Types of network devices

End devices (hosts): clients, servers
- End devices originate the data that flows through the network
- End devices are the source or destination of the messages
- They are the interface between humans and the network

Intermediary devices
- Connect hosts (end devices) to the network
- They direct the path of the data
Types of network media

BANDWIDTH is measured in bits per second. Bandwidth is a measure of the data-carrying capacity of the media.
Types of network

Peer to peer
- Easy to create
- Costs less money
- No central device is used for administration

Client/server
- Hard to create
- Costs more money
- Servers are used as central devices for administration
Networks classified by size

LAN (Local Area Network)
- Network in a small geographical area: the infrastructure that gives users and end devices in a small geographical area access to the network

WLAN
- Wireless LAN: phones, tablets

WAN (Wide Area Network)
- Network over a wide geographical area: the infrastructure that gives other networks across a wide geographical area access to the network
Networks classified by who uses them

INTERNET
- Everyone can use it

INTRANET
- A company's network that only its employees can use

EXTRANET
- A company's network accessed by suppliers, customers, etc.; it gives them secure access to company data
Types of Internet connection

Broadband
- DSL: Internet access over the telephone line
- Cable: over coaxial cable

Wireless
- Cellular
- Satellite: not suitable for wooded areas
Characteristics of a good network
- CONVERGED: carries multimedia, voice, video and text
- FAULT TOLERANT: multiple paths to the destination
- NO CONGESTION: QoS (Quality of Service) prioritises traffic so that voice and video are delivered in real time
- SECURED
Data security
- Data CONFIDENTIALITY: strong, complex passwords and authorization
- Data INTEGRITY: no one can change the data
- Data AVAILABILITY: the data is accessible when needed
Security violations
- Denial of service to your resources
- Viruses
- Capture of personal data

How to STOP security violations?
- Anti-virus software
- Firewall
- Intrusion Prevention System (IPS)
- Intrusion Detection System (IDS)
Operating system
- Hardware
- Kernel
- Shell (user interface): Command line interface (CLI): Console, Telnet, Secure Shell (SSH), AUX; Graphical user interface (GUI)
Cisco IOS access methods

Console
- Console cable to the serial port or USB port; the computer runs terminal emulation software
- A new device must be accessed through the console the first time
- Works by default
- You must work next to the physical device

Telnet
- Not enabled by default; remote access
- telnet <IP address/hostname>

Secure Shell (SSH)
- Not enabled by default; remote access. SSH encrypts the user ID, password and data of the remote session.
- ssh -l <username> <IP address/hostname>

AUX
- Older devices; the device is accessed over a telephone connection
Types of modes

Primary command modes (verification, troubleshooting)
- User EXEC mode
- Privileged EXEC mode

Configuration command modes
- Line configuration mode
- Interface configuration mode
Naming conventions (device names)
- Starts with a letter (a-z)
- Ends with a letter (a-z) or digit (0-9)
- Contains no spaces
- Uses only letters, digits, and dashes
- Is less than 64 characters in length

Banner message
MAC address
- The address is made of 12 hexadecimal digits.
- Hexadecimal runs 0-15 (0-9, 10=A, 11=B, 12=C, 13=D, 14=E, 15=F).
- One hexadecimal digit is equal to 4 bits.
- MAC address = 12 * 4 = 48 bits.
- Example of a MAC address: 0090-271A-60AF.
- To check the MAC address of the NIC on your computer, use the command: ipconfig /all
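The bullet points above can be turned into a small parser. The following is an added example, not code from the original notes: it validates that an address has exactly 12 hex digits, expands it to its 48 bits, splits the vendor (OUI) and device parts, reads the group bit that marks multicast/broadcast addresses, and pulls the "Physical Address" lines out of a constructed `ipconfig /all` excerpt (the sample text and the second address are made up for the example).

```python
import re

# Constructed sample, in the same dash-separated format as the notes' example address.
SAMPLE_MAC = "0090-271A-60AF"

# Constructed excerpt of `ipconfig /all` output (not real output from any machine).
IPCONFIG_SAMPLE = """\
Ethernet adapter Ethernet:
   Physical Address. . . . . . . . . : 00-90-27-1A-60-AF
   IPv4 Address. . . . . . . . . . . : 192.168.1.1(Preferred)
Wireless LAN adapter Wi-Fi:
   Physical Address. . . . . . . . . : 02-11-22-33-44-55
"""


def parse_mac(text):
    """Accept 0090-271A-60AF, 0090.271A.60AF or 00:90:27:1A:60:AF and return
    the address as a 48-bit integer. Anything other than exactly 12 hex
    digits (after removing separators) is rejected."""
    digits = re.sub(r"[-.:]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 12-hex-digit MAC address: {text!r}")
    return int(digits, 16)


def mac_info(text):
    """Break a MAC address into the fields the notes describe."""
    value = parse_mac(text)
    hex12 = format(value, "012X")
    first_byte = value >> 40
    return {
        # one hex digit = 4 bits, so 12 digits = 48 bits
        "bits": format(value, "048b"),
        "canonical": ":".join(hex12[i:i + 2] for i in range(0, 12, 2)),
        "oui": hex12[:6],            # first 3 bytes: vendor (OUI) part
        "nic_specific": hex12[6:],   # last 3 bytes: assigned by the vendor
        # lowest bit of the first byte set = group (multicast/broadcast) address
        "is_group": bool(first_byte & 0x01),
        "is_broadcast": value == 0xFFFFFFFFFFFF,
    }


def macs_from_ipconfig(output):
    """Pull every 'Physical Address' line out of `ipconfig /all` text and
    return the addresses in canonical colon form."""
    found = re.findall(r"Physical Address[ .]*:\s*([0-9A-Fa-f-]{17})", output)
    return [mac_info(m)["canonical"] for m in found]


if __name__ == "__main__":
    print(mac_info(SAMPLE_MAC))
    print(macs_from_ipconfig(IPCONFIG_SAMPLE))
```

The group bit is worth knowing when reading switch tables or captures: a source MAC with that bit set is never legitimate, so it is a quick sanity check on frames that look odd.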
IP address

Subnet mask
- Identifies the number of network bits and host bits in an IP address
- Helps to determine which subnet (network) a host belongs to
- For example, 192.168.1.1 belongs to the 192.168.1.0/24 network

PING
- Checks whether the destination device is reachable through the network
- Reports the average time for a packet to reach the destination and for the reply to come back to the source
IPv4
- 32 bits: 4 groups of 8 bits, written in decimal

IPv4-to-IPv6 transition techniques
- A device can use IPv4 and IPv6 addresses at the same time
- IPv6 packets can be carried across an IPv4 network
- Network Address Translation 64 (NAT64): an IPv6 packet is translated to an IPv4 packet and vice versa
IPv6
- 128 bits (4 groups of 32 bits), written in hexadecimal
- IPv4 link-local range: 169.254.0.1 – 169.254.255.254
Types of IPv6 addresses

Unicast address
- Global routing prefix (prefix mask): network bits
- Subnet ID: bits that identify different LANs or subnets
- Interface ID: host bits
- Cannot be translated to a global unicast address
- Cannot be used to send data outside the local network
- ping ::1

Multicast address

Anycast address
- Used on two or more devices
- A packet whose destination IP is the anycast IP is sent to the device nearest to the source
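As an added example (not code from the notes), the next block classifies an IPv6 address by the well-known ranges (loopback ::1, multicast ff00::/8, link-local fe80::/10, unique local fc00::/7, global unicast 2000::/3; these ranges are my addition, the notes only name the types) and splits a global unicast address into the three fields listed above. The 48-bit routing prefix is an assumption used for the split; the sample addresses are constructed and use the 2001:db8::/32 documentation prefix.

```python
import ipaddress

# Constructed sample addresses, one per type.
SAMPLES = ["::1", "fe80::1", "ff02::1", "fd00::1", "2001:db8:acad:1::10"]


def classify_ipv6(text):
    """Name the address type. The ranges are assumed from the IPv6
    addressing architecture, not taken from the notes."""
    addr = ipaddress.IPv6Address(text)
    if addr == ipaddress.IPv6Address("::1"):
        return "loopback"                   # the address `ping ::1` tests
    if addr.is_multicast:                   # ff00::/8
        return "multicast"
    if addr.is_link_local:                  # fe80::/10: never leaves the local link
        return "link-local unicast"
    if addr in ipaddress.IPv6Network("fc00::/7"):
        return "unique local unicast"
    if addr in ipaddress.IPv6Network("2000::/3"):
        return "global unicast"
    return "other"


def split_global_unicast(text, routing_prefix_len=48):
    """Split a global unicast address into the fields from the notes:
    global routing prefix | subnet ID | interface ID. The interface ID is
    the low 64 bits; the routing prefix length (48 here) is an assumption,
    and the subnet ID is whatever remains of the high 64 bits."""
    if classify_ipv6(text) != "global unicast":
        raise ValueError(f"{text} is not a global unicast address")
    value = int(ipaddress.IPv6Address(text))
    subnet_len = 64 - routing_prefix_len
    interface_id = value & ((1 << 64) - 1)
    high = value >> 64
    subnet_id = high & ((1 << subnet_len) - 1)
    routing_prefix = high >> subnet_len
    return {
        "routing_prefix": format(routing_prefix, f"0{routing_prefix_len // 4}x"),
        "subnet_id": format(subnet_id, f"0{subnet_len // 4}x"),
        "interface_id": format(interface_id, "016x"),
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", classify_ipv6(sample))
    print(split_global_unicast("2001:db8:acad:1::10"))
```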
Two ways to assign an IPv6 address

Static

Dynamic
- The device gets its IP configuration from the router; a DHCP server is not needed. SLAAC gives the IPv6 address, prefix mask and default gateway (DG).
- DHCPv6 gives the DNS server information to the device.
- No SLAAC, only DHCPv6: the DHCPv6 server gives out the full IP configuration.
Subnetting
Reasons:
- Slow network operation, because of the significant amount of broadcast traffic
- Slow device operation, because a device must accept and process each broadcast packet
- Subnetting reduces overall network traffic, improves network performance, and makes it easier for the administrator to apply security policies, for example which subnets are or are not allowed to communicate
Equal-length subnetting
Variable-length subnetting
Private addresses

RFC 1918 internal address range                CIDR prefix
Class A: 10.0.0.0 – 10.255.255.255             10.0.0.0/8
Class B: 172.16.0.0 – 172.31.255.255           172.16.0.0/12
Class C: 192.168.0.0 – 192.168.255.255         192.168.0.0/16

Public addresses
- Everything except the private addresses

Class A: 1.0.0.0 – 126.0.0.0
- The first number of a Class A IP address is from 1 to 126
- Default subnet mask for Class A: 255.0.0.0
- A Class A IP address has 8 network bits + 24 host bits
- Prefix mask: /8

Class B: 128.0.0.0 – 191.255.255.255
- The first number of a Class B IP address is from 128 to 191
- Default subnet mask for Class B: 255.255.0.0
- A Class B IP address has 16 network bits + 16 host bits
- Prefix mask: /16

Class C: 192.0.0.0 – 223.255.255.255
- The first number of a Class C IP address is from 192 to 223
- Default subnet mask for Class C: 255.255.255.0
- A Class C IP address has 24 network bits + 8 host bits
- Prefix mask: /24
Types of IP address

Network address
- The network address is like the father of the family
- It is the first IP address of the network
- The host bits of the network address are all 0s

Broadcast address
- If you want everyone in the network to listen, send a message to the broadcast address
- The broadcast address is like the mother of the family
- It is the last IP address of the network
- The host bits of the broadcast address are all 1s

Host addresses
- Host addresses are the valid IP addresses
- Valid means that host IP addresses can be assigned to network devices
- Host addresses are the IP addresses between the network address and the broadcast address
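The subnet mask, class, private-range and network/broadcast rules from the sections above fit together in one calculator. The block below is an added example, not code from the notes; it works directly on the 32-bit value with mask arithmetic (host bits all 0 for the network address, all 1 for the broadcast address), answers the "which network does 192.168.1.1 belong to" question, and also performs equal-length subnetting, which goes a little beyond the single /24 example in the text. The /31 and /32 handling (no usable hosts under the network+broadcast rule) is my addition.

```python
PRIVATE_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")  # RFC 1918


def parse_cidr(text):
    """'192.168.1.1/24' -> (address as a 32-bit int, prefix length).
    A bare address without '/' is treated as /32."""
    addr_text, _, prefix_text = text.partition("/")
    octets = [int(o) for o in addr_text.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr_text!r}")
    prefix = int(prefix_text) if prefix_text else 32
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix_text!r}")
    value = 0
    for octet in octets:
        value = (value << 8) | octet
    return value, prefix


def to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_for(prefix):
    # `prefix` one-bits followed by (32 - prefix) zero-bits
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def address_class(value):
    first = value >> 24
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    return "other"   # 0, 127 (loopback), 224 and above (multicast/reserved)


def is_private(value):
    for net in PRIVATE_RANGES:
        net_value, prefix = parse_cidr(net)
        if value & mask_for(prefix) == net_value:
            return True
    return False


def subnet_info(text):
    """Network, broadcast and usable host range for an address in CIDR form."""
    value, prefix = parse_cidr(text)
    mask = mask_for(prefix)
    network = value & mask                    # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)  # host bits set
    # /31 and /32 leave no room for separate network and broadcast addresses
    usable = (1 << (32 - prefix)) - 2 if prefix <= 30 else 0
    return {
        "network": to_dotted(network),
        "mask": to_dotted(mask),
        "broadcast": to_dotted(broadcast),
        "first_host": to_dotted(network + 1) if usable else None,
        "last_host": to_dotted(broadcast - 1) if usable else None,
        "usable_hosts": usable,
        "class": address_class(value),
        "private": is_private(value),
    }


def same_network(a, b, prefix):
    """True when two addresses share the same network bits under /prefix."""
    mask = mask_for(prefix)
    return parse_cidr(a)[0] & mask == parse_cidr(b)[0] & mask


def equal_subnets(text, new_prefix):
    """Equal-length subnetting: split the network into 2**(new_prefix - prefix)
    subnets of the same size and return them in CIDR form."""
    value, prefix = parse_cidr(text)
    if not prefix <= new_prefix <= 32:
        raise ValueError("new prefix must be between the current prefix and 32")
    network = value & mask_for(prefix)
    size = 1 << (32 - new_prefix)
    return [f"{to_dotted(network + i * size)}/{new_prefix}"
            for i in range(1 << (new_prefix - prefix))]


if __name__ == "__main__":
    print(subnet_info("192.168.1.1/24"))
    print(equal_subnets("192.168.1.0/24", 26))
```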
Types of network messages

Unicast
- One to one

Broadcast
- To send a broadcast in the local (your) network: destination IP address 255.255.255.255
- To send a broadcast to a remote (outside) network: if the remote network is 192.168.1.0/24, the destination IP of the directed broadcast is that network's broadcast address, 192.168.1.255/24

Multicast
- One packet is sent to a group of hosts (devices)
- Multicast IP range: 224.0.0.0 – 239.255.255.255
- Multicast IP range (local network): 224.0.0.0 – 224.0.0.255
- Used by routers to exchange routing information
The seven OSI layers (mnemonic: All People Seem To Need Data Processing)

7. Application layer (All)
- HTTP 80, DNS 53, DHCP (UDP 67 and UDP 68), FTP/TFTP, POP3 110/IMAP, SMTP 25
- Interacts with application software and provides access to network resources
- Decides whether a process is available and checks whether resources can be allocated to it

6. Presentation layer (People)
- HTML, MP3, MP4, etc.
- Encoding/decoding, compression/decompression, encryption/decryption

5. Session layer (Seem)
- Logical ports 21, 22, 23, 80, ...
- Creates the session between sender and receiver, monitors the session while data is transferred, and terminates the session when the transfer ends

4. Transport layer (To)
- PDU: segment
- TCP (reliable, with acknowledgements) or UDP; SPX
- Splits the data into smaller pieces and encapsulates them into PDUs (protocol data units)
- Adds the source and destination port numbers to the segment
- Flow control

3. Network layer (Need)
- PDU: packet
- Encapsulates the transport layer PDUs
- Routes the packets towards their destination
- Adds the source and destination IP addresses to the segment

2. Data link layer (Data)
- PDU: frame
- Adds the source and destination MAC addresses to the packet

1. Physical layer (Processing)
- NIC (network interface card or LAN card)
- Converts frames into bits (0 and 1)
Parts of the frame (frame encapsulation / frame encoding)

Header
- Frame start: 8 bytes whose binary pattern marks the start of a new frame: 10101011
- Addressing: 6 bytes destination MAC address + 6 bytes source MAC address
- Type: 2 bytes that tell which Layer 3 protocol is inside the packet. It is 0x0800 for IPv4 (0000 1000 0000 0000) and 0x86DD for IPv6 (1000 0110 1101 1101). 0x means hexadecimal.
- Control: 4 bytes; 3 bits out of the 4 bytes are used for Quality of Service: 111 means the most important data, 101 is used for voice data, 100 is used for video data

Data
- Data integrity: no one can change the data while it is being transmitted

Trailer
- Error detection: 4 bytes, the Frame Check Sequence (FCS), which checks data integrity with a Cyclic Redundancy Check (CRC). CRC = comparing the value computed over the FH (frame header) + Data + FCS before and after transmission
- Frame stop

Size of an Ethernet frame
- Runt: < 64 bytes: dropped
- Normal: 64 bytes – 1518 bytes
- Jumbo: > 1518 bytes: dropped
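The frame layout and the size rules above can be checked on real bytes. The following is an added example, not code from the notes: it builds a constructed frame (destination and source MAC, an optional 802.1Q tag carrying the 3-bit priority, the EtherType 0x0800/0x86DD, payload, zero padding up to the 64-byte minimum, and a CRC-32 FCS), then parses a frame back, verifies the FCS, and classifies it as runt, normal or jumbo. The preamble is not included, because software receives frames without it; the assumption that the FCS is CRC-32 transmitted least-significant byte first is mine, as is the 802.1Q field layout.

```python
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_VLAN = 0x8100        # 802.1Q tag: the 4-byte "control" field of the notes
MIN_FRAME = 64                 # shorter = runt
MAX_FRAME = 1518               # longer = jumbo (the notes' limit)
QOS_NAMES = {7: "most important", 5: "voice", 4: "video"}   # priority values from the notes
L3_NAMES = {ETHERTYPE_IPV4: "IPv4", ETHERTYPE_IPV6: "IPv6"}


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def fcs(body):
    # Ethernet FCS is CRC-32 (same polynomial and reflection as zlib.crc32),
    # transmitted least-significant byte first (assumption stated in the lead-in).
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst, src, ethertype, payload, pcp=None, vlan=1):
    """Constructed frame as a NIC hands it to software: no preamble, optional
    802.1Q tag, zero padding up to the 64-byte minimum, then the FCS."""
    body = mac_bytes(dst) + mac_bytes(src)
    if pcp is not None:
        tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)   # 3-bit PCP, 1-bit DEI, 12-bit VLAN ID
        body += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    body += struct.pack("!H", ethertype) + payload
    if len(body) < MIN_FRAME - 4:
        body += b"\x00" * (MIN_FRAME - 4 - len(body))
    return body + fcs(body)


def parse_frame(frame):
    """Decode the header fields, verify the FCS and apply the size rules."""
    size = len(frame)
    kind = "runt" if size < MIN_FRAME else "jumbo" if size > MAX_FRAME else "normal"
    info = {"size": size, "kind": kind, "fcs_ok": False, "accept": False}
    if size < 18:                        # not even dst + src + type + FCS
        return info
    body, trailer = frame[:-4], frame[-4:]
    info["fcs_ok"] = trailer == fcs(body)   # recompute the CRC and compare
    info["dst"] = mac_text(body[0:6])
    info["src"] = mac_text(body[6:12])
    ethertype = struct.unpack("!H", body[12:14])[0]
    offset = 14
    if ethertype == ETHERTYPE_VLAN and len(body) >= 18:
        tci = struct.unpack("!H", body[14:16])[0]
        info["pcp"] = tci >> 13
        info["qos"] = QOS_NAMES.get(info["pcp"], "other")
        info["vlan"] = tci & 0x0FFF
        ethertype = struct.unpack("!H", body[16:18])[0]
        offset = 18
    info["ethertype"] = ethertype
    info["l3"] = L3_NAMES.get(ethertype, "unknown")
    info["payload"] = body[offset:]
    # a store-and-forward switch keeps only correctly sized frames with a good FCS
    info["accept"] = kind == "normal" and info["fcs_ok"]
    return info


# Constructed sample frame: IPv4, VLAN 10, voice priority, short payload (padded).
SAMPLE_FRAME = build_frame("00:11:22:33:44:55", "00:90:27:1a:60:af",
                           ETHERTYPE_IPV4, b"constructed payload", pcp=5, vlan=10)

if __name__ == "__main__":
    print(parse_frame(SAMPLE_FRAME))
```

Flipping any byte of the sample frame makes `fcs_ok` false, which is exactly the check a store-and-forward switch performs before forwarding.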
TCP/IP model vs OSI model

TCP/IP layer         OSI layers                                        PDU
4  Application       Application, Presentation, Session layers         Data
3  Transport         Transport layer                                   Segment
2  Internet          Network layer                                     Packet
1  Network Access    Data link layer, Physical layer                   Frame
TCP: Transmission Control Protocol
- Reliable protocol: guarantees delivery of the data
- High overhead (big), SLOW
- Connection oriented: a communication path must be set up beforehand, in three stages: establish the connection, use the connection, release the connection

UDP: User Datagram Protocol
- Unreliable protocol: NO guarantee of delivery
- Low overhead (small), FAST
- Connectionless: the two sides do not set up a communication path first; each packet (datagram) carrying its destination address is put on the line and the system chooses the route on its own

How TCP avoids congestion
- TCP uses a window size (sliding window)
- Default window size is 1

TCP three-way handshake

Well-known TCP ports
- Telnet: TCP 23
- SSH: TCP 22
- FTP: TCP 21
- HTTP: TCP 80
Two characteristics shared by TCP and UDP

Port numbers
- Ensure communication and connectivity with the remote device
- Let the receiving host deliver data to the correct application
- Deliver the web page to the correct web browser window

Checksum

Sequence number: every segment has a different sequence number
Acknowledgement number = sequence number + 1
- Used to reassemble the segments at the remote location
- Used to identify missing segments at the destination
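As an added example (not code from the notes), the next block shows what the receiver does with sequence numbers: segments that arrived out of order, duplicated, or with a hole are put back in order, the acknowledgement number is set to the next byte expected (for data segments that is sequence number + length, the general form of the "+1" above), and any missing ranges are reported. The arrivals are constructed; this is a model of the receiver's bookkeeping, not a full TCP implementation.

```python
def reassemble(segments, initial_seq):
    """segments: list of (sequence_number, data) as received, in any order,
    possibly with duplicates and gaps. Returns the bytes that can be handed
    to the application in order, the acknowledgement number to send back
    (the next byte expected), and the gaps still missing."""
    ordered = sorted(segments)

    # Pass 1: walk the sequence space and record every hole.
    covered_to = initial_seq
    gaps = []
    for seq, data in ordered:
        if seq > covered_to:
            gaps.append((covered_to, seq - 1))
        covered_to = max(covered_to, seq + len(data))
    ack = gaps[0][0] if gaps else covered_to      # receiver can only ack up to the first hole

    # Pass 2: concatenate the contiguous prefix, dropping duplicated bytes.
    stream = bytearray()
    for seq, data in ordered:
        stream_end = initial_seq + len(stream)
        if seq >= ack or seq + len(data) <= stream_end:
            continue                      # beyond the first hole, or already delivered
        stream += data[stream_end - seq:ack - seq]
    return {"data": bytes(stream), "ack": ack, "missing": gaps}


# Constructed arrivals: the middle segment arrives last and the first one is
# retransmitted, so the receiver sees them out of order with a duplicate.
ARRIVALS = [(1000, b"AAAA"), (1008, b"CCCC"), (1000, b"AAAA"), (1004, b"BBBB")]

if __name__ == "__main__":
    print(reassemble(ARRIVALS, 1000))
    print(reassemble([(1000, b"AAAA"), (1008, b"CCCC")], 1000))   # segment 1004-1007 lost
```

The second call in the usage shows the "identify missing segments" case: the data after the hole is held back, the ack stays at 1004, and the sender learns from that repeated ack which bytes to resend.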
Data link sublayers

Logical Link Control (LLC)
- Serves the network layer
- LLC adds information to the frame that identifies which network layer protocol (IPv4 or IPv6) is encapsulated in the frame

Media Access Control (MAC)
- Handles sending and receiving frames over different types of media
- Also handles error detection
Topology

Logical topology
- Shows how the network transfers data between connected devices
- Shows devices, interfaces, connection information and addresses

Physical topology
- Shows the physical connections between devices
- Shows where the devices are located

Types of LAN topologies
- Star
- Extended star: two or more star topologies connected together through their central devices
- Bus: all devices are connected in a line and both ends are terminated
- Ring: all devices are connected like a ring (no termination); each end system connects to its neighbours to form a ring, and unlike a bus topology a ring needs no termination

Types of WAN topologies
- Point-to-point
- Hub and spoke: hub = head office, spokes = branch offices; the WAN version of a star topology, with one central site connected to each branch site by point-to-point links
- Full mesh: every site is directly connected to every other site
- Hybrid: a variation or combination of point-to-point, hub-and-spoke or mesh topologies; this may include a partial mesh or an extended star
Jobs of the switch and the router

Switch
- Sends data from one end device to another in the same LAN
- Learns the source MAC address of each frame together with the port it arrived on, and stores the pair in the CAM table (Content Addressable Memory): MAC address of the end device + port number to which the end device is connected
- Command to CHECK the CAM table: # show mac-address-table
- Command to DELETE the CAM table: # clear mac-address-table
- If the destination MAC address has already been learned, the frame is sent to that location
- If it has not been learned, the frame is forwarded out of every port except the incoming port (flooding)
Switching methods:
1. Store and forward: receives the whole frame, runs the CRC, checks the frame size and drops frames that are too large or too small; high latency
2. Cut-through: does not wait for the whole frame, only checks the destination MAC address, does not check the frame size; low latency
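The learn-then-forward behaviour described above is easiest to understand as a small simulation. The block below is an added example, not Cisco code: a software switch that learns the source MAC and ingress port of each frame, forwards known unicast destinations out of one port, floods unknown unicast and group (broadcast/multicast) destinations out of every other port, filters a frame whose destination is on the port it arrived on (my addition to the notes' two rules), and exposes the equivalents of `show mac-address-table` and `clear mac-address-table`. Port names and hosts are constructed.

```python
class Switch:
    """Software model of a LAN switch's MAC learning and forwarding
    (constructed illustration, not IOS code)."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}          # MAC address -> port it was last seen on

    @staticmethod
    def is_group(mac):
        # lowest bit of the first octet set: multicast or broadcast destination
        return int(mac.split(":")[0], 16) & 0x01 == 1

    def receive(self, in_port, src, dst):
        """Handle a frame arriving on in_port; return the list of egress ports."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        # 1. Learn: remember the source MAC and the port it came in on
        self.cam[src] = in_port
        # 2. Forward
        if self.is_group(dst) or dst not in self.cam:
            # unknown unicast or broadcast/multicast: flood, except the ingress port
            return [p for p in self.ports if p != in_port]
        out_port = self.cam[dst]
        if out_port == in_port:
            return []          # destination is on the same segment: filter the frame
        return [out_port]

    def show_mac_address_table(self):
        """Equivalent of `show mac-address-table`: sorted (mac, port) pairs."""
        return sorted(self.cam.items())

    def clear_mac_address_table(self):
        """Equivalent of `clear mac-address-table`."""
        self.cam.clear()


def demo():
    """Constructed traffic: two hosts talk, then a third host broadcasts."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3", "Fa0/4"])
    a, b = "00:90:27:1a:60:af", "00:11:22:33:44:55"       # constructed hosts
    steps = [
        sw.receive("Fa0/1", a, b),                        # b unknown -> flood
        sw.receive("Fa0/2", b, a),                        # a known -> single port
        sw.receive("Fa0/1", a, b),                        # b now known
        sw.receive("Fa0/3", "00:aa:bb:cc:dd:ee", "ff:ff:ff:ff:ff:ff"),  # broadcast
    ]
    return steps, sw.show_mac_address_table()


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because the table entry is overwritten on every frame, a source MAC that keeps moving between ports shows up as a flapping entry; that is the symptom a defender looks for when a host is spoofing another station's address.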
Router
- Sends data from one end device to another in different LANs
- Routing table
- Check the routing table of the router: # show ip route
- Delete the routing table of the router: # clear ip route *
- On a computer: route print, netstat -r
Types of communication
- Simplex: keyboard to computer
- Half duplex: both devices can send and receive data, but only one at a time
- Full duplex: both devices can send and receive data at the same time

Cable selection
- Switch to other devices: straight-through cable; switch to switch: crossover cable
- Router to computer: crossover cable
- AUTO-MDIX: automatically detects the Ethernet cable type
Types of copper cable
- Unshielded twisted-pair (UTP)
- Shielded twisted-pair (STP)
- Coaxial

Fiber-optic cable
- Single-mode fiber (SMF)
- Multi-mode fiber (MMF)

Copper cable
- Costs less
- Easy to terminate and install
- Can be installed in places with sharp bends
- Cannot be used for long distances (< 100 metres)

Fiber-optic
- Costs more
- Hard to terminate and install
- Cannot be installed in places with sharp bends
- Can be used for longer distances

Wireless
- Smartphones and tablets
- Concerns: SECURITY, INTERFERENCE, COVERAGE AREA
Throughput
- Bits sent across the media over a given period of time

Default gateway (DG)
- Helps a PC send data outside its LAN
- The default gateway is the network device that can route traffic to other networks; it is the router that routes traffic out of the local network

ARP request (Address Resolution Protocol)
Disadvantages of the ARP request:
- It is a BROADCAST message, so it goes to everyone in the same LAN, and every device on the LAN has to RECEIVE and PROCESS it
- In low-bandwidth networks data transfer can be delayed because of ARP broadcasts; in a large network with low bandwidth, many ARP broadcasts can delay data communication
- An attacker can change the MAC-to-IP mappings to intercept network data. This is called ARP SPOOFING: the attacker manipulates the MAC and IP address mappings carried in ARP messages in order to intercept network traffic
Application layer protocols

HTTP
- Hyper Text Transfer Protocol

DHCP
- Dynamic Host Configuration Protocol
- Used to request an IP address

DNS
- Domain Name Service (domain name server)
- Translates a domain name (URL) to an IP address, and vice versa
- Windows command to check DNS: > nslookup www.baidu.com
How to build a small network
1. Buy network devices
2. Network design and cabling
3. Use of REDUNDANCY in the network
4. IP addressing
   - Choose IPv4 and/or IPv6 addressing
   - Plan the IP addressing scheme (do subnetting)
   - Assign the IP addresses
5. Configure common protocols and services
6. Manage network traffic

Secure the network
- Identify the types of network threats
- Identify the types of network attacks
- Monitor the network at all times
Types of attacks

Malware attack
- Damages or steals data, or causes problems in the working of the network

Reconnaissance attack
- Gathers information that can be used to plan a bigger attack in the future
Access attack

Brute force attack
- Brute force attack → password attack → access attack
- The attacker keeps trying passwords many times
- Router(config)# login block-for 180 attempts 4 within 90
- This command blocks login attempts for 180 seconds if there are four failed login attempts within 90 seconds
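To make the `login block-for 180 attempts 4 within 90` policy concrete, here is an added example, not IOS code and not from the notes: a software model of the same rule that replays a constructed timeline of login attempts and reports which ones are refused. Treating the window edge as "within" and clearing the failure history on a successful login are my assumptions about the model, not documented IOS behaviour.

```python
from collections import deque


class LoginGuard:
    """Software model of the policy behind
    `login block-for <block_for> attempts <attempts> within <within>`:
    after `attempts` failed logins inside `within` seconds, refuse every
    login for `block_for` seconds. Constructed illustration, not IOS code."""

    def __init__(self, block_for=180, attempts=4, within=90):
        self.block_for = block_for
        self.attempts = attempts
        self.within = within
        self.failures = deque()     # timestamps of recent failed attempts
        self.blocked_until = None

    def attempt(self, now, success):
        """Record one login attempt at time `now` (seconds) and return
        'ok', 'failed' or 'blocked'."""
        if self.blocked_until is not None:
            if now < self.blocked_until:
                return "blocked"          # quiet period: the attempt is not even evaluated
            self.blocked_until = None     # quiet period over
            self.failures.clear()
        if success:
            self.failures.clear()         # assumption: a good login resets the count
            return "ok"
        self.failures.append(now)
        # forget failures older than the window (the window edge counts as inside)
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()
        if len(self.failures) >= self.attempts:
            self.blocked_until = now + self.block_for
            self.failures.clear()
            return "blocked"
        return "failed"


def replay(guard, events):
    """Feed (time, success) pairs through the guard; return the decisions."""
    return [guard.attempt(t, ok) for t, ok in events]


# Constructed timeline: four failures in 30 s, a retry during the quiet
# period, then a correct password after the 180 s block has expired.
TIMELINE = [(0, False), (10, False), (20, False), (30, False), (100, False), (211, True)]

if __name__ == "__main__":
    print(replay(LoginGuard(), TIMELINE))
```

The second assertion in the test is the case that matters for tuning: four failures spread over more than 90 seconds never trigger the block, so the `within` value decides how slow an attacker has to go to stay under the threshold, which is why the block is combined with monitoring rather than relied on alone.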
Denial of service attack
- Used to stop network users from using a network service, like DHCP, DNS, etc.
- Short name: DoS attack
Network monitoring
- Network monitoring is very important for network security
- It also helps to plan future growth

Debug messages
- Helpful in network monitoring and troubleshooting
- Debug messages tell you about the live traffic
- Cisco IOS debug messages are sent to the console line by default
- Command used to send the debug messages to the VTY lines: # terminal monitor
Source: freebuf.com 2020-09-27 00:12:59 by: test555