VIRTUAL LANS: LAN, from the beginning (PowerPoint presentation)

Transcript and Presenter's Notes

1
VIRTUAL LANS: LAN, from the beginning
2
(Diagram: a host on the bus sends "Message to Host7")
3
(Diagram: a second host sends "Message to Host2" at the same moment: COLLISION!!!)
4
  • It was a 10Base2 network with a BUS topology
  • Too slow (10 Mb/s)
  • Half duplex: one shared cable, so only one host can transmit at a time
  • One segment → one collision domain and one broadcast domain
  • Too many possible errors (physical and logical)
  • It is a hard job to find errors.

5
(Diagram: a host on the hub sends "Message to Host7")
6
(Diagram: a second host sends "Message to Host9" at the same moment: COLLISION!!!)
7
  • It was a 10BaseT network with a HUB in the centre of the STAR
  • Too slow (10 Mb/s)
  • Half duplex: the hub repeats every frame to every port, so the medium is still shared
  • One segment → one collision domain and one broadcast domain
  • Not so many possible errors (physical and logical)
  • It is easier to find errors.

8
(No Transcript)
9
(Diagram: "Message to Host7" and "Message to Host9" pass through the switch at the same time, without a collision)
10
  • It was the same topology with a Switch in the centre of the STAR (OSI layer 2)
  • Much quicker (up to 10 Gb/s over copper wire)
  • Full duplex
  • More than one segment → more and smaller collision domains (one per switch port)
  • Much fewer possible errors (physical and logical)
  • But!
  • Still one broadcast domain: a broadcast frame from any host reaches every port.

11
Net address 192.168.0.0/24
Net address 192.168.1.0/24
12
  • We will have two autonomous subnets → two broadcast domains.
  • Necessary:
  • - All of the hosts (and the router port) connected to the same switch need a logical (IP) address. The addresses of one subnet come from the same address range (here 192.168.0.0/24 and 192.168.1.0/24).
  • - Use a router (hardware or software) to connect the two subnets.

13
(Diagram: two subnets, 192.168.0.0/24 and 192.168.1.0/24; "Message to H14" and "Message to H23")
14
(Diagram: "Message to H23" travelling between 192.168.0.0/24 and 192.168.1.0/24 through the router)
15
  • Subnets with a Router
  • - We have two autonomous subnets, so we have two broadcast domains.
  • AND
  • - We can use the positive attributes of a router:
  • Flexibility
  • Firewall
  • Will it be enough?

16
But why?
  • If I have two logical networks in the same room, I can use just one switch. The PCs will communicate perfectly.
  • BUT then what is the aim of using two logical networks? I think one is enough there.
  • Because with one network I won't be able to control the data access of the PCs. It's not so safe.
  • And with two subnets on one ordinary switch the separation exists only in the hosts' IP settings: any PC can change its address to the other subnet, or listen to the other subnet's broadcast frames, without ever passing the router or the firewall. The switch itself has to keep them apart.

17
(Diagram: hosts 192.168.0.4 and 192.168.0.3; a "Message to 200.10.11.3" leaves through the router 192.168.0.1 to the public host 200.10.11.3)
18
(Diagram: ROOM A and ROOM B, with the subnets 192.168.1.x/24 and 192.168.0.x/24 both present in both rooms)
19
(Diagram: ROOM A and ROOM B)
20
What did we win?
  • We can use much fewer network devices
  • Easier handling
  • Security

What did we lose?
  • These switches are 3-4 times more expensive
  • They must be configured
  • The clever device is a little bit slower

21
  • So we can use our switch like two.
  • Managed switches are required. Those can work at layer 3 too.
  • Each of my switches will have two (or more) "partitions", like a hard disk drive.
  • It's called "Virtual LAN" (VLAN).
  • These switches can handle layer-3 addresses (IP).
  • These switches separate the VLANs: if an Ethernet frame comes from one VLAN and the destination is in another VLAN, it can only be forwarded through the router (and hopefully through a FIREWALL).

22
(Diagram: ROOM A and ROOM B; host 192.168.0.20 in VLAN_1 and host 192.168.1.20 in VLAN_2, with the switch ports in each room assigned to VLAN_1 or VLAN_2)
23
About the managed switches
  • Usually they can handle up to 1024 VLANs
  • They can be managed through the WEB in an HTML form, through TELNET, or on their own console port
  • They have an IP address (for management)
  • Naturally the access can be protected with a PASSWORD
  • Caveat: HTTP and TELNET carry that password in clear text, readable by anyone in the same broadcast domain, so prefer SSH/HTTPS or the console port, and keep the management address in a VLAN that ordinary hosts cannot reach.

24
Configuration settings
25
Switch login through the WEB
26
Switch status
  • status.doc

27
Port statistic
28
VLAN membership
29
Key benefits:
  • Easily move workstations on the LAN
  • Easily add workstations to the LAN
  • Easily change the LAN configuration
  • Easily control network traffic
  • Improved security

30
Three basic VLAN types
  • Port-based VLANs
  • Widespread. We assign the switch's ports to a VLAN. Simple to use: membership follows the cable, not the host.
  • MAC address based VLANs
  • We must define the MAC addresses which have access to a VLAN. (A host can change its MAC address at will, so this is convenience rather than a strong boundary.)
  • Protocol-based VLANs
  • Configured like the MAC address based ones, but instead use a logical (IP) address or protocol type.

31
VLAN TRUNKING
Usually when we hear PORT TRUNKING we think of using two or more wires for one connection, so we get wider bandwidth and a quicker NETWORK. Well, VLAN trunking is a little bit different: we use just one wire instead of several, and the VLANs share its bandwidth. Each frame on the trunk carries an 802.1Q tag with its VLAN ID, so the switch at the other end knows which VLAN the frame belongs to.
  • We can use fewer wires
  • It's easier to control the network

32
(Diagram: as on slide 22, ROOM A and ROOM B with hosts 192.168.0.20 in VLAN_1 and 192.168.1.20 in VLAN_2, but now the switches are joined by Trunk links carrying both VLAN_1 and VLAN_2)
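The tagging and separation described on the last two slides, as an added example that is not part of the original presentation: a small Python model of a switch with port-based VLANs and one trunk port. It parses the 802.1Q tag, tags frames on trunk egress, strips them on access egress, and floods unknown or broadcast frames only within the ingress VLAN. The port names (p1, p2, p3, trunk), MAC addresses and payload are constructed for the example; it models no particular vendor's switch.

```python
"""Added example (not from the slides): a miniature 802.1Q-aware switch.
It parses Ethernet frames, tags/untags them on trunk and access ports and
enforces the rule that a frame never crosses from one VLAN to another
inside the switch. Port names and MAC addresses are constructed."""
import struct

ETHERTYPE_8021Q = 0x8100
BROADCAST = b"\xff" * 6


def parse_frame(raw):
    """Return (dst, src, vlan_id or None, ethertype, payload).

    A tagged frame has 0x8100 in the EtherType slot, then a 16-bit TCI
    (3 bits priority, 1 bit DEI, 12 bits VLAN ID) and the real EtherType.
    """
    if len(raw) < 14:
        raise ValueError("shorter than an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan_id, offset = None, 14
    if ethertype == ETHERTYPE_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return dst, src, vlan_id, ethertype, raw[offset:]


def tag_frame(raw, vlan_id, priority=0):
    """Insert an 802.1Q tag after the source MAC (what a trunk port does on egress)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((priority & 0x7) << 13) | vlan_id
    return raw[:12] + struct.pack("!HH", ETHERTYPE_8021Q, tci) + raw[12:]


def untag_frame(raw):
    """Strip the 802.1Q tag if present (what an access port does on egress)."""
    return raw[:12] + raw[16:] if parse_frame(raw)[2] is not None else raw


def make_frame(dst, src, ethertype=0x0800, payload=b"constructed payload"):
    """Build an untagged frame; the payload is a placeholder, not a real IP packet."""
    return dst + src + struct.pack("!H", ethertype) + payload


class VlanSwitch:
    """Port-based VLANs: each access port sits in one VLAN, trunk ports carry all of them."""

    def __init__(self, access_ports, trunk_ports):
        self.access = dict(access_ports)   # port name -> VLAN ID
        self.trunks = set(trunk_ports)
        self.mac_table = {}                # (VLAN ID, MAC) -> port, learned per VLAN

    def ingress_vlan(self, port, raw):
        """Which VLAN an arriving frame belongs to; None means the frame is dropped."""
        tag = parse_frame(raw)[2]
        if port in self.access:
            # The port's configuration decides, never the sender: a tag that a host
            # puts on a frame sent into an access port is ignored, so a host cannot
            # pick a VLAN for itself.
            return self.access[port]
        if port in self.trunks and tag is not None:
            return tag
        return None                        # untagged on a trunk (no native VLAN here)

    def forward(self, in_port, raw):
        """Return {egress port: frame}; an empty dict means the frame was dropped."""
        vlan = self.ingress_vlan(in_port, raw)
        if vlan is None:
            return {}
        dst, src = parse_frame(raw)[:2]
        self.mac_table[(vlan, src)] = in_port
        known = self.mac_table.get((vlan, dst))
        if known == in_port:
            return {}                      # destination sits behind the ingress port
        if known is not None:
            targets = [known]
        else:
            # Unknown or broadcast destination: flood, but only inside this VLAN.
            # This is what makes each VLAN its own broadcast domain.
            targets = [p for p, v in self.access.items() if v == vlan and p != in_port]
            targets += [t for t in self.trunks if t != in_port]
        plain = untag_frame(raw)
        return {p: tag_frame(plain, vlan) if p in self.trunks else plain for p in targets}


HOST_A, HOST_C = (bytes.fromhex("02000000000%d" % i) for i in (1, 3))   # constructed MACs


def demo():
    """ROOM A switch from the slides: p1 and p2 in VLAN_1, p3 in VLAN_2, one trunk to ROOM B."""
    sw = VlanSwitch({"p1": 1, "p2": 1, "p3": 2}, {"trunk"})
    broadcast_a = sw.forward("p1", make_frame(BROADCAST, HOST_A))   # A (VLAN_1) broadcasts
    c_to_a = sw.forward("p3", make_frame(HOST_A, HOST_C))            # C (VLAN_2) addresses A directly
    return broadcast_a, c_to_a


if __name__ == "__main__":
    for name, out in zip(("A broadcast", "C -> A"), demo()):
        print(name, {p: parse_frame(f)[2] for p, f in out.items()})
```

Run as a script it prints which port receives each frame and with which VLAN ID: the broadcast from VLAN_1 reaches p2 untagged and the trunk tagged 1, never p3; the frame from C to A is flooded only towards the trunk tagged 2, so A never sees it and only a router behind the trunk could deliver it. The ingress rule is the check worth keeping in mind: a host on an access port that sends its own tagged frame still lands in the port's VLAN.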
33
Some words about IPTABLES
  • The netfilter/iptables project is the firewall subsystem of the Linux 2.4 / 2.5 KERNEL. Its functions (each of them also names one of the three netfilter tables: filter, nat, mangle):
  • - Packet filtering (filter)
  • - Network Address Translation (nat)
  • - Packet marking (mangle)
  • Parts of netfilter:
  • - The part built into the standard Linux kernel
  • - iptables, iptables-save, iptables-restore user-space programs

34
Packet filtering (filter)
  • The FIREWALL examines every incoming packet and, if there is a rule which applies to it, forwards or drops (discards) the packet; if no rule matches, the chain's default policy decides.

35
Network Address Translation (NAT)
  • When a packet comes into the firewall from the protected network, the firewall changes its source (private) IP address to an outer (public) IP address.
  • So many hosts can share one public IP address, and only the NAT server (of course the firewall) knows which internal host is the real sender; it keeps a table of the translations so that the replies can be handed back to the right host.
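The two mechanisms just described, stateful filtering and source NAT, as an added example not taken from the presentation: a Python model of a firewall that tracks connections started from the protected network, rewrites their source address and port, lets only the matching replies back in, and drops everything else. The public IP, the two LAN ranges and the web server address are the ones used elsewhere in the slides; the Packet record and the port allocation scheme are constructed simplifications of what netfilter's connection tracking does.

```python
"""Added example (not from the slides): a miniature stateful filter with
source NAT. Real netfilter keys its state on the full 5-tuple and protocol
state; this model keeps just enough to show why unsolicited packets are
dropped and replies find their way back. Addresses/ports are constructed."""
import ipaddress
from collections import namedtuple

# A TCP segment reduced to what the NAT decision needs
Packet = namedtuple("Packet", "src sport dst dport syn")


class NatFirewall:
    def __init__(self, public_ip, protected_nets, first_port=40000):
        self.public_ip = public_ip
        self.protected = [ipaddress.ip_network(n) for n in protected_nets]
        self.next_port = first_port
        self.out_map = {}   # (src, sport, dst, dport) -> public source port
        self.in_map = {}    # (public port, remote ip, remote port) -> (src, sport)

    def is_protected(self, ip):
        return any(ipaddress.ip_address(ip) in net for net in self.protected)

    def from_lan(self, pkt):
        """LAN -> Internet. Returns the rewritten packet, or None if the firewall drops it."""
        if not self.is_protected(pkt.src):
            return None                    # source address is not ours: spoofed, drop
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out_map:
            if not pkt.syn:
                return None                # no state and not a connection start: drop
            # NEW connection: allocate a distinct public port so that two hosts
            # using the same source port can still be told apart on the way back
            self.out_map[key] = self.next_port
            self.in_map[(self.next_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return pkt._replace(src=self.public_ip, sport=self.out_map[key])

    def from_internet(self, pkt):
        """Internet -> LAN. Only replies to a tracked connection pass, and they are un-NATed."""
        inner = self.in_map.get((pkt.dport, pkt.src, pkt.sport))
        if inner is None:
            return None                    # no ESTABLISHED/RELATED state: drop
        return pkt._replace(dst=inner[0], dport=inner[1])


def demo():
    """Two LAN hosts open connections to the same web server with the same source port."""
    fw = NatFirewall("195.199.219.33", ["192.168.0.0/24", "192.168.1.0/24"])
    a = fw.from_lan(Packet("192.168.0.20", 1234, "200.10.11.3", 80, syn=True))
    b = fw.from_lan(Packet("192.168.1.20", 1234, "200.10.11.3", 80, syn=True))
    reply_to_b = fw.from_internet(Packet("200.10.11.3", 80, "195.199.219.33", b.sport, syn=False))
    unsolicited = fw.from_internet(Packet("200.10.11.3", 5555, "195.199.219.33", 22, syn=True))
    spoofed = fw.from_lan(Packet("10.9.8.7", 1234, "200.10.11.3", 80, syn=True))
    return a, b, reply_to_b, unsolicited, spoofed


if __name__ == "__main__":
    for label, result in zip(("A out", "B out", "reply to B", "unsolicited", "spoofed"), demo()):
        print(label, result)
```

Both outgoing packets leave with the same public source address but different public ports, the server's reply to the second port is rewritten back to 192.168.1.20:1234, and the connection attempt from outside to port 22 has no state and is dropped, which is exactly what the ESTABLISHED,RELATED rules on the following slides express.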

36
Simple firewall
  • Connect clients to the Internet
  • Protect clients
  • Protect the firewall
  • Administer the firewall through SSH from the internal network.

37
Setting VARIABLES
  • INET_IFACE="eth0"
  • INET_IP="195.199.219.33"
  • LAN1_IFACE="eth1"
  • LAN2_IFACE="eth2"
  • LAN1_IP="192.168.1.0/24"
  • LAN2_IP="192.168.0.0/24"

38
Setting DEFAULTS
  • iptables -P INPUT DROP
  • iptables -P OUTPUT DROP
  • iptables -P FORWARD DROP

39
To the firewall itself we accept only packets that belong to already established, valid connections
  • iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

40
Permit SSH connections from the internal Ethernet (LAN1)
  • iptables -A INPUT -s $LAN1_IP -i $LAN1_IFACE -p tcp --dport 22 -j ACCEPT

41
We can start new connections from the Firewall too
  • iptables -A OUTPUT -m state --state
    NEW,ESTABLISHED,RELATED -j ACCEPT

42
Across the firewall toward the internal network we allow only already established, valid connections
  • iptables -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

43
We also accept new connections from the internal Ethernet across the firewall (one rule per LAN interface)
  • iptables -A FORWARD -i $LAN1_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  • iptables -A FORWARD -i $LAN2_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  • Note: written like this the two LANs may also open connections to each other through the firewall; if only Internet access is wanted, restrict the output interface of these rules to the Internet interface.

44
Rewriting the source address of the packets from the internal Ethernet (SNAT), one rule per LAN
  • iptables -t nat -A POSTROUTING -o $INET_IFACE -s $LAN1_IP -j SNAT --to-source $INET_IP
  • iptables -t nat -A POSTROUTING -o $INET_IFACE -s $LAN2_IP -j SNAT --to-source $INET_IP
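The rules from slides 37 to 44 assembled into one runnable script, as an added example that is not the presenter's own script: a Python generator that builds the iptables command lines in order, prints them by default, and loads them when run with `apply` as root. The interfaces and addresses are those on slide 37. Two things are additions, marked in the comments: loopback rules, which the DROP policies otherwise break, and an output-interface restriction on the LAN forwarding rules so that the two subnets cannot reach each other through the router unless a rule explicitly allows it. Enabling IP forwarding in the kernel (`/proc/sys/net/ipv4/ip_forward`) is also needed and is not shown on the slides.

```python
"""Added example (not from the slides): the simple firewall of slides 37-44
as one script. Run without arguments to print the rules, with `apply` (as
root) to load them. Loopback rules and the '-o' on the FORWARD rules are
additions, see the comments."""
import subprocess
import sys

# Slide 37, "Setting VARIABLES"
CONFIG = {
    "inet_iface": "eth0",
    "inet_ip": "195.199.219.33",
    "lans": {"eth1": "192.168.1.0/24", "eth2": "192.168.0.0/24"},
    "admin_iface": "eth1",               # slide 40: SSH to the firewall only from here
}


def firewall_rules(cfg):
    """Return the iptables command lines (as argument lists) for the simple firewall."""
    inet, inet_ip, lans = cfg["inet_iface"], cfg["inet_ip"], cfg["lans"]
    established = ["-m", "state", "--state", "ESTABLISHED,RELATED"]
    new_or_established = ["-m", "state", "--state", "NEW,ESTABLISHED,RELATED"]
    rules = [
        # Slide 38: defaults, everything not explicitly accepted is dropped
        ["-P", "INPUT", "DROP"],
        ["-P", "OUTPUT", "DROP"],
        ["-P", "FORWARD", "DROP"],
        # Addition: with DROP policies, local services need loopback allowed explicitly
        ["-A", "INPUT", "-i", "lo", "-j", "ACCEPT"],
        ["-A", "OUTPUT", "-o", "lo", "-j", "ACCEPT"],
        # Slide 39: to the firewall itself, only replies to existing connections ...
        ["-A", "INPUT", *established, "-j", "ACCEPT"],
        # Slide 40: ... plus SSH from the administration LAN
        ["-A", "INPUT", "-s", lans[cfg["admin_iface"]], "-i", cfg["admin_iface"],
         "-p", "tcp", "--dport", "22", "-j", "ACCEPT"],
        # Slide 41: the firewall may open connections itself
        ["-A", "OUTPUT", *new_or_established, "-j", "ACCEPT"],
        # Slide 42: toward the LANs only established traffic is forwarded
        ["-A", "FORWARD", "-i", inet, *established, "-j", "ACCEPT"],
    ]
    for lan_iface, lan_net in lans.items():
        # Slide 43: each LAN may open new connections. The '-o' is an addition:
        # without it the two LANs could also reach each other through the
        # router, which is exactly what the VLAN split was meant to control.
        rules.append(["-A", "FORWARD", "-i", lan_iface, "-o", inet,
                      *new_or_established, "-j", "ACCEPT"])
        # Slide 44: SNAT, rewrite the private source address to the public one
        rules.append(["-t", "nat", "-A", "POSTROUTING", "-o", inet, "-s", lan_net,
                      "-j", "SNAT", "--to-source", inet_ip])
    return [["iptables", *r] for r in rules]


def apply_rules(rules, run=subprocess.run):
    """Load the rules in order; `run` is injectable so loading can be simulated."""
    for argv in rules:
        run(argv, check=True)
    return len(rules)


if __name__ == "__main__":
    rules = firewall_rules(CONFIG)
    if len(sys.argv) > 1 and sys.argv[1] == "apply":     # needs root and ip_forward enabled
        apply_rules(rules)
    else:
        for argv in rules:
            print(" ".join(argv))
```

Keeping the rules as a list rather than typing them one by one makes the order explicit, which matters with DROP policies: the SSH rule must come before the firewall is cut off from the administrator, and a rule set that is printed first can be reviewed before it is loaded.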

45
Complex firewall
  • Connect clients to the Internet
  • Protect clients, the DMZ¹ and the firewall
  • Administer the firewall and the DMZ through SSH from the internal network
  • Offer services in the DMZ to the outside world.
  • 1. DMZ: Demilitarized Zone

46
  • Only the firewall has a public IP address (1.2.3.4). The DMZ is on the first Ethernet interface (eth1) of the firewall and uses the private address range 10.0.0.0/24. The clients are on the second internal LAN card (eth2) of the firewall; their address range is 192.168.1.0/24.
  • It will be the next topic.

47
To be continued
Good Bye

Created by Bela Pap