  1. #571
    Service Manager 10,000+ Posts
    Need some advice on learning networking

    BillyCarpenter's Avatar
    Join Date
    Aug 2020
    Location
    Long Beach, Mississippi
    Posts
    13,454
    Rep Power
    449

    Re: Need some advice on learning networking

    Back to the grindstone.

    I'm about to build my lab on Packet Tracer and configure DHCP Snooping + ARP Inspection. I think of these as one single tool because they're usually used together, but they're actually 2 separate tools. DHCP Snooping will function as a standalone tool, but ARP Inspection won't work without DHCP Snooping.


    I made a new discovery. If we have DHCP Snooping + ARP Inspection enabled on our switch and a copier is plugged into the switch with a duplicate IP address, it will not be able to communicate with anything on the network. If you try to ping from a PC, it's gonna fail. Why? Because the device with the same IP address is part of the Binding Table in the switch and the copier has a different MAC address... even though it has the same IP address... thus it will be blocked on the network. Food for thought.
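
The duplicate-IP copier case from the post above, as an added example (not code from the thread): a simplified model of the binding-table check. The port names, VLAN 10 and MAC addresses are constructed lab values, and the model checks only the IP-to-MAC binding per VLAN.

```python
class SnoopingSwitch:
    """Toy model of a switch running DHCP snooping plus ARP inspection."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # ports facing the DHCP server / uplink
        self.bindings = {}                  # (vlan, ip) -> MAC learned from DHCP ACKs

    def snoop_dhcp_ack(self, ingress_port, vlan, client_mac, leased_ip):
        """Record a binding only when the ACK arrives on a trusted port."""
        if ingress_port not in self.trusted:
            return False                    # server reply on an untrusted port: dropped
        self.bindings[(vlan, leased_ip)] = client_mac.lower()
        return True

    def inspect_arp(self, ingress_port, vlan, sender_mac, sender_ip):
        """Return (forwarded, reason) for an ARP packet seen on a port."""
        if ingress_port in self.trusted:
            return True, "trusted port"
        bound_mac = self.bindings.get((vlan, sender_ip))
        if bound_mac is None:
            return False, "no binding for this IP"
        if bound_mac != sender_mac.lower():
            return False, "MAC does not match binding"
        return True, "matches binding"


def demo():
    sw = SnoopingSwitch(trusted_ports={"Gi0/1"})
    # Constructed lab values: the PC leases 192.168.10.5 through DHCP.
    sw.snoop_dhcp_ack("Gi0/1", 10, "02:00:00:00:00:0A", "192.168.10.5")
    pc = sw.inspect_arp("Fa0/2", 10, "02:00:00:00:00:0A", "192.168.10.5")
    # The copier is statically set to the same IP but has its own MAC.
    copier = sw.inspect_arp("Fa0/3", 10, "02:00:00:00:00:0C", "192.168.10.5")
    # A static device on an unused IP never produced a DHCP ACK either.
    static = sw.inspect_arp("Fa0/4", 10, "02:00:00:00:00:0D", "192.168.10.50")
    return pc, copier, static


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third case is the one a copier technician meets most often: a statically addressed device has no binding at all, so its ARP traffic is dropped even when its IP is unique.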

  2. #572
    BillyCarpenter

    Re: Need some advice on learning networking

    I set up my network on Packet Tracer and configured DHCP Snooping and ARP Inspection. I ran several tests and everything worked as advertised. There was nothing difficult about setting it up. The hard work is in understanding the theory in how it works and why. It starts with understanding the OSI model. Everything always seems to go back to the OSI model in the world of networking.

    Anyway, when I first started playing around with Cisco switches and routers, I hated the CLI (Command Line Interface), but now it's the thing that I love the most. These are enterprise switches and routers and it blows my mind the things that can be done with them. They are truly "smart".
    Last edited by BillyCarpenter; 04-05-2021 at 05:05 AM.

  3. #573
    BillyCarpenter

    Re: Need some advice on learning networking

    Previously I said that I can't envision a scenario in which a copier company would be setting up VLANS, or inter-vlans on a client's network. I suppose there could be a very special circumstance where that needs to happen but I still believe my statement to be true. If anyone wants to dispute that, I'd like to hear it because I'm very new to all of this and I've been wrong before.

    With all of that said, I thought I was wasting my time learning all of this. While I find networking interesting, I'm really not into learning something that I'll never use.

    Any time that I've tried to learn something that is really difficult, there comes a time when it hits me like a ton of bricks..."Oh, this is why I need to know this and this is why it's important." That moment happened for me yesterday.


    I'm watching videos and reading material about how a rogue attacker can bring down a network. When I say "rogue attacker", I'm not talking about some evil genius sitting in his basement like we see in the movies. No, I'm talking about some kid that has learned how to launch an ARP attack by watching a YouTube video and bringing a Raspberry Pi to school and bringing down the entire network. Or maybe it's an employee that wants to get out of work for the day that does the same thing. It could be anyone.

    I've learned that network security starts at the switch. For instance, I learned something new. We can tie every port to a Mac Address. If someone tries to plug into the ethernet jack in their office with another PC or device, the port will shut down automatically and they'll NEVER even get on the network. Only the PC that is authorized will be allowed on that port. I've already discussed other security measures at the switch level.


    I have a Cisco Switch here at my office but it doesn't have a CLI interface so I couldn't do any of this. I went on eBay and found one that does and ordered it. It only cost about $30 and it's a 24-port switch. I also ordered a Cisco Enterprise Router for about the same price.

  4. #574
    Retired 10,000+ Posts
    Need some advice on learning networking

    slimslob's Avatar
    Join Date
    May 2013
    Location
    Bakersfield, CA
    Posts
    34,239
    Rep Power
    992

    Re: Need some advice on learning networking

    I have never had to set up VLANs on a client network but I have had to work with copiers on VLANs already set up either by the customer's IT or by their ISP, so knowing about them will someday be good.

  5. #575
    BillyCarpenter

    Re: Need some advice on learning networking

    I almost posted something similar to this. I think it will pay off in that I will be able to talk to the IT department with some degree of competence. I never want to come across as an idiot.


    I have a quick question for you, slim....


    I've been reading up on firewalls. Not software firewalls that are found on the PC or server, but an edge of network physical firewall. What can you tell me about them? Are they worth having?

  6. #576
    slimslob

    Re: Need some advice on learning networking

    Almost every router on the market has at least some type of firewall built in. Mostly it is a matter of blocking specific ports that you have to select. Actual hardware firewalls that connect between your internet modem block all ports by default and you have to decide which ones to open. That includes port 80, the internet browser port. They can be configured to block incoming traffic, outgoing traffic or both. The one thing that they won't stop is a denial of service attack. The attack can't get through but while the attack is happening, nothing else can get through.

  7. #577
    BillyCarpenter

    Re: Need some advice on learning networking

    I've been meaning to tell you something. Do you remember way back at the beginning of this thread when you mentioned that the OSI model was outdated? I don't think those were your exact words but something to that effect. I was too new to networking at the time to understand what you were talking about. But the internet model is simpler (effectively collapsing the top 3 layers of the OSI model into a single layer) and easier to remember and understand. If you're a pure-bred network engineer that is focused on router/switch, then yes, the 7-layer model is dead.

    I don't think I've forgotten much that you taught me, slim.

  8. #578
    BillyCarpenter

    Re: Need some advice on learning networking

    I thought I'd give a quick update on my progress. I'm terrible at trying to explain what I want to say in the written word so bear with me.


    I haven't built any new networks. In fact, I had to go back to the networks that I'd already built and address my weak areas before I could move forward. This post has to do with switches, VLANS and inter-vlans.

    Switches don't care about IP addresses. They only care about Mac Addresses and VLANs.

    Let's address VLANs. When a PC sends a packet to a switch, the PC doesn't know which VLAN it's supposed to go to. There's nothing in the packet about VLANS. The switch knows which VLAN the packet needs to go to but the PC doesn't. Once the switch receives the packet, it adds a VLAN tag to the packet via "encapsulation". The protocol is known as 802.1Q encapsulation. This is created at the trunk line of the switch. Once the switch sends the packet to a fast ethernet port (the port that's connected to the PC) it strips away the VLAN tag and forwards the packet to the PC that it's intended for.


    This may sound like a bunch of mumbo-jumbo that's unimportant, but the reason I had to go back and learn it is that I must know this information if I want to know how to troubleshoot the network. It's one thing to configure a network, it's quite another to troubleshoot a problem.

    That's all for now.

  9. #579
    BillyCarpenter

    Re: Need some advice on learning networking

    Now let's talk about routers and the role they play in INTER-VLANS.


    Keep in mind that VLANS are at the switch level (layer 2) and they are separate networks that can't communicate with each other. But what if you want to communicate between the different VLANS? In order to do this we need a router. Unlike switches, routers care about IP addresses (layer 3). It's important to keep this in mind before I explain how inter-vlans are possible....


    ....If we have a PC on VLAN 1 it may have an IP address of 192.168.10.2. On VLAN 2 we may have another PC with the IP address of 192.168.20.2. In other words, PCs on different VLANs can't have the same mask, or subnet. That would kind of defeat the purpose.

    Anyway, the PC sends the packet to the switch, the switch looks in its VLAN table and has no way of sending the packet between 2 different VLANs. What happens next is the packet is sent to the router. Keep in mind that the path between the switch and router is connected by a trunk line, thus the VLAN tag (encapsulation 802.1Q) hasn't been stripped away and is still present. Once the packet reaches the router, it has its own table that it looks at. This table is different from the table found at the switch. This table binds the VLAN to an IP Address.

    I'll admit that's a little confusing and took me a while to grasp.
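
The tagging described in post #578 and the router lookup described in post #579, as one added example (not code from the thread). It inserts and strips the 4-byte 802.1Q tag on an Ethernet frame, then picks the outgoing VLAN by destination subnet. VLAN IDs 10 and 20 and the sample frame are assumptions made for the example; the subnets are the ones from the post.

```python
import ipaddress
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def add_tag(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after the destination and source MACs."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    tci = ((priority & 0x7) << 13) | vlan_id  # 3-bit priority, DEI bit 0, 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def strip_tag(frame: bytes):
    """Return (vlan_id, untagged_frame); vlan_id is None when no tag is present."""
    if len(frame) < 16:
        return None, frame
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None, frame
    return tci & 0x0FFF, frame[:12] + frame[16:]

# Router side: one subnet per VLAN. VLAN IDs 10 and 20 are assumed for this example.
VLAN_SUBNETS = {
    10: ipaddress.ip_network("192.168.10.0/24"),
    20: ipaddress.ip_network("192.168.20.0/24"),
}

def egress_vlan(dst_ip: str):
    """Return the VLAN whose subnet contains dst_ip, or None if there is no route."""
    addr = ipaddress.ip_address(dst_ip)
    for vlan_id, subnet in VLAN_SUBNETS.items():
        if addr in subnet:
            return vlan_id
    return None

def route_on_trunk(tagged_frame: bytes, dst_ip: str):
    """Strip the ingress tag, pick the egress VLAN by IP, re-tag for the trunk.
    MAC rewriting and TTL handling, which a real router also does, are left out."""
    ingress, untagged = strip_tag(tagged_frame)
    egress = egress_vlan(dst_ip)
    if ingress is None or egress is None:
        return None  # untagged frame or unknown subnet: drop
    return add_tag(untagged, egress)

# Constructed frame: dst MAC, src MAC, EtherType 0x0800 (IPv4), dummy payload.
SAMPLE = bytes.fromhex("020000000001" "02000000000a" "0800") + b"payload"

if __name__ == "__main__":
    on_trunk = add_tag(SAMPLE, 10)
    print(on_trunk[12:16].hex())
    print(strip_tag(route_on_trunk(on_trunk, "192.168.20.2"))[0])
```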

  10. #580
    BillyCarpenter

    Re: Need some advice on learning networking

    For 2 days I've been trying to get back to my practice lab on sending DHCP addresses across inter-vlans but because I had had weak areas in my knowledge, I had to go back and fill those gaps. This is a lot of information to take in at one sitting. Take my word for this....you don't want any gaps in your understanding of networking because it will come back to bite you. I learned that the hard way. Don't repeat my mistakes if you're trying to learn networking. No detail is unimportant.

    There's one more gap that I had to fill before I went back to my practice lab on sending DHCP across inter-vlans and that's DORA.


    What is DORA? I'm glad you asked.


    The DHCP DORA process is handled by a SERVER called DHCP SERVER that dynamically distributes network configuration parameters, such as IP Addresses, gateways, etc. for clients. It is a standardized network protocol used on INTERNET PROTOCOL in the network.

    Sound complicated? It's not. Here's how it works.


    First the client PC sends out a Discovery Broadcast across the network to see if a DHCP Server is on the network.

    Next the DHCP server sends back an Offer that includes the IP address, gateway, etc.

    Next the client PC sends back a Request saying that he will take the IP address.

    Next the DHCP server sends back an Acknowledgement saying "okay, I'll make a note of your IP address and you can have this IP address for 4 days (or whatever)"... known as the lease time.


    Client ---- Discover ---> Server
    Client <--- Offer ------- Server
    Client ---- Request ----> Server
    Client <--- Ack --------- Server



    I'll explain why these 4 packets are important in a later post.
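
The four DORA messages from the post above, as an added example (not code from the thread): it builds minimal DHCP messages, then parses the message-type option (53) and lease-time option (51) to confirm the exchange order. The transaction ID, client MAC and leased address are constructed sample values.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of DHCP options
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

def build(op, xid, msg_type, yiaddr="0.0.0.0", lease=None):
    """Build a minimal DHCP message (constructed sample data, not a capture)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                         b"", socket.inet_aton(yiaddr), b"", b"",
                         bytes.fromhex("02000000000a"), b"", b"")
    options = bytes([53, 1, msg_type])
    if lease is not None:
        options += bytes([51, 4]) + struct.pack("!I", lease)
    return header + MAGIC_COOKIE + options + b"\xff"

def parse(pkt):
    """Extract transaction ID, offered address, message type and lease time."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    info = {"xid": struct.unpack("!I", pkt[4:8])[0],
            "yiaddr": socket.inet_ntoa(pkt[16:20]), "type": None, "lease": None}
    i = 240
    while i < len(pkt) and pkt[i] != 255:    # 255 = end option
        if pkt[i] == 0:                      # 0 = pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        code, value = pkt[i], pkt[i + 2:i + 2 + pkt[i + 1]]
        if code == 53 and len(value) == 1:
            info["type"] = MSG_TYPES.get(value[0], "OTHER")
        elif code == 51 and len(value) == 4:
            info["lease"] = struct.unpack("!I", value)[0]
        i += 2 + len(value)
    return info

def is_dora(packets):
    """True if the messages are Discover, Offer, Request, Ack sharing one xid."""
    parsed = [parse(p) for p in packets]
    same_xid = len({p["xid"] for p in parsed}) == 1
    return same_xid and [p["type"] for p in parsed] == ["DISCOVER", "OFFER", "REQUEST", "ACK"]

XID = 0x1234ABCD
LEASE = 4 * 24 * 3600                        # the 4-day lease from the post, in seconds
EXCHANGE = [build(1, XID, 1), build(2, XID, 2, "192.168.10.5", LEASE),
            build(1, XID, 3), build(2, XID, 5, "192.168.10.5", LEASE)]
```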
