Network Design Practices
Nicholas A. Hay, Monroe County ISD, nicholas.hay@monroeisd.us


VLAN Considerations
• Why do you not want a flat network?
  • Large broadcast traffic can cripple a larger network.
  • You can’t easily identify where a device is physically on your network.
  • You can’t separate part of your network for security reasons.
• VLANs are a way you can create multiple logical networks that are segmented from one another.


VLANs Config on a Cisco Switch
• Enable routing on the core switch. If you don’t do this, another device would need to route traffic between VLANs.
  Switch(config)# ip routing
• Configure the VLAN interface(s). The description belongs in interface configuration mode, so the prompt is Switch(config-if)# for every line after the interface command:
  Switch# configure terminal
  Switch(config)# interface Vlan2
  Switch(config-if)# description Admin Wired Network
  Switch(config-if)# ip address 10.1.2.1 255.255.255.0
  Switch(config-if)# ip helper-address 10.1.2.8
  Switch(config-if)# no shutdown
• Configure the default route (only if this switch will route; it only needs to be done on the core switch that holds your VLAN interface IP addresses):
  Switch(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.2


VLANs Config on a Cisco Switch
• Verify (show commands run from privileged EXEC mode, not config mode):
  Switch# show ip route
  Gateway of last resort is 10.1.1.2 to network 0.0.0.0

       10.1.1.0/30 is subnetted, 1 subnets
  C       10.1.1.0 is directly connected, FastEthernet0/48
       10.0.0.0/24 is subnetted, 3 subnets
  C       10.1.10.0 is directly connected, Vlan10
  C       10.1.3.0 is directly connected, Vlan3
  C       10.1.2.0 is directly connected, Vlan2
  S*   0.0.0.0/0 [1/0] via 10.1.1.2


VLANs Config on a Cisco Switch
• Tagged vs. untagged VLANs
  • Tagged (trunk): the ability to send multiple VLANs through the same port/interface.
    interface GigabitEthernet2/0/24
     description Core to Admin TCA Switch
     switchport trunk encapsulation dot1q
     switchport mode trunk
  • Untagged (access): the ability to assign a port to a VLAN so that any device you plug in is placed on that logical network.
    interface GigabitEthernet1/0/6
     switchport access vlan 1030
     switchport mode access
     spanning-tree portfast


IP Addresses / Subnetting
• Consider how many devices will be on each of your VLANs or networks. Also take into consideration how many subnets you will need so you don’t run out of ranges. You do not want to run out of IPs or you will have unhappy people.
• Wireless can be very unpredictable and contain many devices, with people carrying multiples. Consider sporting events or other events where people come in with an abnormal number of devices compared to your normal use.
• Subnet cheat sheet: http://www.aelius.com/njh/subnet_sheet.html

  CIDR  Netmask          Hosts   IP Range
  /24   255.255.255.0       254  10.1.1.0 – 10.1.1.255
  /22   255.255.252.0     1,022  10.1.0.0 – 10.1.3.255
  /20   255.255.240.0     4,094  10.1.0.0 – 10.1.15.255
  /16   255.255.0.0      65,534  10.1.0.0 – 10.1.255.255
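The sizing advice above, worked through in code. This is an added example, not part of the slides; it reproduces the table rows with the standard library and picks a prefix for an expected device count, using an assumed 1.5x headroom factor to stand in for the wireless spikes the slide warns about.

```python
import ipaddress
import math

# Added example (not from the slides): size an IPv4 subnet the way the
# "IP Addresses / Subnetting" slide recommends. The 1.5x headroom factor is
# an assumption standing in for the wireless spikes the slide warns about.

HEADROOM = 1.5


def usable_hosts(prefixlen: int) -> int:
    """Usable host addresses in an IPv4 prefix (network + broadcast excluded)."""
    if not 0 <= prefixlen <= 30:
        raise ValueError("only /0 through /30 leave usable host addresses")
    return 2 ** (32 - prefixlen) - 2


def smallest_prefix(devices: int, headroom: float = HEADROOM) -> int:
    """Longest prefix whose usable hosts cover devices * headroom."""
    needed = math.ceil(devices * headroom)
    for prefixlen in range(30, -1, -1):      # start small, widen until it fits
        if usable_hosts(prefixlen) >= needed:
            return prefixlen
    raise ValueError("more devices than a single IPv4 network can hold")


def plan(base: str, prefixlen: int) -> dict:
    """Netmask, usable host count and address range, as in the slide table."""
    net = ipaddress.ip_network(f"{base}/{prefixlen}", strict=False)
    return {
        "cidr": f"/{prefixlen}",
        "netmask": str(net.netmask),
        "hosts": usable_hosts(prefixlen),
        "range": f"{net.network_address} - {net.broadcast_address}",
    }


if __name__ == "__main__":
    # Reproduces the four rows of the slide table.
    for p in (24, 22, 20, 16):
        print(plan("10.1.1.0", p))
    # A gym that normally holds 400 wireless clients gets a /22, not a /23.
    print(plan("10.12.0.0", smallest_prefix(400)))
```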


IP Addresses / Subnetting
• I have done /16s (255.255.0.0). Not the best practice, but it is easier to remember different subnets. I could achieve the same result by doing a /22 or a /21.
• 10.0.x.x – Servers
• 10.1.x.x – Admin Wired
  • 10.1.1.x – Static IPs
  • 10.1.2.x – DHCP reservations (exclude from the main DHCP scope)
  • 10.1.3.x to 10.1.8.x – DHCP addresses
• 10.2.x.x – Elem Wired
• 10.3.x.x – MS/HS Wired
• 10.11.x.x – Admin Wireless
• 10.12.x.x – Elem Wireless
• 10.13.x.x – MS/HS Wireless
• 10.14.x.x – Guest Wireless
• You want to keep device counts down to make your broadcast domain smaller. Broadcasts go to all computers on the network, and on larger networks this will degrade performance.


IPv6
• Has anyone started looking at IPv6? Reserved IPv6 address space?


IPv6
• IPv6 key items
  • IPv6 is already running on your network and you didn’t have to do anything!
  • Devices will prefer IPv6 over IPv4 routes.
  • With the IoT (Internet of Things), many technical and non-technical devices are going to communicate on the network. That’s a lot of IPs that will be needed!
  • You will not run out of IP addresses! An IPv6 subnet is a /64, so you have 18,446,744,073,709,551,616 IP addresses to use! That’s right, each of your subnets will have more IPs than IPv4 has in its entirety!
  • Don’t make a subnet smaller than a /64 (i.e. don’t use a longer prefix). This will cause you issues!!!!
  • We don’t need no stinking NATs. Every device will have a public IP address.


IPv6
• IPv6 key items
  • It is not urgent yet to implement IPv6, but it should not be ignored either, since IPv6 is a whole different beast than IPv4.
  • New IPv4 public addresses are harder to get. If you need additional public IPs, IPv6 may be your only option.
  • Make sure new devices are IPv6 ready. "IPv6 ready" can mean a lot of different things.
  • You will more than likely run IPv4 and IPv6 both at the same time; this is called dual stack.
  • IPv6 addresses are in hex rather than decimal format and look like this:
    2620:11B0:A12F:134F:FCBA:A94D:4321:5678
    2620:11B0:A12F:: = 2620:11B0:A12F:0000:0000:0000:0000:0000


IPv6
• How can you tell if your computer is accessing a website over IPv6?
  • IPvFoo extension for Google Chrome. This is good when you are testing IPv6 to ensure everything is working as expected.


IPv6 Security Concerns
• Microsoft does not recommend you disable IPv6 on your clients or servers.
• Since computers prefer to use IPv6, a rogue router advertisement or rogue DHCP server on your LAN lets hackers hijack your traffic on your current network today, whether or not you have deployed IPv6 yourself. Be sure to review the documents below.
  • Block rogue DHCP servers and rogue router advertisements:
    http://blogs.cisco.com/perspectives/ipv6-first-hop-security
    http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-3s/ip6f-xe-3s-book/ip6-ra-guard.pdf


IPv6: LISD & MCISD Consortium
• We purchased a /40 since we are treating each of our 20+ districts as a site.
  Net Range: 2620:11B:1000:: - 2620:11B:10FF:FFFF:FFFF:FFFF:FFFF:FFFF
  CIDR: 2620:11B:1000::/40 (Direct Assignment)
  Net Name: LENAWEE-MONROE-TECHNOLOGY-CONSORTIUM
• IPv6 takes quite a bit of planning if you do it correctly.

  Number of Sites   Prefix Block Size
  1                 /48
  2-12              /44
  13-192            /40
  193-3,072         /36
  3,072 - 49,152    /32
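The site-planning table and the consortium /40 above, worked through in code. This is an added example, not part of the deck; it assumes a 75% fill rule on nibble-aligned prefixes (which reproduces the table exactly), gives each district one /48, and also shows the /64 LAN size and the address expansion from the earlier IPv6 slides.

```python
import ipaddress

# Added example (not from the slides): IPv6 site planning for a consortium
# that gives every district its own /48. The 75% fill assumption reproduces
# the "Number of Sites / Prefix Block Size" table; the /40 is the deck's own.

SITE_PREFIX = 48   # one /48 per site (district)
FILL = 0.75        # assumption: keep 25% of the /48s in reserve for growth


def block_size_for_sites(sites: int) -> int:
    """Nibble-aligned prefix length that holds `sites` /48s at FILL occupancy."""
    if sites < 1:
        raise ValueError("need at least one site")
    if sites == 1:
        return SITE_PREFIX
    prefixlen = SITE_PREFIX - 4           # /44, /40, /36, ... keep hex boundaries
    while prefixlen >= 0:
        if 2 ** (SITE_PREFIX - prefixlen) * FILL >= sites:
            return prefixlen
        prefixlen -= 4
    raise ValueError("too many sites for a single allocation")


def site_capacity(block: str) -> int:
    """How many /48 sites fit in an allocation such as 2620:11B:1000::/40."""
    net = ipaddress.ip_network(block)
    return 2 ** (SITE_PREFIX - net.prefixlen)


def site_prefixes(block: str, count: int) -> list:
    """The first `count` /48s carved from the allocation, one per district."""
    if count > site_capacity(block):
        raise ValueError("allocation too small for that many sites")
    carved = ipaddress.ip_network(block).subnets(new_prefix=SITE_PREFIX)
    return [str(next(carved)) for _ in range(count)]


def lan_addresses() -> int:
    """Addresses in one /64 LAN, the minimum subnet size the slides insist on."""
    return 2 ** (128 - 64)


def expand(addr: str) -> str:
    """Uncompressed form, e.g. 2620:11B0:A12F:: -> 2620:11B0:A12F:0000:...:0000."""
    return ipaddress.ip_address(addr).exploded.upper()


if __name__ == "__main__":
    print("20 districts need a", f"/{block_size_for_sites(20)}")
    print("/40 holds", site_capacity("2620:11B:1000::/40"), "sites")
    print(site_prefixes("2620:11B:1000::/40", 3))
    print(expand("2620:11B0:A12F::"))
```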


Routing
• Do you route on your switch or firewall?
• I personally like to route on the core switch rather than the firewall.
  • I have a 3750x stacked switch for my core with redundant connections to my other switches/racks.
  • I don’t have dual firewalls, so if that goes down and it was doing the network routing, my clients would not be able to access internal servers.
  • One less hop that a packet needs to make across a subnet.
  • If you experience a DDoS or other network attack from the outside that maxes out your firewall resources, your internal traffic will still flow as expected.


NATing
• Do you NAT your network traffic out one IP address?
• Since we have a /24 (254 usable public addresses), we are NATing each subnet out a different IP address.
  • If abnormal traffic is happening in or out of your network, you can easily narrow it down to a subnet/location.
  • In SYN flood attacks and other types of DDoS attacks, it is easier to have your ISP block a single NAT IP address from coming in, sacrificing part of your network, rather than taking down your whole network.


Backups
• Do you have a config backup of all your network switches and firewalls?
• When making a network switch or firewall change, do you create a backup?
  • I recommend you do this on your changes. You never know when a switch/firewall is going to bite the dust.
• My first week taking my ISD position, our firewall died. Luckily, we were able to find a backup that was a year old. Over the next few days, we had to make corrections for changes since the last backup.
• Cisco Network Assistant: http://www.cisco.com/c/en/us/support/cloud-systems-management/network-assistant/tsd-products-support-general-information.html


DOCUMENTATION!!!!!!!
• Don’t overlook this!
• Comments/descriptions go a long way in switch and firewall configs. Too much information is better than none.
• Excel file/OneNote of important information about the network, servers, website logins, software licensing, etc. Password protecting the file is a very good idea in case the file gets out. See the sample file located in the 2015 Spring PD Day resources.
• Keep a repository of technical items (e.g. Cisco commands). OneNote is really good for managing items like this.
• KeePass or another program to encrypt/save passwords.


Document during Major Issues
• When we experienced our DDoS attacks, we spent weeks troubleshooting and tracking them down.
• I highly recommend you start documenting and taking screenshots of suspicious activity during issues, since you will forget what you have done or the total time spent by you and others in your department.
• After things clear up and you resolve the issue, you would be able, if needed, to provide your total time spent working on issues and have evidence if you need to submit this to law enforcement.