Network Design

1
Network Design

• In networking, scalability is the capability to
  grow and adapt without major redesign or
  reinstallation.
• Good design is the key to a network's capability
  to scale . To be scalable, a network design
  should follow a hierarchical model.
• Hierarchical design model simplifies network
  design in a similar way the OSI 7-layer protocol
  model simplifies the communications between
  computers.
• A hierarchical network design model breaks the
  complex problem of network design into smaller,
  more manageable problems.

2
Hierarchical Model/Structure
Regional site C
R
Regional site B
Regional site D
Public Networks
R
R
Core Layer
Regional site A
R
Campus Backbone
Distribution Layer
R
R
Building Backbone
Access Layer
R
R
R
R
Local site
Remote sites
3
Layers in Hierarchical Structure

• A hierarchical model/structure may include the
  following layers
• Core layer that provides optimal transport
  between regional sites or at the network
  backbone. 
• Distribution layer that provides policy-based
  connectivity
• Access layer that provides workgroup and user
  access to the network resources
• Layered models are useful because they facilitate
  modularity. Since devices at each layer have
  similar and well-defined functions,
  administrators can easily add, replace/remove
  individual device.

4
Advantages of Hierarchical Model

• Design implementation
• As each layer is assigned clear and specific
  functions, it is easier to choose the right
  systems and features for that layer.
  Implementation of each layer and the overall
  network is more simple.
• Each layer addresses a different set of problems
  so that the hardware and software can be
  optimized for specific roles. Devices in the
  same layer can be configured in a consistent way.
  
• Modularity in network design help replicating
  design elements.
• Predictability the behaviour of a network is
  more predictable, capacity planning for growth is
  easier. Modelling of network performance is made
  easier.

5
Advantages of Hierarchical Model

• Scalability
• Functionality is localized and potential problems
  can be recognized more easily, hence, network can
  grow much larger without sacrificing control or
  manageability
• Changes can be more easily implemented. Costs
  and complexity of upgrade are limited within a
  subset of the overall network. In large but flat
  network architecture, changes can affect many
  parts of the network.
• Ease of troubleshooting
• It is easier to isolate problems in a network as
  the functions of the individual layers are well
  defined.
• Easier to identify failure points in a network by
  structuring the network into small,
  easy-to-understand elements.

6
Traffic Flow in Hierarchical Model

• A hierarchical model for network design is good
  for controlling data traffic patterns. With
  routers suitably placed in the network,
  unnecessary traffic will not flow from one layer
  to the other layer.
• Together with a suitable placement of servers,
  traffic flow can be effectively controlled.

• For example, when clients in site Z access their
  local server, the traffic will not go up to the
  regional router. Only when clients in site Z
  access servers in other sites will the traffic go
  up to the regional router and then down to the
  required site.

7
Placement of servers

• Placement of servers affect the traffic flow,
  hence, the usage of link bandwidth.
• Some servers (like email servers) are frequency
  accessed by all clients in the network, while
  some servers (like file servers) only serve
  specific client groups. The former is referred
  as enterprise server and the latter as workgroup
  server.
• To avoid necessary traffic flow across layers and
  sites, wasting network bandwidth
• enterprise servers are better placed at a higher
  layer in the hierarchy
• workgroup servers should be placed in the access
  layer

8
Core Layer

• Typically, the Core layer provides connections
  between regional and main sites in a Wide Area
  Network (WAN).
• However, the core of a network does not have to
  exist in the WAN, a LAN backbone can also be part
  of the core layer. Gigabit Ethernet is a typical
  core layer technology.
• The Core layer provides optimized and reliable
  transport structure by forwarding traffic at very
  high speeds.
• Core layer routes/switches packets as fast as
  possible.
• Devices at the core layer should not be burdened
  with any processing that slow down the speed no
  access-list checking, no data encryption, no
  address translation (NAT) at the Core layer.

9
Features of routers at Core Layer

• Scalable routers at the Core layer routers
  should provide multiple modules for different
  media types (copper, fiber, etc.) Routers at the
  Distribution layer generally need fewer
  interfaces.
• Features (for reliability) of routers at the Core
  layer
• redundant symmetrical links
• redundant power supplies
• Although many packet processing functions are not
  preferred in the Core layer, the most powerful
  routers should be used in the Core layer to
  provide high speed and reliable transport of data
  between regional sites.
• Routers at the Distribution layer usually has
  lower switching speed than routers at the Core
  layer because they should handle less traffic.

10
Core Layer - Load Balancing

• To add bandwidth, either increase the bandwidth
  of existing link, or put additional links. The
  latter require routers to provide load balancing
  function. Load balancing/sharing can be
  Per-Destination (Fast Switching) or Per-Packet (
  Process Switching).
• Per-destination load balancing
• given two paths to the same network, all packets
  for one destination IP address will travel over
  the first path, all packets for a second
  destination will travel over the second path, and
  so on.
• when router switches first packet to a particular
  destination, a routing table lookup is performed.
  The route and data-link information is stored in
  the fast switching cache. Subsequent packets to
  the same destination are immediately switched out
  the same interface without performing another
  routing table lookup.

11
Core Layer - Load Balancing

• Per-packet load balancing means that the router
  sends one packet for a destination over the first
  path, the second packet for the same destination
  over the second path, and so on.
• Per-destination Vs Per-Packet load balancing
• Per-packet load balancing may distribute traffic
  more evenly
• Per-destination (Fast switching) provides a lower
  switching time and processor utilization.
• Per-destination load balancing can preserve
  packet order. Per-packet load balancing
  guarantees equal load across all links. However,
  there is potential that the packets may arrive
  out of order at the destination because
  differential delay may exist within the network.

12
Core layer Redundant Links

• At the core layer, redundant links are needed to
  provide fault tolerance so that network can
  withstand individual link failure. Together
  with load balancing of routers, link bandwidth is
  increased. Response times is lowered,
  application availability is improved.
• Multiple routers can be used to terminate dual
  links so that there is not a single-point-of-failu
  re.
• Main disadvantage of duplicating WAN links to
  each site is cost. In larges network, especially
  those using star topology, many links are
  required. A lower cost alternative is using a
  partial/semi-meshed or ring topology.

Star topology with redundant links
partial-mesh topology
13
Core layer dedicated link dial-up link

• A reliable backbone may consists of dual,
  dedicated links. Traffic load can be shared
  between the two links.
• Another model is one dedicated link and one
  dial-up (switched) link.
• Under normal operational conditions, the dial-up
  link is not operational until the dedicated link
  fails.
• The dial-up link can also be setup when the
  dedicated link has reach a limit of traffic load
  (say 90)

14
Distribution Layer

• The distribution layer provides policy-based
  connectivity. Packet manipulation and handling
  occurs in this layer. A policy is an approach in
  handling certain kinds of traffic. Policies can
  be used to secure networks and to preserve
  resources by preventing unnecessary traffic.
• The distribution layer is located between the
  access and core layer. This layer provide
  boundary definition using access lists/filters to
  limit what gets into the core. Traffic filters
  based on area or service type are used to provide
  policy-based access control. Access
  lists/filters can be used to permit or deny
  traffic from particular networks/nodes or
  particular protocols and applications. Access
  filters can be applied on incoming or outgoing
  ports.
• If a network has two or more routing protocols,
  such as RIP and OSPF, route redistribution is
  done at the distribution layer.

15
Access Layer

• This layer provides access to services and data
  servers and workstations are attached to this
  layer. Quick access to local services workgroup
  servers and printers are placed in access layer.
• Using VLANs, users can be grouped according to
  their logical function.
• Access routers generally offer fewer physical
  interfaces than distribution and core routers.
  Access routers generally connect to access
  switches for user access to the network.
• Provide connectivity remote users access through
  WAN services such as ISDN or Frame Relay local
  users access through Ethernet.
• The access layer performs network entry security
  control.
• Routers at the access layer permit/deny users
• Authenticating users prevent unauthorized users
  from accessing network

16
Three-layer, Two-layer, One-layer

• A three-layer model can meet the needs of many
  enterprise networks.
• But not all organizations require a three-layer
  structure. In many cases, one-layer and
  two-layer design are suitable.
• The way the layers are implemented depends on the
  needs of the network being designed.
• However, a hierarchical structure should be
  planned or maintained to allow for future
  expansion. A two-layer structure may expand into
  three-layer.

17
Campus Networks broadcast issue

• Campus networks usually covers a building or
  several buildings in close proximity to each
  other.
• Two major problems with traditional networks are
  availability and performance. These two problems
  are both impacted by the amount of bandwidth
  available. Broadcast type traffic can consume a
  lot of bandwidth and therefore affect the network
  performance.
• Two methods can address the broadcast issue for
  large switched LANs
• Use routers to create many subnets and limit
  broadcasts within individual subnets. This may
  create traffic bottleneck at the routers.
• Another method is to implement virtual LANs
  (VLANs) in the switched network. VLAN provides
  various advantages of better bandwidth
  utilization, better security and administration
  (adding/moving computers in VLANs).

18
Network Traffic Pattern

• The 80/20 rule states that 80 percent of the
  traffic on a given network segment is local. No
  more than 20 percent of the network traffic move
  across the backbone of the network.
• In today's networks, traffic patterns are moving
  toward the 20/80 model. In the 20/80 model, only
  20 percent of traffic remains local to the
  workgroup LAN, and 80 percent of the traffic
  leaves the local network. Contributing factors
  of this shift in traffic patterns include
• The Internet
• Server Farms
• As majority of traffic leave the local network
  segment, congestion (traffic bottleneck) may
  occurs at routers at the distribution layer.

19
LAN Switching and The Hierarchical Model
Switch Block 1
Switch Block 2
switch
switch

• Access Layer provides access-layer aggregation
  and L3/L4 services
• Distribution Layer provides policy-based
  connectivity
• Core Layer provides optimal connectivity between
  distribution blocks

Access Layer
Distribution Layer
Core Block
Core Layer
20
Network Building Blocks

• Network building blocks may include the
  following
• Switch block
• Core block
• Server block
• WAN block
• Mainframe block
• Internet connectivity
• Switch block provides switch and router
  functionality
• Switch block provides Access Layer and
  Distribution Layer functions.

21
Switch Block

• Access Layer
• Switches in the wiring closets connect users to
  the network.
• Access layer devices have redundant connections
  to the distribution layer device to provide fault
  tolerance.
• Spanning-Tree Protocol (STP) is required in the
  access layer switches
• Distribution Layer
• Switches/routers provide broadcast control,
  security and connectivity for each switch block.
• The distribution layer device provides switching
  and routing services.
• A distribution layer device can be a switch plus
  an external router.
• A distribution layer device can also be a
  multilayer switch

22
Core Block
Switch Block
Switch Block
Switch Block
Switch Block
Collapsed Core
Dual Core
23
Core Block

• A core is required when there are two or more
  switch blocks.
• The core block is responsible for transferring
  traffic between switch blocks at high speed.
  Traffic between switch blocks, server blocks, the
  Internet, and the wide-area network must pass
  through the core.
• Core block must be able to pass traffic as
  quickly as possible
• One or more switches can make up a core. To
  provide redundancy, at least two devices shall
  be present in the core.
• With a Collapsed Core, distribution and core
  layer functions are performed in the same device.
  There is not a separated core block. The DL
  device of one switch block is connected to the DL
  device of another switch block directly, without
  a separate core layer device in between.
• With a Dual Core, each switch block is
  redundantly linked to both core switches,
  providing two equal path links and twice the
  bandwidth.

24
Scalable Network Key Characteristics

• Reliable and available - A reliable network
  should be dependable and available.
• Responsive - A responsive network should provide
  Quality of Service (QoS) for various applications
  and protocols.
• Efficient - Large internetworks must optimize the
  use of resources, especially bandwidth. Reducing
  the amount of overhead traffic results in an
  increase in data throughput.
• Adaptable - An adaptable network is capable of
  accommodating disparate protocols, applications,
  and hardware technologies.
• Accessible but secure - An accessible network
  allows different types of connections while
  securing network integrity.

25
Reliable and Available Network

• In a highly reliable and available network, fault
  tolerance and redundancy make outages and
  failures invisible to the end user. Devices and
  telecommunication links can be very expensive,
  however, the cost of a core router/link goes
  down, can be much higher.
• Reliability can be expressed as Mean Time Between
  Failure (MTBF).
• Availability can be expressed as an percentage of
  time when service is available, eg. service is
  available 99.9 during a day.
• Reliable system may have high availability. High
  availability systems could be built with less
  reliable components if good fault-tolerant
  mechanism is used.
• Core routers maintain reliability and
  availability. The following features can enhance
  reliability and availability scalable routing
  protocols, alternative paths, load balancing and
  dial backup.

26
Reliable Available Network

• Scalable routing protocols routers in the core
  of a network should converge rapidly and maintain
  reachability to all networks and subnetworks.
  Simple distance vector routing protocols, such as
  RIP, take too long to update and adapt to
  topology changes.
• Alternate Paths redundant links maximize
  network reliability and availability, but they
  are expensive to deploy.
• Load Balancing redundant links do not
  necessarily remain idle until a link fails.
  Routers can distribute the traffic load across
  multiple links to the same destination.
• Dial Backup A redundant link could be too
  expensive. A backup link can be configured over
  a dialup technology, such as ISDN.

27
Responsive Network

• End users notice network responsiveness as they
  use the network, users expect network resources
  to respond quickly.
• Traffic Prioritization enables policy-based
  routing and ensures that packets carrying
  mission-critical data take precedence over less
  important traffic.
• To improve responsiveness in a congested network,
  routers may be configured to prioritize certain
  kinds of traffic based on protocol information,
  such as TCP port numbers.
• If the router schedules packets for transmission
  on a first-come, first-served basis
  (First-In-First-Out FIFO queuing), users could
  experience an unacceptable lack of
  responsiveness. User sending delay-sensitive
  voice traffic may be forced to wait too long.
  Delay problem is even more serious in slow WAN
  links.

28
Responsive Network Traffic Prioritization
Queuing

• Routers may be configured to reorder packets so
  that mission-critical and delay sensitive traffic
  is processed first. Higher priority packets are
  sent first even if other low priority packets
  arrive ahead of them.
• Priority Queuing
• assign different priority (high, medium, normal,
  low), according to various criteria, to different
  protocols
• for those traffic classified as low priority,
  they might not get serviced in a timely manner,
  or at all.
• Custom Queuing
• reserves bandwidth for a specific protocol,
  ensures a minimum amount of bandwidth be provided
  to the protocol.
• configuration may include specify max number of
  packets in each custom queue specify amount of
  data to be forwarded from each queue during its
  turn in the cycle.

29
Efficient Network

• An efficient network should not waste bandwidth,
  especially over costly WAN links. To be
  efficient, routers should prevent unnecessary
  traffic from traversing the WAN and minimize the
  size and frequency of routing updates.
• Techniques that optimize a WAN connection
• Access lists filtering/stopping unwanted
  traffic
• Snapshot routing
• Dial-on-Demand Routing
• Compression over WANs
• Incremental updates routing protocols such as
  OSPF send routing updates that contain
  information only about routes that have changed.

30
Efficient Network - DDR

• With Dial-on-demand routing (DDR), low-volume,
  periodic network connections can be made over the
  switched network (such as ISDN, PSTN) in a cost
  effective way.
• A router activates the DDR feature when it
  receives an IP packet destined for a location on
  the other side of the dial-up line.
• The router dials the destination phone number and
  establishes the connection. When the transmission
  is complete, the line is automatically
  disconnected.
• The main difference between dial backup and DDR
  is the reason for placing the call. With DDR,
  traffic to the called destination activates the
  link. With dial backup, the link can be
  activated as a result of a primary line failure
  or the utilization of the primary link has
  reached a predefined level.

31
Efficient Network - Snapshot routing

• Distance vector routing protocols typically
  update neighbor routers with their complete
  routing table periodically even there is no
  change in the network topology. Regular update
  would cause a dial-up link to re-establish just
  to maintain the routing tables. It is possible
  to adjust the timers, but snapshot routing is a
  better solution.
• With snapshot routing, routers exchange their
  route tables during an initial connection. Then,
  waits until the next active period on the line
  before again exchanging routing information.
• The router takes a snapshot of the routing table,
  which it uses while the dialup link is down.
  When the link is re-established, the router again
  updates its neighbors.

32
Making a network adaptable

• An adaptable network will handle the addition and
  coexistence of multiple routed and routing
  protocols.
• Adaptable protocols are needed to support routing
  information for different routed protocols.
• Adaptable protocols and routers also supports
  route redistribution, which allows routing
  information to be shared among two or more
  different routing protocols. For example, RIP
  routes could be redistributed, or injected, into
  an OSPF area.

33
Accessible and secure

• Accessible networks let users connect over a
  variety of technologies.
• Users may be connected through wired or wireless
  LAN.
• Remote users/sites may have access to several
  types of WAN services.
• Circuit-switched networks that use dialup lines
• Dedicated networks that use leased lines
• Packet-switched networks
• VPN over the Internet
• The easier it is for legitimate users to access
  the network, the easier it is for unauthorized
  users to break in. Network administrator must
  secure the access.
• Access lists can be used to provide security.
• Authentication and encryption should be used

34
Accessible and secure

• A RADIUS client, also referred as Network Access
  Server (NAS), provides the remote connections for
  users. RADIUS client is typically a router, a
  VPN server/router or a wireless access point. A
  RADIUS servers perform authentication,
  authorization and accounting functions.
• VPN is the extension of a private network that
  uses links across the Internet. With VPN, data
  sent between two computers across the public
  Internet are encrypted for confidentiality.
  Hence, it is just like sending data over a
  point-to-point private link.
• IPSec is a set of protocols for creating and
  maintaining secure communications over IP
  networks. Many VPNs are based on IPSec.
• SSL can be used to implement VPN. SSL based VPNs
  typically only require standard web browsers.

35
Accessible and Secure - WLAN

• Security problems with early WLAN systems (WEP
  based IEEE802.11)
• Open system authentication SSID is sent in clear
  text
• Wired Equivalent Privacy (WEP)
• Wi-Fi Protected Access (WPA) addresses the
  problems in WEP
• WPA uses the Temporal Key Integrity Protocol
  (TKIP) for encryption and IEEE802.1X/EAP for
  authentication. WPA2 uses the Advanced
  Encryption Standard (AES).
• IEEE 802.1X is based on the use of authentication
  server (e.g. RADIUS) for user management and the
  Extensible Authentication Protocol for secured
  communication.

36
Troubleshooting

• Troubleshooting begins by looking at a
  methodology that breaks down the process of
  troubleshooting into manageable pieces. This
  permits a systematic approach, minimizes
  confusion, and cuts down on time otherwise wasted
  with trial and error troubleshooting.
• The stages of general troubleshooting process
  are
• Step 1 gather symptoms
• Step 2 isolate the problem
• Step 3 correct the problem
• The stages are not mutually exclusive. At any
  point in the process, it may be necessary to
  retrace to previous steps. For example, it may
  be required to gather more symptoms while
  isolating a problem. Often, when attempting to
  correct a problem, another unidentified problem
  could be created.

37
Gather Symptoms

• Troubleshooter gathers and documents symptoms
  from the network, end systems, or users.
• Troubleshooter determines what network components
  have been affected and how the functionality of
  the network has changed compared to baseline.
• Symptoms may appear in many different forms
  alerts from network management system, console
  messages, and user complaints.

38
Gathering Symptoms

• Problem is reported by a person or by software
• Often involves communicating with others
• It is like gathering requirements in software
  design
• It is an iterative process
• Possible questions to ask
• What does not work? What does work?
• Are the things related?
• When the problem was first noticed?
• What has changed since the last time it did work?
• Did any unusual thing happen?
• When exactly does the problem occur?

39
Isolation Correcting Problems

• Isolation of problem
• Identify the characteristics of problems at the
  logical layers of the network so that the most
  likely cause can be selected.
• At this stage, may need to gather and document
  more symptoms depending on the problem
  characteristics that are identified.
• Correct the problem
• Correct an identified problem by implementing,
  testing, and documenting a solution.
• Make change to only one thing at a time. Gather
  results as you change each variable
• Perform each step carefully and test to see if
  symptoms go away
• If the corrective action has created another
  problem, the attempted solution is documented,
  the changes are removed. Then returns to
  gathering symptoms and isolating the problem.

40
Layered Approach

• OSI model is useful in troubleshooting networks.
  The model allows troubleshooting to be described
  in a structured way.
• The ability to identify which layers pertain to a
  networking device gives a troubleshooter the
  ability to minimize the complexity of a problem
  by dividing the problem into manageable parts.
• For example, knowing that Layer 3 issues are of
  no importance to a switch, defines the boundaries
  of a task to layer 1 and layer 2. This simple
  knowledge can prevent the wasting of time
  troubleshooting irrelevant possibilities and will
  reduce the amount of time spent attempting to
  correct a problem.

41
Bottom-up

• When applying a bottom-up approach towards
  troubleshooting a networking problem, the
  examination starts with the physical components
  of the network and then is worked up through the
  layers of the OSI model until the cause of the
  problem is identified.
• Advantages most networking problems reside at
  the lower levels, so, this approach will often
  result in effective results.
• Disadvantages requires checking of every device
  and interface on the network until the possible
  cause of the problem is found. The challenge is
  to determine which devices to start with.

42
Top-down

• When applying a top-down approach towards
  troubleshooting a networking problem, the end
  user application is examined first. Then work
  down from the upper-layers of the OSI model until
  the cause of the problem has been identified.
• This approach requires checking of every network
  application until the possible cause of the
  problem is found. The challenge is to determine
  which application to start with.

43
Divide and conquer

• When the divide and conquer approach is applied
  towards troubleshooting a networking problem, a
  layer is selected and tested in both directions
  from the starting layer.
• This approach is initiated at a particular layer.
  The layer is based on troubleshooter experience
  level and the symptoms gathered about the problem
• Once the direction of the problem is identified,
  troubleshooting follows that direction until the
  cause of the problem is identified.
• If it can be verified that a layer is
  functioning, it is quite safe to assume that the
  layers below it are functioning as well. If a
  layer is not functioning properly, gather
  symptoms of the problem at that layer and work
  downward to lower layers.

44
Selecting an approach

• A troubleshooting approach is often selected
  based on its complexity.
• A bottom-up approach typical works better for
  complex problems.
• If symptoms come from users complaining about
  specific network application(s), a top-down
  approach may be preferred.
• If symptoms come from the network (e.g. network
  monitor display, alarm/warning message from
  devices), a bottom-up approach will likely be
  more effective.
• If a particular problem has been experienced
  previously, then the troubleshooter may know of a
  way to shorten the troubleshooting process.

45
Documentation

• An inventory of equipment and software, such as a
  list of MAC addresses and IP addresses.
• Keep record of changes (a change log file),
  recording
• Each significant change
• Each problem identified
• Each entry dated, with name of person who made
  the entry
• Types of documentation
• Configuration information that describes the
  system, for example, sysreport used in Linux.
• Procedural information that describes how to do
  things. Best, use tools (such as script) that
  automatically document what you have done.

46
Monitoring and Logging

• Event logs are useful for troubleshooting and
  monitoring performance.
• An event (an entry in the log file) may include
  details of date and time when it occurred, event
  ID, event category, etc.
• In Windows systems, event category includes
  application, security, system, etc.
• Performance monitor keeps track of various
  processes. It help identify bottlenecks. It
  help the planning of upgrades, tracking of
  processes, monitoring results of
  tuning/configuration, etc.
• Bottlenecks could be due to the system not having
  enough resources, or due to a malfunctioning
  program, or a program that dominates resource.
• Performance monitoring can be done locally or
  remotely.
• When the value of a monitored object exceed the
  limit, an action is required record the event in
  a log file, send a message, execute a script, etc.

47
Logging

• The syslog.conf file specifies rules for logging
  of system messages on Linux/Unix systems.
• Each rule consists of two fields a selector and
  an action.
• The selector field consists of two parts, a
  facility and a priority.
• The facility specifies the subsystem that
  produced the message.
• Examples of facility auth, authpriv, cron,
  daemon, kern, lpr, mail, news, syslog, user, uucp
  and local0 through local7
• The priority defines the severity of the message.
  
• Examples of priority in ascending order debug,
  info, notice, warning, err, crit, alert, emerg
• Examples of action write the message to a file
  on the localhost, or forward the message to
  another host, or write the message to users'
  screens if they are logged on

48
Logging Policies

• Data logged should be kept for a period rather
  than deleted immediately
• Log files could be reset at periodic intervals.
  Data logged can be kept for a period by
  "rotating" log files.
• For examples, logfiles are kept for a week.
  Backup files are named as logfile.1, logfile.2,
  logfile.6. Every day, the data in logfile.7 is
  lost as logfile.6 overwrites it.
• To store logged data for a longer period,
  compress and archive the logs to tape or other
  permanent media

49
Troubleshooting TCP/IP network

• Step 1. Check whether the local host is properly
  configured, is subnet mask, default gateway
  correct? Use the TCP/IP utilities such as
  ipconfig, netstat, route print, arp, etc.
• Step 2. Use the ping or traceroute commands to
  check whether the default gateway (router) can
  respond. Then, ping outwards i.e. ping hosts
  farther away.
• Step 3. If not able to get through a particular
  node (router), check the configuration (show
  running-config) and use various show commands to
  determine the state (e.g. show ip route, show
  interface)
• Step 4. If all the routers in the path are
  working, check the host configuration at the
  remote host.

50
Useful tools

• netstat shows connections, services, routing
• ifconfig shows network interfaces (for Windows,
  use ipconfig)
• ping - tests connectivity
• traceroute shows route/path information
• route shows, changes routing table
• ip shows, changes, set network configuration
• arp shows MAC addresses
• ps information about processes
• is the web server running ps aux grep httpd
• top shows processes that use the most resources
  (CPU time)
• for Windows, use the task manager

51
netstat

• netstat can show statistics about network
  interfaces, including number of packet/bytes
  sent/received, etc. These values are cumulative
  (since interface was up)
• netstat tua shows all network connections,
  including those listening
• netstat tu shows only connections that are
  established
• netstat i is like ifconfig, shows info and stats
  about each interface
• netstat nr shows the routing table, like route
  n
• Linux and Windows provide netstat

52
ipconfig/ifconfig and route

• ipconfig (Windows), ifconfig (Linux)
• Check interface status connected or disconnected
• Check IP and subnet mask
• Check default gateway, DNS settings
• Route
• Check route table in the computer route print
• Check route table in the router show ip route.
  Help checking routing protocols.
• Can modify route table by adding static routes
  and default route.

53
Ping

• A useful tool for checking connectivity. Sends
  an ICMP echo_request message and waits for an
  ICMP echo_reply message. Shows round trip time.
  Can be used to make a rough measurement of
  throughput.
• If a ping is not successful, the following error
  messages may help understand what is wrong.
• Destination Network Unreachable there is not a
  route to the destination in the route table of
  the local host or the router. This may happen if
  default gateway is not properly assigned to
  computer. For routers, this may be due to
  problems related to routing protocols or
  static/default routes.
• Request Timeout the echo_request message has
  been sent out by the local host, but there is no
  reply possibly due to connectivity problem or the
  remote host is not available.

54
Path Discovery traceroute

• As the name suggest, traceroute (in Windows,
  tracert) provides the information about the route
  from the source to the destination.
• Ping can test connectivity between two points,
  but it does not tell which path is taken by the
  ICMP packets.
• Why bother to know which path is taken? For
  example, verify that a BGP router is sending
  traffic with the preferred route.

55
Rough measurement with ping

• Transmission delay time to put signal onto the
  media.
• Propagation delay time for signal to travel
  across the media.
• Queuing delay time spent waiting for
  transmission in a router/switch.
• Rough measurement with ping
• Ping with packet size 100 bytes, round-trip
  time 2Y sec
• Ping with packet size 1100 bytes, round-trip
  time 2X sec
• A rough estimation of data throughput is
  8000/(X-Y) bps
• Measurement with ping is simple, BUT it may not
  be accurate for example, routers may give lower
  priority to answering pings

56
What is Packet Capture?

• Real time collection of data as it travels over
  networks. Works by putting network interface
  into promiscuous mode which will examine all
  packets that arrive, even those not addressed to
  it. A normal Ethernet interface will ignore
  packets not addressed to it.
• See what client and server are actually
  communicating with each other. Can analyze type
  of traffic on network.
• Tools called packet sniffers, packet analysers,
  protocol analysers, network monitors.
• Do not capture packet without permission!
• Do not invade the privacy of others. Permission
  should be obtained before capturing packets on
  the network.

57
tcpdump

• Be careful not to invade privacy of others. Do
  not capture packet without permission!
• Filter can be used to select addresses,
  protocols, port numbers,...
• Show all network traffic to and from 192.168.0.1
  
• tcpdump host 192.168.0.1
• Show packets to 192.168.0.1
• tcpdump dst 192.168.0.1
• Show packets to port 68 on 192.168.0.1
• tcpdump dst 192.168.0.1 and port 68
• Capture traffic to or from 172.19.64.0/18
• tcpdump net 172.19.64.0/18
• Can specify network as source or destination
• tcpdump src net 205.153.60/24
• tcpdump dst net 172.19.64/18

58
tcpdump - filter

• Can specify protocol
• tcpdump ip
• tcpdump tcp
• tcpdump ip proto ospf
• This will catch DNS name lookups
• tcpdump udp port 53
• This will not work as you might expect
• tcpdump host ictlab and udp or arp
• Instead, need group with parentheses, and quote
• tcpdump "host ictlab and (udp or arp)"
• To see more ways of filtering, look at the
  manual man tcpdump

59
Ethereal

• Ethereal can read data captured by tcpdump
• Ethereal can capture data itself
• Like tcpdump, various types of filters can be
  used with Ethereal.
• Can expand any protocol. View details of
  protocols at different layers data frames, IP
  packets, TCP/UDP segments, application protocols.
  
• Can view the contents of TCP, in ASCII or in
  hexadecimal.
• Can check if a communications stream is encrypted
  or not
• Be careful not to invade privacy of others. Do
  not capture packet without permission.

60
Port Monitoring switched network

• Don't do port monitoring without permission!
• Port monitoring or port mirroring, selects
  network traffic for analysis.
• To capture traffic sent by hosts connected to a
  hub, just attach a protocol analyzer (or a
  sniffer) to this hub.
• On a switch, after the host MAC address is
  learned, unicast traffic to that host is only
  forwarded to the required port, and therefore, is
  not seen by the sniffer.
• How do you use Ethereal or tcpdump to monitor
  traffic between a number of hosts?
• Solution some switches support port monitoring,
  where a switch port can monitor the traffic of
  other ports
• The port monitoring function copies unicast
  packets to the required destination port (monitor
  port).
• However, not every switch supports port
  monitoring function.

61
Port Monitoring switched network

• Don't do port monitoring without permission!
• Source Port a port that is monitored.
• Destination Port (or Monitor Port) a port that
  is monitoring source ports, usually where a
  network analyzer is connected.
• Port Monitoring can be local or remote
• Local port monitoring the monitored ports and
  destination port are on the same switch.
• Remote port monitoring some source ports are not
  located on the same switch as the destination
  port.
• Port Monitoring can be port-based or VLAN-based
• Port-based monitoring specifies one or several
  source ports on the switch and one destination
  port.
• VLAN-Based monitoring on a given switch, monitor
  all the ports belonging to a particular VLAN

62
Port Scanning

• Do not port scan machines without permission!
  Port scanning can be interpreted as a cracking
  attempt
• Port scanning the techniques used to determine
  what ports of a host are listening for
  connections. Port scanning software sends out a
  request to connect to the target computer on each
  port sequentially and records which ports
  responded or seem open.
• Port scanning tools such as Network Mapper (nmap)
  can check what network services a computer is
  offering. A cracked computer may be hiding some
  services with trojaned utilities.
• Network security applications can alert
  administrators if they detect connection requests
  across a broad range of ports from a single host.
  
• To avoid being detected, intruder may
• limits the ports to a smaller target set rather
  than blanket scanning all 65536 ports
• scan the ports over a much longer period of time.