Advanced Ethernet Principles Using Westermo Equipment
Westermo Data Communications UK Ltd
Presenter: Graham Lee Esq. / Vincento “Coconut” Collis
Red Fox Industrial
Robust Industrial Data Communications - Made Easy
• Family of Layer 3 Switches
• High-Performance Ethernet Switch supports:
  • IGMP
  • VLAN
  • FRNT
  • QoS
• Advanced Layer 3 Functions:
  • Routing
  • NAT & PAT
  • OSPF
  • Firewall
  • IPsec
• Configurable Via:
  • HTTP, SSH, Telnet, Serial port
www.westermo.co.uk
Red Fox Industrial
Configurable in three different ways:
• Web-screen configuration
• CLI configuration via SSH and Telnet
• Serial configuration via console port
Slot-based construction and port numbering
• Management port
• Mix of Ethernet and fibre ports
• I/O and fault contact
• Configurable status LEDs
Figure labels: I/O & fault contact; status LEDs; management port; slot 1 = management; slots 2 & 3 = additional ports
OSI 7-Layer Model
The OSI (Open Standards Interconnect) model is a definition of how devices should communicate: each layer performs a defined task and is separate from the layers above and below. Data from higher levels is encapsulated by the lower layers.
Examples at each layer, from higher to lower:
• Communication protocols: TCP, UDP
• IP addresses, routers
• Ethernet, MAC addresses, switches, bridges
• Cat5e cable, fibre optic, DSL, radio
An Ethernet packet
Figure: an example packet, showing the PDU at each OSI layer. Ethernet header (Preamble, Destination MAC Address, Source MAC Address, Type Field); IP header (Version, IHL, Type Of Service, Total Length, Identification, Flags, Fragment Offset, TTL, Protocol, Header Checksum, Source IP Address, Destination IP Address, IP Options, Padding); TCP header (Src Port, Dst Port, Seq Number, Ack Number, Data Offset, Reserved, Flags, Window, Checksum, Urgent Pointer, Options); data from upper layers; Cyclic Redundancy Check. Maximum frame size = 1542 bytes.
Types of IP traffic
• UDP – connection-less traffic
• TCP – connection-based traffic
• Broadcast – one to all
• Multicast – one to many
IGMP
Multicast reserved addresses: 224.0.0.0 to 239.255.255.255
Figure: multicast subscribers and non-subscribers on the same switch.
IP Addresses
• 32-bit dotted decimal notation, e.g. 192.168.100.100
• A subnet mask segregates IPs into groups, e.g. 255.255.255.0
Subnets
192.168.10.0    255.255.255.0    11000000.10101000.00001010.00000000
192.168.10.255  255.255.255.0    11000000.10101000.00001010.11111111
With the 255.255.255.0 mask: .0 is the subnet address, .1 - .254 are host addresses, .255 is the broadcast address.
The same range split into four smaller subnets (mask 255.255.255.192):
Subnet address   Hosts          Broadcast address
.0               .1 - .62       .63
.64              .65 - .126     .127
.128             .129 - .190    .191
.192             .193 - .254    .255
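The subnet arithmetic on the two slides above, worked through in code. This is an added example, not material from the deck or from Westermo; it uses only Python's standard ipaddress module and reproduces the 192.168.10.0 figures shown, including the four-way split.

```python
import ipaddress


def to_binary(ip):
    """Render a dotted-decimal IPv4 address as dotted binary, as on the subnet slide."""
    return ".".join(f"{octet:08b}" for octet in ipaddress.ip_address(ip).packed)


def same_subnet(ip_a, ip_b, mask):
    """Two hosts share a subnet when AND-ing each address with the mask gives the same network."""
    m = int(ipaddress.ip_address(mask))
    return (int(ipaddress.ip_address(ip_a)) & m) == (int(ipaddress.ip_address(ip_b)) & m)


def subnet_layout(cidr, new_prefix=None):
    """Return subnet address, usable host range, broadcast and mask for each subnet.

    With new_prefix set, the network is carved into equal smaller subnets
    (e.g. a /24 into four /26s), which is the split shown on the slide.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    parts = [net] if new_prefix is None else list(net.subnets(new_prefix=new_prefix))
    rows = []
    for s in parts:
        if s.prefixlen > 30:
            # /31 and /32 have no separate subnet/broadcast addresses; out of scope here
            raise ValueError(f"{s} has no classic host range")
        hosts = list(s.hosts())
        rows.append({
            "subnet": str(s.network_address),
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "broadcast": str(s.broadcast_address),
            "mask": str(s.netmask),
        })
    return rows


if __name__ == "__main__":
    print(to_binary("192.168.10.0"))
    for row in subnet_layout("192.168.10.0/24", 26):
        print(row)
```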
Virtual LAN (VLAN)
• Operate at Layer 2
• Break up broadcast domains
• Create smaller, logical network topologies
VLANs can be created in one of two ways:
• Static – per port
• Dynamic – MAC address allocation
What are VLANs for?
Grouping parts of a network based on department, function or service.
• Controlling the proliferation of broadcasts throughout a network
• Providing security throughout the network
• Giving flexibility to network design
Figure: a corporate network and an industrial network on one switch (labels: entire network, unused, corporate network, industrial network).
• Default configuration: 1 VLAN, 1 broadcast domain
• Change the link port into a VLAN trunk port: 2 VLANs, 2 broadcast domains
Inter-VLAN routing
• Switches cannot route between VLANs
• For packets to traverse different VLANs, they must be processed by a router
VLAN tagging + frame length
VLAN tag information adds 4 bytes of data onto an Ethernet frame, making a maximum frame size of 1542 bytes.
Figure: the example packet with an 802.1Q Header added to the Ethernet header (Preamble, Destination MAC Address, Source MAC Address, Type Field, 802.1Q Header), followed by the IP header, TCP header, data from upper layers and the Cyclic Redundancy Check.
• Some networking devices are unable to process frames larger than 1538 bytes. These devices require the tags to be removed before the frame is transmitted to them.
• Ethernet at the Network layer can only process a maximum transmission unit (MTU) of 1500, so larger packets are segmented and then reassembled at the destination.
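The 4-byte 802.1Q tag the slide describes, inserted, parsed and stripped on a constructed frame. This is an added example, not Westermo code; it models only the on-wire header bytes (preamble and CRC are left to the hardware, so the slide's 1538/1542 totals are not reproduced, only the 4-byte growth), and the frame contents are made up.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
MAX_PAYLOAD = 1500    # Ethernet MTU from the slide


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Untagged frame: 6-byte destination, 6-byte source, 2-byte type, payload."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds the 1500-byte MTU; fragment at layer 3 first")
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + struct.pack("!H", ethertype) + payload


def tag_frame(frame, vlan_id, pcp=0):
    """Insert the 4-byte 802.1Q header (TPID + TCI) between the source MAC and the type field.

    The 3-bit PCP inside the TCI is the priority field that the QoS slide ties to VLAN membership.
    """
    if not (1 <= vlan_id <= 4094 and 0 <= pcp <= 7):
        raise ValueError("VLAN ID must be 1..4094 and PCP 0..7")
    tci = (pcp << 13) | vlan_id            # DEI bit stays 0
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame):
    """Remove the tag again, as a switch must before forwarding to a device that cannot handle tagged frames."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


def parse_frame(frame):
    """Decode MACs, the optional VLAN tag, the EtherType and the payload length."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan = {"id": tci & 0x0FFF, "pcp": tci >> 13}
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "vlan": vlan, "ethertype": ethertype, "payload_len": len(frame) - offset}


if __name__ == "__main__":
    # constructed sample: locally administered MACs, IPv4 EtherType, full-size payload
    untagged = build_frame("020000000001", "020000000002", 0x0800, bytes(MAX_PAYLOAD))
    tagged = tag_frame(untagged, vlan_id=10, pcp=5)
    print(len(untagged), len(tagged), parse_frame(tagged))
```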
Quality of Service (QoS)
Guarantees bandwidth
• Reduces:
  • Jitter
  • Delay
  • Dropped packets
  • Out-of-order delivery
• Is required for some applications:
  • VoIP
  • Video streaming
  • Absolutely critical data
QoS works by assigning types of traffic DSCP (Differentiated Services Code Point) tags, which determine the exact level of service that traffic is to receive. Westermo switches link the QoS priority tags with the VLAN tags. This means that you cannot tag different types of traffic, but rather groups of hosts (which makes more sense in a control network).
Quality of Service (QoS)
When to implement QoS:
• When you are using an application which requires it:
  • VoIP
  • Video streaming
  • Absolutely critical data
• When there is contention for bandwidth
• However, increasing bandwidth is always a better solution for increasing network performance
FRNT v0
• Proprietary Westermo redundancy protocol
• Controls topology failover
• Fast (<20 ms reconfiguration time)
Figure: an FRNT ring of FRNT members with one focal point.
• Member devices communicate with the focal point to determine the topology
• The focal point detects that a ring has been created, so it shuts down one of its interfaces which links the ring
• Switches continue to communicate to report the status of the topology
• If a cable fault is detected, the focal point opens its blocked interface to allow full connectivity again
STP & RSTP
• Redundancy protocol which allows a switch-level (layer 2) mesh topology
• Network convergence times of 30 secs and 3 secs respectively
• Uses the lowest MAC address or lowest bridge ID to determine the root bridge
Principle of the root bridge
Figure: a mesh of bridges with an Internet connection, blocked links marked X; bridge IDs 8649, 6039, 7432, 4036, 6696, 9972, 4189 and 5827.
VRRP
• Allows redundant entry/exit points to a network
• Does so via a “virtual” gateway IP address which two devices control the responses to
• Not to be confused with load-balancing
Figure: two routers, Router ID 210 and Router ID 50, both answering for virtual MAC address 00-00-5E-00-01-XX.
• Routers use multicast traffic to manage responses to the virtual MAC address 00-00-5E-00-01-XX
• The router with the highest VRRP ID is the “Master” router
• If the master router encounters a fault, the backup router will take over
Practical Time!!
• Set up an FRNT ring
• Use testing tools (ping, traceroute) to verify the configuration
• Inspect port mirroring and Wireshark
Routing
• Routing occurs at layer 3
• All layer three devices have a routing table
Understanding a routing table
A routing table (sometimes called a Routing Information Base or RIB) has three main parts:
• Network – the destination address
• Next hop – how to get there
• Metric – how far away it is
Example routing table:
Network        Next hop             Metric
172.16.0.0     directly connected   0
10.0.0.0       directly connected   0
192.168.0.0    directly connected   0
192.168.10.0   192.168.0.2          1
54.19.0.0      192.168.0.2          110
0.0.0.0        172.16.0.100         0
Routing tables are read sequentially from top to bottom. When a device needs to send data, it reads down through the table to find where to send it. If no exact match is found, the default gateway (the 0.0.0.0 entry) is used.
Notes: You can tell a lot from a routing table. For instance, from this example we know that this router has three different networks configured directly on it, and it knows how to get to a further two via a router which exists on the 192.168.0.0 network. From the metrics on the two distant networks we can tell what routing protocol is used to advertise them.
Static routing
• Manually configured
• Used in smaller networks
• Becomes a headache when employed in larger networks
• Not tolerant of topology changes
Default routing
• “Gateway of last resort”
• Defines how to get to a network that is not explicitly defined
• Always the last route in the routing table
• Cannot have multiple default routes
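A lookup over the example routing table from the slides above, with the default-route rules (used only when nothing else matches, never more than one) enforced. This is an added example, not Westermo or WeOS code; the prefix lengths come from the RIP diagram later in the deck, and 192.168.0.0 is assumed to be a /24.

```python
import ipaddress

# The slide's routing table. next_hop None means "directly connected".
ROUTING_TABLE = [
    ("172.16.0.0/16",   None,           0),
    ("10.0.0.0/8",      None,           0),
    ("192.168.0.0/24",  None,           0),    # assumed /24
    ("192.168.10.0/24", "192.168.0.2",  1),
    ("54.19.0.0/16",    "192.168.0.2",  110),
    ("0.0.0.0/0",       "172.16.0.100", 0),    # default route: gateway of last resort
]


def build_rib(rows):
    """Parse the table and reject a second default route, as the slide says is not allowed."""
    rib = [(ipaddress.ip_network(net), hop, metric) for net, hop, metric in rows]
    if sum(1 for net, _, _ in rib if net.prefixlen == 0) > 1:
        raise ValueError("only one default route is allowed")
    return rib


def lookup(rib, destination):
    """Choose the most specific matching route (longest prefix).

    The slide's top-to-bottom read gives the same answer for this table because the
    specific routes do not overlap and the /0 default, which matches everything, is last.
    """
    dst = ipaddress.ip_address(destination)
    best = None
    for net, hop, metric in rib:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop, metric)
    if best is None:
        return None  # no route and no default: the packet is dropped
    net, hop, metric = best
    return {"network": str(net), "next_hop": hop or "directly connected", "metric": metric}


if __name__ == "__main__":
    rib = build_rib(ROUTING_TABLE)
    for dst in ("172.16.5.5", "192.168.10.7", "54.19.1.1", "203.0.113.9"):
        print(dst, "->", lookup(rib, dst))
```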
Dynamic routing
RIP v1
• Distance-vector protocol
• Uses timed updates
• Floods its routing table every 30 secs
• Slow convergence time
• High overhead
• Simple to configure
• Uses “hop count” to determine the best path
OSPF
• Link-state protocol
• Elects a “designated” router to manage topology updates
• Updates topology based on keepalive “hello” packets
• Floods routing updates upon topology change
• Fast convergence time
• Calculates the shortest path to the destination
NB: Other routing protocols exist, but are not implemented in WeOS (YET!!)
How RIP works
Figure: router A (networks 172.16.0.0/16 and 10.0.0.0/8, link address 192.168.0.1/30) and router B (networks 192.168.10.0/24 and 54.19.0.0/16, link address 192.168.0.2/24), connected over 192.168.0.0.
RIP is a nice and simple routing protocol: it advertises its entire routing table every 30 seconds out of all interfaces. Although its convergence time is slow, it is easy to configure.
Before the exchange, each router knows only its directly connected networks:
Router A
Network        Next hop             Learned from
172.16.0.0     directly connected   directly connected
10.0.0.0       directly connected   directly connected
192.168.0.0    directly connected   directly connected
Router B
Network        Next hop             Learned from
192.168.10.0   directly connected   directly connected
54.19.0.0      directly connected   directly connected
192.168.0.0    directly connected   directly connected
After the exchange:
Router A
Network        Next hop             Learned from
172.16.0.0     directly connected   directly connected
10.0.0.0       directly connected   directly connected
192.168.0.0    directly connected   directly connected
192.168.10.0   192.168.0.2          192.168.0.2
54.19.0.0      192.168.0.2          192.168.0.2
Router B
Network        Next hop             Learned from
192.168.10.0   directly connected   directly connected
54.19.0.0      directly connected   directly connected
192.168.0.0    directly connected   directly connected
172.16.0.0     192.168.0.1          192.168.0.1
10.0.0.0       192.168.0.1          192.168.0.1
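The RIP exchange between routers A and B above, simulated as a distance-vector update. This is an added example, not the deck's or Westermo's code; it keeps the slide's convention of metric 0 for directly connected networks and hop count +1 per router, and deliberately omits RIP's timers and split horizon to keep the core update visible.

```python
import copy

INFINITY = 16  # RIP's hop-count limit: 16 means unreachable

# Constructed from the slide: each router starts knowing only its directly connected
# networks, stored as network -> (next hop or None, hop count).
ROUTER_A = {"address": "192.168.0.1",
            "routes": {"172.16.0.0/16": (None, 0), "10.0.0.0/8": (None, 0), "192.168.0.0/24": (None, 0)}}
ROUTER_B = {"address": "192.168.0.2",
            "routes": {"192.168.10.0/24": (None, 0), "54.19.0.0/16": (None, 0), "192.168.0.0/24": (None, 0)}}


def fresh_routers():
    """Independent copies so every run starts from the pre-exchange tables."""
    return copy.deepcopy(ROUTER_A), copy.deepcopy(ROUTER_B)


def advertisement(router):
    """What RIP sends every 30 s out of every interface: the whole table as {network: hop count}."""
    return {net: hops for net, (_, hops) in router["routes"].items()}


def receive(router, sender_address, adv):
    """Distance-vector update: adopt a route if it is new or strictly better than the one held."""
    changed = False
    for net, hops in adv.items():
        cost = hops + 1
        current = router["routes"].get(net)
        if cost < INFINITY and (current is None or cost < current[1]):
            router["routes"][net] = (sender_address, cost)   # next hop = who advertised it
            changed = True
    return changed


def converge(routers, max_rounds=20):
    """Exchange tables until no router changes; returns the rounds taken, or 0 if it never settled."""
    for rnd in range(1, max_rounds + 1):
        changed = False
        for sender in routers:
            adv = advertisement(sender)
            for receiver in routers:
                if receiver is not sender:
                    changed |= receive(receiver, sender["address"], adv)
        if not changed:
            return rnd
    return 0


if __name__ == "__main__":
    a, b = fresh_routers()
    print("rounds until stable:", converge([a, b]))
    for name, r in (("A", a), ("B", b)):
        for net, (hop, metric) in r["routes"].items():
            print(name, net, hop or "directly connected", metric)
```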
OSPF
Figure: Area 0 and Area 1, routers A, B, C, D, E and F.
OSPF can define areas within an Autonomous System (AS); this keeps routing tables smaller by limiting the total routes that each router needs to be aware of, and speeds up network convergence.
OSPF sends “hello” packets out of all configured interfaces. Routers build a “neighbourship” table so they are aware of others running OSPF. When routers become aware of each other via the “hello” packets, and they are within the same area, they will attempt to negotiate an “adjacency”. Once this is done, they will exchange routing information.
Routers A and E are “Area Border Routers”. These routers are part of both areas, and will advertise “summary routes” to areas beyond their own.
OSPF
Figure: Area 0 and Area 1, routers A, B, C, D, E and F.
When a network segment has not fully converged, there can be a lot of packets passing between routers as they attempt to determine the topology. To combat this, the two routers with the highest configured IP addresses will become the Designated Router (DR) and the Backup Designated Router (BDR).
From here onwards, when a topology change occurs, affected routers will alert the DR of the change and the DR will then broadcast this change to all routers within the area – greatly cutting down on the number of packets being sent.
As OSPF alerts work upon a change of state, this can generate a lot of extra traffic when a link goes down – exactly when additional traffic is not desired!
Practical Time!!
• Configure OSPF on your RedFox Industrial and connect it to the other RedFoxes here
• Use area 0
• Follow the worksheet
• Verify OSPF is running and test connectivity
IPsec
• Standardised suite of protocols
• Allows a secure, encrypted path for data
• Used for transferring sensitive data over an untrusted network (such as the internet)
IPsec tunnels
• IKE - Internet Key Exchange
• AH - Authentication Header
• ESP - Encapsulating Security Payload
Related settings and modes: duration timers, Dead-Peer-Detection, Transport Mode, Tunnel Mode, Main Mode, Aggressive Mode
Firewall
• Stateful inspection firewall (layer 4)
• Permits / denies traffic between VLANs
• Filters traffic based on source/destination ports and addresses, or protocol
Network Address Translation
Three modes of operation:
• Static NAT – statically configured one-to-one mapping of internal addresses to external
• Dynamic NAT – dynamic one-to-one mapping of internal addresses to external
• NAT Overload – dynamic mapping of multiple internal addresses to a single external address through the use of port numbers (also referred to as PAT)
Management and Reporting
• SNMP
• Syslog
RedFox specific
• Link alarms
• Fault contact