NET 102 - Networking Essentials II

Chapter 16, Network Optimization

Objectives:

This lesson discusses making networks more resilient and better performing: redundancy, link aggregation, loop prevention, load balancing, quality of service, and troubleshooting. Objectives important to this lesson:

  1. Controlled redundancy
  2. Ethernet bonding/NIC teaming
  3. Spanning tree protocol
  4. Load balancing
  5. Quality of service
  6. Traffic/bandwidth/packet shaper
  7. Multilayer switches
  8. Troubleshooting
Concepts:
Chapter 16, Network Optimization

TestOut tells us in this chapter that some redundancy is a good thing for a network, partly because components and connections fail. There should be ways to accommodate failure for that reason alone. There may also be instances in which we use what seem like redundant components to increase performance when there is no failure.

Ethernet bonding is an example of using redundant NICs to increase a server's bandwidth on the network while also surviving the loss of one link. It is done on Windows servers, as opposed to Windows workstations, because Windows server operating systems typically support this technique but Windows workstation operating systems typically do not. (This observation will, no doubt, have to be updated in the future.) Linux servers typically support this technique and call it by this name (the kernel's bonding driver; a newer "team" driver does the same job). NIC teaming, or network teaming, is another name for Ethernet bonding, and is the name more typically used in Windows networks.

To implement NIC teaming, first install two or more NICs in a server, then connect them either to different switches or to the same switch.

  • If the NICs go to different switches, the team is switch independent: the switches need no special configuration and do not know the NICs are teamed. The usual arrangement here is active/passive, with one NIC carrying traffic while the other sits in standby, ready to take over if the active NIC or its switch fails. This protects against the loss of a whole switch, but it does not add bandwidth.
  • If both NICs connect to the same switch, they can run in active/active mode, both processing frames at all times. This increases the server's bandwidth, but the switch must support the technique (link aggregation, static or LACP) and be configured for it, and that one switch is now a single point of failure for the server.

The lesson also wants us to understand Spanning Tree Protocol. Historically, this protocol was designed for bridges, but the problem it applies to occurs on switches as well. The bottom line is that bridges and switches are (mostly) layer 2 devices. They work with MAC addresses. When there are two (or more) paths across switches from one segment to another, and the switches on those paths both forward frames, a frame can circle the loop indefinitely (there is no hop count at layer 2 to kill it), broadcasts multiply into a broadcast storm, and each switch sees the frames forwarded by the other, so its MAC address table flaps between ports and it can no longer tell which segment/port a MAC address lives on. This is bad.

Enter the spanning tree protocol, like a hero to solve our problem. The protocol says that if there are two ways to cross over to another segment, the devices will determine which device has the best connection, use the route across that device, and block the other path so the active topology is a loop-free tree (the blocked path is kept in reserve). To choose the best path, each device sends information about itself and its connections to the other devices in Bridge Protocol Data Units (BPDUs). This process is carried out every time a path is added or lost, and the process of settling on the preferred paths is called convergence. Classic STP (IEEE 802.1D) can take 30 to 50 seconds to converge; Rapid Spanning Tree Protocol (RSTP, 802.1w) typically converges within a few seconds, often under a second.

Every port on a switch can be in one of several states. Three are important to this discussion (these are the RSTP names; classic STP splits the first one into blocking and listening):

  • Discarding - a port in this state neither learns MAC addresses nor forwards frames; it still receives and processes BPDUs, which is how it knows when to take over
  • Learning - a port in this state is learning MAC addresses and the ports they were seen on, and is writing that information into the MAC address table of its switch/bridge, but it is not yet forwarding frames
  • Forwarding - a port in this state is doing the things in the learning mode, and it is also forwarding frames based on information in the MAC address table

Spanning tree protocol also causes bridges/switches to elect a root bridge. Remember that information the bridges/switches send about themselves? It includes their bridge IDs, composed of a priority value assigned by an admin (the default is 32768) followed by the bridge's MAC address. The bridge with the lowest ID is automatically the root bridge: priority is compared first and the MAC address breaks ties, so if all priorities were the same, the bridge with the lowest MAC address would be the root bridge. Note that the admin can rig the election by assigning a low priority to a favorite bridge. Note too that any device that can send BPDUs can claim a low priority, which is why production switches usually enable BPDU guard or root guard on ports facing end hosts: a BPDU arriving on such a port shuts the port down rather than being allowed to reshape the tree.

Another feature of the spanning tree protocol is that it calls for each device to keep sharing its information regularly. The root bridge sends a BPDU every hello interval (2 seconds by default), and the designated bridge for each segment (the one being used to reach that segment) relays it. If a designated bridge stops sending BPDUs for longer than the maximum age (20 seconds by default in classic STP; RSTP notices much sooner), the remaining bridges recompute and choose a new designated bridge for the segment whose designated bridge has gone down. In this way, devices sharing redundant paths across a network can manage the details about those paths by themselves, in most cases.
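The root election and the resulting loop-free tree, as an added example (this is my illustration, not TestOut's material). Bridge IDs are compared the way 802.1D does it, priority first and MAC as the tie-break; each non-root bridge keeps the port with the lowest root path cost (ties broken by the sender's bridge ID) and the links left out of the tree are put in the discarding state. The switch names, MAC addresses, priorities and link costs are all constructed, one link per bridge pair and a connected topology are assumed, and the second topology adds a constructed "rogue" bridge that claims priority 0 to show why BPDU guard and root guard exist.

```python
"""Root election and loop-free tree the way 802.1D compares bridge IDs.

Added example, not TestOut material.  Each bridge advertises
(priority, MAC); the lowest tuple is root, priority first and MAC as
tie-break.  Every other bridge keeps the port with the lowest root path
cost (ties broken by the sender's bridge ID) as its root port, and links
left out of the tree are put in the discarding state.  Switch names,
MACs, priorities and costs are constructed; one link per bridge pair and
a connected topology are assumed.
"""
import heapq

def bridge_id(priority, mac):
    """Lower is better; priority is compared before the MAC address."""
    return (priority, mac.lower())

def elect_root(bridges):
    """bridges: {name: (priority, mac)} -> name of the root bridge."""
    return min(bridges, key=lambda n: bridge_id(*bridges[n]))

def spanning_tree(bridges, links):
    """links: [(bridge_a, bridge_b, cost)].

    Returns (root, root_port, discarding): root_port maps each non-root
    bridge to the neighbour it reaches the root through; discarding is
    the set of links (as frozensets) that STP blocks."""
    root = elect_root(bridges)
    adj = {n: [] for n in bridges}
    for a, b, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    # best[node] = (root path cost, sender bridge ID, sender name);
    # Dijkstra from the root with the 802.1D tie-break on sender ID.
    best = {root: (0, (), None)}
    heap = [(0, (), root)]
    while heap:
        cost, via_id, node = heapq.heappop(heap)
        if (cost, via_id) > best[node][:2]:
            continue  # stale heap entry
        node_id = bridge_id(*bridges[node])
        for nbr, link_cost in adj[node]:
            cand = (cost + link_cost, node_id, node)
            if nbr not in best or cand[:2] < best[nbr][:2]:
                best[nbr] = cand
                heapq.heappush(heap, (cand[0], cand[1], nbr))
    root_port = {n: best[n][2] for n in bridges if n != root}
    tree = {frozenset((n, p)) for n, p in root_port.items()}
    discarding = {frozenset((a, b)) for a, b, _ in links} - tree
    return root, root_port, discarding

# Constructed three-switch triangle, all at the default priority 32768.
BRIDGES = {"SW1": (32768, "00:00:5e:00:53:10"),
           "SW2": (32768, "00:00:5e:00:53:20"),
           "SW3": (32768, "00:00:5e:00:53:30")}
LINKS = [("SW1", "SW2", 4), ("SW2", "SW3", 4), ("SW1", "SW3", 19)]

# Constructed attacker: a device that sends BPDUs claiming priority 0
# and plugs into SW1 and SW3.  It wins the election and SW1<->SW3
# traffic now crosses its links, where it can be sniffed or dropped.
ROGUE_BRIDGES = {**BRIDGES, "rogue": (0, "00:00:5e:00:53:ff")}
ROGUE_LINKS = LINKS + [("rogue", "SW1", 4), ("rogue", "SW3", 4)]

if __name__ == "__main__":
    for label, b, l in (("normal", BRIDGES, LINKS),
                        ("rogue", ROGUE_BRIDGES, ROGUE_LINKS)):
        root, rp, blocked = spanning_tree(b, l)
        print(f"{label}: root={root} root_ports={rp} "
              f"discarding={[sorted(x) for x in blocked]}")
```

In the normal topology SW1 wins on lowest MAC and the expensive SW1-SW3 link is blocked; with the rogue present, SW1 and SW3 both choose the rogue as their root port and the real SW2-SW3 link is blocked instead. Nothing in the election authenticates the sender, so the only defence is to refuse BPDUs on ports where no switch should be.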

TestOut also discusses load sharing, which is sometimes called load balancing. With regard to networking, load sharing means distributing traffic across multiple routes (or, for a load balancer in front of servers, across multiple servers). A router with two equal-cost routes to a destination can send some packets down each route; because packets that take different paths may arrive out of order, routers normally hash each flow (the addresses and ports) to one path rather than alternating packet by packet. IP already splits data into packets that may travel separately and be reassembled at the far end, so this should not be a new concept.
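Per-flow versus per-packet distribution across two equal-cost paths, as an added example (my illustration, not TestOut's material). The packets, the two path latencies and the hash seed are constructed; real routers use their own hashing, but the idea that the seed should not be guessable from outside is the same.

```python
"""Per-flow versus per-packet load sharing across equal-cost paths.

Added example, not TestOut material.  Two paths of unequal latency carry
one TCP flow.  Per-packet round-robin uses both paths evenly but hands
the packets to the receiver out of order; hashing the flow's 5-tuple
keeps every packet of the flow on one path.  Packets, latencies and the
seed are all constructed for the demonstration.
"""
import hashlib
from itertools import cycle

# Constructed: one TCP flow (src, dst, proto, sport, dport), ten packets.
FLOW = ("10.0.0.5", "192.0.2.10", 6, 40000, 443)
PACKETS = [{"flow": FLOW, "seq": i} for i in range(10)]
# Constructed: path 0 is a short link, path 1 a longer route (milliseconds).
PATH_LATENCY_MS = [1.0, 10.0]
SECRET_SEED = b"constructed-router-seed"  # assumed; vendors keep their own

def flow_hash_path(five_tuple, n_paths, seed=SECRET_SEED):
    """Map a 5-tuple to a path index.

    Mixing in a seed the outside world does not know stops a sender from
    working out which flows share a path and deliberately overloading it."""
    digest = hashlib.sha256(seed + repr(five_tuple).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_paths

def per_flow_paths(packets, n_paths):
    return [flow_hash_path(p["flow"], n_paths) for p in packets]

def per_packet_paths(packets, n_paths):
    rr = cycle(range(n_paths))
    return [next(rr) for _ in packets]

def arrival_order(packets, paths, latency_ms=PATH_LATENCY_MS):
    """Packet i leaves at time i ms and arrives after its path's latency.
    Returns the sequence numbers in the order the far end sees them."""
    arrivals = sorted((i + latency_ms[path], p["seq"])
                      for i, (p, path) in enumerate(zip(packets, paths)))
    return [seq for _, seq in arrivals]

def is_reordered(order):
    return order != sorted(order)

if __name__ == "__main__":
    print("per-flow  :", arrival_order(PACKETS, per_flow_paths(PACKETS, 2)))
    print("per-packet:", arrival_order(PACKETS, per_packet_paths(PACKETS, 2)))
```

With per-packet splitting every other packet takes the slow path and the receiver sees 0, 2, 4, 6, 8 before 1, 3, 5, 7, 9, which TCP treats as loss; with per-flow hashing the whole flow lands on one path and arrives in order.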

TestOut mentions Quality of Service in regard to time sensitive delivery of packets. The following notes are taken from the NET 226 class, whose text discusses some methods to meet Quality of Service requirements that your customer may have.

  • IP Precedence and Type of Service - This part is historical, so bear with it.
    The text explains that IP packets have always had bits in their headers to tag their service types, so some packets could be given precedence over others. This link will take you to a page that diagrams the header portion of several types of packets. The bottom line is that if you used routers and applications that could handle this data, you could hope to prioritize packets from applications that needed time sensitive delivery.

    Note that the Type of Service byte was subdivided into a three-bit Precedence (priority level) field, three Type bits (minimize delay, maximize throughput, maximize reliability), and two unused bits. Note also that the value in the Precedence field only lets the router choose between packets that are queued for the same outgoing interface (port). What does this mean? That packets queued for different interfaces are not in competition with each other, which is one more reason for a router to have multiple routes to the same destination, since the choice of exit port is made before any queuing happens. This may be more important than the rest of the details in this part of the discussion, since the author ends it by telling us that no protocols made good use of this information, and the next discussion is more important.

  • IP Differentiated Services Field - The text explains that this was the next evolution of the Type of Service byte in IP packets: the same byte, now called the DS field, with its high six bits forming the Differentiated Services Codepoint (DSCP) and its low two bits later assigned to Explicit Congestion Notification (ECN). The confusing illustration on page 377 uses two methods to number the bits. The lower part of the illustration numbers them consecutively from the beginning of the packet. The upper part numbers them from the beginning of the DSCP field. The purpose of the field is the same as it always was; this is just the newer way of coding it.

  • Resource Reservation Protocol (RSVP) - RSVP is not a very good acronym. It is a protocol that can be used by a host to request a quality of service from a network. Routers can make this request to other routers to set up channels of a particular service level. The text explains that using RSVP is an example of an out of band request for a service level. Using the bits in the DSCP field to mark packets for a service level is an example of an in band request for service.
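The same header byte decoded both ways, as an added example (my illustration, not TestOut's or the NET 226 text's). It builds one constructed IPv4 header marked for expedited forwarding and reads the second byte first as RFC 791 precedence/type bits and then as DSCP plus ECN, and it shows the ingress-normalization step a practitioner applies because a DSCP mark is only as honest as the host that set it. The addresses and the packet are constructed.

```python
"""The ToS/DS byte of an IPv4 header read both ways.

Added example, not TestOut material.  RFC 791 read the second header
byte as 3 Precedence bits, three Type bits (delay, throughput,
reliability) and two unused bits; RFC 2474 renamed the same byte the
Differentiated Services field, with a 6-bit DSCP in the high bits and
the low 2 bits later assigned to ECN (RFC 3168).  Both numberings are
applied to one constructed header below.
"""
import struct

PRECEDENCE_NAMES = ["Routine", "Priority", "Immediate", "Flash",
                    "Flash Override", "CRITIC/ECP", "Internetwork Control",
                    "Network Control"]

def build_ipv4_header(tos, src, dst, proto=17):
    """Constructed 20-byte IPv4 header (no options, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, proto, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))

def ds_byte(packet):
    """Byte 1 of an IPv4 header is the ToS/DS byte."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return packet[1]

def decode_tos(byte):
    """RFC 791 view: precedence in bits 7-5, D/T/R flags in bits 4-2."""
    return {"precedence": byte >> 5,
            "precedence_name": PRECEDENCE_NAMES[byte >> 5],
            "low_delay": bool(byte & 0x10),
            "high_throughput": bool(byte & 0x08),
            "high_reliability": bool(byte & 0x04)}

def phb_name(dscp):
    """Standard per-hop behaviour names: EF = 46, CSx = 8x, AFxy = 8x + 2y."""
    if dscp == 46:
        return "EF"
    cls, rem = divmod(dscp, 8)
    if rem == 0:
        return f"CS{cls}"
    if 1 <= cls <= 4 and rem in (2, 4, 6):
        return f"AF{cls}{rem // 2}"
    return "other"

def decode_ds(byte):
    """RFC 2474/3168 view: DSCP in bits 7-2, ECN in bits 1-0."""
    dscp = byte >> 2
    return {"dscp": dscp, "phb": phb_name(dscp), "ecn": byte & 0x03}

def ingress_normalize(byte, trusted):
    """Marks are only as honest as the host that set them.  On an
    untrusted edge port, clear the DSCP (keep ECN) so a host cannot mark
    its own traffic EF and jump the queue; trusted uplinks keep marks."""
    return byte if trusted else byte & 0x03

# Constructed: a VoIP-style packet marked EF (DSCP 46 -> byte 0xB8).
SAMPLE_HEADER = build_ipv4_header(0xB8, "10.0.0.5", "192.0.2.10")

if __name__ == "__main__":
    b = ds_byte(SAMPLE_HEADER)
    print(f"byte 0x{b:02X}: RFC 791 view {decode_tos(b)}")
    print(f"byte 0x{b:02X}: DS view {decode_ds(b)}")
    print(f"after untrusted ingress: 0x{ingress_normalize(b, trusted=False):02X}")
```

The byte 0xB8 reads as precedence 5 with the low-delay and high-throughput bits set under the old numbering, and as DSCP 46 (EF) with ECN 0 under the new one; the two schemes were designed so that the precedence bits line up with the class selector codepoints, which is why old and new routers could coexist.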

TestOut also mentions devices that may be called traffic shapers, bandwidth shapers, or packet shapers. Their purpose is to be aware of the current demands on a network and to take steps to prioritize the flow of data across it, giving packets that carry a priority mark precedence over those that do not. Methods mentioned include bandwidth throttling, which limits the amount of data that can be pulled from a device, and rate limiting, which caps the rate of requests or bytes allowed to (or from) specific customers or sources. Both methods may help blunt a flood aimed at a server, with the caveat that a per-source limit does little against traffic that arrives from many sources at once.
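A per-client token bucket, which is the mechanism most shapers and rate limiters are built on, run over a constructed request log as an added example (my illustration, not TestOut's material). One client floods at 8 requests per second, another sends one per second; the limit is 4 per second with a burst of 10. The same code throttles on bytes instead of request count when the cost of a request is taken from its size. The client addresses and timestamps are constructed.

```python
"""Token-bucket rate limiting per client, as a traffic shaper applies it.

Added example, not TestOut material.  Each client gets a bucket that
refills at `rate` tokens per second up to `burst`; a request (or a byte
count, via `cost`) passes only if enough tokens are present.  The
request log is constructed: one flooding client and one quiet client.
"""
from collections import defaultdict

class TokenBucket:
    def __init__(self, rate, burst):
        self.rate = rate        # tokens added per second
        self.burst = burst      # bucket capacity (largest allowed burst)
        self.tokens = burst     # start full
        self.last = None

    def allow(self, now, cost=1):
        """Refill for the time elapsed, then spend `cost` tokens if possible."""
        if self.last is None:
            self.last = now
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False

def apply_limits(requests, rate, burst, cost_key=lambda r: 1):
    """requests: iterable of (timestamp, client, nbytes), timestamps ascending.
    Returns {client: (allowed, dropped)}.  Pass cost_key=lambda r: r[2] to
    throttle on bytes (rate/burst in bytes) rather than on request count."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    counts = defaultdict(lambda: [0, 0])
    for req in requests:
        ts, client, _ = req
        ok = buckets[client].allow(ts, cost_key(req))
        counts[client][0 if ok else 1] += 1
    return {c: tuple(v) for c, v in counts.items()}

# Constructed sample: 40 requests in 5 seconds from one client (8/s) and
# 5 requests in 5 seconds from another, 512 bytes each, documentation
# addresses.  Timestamps are multiples of 1/8 s so the arithmetic is exact.
FLOOD_CLIENT = "198.51.100.7"
QUIET_CLIENT = "203.0.113.4"
SAMPLE_REQUESTS = sorted(
    [(k * 0.125, FLOOD_CLIENT, 512) for k in range(40)] +
    [(float(t), QUIET_CLIENT, 512) for t in range(5)])

if __name__ == "__main__":
    print("by request:", apply_limits(SAMPLE_REQUESTS, rate=4, burst=10))
    print("by bytes  :", apply_limits(SAMPLE_REQUESTS, rate=2048, burst=4096,
                                      cost_key=lambda r: r[2]))
```

The flooding client gets its first ten requests through on the burst allowance and is then held to roughly the refill rate, while the quiet client is never touched; that isolation between sources is what makes per-client limiting useful against a single noisy or hostile source, and also why it fails against a flood spread over many addresses.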

As noted above, switches were designed as ISO-OSI model Layer 2 devices because they use MAC addresses for their primary duties. TestOut tells us that switches use hardware circuits to perform these tasks. The circuit noted in the discussion is an application-specific integrated circuit (ASIC). It is described as allowing the switch to operate at wire speed, meaning that frames are forwarded as fast as the cable in question will carry them, because the ASIC does the lookup and forwarding instead of passing each frame to the switch's CPU to be examined.

Managed switches, however, can also operate at higher layers of the networking model. A multilayer switch adds Layer 3 routing (between VLANs, for example) in the same hardware. TestOut refers to switches operating on Layers 4 through 7 as content switches, web switches, or application switches. Their value is that they can perform load balancing, decryption (TLS offload), and other functions at wire speed through the use of ASIC functions.

TestOut finishes the chapter with a unit on troubleshooting. Note that the main thing is to be calm and cautious, and to use the specific set of troubleshooting steps listed in the material. Keep in mind the advice typically given to doctors: first, do no harm. Review the troubleshooting steps proposed by TestOut and you will see that this is a key principle in their method.

Week 9 Assignment: Labs for Chapter 16

  1. Complete as many labs as you can, as soon as you can. For this week, concentrate on doing the labs in Chapters 3 and 4 of the TestOut lessons. Repeat the labs until you score at least 80% on them.
  2. When you have done what you can for this week, capture a screen that shows your current progress, and submit it to me as this week's report of your progress.