Chapter 8: Network Segmentation Notes

Introduction to Network Segmentation

Network segmentation is a strategy used to enhance network management by dividing a network into smaller, more manageable parts. This "divide-and-conquer" approach improves both network performance and security. Segmentation can be achieved physically by creating multiple LANs or logically by using VLANs (Virtual LANs).

Objectives of Network Segmentation:
  • Enhance Security: Confining transmissions to their own broadcast domains reduces the risk of attackers or malware reaching protected networks. Web servers that must be reachable from the Internet can be placed in a screened subnet (DMZ) with less stringent security policies, which keeps them isolated from the rest of the network.
  • Improve Performance: Segmentation limits broadcast traffic by decreasing the size of each broadcast domain, leading to more efficient bandwidth use and better overall network performance. Prioritizing time-sensitive traffic by isolating it from general traffic helps guarantee timely delivery of packets.
  • Simplify Troubleshooting: Network administrators can narrow down problem areas to smaller network segments, making it easier to identify and resolve issues.

Common Network Groupings for Segmentation:
  • Geographic locations (e.g., floors of a building or buildings connected by a WAN)
  • Departmental boundaries (e.g., Accounting, HR, Sales)
  • Device types (e.g., printers, desktops, IP phones)

Subnets

A subnet is a group of IP addresses. A subnet mask is used to determine which part of an IP address identifies the network (network ID) and which part identifies the specific device (node ID or host ID) within that network.

Subnet Masks: Working Mechanism

An IPv4 address consists of 32 bits divided into the network portion (network ID) and the node portion (host ID). The subnet mask indicates the dividing line between these portions.

To determine the network ID of a device, a computer uses a logical process called ANDing.

  • If a bit with a value of 1 is combined (ANDed) with another bit with a value of 1, the result is 1.
  • If a bit with a value of 0 is ANDed with any other bit, the result is 0.

Classful Addressing in IPv4

Classful addressing uses whole octets to define the network ID. Each network class (A, B, C) has a default subnet mask.

  • Class A: 8 bits for network ID, 24 bits for host ID
  • Class B: 16 bits for network ID, 16 bits for host ID
  • Class C: 24 bits for network ID, 8 bits for host ID
Network class   Default subnet mask (binary)            Network bits   Default subnet mask (dotted decimal)
A               11111111 00000000 00000000 00000000     8              255.0.0.0
B               11111111 11111111 00000000 00000000     16             255.255.0.0
C               11111111 11111111 11111111 00000000     24             255.255.255.0

Benefits of Subnetting:
  • Easier network documentation
  • Simplified problem location and resolution
  • More straightforward management of non-overlapping IP address spaces by routers
  • More efficient routing on larger networks with mathematically related IP address spaces

Calculating Subnets

Subnetting, also known as classless addressing, involves borrowing bits from the host portion of an IP address to represent network information, increasing the number of available subnets while reducing the number of usable host addresses in each subnet.

IPv4 Subnet Calculation in Binary:

To create subnets, bits are borrowed from the host ID. The more bits that are borrowed, the more subnets are created, but the fewer hosts each subnet can contain.

IPv4 Subnet Calculations Using Formulas:
  1. Determine the Number of Bits to Borrow: Use the formula 2^n = Y, where n is the number of bits to borrow and Y is the number of subnets that result.
  2. Determine the Subnet Mask: Modify the default subnet mask by changing bits from host to network information.
  3. Calculate the Network ID for Each Subnet: Use the magic number (256 minus the value of the subnet mask's last nonzero octet) to determine each subnet's network ID; successive network IDs increase by that amount in that octet.
  4. Determine the IP Address Range for Hosts in Each Subnet: Calculate the number of usable host addresses using the formula 2^h - 2 = Z, where h is the number of bits in the host portion and Z is the number of available hosts in each subnet.

Subnet Mask Tables
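Worked example (added here, not part of the original notes): Python code that performs the ANDing described under Subnets and then works through the four subnetting steps above for a constructed Class C network, borrowing 3 bits. The function names and the sample addresses are my own.

```python
def ip_to_int(ip: str) -> int:
    """Pack a dotted-decimal IPv4 address into a 32-bit integer."""
    a, b, c, d = (int(octet) for octet in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(value: int) -> str:
    """Unpack a 32-bit integer back into dotted-decimal notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def network_id(ip: str, mask: str) -> str:
    """ANDing: a 1 bit survives only where the mask bit is also 1."""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))

def subnet_plan(network: str, default_prefix: int, n: int) -> dict:
    """Borrow n host bits from a classful mask; return the resulting subnet plan."""
    prefix = default_prefix + n
    host_bits = 32 - prefix                           # h in the formula 2^h - 2
    if n < 1 or host_bits < 2:
        raise ValueError("borrow at least 1 bit and keep at least 2 host bits")
    new_mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    default_mask = (0xFFFFFFFF << (32 - default_prefix)) & 0xFFFFFFFF
    base = ip_to_int(network) & default_mask          # classful network ID
    # Magic number: 256 minus the mask's interesting octet (the one where the
    # borrowed bits end); network IDs step by this amount in that octet.
    interesting_octet = (new_mask >> (8 * (3 - (prefix - 1) // 8))) & 0xFF
    block = 1 << host_bits                            # addresses per subnet
    subnets = []
    for i in range(2 ** n):                           # 2^n subnets
        net = base + i * block
        subnets.append({
            "network_id": int_to_ip(net),
            "first_host": int_to_ip(net + 1),
            "last_host": int_to_ip(net + block - 2),
            "broadcast": int_to_ip(net + block - 1),
        })
    return {
        "mask": int_to_ip(new_mask),
        "subnets": 2 ** n,
        "hosts_per_subnet": 2 ** host_bits - 2,
        "magic_number": 256 - interesting_octet,
        "networks": subnets,
    }

if __name__ == "__main__":
    plan = subnet_plan("192.168.10.0", 24, 3)   # constructed: Class C, borrow 3 bits
    print(plan["mask"], plan["subnets"], plan["hosts_per_subnet"], plan["magic_number"])
    for subnet in plan["networks"]:
        print(subnet)
```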

Class A, B, and C networks can all be subnetted, but each class has a different number of host information bits that can be used for subnet information.

Implementing Subnets on a Network

After calculating the subnets, configure the router interfaces with IP addresses and subnet masks for each subnet. Static IP addressing can be used on network hosts, or a DHCP server can dynamically assign IP addresses.

UDP Forwarding and IP Helper Addresses

To allow hosts in various subnets to access centralized network services, configure UDP forwarding on the network. This enables routers, firewalls, or layer 3 switches to forward UDP traffic across broadcast domains using IP helper addresses.

Variable Length Subnet Mask (VLSM)

VLSM allows subnets to be further subdivided into smaller groupings, optimizing IP address space allocation. This involves creating the largest subnet first, followed by the next largest, and so on.
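Added example, not from the original notes: a small Python VLSM allocator built on the standard-library ipaddress module. It carves a constructed /24 largest-first for sample departmental host counts; the department names and counts are made up for illustration.

```python
import ipaddress

def vlsm_allocate(block: str, demands: dict) -> list:
    """Carve block into one subnet per (name -> hosts needed), largest first.

    Every subnet size is a power of two and sizes never grow, so each one
    starts on its own aligned boundary with no wasted gap in between; this is
    why the notes say to create the largest subnet first.
    """
    parent = ipaddress.IPv4Network(block)
    cursor = int(parent.network_address)
    end = int(parent.broadcast_address) + 1
    plan = []
    for name, hosts in sorted(demands.items(), key=lambda kv: kv[1], reverse=True):
        # Smallest h with 2^h - 2 >= hosts; at least 2 bits so two hosts fit.
        h = max(2, (hosts + 1).bit_length())
        size = 1 << h
        if cursor + size > end:
            raise ValueError(f"{block} cannot fit {name} ({hosts} hosts)")
        subnet = ipaddress.IPv4Network((cursor, 32 - h))
        plan.append((name, hosts, subnet))
        cursor += size
    return plan

def leftover(block: str, plan: list) -> int:
    """Addresses in block not consumed by the plan."""
    used = sum(s.num_addresses for _, _, s in plan)
    return ipaddress.IPv4Network(block).num_addresses - used

if __name__ == "__main__":
    # Constructed sample: departments and the number of hosts each needs.
    demands = {"Sales": 100, "HR": 50, "Accounting": 20, "Router link": 2}
    for name, hosts, subnet in vlsm_allocate("192.168.1.0/24", demands):
        print(f"{name:12} needs {hosts:3} -> {subnet} ({subnet.num_addresses - 2} usable)")
```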

Subnets in IPv6

IPv6 addresses are composed of 128 bits. Subnetting in IPv6 is simpler than in IPv4 and differs in substantial ways:

  • IPv6 addressing uses no classes.
  • IPv6 does not use subnet masks.
  • A single IPv6 subnet can supply 18,446,744,073,709,551,616 (2^64) IPv6 addresses.

Virtual LANs (VLANs)

A VLAN groups ports on one or more switches, forcing traffic to go through a router and limiting it to a smaller broadcast domain. VLANs abstract the broadcast domain from the networking hardware, allowing the boundaries of the broadcast domain to be virtually defined within a single physical LAN.

Reasons for Using VLANs:
  • Identify groups of devices for priority handling
  • Isolate connections with heavy or unpredictable traffic patterns
  • Isolate groups of devices relying on legacy protocols
  • Separate groups of users needing special security or network functions
  • Configure temporary networks
  • Reduce networking equipment costs

Switch Port Configuration

VLANs can only be implemented through managed switches, whose ports can be partitioned into groups.

To identify transmissions belonging to each VLAN, the switch adds a tag to the Ethernet header. This tag travels with the transmission until it reaches the destination device or a router.

VLAN Trunks

Each port on a switch that supports VLANs is configured as either an access port or a trunk port:

  • Access port: Connects the switch to a host and carries traffic for only one VLAN.
  • Trunk port: Connects the switch to a networking device and manages traffic from multiple VLANs.

A trunk line (or just “trunk”) is a link between two trunk ports.

The most popular protocol for exchanging VLAN information over trunks is Cisco’s VTP (VLAN Trunk Protocol).

VLANs and Subnets

In most situations, each VLAN is assigned its own subnet of IP addresses. This means that a particular subnet, working at layer 3, includes the same group of hosts as a specific VLAN, working at layer 2.

Subnets organize IP addressing space at layer 3, while VLANs segment network traffic at layer 2.

Types of VLANs
  • Default VLAN: Typically preconfigured on a switch and initially includes all the switch’s ports.
  • Native VLAN: Receives all untagged frames from untagged ports.
  • Data VLAN (or user VLAN): Carries user-generated traffic.
  • Management VLAN: Provides administrative access to a switch.
  • Voice VLAN: Supports VoIP traffic, requiring high bandwidths and priority.
  • Private VLAN: Partitions a VLAN broadcast domain into subdomains with a single primary VLAN and one or more isolated and community secondary VLANs.

Troubleshoot and Secure VLANs

Configuration errors are a common cause of VLAN problems. The show vlan command can help identify misconfigurations.

VLAN hopping is an attack in which a hacker generates transmissions that appear to belong to a protected VLAN, then crosses VLANs to access sensitive data or inject harmful software. Mitigation efforts include:

  • Avoid using the default VLAN.
  • Change the native VLAN to an unused VLAN ID.
  • Disable auto-trunking on switches that don’t need to support traffic from multiple VLANs.
  • Specify which VLANs are supported on each trunk instead of accepting a range of all VLANs.
  • Use physical security methods to restrict access to network equipment.
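Added example, not from the original notes: a Python check that reads a constructed, Cisco IOS-style switch configuration excerpt and flags ports that violate the mitigations above (port left in default VLAN 1, native VLAN still 1, auto-trunking enabled, trunk accepting all VLANs). The command syntax and the assumption that an unconfigured port negotiates trunking are mine, not the notes'.

```python
# Constructed sample running-config excerpt; Cisco IOS-style syntax assumed.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode dynamic desirable
!
interface GigabitEthernet0/2
 switchport mode trunk
interface GigabitEthernet0/3
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
 switchport nonegotiate
"""

def parse_interfaces(config: str) -> dict:
    """Map each interface name to its indented configuration lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None                    # "!" or other top-level line
    return interfaces

def audit_vlan_hopping(config: str) -> dict:
    """Return interface -> findings for the VLAN hopping mitigations above."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        def word(prefix, index, default):     # word at index on the matching line
            return next((l.split()[index] for l in lines if l.startswith(prefix)), default)
        mode = word("switchport mode ", 2, "dynamic")   # assumed default: DTP negotiates
        issues = []
        if mode == "dynamic":
            issues.append("auto-trunking (DTP) enabled")
        elif mode == "access" and word("switchport access vlan ", 3, "1") == "1":
            issues.append("access port left in default VLAN 1")
        elif mode == "trunk":
            if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
                issues.append("trunk carries all VLANs")
            if word("switchport trunk native vlan ", 4, "1") == "1":
                issues.append("native VLAN is still 1")
            if "switchport nonegotiate" not in lines:
                issues.append("DTP not disabled on trunk")
        if issues:
            findings[name] = issues
    return findings
```

Running audit_vlan_hopping(SAMPLE_CONFIG) reports the first two ports and leaves the hardened GigabitEthernet0/3 clean.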