BY
ALISINA GHAFORI (11630020) (ECE 1)
ABHILEKH DOWERAH (11610419) (ECE 4)
MD SHAAD ALAM (11610417) (ECE 4)
OBJECTIVE
This project introduces the architecture, structure, functions, components, and models of
the Internet and other computer networks. It uses the OSI and TCP layered models to
examine the nature and roles of protocols and services at the application, network, data
link, and physical layers. The principles and structure of IP addressing and the fundamentals
of Ethernet concepts, media, and operations are introduced to provide a foundation for the
project. Packet Tracer (PT) is used to analyze protocol and network operation and to
build small networks in a simulated environment with a range of security features. By the
end of the project, simple WAN topologies are built by applying basic principles of
cabling, basic configurations of network devices, including routers and switches, are
performed, and IP addressing schemes are implemented.
ABSTRACT
This project concerns the design of a wide area network in which the systems on the
network can interact in a safe and secure environment. Network security starts with
authentication, commonly with a username and a password. Since this requires just one
detail, the user name and the password, it is sometimes termed one-factor authentication.
Once authenticated, a firewall enforces access policies such as which services the network
users are allowed to access. The project is all about designing a wide area network with
security features. To make the project virtually realizable, Cisco Packet Tracer is used as
the simulation application. Many protocols and functions are used in order to connect all
the components of the network, such as computer hardware, cabling, network devices,
computer software, routers and switches, and all of these components interact with each
other in a secure and risk-free networking environment. Routers are programmed and
designed to control the traffic of data packets between different networks, and most of the
time they are configured to direct the data packets intelligently to their destination.
NETWORK SECURITY
CONTENTS
CHAPTER Topic
INTRODUCTION TO PROJECT
1. NETWORKING BASICS
2. INTERNETWORKING DEVICES
2.2.1 Hubs
2.2.2 Switches
2.2.3 Routers
3.3 Subnetting
4. IP ROUTING
4.1 Routing
4.3.2 Metrics
4.4 EIGRP
4.5 RIP
4.5.1 RIP V2
4.6 OSPF
4.7 BGP
4.8 Ping
4.9 Loopbacks
4.10 TELNET
4.11 REDISTRIBUTION
5. SECURITY
5.4 NAT
5.5 FIREWALL
6. IPv6
6.1 IP Version 6
7. FRAME RELAY
7.1 Frame-Relay
8. SWITCHING
8.1 MAC
8.6 STP
9. VOIP
9.2 IP Phones
10.2 Features
11. CONCLUSION
12. REFERENCES
INTRODUCTION TO PROJECT
The structure of this project is based on the back-end structure of the Internet. This project
is a combination of two kinds of devices: servers and routers. Computer networking is a
very vast field in the present developing era of electronics and communication. Nowadays,
computers are used in a wider range of settings. All organizations use multiple computers
within their departments to perform their day-to-day work. A computer network allows the
user to share data, folders and files with other users connected to the network with
high security. Computer networking has bound the world into a very small area with its
wide networking processes like LAN, MAN, WAN.
Routing is a process or technique to identify the path from one network to another.
Routers don't really care about hosts; they only care about networks and the best path to
each network.
Network Security
Network security consists of the provisions and policies adopted by a network
administrator to prevent and monitor unauthorized access, misuse, modification, or denial
of a computer network and network-accessible resources. Network security involves the
authorization of access to data in a network, which is controlled by the network
administrator. Users choose or are assigned an ID and password or other authenticating
information that allows them access to information and programs within their authority.
Network security covers a variety of computer networks, both public and private, that are
used in everyday jobs conducting transactions and communications among businesses,
government agencies and individuals. Networks can be private, such as within a
company, and others which might be open to public access. Network security is involved
in organizations, enterprises, and other types of institutions. It does as its title explains: It
secures the network, as well as protecting and overseeing operations being done. The
most common and simple way of protecting a network resource is by assigning it a
unique name and a corresponding password.
Network security is accomplished through hardware and software. The software must be
constantly updated and managed to protect you from emerging threats.
A network security system usually consists of many components. Ideally, all components
work together, which minimizes maintenance and improves security.
Features of project
What’s a Network?
A local area network (LAN) is a network that connects computers and devices in a limited
geographical area such as home, school, computer laboratory, office building, or closely
positioned group of buildings. Each computer or device on the network is a node.
A personal area network (PAN) is a computer network used for communication among
computers and other information technology devices close to one person. Some
examples of devices that are used in a PAN are personal computers, printers, fax
machines, telephones, PDAs, scanners, and even video game consoles. A PAN may
include wired and wireless devices. The reach of a PAN typically extends to 10 meters.
1.1.3 Wide area network
A wide area network (WAN) is a computer network that covers a large geographic area
such as a city, country, or spans even intercontinental distances, using a communications
channel that combines many types of media such as telephone lines, cables, and air
waves. A WAN often uses transmission facilities provided by common carriers, such as
telephone companies. WAN technologies generally function at the lower three layers of
the OSI reference model: the physical layer, the data link layer, and the network layer.
A Metropolitan area network is a large computer network that usually spans a city or a
large campus.
A virtual private network (VPN) is a computer network in which some of the links
between nodes are carried by open connections or virtual circuits in some larger network
(e.g., the Internet) instead of by physical wires. The data link layer protocols of the virtual
network are said to be tunnelled through the larger network when this is the case. One
common application is secure communications through the public Internet, but a VPN
need not have explicit security features, such as authentication or content encryption.
VPNs, for example, can be used to separate the traffic of different user communities over
an underlying network with strong security features.
When networks first came into being, computers could typically communicate only with
computers from the same manufacturer. For example, companies ran either a complete
DECnet solution or an IBM solution—not both together. In the late 1970s, the OSI (Open
Systems Interconnection) model was created by the International Organization for
Standardization (ISO) to break this barrier. The OSI model was meant to help vendors
create interoperable network devices. Like world peace, it’ll probably never happen
completely, but it’s still a great goal. The OSI model is the primary architectural model
for networks. It describes how data and network information are communicated from
applications on one computer, through the network media, to an application on another
computer. The OSI reference model breaks this approach into layers.
The OSI model is hierarchical, and the same benefits and advantages can apply to any
layered model. The primary purpose of all models, and especially the OSI model, is to
allow different vendors to interoperate. The benefits of the OSI model include, but are not
limited to, the following:
Dividing the complex network operation into more manageable layers
Changing one layer without having to change all layers. This allows application
developers to specialize in design and development.
Defining the standard interface for the “plug-and-play” multi-vendor integration
OSI Network Model- The International Standards Organization (ISO) has defined a
standard called the Open Systems Interconnection (OSI) reference model. This is a seven
layer architecture listed in the next section.
The OSI, or Open System Interconnection, model defines a networking framework for
implementing protocols in seven layers. Control is passed from one layer to the next,
starting at the application layer in one station, and proceeding to the bottom layer, over
the channel to the next station and back up the hierarchy.
Application (Layer 7)
This layer supports application and end-user processes. Communication partners are
identified, quality of service is identified, user authentication and privacy are considered,
and any constraints on data syntax are identified.
Presentation (Layer 6)
Session (Layer 5)
This layer establishes, manages and terminates connections between applications. The
session layer sets up, coordinates, and terminates conversations, exchanges, and dialogues
between the applications at each end. It deals with session and connection coordination.
Transport (Layer 4)
This layer provides transparent transfer of data between end systems, or hosts, and is
responsible for end-to-end error recovery and flow control. It ensures complete data
transfer.
Network (Layer 3)
This layer provides switching and routing technologies, creating logical paths, known as
virtual circuits, for transmitting data from node to node.
Data Link (Layer 2)
At this layer, data packets are encoded and decoded into bits. It furnishes transmission
protocol knowledge and management and handles errors in the physical layer, flow
control and frame synchronization. The data link layer is divided into two sub layers: the
Media Access Control (MAC) layer and the Logical Link Control (LLC) layer.
Physical (Layer 1)
This layer conveys the bit stream (electrical impulse, light or radio signal) through the
network at the electrical and mechanical level.
establishes internetworking; indeed, it defines and establishes the Internet. This layer
defines the addressing and routing structures used for the TCP/IP protocol suite.
Link Layer: This layer defines the networking methods within the scope of the local
network link on which hosts communicate without intervening routers. This layer
describes the protocols used to describe the local network topology and the interfaces
needed to effect transmission of Internet Layer datagrams to next-neighbour hosts.
Sr. No.  TCP/IP Reference Model                       OSI Reference Model
2        Service interface and protocols were not     Service interface and protocols are
         clearly distinguished before                 clearly distinguished
Table 1.1
Networking cables are used to connect one network device to another or to connect two or
more computers to share a printer, scanner etc. Different types of network cables,
like coaxial cable, optical fiber cable and twisted pair cables, are used depending on the
network's topology, protocol and size.
Twisted pair cabling is a type of wiring in which two conductors (the forward and return
conductors of a single circuit) are twisted together for the purposes of cancelling
out electromagnetic interference (EMI) from external sources; for
instance, electromagnetic radiation from unshielded twisted pair (UTP) cables,
and crosstalk between neighbouring pairs. It was invented by Alexander Graham Bell.
An optical fiber is a single, hair-fine filament drawn from molten silica glass. These
fibers are replacing metal wire as the transmission medium in high-speed, high-capacity
communications systems that convert information into light, which is then transmitted via
fiber optic cable. Currently, American telephone companies represent the largest users of
fiber optic cables, but the technology is also used for power lines, local access computer
networks, and video transmission.
You usually use a straight-through cable to connect different types of devices. This type of
cable will be used most of the time and can be used to:
4) Connect a router's LAN port to a switch/hub's uplink port. (Normally used for
expanding the network)
Computer networking devices are units that mediate data in a computer network.
2.2.1 Hubs
The central connecting device in a computer network is known as a hub. There are two
types of hub, i.e. active hubs and passive hubs. Every computer is directly connected to
the hub. When data packets arrive at the hub, it broadcasts them to all the LAN cards in the
network; the intended recipient picks them up and all other computers discard the data
packets. A hub has five, eight, sixteen or more ports, and one port is known as the uplink
port, which is used to connect to the next hub.
2.2.2 Switches
Like the router, a switch is an intelligent device that maps the IP address to the MAC
address of the LAN card. Unlike a hub, a switch does not broadcast the data to all the
computers; it sends the data packets only to the destined computer. Switches are used in
LANs, MANs and WANs. In an Ethernet network, computers are directly connected
to the switch via twisted pair cables.
2.2.3 Routers
A router is a device that interconnects two or more computer networks, and selectively
interchanges packets of data between them. Each data packet contains address
information that a router can use to determine if the source and destination are on the
same network, or if the data packet must be transferred from one network to another. A
router is a device whose software and hardware are customized to the tasks of routing and
forwarding information. A router has two or more network interfaces, which may be to
different types of network or different network standards.
Types of routers
1) Modular: these routers do not have fixed interfaces. Interfaces can be added and
removed according to need.
2) Non-modular: these routers have fixed interfaces, which cannot be removed.
3.1 IP Addressing
One of the most important topics in any discussion of TCP/IP is IP addressing. An IP
address is a numeric identifier assigned to each machine on an IP network. It designates
the location of a device on the network. An IP address is a software address, not a
hardware address; the latter is hardcoded on a network interface card (NIC) and used for
finding hosts on a local network. IP addressing was designed to allow a host on one
network to communicate with a host on a different network, regardless of the type of
LAN the hosts are participating in.
IP stands for Internet Protocol; it is a communications protocol used from the smallest
private network to the massive global Internet. An IP address is a unique identifier given
to a single device on an IP network. The IP address consists of a 32-bit number that
ranges from 0 to 4294967295. This means that theoretically, the Internet can contain
approximately 4.3 billion unique objects. But to make such a large address block easier to
handle, it was chopped up into four 8-bit numbers, or "octets," separated by a period.
Instead of 32 binary base-2 digits, which would be too long to read, it is converted to four
base-256 digits. Octets are made up of numbers ranging from 0 to 255.
CHAPTER 4. IP ROUTING
4.1 Routing
toward their ultimate destination through intermediate nodes; typically hardware devices
called routers, bridges, gateways, firewalls, or switches. General-purpose computers with
multiple network cards can also forward packets and perform routing, though they are not
specialized hardware and may suffer from limited performance. The routing process
usually directs forwarding on the basis of routing tables which maintain a record of the
routes to various network destinations. Thus, constructing routing tables, which are held
in the routers' memory, is very important for efficient routing. Most routing algorithms
use only one network path at a time, but multipath routing techniques enable the use of
multiple alternative paths.
Destination address
Neighbor routers from which it can learn about remote networks
Possible routes to all remote networks
The best route to each remote network
Static routing
Default routing
Dynamic routing
Configuring a Router
Console
Telnet
Auxiliary line telephone link (not used these days)
Set the enable secret password to peter: Router(config)# enable secret peter
Set the clock rate for a router with a DCE cable to 64K: Router(config-if)# clock rate 64000
Static routing is the process of an administrator manually adding routes in each router's
routing table. There are benefits and disadvantages to all routing processes. Static routing
is not really a protocol, simply the process of manually entering routes into the routing
table via a configuration file that is loaded when the routing device starts up.
The administrator must really understand the internetwork and how each router is
connected to configure the routes correctly.
If one network is added to the internetwork, the administrator must add a route to
it on all routers.
It's not feasible in large networks because it would be a full-time job.
One major problem in static routing is that the admin has to select the best route to
each network when redundant paths are available.
The command used to add a static route to a routing table is
& so on.
4.2.2 Default Routing
Default routing is the routing in which all packets to unknown addresses are routed
through a particular interface of the router; this interface acts as the default gateway
for that router, and one router can have only one such gateway.
Router(config)#ip route 0.0.0.0 0.0.0.0 (Interface out address) (Next hop address) (Admin Distance)
With this command one sets the default gateway on the router, and when using the
show ip route command the "Gateway of last resort" will be set to the next hop address
of the adjacent router.
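The lookup described above, worked through as an added Python example (not code from the original report): a constructed routing table with static routes and a 0.0.0.0/0 default route, where the most specific matching prefix wins and the default route only catches destinations no other route covers. The prefixes and next-hop addresses are constructed for illustration.

```python
import ipaddress

# Constructed routing table: (prefix, next hop, administrative distance).
# The 0.0.0.0/0 entry is the default route, reported by IOS as the gateway of last resort.
ROUTES = [
    ("192.168.1.0/24", "directly connected", 0),
    ("10.11.12.0/24", "10.0.0.2", 1),
    ("10.0.0.0/8", "10.0.0.2", 1),
    ("0.0.0.0/0", "203.0.113.1", 1),
]


def best_route(destination, routes=ROUTES):
    """Return (prefix, next_hop) for the most specific matching route, or None.

    Longest prefix wins; between equal prefixes the lower administrative distance
    wins. A /0 default route matches every address, so it is chosen only when
    nothing more specific exists.
    """
    dst = ipaddress.IPv4Address(destination)
    candidates = []
    for prefix, next_hop, ad in routes:
        net = ipaddress.IPv4Network(prefix)
        if dst in net:
            candidates.append((net.prefixlen, -ad, prefix, next_hop))
    if not candidates:
        return None  # no route at all: the router drops the packet
    candidates.sort(reverse=True)
    _, _, prefix, next_hop = candidates[0]
    return prefix, next_hop


def gateway_of_last_resort(routes=ROUTES):
    """Next hop of the 0.0.0.0/0 route, or None when no default route is configured."""
    for prefix, next_hop, _ in routes:
        if prefix == "0.0.0.0/0":
            return next_hop
    return None


def without_default(routes=ROUTES):
    """The same table with the default route removed, to show the fate of unknown destinations."""
    return [r for r in routes if r[0] != "0.0.0.0/0"]


if __name__ == "__main__":
    for dst in ("192.168.1.10", "10.11.12.5", "10.200.1.1", "8.8.8.8"):
        print(dst, "->", best_route(dst))
    print("gateway of last resort:", gateway_of_last_resort())
    # Without a default route an unknown destination has no match and is dropped.
    print("8.8.8.8 without default route ->", best_route("8.8.8.8", without_default()))
```

Note that the default route changes the failure mode: with it, traffic to an unknown destination is forwarded to the next hop; without it, the packet is dropped.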
4.2.3 Dynamic routing
This is the process of using protocols to find and update routing tables on routers. This is
easier than static or default routing, but one can use it at the expense of router CPU
processes and bandwidth on the network links.
A routing protocol defines the set of rules used by a router when it communicates
between neighbor routers.
All dynamic routing protocols are built around an algorithm. Generally, an algorithm is a
step-by-step procedure for solving a problem. A routing algorithm must, at a minimum,
specify the following:
Each router knows about its directly connected networks from its assigned
addresses and masks. Networks that are not directly connected to the router must
be made known to the router via static routing or dynamic routing.
Router A examines its IP addresses and associated masks and deduces that it is
attached to networks 192.168.1.0, 192.186.2.0, and 192.168.3.0.
Router A enters these networks into its route table, along with some sort of flag
indicating that the networks are directly connected.
Router A places the information into a packet: "My directly connected networks
are 192.168.1.0, 192.186.2.0, and 192.168.3.0."
Router A transmits copies of these route information packets, or routing updates,
to routers B and C.
Routers B and C, having performed the same steps, have sent updates with their
directly connected networks to A. Router A enters the received information into
its route table, along with the source address of the router that sent the update
packet. Router A now knows about all the networks, and it knows the addresses of
the routers to which they are attached.
4.3.2 Metrics
OSPF Bandwidth
IS-IS 115
The design philosophy behind DUAL is that even temporary routing loops are detrimental
to the performance of an internetwork. DUAL uses diffusing computations, first proposed
by E. W. Dijkstra and C. S. Scholten, to perform distributed shortest-path routing while
maintaining freedom from loops at every instant. Although many researchers have
contributed to the development of DUAL, the most prominent work is that of J. J. Garcia-
Luna-Aceves.
EIGRP uses a sophisticated metric that considers bandwidth, load, reliability, and delay.
The K-values are constants that are used to adjust the relative contribution of the various
parameters to the total metric. In other words, if you wanted delay to be much more
relatively important than bandwidth, you might set K3 to a much larger number. You next
need to understand the variables:
Router(config-router)#no auto-summary
RIP only uses hop count to determine the best way to remote network, but it has a
maximum allowable hop count of 0-15 by default, meaning that 16 is deemed
unreachable.
RIP version 1 uses only classful routing, which means that all devices in the
network must use the same subnet mask.
RIP version 2 provides something called prefix routing, and does send subnet
mask information with the route updates. This is called classless routing.
RIP Timers
Route update timer: sets the interval (30 seconds) between periodic routing updates,
in which the router sends a complete copy of its routing table out to all neighbors.
Route invalid timer: determines the length of time (180 seconds) that must elapse
before a router determines that a route has become invalid. It will come to this conclusion
if it hasn't heard any updates about a particular route for that period. When that happens,
the router will send out updates to all its neighbors letting them know that the route is
invalid.
Hold-down timer: sets the amount of time during which routing information is suppressed.
Routers will enter into the hold-down state when an update packet is received that
indicates the route is unreachable. This continues until an update packet is received
with a better metric or until the hold-down timer expires. The default is 180 seconds.
Route flush timer: sets the time (240 seconds) between a route becoming invalid and its
removal from the routing table. Before it's removed from the table, the router notifies
its neighbors of that route's impending demise. The value of the route invalid timer must
be less than that of the route flush timer.
Both RIPv1 and RIPv2 are distance-vector protocols, which means that each router
running RIP sends its complete routing tables out all active interfaces at periodic time
intervals.
The timers and loop-avoidance schemes are the same in both RIP versions.
Both RIPv1 and RIPv2 are configured as classful addressing (but RIPv2 is
considered classless because subnet information is sent with each route update).
Both have the same administrative distance (120).
RIP is an open standard; you can use RIP with any brand of router.
Algorithm: Bellman-Ford
Multicast address: 224.0.0.9
RIPv1 is classful; RIPv2 is classless.
Open Shortest Path First (OSPF) is an open standards routing protocol that's been
implemented by a wide variety of network vendors, including Cisco. This works by using
the Dijkstra algorithm. First, a shortest path tree is constructed, and then the routing table
is populated with the resulting best paths. OSPF converges quickly, although perhaps not
as quickly as EIGRP, and it supports multiple, equal-cost routes to the same destination.
But unlike EIGRP, it only supports IP routing.
OSPF is the first link-state routing protocol that most people are introduced to.
Each router in the network connects to the backbone called area 0, or the backbone area.
OSPF must have an area 0, and all routers should connect to this area if at all possible.
But routers that connect other areas to the backbone within an AS are called Area Border
Routers (ABRs). Still, at least one interface must be in area 0. OSPF runs inside an
autonomous system, but can also connect multiple autonomous systems together. The
router that connects these ASes together is called an Autonomous System Boundary
Router (ASBR).
OSPF Terminology
Link
Router ID: The Router ID (RID) is an IP address used to identify the router. Cisco
chooses the Router ID by using the highest IP address of all configured loopback
interfaces. If no loopback interfaces are configured with addresses, OSPF will choose the
highest IP address of all active physical interfaces.
Neighbors
Neighbors are two or more routers that have an interface on a common network,
such as two routers connected on a point-to-point serial link.
Adjacency
An adjacency is a relationship between two OSPF routers that permits the direct
exchange of route updates. OSPF is really picky about sharing routing information—
unlike EIGRP, which directly shares routes with all of its neighbors. Instead, OSPF
directly shares routes only with neighbors that have also established adjacencies. And not
all neighbors will become adjacent—this depends upon both the type of network and the
configuration of the routers.
Hello protocol
The OSPF Hello protocol provides dynamic neighbor discovery and maintains
neighbor relationships. Hello packets and Link State Advertisements (LSAs) build and
maintain the topological database. Hello packets are addressed to 224.0.0.5.
Neighborship database
The neighborship database is a list of all OSPF routers for which Hello packets
have been seen. A variety of details, including the Router ID and state, are maintained on
each router in the neighborship database.
Topology database
The topology database contains information from all of the Link State
Advertisement packets that have been received for an area. The router uses the
information from the topology database as input into the Dijkstra algorithm that computes
the shortest path to every network. LSA packets are used to update and maintain the
topology database.
Designated router
A designated router (DR) is elected whenever OSPF routers are connected to the
same multi-access network. A prime example is an Ethernet LAN.
OSPF areas
Broadcast (multi-access)
Non-broadcast multi-access
Point-to-point
Point-to-multipoint
REQUIREMENTS
Autonomous number
BGP is also configured with an AS number, but in BGP the AS number is different on each
router.
Neighbor ID
Neighbor AS
TYPES OF BGP
IBGP
EBGP
COMMANDS
Router(config-router)#network x.x.x.x
Router(config-router)#redistribute connected
4.8 Ping
Ping is a computer network administration utility used to test whether a particular host is
reachable across an Internet Protocol (IP) network and to measure the round-trip time for
packets sent from the local host to a destination computer. Ping operates by sending
Internet Control Message Protocol (ICMP) echo request packets to the target host and
waits for an ICMP response.
The command can be used in the given format on any device, whether it runs a Microsoft OS
or is a Cisco router:
C:\>ping Address(IP or www.xyz.com)
C:\>ping 127.0.0.254
Pinging 127.0.0.254 with 32 bytes of data:
Reply from 127.0.0.254: bytes=32 time<1ms TTL=128
Reply from 127.0.0.254: bytes=32 time<1ms TTL=128
Reply from 127.0.0.254: bytes=32 time<1ms TTL=128
Reply from 127.0.0.254: bytes=32 time<1ms TTL=128
4.9 Loopbacks
Any address can be given to a loopback and it behaves as a real interface to all the other
devices: traffic sent to the loopback is equivalent to traffic sent to a real
interface or host, and a proper reply is sent to the sender. As in a testing environment we
cannot create large real networks, loopbacks are the only tool that helps in
creating a large virtual network.
Router(config)#interface loopback ?
Router(config)#interface loopback 1
Router(config-if)#
Router(config-if)#no shut
4.10 TELNET
TELNET (TELe-NETwork) is a network protocol used on the Internet or local area
networks to provide a bidirectional interactive text-oriented communications facility via a
virtual terminal connection. User data is interspersed in-band with TELNET control
information in an 8-bit byte oriented data connection over the Transmission Control
Protocol (TCP).
Telnet is used to gain the privilege to configure the router from a remote location or from any
host on the network without having the console directly connected to the system.
4.11 REDISTRIBUTION
Redistribution is the mechanism that allows different routing domains to be connected, so
that the different routing protocols can exchange and advertise routing updates as if they
were a single protocol. Redistribution is performed on the router that lies at the boundary
between different domains or runs multiple protocols.
CHAPTER 5. SECURITY
5. This matches; the action at layer three is permit, so the packet is allowed
to exit interface E0.
Implicit Deny Any
What happens if a packet drops through all the filters and a match never occurs? The
router has to know what to do with a packet in this situation; that is, there must be a
default action. The default action could be either to permit all packets that don't match or
to deny them. Cisco chose to deny them: Any packet that is referred to an access list and
does not find a match is automatically dropped. This last filter is called an implicit deny
any (Figure 2). All access lists end with an implicit deny any, which discards all
packets that do not match a line in the list.
Some of the features here are familiar, and some are new.
access-list-number, for extended IP access lists, is between 100 and 199.
protocol is a new variable that looks for a match in the protocol field of the IP packet
header. The keyword choices are eigrp, gre, icmp, igmp, igrp, ip, nos, ospf, dns, tcp, or
udp. An integer in the range 0 to 255 representing an IP protocol number may also be
used. ip is a generic keyword, which will match any and all IP protocols, in the same way
the inverse mask 255.255.255.255 will match all addresses.
Router(config)#access-list 101 permit ip 172.22.30.6 0.0.0.0 10.0.0.0 0.255.255.255
Router(config)#access-list 101 permit tcp 172.22.30.95 0.0.0.0 10.11.12.0 0.0.0.255
Router(config)#access-list 101 permit udp 10.0.0.0 0.0.0.255 host 4.2.2.2 eq 57
Router(config)#access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Line 1:
IP packets with a source address of 172.22.30.6 and with a destination address that
belongs to network 10.0.0.0 are permitted.
Line 2:
IP packets with a source address of 172.22.30.95 and with a destination address that
belongs to subnet 10.11.12.0/24 are permitted.
Line 6:
UDP packets from network 10.0.0.0/24 to the host 4.2.2.2 with the port number equal to 57
will be denied
Line 7:
IP packets from any source to any destination are permitted
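To make the matching rules concrete, here is an added Python example (not part of the original report) that parses the four access-list 101 entries above, applies wildcard-mask matching to constructed packets, and falls through to the implicit deny any when nothing matches. The packet addresses and ports used in the demonstration are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# The extended access list from the report, as entered on the page (prompt removed).
ACL_101 = [
    "access-list 101 permit ip 172.22.30.6 0.0.0.0 10.0.0.0 0.255.255.255",
    "access-list 101 permit tcp 172.22.30.95 0.0.0.0 10.11.12.0 0.0.0.255",
    "access-list 101 permit udp 10.0.0.0 0.0.0.255 host 4.2.2.2 eq 57",
    "access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",
]

AddrSpec = Tuple[int, int]  # (address, wildcard mask) as 32-bit integers


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, i) -> Tuple[AddrSpec, int]:
    """Consume one address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


@dataclass
class Entry:
    action: str              # permit | deny
    protocol: str            # ip, tcp, udp, icmp, ...
    src: AddrSpec
    dst: AddrSpec
    dst_port: Optional[int]  # from "eq <port>" when present


def parse_entry(line: str) -> Entry:
    t = line.split()
    if t[0] != "access-list" or not 100 <= int(t[1]) <= 199:
        raise ValueError("expected an extended IP access list (100-199)")
    action, protocol = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Entry(action, protocol, src, dst, port)


def wildcard_match(address: str, spec: AddrSpec) -> bool:
    """Wildcard bits set to 1 are ignored; 0 bits must match exactly.
    So 0.0.0.0 means exactly one host and 255.255.255.255 means any address."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return ((_ip(address) ^ base) & care) == 0


def evaluate(acl_lines, protocol, src, dst, dst_port=None):
    """Walk the list top-down; return (action, matched_line_number).

    The first matching entry decides. If no entry matches the result is
    ("deny", None): the implicit deny any at the end of every Cisco access list.
    """
    for number, line in enumerate(acl_lines, start=1):
        entry = parse_entry(line)
        if entry.protocol != "ip" and entry.protocol != protocol:
            continue  # "ip" matches every IP protocol; others must match exactly
        if not (wildcard_match(src, entry.src) and wildcard_match(dst, entry.dst)):
            continue
        if entry.dst_port is not None and entry.dst_port != dst_port:
            continue
        return entry.action, number
    return "deny", None


if __name__ == "__main__":
    # Line 4 permits everything, so with the full list the implicit deny is never
    # reached; evaluating the first three lines alone shows what they let through.
    first_three = ACL_101[:3]
    print(evaluate(ACL_101, "tcp", "172.22.30.95", "10.11.12.7", 80))     # ('permit', 2)
    print(evaluate(first_three, "tcp", "172.22.30.95", "10.11.13.7", 80))  # ('deny', None)
    print(evaluate(first_three, "udp", "10.0.0.9", "4.2.2.2", 57))         # ('permit', 3)
    print(evaluate(first_three, "udp", "10.0.0.9", "4.2.2.2", 53))         # ('deny', None)
```

The last line of the list (permit ip any any) cancels the implicit deny, which is why the example also evaluates the first three lines on their own.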
5.3 PORT SECURITY
Port security limits the number of MAC addresses allowed per port and can also limit
which MAC addresses are allowed. Allowed MAC addresses can be manually configured
or the switch can sticky-learn them. The MAC address of a device can be stuck to a specific
port.
Command: switchport port-security maximum value
Description: Specifies the max MAC addresses allowed on this port. Default is 1.
Command: switchport port-security violation {shutdown | restrict | protect}
Description: Configures the action to be taken when the maximum number is reached and a
MAC address not associated with the port attempts to use the port, or when a station whose
MAC address is associated with a different port attempts to access this port. Default is
shutdown.
Command: switchport port-security mac-address mac-address
Description: Manually configures an allowed (secure) MAC address on this port.
Command: switchport port-security mac-address sticky
Description: Enables the switch port to dynamically learn secure MAC addresses. MAC
addresses learned
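The following added Python example (not Cisco code or code from the report) models one access port under the settings in the command table above: a maximum address count, the three violation modes, statically configured and sticky-learned addresses, and which addresses survive into the running configuration. The SecurePort class and all MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class SecurePort:
    """Hypothetical model of a switch port running port security."""
    maximum: int = 1                  # switchport port-security maximum <value>
    violation: str = "shutdown"       # switchport port-security violation {shutdown|restrict|protect}
    sticky: bool = False              # switchport port-security mac-address sticky
    static_macs: Set[str] = field(default_factory=set)   # switchport port-security mac-address <mac>
    learned_macs: Set[str] = field(default_factory=set)  # dynamically learned secure addresses
    violations: int = 0               # violation counter (not incremented in protect mode)
    err_disabled: bool = False

    def secure_macs(self) -> Set[str]:
        return self.static_macs | self.learned_macs

    def add_static(self, mac: str) -> None:
        """Manually configure an allowed address; the table may not exceed `maximum`."""
        mac = mac.lower()
        if mac not in self.static_macs and len(self.secure_macs()) >= self.maximum:
            raise ValueError("secure address table is full")
        self.static_macs.add(mac)

    def frame_from(self, mac: str) -> str:
        """Decide what happens to a frame whose source address is `mac`: 'forward' or 'drop'."""
        mac = mac.lower()
        if self.err_disabled:
            return "drop"                  # port was shut down by an earlier violation
        if mac in self.secure_macs():
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            self.learned_macs.add(mac)     # room left: learn it as a secure address
            return "forward"
        # Table full and this source is not in it: a security violation.
        if self.violation == "shutdown":
            self.violations += 1
            self.err_disabled = True       # port goes err-disabled until an admin recovers it
        elif self.violation == "restrict":
            self.violations += 1           # dropped, counted, and reported (syslog/SNMP)
        # protect: dropped silently, nothing counted
        return "drop"

    def running_config_macs(self) -> List[str]:
        """Addresses that would appear in the running configuration: static entries
        always, dynamically learned ones only when sticky learning is enabled."""
        macs = set(self.static_macs)
        if self.sticky:
            macs |= self.learned_macs
        return sorted(macs)


if __name__ == "__main__":
    port = SecurePort(maximum=1, violation="shutdown")
    print(port.frame_from("00:11:22:33:44:55"))   # forward (learned as the one secure address)
    print(port.frame_from("aa:bb:cc:dd:ee:ff"))   # drop, and the port is now err-disabled
    print(port.err_disabled)                      # True
    print(port.frame_from("00:11:22:33:44:55"))   # drop: even the legitimate host is cut off
```

The shutdown mode trades availability for containment: after one violation the legitimate host is also cut off until the port is recovered, which is why restrict is often preferred on user-facing ports.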
5.5 FIREWALL
A firewall is a security mechanism which is used to secure the network or filter the network
traffic. A firewall stops unauthorised access to computers. It blocks devices and does not
allow others to access the system. Firewalls come in both hardware and software form. High
security may require a hardware firewall. Operating systems like Windows include a firewall
service.
CHAPTER 6. IPv6
6.1 IP Version 6
Internet Protocol version 6 (IPv6) is the Internet Protocol version designed to succeed
IPv4, the first implementation, which is still in dominant use today. It is an Internet
Layer protocol for packet-switched internetworks. The main driving force for the redesign
of the Internet Protocol is the foreseeable IPv4 address exhaustion. IPv6 was defined in
December 1998 by the Internet Engineering Task Force (IETF) with the publication of an
Internet standard specification, RFC 2460.
IPv6 has a vastly larger address space than IPv4. This results from the use of a 128-bit
address, whereas IPv4 uses only 32 bits. The new address space thus supports 2^128 (about
3.4×10^38) addresses. This expansion provides flexibility in allocating addresses and
routing traffic and eliminates the primary need for Network Address Translation (NAT),
which gained widespread deployment as an effort to alleviate IPv4 address exhaustion.
IPv6 also implements new features that simplify aspects of address assignment (stateless
address auto-configuration) and network renumbering (prefix and router announcements)
when changing Internet connectivity providers. The IPv6 subnet size has been
standardized by fixing the size of the host identifier portion of an address to 64 bits to
facilitate an automatic mechanism for forming the host identifier from Link Layer media
addressing information (MAC address).
Network security is integrated into the design of the IPv6 architecture. Internet
Protocol Security (IPsec) was originally developed for IPv6, but found widespread
optional deployment first in IPv4 (into which it was back-ported). The IPv6
specifications mandate IPsec implementation as a fundamental interoperability
requirement.
Hex-Decimal   0     1     2     3     4     5     6     7
Binary        0000  0001  0010  0011  0100  0101  0110  0111
Hex-Decimal   8     9     A     B     C     D     E     F
Binary        1000  1001  1010  1011  1100  1101  1110  1111
Example IPv6 address in hexadecimal:
CFCD:D312:E013:8003:CADE:0037:0F37:AAAA
Zero compression: this method allows a single string of contiguous zero groups in an IPv6
address to be replaced by a double colon (::).
Caution: the double colon can be used only once in an address.
So, for example, the address below could be expressed in two ways:
FE80:0000:0000:0000:00A1:0000:0000:0010
FE80::00A1:0000:0000:0010
OR
FE80:0000:0000:0000:00A1::0010
We know how many zeroes are replaced by the “::” because we can see how many fully-
expressed (“uncompressed”) hex words are in the address. In this case there are six, so the
“::” represents two zero words. To prevent ambiguity, the double-colon can appear only
once in any IP address, because if it appeared more than once we could not tell how many
zeroes were replaced in each instance.
Leading zero compression
Leading zeroes within a group can be suppressed in the notation.
FE80::00A1:0000:0000:0010
FE80::A1:0:0:10
OR
FE80:0:0:0:A1::10
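Added example, not part of the report: a Python implementation of the two rules above (leading-zero suppression and the single double colon), with the standard library's ipaddress module as a cross-check. It follows RFC 5952, which agrees with the chapter's examples except that output is lowercase; input may use either case.

```python
"""IPv6 address notation: leading-zero suppression and a single '::' standing for the
longest run of zero groups. Added example, not part of the report; follows RFC 5952."""
import ipaddress
from typing import List, Tuple


def expand(addr: str) -> List[int]:
    """Return the eight 16-bit groups of any textual IPv6 address, undoing '::'."""
    if addr.count("::") > 1:
        # With two '::' it would be impossible to tell how many zeros each one replaces
        raise ValueError("'::' may appear only once: %r" % addr)
    if "::" in addr:
        left, right = addr.split("::")
        lhs = [int(g, 16) for g in left.split(":")] if left else []
        rhs = [int(g, 16) for g in right.split(":")] if right else []
        missing = 8 - len(lhs) - len(rhs)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group: %r" % addr)
        groups = lhs + [0] * missing + rhs
    else:
        groups = [int(g, 16) for g in addr.split(":")]
    if len(groups) != 8 or not all(0 <= g <= 0xFFFF for g in groups):
        raise ValueError("not a valid IPv6 address: %r" % addr)
    return groups


def is_valid(addr: str) -> bool:
    try:
        expand(addr)
        return True
    except ValueError:
        return False


def longest_zero_run(groups: List[int]) -> Tuple[int, int]:
    """(start, length) of the longest run of zero groups; the first run wins ties."""
    best, i = (0, 0), 0
    while i < len(groups):
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < len(groups) and groups[j] == 0:
            j += 1
        if j - i > best[1]:
            best = (i, j - i)
        i = j
    return best


def full_form(addr: str) -> str:
    """Fully expanded: eight groups, four hex digits each."""
    return ":".join("%04x" % g for g in expand(addr))


def compress(addr: str) -> str:
    """Suppress leading zeros in every group and replace the longest zero run (if it is
    at least two groups long) with '::'."""
    groups = expand(addr)
    short = ["%x" % g for g in groups]
    start, length = longest_zero_run(groups)
    if length < 2:
        return ":".join(short)
    return ":".join(short[:start]) + "::" + ":".join(short[start + length:])


def agrees_with_stdlib(addr: str) -> bool:
    """Cross-check against the standard library's canonical form."""
    return compress(addr) == str(ipaddress.IPv6Address(addr))


if __name__ == "__main__":
    for a in ("FE80:0000:0000:0000:00A1:0000:0000:0010", "FE80::00A1:0000:0000:0010",
              "FE80:0:0:0:A1::10", "CFCD:D312:E013:8003:CADE:0037:0F37:AAAA"):
        print(a, "->", full_form(a), "->", compress(a))
```

All three spellings of the FE80 address above expand to the same eight groups, and `compress` chooses the longer run of three zero groups for the double colon, which is why the canonical form is `fe80::a1:0:0:10` rather than `fe80:0:0:0:a1::10`.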
Types of LMI (Frame Relay Local Management Interface):
Cisco (Cisco proprietary)
ANSI (industry standard)
Q933a (industry standard)
CHAPTER 8. SWITCHING
8.1 MAC Address
The MAC address is the Layer 2 address in the OSI model. It is a 48-bit address written
as 12 hexadecimal characters and used for communication through switches and bridges. It
is physically coded on the Ethernet interface, and the MAC address is unique for every
system.
It consists of two parts:
The first 24 bits (the first 6 hexadecimal characters) represent the Organizationally
Unique Identifier (OUI), controlled and assigned by the Internet Corporation of Assigned
Names and Numbers.
The remaining 24 bits (the last 6 hexadecimal characters) are assigned by the vendor and
are called the vendor-specific part.
When all 48 bits of the MAC address are 1s (FFFF.FFFF.FFFF), this represents the
broadcast MAC address. If a frame with the broadcast destination MAC address is sent to
the switch, the switch forwards it to all hosts in the network, and when a host receives
a frame whose destination MAC address is the broadcast address it processes the frame
and passes it up to Layer 3 regardless of whether the packet is destined for it or not.
4 bits = 1 hexadecimal character
48 bits = 12 hexadecimal characters
0000 = 0, 0001 = 1, 0010 = 2, 0011 = 3, 0100 = 4, 0101 = 5, 0110 = 6, 0111 = 7,
1000 = 8, 1001 = 9, 1010 = A, 1011 = B, 1100 = C, 1101 = D, 1110 = E, 1111 = F
A MAC address is written in two forms:
AA:AA:AA:AA:AA:AA (Microsoft style)
AAAA.AAAA.AAAA (Cisco style)
Representation of the above MAC address in binary:
101010101010101010101010101010101010101010101010
2nd example:
ABC1.BCA2.3321
101010111100000110111100101000100011001100100001
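Added example, not the report's code: Python helpers for the MAC address forms above. They parse either notation, produce the 48-bit binary form (four bits per hex character), split the OUI from the vendor-assigned half, and recognise the broadcast address and the group bit. The sample addresses are the chapter's.

```python
"""MAC address handling: parse the colon and Cisco dotted notations, convert to 48-bit
binary, split the OUI from the vendor-assigned part, and recognise broadcast/group
addresses. Added example, not the report's code; sample addresses are the chapter's."""
import re
from typing import Tuple


def parse_mac(text: str) -> int:
    """Accept AA:AA:AA:AA:AA:AA, AA-AA-AA-AA-AA-AA, AAAA.AAAA.AAAA or 12 bare hex digits."""
    digits = re.sub(r"[:.\-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a 48-bit MAC address: %r" % text)
    return int(digits, 16)


def to_binary(mac: int) -> str:
    """48 bits: every hex character becomes exactly four bits."""
    return format(mac, "048b")


def colon_form(mac: int) -> str:
    """AA:AA:AA:AA:AA:AA (the form the chapter attributes to Microsoft)."""
    h = "%012X" % mac
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def cisco_form(mac: int) -> str:
    """AAAA.AAAA.AAAA (Cisco IOS form)."""
    h = "%012X" % mac
    return ".".join(h[i:i + 4] for i in range(0, 12, 4))


def split_oui(mac: int) -> Tuple[int, int]:
    """(OUI, vendor-assigned): the first 24 bits and the last 24 bits."""
    return mac >> 24, mac & 0xFFFFFF


def is_broadcast(mac: int) -> bool:
    """All 48 bits set: FFFF.FFFF.FFFF, delivered to every host on the segment."""
    return mac == 0xFFFFFFFFFFFF


def is_group_address(mac: int) -> bool:
    """The I/G bit (least significant bit of the first octet) marks multicast and
    broadcast destinations; a unicast source address must have it clear."""
    return bool((mac >> 40) & 1)


if __name__ == "__main__":
    for sample in ("AA:AA:AA:AA:AA:AA", "ABC1.BCA2.3321", "FFFF.FFFF.FFFF"):
        m = parse_mac(sample)
        oui, vendor = split_oui(m)
        kind = "broadcast" if is_broadcast(m) else "group" if is_group_address(m) else "unicast"
        print(sample, colon_form(m), cisco_form(m), to_binary(m),
              "OUI=%06X vendor=%06X" % (oui, vendor), kind)
```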
In a collision domain, a frame sent by a device can cause collision with a frame
sent by another device in the same collision domain. Moreover, a device can hear the
frames destined for any device in the same collision domain.
Ethernet congestion problem occurs when too many devices are connected to the
same Ethernet network segment, such that the high network bandwidth utilization
increases the possibility of collision, which causes degradation of network performance.
LAN segmentation solves the congestion problem by breaking the network into
separate segments or collision domains using bridges, switches or routers (but not hubs
or repeaters). LAN segmentation can reduce the number of collisions in the network and
increase the total bandwidth of the network (e.g. 10 Mbps for one segment, 20 Mbps for
two segments, 30 Mbps for three segments, and so on).
80/20 rule
The 80/20 rule should be used when designing how to segment a network, i.e.
80% or more data traffic should be on the local network segment while 20% or less data
traffic should cross network segments.
Layer 2 switching is hardware based, which means it uses the MAC address from
the host NIC card to filter the network traffic.
A Layer 2 switch can be considered a multi-port bridge.
Layer 2 switches are fast because they do not look at the network layer header
information; instead they look at the frame's hardware address before deciding either to
forward the frame or to drop it.
Layer 2 Switching Provides the Following:
With a bridge, the connected networks are still one large broadcast domain.
A Layer 2 switch cannot break the broadcast domain; this causes performance issues that
limit the size of your network.
For this one reason, switches cannot completely replace routers in the internetwork.
Layer 2 switches are just bridges with more ports; however, there are some important
differences.
Bridges are software based, while switches are hardware based because they use ASIC
(Application Specific Integrated Circuit) chips that help make filtering decisions.
8.4 LAN Switching
1. Address learning – learning the MAC addresses of the connected devices to build
the bridge table.
2. Forward and filter decision – forwarding and filtering frames based on the bridge
table entries and the bridge logic.
3. Loop avoidance – avoiding network loops by using the Spanning Tree Protocol.
A bridge or switch maintains a forwarding table (also known as bridge table or MAC
address table) which maps destination physical addresses with the interfaces or ports to
forward frames to the addresses.
A bridge or switch builds a bridge table by learning the MAC addresses of the connected
devices. When a bridge is first powered on, the bridge table is empty. The bridge listens
to the incoming frames and examines the source MAC addresses of the frames. For
example, if there is an incoming frame with a particular source MAC address received
from a particular interface, and the bridge does not have an entry in its table for the MAC
address, an entry will be created to associate the MAC address with the interface.
The default aging time for an entry in a bridge table is 300 seconds (5 minutes). It means
that an entry will be removed from the bridge table if the bridge has not heard any
message from the concerned host for 5 minutes.
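The learning and aging behaviour just described, as an added Python example (not the report's code). It builds the bridge table from source addresses, makes the forward / filter / flood decision for each frame, and drops entries not refreshed within the 300-second aging time. Port names, MAC addresses and timestamps are constructed.

```python
"""A learning bridge/switch: build the MAC address table from source addresses, make
the forward / filter / flood decision per frame, and age out entries after 300 seconds.
Added example, not the report's code; the frames and port names are constructed."""
from typing import Dict, List, Tuple

BROADCAST = "ffff.ffff.ffff"
AGING_SECONDS = 300           # default aging time (5 minutes)


class LearningSwitch:
    def __init__(self, ports: List[str]):
        self.ports = list(ports)
        self.table: Dict[str, Tuple[str, float]] = {}   # MAC -> (port, last seen)

    def age_out(self, now: float) -> None:
        """Remove entries not refreshed within the aging time."""
        self.table = {m: (p, t) for m, (p, t) in self.table.items()
                      if now - t < AGING_SECONDS}

    def receive(self, ingress: str, src: str, dst: str, now: float) -> List[str]:
        """Process one frame and return the ports it is sent out of."""
        self.age_out(now)
        src, dst = src.lower(), dst.lower()
        # Address learning: the source MAC is reachable via the port it came in on
        self.table[src] = (ingress, now)
        if dst == BROADCAST or dst not in self.table:
            # Broadcast or unknown unicast: flood to every port except the ingress port
            return [p for p in self.ports if p != ingress]
        port, _ = self.table[dst]
        if port == ingress:
            return []             # filter: destination is on the same segment
        return [port]             # forward out the single learned port

    def entries(self) -> Dict[str, str]:
        """The bridge table as MAC -> port, the way 'show mac address-table' lists it."""
        return {mac: port for mac, (port, _) in self.table.items()}


if __name__ == "__main__":
    sw = LearningSwitch(["Fa0/1", "Fa0/2", "Fa0/3"])
    frames = [("Fa0/1", "0000.0000.00aa", "0000.0000.00bb", 0.0),    # unknown -> flood
              ("Fa0/2", "0000.0000.00bb", "0000.0000.00aa", 1.0),    # aa known -> Fa0/1
              ("Fa0/1", "0000.0000.00cc", "0000.0000.00aa", 3.0),    # same port -> filter
              ("Fa0/3", "0000.0000.00dd", BROADCAST, 4.0),           # broadcast -> flood
              ("Fa0/2", "0000.0000.00ee", "0000.0000.00aa", 303.0)]  # aa aged out -> flood
    for ingress, src, dst, t in frames:
        out = sw.receive(ingress, src, dst, t)
        print("t=%5.0f %s %s -> %s: out %s" % (t, ingress, src, dst, out))
    print(sw.entries())
```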
ADDRESS LEARNING
172.16.255.255 (multicast)
o Multicast sends the frame to a certain network or subnet and all hosts within that
network or subnet.
o A broadcast of all 1s sends the frame to all networks and hosts.
Store-and-forward switching
The entire frame is received and the CRC is computed and verified before forwarding the
frame. If the frame is too short (i.e. less than 64 bytes including the CRC), too long
(i.e. more than 1518 bytes including the CRC), or has a CRC error, it is discarded. This
method has the lowest error rate but the longest switching latency. However, for
high-speed networks (e.g. Fast Ethernet or Gigabit Ethernet), the latency is not
significant.
switching can detect a frame corrupted by a collision and drop it. Therefore, fragment-free
switching provides better error checking than cut-through switching.
NOTE:
Bridges only support store-and-forward switching. Most new switch models also
use store-and-forward switching.
However, it should be noted that Cisco 1900 switches use fragment-free switching by
default.
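Added Python example (not the report's code) of the store-and-forward checks: the frame length bounds with the FCS included, and FCS verification with CRC-32 once the whole frame has been buffered. Addresses and payloads are constructed.

```python
"""Store-and-forward checks: a frame shorter than 64 bytes or longer than 1518 bytes
(FCS included), or with a bad FCS, is discarded before it is forwarded. Added example,
not the report's code; the frames are constructed in the block."""
import zlib

MIN_FRAME = 64      # bytes, FCS included ("runt" below this)
MAX_FRAME = 1518    # bytes, FCS included, untagged Ethernet ("giant" above this)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Header + payload (padded to the minimum) + FCS. Ethernet's FCS is the CRC-32 that
    zlib.crc32 computes, transmitted least-significant byte first."""
    body = dst + src + ethertype.to_bytes(2, "big") + payload
    body = body.ljust(MIN_FRAME - 4, b"\x00")          # pad so the frame reaches 64 bytes
    return body + zlib.crc32(body).to_bytes(4, "little")


def check_frame(frame: bytes) -> str:
    """The decision a store-and-forward switch makes once the whole frame is buffered."""
    if len(frame) < MIN_FRAME:
        return "drop: runt"
    if len(frame) > MAX_FRAME:
        return "drop: giant"
    body, fcs = frame[:-4], int.from_bytes(frame[-4:], "little")
    if zlib.crc32(body) != fcs:
        return "drop: crc error"
    return "forward"


def corrupt(frame: bytes, offset: int) -> bytes:
    """Flip every bit of one byte, as a collision or a bad cable might."""
    out = bytearray(frame)
    out[offset] ^= 0xFF
    return bytes(out)


DST = bytes.fromhex("001122334455")   # constructed addresses
SRC = bytes.fromhex("66778899aabb")

if __name__ == "__main__":
    good = build_frame(DST, SRC, 0x0800, b"hello")
    print(len(good), check_frame(good))
    print(check_frame(corrupt(good, 20)))
    print(check_frame(good[:40]))
    print(check_frame(build_frame(DST, SRC, 0x0800, b"\x00" * 1600)))
```

A cut-through switch would have started forwarding the corrupted frame after reading the destination address, which is the error-checking difference the text describes.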
Broadcast Storms
Consider a network design that consists of Layer 2 devices only. For example, this design
could be a single Ethernet segment, an Ethernet switch with many ports, or a network
with several interconnected Ethernet switches. A full Layer 2–only switched network is
referred to as a flat network topology. A flat network is a single broadcast domain, such
that every connected device sees every broadcast packet that is transmitted. As the
number of stations on the network increases, so does the number of broadcasts.
A VLAN consists of hosts defined as members, communicating as a logical network segment.
Figure shows how a VLAN can provide logical connectivity between switch ports.
Two workstations on the left Catalyst switch are assigned to VLAN 1, whereas a third
workstation is assigned to VLAN 100. In this example, no communication can occur
between VLAN 1 and VLAN 100. Both ends of the link between the Catalysts are
assigned to VLAN 1. One workstation on the right Catalyst also is assigned to VLAN 1.
Because there is end-to-end connectivity of VLAN 1, any of the workstations on VLAN 1
can communicate as if they were connected to a physical network segment.
VLAN Membership
When a VLAN is provided at an access-layer switch, an end user must have some means
of gaining membership to it. Two membership methods exist on Cisco Catalyst switches:
Static VLANs
Static VLANs offer port-based membership, in which switch ports are assigned to
specific VLANs. End-user devices become members in a VLAN based on the physical
switch port to which they are connected. No handshaking or unique VLAN membership
protocol is needed for the end devices; they automatically assume VLAN connectivity
when they connect to a port. Normally, the end device is not even aware that the VLAN
exists. The switch port and its VLAN simply are viewed and used as any other network
segment, with other “locally attached” members on the wire. Switch ports are assigned to
VLANs by the manual intervention of the network administrator, hence the static nature.
Each port receives a Port VLAN ID (PVID) that associates it with a VLAN number. The
ports on a single switch can be assigned and grouped into many VLANs. Even though
two devices are connected to the same switch, traffic will not pass between them if they
are connected to ports on different VLANs. To perform this function, you could use either
a Layer 3 device to route packets or an external Layer 2 device to bridge packets between
the two VLANs.
Dynamic VLANs
Dynamic VLANs provide membership based on the MAC address of an end-user device.
When a device is connected to a switch port, the switch must, in effect, query a database
to establish VLAN membership. A network administrator also must assign the user’s
MAC address to a VLAN in the database of a VLAN Membership Policy Server
(VMPS).
With Cisco switches, dynamic VLANs are created and managed using network-
management tools such as Cisco Works. Dynamic VLANs allow a great deal of flexibility
and mobility for end users but require more administrative overhead.
VLAN Interoperability
Cisco IOS features bring added benefits to the VLAN technology. Enhancements to ISL,
IEEE 802.10, and ATM LAN Emulation (LANE) implementations enable routing of all
major protocols between VLANs. These enhancements allow users to create more robust
networks incorporating VLAN configurations by providing communications capabilities
between VLANs.
Inter-VLAN Communications
The Cisco IOS supports full routing of several protocols over ISL and ATM LANE
virtual LANs. IP, Novell IPX, and AppleTalk routing are supported over IEEE 802.10
VLANs. Standard routing attributes, such as network advertisements, secondaries, and
helper addresses are applicable, and VLAN routing is fast switched. The table shows the
protocols supported for each VLAN encapsulation format and the corresponding Cisco IOS
releases.
Novell IPX (default encapsulation)         Release 11.1   Release 10.3   Release 11.1
Novell IPX (configurable encapsulation)    Release 11.3   Release 10.3   Release 11.3
Cisco has developed a method to manage VLANs across the campus network. The VLAN
Trunking Protocol (VTP) uses Layer 2 trunk frames to communicate VLAN information
among a group of switches. VTP manages the addition, deletion, and renaming of VLANs
across the network from a central point of control. Any switch participating in a VTP
exchange is aware of and can use any VLAN that VTP manages.
VTP Domains
VTP is organized into management domains, or areas with common VLAN requirements.
A switch can belong to only one VTP domain, in addition to sharing VLAN information
with other switches in the domain. Switches in different VTP domains, however, do not
share VTP information.
Switches in a VTP domain advertise several attributes to their domain neighbours. Each
advertisement contains information about the VTP management domain, VTP revision
number, known VLANs, and specific VLAN parameters. When a VLAN is added to a switch in a
management domain, other switches are notified of the new VLAN through VTP
advertisements. In this way, all switches in a domain can prepare to receive traffic on
their trunk ports using the new VLAN.
VTP Modes
in one of several modes. The VTP mode determines how the switch processes and
advertises VTP information. You can use the following modes:
Server mode -
VTP servers have full control over VLAN creation and modification for their domains.
All VTP information is advertised to other switches in the domain, while all received
VTP information is synchronized with the other switches. By default, a switch is in VTP
server mode. Note that each VTP domain must have at least one server so that VLANs
can be created, modified, or deleted, and VLAN information can be propagated.
Client mode -
VTP clients do not allow the administrator to create, change, or delete any VLANs.
Instead, they listen to VTP advertisements from other switches and modify their VLAN
configurations accordingly. In effect, this is a passive listening mode. Received VTP
information is forwarded out trunk links to neighbouring switches in the domain, so the
switch also acts as a VTP relay.
Transparent mode -
VTP transparent switches do not participate in VTP. While in transparent mode, a switch
does not advertise its own VLAN configuration, and a switch does not synchronize its
VLAN database with received advertisements. In VTP version 1, a transparent mode switch
does not even relay VTP information it receives to other switches unless its VTP domain
name and VTP version number match those of the other switches. In VTP version 2,
transparent switches do forward received VTP advertisements out of their trunk ports,
acting as VTP relays. This occurs regardless of the VTP domain name setting.
VTP Configuration
By default, every switch operates in VTP server mode for the management domain NULL
(a blank string), with no password or secure mode. If the switch hears a VTP summary
advertisement on a trunk port from any other switch, it automatically learns the VTP
domain name, VLANs, and the configuration revision number it hears. This makes it easy
to bring up a new switch in an existing VTP domain. However, be aware that the new
switch stays in VTP server mode, something that might not be desirable.
You should get into the habit of double-checking the VTP configuration of any switch
before you add it into your network. Make sure that the VTP configuration revision
number is set to 0. You can do this by isolating the switch from the network, powering it
up, and using the show vtp status command, as demonstrated in the following output:
VTP Version : 2
Configuration Revision : 0
MD5 digest : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Here, the switch has a configuration revision number of 0, and is in the default state of
VTP server mode with an undefined VTP domain name. This switch would be safe to add
to a network.
You can configure the VTP mode with the following sequence of global configuration
commands:
If the domain is operating in secure mode, a password also can be defined. The password
can be configured only on VTP servers and clients. The password itself is not sent;
instead, an MD5 digest or hash code is computed and sent in VTP advertisements (servers)
Server - All VLAN and VTP configuration changes occur here. The server advertises
settings and changes to all other servers and clients in a VTP domain. (This is the
default mode for Catalyst switches.)
Client - Listens to all VTP advertisements from servers in a VTP domain. Advertisements
are relayed out other trunk links. No VLAN or VTP configuration changes can be made on a
client.
Transparent - VLAN configuration changes are made locally, independent of any VTP
domain. VTP advertisements are not received but merely are relayed out other trunk
links, if possible.
The domain uses secure VTP with the password big secret. You can use the following
configuration commands to accomplish this:
VTP Status
The current VTP parameters for a management domain can be displayed using the show
vtp status command. Example 5-1 demonstrates some sample output of this command
from a switch acting as a VTP client in the VTP domain called CampusDomain.
VTP Version : 2
Configuration Revision : 89
A robust network design not only includes efficient transfer of packets or frames, but also
considers how to recover quickly from faults in the network. In a Layer 3 environment,
the routing protocols in use keep track of redundant paths to a destination network so that
a secondary path can be used quickly if the primary path fails. Layer 3 routing allows
many paths to a destination to remain up and active, and allows load sharing across
multiple paths.
The Spanning Tree Protocol (STP) provides network link redundancy so that a Layer 2
switched network can recover from failures in a timely manner without intervention. STP
is defined in the IEEE 802.1D standard.
Bridging loops form because parallel switches (or bridges) are unaware of each other.
STP was developed to overcome the possibility of bridging loops so that redundant
switches and switch paths could be used for their benefits. Basically, the protocol enables
switches to become aware of each other so they can negotiate a loop-free path through the
network.
Loops are discovered before they are made available for use, and redundant links are in
effect shut down to prevent the loops from forming. In the case of redundant links,
switches can be made aware that a link shut down for loop prevention should be brought
up quickly in case of a link failure.
STP is communicated among all connected switches on a network. Each switch executes
the spanning-tree algorithm based on information received from other neighbouring
switches. The algorithm chooses a reference point in the network and calculates all the
redundant paths to that reference point. When redundant paths are found, the
spanning-tree algorithm picks one path by which to forward frames and disables, or
blocks, forwarding on the other redundant paths.
As its name implies, STP computes a tree structure that spans all switches in a subnet
or network. Redundant paths are placed in a Blocking or Standby state to prevent frame
forwarding.
The switched network is then in a loop-free condition. However, if a forwarding port
fails or becomes disconnected, the spanning-tree algorithm recomputes the spanning tree
topology so that the appropriate blocked links can be reactivated.
MAC Address (6 bytes)—The MAC address used by a switch can come from the
supervisor module, the backplane, or a pool of 1,024 addresses that are assigned to every
supervisor or backplane, depending on the switch model. In any event, this address is
hard-coded and unique, and the user cannot change it.
As an example, consider the small network shown in Figure. For simplicity, assume that
each Catalyst switch has a MAC address of all 0s, with the last hex digit equal to the
switch label.
In this network, each switch has the default bridge priority of 32,768. The switches are
interconnected Fast Ethernet links. All three switches try to elect themselves as the root,
but all of them have equal Bridge Priority values. The election outcome produces the root
bridge, determined by the lowest MAC address—that of Catalyst A.
Now that a reference point has been nominated and elected for the entire switched
network, each non-root switch must figure out where it is in relation to the root bridge.
This action is performed by selecting only one root port on each non-root switch.
The root port always points toward the current root bridge.
STP uses the concept of cost to determine many things. Selecting a root port involves
evaluating the root path cost. This value is the cumulative cost of all the links leading to
the root bridge. A particular switch link also has a cost associated with it, called the path
cost. To understand the difference between these values, remember that only the root path
cost is carried inside the BPDU. As the root path cost travels along, other switches can
modify its value to make it cumulative. The path cost, however, is not contained in the
BPDU. It is known only to the local switch where the port (or “path” to a neighbouring
switch) resides.
Path costs are defined as a 1-byte value. Generally, the higher the bandwidth of a link, the
lower the cost of transporting data across it. The original IEEE 802.1D standard defined
path cost as 1000 Mbps divided by the link bandwidth in megabits per second. These
values are shown in the center column of the table. Modern networks commonly use
Gigabit Ethernet and OC-48 ATM, which are both either too close to or greater than the
maximum scale of 1000 Mbps. The IEEE now uses a nonlinear scale for path cost.
1. The root bridge sends out a BPDU with a root path cost value of 0 because its ports
sit directly on the root bridge.
2. When the next-closest neighbour receives the BPDU, it adds the path cost of its own
port where the BPDU arrived. (This is done as the BPDU is received.)
3. The neighbour sends out BPDUs with this new cumulative value as the root path cost.
4. The root path cost is incremented by the ingress port path cost as the BPDU is received
at each switch down the line.
5. Notice the emphasis on incrementing the root path cost as BPDUs are received.
When computing the spanning-tree algorithm manually, remember to compute a new root
path cost as BPDUs come in to a switch port, not as they go out.
By now, you should begin to see the process unfolding: A starting or reference point has
been identified, and each switch “connects” itself toward the reference point with the
single link that has the best path. A tree structure is beginning to emerge, but links have
only been identified at this point. All links still are connected and could be active, leaving
bridging loops.
To remove the possibility of bridging loops, STP makes a final computation to identify
one designated port on each network segment. Suppose that two or more switches have
ports connected to a single common network segment. If a frame appears on that segment,
all the bridges attempt to forward it to its destination. Recall that this behaviour was
the basis of a bridging loop and should be avoided.
In each determination process discussed so far, two or more links might have identical
root path costs. This results in a tie condition, unless other factors are considered. All tie
The three switches have chosen their designated ports (DP) for the following reasons:
Catalyst A
Because this switch is the root bridge, all its active ports are designated ports, by
definition. At the root bridge, the root path cost of each port is 0.
Catalyst B
Catalyst A port 1/1 is the DP for the Segment A–B because it has the lowest root path
cost (0). Catalyst B port 1/2 is the DP for segment B–C. The root path cost for each end
of this segment is 19, determined from the incoming BPDU on port 1/1. Because the root
path cost is equal on both ports of the segment, the DP must be chosen by the next
criteria—the lowest sender bridge ID. When Catalyst B sends a BPDU to Catalyst C, it
has the lowest MAC address in the bridge ID. Catalyst
C also sends a BPDU to Catalyst B, but its sender bridge ID is higher. Therefore, Catalyst
Catalyst C
Catalyst A port 1/2 is the DP for Segment A–C because it has the lowest root path cost
(0). Catalyst B port 1/2 is the DP for Segment B–C. Therefore, Catalyst C port 1/2 will be
neither a root port nor a designated port. As discussed in the next section, any port that is
not elected to either position enters the Blocking state.
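The election described above, as an added Python example (not the report's code), applied to the chapter's three-switch network: Catalyst A, B and C with the default priority 32,768, all-zero MAC addresses ending in the switch letter, ports 1/1 and 1/2, and Fast Ethernet links of cost 19. It elects the root bridge, accumulates the root path cost on the ingress port, picks one root port per non-root switch and one designated port per segment (lowest root path cost, then lowest sender bridge ID), and blocks everything else.

```python
"""Spanning-tree election for a small switched network: root bridge by lowest bridge ID
(priority, then MAC), root path cost accumulated on the ingress port, root port per
non-root switch, designated port per segment (lowest root path cost, then lowest sender
bridge ID), every other port Blocking. Added example, not the report's code; the three
Catalyst switches and their all-zero MAC addresses are the chapter's worked example."""
import heapq
from typing import Dict, List, Tuple

DEFAULT_PRIORITY = 32768
FAST_ETHERNET_COST = 19          # 802.1D nonlinear-scale cost for 100 Mbps

BridgeId = Tuple[int, int]
Link = Tuple[str, str, str, str, int]     # (switch, port, switch, port, path cost)


def bridge_id(priority: int, mac: str) -> BridgeId:
    return priority, int(mac.replace(".", "").replace(":", ""), 16)


def run_stp(switches: Dict[str, Tuple[int, str]], links: List[Link]):
    """switches: name -> (priority, MAC). Returns (root, root path cost per switch,
    role per (switch, port)) with roles 'root', 'designated' or 'blocked'."""
    ids = {name: bridge_id(*pm) for name, pm in switches.items()}
    root = min(ids, key=ids.get)

    # Neighbour lists: (neighbour, neighbour's port on this segment, segment cost)
    adj: Dict[str, List[Tuple[str, str, int]]] = {n: [] for n in switches}
    for a, pa, b, pb, cost in links:
        adj[a].append((b, pb, cost))
        adj[b].append((a, pa, cost))

    # Root path cost: the best (cumulative cost, sender bridge ID) advertised to each
    # switch. The cost is added as the BPDU is received, on the ingress port, and the
    # port that receives the best advertisement becomes the root port.
    infinity = (float("inf"), (0, 0))
    best: Dict[str, Tuple[float, BridgeId]] = {n: infinity for n in switches}
    best[root] = (0, ids[root])
    root_port: Dict[str, str] = {}
    heap = [((0, ids[root]), root)]
    while heap:
        dist, u = heapq.heappop(heap)
        if dist > best[u]:
            continue
        for v, port_on_v, cost in adj[u]:
            candidate = (dist[0] + cost, ids[u])
            if candidate < best[v]:
                best[v] = candidate
                root_port[v] = port_on_v
                heapq.heappush(heap, (candidate, v))

    # Designated port per segment: the end advertising the lower (root path cost, bridge ID)
    roles: Dict[Tuple[str, str], str] = {}
    for a, pa, b, pb, _ in links:
        if (best[a][0], ids[a]) <= (best[b][0], ids[b]):
            designated, other = (a, pa), (b, pb)
        else:
            designated, other = (b, pb), (a, pa)
        roles[designated] = "designated"
        roles[other] = "root" if root_port.get(other[0]) == other[1] else "blocked"

    return root, {n: best[n][0] for n in switches}, roles


# The chapter's network: three switches, default priority, MACs ending in the switch letter
SWITCHES = {"A": (DEFAULT_PRIORITY, "0000.0000.000a"),
            "B": (DEFAULT_PRIORITY, "0000.0000.000b"),
            "C": (DEFAULT_PRIORITY, "0000.0000.000c")}
LINKS: List[Link] = [("A", "1/1", "B", "1/1", FAST_ETHERNET_COST),
                     ("A", "1/2", "C", "1/1", FAST_ETHERNET_COST),
                     ("B", "1/2", "C", "1/2", FAST_ETHERNET_COST)]

if __name__ == "__main__":
    root, costs, roles = run_stp(SWITCHES, LINKS)
    print("root bridge:", root, "root path costs:", costs)
    for (sw, port), role in sorted(roles.items()):
        print("Catalyst %s port %s: %s" % (sw, port, role))
```

The result matches the chapter: A is the root, B and C reach it at cost 19 through ports 1/1, B wins the designated port on segment B–C on the bridge-ID tie, and C port 1/2 is left Blocking. Calling `run_stp(dict(SWITCHES, C=(4096, "0000.0000.000c")), LINKS)` shows the priority field deciding the election ahead of the MAC address: C becomes the root, the root ports of A and B move to their links toward C, and on the A–B segment (another cost tie) A's lower bridge ID makes A 1/1 designated and B 1/1 Blocking.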
STP States
To participate in STP, each port of a switch must progress through several states. A port
begins its life in a Disabled state, moving through several passive states and, finally, into
an active state if allowed to forward traffic. The STP port states are as follows:
Listening—A port is moved from Blocking to Listening if the switch thinks that the port
can be selected as a root port or designated port. In other words, the port is on its way to
begin forwarding traffic.
In the Listening state, the port still cannot send or receive data frames. However, the port
is allowed to receive and send BPDUs so that it can actively participate in the Spanning
Tree topology process. Here, the port finally is allowed to become a root port or
designated port because the switch can advertise the port by sending BPDUs to other
switches. If the port loses its root port or designated port status, it returns to the Blocking
state.
Learning—After a period of time called the Forward Delay in the Listening state, the
port is allowed to move into the Learning state. The port still sends and receives BPDUs
as before. In addition, the switch now can learn new MAC addresses to add to its address
table. This gives the port an extra period of silent participation and allows the switch to
assemble at least some address information. The port cannot yet send any data frames,
however.
Forwarding—After another Forward Delay period of time in the Learning state, the port
is allowed to move into the Forwarding state. The port now can send and receive data
frames, collect MAC addresses in its address table, and send and receive BPDUs.
The port is now a fully functioning switch port within the spanning-tree topology.
Remember that a switch port is allowed into the Forwarding state only if no redundant
links (or loops) are detected and if the port has the best path to the root bridge as the root
port or designated port.
Ethernet, Gigabit, or 10-Gigabit Ethernet ports to scale link speeds by a factor of ten.
Cisco offers another method of scaling link bandwidth by aggregating, or bundling,
parallel links, termed the EtherChannel technology. Two to eight links of either Fast
Ethernet (FE), Gigabit Ethernet (GE), or 10-Gigabit Ethernet (10GE) are bundled as one
logical link of Fast EtherChannel (FEC), Gigabit EtherChannel (GEC), or 10-Gigabit
EtherChannel (10GEC), respectively. This bundle provides a full-duplex bandwidth of up
to 1600 Mbps (eight links of Fast Ethernet), 16 Gbps (eight links of Gigabit Ethernet), or
160 Gbps (eight links of 10-Gigabit Ethernet).
This also provides an easy means to “grow,” or expand, a link’s capacity between two
switches, without having to continually purchase hardware for the next magnitude of
throughput. For example, a single Fast Ethernet link (200 Mbps throughput) can be
incrementally expanded up to eight Fast Ethernet links (1600 Mbps) as a single Fast
EtherChannel.
If the traffic load grows beyond that, the growth process can begin again with a single
Gigabit Ethernet link (2 Gbps throughput), which can be expanded up to eight Gigabit
Ethernet links as a Gigabit EtherChannel (16 Gbps). The process repeats again by moving
to a single 10-Gigabit Ethernet link, and so on.
Ordinarily, having multiple or parallel links between switches creates the possibility of
bridging loops, an undesirable condition. EtherChannel avoids this situation by bundling
parallel links into a single, logical link, which can act as either an access or a trunk link.
Switches or devices on each end of the EtherChannel link must understand and use the
EtherChannel technology for proper operation. Although an EtherChannel link is seen as
a single logical link, the link doesn’t necessarily have an inherent total bandwidth equal to
the sum of its component physical links. For example, suppose that an FEC link is made
up of four full-duplex, 100-Mbps Fast Ethernet links.
Although it is possible for the FEC link to carry a total throughput of 800 Mbps (if each
link becomes fully loaded), the single resulting FEC bundle does not operate at this speed.
EtherChannel also provides redundancy with several bundled physical links. If one of the
links within the bundle fails, traffic sent through that link automatically is moved to an
adjacent link. Failover occurs in less than a few milliseconds and is transparent to the end
user. As more links fail, more traffic is moved to further adjacent links. Likewise, as
links are restored, the load automatically is redistributed among the active links.
EtherChannel bundles can consist of up to eight physical ports of the same Ethernet
media type and speed. Some configuration restrictions exist to ensure that only similarly
configured links are bundled. Generally, all bundled ports first must belong to the same
VLAN. If used as a trunk, bundled ports must be in trunking mode, have the same native
VLAN, and pass the same set of VLANs. Each of the ports should have the same speed
and duplex settings before being bundled. Bundled ports also must be configured with
identical spanning-tree settings.
The hashing operation can be performed on either MAC or IP addresses and can be based
solely on source or destination addresses, or both. Use the following command to
configure frame distribution for all EtherChannel switch links:
EtherChannel Configuration
For each EtherChannel on a switch, you must choose the EtherChannel negotiation
protocol and assign individual switch ports to the EtherChannel. Both PAgP- and LACP-
negotiated EtherChannels are described in the following sections. You also can configure
an EtherChannel to use the on mode, which unconditionally bundles the links. In this
case, neither PAgP nor LACP packets are sent or received. As ports are configured to be
CHAPTER 9. VOIP
Voice over Internet Protocol is a category of hardware and software that enables people to
use the Internet as the transmission medium for telephone calls by sending voice data in
packets using IP rather than by traditional circuit transmissions of the PSTN.
One advantage of VoIP is that the telephone calls over the Internet do not incur a
surcharge beyond what the user is paying for Internet access, much in the same way that
the user doesn't pay for sending individual emails over the Internet. With VoIP, you can
make a call from anywhere you have broadband connectivity.
VoIP systems employ session control and signaling protocols to control the signaling, set-
up, and tear-down of calls. They transport audio streams over IP networks using special
media delivery protocols that encode voice, audio, video with audio codecs, and video
Voice over IP has been implemented in various ways using both proprietary protocols
and protocols based on open standards. Examples of the VoIP protocols are:
H.323
Media Gateway Control Protocol (MGCP)
Session Initiation Protocol (SIP)
H.248 (also known as Media Gateway Control (Megaco))
Real-time Transport Protocol (RTP)
Real-time Transport Control Protocol (RTCP)
Secure Real-time Transport Protocol (SRTP)
Session Description Protocol (SDP)
Inter-Asterisk eXchange (IAX)
Jingle (XMPP VoIP extensions)
Skype protocol
TeamSpeak
The H.323 protocol was one of the first VoIP protocols that found widespread
implementation for long-distance traffic, as well as local area network services. However,
since the development of newer, less complex protocols such as MGCP and SIP, H.323
deployments are increasingly limited to carrying existing long-haul network traffic. In
particular, the Session Initiation Protocol (SIP) has gained widespread VoIP market
penetration.
These protocols can be used by special-purpose software, such as Jitsi, or integrated into a
web page (web-based VoIP), like Google Talk.
9.2 IP PHONES
VoIP phones utilize packet-switched Voice over Internet Protocol (VoIP), or Internet
telephony, to transmit telephone calls over the Internet as opposed to the circuit-switched
telephony used by the traditional Public Switched Telephone Network (PSTN). The
advantage to VoIP phone calls is that unlike regular long-distance calls, phone calls made
through a VoIP phone service are free – there are no fees beyond the cost of your Internet
access.
These specialized phones look just like normal phones with a handset, cradle and buttons.
Also referred to as online phones or Internet phones, a VoIP phone can be a physical
telephone with built-in IP technology and an RJ-45 Ethernet connector instead of the
RJ-11 phone connector found in standard phones, or it can be a voice-capable computer that
uses VoIP hardware such as Magic Jack or VoIP software like Skype. This flexibility
makes it possible for VoIP phone calls to function as Internet phone-to-phone, Internet
phone-to-PC, PC-to-PC or PC-to-phone calls.
IP phones connect directly to your router and have all the hardware and software
necessary right onboard to handle the IP call. Wi-Fi phones allow subscribing callers to
make VoIP calls from any Wi-Fi hot spot.
Caller ID support among VoIP providers varies, but is provided by the majority of VoIP
providers. Many VoIP service providers allow callers to configure arbitrary caller ID
information, thus permitting spoofing attacks. Business-grade VoIP equipment and
software often make it easy to modify caller ID information, giving many businesses
great flexibility.
The United States enacted the Truth in Caller ID Act of 2009 on December 22, 2010. This
law makes it a crime to "knowingly transmit misleading or inaccurate caller identification
information with the intent to defraud, cause harm, or wrongfully obtain anything of
value."
• Cheaper telecommunications
Disadvantages of VOIP
Planning of work
First of all, we need to decide the structure of the network and then the devices to be
used. In this project we used routers, switches, servers, Linksys devices and end devices
(PCs, laptops, etc.). We used both wired and wireless networks. Our main goal is to apply
security services. After creating the structure, it is time to configure the networks and
routing protocols so that the routers can communicate, and then DHCP to provide IP
addresses to the end devices. After this, security services such as NAT, ACLs, port
security and login passwords are applied.
10.1 Project Overview: Network security consists of the provisions and policies
adopted by a network administrator to prevent and monitor unauthorized access, misuse,
modification, or denial of a computer network and network-accessible resources. Network
security involves the authorization of access to data in a network, which is controlled by
the network administrator.
In this project all work is done on Cisco Packet Tracer software and is practically
performed on real devices.
User authentication
Port security or MAC address filtering: Port security limits the number of
MAC addresses allowed per port and can also limit which MAC addresses are
allowed. Allowed MAC addresses can be configured manually, or the switch can
learn them dynamically; with sticky learning, the learned MAC address of a device
is bound to that specific port.
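The behaviour just described (a per-port limit on secure MAC addresses, statically configured addresses, sticky learning, and a violation action when an unknown address arrives after the limit is reached) is shown below as an added Python model. It is not code from the original report or from Cisco IOS; the comments name the IOS port-security options each attribute corresponds to, and the port names and MAC addresses are constructed sample values.

```python
"""Model of switch port security (MAC-address filtering).

Added example, not from the original report or from Cisco IOS. It models a
per-port limit on secure MAC addresses, static and learned addresses, sticky
versus dynamic learning, and the three violation actions. Port names and MAC
addresses are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Set


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum <n>
    sticky: bool = False             # switchport port-security mac-address sticky
    violation: str = "shutdown"      # switchport port-security violation {shutdown|restrict|protect}
    allowed: Set[str] = field(default_factory=set)  # static secure MACs (mac-address <mac>)
    learned: Set[str] = field(default_factory=set)  # dynamically or sticky-learned secure MACs
    err_disabled: bool = False
    violations: int = 0

    def secure_macs(self) -> Set[str]:
        """All addresses currently allowed to send on this port."""
        return self.allowed | self.learned

    def receive(self, src_mac: str) -> str:
        """Handle one ingress frame; returns 'forward', 'drop' or 'shutdown'."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                       # a shut-down port forwards nothing
        if src_mac in self.secure_macs():
            return "forward"                    # known secure address
        if len(self.secure_macs()) < self.maximum:
            self.learned.add(src_mac)           # room left under the limit: learn it
            return "forward"
        # Limit reached and the source is not a secure address: a violation.
        if self.violation == "shutdown":
            self.violations += 1
            self.err_disabled = True            # port goes err-disabled until an admin recovers it
            return "shutdown"
        if self.violation == "restrict":
            self.violations += 1                # frame dropped and the violation counted/logged
            return "drop"
        return "drop"                           # protect: frame dropped silently

    def link_reset(self) -> None:
        """Link flap: dynamically learned secure MACs are forgotten, sticky ones are kept."""
        if not self.sticky:
            self.learned.clear()

    def clear_errdisable(self) -> None:
        """Administrator recovers the port (shutdown, then no shutdown)."""
        self.err_disabled = False


if __name__ == "__main__":
    # Constructed scenario: one sticky port limited to a single device.
    p = SecurePort("Fa0/1", maximum=1, sticky=True)
    print(p.receive("aa:bb:cc:00:00:01"))   # forward (learned, sticky)
    print(p.receive("aa:bb:cc:00:00:02"))   # shutdown (second device on a one-address port)
    print(p.receive("aa:bb:cc:00:00:01"))   # drop (port is err-disabled)
    p.clear_errdisable()
    p.link_reset()
    print(p.secure_macs())                  # sticky address survives the link reset
```

The point the model makes is the difference between the learning modes: after a link reset the dynamically learned port forgets its addresses and will accept the next device it sees, while the sticky port keeps its bound address and will still refuse any other device.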
Access control list: The original intention of an access list was to permit or deny
access of packets into, out of, or through a router. Access lists have become
powerful tools for controlling the behavior of packets and frames.
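How an access list actually decides to permit or deny a packet is shown below as an added Python model, not code from the original report or from Cisco IOS. It evaluates an extended ACL the way a router does: entries are checked top-down, the first matching entry decides, and a packet that matches no entry is dropped by the implicit deny at the end of every ACL. Source and destination addresses are compared with Cisco-style wildcard masks (0 bits must match, 1 bits are ignored; "any" is 0.0.0.0 255.255.255.255). The ACL entries and packets are constructed sample values.

```python
"""Model of a router access control list (ACL) evaluating packets.

Added example, not from the original report or from Cisco IOS. Entries are
matched top-down with wildcard masks; the first match wins and unmatched
packets hit the implicit deny. The sample ACL and packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' keyword: address 0.0.0.0, wildcard all ones


def matches(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard-mask comparison: bits set in the wildcard are 'don't care'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(network)) & care)


@dataclass(frozen=True)
class Entry:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" matches every protocol; else "tcp", "udp", "icmp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int] = None   # 'eq <port>' on tcp/udp entries


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, int]:
    """First match wins; returns (action, entry index), with index -1 for the implicit deny."""
    for i, e in enumerate(acl):
        if e.protocol != "ip" and e.protocol != pkt.protocol:
            continue
        if not matches(pkt.src, e.src, e.src_wc):
            continue
        if not matches(pkt.dst, e.dst, e.dst_wc):
            continue
        if e.dst_port is not None and e.dst_port != pkt.dst_port:
            continue
        return e.action, i
    return "deny", -1                # implicit 'deny any' at the end of every ACL


# Constructed sample ACL: the 192.168.1.0/24 LAN may reach web servers anywhere,
# must not reach the 10.0.0.0/8 management range otherwise, and all else is permitted.
SAMPLE_ACL = [
    Entry("permit", "tcp", "192.168.1.0", "0.0.0.255", *ANY, dst_port=80),
    Entry("deny", "ip", "192.168.1.0", "0.0.0.255", "10.0.0.0", "0.255.255.255"),
    Entry("permit", "ip", *ANY, *ANY),
]


if __name__ == "__main__":
    for pkt in [
        Packet("tcp", "192.168.1.5", "10.1.1.1", 80),   # web into management: entry 0 permits first
        Packet("tcp", "192.168.1.5", "10.1.1.1", 22),   # SSH into management: entry 1 denies
        Packet("udp", "192.168.1.5", "10.1.1.1", 53),   # DNS into management: entry 1 denies
        Packet("icmp", "172.16.0.1", "10.1.1.1"),       # other source: entry 2 permits
    ]:
        print(pkt, "->", evaluate(SAMPLE_ACL, pkt))
    # Without the final permit, the implicit deny drops anything not matched above.
    print(evaluate(SAMPLE_ACL[:2], Packet("icmp", "172.16.0.1", "10.1.1.1")))
```

The ordering of the first two entries is the practical lesson: because the web permit sits above the management deny, HTTP to the management range is allowed while SSH and DNS to it are not; swapping the two lines would block the web traffic as well, and removing the final permit would drop every packet not explicitly listed.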
11. Conclusion
Computer networking is a very vast field in the present developing era of
electronics and communication. Nowadays, computers are used more widely than ever. All
organizations use multiple computers within their departments to perform their day-to-day
work. A computer network allows users to share data, folders and files with other users
connected to the network. Computer networking has bound the world into a very small area
with its wide networking processes such as LAN, MAN and WAN. Every network requires
security for its confidential data and to secure that data.
Applications
Communication Field
Industries
Medical Field
Research Field
Organizations
School
Colleges
Military
Domestic use