet port of the DSL modem. Open the GUI of the Linksys WRT 300 N and perform the steps below:

• Give the router the IP address 192.168.1.1 with a subnet mask of 255.255.255.0.
• Enable the DHCP server with a start IP address of 192.168.1.33 and the maximum number of users set to 10.
• Click on Wireless, then Basic Wireless Settings, and set the SSID to NY Branch.
• Click on Wireless Security, set the security mode to "WPA2 Personal", set the encryption to "AES" and set your secret passphrase for WiFi connectivity.

Your Linksys WRT 300 N is now configured for internet access and file & printer sharing. You can connect the CFO and CTO laptops to the wifi network "NY Branch" and connect the printer to a LAN port of the Linksys WRT 300N using a straight UTP cable. Assign the IP address 192.168.1.201 to the printer with a subnet mask of 255.255.255.0. The CTO and CFO can now browse the internet, send prints to the network printer and share files with each other.

We will discuss IP addressing and subnetting in detail later, but for the time being the following IP addressing scheme is handy to retain:

Servers and Networking Devices   192.168.1.1 – 192.168.1.30
Laptops, Desktops and Tablets    192.168.1.33 – 192.168.1.190
Printers                         192.168.1.201 – 192.168.1.250
2.2 Configuring Multiple Wifi for seamless roaming and less congestion

Below is what you accomplished on Day 1, i.e. bringing the C level executives onto the local area network (LAN) and the internet using a Linksys WRT 300 N router. You now need to move on and bring the managers' laptops and printer onto the network. We are adding another, performance related, requirement here:

• The SSID and security key of both Linksys WRT 300 N routers should be the same.

The advantages of keeping the SSID and security key the same on both wireless access points (APs) / routers are:

• Users are able to roam between the two locations seamlessly without facing any disconnection.
• You are able to accommodate double the number of users on the same wireless network.

You will configure the managers' wireless router (Linksys WRT 300 N) exactly the same way as you configured the wireless router on Day 1, except for three changes:

1. In the wireless settings, set the wireless channel to 1 for router-1 and to 6 for router-2. This keeps the two wireless signals in non-overlapping ranges, thus doubling the number of users that can be accommodated.
2. Assign the IP address 192.168.1.2 to the managers' wireless router.
3. Enable DHCP on the managers' router with a start IP address of 192.168.1.43 and the maximum number of users set to 10.

Assign the IP address 192.168.1.202 to the managers' printer with a default gateway of 192.168.1.2 and connect it to a LAN port of the managers' wireless router (Linksys WRT 300 N).

There must be a communication channel between the two wireless routers so that wireless clients connecting to the managers' wifi can have an IP assigned by the DHCP server running on the C level wireless router. Here comes the role of our access switch, a Cisco 2950: connect a LAN port of each wireless router to a Fast Ethernet port of the Cisco 2950 switch using a crossover UTP cable.
Now the next step is to connect your DSL modem or internet CPE to an Ethernet port of the Cisco 2950. Internet connectivity is now operational for the managers and the C level executives, and they can access each other's laptops and printers. Below is how your network looks today, followed by how your IP addressing scheme now looks:

Servers and Networking Devices                         192.168.1.1 – 192.168.1.30
  C Level Wireless Router                              192.168.1.1
  Managers' Wireless Router                            192.168.1.2
Laptops, Desktops and Tablets                          192.168.1.33 – 192.168.1.190
  Dynamic client IPs, DHCP server of C level router    192.168.1.33 – 192.168.1.42
  Dynamic client IPs, DHCP server of managers' router  192.168.1.43 – 192.168.1.52
Printers                                               192.168.1.201 – 192.168.1.250
  C Level Printer                                      192.168.1.201
  Managers' Printer                                    192.168.1.202
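Two DHCP pools and a handful of static addresses on one /24 are easy to get wrong when more routers and printers are added later. The following is an added example, not part of the original tutorial: a small Python plan checker that encodes the addressing scheme above (a pool is a start address plus a maximum number of users, as the Linksys GUI defines it) and reports overlapping pools, static addresses that fall inside a pool, and addresses outside the LAN. The plan values come from the text; the function and variable names are my own.

```python
import ipaddress

# Constructed from the addressing plan in the text above: the subnet, the two
# DHCP pools (start address + maximum number of users, as the Linksys GUI
# defines them) and the statically assigned addresses.
LAN = "192.168.1.0/24"
DHCP_POOLS = {
    "C level router": ("192.168.1.33", 10),
    "Managers router": ("192.168.1.43", 10),
}
STATIC = {
    "C level router": "192.168.1.1",
    "Managers router": "192.168.1.2",
    "C level printer": "192.168.1.201",
    "Managers printer": "192.168.1.202",
}


def pool_range(start, max_users):
    """First and last address of a pool given as start + maximum users."""
    first = ipaddress.ip_address(start)
    return first, first + (max_users - 1)


def check_plan(lan, pools, static):
    """Return a list of plan problems; an empty list means the plan is clean.

    Checks: every pool and static address lies inside the LAN, no two DHCP
    pools overlap, and no static address sits inside a DHCP pool.
    """
    net = ipaddress.ip_network(lan)
    problems = []
    ranges = {name: pool_range(*spec) for name, spec in pools.items()}

    for name, (first, last) in ranges.items():
        if first not in net or last not in net:
            problems.append(f"{name}: pool {first}-{last} is not inside {net}")

    names = list(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_first, a_last = ranges[a]
            b_first, b_last = ranges[b]
            if a_first <= b_last and b_first <= a_last:   # intervals intersect
                problems.append(f"{a} and {b}: DHCP pools overlap")

    for device, addr in static.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            problems.append(f"{device}: {ip} is not inside {net}")
        for name, (first, last) in ranges.items():
            if first <= ip <= last:
                problems.append(f"{device}: static {ip} is inside the {name} DHCP pool")
    return problems


if __name__ == "__main__":
    for line in check_plan(LAN, DHCP_POOLS, STATIC) or ["plan is clean"]:
        print(line)
```

Run it again every time a router, printer or pool is added; a static printer address that drifts into a pool shows up as a duplicate-address problem on the LAN long before anyone reads the router GUI.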
2.3 Configuring Wireless MAC Address Filtering on Linksys WRT 300 N

The problem we inherited from the previous scenario is that wireless clients connect to a random one of the two wireless access points, as the SSID and security key are the same on both. We did this to implement seamless roaming, but it leaves us with a serious information security concern. The solution is to implement wireless MAC address filtering, which allows us to specify which wireless clients are allowed to connect to a particular wireless access point. First we need to understand what wireless MAC address filtering is, and then we will implement it on the Linksys WRT 300 N.

2.3.1 What is a MAC Address

A Media Access Control address (MAC address) is a unique identifier assigned to a network interface for communications on the physical network segment. MAC addresses are most often assigned by the manufacturer of a network interface card (NIC) and are stored in its hardware, the card's read-only memory.

2.3.2 Implementation of Wireless MAC Address Filtering

Wireless MAC address filtering is a method by which you control access to your network device from unauthorized devices by defining a list of authorized MAC addresses which are allowed to connect to it. You can obtain the MAC address of the wireless NIC of the CEO's laptop by going to the command prompt and typing ipconfig /all. Below is the result of the command, in which the MAC address (the Physical Address line) is the value of interest:

Physical Address................: 0090.2B41.3871
IP Address......................: 192.168.1.36
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.1.1
DNS Servers.....................: 0.0.0.0
Now you will add this MAC address to the allowed wireless client list in your C level router and deny access to all other devices:

• Open the GUI of the C level wireless router.
• Click on Wireless, then Wireless MAC Filter.
• Check "Enable".
• Check "Permit PCs listed below to access wireless network" and add the MAC address to the list.

You can add up to 50 wireless clients to the list. Repeat the same process for the CFO's laptop. Add the wireless MAC addresses of the operations manager's and finance manager's laptops to the allowed client list on the managers' router.

Here you go: only C level executives will be able to connect to the C level router, and only managers will be able to connect to the managers' router. You have also added a layer of security by only authorizing trusted wireless clients: if someone gets to know the SSID and security key of your wifi, he/she still cannot access your wifi network from a device that is not on the list.

Your task is not finished yet. The following serious information security issue remains in the above network: the C level wireless clients and printers are in the same broadcast domain as the managers', and the managers can access the C level executives' devices. In the next topics we will learn what broadcast domains, collision domains and IP addressing are, and how we can use VLANs to create multiple broadcast domains and segregate traffic between different networks.
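The permit list is only as good as the consistency of the entries in it: the same address appears as 0090.2B41.3871 in the output above, as 00-90-2B-41-38-71 in Windows ipconfig, and as 00:90:2b:41:38:71 on most other systems, and a list entry typed in the wrong form silently locks that laptop out. The block below is an added example (Python, not part of the tutorial or the Linksys firmware) that normalizes all three forms, keeps one permit list per access point with the 50-entry limit from the text, and answers the question the router asks at association time. Only the CEO laptop's MAC comes from the page; the other addresses and the router names are constructed for the example. Because the list is keyed on a value the client itself announces, treat it as a complement to the WPA2 key, not a substitute for it.

```python
import re

MAX_CLIENTS = 50   # WRT 300 N permit list limit stated in the text


def normalize_mac(mac):
    """Accept 0090.2B41.3871, 00:90:2B:41:38:71 or 00-90-2b-41-38-71 and
    return the canonical lowercase colon form; raise ValueError otherwise."""
    digits = re.sub(r"[.:\-\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def add_client(allowlist, ap, mac, limit=MAX_CLIENTS):
    """Add a client to an AP's permit list; refuse to grow past the limit."""
    entries = allowlist.setdefault(ap, set())
    canonical = normalize_mac(mac)
    if canonical not in entries and len(entries) >= limit:
        raise ValueError(f"{ap}: permit list is full ({limit} entries)")
    entries.add(canonical)
    return canonical


def is_permitted(allowlist, ap, client_mac):
    """The 'Permit PCs listed below' decision: True only when the client's
    MAC is on this AP's list. Malformed input and unknown APs are denied."""
    try:
        mac = normalize_mac(client_mac)
    except ValueError:
        return False
    return mac in allowlist.get(ap, set())


def build_allowlist():
    """Permit lists for the two routers. Only the CEO laptop's MAC comes
    from the text; the remaining addresses are constructed samples."""
    allowlist = {}
    add_client(allowlist, "C level router", "0090.2B41.3871")     # CEO laptop (from the text)
    add_client(allowlist, "C level router", "00-1A-2B-3C-4D-5E")  # CFO laptop (constructed)
    add_client(allowlist, "Managers router", "00:1a:2b:3c:4d:5f") # finance manager (constructed)
    add_client(allowlist, "Managers router", "001A.2B3C.4D60")    # operations manager (constructed)
    return allowlist


if __name__ == "__main__":
    lists = build_allowlist()
    for ap, mac in [("C level router", "00-90-2B-41-38-71"),
                    ("Managers router", "00-90-2B-41-38-71")]:
        print(ap, mac, "permitted" if is_permitted(lists, ap, mac) else "denied")
```

Keeping the canonical form in one place also makes the two routers' lists easy to diff when a laptop changes hands between departments.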
2.4 Broadcast & Collision Domains, CSMA/CD, and VLAN

We carried the following problem over from our last network diagram: all wireless clients are in the same broadcast domain and are able to communicate with each other. The solution is to create multiple broadcast domains on a single switch using VLANs. First we have to understand what a broadcast domain is, what a collision domain is, and what the role of CSMA/CD is. We will also learn IP addressing before jumping into VLAN configuration.

2.4.1 What is a broadcast domain?

In an Ethernet LAN, the set of terminals that receive a broadcast transmitted by any one of the terminals in the same network is known as a broadcast domain. On switches that have no support for virtual LANs (VLANs), a switch simply sends all broadcasts out of all interfaces, except the interface on which it received the frame. Consequently, all the interfaces on an individual switch are in a single broadcast domain. Also, if the switch attaches to other switches and hubs, the interfaces on those switches and hubs are in the same broadcast domain.

2.4.2 Collision domains and role of CSMA/CD

Just imagine yourself in the old world of hubs and repeaters. As you know, repeaters were used in the network to regenerate the signal so that it could be transmitted over longer distances. Consider the simple network topology given below:
In the above network, all the hosts are connected to a hub. If PC1 sends some packets to PC0, the packets are sent to all the hosts on the hub; that is why a hub is a single broadcast domain. In such a scenario it is quite possible that while PC1 is sending packets, PC2 is also sending packets at the same instant. As the medium is shared, the chance of a packet collision is high. From this we can conclude that a hub is a single broadcast domain and a single collision domain.

The major drawback of such a network: if we increase the number of hosts in the above network, there will be unnecessary broadcasts and collisions, which will ultimately affect network performance and cause unbearable latency and congestion in the network.
To avoid such a case we use a switch. A switch is a data link layer device. The switch learns the MAC addresses of all the hosts connected to its interfaces using ARP (Address Resolution Protocol). Once the MAC addresses have been learned by a switch and maintained in its CAM table, the switch will not send unnecessary broadcasts. A switch only floods a frame when it does not yet know the destination host; once it knows about a host, it never floods again to find that host.

A rule of thumb to remember: each switch port is a collision domain and each switch is a single broadcast domain. This is illustrated in the diagram below.

A few more things to remember: each switch has a single broadcast domain, and the number of broadcast domains can be increased by creating VLANs on a switch. For example, two VLANs create two broadcast domains on a switch. One more point: each router interface is a single broadcast domain and a single collision domain.
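The learn-then-forward behaviour described above is small enough to model end to end. The block below is an added example (Python; not from the tutorial or any vendor) of a learning switch with one CAM table: it records the source MAC of every frame on the port it arrived on, floods broadcasts and unknown unicasts out of every other port, and sends a frame to exactly one port once the destination has been learned. The port names, MAC addresses and the PC1/PC0 exchange are constructed for the example. Because each link is its own collision domain and the CAM table decides forwarding, the only frames a host ever sees that are not addressed to it are broadcasts and unknown-unicast floods, which is also why two hosts that should never talk still need separate VLANs rather than just separate ports.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Toy learning switch: one CAM table, one broadcast domain, and one
    collision domain per port (every port is a separate point-to-point link)."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}   # MAC address -> port on which it was last seen

    def receive(self, in_port, src, dst):
        """Process one frame arriving on in_port; return the egress port list."""
        self.cam[src] = in_port   # learn: the source MAC lives behind in_port
        if dst == BROADCAST or dst not in self.cam:
            # broadcast, or unknown unicast: flood to every port except ingress
            return [p for p in self.ports if p != in_port]
        out = self.cam[dst]
        # destination known: forward to that single port; drop the frame if the
        # destination is on the same segment the frame came from
        return [] if out == in_port else [out]


def demo_exchange():
    """Constructed exchange between PC1 (Fa0/1) and PC0 (Fa0/2) on a 3-port
    switch, plus one broadcast from a third host. Returns the forwarding
    decisions in order and the final CAM table."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"])
    pc1 = "00:00:00:00:00:01"   # constructed MAC addresses
    pc0 = "00:00:00:00:00:02"
    pc2 = "00:00:00:00:00:03"
    decisions = [
        sw.receive("Fa0/1", pc1, pc0),        # PC0 unknown yet: flooded
        sw.receive("Fa0/2", pc0, pc1),        # PC1 already learned: Fa0/1 only
        sw.receive("Fa0/1", pc1, pc0),        # both known: Fa0/2 only
        sw.receive("Fa0/3", pc2, BROADCAST),  # broadcast: every port but Fa0/3
    ]
    return decisions, dict(sw.cam)


if __name__ == "__main__":
    decisions, cam = demo_exchange()
    for d in decisions:
        print("sent out of:", d or "(dropped)")
    print("CAM table:", cam)
```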
CSMA/CD (Carrier Sense Multiple Access with Collision Detection) is a media access mechanism used on a shared Ethernet to avoid collisions between packets. Suppose we have two stations, A and B, on our shared Ethernet medium. In the language of CSMA, station A first scans the shared Ethernet medium, i.e. listens for any ongoing packet transmission on the medium. If it senses a transmission, it holds off; if it senses that the link is free, it transmits its packets. If at the same instant station B is also transmitting, station A senses the collision and backs off for a certain amount of time (mostly in milliseconds). This is how it avoids collisions of packets in the network.

In reality the collision is detected by voltage changes. Everyone on the network is notified about the collision via a jam signal and the hosts stop sending data. After a random timer the hosts start scanning or listening to the network again, and if it is free they start sending packets. Use of CSMA/CD is now obsolete in modern networks; switches and full duplex connections don't use CSMA/CD any more. But it was one of the best protocols of the good old days!

2.4.3 What is a VLAN?

A VLAN is a group of ports which acts as an independent switch inside a switch. By default, ports in different VLANs cannot communicate with each other; however, communication between different VLANs can be made possible using inter-VLAN routing. An access switch port can be part of one VLAN only, while a trunk port may carry traffic of multiple VLANs. Configuring VLANs in a network of Cisco switches is done by defining the VLAN number and associating switch ports with the VLAN.
2.5 IP Addressing

It's time to learn IP addressing before jumping into VLAN configuration. In real life, we as human beings find each other via different sorts of addresses and location services. The same pattern was applied when computer networks were designed, in the form of IP addressing. An IP address is just like the home address of a computer node! As in real life, when we want to send some mail we write a destination address on it and it is delivered by the postal service to the person concerned. The same is the case in computer networks: when one computer wants to send some data to another computer, it writes the destination address on the data (a packet, in computer networks) and the packet is sent via the postal service (our network services) of the computer system.

2.5.1 What is an IP Address?

In simple words, an IP address is a decimal representation of the address of a network node which enables nodes to exchange data packets with each other and hence run many network applications. So what is IP an abbreviation of? Internet Protocol, so simple!

The IP address evolution began in 1969. The original IP address was of 5 bits only, which means that according to binary calculations it was able to cover a network of only 32 nodes (2 to the power of 5 = 32). That was enough for the experimental requirements of the time, mostly the interconnection of different research organizations. Gradually it was increased to 32 bits, the size currently used in IPv4, which is enough for only around 4 billion network nodes (only? Yes, because it has become short for the ever expanding human world; that is why the techno geeks have moved toward IPv6). Especially the advent of smart phones and smart sensor devices, which are able to connect to the internet through easily available wifi spots and 3G cellular connections, will make it possible in the near future that a tech savvy person will be carrying around 4 to 10 devices, each with a public IP address.

In technical terms, an IPv4 address is represented by 4 blocks, each separated by a dot (.), with each block composed of 8 bits, for example:

00000000.00000000.00000000.00000000
10000000.00000000.00000000.00000000
11000000.00000000.00000000.00000000

Don't give up if you are learning this for the first time: IP addresses are not written in binary, as it would not be possible for everyone to remember the binary digits. For ease they are written as the decimal representation of the binary form. So the IP address 192.168.100.2 and 11000000.10101000.01100100.00000010 are the same. In simple words, each block can be written as:

11000000 = 192
10101000 = 168
01100100 = 100
00000010 = 2

Now that we have discussed IP addressing, its representation and its bit requirements, we will briefly discuss how to convert from binary to decimal and from decimal to binary.
2.5.2 IP Addresses (Binary to Decimal and Decimal to Binary Conversion)

Now we will discuss how to convert the binary representation of an IP address into decimal and vice versa. We will take the following sample IP address:

11000000.10101000.01100100.00000010

Each block is composed of 0s and 1s; 0/1 in binary represent the Off/On states respectively. We will use the chart below to convert the binary above into decimal, i.e. the base 10 system. To convert the first octet (an octet is composed of 8 bits) into decimal:

11000000 = 1*128 + 1*64 + 0*32 + 0*16 + 0*8 + 0*4 + 0*2 + 0*1 = 128 + 64 + 0 + 0 + 0 + 0 + 0 + 0 = 192
10101000 = 1*128 + 0*64 + 1*32 + 0*16 + 1*8 + 0*4 + 0*2 + 0*1 = 128 + 0 + 32 + 0 + 8 + 0 + 0 + 0 = 168

And so on. In the above conversion process each bit in 11000000 is multiplied by the decimal value of its bit position, from the least significant bit to the most significant bit. Please remember the chart below for efficient conversion of binary into decimal: the 8th bit position is multiplied by 128, the 7th bit position by 64, and so on.

128 64 32 16 8 4 2 1

Conversion from decimal to binary is a little trickier. Suppose we want to convert 15 from decimal into binary. Consider the chart: which combination of the values added together gives a sum of 15? After a little brainstorming on the chart we conclude that 8+4+2+1 sums up to 15, so we set the status of these bits to ON (1) and turn OFF (0) all the remaining bits:

128 64 32 16 8 4 2 1
  0  0  0  0 1 1 1 1

So the value of 15 in 8-bit binary representation is 00001111!

Another example to solidify the concept, the conversion of 130 into binary: 130 can be made by summing 128 and 2, so we turn ON these bits and turn OFF the remaining bits:

128 64 32 16 8 4 2 1
  1  0  0  0 0 0 1 0

So 130 = 10000010 in binary. I hope now you can easily convert between binary and decimal.

The interesting thing about the above chart is that it can be used for binary to decimal conversion as well. Suppose we want to convert 11100100 into decimal: simply place the bits according to their positions and then add up the corresponding decimal values:

128 64 32 16 8 4 2 1
  1  1  1  0 0 1 0 0   = 128 + 64 + 32 + 4 = 228

Please do the following examples yourself to clarify the concepts:

Convert 192.168.140.20 into binary.
Convert 11110011 into decimal.

After learning conversion between decimal and binary notation, we will turn our focus to private and public IP addresses and the classes of IP addresses.
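The chart method above (take 128 if it fits, then 64, and so on; read the sum of the ON weights in the other direction) is exactly a greedy algorithm, and writing it down makes it easy to check your own answers to the practice questions. The block below is an added example in Python, not from the tutorial, that implements both directions over the weight chart rather than with built-in conversions, validates that an octet is 0 to 255 and that a binary block has exactly 8 bits, and reproduces the long-hand working line the text shows. Function names are my own.

```python
WEIGHTS = [128, 64, 32, 16, 8, 4, 2, 1]   # the chart: decimal value of each bit position


def octet_to_binary(value):
    """Decimal 0..255 -> 8-character bit string, by the chart method:
    walk the weights from 128 down and switch a bit ON when it still fits."""
    if not 0 <= value <= 255:
        raise ValueError(f"{value} does not fit in one octet")
    bits, remaining = [], value
    for weight in WEIGHTS:
        if remaining >= weight:
            bits.append("1")
            remaining -= weight
        else:
            bits.append("0")
    return "".join(bits)


def binary_to_octet(bits):
    """8-character bit string -> decimal, by adding the weights of the ON bits."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError(f"{bits!r} is not an 8-bit binary octet")
    return sum(weight for weight, bit in zip(WEIGHTS, bits) if bit == "1")


def ip_to_binary(ip):
    """Dotted decimal -> dotted binary, one octet at a time."""
    octets = [int(part) for part in ip.split(".")]
    if len(octets) != 4:
        raise ValueError(f"{ip!r} does not have four octets")
    return ".".join(octet_to_binary(o) for o in octets)


def binary_to_ip(binary):
    """Dotted binary -> dotted decimal."""
    blocks = binary.split(".")
    if len(blocks) != 4:
        raise ValueError(f"{binary!r} does not have four blocks")
    return ".".join(str(binary_to_octet(b)) for b in blocks)


def working(value):
    """The long-hand line the text writes out, e.g.
    '11000000 = 1*128 + 1*64 + 0*32 + ... + 0*1 = 192'."""
    bits = octet_to_binary(value)
    terms = " + ".join(f"{bit}*{weight}" for bit, weight in zip(bits, WEIGHTS))
    return f"{bits} = {terms} = {value}"


if __name__ == "__main__":
    print(ip_to_binary("192.168.140.20"))   # first practice question
    print(binary_to_octet("11110011"))       # second practice question
    print(working(168))
```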
2.5.3 Public and Private IP Addresses

Continuing our IP addressing discussion: IP addresses can be further divided into private IP addresses and public IP addresses. Private IP addresses were introduced to preserve IP address space. Private IP addresses are used on the internal network and are never advertised to the public network. Private IP addresses are defined in the ranges below:

10.0.0.0 – 10.255.255.255        Addresses: 16,777,216
172.16.0.0 – 172.31.255.255      Addresses: 1,048,576
192.168.0.0 – 192.168.255.255    Addresses: 65,536

Private IP addresses go through a process of NATing if they want to communicate with the public internet. Public addresses are those addresses which are advertised on the public network, internetworks etc.

2.5.4 Classes of IP Addresses

Several classes of IP addresses have been defined for network identification and network address assignment according to design requirements. For these classes numeric ranges were defined; each range can be used for a specific number of host and network addresses. The IP address classes are A, B, C, D and E. Each class has its own host and network ranges. The IP address classes were developed keeping in mind the need to accommodate large companies with many hosts and small companies with few hosts. The ranges normally used on public networks are Classes A, B and C. Class D and Class E are used for special purposes:

• Class D: this range of IP addresses is used for multicast addressing requirements.
• Class E: this range is reserved for research and scientific purposes.

Before moving further into the class discussion, let us discuss one more important aspect of IP addressing. IP addressing is a hierarchical design. The telephone number system is the best example of a hierarchical design model: a telephone number is composed of a country code, an area code and a local exchange code. The same is true for an IP address. An IP address is made of two parts: one part is called the network portion and the second part is called the host portion. The network portion of the IP address is used to keep track of the network to which a specific host belongs, and the host portion of the IP address is used to identify the machine or computer node within that network.
Below we will discuss Classes A, B and C in more detail.

2.5.4.1 Class A IP Addresses:

The first octet of a Class A address is the network portion, and its most significant bit is always off. The other three octets denote the host portion. Simply, we can say:

N.H.H.H
0xxxxxxx.H.H.H

If we want to calculate the range of Class A IP addresses, we can proceed as follows:

00000000.H.H.H (0.H.H.H)
01111111.H.H.H (127.H.H.H)

If the first portion of an IP address is in the range 0-127, then that IP address belongs to Class A! But as you know the 127.0.0.1 range is reserved for the loopback interface and cannot be used for Class A, and an IP address starting with 0 cannot be used either, so the revised range is 1-126! A few examples of Class A IP addresses are:

10.0.0.1
100.2.3.1
110.130.13.4
123.4.1.110

2.5.4.2 Class B IP Addresses:

The first two octets of a Class B IP address are the network portion and the other two octets are the host portion; in dotted representation it can be given as:

N.N.H.H

The two most significant bits of the first octet are kept at 10:

10xxxxxx.xxxxxxxx.H.H

So the range of the Class B IP address space can be calculated from its first octet as follows:

10000000 to 10111111 (128 – 191)

Some examples of Class B IP addresses are:

130.50.3.3
170.16.3.1
172.31.3.3
2.5.4.3 Class C IP Addresses:

The first three 8-bit portions of a Class C IP address are the network portion, and the last one denotes the host portion. It can be simplified as:

N.N.N.H

The three most significant bits are kept at 110 regardless of the other bit positions:

110xxxxx.xxxxxxxx.xxxxxxxx.H

So the range for the Class C IP address space can be calculated as:

11000000 – 11011111 (192 – 223)

Some examples of Class C IP addresses are:

192.168.100.3
220.221.120.135
210.49.66.110

All of the above discussion regarding IP address classes can be summed up in the table below:

IP Address Class     1st Octet Range   Usable Network and Host IDs
Class A (N.H.H.H)    1-126             Networks: 2^8-2, Hosts: 2^24-2
Class B (N.N.H.H)    128-191           Networks: 2^16-2, Hosts: 2^16-2
Class C (N.N.N.H)    192-223           Networks: 2^24-2, Hosts: 2^8-2

Two more ranges for your technical mind:

D: Multicast range: 224 – 239 (Example: 224.0.0.9)
E: IP address range for R&D: 240 – 255 (Example: 241.0.0.9)
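Sections 2.5.3 and 2.5.4 together give everything needed to classify an address by hand: the first-octet ranges decide the class, the class decides the default mask, ANDing the mask with the address gives the network ID, and the three RFC 1918 ranges decide whether the address is private. The block below is an added example in Python (not from the tutorial) that does all of that for an address, doing the network-ID step as an explicit 32-bit AND so the arithmetic the text describes is visible. The standard `ipaddress` module is used only to parse dotted strings to integers and back; the class, mask and private-range tables are the ones on this page.

```python
import ipaddress

# The private ranges listed in 2.5.3 (RFC 1918) and the default masks of 2.5.4.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def address_class(ip):
    """Class letter from the first octet, using the ranges in the text
    (1-126 A, 128-191 B, 192-223 C, 224-239 D, 240-255 E, 127 loopback)."""
    first = int(ip.split(".")[0])
    if first == 127:
        return "loopback"
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    if 224 <= first <= 239:
        return "D"
    if 240 <= first <= 255:
        return "E"
    return "reserved"          # first octet 0


def network_id(ip, mask):
    """Network portion = address AND mask, done on the 32-bit integers."""
    result = int(ipaddress.ip_address(ip)) & int(ipaddress.ip_address(mask))
    return str(ipaddress.ip_address(result))


def describe(ip):
    """Class, private/public, and for A/B/C the default mask, network ID and
    usable host count (2^host_bits - 2)."""
    addr = ipaddress.ip_address(ip)          # also rejects malformed input
    cls = address_class(ip)
    info = {"class": cls,
            "private": any(addr in net for net in PRIVATE_RANGES)}
    if cls in DEFAULT_MASK:
        mask = DEFAULT_MASK[cls]
        host_bits = 32 - bin(int(ipaddress.ip_address(mask))).count("1")
        info.update(mask=mask,
                    network=network_id(ip, mask),
                    usable_hosts=2 ** host_bits - 2)
    return info


if __name__ == "__main__":
    for sample in ("10.0.0.1", "172.31.3.3", "220.221.120.135", "224.0.0.9"):
        print(sample, describe(sample))
```

The same AND step is reused unchanged in 2.5.5 when the mask is a subnet mask rather than a classful one; only the mask changes.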
2.5.5 Subnetting:

One of the most important topics in computer networks and the Cisco realm is subnetting. The main motivation behind subnetting was the best utilization of the scarce resource of available IP addresses. In simple words, subnetting is the process of taking a single network address and creating further, smaller network IDs from it, called subnets (sub-networks). In the process of subnetting, bits are borrowed from the host portion of an IP address; the borrowed bits are added to the subnet mask of that IP address. We will further clarify the subnetting process via different examples. The main goal of subnetting a given network address is to create our required number of smaller network IDs and to achieve our desired number of hosts per subnet ID.

2.5.5.1 What is a Subnet Mask?

We will end this discussion with the subnet mask. A subnet mask is used by routers and end machines to check to which network a host belongs. The network ID of an IP address is calculated by logically ANDing the subnet mask with the IP address. Each class has its own default subnet mask:

Class A subnet mask: 255.0.0.0, also denoted by /8. In binary: 11111111.00000000.00000000.00000000
Class B subnet mask: 255.255.0.0, also denoted by /16. In binary: 11111111.11111111.00000000.00000000
Class C subnet mask: 255.255.255.0, also denoted by /24. In binary: 11111111.11111111.11111111.00000000
2.5.5.2 Subnetting a Class C IP Address

We learned what a subnet mask is and what subnetting is. Now we will learn how to subnet. The basic subnetting process starts from the questions below:

• How many subnets are required?
• How many hosts per subnet are required?
• What are the resulting subnets?
• What are the valid host IP addresses?

To keep the subnetting process simple we will stick to these questions for the time being, and add things as required. The anatomy of a typical Class C address is N.N.N.H with subnet mask 255.255.255.0 or /24.

Suppose we have the network address 192.168.10.0/24 and our network design requirement is 8 subnets! For 8 subnets, how many bits can we take from the host portion (the last octet) of the given address? For this, just do a mental calculation using the formula 2^y = 8: two to which power gives us 8? Simply 2^3 = 8, great! For 8 subnets, 3 bits are borrowed from the host portion of the given address (192.168.10.0) and the borrowed bits are moved into the given subnet mask:

11111111.11111111.11111111.11100000   (3 bits borrowed)

The new subnet mask is 255.255.255.224, in CIDR notation /27!

Now the mystery of hosts per subnet. As we have borrowed three bits from the last octet, the host portion, how many bits are remaining? 5! Yes, you are right, 5 bits are remaining. So the number of usable hosts per subnet is:

2^5 - 2 = 32 – 2 = 30

From the above two steps we have achieved two things: we will have 8 subnets and there will be 30 usable host addresses per subnet!
Okay, now the tricky part: what are the valid subnets, and what is the block size? Please keep this formula in mind:

Subnet block size = 256 – (modified octet of the subnet mask)

As our new subnet mask is 255.255.255.224, the modified octet is the last one (224), so:

Subnet block size = 256 – 224 = 32

So our subnet blocks start from 0, 32, 64 and go on in increments of 32. Our 8 new subnets are:

192.168.10.0
192.168.10.32
192.168.10.64
192.168.10.96
192.168.10.128
192.168.10.160
192.168.10.192
192.168.10.224

All the valid hosts and IP ranges given by each subnet can be summarized in the table below:

Network Address   1st Host Address   Last Host Address   Broadcast Address
192.168.10.0      192.168.10.1       192.168.10.30       192.168.10.31
192.168.10.32     192.168.10.33      192.168.10.62       192.168.10.63
192.168.10.64     192.168.10.65      192.168.10.94       192.168.10.95
192.168.10.96     192.168.10.97      192.168.10.126      192.168.10.127
192.168.10.128    192.168.10.129     192.168.10.158      192.168.10.159
192.168.10.160    192.168.10.161     192.168.10.190      192.168.10.191
192.168.10.192    192.168.10.193     192.168.10.222      192.168.10.223
192.168.10.224    192.168.10.225     192.168.10.254      192.168.10.255

The usable host range of each subnet is the span from its 1st host address to its last host address. And we are done with subnetting for Class C! Was it simple? No, you will need some practice to get full command of it. Now we can use the above IP plan in our network design: a single network address has been converted into 8 usable sub-networks, each with a capacity of 30 hosts. Isn't that amazing?
2.5.5.3 Subnetting a Class B Address:

We will use the method explained previously to subnet a Class B address and a Class A address. The network design requirements are the same as above (i.e. 8 sub-networks required):

Given Class B address: 172.16.0.0
Default Class B mask: 255.255.0.0

How many bits need to be borrowed? 3! Yes, absolutely right. Okay, now we are going to embed these 3 bits in the Class B mask:

11111111.11111111.00000000.00000000
11111111.11111111.11100000.00000000

The modified subnet mask is 255.255.224.0, or /19. So what's next? Yeah, you got it:

Subnet block size = 256 – (modified octet of the subnet mask)
Subnet block size = 256 – 224 = 32

As we have taken bits from the 3rd octet, our new subnets are:

172.16.0.0 – 172.16.32.0 – 172.16.63.0 – 172.16.95.0 – 172.16.127.0 ... 172.16.224.0

Network Address   1st Host Address   Last Host Address   Broadcast Address
172.16.0.0        172.16.0.1         172.16.31.254       172.16.31.255
172.16.32.0       172.16.32.1        172.16.62.254       172.16.62.255
172.16.63.0       172.16.63.1        172.16.94.254       172.16.94.255
172.16.95.0       172.16.95.1        172.16.126.254      172.16.126.255
172.16.127.0      172.16.127.1       172.16.158.254      172.16.158.255
172.16.159.0      172.16.159.1       172.16.190.254      172.16.190.255
As only 3 bits were borrowed, the number of usable hosts per subnet is:

Usable hosts per subnet = 2^13 – 2 = 8190 (8190 hosts/subnet)

2.5.5.4 Subnetting a Class A Address

If you have mastered Class B and Class C subnetting then Class A is not that hard! The network design requirements are the same as above (i.e. 8 subnetworks required) and we have a Class A IP address of 10.0.0.0:

Given Class A address: 10.0.0.0
Default Class A mask: 255.0.0.0

How many host bits do we need to borrow? 3! Yeah, that's right. Okay, now we are going to embed these 3 bits in the Class A mask:

11111111.00000000.00000000.00000000
11111111.11100000.00000000.00000000

The modified Class A mask is 255.224.0.0 (/11). Pretty easy! As we have modified the second octet of the Class A subnet mask, that octet is the one subtracted from 256, so:

Subnet block size = 256 – subnet mask modified octet
Subnet block size = 256 – 224 = 32

So our new subnets are: 10.0.0.0 – 10.32.0.0 – 10.64.0.0 – and so on. The 8 subnets are best seen in tabular form as follows:

IP Address  Network Address  1st Host Address  Last Host Address  Broadcast Address
10.0.0.0    10.0.0.0         10.0.0.1          10.31.255.254      10.31.255.255
10.32.0.0   10.32.0.0        10.32.0.1         10.63.255.254      10.63.255.255
10.64.0.0   10.64.0.0        10.64.0.1         10.95.255.254      10.95.255.255
10.96.0.0   10.96.0.0        10.96.0.1         10.127.255.254     10.127.255.255
10.128.0.0  10.128.0.0       10.128.0.1        10.159.255.254     10.159.255.255
10.160.0.0  10.160.0.0       10.160.0.1        10.191.255.254     10.191.255.255
10.192.0.0  10.192.0.0       10.192.0.1        10.223.255.254     10.223.255.255
10.224.0.0  10.224.0.0       10.224.0.1        10.255.255.254     10.255.255.255
Believe me, just by looking at the examples given above you may be frightened by subnetting, but if you actually begin practicing it, you will realize how easy subnetting is. So don't give up: reread the above examples, and you will find plenty of subnetting problems online. Remember, only practice and more practice are the key to success in subnetting. One very useful tool while practicing subnetting is the SolarWinds Advanced Subnet Calculator. You can download it and verify your subnetting with it. For example, for the above Class A subnetting, the SolarWinds subnet calculator output is: (screenshot not reproduced here) This subnetting tool is awesome and you will love it!
2.6 Configuring VLANs on a Cisco Switch

We carried the following problem over from our last network diagram: all wireless clients are in the same broadcast domain and are able to communicate with each other. The solution is to create multiple broadcast domains on a single switch using VLANs. Below is the procedure to configure VLANs on a Cisco switch:

Switch#configure terminal                       (takes you into configuration mode)
Switch(config)#interface fastEthernet0/1        (enables configuration of interface Fa0/1)
Switch(config-if)#switchport access vlan 2      (makes Fa0/1 part of VLAN 2)
Switch(config-if)#exit                          (goes back to configuration mode)
Switch(config)#vlan 2                           (enters configuration of VLAN 2)
Switch(config-vlan)#name c-level-ap             (assigns a name to the VLAN)

Repeat the same process to create VLAN 3 with the name Managers-AP and put interface FastEthernet 0/2 in this VLAN. FastEthernet 0/1 is the interface to which the C-level wireless router is connected and FastEthernet 0/2 is the interface to which the Managers' wireless router is connected. Now the traffic from the C-level router and the Managers' router is segregated at switch level and they cannot access each other's devices.

Now our task is to subnet our network into smaller portions, where each subnet must be able to accommodate at least 14 hosts, so that we can assign one subnet to each VLAN. Subnetting lets you create numerous logical networks within a single Class A, B, or C network. If you do not opt for subnetting, you are only able to use just one network from your Class A, B, or C network, which is not realistic. To subnet a network, extend the original mask using a portion of the bits from the host ID portion of the address to build a subnetwork ID. To illustrate, given a Class C network of 192.168.1.0 with an original mask of 255.255.255.0, you can create subnets in this manner:
IP Address    192.168.1.0       11000000 10101000 00000001 00000000
Subnet Mask   255.255.255.240   11111111 11111111 11111111 11110000

By borrowing 4 bits from the host portion of the last octet you are able to create 16 subnets (2^4) of 14 hosts each (2^4 – 2). Below is a useful link to calculate variable length subnet masks for a variety of network scenarios: http://www.vlsm-calc.net/

The following table lists the subnet of each VLAN in our scenario:

VLAN Number  Network ID / Subnet Mask       Broadcast IP Address  Available Host IP Address Range
VLAN2        192.168.1.32/255.255.255.240   192.168.1.47          192.168.1.33 - 192.168.1.46
VLAN3        192.168.1.48/255.255.255.240   192.168.1.63          192.168.1.49 - 192.168.1.62
VLAN4        192.168.1.64/255.255.255.240   192.168.1.79          192.168.1.65 - 192.168.1.78
VLAN5        192.168.1.80/255.255.255.240   192.168.1.81          192.168.1.82 - 192.168.1.94

Now it's time to configure a different subnet for each VLAN on the Cisco 3560 switch. Go into configuration mode of your Cisco 3560 switch and give the following commands:

interface vlan 2
 ip address 192.168.1.33 255.255.255.240
interface vlan 3
 ip address 192.168.1.49 255.255.255.240
interface vlan 4
 ip address 192.168.1.65 255.255.255.240
interface vlan 5
 ip address 192.168.1.82 255.255.255.240

These commands assign an IP address to each VLAN interface (SVI) in its respective subnet. An SVI only comes up once its VLAN exists in the switch's VLAN database and is active on at least one port or trunk, so make sure VLANs 2 to 5 are created on the 3560 as well.
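A small subnet calculator for checking hand-worked tables such as the Class C/B/A walkthroughs in 2.5.5 and the /28 VLAN plan above. This is an added example, not code from the tutorial or from the SolarWinds tool; it implements the text's block-size rule and borrows N host bits from a classful network (function names are my own):

```python
import ipaddress

def classful_prefix(address):
    """Default prefix length of a classful IPv4 address: A=/8, B=/16, C=/24."""
    first_octet = int(address.split(".")[0])
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError("class D/E addresses are not subnetted")

def block_size(prefix):
    """The tutorial's rule: block size = 256 - value of the modified mask octet."""
    mask = ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask.packed
    modified = [octet for octet in mask if octet not in (0, 255)]
    # An octet-aligned mask (/8, /16, /24) has no partial octet: whole-octet steps.
    return 256 - modified[0] if modified else 256

def usable_hosts(prefix):
    """Hosts per subnet, excluding the network and broadcast addresses."""
    return 2 ** (32 - prefix) - 2

def subnet_table(network, borrowed_bits):
    """Borrow host bits from a classful network and list every resulting subnet.

    Each row holds network, first host, last host, broadcast and mask as strings.
    First/last host are computed arithmetically so class A subnets stay cheap."""
    base = ipaddress.IPv4Network(f"{network}/{classful_prefix(network)}")
    rows = []
    for sub in base.subnets(prefixlen_diff=borrowed_bits):
        rows.append({
            "network": str(sub.network_address),
            "first_host": str(sub.network_address + 1),
            "last_host": str(sub.broadcast_address - 1),
            "broadcast": str(sub.broadcast_address),
            "mask": str(sub.netmask),
        })
    return rows

def print_table(network, borrowed_bits):
    """Print the table in the same column order as the tutorial's tables."""
    rows = subnet_table(network, borrowed_bits)
    prefix = classful_prefix(network) + borrowed_bits
    print(f"{network} with {borrowed_bits} borrowed bits -> /{prefix}, "
          f"mask {rows[0]['mask']}, block size {block_size(prefix)}, "
          f"{usable_hosts(prefix)} hosts per subnet")
    print(f"{'Network':<16}{'1st Host':<18}{'Last Host':<18}Broadcast")
    for r in rows:
        print(f"{r['network']:<16}{r['first_host']:<18}"
              f"{r['last_host']:<18}{r['broadcast']}")

if __name__ == "__main__":
    print_table("192.168.10.0", 3)   # Class C example: /27, 8 subnets
    print_table("172.16.0.0", 3)     # Class B example: /19, 8 subnets
    print_table("10.0.0.0", 3)       # Class A example: /11, 8 subnets
    print_table("192.168.1.0", 4)    # VLAN plan: /28, 16 subnets of 14 hosts
```

Compare its rows one by one with the hand-worked tables: every subnet boundary must be a multiple of the block size in the modified octet, and the broadcast address is always one below the next network.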
2.7 Configuring Trunk Ports on Cisco Switches

In our last two lectures, we put our wireless clients in different VLANs and configured wireless MAC address filtering on the Cisco WRT 300 N. Our next challenge is to bring our departmental desktops onto the LAN too. To achieve this we want to get rid of the individual DHCP servers running in each subnet. Before we do that we need to configure a single trunk port which will carry the traffic of all VLANs to the Cisco 3560, on which we will configure our DHCP server. We also configured access switch ports when configuring VLANs on the Cisco 2950 switches, but did not explain the difference between a trunk port and an access port. First we will understand the difference between a trunk port and an access port, then we will configure trunk ports on Cisco switches and routers.

2.7.1 Access Port

An access port belongs to a single VLAN and carries the traffic of that single VLAN. Access ports are usually configured for end devices in a network.

2.7.2 Trunk Port

A trunk port can carry traffic from two or more VLANs over a single link. Trunk ports are usually configured on the uplinks between access switches, distribution switches and routers. The major reason for using trunk ports is that interfaces on Cisco distribution switches and Cisco routers come with a price tag: you don't want an interface for each VLAN. Instead a single link carrying the traffic of all VLANs serves our purpose. ISL and 802.1Q are the trunking protocols used for defining trunk ports. Both ends of a trunk must have the same trunking protocol configured. ISL is a Cisco proprietary protocol while 802.1Q is an IEEE standard. ISL and 802.1Q differ in how they add a header to the Ethernet frame before sending it over a trunk. Cisco switches make use of the Dynamic Trunking Protocol (DTP) to dynamically learn whether the device on the other end of the cable wants to perform trunking and, if so, which trunking protocol to use. If we set the DTP mode to desirable, the switches automatically negotiate the trunking parameters and form a trunk.

2.7.3 Trunk Configuration Commands on Cisco Switches and Routers

Connect your Cisco 2950 access switches to the Cisco 3560 distribution switch using a straight UTP cable on the gigabit interfaces of the Cisco 3560 switch. Go into configuration mode of the Cisco 3560 switch and enter the following commands:

Switch(config)#interface gigabitEthernet 0/1
Switch(config-if)#switchport mode dynamic desirable

Repeat the process on the other uplink interfaces of the Cisco 3560 switch. Similarly repeat the commands on the interfaces of the departmental and Wi-Fi access switches which are connected to the distribution switch through the uplink. Apply this only to uplinks: a port facing an end device should stay a fixed access port (switchport mode access together with switchport nonegotiate), so that whatever is plugged into it cannot negotiate a trunk and receive other VLANs' traffic. You can check the status of your trunks with the following command:

Switch#show interfaces trunk
2.8 Configuring DHCP on a Cisco 3560 Switch

After configuring the trunk ports which link the Cisco 2950 access switches to the Cisco 3560 distribution switch, we are all set to configure a single DHCP server for the whole network on the Cisco 3560 switch. Before that, do the following steps:

• Disable the DHCP servers on the wireless routers.
• Connect all the desktops and printers in the operations department to the operations access switch through straight UTP cables.
• Connect all the desktops and printers in the finance department to the finance access switch through straight UTP cables.
• Create VLAN 4 on the operations switch, name it operations-vlan, and make all the ports connecting the devices part of VLAN 4.
• Create VLAN 5 on the finance switch, name it finance-vlan, and make all the ports connecting the devices part of VLAN 5.
• Remove the static IP addresses of the printers and set them to obtain an IP from DHCP.
• Set all desktops to get an IP from the DHCP server.

We must first understand what DHCP and a DHCP scope are.

2.8.1 What is Dynamic Host Configuration Protocol (DHCP)?

Dynamic Host Configuration Protocol (DHCP) is a client/server protocol that automatically supplies an Internet Protocol (IP) host with its IP address as well as associated configuration information such as the subnet mask and default gateway. RFCs 2131 and 2132 define DHCP as an Internet Engineering Task Force (IETF) standard based on the Bootstrap Protocol (BOOTP), a protocol with which DHCP shares many operational features. DHCP lets network devices obtain the TCP/IP configuration they need from a DHCP server.

2.8.2 What is a DHCP Scope?

A DHCP scope is the contiguous range of potential IP addresses that the DHCP server can lease to network devices on a subnet. A scope generally corresponds to a single physical subnet on your network to which DHCP services are offered. Scopes are the primary way for the DHCP server to control the distribution and assignment of IP addresses and any associated configuration parameters to DHCP clients on the network.
2.8.3 DHCP Configuration Commands

We studied DHCP scopes in the previous section; now we need to define a separate scope for each VLAN on the Cisco 3560 switch. The following commands will serve the purpose:

ip dhcp pool vlan<#>
 network <Network Address> <Subnet Mask>

where # is the VLAN number (for example 2 for VLAN2), Network Address is the network IP address (for example 192.168.1.32) and Subnet Mask is 255.255.255.240 for all VLANs in our case. For instance, the following commands configure a DHCP scope for the clients present in VLAN 2, such that there will be a maximum of 14 hosts allowed in the VLAN, the start IP address of hosts will be 192.168.1.33 and the end IP address will be 192.168.1.46:

ip dhcp pool vlan2
 network 192.168.1.32 255.255.255.240
 default-router 192.168.1.33

The default-router line hands clients the address of the VLAN 2 interface configured in 2.6 as their gateway. Because the pool covers the whole subnet, also keep that interface address out of the pool with the global command ip dhcp excluded-address 192.168.1.33; otherwise the server may lease it to a client. Repeat the process for all VLANs and remember to remove the static IP addresses from the printers and let them get an IP assigned by DHCP. Now devices in different VLANs cannot communicate with each other, but we have to get the CEO and CFO to communicate with the rest of the company. We will achieve this by learning inter-VLAN routing and access control lists (ACLs).
2.9 Configuring Inter-VLAN Routing on a Cisco 3560 Switch

In our former scenario, VLANs segregated hosts into different broadcast domains and Layer 3 subnets. Now hosts in VLAN 2 cannot communicate with hosts in VLAN 3 unless we configure inter-VLAN routing. Layer 2-only switches require a Layer 3 router; the router may be a separate device in the network or a module of a Layer 3 switch. Layer 3 switches like the Cisco 3560 incorporate routing capability within the switch: the Cisco 3560 receives a packet, decides that the packet needs to be sent to another VLAN, and routes the packet to the correct port in the other VLAN. A good network topology segments the network based on departments or functions. For instance, the Finance VLAN only has hosts that belong to the Finance Department, and the Operations VLAN only has hosts that belong to the Operations Department. If you configure inter-VLAN routing on a Cisco 3560 switch, the hosts in VLANs 2, 3, 4 and 5 will be able to communicate with each other without being in the same broadcast domain or in a single subnet. Such a topology allows the network administrator to restrict communication between VLANs with access lists. We will learn in the next topic how access control lists can restrict communication between different VLANs. Now that we have understood the theory behind inter-VLAN routing, it's time to configure it on the Cisco 3560 distribution switch. We need to configure inter-VLAN routing for the following user-defined VLANs:

• VLAN 2: traffic coming from the C-level access point
• VLAN 3: traffic coming from the Managers' access point
• VLAN 4: Operations VLAN
• VLAN 5: Finance VLAN

We must enable IP routing globally so that the Cisco 3560 switch can act as a Layer 3 device and provide inter-VLAN routing. Go into configuration mode of the Cisco 3560 switch and give the following command:

Switch(config)# ip routing    // enables IP routing on the Cisco 3560 switch

The default gateway setting on every machine needs to be the IP address of the matching VLAN interface on the Cisco 3560 switch. For example, for Finance department machines the default gateway is 192.168.1.82, which is the IP address we assigned to the VLAN 5 interface on the Cisco 3560 switch. The access layer switches, the Catalyst 2950s, are already trunked to the Catalyst 3560 switch. Now hosts in all VLANs will be able to communicate with each other, but this communication is not allowed according to our information security criteria, which state that machines in the Operations and Finance VLANs should not be able to access C-level machines, while the CEO and CFO should be able to access machines in the rest of the departments. We will achieve this goal by understanding and implementing access control lists in the next topic.
2.10 Access Control Lists (ACL)

Now our task is to create ACLs on the Cisco 3560 distribution switch so that no employee can reach the computers and printers of the managers, CEO or CFO, while the CEO can reach all servers, printers and computers. So we are going to block the IP addresses of the Finance and Operations Departments from accessing the wireless network (192.168.1.0) and only allow the CFO's or CEO's network (192.168.1.33 – 192.168.1.46) to use the rest of the network. For this we will use a named extended access control list. Before the configuration we need to know the basic concept behind access control lists.

2.10.1 What is an ACL?

An access control list (ACL) is an ordered list of rules that block or allow particular traffic in a network. Entries are evaluated from the top down and the first matching entry decides; a packet that matches no entry is dropped by the implicit deny at the end of every list. In the Cisco environment there are three basic types of access lists.

2.10.2 Standard access list

A standard access list identifies network traffic using only the source IP address in the packet. We can create a standard access list using access-list numbers 1-99 or 1300-1999.

Syntax:
access-list [acl number] [permit/deny] [network-address/host/any] [wildcard mask] [log]

Here the permit and deny keywords allow or discard traffic matching a particular rule. The host keyword matches a single host and the any keyword matches any host in the network. The wildcard mask is used to identify a particular host or a range of networks. The log keyword enables logging of matches.

2.10.3 Extended access list

An extended access list is more powerful than a standard access list. It identifies network traffic using source and destination IP addresses, protocols, and the port numbers of upper layer applications.

Syntax:
access-list [acl number] [permit/deny] [protocol-type] [source-network-address/host/any] [wildcard mask] [destination-network-address/host/any] [wildcard mask] [log]

Here the protocol-type field identifies the Layer 3 or Layer 4 protocol.

2.10.4 Named access list

A named access list is another way of creating standard or extended access lists that is easier to understand. Normal numbered standard and extended access lists cannot be edited easily, but a named access list can be edited entry by entry.

Syntax:
ip access-list [standard/extended] [name of acl]
[permit/deny] [protocol-type] [source-network-address/host/any] [wildcard mask] [destination-network-address/host/any] [wildcard mask] [log]

After creating the access list we have to apply it to an interface. ACLs are applied in the inbound or outbound direction of an interface according to the direction of the traffic flow.

Syntax:
ip access-group [acl-number/acl-name] in|out

To see the configured access lists, enter show access-lists in privileged mode.

2.10.5 Access Control List configuration commands on a Cisco 3560 switch

First we enter configuration mode on the Cisco 3560 switch, then create two named extended ACLs, one for the Finance and Operations Departments and another for the CFO and CEO.

ACL 1:
Switch(config)#ip access-list extended FIN&OP
Switch(config-ext-nacl)#deny ip any 192.168.1.0 0.0.0.255
Switch(config-ext-nacl)#permit ip any any

ACL 2:
Switch(config)#ip access-list extended CLEVEL
Switch(config-ext-nacl)#permit ip 192.168.1.32 0.0.0.15 any

Now we will apply ACL 1 outbound and ACL 2 inbound on every VLAN interface using the following commands:

Switch(config)#interface vlan 2
Switch(config-if)#ip access-group FIN&OP out
Switch(config-if)#ip access-group CLEVEL in

Remember the implicit deny: ACL 2 has no permit ip any any, so on an interface where it is applied inbound only packets sourced from 192.168.1.32/28 get through. Verify each list with show access-lists, whose match counters show which entries traffic is actually hitting, before relying on it. Here you go: you can implement the rest of the information security policies by defining more access control lists.
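Before applying the two ACLs it helps to evaluate them against sample flows. This added example (mine, not the tutorial's) models the top-down, first-match, implicit-deny semantics from 2.10.1 with Cisco wildcard masks; the ACL text is copied from 2.10.5, while the host addresses and the 203.0.113.10 outside address are constructed:

```python
import ipaddress

def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD'); return ints."""
    if tokens[0] == "any":
        del tokens[0]
        return 0, 0xFFFFFFFF
    if tokens[0] == "host":
        base, wildcard = int(ipaddress.IPv4Address(tokens[1])), 0
    else:
        base = int(ipaddress.IPv4Address(tokens[0]))
        wildcard = int(ipaddress.IPv4Address(tokens[1]))
    del tokens[:2]
    return base, wildcard

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' lines into (action, src, dst) tuples."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line}")
        entries.append((action, _parse_addr(rest), _parse_addr(rest)))
    return entries

def _matches(addr, spec):
    """Cisco wildcard bits set to 1 are 'don't care': force them on both sides."""
    base, wildcard = spec
    return (int(ipaddress.IPv4Address(addr)) | wildcard) == (base | wildcard)

def evaluate(acl, src, dst):
    """Top-down, first match wins; no match means the implicit deny at the end."""
    for action, s, d in acl:
        if _matches(src, s) and _matches(dst, d):
            return action
    return "deny"

# The tutorial's two ACL bodies, copied as text for the evaluator.
FIN_OP = parse_acl("""
deny ip any 192.168.1.0 0.0.0.255
permit ip any any
""")
CLEVEL = parse_acl("permit ip 192.168.1.32 0.0.0.15 any")

# Constructed sample flows: a CEO host in VLAN 2 (192.168.1.32/28), a finance
# host in VLAN 5 (192.168.1.80/28) and an outside address from the RFC 5737 range.
FLOWS = {
    "finance->ceo": ("192.168.1.83", "192.168.1.34"),
    "ceo->finance": ("192.168.1.34", "192.168.1.83"),
    "ceo->outside": ("192.168.1.34", "203.0.113.10"),
    "finance->outside": ("192.168.1.83", "203.0.113.10"),
}

def policy_report():
    """Return {flow: (FIN&OP verdict, CLEVEL verdict)} for every sample flow."""
    return {name: (evaluate(FIN_OP, s, d), evaluate(CLEVEL, s, d))
            for name, (s, d) in FLOWS.items()}

if __name__ == "__main__":
    for flow, (fin_op, clevel) in policy_report().items():
        print(f"{flow:18} FIN&OP={fin_op:7} CLEVEL={clevel}")
```

Compare the verdicts with the policy stated at the start of 2.10: FIN&OP denies every flow whose destination lies anywhere in 192.168.1.0/24, the CEO's traffic into the finance subnet included, so the interface and direction it is applied on decide whether the CEO's access survives.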