A Practical Guide To Advanced Networking PDF

A Practical Guide to Advanced Networking, Third Edition
Jeffrey S. Beasley

Copyright © 2013 by Pearson Education, Inc. All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

ISBN-13: 978-0-7897-4904-8
ISBN-10: 0-7897-4904-1

The Library of Congress Cataloging-in-Publication Data is on file.
Printed in the United States of America
First Printing: November 2012

Associate Publisher: Dave Dusthimer
Executive Editor: Brett Bartow
Senior Development Editor: Christopher Cleveland
Managing Editor: Sandra Schroeder

Contents at a Glance

Introduction
1 Network Infrastructure Design
2 Advanced Router Configuration I
3 Advanced Router Configuration II
4 Configuring Juniper Routers
5 Configuring and Managing the Network Infrastructure
6 Analyzing Network Data Traffic
7 Network Security
8 IPv6
9 Linux Networking
10 Internet Routing
11 Voice over IP
Glossary
Index

Table of Contents

Introduction

Chapter 1 Network Infrastructure Design
  Chapter Outline, Objectives, Key Terms, Introduction
  1-1 Physical Network Design
    Core
    Distribution Layer
    Access Layer
    Data Flow
    Selecting the Media
  1-2 IP Subnet Design
    IP Address Range
    Determining the Number of Subnetworks Needed for the Network
    Determining the Size or the Number of IP Host Addresses Needed for the Network
    IP Assignment
  1-3 VLAN Network
    Virtual LAN (VLAN)
    VLAN Configuration
    VLAN Tagging
    802.1Q Configuration
    Networking Challenge: Static VLAN Configuration
    Configuring the HP Procurve Switch
  1-4 Routed Network
    Router
    Gateway Address
    Network Segments
    Multilayer Switch
    Layer 3 Routed Networks
    Routed Port Configuration
    InterVLAN Routing Configuration
    Serial and ATM Port Configuration
  Summary, Questions and Problems

Chapter 2 Advanced Router Configuration I
  Chapter Outline, Objectives, Key Terms, Introduction
  2-1 Configuring Static Routing
    Gateway of Last Resort
    Configuring Static Routes
    Load Balancing and Redundancy
    Networking Challenge—Static Routes
  2-2 Dynamic Routing Protocols
    Distance Vector Protocols
    Link State Protocols
  2-3 Configuring RIPv2
    Configuring Routes with RIP
    Configuring Routes with RIP Version 2
    Networking Challenge—RIP
  2-4 TFTP—Trivial File Transfer Protocol
    Configuring TFTP
  Summary, Questions and Problems

Chapter 3 Advanced Router Configuration II
  Chapter Outline, Objectives, Key Terms, Introduction
  3-1 Configuring Link State Protocols—OSPF
    Link State Protocols
    Configuring Routes with OSPF
    Load Balancing and Redundancy with OSPF
    Networking Challenge—OSPF
  3-2 Configuring Link State Protocols—IS-IS
    Configuring Routes with IS-IS
    Load Balancing and Redundancy with IS-IS
    Networking Challenge: IS-IS
  3-3 Configuring Hybrid Routing Protocols—EIGRP
    Configuring Routes with EIGRP
    Load Balancing and Redundancy
    Networking Challenge: EIGRP
  3-4 Advanced Routing Redistribution
    Route Redistribution into RIP
    Route Redistribution into OSPF
    Route Redistribution into EIGRP
    Route Redistribution into IS-IS
  3-5 Analyzing OSPF "Hello" Packets
  Summary, Questions and Problems

Chapter 4 Configuring Juniper Routers
  Chapter Outline, Objectives, Key Terms, Introduction
  4-1 Operational Mode
  4-2 Router Configuration Mode
    Displaying the Router Interfaces
    Hostname Configuration
    Assigning an IP Address to an Interface
  4-3 Configuring Routes on Juniper Routers
    Configure STATIC Routes on Juniper Routers
    Configure RIP on Juniper Routers
    Configure OSPF on Juniper Routers
    Configure IS-IS on Juniper Routers
  4-4 Configuring Route Redistribution on Juniper Routers
  Summary, Questions and Problems

Chapter 5 Configuring and Managing the Network Infrastructure
  Chapter Outline, Objectives, Key Terms, Introduction
  5-1 Domain Name and IP Assignment
  5-2 IP Management with DHCP
    DHCP Data Packets
    DHCP Deployment
  5-3 Scaling the Network with NAT and PAT
    Configuring NAT
  5-4 Domain Name Service (DNS)
    DNS Tree Hierarchy
    DNS Resource Records
  Summary, Questions and Problems

Chapter 6 Analyzing Network Data Traffic
  Chapter Outline, Objectives, Key Terms, Introduction
  6-1 Protocol Analysis/Forensics
    Basic TCP/UDP Forensics
    ARP and ICMP
  6-2 Wireshark Protocol Analyzer
    Using Wireshark to Capture Packets
  6-3 Analyzing Network Data Traffic
    Configuring SNMP
    NetFlow
  6-4 Filtering
    FTP Filtering
    Right-Click Filtering Logic Rules
    Filtering DHCP
  Summary, Questions and Problems

Chapter 7 Network Security
  Chapter Outline, Objectives, Key Terms, Introduction
  7-1 Denial of Service
    Distributed Denial of Service Attacks (DDoS)
  7-2 Firewalls and Access Lists
    Network Attack Prevention
    Access Lists
  7-3 Router Security
    Router Access
    Router Services
    Router Logging and Access-List
  7-4 Switch Security
    Switch Port Security
    Switch Special Features
  7-5 Wireless Security
  7-6 VPN Security
    VPN Tunneling Protocols
    Configuring a VPN Virtual Interface (Router to Router)
    Troubleshooting the VPN Tunnel Link
  Summary, Questions and Problems

Chapter 8 IPv6
  Chapter Outline, Objectives, Key Terms, Introduction
  8-1 Comparison of IPv6 and IPv4
  8-2 IPv6 Addressing
  8-3 IPv6 Network Settings
  8-4 Configuring a Router for IPv6
  8-5 IPv6 Routing
    IPv6: Static
    IPv6: RIP
    IPv6: OSPF
    IPv6: EIGRP
    IPv6: IS-IS
  8-6 Troubleshooting IPv6 Connection
  Summary, Questions and Problems

Chapter 9 Linux Networking
  Chapter Outline, Objectives, Key Terms, Introduction
  9-1 Logging On to Linux
    Adding a User Account
  9-2 Linux File Structure and File Commands
    Listing Files
    Displaying File Contents
    Directory Operations
    File Operations
    Permissions and Ownership
  9-3 Linux Administration Commands
    The man (manual) Command
    The ps (processes) Command

Chapter 10 Internet Routing
    Configuring a WAN Connection
    Configuring an Internet Connection
  10-2 Configuring BGP
    Configuring BGP
    Networking Challenge: BGP
  10-3 BGP Best Path Selection
  10-4 IPv6 over the Internet
  10-5 Configure BGP on JUNIPER Routers
  Summary, Questions and Problems

Chapter 11 Voice over IP
  Chapter Outline, Objectives, Key Terms, Introduction
  11-1 The Basics of Voice over IP
  11-2 Voice over IP Networks
    Replacing an Existing PBX Tie Line
    Upgrading Existing PBXs to Support IP Telephony
    Switching to a Complete IP Telephony Solution
  11-3 Quality of Service
    Jitter
    Network Latency
    Queuing
    QOS Configuration Example
  11-4 Analyzing VoIP Data Packets
    Analyzing VoIP Telephone Call Data Packets
  11-5 VoIP Security
  Summary, Questions and Problems

Key Terms Glossary
Index

About the Authors

Jeffrey S. Beasley is with the Department of Engineering Technology and Surveying Engineering at New Mexico State University.
He has been teaching with the department since 1988 and is the co-author of Modern Electronic Communication and Electronic Devices and Circuits, and the author of Networking.

Piyasat Nilkaew is a network engineer with 15 years of experience in network management and consulting, and has extensive expertise in deploying and integrating multiprotocol and multivendor data, voice, and video network solutions on limited budgets.

Dedications

This book is dedicated to my family, Kim, Damon, and Dana. —Jeff Beasley

This book is dedicated to Jeff Harris and Norma Grijalva. Not only have you given me my networking career, but you are also my mentors. You inspire me to think outside the box and motivate me to continue improving my skills. Thank you for giving me the opportunity of a lifetime. I am very grateful. —Piyasat Nilkaew

Acknowledgments

I am grateful to the many people who have helped with this text. My sincere thanks go to the following technical consultants:

+ Danny Bosch and Matthew Peralta for sharing their expertise with optical networks and unshielded twisted-pair cabling, and Don Yates for his help with the initial Net-Challenge Software.
+ Abel Sanchez, for his review of the Linux Networking chapter.

I also want to thank my many past and present students for their help with this book:

+ David Potts, Jonathan Trejo, and Nate Murillo for their work on the Net-Challenge Software.
+ Josiah Jones, Raul Marquez Jr., Brandon Wise, and Chris Lascano for their help with the Wireshark material.

Also, thanks to Wayne Randall and Iantha Finley Malbon for the chapter reviews. Your efforts are greatly appreciated.

I appreciate the excellent feedback of the following reviewers: Phillip Davis, DelMar College, TX; Thomas D. Edwards, Carteret Community College, NC; William Hessmiller, Editors & Training Associates; Bill Liu, DeVry University, CA; and Timothy Staley, DeVry University, TX.

My thanks to the people at Pearson for making this project possible: Dave Dusthimer, for providing me with the opportunity to work on this book, and Vanessa Evans, for helping make this process enjoyable. Thanks to Brett Bartow, Christopher Cleveland, and all the people at Pearson, and to the many technical editors for their help with editing the manuscript. Special thanks to our families for their continued support and patience. —Jeffrey S. Beasley and Piyasat Nilkaew

We Want to Hear from You!

As the reader of this book, you are our most important critic and commentator. We value your opinion and want to know what we're doing right, what we could do better, what areas you'd like to see us publish in, and any other words of wisdom you're willing to pass our way. As the associate publisher for Pearson IT Certification, I welcome your comments. You can email or write me directly to let me know what you did or didn't like about this book—as well as what we can do to make our books better. Please note that I cannot help you with technical problems related to the topic of this book. We do have a User Services group, however, where I will forward specific technical questions related to the book. When you write, please be sure to include this book's title and author as well as your name, email address, and phone number. I will carefully review your comments and share them with the author and editors who worked on the book.

Email: [email protected]
Mail: Dave Dusthimer, Associate Publisher, Pearson IT Certification, 800 East 96th Street, Indianapolis, IN 46240 USA

Introduction

This book looks at advanced computer networking. It first guides readers through network infrastructure design.
The readers are then introduced to configuring static, RIPv2, OSPF, IS-IS, and EIGRP routing protocols, techniques for configuring Juniper routers, managing the network infrastructure, analyzing network data traffic using Wireshark, network security, IPv6, Linux networking, Internet routing, and Voice over IP. After covering the entire text, readers will have gained a solid knowledge base in advanced computer networks.

In my years of teaching, I have observed that technology students prefer to learn "how to swim" after they have gotten wet and taken in a little water. Then, they are ready for more challenges. Show the students the technology, how it is used, and why, and they will take the applications of the technology to the next level. Allowing them to experiment with the technology helps them to develop a greater understanding. This book does just that.

Organization of the Text

This textbook is adapted from the second edition of Networking. This third volume has been revised and reorganized around the needs of advanced networking students. This book assumes that the students have been introduced to the basics of computer networking. Throughout the text, the students are introduced to more advanced computer networking concepts. This involves network infrastructure design, advanced router configuration, network security, analyzing data traffic, Internet routing, and Voice over IP.

Key Pedagogical Features

+ Chapter Outline, Key Terms, and Introduction at the beginning of each chapter clearly outline specific goals for the reader. An example of these features is shown in Figure P-1.

Figure P-1

+ Net-Challenge Software provides a simulated, hands-on experience in configuring routers and switches. Exercises provided in the text (see Figure P-2) and on the CD challenge readers to undertake certain router/network configuration tasks. The challenges check the students' ability to enter basic networking commands and set up router functions, such as configuring the interface (Ethernet and Serial) and routing protocols (that is, static, RIPv2, OSPF, IS-IS, EIGRP, BGP, and VLANs). The software has the look and feel of actually being connected to the router's and switch's console port.

+ ... chapter to reinforce key concepts and aid in subject mastery, as shown in Figure P-4.

Figure P-4 (captions: "Configuring, analyzing, and troubleshooting sections guide students"; "Screen captures and network topologies guide students")

+ Key Terms and their definitions are highlighted in the margins to foster inquisitiveness and ensure retention. This is illustrated in Figure P-5.

Figure P-5 (caption: "Key terms are highlighted in text and defined in the margin")

+ Extensive Summaries, Questions, and Problems, as well as Critical Thinking Questions, are found at the end of each chapter, as shown in Figure P-6.

Figure P-7

Accompanying CD-ROM

The CD-ROM packaged with the text includes the captured data packets used in the text. It also includes the Net-Challenge Software, which was developed specifically for this text.

Instructor Resources

The Instructor's Manual to accompany A Practical Guide to Advanced Networking (ISBN: 978-0-132-88303-0) provides the entire book in PDF format along with instructor notes for each section within each chapter, recommending key concepts that should be covered in each chapter. Solutions to all Chapter Questions and Problems sections are also included. In addition, the instructor can also access 13 lab and lab-related exercises and a test bank with which to generate quizzes on the material found within the student edition of the book.

Chapter 1.
Network Infrastructure Design

Chapter Outline
  Introduction
  1-1 Physical Network Design
  1-2 IP Subnet Design
  1-3 VLAN Network
  1-4 Routed Network
  Summary
  Questions and Problems

Objectives
+ Understand the purpose of the three layers of a campus network design
+ Understand the issue of data flow and selecting the network media
+ Develop techniques for IP allocation and subnet design
+ Understand the process of configuring a VLAN
+ Understand the issues of configuring the Layer 3 routed network

Key Terms
core, distribution layer, access layer, CIDR, ISP, intranets, NAT, PAT, routing table, subnet, NET, multilayer switch (MLS), wire speed routing, routed network, Layer 3 network, SONET, WAN, terminal monitor (term mon), terminal no monitor (term no mon), show ip interface brief (sh ip int br), no switchport, secondary IP address, InterVLAN routing, router on a stick, SVI, DS, CSU/DSU, AMI, Minimum Ones Density, HDLC, WIC, service-module t1, show controller t1 slot/port, ATM, Virtual Path Connection (VPC), Virtual Channel Connection (VCC)

Introduction

The objective of this chapter is to examine the computer networking issues that arise when planning a campus network. The term campus network applies to any network that has multiple LANs interconnected. The LANs are typically in multiple buildings that are close to each other and interconnected with switches and routers. This chapter looks at the planning and designs of a simple campus network, including network design, IP subnet assignment, VLAN configuration, and routed network configuration. The basics of configuring the three layers of a campus LAN (core, distribution, and access) are first examined in Section 1-1. This section also addresses the important issues of data flow and selecting the proper network media. Section 1-2 examines IP allocation and subnet design.
Section 1-3 discusses the VLAN network, including a step-by-step process of how to configure a VLAN, which provides an introduction to the basic switch commands and the steps for configuring a static VLAN. Section 1-4 examines the Layer 3 routed network. This section explores the functions of the router and includes configuration examples in different scenarios.

1-1. Physical Network Design

Most campus networks follow a design that has core, distribution, and access layers. These layers, shown in Figure 1-1, can be spread out into more layers or compacted into fewer, depending on the size of these networks. This three-layer network structure is incorporated in campus networks to improve data handling and routing within the network. The issues of data flow and network media are also examined in this section.

Figure 1-1. The core, distribution, and access layers of a campus network

Core

The network core usually contains high-end Layer 3 switches or routers. The core is the heart, or backbone, of the network. The major portion of a network's data traffic passes through the core. The core must be able to quickly forward data to other parts of the network. Data congestion should be avoided at the core, if possible. This means that unnecessary route policies should be avoided. An example of a route policy is traffic filtering, which limits what traffic can pass from one part of a network to another. Keep in mind that it takes time for a router to examine each data packet, and unnecessary route policies can slow down the network's data traffic.

Core: The backbone of the network.

+ ... distribution layer? There are network stability issues when routing large amounts of network data traffic if the networks are fully or even partially meshed together. This means that connecting routers together in the distribution layer should be avoided.

+ Where is the campus backbone located in the layers of a campus network?
The backbone of a campus network carries the bulk of the routed data traffic. Based on this, the backbone of the campus network connects the distribution and the core layer networking devices.

Selecting the Media

The choices for the media used to interconnect networks in a campus network are based on several criteria. The following is a partial list of things to consider:

+ Desired data speed
+ Distance for connections
+ Budget

The desired data speed for the network connection is probably the first consideration given when selecting the network media. Twisted-pair cable works well at 100 Mbps and 1 Gbps and is specified to support 10-gigabit data traffic. Fiber-optic cable supports LAN data rates up to 10 Gbps or higher. Wireless networks support data rates up to 200+ Mbps.

The distance consideration limits the choice of media. CAT 6/5e or better cable has a distance limitation of 100 meters. Fiber-optic cable can be run for many kilometers, depending on the electronics and optical devices used. Wireless LAN connections can also be used to interconnect networks a few kilometers apart.

The available budget is always the final deciding factor when planning the design for a campus LAN. If the budget allows, fiber-optic cable is probably the best overall choice, especially in the high-speed backbone of the campus network. The cost of fiber is continually dropping, making it more competitive with lower-cost network media, such as twisted-pair cable. Also, fiber cable will always be able to carry a greater amount of data traffic and can easily grow with the bandwidth requirements of a network.

Twisted-pair cable is a popular choice for connecting computers in a wired LAN. The twisted-pair technologies support bandwidths suitable for most LANs, and the performance capabilities of twisted-pair cable are always improving.

Wireless LANs are being used to connect networking devices together in LANs where a wired connection is not feasible or mobility is the major concern. For example, a wireless LAN could be used to connect two LANs in a building together. This is a cost-effective choice if there is not a cable duct to run the cable to interconnect the LANs or if the cost of running the cable is too high. Also, wireless connections are playing an important role with mobile users within a LAN. The mobile user can make a network connection without having to use a physical connection or jack. For example, a wireless LAN could be used to enable network users to connect their mobile computers to the campus network.

1-2. IP Subnet Design

Once the physical infrastructure for a network is in place, the next big step is to plan and allocate IP space for the network. Take time to plan the IP subnet design, because it is not easy to change the IP subnet assignments once they are in place. It is crucial for a network engineer to consider three factors before coming up with the final IP subnet design. These three factors are

1. The assigned IP address range
2. The number of subnetworks needed for the network
3. The size or the number of IP host addresses needed for the network

The final step in designing the IP subnet is to assign an IP address to the interface that will serve as the gateway out of each subnet.

IP Address Range

The IP address range defines the size of the IP network you can work with. In some cases, a classless interdomain routing (CIDR) block of public IP addresses might be allocated to the network by an ISP. For example, the block of IP addresses 206.206.156.0/24 could be assigned to the network. This case allocates 256 IP addresses to the 206.206.156.0 network.
In another case, a CIDR block of private IP addresses, like 10.10.10.0/24, could be used. In this case, 256 IP addresses are assigned to the 10.10.10.0 network. For established networks with an IP address range already in use, the network engineer generally has to work within the existing IP address assignments. With a brand new network, the engineer has the luxury of creating a network from scratch. In most network situations, an IP address block will have been previously assigned to the network for Internet use. The public IP addresses are typically obtained from the ISP (Internet service provider). This IP block of addresses could be from Class A, B, or C networks, as shown in Table 1-1.

Table 1-1. Address Range for Each Class of Network

Class     Address Range
Class A   0.0.0.0 to 127.255.255.255
Class B   128.0.0.0 to 191.255.255.255
Class C   192.0.0.0 to 223.255.255.255

CIDR: Classless Interdomain Routing.
ISP: Internet service provider. An organization that provides Internet access for the public.

Today, only public Class C addresses are assigned by ISPs, and most of them are not even a full set of Class C addresses (256 IP addresses). A lot of ISPs partition their allotted IP space into smaller subnets and then, in turn, provide those smaller portions to the customers. The bottom line is that the limited number of public IP addresses is now a commodity on the Internet, and it is important to note that there are fees associated with acquiring an IP range from an ISP. Not many institutions or businesses have the luxury of using public IP addresses inside their network anymore. This is because the growing number of devices being used in a network exceeds the number of public IP addresses assigned to them. The solution is that most networks are using private IP addresses in their internal network. Private addresses are IP addresses set aside for use in private intranets. An intranet is an internal internetwork that provides file and resource sharing.
Private addresses are not valid addresses for Internet use, because they have been reserved for internal use and are not routable on the Internet. However, these addresses can be used within a private LAN (intranet) to create the internal IP network.

Intranets: Internetwork that provides file and resource sharing.
NAT: Network Address Translation. A technique used to translate an internal private IP address to a public IP address.
PAT: Port Address Translation. A port number is tracked with the client computer's private address when translating to a public address.
Overloading: Where NAT translates the home network's private IP addresses to a single public IP address.

The private IP addresses must be translated to public IP addresses using techniques like NAT (Network Address Translation) or PAT (Port Address Translation) before being routed over the Internet. For example, computer 1 in the home network (see Figure 1-2) might be trying to establish a connection to an Internet website. The wireless router uses NAT to translate computer 1's private IP address to the public IP address assigned to the router. The router uses a technique called overloading, where NAT translates the home network's private IP addresses to the single public IP address assigned by the ISP. In addition, the NAT process tracks a port number for the connection. This technique is called Port Address Translation (PAT). The router stores the home network's IP address and port number in a NAT lookup table. The port number differentiates the computer that is establishing a connection to the Internet because the router uses the same public address for all computers. This port number is used when a data packet is returned to the home network. This port number identifies the computer that established the Internet connection, and the router can deliver the data packet back to the correct computer. An example of this conversion is provided in Figure 1-3.
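As an added example (not the book's code), the NAT lookup table the text describes, written out as a small Python PAT table: outbound packets from hosts in 192.168.0.0/24 are rewritten to the text's single public address 128.123.246.55 plus a translated port, and replies are matched by that port alone. The hosts, ports and destination addresses are constructed; two hosts deliberately use the same source port to show why the port, not the address, tells their connections apart, and a reply with no table entry is shown to be undeliverable.

```python
"""Added example (not the book's code): a minimal PAT (NAT overload) table of
the kind the wireless router in Figures 1-2 and 1-3 keeps. Hosts, ports and
destinations below are constructed; 128.123.246.55 is the text's public address.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatTable:
    """Maps (private ip, private port) <-> one public port on a single public IP."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port   # constructed starting value for translated ports
        self.by_private = {}          # (private ip, private port) -> public port
        self.by_public = {}           # public port -> (private ip, private port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a packet leaving the home network; create its entry on first use."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.by_private:
            # Every host shares the public IP, so only the translated port can
            # distinguish their connections when the replies come back.
            port = self.next_port
            self.next_port += 1
            self.by_private[key] = port
            self.by_public[port] = key
        return Packet(self.public_ip, self.by_private[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Map a reply back to the originating host, or None if no entry exists."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = self.by_public.get(pkt.dst_port)
        if key is None:
            return None  # no inside host opened this: unsolicited, nowhere to deliver
        return Packet(pkt.src_ip, pkt.src_port, key[0], key[1])


def demo():
    """Three connections from 192.168.0.0/24 sharing 128.123.246.55, as in Figure 1-3."""
    pat = PatTable("128.123.246.55", first_port=1962)
    out = [
        pat.outbound(Packet("192.168.0.2", 49152, "203.0.113.10", 80)),
        pat.outbound(Packet("192.168.0.3", 49152, "203.0.113.10", 80)),  # same src port
        pat.outbound(Packet("192.168.0.2", 49153, "203.0.113.20", 443)),
    ]
    # The server's reply carries only the public IP and translated port.
    reply = pat.inbound(Packet("203.0.113.10", 80, "128.123.246.55", out[1].src_port))
    # A packet to a port nobody inside used has no entry and is not delivered.
    stray = pat.inbound(Packet("198.51.100.9", 5555, "128.123.246.55", 40000))
    return out, reply, stray


if __name__ == "__main__":
    outbound, reply, stray = demo()
    for p in outbound:
        print("out:", p)
    print("reply delivered to:", reply.dst_ip, reply.dst_port)
    print("stray packet:", stray)
```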
Figure 1-3 shows three data connections originating from the home network of 192.168.0.0/24. A single 128.123.246.55 IP address is used for the Internet connection. Port address translation is being used to map the data packet back to the origination source. In this case, the port numbers are 1962, 1970, and 1973.

Figure 1-2. An example of a home computer connecting to the ISP (the wireless computers, 1 and 2, use private IP addresses that are assigned by the wireless router; the wireless router acts as access point, switch, and broadband modem)

Figure 1-3. This example shows the three data connections originating from the home network of 192.168.0.0/24

Determining the Number of Subnetworks Needed for the Network

The use of private IP addresses is a viable technique for creating a large amount of IP addresses for intranet use. Obviously, there is a big difference when designing an IP network for a single network than there is when designing an IP network for multiple networks. When designing an IP network for one single network, things are quite simple. This type of configuration is typically found in the home, small office, or a small business environment where one IP subnet is allocated and only one small router is involved. For situations requiring multiple networks, each network must be sized accordingly. Therefore, the subnet must be carefully designed. In addition, networks with multiple subnets require a router or multiple routers with multiple routed network interfaces to interconnect the networks. For example, if the network engineer is using private addresses and needs to design for three different networks, one possibility is to assign 10.10.10.0/24 for the first network, 172.16.0.0/24 for the second network, and 192.168.1.0/24 for the third network. Is this a good approach? Technically, this can be done, but it is probably not logically sound. It makes more sense to group these networks within the same big CIDR block.
This will make it easier for a network engineer to remember the IP assignments and to manage the subnets. A better design is to assign 10.10.10.0/24 to the first network, 10.10.20.0/24 to the second network, and 10.10.30.0/24 to the third network. All three networks are in the same "10" network, which makes it easier for the network engineer to track the IP assignments. The terms subnet and network are used interchangeably in multiple-network environments. The term subnet usually indicates that a bigger network address is partitioned and assigned to smaller networks, or subnets.

Another design factor that the network engineer must address is the network size. Two questions that a good network engineer must ask are

+ How many network devices must be accommodated in the network? (Current demand)
+ How many network devices must be accommodated in the future? (Future growth)

Simply put, the IP network must be designed to accommodate the current demand, and it must be designed to accommodate future growth. Once the size of a network is determined, a subnet can be assigned. In the case of a single network, the design is not too complicated. For example, if the network needs to be able to accommodate 150 network devices, an entire Class C address, like 192.168.1.0/24, can be assigned to the network. This will handle the current 150 network devices and leave enough room for growth. In this example, 104 additional IP addresses will be available for future growth. When allocating IP address blocks, a table like Table 1-2 can be used to provide the CIDR for the most common subnet masks and their corresponding number of available IP addresses.

Table 1-2.
CIDR—Subnet Mask—IPs Conversion

CIDR   Subnet Mask        Available IPs
/16    255.255.0.0        65534
/17    255.255.128.0      32768
/18    255.255.192.0      16384
/19    255.255.224.0      8192
/20    255.255.240.0      4096
/21    255.255.248.0      2048
/22    255.255.252.0      1024
/23    255.255.254.0      512
/24    255.255.255.0      256
/25    255.255.255.128    128
/26    255.255.255.192    64
/27    255.255.255.224    32
/28    255.255.255.240    16
/29    255.255.255.248    8
/30    255.255.255.252    4
/31    255.255.255.254    2
/32    255.255.255.255    1

Even with a much smaller network, like the home network, where only a handful of network computers and peripherals are present, an entire Class C private address is generally allocated to the home network. In fact, most home routers are preconfigured with a private Class C address within the 192.168.0.0-192.168.0.255 range. This technique is user friendly and easy to use and sets aside private IP addresses for internal network use. This technique virtually guarantees that users will never have to worry about subnetting the CIDR block.

For a bigger network that must handle more than 254 network devices, a supernet can be deployed. A supernet is when two or more classful contiguous networks are grouped together. The technique of supernetting was proposed in 1992 to eliminate the class boundaries and make available the unused IP address space. Supernetting allows multiple networks to be specified by one subnet mask. In other words, the class boundary could be overcome. For example, if the network needs to be able to accommodate 300 network devices, two Class C networks, like 192.168.0.0/24 and 192.168.1.0/24, can be grouped together to form a supernet of 192.168.0.0/23, which can accommodate up to 510 network devices. As shown in Table 1-2, a /23 CIDR provides 512 available IP addresses. However, one IP is reserved for the network address and another one is reserved for the network broadcast address. Therefore, a /23 CIDR yields 512 - 2 = 510 usable host IP addresses.
Supernet Two or more classful contiguous networks are grouped together. Determining the Size or the Number of IP Host Addresses Needed for the Network The problem with randomly applying CIDR blocks to Class A, B, and C addresses is that there are boundaries in each class, and these boundaries can't be crossed. If a boundary is crossed, the IP address maps to another subnet. For example, if a CIDR block is expanded to include four Class C networks, all four Class C networks need to be specified by the same CIDR subnet mask to avoid crossing boundaries. The following example illustrates this. 192. 168. 0. 0 192.168. 1. 0 255. 255. 254. 0 (/23 255. 255. 254, 0 (/23) 192. 168. 0. 0 192.168. 0.0 This shows that applying the /23 [255.255.254.0] subnet mask to the specified IP address places both in the same 192.168.0.0 network. This also means that this CIDR block does not cross boundaries, because applying the subnet mask to each network address places both in the same 192.168.0.0 network. For LAN B1, the requirement is that a CIDR block that can handle 800 network devices must be provided. According to Table 1-2, a/22 CIDR yields 1,022 usable host IP addresses and is equivalent to grouping four Class C networks together. Therefore, a /22 CIDR can be used. The next decision is selecting the group of IP addresses to create the CIDR block and decide where the IP addresses should start. Recall that the 192.168.0.0 and 192.168.1.0 networks are being used to create the LAN A CIDR block. Should LAN B1 start from 192.168.2.0/22, which is the next contiguous space? The answer is no. The 192.168.2.0/22 is still within the boundary of the 192.168.0.0/23 network. Remember, the requirement is that a CIDR block that can handle 800 network devices must be provided and that boundaries cannot be crossed, and the designer must be careful not to overlap the networks when assigning subnets to more than one network. 
In this case, when the /22 subnet mask (255.255.252.0) is applied to 192.168.2.0, the result is the network 192.168.0.0. The AND operation is shown:

    192.168.2.0
    255.255.252.0 (/22)
    ---------------
    192.168.0.0

This is the same network address that results when the /23 subnet mask (255.255.254.0) is applied to any IP address within the range 192.168.0.0 to 192.168.1.255, as shown:

    192.168.0.0            192.168.1.255
    255.255.254.0 (/23)    255.255.254.0 (/23)
    ---------------        ---------------
    192.168.0.0            192.168.0.0

There is therefore an overlap between 192.168.0.0/23 and 192.168.2.0/22. Moving to the next contiguous Class C, 192.168.3.0/22, still lands in 192.168.0.0:

    192.168.3.0
    255.255.252.0 (/22)
    ---------------
    192.168.0.0

This is still the same subnet. Based on this, the next Class C range, 192.168.4.0/22, is tried. It yields the nonoverlapping network 192.168.4.0, so the subnet 192.168.4.0/22 is valid for this network:

    192.168.4.0
    255.255.252.0 (/22)
    ---------------
    192.168.4.0

192.168.4.0 is not the same subnet; therefore, this is an acceptable CIDR block. Recall that the CIDR for LAN B1 is a /22 and is equivalent to grouping four Class C networks. This means that LAN B1 uses the following Class C networks:

    192.168.4.0
    192.168.5.0
    192.168.6.0
    192.168.7.0

The IP subnet design gets more complicated when designing multiple networks with different size subnets. This generally means that the subnet mask or the CIDR will not be uniformly assigned to every network. For example, one network might be a /25 or a /22, while another is a /30.

The next task is to assign a CIDR block to LAN B2. This LAN is a server network that houses a fixed number of servers; the number is not expected to grow beyond 80 servers. One easy approach is to assign a /24 CIDR to this network. This means that the next network is 192.168.8.0/24, which is the next nonoverlapping CIDR block after 192.168.4.0/22.
The /24 CIDR gives 254 host IP addresses, but only 80 IP addresses are required. Another approach is to size it appropriately. According to Table 1-2, a good CIDR to use is a /25, which allows for 126 host IP addresses. Therefore, the network 192.168.8.0/25 can be used. Assigning 192.168.8.0/24, which can accommodate 254 hosts, seems like a waste, because the network is expected to be a fixed size and will house no more than 80 servers. By assigning 192.168.8.0/25, room is left for another contiguous CIDR block, 192.168.8.128/25. This is obviously a more efficient way of managing the available IP space.

Last but not least is the interconnection shown in Figure 1-4, the router-to-router link between Router A and Router B. The interconnection usually gets the least attention, but it exists everywhere in a multiple-network environment, and a CIDR block has to be assigned to it. Because only two interface IP addresses are ever involved, plus the network and broadcast addresses, giving it an entire Class C would definitely be a waste. Typically, a /30 CIDR is used for this type of connection. Therefore, the CIDR block for the interconnection between Router A and Router B can be 192.168.9.0/30. This yields two IP host addresses: one for Router A and one for Router B. The complete subnet assignment for Example 1-1 and Figure 1-4 is provided in Table 1-3.

Table 1-3. Completed Design of Subnets for Figure 1-4

    LAN            Subnet         CIDR         Subnet Mask
    LAN A          192.168.0.0    /23          255.255.254.0
    LAN B1         192.168.4.0    /22          255.255.252.0
    LAN B2         192.168.8.0    /24 or /25   255.255.255.0 or 255.255.255.128
    Interconnect   192.168.9.0    /30          255.255.255.252

IP Assignment

The next task is to assign an IP address to each routed interface. This address will become the gateway IP address of the subnet.
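The boundary check, the overlap search, and the sizing from Table 1-2 can all be carried out mechanically. The following Python script is an added example, not code from the book: it reproduces the reasoning above with the standard-library ipaddress module and rebuilds Table 1-3 from the stated requirements (LAN A already at 192.168.0.0/23, 800 devices for LAN B1, 80 servers for LAN B2, one /30 link). The starting points of each search (the next contiguous Class C, as in the text) are the book's; the rule that the first usable address becomes the gateway is one of the two conventions the text allows and is an assumption here.

```python
"""Subnet design checks for the Example 1-1 plan (added example, not the book's code)."""
import ipaddress


def network_address(ip: str, prefix: int) -> str:
    """Bitwise AND of an address with the /prefix mask (the operation shown in the text)."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(ip)) & mask))


def usable_hosts(prefix: int) -> int:
    """Table 1-2 count minus the network and broadcast addresses."""
    total = 2 ** (32 - prefix)
    return total - 2 if prefix <= 30 else total  # /31 and /32 reserve nothing


def prefix_for(hosts: int) -> int:
    """Longest prefix (smallest block) whose usable count still covers `hosts`."""
    for prefix in range(30, 7, -1):
        if usable_hosts(prefix) >= hosts:
            return prefix
    raise ValueError("does not fit in a single block")


def check_block(start: str, prefix: int, taken: dict):
    """Return None if start/prefix is boundary-aligned and free, else the reason it is rejected."""
    aligned = network_address(start, prefix)
    if aligned != start:
        return f"{start}/{prefix} crosses a boundary: AND with the mask gives {aligned}"
    candidate = ipaddress.ip_network(f"{start}/{prefix}")
    for name, net in taken.items():
        if candidate.overlaps(net):
            return f"{start}/{prefix} overlaps {name} ({net})"
    return None


def find_block(start: str, prefix: int, taken: dict, space: str = "192.168.0.0/16"):
    """First-fit search stepping one Class C (/24) at a time, as the text does.

    Returns (list of (candidate, verdict) tried, accepted network).
    """
    pool = ipaddress.ip_network(space)
    cursor = ipaddress.IPv4Address(start)
    tried = []
    while cursor in pool:
        verdict = check_block(str(cursor), prefix, taken)
        tried.append((str(cursor), verdict))
        if verdict is None:
            return tried, ipaddress.ip_network(f"{cursor}/{prefix}")
        cursor += 256
    raise ValueError(f"no free /{prefix} block in {pool} from {start}")


def design_example_1_1():
    """Rebuild Table 1-3 and the gateway list from the text's requirements."""
    taken = {"LAN A": ipaddress.ip_network("192.168.0.0/23")}  # two Class Cs supernetted
    searches = {}
    # (LAN, hosts required, where the text starts looking)
    for name, hosts, start in [("LAN B1", 800, "192.168.2.0"),
                               ("LAN B2", 80, "192.168.8.0"),
                               ("Interconnect", 2, "192.168.9.0")]:
        tried, net = find_block(start, prefix_for(hosts), taken)
        taken[name] = net
        searches[name] = tried
    table = {}
    for name, net in taken.items():
        table[name] = {
            "cidr": str(net),
            "mask": str(net.netmask),
            "usable": usable_hosts(net.prefixlen),
            "gateway": str(net.network_address + 1),  # assumption: first usable address
        }
    return table, searches


if __name__ == "__main__":
    table, searches = design_example_1_1()
    for name, tried in searches.items():
        for candidate, verdict in tried:
            print(f"{name}: {candidate} -> {verdict or 'accepted'}")
    for name, row in table.items():
        print(f"{name:13} {row['cidr']:18} {row['mask']:16} usable={row['usable']:4} gw={row['gateway']}")
```

Running the script prints the two rejections (192.168.2.0 and 192.168.3.0) before 192.168.4.0/22 is accepted, then the four rows of Table 1-3 with the /25 choice for LAN B2. Adding a fifth LAN is a matter of appending one tuple; the overlap check guards against the mistake the text warns about.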
The gateway is the networking device that enables hosts in a LAN to connect to networks (and hosts) outside the LAN. Figure 1-5 provides an example of the gateway. Every network device within the subnet (LAN) uses this IP address as its gateway to communicate from its local subnet to devices on other subnets. The gateway IP address is preselected and is distributed to the network devices by manual configuration or dynamic assignment.

Figure 1-5. The gateway for a network

Gateway
The networking device that enables hosts in a LAN to connect to networks (and hosts) outside the LAN.

For LAN A (192.168.0.0/23) in Example 1-1, the IP address 192.168.0.0 is already reserved as the network address, and the IP address 192.168.1.255 is reserved as the broadcast address. This leaves any IP address within the range 192.168.0.1 to 192.168.1.254 available for use as the gateway address. Choosing the gateway IP address is not an exact science. Generally, the first IP address or the last IP address of the available range is chosen. Whatever convention is chosen, it should be applied to the rest of the subnets for ease of management. Once the gateway IP address is chosen, it is reserved and must not be used by any other device in the subnet; otherwise, an IP conflict will be introduced. The following is an example of how the gateway IP addresses could be assigned to the LANs in Example 1-1:

    Network   Gateway
    LAN A     192.168.0.1
    LAN B1    192.168.4.1
    LAN B2    192.168.8.1

1-3 VLAN Network

This section examines the use of a switch in a VLAN within the campus network. The terminology and steps for implementing VLANs are presented first. The second part examines basic Cisco switch configuration and introduces the commands needed for configuring a VLAN. The third part of Section 1-3 demonstrates the commands needed to set up a static VLAN. Next is a discussion of VLAN tagging using 802.1Q.
The section concludes with a look at configuring an HP Procurve switch.

LANs are not necessarily restricted in size. A LAN can have 20 computers, 200 computers, or even more. Multiple LANs can also be interconnected to essentially create one large LAN. For example, the first floor of a building could be set up as one LAN, the second floor as another, and the third floor as another. The three LANs in the building can be interconnected into essentially one large LAN by interconnecting the switches, as shown in Figure 1-6.

Figure 1-6. Three floors of a building interconnected using switches to form one large LAN

Is it bad to interconnect LANs this way? As long as switches are used to interconnect the computers, the interconnected LANs have minimal impact on network performance. This is true as long as there are not too many computers in the LAN. The number of computers in the LAN is an issue, because Layer 2 switches do not separate broadcast domains. This means that any broadcast sent out on the network (for example, the broadcast associated with an ARP request) is sent to all computers in the LAN. Excessive broadcasts are a problem, because each computer must process every broadcast to determine whether it needs to respond; this slows down both the computer and the network.

Broadcast Domain
Any broadcast sent out on the network is seen by all hosts in this domain.

A network with multiple LANs interconnected at Layer 2 is called a flat network. In a flat network, the LANs share the same broadcast domain. The use of a flat network should be avoided if possible, for the simple reason that network response time is greatly affected. Flat networks can be avoided by the use of virtual LANs (VLANs) or routers. Both options separate broadcast domains, but they differ in that a VLAN operates at OSI Layer 2, while routers use Layer 3 networking to accomplish the task.
The topic of virtual LANs is discussed next.

Flat Network
A network where the LANs share the same broadcast domain.

Virtual LAN (VLAN)

Obviously, if the LANs are not connected, each LAN is segregated to its own switch and the broadcast domain is contained to that switch. However, this does not scale in a practical network, and it is not cost effective, because each LAN requires its own Layer 2 switches. This is where the concept of the virtual LAN (VLAN) helps. A VLAN is a way to have multiple LANs coexist on the same Layer 2 switch with their traffic segregated from each other. Even though they reside on the same physical switch, they behave as if they are on different switches (hence the term virtual). VLAN-capable switches can communicate with each other and extend the segregation of multiple LANs throughout the entire switched network. A switch can be configured with a VLAN where a group of host computers and servers are configured as if they are in the same LAN, even if they reside across routers in separate LANs. Each VLAN has its own broadcast domain; hence, traffic from one VLAN cannot pass to another VLAN without a Layer 3 device. The advantage of using VLANs is that the network administrator can group computers and servers in the same VLAN based on organizational group (such as Sales or Engineering) even if they are not on the same physical segment, or even in the same building.

VLAN (Virtual LAN)
A group of host computers and servers that are configured as if they are in the same LAN, even if they reside across routers in separate LANs.

There are three types of VLANs: port-based VLANs, tag-based VLANs, and protocol-based VLANs. The port-based VLAN is one where the host computers connected to specific ports on a switch are assigned to a specific VLAN. For example, assume the computers connected to switch ports 2, 3, and 4 are assigned to the Sales VLAN 2, while the computers connected to switch ports 6, 7, and 8 are assigned to the Engineering VLAN 3, as shown in Figure 1-7.
The switch will be configured as a port-based VLAN so that the group of ports [2,3,4] is assigned to the Sales VLAN while ports [6,7,8] belong to the Engineering VLAN. The devices assigned to the same VLAN share broadcasts for that LAN; computers connected to ports not assigned to the VLAN do not share those broadcasts. For example, the computers in VLAN 2 (Sales) share one broadcast domain and the computers in VLAN 3 (Engineering) share a different broadcast domain.

Figure 1-7. An example of the grouping for port-based VLANs

• Dynamic VLAN: Ports are assigned to a VLAN based on either the computer's MAC address or the username of the client logged onto the computer. This means that the system has been previously configured with the VLAN assignments for the computer or the username. The advantage is that the user and/or the computer can move to a different location, but VLAN membership is retained.

Static VLAN
Basically, a port-based VLAN.

Dynamic VLAN
Ports are assigned to a VLAN based on either the computer's MAC address or the username of the client logged onto the computer.

VLAN Configuration

This section demonstrates the steps for configuring a static VLAN. In this example, the ports for VLAN 2 (Sales) and VLAN 3 (Engineering) will be defined. This requires that VLAN memberships be defined for the required ports. The steps and the commands are demonstrated next. The show vlan command can be used to verify what ports have been defined for the switch. By default, all ports are assigned to VLAN 1. An example using the show vlan command is provided next:

    SwitchA#show vlan
    VLAN Name      Status    Ports
    1    default   active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                             Fa0/5, Fa0/6, Fa0/7, Fa0/8
                             Fa0/9, Fa0/10

show vlan
Used to verify what ports have been defined for the switch.

This shows that all the FastEthernet interfaces on the switch are currently assigned to VLAN 1, the default VLAN.
In the next step, two additional VLANs are created, for Sales and Engineering. The two new VLANs have VLAN IDs 2 and 3 respectively, and each is assigned a name. This is accomplished by modifying the VLAN database with the vlan database command, as shown in the next steps.

vlan database
The command used on older Cisco switches to enter the VLAN database.

    SwitchA#vlan database
    SwitchA(vlan)#vlan 2 name Sales
    VLAN 2 modified:
        Name: Sales
    SwitchA(vlan)#vlan 3 name Engineering
    VLAN 3 modified:
        Name: Engineering

On newer Cisco switches, users get the following message that the vlan database command is being deprecated:

    % Warning: It is recommended to configure VLAN from config mode,
      as VLAN database mode is being deprecated. Please consult user
      documentation for configuring VTP/VLAN in config mode.

Cisco has moved away from the VLAN database-style command to an IOS global command. As with other IOS global commands, the switch must be in configuration mode, (config)#. The concept remains the same: a VLAN must be created for it to be activated and ready for use. The steps for creating the VLANs on newer Cisco switches are as follows:

    SwitchA#conf t
    SwitchA(config)#vlan 2
    SwitchA(config-vlan)#name Sales
    SwitchA(config-vlan)#vlan 3
    SwitchA(config-vlan)#name Engineering
    SwitchA(config-vlan)#exit
    SwitchA(config)#exit

To start configuring a VLAN, specify which VLAN is to be configured with the vlan [vlan_id] command. If the VLAN does not yet exist, this command creates it as well. As shown in the preceding example, the command vlan 2 is entered to configure VLAN 2 and then the command name Sales is entered to set the name associated with the VLAN. The same steps are repeated for VLAN 3 with the name Engineering.

vlan [vlan_id]
The IOS global command used to create a VLAN ID.
The rest of the VLAN commands are almost identical on older and newer switches. The next step verifies that the new VLANs have been created, using the show vlan command:

    SwitchA#show vlan
    VLAN Name         Status    Ports
    1    default      active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                Fa0/9, Fa0/10
    2    Sales        active
    3    Engineering  active

This shows that both the Sales and Engineering VLANs have been created. In the next steps, ports are assigned to the newly created VLANs. This requires that configuration mode be entered and each FastEthernet interface (port) be assigned to the proper VLAN using the two commands switchport mode access and switchport access vlan vlan-id. An example is presented for FastEthernet interface 0/2 being assigned to VLAN 2 on a Cisco switch:

    SwitchA#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    SwitchA(config)#int fa 0/2
    SwitchA(config-if)#switchport mode access
    SwitchA(config-if)#switchport access vlan 2
    SwitchA(config-if)#end

The next step verifies that FastEthernet 0/2 has been assigned to the Sales VLAN (VLAN 2). This can be verified with the show vlan brief command, as shown. This command displays only the interfaces assigned to each VLAN:

    SwitchA#sh vlan brief
    VLAN Name         Status    Ports
    1    default      active    Fa0/1, Fa0/3, Fa0/4, Fa0/5
                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                Fa0/10
    2    Sales        active    Fa0/2

The next steps are to assign ports 3 and 4 to the Sales VLAN (VLAN 2) and ports 6, 7, and 8 to Engineering (VLAN 3).
Once this is completed, the port assignments can be verified using the show vlan command, as shown:

    SwitchA#show vlan
    VLAN Name         Status    Ports
    1    default      active    Fa0/1, Fa0/5, Fa0/9, Fa0/10
    2    Sales        active    Fa0/2, Fa0/3, Fa0/4
    3    Engineering  active    Fa0/6, Fa0/7, Fa0/8

You can look specifically at the assignments for only one of the VLANs by entering the command show vlan name vlan-name, where vlan-name is the name assigned to the VLAN. Note that the name is case-sensitive. You can also use the number of the VLAN instead, with the command show vlan id vlan-id. Examples of both are presented:

show vlan name vlan-name
The command to look specifically at only one of the VLANs.

    SwitchA#show vlan name Engineering
    VLAN Name         Status    Ports
    3    Engineering  active    Fa0/6, Fa0/7, Fa0/8

    SwitchA#show vlan id 3
    VLAN Name         Status    Ports
    3    Engineering  active    Fa0/6, Fa0/7, Fa0/8

On Layer 2 switches, an IP address can be assigned to a VLAN interface. This merely assigns an IP address to the switch, so that the switch can communicate with other network devices on the same VLAN and vice versa. The VLAN interface does not perform any routing function when the device runs as a Layer 2 switch. In fact, the VLAN interface is not required for a switch to start forwarding frames and perform its other Layer 2 functions. By default, interface VLAN 1 is created automatically. The following command sequence demonstrates how to assign an IP address to the VLAN interface:

interface VLAN 1
The default VLAN interface for the switch.

    SwitchA(config)#interface VLAN 1
    SwitchA(config-if)#ip address 192.168.1.1 255.255.255.0
    SwitchA(config-if)#no shutdown

Note that the IP address is being set for VLAN 1. The VLAN interface is also enabled at this point using the no shutdown command, as shown.
In order for the VLAN interface to be up, at least one switch port in the VLAN must be up, that is, have a physical link. The status of a switch port can be verified with the command show interface or, better yet, with show interface status. The show interface command shows detailed information about one interface at a time, whereas show interface status displays the status of all the switch ports, including their speed, duplex, and VLAN, as shown. This gives a quick and precise look at the port status of a switch where port density is high.

show interface status
Used to verify the status of a switch port.

    SwitchA#show interface status
    Port    Name    Status       Vlan    Duplex   Speed   Type
    Fa0/1           connected    1       a-full   a-100   10/100BaseTX
    Fa0/2           connected    2       a-full   a-100   10/100BaseTX
    Fa0/3           connected    2       a-full   a-100   10/100BaseTX
    Fa0/4           connected    2       a-full   a-100   10/100BaseTX
    Fa0/5           connected    1       a-full   a-100   10/100BaseTX
    Fa0/6           connected    3       a-full   a-100   10/100BaseTX
    Fa0/7           connected    3       a-full   a-100   10/100BaseTX
    Fa0/8           connected    3       a-full   a-100   10/100BaseTX
    Fa0/9           connected    1       a-full   a-100   10/100BaseTX
    Fa0/10          connected    1       a-full   a-100   10/100BaseTX

The overall configuration of the switch can be viewed using the show running-config (sh run) command, as shown. (Only part of the configuration is displayed.)

    Switch#sh run
    Building configuration...

    Current configuration : 1411 bytes
    !
    version 12.1
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname Switch
    !
    ip subnet-zero
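Two facts from this section matter to anyone auditing a switch: every port starts in VLAN 1, and the switch's own management address (interface VLAN 1 above) sits in that same VLAN. A connected port that was never assigned therefore shares a broadcast domain with the management interface. The following Python script is an added example, not code from the book: it parses show interface status output in the format shown above (the sample is constructed from the Sales/Engineering port table in this section), compares it with the intended port-to-VLAN plan, flags connected ports left in VLAN 1, and emits the same vlan / name / switchport command sequence the text walks through. The "connected but still in VLAN 1" rule is a practitioner check, not something the book states.

```python
"""Static VLAN plan: audit `show interface status` and generate the IOS commands.

Added example, not the book's code.  SHOW_INT_STATUS is a constructed sample in
the format of the show interface status output above; PLAN is the text's
port-to-VLAN assignment.
"""
import re

SHOW_INT_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        connected    1          a-full  a-100 10/100BaseTX
Fa0/2                        connected    2          a-full  a-100 10/100BaseTX
Fa0/3                        connected    2          a-full  a-100 10/100BaseTX
Fa0/4                        connected    2          a-full  a-100 10/100BaseTX
Fa0/5                        connected    1          a-full  a-100 10/100BaseTX
Fa0/6                        connected    3          a-full  a-100 10/100BaseTX
Fa0/7                        connected    3          a-full  a-100 10/100BaseTX
Fa0/8                        connected    3          a-full  a-100 10/100BaseTX
Fa0/9                        notconnect   1          auto    auto  10/100BaseTX
Fa0/10                       notconnect   1          auto    auto  10/100BaseTX
"""

# Ports 2-4 -> Sales (VLAN 2), ports 6-8 -> Engineering (VLAN 3), as in the text.
VLANS = {2: "Sales", 3: "Engineering"}
PLAN = {"Fa0/2": 2, "Fa0/3": 2, "Fa0/4": 2, "Fa0/6": 3, "Fa0/7": 3, "Fa0/8": 3}

# Port, optional Name, Status keyword, Vlan column; the rest of the line is ignored.
LINE_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s*"
    r"(?P<status>connected|notconnect|disabled|err-disabled)\s+(?P<vlan>\S+)\s+"
)


def parse_interface_status(text: str) -> dict:
    """Return {port: (status, vlan)}; vlan is an int, or 'trunk'/'routed' left as a string."""
    ports = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or blank line
        vlan = m.group("vlan")
        ports[m.group("port")] = (m.group("status"), int(vlan) if vlan.isdigit() else vlan)
    return ports


def audit(ports: dict, plan: dict) -> list:
    """Compare live port state with the plan; return (port, finding) pairs."""
    findings = []
    for port, (status, vlan) in ports.items():
        wanted = plan.get(port)
        if wanted is not None and vlan != wanted:
            findings.append((port, f"in VLAN {vlan}, plan says VLAN {wanted}"))
        elif wanted is None and vlan == 1 and status == "connected":
            # Unplanned but live: it is sharing VLAN 1 with interface VLAN 1.
            findings.append((port, "connected but still in default VLAN 1"))
    for port in plan:
        if port not in ports:
            findings.append((port, "not present in switch output"))
    return findings


def ios_commands(vlans: dict, plan: dict) -> list:
    """The config-mode sequence from the text: create VLANs, then assign access ports."""
    lines = ["configure terminal"]
    for vid, name in sorted(vlans.items()):
        lines += [f"vlan {vid}", f" name {name}"]
    for port, vid in sorted(plan.items(), key=lambda kv: int(kv[0].split("/")[1])):
        lines += [f"interface {port}", " switchport mode access", f" switchport access vlan {vid}"]
    lines.append("end")
    return lines


if __name__ == "__main__":
    live = parse_interface_status(SHOW_INT_STATUS)
    for port, finding in audit(live, PLAN):
        print(f"{port}: {finding}")
    print("\n".join(ios_commands(VLANS, PLAN)))
```

On the sample, the audit reports Fa0/1 and Fa0/5 as connected but still in VLAN 1; the notconnect ports 9 and 10 are not flagged, since the check is about live hosts sharing the default VLAN. Feeding the script real show interface status output is the only change needed to run it against a switch.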
