Internetworking Ch. 8.pptx
Internetworking Ch. 8

Internetworking
Internetworking—the seamless transfer of information throughout an enterprise, even if that enterprise has plants and offices throughout the world—is really the end goal of enterprise communications
Most internetworking deployments are generally based on established standards, or standards-to-be, and that is the rationale for this chapter
This chapter reviews some previously discussed information to ensure that key concepts are understood

Layer 2: Internetworking Equipment
A Layer 2 device reads the data link information and uses it to perform some action
Both devices read the packet's Layer 2 destination address (the physical address)
A bridge or a switch, depending on its feature set, can identify the protocol by reading the type/length field and determine the 802.2 packet information or any other protocol information available for the purpose of filtering

Switch Definition
Recall that a switch reads the Layer 2 address and then uses an electronic switch to move the information to the addressed location
The switch consists of a processor, or processors, and an electronic crossbar that replaces the collapsed bus in a hub; this electronic crossbar is the switching fabric
Modern Ethernet switches can auto-detect speeds and perform conversions for 10 Mbps, 100 Mbps, and 1000 Mbps Ethernet

Bridge Definition
A bridge is a device that contains two sets of Layer 1 and 2 functions and connects network segments of the same type
If the bridge is transmitting, it develops a cyclic redundancy check character (CRCC), also called a frame check sequence, and appends it to the transmitted packet payload
The bridge uses an internal table, called a bridge table, to determine which side of the bridge the devices reside on
Regardless of the type, all bridges perform the following functions:
Forwarding
Filtering
Forwarding is when a packet is moved from the source port to the destination port

Bridge Definition
Two methods are used to reduce the number of collisions on a many-node shared network segment: increasing the data speed or using a bridge to break up the collision domain into smaller domains

Types of Bridges
Several different devices are called bridges; some actually are bridges, and some are not
In general, bridges are classified as:
Static
Static bridges, popular from the mid-1970s to the mid-1980s, are no longer in use; however, it is helpful to understand how they worked

Static Bridge
The table was a database containing each device's connectivity to each port
The purpose of the table was to ensure that the bridge would forward packets across the bridge when necessary and block packets that did not need to be forwarded

Learning Bridge
The learning bridge is the contemporary model bridge
Learning bridges are dynamic, in that changes are identified and reflected within a short time period
On systems running the Transmission Control Protocol/Internet Protocol suite of protocols, the Address Resolution Protocol can be used to populate the bridge tables

Transparent Bridge
Transparent bridging is the easiest from the user's point of view, as there are no computations other than the spanning tree algorithm for the user to implement
In many cases, transparent bridging only applies to Ethernet, and there are a host of other network protocols, particularly in industrial networking, that must be interconnected on a Layer 1/Layer 2 basis

Translating Bridge
A translating bridge passes packets between two different networks, such as 802.3 and 802
A translating bridge must change between big-endian and little-endian transmission, different packet sizes, and different bridging techniques
The 802.5 network also uses source routing, a different concept than transparent bridging, which requires translation between the two bridging techniques: transparent and source routing
Used in token ring networks, a source route bridge places the Layer 2 packet routing and loop detection on the client, rather than on the bridge
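As an added illustration of the learning bridge and its forwarding and filtering functions described above (example code written for this transcript, not from the slides), the following Python models a multi-port bridge that checks the CRCC, learns source addresses into its bridge table, and then filters, forwards or floods each frame. It reuses the figure 8-2 station addresses from later in the chapter; the port assignments and the little-endian FCS encoding are assumptions of the example.

```python
"""Learning bridge over parsed Ethernet frames (added example; not from the slides)."""
import struct
import zlib


def parse_frame(frame: bytes) -> dict:
    """Read the Layer 2 fields a bridge looks at and verify the CRCC (FCS)."""
    if len(frame) < 18:  # 14-octet header plus a 4-octet FCS at minimum
        raise ValueError("frame too short")
    dst = frame[0:6].hex("-")
    src = frame[6:12].hex("-")
    type_len = struct.unpack("!H", frame[12:14])[0]
    # Type/Length rule from the chapter: 1500 or less is a length and 802.2
    # control octets follow; a larger value identifies the Layer 3 protocol.
    kind = "802.3/802.2" if type_len <= 1500 else "EtherType 0x%04x" % type_len
    # CRC-32 over everything before the FCS; this example stores the FCS little-endian.
    fcs_ok = zlib.crc32(frame[:-4]) == struct.unpack("<I", frame[-4:])[0]
    return {"dst": dst, "src": src, "kind": kind, "fcs_ok": fcs_ok}


def make_frame(dst: str, src: str, type_len: int, payload: bytes) -> bytes:
    """Build a constructed test frame and append its CRC-32 FCS."""
    body = bytes.fromhex(dst.replace("-", "") + src.replace("-", ""))
    body += struct.pack("!H", type_len) + payload
    return body + struct.pack("<I", zlib.crc32(body))


class LearningBridge:
    """Multi-port learning bridge: learns source addresses, then forwards,
    filters (same-port match) or floods (no match) each frame."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}  # bridge table: MAC address -> port it was last seen on

    def receive(self, port, frame):
        f = parse_frame(frame)
        if not f["fcs_ok"]:
            return "drop", []  # CRCC mismatch: do not propagate a damaged frame
        self.table[f["src"]] = port  # learning: the sender lives on the ingress port
        out = self.table.get(f["dst"])
        if out is None:
            return "flood", [p for p in self.ports if p != port]
        if out == port:
            return "filter", []  # destination is on the same segment: block
        return "forward", [out]


def demo():
    """Replay the figure 8-2 stations: A and B share port 1, C sits on port 2
    (port numbers are assumed; the figure is not reproduced here)."""
    a, b, c = "06-fe-01-c3-24-78", "06-fe-01-10-00-f4", "06-fe-01-35-c2-ce"
    br = LearningBridge(ports=[1, 2, 3])
    actions = []
    actions.append(br.receive(1, make_frame(b, a, 0x0800, b"hello"))[0])  # B unknown
    actions.append(br.receive(1, make_frame(a, b, 0x0800, b"reply"))[0])  # same port
    llc = b"\xaa\xaa\x03" + b"\x00" * 43  # 46-octet 802.2 body, so Type/Length = 46
    actions.append(br.receive(2, make_frame(a, c, 46, llc))[0])  # different port
    damaged = bytearray(make_frame(a, c, 0x0800, b"corrupt"))
    damaged[20] ^= 0xFF  # flip a payload bit so the CRCC no longer matches
    actions.append(br.receive(2, bytes(damaged))[0])
    return actions, br.table


if __name__ == "__main__":
    print(demo())
```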
Source Route Bridge
Source routing is not as efficient as the spanning tree algorithm because it depends on the client, rather than the bridge
Token ring networks can use the spanning tree algorithm instead of source routing, provided that all of the token ring network bridges/switches can also do so
Many bridges, called remote bridges, have provision for wide area connectivity and enable bridging across the wide area network

Remote Bridges
One concern with remote bridging is its lack of bandwidth in most WAN applications
A bridge is not the answer to crossing a WAN; a Layer 3 device should be considered

Switches as Bridges
A switch reads the data link addresses, just as a bridge does, and determines which port to connect
A switch should be considered to be a multi-port bridge
For both switches and bridges, there are some considerations that must be taken into account with complex connections

Filtering
A bridge operates in "promiscuous" mode
Filtering means the bridge matches a packet to its bridge table
This produces one of three results: the match is on the same port, the match is on a different port, or there is no match

Same Port Match
Referring to figure 8-2, note that when the bridge receives a packet from workstation 06-fe-01-c3-24-78 for delivery to workstation 06-fe-01-10-00-f4, it looks in the bridge table and finds a match—on the same port
The bridge then blocks the packet, preventing it from crossing the bridge
The bridge takes two actions on this packet: it prevents it from travelling across the bridge and it checks the CRCC

Different Port Match
Referring to figure 8-2, note that if the bridge receives a packet from workstation 06-fe-01-35-c2-ce for delivery to workstation 06-fe-01-c3-24-78, it finds a match in the table—on a different port
The bridge therefore forwards the packet across the bridge and checks the CRCC

Flooding: No Match Found
Referring to figure 8-3, if the bridge receives a packet with a destination address that cannot be found in the bridge table, the bridge floods—sends the packet to—all of the available ports except the port where the packet originated
A two-port bridge would merely forward to the other port; bridges with three or more ports would flood this packet to all ports in the hope of obtaining an answer from one of them
The method used to accomplish loop elimination in a transparent bridge is the spanning tree algorithm

Spanning Tree Algorithm
The spanning tree algorithm is an IEEE 802.1D standardized method that enables bridges to detect and eliminate network loops
Although this adds more traffic to the network, it uses configuration messages between bridges to determine a single path between network segments
It does this by developing a tree structure—one root and many branches; the branches are paths to the network segments or ports
The STA determines a root bridge and then opens the loops by blocking certain bridge I/O ports
The algorithm used to create the tree and to locate devices within the tree structure uses this ID

Spanning Tree Algorithm
For our present purposes, a configuration message should have three parts:
Number of hops
As mentioned above, the tree is set up using spanning tree configuration messages

Spanning Tree Summary
Crucial to your understanding of bridges, or any Layer 2 device, are the fact that the lowest ID is the root and the concept of configuration messages
Most industrial bridges and switches use a slightly different algorithm called the rapid spanning tree algorithm
This algorithm does not need as much time to determine the root and tree upon startup or after loss of the current root
Since we are dealing with industrial networks, redundancy is relevant

Layer 3 Devices
Network redundancy is common within industrial systems
Redundant industrial Ethernet networks, or any other redundant network dedicated to industrial requirements, are generally vendor-specific implementations
As we stated at the outset of this book, industrial systems are becoming a part of larger systems

VLANs
This includes having their packets go other places—not simply remaining within the little islands of automation that they have been restricted to in the past
Layer 3 is where you find the network you want to address and where you find out how to route to the location you want

Layer 3 Packet Information
In this section we will deal primarily with TCP/IP over Ethernet: the LAN standard
If the decimal value of the two Type/Length octets is less than 1500 decimal, it is expected that the 802.2 control octets follow
If the two octets are more than 1500 decimal, the frame is a non-802.2 frame and the Type/Length octets identify which protocol will be followed

Router Actions
In order to simplify the explanation of routing, simple numbers, rather than complete addresses, are used in the following examples
When a router receives a packet that is destined for another network, it must create a route or path to the foreign network in the form of a list of router hops
Every time a router receives a packet and hands it off, it rewrites the data link address for the next router to which the packet will travel
Each router has to determine, on its own, the travel path for each packet
Figure 8-9 is a simplified explanation of how a packet goes from a workstation with a Layer 2 address of 101 to a workstation with a Layer 2 address of

Router Actions
If the MAC address it is looking for is not on this network segment, then it will plug in the MAC address of the default router, in our case
Router 105 would look in its routing table and see if a path exists to Network
Since we will discuss discovery later, let us assume that the routing table has that path
The router will move the packet across the router and change the Layer 2 addresses to reflect the next router in line, as shown in figure 8
You will note that the Layer 3 addresses remain unchanged but the Layer 2 addresses reflect moving the packet onto the Network 30 segment

Router Protocols: Exterior Gateway
For a single connection to the Internet, the routing outside the Layer 2 network is simple: all messages not going to an internal host go to the default gateway that connects to the Internet

Advertising
Border Gateway Protocol and other such "exterior gateway" protocols were defined to allow routers on the edge of adjacent networks to exchange information about the IP address ranges they know about
To use BGP, the router must be on a /24 network and it must be assigned a 16-bit Autonomous System Number by the American Registry for Internet Numbers

Advertising
With BGP, the designated border router communicates with its peers, the border routers it directly connects with, and exchanges routing information, such as IP addresses in its network and routes it knows about from peer communications

Router Protocols: Interior Gateway
BGP is used to exchange routing information between autonomous systems and is the protocol used between Internet service providers
Customer networks usually employ an Interior Gateway Protocol, such as Routing Information Protocol, Intermediate System to Intermediate System, Enhanced Interior Gateway Routing Protocol, or Open Shortest Path First, to exchange routing information within their networks
BGP can technically be used internally but it is more common to use the RIP or OSPF routing protocols

Routing Information Protocol
RIP is a distance vector protocol
The protocol derives its name from the fact that it uses a single measurement of path length: the number of hops
It is a dynamic routing protocol that was developed for internal use on smaller IP networks
RIP uses User Datagram Protocol port 520 for route updates and calculates the best route based on hop count
RIP requires less CPU power and RAM than other routing protocols but it does have limitations:
Metric: Since RIP uses the hop count to determine the best route to a destination, based solely on how many hops it is to the destination network, RIP tends to be inefficient if there are multiple routes to the same location

Routing Information Protocol
This design is used to prevent routing loops, in which data could never get off of the media and would circulate forever, as though it were routed to nowhere
Class Routing Only: RIP v1 is a classful routing protocol that supports the original IPv4 classes: A, B, and C
RIP v1 advertises all networks it knows as class-type networks; therefore, it cannot subnet a network properly other than by using /8, /16, or /24 subnet masks
Routers running RIP broadcast the full list of all the routes they know every 60 seconds
The router listens to all the other routers that are sending updates and then builds a routing table from the updates

Link State Protocols
Link state protocols use more information than hop count, such as link speed, location, and the like
Link state protocols converge much faster than distance vector protocols
The protocol we will discuss is Open Shortest Path First
OSPF: This routing protocol is used to determine the correct route for packets within IP networks
OSPF supports CIDR and Variable Length Subnet Masks
OSPF supports authenticating route updates
OSPF uses Link State Flooding to tell other routers which LANs this router is directly connected to
Link State Flooding: Using a process called link state flooding, routers using the OSPF protocol send out information concerning networks that they are directly connected to in the form of an advertisement

Link State Protocols
OSPF messages are in the form of IP datagrams packaged using protocol number 89 for the IP Protocol field
OSPF utilizes five message types for various types of communication:
Hello: Routers use these messages as a form of greeting to discover adjacent routers on their local links and networks

Multiple Protocols
When you are using a multi-protocol router, you can keep protocol information in two ways:
Separate databases for each protocol
One database shared between protocols
We will discuss these next
The users of each protocol are effectively in two different networks and the synchronization and upgrading of link information occurs separately
Using a shared database means you have only one set of users and one set of configuration settings—a fact not to be taken lightly if you have to administer many routers—which is usually the deciding factor in selecting between "ships passing in the night" or integrated routing

How Routers Are Designated
One router is designated to be the reference router, to which all other routers synchronize their topology maps
Most of the above router explanations were based on the assumption that it is an IPv4 world, which it will be for quite some time in the industrial areas
There is a RIP for IPv6; however, the OSPF routing protocol was designed to accommodate many protocols and IPv6 presents no problems for OSPF routers
The major and most important advantage of using routers over bridges is segmentation of the network: breaking it up into organizational units

Bridges versus Routers
Segmentation makes a robust network, and it allows a quarantine to be set up, if needed
Routers add reliability by allowing fast convergence after link problems and by providing alternative paths for data

Routing Topologies
Hierarchies are established to help organize routers
The routing rules are as follows:
Level 2 routers talk to Level 2 routers at the backbone level
Level 2 routers talk to the designated Level 1 router at the area level

Router Physical Connections
Routers may have one-to-one, one-to-many, or many-to-one I/Os
A departmental multi-protocol router typically has an Ethernet connection for the LAN side and a WAN connection (channel service unit, data service unit, or fiber optic) on the routed side
These devices bridge on the LAN side and, when a packet is destined for another network, the router forwards the packet

VLANs
If a traditional IP router is used to separate network areas, then the network is divided into subnetworks
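Added example (not from the slides) of the spanning tree election described earlier in the chapter: the lowest bridge ID wins the root, hop counts propagate outward through configuration messages, and loops are opened by putting ports into the blocking state. The four-bridge topology is constructed; the root ID and sender ID fields named in the comment come from the standard algorithm, since the slide lists only the hop count.

```python
"""Spanning tree over a looped bridge topology: the lowest bridge ID becomes root and
loops are opened by blocking ports. Added example, not from the slides."""
from collections import deque

# Constructed topology: bridge IDs and the segments linking them; it contains two loops.
BRIDGES = [42, 17, 99, 63]
LINKS = [(42, 17), (17, 99), (99, 42), (99, 63), (63, 17)]


def spanning_tree(bridges, links):
    """Return (root, blocked) where blocked is the set of (bridge, neighbour) ports
    the algorithm puts into the blocking state."""
    root = min(bridges)  # lowest ID wins the root election
    adj = {b: set() for b in bridges}
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    # Hop count to the root, as each bridge learns it from configuration messages
    # (root ID, hops to root, sender ID) relayed outward from the root.
    hops = {root: 0}
    queue = deque([root])
    while queue:
        b = queue.popleft()
        for n in adj[b]:
            if n not in hops:
                hops[n] = hops[b] + 1
                queue.append(n)
    # Root port: the neighbour that advertises the fewest hops (lower ID breaks ties)
    root_port = {b: min(adj[b], key=lambda n: (hops[n], n)) for b in bridges if b != root}
    blocked = set()
    for a, b in links:
        # Designated bridge for this segment: closest to the root, lower ID on a tie
        designated = min((a, b), key=lambda x: (hops[x], x))
        for this, other in ((a, b), (b, a)):
            if this != designated and root_port.get(this) != other:
                blocked.add((this, other))  # neither root port nor designated: block
    return root, blocked


def active_links(links, blocked):
    """Segments still carrying traffic once blocked ports are removed."""
    return [(a, b) for a, b in links if (a, b) not in blocked and (b, a) not in blocked]


if __name__ == "__main__":
    root, blocked = spanning_tree(BRIDGES, LINKS)
    print(root, sorted(blocked), active_links(LINKS, blocked))
```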
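Added example, not from the slides, contrasting the RIP hop-count metric with a link-state selection driven by link speed, as the Routing Information Protocol and Link State Protocols slides above describe, on one constructed five-router topology. The cost formula (1000 divided by Mbps) is an assumption chosen for illustration, not any protocol's actual default.

```python
"""Hop-count (distance vector, as RIP) versus link-cost (link state, as OSPF)
route selection on one constructed topology. Added example, not from the slides."""
import heapq

# Constructed topology: (router, neighbour, link speed in Mbps); links are symmetric.
# R1-R2-R4 is two hops over slow links; R1-R3-R5-R4 is three hops over fast links.
LINKS = [("R1", "R2", 10), ("R2", "R4", 10),
         ("R1", "R3", 1000), ("R3", "R5", 1000), ("R5", "R4", 1000)]


def adjacency(links):
    adj = {}
    for a, b, mbps in links:
        adj.setdefault(a, {})[b] = mbps
        adj.setdefault(b, {})[a] = mbps
    return adj


def distance_vector(adj, source):
    """RIP-style: routers repeatedly exchange full tables of hop counts with their
    neighbours until nothing changes. Returns {dest: (hops, next_hop)} at `source`."""
    tables = {r: {r: (0, None)} for r in adj}  # each router starts knowing only itself
    changed = True
    while changed:
        changed = False
        for r in adj:
            for nbr in adj[r]:
                for dest, (hops, _) in list(tables[nbr].items()):
                    if dest not in tables[r] or hops + 1 < tables[r][dest][0]:
                        tables[r][dest] = (hops + 1, nbr)  # one more hop via nbr
                        changed = True
    return {d: v for d, v in tables[source].items() if d != source}


def link_state(adj, source):
    """OSPF-style: every router holds the whole topology (flooded advertisements)
    and runs Dijkstra on link cost; cost here is inversely proportional to speed."""
    cost = lambda mbps: 1000 // mbps
    dist, first_hop = {source: 0}, {}
    heap = [(0, source, source)]
    while heap:
        d, node, via = heapq.heappop(heap)
        if d > dist[node]:
            continue  # stale entry
        for nbr, mbps in adj[node].items():
            nd = d + cost(mbps)
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                first_hop[nbr] = nbr if node == source else via
                heapq.heappush(heap, (nd, nbr, first_hop[nbr]))
    return {d: (dist[d], first_hop[d]) for d in dist if d != source}


def compare(source="R1", dest="R4"):
    """Return the (metric, next_hop) each protocol family picks for dest."""
    adj = adjacency(LINKS)
    return distance_vector(adj, source)[dest], link_state(adj, source)[dest]


if __name__ == "__main__":
    print(compare())  # ((2, 'R2'), (3, 'R3'))
```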
In either case, the router or Layer 3 switch is the main locus for all of the network traffic To create a VLAN, the routing switch is configured to define devices on different ports to act as if they are on the same LAN segment VLANs can then be used to group arbitrary collections of end nodes on multiple LAN segments into separate domains Managed Switches The features and configuration of managed switches vary by manufacturer, as well as by model The configuration interface used for managing a switch is generally some form of Web interface, although there will be limited hardware configuration elements Smart switches are managed switches that have a limited user-changeable set of features VLAN settings Vendors are working to improve security and performance by adding functionality that would enable the switches to examine entire data streams and to take specific action upon them One of the problems with the present multipledevice approach is that infrastructure connectivity devices are often purchased by different groups within the organization If a Layer 3 device is configured for advanced features , it can be considered as an Application Proxy Server and—with packet examination —it may also be known as a deep inspection firewall Gateways There are other devices that are used for internetworking, however, the only other one that we will discuss is gateways because of their interest to industrial users The gateway types available include: Translating bridges/protocol converters Application layer gateways Site-to-site or computer-to-site VPN gateways We discussed the translating bridge gateway earlier in the chapter Let us discuss the rest of the gateways in turn Encapsulating Bridges/Tunneling Gateways The Data Link layer is concerned with the frame organization yet, even in the Ethernet frame, the Data Link layer does not care how the 1s and 0s are arranged between the type/length and the CRCC In the end, tunneling is how Ethernet and TCP/IP will become the 
standard in industrial networking for Layer 1 through 4 protocols This will allow vendors to claim that they use “standard” protocols, even though the tunneled information may be usable only on that vendor’s equipment Network Operating System Gateways Network operating system gateways are also called architectural gateways Windows Vista/7/8 has several protocols that must be separately loaded, with TCP/IP as the default and the only possible protocol if Active Directory is used All of the standard NOS gateways can run multiple communication protocols as communications stacks WAN Gateways Given the widespread adoption of routing as the preferable method for networking multiple networks, WAN gateways have almost been superseded by routers Most routers could be called gateways They can mix and match to the WAN, for example: Ethernet to frame relay Ethernet to Asynchronous Transfer Mode Routers can connect through fiber-optic, wireless, or copper media, depending on their feature set and the Physical layer that they interface Application Layer Gateways There are a multitude of application layer gateways, many more than can be discussed within the scope of this text Some of the available application gateways are listed below, a few are discussed in this text in greater detail Mail gateways File format gateways /FAT /NTFS ) Multi-protocol networking Virtual Private Network Gateways There are a multitude of reasons why it is necessary to have communications traffic between and among computers that is confidential, source-authenticated, and content-verified, particularly in an industrial automation and control system VPNs provide this across public or non-secure networks and restricted-access networks, such as a plant LAN A VPN creates an environment among the connected devices that is virtually the same as being connected by a physically private, restricted-access network A VPN is a system of interacting computers that operates over a public infrastructure and achieves 
privacy by ensuring: ISO digital certificates are issued to each participant Virtual Private Network Gateways VPNs may be described as providing encryption “tunnels” for data over the Internet VPNs use the Internet for transport but the payload data is indecipherable to all but the intended group The gateway term is applied to the VPN router that interfaces to a LAN ; for example, a site-tosite VPN has two VPN routers that are called gateways If a software VPN is chosen, it will require CPU cycles from the host, although most laptops and desktops have plenty of spare cycles SSL or IPsec There are two contemporary technologies for building a VPN over the Internet or an intranet: Secure Sockets Layer and Internet Protocol Security SSL is easier to deploy but is less standards-based; IPsec is harder to deploy but it is based on the Internet Engineering Task Force standards IPsec is included in many recent operating systems The main difference between SSL and IPsec is that SSL makes each software application responsible for security by adding SSL logic, while IPsec builds it into the TCP/IP networking software so it is transparent to applications PPTP, L2TP, and IPsec Many network protocols have become popular in VPN developments SSL or IPsec We will discuss the following protocols in this section: PPTP – Point-to-Point Tunneling Protocol L2TP – Layer 2 Tunnel Protocol IPsec – A collection of related protocols In Microsoft’s implementation, PPP traffic can be authenticated with Challenge-Handshake Authentication Protocol or MS-CHAP v1/v This chapter has been a brief tutorial on some of the facts you need to understand before starting out on the internetworking path Summar y For an industrial user, this is a formidable path, particularly when you have a closed system that does not integrate well with the rest of the facility Continual study of the literature, upgrade training by vendors, and a good understanding of your requirements and how they are changing are the 
best ways for industrial users to understand internetworking