A

Time 2: The device on port 0 replies to the message. The switch associates the source address of the message with port 0. Any future communications involving either of these end stations will not require these steps, because the switch now knows which ports they are associated with. This process happens all the time in every switch. For most switches, when a table entry has reached a certain age and has not been referenced in a while, it can be removed. This process is called aging out.

Network Is a Network

On the surface, it would seem there is not necessarily a problem. Why not just put the new bank branches and applications on the network? Why not just add the video camera and badge reader endpoints to the network? One major concern is security. We may not want any random employee to be able to access specialized applications and devices such as ATMs and security endpoints. There also could be regulations or laws requiring proper separation of networks during an acquisition, for example. Another...

Acknowledgments

Jim and Neil would like to thank the following people: Our families, whom we lied to after the last book, when we said we would not do this again, and who put up with our working late nights and weekends. This time, we mean it. Our publisher and the fine team at Cisco Press and Pearson Education. We would especially like to thank our editor, Sheri Cain, who bravely agreed to join us on another project; our production manager, Patrick Kanouse; Chris Cleveland; Karen Gettman; Tonya Simpson; Jennifer...

Active Monitoring

An IPS actively monitors packets inline on the network. The figure shows the steps involved:
1. Traffic on the network is not copied but is forwarded through the IPS Sensor for analysis.
2. If traffic matches an intrusion signature, the signature fires.
3. Traffic that matches the signature is dropped.
4. The IPS Sensor also sends an alarm to the management console.
With IPS, packets that are part of the intrusion attempt are prevented from reaching the target.

Address Classes

When the IP address scheme was developed, only the first octet was used to identify the network portion of the address. At the time it was assumed that 254 networks would be more than enough to cover the research groups and universities using this protocol. As usage grew, however, it became clear that more network designations would be needed (each with fewer hosts). This issue led to the development of address classes. Addresses are segmented into five classes (A through E). Classes A, B, and...

Address Learning

A switch must learn the addresses of the devices attached to it. First it inspects the source address of all the traffic sent through it. Then it associates the port the traffic was received on with the MAC address listed. The following example illustrates this concept. The MAC addresses are not in the correct format and are shown for clarity only. Time 0: The switch shown has an empty MAC address table. Time 1: The device attached to port 2 sends a message intended for the device on port 0. This...

Advanced Encryption Standard (AES)

The Advanced Encryption Standard (AES) is the latest algorithm adopted for securing data communications. It is widely used by the U.S. government and many companies. It is quickly becoming the de facto encryption algorithm everywhere it is not subject to export restrictions. AES was invented by two Belgians, Joan Daemen and Vincent Rijmen. It was submitted for an industry standard proposal and was standardized in 2002. AES is also the fundamental data encryption standard used by the Wi-Fi...

After a Disaster Occurs

Practice and planning are put to the test if disaster strikes. To avoid confusion, or worse (such as causing more damage), a checklist should be developed as part of the planning effort and should be followed when the time comes. The checklist will vary from business to business and situation to situation, but most will closely resemble the following example:
1. Make sure that your people are safe. Are all personnel accounted for? Consider sending home noncritical personnel to avoid confusion.
2....

Analog Voice to Digital Conversion

With traditional telephony systems, the sound waves produced by the human voice are converted into analog electrical signals that are easily transmitted down a wire. On the receiving end of the connection, the electric signals are used to excite a diaphragm (speaker), which produces a very good representation (or analogy) of the original signal. Analog signals are composed of continuously variable waveforms having an infinite number of states. Therefore, theoretically they can be exactly...

Anatomy of a Contact Center

Whether you call a computer company for support, an insurance company to make a claim, or an airline to check the status of a flight, you interact with a call center in some fashion. Likewise, when you receive a call during dinner asking whether you want to subscribe to a newspaper, a call center is interacting with you. The goal of a call center is to efficiently route a call to the appropriate person or call service while managing call queues when there are more calls than available...

Anomaly Detection

The key to telemetry is baselining network behavior under normal operating conditions, using tools such as Cisco NetFlow. This baseline test should be performed over several days (or even weeks) at different times of day and under different traffic loads. When you understand what normal network behavior looks like, anomalies will be apparent. Baselining uses several types of information: average peak network utilization; percent distribution of packet types and applications; devices joining or...

Appliance-Based Cisco Clean Access

In an appliance-based NAC solution, any attempt to access the network is redirected to an appliance called the Clean Access Server (CAS), which performs the NAC challenge. After performing a challenge to and receiving a response from the end-user device, the CAS communicates with the Clean Access Manager (CAM) to check the device's policy. Typically the challenge-and-response process is very quick and is unnoticeable during the normal network login process. It may take longer if a scan needs to...

Application Layer

With the convergence of Unified Communications and IP data networks, it is easy to create new applications that merge the worlds of phones, video, and computers. Examples of these applications include the following: the ability to use speech recognition in combination with call-handling rules. Users can set up personalized rules that provide call forwarding and screening on-the-fly. They can forward calls to other user-defined locations such as their homes or cellular phones. Additionally, users...

Architecting a Branch Network

Many network services need to be considered: network fundamental services such as DHCP and QoS; security services such as firewall and intrusion prevention; identity services such as 802.1x and access control; mobility services such as wireless LAN access; Unified Communications services such as telephony, conferencing, and collaboration; and application networking services such as file services and access to applications. In addition, each of these services must efficiently mesh into a broader...

Assessing Device Health

Plenty of high-quality software applications are available to scan laptops and computers for the presence of malicious software. These include antivirus, anti-spyware, anti-adware, and software inventory programs. Many of these programs require constant updates of their signature databases so that they can always recognize the latest malicious software threats and prevent them from infecting a computer. Whether the signatures are current and whether scans have been scheduled and executed may...

At-a-Glance: Asynchronous Transfer Mode (ATM)

ATM delivers information in fixed-size units called cells. Every ATM cell, regardless of the type of information (voice, video, data), is exactly 53 bytes, with 48 bytes of information and 5 bytes of header (overhead) information. This is different from other protocols that can increase the cell size and actually increase the header or overhead traffic on a network. There are two distinct advantages in using fixed cell sizes that outweigh the cost of the additional overhead. (Figure labels: Header; 48 Bytes of...)

At-a-Glance: QoS

Classification refers to marking packets with a specific priority denoting a requirement for special service from the network. This can be done at different places in the network by Layer 2 or Layer 3 devices, or by endpoints themselves. Typical classification schemes identify priorities of Critical (voice and mission-critical data), High (video), Normal (e-mail, Internet access), and Low (fax, FTP). The above percentages are just starting guidelines; each network and application might require...

At-a-Glance: Telepresence

The Telepresence solution is also compatible with legacy H.323 technologies, so it is possible to conference in legacy videoconferencing endpoints. However, they will not experience the same meeting experience as someone using a Telepresence endpoint. All video and audio signals are combined and transmitted using a single Video-over-IP traffic stream. This requires only a single Ethernet port...

At-a-Glance: Unified Communications

Communications allows people to see how to best reach the people they need to communicate with, whether through instant messaging, phone, or videoconferencing. Unified Communications greatly speeds up the communication process, which often means closing a deal faster or responding to a customer issue faster. This system improves the chances of reaching people, reducing missed communications and having to retry with other forms of communication. For example, you can find out via Presence and...

ATM

ATM is a standard for cell-based relay that carries voice, video, and data in small, fixed-size cells. ATM networks are connection-oriented networks that combine the benefits of circuit switching (guaranteed capacity and constant transmission delay) with those of packet switching (flexibility and efficiency for intermittent traffic). ATM transmits at speeds from a few Mbps to many Gbps. High-speed ATM circuits typically require fiber-optic cables to carry such high speeds. Speeds of these...

ATM Connections

ATM is a connection-based service that uses two primary types of circuits: permanent virtual circuits (PVC) and switched virtual circuits (SVC). ATM also can use a connectionless service, but it is relatively rare, so it is not discussed in detail. A connection-based service means that a connection must be requested, established, and confirmed before any user information (such as voice, video, or data) is sent. PVCs typically are used for direct connections between sites. Similar to a leased...

ATM Features

ATM implements two features that make it both useful and interesting (well, interesting in a network geek kind of way). The two concepts are asynchronous transmission and fixed cell size. The "asynchronous" part of ATM refers to the protocol's ability to use a more efficient version of time-division multiplexing (TDM). Multiplexing is a method of combining multiple data streams onto a single physical or logical connection. Time division means that each data stream has an assigned slot in a...

ATM Network Interfaces

ATM networks are composed of ATM switches interconnected by point-to-point ATM links. The links connecting the switches come in two forms. User-network interfaces (UNI) connect ATM endpoints to ATM switches. Network Node Interfaces (NNI) connect ATM switches together. UNIs and NNIs can be further classified by the type of network the switch resides in (public or private). The figure shows examples of several interfaces.

Authentication and Isolation

In the campus, 802.1x Identity-Based Networking Services (IBNS) (discussed in Part V, Securing the Network) can be used at the network edge to authenticate, authorize, and admit devices to the appropriate network partition. In the access layer, VLANs represent the first level of path isolation. Across the campus backbone, traffic isolation technologies such as GRE, 802.1Q VLAN trunking, VRF-Lite, and MPLS are used to provide secure network partitions. At the handoff between the campus network and...

B

Back-end congestion notification (BECN), 72 back end functions (data centers), 223 backbone, 65 backups availability, 122-123 data centers, 223 dial, 71 disaster recovery, 143 Backward Explicit Congestion Notification (BECN), 75 conservation for VoIP, 262-263 Ethernet, 38 low-bandwidth tools, 272 videoconferencing, 284 BECN (back-end congestion notification), 72 BPDU (bridge protocol data units), 49 branch office designs, 113-115, 243 architecture, 114 communications, 116-117 distributed...

Backing Up Systems

There are a number of ways to back up data centers and application farms. Some companies back up systems each night after the close of business. In this case, the worst-case data loss is a single day. Another backup scheme is called synchronous data mirroring. It allows companies to perform real-time backups with no lag, ensuring that virtually no data is lost in the event of a natural or man-made disaster. An added benefit of synchronous data mirroring is that both systems can be online at the...

Balancing Security and Access

Most people in networking believe that balancing security and access is a zero-sum game: give to one, and you must take from the other. Wireless security was no different in the beginning, because users were forced to enter 26-digit hexadecimal codes to gain secure wireless access. It was a pain, but that was the price you paid for checking your e-mail when meetings started to get boring. Wireless security has come a long way from the easily breached Wired Equivalent Privacy (WEP) security keys...

Balancing Trust Versus Security

Security and trust are opposing concepts. Trust is required for applications to run, but open access can expose a network to attacks or misuse. On the other hand, a very restrictive security policy might limit exposure but also reduce productivity. When security is a primary design consideration, a trust boundary can be determined on a per-user basis, and the proper balance can be struck.

Before a Disaster Occurs

The first step in a business continuance plan is to assess the business criticality and downtime impact of each business application. The risk assessment should consider how a temporary or extended loss of each application and function impacts the business, with regard to the following: financial losses (lost revenue); customer satisfaction and retention. For each system, application, or function deemed critical, a backup recovery plan must be implemented. After the critical systems, data, and...

Bells and Whistles

In addition to providing cost-effective surveillance, digital IP-enabled video systems can provide advanced services such as motion detection and analytics. When integrated with other applications, digital video signals can automatically trip alarms, notify security staff, and even provide streaming video feeds to mobile devices. Keep gear and wiring closets locked and restrict access. If possible, keep the main and backup power separate from each other and from the other gear. If possible,...

Branch Communication

Unified Communications capability must also be integrated into a company's branch networks to ensure maximum productivity and efficiency. Services such as call control and routing, gateways to the PSTN, and conferencing circuits (to name...
(Figure labels: Integrated Services Building Block Layers. Protect the infrastructure. Maintain network transport continuity and availability. Protect against information threat or alteration over untrusted transport mediums...)

Branch Offices Rule

Once upon a time, the corporate headquarters was king, with the majority of employees who worked for the company going to work at the headquarters. In the service economy, companies needed geographic coverage and local offices near their customers, which fueled an explosion of branch offices. A branch office can be anything from a gas station or convenience store, to a retail store in a shopping mall, to a stock-trading location, to your local bank branch. Branch offices are everywhere. Just...

Branch Security

Extending corporate networking and communications services to many locations creates many new security threat entry points. Therefore, the hardening of the branch network through infrastructure protection mechanisms is critical. Many companies that maintain a good security posture at their headquarters leave themselves vulnerable at branch offices. Branch networks need the same level of security services and protection as headquarters campus networks. Ideally, branch networks and campus...

Building Networks for Ease of

Campus, as it applies to networking, typically describes the routers, switches, network appliances, and servers that make up the networking infrastructure for a set of buildings located in close proximity. A campus can be the manufacturing site of a large corporation, the headquarters for a bank, or a college campus. A design goal for campus networks is to separate buildings, floors, workgroups, and server farms into smaller Layer 3 groups to prevent network faults from affecting large...

Building-to-Building Bridge Systems

Wireless bridges create a single LAN by linking remote networks. For simple networks, the bridge connects to a hub or switch on the LAN. If the network contains multiple subnetworks, the bridge is connected to a router. Wireless bridges are a convenient and cost-effective solution for rapidly growing companies and for those located in areas where a fixed connection is either expensive or impractical. In some cases building-to-building Wi-Fi wireless bridges offer superior price and performance...

Bullets, Bombs, and Secret Codes

Although this might sound surprising, encryption codes and cryptography methods fall under the same export laws as guns, ammunition, and explosives. However, this makes sense when you think about national security issues. It is sometimes necessary to eavesdrop and wiretap the communications of unfriendly entities. Limiting the export of the most sophisticated cryptography methods protects our country's ability to stay ahead of eavesdropping methods being used against us. It also limits the...

Cable Equipment

Adding cable Internet service requires only a cable modem for home users, because cable-ready televisions provide their own filtering. Therefore, interference between data and TV signals is not an issue. At the cable company, a Cable Modem Termination System (CMTS) is required to aggregate upstream and downstream traffic.

Caching

Caching is the process of preloading information that is likely to be used, in close proximity to where it will be used. Intelligent caching is critical to achieving the performance required by today's high-end business applications. Cisco WAFS provides caching locally for files being used or modified by the branch office. With data read caching, when a user opens a file, a copy is stored on the local appliance. From then on, with each request, the Cisco FE checks to see if the data has...

Caching More Than Web Pages

The initial benefits of caching were realized with static web content. However, video and audio files are also appropriate candidates for caching. One example is a CEO's address to the company. You can broadcast the address live and then store it as video on demand for people to watch when they have time. You can push the broadcast to local caching servers so that an employee in another country can watch the video without having it stream from the location of the original video. To the overseas...

Call Center Telemarketing

This is the brain of telemarketing boiler rooms. This system constantly dials numbers and hands calls off to agents. It is constantly updated with phone number lists, which are purchased from many sources (some illegally). When a good number is reached, the call is handed off to an agent.

Call Processing Layer

CallManager is the center of the call-processing layer. CallManager fills the role of the digital switch in the PSTN or a PBX in a corporate telephone network. It provides the connectivity, signaling, and device control and intelligence for IP phones and gateways. In addition, CallManager performs operations, administration, maintenance, and provisioning (OAM&P). Cisco CallManager is responsible for establishing a call between two phones, but after the call is established, CallManager...

Campus Size Design Considerations

Some general rules of thumb are listed for various campus sizes. The figure shows the recommended design for a campus with fewer than 200 edge ports. This design collapses the core and distribution into one layer, which limits scaling to a few access switches. This design is recommended for campuses with 200 to 1000 ports. A separate distribution layer allows for future growth. A redundant core ensures high availability and allows equal-cost paths. This is a very...

Catalyst Example

Using a sample deployment with a Cisco Catalyst 6500 running a Programmable Intelligence Services Accelerator (PISA), the benefits of deep packet inspection can be demonstrated. Mission-critical applications can be recognized on the network and prioritized, providing a higher level of service and guarantees for network resources. Undesirable applications, such as peer-to-peer file-sharing programs, can be deprioritized to the lowest class of service or dropped altogether. Worms can be...

Centralizing Applications

For all the reasons we want to centralize storage, it is also highly desirable to centralize application servers. Again, the trick is how to have central application servers being used by employees in branch offices over a WAN without impacting application performance. The WAN, because of its limited bandwidth and relatively longer latencies than a LAN, inherently slows down applications (to a grinding halt if we are not careful). Because most employees at a typical company now work in branch...

Centralizing Storage

Centralizing storage in the headquarters data center is strongly preferred, instead of having a myriad of distributed file servers in far-flung branch offices. This greatly simplifies operations, including backups and disaster recovery planning, as well as regulatory compliance issues. Companies only need a team of central IT staff administering the file servers in the central data center. The trick is how to have central file servers being used by employees in branch offices over a WAN without...

Challenges with Virtual Networks

Many applications and collaboration systems rely on open networks (unrestricted communication between endpoints). Placing endpoints within virtual network partitions by definition restricts the flow of traffic to appropriate other endpoints and applications. The two aims (open and closed) can be diametrically opposed at times, creating challenges for virtualized networks. One of the keys in implementing virtual networks is to understand the necessary traffic flows between virtual partitions and...

Change Control Management

Always expect the worst when first installing upgrades; it will save you time and trouble in the long run. Introduce all changes to the network in a controlled way. This includes testing changes before moving them onto the production network, researching software upgrades for known bugs, and having a backout plan in case the change causes a failure or doesn't take correctly. Software should be thoroughly tested and used in a real (quarantined) or simulated real environment before being put on...

Cisco Networking Simplified Second Edition

Jim Doherty, Neil Anderson, Paul Della Maggiora. Copyright 2008 Cisco Systems, Inc. Published by Cisco Press, 800 East 96th Street, Indianapolis, IN 46240 USA. All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review. Printed in the United...

Cisco Unified Personal Communicator (CUPC)

The Cisco Unified Personal Communicator (CUPC) refers to an integrated Unified Communications client that runs on a laptop or handheld computer, bringing together many forms of communications on a single device. Types of communications include voice, video, instant messaging, voice mail, e-mail, application sharing, and web conferencing and collaboration. The CUPC endpoint is integrated into the business Unified Communications system. Therefore, it has a phone number in the corporate dial plan...

Cisco Unified Wireless Solution

The Cisco Unified Wireless solution with Wireless Control System (WCS) provides an integrated approach for wireless and mobility services deployment and operations, including the following: The data plane includes wireless APs at the headquarters campus and also at the branch offices, providing unified wireless access to many types of clients. The control plane includes management of APs and radio frequency (RF) coverage, as well as detection of rogue APs and interference. The management plane...

Combating Access-Based Attacks

A common entry point for network threats is the wired (and wireless) access ports where devices connect, such as laptops, printers, IP phones, and others. Without appropriate measures, hackers attempting to cause mischief in networks can plug into a port and use it as a launching location to work their way into the rest of the network. Such intrusions may require physical access to the corporate location. Physical security measures such as locked doors, badge readers, video surveillance, and...

Combating Virus Outbreaks

Mobility has given corporate employees huge productivity gains. They can access corporate applications from home, while traveling, and via wireless hotspots at coffee shops and airports. Always-on broadband networks have also led to huge strides in productivity. Employees can work from home in the evenings or even during extended periods when they are unable to get to work, such as during an ice storm. But mobility and flexibility come at a price. Increasingly, corporate computer assets...

Comfort Noise

The digital signals used in VoIP are usually much cleaner than the analog signals used in circuit-switched telephony. This is because in analog systems, any amplification of the signal also amplifies noise, resulting in the static heard in the background during calls. With digital signals, noise can be cleaned out, and a much more pure sound can be achieved. This may seem like a good thing, but it actually causes problems. It turns out that on analog calls the slight background noise indicates...

Communicating Between Layers

Each layer of the OSI model uses its own protocol to communicate with its peer layer in the destination device. The OSI model specifies how each layer communicates with the layers above and below it, allowing vendors to focus on specific layers that will work with any other vendor's adjacent layers. Information is exchanged between layers using protocol data units (PDU). PDUs include control information (in the form of headers and trailers) and user data. PDUs include different types of...

Comparative Features of NAT (Network Address Translation)

Static NAT: address assignments do not change; good for security. Dynamic NAT: assigns an outside address from a pool to an inside address; address assignments only last for a single communication session; preserves address space but can run out of outside addresses. In both cases, the router gateway maps the inside address to the outside address.

Comparative Features of PAT (Port Address Translation)

PAT uses one outside address for many inside addresses (called overloading). Port numbers (usually very high) are assigned on a per-session basis, so the translation keys on the port rather than only the address. Example mapping of inside address:port to outside address:port:
10.0.0.1:1256 -> 17.1.5.1:1256
10.0.0.2:1567 -> 17.1.5.1:1567
10.0.0.3:1683 -> 17.1.5.1:1683
etc.
The router gateway maps the inside address to the outside address.

Compressing Voice

One of the key issues with VoIP is the conservation of bandwidth. Because the routing information contained in VoIP packets can more than double the packet's size, it is important to compress the voice data as much as possible. There are three levels, or orders, of compression. The first order is to simply not transmit what cannot be heard. A typical conversation is mostly silent (hard to believe, but true). It is possible to optimize the VoIP bandwidth by not transmitting unless there are sounds...

Computers Speaking the Same Language

The Internet protocols comprise the most popular, nonproprietary data-networking protocol suite in the world. The Internet protocols are communication protocols used by electronic devices to talk to each other. Initially, computers were the primary clients of IP protocols, but other types of electronic devices can connect to IP networks, including printers, cellular phones, and MP3 players. Today, even common devices such as vending machines, dishwashers, and cars are being connected to IP...

Conferencing Gets Simple

Audioconferencing revolutionized standard meeting practice, but when it was first established, it required a conference operator to admit participants and manage the conference. Conferencing evolved to being easy enough that employees could quickly and easily organize their own conference bridges. (However, we have been in plenty of meetings where the ease of today's conference bridge technology continues to elude some of the brightest engineers.) VoIP makes conferencing more flexible and...

Congestion Notification

Frame Relay reduces network overhead by implementing simple congestion notification mechanisms. Frame Relay uses two methods of congestion notification: Forward Explicit Congestion Notification (FECN) and Backward Explicit Congestion Notification (BECN). FECN sends a message to the destination device when a Frame Relay switch senses congestion in the network. A DTE device receiving this message can relay this information to a higher-layer protocol for processing. In turn, the protocol can...

Contents

Introduction Part I Networking How Computers Communicate The OSI Open Versus Proprietary Seven Layers At-a-Glance OSI Model Internet Infrastructure How It All Connects TCP IP and IP Addressing Computers Speaking the Same Language What Is an Address Dynamically Allocated IP Addresses Domain Names and Relationship to IP Matching Domain Names to IP At-a-Glance TCP IP At-a-Glance IP At-a-Glance NAT and PAT Internet Applications The Internet and Its Applications Web Peer-to-Peer Sharing Part II...

Control Plane Policing

CoPP implementations are dependent on the product type and device architecture. For some switches, forwarding can occur without involving the main device CPU, shown in the figure as linecard to linecard. Traffic limiting can be enforced to ensure that control traffic needing to be serviced by the main CPU is appropriate, by enforcing a number of queues into the main CPU. No one class of requests (such as traffic) can overwhelm the other classes, such as control commands.

Control Plane Protection

Control Plane Protection (sometimes called Control Plane Policing or CoPP) involves taking explicit measures to ensure that no matter what occurs with the data plane, the control plane continues to function and be responsive. Possible control plane protection methods include the following: preserving CPU bandwidth as a high priority for control plane services; safeguards on the data plane to prevent CPU overruns; separate CPU processors for the data plane and control plane. Control Plane Protection...

Converged Networks and QoS

Traditionally, computer networks transported data applications and provided file storage services. The modern business network is also the communications backbone, supporting many applications, including delay-sensitive data, but also voice, high-quality video, and web-based conferencing and collaboration. Because the network is now a communications backbone, it must provide predictable, measurable, and sometimes guaranteed services. But the network has finite resources in terms of bandwidth,...

Corporate Employee Clean and Dirty Networks

With the implementation of intelligent endpoint authentication and admission onto the network, using solutions such as 802.1x IBNS and Network Admission Control (NAC), there is a need to separate the clean endpoints, network, and services from the dirty ones. With virtualized networks, we can implement a clean network partition. As soon as an employee authenticates and the laptop or computer is verified to be healthy, it is admitted to the clean network and has access to normal applications. Endpoints...

Coverage and Quality

For proper coverage and call quality, the density of wireless AP placement needs to be sufficient. With wireless laptops, access tends to be nomadic. With this usage model, losing connectivity while in motion and then reestablishing a session in a second location is not a significant issue. With wireless VoIP, clients inherently move between access points. It's critical to maintain a session during a voice call. Overlapping access point coverage of 15 to 20 percent is one element of maintaining...

Critical Communication Questions to Answer

What types of Unified Communications services are needed now and in the future? Will the Unified Communications architecture be heavily centralized or distributed? Which Unified Communications services will be provided locally?

[Figure: Integrated Services Building Block Layers. Call Control, Dial Plan, E911 (CER, CCM, SRST, CCME, CUE, Gatekeeper, CAC); Integrated Gateway and Media Resources...]

Critical Security Questions to Answer

The following questions related to security should be answered as part of the branch design process: What are the company's critical security policies? What new potential vulnerabilities are created by extending all corporate applications and services to many locations? What types of secure communications may be required for industry or regulatory compliance? Are local laws being followed regarding employee privacy in international locations? What is the security management strategy?

CWDM

Coarse Wavelength Division Multiplexing (CWDM) uses wavelength-specific pairs of GBICs to combine up to eight optical signals onto a single fiber. Each switch pair is fitted with one or more pairs of GBICs. Each GBIC pair is tuned to a specific frequency that allows the switch to add (mux) or pluck out (demux) a single beam of light (data stream). CWDM can be deployed as ring or point-to-point. One major drawback of CWDM is that it cannot be amplified, which makes this solution...

Denial of Service (DoS)

DoS attacks provide a means for bringing down a network without having to gain internal access. DoS attacks work by flooding a network device or application server with bogus traffic (which can be e-mail or IP/ICMP packets). A Distributed DoS (DDoS) attack consists of coordinated DoS attacks from multiple sources. DDoS is more difficult to block because it uses multiple, changing source IP addresses that are hard to distinguish from legitimate IP addresses. With the advent of sophisticated Trojan horse viruses...

Sniffing and Spoofing

Sniffing refers to the act of intercepting TCP packets. This can be simple eavesdropping or something more sinister. Spoofing is the act of sending an illegitimate packet with an expected ACK, which can be guessed, predicted, or obtained by snooping. In a DoS attack, the web server identifies the suspect source and blocks any more incoming packets from it. The attacker can remotely take control of many other computers and start launching timed attacks. The solution is the same for the DoS...

Data Center Facilities

The housing of critical computing resources such as those found in a data center typically requires specialized facilities and trained personnel to run a 24/7 operation. The efficient, protected, and secure operation of these business-critical systems requires consideration of and planning for the following items: cabling (raised flooring or overhead tracks); temperature and humidity controls; fire and smoke detection systems; restricted access and surveillance systems; space planning for future...

Data Center Layers

Data centers can be divided into six logical layers. These layers do not correlate to the OSI layers. This list represents one of a number of ways to look at data centers. These layers are based on logical functions: Aggregation consists of the network infrastructure components that connect all data center service devices, such as firewalls, content switches, Call Managers, and Content Distribution Managers. Front-end contains FTP, Telnet, e-mail, web servers, and other business...

Data Center Management

Management services typically are overlaid on top of all other services. Every layer of the data center model requires its own set of management considerations but must be supported by different organizational entities or even by distinct functional groups within the enterprise. Specific management categories include configuration management, fault management, performance management, security management, and accounting management. Each of these categories must be included in the planning of the...

Data Center Migration

Data center virtualization can take several migration steps, starting with consolidation of the server and storage resources. To virtualize the server and I/O services in the data center, it is necessary to implement a unified interconnect fabric to enable shared pools of compute and storage servers. In plain English, this means that Fibre Channel or ATM links are replaced with Ethernet. Finally, virtualization of application environments can occur, in which applications are mapped to resources...

Data Center Virtualization

The main idea with data center virtualization is to abstract the physical equipment in the data center (storage devices, servers, load balancers, and so on) from the applications that run on them. By doing so, resources can be purchased and deployed in a pool and allocated logically to applications, lowering overall equipment requirements and costs. New applications can more quickly be brought online by provisioning from the already deployed resource pool. As applications age out, their resources...

Data Link Connection Identifier

Frame Relay virtual circuits are identified by data-link connection identifiers (DLCIs). DLCI values typically are assigned by the Frame Relay service provider. Frame Relay DLCIs are of local significance only. In other words, the DLCI values are unique only at the endpoints, not across the WAN. Therefore, two DTE devices connected by a virtual circuit might use different DLCI values to refer to the same connection. In addition, two DTEs can be connected on the same virtual circuit but still have...

Data Privacy

The ability to provide secure communication is crucial when you must protect information from eavesdropping. Digital encryption technologies and protocols such as Internet Protocol Security (IPsec), Secure Socket Layer (SSL), and Secure Real-Time Protocol (SRTP) are commonly used to protect data, especially when being transported over a shared or untrusted network, such as a service provider WAN or public Internet. New technologies such as Digital Rights Management and data watermarking are...

Dedicated CPUs

In cases where more robust network availability is essential, more sophisticated network devices may use an architecture that provides more guarantees of availability. For example, in some cases it may be advisable or even necessary to use dedicated CPUs for control plane activity. As shown in the figure, separate processors handle data plane and control plane requests. In this way, the control plane processor should always be available to process requests, even if the data plane processor is...

Dedications

This book is dedicated to Bradley Mitchell. Bradley was introduced to us by our publisher as a technical reviewer when we wrote our first book together back in 2004 (Home Networking Simplified). We were so happy with his effort, his insightful comments, and his technical expertise that we asked him to be a reviewer on the next book. And on the one after that. And so on and so on until we look back and realize that over five titles, the entire set of the Networking Simplified series, Bradley has...

De-encapsulation

De-encapsulation, the opposite of encapsulation, is the process of passing information up the stack. When a layer receives a PDU from the layer below, it does the following: 1. It reads the control information provided by the peer source device. 2. The layer strips the control information (header) from the frame. 3. It processes the data (usually passing it up the stack). Each subsequent layer performs this same de-encapsulation process. To continue the preceding example, when the plane arrives,...

Deep Packet Inspection

Deep Packet Inspection (DPI) is a technique that allows network security devices such as firewalls to look deeper into the IP packet to try to learn its true intent. Instead of relying on fairly standard packet header information (essentially Layers 2 and 3), which again is starting to look the same for every application on the network, DPI can look much further up the OSI stack, into Layers 4 through 7. With the increased visibility that DPI provides, it is possible for network security...
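The two entries above describe the same packet from two directions: de-encapsulation reads and strips one header per layer on the way up the stack, and DPI keeps going past the Layer 2/3/4 headers into the payload. The following is an added example (not code from the book, and not a Cisco implementation) that does both on a constructed Ethernet II / IPv4 / TCP frame: each `strip_*` function reads the peer's control information and hands the remainder up, and `classify_payload` then identifies the application by content rather than by destination port. The port table and the payload markers are deliberately small and are assumptions made for illustration; the addresses come from documentation ranges and checksums are left at zero because the parser does not validate them.

```python
"""De-encapsulation followed by a simplified DPI stage on a constructed frame.

Added example, not code from the book: peel Ethernet, IPv4 and TCP headers one
layer at a time, then classify the remaining payload by content.
"""
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6

# What a header-only (Layer 4) classifier relies on (assumption: tiny table).
WELL_KNOWN_PORTS = {80: "http", 443: "https", 22: "ssh"}

# Application-layer markers matched at the start of the payload by the DPI
# stage (assumption: a handful of markers chosen for illustration).
APP_SIGNATURES = {b"GET ": "http", b"POST ": "http", b"SSH-": "ssh", b"\x16\x03": "tls"}


def build_frame(payload: bytes, dst_port: int) -> bytes:
    """Construct a minimal Ethernet II + IPv4 + TCP frame around payload (sample input)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    # TCP: src port, dst port, seq, ack, data offset (5 words) << 4, flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4: ver/IHL, TOS, total length, id, flags/frag, TTL, protocol, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_TCP, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return eth + ip + tcp + payload


def strip_ethernet(frame: bytes):
    """Layer 2: read the peer's control information, strip it, hand the rest up."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    header = {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype}
    return header, frame[ETH_HDR_LEN:]


def strip_ipv4(packet: bytes):
    """Layer 3: honour IHL (options) and total length, then hand up the segment."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    header = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl, "protocol": proto}
    return header, packet[ihl:total_len]


def strip_tcp(segment: bytes):
    """Layer 4: honour the data offset so TCP options are not mistaken for payload."""
    src_port, dst_port, seq, _ack, offset_byte, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (offset_byte >> 4) * 4
    header = {"src_port": src_port, "dst_port": dst_port, "seq": seq, "flags": flags}
    return header, segment[data_offset:]


def classify_payload(payload: bytes) -> str:
    """DPI stage: decide by Layer 7 content instead of trusting the port number."""
    for marker, name in APP_SIGNATURES.items():
        if payload.startswith(marker):
            return name
    return "unknown"


def inspect_frame(frame: bytes) -> dict:
    """Full de-encapsulation followed by DPI; returns what each layer learned."""
    eth, packet = strip_ethernet(frame)
    if eth["ethertype"] != ETHERTYPE_IPV4:
        return {"ethernet": eth, "verdict": "unsupported ethertype"}
    ip, segment = strip_ipv4(packet)
    if ip["protocol"] != IPPROTO_TCP:
        return {"ethernet": eth, "ip": ip, "verdict": "unsupported transport"}
    tcp, payload = strip_tcp(segment)
    return {
        "ethernet": eth,
        "ip": ip,
        "tcp": tcp,
        "port_guess": WELL_KNOWN_PORTS.get(tcp["dst_port"], "unknown"),
        "dpi": classify_payload(payload),
        "payload_len": len(payload),
    }


if __name__ == "__main__":
    # An HTTP request sent to a non-standard port: the header-only classifier
    # says "unknown" while content inspection says "http".
    frame = build_frame(b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n\r\n", 8443)
    result = inspect_frame(frame)
    print(result["ip"]["src"], "->", result["ip"]["dst"], result["port_guess"], result["dpi"])
```

The point of the non-standard port in the usage block is the one the DPI entry makes: once every application looks alike at Layers 2 through 4, only content tells a firewall what the traffic really is. A production engine would also have to reassemble TCP streams and handle fragments before matching, which this example leaves out.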

Departmental Virtual Networks

Increasingly, companies are struggling to comply with a myriad of industry and government regulations stipulating how financial and customer data is handled and protected. Regulations including the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, Payment Card Industry (PCI), and Basel II (in Europe) contain specific provisions governing the handling of information. They also specify precautions that companies must take. Network virtualization can help achieve...

Deployment Models

Unified Communications has four deployment models: Single site: Unified Communications is implemented in a single location. Multisite with independent call processing: Unified Communications is implemented in multiple remote sites, but calls between the sites travel across the PSTN. Multisite with distributed call processing: Unified Communications is implemented across multiple remote sites with call-processing and voice-messaging equipment present at each location. Calls travel across the IP WAN as...

Deployment Modes

Site-to-site VPNs link company headquarters, remote locations, branch offices, and e-business partners to an internal network over one shared infrastructure. Site-to-site VPNs can be intranets or extranets. It is not uncommon for extranets to traverse multiple service providers. Remote-access VPNs allow corporate users and mobile workers to access a corporate intranet securely by using their cable, DSL, or the local numbers of an ISP to dial in and connect to the network. Leveraging local ISP...

Designing a Wireless Network

Although it may seem a bit trivial to the casual user whose idea of assembling a wireless network is connecting his Linksys router to his cable modem, designing a wireless network on a corporate scale takes real engineering skill and effort. Some key considerations must be addressed, and they are quite different from those involved in implementing a wired network. The first of these is which wireless standard is to be used. There are several, each of which has pros and cons. Another consideration...

Device Isolation

The Cisco network virtualization framework can be used to isolate specialized devices, such as ATMs and manufacturing robots, as well as to provide hosted network services for in-store kiosks. Access control uses MAC Auth Bypass (MAB) and static port assignment to map specialized devices (ATMs, IP video surveillance cameras, building HVAC systems, manufacturing robots, hosted entity kiosks, and so on) to private virtual network partitions. Path isolation securely isolates specialized device...

Diffie-Hellman Key Exchange

Understanding how encryption uses keys is only half the battle. You must also have a secure way of negotiating and passing keys without a third party obtaining them, even when the keys are exchanged over insecure links. The Diffie-Hellman key exchange protocol was designed for just this purpose. The exchange is secure because keys are never transmitted in clear text, so they are exceptionally difficult to figure out. Key interception is prevented using two known prime numbers that have a...
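The exchange described above, as an added example that is not from the book: both parties agree on public parameters p (a prime) and g (a generator), keep their own exponents private, and send only the public values A = g^a mod p and B = g^b mod p across the insecure link. Each side then raises the value it received to its own private exponent and arrives at the same shared secret, which is hashed into a symmetric key. The toy parameters p = 23 and g = 5 and the textbook exponents are assumptions chosen so the arithmetic can be followed by hand; `brute_force_discrete_log` is included only to show why such a small group is worthless in practice and why deployed groups are 2048 bits or larger. Plain Diffie-Hellman as shown here does not authenticate either party; in protocols such as IPsec the public values are additionally signed or otherwise authenticated.

```python
"""Diffie-Hellman key agreement, shown from both sides and from the wire.

Added example, not code from the book. p and g are public; only A and B are
ever transmitted, and the private exponents a and b never leave their owner.
"""
import hashlib
import secrets

# Textbook-sized parameters (assumption, chosen for readability only).
# Deployed systems use a published group of 2048 bits or more, such as the
# RFC 3526 MODP groups; a 23-element group is breakable by inspection.
TOY_P = 23
TOY_G = 5


def dh_public(p: int, g: int, private: int) -> int:
    """Public value to send to the peer: g^private mod p."""
    return pow(g, private, p)


def dh_shared(p: int, peer_public: int, private: int) -> int:
    """Shared secret: peer_public^private mod p (identical on both sides)."""
    return pow(peer_public, private, p)


def derive_key(shared: int, p: int) -> bytes:
    """Never use the raw shared number as a key; hash it into a fixed-size key."""
    size = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(size, "big")).digest()


def random_private(p: int) -> int:
    """Private exponent in [1, p-2], drawn from the OS CSPRNG, never random.random()."""
    return 1 + secrets.randbelow(p - 2)


def run_exchange(p: int, g: int, a=None, b=None) -> dict:
    """Run one exchange; return what each side derives and what the wire carried."""
    a = random_private(p) if a is None else a
    b = random_private(p) if b is None else b
    A = dh_public(p, g, a)  # Alice -> Bob
    B = dh_public(p, g, b)  # Bob -> Alice
    alice_secret = dh_shared(p, B, a)
    bob_secret = dh_shared(p, A, b)
    return {
        "A": A,
        "B": B,
        "alice_secret": alice_secret,
        "bob_secret": bob_secret,
        "alice_key": derive_key(alice_secret, p),
        "bob_key": derive_key(bob_secret, p),
        # Everything a passive observer of the link gets to see:
        "on_the_wire": {"p": p, "g": g, "A": A, "B": B},
    }


def brute_force_discrete_log(p: int, g: int, target: int):
    """Recover x with g^x mod p == target by trying every exponent.

    Feasible only for a toy p; the cost grows with the group size, which is
    exactly why production groups are 2048 bits or larger.
    """
    for x in range(1, p):
        if pow(g, x, p) == target:
            return x
    return None


if __name__ == "__main__":
    # Classic textbook run: a = 6, b = 15 gives A = 8, B = 19, shared secret 2.
    result = run_exchange(TOY_P, TOY_G, a=6, b=15)
    print("wire:", result["on_the_wire"])
    print("secrets match:", result["alice_secret"] == result["bob_secret"])
    # With p = 23 an eavesdropper recovers Alice's exponent immediately.
    print("recovered a:", brute_force_discrete_log(TOY_P, TOY_G, result["A"]))
```

`run_exchange` with no exponents given draws fresh private values from `secrets`, which is the behaviour to copy; the fixed exponents exist only so the numbers match a worked textbook run.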

Digital Subscriber Line (DSL)

DSL uses the existing phone wires connected to virtually every home in most countries. The twisted-pair wires that provide phone service are ideal, because the available frequency ranges on the wires far exceed those required to carry a voice conversation. Human speech occupies frequencies of roughly 4000 hertz (4 kHz) or less. The copper wires that provide phone service can carry in the range of 1 to 2 million hertz (1 to 2 MHz). DSL provides more downstream data (from the Internet to you)...

Distance Vector Versus Link State

The two main classes of routing are distance vector routing and link-state routing. With distance vector routing, also called routing by rumor, routers share their routing table information with each other. Each router provides and receives updates from its direct neighbor. In the figure, Router B shares information with Routers A and C. Router C shares routing information with Routers B and D. A distance vector describes the direction (port) and the distance (number of hops or other metric) to...

Distributed Office Challenges

The norm today for most companies is to have one or a few large headquarters sites, several fairly large regional offices, and a significant number of branch offices. The number of branch offices often depends on the business model or industry segment the company is in. For example, a retail store chain may have two headquarters locations (often one is for geographic redundancy in case of a catastrophic event) and several hundred or thousand stores (which are essentially branch offices)....

Distributed Workforce

Increasingly, companies are taking advantage of distributed workforces, with nearly half or even the majority of employees working at locations other than a headquarters site. With such a significant number of the company's resources located remotely, network designs needed to change. It is no longer acceptable to provide minimal services to branch offices. They must have the same level of services as a headquarters site. After all, why have half your workforce be much less productive than...

Distribution: n-Tier Model

As the importance and size of server farms have increased, the limitations of a traditional client/server model of data storage and retrieval have become more evident. The n-tier model separates the server farm functions into distinct tiers, which improves both efficiency and ease of management. The model typically has three tiers. The first tier typically runs the user-facing applications, the second tier maps user requests to the data, and the third tier is where the data is actually stored....

Doc

Dispersion and nonlinearities can erode signal clarity. This is a function of distance and speed. Chromatic dispersion causes a spreading of the signal over distance. This can cause signals to interfere with each other. The silica (glass) core carries the signal. Polarization or mode dispersion is another phenomenon. At 10-Gb rates and higher, signals tend to broaden as they travel down the fiber, causing intersignal interference. Multiplexing is the process of combining multiple signals over a...

Domain Names and Relationship to IP Addresses

Because IP addresses are difficult to remember in their dotted-decimal notation, a naming convention called domain names was established that's more natural for people to use. Domain names such as www.cisco.com are registered and associated with a particular public IP address. The Domain Name System (DNS) maps a readable name to an IP address. For example, when you enter http://www.cisco.com into a browser, the PC uses the DNS protocol to contact a DNS name server. The name server translates the...

DR Planning

After outlining possible threats, the DR team ranks the services and systems according to three categories: mission-critical, important, and not so important. The ranking determines the depth of planning, funding, and resiliency. A DR team takes the following steps: STEP 1 Form a planning group. STEP 2 Perform risk assessments and audits. STEP 3 Establish priorities for the network and applications. STEP 4 Develop recovery strategies. STEP 5 Prepare an up-to-date inventory and documentation of...

DRE

Data Redundancy Elimination (DRE) compresses traffic that traverses the WAN, minimizing the WAN bandwidth required to provide high-performance applications to branch office employees. DRE works by caching frequently transmitted data segments and transmitting a label representing the information (a much smaller piece of information to transmit than the original information). At the destination, Cisco WAAS reverses the DRE encoding process using the DRE cache, restoring the data payloads to their...

Dynamic Multipoint VPNs (DMVPN)

Site-to-site VPNs that use IPsec for encryption typically were set up in advance and in a point-to-point topology. Each tunnel must be configured between a branch office and a headquarters site. A WAN headend aggregating many thousands of branch office connections could literally have tens of thousands of configuration commands required to deploy a WAN service. DMVPNs simplify the deployment. There are two types of DMVPN topologies: Hub-and-spoke: DMVPN connects many branch offices (spokes) to a...

E

EAP (Extensible Authentication Protocol), 188, 326 EGP (Exterior Gateway Protocols), 58 EIGRP (Enhanced Interior Gateway Routing Protocol), 55 addresses, 27 clients, 27 domain names, 27 receiving, 28 recipients, 27 sending, 28 web-based, 27 encapsulation, 9, 78 encryption export laws, 100 importance, 100 keys, 101 layers, 102 packets, 205 problems, 100 standards, 100 VPNs, 95 wireless, 326 enforcing security policies, 158-160 engineering traffic, 272 Enhanced Interior Gateway Routing Protocol...

E-Mail

E-mail is one of the most common network applications in use today. Although it might seem relatively new, e-mail was invented in the early 1970s. Back then, of course, there was no Internet as we know it today, so having e-mail was a bit like owning a car before there was a highway system. Today, e-mail is so widespread that ISPs just assume that you want an e-mail address and automatically assign you one (or even several) when you begin your service agreement. There are two basic ways to...