Title: Network Design
1. Network Design
- In networking, scalability is the capability to grow and adapt without major redesign or reinstallation.
- Good design is the key to a network's capability to scale. To be scalable, a network design should follow a hierarchical model.
- The hierarchical design model simplifies network design in a similar way that the OSI 7-layer protocol model simplifies communications between computers.
- A hierarchical network design model breaks the complex problem of network design into smaller, more manageable problems.
2. Hierarchical Model/Structure
[Figure: hierarchical structure with routers (R) at three layers. Labels: Core Layer (Regional sites A, B, C, D; Public Networks), Campus Backbone, Distribution Layer, Building Backbone, Access Layer (Local site, Remote sites).]
3. Layers in Hierarchical Structure
- A hierarchical model/structure may include the following layers:
  - Core layer, which provides optimal transport between regional sites or at the network backbone.
  - Distribution layer, which provides policy-based connectivity.
  - Access layer, which provides workgroup and user access to the network resources.
- Layered models are useful because they facilitate modularity. Since devices at each layer have similar and well-defined functions, administrators can easily add, replace or remove individual devices.
4. Advantages of Hierarchical Model
- Design implementation
  - As each layer is assigned clear and specific functions, it is easier to choose the right systems and features for that layer. Implementation of each layer and of the overall network is simpler.
  - Each layer addresses a different set of problems, so the hardware and software can be optimized for specific roles. Devices in the same layer can be configured in a consistent way.
- Modularity: modular network design helps replicate design elements.
- Predictability: the behaviour of a network is more predictable, capacity planning for growth is easier, and modelling of network performance is made easier.
5. Advantages of Hierarchical Model
- Scalability
  - Functionality is localized and potential problems can be recognized more easily; hence the network can grow much larger without sacrificing control or manageability.
  - Changes can be implemented more easily. The cost and complexity of an upgrade are limited to a subset of the overall network. In a large but flat network architecture, changes can affect many parts of the network.
- Ease of troubleshooting
  - It is easier to isolate problems in a network as the functions of the individual layers are well defined.
  - It is easier to identify failure points in a network by structuring the network into small, easy-to-understand elements.
6. Traffic Flow in Hierarchical Model
- A hierarchical model for network design is good for controlling data traffic patterns. With routers suitably placed in the network, unnecessary traffic will not flow from one layer to another.
- Together with a suitable placement of servers, traffic flow can be effectively controlled.
- For example, when clients in site Z access their local server, the traffic will not go up to the regional router. Only when clients in site Z access servers in other sites will the traffic go up to the regional router and then down to the required site.
7. Placement of Servers
- Placement of servers affects the traffic flow and hence the usage of link bandwidth.
- Some servers (like email servers) are frequently accessed by all clients in the network, while some servers (like file servers) only serve specific client groups. The former is referred to as an enterprise server and the latter as a workgroup server.
- To avoid unnecessary traffic flow across layers and sites, which wastes network bandwidth:
  - enterprise servers are better placed at a higher layer in the hierarchy;
  - workgroup servers should be placed in the access layer.
8. Core Layer
- Typically, the Core layer provides connections between regional and main sites in a Wide Area Network (WAN).
- However, the core of a network does not have to exist in the WAN; a LAN backbone can also be part of the core layer. Gigabit Ethernet is a typical core layer technology.
- The Core layer provides an optimized and reliable transport structure by forwarding traffic at very high speeds.
- The Core layer routes/switches packets as fast as possible.
- Devices at the core layer should not be burdened with any processing that slows down the speed: no access-list checking, no data encryption, no address translation (NAT) at the Core layer.
9. Features of Routers at Core Layer
- Scalable routers: routers at the Core layer should provide multiple modules for different media types (copper, fiber, etc.). Routers at the Distribution layer generally need fewer interfaces.
- Features (for reliability) of routers at the Core layer:
  - redundant symmetrical links
  - redundant power supplies
- Although many packet processing functions are not preferred in the Core layer, the most powerful routers should be used in the Core layer to provide high speed and reliable transport of data between regional sites.
- Routers at the Distribution layer usually have a lower switching speed than routers at the Core layer because they handle less traffic.
10. Core Layer - Load Balancing
- To add bandwidth, either increase the bandwidth of the existing link or add additional links. The latter requires routers to provide a load balancing function. Load balancing/sharing can be per-destination (fast switching) or per-packet (process switching).
- Per-destination load balancing
  - Given two paths to the same network, all packets for one destination IP address travel over the first path, all packets for a second destination travel over the second path, and so on.
  - When the router switches the first packet to a particular destination, a routing table lookup is performed. The route and data-link information is stored in the fast switching cache. Subsequent packets to the same destination are immediately switched out the same interface without performing another routing table lookup.
11. Core Layer - Load Balancing
- Per-packet load balancing means that the router sends one packet for a destination over the first path, the second packet for the same destination over the second path, and so on.
- Per-destination vs per-packet load balancing
  - Per-packet load balancing may distribute traffic more evenly.
  - Per-destination (fast switching) provides a lower switching time and processor utilization.
  - Per-destination load balancing can preserve packet order. Per-packet load balancing guarantees equal load across all links; however, there is potential that the packets may arrive out of order at the destination because differential delay may exist within the network.
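The two policies described on these two slides, simulated in Python. This is an added example, not from the slides: the one-way path delays, the 1 ms inter-packet spacing and the packet stream are constructed, and the simple "next unused path" cache assignment stands in for a real router's path selection.

```python
"""Per-destination vs per-packet load sharing over two equal-cost paths.

Added example, not from the slides.  Path delays, inter-packet spacing and
the packet stream are constructed to show the two behaviours the slides
describe: per-destination caches one path per destination and preserves
order; per-packet alternates paths, balances load exactly, but can reorder.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    dst: str   # destination IP address
    seq: int   # position in its flow's send order


@dataclass
class Router:
    path_delay_ms: tuple = (5.0, 9.0)   # constructed one-way delay of path 0 and path 1
    fast_cache: dict = field(default_factory=dict)  # dst -> cached path (fast switching)
    rr_next: int = 0                     # next path for per-packet round robin
    lookups: int = 0                     # routing table lookups performed

    def per_destination(self, pkt: Packet) -> int:
        # First packet to a destination: routing table lookup, result cached.
        # Later packets to the same destination hit the cache: no lookup.
        if pkt.dst not in self.fast_cache:
            self.lookups += 1
            self.fast_cache[pkt.dst] = len(self.fast_cache) % len(self.path_delay_ms)
        return self.fast_cache[pkt.dst]

    def per_packet(self, pkt: Packet) -> int:
        # Process switching: every packet is looked up and the paths alternate.
        self.lookups += 1
        path = self.rr_next
        self.rr_next = (path + 1) % len(self.path_delay_ms)
        return path


def deliver(router: Router, stream: list, policy: str):
    """Send the stream 1 ms apart; return per-destination arrival order and per-path load."""
    choose = router.per_destination if policy == "per-destination" else router.per_packet
    gap_ms = 1.0
    arrivals, load = [], [0] * len(router.path_delay_ms)
    for i, pkt in enumerate(stream):
        path = choose(pkt)
        load[path] += 1
        arrivals.append((i * gap_ms + router.path_delay_ms[path], i, pkt))
    order = {}
    for _, _, pkt in sorted(arrivals):          # ties broken by send index
        order.setdefault(pkt.dst, []).append(pkt.seq)
    return order, load


def in_order(seqs) -> bool:
    return all(a < b for a, b in zip(seqs, seqs[1:]))


def simulate():
    # Constructed stream: six packets to host A with two packets to host B in between.
    stream = [Packet("10.0.0.1", i) for i in range(6)]
    stream[2:2] = [Packet("10.0.0.2", 0), Packet("10.0.0.2", 1)]
    results = {}
    for policy in ("per-destination", "per-packet"):
        router = Router()
        order, load = deliver(router, stream, policy)
        results[policy] = {
            "order": order,
            "load": load,
            "lookups": router.lookups,
            "in_order": all(in_order(s) for s in order.values()),
        }
    return results


if __name__ == "__main__":
    for policy, result in simulate().items():
        print(policy, result)
```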
12. Core Layer - Redundant Links
- At the core layer, redundant links are needed to provide fault tolerance so that the network can withstand an individual link failure. Together with load balancing on the routers, link bandwidth is increased, response times are lowered and application availability is improved.
- Multiple routers can be used to terminate dual links so that there is not a single point of failure.
- The main disadvantage of duplicating WAN links to each site is cost. In large networks, especially those using a star topology, many links are required. A lower cost alternative is a partial/semi-meshed or ring topology.
[Figures: star topology with redundant links; partial-mesh topology]
13. Core Layer - Dedicated Link and Dial-up Link
- A reliable backbone may consist of dual, dedicated links. Traffic load can be shared between the two links.
- Another model is one dedicated link and one dial-up (switched) link.
- Under normal operating conditions, the dial-up link is not operational until the dedicated link fails.
- The dial-up link can also be set up when the dedicated link has reached a limit of traffic load (say 90%).
14. Distribution Layer
- The distribution layer provides policy-based connectivity. Packet manipulation and handling occur in this layer. A policy is an approach to handling certain kinds of traffic. Policies can be used to secure networks and to preserve resources by preventing unnecessary traffic.
- The distribution layer is located between the access and core layers. This layer provides boundary definition using access lists/filters to limit what gets into the core. Traffic filters based on area or service type are used to provide policy-based access control. Access lists/filters can be used to permit or deny traffic from particular networks/nodes or particular protocols and applications. Access filters can be applied on incoming or outgoing ports.
- If a network has two or more routing protocols, such as RIP and OSPF, route redistribution is done at the distribution layer.
15. Access Layer
- This layer provides access to services and data: servers and workstations are attached to this layer. For quick access to local services, workgroup servers and printers are placed in the access layer.
- Using VLANs, users can be grouped according to their logical function.
- Access routers generally offer fewer physical interfaces than distribution and core routers. Access routers generally connect to access switches for user access to the network.
- Provide connectivity: remote users access through WAN services such as ISDN or Frame Relay; local users access through Ethernet.
- The access layer performs network entry security control.
  - Routers at the access layer permit/deny users.
  - Authenticating users prevents unauthorized users from accessing the network.
16. Three-layer, Two-layer, One-layer
- A three-layer model can meet the needs of many enterprise networks.
- But not all organizations require a three-layer structure. In many cases, one-layer and two-layer designs are suitable.
- The way the layers are implemented depends on the needs of the network being designed.
- However, a hierarchical structure should be planned or maintained to allow for future expansion. A two-layer structure may expand into three layers.
17. Campus Networks - Broadcast Issue
- Campus networks usually cover a building or several buildings in close proximity to each other.
- Two major problems with traditional networks are availability and performance. These two problems are both impacted by the amount of bandwidth available. Broadcast-type traffic can consume a lot of bandwidth and therefore affect network performance.
- Two methods can address the broadcast issue for large switched LANs:
  - Use routers to create many subnets and limit broadcasts within individual subnets. This may create a traffic bottleneck at the routers.
  - Implement virtual LANs (VLANs) in the switched network. VLANs provide various advantages: better bandwidth utilization, better security and easier administration (adding/moving computers in VLANs).
18. Network Traffic Pattern
- The 80/20 rule states that 80 percent of the traffic on a given network segment is local. No more than 20 percent of the network traffic moves across the backbone of the network.
- In today's networks, traffic patterns are moving toward the 20/80 model. In the 20/80 model, only 20 percent of traffic remains local to the workgroup LAN, and 80 percent of the traffic leaves the local network. Contributing factors to this shift in traffic patterns include:
  - The Internet
  - Server farms
- As the majority of traffic leaves the local network segment, congestion (a traffic bottleneck) may occur at routers at the distribution layer.
19. LAN Switching and the Hierarchical Model
[Figure: two switch blocks (Switch Block 1, Switch Block 2) of switches connected to a Core Block, with rows labelled Access Layer, Distribution Layer and Core Layer]
- Access Layer provides access-layer aggregation and L3/L4 services.
- Distribution Layer provides policy-based connectivity.
- Core Layer provides optimal connectivity between distribution blocks.
20. Network Building Blocks
- Network building blocks may include the following:
  - Switch block
  - Core block
  - Server block
  - WAN block
  - Mainframe block
  - Internet connectivity
- A switch block provides switch and router functionality.
- A switch block provides Access Layer and Distribution Layer functions.
21. Switch Block
- Access Layer
  - Switches in the wiring closets connect users to the network.
  - Access layer devices have redundant connections to the distribution layer devices to provide fault tolerance.
  - Spanning-Tree Protocol (STP) is required in the access layer switches.
- Distribution Layer
  - Switches/routers provide broadcast control, security and connectivity for each switch block.
  - The distribution layer device provides switching and routing services.
  - A distribution layer device can be a switch plus an external router.
  - A distribution layer device can also be a multilayer switch.
22. Core Block
[Figure: four Switch Blocks connected in two arrangements, labelled Collapsed Core and Dual Core]
23. Core Block
- A core is required when there are two or more switch blocks.
- The core block is responsible for transferring traffic between switch blocks at high speed. Traffic between switch blocks, server blocks, the Internet, and the wide-area network must pass through the core.
- The core block must be able to pass traffic as quickly as possible.
- One or more switches can make up a core. To provide redundancy, at least two devices should be present in the core.
- With a Collapsed Core, distribution and core layer functions are performed in the same device. There is no separate core block. The distribution layer (DL) device of one switch block is connected directly to the DL device of another switch block, without a separate core layer device in between.
- With a Dual Core, each switch block is redundantly linked to both core switches, providing two equal-path links and twice the bandwidth.
24. Scalable Network - Key Characteristics
- Reliable and available: a reliable network should be dependable and available.
- Responsive: a responsive network should provide Quality of Service (QoS) for various applications and protocols.
- Efficient: large internetworks must optimize the use of resources, especially bandwidth. Reducing the amount of overhead traffic results in an increase in data throughput.
- Adaptable: an adaptable network is capable of accommodating disparate protocols, applications, and hardware technologies.
- Accessible but secure: an accessible network allows different types of connections while securing network integrity.
25. Reliable and Available Network
- In a highly reliable and available network, fault tolerance and redundancy make outages and failures invisible to the end user. Devices and telecommunication links can be very expensive; however, the cost incurred when a core router/link goes down can be much higher.
- Reliability can be expressed as Mean Time Between Failures (MTBF).
- Availability can be expressed as the percentage of time when service is available, e.g. service is available 99.9% of a day.
- A reliable system may have high availability. High availability systems could be built with less reliable components if a good fault-tolerant mechanism is used.
- Core routers maintain reliability and availability. The following features can enhance reliability and availability: scalable routing protocols, alternative paths, load balancing and dial backup.
26. Reliable and Available Network
- Scalable routing protocols: routers in the core of a network should converge rapidly and maintain reachability to all networks and subnetworks. Simple distance vector routing protocols, such as RIP, take too long to update and adapt to topology changes.
- Alternate paths: redundant links maximize network reliability and availability, but they are expensive to deploy.
- Load balancing: redundant links do not necessarily remain idle until a link fails. Routers can distribute the traffic load across multiple links to the same destination.
- Dial backup: a redundant link could be too expensive. A backup link can be configured over a dialup technology, such as ISDN.
27. Responsive Network
- End users notice network responsiveness as they use the network; users expect network resources to respond quickly.
- Traffic prioritization enables policy-based routing and ensures that packets carrying mission-critical data take precedence over less important traffic.
- To improve responsiveness in a congested network, routers may be configured to prioritize certain kinds of traffic based on protocol information, such as TCP port numbers.
- If the router schedules packets for transmission on a first-come, first-served basis (First-In-First-Out, FIFO queuing), users could experience an unacceptable lack of responsiveness. Users sending delay-sensitive voice traffic may be forced to wait too long. The delay problem is even more serious on slow WAN links.
28. Responsive Network - Traffic Prioritization / Queuing
- Routers may be configured to reorder packets so that mission-critical and delay-sensitive traffic is processed first. Higher priority packets are sent first even if other, lower priority packets arrived ahead of them.
- Priority Queuing
  - Assigns different priorities (high, medium, normal, low) to different protocols, according to various criteria.
  - Traffic classified as low priority might not get serviced in a timely manner, or at all.
- Custom Queuing
  - Reserves bandwidth for a specific protocol, ensuring that a minimum amount of bandwidth is provided to the protocol.
  - Configuration may include specifying the maximum number of packets in each custom queue and the amount of data to be forwarded from each queue during its turn in the cycle.
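The three disciplines described on this and the previous slide (FIFO, priority queuing and custom queuing), each draining the same constructed backlog over a link with a fixed byte budget, as an added example that is not from the slides. The protocol-to-priority mapping, the per-queue byte counts and the packet sizes are assumed values chosen to make the starvation and guaranteed-share behaviour visible.

```python
"""FIFO, priority queuing and custom queuing over one congested link.

Added example, not from the slides.  A constructed backlog of packets is
drained with a fixed byte budget (what the link can send in one interval)
under each discipline, and the bytes each protocol got are compared.
"""
from collections import deque

# Constructed classification for priority queuing: protocol -> priority level
PRIORITY = {"voice": "high", "http": "normal", "ftp": "low"}
LEVELS = ("high", "medium", "normal", "low")


def traffic_mix():
    """Constructed backlog: a bulk FTP burst arrived first, then voice and web."""
    return ([("ftp", 1500)] * 10
            + [("voice", 200), ("http", 1000)] * 10
            + [("voice", 200)] * 10)


def fifo(packets, link_budget):
    """First-come, first-served: the FTP burst at the head blocks everything."""
    sent = {proto: 0 for proto in PRIORITY}
    remaining = link_budget
    for proto, size in packets:
        if size > remaining:
            break                       # head-of-line blocking
        remaining -= size
        sent[proto] += size
    return sent


def priority_queuing(packets, link_budget):
    """Strict priority: a lower queue is served only when all higher ones are empty."""
    queues = {lvl: deque() for lvl in LEVELS}
    for proto, size in packets:
        queues[PRIORITY[proto]].append((proto, size))
    sent = {proto: 0 for proto in PRIORITY}
    remaining = link_budget
    for lvl in LEVELS:
        q = queues[lvl]
        while q and q[0][1] <= remaining:
            proto, size = q.popleft()
            remaining -= size
            sent[proto] += size
    return sent


def custom_queuing(packets, byte_counts, link_budget):
    """Round robin over per-protocol queues.  On its turn a queue forwards
    packets until its configured byte count is reached (at least one
    packet), so every protocol gets a guaranteed share of the link."""
    queues = {proto: deque() for proto in byte_counts}
    for proto, size in packets:
        queues[proto].append(size)
    sent = {proto: 0 for proto in byte_counts}
    remaining = link_budget
    while any(queues.values()):
        progressed = False
        for proto, quota in byte_counts.items():
            q, served = queues[proto], 0
            while q and served < quota and q[0] <= remaining:
                size = q.popleft()
                served += size
                remaining -= size
            sent[proto] += served
            progressed |= served > 0
        if not progressed:
            break                       # nothing left that fits in the budget
    return sent


if __name__ == "__main__":
    mix, budget = traffic_mix(), 8000
    print("fifo    ", fifo(mix, budget))
    print("priority", priority_queuing(mix, budget))
    print("custom  ", custom_queuing(mix, {"voice": 1000, "http": 2000, "ftp": 1500}, budget))
```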
29. Efficient Network
- An efficient network should not waste bandwidth, especially over costly WAN links. To be efficient, routers should prevent unnecessary traffic from traversing the WAN and minimize the size and frequency of routing updates.
- Techniques that optimize a WAN connection:
  - Access lists: filtering/stopping unwanted traffic
  - Snapshot routing
  - Dial-on-Demand Routing
  - Compression over WANs
  - Incremental updates: routing protocols such as OSPF send routing updates that contain information only about routes that have changed.
30. Efficient Network - DDR
- With Dial-on-Demand Routing (DDR), low-volume, periodic network connections can be made over the switched network (such as ISDN, PSTN) in a cost-effective way.
- A router activates the DDR feature when it receives an IP packet destined for a location on the other side of the dial-up line.
- The router dials the destination phone number and establishes the connection. When the transmission is complete, the line is automatically disconnected.
- The main difference between dial backup and DDR is the reason for placing the call. With DDR, traffic to the called destination activates the link. With dial backup, the link is activated as a result of a primary line failure or because the utilization of the primary link has reached a predefined level.
31. Efficient Network - Snapshot Routing
- Distance vector routing protocols typically update neighbor routers with their complete routing table periodically, even when there is no change in the network topology. Regular updates would cause a dial-up link to be re-established just to maintain the routing tables. It is possible to adjust the timers, but snapshot routing is a better solution.
- With snapshot routing, routers exchange their route tables during an initial connection. Then a router waits until the next active period on the line before again exchanging routing information.
- The router takes a snapshot of the routing table, which it uses while the dialup link is down. When the link is re-established, the router again updates its neighbors.
32. Making a Network Adaptable
- An adaptable network will handle the addition and coexistence of multiple routed and routing protocols.
- Adaptable protocols are needed to support routing information for different routed protocols.
- Adaptable protocols and routers also support route redistribution, which allows routing information to be shared among two or more different routing protocols. For example, RIP routes could be redistributed, or injected, into an OSPF area.
33. Accessible and Secure
- Accessible networks let users connect over a variety of technologies.
- Users may be connected through wired or wireless LAN.
- Remote users/sites may have access to several types of WAN services:
  - Circuit-switched networks that use dialup lines
  - Dedicated networks that use leased lines
  - Packet-switched networks
  - VPN over the Internet
- The easier it is for legitimate users to access the network, the easier it is for unauthorized users to break in. The network administrator must secure the access.
  - Access lists can be used to provide security.
  - Authentication and encryption should be used.
34. Accessible and Secure
- A RADIUS client, also referred to as a Network Access Server (NAS), provides the remote connections for users. A RADIUS client is typically a router, a VPN server/router or a wireless access point. RADIUS servers perform authentication, authorization and accounting functions.
- A VPN is the extension of a private network that uses links across the Internet. With a VPN, data sent between two computers across the public Internet is encrypted for confidentiality. Hence, it is just like sending data over a point-to-point private link.
- IPSec is a set of protocols for creating and maintaining secure communications over IP networks. Many VPNs are based on IPSec.
- SSL can be used to implement a VPN. SSL-based VPNs typically only require standard web browsers.
35. Accessible and Secure - WLAN
- Security problems with early WLAN systems (WEP-based IEEE 802.11):
  - Open system authentication: the SSID is sent in clear text
  - Wired Equivalent Privacy (WEP)
- Wi-Fi Protected Access (WPA) addresses the problems in WEP.
  - WPA uses the Temporal Key Integrity Protocol (TKIP) for encryption and IEEE 802.1X/EAP for authentication. WPA2 uses the Advanced Encryption Standard (AES).
- IEEE 802.1X is based on the use of an authentication server (e.g. RADIUS) for user management and the Extensible Authentication Protocol for secured communication.
36. Troubleshooting
- Troubleshooting begins by adopting a methodology that breaks down the process of troubleshooting into manageable pieces. This permits a systematic approach, minimizes confusion, and cuts down on time otherwise wasted with trial-and-error troubleshooting.
- The stages of the general troubleshooting process are:
  - Step 1: gather symptoms
  - Step 2: isolate the problem
  - Step 3: correct the problem
- The stages are not mutually exclusive. At any point in the process, it may be necessary to retrace to previous steps. For example, it may be necessary to gather more symptoms while isolating a problem. Often, when attempting to correct a problem, another unidentified problem could be created.
37. Gather Symptoms
- The troubleshooter gathers and documents symptoms from the network, end systems, or users.
- The troubleshooter determines what network components have been affected and how the functionality of the network has changed compared to the baseline.
- Symptoms may appear in many different forms: alerts from the network management system, console messages, and user complaints.
38. Gathering Symptoms
- The problem is reported by a person or by software.
- Often involves communicating with others.
- It is like gathering requirements in software design.
- It is an iterative process.
- Possible questions to ask:
  - What does not work? What does work?
  - Are the things related?
  - When was the problem first noticed?
  - What has changed since the last time it did work?
  - Did anything unusual happen?
  - When exactly does the problem occur?
39. Isolating and Correcting Problems
- Isolation of the problem
  - Identify the characteristics of the problem at the logical layers of the network so that the most likely cause can be selected.
  - At this stage, it may be necessary to gather and document more symptoms depending on the problem characteristics that are identified.
- Correct the problem
  - Correct an identified problem by implementing, testing, and documenting a solution.
  - Change only one thing at a time. Gather results as you change each variable.
  - Perform each step carefully and test to see if the symptoms go away.
  - If the corrective action has created another problem, the attempted solution is documented and the changes are removed. Then return to gathering symptoms and isolating the problem.
40. Layered Approach
- The OSI model is useful in troubleshooting networks. The model allows troubleshooting to be described in a structured way.
- The ability to identify which layers pertain to a networking device gives a troubleshooter the ability to minimize the complexity of a problem by dividing the problem into manageable parts.
- For example, knowing that Layer 3 issues are of no importance to a switch defines the boundaries of the task to layer 1 and layer 2. This simple knowledge can prevent wasting time troubleshooting irrelevant possibilities and will reduce the amount of time spent attempting to correct a problem.
41. Bottom-up
- When applying a bottom-up approach to troubleshooting a networking problem, the examination starts with the physical components of the network and then works up through the layers of the OSI model until the cause of the problem is identified.
- Advantages: most networking problems reside at the lower layers, so this approach will often produce effective results.
- Disadvantages: requires checking every device and interface on the network until the possible cause of the problem is found. The challenge is to determine which devices to start with.
42. Top-down
- When applying a top-down approach to troubleshooting a networking problem, the end-user application is examined first. Then work down from the upper layers of the OSI model until the cause of the problem has been identified.
- This approach requires checking every network application until the possible cause of the problem is found. The challenge is to determine which application to start with.
43. Divide and Conquer
- When the divide-and-conquer approach is applied to troubleshooting a networking problem, a layer is selected and tested in both directions from the starting layer.
- This approach is initiated at a particular layer. The layer is chosen based on the troubleshooter's experience level and the symptoms gathered about the problem.
- Once the direction of the problem is identified, troubleshooting follows that direction until the cause of the problem is identified.
- If it can be verified that a layer is functioning, it is quite safe to assume that the layers below it are functioning as well. If a layer is not functioning properly, gather symptoms of the problem at that layer and work downward to the lower layers.
44. Selecting an Approach
- A troubleshooting approach is often selected based on the complexity of the problem.
- A bottom-up approach typically works better for complex problems.
- If symptoms come from users complaining about specific network application(s), a top-down approach may be preferred.
- If symptoms come from the network (e.g. network monitor display, alarm/warning messages from devices), a bottom-up approach will likely be more effective.
- If a particular problem has been experienced previously, then the troubleshooter may know of a way to shorten the troubleshooting process.
45. Documentation
- An inventory of equipment and software, such as a list of MAC addresses and IP addresses.
- Keep a record of changes (a change log file), recording:
  - Each significant change
  - Each problem identified
  - Each entry dated, with the name of the person who made the entry
- Types of documentation:
  - Configuration information that describes the system, for example, sysreport used in Linux.
  - Procedural information that describes how to do things. Best, use tools (such as scripts) that automatically document what you have done.
46. Monitoring and Logging
- Event logs are useful for troubleshooting and monitoring performance.
- An event (an entry in the log file) may include details of the date and time when it occurred, event ID, event category, etc.
- In Windows systems, event categories include application, security, system, etc.
- Performance monitor keeps track of various processes. It helps identify bottlenecks. It helps the planning of upgrades, tracking of processes, monitoring the results of tuning/configuration, etc.
- Bottlenecks could be due to the system not having enough resources, a malfunctioning program, or a program that dominates a resource.
- Performance monitoring can be done locally or remotely.
- When the value of a monitored object exceeds the limit, an action is required: record the event in a log file, send a message, execute a script, etc.
47. Logging
- The syslog.conf file specifies rules for logging of system messages on Linux/Unix systems.
- Each rule consists of two fields: a selector and an action.
- The selector field consists of two parts, a facility and a priority.
- The facility specifies the subsystem that produced the message.
  - Examples of facility: auth, authpriv, cron, daemon, kern, lpr, mail, news, syslog, user, uucp and local0 through local7
- The priority defines the severity of the message.
  - Examples of priority in ascending order: debug, info, notice, warning, err, crit, alert, emerg
- Examples of action: write the message to a file on the localhost, forward the message to another host, or write the message to users' screens if they are logged on.
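A matcher for the selector field just described, as an added example that is not from the slides. It assumes the traditional syslog.conf semantics: a priority selects that severity and everything more severe, `=pri` selects exactly one severity, `none` excludes a facility, and within a `;`-separated selector later parts override earlier ones; the configuration fragment is constructed.

```python
"""Evaluate syslog.conf selectors for a message (facility, priority).

Added example, not from the slides.  Implements the traditional selector
rules: 'facility.priority' matches that priority and all more severe ones,
'=priority' matches exactly one, 'none' excludes a facility, '*' is a
wildcard, and later parts of a ';'-separated selector override earlier ones.
"""

FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "news",
              "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Constructed syslog.conf fragment covering the three kinds of action on the slide:
# a local file, all logged-in users' terminals ('*'), and a remote host ('@host').
SAMPLE_CONF = """
# comments and blank lines are ignored
auth,authpriv.*            /var/log/auth.log
*.*;auth,authpriv.none     -/var/log/syslog
kern.warning               /var/log/kern-warn.log
mail.=info                 /var/log/mail.info
*.emerg                    *
*.crit                     @loghost.example
"""


def parse_rules(conf_text: str) -> list:
    """Return (selector, action) pairs; the two fields are whitespace separated."""
    rules = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        rules.append((selector, action.strip()))
    return rules


def selector_matches(selector: str, facility: str, priority: str) -> bool:
    """Decide whether one selector field applies to a message."""
    if priority not in PRIORITIES:
        raise ValueError(f"unknown priority {priority!r}")
    matched = None
    for part in selector.split(";"):
        facs, _, pri = part.rpartition(".")
        fac_list = FACILITIES if facs == "*" else facs.split(",")
        if facility not in fac_list:
            continue
        if pri == "none":                      # exclude this facility
            matched = False
        elif pri == "*":
            matched = True
        elif pri.startswith("="):              # exactly this severity
            matched = priority == pri[1:]
        else:                                  # this severity and higher
            matched = PRIORITIES.index(priority) >= PRIORITIES.index(pri)
    return bool(matched)


def actions_for(rules: list, facility: str, priority: str) -> list:
    """All actions that a message with this facility/priority would trigger."""
    return [action for selector, action in rules
            if selector_matches(selector, facility, priority)]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONF)
    for msg in [("authpriv", "info"), ("kern", "err"), ("daemon", "emerg")]:
        print(msg, "->", actions_for(rules, *msg))
```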
48. Logging Policies
- Data logged should be kept for a period rather than deleted immediately.
- Log files could be reset at periodic intervals. Data logged can be kept for a period by "rotating" log files.
- For example, logfiles are kept for a week. Backup files are named logfile.1, logfile.2, ..., logfile.6. Every day, the data in logfile.7 is lost as logfile.6 overwrites it.
- To store logged data for a longer period, compress and archive the logs to tape or other permanent media.
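The rotation scheme described above, implemented as an added example that is not from the slides. It keeps seven numbered backups, so that each daily rotation drops logfile.7 as logfile.6 is renamed over it, and the simulation runs in a temporary directory so it can be executed anywhere.

```python
"""Daily log rotation with numbered backups: logfile -> logfile.1 -> ... -> logfile.7.

Added example, not from the slides.  rotate() renames from the oldest backup
downwards so that no file is overwritten out of turn; logfile.7 is replaced
by logfile.6 and its data is lost, exactly as the slide describes.
"""
import os
import tempfile


def rotate(logfile: str, keep: int = 7) -> None:
    """Shift every backup up by one, move the current file to .1, start a new file."""
    for n in range(keep, 1, -1):
        newer, older = f"{logfile}.{n - 1}", f"{logfile}.{n}"
        if os.path.exists(newer):
            os.replace(newer, older)        # overwrites logfile.<n>: that day's data is gone
    if os.path.exists(logfile):
        os.replace(logfile, f"{logfile}.1")
    open(logfile, "w").close()              # fresh, empty current log


def simulate_days(days: int = 9, keep: int = 7) -> dict:
    """Write one line per day and rotate daily; return the surviving file contents."""
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "logfile")
        for day in range(1, days + 1):
            with open(log, "a") as fh:
                fh.write(f"day {day}\n")    # constructed log entry for that day
            rotate(log, keep)
        surviving = {}
        for name in sorted(os.listdir(tmp)):
            with open(os.path.join(tmp, name)) as fh:
                surviving[name] = fh.read().strip()
        return surviving


if __name__ == "__main__":
    for name, content in simulate_days().items():
        print(f"{name:12} {content!r}")
```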
49. Troubleshooting a TCP/IP Network
- Step 1. Check whether the local host is properly configured: are the subnet mask and default gateway correct? Use TCP/IP utilities such as ipconfig, netstat, route print, arp, etc.
- Step 2. Use the ping or traceroute commands to check whether the default gateway (router) can respond. Then ping outwards, i.e. ping hosts farther away.
- Step 3. If not able to get through a particular node (router), check the configuration (show running-config) and use various show commands to determine the state (e.g. show ip route, show interface).
- Step 4. If all the routers in the path are working, check the host configuration at the remote host.
50. Useful Tools
- netstat: shows connections, services, routing
- ifconfig: shows network interfaces (for Windows, use ipconfig)
- ping: tests connectivity
- traceroute: shows route/path information
- route: shows/changes the routing table
- ip: shows, changes and sets network configuration
- arp: shows MAC addresses
- ps: information about processes
  - Is the web server running? ps aux | grep httpd
- top: shows processes that use the most resources (CPU time)
  - For Windows, use the Task Manager
51. netstat
- netstat can show statistics about network interfaces, including the number of packets/bytes sent/received, etc. These values are cumulative (since the interface was up).
- netstat -tua shows all network connections, including those listening.
- netstat -tu shows only connections that are established.
- netstat -i is like ifconfig: shows info and stats about each interface.
- netstat -nr shows the routing table, like route -n.
- Both Linux and Windows provide netstat.
52. ipconfig/ifconfig and route
- ipconfig (Windows), ifconfig (Linux)
  - Check interface status: connected or disconnected
  - Check IP address and subnet mask
  - Check default gateway, DNS settings
- route
  - Check the route table on the computer: route print
  - Check the route table on the router: show ip route. Helps in checking routing protocols.
  - Can modify the route table by adding static routes and a default route.
53. Ping
- A useful tool for checking connectivity. Sends an ICMP echo_request message and waits for an ICMP echo_reply message. Shows the round trip time. Can be used to make a rough measurement of throughput.
- If a ping is not successful, the following error messages may help to understand what is wrong.
  - Destination Network Unreachable: there is no route to the destination in the route table of the local host or the router. This may happen if the default gateway is not properly assigned to the computer. For routers, this may be due to problems related to routing protocols or static/default routes.
  - Request Timeout: the echo_request message has been sent out by the local host, but there is no reply, possibly due to a connectivity problem or the remote host not being available.
54Path Discovery traceroute
- As the name suggests, traceroute (in Windows, tracert) provides information about the route from the source to the destination.
- Ping can test connectivity between two points, but it does not tell which path is taken by the ICMP packets.
- Why bother to know which path is taken? For example, to verify that a BGP router is sending traffic with the preferred route.
55Rough measurement with ping
- Transmission delay: time to put the signal onto the media.
- Propagation delay: time for the signal to travel across the media.
- Queuing delay: time spent waiting for transmission in a router/switch.
- Rough measurement with ping
  - Ping with packet size 100 bytes, round-trip time 2Y sec
  - Ping with packet size 1100 bytes, round-trip time 2X sec
  - A rough estimation of data throughput is 8000/(X-Y) bps (the extra 1000 bytes, i.e. 8000 bits, are carried once in each direction, so each one-way trip grows by X-Y sec)
- Measurement with ping is simple, BUT it may not be accurate; for example, routers may give lower priority to answering pings
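Added example, not from the slides: the estimation above carried out on ping output. The script parses Linux-style `ping` output for the two payload sizes, applies the slide's formula, and uses the minimum round-trip time of each run rather than the mean, because the minimum is the sample least inflated by queuing or by a router deprioritising echo replies (the accuracy caveat on the slide). The two ping outputs are constructed for this example, not real captures; the 1000-byte size difference matches the 100-byte and 1100-byte runs on the slide.

```python
"""Rough throughput estimate from two ping runs (added example, not from the slides).

throughput ~= 8 * extra_bytes / ((RTT_large - RTT_small) / 2)
The halving is the slide's point: the extra bytes cross the path once in
each direction, so only half the RTT growth is attributable to one trip.
"""
import re

# Constructed outputs of `ping -c 4 -s 100` and `ping -c 4 -s 1100` (not real).
# The reply size is payload + 8 bytes of ICMP header, so 108 and 1108.
PING_SMALL = """\
PING 10.0.0.1 (10.0.0.1) 100(128) bytes of data.
108 bytes from 10.0.0.1: icmp_seq=1 ttl=63 time=1.20 ms
108 bytes from 10.0.0.1: icmp_seq=2 ttl=63 time=1.35 ms
108 bytes from 10.0.0.1: icmp_seq=3 ttl=63 time=1.22 ms
108 bytes from 10.0.0.1: icmp_seq=4 ttl=63 time=3.80 ms
"""
PING_LARGE = """\
PING 10.0.0.1 (10.0.0.1) 1100(1128) bytes of data.
1108 bytes from 10.0.0.1: icmp_seq=1 ttl=63 time=2.00 ms
1108 bytes from 10.0.0.1: icmp_seq=2 ttl=63 time=2.10 ms
1108 bytes from 10.0.0.1: icmp_seq=3 ttl=63 time=2.05 ms
1108 bytes from 10.0.0.1: icmp_seq=4 ttl=63 time=5.50 ms
"""

REPLY_RE = re.compile(r"^(\d+) bytes from .*?time=([\d.]+) ms")


def parse_ping(text):
    """Return (reply_size_bytes, [rtt_ms, ...]) from ping output."""
    size, rtts = None, []
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            size = int(m.group(1))
            rtts.append(float(m.group(2)))
    if size is None or not rtts:
        raise ValueError("no echo replies found in ping output")
    return size, rtts


def estimate_throughput_bps(small_output, large_output, use_min=True):
    """Rough path throughput in bit/s, or None when the RTT difference is unusable.

    use_min=True takes the minimum RTT of each run (least affected by queuing
    and by routers answering pings at low priority); use_min=False takes the
    mean, which the outliers in the sample drag upwards.
    """
    size_s, rtts_s = parse_ping(small_output)
    size_l, rtts_l = parse_ping(large_output)
    pick = min if use_min else (lambda xs: sum(xs) / len(xs))
    rtt_diff_ms = pick(rtts_l) - pick(rtts_s)
    if size_l <= size_s or rtt_diff_ms <= 0:
        return None  # noise dominates; no meaningful estimate
    one_way_s = rtt_diff_ms / 2 / 1000.0
    return 8 * (size_l - size_s) / one_way_s


if __name__ == "__main__":
    est_min = estimate_throughput_bps(PING_SMALL, PING_LARGE)
    est_mean = estimate_throughput_bps(PING_SMALL, PING_LARGE, use_min=False)
    print("min-based estimate:  %.1f Mbit/s" % (est_min / 1e6))
    print("mean-based estimate: %.1f Mbit/s" % (est_mean / 1e6))
```

With the sample data the minimum-based estimate is 20 Mbit/s while the mean-based one is pulled down to about 15.7 Mbit/s by the two slow replies, which is exactly the inaccuracy the slide warns about.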
56What is Packet Capture?
- Real-time collection of data as it travels over networks. Works by putting the network interface into promiscuous mode, in which it examines all packets that arrive, even those not addressed to it. A normal Ethernet interface will ignore packets not addressed to it.
- See what client and server are actually communicating with each other. Can analyze the type of traffic on the network.
- Tools are called packet sniffers, packet analysers, protocol analysers, network monitors.
- Do not capture packets without permission!
- Do not invade the privacy of others. Permission should be obtained before capturing packets on the network.
57tcpdump
- Be careful not to invade the privacy of others. Do not capture packets without permission!
- Filters can be used to select addresses, protocols, port numbers, ...
- Show all network traffic to and from 192.168.0.1
  - tcpdump host 192.168.0.1
- Show packets to 192.168.0.1
  - tcpdump dst 192.168.0.1
- Show packets to port 68 on 192.168.0.1
  - tcpdump dst 192.168.0.1 and port 68
- Capture traffic to or from 172.19.64.0/18
  - tcpdump net 172.19.64.0/18
- Can specify a network as source or destination
  - tcpdump src net 205.153.60/24
  - tcpdump dst net 172.19.64/18
58tcpdump - filter
- Can specify protocol
  - tcpdump ip
  - tcpdump tcp
  - tcpdump ip proto ospf
- This will catch DNS name lookups
  - tcpdump udp port 53
- This will not work as you might expect
  - tcpdump host ictlab and udp or arp
- Instead, need to group with parentheses, and quote
  - tcpdump "host ictlab and (udp or arp)"
- To see more ways of filtering, look at the manual: man tcpdump
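Added example, not from the slides, to make the precedence point concrete: tcpdump's filter language binds `and` tighter than `or`, so the unquoted `host ictlab and udp or arp` means `(host ictlab and udp) or arp` and lets every ARP frame on the segment through. The Python below decodes a handful of constructed Ethernet/IPv4/ARP frames (built inline with `struct`, not real captures) and expresses the two filters, plus the `udp port 53` filter from the slide, as predicates so the difference in match counts can be seen. It assumes the name ictlab resolves to 192.168.0.10; on a real capture tcpdump would resolve the name itself.

```python
"""Tiny frame decoder plus the slide's tcpdump filters as Python predicates.

Added example, not part of the slides. Frames are constructed in memory;
ICTLAB is the assumed address of the host called ictlab.
"""
import socket
import struct

ICTLAB = "192.168.0.10"                 # assumed: what "ictlab" resolves to
ETH_IP, ETH_ARP = 0x0800, 0x0806
PROTO_TCP, PROTO_UDP = 6, 17
MAC_A = bytes.fromhex("020000000001")   # constructed MAC addresses
MAC_B = bytes.fromhex("020000000002")
BCAST = b"\xff" * 6


def eth(dst_mac, src_mac, ethertype, payload):
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def ipv4(src, dst, proto, payload):
    # Minimal 20-byte IPv4 header; checksum left 0, nothing here verifies it.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth(MAC_B, MAC_A, ETH_IP, hdr + payload)


def udp_frame(src, dst, sport, dport):
    return ipv4(src, dst, PROTO_UDP, struct.pack("!HHHH", sport, dport, 8, 0))


def tcp_frame(src, dst, sport, dport):
    # 20-byte TCP header with only the SYN flag set.
    return ipv4(src, dst, PROTO_TCP,
                struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0))


def arp_frame(spa, tpa):
    # ARP request: who has tpa, tell spa.
    body = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IP, 6, 4, 1, MAC_A,
                       socket.inet_aton(spa), b"\x00" * 6, socket.inet_aton(tpa))
    return eth(BCAST, MAC_A, ETH_ARP, body)


def decode(frame):
    """Decode Ethernet -> IPv4 (TCP/UDP ports) or ARP into a flat dict."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    body = frame[14:]
    if ethertype == ETH_ARP:
        _, _, _, _, _op, _sha, spa, _tha, tpa = struct.unpack("!HHBBH6s4s6s4s", body[:28])
        return {"proto": "arp", "src": socket.inet_ntoa(spa),
                "dst": socket.inet_ntoa(tpa), "l4": None}
    if ethertype == ETH_IP:
        ihl = (body[0] & 0x0F) * 4
        pkt = {"proto": "ip", "src": socket.inet_ntoa(body[12:16]),
               "dst": socket.inet_ntoa(body[16:20]), "l4": None}
        if body[9] in (PROTO_TCP, PROTO_UDP):
            sport, dport = struct.unpack("!HH", body[ihl:ihl + 4])
            pkt.update(l4="udp" if body[9] == PROTO_UDP else "tcp",
                       sport=sport, dport=dport)
        return pkt
    return {"proto": "other", "src": None, "dst": None, "l4": None}


# Filter primitives in the spirit of tcpdump's host / udp / arp / port.
def f_host(h):
    return lambda p: h in (p["src"], p["dst"])


def f_port(n):
    return lambda p: n in (p.get("sport"), p.get("dport"))


def f_udp(p):
    return p["l4"] == "udp"


def f_arp(p):
    return p["proto"] == "arp"


def filter_unquoted(p):
    # "host ictlab and udp or arp" as tcpdump parses it: and before or
    return (f_host(ICTLAB)(p) and f_udp(p)) or f_arp(p)


def filter_grouped(p):
    # "host ictlab and (udp or arp)": what the slide intends
    return f_host(ICTLAB)(p) and (f_udp(p) or f_arp(p))


def filter_dns(p):
    # "udp port 53"
    return f_udp(p) and f_port(53)(p)


def count_matches(frames, flt):
    return sum(1 for fr in frames if flt(decode(fr)))


SAMPLE_FRAMES = [                                    # constructed traffic
    udp_frame(ICTLAB, "8.8.8.8", 40000, 53),         # DNS query from ictlab
    tcp_frame(ICTLAB, "10.0.0.1", 40001, 80),        # HTTP SYN from ictlab
    arp_frame("192.168.0.99", "192.168.0.1"),        # ARP from another host
    arp_frame(ICTLAB, "192.168.0.1"),                # ARP from ictlab
    udp_frame("192.168.0.99", "8.8.8.8", 40002, 53), # DNS query from another host
]

if __name__ == "__main__":
    for name, flt in [("unquoted", filter_unquoted), ("grouped", filter_grouped),
                      ("udp port 53", filter_dns)]:
        print(f"{name:12s} matches {count_matches(SAMPLE_FRAMES, flt)} of {len(SAMPLE_FRAMES)}")
```

The unquoted form matches three frames because the foreign host's ARP request slips through; the grouped form matches only the two frames that involve ictlab.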
59Ethereal
- Ethereal can read data captured by tcpdump
- Ethereal can capture data itself
- Like tcpdump, various types of filters can be used with Ethereal.
- Can expand any protocol. View details of protocols at different layers: data frames, IP packets, TCP/UDP segments, application protocols.
- Can view the contents of a TCP stream, in ASCII or in hexadecimal.
- Can check whether a communications stream is encrypted or not
- Be careful not to invade the privacy of others. Do not capture packets without permission.
60Port Monitoring switched network
- Don't do port monitoring without permission!
- Port monitoring, or port mirroring, selects network traffic for analysis.
- To capture traffic sent by hosts connected to a hub, just attach a protocol analyzer (or a sniffer) to this hub.
- On a switch, after the host MAC address is learned, unicast traffic to that host is only forwarded to the required port, and therefore is not seen by the sniffer.
- How do you use Ethereal or tcpdump to monitor traffic between a number of hosts?
- Solution: some switches support port monitoring, where a switch port can monitor the traffic of other ports
  - The port monitoring function copies unicast packets to the required destination port (monitor port).
  - However, not every switch supports the port monitoring function.
61Port Monitoring switched network
- Don't do port monitoring without permission!
- Source Port: a port that is monitored.
- Destination Port (or Monitor Port): a port that is monitoring source ports, usually where a network analyzer is connected.
- Port Monitoring can be local or remote
  - Local port monitoring: the monitored ports and the destination port are on the same switch.
  - Remote port monitoring: some source ports are not located on the same switch as the destination port.
- Port Monitoring can be port-based or VLAN-based
  - Port-based monitoring: specifies one or several source ports on the switch and one destination port.
  - VLAN-based monitoring: on a given switch, monitor all the ports belonging to a particular VLAN
62Port Scanning
- Do not port scan machines without permission! Port scanning can be interpreted as a cracking attempt
- Port scanning: the techniques used to determine which ports of a host are listening for connections. Port scanning software sends out a request to connect to the target computer on each port sequentially and records which ports responded or seem open.
- Port scanning tools such as Network Mapper (nmap) can check what network services a computer is offering. A cracked computer may be hiding some services with trojaned utilities.
- Network security applications can alert administrators if they detect connection requests across a broad range of ports from a single host.
- To avoid being detected, an intruder may
  - limit the ports to a smaller target set rather than blanket scanning all 65536 ports
  - scan the ports over a much longer period of time.
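Added example, not from the slides: the alerting rule described above ("connection requests across a broad range of ports from a single host") as a sliding-window detector over connection-attempt logs. The log format (`timestamp src= dst= dport=`) and the sample events are constructed for this example; a real deployment would feed firewall or flow logs in whatever format they have. The sample contains a fast scanner, a slow scanner of the kind the last bullet describes, and a normal client, so the output shows why the window length matters: a 60 s window catches only the fast scan, while a one-hour window with the same distinct-port threshold catches both.

```python
"""Port-scan detection over connection-attempt logs (added example, not from the slides)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LOG_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)")
BASE = datetime(2024, 3, 1, 10, 0, 0)   # constructed start time of the sample


def make_lines(src, dst, ports, step):
    """Build constructed log lines: one connection attempt per port, `step` apart."""
    return [f"{(BASE + i * step).isoformat()} src={src} dst={dst} dport={p}"
            for i, p in enumerate(ports)]


SAMPLE_LOG = (
    # fast scan: 8 ports within 2 seconds
    make_lines("10.9.8.7", "192.168.0.10", [21, 22, 23, 25, 80, 110, 143, 443],
               timedelta(milliseconds=250))
    # slow scan: 6 ports, one every 10 minutes
    + make_lines("10.9.8.8", "192.168.0.10", [21, 22, 23, 25, 80, 110],
                 timedelta(minutes=10))
    # normal client: only ever ssh and http
    + make_lines("192.168.0.5", "192.168.0.10", [22, 80, 22, 80, 22, 80],
                 timedelta(minutes=5))
    # noise that the parser must ignore
    + ["2024-03-01T10:05:00 kernel: unrelated line"]
)


def parse_line(line):
    """Return (epoch_seconds, src, dst, dport) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1)).timestamp()
    return ts, m.group(2), m.group(3), int(m.group(4))


def detect_scans(lines, window_s, min_ports):
    """Map (src, dst) -> timestamp of the first alert, for every pair where src
    contacted at least min_ports distinct destination ports within window_s seconds.
    Events are sorted by time first, so the input need not be ordered."""
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    recent = defaultdict(deque)   # (src, dst) -> (ts, dport) still inside the window
    alerts = {}
    for ts, src, dst, dport in events:
        key = (src, dst)
        q = recent[key]
        q.append((ts, dport))
        while ts - q[0][0] > window_s:   # drop attempts older than the window
            q.popleft()
        if key not in alerts and len({p for _, p in q}) >= min_ports:
            alerts[key] = ts
    return alerts


if __name__ == "__main__":
    print("60 s window:  ", detect_scans(SAMPLE_LOG, 60, 5))
    print("3600 s window:", detect_scans(SAMPLE_LOG, 3600, 5))
```

Lengthening the window is the simple counter to the slow-scan evasion the slide mentions; the cost is memory per source/destination pair, which is why production tools also cap how many pairs they track and age out idle ones.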