Need some advice on learning networking
-
Re: Need some advice on learning networking
I finally came across something that really kicked my ass for hours. I was attempting to set up:
1 router
1 switch
2 PCs
2 VLANs
Then I'm trying to configure the router so that one PC on VLAN 10 can communicate with a PC on VLAN 20.
Here's a simple explanation of how it's supposed to work. When I try to ping from a PC on one VLAN to another PC on a different VLAN, the ARP request only goes out to PCs on the same VLAN as the source PC, so naturally it can't ping the other PC that's on a different VLAN. So, the next thing that happens is that Mr. Router is contacted to see if it knows where the packet should be sent. If Mr. Router is set up correctly, it will contact the PC on the other VLAN and the ping will be successful.
What kicked my ass was setting up the router IP table and sub IP table. It's complicated. Or at least it was for me.
Adversity temporarily visits a strong man but stays with the weak for a lifetime.
-
Re: Need some advice on learning networking
I finally came across something that really kicked my ass for hours. I was attempting to set up:
1 router
1 switch
2 PCs
2 VLANs
Then I'm trying to configure the router so that one PC on VLAN 10 can communicate with a PC on VLAN 20.
Here's a simple explanation of how it's supposed to work. When I try to ping from a PC on one VLAN to another PC on a different VLAN, the ARP request only goes out to PCs on the same VLAN as the source PC, so naturally it can't ping the other PC that's on a different VLAN. So, the next thing that happens is that Mr. Router is contacted to see if it knows where the packet should be sent. If Mr. Router is set up correctly, it will contact the PC on the other VLAN and the ping will be successful.
What kicked my ass was setting up the router IP table and sub IP table. It's complicated. Or at least it was for me.
I made one of the biggest blunders known to mankind. It cost me hours of frustration. Dumb. Dumb. Dumb.
I could not figure out why I couldn't ping between VLANs. I double checked all of my work and it looked perfect. Wasn't working.
Finally, I figured it out. It turns out that I made a mistake with my trunk setup. By default a trunk line belongs to native VLAN 1. The VLANs that I created were VLAN 10 and VLAN 20. Remember that all data goes through the trunk. The solution was to add VLAN 10 and VLAN 20 to the trunk. Problem solved.
-
Re: Need some advice on learning networking
My latest project caused me a lot of frustration. Nevertheless, I woke up bright and early and did it all over again. The first time around I really wasn't understanding every detail as my head was kind of spinning. The 2nd time around, I got it down.
Here are my thoughts on all of this as it relates to copiers. I think the more advanced networking is largely a big waste of time. If a company is setting up inter-VLANs, they're likely big enough to have an IT person and we're not gonna be doing any of this. It's an awful lot of work and I think it's all a bunch of bullshit as far as practical use in the copier world. Is there anyone out there that can convince me otherwise?
-
Re: Need some advice on learning networking
Today's update:
Cisco continues to cause me great pain and gnashing of the teeth. Let me see how I can explain...
Let's say you have 2 ordinary Linksys routers and you want to set up 2 separate networks. You connect from your LAN ports of your main router to your WAN ports of your secondary routers, go to your GUI, set your IP addresses and you're basically done.
Let's contrast that to Cisco routers:
There are different ways to do it but this is what you'll most likely see.
You connect both routers together through the serial ports using a serial cable. You then have to go into the command line and give the serial port an IP address. This has to be done on both routers. You then stay on the command line of the router and assign an IP address for the Fast Ethernet connection. You then have to tell the router to turn on both connections by using the "no shut" command. While doing all of this you have to make sure you're in the correct mode for each entry. If you're not in the correct mode, you're gonna get an error. After all that work, we finally have the serial port up and running.
But what if you want the 2 separate networks to be able to communicate with each other? Well, that involves setting up an "IP Route" for both routers. If you're not familiar with Cisco, none of this is gonna make sense.
While all of this sounds complicated, and it is, I've made a lot of progress. What used to take hours to complete now takes only minutes. I've gotten pretty good at remembering the command lines and don't have to refer back to the documentation.
I can set up VLANs, inter-VLANs. I can set up separate networks using multiple routers or I can set up separate networks using only one router by using a configuration called a "router on a stick."
I've put in hours and hours of work and at times I felt like giving up. I'm still very new to all of this and have a very long way to go, but at least it's getting easier.
That's all for now.
Last edited by BillyCarpenter; 04-02-2021, 03:34 PM.
-
Re: Need some advice on learning networking
By the way, "routing on a stick" is very interesting. Let me explain. Let's say you want to set up 20 networks. Or 100 networks. On most routers, you only have a few connections and are limited in how many networks you can create. Theoretically, I suppose you could purchase routers with more connections, but that costs money and you'd still be limited to a relatively small number.
That's where "routing on a stick" comes in. You can create hundreds of separate networks on 1 router and it's all done logically using sub-interfaces and trunking.
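The two earlier posts (the first inter-VLAN lab and the trunk fix) and this one describe the same build: a switch trunk carrying VLANs 10 and 20 to a single router port with one sub-interface per VLAN. Below is an added configuration example of that layout; it is not BillyCarpenter's own config. The interface names (FastEthernet0/1, 0/2, 0/24 on the switch, GigabitEthernet0/0 on the router), the 192.168.10.0/24 and 192.168.20.0/24 subnets and the native VLAN 99 are all assumptions.

```cisco
! --- Switch side (assumed 2960-style; port names are assumptions) ---
vlan 10
 name PC_VLAN10
vlan 20
 name PC_VLAN20
vlan 99
 name NATIVE
!
interface FastEthernet0/1
 description PC-A (VLAN 10)
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 description PC-B (VLAN 20)
 switchport mode access
 switchport access vlan 20
!
interface FastEthernet0/24
 description Trunk to router
 switchport mode trunk
 ! The allowed list must carry both PC VLANs (the post's fix). Frames on the
 ! native VLAN cross the trunk untagged, so keep the native VLAN off the PC VLANs.
 switchport trunk allowed vlan 10,20,99
 switchport trunk native vlan 99
!
! --- Router side ("router on a stick": one physical link, one sub-interface per VLAN) ---
interface GigabitEthernet0/0
 no ip address
 no shutdown
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
!
! PCs use 192.168.10.1 / 192.168.20.1 as their default gateway.
! Verify: show vlan brief, show interfaces trunk (switch);
!         show ip interface brief, show ip route (router; both /24s appear as connected routes)
```

Adding another network is just another `vlan`, another entry in the trunk's allowed list and another sub-interface, which is why the post's "hundreds of networks on one router" claim holds without extra ports. If `show interfaces trunk` lists a VLAN under "allowed" but not under "active in management domain", the VLAN has not been created on the switch yet.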
-
Re: Need some advice on learning networking
Here's my most ambitious project yet.
1 router
5 switches
9 PCs
3 inter-VLANs
All working. See below:
network55.JPG
-
Re: Need some advice on learning networking
I've moved on to DHCP services on a Cisco router and then I'm gonna set up DHCP services on a server. Even though my DHCP services will come from a dedicated server, they will still need to pass through the router, and in order for DHCP to pass through the router, I'm gonna need to set up a relay agent called DHCP Helper. Should be interesting.
PS- In the first scenario DHCP will come from the router. In the 2nd scenario, DHCP will come from a dedicated server.
-
Re: Need some advice on learning networking
I've moved on to DHCP services on a Cisco router and then I'm gonna set up DHCP services on a server. Even though my DHCP services will come from a dedicated server, they will still need to pass through the router, and in order for DHCP to pass through the router, I'm gonna need to set up a relay agent called DHCP Helper. Should be interesting.
PS- In the first scenario DHCP will come from the router. In the 2nd scenario, DHCP will come from a dedicated server.
This was the easiest thing I've done thus far. With that said, I learn something in the process every time no matter what.
This was only the appetizer. Now I have to set up DHCP to work across inter-VLANs.
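The two scenarios described in the quoted post, as an added configuration example (not the poster's own config): scenario 1 has the router hand out leases for both VLANs from its own pools; scenario 2 relays client broadcasts to a dedicated server with `ip helper-address`. The sub-interface names, the 192.168.10.0/24 and 192.168.20.0/24 subnets and the server address 192.168.10.5 are assumptions that match the router-on-a-stick layout used in the thread.

```cisco
! --- Scenario 1: the router is the DHCP server for both VLANs ---
! Keep the gateway and a few static addresses out of the pools.
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.20.1 192.168.20.10
!
ip dhcp pool VLAN10
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 192.168.10.5
!
ip dhcp pool VLAN20
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 192.168.10.5
! The router matches a request to a pool by the sub-interface it arrived on,
! so no extra configuration is needed for the pools to follow the VLANs.
!
! --- Scenario 2: a dedicated DHCP server at 192.168.10.5 (assumed) on VLAN 10 ---
! VLAN 10 clients reach the server directly (same broadcast domain).
! VLAN 20 clients broadcast DISCOVER; the router does not forward broadcasts,
! so the VLAN 20 sub-interface relays them as unicast to the server and sets
! giaddr to 192.168.20.1, which the server uses to pick its 192.168.20.0/24 scope.
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 192.168.10.5
!
! Verify: show ip dhcp binding               (scenario 1: leases issued by the router)
!         debug ip dhcp server packet        (scenario 1: DISCOVER/OFFER/REQUEST/ACK per client)
!         show ip interface GigabitEthernet0/0.20 | include Helper   (scenario 2: relay target)
```

When switching from scenario 1 to scenario 2, remove the router's pools (`no ip dhcp pool VLAN10`, `no ip dhcp pool VLAN20`); otherwise the router and the server both answer and clients take whichever OFFER arrives first, which is exactly the race the later DHCP snooping posts set out to close.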
-
Re: Need some advice on learning networking
Before attempting to set up DHCP services across inter-VLANs, I decided to set up DHCP with no inter-VLANs and instead set up 2 different networks with different subnet masks, and I was able to get DHCP to work on both networks. There were a couple of tricks involved. It was interesting.
See the network below:
dhcp 2 networks.JPG
-
Re: Need some advice on learning networking
I keep getting sidetracked on my way to setting up DHCP across inter-VLANs. I'm watching a video and the guy mentions something about rogue DHCP servers and DHCP snooping and I think it sounds worth exploring and off I go down that path.
Here's the scenario. Let's say an employee brings in a router from home and plugs it in at his office. Let's also say that DHCP is enabled on the router. What do you think is gonna happen? That's right, we now have a rogue DHCP server on the network and it's probably handing out incorrect IP addresses.
How can this be prevented?
On Cisco switches there's something called DHCP Snooping. What this does is monitor every port on the switch for any incoming data that has to do with DHCP offers. If this happens the switch says "NO WAY" and the request is blocked. The only problem with that is if every port is blocked, no device will be able to get a DHCP address. How do we solve this? We create what's called "trusted ports". These are usually the "trunk lines" on the switch that carry DHCP info from the DHCP server.
I never knew switches could do so much. Looking forward to finding out what else they can do.
-
Re: Need some advice on learning networking
I set up a small network consisting of the following:
1 Enterprise DHCP server
1 Rogue DHCP server
2 DHCP client PCs
1 Switch
I plugged everything into the switch and went to the first PC and requested a DHCP address. I did this several times. Sometimes I would get an IP address from the Enterprise Server (correct server) and sometimes I would get an IP address from the rogue server. We don't want this, right?
The next thing I did was enable DHCP SNOOPING on the Cisco switch. I went back to PC1 and requested a DHCP address. It failed. Why? Because DHCP snooping was blocking DHCP offers on every port on the switch. We don't want that, right?
The solution for the problem was to create a "trusted" port that the Enterprise server was plugged into. Once I did that I went back to PC1 and requested a DHCP address and I received one. I did this several times and never received an IP address from the rogue server.
But our work isn't complete. Just because I never received an IP address from the rogue server doesn't necessarily mean that we won't. We need to make sure. We need to make 100% sure. Allow me to explain.
When there are 2 DHCP servers on the network, the one that responds the quickest wins. In my scenario, the Enterprise Server could be responding the quickest and that's the reason we received no DHCP address from the rogue server. But who knows, 2 days from now the rogue server may respond quicker and we can't take that chance.
We need to verify that the rogue server is blocked. But how do we do this?
First we turn off DHCP on the enterprise server and now DHCP is enabled only on the rogue server. Next we need to run the "debug ip dhcp snooping packet" command on the Cisco switch. This is gonna capture any data that has to do with DHCP offers from the rogue switch. If you receive no data... that means the port is blocked.
I did all of this and verified that all was working as it should.
All of this got me to thinking about my own network here at the office. Anyone could easily plug in a rogue router and create havoc. I'm gonna correct this now that I know how to do it. I bet there's a lot of companies out there that are completely in the dark on this.
See network below:
DHCP Snooping.JPG
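The switch-side configuration that matches the lab in this post, as an added example rather than the poster's own config: snooping enabled for the VLANs, only the server-facing port trusted, client ports left untrusted and rate-limited, and the verification commands that show what the feature is doing. Port numbers (FastEthernet0/24 toward the server, 0/1 to 0/23 for clients) and VLAN numbers are assumptions.

```cisco
! Enable globally, then per VLAN. Every port starts UNTRUSTED: a server message
! (OFFER/ACK/NAK) arriving on an untrusted port is dropped. That is why PC1's
! lease failed before any port was trusted.
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Snooping inserts option 82 into relayed requests; Packet Tracer and many
! non-Cisco servers reject those, so labs commonly turn the insertion off.
no ip dhcp snooping information option
!
! Trust ONLY the port toward the enterprise server (or the trunk leading to it).
interface FastEthernet0/24
 description Enterprise DHCP server
 ip dhcp snooping trust
!
! Client ports stay untrusted. A rogue server's OFFERs are dropped here, and a
! host flooding DISCOVERs above the rate is err-disabled.
interface range FastEthernet0/1 - 23
 ip dhcp snooping limit rate 10
!
! Verification:
!   show ip dhcp snooping            -> snooping VLANs, trusted ports, rate limits
!   show ip dhcp snooping binding    -> MAC / IP / lease / VLAN / port learned from real leases
!   debug ip dhcp snooping packet    -> the post's check: a rogue OFFER on an untrusted
!                                        port shows as a drop instead of being forwarded
```

The binding table shown by `show ip dhcp snooping binding` is the useful by-product of this feature: it records which MAC holds which IP on which port, and the next post's Dynamic ARP Inspection relies on that table rather than on the regular MAC address table.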
-
Re: Need some advice on learning networking
I keep trying to get back to setting up DHCP Services across inter-vlans and I keep getting sucked into other areas.
First it was DHCP Snooping (rogue DHCP server) and now it's Dynamic ARP Inspection. DAI for short.
What is DAI and why do we need it?
To understand this, we need to do a quick review. Remember that we're dealing with Layer 2 switches and that means we're dealing with MAC addresses. In order for a switch to send a packet to the correct client, it must know the MAC address of the client it needs to send the packet to. How does the switch know the MAC address of every client on the network? It asks via an ARP request. ARP is a broadcast to every device on the network, or VLAN if they're set up.
But what if we have an ARP attack from a rogue host? Now we have a rogue host sending out his MAC address instead of the intended one and he's now getting all of your important data. Not good, right?
Fortunately, there's a way to guard against this by incorporating Dynamic ARP Inspection along with DHCP Snooping.
I'll explain this in more detail after I set it up and test it out in Packet Tracer.
-
Re: Need some advice on learning networking
After doing some (a lot) reading up on Dynamic ARP Inspection and how it protects against a rogue ARP attack, I will attempt to explain it.
When a device is plugged into the network for the first time or when it is booted, the switch builds a MAC address table that is tied to a port on the switch. The MAC address table looks like this. See below:
Port ---- MAC address
01 ---- 010800207CBA2C
02 ---- 30108002022519C
04 ---- 03 01080011043B65
05 ---- 0100A024A9BCEE
06 ---- 0100A024A791DE
07 ---- 0100A02463D6EC
08 ---- 0100A024636AB7
09 ---- 010080C72EE4A3
10 ---- 010020AF4A3B31
When a PC wants to send/receive data from a client on the network, the switch looks in the table to know where to send it. A rogue ARP attack can manipulate the table and now the information could be going anywhere.
How do we guard against this? It starts with DHCP Snooping. Remember that DHCP Snooping is on a "Trusted Port" that only the DHCP Server is plugged into. So, we know the MAC address table is correct. Here's the key point to understand how this works. DHCP Snooping builds its own MAC address table and DYNAMIC ARP INSPECTION looks at that table instead of the other table. So if a rogue ARP attack occurs, it looks at the table for DHCP Snooping and if it doesn't match up, the request is denied.
I hope that I explained that well enough to make sense.
At some point today I hope to do all of this on Packet Tracer. We'll see how it turns out.
Last edited by BillyCarpenter; 04-04-2021, 04:58 PM.
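An added configuration example for the DAI setup this post describes (not the poster's own config): DAI is enabled per VLAN on top of DHCP snooping, the server/uplink port is trusted, client ports are checked and rate-limited, and a statically addressed host that will never appear in the snooping binding table is covered by an ARP ACL. Port numbers, VLAN numbers, the static host 192.168.10.50 and its MAC 0011.2233.4455 are all constructed for the example.

```cisco
! DAI validates ARP on untrusted ports against the DHCP snooping binding table,
! so snooping must already be running for those VLANs.
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
ip arp inspection vlan 10,20
! Optional: also check that the Ethernet header MACs and the ARP sender IP are sane
! (e.g. drop ARP whose sender MAC differs from the frame's source MAC).
ip arp inspection validate src-mac dst-mac ip
!
! Trust the uplink / server port. Other switches' hosts are checked by their own DAI;
! trusting a port does not bypass checks for the hosts on this switch.
interface FastEthernet0/24
 description Uplink / DHCP server
 ip arp inspection trust
!
! Client ports are untrusted by default. An ARP reply claiming an IP that the
! binding table assigns to a different MAC is dropped and logged. Rate-limit ARP
! so a host cannot flood the inspection path.
interface range FastEthernet0/1 - 23
 ip arp inspection limit rate 15
!
! A printer or server with a static IP has no DHCP lease, so DAI would drop its ARP.
! Permit that exact IP/MAC pair with an ARP ACL rather than trusting the whole port.
arp access-list STATIC_HOSTS
 permit ip host 192.168.10.50 mac host 0011.2233.4455
ip arp inspection filter STATIC_HOSTS vlan 10
!
! Verification:
!   show ip arp inspection vlan 10              -> DAI state and ACL per VLAN
!   show ip arp inspection statistics vlan 10   -> Forwarded vs Dropped counters per VLAN
!   show ip dhcp snooping binding               -> the table DAI is checking against
```

The distinction the post draws is the important one: the regular MAC address table is learned from whatever frames arrive and can be poisoned, while the snooping binding table is built only from leases that passed through the trusted server port. DAI checks ARP against the second table, so a forged ARP reply is dropped before it can teach the first table anything.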