Opening Tutorial. Download Handout Package:

Transcription

1 v2 Opening Tutorial Download Handout Package: Wayne M. Pecena, CPBE, CBNE Texas A&M University Office of Information Technology Educational Broadcast Services KAMU Public Broadcasting

2 Advertised Tutorial Scope Abstract: IP Switches and Routers come in increasingly many flavors with a wide range of ever expanding capabilities. Routers are the heart of IP networks, whether the more-or-less plug and play consumer-off-the-shelf variety or the redundant heavy iron that makes up our data centers and equipment rooms. Designing networks, and thus configuring routers, is both science and art. In this year s tutorial, Wayne will build a network from the ground up. Show us how to add access points, implement practical security, teach us about what we can learn from our routers in terms of traffic and use patterns. Along the way, we ll cover router selection and how many of the features and functions can be beneficial in a broadcast setting.

3 The Agenda for This Morning 8am IP Networking 101 Tutorial or Refresher 9am Welcome From John Poray, SBE Executive Director 9:15am Why Build a Segmented Network? What Are the Pieces? 10:00am Let s Build The Network Does It Really Work? 10:45am Takeaways Q & A 3

4 Expectations My Goal For You ME 4

5 IP Networking Tutorial or Refresher Download Handout Package: 5

6 IP Networking 101 Tutorial Introduction: IP Networking Models & Standards Data Flow Focus: Layer 1 The Physical Infrastructure Layer 2 Physical Addressing & Ethernet Switching Layer 3 Virtual Addressing & IP Routing Layer 4 TCP and UDP Transport 6

7 5 Things Required To Build a Network Send Host Receive Host Message or Data to Send Between Hosts Media to Interconnect Hosts Protocol to Define How Data is Transferred Media Protocols Media Send Host DATA Receive Host A Network is a Group of Host Devices That Share a Common Addressing Scheme A Host is Any Device That Can Be Connected to That Network 7

8 IP Networking Models & Standards 8

9 Standards Organizations De Jure & De Facto IETF Internet Engineering Task Force The Internet Standard RFC s IEEE- Institute of Electrical & Electronic Engineers Ethernet & Wireless LAN Standards ISO International Standards Organization OSI Reference Model ITU International Telecommunications Union Global Telecommunications Standards (ie PSTN) EIA Electronic Industries Association Focused on Physical Layer Standards 9

10 IETF Internet Engineering Task Force Request for Comments RFC s The Standards Bible of the Internet Used to Explain All Aspects of IP Networking Nomenclature RFC xxxx Requirement Levels: Required Recommended Elective Limited Use Deprecated / Not Recommended 10

11 IEEE- Institute of Electrical & Electronic Engineers Project 802 Ethernet Standards: Bridging Ethernet Wireless 11

12 The OSI Model Open Systems Interconnection (OSI) Model Provides Layer Swapping Partitions Communications Function - Defines How Data Traverses From An Application to the Network Networking Focus 12

13 Open Systems Interconnection OSI Model Application Presentation Session Transport Network Data Link Physical User Application Interaction Standardizes Data Encoding/Decoding/ Compression/Encryption Tracks User Sessions Inter-Host Communications Manages End-End Connections: TCP, UDP, & Flow Control Provides Internetwork Routing (path) Provides Virtual Addressing (IP) Provides Network Access Control, Physical Address (MAC), & Error Detection Interfaces to Physical Network, Moves Bits Onto & Off Network Medium 13

14 Another OSI Model Perspective Application 7 Presentation 6 Session 5 Transport 4 Network 3 Data Link 2 Physical 1 POP SMTP 25 RS-xxx WEB HTTP 80 TCP IPv4 PPP ISDN ADSL File Transfer FTP 20 / SNAP CAT 5 Directory DNS 53 UDP IPv6 Ethernet II Coax Net Mgmt SNMP 161 / 162 Fiber Application Layers Data Flow Layers 14

15 15 Encapsulation Data is Encapsulated As It Travels Through the Stack From Application

16 The Protocol Data Unit Layer PDU 4 Segment Source Port Destination Port Data 3 Packet Source IP Destination IP Protocol Segment 2 Frame Destination MAC Source MAC Ether Type Packet FCS 1 Bit

17 Encapsulation & De-Encapsulation Application Application Upper Level Data Presentation Presentation Upper Level Data Session PDU Session TCP Header Upper Level Data Transport Segment Transport IP Header Data Network Packet Network LLC Header MAC Header Data Data CS CS Data Link Frame Data Link Physical Bits Physical 17

18 Intra-Layer Communications 7 Application 6 Presentation 5 Session 4 Transport 3 Network 2 Data Link 1 Physical NO 18

19 TCP/IP Model or TCP/IP Stack OSI Model TCP/IP Model Application Presentation Application Session Transport Network Data Link Physical Transport Internet Network Interface 19 TCP/IP Ethernet Focused

20 Data Flow Focus: Layer 1 The Physical Infrastructure 20

21 Ethernet Media Evolution Thicknet Vampire Tap Thinnet Topology Also Migrates from Bus to Star Based 21

22 Ethernet Physical Standards IEEE Standard Physical Standard Cable Type Speed Maximum Length 802.3a 10-Base-2 Coax (thin-net) 10 Mbps 185m Base-5 Coax (thick-net) 10 Mbps 500m 802.3i 10-Base-T Twisted Pair 10 Mbps 100m 802.3u 100-Base-TX Twisted Pair 100 Mbps 100m 802.3u 100-Base-T4 Twisted Pair 100 Mbps 100m 802.3u 100-Base-FX MM Fiber 100 Mbps m 802.3u 100-Base-SX MM Fiber 100 Mbps 500m 22

23 Ethernet Physical Standards continued IEEE Standard Physical Standard Cable Type Speed Maximum Length 802.3ab 1000-Base-T Twisted Pair 1 Gbps 100m 802.3z 1000-Base-SX MM Fiber 1 Gbps 500m 802.3z 1000-Base-LX MM Fiber 1 Gbps 500m 802.3z 1000-Base-LX SM Fiber 1 Gbps Several Km 802.3an 10G-Base-T Twisted Pair 10 Gbps 100m 802.3ae 10G-Base-SR MM Fiber 10 Gbps 300m 802.3ae 10G-Base-LR SM Fiber 10 Gbps Several Km and 20 Gigabit, 40 Gigabit, & 100 Gigabit Ethernet.. 23

24 Ethernet GBIC & SFP Modules Giga-Bit Interface Converter - GBIC Transceiver SC Fiber Connector Single Form-factor Pluggable SFP (mini GBIC) Transceiver LC Fiber Connector Copper or Optical Based Transceiver to Provide Flexible Physical Interface -1000Base-T (some support 100/100-Base-T as well) Base-SX / LX / ZX - Multi-Mode / Single-Mode Fiber 24

25 Wireless Fidelity Networking Standards Ghz 2 Mbps (maximum) b 2.4 Ghz 11 Mbps a 5 Ghz 54 Mbps g 2.4 Ghz 54 Mbps n 2.4 MIMO 300 Mbps 802.ac 2.4 / 5 Ghz 450 / 1300 Mbps Frequency Bands (ISM): 2.4 Ghz Ghz 5 Ghz Ghz 25

26 Data Flow Focus: Layer 2 Physical Addressing & Ethernet Switching 26

27 Ethernet Network Physical Addressing MAC Address 6 Bytes Hexadecimal Notation - 00:12:3F:8D:4D:A7 Layer 2 Physical Address Fixed Burned-in-Address Assigned by NIC Mfg. Local in Scope Simplified Representation FF:FF:FF:FF:FF:FF 00:12:3F:8D:4D:A DATA Trailer Destination MAC Source MAC Source IP Destination IP IP Packet Ethernet Frame 27

28 The Ethernet Frame The Ethernet Frame Comes in Flavors: Raw Early Novell Netware IPX LLC IEEE Ethernet SNAP IPX, AppleTalk v2 Ethernet II (DIX) TCP/IP Multiple Frame Types Can Coexist on a Network 28

29 The Layer 2 Ethernet II (DIX) Frame An Ethernet II (DIX) Frame Preamble Destination Source Type Data CRC Address Address 8 BYTES 6 BYTES 6 BYTES 2 BYTES BYTES VARIABLE 4 BYTES Invalid FRAME Lengths: < 64 BYTES = RUNT FRAME > 1518 BYTES = GIANT FRAME Note Preamble Not Used in Frame Length Calculation Destination Source Type Address Address Data CRC 64 Byte Minimum 1518 Byte Maximum 29

30 Media Access Control (MAC) Address 48 bits Organization Unique Identifier (OUI) Mfg. Assigned 24 bits 24 bits 6 hexadecimal digits 6 hexadecimal digits A4 : 67 : 06 AB : 41 : D5 OUI A4:67:06 = Apple, Inc.

31 MAC Address Formats Always 48 Bits Expressed as Hexadecimal Can Be Represented in Several Formats: 00:A0:C9:14:C8:29 00-A0-C9-14-C A0.C914.C829 6 Bytes Byte 6 Byte 5 Byte 4 Byte 3 Byte 2 Byte 1 Organization Unique Identifier OUI Network Interface Controller NIC 31

32 Managed vs Un-Managed Ethernet Switches Managed Switch User Configurable Provides Ability to Control & Monitor Host Communications Port Configuration, Security, & Monitoring VLAN Implementation Redundancy Supported (STP) QoS (Prioritization) Implementation Port Mirroring Un-Managed Switch Fixed Configuration Plug & Play Provides Basic Host Communications Cheaper 32

33 Ethernet Switch Functions Learn MAC Addresses Filter Ethernet Frames Forward Ethernet Frames Flood Ethernet Frames Allow Redundancy (Avoid loops where redundant links exist) Can Provide Port Security Features

34 Learning a MAC Address Switch MAC Address Table Content Addressable Memory (CAM) Table A1 A2 A3 A4 MAC ADDRESS PORT 08-3e-8e A1 08-3e-8e A2 08-3e-8e A3 08-3e-8e A4 A Real MAC Address Table 08-3e-8e e-8e e-8e e-8e NOTE VLAN 1 is Special

35 Frame Flow Through Network P R E Destination MAC 00:00:0C:C1:00:20 Source MAC 00:00:0C:C1:00:10 T Y P E Source IP Destination IP DATA C R C 00:00:0C:C1:00: :00:0C:C1:00: :00:0C:C1:00: HOST A 00:06:5B:01:02: MAC Address Changes As Frame Passes Through the Network 00:06:5B:11:22: :00:0C:C1:00: HOST B P R E Destination MAC 00:06:5B:11:22:33 Source MAC 00:00:0C:C1:00:30 T Y P E Source IP Destination IP DATA C R C P R E Destination MAC 00:00:0C:C1:00:01 Source MAC 00:06:5B:01:02:03 T Y P E Source IP Destination IP DATA C R C 35

36 Virtual Local Area Network VLAN Allows Separation or Segmentation of Networks Across a Common Physical Media Creates Subset of Larger Network VLAN Control of Broadcast Domains Each VLAN is a Broadcast Domain Architecture Flexibility Security Static Port Based VLAN(s) Most Popular Manual Configuration Switch Port Security Features Dynamic Port Based MAC-Based VLAN(s) Assignment Based Upon MAC Address Protocol-Based VLAN(s) Assignment Based Upon Protocol 36

37 VLAN Example Access / Untagged Trunk / Tagged Switch Port Type Configuration: Cisco Terminology Access Link Member of One VLAN Only Connects to a Host Trunk Link Carries Traffic From Multiple VLANS Between Switches HP Terminology Untagged Port Member of One VLAN Only Connects to a Host Tagged Port - Carries Traffic From Multiple VLANS Between Switches 37

38 Switch Interface Configuration Switch 2 Switch 1 Switch 3 38

39 Switch Interface Configuration Interface Config: TRUNK / TAGGED Blue VLAN Green VLAN Interface Config: TRUNK / TAGGED Blue VLAN Red VLAN Green VLAN Switch 2 Switch 1 Switch 3 Access / Un-Tagged Interface Access / Un-Tagged Interface Access / Un-Tagged Interface 39

40 Adding the VLAN Tag ETHERNET FRAME PREAMBLE DESTINATION MAC ADDRESS SOURCE MAC ADDRESS TYPE DATA CRC 802.1Q ETHERNET FRAME PREAMBLE DESTINATION MAC ADDRESS SOURCE MAC ADDRESS TAG TYPE DATA CRC 4 bytes 802.1Q TAG TPID 0X8100 PRI C F I VLAN ID VLAN ID = 12 bits Yields 4,096 Possible VLAN(s) 40

41 Broadcast Domains Broadcast Domains Blue VLAN Green VLAN Red VLAN No Connectivity Exists Between Broadcast Domain, Networks, or Subnets 41

42 VLAN Configurations LAN #1 LAN #2 Physical Separate Networks VLAN Implementation VLAN #1 VLAN #2 VLAN #1 VLAN #2 Inter-Switch Links VLAN #1 VLAN #2 VLAN #1 VLAN #2

43 Trunk Link VLAN #1 & #2 Trunk Inter-Switch Links VLAN #1 VLAN #2 VLAN #1 VLAN #2 VLAN #1 VLAN #2 Trunk Link VLAN #1 & #2 Trunk Inter-Switch Links VLAN #1 VLAN #2 VLAN #1 VLAN #2

44 Trunk Link VLAN #1 & #2 Trunk Link VLAN #1 & #2 Trunk Inter-Switch Links VLAN #1 VLAN #2 VLAN #1 VLAN #2 Internet Trunk Link VLAN #1 & #2 Trunk Link VLAN #1 & #2 Trunk Inter-Switch Links VLAN #1 VLAN #2 VLAN #1 VLAN #2

45 Application Presentation Application Presentation Session Session Transport Transport Network Network Data Link Data Link Data Link Data Link Data Link Data Link Physical Physical Physical Physical Physical Physical 45

46 Data Flow Focus: Layer 3 Virtual Addressing & IP Routing 46

47 IP Network Virtual Addressing IPv4 Address 4 Bytes Doted Decimal Notation Layer 3 Logical Address Can Change Determined by Network - Assigned by User Global in Scope Simplified Representation FF:FF:FF:FF:FF:FF 00:12:3F:8D:4D:A DATA Trailer Destination MAC Source MAC Source IP Destination IP IP Packet Ethernet Frame 47

48 IP Addressing Rules Each Network MUST Have a Unique Network ID Each Host MUST Have a Unique Host ID Every IP Address MUST Have a Subnet Mask Implied for a Classful Network Explicit Stated for Classless Network An IP Address Must Be Unique Globally If Host on the Public Internet 48

49 The IPv4 Address 32 Bit Binary Address and 32 Bit Binary Mask 2 32 Yields 4,294,967,296 Addresses 32 Bits Divided Into Four (4) Octets or Bytes Expressed in Dotted Decimal Notation 32 bit IP Address Octet 1 Octet 2 Octet 3 Octet Bytes

50 2-Part IPv4 Address 32 bit IP Address Octet 1 Octet 2 Octet 3 Octet Bytes Network Address Subnet Mask Determines Host Address 50

51 IPv4 Address Classes 32 bits Class A 8 bits 8 bits 8 bits 8 bits NETWORK HOST HOST HOST Class B NETWORK NETWORK HOST HOST Class C NETWORK NETWORK NETWORK HOST Class D Multicast Class E Experimental 51

52 IPv4 Default Mask Class A 8 bits 24 bits NETWORK HOST HOST HOST Default Mask: Class B NETWORK 16 bits NETWORK HOST 16 bits HOST Default Mask: Class C 24 bits 8 bits NETWORK NETWORK NETWORK HOST Default Mask:

53 Classful IPv4 Addressing First Octet Range Network Range Available Networks ,384 2,097,152 Available Hosts/Network 16,777,214 65, Network Bits Host Bits 24 Class 16 B Class 8 C Default Mask

54 Variable Length Subnet Masking (VLSM) Allows Classless Subnetting VLSM RFC 1009 Mask Information is Explicit Must Be Specified Allows More Efficient Use of Address Space Taylor Address Space to Fit Network Needs Allows You to Subnet a Subnet Subnetting Borrows Host Bits to Create More Networks VLSM Allows Mask To Be Moved 54

55 VLSM Allows Mask to Be Determined on a Bit Basis Remember: Classful Addressing Specified Network/Host Boundary A B C Octet 1 Octet 2 Octet 3 Octet 4 Network Host Network Host Classless Addressing Allows Network/Host Boundary to Be Specified at an Individual Bit Octet 1 Octet 2 Octet 3 Octet 4 19 Subnet Mask Bits =

56 CIDR RFC 1517, 1518, 1519, 1520 Classless Interdomain Routing (CIDR) Class System No Longer Applies Routing Between Routing Domains Allows Supernets To Be Created Combining a Group of Class C Addresses Into a Single Block CIDR Notation (slanted notation): /19 Mask:

57 IP Address Mask Formats Classful Addressing: (Implied Mask ) VLSM Addressing: (Explicit Mask CIDR Notation : /19 Number of Mask Bits

58 Private IPv4 Address Space RFC 1918 Established Private Address Space Class A: to Class B: to Class C: to Private Address Space or 1918 Space : Private IP Address Space Is NOT Routable to the Global Internet Widely Used: Hide Host IP Address Security by Obscurity Minimize Public IP Use May Be Translated With Network Address Translation (NAT) Techniques: One-One Network Address Translation (NAT) Static & Dynamic Many-One Port Address Translation (PAT) 58

59 Network Address Translation NAT RFC 3022 RFC 1918 Addressed Hosts Inside Network (private) Outside Network Public Address Space (Usually) Gateway Router w/ NAT Services NAT Allows a Host Without a Valid Public IP Address to Communicate With a Host That Has a Public IP Address by Simply Changeing the IP Addresses as Packet Passes Through the NAT Device Why Use? Conserve Public IP Address Space Security by Obscurity (hide actual host IP address) NAT Types: Static One-to-One Translation Dynamic Pool of Public Addresses Made Available to Outbound Traffic Client Traffic NAT Overloading or Port Address Translation (PAT) Translates to a Single Public IP by Use of a Unique Port Number 59

60 Special Use Reserved IPv4 Address Space RFC /8 Network Address This Network or Wire Address /8 Private IP Address Space (RFC 1918) /8 Loopback Address /16 IETF Zero Configuration Address Space (RFC 3927) /16 Private IP Address Space (RFC 1918) /16 Private IP Address Space (RFC 1918) /4 Multicast Address Space /4 Experimental Address Space /32 Broadcast Address 60 Yields About 3.7 Billion Useable IPv4 Addresses

61 Routing Routing is Simply the Moving Packets Between Different Networks (Subnets or Broadcast Domains) by A Routing Protocol Using a Routed Protocol by Determining the Best Route to the Destination. OSI Model Layer 3 Defined Inter-Networking Process Routing Types: Static Routing Dynamic Routing Routing Protocol Classes: Interior Gateway Protocol (IGP) Exterior Gateway Protocols (EGP) 61

62 Broadcast Domains Broadcast Domains Blue VLAN Green VLAN Red VLAN No Connectivity Exists Between Broadcast Domain, Networks, or Subnets 62

63 Add Connectivity Between Broadcast Domains Add Router GE0 GE2 Network #1 Network #3 GE1 Network #2 FE0 Blue VLAN Green VLAN Red VLAN 63

64 Routing Types Static Routing Appropriate for Small & Simple Networks Minimal Router CPU/Memory No Routing Update Overhead Appropriate for Stable Networks Often Used in Stub Networks Human Intervention / Administration Required Yy Dynamic Routing Appropriate for Changing Topology Environments Automatically Adapts to Changes Desirable When Multiple Paths Exist More Scalable Hardware More Complex Less Configuration Error Prone 64

65 Dynamic Routing Categories Distance Vector Routing Protocol Periodic Routing Table Updates Distance Used as a Metric Neighbors Trust Neighbors Slow Convergence Link State Routing Protocol Routing Table Updates As Changes Occur Maintains Neighbor, Topology, & Shortest-Path Tables Each Router Updates From All Others Cost Used as a Metric 65

66 Routing Metrics & Administrative Distance Determines The Best Path to Target Host Cost Metrics: Hop Count The Number of Routers in a Path Bandwidth Throughput (bps) Load Traffic Flowing Through a Router Delay Network Latency (distance or congestion) Reliability Amount of Downtime of a Network Path Administrative Distance Indicates Believability of the Route Often Used When Multiple Protocols Are Used Often Used to Prefer A Certain Path When Multiple Paths Exist Routing Protocols Have Default Administrative Distances 66 Smaller Metrics = Best Route Lower Administrative Distance = More Believed

67 Hop Count May Not Be The Best Metric Ethernet 100 Mbps DS-3 45 Mbps DS-3 45 Mbps T Mbps T Mbps 67

68 The Routing Protocol Learn the route to each subnet in the internetwork (build routing table) Determine the best route (one route) Remove routes that are no longer valid Update routing table to reflect changes Perform updates quickly Prevent routing loops

69 The Routing Table Each Router Maintains It s Own Routing Table Routing Table Contents: Destination Network Cost and/or Metric Gateway or Next Hop Address Route Types: Direct Connected Remote Routes 69

70 Routing Table Examples Router A Router B / /30 Router C IP Configuration: mask default gateway / / /24 Router B /24 Routing Destination Table Network Static Routing Table Manually Entered Destination Network /24 Next Hop Address /30 Metric / /24 Next Hop Address /24 Metric / Router A sends Network / / /30 0 Router B sends Network /24 Dynamic Routing Table Generated by Routing Updates from All Routers 70

71 IGP and EGP Protocols Exterior Gateway Protocol RIP IGRP EIGRP OSPF IS-IS BGP RIP IGRP EIGRP OSPF Interior Gateway Protocol Interior Gateway Protocol 71

72 Routing Protocol Choices Most Popular Interior Distance Vector Interior Link State Exterior Path Vector Classful RIP IGRP EGP Classless RIP v2 EIGRP OSPF v2 IS-IS BGP v4 IPv6 RIPng EIGRP v6 OSPF v3 IS-IS v6 BGP v4 Our Focus 72

73 Practical Routing Protocol Choices Common IGP Protocols VLSM Support RIP v2 EIGRP (Cisco) OSPF v2 Type: Distance Vector Hybird Link-State Metric: Hop Count Bandwidth/Delay Cost Administrative Distance: Hop Count Limit: None Convergence: Slow Fast Fast Updates: Full Table Every 30 Seconds Send Only Changes When Change Occurs Send Only When Change Occurs, But Refreshed Every 30m RFC Reference: RFC 1388 N/A RFC

74 What Is A Layer 3 Switch? IMHO Marketing Terminology Applied to a One Box Solution: OSI Model Defines Layer 2 Switching OSI Model Defines Layer 3 Routing A Layer 3 Switch Incorporates Both in One Box Multilayer Switch Port Types: Switchport: Layer 2 Port MAC Addresses Learned Layer-3 Port: Routing Port Not for All Environments: Limited to Ethernet Ports/Interfaces Limited to OSPF and RIP Protocols 74

75 Layer 3 Switch Internals VLAN 100 VLAN 300 Port 0 Port 2 Port 4 Port 6 Port 8 Port 10 Port 12 Port 14 VLAN 200 Port 1 Port 3 Port 5 Port 7 Port 9 Port 11 Port 13 Port 15

76 Application Presentation Application Presentation Session Session Transport Transport Network Network Network Network Data Link Data Link Data Link Data Link Data Link Data Link Data Link Data Link Physical Physical Physical Physical Physical Physical Physical Physical 76

77 Data Flow Focus: Layer 4 TCP and UDP Transport 77

78 TCP Basics Transmission Control Protocol RFC 675 and later v4 in RFC 793 Connection Oriented Protocol Connection Establishment Segmentation & Sequencing Acknowledgement Flow Control or Windowing Guaranteed Or Reliable Data Delivery Acknowledgment of Packet Receipt Retransmission Occurs if Packet Not Received High Overhead Requires Establishment of a Session TCP Windowing Feature Dynamic Window Sizing Slow-Start 78

79 TCP 3-Way Handshake Host 1 Host 2 Host 1 Initiates Connection to Host 2 Host 2 Responds With Acknowledgement Plus Sends It s Own Synchronization Message to Host 1 SYN SYN + ACK ACK Host 1 Sends Synchronize Message to Host 2 Host 1 Completes the 3-Way Handshake By Sending Acknowledgement to Host 2 79

80 UDP Basics User Datagram Protocol RFC 768 Connectionless Protocol Simple or Lightweight, but Inherently Unreliable Best Effort Data Delivery Low Overhead, Thus Low Latency Why Use? Required for Real-Time Applications: VOIP or Video Over IP or Voice Over IP AOIP or Audio Over IP Latency More Detrimental Than Data Loss 80

81 TCP Connection Oriented Guaranteed Delivery Acknowledgments Sent Reliable, But Higher Latency Segments & Sequences Data Resends Dropped Segments Provides Flow Control Performs CRC Uses Port Numbers for Multiplexing TCP vs UDP UDP Connectionless Not Guaranteed No Acknowledgements Unreliable, But Low Latency No Sequencing No Retransmission No Flow Control Performs CRC Uses Port Numbers for Multiplexing 81

82 Why Build a Segmented Network? What Are the Pieces? Download Handout Package:

83 83 Network Landscape 70 s / 80 s / 90 s

84

85 The Legacy Flat Network A Single Broadcast Domain 85

86 The Hierarchical Network Organize By: Policy Regulation Security Performance / / /26 86

87 Logical Networks Production VLAN Administration VLAN Engineering VLAN Engineering Rack Room Production Island Administrative Suites 87

88 Hubs, Switches, & Routers Hub Layer 1 Device X Acts as a Repeater - All Incoming Frame FWD Out Every Other Port Half-Duplex Based CSMA/CD Algorithm Controlled No Intelligence Collision & Broadcast Domain Across All Ports Switch Layer 2 Device Originally Called Forwarding - Then Bridging - Now Called Switching Full Duplex Based Intelligence Based Selectively Forwards Frame to a Port Each Port is a Collision Domain (assuming one device per port) Each Switch is Within a Broadcast Domain Router Layer 3 Device Forwards Packets Between Different Networks Creates Broadcast Domains Each Interface is a Broadcast Domain 88

89 Network Design Considerations Understand Your Environment Each Network is Different IP Addressing Considerations VLAN Configuration Routing Protocol Selection Network Service(s) Selection (DNS, DHCP, etc) Security Aspects Access, Management, Documentation, & Monitoring Physical Layer Scheme Hardware (Switch & Router) Selection

90 Network Architecture Considerations Core or Backbone Layer 3 Layer 2 Classic Layered Approach Distribution Access

91 IP Addressing Considerations IP Address Planning (range) Current Needs Scalability Organize Subnets (Hierarchical) IP Address Host Allocation Public vs Private (RFC 1918) Static vs Dynamic Policy Assignment Documentation (IPAM sys) What About IPv6? Implementation Factors Migration Plan

92 Network Infrastructure Threats (A Subset of IT Security) Denial of Service DoS Spoofing Hijacking Authentication Bypass or Back Door Access Physical Access And the list goes on & on.. 92

93 Goals of Network Security Provides Confidentiality Maintain Privacy Prevent Use by Those Unauthorized Provides Authentication Verify That User s Are Who They Say They Are Maintains Data Integrity Data Has Not Changed Network Send Host DATA Receive Host 93

94 Security Begins With a Policy Planning Policy Creation Threat Analysis Policy Lifecycle Policy Implementation & Enforcement Management & Monitoring Detection Assessment 94

95 Common Policy Attributes What Does a Security Policy Define? Company Objectives Regulation Requirements System Requirements User Rules & Procedures Who is the Security Policy Audience? Anyone or Any Device That Has Network Access 95

96 Common Policy Terminology Asset Any object of value Vulnerability A system weakness to be exploited Threat - Possible danger to a system or its information Risk The feasibility that a vulnerability might be exploited Exploit - An attack directed at a vulnerability Countermeasure - An action or mitigation of a risk 96

97 Attributes of a Secure Network Layered Approach ( Defense in Depth NOTE 1) Different Security Controls Within Different Groups Security Domains Segmentation of Network Into Areas or Groups Privileges Restrict to Need To Access Deny by Default Access Restrict by Firewalls, Proxies, etc. Logging Accountability, Monitoring, & Activity Tracking NOTE 1 Cisco Security Terminology 97

98 Ethernet Switch Considerations Network Role & Location Self-Contained Stackable Modular (chassis + cards) Interface Requirements Capabilities - Range Interface Density Layer 3 Capability? Processor/Memory/MAC Addresses Supported/Multicast IGMP Backplane Fabric Throughput /Forwarding Rate (Gbps) Redundancy (power, processor, interfaces) PoE Requirements / Switch Capacity: (48vdc nominal) 802.af (15w) Class at (25w) PoE+

99 Router Considerations Network Role & Location Self-Contained Modular (chassis + cards) Interface Requirements Capabilities (LAN/WAN) Processor/Memory/Route Capacity Fabric/Backplane Throughput (packets per second PPS ) Redundancy (power, processor, interfaces) Required Feature Set: Security / IDS QoS MPLS VOIP NetFlow

100 Simulation

101 Practical VLAN Configuration 1 Cisco to Cisco Switch Port 23 Port 23 Port 2 Port 14 Port 4 Port 24 VLAN /24 Host Device A Host Device B VLAN /24 Host Device C Host Device D Conceptual Configuration: define vlan 100 & 200 in switch set port 2 mode to access set port 14 mode to access set port 23 mode to trunk allow vlan 100 & 200 on trunk port Conceptual Configuration: define vlan 100 & 200 in switch set port 4 mode to access set port 24 mode to access set port 23 mode to trunk allow vlan 100 & 200 on trunk port Exact configuration command will vary by switch model / IOS version 101

102 Switch#config t Enter configuration commands, one per line. End with CNTL/Z. Switch(config)#interface Fa0/2 Switch(config-if)#switchport mode access Switch(config-if)#switchport access vlan 100 Switch(config-if)#no shut Switch(config-if)#exit Switch(config)#exit Configuration Detail Switch A Switch#config t Enter configuration commands, one per line. End with CNTL/Z. Switch(config)#interface Fa0/14 Switch(config-if)#switchport mode access Switch(config-if)#switchport access vlan 200 Switch(config-if)#no shut Switch(config-if)#exit Switch(config)#exit Switch# Switch#config t Enter configuration commands, one per line. End with CNTL/Z. Switch(config)#interface Fa0/23 Switch(config-if)#switchport mode trunk Switch(config-if)#switchport trunk vlan 100 ^ % Invalid input detected at '^' marker. Switch(config-if)#switchport trunk allowed vlan 100,200 Switch(config-if)#exit Switch(config)#exit

103 Configuration Detail Switch B Switch B(config)#interface fa0/23 Switch B(config-if)#switchport mode trunk Switch B(config-if)#switchport trunk allowed vlan 100,200 Switch B(config-if)#exit Switch B(config)#exit Switch B# Switch B(config)#interface fa0/4 Switch B(config-if)#switchport mode access Switch B(config-if)#switchport accss vlan 100 Switch B(config-if)#no shut Switch B(config-if)#exit Switch B(config)#exit Switch B#config t Enter configuration commands, one per line. End with CNTL/Z. Switch B(config)#interface fa0/24 Switch B(config-if)#switchport mode access Switch B(config-if)#switchport access vlan 200 Switch B(config-if)#no shut Switch B(config-if)#exit Switch B(config)#exit Switch B#

104 Cisco vs HP Terminology Function Cisco HP VLAN Switch Port Access Mode Untagged Mode 802.1q Switch Port Trunk Mode Tagged Mode Aggregated Links Ether Channel Trunk Group

105 Practical VLAN Configuration 2 Cisco to HP Switch Port 23 Port 18 Port 2 Port 14 Port 7 Port 24 VLAN /24 Host Device A Host Device B VLAN /24 Host Device C Host Device D Conceptual Configuration: define vlan 100 & 200 in switch set port 2 mode to access set port 14 mode to access set port 23 mode to trunk allow vlan 100 & 200 on trunk port Cisco Terminology Access Mode Trunk Mode Conceptual Configuration: define vlan 100 & 200 in switch set port 7 as untagged vlan 100 set port 24 as untagged vlan 200 set port 18 as tagged vlan 100 & 200 HP Terminology Untagged Tagged 105

106 Router Configuration: Blue Network: /24 Green Network: /24 Red Network: /24 Assign Network to an Interface: interface ge0 ip address no shutdown interface ge1 ip address no shutdown interface ge2 ip address no shutdown Enable RIP Routing: router rip network network network Configuration Disclaimer: Exact configuration commands may vary based upon specific equipment models and software version. Generic Cisco commands utilized for illustration purposes. 106

107 When to Route When to Switch? Router Broadcast Domain 1000-Full Full Broadcast Domain 10 Half 100 Full 1000 Full 100 Full 100 Full 1000 Full Switch 10 - Half Route to Limit a Broadcast Domain or Provide Interoperability Between Networks Collision Domain Hub Switch to Create a Zero Collision Domain 10 Half 10 Half 10 Half 100 Full Capable

108 Cisco Ethernet Switch Configuration Basics Switch Access Understanding the UI Modes Interface Configuration Access & Trunk Modes Show Commands

109 Switch Access Methods User Mode Console Cable Privilege Mode Global Configuration Mode Network Access Interface Configuration Mode Telnet / SSH HTTP (web browser)

110

111 HELP?

112 Different Types of Interfaces FastEthernet (100Mbps) Gigabit Ethernet (1000 Mbps)

113 Trunk and Access Ports Trunk Access

114 Show Commands

115 Command Disclaimer Catalyst Nexus CatOS IOS NX - OS Catalyst 29xx 35xx 36xx 37xx 38xx and others.. Nexus Products

116 Let s Build The Network Does It Really Work? Download Handout Package:

117 Our Hardware Cisco WS-C3750G-24TS Switch Cisco WS-C2960G-8TC Switch Cisco 1841 Router

118

119

120

121 ISP CAT5 TP Cisco 1841 Router CAT5 TP Cisco 3750G Switch MM Fiber Cisco 2960G Switch MM Fiber Cisco 2960G Switch HP ProCurve 2530 Switch

122 The Ennes Network Architecture for KSBE Ennes Router VLAN Configuration: Internet DHCP Cisco Administration Production Engineering NetMgmt Cisco C2960G Prod Switch EngRack Switch Admin Switch Cisco C2960G Enabled VLANS: 200 Production (4 hosts) 300 Engineering (2 hosts) NetMgmt Cisco C3750G Enabled VLANS: 100 Administration (2 hosts) 200 Production (8 hosts) 300 Engineering (12 hosts) 400 NetMgmt (1 host) Enabled VLANS: 100 Administration (6 hosts) NetMgmt

123 The Ennes Network Architecture for KSBE Ennes Router VLAN Configuration: Internet DHCP Cisco Administration Production Engineering NetMgmt Cisco C2960G Prod Switch EngRack Switch Admin Switch Cisco C2960G Enabled VLANS: 200 Production (4 hosts) 300 Engineering (2 hosts) NetMgmt Cisco C3750G Enabled VLANS: 100 Administration (2 hosts) 200 Production (8 hosts) 300 Engineering (12 hosts) 400 NetMgmt (1 host) Enabled VLANS: 100 Administration (6 hosts) NetMgmt Subnet # Hosts Subnet Address Mask 1 st IP Address Last IP Address Size Broadast Network # Hosts HOSTS Subnet Administration Production Engineering NetMgmt Consider Growth 20%

124 IP Address Block Size Based Upon 2 n LSB 2 n

125 IP Addressing Plan Base Network: /25

126 IP Configuration Plan

127 IP Configuration Plan - 2

128 EngRack Switch to Ennes Router Interface Gi1/0/1 Fa0/1 VLAN 100 Fa0/1.1 Trunk Interface VLAN 200 VLAN 300 Fa0/1.2 Fa0/1.3 Sub-Interface VLAN 400 Fa0/ Q Trunk Link

129 Internet Does It Really Work? DHCP The Ennes Network Architecture for KSBE Fa0/0 Ennes Router Management: Cisco 1841 Cisco C2960G Management: Prod Switch Trunk - VLAN(s): 200,300,400 Gi0/7 Management: Fa0/1 Gi1/0/1 EngRack Switch Gi1/0/27 Gi1/0/28 Cisco C3750G Trunk - VLAN(s): 100,200,300,400 Gi0/7 Admin Switch Cisco C2960G Management: Trunk - VLAN(s): 100,400 Enabled VLANS: 200 Production (4 hosts) 300 Engineering (2 hosts) NetMgmt Enabled VLANS: 100 Administration (2 hosts) 200 Production (8 hosts) 300 Engineering (12 hosts) 400 NetMgmt (1 host) Enabled VLANS: 100 Administration (6 hosts) NetMgmt VLAN IP Address Configuration: VLAN: Network: Mask: Default Gateway: 100 Administration Production Engineering NetMgmt

130 ISP CAT5 TP Cisco 1841 Router CAT5 TP Cisco 3750G Switch MM Fiber Cisco 2960G Switch MM Fiber MM Fiber Cisco 2960G Switch HP ProCurve 2530 Switch

131 The Ennes Network Architecture for KSBE EXPANDED Ennes Router VLAN Configuration: Internet DHCP Cisco Administration Production Engineering NetMgmt Cisco C2960G Prod Switch Cisco C3750G EngRack Switch Admin Switch Cisco C2960G Gi1/0/24 Port 9 HP ProCurve 2530 Switch ( )

132

133 What is Wrong With This Design? ISP Cisco 3750G Switch CAT5 TP CAT5 TP Cisco 1841 Router 100Mbps Why a 100 Mbps Link Here? GigE MM Fiber Cisco 2960G Switch MM Fiber MM Fiber Cisco 2960G Switch HP ProCurve 2530 Switch

134 ISP CAT5 TP Let s Fix It Cisco 1841 Router Cisco 3750G Switch MM Fiber MM Fiber Then Re-Configure Ports: Switch & Router Cisco 2960G Switch MM Fiber MM Fiber Cisco 2960G Switch HP ProCurve 2530 Switch

135 Another Approach ISP CAT5 TP Cisco 3750G Switch Use a Layer 3 Switch MM Fiber Cisco 2960G Switch MM Fiber MM Fiber Cisco 2960G Switch HP ProCurve 2530 Switch

136 Takeaways Questions Maybe Some Answers Download Handout Package: 136

137 Application Presentation Application Presentation Session Transport Network Layer 2 Device Network Layer 3 Device Network Layer 2 Device Session Transport Network Data Link Data Link Data Link Data Link Data Link Data Link Data Link Data Link Physical Physical Physical Physical Physical Physical Physical Physical 137

138 Packet Flow Through Network P R E Destination MAC 00:00:0C:C1:00:20 Source MAC 00:00:0C:C1:00:10 T Y P E Source IP Destination IP DATA C R C 00:00:0C:C1:00: :00:0C:C1:00: IP Address Does Not Change As Packet Passes Through the Network (except if NAT is involved) 00:00:0C:C1:00: :00:0C:C1:00: HOST A 00:06:5B:01:02: MAC Address Changes As Frame Passes Through the Network 00:06:5B:11:22: HOST B P R E Destination MAC 00:06:5B:11:22:33 Source MAC 00:00:0C:C1:00:30 T Y P E Source IP Destination IP DATA C R C P R E Destination MAC 00:00:0C:C1:00:01 Source MAC 00:06:5B:01:02:03 T Y P E Source IP Destination IP DATA C R C 138

139 Takeaway Points Physical Addressing Provided by Layer 2 MAC Address Ethernet Switches Eliminate or Minimize Collision Domains Virtual Addressing Provided by Layer 3 IP Address IP Routers Create and Limit Broadcast Domains All IP Addresses Must Have a Subnet Mask: Implied or Explict An IP Address Has 2-Parts: Network Address & Host Address The IP Address Mask Determines the Network Address Host Address Separation

140 Takeaway Points - 2 Hierarchical or Segmented Networks Are Desirable Network Traffic May Be Isolated Because of: Policy Regulations Security Performance VLANs Allow a Common Physical Infrastructure to Support Multiple Isolated Networks Each VLAN is an Isolated Network or Subnet and is a Broadcast Domain With a Unique IP Address Scheme What Happens in a VLAN Stays in the VLAN 140

141 Security Takeaway Points Insure User Switch Ports Are Set as Access or Non-Trunking Disable Any Un-Used Switch Ports Place Unused Ports in a Non-Used Black Hole VLAN Never Used VLAN 1 Create a Secure Management Environment: SSH Access (Secure Shell) OUB Access (Out of Band) Use ACLs (Access Control Lists) Change Default Logins Disable Services Not Required Understand & Know Your Network Baseline Utilize Switch Port Security 141

142 My Favorite Reference Sources: IEEE Ethernet References: IETF Resources: RFC References: MAC OUI Look-Up: IPv4 Address Block Size: Cisco Oriented Guides: On-Line Subnet Calculator: The Mask IOS Subnet Calculator: 142

143 143 My Favorite Reference Texts:

144 Knowledge & Expertise There is a Lot We Did Not Cover This Morning Source: Simon Wardley (2008) 144

145 The Real World OSI Model RFC 2321 A Description of the Usage of Nondeterministic Troubleshooting and Diagnostic Methodologies ID10T Errors 145

146 146

147 Thank You for Attending Wayne M. Pecena Texas A&M University ? Questions? 147 Download Handout Package:

148 The Ennes Network Architecture for KSBE Internet DHCP Fa0/0 Ennes Router Management: Cisco 1841 Cisco C2960G Management: Prod Switch Trunk - VLAN(s): 200,300,400 Gi0/7 Management: Fa0/1 Gi1/0/1 EngRack Switch Gi1/0/27 Gi1/0/28 Cisco C3750G Trunk - VLAN(s): 100,200,300,400 Gi0/7 Admin Switch Cisco C2960G Management: Trunk - VLAN(s): 100,400 Enabled VLANS: 200 Production (4 hosts) 300 Engineering (2 hosts) NetMgmt Enabled VLANS: 100 Administration (2 hosts) 200 Production (8 hosts) 300 Engineering (12 hosts) 400 NetMgmt (1 host) Enabled VLANS: 100 Administration (6 hosts) NetMgmt VLAN IP Address Configuration: VLAN: Network: Mask: Default Gateway: 100 Administration Production Engineering NetMgmt

149 Configuration Details: EngRack_SW EngRack> EngRack>enable EngRack#show runnin EngRack#show running-config Building configuration... Current configuration : 3064 bytes version 12.2 no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption hostname EngRack no aaa new-model switch 1 provision ws-c3750g-24ts-1u system mtu routing 1500 ip subnet-zero no file verify auto spanning-tree mode pvst spanning-tree extend system-id vlan internal allocation policy ascending interface GigabitEthernet1/0/1 switchport trunk encapsulation dot1q switchport trunk allowed vlan 100,200,300,400 switchport mode trunk interface GigabitEthernet1/0/2 switchport access vlan 100 switchport mode access interface GigabitEthernet1/0/3 switchport access vlan 100 switchport mode access interface GigabitEthernet1/0/4 switchport access vlan 200

150 switchport mode access interface GigabitEthernet1/0/5 switchport access vlan 200 switchport mode access interface GigabitEthernet1/0/6 switchport access vlan 200 switchport mode access interface GigabitEthernet1/0/7 switchport access vlan 200 switchport mode access interface GigabitEthernet1/0/8 switchport access vlan 200 switchport mode access interface GigabitEthernet1/0/9 switchport access vlan 200 switchport mode access interface GigabitEthernet1/0/10 switchport access vlan 200 switchport mode access interface GigabitEthernet1/0/11 switchport access vlan 200 switchport mode access interface GigabitEthernet1/0/12 switchport access vlan 400 switchport mode access interface GigabitEthernet1/0/13 switchport access vlan 300 switchport mode access interface GigabitEthernet1/0/14 switchport access vlan 300 switchport mode access interface GigabitEthernet1/0/15 switchport access vlan 300 switchport mode access interface GigabitEthernet1/0/16 switchport access vlan 300 switchport mode access interface GigabitEthernet1/0/17 switchport access vlan 300 switchport mode access interface GigabitEthernet1/0/18 switchport access vlan 300 switchport mode access interface GigabitEthernet1/0/19 switchport access vlan 300 switchport mode access interface GigabitEthernet1/0/20

151 switchport access vlan 300 switchport mode access interface GigabitEthernet1/0/21 switchport access vlan 300 switchport mode access interface GigabitEthernet1/0/22 switchport access vlan 300 switchport mode access interface GigabitEthernet1/0/23 switchport access vlan 300 switchport mode access interface GigabitEthernet1/0/24 switchport access vlan 300 switchport mode access interface GigabitEthernet1/0/25 interface GigabitEthernet1/0/26 interface GigabitEthernet1/0/27 switchport trunk encapsulation dot1q switchport trunk allowed vlan 200,300,400 switchport mode trunk interface GigabitEthernet1/0/28 switchport trunk encapsulation dot1q switchport trunk allowed vlan 100,400 switchport mode trunk interface Vlan1 no ip address interface Vlan400 ip address ip classless ip http server ip http secure-server control-plane line con 0 line vty 0 4 login length 0 line vty 5 15 login end EngRack#

152 Configuration Details: Ennes Router Ennes> Ennes>enable Password: Ennes#show runni Ennes#show running-config Building configuration... Current configuration : 1104 bytes version 12.4 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption hostname Ennes boot-start-marker boot-end-marker enable password sbe no aaa new-model dot11 syslog ip cef multilink bundle-name authenticated archive log config hidekeys interface FastEthernet0/0 ip address dhcp client-id FastEthernet0/0 duplex auto speed auto interface FastEthernet0/1 no ip address

153 duplex auto speed auto interface FastEthernet0/1.1 encapsulation dot1q 100 ip address interface FastEthernet0/1.2 encapsulation dot1q 200 ip address interface FastEthernet0/1.3 encapsulation dot1q 300 ip address interface FastEthernet0/1.4 encapsulation dot1q 400 ip address router rip network ip forward-protocol nd no ip http server no ip http secure-server control-plane line con 0 line aux 0 line vty 0 4 login scheduler allocate end Ennes#

154 Configuration Details: Prod_SW Prod_SW> Prod_SW>enable Prod_SW#show runni Prod_SW#show running-config Building configuration... Current configuration : 1160 bytes version 12.2 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption hostname Prod_SW boot-start-marker boot-end-marker no aaa new-model system mtu routing 1500 ip subnet-zero spanning-tree mode pvst spanning-tree extend system-id vlan internal allocation policy ascending interface GigabitEthernet0/1 switchport access vlan 200 switchport mode access interface GigabitEthernet0/2 switchport access vlan 200 switchport mode access interface GigabitEthernet0/3 switchport access vlan 200 switchport mode access

155 interface GigabitEthernet0/4 switchport access vlan 200 switchport mode access interface GigabitEthernet0/5 interface GigabitEthernet0/6 switchport access vlan 300 switchport mode access interface GigabitEthernet0/7 switchport access vlan 300 switchport mode access interface GigabitEthernet0/8 description Trunk to EngRack_SW switchport trunk allowed vlan 200,300 interface Vlan1 no ip address no ip route-cache shutdown ip http server ip http secure-server control-plane line con 0 line vty 5 15 end Prod_SW#

156 Configuration Details: Admin_SW Admin_SW> Admin_SW>enable Admin_SW#show runnin Admin_SW#show running-config Building configuration... Current configuration : 1123 bytes version 12.2 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption hostname Admin_SW boot-start-marker boot-end-marker no aaa new-model system mtu routing 1500 ip subnet-zero spanning-tree mode pvst spanning-tree extend system-id vlan internal allocation policy ascending interface GigabitEthernet0/1 switchport access vlan 100 switchport mode access interface GigabitEthernet0/2 switchport access vlan 100 switchport mode access interface GigabitEthernet0/3 switchport access vlan 100 switchport mode access interface GigabitEthernet0/4 switchport access vlan 100

157 switchport mode access interface GigabitEthernet0/5 switchport access vlan 100 switchport mode access interface GigabitEthernet0/6 switchport access vlan 100 switchport mode access interface GigabitEthernet0/7 interface GigabitEthernet0/8 switchport trunk allowed vlan 100,400 switchport mode trunk interface Vlan1 no ip address no ip route-cache shutdown ip http server control-plane line con 0 line vty 5 15 end Admin_SW#

158 Cisco C2960G "Admin" Switch Port Host Device IP Address Mask CIDR Gateway Cable # Port Status VLAN # VLAN Name Gi1/0/0 Admn Host / A-1 Access 100 Administration Gi1/0/1 Admn Host / A-2 Access 100 Administration Gi1/0/2 Admn Host / A-3 Access 100 Administration Gi1/0/3 Admn Host / A-4 Access 100 Administration Gi1/0/4 Admn Host / A-5 Access 100 Administration Gi1/0/5 Admn Host / A-6 Access 100 Administration Gi1/0/6 Disabled Gi1/0/7 EngRack_SW F-4 Trunk F-3 100/400

159 Cisco C3750G "EngRack" Switch Port Host Device IP Address Mask CIDR Gateway Cable # Port Status VLAN # VLAN Name Gi1/0/1 EnnesRtr Trunk 100/200/300/400 Gi1/0/2 Admn Host / Access 100 Administration Gi1/0/3 Admn Host / Access 100 Administration Gi1/0/4 Prod Host / Access 200 Production Gi1/0/5 Prod Host / Access 200 Production Gi1/0/6 Prod Host / Access 200 Production Gi1/0/7 Prod Host / Access 200 Production Gi1/0/8 Prod Host / Access 200 Production Gi1/0/9 Prod Host / Access 200 Production Gi1/0/10 Prod Host / Access 200 Production Gi1/0/11 Prod Host / Access 200 Production Gi1/0/12 NetMgmt / Access 400 NetMgmt Gi1/0/13 EngHost / Access 300 Engineering Gi1/0/14 EngHost / Access 300 Engineering Gi1/0/15 EngHost / Access 300 Engineering Gi1/0/16 EngHost / Access 300 Engineering Gi1/0/17 EngHost / Access 300 Engineering Gi1/0/18 EngHost / Access 300 Engineering Gi1/0/19 EngHost / Access 300 Engineering Gi1/0/20 EngHost / Access 300 Engineering Gi1/0/21 EngHost / Access 300 Engineering Gi1/0/22 EngHost / Access 300 Engineering Gi1/0/23 EngHost / Access 300 Engineering Gi1/0/24 EngHost / Access 300 Engineering Gi1/0/25 F-1 Shutdown Gi1/0/26 F-2 Shutdown Gi1/0/27 ProdSW F-3 Trunk 100/400 Gi1/0/28 AdminSw F-4 Trunk 200/300/400