Review, Part 2
4/15/2009
Final Exam
The final exam will be posted by 6pm on Wednesday, April 29, 2009 and you have a week to find three hours to work on it. Use any resource, including asking me questions if you're not sure; don't hesitate to ask me questions. Please let me know if it looks like it will take you more than three hours since that means you're making it harder than I intended. 445-9385
Project
- Any questions or problems?
- Do the packet capture on your laptop in the building of your project.
- Note that the long SNMP command in the project example is missing single quotes in two places (tr and awk).
tr -s " " '\t'awk '{ stuff }'
Review
Now, on to the review! Unless you have questions ...
Performance
- latency, jitter
- throughput (especially as compared to bandwidth), packet loss
Practical Considerations
- Necessary Information
- IP address
- netmask
- gateway / default router
- Useful Information
- DNS servers
- impact of incorrect information?
Troubleshooting Tools
- hardware: replace cables, maybe NIC
- ifconfig/ipconfig, netstat
- ping, traceroute/tracert, mtr, NDT
- nmap
- arp, tcpdump/wireshark
Layer 2 header for 802.1Q
- 4 bytes larger than regular Ethernet, for a maximum 1522 bytes total
- 2 octets for Tagged Protocol Identifier, 0x8100 (a holder for frame type)
- 3 bits for priority, 802.1p
- 1 bit for Canonical Format Indicator
- 12 bits for VLAN ID, 802.1Q
802.1Q VLANs
- 12 bits: VLAN IDs range from 1 to 4094
- 1 is DEFAULT
- 0 and 4095 are not allowed
VLAN Facts of Life
- 802.1Q adds 4 bytes to Ethernet packets between the Layer 2 (Ethernet) header and the Layer 3 leader, increasing the maximum packet size from 1518 to 1522 bytes; 3 bits are for the 802.1p Ethernet class of service and 12 bits are for the 802.1Q VLAN ID.
- A VLAN, by definition, provides broadcast containment. Broadcasts (Windows browser elections, Bonjour) are contained within the VLAN.
VLAN Facts of Life
- Your IP address determines your IP subnet (of course). Your IP subnet uniquely determines your 802.1Q VLAN. Each VLAN can have several subnets, but each subnet has one and only one VLAN. If the VLAN on your switch port doesn't match your IP address subnet, you can't communicate on the network (except at Layer 2, but the user reports no network connectivity).
- For traffic to travel between VLANs, it must go to the router port defined for that VLAN (your gateway). In the simplest case, it then goes through the routing engine and out the router port for the destination VLAN. (It could also go from the routing engine on one router to the routing engine on another router, and then out the router port for the destination VLAN.) Each router knows what subnets match the VLANs it manages, and it knows what router to send packets for the VLANs it doesn't manage.
VLAN Scalability for Users
- You can put every user port in a VLAN manually. This isn't so bad as long as departments (or functional groupings) don't change too much.
- You define policy (from RFC 3580) to change as needed, but the default policy matches what you would set above.
VLAN Scalability for Uplinks
- You can add every VLAN to every switch uplink port (called a trunk port if it trunks more than one VLAN through; all traffic must be VLAN-tagged at this point, or else it will get the PVID (port VLAN ID) from the trunk port) that it might need to traverse to get to other users in this VLAN (what about user mobility???), or ...
- You can turn on GVRP and that will dynamically add to every trunk port (that has GVRP enabled) every VLAN that it "hears" so that VLAN traffic can go wherever needed. Not supported by Cisco.
VLAN Scalability at UNC
We use Door #2 wherever possible!
Quality
- some packets, < 10%, receive better service / are expedited ...
- ... conversely, some packets receive worse service / are delayed, or are policed / dropped
- QoS must be managed end-to-end on all intervening devices
QoS
- none / best-effort
- add more bandwidth, add parallel network
- 802.1p comes with 802.1Q VLANs
- 8 levels, higher number is better service
- 8 queues
QoS
- ToS
- already in IPv4 header (3 bits for IP precedence), but rarely used and often ignored
- DiffServ re-uses entire ToS byte
- but few standards (8 or 21 out of 64 depending on how strict you are)
- useful to convert 802.1p for routers
- IntServ: the Hard QoS example
- MPLS-TE
- hard, expensive, limited scope
QoS Compared
When to use QoS
- scope
- external: identify issue, work with ISP
- internal: identify, fix
- time
- latency: find, upgrade
- jitter: find, then upgrade or shape traffic
- congestion
- always: add bandwidth
- critical times: prioritize traffic
- sometimes: plan for upgrade
Where to use QoS
- tagging: edge
- edge switches run at about 0.2% CPU utilization
- policing: as close to edge as possible
- drop before congestion
- expediting: core
- expedite where congestion is more likely thanks to aggregation
DNS
- Paul Mockapetris, 25 years ago
DNS Records
- SOA record
- primary master nameserver, contact email, serial number, refresh, retry, expire, min TTL
- A record
myterm.domain.unc.edu in a 152.2.24.153
- PTR record
153.24.2.152.in-addr.arpa in ptr myterm.domain.unc.edu
- Cname record
me.domain.unc.edu in cname myterm.domain.unc.edu.- final dot is crucial!
- MX record
myterm.domain.unc.edu in mx 0 mailhost.domain.unc.edu.
DNS Troubleshooting
- host, dig, nslookup, whois
- try another server as primary!
DHCP
- DORA
- Troubleshooting
- can client reach server? (ping)
- does server hear client's request? (server running, helper address for broadcasts through router(s))
- does server have available leases (check server logs)
- ping, syslog, packet capture
Security
- IPS considerations and tradeoffs
Routing
Routing: MPLS
- separates packet forwarding from packet routing
- MPLS-TE, traffic engineering, can be used for QoS
- virtual circuits (VRF, virtual routing and forwarding)
- MPLS VPN
- general
- not-low-end routers
- LSP, LDP
Routing: OSPF
- interior routing protocol (vs BGP)
- various states ...