So let's talk a little bit about network devices and how they've evolved. And I really do think this is relevant for the exam: I would be able to discern between the different types of devices and their value in the network. Now, I'm gonna go back a few years to hubs, just because I think it helps us understand what devices do if we start with the basics, if you start with the origins.
You know, if you go back to the nineties, or back to the early two thousands, if I had a couple of computers to connect together quick, I wanted it to be easy. The device I'd bring in was a hub. A hub sends all data out all ports, and that's not a good idea. You know, if I'm an attacker and I plug a sniffer into any port on the hub, what am I gonna see? I'm gonna see all the traffic. And as networks grew, as I had more computers to connect together, I went hub to hub. You know, I'm seeing much more traffic; more systems are plugged into the hubs. So now if A has traffic to send to B, it goes out to every system on the network. That's how a hub works.
The only reason we ever wanted a hub, the only reason we ever said, "Oh, let's bring in a hub," is that a hub did one thing better than any other device: it did cheap better than any other device. I've always been able to get a hub for 25, 30 bucks. Set it down, plug the computers into the hub, and they communicate quick and easy. No configuration, not much money. So a hub was our guy for a long time, just as a quick, easy way to connect computers. Okay, but it has its problems. It doesn't do any sort of addressing: all data out all ports, all the time. So from a security perspective, that's a problem.
Another thing that hubs did not do is they didn't provide any sort of isolation of traffic. And one of the things about Ethernet networks (we're not gonna go into a really deep networking discussion) is that Ethernet networks are contention based. And when I say contention based, what I mean by that is the more systems on the network, the more are competing for time on the cable. So if I've got two or three systems connected on a hub, it's not a big deal, because that's not a lot of traffic. But if I have hub to hub, or hub to hub to hub, and as my network grows, all of a sudden I have more and more and more systems competing for time on the cable. And that's when we have problems with collisions, because only one system can send data on the wire at a time in an Ethernet network. So if multiple systems try to do that, we get a collision. So when you're getting poor performance, you look at the back of your computer: if you see that green light flashing, everything is good, it's all right with the universe. But once you start to see that orange light flashing, that's generally an indication that we're having collisions, and a hub won't help with that.
So what did we do? Well, one of the things that we used to do was bring in a switch. And rather than going hub to hub, I'd bring in my switch: I'd gather up traffic on a hub, and then I'd go hub to switch. Okay, switches were a lot more expensive than hubs, several hundred dollars, but they provided me collision domain isolation. That's very helpful. Switches isolate collision domains. You could also call those contention domains. That means every port on a switch is its own collision domain. So the only two computers that can collide are A and B, and again, that's not a lot of traffic, so this is going to drastically reduce collisions. And what I've done in this drawing is I've created three separate little independent collision domains, so I've reduced collisions drastically. Another thing that switches do, in addition to isolating collision domains,
is they use MAC addresses to direct traffic. And please know that a switch uses MAC addresses by default. Some of you may have worked on other higher-level switches, and we're not gonna get into a big, lengthy discussion of the OSI model. But for those of you that are networking people: by default, a switch is a layer 2 device, and it uses MAC addresses. So what that means is the switch learns the network based on MACs. All the switch understands is MAC addresses, which are addresses bound to the network card. So when computer A sends traffic in on this port, the switch learns the MAC address of computer A. And the next time it has traffic for that particular MAC address, it only sends it out the appropriate port. So a switch, over time, sort of acts like a traffic cop, directing traffic out the appropriate port. That gives me a speed improvement.
But what a switch does not natively do is isolate broadcast traffic. And let me tell you why that's a problem. Let's say these guys are my sales team. Let's say these guys are my production team.
Um, actually, before I get into broadcast domains, let me just mention one other thing. I mentioned that hubs were cheap historically, and they are; they've always been cheap. Switches, as I mentioned, used to cost hundreds of dollars. But with the advent of Linksys and Netgear switches, now we have switches that are cheap. I can go out and buy a switch for 20 or 30 bucks. Well, if I can buy a switch for 20 or 30 bucks, why use a hub? And the answer is, I don't. So what we do now is we plug computers directly into switches. There we go, switch to switch. And, uh, you know, we're gonna configure in redundancy. This isn't necessarily a literal drawing; it's just conceptual, a logical drawing. But the idea is, with each system plugged into its own port, each system has its own collision domain. That's a good thing. So what that means is I've virtually eliminated collisions on my network.
Also, from an attacker standpoint, if we were all connected together with hubs and I plugged into a port on the hub, I see all the traffic on the network. But if I have my sniffer and I plug it into a port on a switch, what is my sniffer gonna be able to access? Nothing. So this is a much more secure environment as well, because with switches directing traffic out only the appropriate port, nothing is gonna come out that port other than perhaps ARP broadcasts, which, you know, are not going to really help an attacker. So switches are more secure configurations, certainly, than a hub.
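To make the hub-versus-switch difference concrete, here is a small simulation of what a monitoring port receives from each device. This is an added example, not code from the lecture: the port numbers, MAC addresses and the five-frame traffic sample are constructed, and the switch model is the plain learning behaviour described above (learn the source MAC on the ingress port; flood broadcasts and unknown destinations; forward known destinations out one port).

```python
"""Hub vs. learning switch: which ports see each frame?

Added illustration, not code from the lecture. Port numbers, MAC addresses
and the traffic sample below are constructed sample data.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str
    ingress_port: int


@dataclass
class Hub:
    ports: int

    def forward(self, frame: Frame) -> set:
        """A hub repeats every frame out every port except the one it came in on."""
        return {p for p in range(self.ports) if p != frame.ingress_port}


@dataclass
class Switch:
    ports: int
    mac_table: dict = field(default_factory=dict)  # MAC -> port

    def forward(self, frame: Frame) -> set:
        # Learn: the source MAC lives behind the ingress port.
        self.mac_table[frame.src] = frame.ingress_port
        others = {p for p in range(self.ports) if p != frame.ingress_port}
        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            # Broadcast or not-yet-learned destination: flood, just like a hub.
            return others
        # Known destination: exactly one port, and nobody else sees it.
        return {self.mac_table[frame.dst]}


def frames_seen_by(device, frames, monitor_port: int) -> list:
    """Return the (src, dst) pairs that were delivered to monitor_port."""
    seen = []
    for f in frames:
        if monitor_port in device.forward(f):
            seen.append((f.src, f.dst))
    return seen


# Constructed sample traffic: A on port 0, B on port 1, a sniffer on port 3.
A, B = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"
SAMPLE_FRAMES = [
    Frame(A, BROADCAST, 0),  # A's ARP request for B (broadcast)
    Frame(B, A, 1),          # B's ARP reply; the switch now knows A and B
    Frame(A, B, 0),          # data A -> B
    Frame(B, A, 1),          # data B -> A
    Frame(A, B, 0),          # data A -> B
]


def compare(monitor_port: int = 3) -> dict:
    """Run the same traffic through a hub and a switch; report what the sniffer saw."""
    return {
        "hub": frames_seen_by(Hub(ports=4), SAMPLE_FRAMES, monitor_port),
        "switch": frames_seen_by(Switch(ports=4), SAMPLE_FRAMES, monitor_port),
    }


if __name__ == "__main__":
    for name, seen in compare().items():
        print(f"{name}: sniffer on port 3 saw {len(seen)} of {len(SAMPLE_FRAMES)} frames")
```

Running it, the hub delivers all five frames to the sniffer port while the switch delivers only the one ARP broadcast, which is exactly the "perhaps ARP broadcasts" exception above. The check a defender should take from the model is that the switch's isolation is a property of its MAC table: a frame for a destination the switch has not learned is flooded to every port, so the isolation holds only while the table is correct and populated.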
All right, but let's go back to the idea I was gonna talk about before. Let's say these are the sales people. Let's say this is my production network, and let's say these are my human resources servers. That contains sensitive information. What a switch does not do for me is isolate networks. For instance, let's say the sales people have an application, and that application generates a lot of broadcasts, because some applications do. So I've got an application for sales, and that broadcast is actually going everywhere on my network. Now, it's not that broadcasts are evil, because sometimes a computer needs to learn something, and broadcast is the only way it can learn. But when I've got a broadcast that only two systems need to see, and that broadcast is hitting every system on the network, that's a waste. That's gonna cause additional traffic; it's gonna decrease performance. So what I'd like to do is segment out the sales team, and its broadcasting application, from the rest of the network.

Another consideration: I have the HR department, and I have some very sensitive information over here. I've got payroll information, salary information, stuff that I don't want the general public to have access to. I don't really want this on the same network as my production network. I think we mentioned Target. We talked about how Target made the mistake of not isolating out networks appropriately. You want to keep trusted information, secret information, away from untrusted. Okay, maybe I have a guest network where I allow vendors and contractors and the general public. I don't want them on the same network as my HR network. And a switch isn't gonna do that for me. That's not what a switch is designed to do. A switch is designed to use MAC addresses and isolate collision traffic.
What I want to do is take my great big network and break it up into lots of little networks. We refer to that as subnetting, and the device that historically we've brought in to do that is a router. So what we do is we plug each network into its own port on the router, and the router does a couple of things that a switch doesn't do. A router isolates broadcast traffic. So now, because these guys are on their own port on the router, this application that creates a lot of broadcasts is stuck on this port on the router. Sometimes you'll hear people say routers don't forward broadcasts, so a router won't allow that broadcast to hit other ports. So I've isolated the broadcast traffic to the particular port.

Um, and because broadcasting is an IP concept, and by that I mean there's a particular IP address that is used to broadcast, I have to have a device that understands IP addresses. Switches don't; switches use MAC addresses. IP addresses are logical. A MAC address is burned into the network card, okay, that's bound to the NIC, whereas an IP address changes based on logical considerations like broadcast. So I need a mechanism that understands IP addresses. So what I can do is, with this subnet that I've just created over here, each network will get its own subnet ID. So this might be the 10.8.0.0 network. This might be the 10.16.0.0 network, and this might be the 10.24.0.0 network. And because a router is able to understand IP addresses, when traffic is destined for 10.16.0.1, a router understands that's out this port, and it sends traffic out the appropriate port. So what I have is broadcast domain isolation, and I have the ability for all these different networks to communicate, which is good. I probably want sales to be able to access the production network, given the appropriate circumstance. It doesn't mean they have free access, but it does mean that I can communicate across the boundaries. So the router uses IP addresses; it's able to segment traffic for broadcast purposes, and it uses IP addresses to do so.
But the problem, once again: a router is expensive. Like I said, you're gonna get two LAN ports on a router, most likely, when you go to buy one, and again, not talking Linksys or Netgear here; we're talking about production routers. And I've already used three ports on the router, and I haven't even addressed the other networks. So what I'd like to do is get this isolation on a device with more ports than a router. And what is that? That's a switch. Okay, but please understand this: a switch does not natively isolate broadcast traffic.
However, some switches, and honestly many switches today (but that has not always been the case, and please know this is not an inherent switch capability), many switches today have a function of the operating system that you can create, or install, called a virtual LAN, a VLAN. And what does that do? That allows me to take this switch, with all these beautiful ports (obviously, it's a lot more ports than my router had), and I can assign ports on the switch to the sales VLAN, and that sales VLAN is associated with the 10.8.0.0 network. And these ports are associated with the production VLAN. And this is a configuration I have to do on the switch. And again, not all switches support this. So that's the production network with 10.16, and we'll make this the HR VLAN. And what I've done is I've created three separate subnets, or virtual LANs, and I've done it on the switch. Why? Because a switch is cheaper. I've got broadcast domain isolation on a switch, because a switch is cheaper and a switch is also easier to configure.

I'll tell you what: for somebody that's been in networking for 20 years, we love two words when they come together. We like cheap and we like easy. And so what a VLAN does is it gives us a cheap, easy way to segment, or subnet, our network into broadcast domains. Great. I've got a switch, I've done with it what I'd otherwise need a router for, and it's saved me money.
But here's the problem. A switch only understands MAC addresses. A switch does not understand what to do with an IP address. So, for instance, on this port, anything plugged into this port is on the 10.8.0.0 network; that's all this port understands. So if a system is trying to send something to the 10.16 network, that switch doesn't know how to get it there. That switch doesn't know how to send 10.16 traffic to this particular port, or to send 10.24 traffic to this port. A switch doesn't see IP addresses. A switch doesn't understand IP addresses. A switch doesn't use IP addresses. Why? Because a switch uses MAC addresses, and again, going back to the OSI reference model (and if you don't know OSI, that's okay), but for those of you that do, a switch is a layer 2 device. Layer 2 is about hardware addressing. Layer 3, which is where a router is, is about IP addresses.
Okay, so I've created my VLANs on a layer 2 switch, which is just what switches are by default, and I have separated them out by broadcast domains. But the problem is, I have no inter-VLAN communication, meaning guys here can't communicate with guys here, and can't communicate with guys there. That might be what I want. Maybe I want true isolation of those networks, and from a security standpoint, that might be a good thing. But in reality, I probably do want that inter-VLAN communication. One of the things that I could do is bring in a router. I could plug a router in here, and we could use a tagging protocol to allow those VLANs to communicate. But I need a layer 3 device to allow isolation of traffic based on IP addresses. So if I set up my VLANs on a layer 2 switch, which is what switches are by default (they use MAC addresses), I don't get the inter-VLAN communication, so I bring in a router, and that's certainly one way to do it.
But routers are expensive, right? We've already said that. So what's a better solution? What's the way it's done most of the time? If any of you have ever been on a layer 3 switch, okay, and even if you haven't, if you had to take a guess at what a layer 3 switch does that a traditional switch does not do, what is it? Understanding IP addresses. A layer 3 switch now can not only isolate VLANs, but it has the capability of reading IP addresses and directing traffic out the appropriate port based on IP. So what we've done is we've taken the switch and almost made it a router. Okay, so a VLAN on a switch: remember the points I want to make here. If you create a VLAN on the switch (many switches can create VLANs; some don't), what does that mean? If my desire is to have inter-VLAN communication, I would need a particular type of switch called a layer 3 switch.
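The subnet-per-department layout (the router section above) and the VLAN behaviour on a layer 2 versus a layer 3 switch can be put side by side in a few lines. This is an added example, not code from the lecture: the VLAN IDs, the port-to-VLAN assignments, the /16 masks and the allowed-pairs policy are all assumptions; the lecture itself names only the 10.8.0.0, 10.16.0.0 and 10.24.0.0 networks and the sales, production and HR groups. It uses Python's standard ipaddress module for the subnet lookup that a router or layer 3 switch performs.

```python
"""VLANs as broadcast domains: layer 2 switch vs. layer 3 switch.

Added illustration, not code from the lecture. VLAN IDs, port assignments,
the /16 masks and the example policy are assumptions.
"""
import ipaddress

# One VLAN per department; each VLAN is one subnet, i.e. one broadcast domain.
VLANS = {
    10: ("sales", ipaddress.ip_network("10.8.0.0/16")),
    20: ("production", ipaddress.ip_network("10.16.0.0/16")),
    30: ("hr", ipaddress.ip_network("10.24.0.0/16")),
}

# Access-port membership, the configuration you do on the switch: port -> VLAN.
PORT_VLAN = {1: 10, 2: 10, 3: 20, 4: 20, 5: 30, 6: 30}


def vlan_for_ip(ip: str):
    """Subnet lookup: which VLAN owns this address? None if no local subnet matches."""
    addr = ipaddress.ip_address(ip)
    for vid, (_, net) in VLANS.items():
        if addr in net:
            return vid
    return None


def broadcast_domain(port: int) -> set:
    """Ports that receive a broadcast sent in on `port`: only the same VLAN."""
    vid = PORT_VLAN[port]
    return {p for p, v in PORT_VLAN.items() if v == vid and p != port}


def layer2_switch(ingress_port: int, dst_ip: str) -> str:
    """A layer 2 switch keeps frames inside the ingress VLAN. It never reads the
    IP header, so there is no path to another VLAN's subnet."""
    src_vid = PORT_VLAN[ingress_port]
    if vlan_for_ip(dst_ip) == src_vid:
        return f"forwarded within VLAN {src_vid}"
    return "dropped: no inter-VLAN path on a layer 2 switch"


def layer3_switch(ingress_port: int, dst_ip: str, allowed=None) -> str:
    """A layer 3 switch routes between its VLANs using the subnet table.
    `allowed` is an optional set of (src_vlan, dst_vlan) pairs the policy permits,
    so crossing a boundary is a decision, not free access."""
    src_vid = PORT_VLAN[ingress_port]
    dst_vid = vlan_for_ip(dst_ip)
    if dst_vid is None:
        return "no route: destination is not in any local subnet"
    if dst_vid == src_vid:
        return f"forwarded within VLAN {src_vid}"
    if allowed is not None and (src_vid, dst_vid) not in allowed:
        return f"denied by policy: VLAN {src_vid} -> VLAN {dst_vid}"
    return f"routed from VLAN {src_vid} to VLAN {dst_vid} ({VLANS[dst_vid][0]})"


if __name__ == "__main__":
    policy = {(10, 20), (20, 10)}  # sales <-> production only; HR stays isolated
    print(broadcast_domain(1))                          # {2}
    print(layer2_switch(1, "10.16.0.1"))                # dropped
    print(layer3_switch(1, "10.16.0.1"))                # routed sales -> production
    print(layer3_switch(1, "10.24.0.5", allowed=policy))  # denied by policy
```

The sales broadcast stays on the sales ports in both cases, which is the performance win. The difference shows up on a unicast to 10.16.0.1: the layer 2 switch has nowhere to send it, while the layer 3 switch resolves the destination subnet and routes it, and the optional policy set is where "it doesn't mean they have free access" gets enforced, keeping HR reachable only from where you say it is.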
Now, a layer 3 switch still is not gonna replace routers, even though we get very similar functionality; we get similar functionality on the inside. So in many instances, in our server room, we've gotten rid of a lot of routers and we've moved in layer 3 switches. But I'm still gonna need to get off my network and connect to my Internet service provider, connect my VPN, connect my branch office using MPLS or some other technology. So the bottom line is, routers will still be on the network. They are considered more WAN connectivity devices than LAN connectivity devices, meaning I'm going to use routers for connection off my network. Layer 3 switches are gonna be there to allow efficient routing of traffic internally.
Okay, so I would certainly know these concepts. I would know the benefit of a virtual LAN from a security perspective. If I were an attacker, if I wanted to compromise the company's network, I would much rather have to access one network than three. So every time I subnet my network, I'm creating little mini domains, and that's one more network security function I have to get through. So rather than being able to break into one network, now I'd have to break into this network, then this network, then this network, as opposed to, if we hadn't brought in the subnets, just having one giant network. So VLANs bring security to the environment. They improve performance and isolation as well. So I would certainly know hub, switch, router, VLAN, VLAN switching, layer 3 switch. If there were any you could kind of disregard, it's hubs, because, like I said, we're not using hubs anymore. But I do think it helps to go back and understand the original connectivity devices. So this is an idea that's very testable and certainly has a tremendous real-world value as well as a test value.