Access Layer Functionality

This section describes the access layer functions and the interaction of the access layer with the distribution layer and local or remote users. The access layer is the concentration point at which clients access the network. Access layer devices control traffic by localizing service requests to the access media. The purpose of the access layer is to grant user access to network resources. Following are the access layer's characteristics: In the campus environment, the access layer typically...

Administrative Distance

Most routing protocols have metric structures and algorithms that are incompatible with other protocols. It is critical that a network using multiple routing protocols be able to seamlessly exchange route information and be able to select the best path across multiple protocols. Cisco routers use a value called administrative distance to select the best path when they learn of two or more routes to the same destination from different routing protocols. Administrative distance rates a routing...

Analyzing Network Traffic and Applications

Traffic analysis is the third step in characterizing a network. Traffic analysis verifies the set of applications and protocols used in the network and determines the applications' traffic patterns. It might reveal any additional applications or protocols running on the network. Each discovered application and protocol should be described in the following terms: Security-related requirements. Scope (in other words, the network modules in which the application or protocol is used). Use the...

ANS Components

Figure 3-24 illustrates an example of ANS deployed in offices connected over a WAN, providing LAN-like performance to users in the branch, regional, and remote offices. ANS components are deployed symmetrically in the data center and the distant offices. The ANS components in this example are as follows: Cisco Wide Area Application Services (WAAS) software: Cisco WAAS software gives remote offices LAN-like access to centrally hosted applications, servers, storage, and multimedia. Cisco Wide Area...

ANS Examples

Table 3-1 illustrates some sample application deployment issues that many IT managers face today and how ANS resolves these issues. Table 3-1 Examples of Application Deployment Issues and Solutions. Issue: Consolidation of data centers results in remote employees having slower access to centrally managed applications. Solution: Wide-area application services in the branch office that compress, cache, and optimize content for remote users so that...

Answers to Review Questions

1. The Cisco vision for an intelligent information network includes the following: Integration of networked resources and information assets that have been largely unlinked; Intelligence across multiple products and infrastructure layers; Active participation of the network in the delivery of services and applications. 2. Evolving to an intelligent information network consists of three phases in which functionality can be added to the infrastructure as required: Phase 1 Integrated transport Everything...

Answers to Review Questions and Case Studies

This appendix provides internetworking expert solutions (listed by chapter) to the review questions and case study questions in each chapter. A solution is provided for each case study task based on assumptions made. There is no claim that the provided solution is the best or only solution. Your solution might be more appropriate for the assumptions you made. The provided solution enables you to understand the author's reasoning and offers a means of comparing and contrasting your solution.

Ii

For the Enterprise Campus, DHCP and internal DNS servers should be located in the Server Farm; these servers should be redundant. For remote locations, Cisco routers can provide DHCP and DNS at the Enterprise Edge. External DNS servers should be redundant, for example, at two service provider facilities, or one at a service provider facility and one in a demilitarized zone at the Enterprise Campus or remote data center.

Border Gateway Protocol

BGP is an EGP that is primarily used to interconnect autonomous systems. BGP is a successor to EGP, the Exterior Gateway Protocol (note the dual use of the EGP acronym). Because EGP is obsolete, BGP is currently the only EGP in use. BGP-4 is the latest version of BGP. It is defined in RFC 4271, A Border Gateway Protocol (BGP-4). As noted in this RFC, the classic definition of an AS is a set of routers under a single technical administration, using an Interior Gateway Protocol (IGP) and common...

C

CA (Certification Authorities), IKE digital dark fiber, 314-315 Enterprise Campus networks, 230 comparison table, 233-234 copper cabling, 231 example of, 234-235 multimode fiber cabling, 232 optical fiber cabling, 232 single-mode fiber cabling, 232 wireless cabling, 232 modems, 308 WAN CATV transmissions, 309 data flows, 309 uBR, 308 CAC (Call Admission Control), voice networks location-based CAC, 541-542 RSVP with, 543 calculating subnet masks, 816-819 call agents (MGCP), 521 call centers, 487...

Calculating the Networks for a Subnet Mask

After you identify your subnet mask, you must calculate the ten subnetted network addresses to use with 172.16.0.0 255.255.240.0. One way to do this is as follows: Step 1 Write the subnetted address in binary format, as shown at the top of Figure B-7. If necessary, use the decimal-to-binary conversion chart provided in Table B-1. Figure B-7 Calculating the Subnets Shown in Figure B-6 in Binary: 10101100.00010000.00000000.00000000. Step 2 On the binary address, draw a line...

Calculating Trunk Capacity or Bandwidth

The trunk capacity for voice calls can be calculated by the following formula: Trunk capacity = (number of simultaneous calls to be supported) * (bandwidth required per call). The first component of this formula, the number of simultaneous calls to be supported, is the number of circuits required for the known amount of traffic, as calculated from the Erlang tables. NOTE: If 100 percent of calls must go through, Erlang tables are not required; instead, the maximum number of simultaneous calls...

Case Study 10-1 ACMC Hospital Network Security Design

This case study is a continuation of the ACMC Hospital case study introduced in Chapter 2, Applying a Methodology to Network Design. Use the scenarios, information, and parameters provided at each task of the ongoing case study. If you encounter ambiguities, make reasonable assumptions and proceed. For all tasks, use the initial customer scenario and build on the solutions provided thus far. You can use any and all documentation, books, white papers, and so on. In each step, you act as a...

Case Study 10-2 ACMC Hospital Network Connecting More Hospitals

This case study is a continuation of ACMC Hospital Case Study 10-1. Use the scenarios, information, and parameters provided at each task of the ongoing case study. If you encounter ambiguities, make reasonable assumptions and proceed. For all tasks, use the initial customer scenario and build on the solutions provided thus far. You can use any and all documentation, books, white papers, and so on. In each step, you act as a network design consultant. Make creative proposals to accomplish the...

Case Study ACMC Hospital Network Upgrade

This case study analyzes the network infrastructure of Acme County Medical Center (ACMC) Hospital, a fictitious small county hospital in the United States. This same case study is used throughout the remainder of the book so that you can continue to evaluate your understanding of the concepts presented. Use the scenarios, information, and parameters provided at each task of the ongoing case study. If you encounter ambiguities, make reasonable assumptions and proceed. For all tasks, use the...

Case Study Answers

The following are some of the infrastructure aspects that should be considered: Switches and power supplies that support PoE should be recommended. The available building wiring closet power, cooling, and space need to be reviewed. QoS mechanisms should be considered, including in the Campus switches and on the WANs. CAC might be required for calls from the clinics to the main campus. cRTP and LFI can also be considered. The current cabling infrastructure and configuration need to be reviewed,...

Case Study Questions

Step 1 Identify key business security requirements, risks, and threats about which ACMC should be concerned. Step 2 Design the Enterprise Edge modules for ACMC (E-commerce, Internet Connectivity, Remote Access and VPN, and WAN and MAN and Site-to-Site VPN). Determine how they should connect to the rest of the ACMC Hospital network. The design can use a consolidated approach in which devices are shared between modules. Step 3 Design the security for remote clinics, using the Internet with VPN...

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at...

Centralized WLAN Components

As illustrated in Figure 3-23, the four main components in a centralized WLAN deployment are as follows: End-user devices: A PC or other end-user device in the access layer uses a wireless NIC to connect to an access point (AP) using radio waves. Wireless APs: APs, typically in the access layer, are shared devices that function similarly to a hub. Cisco APs can be either lightweight or autonomous. Lightweight APs are used in centralized WLAN deployments. A lightweight AP receives control and...

Characteristics of the OSI Layers

The OSI reference model's seven layers can be divided into two categories: upper layers and lower layers. The upper layers contend with application issues and are generally implemented only in software. The highest layer, the application layer, is closest to the end user. Both users and application layer processes interact with software applications that contain a communications component. The term upper layer is sometimes used to refer to any layer above another layer in the OSI model....

Comparison of Routing Protocol Convergence

As shown in Figure 7-8, different routing protocols need different amounts of time to converge in a given network. Although the convergence depends on the network's topology and structure, pure distance vector protocols are slower to converge than link-state protocols. The use of periodic updates and the hold-down mechanism are the main reasons for slow convergence. As a result, the fast-converging protocols should be used when the network's convergence time is crucial. Figure 7-8 Routing...

Configuring Inside Global Address Overloading or PAT

The following procedure configures inside global address overloading: Step 1 At a minimum, IP routing and appropriate IP addresses must be configured on the router. Step 2 Configure dynamic address translation, as described in the "Configuring NAT for Basic Local IP Address Translation" section earlier in this appendix. When you define the mapping between the access list and the IP NAT pool, add the overload keyword to the command: Router(config)# ip nat inside source list access-list-number pool...

D

DAI (Dynamic Address Inspection), DoS attacks, 659 dark fiber (cable), 314-315 data availability, 655 Data Center Access layer (Enterprise Data Center networks), 274 Data Center Aggregation layer (Enterprise Data Center networks), 274-275 Data Center Core layer (Enterprise Data Center networks), 275 Data Center modules (Enterprise Architecture), 144, 158 Data Center networks, 268 architecture framework, 269-271 cooling, 276 Data Center Access layer, 274 Data Center Aggregation layer, 274-275...

Data units

A frame is an information unit whose source and destination are data link layer entities. A frame is composed of the data link layer header (and possibly a trailer) and upper-layer data. The header and trailer contain control information that is intended for the destination system's data link layer entity. The data link layer header and trailer encapsulate data from upper-layer entities. Figure C-8 illustrates the basic components of a data link layer frame. Figure C-8 Data from Upper-Layer...

Deploying Security in the Enterprise Campus

Consider an organization that has experienced several incidents in which laptop users on the campus network have brought in viruses from home, some users have attempted to intercept network traffic, and some interns have tried to hack the network infrastructure. To manage the risks, the organization implements identity and access control solutions, threat detection and mitigation solutions, infrastructure protection, and security management. Figure 10-21 illustrates where various security...

Design Considerations for Guest Services in Wireless Networks

Providing wireless guest services with traditional autonomous APs poses significant challenges. To maintain internal corporate network security, guest traffic must be restricted to the appropriate subnet and VLAN; these guest VLANs must extend throughout the infrastructure to reach every location where guest access is required. Reconfiguring the access switches that serve conference rooms, offices, and cubicles to selectively adjust VLANs for guest access can involve many network staff hours....

Designing Remote Connectivity

This chapter discusses the WAN function that provides access to remote sites and the outside world. It details WAN technologies and WAN design considerations. The chapter explores how these technologies are used, including for remote access, with virtual private networks (VPN), and for backup, including how the Internet is used as a backup WAN. This chapter describes the Enterprise WAN and metropolitan-area network (MAN) architecture, and the Enterprise Branch and Teleworker architectures. The selection...

Determining an IP Address Class

To accommodate large and small networks, the 32-bit IP addresses are segregated into Classes A through E. The first few bits of the first octet determine the class of an address; this then determines how many network bits and host bits are in the address. Figure B-4 illustrates the bits for Class A, B, and C addresses. Each address class allows for a certain number of network addresses and a certain number of host addresses within a network. Table B-2 shows the address format, the address range,...

Distance Vector Example

A distance vector router's understanding of the network is based on its neighbor's perspective of the topology; consequently, the distance vector approach is sometimes referred to as routing by rumor. Routers running traditional distance vector protocols periodically send their complete routing tables to all connected neighbors. Convergence might be slow because triggered updates are not typically used (RIPv2 is an exception) and loop detection timers are long. In large networks, running a...

Distance Vector Versus Link State Versus Hybrid Protocols

There are two main types of routing protocols: Distance vector protocol: In a distance vector protocol, routing decisions are made on a hop-by-hop basis. Each router relies on its neighbor routers to make the correct routing decisions. The router passes only the results of this decision (its routing table) to its neighbors. Distance vector protocols are typically slower to converge and do not scale well; however, they are easy to implement and maintain. Examples of distance vector protocols...

Documenting the Design

A design document lists the design requirements, documents the existing network and the network design, identifies the proof-of-concept strategy and results, and details the implementation plan. The final design document structure should be similar to the one in Figure 2-26, which includes the following: Introduction: Every design document should include an introduction to present the main reasons leading to the network design or redesign. Design requirements: Also a mandatory part of any design document, this...

Dynamic IPv6 Address Assignment

IPv6 dynamic address assignment strategies allow dynamic assignment of IPv6 addresses, as follows: Link-local address: The host configures its own link-local address autonomously, using the link-local prefix FE80::/10 and a 64-bit identifier for the interface, in an EUI-64 format. Stateless autoconfiguration: A router on the link advertises, either periodically or at the host's request, network information, such as the 64-bit prefix of the local network and its willingness to function as a default router...

E

E&M (Ear & Mouth) signaling, analog signaling, 491 EAP-FAST (EAP-Flexible Authentication via Secure Tunneling), UWN, 587 EAP-TLS (EAP-Transport Layer Security), UWN, 587 EAP-TTLS (EAP-Tunneled Transport Layer Security), UWN, 587 EBGP (External Border Gateway Protocol), 460 echo cancellers, 528-529 echo trails, 529 hybrid transformers, 528 inverse speech, 529 irritation zones, 529 telephones, 528 voice networks, 527-528 ECN (Explicit Congestion Notification), 329-330 Architecture), 152...

Effl

Stairwells (Reinforced Building Area) KEY POINT: In general, an AP can support approximately seven to eight wireless phones or about 20 data-only devices. The facility should be visually inspected to identify potential issues, such as metal racks, elevator shafts, stairwells, and microwave equipment. The next step in the RF site survey process is to identify preliminary AP locations based on the planned coverage area and user density. This step can be supported with several tools. For example,...

Enterprise Branch Architecture

Recall that the Cisco Enterprise Architecture, based on the Cisco SONA, includes branch modules that focus on the remote places in the network. Enterprises are seeking opportunities to protect, optimize, and grow their businesses by increasing security, consolidating voice, video, and data onto a single IP network, and investing in applications that will improve productivity and operating efficiencies. These services provide enterprises with new opportunities to reduce costs, improve...

Enterprise Campus Requirements

As shown in Table 4-3, each Enterprise Campus module has different requirements. For example, this table illustrates how modules located closer to the users require a higher degree of scalability so that the Campus network can be expanded in the future without redesigning the complete network. For example, adding new workstations to a network should result in neither high investment cost nor performance degradations. Table 4-3 Enterprise Campus Design Requirements...

Enterprise Data Center Module

The Enterprise Data Center module has an architecture that is similar to the campus Server Farm module discussed earlier. The Enterprise Data Center network architecture allows the network to evolve into a platform that enhances the application, server, and storage solutions and equips organizations to manage increased security, cost, and regulatory requirements while providing the ability to respond quickly to changing business environments. The Enterprise Data Center module may include the...

Enterprise Edge WAN and MAN Considerations

When selecting Enterprise Edge technologies, consider the following factors: Support for network growth: Enterprises that anticipate significant growth should choose a technology that allows the network to grow with their business. WAN technologies with high support for network growth make it possible to add new branches or remote offices with minimal configuration at existing sites, thus minimizing the costs and IT staff requirements for such changes. WAN technologies with lower support for...

Enterprise Teleworker Module

The Enterprise Teleworker module provides people in geographically dispersed locations, such as home offices or hotels, with highly secure access to central-site applications and network services. The Enterprise Teleworker module supports a small office with one to several employees or the home office of a telecommuter. Telecommuters might also be mobile users, people who need access while traveling or who do not work at a fixed company site. Depending on the amount of use and the WAN services...

Evolution of Enterprise Networks

You do not have to go far back in history to find a time when networks were primarily used for file and print services. These networks were isolated LANs that were built throughout the enterprise organization. As organizations interconnected these isolated LANs and their functions grew from file and print services to include critical applications, the critical nature and complexity of the enterprise networks also grew. As discussed in the previous section, Cisco introduced the hierarchical...

Flat Routing Protocols

Flat routing protocols have no means of limiting route propagation in a major network (within a Class A, B, or C network) environment. These protocols are typically classful distance vector protocols. Recall from Chapter 6 that classful means that routing updates do not include subnet masks and that the protocol performs automatic route summarization on major network (class) boundaries. Summarization cannot be done within a major network. These protocols support only fixed-length subnet masking...

Global Aggregatable Unicast Addresses

IPv6 global aggregatable unicast addresses are equivalent to IPv4 unicast addresses. The structure of global aggregatable unicast addresses enables summarization (aggregation) of routing prefixes so that the number of routing table entries in the global routing table can be reduced. Global unicast addresses used on links are aggregated upward, through organizations, and then to intermediate-level ISPs, and eventually to top-level ISPs. A global unicast address typically consists of a 48-bit...

Gradient of Trust

The gradient of trust determines the trust level between domains, which can be minor to extreme, and determines the extent of security safeguards and attention to monitoring required. The trust relationship between segments should be controlled at defined points, using some form of network firewall or access control, as illustrated in the examples in Figure 10-11. Mastering domains of trust is a key component of good network security design. Figure 10-11 Domains and Gradients of Trust Private...

Guidelines for Creating an Enterprise Network

When creating an Enterprise network, divide the network into appropriate areas, where the Enterprise Campus includes all devices and connections within the main Campus location; the Enterprise Edge covers all communications with remote locations and the Internet from the perspective of the Enterprise Campus; and the remote modules include the remote branches, teleworkers, and the remote data center. Define clear boundaries between each of the areas. NOTE: Depending on the network, an enterprise...

H

Examples of, 507 gatekeepers, 505-506 gateways, 504 MCU, 506 terminals, 504 IPv6 packet headers, 406-407 TCP headers (TCP IP protocol suite, transport layer), 20 UDP headers (TCP IP protocol suite, transport layer), 20 health checklists (networks), network design methodologies, 102-103 HID (Human Interface Device), 164 hierarchical network design access layer, 129 example of, 133 L2 switching, 132-133 multilayer switching, 132-133 role of, 131 backbone layer. See core layer core layer, 129,...

H.323

H.323 is an ITU-T standard for packet-based audio, video, and data communications across IP-based networks. The ITU-T H.323 standard is a foundation for audio, video, and data communications across IP-based networks, including the Internet. By complying with the H.323 standard, multimedia products and applications from multiple vendors can interoperate, thereby allowing users to communicate without concern for compatibility. The H.323 standard is broad in scope and includes standalone devices...

Hierarchical Routing in the WAN

Figure 3-7 shows an example of hierarchical routing in the WAN portion of a network. Figure 3-7 Hierarchical Routing in the WAN. In Figure 3-7, a typical packet between access sites follows these steps: Step 1 The packet is Layer 3-forwarded toward the distribution router. Step 2 The distribution router forwards the packet toward a core interface. Step 3 The packet is forwarded across the WAN core. Step 4 The receiving distribution router forwards the...

IEEE 802.11 Operational Standards

In September 1999, the IEEE ratified the IEEE 802.11a standard (5 GHz at 54 Mbps) and the IEEE 802.11b standard (2.4 GHz at 11 Mbps). In June 2003, the IEEE ratified the 802.11g standard (2.4 GHz at 54 Mbps); this standard is backward-compatible with 802.11b systems, because both use the same 2.4-GHz bandwidth. The following are the existing IEEE 802.11 standards for wireless communication: 802.11a: 54 Mbps at 5 GHz, ratified in 1999. 802.11b: 11 Mbps at 2.4 GHz, ratified in 1999. 802.11d: World mode,...

IGP and EGP Example

Figure 7-2 shows three interconnected autonomous systems (domains). Each AS uses an IGP for intra-AS (intra-domain) routing. Figure 7-2 Interior Protocols Are Used Inside and Exterior Protocols Are Used Between Autonomous Systems. The autonomous systems require some form of interdomain routing to communicate with each other. Static routes are used in simple cases; typically, an EGP is used....

Information Exchange Process

The information exchange process occurs between peer OSI layers. Each layer in the source system adds control information to data, and each layer in the destination system analyzes and removes the control information from that data. For example, if System A sends data from a software application to System B, the data is passed to System A's application layer. System A's application layer then communicates any control information required by System B's application layer by prepending a header to...

Integrated Security Within Network Devices

This section explains the security features integrated in Cisco network devices. To design and implement a secure network, it is necessary to integrate security in every part of the network environment. Cisco network devices supporting integrated security include the following: Security appliances, including Cisco PIX security appliances; Endpoint security solutions. The following sections describe these devices. Devices based on Cisco IOS software incorporate various security features to create an...

Interaction Between OSI Model Layers

A given OSI layer generally communicates with three other OSI layers: the layer directly above it, the layer directly below it, and its peer layer in other networked computer systems. For example, System A's data link layer communicates with System A's network layer, System A's physical layer, and System B's data link layer. Figure C-3 illustrates this interaction example. Figure C-3 OSI Model Layer Communicates with Three Other Layers

Interface Identifiers in IPv6 Addresses

In IPv6, a link is a network medium over which network nodes communicate using the link layer. Interface IDs in IPv6 addresses are used to identify a unique interface on a link. They can also be thought of as the host portion of an IPv6 address. Interface IDs are required to be unique on a link and can also be unique over a broader scope. When the interface identifier is derived directly from the data link layer address of the interface, the scope of that identifier is assumed to be universal...

Internal Security

Strongly protecting the internal Enterprise Campus by including security functions in each individual element is important for the following reasons: If the security established at the Enterprise Edge fails, an unprotected Enterprise Campus is vulnerable. Deploying several layers of security increases the protection of the Enterprise Campus, where the most strategic assets usually reside. Relying on physical security is not enough. For example, as a visitor to the organization, a potential...

Introduction to Integrated Networks

Figure 8-14 illustrates a typical enterprise WAN with separate data and voice networks. Integrating data, voice, and video in a network enables vendors to introduce new features. The unified communications network model enables distributed call routing, control, and application functions based on industry standards. Enterprises can mix and match equipment from multiple vendors and geographically deploy these systems wherever they are needed. One means of creating an integrated network is to...

Introduction to WANs

This section defines a WAN and describes its primary design objectives. A WAN is a data communications network that covers a relatively broad geographic area. A WAN typically uses the transmission facilities provided by service providers (SP) (also called carriers), such as telephone companies. Switches, or concentrators, connect the WAN links, relay information through the WAN, and enable the services it provides. A network provider often charges users a fee, called a tariff, for the services...

Introduction to Wireless Technology

NOTE: As noted in the introduction to this book, we assume that you understand the wireless networking material in the Cisco Press title Building Cisco Multilayer Switched Networks (BCMSN) (Authorized Self-Study Guide), 4th Edition, ISBN 1-58705-273-3. This section includes some material from that book as an introduction to wireless technology. Refer to that Cisco Press BCMSN title for more detailed information. A wireless communication system uses radio frequency (RF) energy to transmit data...

IP Standard Access Lists

Standard access lists permit or deny packets based only on the packet's source IP address, as shown in Figure B-9. The access list number range for standard IP access lists is 1 to 99 or from 1300 to 1999. Standard access lists are easier to configure than their more robust counterparts, extended access lists. Figure B-9 Standard IP Access Lists Filter Based Only on the Source Address. A standard access list is a sequential collection of permit and deny conditions that apply to source IP...

IP Telephony Components

An IP telephony network contains four main voice-specific components: IP phones: IP phones are used to place calls in an IP telephony network. They perform voice-to-IP (and vice versa) coding and compression using special hardware. IP phones offer services such as user directory lookups and Internet access. The phones are active network devices that require power to operate; power is supplied through the LAN connection using PoE or with an external power supply. Switches with inline power: Switches...

IPv4 Access Lists

Figure B-8 Access Lists Control Packet Movement Through a Network. Transmission of Packets on an Interface. Table B-5 shows the available types of IP access lists on a Cisco router and their access list numbers. Named access lists are also available for IP. This section covers IP standard and extended access lists. For information on other types of access lists, refer to the technical documentation on the Cisco website at http://www.cisco.com. WARNING: Cisco IOS Release 10.3 introduced substantial...

IPv4 Addresses and Subnetting Job Aid

Figure B-1 is a job aid to help you with various aspects of IP addressing, including how to distinguish address classes, the number of subnets and hosts available with various subnet masks, and how to interpret IP addresses.

Class   Net/Host   First Octet   Standard Mask (Binary)
A       N.H.H.H    1-126         1111 1111 0000 0000 0000 0000 0000 0000
B       N.N.H.H    128-191       1111 1111 1111 1111 0000 0000 0000 0000
C       N.N.N.H    192-223       1111 1111 1111 1111 1111 1111 0000 0000

Address 172.16.5.72 = 1010 1100 0001 0000 0000 0101 0100...

IPv6 Routing Protocols

The routing protocols available in IPv6 include interior gateway protocols (IGP) for use within an autonomous system and exterior gateway protocols (EGP) for use between autonomous systems. As with IPv4 CIDR, IPv6 uses the same longest-prefix match routing. Updates to the existing IPv4 routing protocols were necessary for handling longer IPv6 addresses and different header structures. Currently, the following updated routing protocols or draft proposals are available: Integrated IS-IS version 6...

LANs and WANs

LANs were first used between PCs when users needed to connect with other PCs in the same building to share resources. A LAN is a high-speed, yet relatively inexpensive, network that allows connected computers to communicate. LANs have limited reach (hence the term local-area network), typically less than a few hundred meters, so they can connect only devices in the same room or building, or possibly within the same campus. A LAN is an always-on connection; in other words, you don't have to dial...

Link State Example

Both OSPF and Integrated IS-IS use the Hello protocol for establishing neighbor relationships. Those relationships are stored in a neighbor table (also called an adjacencies database). Each router learns a complete network topology from information shared through these neighbor relationships. That topology is stored in the router's link-state database (LSDB), also called the topology table or topology database. Each router uses this topology and the SPF algorithm to create a shortest-path tree...

LWAPP Fundamentals

LWAPP is an IETF draft protocol that defines the control messaging for setup and path authentication and runtime operations between APs and WLCs. LWAPP also defines the tunneling mechanism for data traffic. The LWAPP tunnel uses Layer 2 or Layer 3 transport. LWAPP defines how the lightweight APs communicate with the WLC. LWAPP data messages encapsulate and forward data frames from and to wireless clients. LWAPP control messages are management messages exchanged between a WLC and the APs. LWAPP...

N

N + 1 deterministic redundancy design, UWN, 626 N + N deterministic redundancy design, UWN, 627 N + N + 1 deterministic redundancy design, UWN, 628 NAC (Network Access Control), Self-Defending Networks, 678-679 NAM (Network Analysis Module), 701 NANP (North American Numbering Plans), PSTN numbering plans, 497-498 NAP (Network Access Providers), ADSL, 306 overloading inside global addresses, 865-866 translating local IP addresses, 864 functions of, 861 implementing, considerations for, 869...

NAC Framework and Cisco NAC Appliance

NAC allows network access only to compliant and trusted wired or wireless endpoint devices, such as PCs, laptops, servers, and personal digital assistants (PDA), and it can restrict the access of noncompliant devices. Two NAC options are available: the NAC framework and the NAC appliance. The NAC framework is an industrywide initiative led by Cisco that uses the network infrastructure and third-party software to enforce security policy compliance on all endpoints. The NAC framework is sold...

Name Resolution

Names are used to identify different hosts and resources on the network and to provide user-friendly interaction with computers; a name is much easier to remember than an IP address. This section covers the purpose of name resolution, provides information about different available name resolution strategies, and discusses Domain Name System (DNS) name resolution. Hosts (computers, servers, printers, and so forth) identify themselves to each other using various naming schemes. Each computer on...

NAT and PAT Operation

NAT can be used to perform several functions, including the following:
Static address translation: Establishes a one-to-one mapping between inside local and global addresses.
Dynamic source address translation: Establishes a dynamic mapping between the inside local and global addresses by associating the local addresses to be translated with a pool of addresses from which to allocate global addresses. The router creates translations as needed.
Address overloading: Can conserve addresses in the...

NetFlow Versus RMON Information Gathering

NetFlow can be configured on individual interfaces, thereby providing information on traffic that passes through those interfaces and collecting the following types of information:
Source and destination interfaces and IP addresses
Input and output interface numbers
TCP/UDP source and destination ports
Number of bytes and packets in the flow
Source and destination autonomous system numbers (for BGP)
Compared to using SNMP with RMON MIB, NetFlow's information-gathering benefits include...

Network Design Tools

Several types of tools can be used to ease the task of designing a complex modern network:
Network modeling tools: Network modeling tools are helpful when a lot of input design information (such as customer requirements, network audit and analysis results, and so on) exists. Network modeling tools enable modeling of both simple and complex networks. The tools process the information provided and return a proposed configuration, which can be modified and reprocessed to add redundant links,...

Objectives of This Book

The goal of this book is to provide you with the knowledge you need to gather internetworking requirements, identify solutions, and design the network infrastructure and services to ensure basic functionality, using the principles of hierarchical network design to structure and modularize a converged enterprise network design. Design tasks might include understanding the design methodology, structuring and modularizing the network design using the Cisco Enterprise Architecture, designing the...

OSI Layer Services

One OSI layer communicates with another layer to make use of the services provided by that other layer. The services provided by adjacent layers help a given OSI layer communicate with its peer layer in other computer systems. Layer services involve three basic elements: the service user, the service provider, and the service access point (SAP). In this context, the service user is the OSI layer that requests services from an adjacent OSI layer. The service provider is the OSI layer that...

OSI Model's Presentation Layer

The presentation layer provides a variety of coding and conversion functions that are applied to application layer data. These functions ensure that information sent from one system's application layer is readable by another system's application layer. Some examples of presentation layer coding and conversion schemes include common data representation formats, conversion of character representation formats, common data compression schemes, and common data encryption schemes. Common data...

OSI Model's Session Layer

The session layer establishes, manages, and terminates communication sessions between presentation layer entities. Communication sessions consist of service requests and service responses that occur between applications that are located in different devices. Protocols that are implemented at the session layer coordinate these requests. Some examples of session layer implementations include Zone Information Protocol (ZIP), which is the AppleTalk protocol that coordinates the name binding process...

OSPF Characteristics

OSPF is a link-state protocol that has the following characteristics for deployment in enterprise networks:
Fast convergence: OSPF achieves fast convergence times using triggered link-state updates that include one or more link-state advertisements (LSA). LSAs describe the state of links on specific routers and are propagated unchanged within an area. Therefore, all routers in the same area have identical topology tables; each router has a complete view of all links and devices in the area....

OSPF Hierarchical Design

Although OSPF was developed for large networks, its implementation requires proper design and planning; this is especially important for networks with 50 or more routers. The concept of multiple separate areas inside one domain (or AS) was implemented in OSPF to reduce the amount of routing traffic and make networks more scalable. In OSPF, there must always be one backbone area (area 0) to which all other nonbackbone areas must be directly attached. A router is a member of an OSPF area when at...

Overloading Inside Global Addresses

Figure D-3 illustrates NAT operation when a single inside global address simultaneously represents multiple inside local addresses; overloading addresses is also known as PAT.
Figure D-3 PAT Overloading Inside Global Addresses
The following describes the process of overloading inside global addresses, as depicted in Figure D-3:
Step 1 The user at Host 10.1.1.1 opens a connection to Host B.
Step 2 The first packet the router receives from Host 10.1.1.1...

P

P2P VPN (Peer-to-Peer Virtual Private Networks), WAN design, 337 packet sniffers, Edge Distribution module, 263 packet-switched networks, 12, 296-298 packets, 856 BER, WAN design, 318 classification, 242, 538 delays, voice networks, 521-523 FEC, 301 filtering, ACL extended, 830-837, 839 standard, 821-829 IPv6, packet headers, 406-407 loss voice networks, 527 WAN design, 318 marking, 242, 538 switching, 27 unicast packets, 16 PAgP (Port Aggregation Protocol), managing in Enterprise Campus...

Physical Security Guidelines

The traditional method of managing the risk of physical compromise is to deploy physical access controls using techniques such as locks or alarms. It is also important to identify how a physical security breach might interact with network security mechanisms. For example, there could be a significant risk if an attacker physically accesses a switch port located in a corporate building and from there has unrestricted access to the corporate network. If, during the development of the security...

Private and Public IPv4 Addresses

Recall from Chapter 1 that the IP address space is divided into public and private spaces. Private addresses are reserved IP addresses that are to be used only internally within a company's network, not on the Internet. Private addresses must therefore be mapped to a company's external registered address when sending anything on the Internet. Public IP addresses are provided for external communication. Figure 6-1 illustrates the use of private and public addresses in a network. Figure 6-1...

R

RAP (Rooftop AP), outdoor wireless network design considerations, 632-633 RDP (Remote Desktop Protocol), 171 REAP (Remote Edge Access Protocols), 639-641 REAP mode (lightweight AP), 601 reconnaissance (networks) Edge Distribution module, Campus Core layer, 263 RED (Random Early Detection), 329 redesigning networks (network design methodologies), 119-120 redirect servers, SIP, 518 redundancy building distribution layer, Enterprise Campus networks, 253-255 deterministic WLC redundancy, 624 N + 1...

Recommended Practices for Infrastructure Protection

The following are some recommended practices for infrastructure protection: Allow only SSH, instead of Telnet, to access devices. Enable AAA and role-based access control (using RADIUS or TACACS+) for access to the command-line interface (CLI) and privileged mode access on all devices. Collect and archive syslog messages (event notification messages) from network devices on a syslog server. When using Simple Network Management Protocol (SNMP), use SNMP version 3 (SNMPv3) and its authentication...

Remote Access Network Design

When you're designing remote-access networks for teleworkers and traveling employees, the type of connection drives the technology selection, such as whether to choose a data link or a network layer connection. By analyzing the application requirements and service provider offerings, you can choose the most suitable of a wide range of remote-access technologies. Typical remote-access requirements include the following:
Data link layer WAN technologies from remote sites to the Enterprise Edge...

Restricting Virtual Terminal Access

This section discusses how you can use standard access lists to limit virtual terminal access. Standard and extended access lists block packets from going through the router. They are not designed to block packets that originate within the router. An outbound Telnet extended access list does not prevent router-initiated Telnet sessions by default. For security purposes, users can be denied virtual terminal (vty) access to the router, or they can be permitted vty access to the router but denied...

Review Questions

Answer the following questions, and then refer to Appendix A for the answers.
1. Figure 3-38 presents a sample hierarchically structured network. Some of the devices are marked with letters. Map the marked devices to the access, distribution, and core layers in this figure.
2. Describe the role of each layer in the hierarchical network model.
3. True or false: Each layer in the hierarchical network model must be implemented with distinct physical devices.
4. Which two statements are true?
a....

RIPv2 Convergence Example

RIPv2 is a distance vector protocol that periodically propagates its routing information. Distance vector protocols use the principle of hold-down to prevent routing loops. Putting a route in hold-down after the route has failed (perhaps due to a link failure) means that if a routing update arrives with the same or a worse metric, the new route is not installed until the hold-down timer expires. Even though the destination might no longer be reachable, a route in hold-down is still used to...

Risk: Integrity Violations and Confidentiality Breaches

Key security risks are integrity violations and confidentiality breaches. Integrity violations can occur when an attacker attempts to change sensitive data without proper authorization. An example of an integrity violation is when an attacker obtains permission to write to sensitive data and then changes or deletes it. The owner of the data might not detect such a change until it is too late, perhaps when the change has already resulted in tangible loss. Because of the difficulty of detecting...

RMON1 and RMON2

RMON1 only provides visibility into the data link and the physical layers; potential problems that occur at the higher layers still require other capture and decode tools. Because of RMON1's limitations, RMON2 was developed to extend functionality to upper-layer protocols. As illustrated in Figure 3-31, RMON2 provides full network visibility from the network layer through to the application layer.
Figure 3-31 RMON2 Is an Extension of RMON1 (layers shown: Application, Presentation, Session, Transport, Network) RMON2...

Routers Work at the Lower Three OSI Layers

The router doesn't care what is in the higher layers, that is, what kind of data is in the packet. The router is just responsible for sending the packet the correct way. The router does have to be concerned with the data link and physical layers, though, because it might have to receive and send data on different media. For example, a packet received on an Ethernet LAN might have to be sent out on a Frame Relay WAN, requiring the router to know how to communicate on both these types of media. In terms of...

Routing in the Building Distribution Layer

The Building Distribution layer is the intermediate point between the Campus Core and the Building Access layers. In addition to other issues (such as physical media and IP addressing), the choice of routing protocol depends on the routing protocols used in the Campus Core and Building Access layers. As a recommended practice, the same routing protocol should be used in all three layers of the Enterprise Campus. If multiple routing protocols must be used, the Building Distribution layer redistributes among...

Routing in the Enterprise Edge Modules

In the Enterprise Edge modules, the underlying physical topology, IP addressing, and the deployed equipment also drive the choice of routing protocol. The routing protocols in the Enterprise Edge modules are typically OSPF, EIGRP, BGP, and static routing.
NOTE: Routing protocols running in the enterprise edge module are referred to as edge routing protocols.
EIGRP gives an administrator more influence on routing and is suitable for NBMA environments in which there is a split-horizon issue...

Routing Protocol Convergence

Whenever a change occurs in a network's topology, all the routers in that network must learn the new topology. This process is both collaborative and independent: the routers share information with each other, but they must calculate the impact of the topology change independently. Because they must mutually develop an independent agreement on the new topology, they are said to converge on this consensus. Convergence properties include the speed of propagation of routing information and the...

Security Services in a Modular Network Design

Security is an infrastructure service that increases the network's integrity by protecting network resources and users from internal and external threats. Without a full understanding of the threats involved, network security deployments tend to be incorrectly configured, too focused on security devices, or lacking appropriate threat response options. Security both in the Enterprise Campus (internal security) and at the Enterprise Edge (from external threats) is important. An enterprise should...

Services Within Modular Networks

Businesses that operate large enterprise networks strive to create an enterprise-wide networked infrastructure and interactive services to serve as a solid foundation for business and collaborative applications. This section explores some of the interactive services with respect to the modules that form the Cisco Enterprise Architecture. A network service is a supporting and necessary service, but not an ultimate solution. For example, security and QoS are not ultimate goals for a network; they...

Static Routing

The term static routing denotes the use of manually configured or injected static routes for traffic forwarding purposes. Using a static route might be appropriate in the following circumstances:
When it is undesirable to have dynamic routing updates forwarded across slow bandwidth links, such as a dialup link
When the administrator needs total control over the routes used by the router
When a backup to a dynamically learned route is necessary
When it is necessary to reach a network that is...

Structured Design

The output of the design should be a model of the complete system. The top-down approach is highly recommended. Rather than focusing on the network components, technologies, or protocols, instead focus on the business goals, technical objectives, and existing and future network applications and services. Structured design focuses on a systematic approach, dividing the design task into related, less complex components, as follows: First, identify the applications needed to support the customer's...

Summary of Interior Routing Protocol Features

There is no best or worst routing protocol. The decision about which routing protocol to implement (or whether multiple routing protocols should indeed be implemented in a network) can be made only after you carefully consider the design goals and examine the network's physical topology in detail. Table 7-2 summarizes some characteristics of IP routing protocols discussed in this chapter. Although they are no longer recommended enterprise protocols, RIPv1, RIPv2, and IGRP are also included in...

Summary Report

The result of the network characterization process is a summary report that describes the network's health. The customer input, network audit, and traffic analysis should provide enough information to identify possible problems in the existing network. The collected information must be collated into a concise summary report that identifies the following:
Features required in the network
Possible drawbacks of and problems in the existing network
Actions needed to support the new network's...

TCP/IP Internet Layer Protocols

The TCP/IP Internet layer corresponds to the OSI network layer and includes the IP-routed protocol, as well as a protocol for message and error reporting. The protocols at this layer include the following:
IP: Provides connectionless, best-effort delivery of datagrams through the network. A unique IP address (a logical address) is assigned to each interface of each device in the network. IP and IP addresses are introduced later in this chapter and are described in more detail in Appendix B, IPv4...