Difference between revisions of "Bandwidth Management and Optimisation Training"
Revision as of 07:08, 6 July 2013
Contents
- 1 Bandwidth Management and Optimisation Training
- 1.1 Objective
- 1.2 Who Should Attend?
- 1.3 Requirements
- 1.4 Course content
- 1.5 Course Cost
- 1.6 Registration
- 1.7 Timetable
- 1.8 BMO Tools
- 1.8.1 Cacti
- 1.8.2 Nagios
- 1.8.3 Smoking
- 1.8.4 mtr
- 1.8.5 Iperf
- 1.8.6 Smokeping
- 1.8.7 Wireshark
- 1.8.8 Dig
- 1.8.9 DHCP Snooping
- 1.8.10 Traffic Storm Control
- 1.8.11 Port security
- 1.8.12 IP source guard / Dynamic IP lockdown
- 1.8.13 Dynamic ARP Inspection
- 1.8.14 Port unicast and multicast flood blocking
- 1.8.15 Squid Delay Pools
- 1.8.16 IP Plan
- 1.8.17 Nmap
- 1.8.18 Rancid
- 1.8.19 Tcpdump
Bandwidth Management and Optimisation Training
This will be an intense, hands-on five (5) day training that teaches the skills required for bandwidth management and optimization in a campus environment.
Objective
The main objective of the training is to equip network administrators from the participating institutions with the skills they need to manage their institutions' networks effectively. This will enable them to ensure that the bandwidth they are provided with is used for academic work and not consumed by viruses, spam, peer-to-peer traffic and other malware.
Who Should Attend?
This course is designed for technical staff who operate a TCP/IP network and intend to provide connectivity to both students and faculty.
Requirements
The participants are required to be conversant with Linux/Unix commands. All participants are required to submit current network diagrams for discussion during the Case Studies. Each participant is also required to bring a laptop.
Course content
This is a hands-on training experience in which the participants will set up a Bandwidth Management and Optimization Box using a wide variety of tools on both Unix and Linux.
The training will begin by introducing the students to the importance of network management and best campus design principles. The training will also give them skills on how to troubleshoot common campus network problems and teach them how to install and manage network monitoring tools. They will also be taught bandwidth management principles within a campus environment and how to develop and implement bandwidth policies.
Course Cost
This is a cost-recovery based training: participants will contribute an amount to cover their accommodation and the trainers' time. The cost will be USD...... per participant.
Registration
All participants will be nominated by the ICT Director / ICT Head at their institution. All nominations should be received by 15th July 2013.
Timetable
DAY/TIME | 8.00-10.00am | 10.00-10.15am | 10.15am-1.00pm | 1.00pm-2.00pm | 2.00pm-4.00pm | 4.00pm-4.15pm | 4.15pm-6.00pm
Monday | Introduction | Tea break | Why Network Management | Lunch | Campus Network design | Tea break | Campus Network design
Tuesday | Network management Basics | Tea break | The bandwidth Challenge | Lunch | Solving network Problems | Tea break | Case Study: Campus A and B
Wednesday | Network Monitoring tools | Tea break | Network Monitoring tools | Lunch | Network Monitoring tools | Tea break | Case Study: Campus C and D
Thursday | Network Monitoring tools | Tea break | Network Monitoring tools | Lunch | Squid: Delay Pools | Tea break | Case Study: Campus E and F
Friday | Policy development | Tea break | Policy development | Lunch | Network Monitoring tools | Tea break | Case Study: Campus G and H
Saturday | Network Monitoring tools | Tea break | Closing Ceremony | Lunch | | |
BMO Tools
Cacti
Nagios
Smoking
mtr
Iperf
Smokeping
Wireshark
Dig
DHCP Snooping
DHCP snooping should be configured for edge switches (provided it is supported by the switch). The objective is to prevent incorrectly configured clients from behaving as DHCP servers and hence assigning false IP addresses to other clients. This has become a problem and can be avoided by implementing DHCP snooping with its associated blocking function. It is important that this function is only implemented in client ports and not on trunk or network ports.
Traffic Storm Control
The port should be configured so that broadcast traffic is blocked when its volume exceeds a pre-defined acceptable threshold (e.g. 10 %).
Port security
The port security functions can be used to enable better access control to a given switch port. This allows only a certain number of machines (MAC addresses) behind a given port. The configuration should be such that authorised machines still have network access after any additional machines are connected. Only the additional machines are blocked. The function is recommended especially in connection with printers in open areas, so that these switch ports are not misused. As a minimum requirement, all client ports should be configured with a high value which exceeds practical usage, so as to prevent flooding of the CAM table. Note that network ports (ports connecting to other network equipment) must not have this type of configuration.
IP source guard / Dynamic IP lockdown
This is a mechanism which prevents forgery of IP addresses from the client machine. Only the IP address assigned to the client by DHCP, or any statically registered address, can be used behind the port. If a switch supports this function, it is recommended that it be enabled on client ports. The function may require that DHCP snooping is also in use.
Dynamic ARP Inspection
This mechanism protects against “man-in-the-middle” attacks which send false ARP packets pretending to behave as a router. If the switch knows which IP addresses should belong behind which ports it can effectively block attempts at pretending to be somebody else by way of ARP. This function should definitely be considered, but may require that DHCP snooping is also in use.
Port unicast and multicast flood blocking
If packets are sent to new, false MAC addresses, these will always be flooded out of all the ports on a switch. A deliberate attack may hence degrade performance for the entire environment behind the port. This may be prevented by configuring this function. If a switch supports this property, one should consider enabling it on all client ports.
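The edge-switch guidance above (DHCP snooping trust only on network ports, port security and storm control on client ports but never on network ports, IP source guard depending on DHCP snooping) can be checked mechanically against a saved switch configuration. The following audit script is an added example, not part of the course page or any vendor's tooling; the sample configuration is constructed, and the Cisco-IOS-style command names it matches are an assumption about the switch, since the page names no vendor.

```python
import re
# Constructed sample config (not from the page); the Cisco-IOS-style command
# names are an assumption about the switch, since the page names no vendor.
SAMPLE_CONFIG = """\
ip dhcp snooping
interface GigabitEthernet1/0/1
 switchport port-security maximum 20
 storm-control broadcast level 10
 ip verify source
interface GigabitEthernet1/0/2
 ip dhcp snooping trust
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport port-security maximum 5
 ip dhcp snooping trust
"""

def parse_interfaces(config):
    """Map each interface name to the set of commands indented under it."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = ifaces.setdefault(m.group(1), set())
        elif line.startswith(" ") and cur is not None:
            cur.add(line.strip())
        else:
            cur = None  # back at the global config level
    return ifaces

def has(cmds, prefix): return any(c.startswith(prefix) for c in cmds)

def audit(config):
    """Return findings where the config departs from the edge-switch guidance."""
    snooping = "ip dhcp snooping" in config.splitlines()  # global enable line
    out = []
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode trunk" in cmds:  # network port: no port-security
            if has(cmds, "switchport port-security"):
                out.append(f"{name}: port-security on a network port")
            continue
        if "ip dhcp snooping trust" in cmds:
            out.append(f"{name}: client port trusted for DHCP snooping")
        if not has(cmds, "switchport port-security maximum"):
            out.append(f"{name}: no port-security maximum (CAM table flooding)")
        if not has(cmds, "storm-control broadcast level"):
            out.append(f"{name}: no broadcast storm-control threshold")
        if "ip verify source" in cmds and not snooping:
            out.append(f"{name}: IP source guard without DHCP snooping")
    return out
```

Run `audit(SAMPLE_CONFIG)` to see the findings for the constructed config; a port whose description marks it as an uplink but lacks `switchport mode trunk` would be audited as a client port, so the trunk test should be adapted to how uplinks are identified locally.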