Fundamentals of IP Networking 2017 Webinar Series Part 4 Building a Segmented IP Network Focused On Performance & Security

Wayne M. Pecena, CPBE, CBNE
Texas A&M University Educational Broadcast Services, KAMU Public Broadcasting

Fundamentals of IP Networking 2017 Webinar Series: Advertised Presentation Scope
- Part 1: Introduction to IP Networking Standards & the Physical Layer
- Part 2: Ethernet Switching Fundamentals and Implementation
- Part 3: IP Routing and Internetworking Fundamentals
- Part 4: Building a Segmented IP Network Focused On Performance & Security (July 25)
  Part 4 brings the conceptual aspects of the previous webinars together to show how to design and implement a segmented network infrastructure built for performance and security. Best-practice approaches are presented to ensure network performance and security. Specific topics include developing an IP addressing plan, segmentation techniques, and Access Control List (ACL) implementation.
- Part 5: Cybersecurity Fundamentals & Securing the Network (August 29)

Today's Outline
- Takeaway Review From Webinar 3
- Brief Overview of Layer 4 and Above
- Network Design Considerations
- Segmented Network Design
- IP Addressing Plan
- Access Control Lists (ACL)
- Takeaways, References, Questions, and Maybe Some Answers

Takeaway Points: Layer 3, The Network Layer
- Focus Upon Packet Delivery to a Network
- IP Routing Protocol: the IP Address Contains the Network Address
- IP Routing Protocols: Internal, External; Best Protocol = Best Fit for Your Network Environment
- IP Addressing Rules Must Be Obeyed:
  - Each Network MUST Have a Unique Network ID
  - Each Host MUST Have a Unique Host ID
  - Every IP Address MUST Have a Subnet Mask
  - An IP Address Must Be Unique Globally If the Host Is on the Public Internet
  - The First & Last IP Address of a Network Are Not Useable!
- VLSM Widely Used Today: Subnet Mask Explicitly Stated (CIDR notation)
- Public IPv4 Address Space is Limited
- IPv6 Provides Expanded Address Space + IP Re-Engineering
- IPv6 is NOT Backward Compatible With IPv4 (but Migration Friendly)
- Future - IPv6: A Must to Add Hosts to the Internet; Restores the Host-to-Host Communications That IP is Based Upon

BRIEF OVERVIEW OF LAYER 4 AND ABOVE

TCP Basics: Transmission Control Protocol (RFC 675 and later v4 in RFC 793)
- Connection-Oriented Protocol: Connection Establishment, Segmentation & Sequencing, Acknowledgement, Flow Control or Windowing
- Guaranteed or Reliable Data Delivery: Acknowledgment of Packet Receipt; Retransmission Occurs if a Packet Is Not Received
- High Overhead: Requires Establishment of a Session
- TCP Windowing Feature: Dynamic Window Sizing, Slow-Start

TCP 3-Way Handshake (Host 1 initiates a connection to Host 2):
1. SYN: Host 1 sends a Synchronize message to Host 2
2. SYN + ACK: Host 2 responds with an Acknowledgement plus its own Synchronization message to Host 1
3. ACK: Host 1 completes the 3-way handshake by sending an Acknowledgement to Host 2

The TCP Session Summary (state progression over time between the two hosts):
- Connection Closed: the initiator sends SYN (SYN Sent); the listener (Listen) receives it (SYN Received) and answers SYN + ACK; the initiator answers ACK
- Connection Established: Data Segment 1, ACK; Data Segment 2, ACK; Data Segment 3, ACK
- Teardown: FIN (FIN Wait 1); ACK (FIN Wait 2 on the closing side, CLOSE Wait on the other); FIN (Last ACK); ACK
- Connection Closed

UDP Basics: User Datagram Protocol (RFC 768)
- Connectionless Protocol
- Simple or Lightweight, but Inherently Unreliable: Best-Effort Data Delivery
- Low Overhead, Thus Low Latency
- Why Use? Required for Real-Time Applications: VOIP (Video Over IP or Voice Over IP), AOIP (Audio Over IP); Latency Is More Detrimental Than Data Loss

UDP Session (diagram): TCP (SYN, SYN + ACK, ACK) is used to establish the UDP session; the UDP data datagrams then flow over time with no acknowledgements.

TCP vs UDP
  TCP                                   UDP
  Connection Oriented                   Connectionless
  Guaranteed Delivery                   Not Guaranteed
  Acknowledgments Sent                  No Acknowledgements
  Reliable, But Higher Latency          Unreliable, But Low Latency
  Segments & Sequences Data             No Sequencing
  Resends Dropped Segments              No Retransmission
  Provides Flow Control                 No Flow Control
  Performs CRC                          Performs CRC
  Uses Port Numbers for Multiplexing    Uses Port Numbers for Multiplexing

TCP and UDP Headers (header layout diagram not reproduced in the transcript)

RTP: Real-time Transport Protocol (RFC 3550)
- UDP Based; Real-time Streaming Media Delivery
- RTP Provides: Packet Sequencing, Timestamping, Payload Type
- RTP Stream Overview (encapsulated in UDP segments): RTP Data Transfer (time stamped); RTCP QoS Feedback (receiver to sender)
- Encapsulation: Ethernet Header (Frame, Layer 2) | IP Header (Packet, Layer 3) | UDP Header (Segment, Layer 4) | RTP Header (Layer 5) | RTP Payload

A Few Words About Port Numbers (RFC 6335)
- Applications Are Indexed by a Port Number; Allows Differentiation of Multiple Applications
- Port Numbers Can Be Between 0 and 65,535:
  - 0 to 1,023 Are Considered Reserved or System Ports
  - 1,024 to 49,151 Are User Ports and Can Be Registered
  - 49,152 to 65,535 Are Considered Dynamic or Private
- 65,535 TCP and 65,535 UDP Port Numbers
- Reserved & Registered Port Numbers: http://www.iana.org/assignments/port-numbers

Examples: Well Known System Port Numbers
- Port 20 / 21: FTP, File Transfer Protocol
- Port 23: TELNET
- Port 53: DNS, Domain Name Service
- Port 80: HTTP
- Port 110: POP3, Post Office Protocol
- Port 123: NTP, Network Time Protocol
- Port 161: SNMP, Simple Network Management Protocol (UDP)
- Port 443: HTTPS

Sockets
- A Socket Is a Combination of an IP Address & a Port Number
- Allows Multiple Network Services to Exist on the Same Host (IP Address)
- IP Address + Port Number = Socket: IP Address 192.168.100.10 and Port Number 8080 yield the Socket 192.168.100.10:8080
- Diagram: the Server at 192.168.100.100 runs an SMTP Server, an HTTP Server and a Stream Media Server; the User PC at 192.168.100.002 runs a Mail Client (Email App), a Web Browser (Browser App) and a Stream Media Player (Media Player App). The resulting socket pairs:
  - SMTP: 192.168.100.100 TCP 25 - 192.168.100.002 TCP 1245
  - HTTP: 192.168.100.100 TCP 80 - 192.168.100.002 TCP 1328
  - Stream Media: 192.168.100.100 UDP 1755 - 192.168.100.002 UDP 1873

NETWORK DESIGN CONSIDERATIONS

The Building Blocks: Hubs, Switches, & Routers
- Hub, Layer 1 Device: Acts as a Repeater - All Incoming Frames FWD Out Every Other Port; Half-Duplex Based, CSMA/CD Algorithm Controlled; No Intelligence; Collision & Broadcast Domain Across All Ports
- Switch, Layer 2 Device: Originally Called Forwarding, Then Bridging, Now Called Switching; Full Duplex Based; Intelligence Based - Selectively Forwards a Frame to a Port; Each Port is a Collision Domain (assuming one device per port); Each Switch is Within a Broadcast Domain
- Router, Layer 3 Device: Forwards Packets Between Different Networks; Creates Broadcast Domains - Each Interface is a Broadcast Domain

The Flat Network: Legacy Network Architecture (diagram: hosts .1 through .12 on the single subnet 192.168.1.0)
- A Single Broadcast Domain; Common Addressed Subnet
- Challenges: Manageability, Security, Scalability, Reliability

The Hierarchical Network (diagram: 192.168.1.0 divided into 192.168.1.0 /26, 192.168.1.64 /26 and 192.168.1.128 /26)
- Organize By: Geographic, Policy / Regulation, Security, Performance

Network Design Considerations
- Understand Your Environment: Each Network is Different!
- IP Addressing Considerations
- VLAN Configuration
- Routing Protocol Selection
- Network Service(s) Selection (DNS, DHCP, etc.)
- Security Aspects: Access, Management, Documentation, & Monitoring
- Physical Layer Scheme
- Hardware (Switch & Router) Selection

Network Architecture Considerations: Classic Layered Approach
- Core or Backbone (Layer 3)
- Distribution
- Access (Layer 2)

Ethernet Switch Considerations
- Network Role & Location
- Self-Contained, Stackable, or Modular (chassis + cards)
- Interface Requirements: Capabilities - Range, Interface Density
- Layer 3 Capability?
- Processor / Memory / MAC Addresses Supported / Multicast IGMP
- Backplane Fabric Throughput / Forwarding Rate (Gbps)
- Redundancy (power, processor, interfaces)
- PoE Requirements / Switch Capacity (48 VDC nominal): 802.3af (15 W) Class 3; 802.3at (25 W) PoE+

Router Considerations
- Network Role & Location
- Self-Contained or Modular (chassis + cards)
- Interface Requirements: Capabilities (LAN/WAN)
- Processor / Memory / Route Capacity
- Fabric / Backplane Throughput (packets per second, PPS)
- Redundancy (power, processor, interfaces)
- Required Feature Set: Security / IDS, QoS, MPLS, VOIP, NetFlow

SEGMENTED NETWORK DESIGN

Logical Networks (diagram): Production VLAN (Production Island), Administration VLAN (Administrative Suites), Engineering VLAN (Engineering Rack Room)

Physical topology (diagram): ISP - CAT5 TP - Cisco 1841 Router - CAT5 TP - Cisco 3750G Switch; from the 3750G, MM Fiber to a Cisco 2960G Switch, MM Fiber to a second Cisco 2960G Switch, and an HP ProCurve 2530 Switch.

The Ennes Network Architecture for KSBE
- Ennes Router (Cisco 1841): Internet uplink, DHCP. VLAN Configuration: 100 - Administration, 200 - Production, 300 - Engineering, 400 - NetMgmt
- Prod Switch (Cisco C2960G), Enabled VLANs: 200 Production (4 hosts), 300 Engineering (2 hosts), 400 NetMgmt
- EngRack Switch (Cisco C3750G), Enabled VLANs: 100 Administration (2 hosts), 200 Production (8 hosts), 300 Engineering (12 hosts), 400 NetMgmt (1 host)
- Admin Switch (Cisco C2960G), Enabled VLANs: 100 Administration (6 hosts), 400 NetMgmt

EngRack Switch to Ennes Router: an 802.1Q Trunk Link between switch interface Gi1/0/1 and router trunk interface Fa0/1, with one router sub-interface per VLAN: Fa0/1.1 - VLAN 100, Fa0/1.2 - VLAN 200, Fa0/1.3 - VLAN 300, Fa0/1.4 - VLAN 400

What is Wrong With This Design? (diagram: ISP - CAT5 TP - Cisco 1841 Router - CAT5 TP at 100 Mbps - Cisco 3750G Switch - MM Fiber at GigE - two Cisco 2960G Switches) Why a 100 Mbps Link Here, between the router and the 3750G, when the switch-to-switch links are GigE?

Let's Fix It! (diagram: ISP - CAT5 TP - Cisco 1841 Router - MM Fiber - Cisco 3750G Switch - MM Fiber - two Cisco 2960G Switches) Replace the router-to-switch CAT5 TP link with MM Fiber, then re-configure the ports on both the switch & the router.

Another Approach! (diagram: ISP - CAT5 TP - Cisco 3750G Switch - MM Fiber - two Cisco 2960G Switches) Use a Layer 3 Switch: the 3750G connects directly to the ISP and performs the routing in place of a separate router.

IP ADDRESSING PLAN

IP Addressing Considerations
- IP Address Planning (range): Current Needs, Scalability
- Organize Subnets (Hierarchical)
- IP Address Host Allocation: Public vs Private (RFC 1918), Static vs Dynamic, Policy Assignment
- Documentation (IPAM system)
- What About IPv6? Implementation Factors, Migration Plan

Network Address Translation: NAT (RFC 3022)
- Types of NAT:
  - Static: One-to-One Translation
  - Dynamic: Pool of Public Addresses Made Available to Outbound (Client) Traffic
  - NAT Overloading or Port Address Translation (PAT): Translates to a Single Public IP by Use of a Unique Port Number
- NAT Addressing Terminology: Inside Local or Inside Private; Inside Global or Inside Public; Outside Global or Outside Public; Outside Local or Outside Private
- In General: Inside Addresses Are Local; Global Addresses Are Public
- Diagram: Inside Network (private) - Gateway Router w/ NAT Services - Outside Network; Inside Local and Outside Local addresses are seen on the inside, Inside Global and Outside Global addresses on the outside

Static NAT (diagram): Private Network Space 10.0.0.0/24 (hosts 10.0.0.2 /24, 10.0.0.3 /24, 10.0.0.4 /24) - Gateway Router w/ NAT Services - Public Network Space 128.194.247.0 /24
- Mappings: 10.0.0.2 mapped to 128.194.247.2; 10.0.0.3 mapped to 128.194.247.3; 10.0.0.4 mapped to 128.194.247.4 (and 128.194.247.2 mapped to 10.0.0.2, 128.194.247.3 to 10.0.0.3, 128.194.247.4 to 10.0.0.4 for inbound traffic)
- Outbound Simple Layer 3 Packet: Source IP 10.0.0.2, Destination IP 128.194.300.2, Payload. The Source IP Address is Changed by NAT, so the packet leaves as Source IP 128.194.247.2, Destination IP 128.194.300.2, Payload.
- Inbound Simple Layer 3 Packet: Source IP 128.194.300.2, Destination IP 128.194.247.2, Payload. The Destination IP Address is Changed by NAT, so the packet arrives inside as Source IP 128.194.300.2, Destination IP 10.0.0.2, Payload.

Dynamic NAT (diagram): Private Network Space (10.0.0.2 /24, 10.0.0.3 /24, 10.0.0.4 /24) - Gateway Router w/ NAT Services - Public Network Space
- Pool Of AVAILABLE Public IP Addresses: 128.194.247.2 to 128.194.247.14
- NAT Table: 10.0.0.2 - 128.194.247.10 (IP Address Chosen from the Pool of Public IP Addresses)
- Dynamic Entry Remains if Traffic Flows (timeout)
- Common to Have More Private Hosts Than Public IP Address Space

NAT Overloading or PAT, Port Address Translation: Single Address NAT / Port-Level Multiplexed NAT (diagram): Private Network Space (10.0.0.2 /24, 10.0.0.3 /24, 10.0.0.4 /24) - Gateway Router w/ NAT Services - Public Network Space, single public address 128.194.247.10
- NAT Table (Source Address & Port), Inside Local -> Inside Global:
  - 10.0.0.2:1024 -> 128.194.247.10:1024
  - 10.0.0.3:1026 -> 128.194.247.10:1026
  - 10.0.0.4:1028 -> 128.194.247.10:1028
- Destination Address & Port (unchanged by the translation)

NAT Drawbacks!
- Accountability Limited Globally: Multiple Internal Hosts Share a Global IP Address
- Breaks the IP Concept of End-to-End Connectivity
- Complicates the Process of Allowing a Global IP Host to Establish a Session With an Internal Host

The Ennes Network Architecture for KSBE: Host Count Worksheet (same diagram as above; host counts per VLAN are summed across the three switches, and growth of 20% is considered)
Subnet          # Hosts   With 20% Growth   Subnet Address   Mask   1st IP Address   Last IP Address   Size   Broadcast
Administration  8         10
Production      12        15
Engineering     14        17
NetMgmt         4         5
(The remaining columns are completed in the addressing plan.)

IP Address Block Size Based Upon 2^n: host-bit weights from MSB down to LSB are 128, 64, 32, 16, 8, 4, 2, 1

IP Addressing Plan: Base Network 192.168.100.0 /25. Subnet block sizes from the worksheet: 16, 32, 32 and 8 addresses. Use a VLSM Subnet Calculator: http://subnettingpractice.com/vlsm.html

The Ennes Network Architecture for KSBE: IP Addressing
- Ennes Router (Cisco 1841): Internet uplink (Fa0/0), DHCP; Fa0/1 trunk to the EngRack Switch Gi1/0/1; Management: 192.168.100.82
- EngRack Switch (Cisco C3750G): Management 192.168.100.84; Gi1/0/1 trunk to the router, Trunk VLAN(s): 100,200,300,400; Gi1/0/27 and Gi1/0/28 trunks to the Prod and Admin switches (each connected via its Gi0/7); Enabled VLANs: 100 Administration (2 hosts), 200 Production (8 hosts), 300 Engineering (12 hosts), 400 NetMgmt (1 host)
- Prod Switch (Cisco C2960G): Management 192.168.100.83; Gi0/7 trunk, Trunk VLAN(s): 200,300,400; Enabled VLANs: 200 Production (4 hosts), 300 Engineering (2 hosts), 400 NetMgmt
- Admin Switch (Cisco C2960G): Management 192.168.100.85; Gi0/7 trunk, Trunk VLAN(s): 100,400; Enabled VLANs: 100 Administration (6 hosts), 400 NetMgmt
VLAN IP Address Configuration:
VLAN                 Network          Mask             Default Gateway
100 Administration   192.168.100.64   255.255.255.240  192.168.100.65
200 Production       192.168.100.32   255.255.255.224  192.168.100.33
300 Engineering      192.168.100.0    255.255.255.224  192.168.100.1
400 NetMgmt          192.168.100.80   255.255.255.248  192.168.100.81

IP Configuration Plan

IP Configuration Plan - 2

The First & Last IP Address of a Network Are Not Useable!
- The First Address = Network Address or Wire Address
- The Last Address = Broadcast Address
- /25: 128 IP Addresses, 126 Useable Hosts
- /26: 64 IP Addresses, 62 Useable Hosts
- /27: 32 IP Addresses, 30 Useable Hosts
(In each block the diagram shows the Network Address first, the Gateway Address taken from the useable host range, and the Broadcast Address last.)
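The worksheet and the VLAN table above can be reproduced in code. The following Python is added here and is not part of the webinar: it takes the KSBE host counts from the diagram, applies the 20% growth allowance plus one gateway address per VLAN, and allocates aligned VLSM blocks from 192.168.100.0/25, which yields the same four subnets as the slide. The host counts and base network come from the slides; the function names and the rule of placing the gateway at the first usable address are assumptions of this example.

```python
import ipaddress
import math

# Host counts taken from the KSBE diagram (summed across the three switches).
KSBE_VLANS = {
    "100 Administration": 8,   # 2 on EngRack + 6 on Admin
    "200 Production": 12,      # 4 on Prod + 8 on EngRack
    "300 Engineering": 14,     # 2 on Prod + 12 on EngRack
    "400 NetMgmt": 4,          # four management addresses in the diagram
}
BASE_NETWORK = "192.168.100.0/25"
GROWTH = 0.20  # the worksheet plans for 20% growth


def prefix_for_hosts(hosts):
    """Smallest prefix length whose block holds `hosts` usable addresses
    plus the network (wire) and broadcast addresses, which are not usable."""
    size = 1
    while size < hosts + 2:
        size *= 2
    return 32 - int(math.log2(size))


def vlsm_plan(base, vlans, growth=GROWTH):
    """Allocate one aligned subnet per VLAN out of `base`.

    Requirement = ceil(hosts * (1 + growth)) + 1, the extra address being
    the default gateway. Largest blocks are placed first so every block
    starts on its own boundary. Returns a dict keyed by VLAN name."""
    pool = ipaddress.ip_network(base)
    needs = []
    for name, hosts in vlans.items():
        grown = math.ceil(hosts * (1 + growth))
        needs.append((prefix_for_hosts(grown + 1), -grown, name))
    plan = {}
    cursor = int(pool.network_address)
    for prefix, _, name in sorted(needs):  # shortest prefix = largest block first
        net = ipaddress.ip_network((cursor, prefix))
        if net.broadcast_address > pool.broadcast_address:
            raise ValueError(f"{base} has no room left for {name}")
        hosts = list(net.hosts())
        plan[name] = {
            "cidr": str(net),
            "network": str(net.network_address),
            "mask": str(net.netmask),
            "gateway": str(hosts[0]),        # first usable address (assumed)
            "first_host": str(hosts[1]),
            "last_host": str(hosts[-1]),
            "broadcast": str(net.broadcast_address),
            "usable_hosts": len(hosts) - 1,  # excluding the gateway
        }
        cursor = int(net.broadcast_address) + 1
    return plan


if __name__ == "__main__":
    for name, row in vlsm_plan(BASE_NETWORK, KSBE_VLANS).items():
        print(f"{name:20} {row['cidr']:18} mask {row['mask']:15} "
              f"gw {row['gateway']:15} hosts {row['first_host']}-{row['last_host']}")
```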

ACCESS CONTROL LISTS (ACL)

Access Control List (ACL)
- Provides a Basic Network Access Security Buffer
- Packet Filter Based: Filters IP Network Packets; Forwarded @ Egress Interface, Blocked @ Ingress Interface
- Implemented at the Border and Internally (diagram: Internet - Apply @ Border - Network - Apply Internally)

Standard Access List
- The ACL Rules Can Only Permit or Deny the Source Host IP Address
- Placed Closest to the Destination Host
Extended Access List
- Can Permit or Deny Based Upon: Source IP Address, Destination IP Address, TCP Port #, UDP Port #, TCP/IP Protocol
- Placed Closest to the Source Network

Implementing an Access Control List
- One ACL per: Interface, Direction, Protocol
- Ingress ACL Filters Inbound Packets; Egress ACL Filters Outbound Packets (diagram: Interface 0/0 and Interface 0/1 each have an ingress ACL and an egress ACL)
- Create Access Control List: Permit or Deny by Source IP Address, Destination IP Address, ICMP, TCP/UDP Source Port, TCP/UDP Destination Port
- Apply Access Control List

ACL Implementation Example: Block External Users From Pinging Inside Network Hosts (diagram: inside hosts 192.168.10.2 /24 and 192.168.10.6 /24 behind Router 1, whose interface E0 is 192.168.10.1 /24; interface E1 faces The Internet)

Create Access List on Router 1 (an extended list, numbered 100-199, is needed to match the ICMP protocol; a standard list numbered 1-99 can only match the source address):
  access-list 100 deny icmp any any
  access-list 100 permit ip any any
Apply Access List to Interface (inbound on the Internet-facing interface):
  interface ethernet1
  ip access-group 100 in

Configuration Disclaimer: Exact configuration commands may vary based upon specific equipment models and software version. Generic Cisco commands utilized for illustration purposes.
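To show how the router works through the list above, here is a small Python model added for this page (it is not from the webinar and not IOS code): it parses the extended ACL syntax used on the slide, applies Cisco first-match semantics with the implicit deny at the end, and checks constructed sample packets against the slide's list and against a mis-ordered copy of it. The outside address 203.0.113.9 and the function names are constructed for the example; the inside addresses are the slide's.

```python
import ipaddress

def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from tokens.
    Returns ((base, wildcard) as ints, remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.ip_address(tokens[1])), 0), tokens[2:]
    base, wild = (int(ipaddress.ip_address(x)) for x in tokens[:2])
    return (base, wild), tokens[2:]

def _addr_matches(spec, addr):
    """Cisco wildcard mask: 1 bits are 'don't care', 0 bits must match."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & care) == (base & care)

def parse_acl(lines):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines into
    an ordered rule list. Only extended lists (100-199) can match protocol,
    destination or port, which is what the ping filter on the slide needs."""
    rules = []
    for line in lines:
        t = line.split()
        if t[:1] != ["access-list"]:
            continue  # skip blank lines and '!' comments
        number = int(t[1])
        if not 100 <= number <= 199:
            raise ValueError(f"access-list {number} is a standard list and "
                             "can only match on the source address")
        action, proto = t[2], t[3]
        src, rest = _take_addr(t[4:])
        dst, rest = _take_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, packet):
    """First matching rule decides; with no match the implicit 'deny any'
    at the end of every ACL applies. packet = (proto, src, dst, dport)."""
    proto, src, dst, dport = packet
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if not (_addr_matches(rsrc, src) and _addr_matches(rdst, dst)):
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"

# The slide's list as an extended ACL. Note that 'deny icmp any any' also
# drops the echo replies to pings that inside hosts originate.
SLIDE_ACL = ["access-list 100 deny icmp any any",
             "access-list 100 permit ip any any"]
# The same two lines in the wrong order: the permit shadows the deny.
SHADOWED_ACL = list(reversed(SLIDE_ACL))

# Constructed sample packets arriving inbound on the Internet-facing interface.
OUTSIDE, INSIDE = "203.0.113.9", "192.168.10.2"
SAMPLE_PACKETS = [("icmp", OUTSIDE, INSIDE, None),  # echo request
                  ("tcp", OUTSIDE, INSIDE, 443)]    # HTTPS

def filter_packets(lines, packets):
    """Action taken for each packet under the given ACL lines, in order."""
    rules = parse_acl(lines)
    return [evaluate(rules, p) for p in packets]
```

Running filter_packets over SLIDE_ACL and SHADOWED_ACL with the same packets shows why rule order matters: the second list lets the echo request through.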

TAKEAWAYS, REFERENCES, QUESTIONS, AND MAYBE SOME ANSWERS

Takeaway Points, Part 4
- Use Segmented Network Design Techniques: Performance, Security, Policy
- VLANs Allow a Common Physical Infrastructure to Support Multiple Isolated Networks, Broadcast Domains, or Subnets
- Each Network, Subnet, or VLAN is a Broadcast Domain With a Unique IP Address Scheme
- L2 Ethernet Switches Eliminate Collision Domains; L3 Routers Control Broadcast Domains
- NAT Can Be Used to Minimize IPv4 Address Space
- IP Addressing Rules Must Be Obeyed:
  - Each Network MUST Have a Unique Network ID
  - Each Host MUST Have a Unique Host ID
  - Every IP Address MUST Have a Subnet Mask
  - An IP Address Must Be Unique Globally If the Host Is on the Public Internet
  - The First & Last IP Address of a Network Are Not Useable!

My Favorite Reference Texts: (book covers shown on the slide are not reproduced in the transcript)

My Favorite Subnet Calculator: The Mask iOS Subnet Calculator: http://www.cylineapro.com/cylsoft-portfolio/the-mask-ipv4-ipv6-calculator

Web Reference Sources: www.packetlife.net


Thank You for Attending! Wayne M. Pecena, wpecena@sbe.org, 979.845.5662. Don't Miss: Webinar #5 - Cybersecurity Fundamentals & Securing the Network, August 29