A

Accounting), 165, 701 absorption (RF), 567 Acceptable Use of Network documents, 667 access control (security), Self-Defending Networks, 677, 681-682 access layer (hierarchical network design), 129 example of, 133 L2 switching, 132-133 multilayer switching, 132-133 role of, 131 access-list tcp command, 833 access-list udp command, 835 access lists extended, verifying configuration, 842 standard, vty access, restricting, 839-841 Access VPN, WAN design, 333 access-list tcp command, 833 access-list...

About the Technical Reviewers

Shawn Boyd is a senior network consultant for ARP Technologies, Inc. He has worldwide experience in consulting on many different projects, such as security VoIP for Cisco Systems Israel, intrusion prevention for Top Layer Networks of Boston, and DSL infrastructure rollout for Telus Canada. Shawn is also active in course development and is a certified Cisco instructor with ARP Technologies, Inc., responsible for teaching most of the Cisco curriculum. He has coauthored IT security-related books...

Access Control

Trust and identity management is also supported by access control. Access control is the ability to enforce a policy that states which entities (such as users, servers, and applications) can access which network resources. NOTE Access control also indirectly helps ensure confidentiality and integrity of sensitive data by limiting access to the data. In contrast, authorization mechanisms limit the access of an entity to resources based on subject identity. Network access control mechanisms are...

Access Layer Functionality

This section describes the access layer functions and the interaction of the access layer with the distribution layer and local or remote users. The access layer is the concentration point at which clients access the network. Access layer devices control traffic by localizing service requests to the access media. The purpose of the access layer is to grant user access to network resources. Following are the access layer's characteristics: In the campus environment, the access layer typically...

Administrative Distance

Most routing protocols have metric structures and algorithms that are incompatible with other protocols. It is critical that a network using multiple routing protocols be able to seamlessly exchange route information and be able to select the best path across multiple protocols. Cisco routers use a value called administrative distance to select the best path when they learn of two or more routes to the same destination from different routing protocols. Administrative distance rates a routing...

Agencies and Standards Groups

Some of the agencies and standards groups related to WLANs are as follows: Institute of Electrical and Electronics Engineers (http://www.ieee.org): Creates and maintains operational standards. European Telecommunications Standards Institute (http://www.etsi.org): Chartered to produce common standards in Europe. Wi-Fi Alliance (http://www.wi-fi.com): Promotes and tests for WLAN interoperability. WLAN Association (http://www.wlana.org): Educates and raises consumer awareness about WLANs. FCC (http...

Analyzing Network Traffic and Applications

Traffic analysis is the third step in characterizing a network. Traffic analysis verifies the set of applications and protocols used in the network and determines the applications' traffic patterns. It might reveal any additional applications or protocols running on the network. Each discovered application and protocol should be described in the following terms: security-related requirements; scope (in other words, the network modules in which the application or protocol is used). Use the...

ANS Components

Figure 3-24 illustrates an example of ANS deployed in offices connected over a WAN, providing LAN-like performance to users in the branch, regional, and remote offices. ANS components are deployed symmetrically in the data center and the distant offices. The ANS components in this example are as follows: Cisco Wide Area Application Services (WAAS) software: Cisco WAAS software gives remote offices LAN-like access to centrally hosted applications, servers, storage, and multimedia. Cisco Wide Area...

ANS Examples

Table 3-1 illustrates some sample application deployment issues that many IT managers face today and how ANS resolves these issues. Table 3-1 Examples of Application Deployment Issues and Solutions: Consolidation of data centers results in remote employees having slower access to centrally managed applications. Wide-area application services in the branch office that compress, cache, and optimize content for remote users so that...

Answers to Review Questions

1. The Cisco vision for an intelligent information network includes the following: integration of networked resources and information assets that have been largely unlinked; intelligence across multiple products and infrastructure layers; active participation of the network in the delivery of services and applications. 2. Evolving to an intelligent information network consists of three phases in which functionality can be added to the infrastructure as required: Phase 1, Integrated transport: Everything...

Answers to Review Questions and Case Studies

This appendix provides internetworking expert solutions (listed by chapter) to the review questions and case study questions in each chapter. A solution is provided for each case study task based on assumptions made. There is no claim that the provided solution is the best or only solution. Your solution might be more appropriate for the assumptions you made. The provided solution enables you to understand the author's reasoning and offers a means of comparing and contrasting your solution.

Application Networking Services in a Modular Network Design

Traditional networks handled static web pages, e-mail, and routine client/server traffic. Today, enterprise networks must handle more sophisticated types of network applications that include voice and video. Examples include voice transport, videoconferencing, online training, and audio and video broadcasts. Applications place increasing demands on IT infrastructures as they evolve into highly visible services that represent the face of the business to internal and external audiences. The large...

Application Requirements of WAN Design

Just as application requirements drive the Enterprise Campus design (as illustrated in Chapter 4, Designing Basic Campus and Data Center Networks), they also affect the Enterprise Edge WAN design. Application availability is a key user requirement; the chief components of application availability are response time, throughput, packet loss, and reliability. Table 5-2 analyzes these components, which are discussed in the following sections. Table 5-2 Application Requirements on the WAN...

Applying a Methodology to Network Design

This chapter begins with an introduction to the Cisco vision of intelligent networks and the Service Oriented Network Architecture (SONA) architectural framework. The lifecycle of a network and a network design methodology based on the lifecycle are presented. Each phase of the network design process is explored in detail, starting with how to identify customer requirements, including organizational and technical goals and constraints. Because many customers build on an existing network and at...

B

Backbone areas, OSPF, 452 backbone layer (hierarchical network design), 129 BackboneFast (Cisco STP toolkit), 133, 250 backup links, 176 backups, WAN dial backup routing, 338 Internet, 341-343 permanent secondary links, 338-339 shadow PVC, 340 domains, 14 EIGRP usage, 449 integrated IS-IS usage, 455 OSPF usage, 452 voice networks requirements for, 534-535 VAD, 534 voice traffic engineering requirements, 546 trunk capacity calculation, 552 WAN design, 320-321 congestion avoidance, 329-330 data...

Ii

Dynamic IP address assignment is used for assigning IP addresses to end-user devices, including workstations, Cisco IP phones, and mobile devices. DHCP is used to provide dynamic IP address allocation to hosts. DHCP uses a client/server model; the DHCP server can be a Windows server, a UNIX-based server, or a Cisco IOS device. Cisco IOS devices can also be DHCP relay agents and DHCP clients. Figure 6-15 shows the steps that occur when a DHCP client requests an IP address from a DHCP server. Step...

BGP Implementation Example

In Figure 7-12, BGP is used to interconnect multiple autonomous systems. Because of the multiple connections between autonomous systems and the need for path manipulation, the use of static routing is excluded. AS 65000 is multihomed to three ISPs: AS 65500, AS 65250, and AS 64600. Figure 7-12 BGP Is Used to Interconnect Autonomous Systems. NOTE The AS designator is a 16-bit number with a range of 1 to 65535. RFC 1930, Guidelines for...

Border Gateway Protocol

BGP is an EGP that is primarily used to interconnect autonomous systems. BGP is a successor to EGP, the Exterior Gateway Protocol (note the dual use of the EGP acronym). Because EGP is obsolete, BGP is currently the only EGP in use. BGP-4 is the latest version of BGP. It is defined in RFC 4271, A Border Gateway Protocol (BGP-4). As noted in this RFC, the classic definition of an AS is a set of routers under a single technical administration, using an Interior Gateway Protocol (IGP) and common...

Building a Prototype or Pilot Network

It is often desirable to verify a design before implementation. A design can be tested in an existing, or live, network (this is called a pilot) or, preferably, in a prototype network that does not affect the existing network. A successful design implementation in either a pilot or prototype network can be used as a proof of concept in preparation for full implementation and can be used as input to the implementation steps. A pilot network tests and verifies the design before the network is...

C

CA (Certification Authorities), IKE digital dark fiber, 314-315 Enterprise Campus networks, 230 comparison table, 233-234 copper cabling, 231 example of, 234-235 multimode fiber cabling, 232 optical fiber cabling, 232 single-mode fiber cabling, 232 wireless cabling, 232 modems, 308 WAN CATV transmissions, 309 data flows, 309 uBR, 308 CAC (Call Admission Control), voice networks location-based CAC, 541-542 RSVP with, 543 calculating subnet masks, 816-819 call agents (MGCP), 521 call centers, 487...

Calculating a Subnet Mask

When contiguous 1s are added to the default mask, making the all-1s field in the mask longer, the definition of the network part of an IP address is extended to include subnets. Adding bits to the network part of an address decreases the number of bits in the host part. Thus, creating additional networks (subnets) is done at the expense of the number of host devices that can occupy each network segment. The number of subnetworks created is calculated by the formula 2^s, where s is the number of...

Calculating the Networks for a Subnet Mask

After you identify your subnet mask, you must calculate the ten subnetted network addresses to use with 172.16.0.0 255.255.240.0. One way to do this is as follows: Step 1 Write the subnetted address in binary format, as shown at the top of Figure B-7. If necessary, use the decimal-to-binary conversion chart provided in Table B-1. Figure B-7 Calculating the Subnets Shown in Figure B-6 in Binary: 10101100.00010000.00000000.00000000. Step 2 On the binary address, draw a line...

Calculating Trunk Capacity or Bandwidth

The trunk capacity for voice calls can be calculated by the following formula: Trunk capacity = (number of simultaneous calls to be supported) * (bandwidth required per call). The first component of this formula, the number of simultaneous calls to be supported, is the number of circuits required for the known amount of traffic, as calculated from the Erlang tables. NOTE If 100 percent of calls must go through, Erlang tables are not required; instead, the maximum number of simultaneous calls...

Case Studies and Review Questions

Starting in Chapter 2, each chapter concludes with a case study on Acme County Medical Center (ACMC) Hospital, a fictitious small county hospital in the United States, to help you evaluate your understanding of the concepts presented. In each task of the case study, you act as a network design consultant and make creative proposals to accomplish the customer's business needs. The final goal of each case study is a paper solution. Also starting in Chapter 2, each chapter also includes review...

Case Study 101 ACMC Hospital Network Security Design

This case study is a continuation of the ACMC Hospital case study introduced in Chapter 2, Applying a Methodology to Network Design. Use the scenarios, information, and parameters provided at each task of the ongoing case study. If you encounter ambiguities, make reasonable assumptions and proceed. For all tasks, use the initial customer scenario and build on the solutions provided thus far. You can use any and all documentation, books, white papers, and so on. In each step, you act as a...

Case Study 102 ACMC Hospital Network Connecting More Hospitals

This case study is a continuation of ACMC Hospital Case Study 10-1. Use the scenarios, information, and parameters provided at each task of the ongoing case study. If you encounter ambiguities, make reasonable assumptions and proceed. For all tasks, use the initial customer scenario and build on the solutions provided thus far. You can use any and all documentation, books, white papers, and so on. In each step, you act as a network design consultant. Make creative proposals to accomplish the...

Case Study ACMC Hospital Network Campus Design

This case study is a continuation of the ACMC Hospital case study introduced in Chapter 2. Use the scenarios, information, and parameters provided at each task of the ongoing case study. If you encounter ambiguities, make reasonable assumptions and proceed. For all tasks, use the initial customer scenario and build on the solutions provided thus far. You can use any and all documentation, books, white papers, and so on. In each step, you act as a network design consultant. Make creative...

Case Study ACMC Hospital Network Upgrade

This case study analyzes the network infrastructure of Acme County Medical Center (ACMC) Hospital, a fictitious small county hospital in the United States. This same case study is used throughout the remainder of the book so that you can continue to evaluate your understanding of the concepts presented. Use the scenarios, information, and parameters provided at each task of the ongoing case study. If you encounter ambiguities, make reasonable assumptions and proceed. For all tasks, use the...

Case Study Additional Information

Figure 5-30 shows the existing WAN links and the planned campus infrastructure. Figure 5-30 Case Study ACMC Hospital WAN Links and Planned Campus Infrastructure. The ACMC Hospital CIO realizes that WAN performance to the remote clinics is poor and that some new applications will require more bandwidth. These applications include programs that allow doctors at the central site to access medical images, such as...

Case Study Answers

The following are some of the infrastructure aspects that should be considered: Switches and power supplies that support PoE should be recommended. The available building wiring closet power, cooling, and space need to be reviewed. QoS mechanisms should be considered, including in the Campus switches and on the WANs. CAC might be required for calls from the clinics to the main campus. cRTP and LFI can also be considered. The current cabling infrastructure and configuration need to be reviewed,...

Case Study Questions

Step 2 Document any information that you think is missing from the case study scenario and that you consider necessary for the design. Before beginning the design, you will need this information. Assume that you have talked to the customer about the missing information, and document any assumptions you make. You don't need to assume that all the missing information is provided by the customer; some might never be available. However, you do need to assume...

Catalyst Services Modules

The following are various security-related modules for the Cisco Catalyst 6500 Series switching platform (and some are also for the Cisco 7600 Series routers): Cisco Catalyst 6500 Series FWSM: The Cisco FWSM is a high-speed, integrated firewall module for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers. Up to four Cisco FWSMs can be installed in a single chassis, providing scalability up to 20 Gbps per chassis. The Cisco FWSM includes many advanced features, such as multiple...

CDP

CDP is a Cisco-proprietary protocol that operates between Cisco devices at the data link layer. CDP information is sent only between directly connected Cisco devices; a Cisco device never forwards a CDP frame. CDP enables systems that support different network layer protocols to communicate and enables other Cisco devices on the network to be discovered. CDP provides a summary of directly connected switches, routers, and other Cisco devices. CDP is a media- and protocol-independent protocol that...

CDP Information

Information in CDP frames includes the following: Device ID: The name of the neighbor device and either the MAC address or the serial number of the device. Local Interface: The local (on this device) interface connected to the discovered neighbor. Holdtime: The remaining amount of time (in seconds) that the local device holds the CDP advertisement from a sending device before discarding it. Capability List: The type of device discovered (R = Router, T = Trans Bridge, B = Source Route Bridge, S = Switch, H...

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at...

Centralized WLAN Components

As illustrated in Figure 3-23, the four main components in a centralized WLAN deployment are as follows: End-user devices: A PC or other end-user device in the access layer uses a wireless NIC to connect to an access point (AP) using radio waves. Wireless APs: APs, typically in the access layer, are shared devices that function similar to a hub. Cisco APs can be either lightweight or autonomous. Lightweight APs are used in centralized WLAN deployments. A lightweight AP receives control and...

Characteristics of the OSI Layers

The OSI reference model's seven layers can be divided into two categories: upper layers and lower layers. The upper layers contend with application issues and are generally only implemented in software. The highest layer, the application layer, is closest to the end user. Both users and application layer processes interact with software applications that contain a communications component. The term upper layer is sometimes used to refer to any layer above another layer in the OSI model....

Cisco MIB

The Cisco private MIB definitions are under the Cisco MIB subtree (1.3.6.1.4.1.9). Cisco MIB definitions supported on Cisco devices are available at http://www.cisco.com/public/mibs. The Cisco private MIB subtree contains three subtrees: Local (2), Temporary (3), and CiscoMgmt (9). The Local (2) subtree contains MIB objects defined before Cisco IOS software release 10.2; these MIB objects are implemented in the SNMPv1 Structure of Management Information (SMI). The SMI defines the structure of...

Cisco PIX Security Appliances

The Cisco PIX 500 Series security appliances deliver rich application and protocol inspection, robust user and application policy enforcement, multivector attack protection, and secure connectivity services in cost-effective, easy-to-deploy solutions. Ranging from the compact, plug-and-play desktop Cisco PIX 501 security appliance for SOHOs to the modular gigabit Cisco PIX 535 security appliance with superior investment protection for enterprise and service-provider environments, Cisco PIX 500...

Cisco Security Management Technologies

The Cisco Security Management Suite is a framework of products and technologies designed for scalable policy administration and enforcement for the Cisco Self-Defending Network. This integrated solution can simplify and automate the tasks associated with security management operations, including configuration, monitoring, analysis, and response. The key components of this suite include the following: Cisco Security Manager: Cisco Security Manager is a powerful but easy-to-use solution for...

Cisco Self-Defending Network Phases

As shown in Figure 10-8, the Cisco Self-Defending Network contains three characteristic phases that together provide continuous, intelligent, future-proofed security, from the network through to the application layer: Integrated security: Security defense technologies are incorporated across all network elements, including routing, switching, wireless, and security platforms so that every point in the network can defend itself. These security features include firewalls, VPNs, and trust and...

Cisco UWN Review

Figure 9-22 reviews the key concepts of the Cisco UWN design. 614 Chapter 9 Wireless Network Design Considerations Figure 9-22 Cisco UWN Third-Party Integrated Applications E911, Asset Tracking, ERP Workflow Automation. Cisco client devices or Cisco Compatible client devices are at the foundation of the UWN, connected to Cisco lightweight...

Clearing NAT Translation Entries

To clear a dynamic translation entry, use the commands shown in Table D-3. Table D-3 Commands to Clear NAT Translation Entries: (first row) Clears all dynamic translation entries. clear ip nat translation inside global-ip local-ip outside local-ip global-ip: Clears a simple dynamic translation entry that contains an inside translation or both an inside and outside translation. clear ip nat translation outside local-ip global-ip: Clears a simple dynamic translation entry that contains an outside translation....

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows: Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command). Italics indicate arguments for which you supply actual values. Vertical bars...

Comparison of Routing Protocol Convergence

As shown in Figure 7-8, different routing protocols need different amounts of time to converge in a given network. Although the convergence depends on the network's topology and structure, pure distance vector protocols are slower to converge than link-state protocols. The use of periodic updates and the hold-down mechanism are the main reasons for slow convergence. As a result, the fast-converging protocols should be used when the network's convergence time is crucial. Figure 7-8 Routing...

Configuring Inside Global Address Overloading or PAT

The following procedure configures inside global address overloading: Step 1 At a minimum, IP routing and appropriate IP addresses must be configured on the router. Step 2 Configure dynamic address translation, as described in the Configuring NAT for Basic Local IP Address Translation section earlier in this appendix. When you define the mapping between the access list and the IP NAT pool, add the overload keyword to the command: Router(config)# ip nat inside source list access-list-number pool...

Configuring NAT for Basic Local IP Address Translation

The following procedure enables basic local IP address translation: Step 1 At a minimum, IP routing and appropriate IP addresses must be configured on the router. Step 2 To perform static address translations for inside local addresses, define the addresses using the following command: Router(config)# ip nat inside source static local-ip global-ip. Step 3 To perform dynamic translations, do the following: a. Configure a standard IP access list to identify the inside network addresses that will be...

Contents

Chapter 1 Network Fundamentals Review 3 Introduction to Networks 3 Protocols and the OSI Model 4 The OSI Model 5 Protocols 6 The OSI Layers 6 Physical Layer Layer 1 7 Data Link Layer Layer 2 7 Network Layer Layer 3 7 Transport Layer Layer 4 8 Upper Layers Layers 5 Through 7 9 Communication Among OSI Layers 9 LANs and WANs 11 Network Devices 13 Terminology Domains, Bandwidth, Unicast, Broadcast, and Multicast 13 Hubs 14 Switches 14 Routers 16 Introduction to the TCP IP Suite 17 TCP IP Transport...

Contents at a Glance

Chapter 1 Network Fundamentals Review 3 Chapter 2 Applying a Methodology to Network Design 57 Chapter 3 Structuring and Modularizing the Network 129 Chapter 4 Designing Basic Campus and Data Center Networks 221 Chapter 5 Designing Remote Connectivity 293 Chapter 6 Designing IP Addressing in the Network 377 Chapter 7 Selecting Routing Protocols for the Network 429 Chapter 8 Voice Network Design Considerations 479 Chapter 9 Wireless Network Design Considerations 565 Chapter 10 Evaluating Security...

Corporate and Government Sales

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact U.S. Corporate and Government Sales, 1-800-382-3419. For sales outside the United States, please contact

Creating a Draft Design Document

After thoroughly examining the existing network, the designer creates a draft design document. Figure 2-17 illustrates a draft design document's index (not yet fully developed), including the section that describes the existing network. The Design Requirements and Existing Network Infrastructure chapters of the design document are closely related; examining the existing network can result in changes to the design requirements. Data from both chapters directly influences the network's design....

D

DAI (Dynamic Address Inspection), DoS attacks, 659 dark fiber (cable), 314-315 data availability, 655 Data Center Access layer (Enterprise Data Center networks), 274 Data Center Aggregation layer (Enterprise Data Center networks), 274-275 Data Center Core layer (Enterprise Data Center networks), 275 Data Center modules (Enterprise Architecture), 144, 158 Data Center networks, 268 architecture framework, 269-271 cooling, 276 Data Center Access layer, 274 Data Center Aggregation layer, 274-275...

Data units

A frame is an information unit whose source and destination are data link layer entities. A frame is composed of the data link layer header (and possibly a trailer) and upper-layer data. The header and trailer contain control information that is intended for the destination system's data link layer entity. The data link layer header and trailer encapsulate data from upper-layer entities. Figure C-8 illustrates the basic components of a data link layer frame. Figure C-8 Data from Upper-Layer...

Deploying Security in the Enterprise Campus

Consider an organization that has experienced several incidents in which laptop users on the campus network have brought in viruses from home, some users have attempted to intercept network traffic, and some interns have tried to hack the network infrastructure. To manage the risks, the organization implements identity and access control solutions, threat detection and mitigation solutions, infrastructure protection, and security management. Figure 10-21 illustrates where various security...

Design Considerations for Guest Services in Wireless Networks

Providing wireless guest services with traditional autonomous APs poses significant challenges. To maintain internal corporate network security, guest traffic must be restricted to the appropriate subnet and VLAN; these guest VLANs must extend throughout the infrastructure to reach every location where guest access is required. Reconfiguring the access switches that serve conference rooms, offices, and cubicles to selectively adjust VLANs for guest access can involve many network staff hours....

Designing an Enterprise Campus

The Enterprise Campus network is the foundation for enabling business applications, enhancing productivity, and providing a multitude of services to end users. The following three characteristics should be considered when designing the campus network: Network application characteristics: The organizational requirements, services, and applications place stringent requirements on a campus network solution, for example, in terms of bandwidth and delay. Environmental characteristics: The network's...

Designing for Cisco Internetwork Solutions (DESGN) Second Edition

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review. Printed in the United States of America First Printing October 2007 Library of Congress Cataloging-in-Publication Data Teare, Diane. Designing...

Designing High Availability into a Network

Redundant network designs duplicate network links and devices, eliminating single points of failure on the network. The goal is to duplicate components whose failure could disable critical applications. Because redundancy is expensive to deploy and maintain, redundant topologies should be implemented with care. Redundancy adds complexity to the network topology and to network addressing and routing. The level of redundancy should meet the organization's availability and affordability...

Designing Link Redundancy

It is often necessary to provision redundant media in locations where mission-critical application traffic travels. In Layer 2-switched networks, redundant links are permitted as long as STP is running. STP guarantees one, and only one, active path within a broadcast domain, avoiding problems such as broadcast storms (when a broadcast continuously loops). The redundant path automatically activates when the active path goes down. Because WAN links are often critical pieces of the internetwork,...

Designing Remote Connectivity

This chapter discusses the WAN function that provides access to remote sites and the outside world. It details WAN technologies and WAN design considerations. The chapter explores how these technologies are used, including for remote access, with virtual private networks (VPN), for backup, and how the Internet is used as a backup WAN. This chapter describes the Enterprise WAN and metropolitan-area network (MAN) architecture, and the Enterprise Branch and Teleworker architectures. The selection...

Determining an IP Address Class

To accommodate large and small networks, the 32-bit IP addresses are segregated into Classes A through E. The first few bits of the first octet determine the class of an address; this then determines how many network bits and host bits are in the address. Figure B-4 illustrates the bits for Class A, B, and C addresses. Each address class allows for a certain number of network addresses and a certain number of host addresses within a network. Table B-2 shows the address format, the address range,...

Differences Between IPv4 and IPv6

Regardless of which protocol is used, the communication between IPv4 and IPv6 domains must be transparent to end users. The major differences to consider between IPv4 and IPv6 include the following: IPv4 addresses are 32 bits long, whereas IPv6 addresses are 128 bits long. An IPv6 packet header is different from an IPv4 packet header; the IPv6 header is longer and simpler (new fields were added to the IPv6 header, and some old fields were removed). IPv6 has no concept of broadcast addresses...

Distance Vector Example

A distance vector router's understanding of the network is based on its neighbor's perspective of the topology; consequently, the distance vector approach is sometimes referred to as routing by rumor. Routers running traditional distance vector protocols periodically send their complete routing tables to all connected neighbors. Convergence might be slow because triggered updates are not typically used (RIPv2 is an exception) and loop detection timers are long. In large networks, running a...

Distance Vector Versus Link State Versus Hybrid Protocols

There are two main types of routing protocols. Distance vector protocol: In a distance vector protocol, routing decisions are made on a hop-by-hop basis. Each router relies on its neighbor routers to make the correct routing decisions. The router passes only the results of this decision (its routing table) to its neighbors. Distance vector protocols are typically slower to converge and do not scale well; however, they are easy to implement and maintain. Examples of distance vector protocols...

Documenting the Design

A design document lists the design requirements, documents the existing network and the network design, identifies the proof-of-concept strategy and results, and details the implementation plan. The final design document structure should be similar to the one in Figure 2-26, which includes the following. Introduction: Every design document should include an introduction to present the main reasons leading to the network design or redesign. Design requirements: Also a mandatory part of any design document, this...

Documenting the Security Policy

Figure 10-5 illustrates a sample security policy and how it can be divided into multiple documents that are applicable to the network segments. Figure 10-5 Network Security Policy Documents (figure labels: Corporate Information Security Policy; Identify Areas of Protection; Define Responsibilities). A general document describes the overall risk-management policy, identifies the corporation's assets, and identifies where protection must be applied. It also documents how risk management responsibility is distributed...

Domains of Trust

To segment a network into parts, based on similar policy and concerns, domains of trust are established. The required system security in a network can vary in terms of importance to the business and the likelihood of being attacked. Consistent security controls should be applied within a segment, and trust relationships should be defined between segments. Segments can have different trust models, depending on the security needed. Figure 10-10 illustrates two domains of trust examples. Case 1...

Dual Stack Transition Mechanism

As shown in Figure 6-24, a dual-stack node enables both IPv4 and IPv6 stacks. Applications communicate with both IPv4 and IPv6 stacks; the IP version choice is based on name lookup and application preference. This is the most appropriate method for campus and access networks during the transition period, and it is the preferred technique for transitioning to IPv6. A dual-stack approach supports the maximum number of applications. Operating systems that support the IPv6 stack include FreeBSD,...

Dynamic IPv6 Address Assignment

IPv6 dynamic address assignment strategies allow dynamic assignment of IPv6 addresses, as follows. Link-local address: The host configures its own link-local address autonomously, using the link-local prefix FE80::/10 and a 64-bit identifier for the interface, in an EUI-64 format. Stateless autoconfiguration: A router on the link advertises, either periodically or at the host's request, network information, such as the 64-bit prefix of the local network and its willingness to function as a default router...

Dynamic Routing

Dynamic routing allows the network to adjust to changes in the topology automatically, without administrator involvement. A static route cannot dynamically respond to changes in the network. If a link fails, the static route is no longer valid if it is configured to use that failed link, so a new static route must be configured. If a new router or new link is added, that information must also be configured on every router in the network. In a very large or unstable network, these changes can...

E

E&M (Ear & Mouth) signaling, analog signaling, 491 EAP-FAST (EAP-Flexible Authentication via Secure Tunneling), UWN, 587 EAP-TLS (EAP-Transport Layer Security), UWN, 587 EAP-TTLS (EAP-Tunneled Transport Layer Security), UWN, 587 EBGP (External Border Gateway Protocol), 460 echo cancellers, 528-529 echo trails, 529 hybrid transformers, 528 inverse speech, 529 irritation zones, 529 telephones, 528 voice networks, 527-528 ECN (Explicit Congestion Notification), 329-330 Architecture), 152...

Effl

[Table fragment: Stairwells (Reinforced Building Area)] KEY POINT In general, an AP can support approximately seven to eight wireless phones or about 20 data-only devices. The facility should be visually inspected to identify potential issues, such as metal racks, elevator shafts, stairwells, and microwave equipment. The next step in the RF site survey process is to identify preliminary AP locations based on the planned coverage area and user density. This step can be supported with several tools. For example,...

EIGRP Characteristics

The characteristics that make EIGRP suitable for deployment in enterprise networks include the following. Fast convergence: One advantage of EIGRP is its fast-converging DUAL route calculation mechanism. This mechanism allows backup routes (the feasible successors) to be kept in the topology table for use if the primary route fails. Because this process occurs locally on the router, the switchover to a backup route (if one exists) is immediate and does not involve action in any other routers. Improved...

EIGRP Terminology

Some EIGRP-related terms include the following. Neighbor table: EIGRP routers use hello packets to discover neighbors. When a router discovers and forms an adjacency with a new neighbor, it includes the neighbor's address and the interface through which it can be reached in an entry in the neighbor table. This table is comparable to OSPF's neighbor table (adjacency database); it serves the same purpose, which is to ensure bidirectional communication between each of the directly connected...

Encryption Fundamentals

Cryptography provides confidentiality through encryption, which is the process of disguising a message to hide its original content. With encryption, plain text (the readable message) is converted into ciphertext (the unreadable, disguised message); decryption at the destination reverses this process. Figure 10-18 illustrates this process. Figure 10-18 Encryption Protects Data Confidentiality. The purpose of encryption is to guarantee confidentiality: only authorized entities can encrypt and...

Encryption Keys

For encryption and decryption to work, devices need keys. The sender needs a key to lock (encrypt) the message, and the receiver needs a key to unlock (decrypt) the message. Two secure ways to ensure that the receiving device has the correct key are the use of shared secrets and the Public Key Infrastructure (PKI). With shared secrets, both sides know the same key. The encryption key can either be identical to the decryption key or just need a simple transformation to create the decryption key....

Endpoint Security Solutions

Cisco also has security solutions for endpoint security: the Cisco Security Agent and the Management Center for Cisco Security Agents. The Cisco Security Agent software integrates endpoint server and desktop computers into the Cisco Self-Defending Network. The Cisco Security Agent provides the following services for endpoints: spyware and adware protection, protection against buffer overflows, distributed firewall capabilities, malicious mobile code protection, operating system integrity assurance...

Enterprise Branch Architecture

Recall that the Cisco Enterprise Architecture, based on the Cisco SONA, includes branch modules that focus on the remote places in the network. Enterprises are seeking opportunities to protect, optimize, and grow their businesses by increasing security, consolidating voice, video, and data onto a single IP network, and investing in applications that will improve productivity and operating efficiencies. These services provide enterprises with new opportunities to reduce costs, improve...

Enterprise Campus Design

As discussed in Chapter 3, the Enterprise Campus functional area is divided into the following modules. Campus Infrastructure: This module includes three layers, among them the Building Distribution layer. Edge Distribution (optional). This section discusses the design of each of the layers and modules within the Enterprise Campus and identifies best practices related to the design of each.

Enterprise Campus Requirements

As shown in Table 4-3, each Enterprise Campus module has different requirements. For example, this table illustrates how modules located closer to the users require a higher degree of scalability so that the Campus network can be expanded in the future without redesigning the complete network. For example, adding new workstations to a network should result in neither high investment cost nor performance degradations. Table 4-3 Enterprise Campus Design Requirements...

Enterprise Data Center Module

The Enterprise Data Center module has an architecture that is similar to the campus Server Farm module discussed earlier. The Enterprise Data Center network architecture allows the network to evolve into a platform that enhances the application, server, and storage solutions and equips organizations to manage increased security, cost, and regulatory requirements while providing the ability to respond quickly to changing business environments. The Enterprise Data Center module may include the...

Enterprise Edge WAN and MAN Considerations

When selecting Enterprise Edge technologies, consider the following factors. Support for network growth: Enterprises that anticipate significant growth should choose a technology that allows the network to grow with their business. WAN technologies with high support for network growth make it possible to add new branches or remote offices with minimal configuration at existing sites, thus minimizing the costs and IT staff requirements for such changes. WAN technologies with lower support for...

Enterprise Teleworker Module

The Enterprise Teleworker module provides people in geographically dispersed locations, such as home offices or hotels, with highly secure access to central-site applications and network services. The Enterprise Teleworker module supports a small office with one to several employees or the home office of a telecommuter. Telecommuters might also be mobile users, people who need access while traveling or who do not work at a fixed company site. Depending on the amount of use and the WAN services...

Evaluating Security Solutions for the Network

Network security is one of the essential network services; it spans the entire network, and it must be addressed within each modular block. Modularity ensures that the network designer can focus on a security problem within a particular network module and integrate a particular solution into a global security solution. A modular approach simplifies the design and ensures that a security breach in one of the network modules remains isolated so that it does not affect the entire network. This...

Evaluating the Cost Effectiveness of WAN Ownership

In the WAN environment, the following usually represent fixed costs: equipment purchases (such as modems, channel service unit/data service units, and router interfaces), circuit and service provisioning, and network-management tools and platforms. Recurring costs include the monthly circuit fees from the SP and the WAN's support and maintenance, including any network management center personnel. From an ownership perspective, WAN links can be thought of in the following three categories. Private: A...

Evaluating the Existing Data Infrastructure for Voice Design

When designing IP telephony, designers must document and evaluate the existing data infrastructure in each enterprise module to help determine upgrade requirements. Items to consider include the following. Performance: Enhanced infrastructure for additional bandwidth, consistent performance, or higher availability, if required, might be necessary for the converging environment. Performance evaluation includes analyzing network maps, device inventory information, and network baseline information....

Evolution of Enterprise Networks

You do not have to go far back in history to find a time when networks were primarily used for file and print services. These networks were isolated LANs that were built throughout the enterprise organization. As organizations interconnected, these isolated LANs and their functions grew from file and print services to include critical applications; the critical nature and complexity of the enterprise networks also grew. As discussed in the previous section, Cisco introduced the hierarchical...

Extending an IP Classful Address Using Subnet Masks

RFC 950, Internet Standard Subnetting Procedure, was written to address the IP address shortage. It proposed a procedure, called subnet masking, for dividing Class A, B, and C addresses into smaller pieces, thereby increasing the number of possible networks. A subnet mask is a 32-bit value that identifies which address bits represent network bits and which represent host bits. In other words, the router does not determine the network portion of the address by looking at the value of the first...

External Threats

When designing security in an enterprise network, the Enterprise Edge is the first line of defense at which potential outside attacks can be stopped. The Enterprise Edge is like a wall with small doors and strong guards that efficiently control any access. The following four attack methods are commonly used in attempts to compromise the integrity of the enterprise network from the outside. IP spoofing: An IP spoofing attack occurs when a hacker uses a trusted computer to launch an attack from...

Firewall Filtering Using ACLs

Figure 10-13 illustrates the use of a network firewall to control (or filter) access; this is a common network authorization implementation. An enterprise network is usually divided into separate security domains (also called perimeters or zones), such as the untrusted Internet zone, the trusted Enterprise Campus zone, public and semipublic server zones, and so forth, to allow a network firewall to control all traffic that passes between the perimeters. Because all traffic must pass through the...

Flat Routing Protocols

Flat routing protocols have no means of limiting route propagation in a major network (within a Class A, B, or C network) environment. These protocols are typically classful distance vector protocols. Recall from Chapter 6 that classful means that routing updates do not include subnet masks and that the protocol performs automatic route summarization on major network (class) boundaries. Summarization cannot be done within a major network. These protocols support only fixed-length subnet masking...

Foreword

Cisco Certification Self-Study Guides are excellent self-study resources for networking professionals to maintain and increase internetworking skills and to prepare for Cisco Career Certification exams. Cisco Career Certifications are recognized worldwide and provide valuable, measurable rewards to networking professionals and their employers. Cisco Press exam certification guides and preparation materials offer exceptional and flexible access to the knowledge and information required to stay...

Frame Relay/ATM Module

The Frame Relay/ATM module covers all WAN technologies for permanent connectivity with remote locations. Traditional Frame Relay and ATM are still used; however, despite the module's name, it also represents many modern technologies. The technologies in this module include the following. Frame Relay is a connection-oriented, packet-switching technology designed to efficiently transmit data traffic at data rates of up to those used by E3 and T3 connections. Its capability to connect multiple...

Global Aggregatable Unicast Addresses

IPv6 global aggregatable unicast addresses are equivalent to IPv4 unicast addresses. The structure of global aggregatable unicast addresses enables summarization (aggregation) of routing prefixes so that the number of routing table entries in the global routing table can be reduced. Global unicast addresses used on links are aggregated upward, through organizations, and then to intermediate-level ISPs, and eventually to top-level ISPs. A global unicast address typically consists of a 48-bit...

Gradient of Trust

The gradient of trust determines the trust level between domains, which can be minor to extreme, and determines the extent of security safeguards and attention to monitoring required. The trust relationship between segments should be controlled at defined points, using some form of network firewall or access control, as illustrated in the examples in Figure 10-11. Mastering domains of trust is a key component of good network security design. Figure 10-11 Domains and Gradients of Trust Private...

Guidelines for Creating an Enterprise Network

When creating an Enterprise network, divide the network into appropriate areas: the Enterprise Campus includes all devices and connections within the main Campus location; the Enterprise Edge covers all communications with remote locations and the Internet from the perspective of the Enterprise Campus; and the remote modules include the remote branches, teleworkers, and the remote data center. Define clear boundaries between each of the areas. NOTE Depending on the network, an enterprise...

H

Examples of, 507 gatekeepers, 505-506 gateways, 504 MCU, 506 terminals, 504 IPv6 packet headers, 406-407 TCP headers (TCP IP protocol suite, transport layer), 20 UDP headers (TCP IP protocol suite, transport layer), 20 health checklists (networks), network design methodologies, 102-103 HID (Human Interface Device), 164 hierarchical network design access layer, 129 example of, 133 L2 switching, 132-133 multilayer switching, 132-133 role of, 131 backbone layer. See core layer core layer, 129,...

H.323

H.323 is an ITU-T standard for packet-based audio, video, and data communications across IP-based networks. The ITU-T H.323 standard is a foundation for audio, video, and data communications across IP-based networks, including the Internet. By complying with the H.323 standard, multimedia products and applications from multiple vendors can interoperate, thereby allowing users to communicate without concern for compatibility. The H.323 standard is broad in scope and includes standalone devices...

Hierarchical Network Model

The hierarchical network model provides a framework that network designers can use to help ensure that the network is flexible and easy to implement and troubleshoot. As shown in Figure 3-1, the hierarchical network design model consists of three layers. The access layer provides local and remote workgroup or user access to the network. The distribution layer provides policy-based connectivity. The core (or backbone) layer provides high-speed transport to satisfy the connectivity and transport...

Hierarchical Routing in the WAN

Figure 3-7 shows an example of hierarchical routing in the WAN portion of a network. Figure 3-7 Hierarchical Routing in the WAN. In Figure 3-7, a typical packet between access sites follows these steps. Step 1: The packet is Layer 3-forwarded toward the distribution router. Step 2: The distribution router forwards the packet toward a core interface. Step 3: The packet is forwarded across the WAN core. Step 4: The receiving distribution router forwards the...