Title: Network Design
1. Network Design
- In networking, scalability is the capability to grow and adapt without major redesign or reinstallation.
- Good design is the key to a network's capability to scale. To be scalable, a network design should follow a hierarchical model.
- The hierarchical design model simplifies network design in a similar way to how the OSI 7-layer protocol model simplifies communication between computers.
- A hierarchical network design model breaks the complex problem of network design into smaller, more manageable problems.
2. Hierarchical Model/Structure
[Diagram: three-tier hierarchy. Core Layer: routers linking Regional sites A, B, C and D and the Public Networks. Distribution Layer: Campus Backbone routers. Access Layer: Building Backbone routers serving the Local site and the Remote sites.]
3. Layers in Hierarchical Structure
- A hierarchical model/structure may include the following layers:
  - Core layer: provides optimal transport between regional sites or at the network backbone.
  - Distribution layer: provides policy-based connectivity.
  - Access layer: provides workgroup and user access to the network resources.
- Layered models are useful because they facilitate modularity. Since devices at each layer have similar and well-defined functions, administrators can easily add, replace, and remove individual devices.
4. Advantages of Hierarchical Model
- Design implementation
  - As each layer is assigned clear and specific functions, it is easier to choose the right systems and features for that layer. Implementation of each layer and of the overall network is simpler.
  - Each layer addresses a different set of problems, so the hardware and software can be optimized for specific roles. Devices in the same layer can be configured in a consistent way.
- Modularity: modularity in network design helps replicate design elements.
- Predictability: the behaviour of a network is more predictable, capacity planning for growth is easier, and modelling of network performance is made easier.
5. Advantages of Hierarchical Model
- Scalability
  - Functionality is localized and potential problems can be recognized more easily; hence the network can grow much larger without sacrificing control or manageability.
  - Changes can be more easily implemented. The cost and complexity of an upgrade are constrained to a small subset of the overall network. In large flat network architectures, changes can affect many parts.
- Ease of troubleshooting
  - It is easier to isolate problems in a network because the functions of the individual layers are well defined.
  - It is easier to identify failure points in a network by structuring the network into small, easy-to-understand elements.
6. Traffic Flow in Hierarchical Model
- A hierarchical model for network design is good for controlling data traffic patterns. With routers suitably placed in the network, unnecessary traffic will not flow from one layer to another.
- Together with a suitable placement of servers, traffic flow (bandwidth usage) can be effectively controlled.
- For example, when clients in site Z access their local server, the traffic will not go up to the regional router. Only when clients in site Z access servers in other sites will the traffic go up to the regional router and then down to the required site.
7. Placement of Servers
- One of the key design considerations is the placement of servers, which affects the traffic flow (hence, the use of bandwidth).
- Some servers (like email servers) are frequently accessed by all clients in the network, while some servers (like file servers) only serve specific client groups. The former is referred to as an enterprise server and the latter as a workgroup server.
- To avoid unnecessary traffic (across layers and sites) wasting network bandwidth:
  - enterprise servers are better placed at a higher layer in the hierarchy, whereas
  - workgroup servers should be placed in the access layer.
8. Core Layer
- Typically, the Core layer provides connections between regional and main sites in a Wide Area Network (WAN).
- However, the core of a network does not have to exist in the WAN; a LAN backbone can also be part of the core layer. Gigabit Ethernet is a typical core layer technology.
- The Core layer provides an optimized and reliable transport structure by forwarding traffic at very high speeds. The Core layer routes/switches packets as fast as possible.
- Devices at the core layer should not be burdened with any processing that slows down the speed: no access-list checking, no data encryption, no address translation at the Core layer.
9. Features of Routers at Core Layer
- Scalable routers: routers at the Core layer should provide multiple modules for various media types. Routers at the Distribution layer generally need fewer interfaces.
- Features (for reliability) of routers at the Core layer:
  - redundant symmetrical links
  - redundant power supplies
- Although many packet processing functions are not preferred in the Core layer, the most powerful routers should be used in the Core layer to provide high-speed and reliable transport of data between regional sites.
- Routers at the Distribution layer usually have a lower switching speed than routers at the Core layer because they handle less traffic.
10. Core Layer - Load Balancing
- To add bandwidth, either increase the bandwidth of the existing link, or add additional links. The latter requires routers to provide a load balancing function. Load balancing/sharing can be per-destination (fast switching) or per-packet (process switching).
- Per-destination load balancing
  - Given two paths to the same network, all packets for one destination IP address will travel over the first path, all packets for a second destination will travel over the second path, and so on.
  - When the router switches the first packet to a particular destination, a routing table lookup is performed. The route and data-link information is stored in the fast switching cache. Subsequent packets to the same destination are immediately switched out the same interface without performing another routing table lookup.
11. Core Layer - Load Balancing
- Per-packet load balancing means that the router sends one packet for a destination over the first path, the second packet for the same destination over the second path, and so on.
- Per-destination vs per-packet load balancing
  - Per-packet load balancing may distribute traffic more evenly.
  - Per-destination (fast switching) provides a lower switching time and processor utilization.
  - Per-destination load balancing can preserve packet order. Per-packet load balancing guarantees equal load across all links. However, there is a potential that packets may arrive out of order at the destination because differential delay may exist within the network.
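The trade-off in the two slides above, as an added simulation that is not part of the lecture notes: two equal-cost paths with different one-way delays, one packet stream, and the same stream forwarded once per-destination (cached path, one lookup per destination) and once per-packet (alternating paths). The paths, delays and packet stream are constructed; the receiver-side ordering is derived from them.

```python
"""Added example, not from the lecture notes: simulate per-destination
and per-packet load sharing over two equal-cost paths and show the
packet-ordering side effect the slides describe. Paths, delays and the
packet stream are all constructed."""

PATHS = ["path1", "path2"]
# Constructed one-way delays (arbitrary time units). path2 is slower,
# which is the "differential delay" that lets per-packet sharing reorder a flow.
PATH_DELAY = {"path1": 10, "path2": 25}

# Constructed stream of (sequence number, destination host).
STREAM = [(1, "A"), (2, "A"), (3, "B"), (4, "A"),
          (5, "A"), (6, "B"), (7, "A"), (8, "A")]


def per_destination(packets):
    """Fast switching: the first packet to a destination triggers a routing
    table lookup and the chosen path is cached; later packets to the same
    destination reuse the cache. Returns (assignments, number of lookups)."""
    cache = {}
    lookups = 0
    assignment = []
    for seq, dst in packets:
        if dst not in cache:
            cache[dst] = PATHS[len(cache) % len(PATHS)]  # lookup; destinations alternate paths
            lookups += 1
        assignment.append((seq, dst, cache[dst]))
    return assignment, lookups


def per_packet(packets):
    """Process switching: every packet is looked up and paths alternate packet by packet."""
    assignment = [(seq, dst, PATHS[i % len(PATHS)]) for i, (seq, dst) in enumerate(packets)]
    return assignment, len(packets)


def arrival_order(assignment, dst):
    """Sequence numbers of one destination's packets in the order the receiver
    sees them. Send time is the packet's position in the stream."""
    timed = [(i + PATH_DELAY[path], i, seq)
             for i, (seq, d, path) in enumerate(assignment) if d == dst]
    return [seq for _, _, seq in sorted(timed)]


def is_in_order(seqs):
    return all(a < b for a, b in zip(seqs, seqs[1:]))


def load_per_path(assignment):
    return {p: sum(1 for _, _, q in assignment if q == p) for p in PATHS}


def demo():
    dst_assign, dst_lookups = per_destination(STREAM)
    pkt_assign, pkt_lookups = per_packet(STREAM)
    return {
        "per_destination_lookups": dst_lookups,
        "per_packet_lookups": pkt_lookups,
        "per_destination_order_A": arrival_order(dst_assign, "A"),
        "per_packet_order_A": arrival_order(pkt_assign, "A"),
        "per_destination_load": load_per_path(dst_assign),
        "per_packet_load": load_per_path(pkt_assign),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With this stream, per-destination switching performs two lookups and delivers host A's packets in sequence but puts six of the eight packets on one path; per-packet switching splits the load 4/4 at the cost of one lookup per packet and delivers host A's packets as 1, 5, 7, 2, 4, 8.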
12. Core Layer Redundant Links
- At the core layer, redundant links are needed to provide fault tolerance so that the network can withstand an individual link failure. Together with load balancing by routers, link bandwidth is increased, response times are lowered, and application availability is improved.
- Multiple routers can be used to terminate dual links so that there is not a single point of failure.
- The main disadvantage of duplicating WAN links to each site is cost. In large networks, especially those using a star topology, many links are required. A lower cost alternative is to use a partial/semi-meshed or ring topology.
[Diagrams: star topology with redundant links; semi-mesh topology]
13. Core Layer: Dedicated Link vs Dial-up Link
- A reliable backbone may consist of dual, dedicated links. Traffic load can be shared between the two links.
- Another model is one dedicated link and one dial-up (switched) link.
  - Under normal operating conditions, the dial-up link is not operational until the dedicated link fails.
  - The dial-up link can also be set up when the dedicated link has reached a limit of traffic load (say 90%).
14. Distribution Layer
- The distribution layer provides policy-based connectivity. Packet manipulation and handling occur in this layer. A policy is an approach to handling certain kinds of traffic. Policies can be used to secure networks and to preserve resources by preventing unnecessary traffic.
- The distribution layer is located between the access and core layers. This layer provides boundary definition using access lists/filters to limit what gets into the core. Traffic filters based on area or service type are used to provide policy-based access control. Access lists/filters can be used to permit or deny traffic from particular networks/nodes or particular protocols and applications. Access filters can be applied on incoming or outgoing ports.
- If a network has two or more routing protocols, such as RIP and OSPF, route redistribution is done at the distribution layer.
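A model of the distribution-layer access list just described, added here as an example and not taken from the lecture notes. It keeps the properties that matter in practice: rules are evaluated top down, the first match decides, and a packet that matches nothing falls to an implicit deny, which is also what stops a source address outside the access block (a spoofed source) from ever reaching the core. The rule format is a simplification of router ACL syntax; the access block, server address and policy are constructed.

```python
"""Added example, not from the lecture notes: a model of the distribution
layer access list described above. Rules are checked top down, the first
match decides, and a packet matching no rule is denied (the implicit deny
most router ACLs end with). Rule semantics are a simplification; the
addresses, networks and policy are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; else "tcp", "udp", "icmp"
    src: str                     # source network in CIDR form; "0.0.0.0/0" is any
    dst: str                     # destination network in CIDR form
    dport: Optional[int] = None  # destination port; None matches any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(acl, pkt):
    """Return (action, index of the matching rule); ("deny", None) is the implicit deny."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


# Constructed policy applied inbound on the distribution router's interface
# toward one access block (10.20.0.0/16). Only the access block's own
# addresses can pass (any other source is spoofed and hits the implicit deny),
# telnet toward the core is refused, mail to the enterprise mail server, DNS and
# web traffic are allowed, and everything else is dropped before reaching the core.
ACCESS_BLOCK = "10.20.0.0/16"
ANY = "0.0.0.0/0"
MAIL_SERVER = "10.1.1.25/32"
INBOUND_FROM_ACCESS = [
    Rule("deny", "tcp", ACCESS_BLOCK, ANY, 23),
    Rule("permit", "tcp", ACCESS_BLOCK, MAIL_SERVER, 25),
    Rule("permit", "tcp", ACCESS_BLOCK, ANY, 80),
    Rule("permit", "tcp", ACCESS_BLOCK, ANY, 443),
    Rule("permit", "icmp", ACCESS_BLOCK, ANY),
    Rule("permit", "udp", ACCESS_BLOCK, ANY, 53),
]


def filter_batch(acl, packets):
    """Apply the ACL to a list of packets; returns how many were permitted and denied."""
    counts = {"permit": 0, "deny": 0}
    for pkt in packets:
        counts[evaluate(acl, pkt)[0]] += 1
    return counts


if __name__ == "__main__":
    sample = [Packet("tcp", "10.20.5.7", "10.1.1.25", 25),
              Packet("tcp", "10.20.5.7", "203.0.113.10", 23),
              Packet("tcp", "192.168.9.9", "203.0.113.10", 80)]
    for pkt in sample:
        print(pkt, "->", evaluate(INBOUND_FROM_ACCESS, pkt))
```

Because the first match wins, rule order is part of the policy: the telnet deny sits above the permits so that it is reached, and nothing needs to spell out the anti-spoofing check because every permit names the access block as the only acceptable source.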
15. Access Layer
- This layer provides access to services and data; servers and workstations are attached to this layer. For quick access to local services, workgroup servers and printers are placed in the access layer.
- Using VLANs, users can be grouped according to their logical function.
- Access routers generally offer fewer physical interfaces than distribution and core routers. Access routers generally connect to access switches for user access to the network.
- Provides connectivity: remote users access through WAN services such as ISDN or Frame Relay; local users access through Ethernet.
- The access layer performs network entry security control.
  - Routers at the access layer permit/deny users.
  - Authenticating users prevents unauthorized users from accessing the network.
16. Three-layer, Two-layer, One-layer
- A three-layer model can meet the needs of many enterprise networks.
- But not all organizations require a three-layer structure. In many cases, one-layer and two-layer designs are suitable.
- The way the layers are implemented depends on the needs of the network being designed.
- However, a hierarchical structure should be planned or maintained to allow for future expansion. A two-layer structure may expand into three layers.
17. Campus Networks
- Campus networks usually cover a building or several buildings in close proximity to each other.
- Two major problems with traditional networks have always been availability and performance. These two problems are both impacted by the amount of bandwidth available.
- Traffic that can affect network performance:
  - Broadcast: traffic that polls the network about component status or availability and advertises network component status or availability.
  - Multicast: traffic that is propagated to a specific group of users.
18. Campus Networks
- Two methods can address the broadcast issue for large switched LANs:
  - Use routers to create many subnets and logically segment the traffic, limiting broadcasts within individual subnets. Although this approach can confine broadcast traffic, it may create a traffic bottleneck at the routers.
  - Another method is to implement virtual LANs (VLANs) in the switched network. VLANs provide various advantages: better bandwidth utilization, better security and easier administration (adding/moving computers in VLANs).
19. Network Traffic Pattern
- The 80/20 rule states that 80 percent of the traffic on a given network segment is local. No more than 20 percent of the network traffic moves across the backbone of the network.
- In today's networks, traffic patterns are moving toward the 20/80 model. In the 20/80 model, only 20 percent of traffic remains local to the workgroup LAN, and 80 percent of the traffic leaves the local network. Contributing factors to this shift in traffic patterns include:
  - The Internet
  - Server farms
- As the majority of traffic leaves the local network segment, congestion (traffic bottleneck) may occur at routers at the distribution layer because of the intensive processing resulting from policy-based filters.
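The 80/20 measurement above, together with the server-placement and traffic-flow points from the earlier slides (site Z, the regional router, enterprise versus workgroup servers), worked through on constructed flow records. This is an added example and not part of the lecture notes: it classifies each flow as local or backbone, reports the split, and counts the bytes the regional router has to forward before and after the shared mail server is moved from an access site up to the core. The sites, hosts and byte counts are constructed.

```python
"""Added example, not from the lecture notes: classify constructed flow
records by where they terminate in the hierarchy, compute the local versus
backbone split behind the 80/20 rule, and show the server-placement point
from the earlier slides: moving the server everyone uses out of one access
site and up to the core changes how much traffic the regional router
carries. Sites, hosts and byte counts are constructed."""

# Constructed site membership. "core" is where enterprise servers sit;
# every other site is an access-layer site hanging off the regional router.
HOST_SITE = {
    "pc1": "Z", "pc2": "Z", "fileZ": "Z", "mail": "Z",   # mail starts in site Z
    "pc3": "Y", "pc4": "Y", "pc5": "Y",
}
CORE = "core"

# Constructed flow records: (source host, destination host, bytes).
FLOWS = [
    ("pc1", "fileZ", 4000), ("pc2", "fileZ", 3000),   # workgroup file server traffic
    ("pc1", "mail", 1000), ("pc2", "mail", 1000),     # Z users reading mail
    ("pc3", "mail", 1000), ("pc4", "mail", 1000), ("pc5", "mail", 1000),  # Y users reading mail
    ("pc3", "pc4", 2000),                             # peer traffic inside Y
]


def classify(flows, host_site):
    """Split bytes into local (both ends in the same site) and backbone
    (different sites, so the traffic climbs to the regional router)."""
    local = backbone = 0
    for src, dst, nbytes in flows:
        if host_site[src] == host_site[dst]:
            local += nbytes
        else:
            backbone += nbytes
    total = local + backbone
    return {"local_pct": round(100 * local / total, 1),
            "backbone_pct": round(100 * backbone / total, 1),
            "backbone_bytes": backbone}


def regional_router_bytes(flows, host_site, core=CORE):
    """Bytes the regional router forwards: a flow between an access site and
    the core crosses it once; a flow between two access sites crosses it
    twice (up from one site, down into the other)."""
    load = 0
    for src, dst, nbytes in flows:
        s, d = host_site[src], host_site[dst]
        if s == d:
            continue
        load += nbytes * (1 if core in (s, d) else 2)
    return load


def relocate(host_site, host, new_site):
    """Copy of the site map with one host moved, i.e. a server placement decision."""
    moved = dict(host_site)
    moved[host] = new_site
    return moved


if __name__ == "__main__":
    print("mail in site Z:", classify(FLOWS, HOST_SITE), regional_router_bytes(FLOWS, HOST_SITE))
    moved = relocate(HOST_SITE, "mail", CORE)
    print("mail in core  :", classify(FLOWS, moved), regional_router_bytes(FLOWS, moved))
```

With the mail server in site Z the records split roughly 79/21, close to the classic rule, but every mail flow from site Y climbs to the regional router and comes back down into Z. Placing the enterprise server at the core raises the backbone share (the slides' 20/80 drift) while lowering the regional router's forwarding load, because each mail flow now crosses it once instead of twice.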
20. LAN Switching and The Hierarchical Model
[Diagram: Switch Block 1 and Switch Block 2, each with access switches feeding distribution switches, joined through a Core Block.]
- Access Layer provides access-layer aggregation and L3/L4 services
- Distribution Layer provides policy-based connectivity
- Core Layer provides optimal connectivity between distribution blocks
21. Network Building Blocks
- Network building blocks may include the following:
  - Switch block
  - Core block
  - Server block
  - WAN block
  - Mainframe block
  - Internet connectivity
- A switch block provides switch and router functionality.
- A switch block provides Access Layer and Distribution Layer functions.
22. Switch Block
- Access Layer
  - Switches in the wiring closets connect users to the network at the access layer and provide dedicated bandwidth to each port.
  - Access Layer (AL) devices merge into one or more Distribution Layer (DL) devices. AL devices have redundant connections to the DL device to provide fault tolerance. Spanning-Tree Protocol (STP) is required in these AL switches.
- Distribution Layer
  - Switches/routers provide broadcast control, security and connectivity for each switch block.
  - The DL device provides switching and routing services.
  - A DL device can be a switch plus an external router. A DL device can also be a multilayer switch.
23. Core Block
[Diagrams: four Switch Blocks joined through a Collapsed Core; four Switch Blocks joined through a Dual Core]
24. Core Block
- A core is required when there are two or more switch blocks.
- The core block is responsible for transferring traffic between switch blocks at high speed. Traffic between switch blocks, server blocks, the Internet, and the wide-area network must pass through the core.
- The core block must be able to pass traffic as quickly as possible.
- Because VLANs terminate at the distribution device, core links are not trunk links: core links do not carry multiple VLANs per link.
- One or more switches can make up a core. To provide redundancy, at least two devices should be present in the core.
25. Collapsed Core and Dual Core
- With a Collapsed Core, distribution and core layer functions are performed in the same device. There is no separate core block. The DL device of one switch block is connected directly to the DL device of another switch block, without a separate core layer device in between.
- With a Dual Core, each switch block is redundantly linked to both core switches, providing two equal-path links and twice the bandwidth.
26. Scalable Network Key Characteristics
- Reliable and available: a reliable network should be dependable and available.
- Responsive: a responsive network should provide Quality of Service (QoS) for various applications and protocols.
- Efficient: large internetworks must optimize the use of resources, especially bandwidth. Reducing the amount of overhead traffic results in an increase in data throughput.
- Adaptable: an adaptable network is capable of accommodating disparate protocols, applications, and hardware technologies.
- Accessible but secure: an accessible network allows different types of connections while securing network integrity.
27. Reliable and Available Network
- In a highly reliable and available network, fault tolerance and redundancy make outages and failures invisible to the end user. Devices and telecommunication links can be very expensive; however, the cost of a core router/link going down can be much higher.
- Reliability can be expressed as Mean Time Between Failures (MTBF).
- Availability can be expressed as the percentage of time when the service is available, e.g. the service is available 99.9% of a day.
- A reliable system may have high availability. High availability systems could be built with less reliable components if a good fault-tolerant mechanism is used.
- Core routers maintain reliability and availability. The following features can enhance reliability and availability: scalable routing protocols, alternative paths, load balancing and dial backup.
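The arithmetic behind the slide's MTBF, percentage-availability and "less reliable components plus fault tolerance" statements, as an added example that is not part of the lecture notes. Availability of one component is MTBF / (MTBF + MTTR); two redundant links fail together only when both are down, so their combined availability is 1 - (1 - A)^2; components that must all work multiply. The MTBF and MTTR figures are constructed.

```python
"""Added example, not from the lecture notes: the arithmetic behind the
slide's statements that reliability is expressed as MTBF, availability as
a percentage of time, and that high availability can be built from less
reliable components when a fault-tolerant mechanism (here, dual links) is
used. The MTBF and MTTR figures are constructed."""

HOURS_PER_YEAR = 365 * 24


def availability(mtbf_hours, mttr_hours):
    """Steady-state availability of one component: fraction of time it is up."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def parallel(*avails):
    """Service survives while at least one redundant component is up
    (independent failures assumed)."""
    unavail = 1.0
    for a in avails:
        unavail *= 1.0 - a
    return 1.0 - unavail


def series(*avails):
    """Every component in a chain must be up for the service to work."""
    result = 1.0
    for a in avails:
        result *= a
    return result


def downtime_minutes_per_year(avail):
    return (1.0 - avail) * HOURS_PER_YEAR * 60


def compare():
    """One premium link versus two cheaper links in parallel, and the
    end-to-end figure when two premium hops sit in series."""
    premium = availability(mtbf_hours=8000, mttr_hours=8)    # about 99.9%
    cheap = availability(mtbf_hours=2000, mttr_hours=24)     # about 98.8%
    dual_cheap = parallel(cheap, cheap)
    return {
        "premium_single": round(premium, 5),
        "cheap_single": round(cheap, 5),
        "cheap_dual": round(dual_cheap, 5),
        "premium_minutes_down_per_year": round(downtime_minutes_per_year(premium)),
        "cheap_dual_minutes_down_per_year": round(downtime_minutes_per_year(dual_cheap)),
        "two_premium_hops_in_series": round(series(premium, premium), 5),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The single premium link reaches the slide's 99.9% (about 525 minutes of downtime a year); two cheaper 98.8% links in parallel reach about 99.986% (about 74 minutes), which is the sense in which fault tolerance buys availability that the individual components do not have. The series figure shows the opposite effect: each hop a path must traverse multiplies the unavailability, which is why core paths are kept short and redundant.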
28. Reliable Available Network
- Scalable routing protocols: routers in the core of a network should converge rapidly and maintain reachability to all networks and subnetworks. Simple distance vector routing protocols, such as RIP, take too long to update and adapt to topology changes.
- Alternate paths: redundant links maximize network reliability and availability, but they are expensive to deploy.
- Load balancing: redundant links do not necessarily remain idle until a link fails. Routers can distribute the traffic load across multiple links to the same destination.
- Dial backup: a redundant link could be too expensive. A backup link can be configured over a dialup technology, such as ISDN.
29. Responsive Network
- End users notice network responsiveness as they use the network; users expect network resources to respond quickly.
- Traffic prioritization enables policy-based routing and ensures that packets carrying mission-critical data take precedence over less important traffic.
- To improve responsiveness in a congested network, routers may be configured to prioritize certain kinds of traffic based on protocol information, such as TCP port numbers.
- If the router schedules packets for transmission on a first-come, first-served basis (First-In-First-Out, FIFO queuing), users could experience an unacceptable lack of responsiveness. A user sending delay-sensitive voice traffic may be forced to wait too long. The delay problem is even more serious when a slow WAN link is concerned.
30. Responsive Network: Traffic Prioritization / Queuing
- Routers may be configured to reorder packets so that mission-critical and delay-sensitive traffic is processed first. Higher priority packets are sent first even if other low priority packets arrived ahead of them.
- Priority Queuing
  - assigns different priorities (high, medium, normal, low), according to various criteria, to different protocols
  - traffic classified as low priority might not get serviced in a timely manner, or at all.
- Custom Queuing
  - custom queuing reserves bandwidth for a specific protocol; for example, one may assign 40% of the total bandwidth to SNA, 20% to TCP/IP, 20% to NetBIOS and 20% for others.
  - Custom queuing ensures a minimum amount of bandwidth for the specified protocol.
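The two disciplines on the slide, run against the same backlog in an added simulation that is not part of the lecture notes. Priority queuing drains the highest-priority queue first and serves the others only when it is empty; custom queuing visits every queue each cycle and lets it send up to a configured byte count, here set to the slide's 40/20/20/20 split. Queue contents, packet sizes and the per-interval link budget are constructed.

```python
"""Added example, not from the lecture notes: a discrete simulation of the
two queuing disciplines on the slide. Strict priority queuing always
serves the highest non-empty queue, so a busy high-priority class can
starve the lowest one; custom queuing visits every queue in turn and lets
each send up to its configured byte count per cycle, so every class keeps
a minimum share of the link. Queue contents, packet sizes and the link
budget are constructed."""
from collections import deque

PACKET_BYTES = 100

# Constructed backlog: packets waiting in each class's queue.
LOADS = {"sna": 30, "tcpip": 30, "netbios": 5, "other": 30}
# Priority queuing: strict order, highest priority first.
PRIORITY_ORDER = ["sna", "tcpip", "netbios", "other"]
# Custom queuing: bytes each queue may send per cycle, the 40/20/20/20 split from the slide.
BYTE_COUNTS = {"sna": 400, "tcpip": 200, "netbios": 200, "other": 200}


def make_queues(loads):
    return {cls: deque([PACKET_BYTES] * n) for cls, n in loads.items()}


def priority_queuing(queues, order, link_bytes):
    """Transmit until link_bytes are used, always taking from the first
    non-empty queue in 'order'. Returns bytes sent per class."""
    sent = {cls: 0 for cls in queues}
    budget = link_bytes
    while budget > 0:
        cls = next((c for c in order if queues[c]), None)
        if cls is None or queues[cls][0] > budget:
            break
        size = queues[cls].popleft()
        sent[cls] += size
        budget -= size
    return sent


def custom_queuing(queues, byte_counts, link_bytes):
    """Round-robin over the queues; in each cycle a queue may send packets
    until it has used its byte count or runs empty. A queue with little
    to send leaves its unused share to the others in later cycles."""
    sent = {cls: 0 for cls in queues}
    budget = link_bytes
    while budget > 0 and any(queues.values()):
        progressed = False
        for cls, q in queues.items():
            cycle_sent = 0
            while q and cycle_sent < byte_counts[cls] and q[0] <= budget:
                size = q.popleft()
                cycle_sent += size
                sent[cls] += size
                budget -= size
                progressed = True
        if not progressed:
            break
    return sent


def share(sent):
    """Percentage of transmitted bytes each class received."""
    total = sum(sent.values())
    return {cls: round(100 * b / total, 1) for cls, b in sent.items()}


if __name__ == "__main__":
    print("priority:", priority_queuing(make_queues(LOADS), PRIORITY_ORDER, 2000))
    print("custom  :", custom_queuing(make_queues(LOADS), BYTE_COUNTS, 2000))
```

With 2000 bytes of link time and 3000 bytes waiting in the SNA queue, priority queuing sends nothing but SNA: the other three classes are starved, which is the slide's "not serviced in a timely manner, or at all". Custom queuing sends 800/400/400/400 bytes, exactly the configured minimums, and when one class has little to send (the second assertion below) the spare capacity goes to the others rather than idling.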
31. Efficient Network
- An efficient network should not waste bandwidth, especially over costly WAN links. To be efficient, routers should prevent unnecessary traffic from traversing the WAN and minimize the size and frequency of routing updates.
- Techniques that optimize a WAN connection:
  - Access lists: filtering/stopping unwanted traffic
  - Snapshot routing
  - Dial-on-Demand Routing
  - Compression over WANs
  - Incremental updates: routing protocols such as OSPF send routing updates that contain information only about routes that have changed.
32. Efficient Network - DDR
- With Dial-on-Demand Routing (DDR), low-volume, periodic network connections can be made over the switched network (such as ISDN, PSTN) in a cost-effective way.
- A router activates the DDR feature when it receives an IP packet destined for a location on the other side of the dial-up line.
- The router dials the destination phone number and establishes the connection. When the transmission is complete, the line is automatically disconnected.
- The main difference between dial backup and DDR is the reason for placing the call. With DDR, traffic to the called destination activates the link. With dial backup, the link is activated as a result of a primary line failure or because the utilization of the primary link has reached a predefined level.
33. Efficient Network - Snapshot Routing
- Distance vector routing protocols typically update neighbor routers with their complete routing table at regular intervals even when there is no change in the network topology. Regular updates would cause a dial-up link to be re-established just to maintain the routing tables. It is possible to adjust the timers, but snapshot routing is a better solution.
- With snapshot routing, routers exchange their route tables during an initial connection. Then each router waits until the next active period on the line before again exchanging routing information.
- The router takes a snapshot of the routing table, which it uses during quiet periods while the dialup link is down. When the link is re-established, the router again updates its neighbors.
34. Making a Network Adaptable
- An adaptable network will handle the addition and coexistence of multiple routed and routing protocols.
- Adaptable protocols are needed to support routing information for different routed protocols.
- Adaptable protocols and routers also support route redistribution, which allows routing information to be shared among two or more different routing protocols. For example, RIP routes could be redistributed, or injected, into an OSPF area.
35. Accessible and Secure
- Accessible networks let users connect over a variety of technologies.
- Users may be connected through a wired or wireless LAN.
- Remote users/sites may have access to several types of WAN services:
  - Circuit-switched networks that use dialup lines
  - Dedicated networks that use leased lines
  - Packet-switched networks
  - VPN over the Internet
- The easier it is for legitimate users to access the network, the easier it is for unauthorized users to break in. The network administrator must secure the access.
  - Access lists can be used to provide security.
  - Authentication and encryption should be used.
36. Accessible and Secure
- A RADIUS client, also referred to as a Network Access Server (NAS), provides the remote connections for users. A RADIUS client is typically a router, a VPN server/router or a wireless access point. A RADIUS server performs authentication, authorization and accounting functions.
- A VPN is the extension of a private network that encompasses links across shared or public networks like the Internet. A VPN enables you to send data between two computers across a shared or public network in a manner that emulates the properties of a point-to-point private link. The data being sent is encrypted for confidentiality.
- IPSec is a set of protocols for creating and maintaining secure communications over IP networks. IPSec VPNs ensure the privacy an
- SSL can be used to implement a VPN. An SSL-based VPN typically only requires standard web browsers with built-in SSL capabilities.
37. Accessible and Secure - WLAN
- Security problems with early WLAN systems (WEP-based IEEE 802.11):
  - Open system authentication: the SSID is sent in clear text.
  - Problems/weaknesses of Wired Equivalent Privacy (WEP): there is no defined mechanism to change the encryption keys, which makes it easier to crack the keys, and the distribution of encryption keys is not defined.
- Wi-Fi Protected Access (WPA) addresses the problems in WEP.
  - WPA uses the Temporal Key Integrity Protocol (TKIP) for encryption and IEEE 802.1X/EAP for authentication. WPA2 uses the Advanced Encryption Standard (AES).
  - IEEE 802.1X is based on the use of an authentication server (e.g. RADIUS) for user management and the Extensible Authentication Protocol for secured communication.
38. Troubleshooting
- Troubleshooting begins by looking at a methodology that breaks down the process of troubleshooting into manageable pieces. This permits a systematic approach, minimizes confusion, and cuts down on time otherwise wasted with trial-and-error troubleshooting.
- The stages of the general troubleshooting process are:
  - Step 1: gather symptoms
  - Step 2: isolate the problem
  - Step 3: correct the problem
- The stages are not mutually exclusive. At any point in the process, it may be necessary to retrace to previous steps. For example, it may be necessary to gather more symptoms while isolating a problem. Often, when attempting to correct a problem, another unidentified problem could be created.
39. Gathering Symptoms
- The troubleshooter gathers and documents symptoms from the network, end systems, or users.
- The troubleshooter determines which network components have been affected and how the functionality of the network has changed compared to the baseline.
- Symptoms may appear in many different forms: alerts from the network management system, console messages, and user complaints.
40. Gathering Symptoms
- The problem is reported by a person or by software.
- Often involves communicating with others.
- It is like gathering requirements in software design.
- It is an iterative process.
- Possible questions to ask:
  - What does not work? What does work?
  - Are the things related?
  - When was the problem first noticed?
  - What has changed since the last time it did work?
  - Did anything unusual happen?
  - When exactly does the problem occur?
41. Isolating and Correcting Problems
- Isolation of the problem
  - Identify the characteristics of the problem at the logical layers of the network so that the most likely cause can be selected.
  - At this stage, it may be necessary to gather and document more symptoms depending on the problem characteristics that are identified.
- Correct the problem
  - Correct an identified problem by implementing, testing, and documenting a solution.
  - Change only one thing at a time. Gather results as you change each variable.
  - Perform each step carefully and test to see if the symptoms go away.
  - If the corrective action has created another problem, the attempted solution is documented and the changes are removed. Then return to gathering symptoms and isolating the problem.
42. Layered Approach
- The OSI model is useful in troubleshooting networks. The model allows troubleshooting to be described in a structured way.
- The ability to identify which layers pertain to a networking device gives a troubleshooter the ability to minimize the complexity of a problem by dividing the problem into manageable parts.
- For example, knowing that Layer 3 issues are of no importance to a switch defines the boundaries of a task to layer 1 and layer 2. This simple knowledge can prevent wasting time troubleshooting irrelevant possibilities and will reduce the amount of time spent attempting to correct a problem.
43. Bottom-up
- When applying a bottom-up approach to troubleshooting a networking problem, the examination starts with the physical components of the network and then works up through the layers of the OSI model until the cause of the problem is identified.
- Advantages: most networking problems reside at the lower levels, so this approach will often produce effective results.
- Disadvantages: requires checking every device and interface on the network until the possible cause of the problem is found. The challenge is to determine which devices to start with.
44. Top-down
- When applying a top-down approach to troubleshooting a networking problem, the end-user application is examined first. Then work down from the upper layers of the OSI model until the cause of the problem has been identified.
- This approach requires checking every network application until the possible cause of the problem is found. The challenge is to determine which application to start with.
45. Divide and Conquer
- When the divide-and-conquer approach is applied to troubleshooting a networking problem, a layer is selected and tested in both directions from the starting layer.
- This approach is initiated at a particular layer. The layer is chosen based on the troubleshooter's experience level and the symptoms gathered about the problem.
- Once the direction of the problem is identified, troubleshooting follows that direction until the cause of the problem is identified.
- If it can be verified that a layer is functioning, it is quite safe to assume that the layers below it are functioning as well. If a layer is not functioning properly, gather symptoms of the problem at that layer and work downward to lower layers.
46. Selecting an Approach
- A troubleshooting approach is often selected based on the complexity of the problem.
- A bottom-up approach typically works better for complex problems.
- If symptoms come from users complaining about specific network application(s), a top-down approach may be preferred.
- If symptoms come from the network (e.g. network monitor display, alarm/warning messages from devices), a bottom-up approach will likely be more effective.
- If a particular problem has been experienced previously, then the troubleshooter may know of a way to shorten the troubleshooting process.
47. Documentation
- An inventory of equipment and software, such as a list of MAC addresses and IP addresses.
- Keep a record of changes (a change log file), recording:
  - each significant change
  - each problem identified
  - each entry dated, with the name of the person who made the entry
- Types of documentation:
  - Configuration information that describes the system, for example, sysreport used in Linux.
  - Procedural information that describes how to do things. Best practice: use tools (such as script) that automatically document what you are doing.
48. Monitoring and Logging
- Event logs are useful for troubleshooting and monitoring performance.
- An event (an entry in the log file) may include details of the date and time when it occurred, event ID, event category, etc.
- In Windows systems, event categories include application, security, system, etc.
- Performance monitor keeps track of various processes. It helps identify bottlenecks. It helps with the planning of upgrades, tracking of processes, monitoring the results of tuning/configuration, etc.
- Bottlenecks could be due to the system not having enough resources, or due to a malfunctioning program, or a program that dominates a resource.
- Performance monitoring can be done locally or remotely.
- When the value of a monitored object exceeds the limit, an alert/action is required. The alert/action can be sending a message, executing a script, recording the event in the log file, etc.
49. Logging
- The syslog.conf file specifies rules for logging of system messages on Linux/Unix systems. Each rule specified in the syslog.conf file consists of two fields: a selector and an action.
- The selector field consists of two parts, a facility and a priority.
  - The facility specifies the subsystem that produced the message. Examples of facilities: auth, authpriv, cron, daemon, kern, lpr, mail, news, syslog, user, uucp and local0 through local7.
  - The priority defines the severity of the message. Examples of priorities in ascending order: debug, info, notice, warning, err, crit, alert, emerg.
- The action can be writing the message to a file on the local host, forwarding the message to another host, or writing the message to users' screens if they are logged on.
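A parser for the rule format just described, added here as an example and not taken from the lecture notes. It reads selector/action pairs, validates the facility and priority names against the lists on the slide, and answers the question an administrator actually has when reviewing the file: given a message of facility X and priority Y, which actions fire? The matching follows the classic syslog.conf conventions (a priority matches itself and everything more severe, `*` is a wildcard, `,` joins facilities, `;` joins selectors with a later selector overriding an earlier one for the facilities it names, and `none` excludes a facility). The configuration text is constructed.

```python
"""Added example, not from the lecture notes: parse syslog.conf-style rules
into selector/action pairs and decide which actions apply to a message.
It follows the classic syslog.conf semantics: 'facility.priority' matches
that priority and every more severe one, '*' is a wildcard, ',' joins
facilities, ';' joins selectors (a later selector overrides an earlier
one for the facilities it names), and 'none' excludes a facility. The
configuration text and the messages below are constructed."""

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "news",
              "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]

CONFIG = """
# constructed sample syslog.conf
*.info;mail.none;authpriv.none      /var/log/messages
authpriv.*                          /var/log/secure
mail.*                              -/var/log/maillog
kern.crit                           @loghost.example.net
*.emerg                             *
"""


def parse_config(text):
    """Return a list of (selector, action) pairs, rejecting unknown names."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(maxsplit=1)
        for part in selector.split(";"):
            facs, _, prio = part.partition(".")
            for fac in facs.split(","):
                if fac != "*" and fac not in FACILITIES:
                    raise ValueError(f"line {lineno}: unknown facility {fac!r}")
            if prio not in PRIORITIES and prio not in ("*", "none"):
                raise ValueError(f"line {lineno}: unknown priority {prio!r}")
        rules.append((selector, action))
    return rules


def is_valid(text):
    try:
        parse_config(text)
    except ValueError:
        return False
    return True


def selector_matches(selector, facility, priority):
    """Evaluate one selector field; later ';'-parts override earlier ones
    for the facilities they name, which is how 'mail.none' carves mail
    out of '*.info'."""
    matched = False
    for part in selector.split(";"):
        facs, _, prio = part.partition(".")
        fac_list = facs.split(",")
        if "*" not in fac_list and facility not in fac_list:
            continue
        if prio == "none":
            matched = False
        elif prio == "*":
            matched = True
        else:
            matched = PRIORITIES.index(priority) >= PRIORITIES.index(prio)
    return matched


def actions_for(rules, facility, priority):
    return [action for selector, action in rules if selector_matches(selector, facility, priority)]


def action_kind(action):
    """Classify an action field into the three kinds the slide lists."""
    if action == "*":
        return "write to all logged-in users"
    if action.startswith("@"):
        return "forward to host " + action[1:]
    if action.startswith("-"):
        return "append to file (no sync) " + action[1:]
    return "append to file " + action


if __name__ == "__main__":
    rules = parse_config(CONFIG)
    for fac, prio in [("kern", "crit"), ("mail", "info"), ("authpriv", "debug"), ("daemon", "debug")]:
        print(f"{fac}.{prio}:", [action_kind(a) for a in actions_for(rules, fac, prio)])
```

Two details are worth checking against a real file with this kind of tool: a `kern.crit` message also lands in `/var/log/messages` because `*.info` covers it, and a `daemon.debug` message is discarded entirely because nothing selects priorities below info for that facility.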
50. Logging Policies
- Data logged should be kept for a period rather than deleted immediately.
- Log files could be reset at periodic intervals.
- It is good practice to keep data for a period by rotating log files.
- For example, log files are kept for a week. Backup files are named logfile.1, logfile.2, ..., logfile.6. Every day, the data in logfile.7 is lost as logfile.6 overwrites it.
- To store logged data for a longer period, compress and archive the logs to tape or other permanent media.
51. Troubleshooting TCP/IP Networks
- Step 1. Check whether the local host is properly configured: are the subnet mask and default gateway correct? Use the TCP/IP utilities such as ipconfig, netstat, route print, arp, etc.
- Step 2. Use the ping or traceroute commands to check whether the default gateway (router) can respond. Then, progressively ping outwards.
- Step 3. If not able to get through a particular node, check the node configuration and use various show commands to determine the state of the router (e.g. show ip route, show running-config).
- Step 4. If all the routers in the path are working, check the host configuration at the remote host.
52. Useful Tools
- netstat: shows connections, services, routing
- ifconfig: shows network interfaces (for Windows, use ipconfig)
- ping: tests connectivity
- traceroute: shows route/path information
- route: shows and changes the routing table
- ip: shows, changes and sets network configuration
- arp: shows MAC addresses
- ps: information about processes
  - is the web server running? ps aux | grep httpd
- top: shows the processes that use the most resources (CPU time); for Windows, use the Task Manager
53. netstat
- netstat can show statistics about network interfaces, including the number of packets/bytes sent/received, etc. These values are cumulative (since the interface came up).
- netstat -tua shows all network connections, including those listening
- netstat -tu shows only connections that are established
- netstat -i is like ifconfig; shows info and stats about each interface
- netstat -nr shows the routing table, like route -n
- Windows provides netstat also.
54 ipconfig/ifconfig and route
- ipconfig (Windows), ifconfig (Linux)
- Check interface status: connected or disconnected
- Check IP address and subnet mask
- Check default gateway and DNS settings
- Route
- Check the route table in the computer: route print
- Check the route table in the router: show ip route. This helps in checking the routing protocols.
- The route table can be modified by adding static routes and a default route.
55 Ping
- The most useful check of connectivity. Sends an ICMP echo_request message and waits for an ICMP echo_reply message. Shows the round-trip time. Can be used to make a rough measurement of throughput.
- If a ping is not successful, the following error messages may help in understanding what is wrong.
- Destination Network Unreachable: there is no route to the destination in the route table of the local host or the router. This may happen if the default gateway is not properly assigned to the computer. For routers, this may be due to problems with routing protocols or static/default routes.
- Request Timeout: the echo_request message has been sent out by the local host, but there is no reply, possibly due to a connectivity problem or because the remote host is not available.
56 Path Discovery: traceroute
- As the name suggests, traceroute (tracert in Windows) provides information about the route from the source to the destination.
- Ping can test connectivity between two points, but it does not tell which path the ICMP packets take.
- Why bother to know which path is taken? For example, to verify that a BGP router is sending traffic via the preferred route.
57 traceroute Explained (1)
- Explain the functions performed by packets 1 to 26.
58 traceroute Explained (2)
- Packet 1 sends a DNS query to the DNS server (140.112.254.4) to look up the IP address of www.csie.ntu.edu.tw.
- Packet 2 sends back the IP address of www.csie.ntu.edu.tw, which is 140.112.30.28.
- Packets 3 and 4: the host sends a UDP datagram to 140.112.30.28 with the time-to-live (TTL) set to 1. The TTL is decremented by 1 each time the packet passes through a router. Here the TTL reaches 0, causing the first router (192.168.5.1) to send back an ICMP Time-to-live exceeded message.
- Packets 5 and 6 try to resolve the name of the first router, unsuccessfully.
- Packets 7 to 10 repeat what packets 3 and 4 did two more times, so that different response times can be collected to calculate the average.
59 traceroute Explained (3)
- Packets 11 to 18 send UDP datagrams to 140.112.30.28 with the TTL set to 2. This time the packet reaches the second router (140.112.4.126) before it dies, causing the second router to send back an ICMP Time-to-live exceeded message. The same UDP packet is repeated two more times to calculate the average response time.
- Packets 19 to 26 send UDP datagrams to 140.112.30.28 with the TTL set to 3. This time the packet reaches the third router (140.112.30.28) before it dies, and since this third router's IP address matches the destination address of the UDP datagram, the router returns a different ICMP message, Destination unreachable, because the destination port is deliberately chosen as one that is normally not in use (> 3000). Name resolution is performed successfully by packets 21 and 22. The same packet is repeated two more times to calculate the average response time.
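The probing logic that produces the packet sequence on the two slides above (TTL 1, 2, 3; three probes per TTL; stop when the target itself answers with Port Unreachable instead of Time Exceeded), as an added simulation that is not part of the original slides. The three router addresses come from the trace; the per-hop delays, the jitter and the network model itself are constructed, so no packets are sent.

```python
import random

TTL_EXCEEDED = (11, 0)      # ICMP Time Exceeded: sent by an intermediate router
PORT_UNREACHABLE = (3, 3)   # ICMP Destination Unreachable, code 3: sent by the target host
PROBES_PER_HOP = 3          # traceroute repeats each TTL three times to average the RTT

# Constructed model of the path seen in the trace: (router address, one-way delay in ms).
PATH = [("192.168.5.1", 0.5), ("140.112.4.126", 4.0), ("140.112.30.28", 6.0)]

def send_probe(path, dst_ip, ttl, rng=random):
    """Carry one UDP probe hop by hop, decrementing the TTL at every router.

    Returns (replying address, ICMP (type, code), round-trip time in ms).
    The probe's UDP port is assumed to be one nobody listens on (> 3000).
    """
    for router, delay in path:
        ttl -= 1
        if ttl == 0:
            rtt = 2 * delay + rng.uniform(0, 1.0)   # small constructed queuing jitter
            if router == dst_ip:
                # The datagram reached its destination: the host has no listener
                # on that port, so it answers Port Unreachable, not Time Exceeded.
                return router, PORT_UNREACHABLE, rtt
            return router, TTL_EXCEEDED, rtt
    raise RuntimeError("probe left the modelled path without reaching dst_ip")

def traceroute(path, dst_ip, max_hops=30, seed=1):
    """Return one (ttl, replying address, average RTT in ms) entry per hop.

    Stops as soon as a probe round is answered with Port Unreachable.
    """
    rng = random.Random(seed)
    hops = []
    for ttl in range(1, max_hops + 1):
        replies = [send_probe(path, dst_ip, ttl, rng) for _ in range(PROBES_PER_HOP)]
        addr, icmp, _ = replies[0]
        avg_rtt = sum(r[2] for r in replies) / PROBES_PER_HOP
        hops.append((ttl, addr, round(avg_rtt, 2)))
        if icmp == PORT_UNREACHABLE:
            break
    return hops
```

Running traceroute(PATH, "140.112.30.28") yields three hops, mirroring packets 3 to 26 with the DNS lookups left out.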
60 Rough Measurement with ping
- Transmission delay: time to put the signal onto the media.
- Propagation delay: time for the signal to travel across the media.
- Queuing delay: time spent waiting for transmission in a router/switch.
- Rough measurement with ping:
- Ping with packet size 100 bytes: round-trip time 2Y ms
- Ping with packet size 1100 bytes: round-trip time 2X ms
- A rough estimate of the data throughput is 8000/(X-Y) bps
- Measurement with ping is simple, BUT it may not be accurate; for example, routers may give lower priority to answering pings.
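Where the 8000/(X-Y) figure comes from, as an added derivation that is not on the original slide. Let $B$ be the throughput, $L$ the ping packet size in bytes, and $d$ the part of the one-way delay that does not depend on packet size (propagation plus queuing), assumed to be the same for both pings:

$$
\begin{aligned}
\mathrm{RTT}(L) &= 2\left(\frac{8L}{B} + d\right) \\
\mathrm{RTT}(1100) - \mathrm{RTT}(100) &= 2X - 2Y = \frac{2 \cdot 8 \cdot (1100 - 100)}{B} = \frac{16000}{B} \\
B &= \frac{8000}{X - Y}
\end{aligned}
$$

The unit of $B$ follows the unit of $X$ and $Y$: with the round-trip times in milliseconds the result is in bits per millisecond (kbit/s); with times in seconds it is in bit/s. Only the extra 1000 bytes are supposed to differ between the two pings, which is why queuing that varies between probes, or routers deprioritising ICMP replies, distorts the estimate.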
61 What is Packet Capture?
- Real-time collection of data as it travels over the network. Works by putting the network interface into promiscuous mode, in which it examines all packets that arrive, even those not addressed to it. A normal Ethernet interface ignores packets not addressed to it.
- See what the client and server are actually communicating to each other. Can analyse the type of traffic on the network.
- Tools are called packet sniffers, packet analysers, protocol analysers or network monitors.
- Do not capture packets without permission!
- Do not invade the privacy of others. Permission should be obtained before capturing packets on the network.
62 Packet Capture - When?
- The most powerful technique
- When you need to see what the client and server are actually saying to each other
- When you need to analyse the type of traffic on the network
- Requires an understanding of network protocols to use effectively
63 Example
- The following trace file is the contents of an Ethernet frame captured by a protocol analyzer:
- Sequence  Captured bit stream
- 0000  23 87 45 9A 43 88 34 CD 7E FF 34 62 08 00 45 FF
- 0010  12 34 23 76 40 00 64 06 CD AB 85 23 43 59 85 23
- 0020  43 5A 23 87 52 63 25 41 40 43 00 00 00 00 FF 75
- 0030  20 00 35 75 00 00 82 04 05 91 70 90
- Given that the Ethernet II frame format is:
- Preamble (8 bytes) | Dest. Address (6) | Source Address (6) | Type (2) | Data (varies) | FCS (4)
- What are the source and destination MAC addresses?
- What is the type of the Ethernet data? (See note page for answer)
64 Example (contd)
- If the frame contains an IP header with the above format, determine:
- The Ethernet type value and the version number of the IP protocol.
- The source and destination IP addresses in dotted-decimal notation.
- What is the protocol type? (See note page for answer)
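A decoder for the captured bit stream of the previous two slides, added here as an example that is not part of the original slides. It walks the Ethernet II header and then the IPv4 header, checking lengths and the version/IHL byte before trusting any field. It assumes the dump starts at the destination MAC address (the preamble is never captured) and that the trailing FCS is not part of the bytes shown.

```python
# Captured bytes copied from the slide, as one hex string.
CAPTURE_HEX = (
    "23 87 45 9A 43 88 34 CD 7E FF 34 62 08 00 45 FF "
    "12 34 23 76 40 00 64 06 CD AB 85 23 43 59 85 23 "
    "43 5A 23 87 52 63 25 41 40 43 00 00 00 00 FF 75 "
    "20 00 35 75 00 00 82 04 05 91 70 90"
)
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

def mac(b):
    return ":".join(f"{x:02X}" for x in b)

def dotted(b):
    return ".".join(str(x) for x in b)

def decode_ethernet(frame):
    """Split an Ethernet II frame into its header fields and the payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet II header")
    etype = int.from_bytes(frame[12:14], "big")
    header = {"dst_mac": mac(frame[0:6]), "src_mac": mac(frame[6:12]),
              "ethertype": etype, "ethertype_name": ETHERTYPES.get(etype, "unknown")}
    return header, frame[14:]

def decode_ipv4(payload):
    """Decode the fixed 20-byte part of the IPv4 header (RFC 791 layout)."""
    version, ihl = payload[0] >> 4, payload[0] & 0x0F
    if version != 4 or ihl < 5 or len(payload) < ihl * 4:
        raise ValueError("not a complete IPv4 header")
    proto = payload[9]
    return {"version": version, "header_len": ihl * 4,
            "total_length": int.from_bytes(payload[2:4], "big"),
            "ttl": payload[8], "protocol": proto,
            "protocol_name": IP_PROTOCOLS.get(proto, "unknown"),
            "src_ip": dotted(payload[12:16]), "dst_ip": dotted(payload[16:20])}

def decode_capture(hexdump=CAPTURE_HEX):
    """Return (Ethernet fields, IPv4 fields or None when the payload is not IPv4)."""
    frame = bytes.fromhex(hexdump)
    eth, payload = decode_ethernet(frame)
    ip = decode_ipv4(payload) if eth["ethertype"] == 0x0800 else None
    return eth, ip
```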
65 tcpdump
- Be careful not to invade the privacy of others. Do not capture packets without permission!
- Filters can be used to select addresses, protocols, port numbers, ...
- Show all network traffic to and from 192.168.0.1: tcpdump host 192.168.0.1
- Show packets to 192.168.0.1: tcpdump dst 192.168.0.1
- Show packets to port 68 on 192.168.0.1: tcpdump dst 192.168.0.1 and port 68
- Capture traffic to or from 172.19.64.0/18: tcpdump net 172.19.64.0/18
- A network can be specified as source or destination: tcpdump src net 205.153.60/24, tcpdump dst net 172.19.64/18
66 tcpdump - filter
- A protocol can be specified: tcpdump ip, tcpdump tcp, tcpdump ip proto ospf
- This will catch DNS name lookups: tcpdump udp port 53
- This will not work as you might expect: tcpdump host ictlab and udp or arp
- Instead, group with parentheses and quote: tcpdump "host ictlab and (udp or arp)"
- To see more ways of filtering, look at the manual: man tcpdump
67 Ethereal (Wireshark)
- Ethereal can read data files captured by tcpdump
- Ethereal can capture data itself
- Like tcpdump, various types of filters can be used with Ethereal.
- Can expand any protocol. View details of protocols at different layers: data frames, IP packets, TCP/UDP segments, application protocols.
- Can view the contents of an entire TCP stream (conversation), in ASCII or in hexadecimal.
- Can check whether a communications stream is encrypted or not
- Be careful not to invade the privacy of others. Do not capture packets without permission.
68 Port Monitoring: Switched Network
- Don't do port monitoring without permission!
- Port monitoring, or port mirroring, selects network traffic for analysis.
- To capture traffic sent by hosts connected to a hub, just attach a protocol analyzer (or sniffer) to the hub.
- On a switch, once a host's MAC address has been learned, unicast traffic to that host is forwarded only to the required port, and is therefore not seen by the sniffer.
- How do you use Ethereal or tcpdump to monitor traffic between a number of hosts?
- Solution: some switches support port monitoring, where a switch port can monitor the traffic of other ports.
- The port monitoring function copies unicast packets to the required destination port (the monitor port).
- However, not every switch supports the port monitoring function.
69 Port Monitoring: Switched Network
- Don't do port monitoring without permission!
- Source Port: a port that is monitored.
- Destination Port (or Monitor Port): a port that is monitoring source ports, usually where a network analyzer is connected.
- Port monitoring can be local or remote
- Local port monitoring: the monitored ports are all located on the same switch as the destination port.
- Remote port monitoring: some source ports are not located on the same switch as the destination port.
- Port monitoring can be port-based or VLAN-based
- Port-based monitoring: the user specifies one or several source ports on the switch and one destination port.
- VLAN-based monitoring: on a given switch, the user can choose to monitor all the ports belonging to a particular VLAN.
70 Port Scanning
- Do not port scan machines without permission! Port scanning can be interpreted as a cracking attempt.
- Port scanning: the techniques used to determine which ports of a host are listening for connections. Port scanning software sends a request to connect to the target computer on each port sequentially and records which ports responded or seem open.
- Port scanning tools such as Network Mapper (nmap) help in checking what network services a computer is offering. A cracked computer may be hiding some services with trojaned utilities.
- Network security applications can alert administrators if they detect connection requests across a broad range of ports from a single host. To avoid being detected, an intruder may limit the ports to a smaller target set rather than blanket scanning all 65536 ports, or scan the ports over a much longer period of time.