Thursday, May 4, 2017 1:12 PM
1. Client/Server vs. Peer‐to‐Peer
In this episode, Mike looks at the two main types of networks: client/server and peer‐to‐peer.
From <https://hub.totalsem.com/content/2257#path=2257,2458,2459>
The terms have two meanings: the old-school one and the modern one.
Old School meaning:
Server: Back in the 80s, when networking was first taking off, you would set up a Novell NetWare
server. This was a dedicated machine that did nothing but run NetWare (you couldn't install Microsoft
Word on it, for example).
Client: DOS computers ran a NetWare client. With the client loaded, the computer suddenly had access
to a shared drive on the server (e.g. a Z: drive). Only clients could talk to the server, and clients could
not talk to each other.
Microsoft changed this with Microsoft LAN Manager, which introduced peer-to-peer networking:
any computer could be a client, a server, or both.
Today machines don't have to be dedicated clients or dedicated servers; they can be either.
LAN Manager wasn't very secure or robust, and it was easy to misconfigure.
Modern meaning:
Network+ Page 1
Today's systems are peer‐to‐peer but are very robust and more secure.
For the most part, pretty much everything done on the internet is client/server.
You use a web client (browser) to access a web server (website).
To read email you use a mail client to access a mail server (or a browser to access a webmail server).
Some big exceptions to that are peer‐to‐peer tools, like BitTorrent. You have a bunch of peers that work
together to share data.
2. Virtual Private Networks (VPNs)
In this episode, Mike explains virtually everything about technology that enables remote clients to
connect to a local network, also called a Virtual Private Network (VPN).
From <https://hub.totalsem.com/content/2257#path=2257,2458,2460>
Sometimes you are working remotely and want an IP address that is part of your work's network. There
are situations where you need to be in your own (work) network. For example, if you need to copy a file
from the server to your desktop. In a Remote Desktop situation you would just be copying that file from
the server to the computer back at the office. There are situations where you need to be on your Local
Area Network even though you are far away.
Options for doing this:
1. Dial in to your router at 56k.
2. Run a dedicated high-speed optical line from that router to wherever you are.
3. A Virtual Private Network (VPN)!
We're going to make a laptop in an airport lounge in Illinois a part of a network (with an IP address that's
part of a LAN) elsewhere.
Challenges in making a remote computer part of a LAN:
The LAN almost certainly uses private IP addresses.
The remote computer therefore needs two addresses: a public one so its packets can reach the LAN's
router across the internet, and a private one that fits the LAN's addressing.
Example:
A packet carries two private IP addresses (the inner header: my laptop and the server) and two public IP
addresses (the outer header: the airport's address and my LAN router's address).
When the packet reaches the router, the router strips off the outer, public header and leaves the private
packet, which then behaves as if it had originated on the LAN. Equally, something on my side has to be
smart enough to put the public header back on everything I send out.
That's the beauty of a VPN. It creates a tunnel, an IP packet inside an IP packet, between two endpoints.
The tunnel may or may not be encrypted. Without encryption, anyone on the path (the airport Wi-Fi, for
instance) can read the inner packet as easily as the router can, so in practice pick a tunnel type that
encrypts.
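The "IP address inside an IP address" idea, as an added example that is not part of the course notes: the client wraps a private packet (laptop to file server) in a public one (airport to office router), and the router strips the outer header. The addresses, payload and the plain IP-in-IP encapsulation are assumptions for illustration; a real VPN adds encryption and authentication on top, which is exactly what this unencrypted tunnel lacks.

```python
import struct
from ipaddress import IPv4Address

# Constructed addresses for this example (none come from the course):
# the laptop's public address on the airport Wi-Fi, the office VPN
# router's public address, and the two private LAN addresses.
AIRPORT_PUBLIC = "203.0.113.25"
OFFICE_PUBLIC = "198.51.100.7"
LAPTOP_PRIVATE = "10.12.0.77"
FILESERVER_PRIVATE = "10.12.0.10"

PROTO_IPIP = 4   # IANA protocol number for IP-in-IP encapsulation (RFC 2003)
PROTO_TCP = 6
HEADER_FMT = "!BBHHHBBH4s4s"   # ver/IHL, TOS, len, ID, flags/frag, TTL, proto, cksum, src, dst


def checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack(HEADER_FMT, 0x45, 0, 20 + payload_len, 0x1234, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) for a packet with a plain 20-byte header."""
    if checksum(pkt[:20]) != 0:          # a valid header sums to zero, checksum included
        raise ValueError("bad IPv4 header checksum")
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(HEADER_FMT, pkt[:20])
    return str(IPv4Address(src)), str(IPv4Address(dst)), proto, pkt[20:total_len]


def encapsulate(inner: bytes) -> bytes:
    """The VPN client's job: wrap the private packet in a public one addressed to the router."""
    return ipv4_header(AIRPORT_PUBLIC, OFFICE_PUBLIC, PROTO_IPIP, len(inner)) + inner


def decapsulate(outer: bytes) -> bytes:
    """The VPN router's job: strip the public header and hand the private packet to the LAN."""
    _, dst, proto, payload = parse_ipv4(outer)
    if dst != OFFICE_PUBLIC or proto != PROTO_IPIP:
        raise ValueError("not a tunnel packet for this endpoint")
    return payload


def demo():
    payload = b"copy report.docx from the file server"   # constructed inner payload
    inner = ipv4_header(LAPTOP_PRIVATE, FILESERVER_PRIVATE, PROTO_TCP, len(payload)) + payload
    outer = encapsulate(inner)
    outer_src, outer_dst, _, _ = parse_ipv4(outer)       # all the airport network needs to see
    inner_src, inner_dst, _, inner_payload = parse_ipv4(decapsulate(outer))
    return {
        "outer": (outer_src, outer_dst),
        "inner": (inner_src, inner_dst),
        "outer_len": len(outer),
        # With no encryption, the inner header and data are readable in transit.
        "inner_readable_in_transit": inner in outer and inner_payload == payload,
    }


if __name__ == "__main__":
    print(demo())
```

The outer header is what the airport network routes on; the router's decapsulate() is the "strips away the public part" step. Note that `inner_readable_in_transit` is true: nothing about the tunnel itself hides the private addresses or the payload, which is why the choice of VPN type (and its encryption) matters.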
Let's set up a VPN between Mike's Windows 8 computer and
Most OSes have a built-in VPN client. Most VPN products also ship a third-party client.
1. Connect to my workplace
2. Use my Internet connection (VPN)
3. Type in the Internet address, a name for the VPN connection (to distinguish from any other VPN
connections you have on that computer), check Remember my credentials and Allow other people
to use this connection, then Create.
Go into adapter settings and the new connection is there. Windows presents a VPN as a virtual network
adapter, so you can assign an IP address and other settings to the virtual adapter like any other card.
Go into Properties and check out the Security tab.
Choose the Type of VPN: Automatic (tries the supported protocols in turn until one connects), PPTP
(the old Microsoft protocol), L2TP/IPsec (common on Cisco and other vendors' gear), SSTP (Microsoft's
SSL/TLS-based tunnel). You choose based on what the people who set up the VPN server tell you.
Caveat: PPTP's authentication and encryption (MS-CHAPv2 / MPPE) are considered broken; prefer
L2TP/IPsec, SSTP or IKEv2 whenever the server offers them.
Can choose different type of authentication:
EAP (Extensible Authentication Protocol) covers several methods, most of them certificate-based, so
clicking Properties gives you many different options:
Alternatively, you can use the old-school password-based protocols:
IKEv2 is a pure IPsec VPN.
Client-to-site VPN: connects a single remote computer to a local network.
Then we set up the VPN endpoint on the network itself (usually on the router). One way to do this is to
buy a router that is also a VPN concentrator; it acts as the other end of the tunnel.
Site-to-site VPN: VPN concentrators at the edge of two networks keep a permanent tunnel up, so the two
LANs behave as one network.
Most of the time the VPN type you use is dictated by the equipment you buy.
Cisco boxes will probably use L2TP/IPsec (older) or SSL-based VPNs (newer).
A Microsoft server environment has traditionally used PPTP.
Takeaway: appreciate WHY we use VPNs and what the choices are.
3. Introduction to VLANs
In this episode, Mike explores the concepts and processes behind virtual LANs, including managed
switches and trunking.
From <https://hub.totalsem.com/content/2257#path=2257,2458,2461>
Simplified piece of his network:
Two switches that everyone in his network plugs into (red cables).
A crossover cable connects the two switches.
One WAP for Wi-Fi.
His problem: a lot of visitors come in and use his wireless network, and all of his switches, servers,
everything sit in one big broadcast domain. So a bad actor on the Wi-Fi could reach file servers and
other things he doesn't want them touching. We can make this more secure with a Virtual LAN (VLAN).
A VLAN takes one big broadcast domain and breaks it up into two or more smaller broadcast domains.
It's like cutting a switch in half. We use VLANs to segregate broadcast domains.
Why not just put all the wireless devices on one switch and everything else on the other? In bigger
networks that is physically awkward. We need a way to separate broadcast domains electronically, and
that's what VLANs are for.
You have to have switches that can do this. Managed switches.
There are 2 types of switches:
1. Unmanaged: cheap, no configuration.
2. Managed: more expensive, because they support features like VLANs.
Switches work at Layer 2 of the OSI model and forward on MAC addresses. A switch doesn't need an IP
address to do its job, but you give it one so that humans can reach its management interface and
configure it. That management address should only be reachable from a trusted network (typically a
dedicated management VLAN), never from the guest ports you are trying to wall off.
For configuring Cisco switches, use the Cisco CNA (Cisco Network Assistant) tool.
Open Cisco CNA
Type in the IP address for the switch
Type in username and password for the switch
CNA has a cool graphic that shows the switch and what ports are plugged in right now
1 port is plugged into the other switch
1 port is plugged into Mike's laptop
1 port is plugged into his WAP
By default, Cisco switches put every port in VLAN 1. (Mike notes that the Network+ exam seems to
assume a default of VLAN 0.)
He created a new VLAN and called it VLAN2
Once the VLAN is made, you have to tell the switch which ports belong to it. To do so, go to the
"Configure Ports" tab.
This is a 24-port switch, so all 24 ports are listed.
Fa0/n is Cisco-speak for "FastEthernet port n".
He assigns ports 5, 6, 7 and 8 to VLAN 2: highlight them and click Modify.
He changes the Static-Access VLAN to 2.
For port 7 the Administrative Mode is Static Access, and he changed its VLAN to 2. You can also
Static Access means you statically assign the port to a VLAN.
Dynamic Access and Dynamic Desirable have to do with trunking (the port negotiates with whatever is
on the other end), or you can force a port into Trunk mode. Ports facing end users should stay Static
Access so a connected host cannot negotiate itself onto a trunk.
Once a VLAN is set up it is not limited to one particular switch.
VTP (VLAN Trunking Protocol, Cisco-proprietary) lets this switch advertise its VLAN database to the
other switches, so they learn that the other VLANs exist.
Mike's switches are interconnected with a (pink) crossover cable.
He can set up VLANs on the second switch using the same VLAN numbers he used on the first.
Because of VTP he can go into the second switch and assign certain ports to VLAN 2.
Whenever two switches are interconnected, the ports used for the interconnection normally become
trunk ports pretty much automatically.
Dynamic Desirable: the two ports he plugged the crossover cable into had this setting, so they
negotiated themselves into trunk mode. The inter-switch links are the trunk ports.
Ports 5 ‐ 8 are setup on VLAN 2.
The VLAN gives complete separation. It's as if he had a little 4-port switch inside the big switch.
With trunking in place he can set up VLAN 2 on the second switch, and its VLAN 2 ports will talk to the
four VLAN 2 ports on the first switch.
Right-click the port (24) > VLAN: you can see it automatically set itself up as a trunk.
802.1Q is the standard for trunking: every frame crossing a trunk carries a tag with its VLAN ID, which is
how the far switch knows which VLAN to deliver it into.
Key takeaways:
• VLANs take a single broadcast domain and break it up into smaller broadcast domains
• You have to go into the switch to configure the VLANS.
• With trunking we can propagate one or more VLANs across multiple switches.
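The separation and trunking described above, as an added example that is not from the course: a toy 802.1Q switch model with access ports (ports 5-8 in VLAN 2, the rest in VLAN 1, as in the episode) and a tagged trunk on port 24 between two switches. A broadcast from a Wi-Fi guest on a VLAN 2 port floods only to VLAN 2 ports, on both switches, and never to the VLAN 1 ports. The MAC addresses, port layout and ARP payload are constructed for the example.

```python
import struct
from typing import Dict, List, Optional, Set, Tuple

TPID_8021Q = 0x8100          # EtherType that announces an 802.1Q tag
BROADCAST = b"\xff" * 6


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame; if vid is given, insert a 4-byte 802.1Q tag after the source MAC."""
    tag = b""
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)       # priority, DEI=0, 12-bit VLAN ID
        tag = struct.pack("!HH", TPID_8021Q, tci)
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, Optional[int], int, bytes]:
    """Return (dst, src, vid or None, ethertype, payload); understands one 802.1Q tag."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]


def retag(frame: bytes, vid: Optional[int]) -> bytes:
    """Re-emit a frame with the given tag (vid=None strips the tag, as on an access port)."""
    dst, src, _, ethertype, payload = parse_frame(frame)
    return build_frame(dst, src, ethertype, payload, vid)


class ManagedSwitch:
    """Toy 802.1Q switch: access ports carry one untagged VLAN, trunk ports carry tagged frames."""

    def __init__(self, name: str, access: Dict[int, int], trunks: Set[int]):
        self.name = name
        self.access = access                 # port number -> VLAN ID
        self.trunks = trunks                 # ports in trunk mode
        self.mac_table: Dict[Tuple[int, bytes], int] = {}   # (VLAN, MAC) -> port
        self.links: Dict[int, Tuple["ManagedSwitch", int]] = {}

    def connect(self, port: int, other: "ManagedSwitch", other_port: int) -> None:
        self.links[port] = (other, other_port)
        other.links[other_port] = (self, port)

    def receive(self, in_port: int, frame: bytes, delivered: List[Tuple[str, int, int]]) -> None:
        dst, src, vid, _, _ = parse_frame(frame)
        if in_port in self.trunks:
            if vid is None:
                return                       # this toy has no native VLAN: untagged on a trunk is dropped
            vlan = vid
        else:
            vlan = self.access[in_port]      # any tag a host sends on an access port is ignored
        self.mac_table[(vlan, src)] = in_port
        out_port = self.mac_table.get((vlan, dst))
        if dst != BROADCAST and out_port is not None:
            out_ports = [out_port]
        else:                                # unknown or broadcast: flood, but only inside this VLAN
            out_ports = [p for p, v in self.access.items() if v == vlan] + sorted(self.trunks)
        for out in out_ports:
            if out == in_port:
                continue
            if out in self.trunks:           # tag it and hand it to the neighbouring switch
                other, other_port = self.links[out]
                other.receive(other_port, retag(frame, vlan), delivered)
            else:                            # access port egress (the frame would leave untagged)
                delivered.append((self.name, out, vlan))


def demo() -> List[Tuple[str, int, int]]:
    """Constructed topology modelled on the episode: two 24-port switches, ports 5-8 in VLAN 2,
    everything else in VLAN 1, port 24 on each switch trunked to the other."""
    def ports() -> Dict[int, int]:
        return {p: (2 if 5 <= p <= 8 else 1) for p in range(1, 24)}
    sw1, sw2 = ManagedSwitch("sw1", ports(), {24}), ManagedSwitch("sw2", ports(), {24})
    sw1.connect(24, sw2, 24)
    guest = bytes.fromhex("02aa00000005")    # constructed MAC of a Wi-Fi guest behind the WAP on sw1 port 5
    arp = build_frame(BROADCAST, guest, 0x0806, b"who-has 10.0.2.1")
    delivered: List[Tuple[str, int, int]] = []
    sw1.receive(5, arp, delivered)
    return delivered                        # every (switch, port, vlan) that received the broadcast


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The broadcast reaches seven ports (6, 7, 8 on sw1 and 5 to 8 on sw2), all in VLAN 2; the trunk carries it with a VLAN 2 tag and the second switch uses that tag to pick the right ports. The file servers on VLAN 1 ports never see it, which is the whole point of the segmentation.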
4. InterVLAN Routing
In this episode, Mike shows how to network between virtual LANs.
From <https://hub.totalsem.com/content/2257#path=2257,2458,2462>
One of the big issues with VLANs: you have taken one big network and split it into separate broadcast
domains. That's good, but the downside is that sometimes you want those separate networks to talk to
each other, and that can get messy.
Example:
Router on top
Top switch is on VLAN 2
Bottom switch is on VLAN 3
In the old days you needed a router to connect two VLANs.
This router has two Ethernet ports; the other ports are used for management.
He took one arbitrary port from VLAN 2 and plugged it into one side of the router, and another
arbitrary port from VLAN 3 into the other side.
Now he can go into the router configuration and set up firewall rules, ACLs, whatever he needs to keep
one VLAN from getting too far into the other.
Every additional VLAN is another broadcast domain, so he'd have to keep adding routers, or at least
more ports on a single router, to let everybody interconnect. It's a mess!
Instead of adding more and more ports, we use inter-VLAN routing: the functions of a router built into
higher-end (Layer 3) switches.
To set it up (for example): go into VLAN 2 and VLAN 3 and allow inter-VLAN routing. On a really good
switch you can apply Access Control Lists between the VLANs as well, so that routing between them
doesn't simply undo the separation you just created.
Inter-VLAN routing is simply the tool we use; it can be done with one box or two.
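Inter-VLAN routing with an ACL between the VLANs, as an added example that is not from the course: a model of the decision a Layer 3 switch makes for a packet leaving one VLAN for another, including the Cisco-style implicit deny at the end of an ACL. The subnets (10.0.2.0/24 for VLAN 2, 10.0.3.0/24 for VLAN 3) and the policy (wireless guests may reach only the web server on 443) are assumptions chosen to match the episode's two-VLAN picture.

```python
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# Constructed addressing for the two VLANs in the episode (not from the course).
VLAN_SUBNETS: Dict[int, IPv4Network] = {
    2: ip_network("10.0.2.0/24"),    # wired: the servers live here
    3: ip_network("10.0.3.0/24"),    # wireless guests
}


class Ace:
    """One access-control entry: action, source prefix, destination prefix, protocol, dest port."""

    def __init__(self, action: str, src: str, dst: str, proto: str = "any", dport: Optional[int] = None):
        self.action = action
        self.src, self.dst = ip_network(src), ip_network(dst)
        self.proto, self.dport = proto, dport

    def matches(self, src: IPv4Address, dst: IPv4Address, proto: str, dport: int) -> bool:
        return (src in self.src and dst in self.dst
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


def evaluate_acl(acl: List[Ace], src: IPv4Address, dst: IPv4Address, proto: str, dport: int) -> str:
    """First matching entry wins; an implicit deny sits at the end, as on Cisco gear."""
    for ace in acl:
        if ace.matches(src, dst, proto, dport):
            return ace.action
    return "deny"


def route_between_vlans(src_vlan: int, src_ip: str, dst_ip: str, proto: str, dport: int,
                        acls: Dict[int, List[Ace]]) -> str:
    """The decision a Layer 3 switch makes for a packet arriving from src_vlan."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    if src not in VLAN_SUBNETS[src_vlan]:
        return "drop: source address does not belong to VLAN %d" % src_vlan   # anti-spoofing
    if dst in VLAN_SUBNETS[src_vlan]:
        return "switched within VLAN %d" % src_vlan   # same broadcast domain: never hits the router
    dst_vlan = next((v for v, net in VLAN_SUBNETS.items() if dst in net), None)
    if dst_vlan is None:
        return "drop: no route to destination"
    if evaluate_acl(acls.get(src_vlan, []), src, dst, proto, dport) == "deny":
        return "denied by ACL on VLAN %d" % src_vlan
    return "routed to VLAN %d" % dst_vlan


# Constructed policy: guests may reach only the web server on 443; the wired VLAN is unrestricted.
ACLS: Dict[int, List[Ace]] = {
    3: [Ace("permit", "10.0.3.0/24", "10.0.2.80/32", "tcp", 443)],
    2: [Ace("permit", "0.0.0.0/0", "0.0.0.0/0")],
}


def demo() -> List[str]:
    cases = [
        (3, "10.0.3.50", "10.0.2.80", "tcp", 443),   # guest -> web server: allowed
        (3, "10.0.3.50", "10.0.2.10", "tcp", 445),   # guest -> file server SMB: implicit deny
        (2, "10.0.2.10", "10.0.3.50", "tcp", 22),    # wired -> guest: routed
        (2, "10.0.2.10", "10.0.2.80", "tcp", 443),   # wired -> wired: stays in VLAN 2
        (3, "10.0.2.99", "10.0.2.10", "tcp", 445),   # guest spoofing a wired address: dropped
    ]
    return [route_between_vlans(*c, ACLS) for c in cases]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two things worth noticing: traffic that stays inside a VLAN never reaches the routing (or the ACL) at all, and the guest VLAN's ACL only lists what is permitted, so the SMB attempt on the file server falls through to the implicit deny without anyone having to write a rule for it.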
5. Interfacing with Managed Switches
In this episode, Mike explains how to connect to and configure managed switches.
From <https://hub.totalsem.com/content/2257#path=2257,2458,2463>
Differences:
• Routers filter and forward traffic based on Layer 3 IP addresses
• Switches use Layer 2 MAC addresses
The whole idea of what switches can do and what routers can do becomes a little fuzzy.
You have to be able to go in and configure switches.
Console port on a Cisco router:
You need a rollover (console) cable to plug into the console port to manage a switch or router.
On Cisco gear the console port is typically RJ45, so the cable has RJ45 on the switch/router end and a
DB9 serial connector on the other end.
Plug the RJ45 end into the console port on the router or switch.
Plug the DB9 end into the serial port on your computer (or use a USB-to-serial adapter).
Use a terminal program such as PuTTY for the connection.
The downside to connecting this way is the serial connection is incredibly slow. It runs at 9600 baud.
Most of these switches also let you connect over an Ethernet connection with telnet (or SSH). So he's
going to use PuTTY with telnet and an Ethernet cable. The interface is the same but this is a lot faster.
Caveat: telnet sends your password in cleartext, so on any real network use SSH if the switch supports
it, and keep management access on a protected VLAN.
PuTTY handles just about any connection type. If you want to use a rollover cable, set the Connection
type to Serial.
He set the com port to COM3 on his particular system and Baud rate is 9600 which is the default for
Cisco stuff.
Type in a password, and you are in Cisco's IOS interface!
Pretty much all Cisco switches and routers run IOS.
The hostname followed by the # sign indicates he is in privileged EXEC (enable) mode.
He typed show st, an abbreviation of show startup-config
--> this shows the startup configuration file for his particular system.
Configuring things in a web browser: he moved the Ethernet cable from the router to his Netgear switch
(any port).
This is not a router, just a switch.
It has the factory default IP address.
Click on Setup and you can give it a name and a static IP. He assigned a static IP address:
You can set up a very basic access control list:
There is also port configuration:
This allows you to do things like force a speed and force flow control.
You can configure QoS to set up priorities for different types of traffic. Priorities go from 0-7 on this
switch. You can throttle FTP traffic to a percentage of your total bandwidth, for instance.
Mike set up two VLANs, called the second one "wireless" and assigned a few ports to it:
Monitoring is interesting. By design, a switch sends a unicast frame only to the port where the
destination MAC address lives, so you can't see other ports' traffic without help from the switch.
Sniffer mode: both (see everything being sent and received)
Sniffer port: 01 (the port you listen in on)
Source ports: tick the boxes for the ports whose traffic you want mirrored to port 1. Great way to feed
monitoring tools.
Spanning Tree Protocol is pretty common on better switches today.
If there's no risk of bridge loops from miswiring you can keep it disabled, but then a single mis-patched
cable between two switches takes the network down with a broadcast storm. On anything beyond a toy
network, leave it on.
Simple Network Management Protocol (SNMP) is supported by all kinds of devices but is primarily used
on switches and routers so you can query them for their status. You set up an IP address (the
management station) and what it is allowed to do on this particular device. SNMP is mostly used for
monitoring routers and switches.
- Community is a name shared by all the devices in the same community; it works as the password
for SNMPv1/v2c. It travels in cleartext, so change the factory defaults (commonly "public" for read
and "private" for write), restrict which addresses may query, and use SNMPv3 where the device
supports it.
IGMP is the Internet Group Management Protocol: if you're going to carry multicast traffic (e.g.
multicast video conferencing), make sure this is turned on so the switch knows which ports actually
want each multicast group.
Port Rate Setting: how fast you can set a port. You can slow certain ports down in case there is a
problem with them or you don't want someone to eat up all your bandwidth.
These are all examples of things you may see in a more powerful managed switch.
6. Port Bonding
Mike looks at how to improve network throughput from a router by combining traffic onto multiple
router ports.
From <https://hub.totalsem.com/content/2257#path=2257,2458,2464>
He's got 2 switches that are trunked together via 1 single trunk line.
Problem: he has so many devices working on these 2 switches (clearly they're not plugged in right now,
but normally they are) that his trunk line is getting overwhelmed. He needs to come up with some way
to increase the bandwidth of his trunk line. He could buy new switches that are higher speed but he'd
like to keep using what he has.
Solution: Port bonding.
a.k.a.: link aggregation, channel bonding, port trunking, NIC trunking, NIC teaming
Take two ports on each of these devices (you can use more than two) and make them work together as a
team, in effect acting as one higher-speed port.
Trunk line is the yellow cable.
He fires up PuTTY, connects to the switch and enters the password.
It is important to know Cisco IOS. Most of the heavy lifting we do is at the Cisco IOS command line.
He's going to take ports 23 and 24 on each switch and make them into a group. In the Cisco IOS world
you create the group (a port-channel interface) and then assign switch ports to that group.
Type configure terminal to get things started: conf t
Create the logical group interface: int port-channel 1
Basically, we've just told the switch to create a group that the two physical ports will belong to.
Make sure it's a trunk: switchport mode trunk
The protocol we're going to use is Link Aggregation Control Protocol (LACP).
Now select the first physical port (port 23; the notes only spell out the port 24 commands, but the
same two commands apply): int fa0/23
Is this port going to be Active or Passive? He made it Active: channel-group 1 mode active
Now repeat the process for the other port:
int fa0/24
channel-group 1 mode active
Both ports are now part of that group.
Then he does the same on the other switch. He plugs in a second crossover cable; if it's done right the
link lights come on. Ports 23 and 24 are now bonded.
To confirm, fire up PuTTY and take a look...
show int port-channel 1
Important part: BW 200000 Kbit
--> That tells us the port channel is running two 100,000 Kbit (100 Mbit/s) links together, for a total
bandwidth of 200,000 Kbit (it worked! Yay!). Caveat: frames are distributed across the member links per
flow (by hashing addresses), so any single conversation still tops out at one link's 100 Mbit/s; the gain is
in aggregate throughput.
We set that port as Active. With LACP you can set it up as Active or Passive. Cisco says to set them all up
as Active. As long as you set one as Active and one as Passive it will work. Or if you set both as Active it
will work. Do not set both as Passive or it will not work.
It's a bad idea to go into your configuration and remove one of these ports from the group without
first unplugging its cable! If you don't, the two cables become a redundant parallel path between the
switches; unless spanning tree blocks one of them, you have a switching loop and a broadcast storm
that will take your network down.
This is a very good Review:
7. Port Mirroring
Here, Mike talks about how to duplicate the traffic from one router port to another port.
From <https://hub.totalsem.com/content/2257#path=2257,2458,2465>
Problem: on the Cisco switch, one of the connected devices is giving Mike weird information, it's
running hard, and he's nervous that things are going in and out of that device that he doesn't want.
Solution: he could go to that device and poke at it directly, but it is a busy computer. So he wants to
monitor all IP traffic in and out of this device remotely. Normally a switch won't let you do that: the
beauty of a switch is that each port is effectively a point-to-point connection, so you can't sniff traffic
going in and out of one port from a different port. A good managed switch can mirror traffic, though.
We're going to configure it to listen on the port the suspect computer is plugged into and send a copy of
everything going in and out to Mike's system. We'll do this in IOS.
Here's the process for setting this up:
1. Enter configuration mode: conf t
2. Create a monitor (SPAN) session, session 1, and tell it the source of the traffic you want to sniff
(FastEthernet port 22):
monitor session 1 source interface fa0/22
3. Tell it where to send the copies (FastEthernet port 23, where Mike's computer is plugged in):
monitor session 1 destination interface fa0/23
Note that while the session exists the destination port is dedicated to the mirrored copy, so don't
pick a port you still need for normal traffic.
Some SOHO devices have a graphical interface.
Port mirroring gives us the ability to remotely monitor data that is going in and out of a particular
source.
8. Quality of Service
Mike shows how traffic is prioritized to maximize efficiency of communication.
From <https://hub.totalsem.com/content/2257#path=2257,2458,2466>
Want to manage bandwidth so it is utilized in the best possible way.
Traffic shaping: control traffic based on a number of criteria, such as the type of service, an IP address
or MAC address, or the port it enters or leaves on.
Quality of Service is a mechanism by which we can perform traffic shaping.
Example: SOHO router > go into QoS > Enable
Upstream bandwidth (a lot of these devices have trouble measuring it automatically, so you can set it
manually; he left it on auto, though).
Now you say who gets what Quality of Service. Every router handles this differently.
This particular router handles a priority basis.
First he put MSN Messenger at Low priority:
It just means that if it gets busy, MSN messenger will be one of the first things to be slowed down.
Next he set his home theater by MAC address to be High priority:
Next he chose Online Games > World of Warcraft > High Priority
2 different things are set to High priority.
9. IDS vs IPS
In this episode, Mike looks at intrusion detection systems and intrusion prevention systems.
From <https://hub.totalsem.com/content/2257#path=2257,2458,2467>
Mike has a little network example:
Yellow is switch
Cylinders are hosts
Triangle is a router/connection to the internet
Facing the internet, the first line of defense is a firewall: it keeps bad traffic out. The red triangle is
where the firewall traditionally sits, so in the screenshot above the router is also the firewall.
You can go out and buy a specialized device that is a firewall, as well as a router:
The router is the red triangle on the far right; the firewall is next to it, to the left.
Firewall rule sets get updated so they know about new threats, but a firewall only filters what its rules
describe. Firewalls are great, but they are imperfect.
You need something inside the network watching for bad behaviour as it happens. That's where
intrusion detection systems come into play.
An IDS can be a specialized device or just a computer (a Windows machine, say) running specialized IDS
software. It tends to sit on the inside of a network; in this example, Mike plugged it into his switch. The
IDS's job is to watch for bad things on the network itself and, when it detects something, to let
somebody know (via a text message, for instance).
This is the first generation of intrusion detection.
There used to be something called an Active IDS. It is called an Intrusion Prevention System (IPS) now.
An IPS does the same as an IDS, watching the inside of the network for bad behaviour, BUT it also does
something to stop it.
What we usually see with an IPS is something like this:
Routers or firewalls can have IPS built in, but you can still buy dedicated IPS boxes whose only job is to
provide IPS features. If the IPS catches something bad on the network it acts to stop it. That is the
main difference between IDS and IPS!
*Make sure you can handle any question that defines a firewall vs an IPS vs an IDS.
A firewall filters, an IDS notifies, and IPS acts to stop.
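The three roles side by side, as an added example that is not from the course: one constructed batch of flows is passed through an edge firewall (filters what crosses the perimeter), then fed to an IDS (sees a copy, as it would from a mirror port, and only reports) and to an IPS (inline, reports and drops). The network, the rules, the "path traversal" signature, the port-scan threshold and every flow are assumptions built for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int, bytes]           # (src IP, dst IP, dst port, payload)
Alert = Tuple[str, str, str, int]            # (rule name, src IP, dst IP, dst port)

LAN = ip_network("10.0.1.0/24")              # constructed inside network
EDGE_ALLOWED_PORTS = {80, 443}               # constructed edge firewall policy
SIGNATURES = [(b"/etc/passwd", "path traversal attempt")]   # constructed IDS signature
SCAN_THRESHOLD = 5                            # distinct ports from one source before we call it a scan

# Constructed traffic, not captured from anywhere.
SAMPLE_FLOWS: List[Flow] = [
    ("198.51.100.9", "10.0.1.20", 443, b"GET /index.html"),           # outside -> web: allowed through
    ("198.51.100.9", "10.0.1.20", 23, b"root\r\n"),                   # outside -> telnet: filtered
    ("10.0.1.33", "10.0.1.20", 80, b"GET /../../etc/passwd"),         # inside host misbehaving
    ("10.0.1.33", "10.0.1.20", 21, b""),
    ("10.0.1.33", "10.0.1.20", 22, b""),
    ("10.0.1.33", "10.0.1.20", 23, b""),
    ("10.0.1.33", "10.0.1.20", 25, b""),                              # 5th distinct port: a scan
    ("10.0.1.40", "10.0.1.20", 445, b"SMB session setup"),            # normal internal traffic
]


def firewall(flows: List[Flow]) -> List[Flow]:
    """Edge firewall: filters what crosses the perimeter. Inside-to-inside traffic never reaches it."""
    passed = []
    for flow in flows:
        src, _, dport, _ = flow
        if ip_address(src) in LAN or dport in EDGE_ALLOWED_PORTS:
            passed.append(flow)
    return passed


def detect(flows: List[Flow]) -> Tuple[List[Alert], Set[int]]:
    """Detection engine shared by IDS and IPS: alerts plus the indexes of flows that tripped a rule."""
    alerts: List[Alert] = []
    flagged: Set[int] = set()
    ports_seen: Dict[str, Set[int]] = defaultdict(set)
    scanners: Set[str] = set()
    for i, (src, dst, dport, payload) in enumerate(flows):
        for pattern, name in SIGNATURES:                 # content signature
            if pattern in payload:
                alerts.append((name, src, dst, dport))
                flagged.add(i)
        ports_seen[src].add(dport)                       # behavioural rule: many ports from one source
        if len(ports_seen[src]) >= SCAN_THRESHOLD and src not in scanners:
            scanners.add(src)
            alerts.append(("port scan", src, dst, dport))
        if src in scanners:
            flagged.add(i)
    return alerts, flagged


def ids(flows: List[Flow]) -> List[Alert]:
    """IDS: works on a copy of the traffic (e.g. from a mirror port) and can only notify."""
    alerts, _ = detect(flows)
    return alerts


def ips(flows: List[Flow]) -> Tuple[List[Alert], List[Flow]]:
    """IPS: sits inline, so besides notifying it drops the flows that tripped a rule."""
    alerts, flagged = detect(flows)
    return alerts, [f for i, f in enumerate(flows) if i not in flagged]


def demo() -> Dict[str, object]:
    inside = firewall(SAMPLE_FLOWS)
    ids_alerts = ids(inside)
    ips_alerts, delivered = ips(inside)
    return {
        "reached_lan": len(inside),           # after the edge firewall
        "ids_alerts": ids_alerts,             # the IDS saw these...
        "ids_delivered": len(inside),         # ...but every flow still arrived
        "ips_alerts": ips_alerts,
        "ips_delivered": len(delivered),      # the IPS removed the flagged flows
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The firewall stops the outside telnet attempt but never sees the internal host's misbehaviour; the IDS and IPS raise the same two alerts from the same detection logic, and the only difference is that the IDS delivers all seven flows while the IPS delivers five. That is the "firewall filters, IDS notifies, IPS acts" distinction in working form.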