Network Design - PowerPoint PPT Presentation

Slides: 63
Provided by: ICT354

1
Network Design
  • In networking, scalability is the capability to
    grow and adapt without major redesign or
    reinstallation.
  • Good design is the key to a network's capability
    to scale. To be scalable, a network design
    should follow a hierarchical model.
  • A hierarchical design model simplifies network
    design in much the same way that the OSI 7-layer
    protocol model simplifies communication between
    computers.
  • A hierarchical network design model breaks the
    complex problem of network design into smaller,
    more manageable problems.

2
Hierarchical Model/Structure
Figure: hierarchical structure diagram. Core Layer: routers (R) at regional sites A, B, C and D, connected to public networks. Distribution Layer: campus backbone and building backbone routers. Access Layer: routers serving the local site and remote sites.
3
Layers in Hierarchical Structure
  • A hierarchical model/structure may include the
    following layers:
  • Core layer, which provides optimal transport
    between regional sites or at the network
    backbone.
  • Distribution layer, which provides policy-based
    connectivity.
  • Access layer, which provides workgroup and user
    access to the network resources.
  • Layered models are useful because they facilitate
    modularity. Since devices at each layer have
    similar and well-defined functions,
    administrators can easily add, replace or remove
    individual devices.

4
Advantages of Hierarchical Model
  • Design implementation
  • As each layer is assigned clear and specific
    functions, it is easier to choose the right
    systems and features for that layer.
    Implementation of each layer, and of the overall
    network, is simpler.
  • Each layer addresses a different set of problems,
    so the hardware and software can be optimized
    for specific roles. Devices in the same layer
    can be configured in a consistent way.
  • Modularity: network design elements can be
    replicated across the network.
  • Predictability: the behaviour of a network is
    more predictable, capacity planning for growth is
    easier, and modelling of network performance is
    made easier.

5
Advantages of Hierarchical Model
  • Scalability
  • Functionality is localized and potential problems
    can be recognized more easily; hence the network
    can grow much larger without sacrificing control
    or manageability.
  • Changes can be implemented more easily. The cost
    and complexity of an upgrade are limited to a
    subset of the overall network. In a large but
    flat network architecture, changes can affect
    many parts of the network.
  • Ease of troubleshooting
  • It is easier to isolate problems in a network as
    the functions of the individual layers are well
    defined.
  • Easier to identify failure points in a network by
    structuring the network into small,
    easy-to-understand elements.

6
Traffic Flow in Hierarchical Model
  • A hierarchical model for network design is good
    for controlling data traffic patterns. With
    routers suitably placed in the network,
    unnecessary traffic will not flow from one layer
    to another.
  • Together with a suitable placement of servers,
    traffic flow can be effectively controlled.
  • For example, when clients in site Z access their
    local server, the traffic will not go up to the
    regional router. Only when clients in site Z
    access servers in other sites will the traffic go
    up to the regional router and then down to the
    required site.

7
Placement of servers
  • Placement of servers affects the traffic flow and
    hence the usage of link bandwidth.
  • Some servers (like email servers) are frequently
    accessed by all clients in the network, while
    some servers (like file servers) only serve
    specific client groups. The former is referred to
    as an enterprise server and the latter as a
    workgroup server.
  • To avoid unnecessary traffic flow across layers
    and sites, which wastes network bandwidth:
  • enterprise servers are better placed at a higher
    layer in the hierarchy
  • workgroup servers should be placed in the access
    layer

8
Core Layer
  • Typically, the Core layer provides connections
    between regional and main sites in a Wide Area
    Network (WAN).
  • However, the core of a network does not have to
    exist in the WAN; a LAN backbone can also be part
    of the core layer. Gigabit Ethernet is a typical
    core layer technology.
  • The Core layer provides optimized and reliable
    transport structure by forwarding traffic at very
    high speeds.
  • Core layer routes/switches packets as fast as
    possible.
  • Devices at the core layer should not be burdened
    with any processing that slows down forwarding:
    no access-list checking, no data encryption and
    no address translation (NAT) at the Core layer.

9
Features of routers at Core Layer
  • Scalability: routers at the Core layer should
    provide multiple modules for different media
    types (copper, fiber, etc.). Routers at the
    Distribution layer generally need fewer
    interfaces.
  • Features (for reliability) of routers at the Core
    layer:
  • redundant symmetrical links
  • redundant power supplies
  • Although many packet processing functions are not
    preferred in the Core layer, the most powerful
    routers should be used in the Core layer to
    provide high speed and reliable transport of data
    between regional sites.
  • Routers at the Distribution layer usually have a
    lower switching speed than routers at the Core
    layer because they handle less traffic.

10
Core Layer - Load Balancing
  • To add bandwidth, either increase the bandwidth
    of the existing link, or add additional links.
    The latter requires routers to provide a load
    balancing function. Load balancing/sharing can
    be per-destination (fast switching) or per-packet
    (process switching).
  • Per-destination load balancing
  • given two paths to the same network, all packets
    for one destination IP address will travel over
    the first path, all packets for a second
    destination will travel over the second path, and
    so on.
  • when the router switches the first packet to a
    particular destination, a routing table lookup is
    performed. The route and data-link information
    is stored in the fast switching cache. Subsequent
    packets to the same destination are immediately
    switched out the same interface without
    performing another routing table lookup.

11
Core Layer - Load Balancing
  • Per-packet load balancing means that the router
    sends one packet for a destination over the first
    path, the second packet for the same destination
    over the second path, and so on.
  • Per-destination vs per-packet load balancing
  • Per-packet load balancing may distribute traffic
    more evenly.
  • Per-destination (fast switching) provides a lower
    switching time and processor utilization.
  • Per-destination load balancing can preserve
    packet order. Per-packet load balancing
    guarantees equal load across all links. However,
    there is potential that the packets may arrive
    out of order at the destination because
    differential delay may exist within the network.
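To make the two load-sharing modes concrete, here is an added simulation (not from the slides) of per-destination and per-packet switching over two equal paths: it reports the load each link carries and which flows are delivered out of order once the paths have different delays. The fast switching cache is modelled as a dictionary; all packets, addresses and delays are constructed values.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

PATHS = ["link-A", "link-B"]           # two equal-cost paths to the same network

# Constructed traffic: five packets to one destination and one to another
# (destination address, sequence number within that flow).
SAMPLE_PACKETS: List[Tuple[str, int]] = [
    ("10.0.0.1", 1), ("10.0.0.1", 2), ("10.0.0.1", 3),
    ("10.0.0.1", 4), ("10.0.0.1", 5), ("10.0.0.2", 1),
]
# Constructed one-way delay per path; the difference is the differential delay.
SAMPLE_DELAY = {"link-A": 0, "link-B": 3}

Assignment = List[Tuple[str, int, str]]   # (dst, seq, path)


def per_destination(packets, paths=PATHS) -> Assignment:
    """Per-destination (fast switching) load sharing.

    The first packet to a destination triggers a routing-table lookup (here:
    choosing the next path round robin); the result is cached and every later
    packet to that destination is switched out the same interface.
    """
    cache: Dict[str, str] = {}             # the "fast switching cache"
    out: Assignment = []
    lookups = 0
    for dst, seq in packets:
        if dst not in cache:
            cache[dst] = paths[lookups % len(paths)]
            lookups += 1
        out.append((dst, seq, cache[dst]))
    return out


def per_packet(packets, paths=PATHS) -> Assignment:
    """Per-packet (process switching) load sharing: strict round robin."""
    return [(dst, seq, paths[i % len(paths)])
            for i, (dst, seq) in enumerate(packets)]


def link_load(assignment: Assignment) -> Dict[str, int]:
    """Packets carried by each link."""
    load: Dict[str, int] = defaultdict(int)
    for _, _, path in assignment:
        load[path] += 1
    return dict(load)


def deliver(assignment: Assignment, delay: Dict[str, int]) -> List[Tuple[str, int]]:
    """Arrival order: packet i sent on path p arrives at time i + delay[p]."""
    arrivals = sorted((i + delay[path], dst, seq)
                      for i, (dst, seq, path) in enumerate(assignment))
    return [(dst, seq) for _, dst, seq in arrivals]


def out_of_order_flows(delivered: List[Tuple[str, int]]) -> Set[str]:
    """Destinations that received a lower sequence number after a higher one."""
    highest_seen: Dict[str, int] = {}
    reordered: Set[str] = set()
    for dst, seq in delivered:
        if seq < highest_seen.get(dst, 0):
            reordered.add(dst)
        highest_seen[dst] = max(seq, highest_seen.get(dst, 0))
    return reordered


if __name__ == "__main__":
    for name, fn in [("per-destination", per_destination), ("per-packet", per_packet)]:
        a = fn(SAMPLE_PACKETS)
        print(name, link_load(a),
              "reordered:", out_of_order_flows(deliver(a, SAMPLE_DELAY)))
```

With the sample traffic, per-destination switching puts five packets on one link and one on the other but keeps every flow in order, while per-packet switching splits the load 3/3 and reorders the 10.0.0.1 flow.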

12
Core layer Redundant Links
  • At the core layer, redundant links are needed to
    provide fault tolerance so that the network can
    withstand individual link failures. Together
    with load balancing by routers, link bandwidth is
    increased, response times are lowered and
    application availability is improved.
  • Multiple routers can be used to terminate dual
    links so that there is no single point of
    failure.
  • The main disadvantage of duplicating WAN links to
    each site is cost. In large networks, especially
    those using a star topology, many links are
    required. A lower cost alternative is a
    partial/semi-meshed or ring topology.

Figure: star topology with redundant links; partial-mesh topology.
13
Core layer: dedicated link and dial-up link
  • A reliable backbone may consist of dual,
    dedicated links. Traffic load can be shared
    between the two links.
  • Another model is one dedicated link and one
    dial-up (switched) link.
  • Under normal operational conditions, the dial-up
    link is not brought up until the dedicated link
    fails.
  • The dial-up link can also be set up when the
    dedicated link has reached a traffic-load
    threshold (say 90%).

14
Distribution Layer
  • The distribution layer provides policy-based
    connectivity. Packet manipulation and handling
    occurs in this layer. A policy is an approach in
    handling certain kinds of traffic. Policies can
    be used to secure networks and to preserve
    resources by preventing unnecessary traffic.
  • The distribution layer is located between the
    access and core layers. This layer provides
    boundary definition using access lists/filters to
    limit what gets into the core. Traffic filters
    based on area or service type are used to provide
    policy-based access control. Access
    lists/filters can be used to permit or deny
    traffic from particular networks/nodes or
    particular protocols and applications. Access
    filters can be applied on incoming or outgoing
    ports.
  • If a network has two or more routing protocols,
    such as RIP and OSPF, route redistribution is
    done at the distribution layer.

15
Access Layer
  • This layer provides access to services and data;
    servers and workstations are attached to this
    layer. For quick access to local services,
    workgroup servers and printers are placed in the
    access layer.
  • Using VLANs, users can be grouped according to
    their logical function.
  • Access routers generally offer fewer physical
    interfaces than distribution and core routers.
    Access routers generally connect to access
    switches for user access to the network.
  • Provides connectivity: remote users access the
    network through WAN services such as ISDN or
    Frame Relay; local users access it through
    Ethernet.
  • The access layer performs network entry security
    control.
  • Routers at the access layer permit/deny users.
  • Authenticating users prevents unauthorized users
    from accessing the network.

16
Three-layer, Two-layer, One-layer
  • A three-layer model can meet the needs of many
    enterprise networks.
  • But not all organizations require a three-layer
    structure. In many cases, one-layer and
    two-layer designs are suitable.
  • The way the layers are implemented depends on the
    needs of the network being designed.
  • However, a hierarchical structure should be
    planned or maintained to allow for future
    expansion. A two-layer structure may expand into
    three-layer.

17
Campus Networks broadcast issue
  • Campus networks usually cover a building or
    several buildings in close proximity to each
    other.
  • Two major problems with traditional networks are
    availability and performance. These two problems
    are both impacted by the amount of bandwidth
    available. Broadcast-type traffic can consume a
    lot of bandwidth and therefore affect network
    performance.
  • Two methods can address the broadcast issue for
    large switched LANs:
  • Use routers to create many subnets and limit
    broadcasts within individual subnets. This may
    create a traffic bottleneck at the routers.
  • Another method is to implement virtual LANs
    (VLANs) in the switched network. VLANs offer
    better bandwidth utilization, better security and
    easier administration (adding/moving computers
    between VLANs).

18
Network Traffic Pattern
  • The 80/20 rule states that 80 percent of the
    traffic on a given network segment is local. No
    more than 20 percent of the network traffic moves
    across the backbone of the network.
  • In today's networks, traffic patterns are moving
    toward the 20/80 model. In the 20/80 model, only
    20 percent of traffic remains local to the
    workgroup LAN, and 80 percent of the traffic
    leaves the local network. Contributing factors
    to this shift in traffic patterns include:
  • The Internet
  • Server farms
  • As the majority of traffic leaves the local
    network segment, congestion (a traffic
    bottleneck) may occur at routers at the
    distribution layer.

19
LAN Switching and The Hierarchical Model
Figure: Switch Block 1 and Switch Block 2 (each an access layer of switches plus a distribution layer) connected through the Core Block (core layer).
  • Access Layer provides access-layer aggregation
    and L3/L4 services
  • Distribution Layer provides policy-based
    connectivity
  • Core Layer provides optimal connectivity between
    distribution blocks

20
Network Building Blocks
  • Network building blocks may include the
    following:
  • Switch block
  • Core block
  • Server block
  • WAN block
  • Mainframe block
  • Internet connectivity
  • Switch block provides switch and router
    functionality
  • Switch block provides Access Layer and
    Distribution Layer functions.

21
Switch Block
  • Access Layer
  • Switches in the wiring closets connect users to
    the network.
  • Access layer devices have redundant connections
    to the distribution layer device to provide fault
    tolerance.
  • Spanning-Tree Protocol (STP) is required in the
    access layer switches
  • Distribution Layer
  • Switches/routers provide broadcast control,
    security and connectivity for each switch block.
  • The distribution layer device provides switching
    and routing services.
  • A distribution layer device can be a switch plus
    an external router.
  • A distribution layer device can also be a
    multilayer switch

22
Core Block
Figure: four switch blocks joined by a core block, shown in two variants: Collapsed Core and Dual Core.
23
Core Block
  • A core is required when there are two or more
    switch blocks.
  • The core block is responsible for transferring
    traffic between switch blocks at high speed.
    Traffic between switch blocks, server blocks, the
    Internet, and the wide-area network must pass
    through the core.
  • Core block must be able to pass traffic as
    quickly as possible
  • One or more switches can make up a core. To
    provide redundancy, at least two devices should
    be present in the core.
  • With a Collapsed Core, distribution and core
    layer functions are performed in the same device.
    There is no separate core block. The DL
    (distribution layer) device of one switch block
    is connected directly to the DL device of
    another switch block, without a separate core
    layer device in between.
  • With a Dual Core, each switch block is
    redundantly linked to both core switches,
    providing two equal path links and twice the
    bandwidth.

24
Scalable Network Key Characteristics
  • Reliable and available - A reliable network
    should be dependable and available.
  • Responsive - A responsive network should provide
    Quality of Service (QoS) for various applications
    and protocols.
  • Efficient - Large internetworks must optimize the
    use of resources, especially bandwidth. Reducing
    the amount of overhead traffic results in an
    increase in data throughput.
  • Adaptable - An adaptable network is capable of
    accommodating disparate protocols, applications,
    and hardware technologies.
  • Accessible but secure - An accessible network
    allows different types of connections while
    securing network integrity.

25
Reliable and Available Network
  • In a highly reliable and available network, fault
    tolerance and redundancy make outages and
    failures invisible to the end user. Devices and
    telecommunication links can be very expensive;
    however, the cost of a core router or link going
    down can be much higher.
  • Reliability can be expressed as Mean Time Between
    Failures (MTBF).
  • Availability can be expressed as a percentage of
    the time when the service is available, e.g. the
    service is available 99.9% of the day.
  • A reliable system may have high availability.
    High availability systems can also be built with
    less reliable components if a good fault-tolerant
    mechanism is used.
  • Core routers maintain reliability and
    availability. The following features can enhance
    reliability and availability: scalable routing
    protocols, alternative paths, load balancing and
    dial backup.
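The MTBF/availability relationship, and the point that redundancy lets a high-availability path be built from less reliable parts, worked through as an added example that is not from the slides; the MTBF and MTTR figures are constructed.

```python
from math import prod
from typing import Sequence

HOURS_PER_YEAR = 365 * 24


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability of one component: MTBF / (MTBF + MTTR)."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def series_availability(parts: Sequence[float]) -> float:
    """Every part must be up (host -> access switch -> distribution router -> link)."""
    return prod(parts)


def parallel_availability(parts: Sequence[float]) -> float:
    """Only one part must be up (dual WAN links, two core switches)."""
    return 1.0 - prod(1.0 - a for a in parts)


def path_availability(stages: Sequence[Sequence[float]]) -> float:
    """Stages are traversed in series; each stage is a group of redundant units."""
    return series_availability([parallel_availability(s) for s in stages])


def downtime_hours_per_year(a: float) -> float:
    """Expected outage time implied by an availability figure."""
    return (1.0 - a) * HOURS_PER_YEAR


# Constructed figures: one WAN link with MTBF 2000 h and MTTR 4 h (about 99.8%),
# and the same link duplicated with load balancing / dial backup behind it.
SINGLE_LINK = availability(2000, 4)
DUAL_LINK = parallel_availability([SINGLE_LINK, SINGLE_LINK])

if __name__ == "__main__":
    print(f"single link: {SINGLE_LINK:.6f}  ({downtime_hours_per_year(SINGLE_LINK):.1f} h/year down)")
    print(f"dual link:   {DUAL_LINK:.6f}  ({downtime_hours_per_year(DUAL_LINK):.3f} h/year down)")
    # Core path: access router, dual core links, regional router (constructed values).
    print(f"end-to-end:  {path_availability([[0.999], [0.99, 0.99], [0.999]]):.6f}")
```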

26
Reliable Available Network
  • Scalable routing protocols: routers in the core
    of a network should converge rapidly and maintain
    reachability to all networks and subnetworks.
    Simple distance vector routing protocols, such as
    RIP, take too long to update and adapt to
    topology changes.
  • Alternate paths: redundant links maximize
    network reliability and availability, but they
    are expensive to deploy.
  • Load balancing: redundant links do not
    necessarily remain idle until a link fails.
    Routers can distribute the traffic load across
    multiple links to the same destination.
  • Dial backup: a redundant link could be too
    expensive. A backup link can be configured over
    a dial-up technology, such as ISDN.

27
Responsive Network
  • End users notice network responsiveness as they
    use the network; users expect network resources
    to respond quickly.
  • Traffic prioritization enables policy-based
    routing and ensures that packets carrying
    mission-critical data take precedence over less
    important traffic.
  • To improve responsiveness in a congested network,
    routers may be configured to prioritize certain
    kinds of traffic based on protocol information,
    such as TCP port numbers.
  • If the router schedules packets for transmission
    on a first-come, first-served basis
    (First-In-First-Out, FIFO queuing), users could
    experience an unacceptable lack of
    responsiveness. A user sending delay-sensitive
    voice traffic may be forced to wait too long.
    The delay problem is even more serious on slow
    WAN links.

28
Responsive Network: Traffic Prioritization and
Queuing
  • Routers may be configured to reorder packets so
    that mission-critical and delay-sensitive traffic
    is processed first. Higher priority packets are
    sent first even if other, lower priority packets
    arrived ahead of them.
  • Priority Queuing
  • assigns a different priority (high, medium,
    normal, low) to different protocols according to
    various criteria
  • traffic classified as low priority might not be
    serviced in a timely manner, or at all.
  • Custom Queuing
  • reserves bandwidth for a specific protocol,
    ensuring that a minimum amount of bandwidth is
    provided to the protocol.
  • configuration may include specifying the maximum
    number of packets in each custom queue and the
    amount of data to be forwarded from each queue
    during its turn in the cycle.
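The starvation risk of priority queuing and the minimum-bandwidth guarantee of custom queuing, as an added simulation that is not part of the slides: packets are classified by TCP destination port into the four priority queues, then scheduled over one congested interval by each method. The port-to-queue mapping, packet sizes, link budget and per-queue byte counts are all constructed.

```python
from collections import deque
from typing import Deque, Dict, List, Tuple

# Queue names in strict-priority order, as on the slide.
PRIORITY_ORDER = ["high", "medium", "normal", "low"]

# Constructed classification: (protocol, destination port) -> queue name.
# Anything not listed falls into the "normal" queue.
CLASS_RULES = {("tcp", 23): "high", ("tcp", 21): "low"}

# Constructed offered load for one congested interval: 20 interactive
# packets (tcp/23) and 10 bulk-transfer packets (tcp/21), 100 bytes each.
SAMPLE_PACKETS: List[Tuple[str, int, int]] = (
    [("tcp", 23, 100)] * 20 + [("tcp", 21, 100)] * 10
)

# Bytes the link can transmit in the interval (constructed): less than offered.
LINK_BUDGET = 1200

# Custom-queuing byte counts per queue per cycle (constructed).
BYTE_COUNTS = {"high": 300, "medium": 100, "normal": 100, "low": 100}


def classify(proto: str, dport: int) -> str:
    """Map a packet to a queue by protocol information (here: TCP port)."""
    return CLASS_RULES.get((proto, dport), "normal")


def build_queues(packets) -> Dict[str, Deque[int]]:
    """Enqueue packet sizes into their classified queues (arrival order kept)."""
    queues: Dict[str, Deque[int]] = {name: deque() for name in PRIORITY_ORDER}
    for proto, dport, size in packets:
        queues[classify(proto, dport)].append(size)
    return queues


def priority_queuing(queues: Dict[str, Deque[int]], budget: int) -> Dict[str, int]:
    """Strict priority: always serve the highest non-empty queue.

    Lower queues are only served once every higher queue is empty, so under
    sustained high-priority load they may never be served at all.
    """
    sent = {name: 0 for name in queues}
    while budget > 0:
        for name in PRIORITY_ORDER:
            if queues[name]:
                size = queues[name].popleft()
                sent[name] += size
                budget -= size
                break
        else:
            break                                  # every queue is empty
    return sent


def custom_queuing(queues: Dict[str, Deque[int]], byte_counts: Dict[str, int],
                   budget: int) -> Dict[str, int]:
    """Round robin: each queue may send up to its byte count per cycle.

    A queue with packets waiting is visited every cycle, which is what
    guarantees it a minimum share of the link.
    """
    sent = {name: 0 for name in queues}
    while budget > 0 and any(queues.values()):
        for name in PRIORITY_ORDER:
            allowance = byte_counts[name]
            while queues[name] and allowance > 0 and budget > 0:
                size = queues[name].popleft()
                sent[name] += size
                allowance -= size
                budget -= size
    return sent


def compare(packets=SAMPLE_PACKETS, budget=LINK_BUDGET) -> Dict[str, Dict[str, int]]:
    """Bytes delivered per queue by each scheduler over the same interval."""
    return {
        "priority": priority_queuing(build_queues(packets), budget),
        "custom": custom_queuing(build_queues(packets), BYTE_COUNTS, budget),
    }


if __name__ == "__main__":
    for method, sent in compare().items():
        print(f"{method:>8}: {sent}")
```

With the sample load, priority queuing spends the whole 1200-byte budget on the high queue and the low queue sends nothing, while custom queuing delivers 900 bytes of high and 300 bytes of low traffic.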

29
Efficient Network
  • An efficient network should not waste bandwidth,
    especially over costly WAN links. To be
    efficient, routers should prevent unnecessary
    traffic from traversing the WAN and minimize the
    size and frequency of routing updates.
  • Techniques that optimize a WAN connection:
  • Access lists: filtering/stopping unwanted
    traffic
  • Snapshot routing
  • Dial-on-Demand Routing
  • Compression over WANs
  • Incremental updates: routing protocols such as
    OSPF send routing updates that contain
    information only about routes that have changed.

30
Efficient Network - DDR
  • With Dial-on-demand routing (DDR), low-volume,
    periodic network connections can be made over the
    switched network (such as ISDN, PSTN) in a cost
    effective way.
  • A router activates the DDR feature when it
    receives an IP packet destined for a location on
    the other side of the dial-up line.
  • The router dials the destination phone number and
    establishes the connection. When the transmission
    is complete, the line is automatically
    disconnected.
  • The main difference between dial backup and DDR
    is the reason for placing the call. With DDR,
    traffic to the called destination activates the
    link. With dial backup, the link is activated as
    a result of a primary line failure, or because
    utilization of the primary link has reached a
    predefined level.

31
Efficient Network - Snapshot routing
  • Distance vector routing protocols typically
    update neighbor routers with their complete
    routing table periodically, even when there is no
    change in the network topology. Regular updates
    would cause a dial-up link to be re-established
    just to maintain the routing tables. It is
    possible to adjust the timers, but snapshot
    routing is a better solution.
  • With snapshot routing, routers exchange their
    route tables during an initial connection. Then
    each router waits until the next active period on
    the line before again exchanging routing
    information.
  • The router takes a snapshot of the routing table,
    which it uses while the dial-up link is down.
    When the link is re-established, the router again
    updates its neighbors.

32
Making a network adaptable
  • An adaptable network will handle the addition and
    coexistence of multiple routed and routing
    protocols.
  • Adaptable protocols are needed to support routing
    information for different routed protocols.
  • Adaptable protocols and routers also support
    route redistribution, which allows routing
    information to be shared among two or more
    different routing protocols. For example, RIP
    routes could be redistributed, or injected, into
    an OSPF area.

33
Accessible and secure
  • Accessible networks let users connect over a
    variety of technologies.
  • Users may be connected through wired or wireless
    LAN.
  • Remote users/sites may have access to several
    types of WAN services:
  • Circuit-switched networks that use dial-up lines
  • Dedicated networks that use leased lines
  • Packet-switched networks
  • VPN over the Internet
  • The easier it is for legitimate users to access
    the network, the easier it is for unauthorized
    users to break in. The network administrator
    must secure the access.
  • Access lists can be used to provide security.
  • Authentication and encryption should be used.

34
Accessible and secure
  • A RADIUS client, also referred to as a Network
    Access Server (NAS), provides the remote
    connections for users. A RADIUS client is
    typically a router, a VPN server/router or a
    wireless access point. A RADIUS server performs
    authentication, authorization and accounting
    functions.
  • A VPN is the extension of a private network that
    uses links across the Internet. With a VPN, data
    sent between two computers across the public
    Internet is encrypted for confidentiality.
    Hence, it is just like sending data over a
    point-to-point private link.
  • IPSec is a set of protocols for creating and
    maintaining secure communications over IP
    networks. Many VPNs are based on IPSec.
  • SSL can be used to implement a VPN. SSL-based
    VPNs typically only require standard web
    browsers.

35
Accessible and Secure - WLAN
  • Security problems with early WLAN systems
    (WEP-based IEEE 802.11):
  • Open system authentication: the SSID is sent in
    clear text
  • Wired Equivalent Privacy (WEP)
  • Wi-Fi Protected Access (WPA) addresses the
    problems in WEP.
  • WPA uses the Temporal Key Integrity Protocol
    (TKIP) for encryption and IEEE 802.1X/EAP for
    authentication. WPA2 uses the Advanced
    Encryption Standard (AES).
  • IEEE 802.1X is based on the use of an
    authentication server (e.g. RADIUS) for user
    management and the Extensible Authentication
    Protocol (EAP) for secured communication.

36
Troubleshooting
  • Troubleshooting begins by looking at a
    methodology that breaks down the process of
    troubleshooting into manageable pieces. This
    permits a systematic approach, minimizes
    confusion, and cuts down on time otherwise wasted
    with trial and error troubleshooting.
  • The stages of the general troubleshooting process
    are:
  • Step 1: gather symptoms
  • Step 2: isolate the problem
  • Step 3: correct the problem
  • The stages are not mutually exclusive. At any
    point in the process, it may be necessary to
    return to previous steps. For example, it may
    be necessary to gather more symptoms while
    isolating a problem. Often, when attempting to
    correct a problem, another unidentified problem
    could be created.

37
Gather Symptoms
  • The troubleshooter gathers and documents symptoms
    from the network, end systems, or users.
  • The troubleshooter determines what network
    components have been affected and how the
    functionality of the network has changed compared
    to the baseline.
  • Symptoms may appear in many different forms:
    alerts from the network management system,
    console messages, and user complaints.

38
Gathering Symptoms
  • The problem is reported by a person or by
    software
  • Often involves communicating with others
  • It is like gathering requirements in software
    design
  • It is an iterative process
  • Possible questions to ask:
  • What does not work? What does work?
  • Are these things related?
  • When was the problem first noticed?
  • What has changed since the last time it worked?
  • Did anything unusual happen?
  • When exactly does the problem occur?

39
Isolating and Correcting Problems
  • Isolation of the problem
  • Identify the characteristics of the problem at
    the logical layers of the network so that the
    most likely cause can be selected.
  • At this stage, it may be necessary to gather and
    document more symptoms, depending on the problem
    characteristics that are identified.
  • Correct the problem
  • Correct an identified problem by implementing,
    testing, and documenting a solution.
  • Change only one thing at a time. Gather
    results as you change each variable.
  • Perform each step carefully and test to see if
    the symptoms go away.
  • If the corrective action has created another
    problem, the attempted solution is documented and
    the changes are removed. Then return to
    gathering symptoms and isolating the problem.

40
Layered Approach
  • The OSI model is useful in troubleshooting
    networks. The model allows troubleshooting to be
    described in a structured way.
  • The ability to identify which layers pertain to a
    networking device gives a troubleshooter the
    ability to minimize the complexity of a problem
    by dividing the problem into manageable parts.
  • For example, knowing that Layer 3 issues are of
    no importance to a switch confines the task to
    layer 1 and layer 2. This simple knowledge can
    prevent time being wasted troubleshooting
    irrelevant possibilities and will reduce the
    amount of time spent attempting to correct a
    problem.

41
Bottom-up
  • When applying a bottom-up approach towards
    troubleshooting a networking problem, the
    examination starts with the physical components
    of the network and then is worked up through the
    layers of the OSI model until the cause of the
    problem is identified.
  • Advantages: most networking problems reside at
    the lower layers, so this approach is often
    effective.
  • Disadvantages: requires checking every device
    and interface on the network until the possible
    cause of the problem is found. The challenge is
    to determine which devices to start with.

42
Top-down
  • When applying a top-down approach towards
    troubleshooting a networking problem, the end
    user application is examined first. Then work
    down from the upper-layers of the OSI model until
    the cause of the problem has been identified.
  • This approach requires checking of every network
    application until the possible cause of the
    problem is found. The challenge is to determine
    which application to start with.

43
Divide and conquer
  • When the divide and conquer approach is applied
    towards troubleshooting a networking problem, a
    layer is selected and tested in both directions
    from the starting layer.
  • This approach is initiated at a particular layer.
    The layer is chosen based on the troubleshooter's
    experience level and the symptoms gathered about
    the problem.
  • Once the direction of the problem is identified,
    troubleshooting follows that direction until the
    cause of the problem is identified.
  • If it can be verified that a layer is
    functioning, it is quite safe to assume that the
    layers below it are functioning as well. If a
    layer is not functioning properly, gather
    symptoms of the problem at that layer and work
    downward to lower layers.

44
Selecting an approach
  • A troubleshooting approach is often selected
    based on its complexity.
  • A bottom-up approach typically works better for
    complex problems.
  • If symptoms come from users complaining about
    specific network application(s), a top-down
    approach may be preferred.
  • If symptoms come from the network (e.g. network
    monitor display, alarm/warning message from
    devices), a bottom-up approach will likely be
    more effective.
  • If a particular problem has been experienced
    previously, then the troubleshooter may know of a
    way to shorten the troubleshooting process.

45
Documentation
  • Keep an inventory of equipment and software, such
    as a list of MAC addresses and IP addresses.
  • Keep a record of changes (a change log file),
    recording:
  • Each significant change
  • Each problem identified
  • Each entry dated, with the name of the person who
    made the entry
  • Types of documentation:
  • Configuration information that describes the
    system, for example, sysreport used in Linux.
  • Procedural information that describes how to do
    things. Ideally, use tools (such as script) that
    automatically document what you have done.

46
Monitoring and Logging
  • Event logs are useful for troubleshooting and
    monitoring performance.
  • An event (an entry in the log file) may include
    details of date and time when it occurred, event
    ID, event category, etc.
  • In Windows systems, event category includes
    application, security, system, etc.
  • A performance monitor keeps track of various
    processes. It helps identify bottlenecks. It
    helps with the planning of upgrades, tracking of
    processes, monitoring the results of
    tuning/configuration, etc.
  • Bottlenecks could be due to the system not having
    enough resources, a malfunctioning program, or a
    program that dominates a resource.
  • Performance monitoring can be done locally or
    remotely.
  • When the value of a monitored object exceeds the
    limit, an action is triggered: record the event
    in a log file, send a message, execute a script,
    etc.

47
Logging
  • The syslog.conf file specifies rules for logging
    of system messages on Linux/Unix systems.
  • Each rule consists of two fields: a selector and
    an action.
  • The selector field consists of two parts, a
    facility and a priority.
  • The facility specifies the subsystem that
    produced the message.
  • Examples of facility: auth, authpriv, cron,
    daemon, kern, lpr, mail, news, syslog, user, uucp
    and local0 through local7
  • The priority defines the severity of the message.
  • Examples of priority, in ascending order: debug,
    info, notice, warning, err, crit, alert, emerg
  • Examples of action: write the message to a file
    on the local host, forward the message to
    another host, or write the message to users'
    screens if they are logged on
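A small evaluator for syslog.conf rules of the form described above, added here as an example (it is not from the slides and is not the syslogd code): it parses a constructed configuration and reports where a message with a given facility and priority would be sent. It follows the sysklogd conventions that a bare priority name matches that level and all higher levels, that ';' joins several selectors in one rule with later ones overriding earlier ones, and that 'none' excludes a facility. The host name in the sample is a placeholder.

```python
from typing import List, Tuple

# Facilities and priorities as listed on the slide; priorities in ascending order.
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail",
              "news", "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Constructed syslog.conf fragment; the log host name is a placeholder.
SAMPLE_CONF = """
# authentication messages go to their own file and nowhere else
auth,authpriv.*          /var/log/auth.log
*.*;auth,authpriv.none   -/var/log/syslog
kern.*                   -/var/log/kern.log
mail.err                 /var/log/mail.err
*.emerg                  *
*.crit                   @loghost.example.invalid
"""

Rule = Tuple[str, str]   # (selector, action)


def parse_rules(text: str) -> List[Rule]:
    """Split a syslog.conf into (selector, action) pairs; '#' starts a comment."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)        # selector, whitespace, action
        if len(parts) != 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((parts[0], parts[1].strip()))
    return rules


def _level(name: str) -> int:
    if name not in PRIORITIES:
        raise ValueError(f"unknown priority: {name!r}")
    return PRIORITIES.index(name)


def selector_matches(selector: str, facility: str, priority: str) -> bool:
    """Evaluate one selector field against a message.

    Sub-selectors separated by ';' are applied left to right, so a later
    'facility.none' overrides an earlier '*.*' for that facility.  A bare
    priority matches that level and above; '=level' matches exactly that
    level; '*' matches every level; 'none' matches nothing.
    """
    decision = False
    for part in selector.split(";"):
        facs, dot, prio = part.partition(".")
        if not dot:
            raise ValueError(f"selector without priority: {part!r}")
        fac_list = facs.split(",")
        for fac in fac_list:
            if fac != "*" and fac not in FACILITIES:
                raise ValueError(f"unknown facility: {fac!r}")
        if "*" not in fac_list and facility not in fac_list:
            continue                       # says nothing about this facility
        if prio == "none":
            decision = False
        elif prio == "*":
            decision = True
        elif prio.startswith("="):
            decision = _level(priority) == _level(prio[1:])
        else:
            decision = _level(priority) >= _level(prio)
    return decision


def route(facility: str, priority: str, rules: List[Rule]) -> List[str]:
    """Actions, in file order, that a message would be delivered to."""
    if facility not in FACILITIES:
        raise ValueError(f"unknown facility: {facility!r}")
    _level(priority)                       # validates the priority name
    return [action for selector, action in rules
            if selector_matches(selector, facility, priority)]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONF)
    for fac, pri in [("auth", "info"), ("kern", "warning"), ("daemon", "emerg")]:
        print(f"{fac}.{pri:<8} -> {route(fac, pri, rules)}")
```

Note that an auth.info message reaches only /var/log/auth.log because the second rule's 'auth,authpriv.none' cancels its '*.*', while a daemon.emerg message is written to the general log, to every logged-in user and to the remote log host.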

48
Logging Policies
  • Data logged should be kept for a period rather
    than deleted immediately.
  • Log files could be reset at periodic intervals.
    Data logged can be kept for a period by
    "rotating" log files.
  • For example, log files are kept for a week.
    Backup files are named logfile.1, logfile.2,
    ..., logfile.6. Every day, the data in logfile.7 is
    lost as logfile.6 overwrites it.
  • To store logged data for a longer period,
    compress and archive the logs to tape or other
    permanent media.
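An added example, not from the slides, of the daily rotation just described (logfile.6 is renamed over logfile.7, and so on down to logfile.1), with the copy that would be lost gzip-compressed into an archive directory instead; the file names and the helper that simulates a run of days are assumptions for illustration.

```python
# Added example (not from the slides): rotate logfile -> logfile.1 ... logfile.7
# daily and archive (compress) the copy that would otherwise be discarded.
import gzip
import os
import shutil
import tempfile

def rotate(logfile, keep=7, archive_dir=None):
    """logfile.6 -> logfile.7, ..., logfile -> logfile.1, then a fresh empty
    logfile. The old logfile.7 is lost unless archive_dir is given, in which
    case it is gzip-compressed there first. Returns the archive path or None."""
    oldest = f"{logfile}.{keep}"
    archived = None
    if os.path.exists(oldest):
        if archive_dir:
            os.makedirs(archive_dir, exist_ok=True)
            seq = len(os.listdir(archive_dir))        # simple unique sequence number
            archived = os.path.join(archive_dir, f"{os.path.basename(logfile)}.{seq:04d}.gz")
            with open(oldest, "rb") as src, gzip.open(archived, "wb") as dst:
                shutil.copyfileobj(src, dst)
        os.remove(oldest)
    for n in range(keep - 1, 0, -1):                  # shift .6 -> .7, ..., .1 -> .2
        if os.path.exists(f"{logfile}.{n}"):
            os.replace(f"{logfile}.{n}", f"{logfile}.{n + 1}")
    if os.path.exists(logfile):
        os.replace(logfile, f"{logfile}.1")
    open(logfile, "w").close()                        # start the new day's log
    return archived

def simulate_days(days, keep=7):
    """Append one line per day, then rotate. Returns ({backup: content},
    [archived contents]) so the retention scheme can be checked."""
    workdir = tempfile.mkdtemp()
    logfile = os.path.join(workdir, "logfile")
    archive_dir = os.path.join(workdir, "archive")
    archived = []
    for day in range(days):
        with open(logfile, "a") as f:
            f.write(f"day{day}\n")
        path = rotate(logfile, keep, archive_dir)
        if path:
            with gzip.open(path, "rt") as gz:
                archived.append(gz.read())
    backups = {f"logfile.{n}": open(f"{logfile}.{n}").read()
               for n in range(1, keep + 1) if os.path.exists(f"{logfile}.{n}")}
    shutil.rmtree(workdir)
    return backups, archived
```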

49
Troubleshooting a TCP/IP network
  • Step 1. Check whether the local host is properly
    configured: are the subnet mask and default gateway
    correct? Use the TCP/IP utilities such as
    ipconfig, netstat, route print, arp, etc.
  • Step 2. Use the ping or traceroute commands to
    check whether the default gateway (router) can
    respond. Then ping outwards, i.e. ping hosts
    farther away.
  • Step 3. If not able to get through a particular
    node (router), check the configuration (show
    running-config) and use various show commands to
    determine its state (e.g. show ip route, show
    interface).
  • Step 4. If all the routers in the path are
    working, check the host configuration at the
    remote host.

50
Useful tools
  • netstat - shows connections, services, routing
  • ifconfig - shows network interfaces (for Windows,
    use ipconfig)
  • ping - tests connectivity
  • traceroute - shows route/path information
  • route - shows, changes routing table
  • ip - shows, changes, sets network configuration
  • arp - shows MAC addresses
  • ps - information about processes
  • is the web server running? ps aux | grep httpd
  • top - shows processes that use the most resources
    (CPU time)
  • for Windows, use the task manager

51
netstat
  • netstat can show statistics about network
    interfaces, including the number of packets/bytes
    sent/received, etc. These values are cumulative
    (since the interface came up).
  • netstat -tua shows all network connections,
    including those listening
  • netstat -tu shows only connections that are
    established
  • netstat -i is like ifconfig; shows info and stats
    about each interface
  • netstat -nr shows the routing table, like route
    -n
  • Both Linux and Windows provide netstat

52
ipconfig/ifconfig and route
  • ipconfig (Windows), ifconfig (Linux)
  • Check interface status: connected or disconnected
  • Check IP address and subnet mask
  • Check default gateway, DNS settings
  • Route
  • Check the route table in the computer: route print
  • Check the route table in the router: show ip route.
    Helps check routing protocols.
  • Can modify the route table by adding static routes
    and a default route.

53
Ping
  • A useful tool for checking connectivity. Sends
    an ICMP echo_request message and waits for an
    ICMP echo_reply message. Shows the round-trip time.
    Can be used to make a rough measurement of
    throughput.
  • If a ping is not successful, the following error
    messages may help you understand what is wrong.
  • Destination Network Unreachable: there is no
    route to the destination in the route table of
    the local host or the router. This may happen if the
    default gateway is not properly assigned to the
    computer. For routers, this may be due to
    problems related to routing protocols or
    static/default routes.
  • Request Timeout: the echo_request message has
    been sent out by the local host, but there is no
    reply, possibly due to a connectivity problem or the
    remote host being unavailable.

54
Path Discovery - traceroute
  • As the name suggests, traceroute (in Windows,
    tracert) provides information about the route
    from the source to the destination.
  • Ping can test connectivity between two points,
    but it does not tell which path is taken by the
    ICMP packets.
  • Why bother to know which path is taken? For
    example, to verify that a BGP router is sending
    traffic via the preferred route.

55
Rough measurement with ping
  • Transmission delay: time to put the signal onto the
    media.
  • Propagation delay: time for the signal to travel
    across the media.
  • Queuing delay: time spent waiting for
    transmission in a router/switch.
  • Rough measurement with ping:
  • Ping with packet size 100 bytes, round-trip
    time = 2Y sec
  • Ping with packet size 1100 bytes, round-trip
    time = 2X sec
  • A rough estimate of the data throughput is
    8000/(X-Y) bps
  • Measurement with ping is simple, BUT it may not
    be accurate; for example, routers may give lower
    priority to answering pings.
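An added example, not from the slides, that applies the 8000/(X-Y) estimate to ping output: the extra 1000 bytes of the larger packet cost (X-Y) seconds in each direction, so the extra 8000 bits divided by (X-Y) gives bits per second. The ping output lines are constructed; the minimum RTT is used rather than the average so that variable queuing delay inflates the figure as little as possible.

```python
# Added example (not from the slides): rough throughput estimate from two
# ping runs with different packet sizes, as on the slide (8000/(X-Y) bps).
import re

TIME_RE = re.compile(r"time[=<]([\d.]+) ?ms")

def min_rtt_ms(ping_output):
    """Smallest round-trip time in the output. The minimum discards most of
    the queuing delay, which differs from probe to probe."""
    times = [float(m.group(1)) for m in TIME_RE.finditer(ping_output)]
    if not times:
        raise ValueError("no RTT samples found")
    return min(times)

def estimate_bps(rtt_small_ms, rtt_large_ms, size_small=100, size_large=1100):
    """With round-trip times 2Y (small packet) and 2X (large packet) seconds,
    the extra (size_large - size_small) bytes cost (X - Y) seconds each way,
    so throughput is about 8 * (size_large - size_small) / (X - Y) bps;
    for 100 and 1100 bytes that is the slide's 8000 / (X - Y)."""
    y = rtt_small_ms / 2 / 1000.0          # one-way time, seconds
    x = rtt_large_ms / 2 / 1000.0
    if x <= y:
        raise ValueError("large-packet RTT must exceed small-packet RTT")
    return 8 * (size_large - size_small) / (x - y)

# Constructed ping output for the two packet sizes (Linux-style lines).
PING_100 = """\
108 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=5.2 ms
108 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=4.0 ms
108 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=4.6 ms
"""
PING_1100 = """\
1108 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=13.1 ms
1108 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=12.0 ms
1108 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=12.4 ms
"""

if __name__ == "__main__":
    bps = estimate_bps(min_rtt_ms(PING_100), min_rtt_ms(PING_1100))
    print(f"rough throughput: {bps / 1e6:.2f} Mbit/s")   # 2.00 Mbit/s for the sample
```

Remember the caveat above: a router that answers ICMP at low priority inflates both RTTs, and the estimate is only as good as the difference between them.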

56
What is Packet Capture?
  • Real-time collection of data as it travels over
    the network. Works by putting the network interface
    into promiscuous mode, in which it examines all
    packets that arrive, even those not addressed to
    it. A normal Ethernet interface ignores
    packets not addressed to it.
  • See what client and server are actually
    saying to each other. Can analyse the type
    of traffic on the network.
  • The tools are called packet sniffers, packet analysers,
    protocol analysers or network monitors.
  • Do not capture packet without permission!
  • Do not invade the privacy of others. Permission
    should be obtained before capturing packets on
    the network.

57
tcpdump
  • Be careful not to invade privacy of others. Do
    not capture packet without permission!
  • Filters can be used to select addresses,
    protocols, port numbers, ...
  • Show all network traffic to and from 192.168.0.1
  • tcpdump host 192.168.0.1
  • Show packets to 192.168.0.1
  • tcpdump dst 192.168.0.1
  • Show packets to port 68 on 192.168.0.1
  • tcpdump dst 192.168.0.1 and port 68
  • Capture traffic to or from 172.19.64.0/18
  • tcpdump net 172.19.64.0/18
  • Can specify network as source or destination
  • tcpdump src net 205.153.60/24
  • tcpdump dst net 172.19.64/18

58
tcpdump - filter
  • Can specify protocol
  • tcpdump ip
  • tcpdump tcp
  • tcpdump ip proto ospf
  • This will catch DNS name lookups
  • tcpdump udp port 53
  • This will not work as you might expect
  • tcpdump host ictlab and udp or arp
  • Instead, group with parentheses and quote the
    expression
  • tcpdump "host ictlab and (udp or arp)"
  • To see more ways of filtering, look at the
    manual: man tcpdump

59
Ethereal
  • Ethereal can read data captured by tcpdump
  • Ethereal can capture data itself
  • Like tcpdump, various types of filters can be
    used with Ethereal.
  • Can expand any protocol. View details of
    protocols at different layers: data frames, IP
    packets, TCP/UDP segments, application protocols.
  • Can view the contents of a TCP stream, in ASCII or in
    hexadecimal.
  • Can check whether a communications stream is encrypted
    or not.
  • Be careful not to invade privacy of others. Do
    not capture packet without permission.

60
Port Monitoring - switched network
  • Don't do port monitoring without permission!
  • Port monitoring, or port mirroring, selects
    network traffic for analysis.
  • To capture traffic sent by hosts connected to a
    hub, just attach a protocol analyzer (or a
    sniffer) to this hub.
  • On a switch, after the host MAC address is
    learned, unicast traffic to that host is only
    forwarded to the required port, and therefore is
    not seen by the sniffer.
  • How do you use Ethereal or tcpdump to monitor
    traffic between a number of hosts?
  • Solution: some switches support port monitoring,
    where a switch port can monitor the traffic of
    other ports.
  • The port monitoring function copies unicast
    packets to the required destination port (monitor
    port).
  • However, not every switch supports the port
    monitoring function.

61
Port Monitoring - switched network
  • Don't do port monitoring without permission!
  • Source Port: a port that is monitored.
  • Destination Port (or Monitor Port): a port that
    is monitoring source ports, usually where a
    network analyzer is connected.
  • Port Monitoring can be local or remote
  • Local port monitoring: the monitored ports and
    destination port are on the same switch.
  • Remote port monitoring: some source ports are not
    located on the same switch as the destination
    port.
  • Port Monitoring can be port-based or VLAN-based
  • Port-based monitoring specifies one or several
    source ports on the switch and one destination
    port.
  • VLAN-based monitoring: on a given switch, monitor
    all the ports belonging to a particular VLAN.

62
Port Scanning
  • Do not port scan machines without permission!
    Port scanning can be interpreted as a cracking
    attempt.
  • Port scanning: the techniques used to determine
    which ports of a host are listening for
    connections. Port scanning software sends out a
    request to connect to the target computer on each
    port sequentially and records which ports
    responded or seem open.
  • Port scanning tools such as Network Mapper (nmap)
    can check what network services a computer is
    offering. A cracked computer may be hiding some
    services with trojaned utilities.
  • Network security applications can alert
    administrators if they detect connection requests
    across a broad range of ports from a single host.
  • To avoid being detected, an intruder may:
  • limit the ports to a smaller target set rather
    than blanket scanning all 65536 ports
  • scan the ports over a much longer period of time.
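An added example, not from the slides, of the alerting logic described above: a source that reaches many distinct ports on one destination within a time window is reported. The log lines and their format are constructed; the window length is the knob that decides whether a scan spread over a long period is still caught, so it should be set generously.

```python
# Added example (not from the slides): flag a source host that reaches many
# distinct ports on one destination inside a time window. Log lines are
# constructed in a simple firewall-style format.
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: "<timestamp> <src> -> <dst>:<port>"
SAMPLE_LOG = """\
2024-01-05T10:00:01 10.0.0.7 -> 10.0.0.20:22
2024-01-05T10:00:01 10.0.0.7 -> 10.0.0.20:23
2024-01-05T10:00:02 10.0.0.7 -> 10.0.0.20:25
2024-01-05T10:00:02 10.0.0.7 -> 10.0.0.20:80
2024-01-05T10:00:03 10.0.0.7 -> 10.0.0.20:110
2024-01-05T10:00:03 10.0.0.7 -> 10.0.0.20:143
2024-01-05T10:00:09 10.0.0.9 -> 10.0.0.20:80
2024-01-05T10:00:10 10.0.0.9 -> 10.0.0.20:80
2024-01-05T10:00:12 10.0.0.9 -> 10.0.0.20:443
"""

def parse(log):
    """Yield (timestamp, src, dst_host, dst_port) for each log line."""
    for line in log.splitlines():
        ts, src, _, dst = line.split()
        host, port = dst.rsplit(":", 1)
        yield datetime.fromisoformat(ts), src, host, int(port)

def scan_alerts(log, threshold=5, window_s=60):
    """Return {src: most distinct ports seen} for sources that touched at
    least `threshold` distinct ports on one destination within `window_s`
    seconds. A short window misses a scan that is spread out over time."""
    per_pair = defaultdict(list)                      # (src, dst) -> [(ts, port)]
    for ts, src, dst, port in sorted(parse(log)):
        per_pair[(src, dst)].append((ts, port))
    alerts = {}
    for (src, dst), events in per_pair.items():
        start = 0
        for end in range(len(events)):                # sliding window over events
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= threshold:
                alerts[src] = max(len(ports), alerts.get(src, 0))
    return alerts
```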